Cisco PDF


Send documentation comments to mdsfeedback-doc@cisco.com

Cisco MDS 9000 Family Fabric Manager Configuration Guide, Release 4.x
Cisco MDS NX-OS Release 4.1(1b) Through 4.1(3a)
Cisco MDS 9000 FabricWare Release 4.x
March 2009

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-17256-03



THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome
to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS,
Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS,
Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step,
Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone,
MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase,
SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of
Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0812R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco MDS 9000 Family Fabric Manager Configuration Guide


© 2009 Cisco Systems, Inc. All rights reserved.

CONTENTS

New and Changed Information lvii

Preface lxi

Audience lxi

Organization lxi

Document Conventions lxvi

Related Documentation lxvii


Release Notes lxvii
Regulatory Compliance and Safety Information lxvii
Compatibility Information lxvii
Hardware Installation lxviii
Software Installation and Upgrade lxviii
Cisco Fabric Manager lxviii
Command-Line Interface lxviii
Intelligent Storage Networking Services Configuration Guides lxviii
Troubleshooting and Reference lxviii
Obtaining Documentation and Submitting a Service Request lxix

PART 1 Getting Started

CHAPTER 1 Product Overview 1-1


Hardware Overview 1-1
Cisco MDS 9500 Series Multilayer Directors 1-2
Cisco MDS 9200 Series Fabric Switches 1-3
Cisco MDS 9216i Multiprotocol Fabric Switch 1-3
Cisco MDS 9222i Multilayer Fabric Switch 1-3
Cisco MDS 9100 Series Fixed Configuration Fabric Switches 1-4

Cisco NX-OS Software Configuration 1-4


Tools for Software Configuration 1-5
CLI 1-5
Cisco MDS 9000 Fabric Manager 1-5
Software Configuration Overview 1-6
Basic Configuration 1-6
Advanced Configuration 1-7


CHAPTER 2 Installing Cisco MDS NX-OS and Fabric Manager 2-1

Starting a Switch in the Cisco MDS 9000 Family 2-1

Initial Setup Routine 2-2


Preparing to Configure the Switch 2-2
Default Login 2-3
Setup Options 2-3
Assigning Setup Information 2-4
Configuring Out-of-Band Management 2-4
Configuring In-Band Management 2-9
Using the setup Command 2-12
Accessing the Switch 2-12

Where Do You Go Next? 2-13

About Cisco Fabric Manager 2-13


Fabric Manager Server 2-14
Fabric Manager Client 2-14
Fabric Manager Server Proxy Services 2-14
Device Manager 2-15
Performance Manager 2-15
Fabric Manager Web Server 2-15
Cisco MDS 9000 Switch Management 2-15
Storage Management Solutions Architecture 2-16
In-Band Management and Out-of-Band Management 2-17
mgmt0 2-17
IPFC 2-17
Installing the Management Software 2-18
Before You Install 2-18
Supported Software 2-19
Java Database Connectivity 2-19
Minimum Hardware Requirements 2-20
Upgrading Fabric Manager in Cisco SAN-OS Releases Prior to 3.1(2b) 2-20
Upgrading Fabric Manager in Cisco SAN-OS Releases 3.1(2b) and Later to 3.2(1) 2-20
Installing the Database 2-20
Directory Structure 2-21
Installing Oracle 2-22
Increasing UDP Buffer Size 2-23
Database Backup and Restore-PostgreSQL 2-23
Backup 2-23
Restore 2-24


Importing PM Statistics Data to Fabric Manager 2-24


Installing Fabric Manager 2-24
Installing Device Manager 2-34
Creating FM/DM Shortcut Manually 2-36
Upgrading the Management Software 2-38

Upgrading Fabric Manager Server and Fabric Manager Standalone Version Using the Fabric Manager Update Installer 2-39
Integrating Cisco Fabric Manager with Other Management Tools 2-40

Running Fabric Manager Behind a Firewall 2-40

Uninstalling the Management Software 2-43

CHAPTER 3 Fabric Manager Server 3-1

Fabric Manager Server Overview 3-1

Fabric Manager Server Features 3-1

Installing and Configuring Fabric Manager Server 3-2


Installing Fabric Manager Server 3-2
Unlicensed Versus Licensed Fabric Manager Server 3-3
Verifying Performance Manager Collections 3-3
Managing a Fabric Manager Server Fabric 3-3
Selecting a Fabric to Manage Continuously 3-3
Fabric Manager Server Properties File 3-4

Modifying Fabric Manager Server 3-5


Adding or Removing Fabric Manager Server Users 3-6
Changing the Fabric Manager Server User Name and Password 3-7
Changing the Polling Period and Fabric Rediscovery Time 3-7
Using Device Aliases or FC Aliases 3-7

CHAPTER 4 Authentication in Fabric Manager 4-1

Fabric Manager Authentication Overview 4-1

Best Practices for Discovering a Fabric 4-3


Setting Up Discovery for a Fabric 4-3
Performance Manager Authentication 4-4

Fabric Manager Web Server Authentication 4-4

CHAPTER 5 Fabric Manager Client 5-1

About Fabric Manager Client 5-1


Fabric Manager Advanced Mode 5-2

Launching Fabric Manager Client in Cisco SAN-OS Release 3.2(1) and Later 5-2


Fabric Manager Client Quick Tour: Server Admin Perspective 5-7


Fabric Manager Main Window 5-7
Menu Bar 5-9
Tool Bar 5-9
Logical Domains Pane 5-9
Physical Attributes Pane 5-9
Information Pane 5-10
Fabric Pane 5-11
Fabric Manager Client Quick Tour: Admin Perspective 5-12
Menu Bar 5-13
File 5-13
View 5-14
Zone 5-14
Tools 5-15
Performance 5-17
Server 5-17
Help 5-17
Toolbar 5-17
Logical Domains Pane 5-19
Filtering 5-19
Physical Attributes Pane 5-20
Context Menu for Tables 5-20
Information Pane 5-22
Detachable Tables 5-24
Fabric Pane 5-24
Context Menus 5-26
Saving the Map 5-26
Purging Down Elements 5-27
Multiple Fabric Display 5-27
Filtering by Groups 5-28
Status Bar 5-29
Setting Fabric Manager Preferences 5-30

Network Fabric Discovery 5-31

Modifying the Device Grouping 5-32


Using Alias Names as Enclosures 5-32

Controlling Administrator Access with Users and Roles 5-34

Using Fabric Manager Wizards 5-34

Fabric Manager Troubleshooting Tools 5-35


CHAPTER 6 Device Manager 6-1

About Device Manager 6-1

Launching Device Manager 6-2

Using Device Manager 6-2


Menu Bar 6-3
Toolbar Icons 6-4
Dialog Boxes 6-5
Tabs 6-5
Legend 6-5
Supervisor and Switching Modules 6-7
Context Menus 6-7
Setting Device Manager Preferences 6-8

CHAPTER 7 Fabric Manager Web Client 7-1

About Fabric Manager Web Client 7-1

Navigating Fabric Manager Web Client 7-2

Installing Fabric Manager Web Client 7-3


Using Fabric Manager Web Client with SSL 7-5

Launching Fabric Manager Web Client 7-7

Health 7-9
Viewing Summary Information 7-9
Viewing Fabric Information 7-10
Viewing Syslog Information 7-11
Viewing Analysis Reports 7-12
Performance 7-13
Viewing Performance Summary Information 7-14
Performance Detail Summary Report 7-15
Viewing Performance Information for End Devices 7-16
Viewing Performance Information for ISLs 7-17
Viewing Performance Information for NPV Links 7-21
Viewing Performance Information for Flows 7-22
Viewing Performance Information for Gigabit Ethernet and Ethernet Ports 7-23
Viewing Other Statistics 7-23
Viewing Detailed Traffic Information 7-24
Viewing Predicted Future Performance 7-25
Using the Default Values 7-25
Using Your Own Values 7-26


Viewing Switch Bandwidth 7-27

Inventory 7-28
Viewing Summary Inventory Information 7-28
Viewing Detailed Summary Inventory Information 7-29
Viewing Detailed Information for VSANs 7-29
Viewing Detailed Information for Switches 7-30
Viewing License Information 7-31
Viewing Detailed Information for Modules 7-32
Viewing Detailed Information for End Devices 7-33
Viewing Detailed Information for ISLs 7-34
Viewing Detailed Information for NPV Links 7-35
Viewing Detailed Information for Zones 7-36
Reports 7-37
Creating a Custom Report Template 7-37
Viewing Custom Reports by Template 7-39
Viewing Custom Reports by Users 7-39
Generating Custom Reports by Template 7-40
Modifying a Custom Report Template 7-41
Deleting Custom Reports 7-42
Viewing Scheduled Jobs by Report Template 7-43
Modifying Scheduled Jobs 7-43
Admin 7-44
Recovering a Web Server Password 7-45
Starting, Restarting, and Stopping Services 7-45
Adding, Editing, and Removing Managed Fabrics 7-46
Viewing Trap and Syslog Registration Information 7-48
Configuring Forwarding of Notifications for Events 7-49
Viewing and Disconnecting Clients 7-50
Configuring Fabric Manager Server Preferences 7-51
Adding and Removing Communities 7-51
Configuring AAA Information 7-53
Adding and Removing Users 7-53
Adding and Removing Roles 7-54
Creating Performance Collections 7-56
Configuring Other Statistics 7-57
Configuring Collection Thresholds 7-59
Importing the RRD Statistics Index 7-60
Configuring the RRD Database 7-60
Viewing Log Information 7-62


Downloading Fabric Manager Client 7-62

CHAPTER 8 Performance Manager 8-1

Performance Manager Architecture 8-1


Data Interpolation 8-2
Data Collection 8-2
Using Performance Thresholds 8-2
Flow Setup Wizards 8-3
Creating a Flow Using Flow Configuration Wizard 8-3

Flow Statistics Configuration 8-6


About Flow Statistics 8-6

CHAPTER 9 Cisco Traffic Analyzer 9-1

Understanding SPAN 9-1

Using Cisco Traffic Analyzer with Performance Manager 9-2


Understanding the PAA-2 9-2
Understanding Cisco Traffic Analyzer 9-3
Installing Cisco Traffic Analyzer 9-3

Accessing Traffic Analyzer from Fabric Manager Web Server 9-5

PART 2 Installation and Switch Management

CHAPTER 10 Obtaining and Installing Licenses 10-1

Licensing Terminology 10-1


Licensing Model 10-2

Licensing High Availability 10-8

Options to Install a License 10-8

Obtaining a Factory-Installed License 10-9

Performing a Manual Installation 10-9

Obtaining the License Key File 10-9

Installing the License Key File 10-10

Installing Licenses Using Fabric Manager License Wizard 10-11

Installing or Updating Licenses Using Device Manager 10-12

Identifying License Features in Use 10-13

Uninstalling Licenses 10-14

Updating Licenses 10-14

Grace Period Alerts 10-15


License Transfers Between Switches 10-16

Displaying License Information 10-16


Viewing License Information in Fabric Manager 10-16
Viewing License Information in Device Manager 10-16
Viewing Licenses Using Fabric Manager Web Server 10-17
Fabric Manager Server Licensing 10-17

CHAPTER 11 On-Demand Port Activation Licensing 11-1

About On-Demand Port Activation Licensing 11-1


Port-Naming Conventions 11-2
Port Licensing 11-2
License Status Definitions 11-3
Configuring Port Activation Licenses 11-4
Checking the Status of Licenses 11-4
Making a Port Eligible for a License 11-5
Acquiring a License for a Port 11-6

CHAPTER 12 Initial Configuration 12-1

Assigning a Switch Name 12-1

Verifying the Module Status 12-2

Configuring Date, Time, and Time Zone 12-3

NTP Configuration 12-4


About NTP 12-4
NTP Configuration Guidelines 12-5
Configuring NTP 12-6
Editing an NTP Server or Peer Configuration 12-6
Deleting an NTP Server or Peer 12-7
NTP CFS Distribution 12-8
Configuring NTP with CFS 12-8
Committing NTP Configuration Changes 12-9
Discarding NTP Configuration Changes 12-9
Releasing Fabric Session Lock 12-9
Database Merge Guidelines 12-10
Management Interface Configuration 12-10

Default Gateway Configuration 12-10

Telnet Server Connection 12-11


Disabling a Telnet Connection 12-11

Configuring CDP 12-12


CHAPTER 13 Using the CFS Infrastructure 13-1

About CFS 13-1


Cisco MDS NX-OS Features Using CFS 13-2
CFS Features 13-2
CFS Protocol 13-3
CFS Distribution Scopes 13-3
CFS Distribution Modes 13-4
Uncoordinated Distribution 13-4
Coordinated Distribution 13-4
Unrestricted Uncoordinated Distributions 13-4

Disabling CFS Distribution on a Switch 13-4

CFS Application Requirements 13-5

Enabling CFS for an Application 13-5

Locking the Fabric 13-6

Committing Changes 13-7

Discarding Changes 13-8

Saving the Configuration 13-8

Clearing a Locked Session 13-8

CFS Merge Support 13-9

Displaying CFS Configuration Information 13-9

CFS Distribution over IP 13-10


Configuring Static IP Peers for CFS over IP 13-11
Adding Peers to List 13-12
Removing an NPV Device from the Peer List 13-14
CFS Regions 13-16
About CFS Regions 13-16
Managing CFS Regions Using Fabric Manager 13-17
Creating CFS Regions 13-17
Assigning Features to CFS Regions 13-17
Moving a Feature to a Different Region 13-18
Removing a Feature from a Region 13-19
Deleting CFS Regions 13-19
CFS Example Using Fabric Manager 13-20

CFS Example Using Device Manager 13-23

Default Settings 13-23


CHAPTER 14 Configuring FlexAttach Virtual pWWN 14-1

About FlexAttach Virtual pWWN 14-1

FlexAttach Virtual pWWN Guidelines and Requirements 14-2

Configuring FlexAttach Virtual pWWN 14-2


Enabling FlexAttach Virtual pWWN 14-2
Automatically Enabling FlexAttach Virtual pWWN 14-2
Launching FlexAttach in Fabric Manager 14-3
Manually Enabling FlexAttach Virtual pWWN 14-4
Mapping pWWN to Virtual pWWN 14-6
Debugging FlexAttach Virtual pWWN 14-8
Security Settings for FlexAttach Virtual pWWN 14-8
FlexAttach Virtual pWWN CFS Distribution 14-9
Using the Server Admin FlexAttach Wizards 14-9
Pre-Configuring FlexAttach for a New Server 14-9
Pre-Configuring FlexAttach for All the Ports 14-10
Pre-Configuring FlexAttach for Each Port Individually 14-12
Moving a Server to Another Port or Switch 14-15
Replacing a Server with Another Server 14-18
Replacing a Server on the Same Port 14-19
Replacing the Server to a Different Port on the Same Switch 14-21
Replacing with a Server on a Different Switch 14-22
Difference Between SAN Device Virtualization and FlexAttach Port Virtualization 14-23

CHAPTER 15 Software Images 15-1

About Software Images 15-1


Dependent Factors for Software Installation 15-1
Selecting the Correct Software Images for Cisco MDS 9100 Series Switches 15-2
Selecting the Correct Software Images for Cisco MDS 9200 Series Switches 15-2
Selecting the Correct Software Images for Cisco MDS 9500 Family Switches 15-2

Essential Upgrade Prerequisites 15-3

Software Upgrade Methods 15-5


Determining Software Compatibility 15-5

Automated Upgrades 15-6


Benefits of Using the Software Install Wizard 15-6
Recognizing Failure Cases 15-7
Using the Software Install Wizard 15-8
Upgrading Services Modules 15-12
Nondisruptive Upgrades on Fabric and Modular Switches 15-13


Preparing for a Nondisruptive Upgrade on Fabric and Modular Switches 15-13


Performing a Nondisruptive Upgrade on a Fabric Switch 15-14
Maintaining Supervisor Modules 15-14
Replacing Supervisor Modules 15-15
Migrating from Supervisor-1 Modules to Supervisor-2 Modules 15-15
Standby Supervisor Module Boot Variable Version 15-15
Standby Supervisor Module Bootflash Memory 15-16
Standby Supervisor Module Boot Alert 15-16
Installing Generation 2 Modules in Generation 1 Chassis 15-16

Replacing Modules 15-17

Default Settings 15-17

CHAPTER 16 Managing Configuration Files 16-1

About Flash Devices 16-1


Internal bootflash: 16-2
Formatting Flash Devices and File Systems 16-2

Using the File System 16-2


Flash Files 16-3
Creating a Directory 16-3
Deleting an Existing File or Directory 16-4
Copying Files 16-5
Performing Other File Manipulation Tasks 16-7
Working with Configuration Files 16-7
Downloading Configuration Files to the Switch 16-7
Saving the Configuration 16-8
Saving the Running Configuration 16-8
Saving Startup Configurations in the Fabric 16-9
Backing Up the Current Configuration 16-9

CHAPTER 17 Configuring High Availability 17-1

About High Availability 17-1

Switchover Mechanisms 17-2


HA Switchover Characteristics 17-2
Initiating a Switchover 17-2
Switchover Guidelines 17-3

Process Restartability 17-3

Synchronizing Supervisor Modules 17-3


CHAPTER 18 Managing System Hardware 18-1

Displaying Switch Hardware Inventory 18-1

Running the CompactFlash Report 18-2

Displaying the Switch Serial Number 18-3

Displaying Power Usage Information 18-3

Power Supply Configuration Modes 18-4


Power Supply Configuration Guidelines 18-5

About Crossbar Management 18-7


Operational Considerations When Removing Crossbars 18-9
Gracefully Shutting Down a Crossbar 18-9
Backward Compatibility for Generation 1 Modules in Cisco MDS 9513 Directors 18-10

About Module Temperature 18-11


Displaying Module Temperature 18-11

About Fan Modules 18-12

Default Settings 18-13

CHAPTER 19 Managing Modules 19-1

About Modules 19-1


Supervisor Modules 19-2
Switching Modules 19-3
Services Modules 19-3
Verifying the Status of a Module 19-3

Obtaining Supervisor Module Statistics 19-4


Checking the State of a Module 19-4
Reloading Modules 19-5
Reloading a Switch 19-6
Power Cycling Modules 19-6
Preserving the Module Configuration 19-7

Powering Off Switching Modules 19-8

Identifying Module LEDs 19-9

Managing SSMs and Supervisor Modules 19-13


Considerations for Replacing SSMs and Supervisor Modules 19-13

Default Settings 19-13

PART 3 Switch Configuration


CHAPTER 20 Configuring Interfaces 20-1

Common Interface Configuration 20-1

Fibre Channel Interfaces 20-2


Generation 1 Interfaces Configuration Guidelines 20-2
About Interface Modes 20-3
E Port 20-4
F Port 20-5
FL Port 20-5
NP Ports 20-5
TL Port 20-5
TE Port 20-6
TF Port 20-6
TNP Port 20-6
SD Port 20-6
ST Port 20-6
Fx Port 20-7
B Port 20-7
Auto Mode 20-7
About Interface States 20-7
Administrative States 20-7
Operational States 20-8
Reason Codes 20-8
Graceful Shutdown 20-11
Setting the Interface Administrative State 20-11
Configuring Interface Modes 20-12
Configuring Administrative Speeds 20-12
Autosensing 20-13
Specifying a Port Owner 20-13
Configuring Port Guard 20-16
About Interface Descriptions 20-18
About Frame Encapsulation 20-18
About Receive Data Field Size 20-19
Configuring Receive Data Field Size 20-19
Identifying the Beacon LEDs 20-19
About Speed LEDs 20-20
About Beacon Mode 20-20
Configuring Beacon Mode 20-20
About Bit Error Thresholds 20-21
Switch Port Attribute Default Values 20-21


About SFP Transmitter Types 20-22


Displaying SFP Transmitter Types 20-22
About Gathering Interface Statistics 20-22
Gathering Interface Statistics 20-23
TL Ports for Private Loops 20-23
About TL Ports 20-24
Configuring TL Ports 20-25
About TL Port ALPA Caches 20-25
Buffer Credits 20-26
About Buffer-to-Buffer Credits 20-26
Configuring Buffer-to-Buffer Credits 20-26
About Performance Buffers 20-27
Configuring Performance Buffers 20-27
About Extended BB_credits 20-28
Extended BB_credits on Generation 1 Switching Modules 20-28
Extended BB_credits on Generation 2 and Generation 3 Switching Modules 20-29
Configuring Extended BB_credits 20-29
Management Interfaces 20-29
About Management Interfaces 20-30
Configuring Management Interfaces 20-30
VSAN Interfaces 20-30
About VSAN Interfaces 20-31
Creating VSAN Interfaces 20-31
Default Settings 20-32

CHAPTER 21 Configuring N Port Virtualization 21-1

About NPV 21-1


NPV Mode 21-3
NP Ports 21-3
NP Links 21-3
Internal FLOGI Parameters 21-3
Default Port Numbers 21-5
NPV CFS Distribution over IP 21-5
NPV Traffic Management 21-5
Auto 21-5
Traffic Map 21-5
Disruptive 21-6
Multiple VSAN Support 21-6
NPV Guidelines and Requirements 21-6


NPV Traffic Management Guidelines 21-7

Configuring NPV 21-7


Configuring NPV Traffic Management 21-9
Configuring List of External Interfaces per Server Interface 21-9
Enabling or Disabling the Global Policy for Disruptive Load Balancing 21-11
Using the NPV Setup Wizard 21-12
DPVM Configuration 21-31
NPV and Port Security 21-31

CHAPTER 22 Configuring Generation 2 and Generation 3 Switching Modules 22-1

About Generations of Modules and Switches 22-1

Port Groups and Port Rate Modes 22-3


Port Groups 22-3
Port Rate Modes 22-4
Dedicated Rate Mode 22-6
Shared Rate Mode 22-7
Dedicated Rate Mode Configurations for the 8-Gbps Modules 22-7
Reserving Bandwidth Quickly for the 8-Gbps Modules 22-8
Dynamic Bandwidth Management 22-9
Out-of-Service Interfaces 22-10
Buffer Credit Allocation 22-10
Buffer Pools 22-10
BB_Credit Buffers for Switching Modules 22-13
48-Port 8-Gbps Fibre Channel Module BB_Credit Buffers 22-14
24-Port 8-Gbps Fibre Channel Module BB_Credit Buffers 22-15
4/44-Port 8-Gbps Host-Optimized Fibre Channel Module BB_Credit Buffers 22-16
48-Port 4-Gbps Fibre Channel Module BB_Credit Buffers 22-17
24-Port 4-Gbps Fibre Channel Module BB_Credit Buffers 22-18
18-Port Fibre Channel/4-Port Gigabit Ethernet Multiservice Module BB_Credit Buffers 22-19
12-Port 4-Gbps Switching Module BB_Credit Buffers 22-20
4-Port 10-Gbps Switching Module BB_Credit Buffers 22-21
BB_Credit Buffers for Fabric Switches 22-22
Cisco MDS 9134 Fabric Switch BB_Credit Buffers 22-22
Cisco MDS 9124 Fabric Switch BB_Credit Buffers 22-23
Cisco MDS 9222i Multiservice Modular Switch BB_Credit Buffers 22-23
Extended BB_Credits 22-23
Combining Generation 1, Generation 2, and Generation 3 Modules 22-24
Port Indexes 22-24
PortChannels 22-26


Configuring Module Interface Shared Resources 22-28


Configuration Guidelines for 48-Port, 24-Port, and 4/44-Port 8-Gbps Fibre Channel Switching Modules 22-28
Migrating from Shared Mode to Dedicated Mode 22-29
Migrating from Dedicated Mode to Shared Mode 22-29
Configuration Guidelines for 48-Port and 24-Port 4-Gbps Fibre Channel Switching Modules 22-30
Migrating from Shared Mode to Dedicated Mode 22-30
Migrating from Dedicated Mode to Shared Mode 22-30
Configuration Guidelines for 12-Port 4-Gbps Switching Module Interfaces 22-31
Configuration Guidelines for 4-Port 10-Gbps Switching Module Interfaces 22-31
Configuring Port Speed 22-32
Configuring Rate Mode 22-33
Configuring Oversubscription Ratio Restrictions 22-34
Disabling Restrictions on Oversubscription Ratios 22-35
Enabling Restrictions on Oversubscription Ratios 22-37
Configuring Bandwidth Fairness 22-37
Enabling Bandwidth Fairness 22-38
Disabling Bandwidth Fairness 22-39
Upgrade or Downgrade Scenario 22-40
Taking Interfaces Out of Service 22-40
Releasing Shared Resources in a Port Group 22-41
Displaying SFP Diagnostic Information 22-41

Default Settings 22-43

CHAPTER 23 Configuring PortChannels 23-1

About PortChannels 23-1


About E PortChannels 23-2
About F and TF PortChannels 23-3
About PortChanneling and Trunking 23-3
About Load Balancing 23-4
About PortChannel Modes 23-6
Configuration Guidelines and Restrictions 23-7
Generation 1 PortChannel Restrictions 23-7
F and TF PortChannel Restrictions 23-8
PortChannel Configuration 23-9
About PortChannel Configuration 23-10
Configuring PortChannels Using the Wizard 23-11
Configuring the PortChannel Mode 23-16
About PortChannel Deletion 23-16


Deleting PortChannels 23-16

Interfaces in a PortChannel 23-17


About Interface Addition to a PortChannel 23-17
Compatibility Check 23-17
Suspended and Isolated States 23-18
Adding an Interface to a PortChannel 23-18
Forcing an Interface Addition 23-19
About Interface Deletion from a PortChannel 23-20
Deleting an Interface from a PortChannel 23-20
PortChannel Protocols 23-20
About Channel Group Creation 23-21
About Autocreation 23-22
Enabling and Configuring Autocreation 23-23
About Manually Configured Channel Groups 23-23
Converting to Manually Configured Channel Groups 23-23
Verifying the PortChannel Configuration 23-24

Default Settings 23-25

CHAPTER 24 Configuring Trunking 24-1

About Trunking 24-1


Trunking E Ports 24-2
Trunking F Ports 24-2
Key Concepts 24-3
Trunking Guidelines and Restrictions 24-3
Trunking Misconfiguration Examples 24-4
Upgrade and Downgrade Restrictions 24-5
Difference Between TE Ports and TF-TNP Ports 24-5
Enabling the Trunking Protocols 24-6
About Trunking Protocols 24-6
Enabling the F Port Trunking and Channeling Protocol 24-7

Configuring Trunk Mode and VSAN List 24-7


About Trunk Modes 24-7
Configuring Trunk Mode 24-8
About Trunk-Allowed VSAN Lists and VF_IDs 24-9
Configuring an Allowed-Active List of VSANs 24-11

Default Settings 24-11


CHAPTER 25 Configuring Domain Parameters 25-1

Fibre Channel Domains 25-2


About Domain Restart 25-3
Restarting a Domain 25-3
About Switch Priority 25-5
Configuring Switch Priority 25-5
About fcdomain Initiation 25-5
Enabling or Disabling fcdomains 25-6
Setting Fabric Names 25-6
About Incoming RCFs 25-6
Rejecting Incoming RCFs 25-7
About Autoreconfiguring Merged Fabrics 25-7
Enabling Autoreconfiguration 25-8
Domain IDs 25-8
About Domain IDs 25-8
Specifying Static or Preferred Domain IDs 25-10
About Allowed Domain ID Lists 25-11
Configuring Allowed Domain ID Lists 25-11
About CFS Distribution of Allowed Domain ID Lists 25-12
Enabling Distribution 25-12
Locking the Fabric 25-13
Committing Changes 25-13
Discarding Changes 25-13
Clearing a Fabric Lock 25-14
Displaying Pending Changes 25-14
Displaying Session Status 25-15
About Contiguous Domain ID Assignments 25-15
Enabling Contiguous Domain ID Assignments 25-15
FC IDs 25-16
About Persistent FC IDs 25-17
Enabling the Persistent FC ID Feature 25-17
About Persistent FC ID Configuration 25-17
Configuring Persistent FC IDs 25-18
About Unique Area FC IDs for HBAs 25-19
Configuring Unique Area FC IDs for an HBA 25-19
About Persistent FC ID Selective Purging 25-21
Purging Persistent FC IDs 25-21
Displaying fcdomain Statistics 25-22

Default Settings 25-22


PART 4 Fabric Configuration

CHAPTER 26 Configuring and Managing VSANs 26-1

About VSANs 26-1


VSANs Topologies 26-1
VSAN Advantages 26-3
VSANs Versus Zones 26-4
VSAN Configuration 26-5
About VSAN Creation 26-6
Creating VSANs Statically 26-6
About Port VSAN Membership 26-8
Assigning Static Port VSAN Membership 26-8
About the Default VSAN 26-8
About the Isolated VSAN 26-8
Displaying Isolated VSAN Membership 26-9
Operational State of a VSAN 26-9
Mapping VSANs to VLANs 26-9
Mapping VSANs to VLANs Using Fabric Manager 26-10
Mapping VSANs to VLANs Using Device Manager 26-11
About Static VSAN Deletion 26-12
Deleting Static VSANs 26-13
About Load Balancing 26-13
Configuring Load Balancing 26-13
About Interop Mode 26-14
About FICON VSANs 26-14
Default Settings 26-14

CHAPTER 27 SAN Device Virtualization 27-1

About SDV 27-1


Key Concepts 27-3
Automatic Failover and Fallback 27-4

Configuring SDV 27-4


Configuring a Virtual Device 27-4
Linking a Virtual Device with a Physical Device 27-7
Resolving Fabric Merge Conflicts 27-8
SDV Requirements and Guidelines 27-9

Default Settings 27-10


CHAPTER 28 Creating Dynamic VSANs 28-1

DPVM 28-1
About DPVM Configuration 28-2
Configuring DPVM with the DPVM Wizard 28-2
About DPVM Databases 28-5
Configuring DPVM Config and Pending Databases 28-5
Activating DPVM Config Databases 28-7
Viewing the Pending Database 28-8
About Autolearned Entries 28-8
Enabling Autolearning 28-9
Clearing Learned Entries 28-9
DPVM Database Distribution 28-10
About DPVM Database Distribution 28-10
Disabling DPVM Database Distribution 28-11
About Locking the Fabric 28-11
Locking the Fabric 28-11
Committing Changes 28-12
Discarding Changes 28-13
Clearing a Locked Session 28-13
Database Merge Guidelines 28-13
About Copying DPVM Databases 28-14
Copying DPVM Databases 28-14
Comparing Database Differences 28-14
Default Settings 28-15

CHAPTER 29 Configuring Inter-VSAN Routing 29-1


Inter-VSAN Routing 29-1
About IVR 29-2
IVR Features 29-3
IVR Terminology 29-3
IVR Limits Summary 29-4
Fibre Channel Header Modifications 29-4
IVR NAT 29-5
IVR NAT Requirements and Guidelines 29-5
IVR VSAN Topology 29-6
Autonomous Fabric ID 29-7
IVR Interoperability 29-7
About the IVR Zone Wizard 29-7
Configuring IVR Using the IVR Zone Wizard 29-7


Manual IVR Configuration 29-9


About IVR NAT and Auto Topology 29-10
Transit VSAN Guidelines 29-10
Border Switch Guidelines 29-10
Configuring IVR NAT and IVR Auto Topology 29-11
About AFIDs 29-11
Configuring Default AFIDs 29-12
Configuring Individual AFIDs 29-12
Configuring IVR Without IVR NAT or Auto Topology 29-13
Domain ID Guidelines 29-13
Transit VSAN Guidelines 29-14
Border Switch Guidelines 29-14
Configuring IVR Without NAT 29-14
Manually Creating the IVR Topology 29-15
Activating a Manually Configured IVR Topology 29-16
Clearing the Configured IVR Topology 29-17
Migrating from IVR Auto Topology Mode to Manual Mode 29-17
About IVR Virtual Domains 29-18
Configuring IVR Virtual Domains 29-18
About Persistent FC IDs for IVR 29-19
Configuring Persistent FC IDs for IVR 29-19
Configuring IVR Logging Levels 29-20
IVR Zones and IVR Zone Sets 29-21
About IVR Zones 29-22
Automatic IVR Zone Creation 29-22
Configuring IVR Zones and IVR Zone Sets 29-23
About Activating Zone Sets and Using the force Option 29-26
Recovering an IVR Full Zone Database 29-28
Recovering an IVR Full Topology 29-29
About LUNs in IVR Zoning 29-30
Configuring LUNs in IVR Zoning 29-30
About QoS in IVR Zones 29-30
Configuring QoS for IVR Zones 29-30
Renaming IVR Zones and IVR Zone Sets 29-30
Clearing the IVR Zone Database 29-31
Configuring IVR Using Read-Only Zoning 29-31
System Image Downgrading Considerations 29-31
Database Merge Guidelines 29-31
Resolving Database Merge Failures 29-33


Default Settings 29-34

CHAPTER 30 Configuring and Managing Zones 30-1

About Zoning 30-1


Zoning Example 30-2
Zone Implementation 30-3
Zone Member Configuration Guidelines 30-4
Active and Full Zone Set Considerations 30-4
Using the Quick Config Wizard 30-7

Zone Configuration 30-10


About the Edit Local Full Zone Database Tool 30-11
Configuring a Zone Using the Zone Configuration Tool 30-12
Adding Zone Members 30-14
Zone Sets 30-15
About Zone Set Creation 30-16
Activating a Zone Set 30-17
Deactivating a Zoneset 30-18
Displaying Zone Membership Information 30-20
About the Default Zone 30-20
Configuring the Default Zone 30-21
About FC Alias Creation 30-21
Creating FC Aliases 30-22
Adding Members to Aliases 30-22
Converting Zone Members to pWWN-based Members 30-24
Zone Enforcement 30-26
Zone Set Distribution 30-26
Enabling Full Zone Set Distribution 30-26
Enabling a One-Time Distribution 30-27
About Recovering from Link Isolation 30-28
Importing and Exporting Zone Sets 30-28
Zone Set Duplication 30-29
Copying Zone Sets 30-30
About Backing Up and Restoring Zones 30-30
Backing Up Zones 30-31
Restoring Zones 30-32
Renaming Zones, Zone Sets, and Aliases 30-34
Cloning Zones, Zone Sets, FC Aliases, and Zone Attribute Groups 30-35
Migrating a Non-MDS Database 30-35
Clearing the Zone Server Database 30-36


Advanced Zone Attributes 30-36


About Zone-Based Traffic Priority 30-36
Configuring Zone-Based Traffic Priority 30-37
Configuring Default Zone QoS Priority Attributes 30-37
Configuring the Default Zone Policy 30-38
About Broadcast Zoning 30-38
Configuring Broadcast Zoning 30-39
About LUN Zoning 30-40
Configuring a LUN-Based Zone 30-40
Assigning LUNs to Storage Subsystems 30-41
About Read-Only Zones 30-41
Configuring Read-Only Zones 30-42
Displaying Zone Information 30-42

Enhanced Zoning 30-43


About Enhanced Zoning 30-43
Changing from Basic Zoning to Enhanced Zoning 30-44
Changing from Enhanced Zoning to Basic Zoning 30-44
Enabling Enhanced Zoning 30-45
Creating Attribute Groups 30-45
Merging the Database 30-45
Analyzing a Zone Merge 30-46
Configuring Zone Merge Control Policies 30-47
Compacting the Zone Database for Downgrading 30-47

Default Settings 30-48

CHAPTER 31 Distributing Device Alias Services 31-1

About Device Aliases 31-1


About Device Alias Modes 31-1
Changing Mode Settings 31-2
Device Alias Mode Distribution 31-2
Merging Device Alias 31-2
Resolving Merge and Device Alias Mode Mismatch 31-3
Device Alias Features 31-3
Device Alias Requirements 31-3
Zone Aliases Versus Device Aliases 31-4
Device Alias Databases 31-4
About Device Alias Distribution 31-4
Distributing the Device Alias Database 31-5
About Creating a Device Alias 31-5


Creating a Device Alias 31-6


Committing Changes 31-6
Discarding Changes 31-7
Legacy Zone Alias Conversion 31-7
Using Device Aliases or FC Aliases 31-8
Device Alias Statistics Cleanup 31-8
Database Merge Guidelines 31-8

Default Settings 31-9

CHAPTER 32 Configuring Fibre Channel Routing Services and Protocols 32-1

About FSPF 32-2


FSPF Examples 32-2
Fault Tolerant Fabric 32-2
Redundant Links 32-3
Fail-Over Scenarios for PortChannels and FSPF Links 32-3

FSPF Global Configuration 32-4


About SPF Computational Hold Times 32-4
About Link State Records 32-4
Configuring FSPF on a VSAN 32-5
Resetting FSPF to the Default Configuration 32-5
Enabling or Disabling FSPF 32-6
FSPF Interface Configuration 32-6
About FSPF Link Cost 32-6
Configuring FSPF Link Cost 32-7
About Hello Time Intervals 32-7
Configuring Hello Time Intervals 32-8
About Dead Time Intervals 32-8
Configuring Dead Time Intervals 32-8
About Retransmitting Intervals 32-8
Configuring Retransmitting Intervals 32-9
About Disabling FSPF for Specific Interfaces 32-9
Disabling FSPF for Specific Interfaces 32-9
Displaying the FSPF Database 32-10
Viewing FSPF Statistics 32-11
FSPF Routes 32-12
About Fibre Channel Routes 32-12
Configuring Fibre Channel Routes 32-12
About Broadcast and Multicast Routing 32-14
About Multicast Root Switch 32-14


Setting the Multicast Root Switch 32-14

In-Order Delivery 32-15


About Reordering Network Frames 32-15
About Reordering PortChannel Frames 32-16
About Enabling In-Order Delivery 32-17
Enabling In-Order Delivery Globally 32-18
Enabling In-Order Delivery for a VSAN 32-18
Configuring the Drop Latency Time 32-18
Default Settings 32-19

CHAPTER 33 Dense Wavelength Division Multiplexing 33-1

About DWDM 33-1

Viewing DWDM Links 33-1

CHAPTER 34 Managing FLOGI, Name Server, FDMI, and RSCN Databases 34-1

FLOGI 34-1
Displaying FLOGI Details 34-1

Name Server Proxy 34-2


About Registering Name Server Proxies 34-2
Registering Name Server Proxies 34-2
About Rejecting Duplicate pWWN 34-3
Rejecting Duplicate pWWNs 34-3
About Name Server Database Entries 34-3
Viewing Name Server Database Entries 34-3
FDMI 34-4
Displaying FDMI 34-4

RSCN 34-5
About RSCN Information 34-5
Displaying RSCN Information 34-5
About the multi-pid Option 34-6
Configuring the multi-pid Option 34-6
Clearing RSCN Statistics 34-7
RSCN Timer Configuration Distribution Using CFS 34-7
Configuring the RSCN Timer with CFS 34-8
Default Settings 34-8

CHAPTER 35 Discovering SCSI Targets 35-1

About SCSI LUN Discovery 35-1


About Starting SCSI LUN Discovery 35-1


Starting SCSI LUN Discovery 35-2
About Initiating Customized Discovery 35-2
Initiating Customized Discovery 35-2
Displaying SCSI LUN Information 35-3

CHAPTER 36 Configuring FICON 36-1

About FICON 36-1


FICON Requirements 36-2
MDS-Specific FICON Advantages 36-3
Fabric Optimization with VSANs 36-3
FCIP Support 36-5
PortChannel Support 36-5
VSANs for FICON and FCP Mixing 36-5
Cisco MDS-Supported FICON Features 36-5
FICON Cascading 36-7
FICON VSAN Prerequisites 36-7
FICON Port Numbering 36-8
Default FICON Port Numbering Scheme 36-8
Port Addresses 36-11
Implemented and Unimplemented Port Addresses 36-11
About the Reserved FICON Port Numbering Scheme 36-11
Installed and Uninstalled Ports 36-12
FICON Port Numbering Guidelines 36-12
Assigning FICON Port Numbers to Slots 36-13
About Port Numbers for FCIP and PortChannel 36-13
Reserving FICON Port Numbers for FCIP and PortChannel Interfaces 36-13
FC ID Allocation 36-14
Configuring FICON 36-15
About Enabling FICON on a VSAN 36-15
Setting Up a Basic FICON Configuration 36-16
Manually Enabling FICON on a VSAN 36-18
Deleting FICON VSANs 36-18
Suspending a FICON VSAN 36-19
Configuring the code-page Option 36-19
Assigning FC ID Last Byte 36-20
Allowing the Host to Move the Switch Offline 36-21
Allowing the Host to Change FICON Port Parameters 36-22
Allowing the Host to Control the Timestamp 36-22


Configuring SNMP Control of FICON Parameters 36-22


FICON Information Refresh 36-23
About FICON Device Allegiance 36-23
Automatically Saving the Running Configuration 36-23

Configuring FICON Ports 36-24


Configuring Port Blocking 36-25
Viewing ESCON Style Ports 36-26
Port Prohibiting 36-26
Configuring Port Prohibiting 36-26
Assigning a Port Address Name 36-27
About RLIR 36-27
Displaying RLIR Information 36-27
FICON Configuration Files 36-28
About FICON Configuration Files 36-29
Applying the Saved Configuration Files to the Running Configuration 36-29
Editing FICON Configuration Files 36-30
Displaying FICON Configuration Files 36-30
Copying FICON Configuration Files 36-31
Port Swapping 36-31
About Port Swapping 36-32
Swapping Ports 36-33
FICON Tape Acceleration 36-33
Configuring FICON Tape Acceleration 36-35

CUP In-Band Management 36-37


Calculating FICON Flow Load Balance 36-39

Displaying FICON Information 36-40


Receiving FICON Alerts 36-41
Displaying FICON Port Address Information 36-41
Displaying IPL File Information 36-41
Viewing the History Buffer 36-41
Default Settings 36-42

CHAPTER 37 Advanced Features and Concepts 37-1

Common Information Model 37-1


SSL Certificate Requirements and Format 37-1

Fibre Channel Time Out Values 37-2


Timer Configuration Across All VSANs 37-2
Timer Configuration Per-VSAN 37-3


About fctimer Distribution 37-4


Enabling or Disabling fctimer Distribution 37-4
Database Merge Guidelines 37-5
World Wide Names 37-5
Displaying WWN Information 37-6
Link Initialization WWN Usage 37-6
Configuring a Secondary MAC Address 37-6

FC ID Allocation for HBAs 37-7


Default Company ID list 37-8
Verifying the Company ID Configuration 37-8

Switch Interoperability 37-8


About Interop Mode 37-9
Configuring Interop Mode 1 37-11
Verifying Interoperating Status 37-12
Default Settings 37-13

PART 5 Security

CHAPTER 38 Configuring FIPS 38-1

Configuration Guidelines 38-1

Enabling FIPS Mode 38-2

FIPS Self-Tests 38-3

CHAPTER 39 Configuring Users and Common Roles 39-1

Role-Based Authorization 39-1


About Roles 39-2
Configuring Roles and Profiles 39-2
Deleting Common Roles 39-3
About the VSAN Policy 39-3
Modifying the VSAN Policy 39-4
About Rules and Features for Each Role 39-4
Modifying Rules 39-5
Displaying Role-Based Information 39-7
Role Distributions 39-7
About Role Databases 39-7
Locking the Fabric 39-8
Committing the Changes 39-8
Discarding the Changes 39-9


Enabling Distribution 39-9


Clearing Sessions 39-9
Database Merge Guidelines 39-10
Displaying Roles When Distribution is Enabled 39-10

User Accounts 39-10


About Users 39-11
Configuring Users 39-12
Changing Administrator Password using Fabric Manager 39-13
Deleting a User 39-15
Displaying User Account Information 39-15
SSH Services 39-15
About SSH 39-16
About the SSH Server Key Pair 39-16
Generating the SSH Server Key Pair 39-17
Overwriting a Generated Key Pair 39-18
Enabling SSH or Telnet Service 39-18
SSH Authentication Using Digital Certificates 39-19
Creating or Updating Users 39-19
Recovering the Administrator Password 39-20

Configuring Cisco ACS Servers 39-21

Default Settings 39-24

CHAPTER 40 Configuring SNMP 40-1

About SNMP Security 40-1


SNMP Version 1 and Version 2c 40-2
SNMP Version 3 40-2
Assigning SNMP Switch Contact and Location Information 40-2
SNMPv3 CLI User Management and AAA Integration 40-2
CLI and SNMP User Synchronization 40-3
Restricting Switch Access 40-3
Group-Based SNMP Access 40-3
Creating and Modifying Users 40-4
About AES Encryption-Based Privacy 40-4
Enforcing SNMPv3 Message Encryption 40-5
Assigning SNMPv3 Users to Multiple Roles 40-6
Adding Communities 40-7
Deleting a Community String 40-7
SNMP Trap and Inform Notifications 40-8
Configuring SNMPv2c Notifications 40-8


Configuring SNMPv3 Notifications 40-9


Enabling SNMP Notifications 40-9
Configuring the Notification Target User 40-11
Configuring Event Security 40-11
Viewing the SNMP Events Log 40-12
Default Settings 40-12

CHAPTER 41 Configuring RADIUS and TACACS+ 41-1

Switch Management Security 41-1


Fabric Manager Security Options 41-2
SNMP Security Options 41-2
Switch AAA 41-2
Authentication 41-3
Authorization 41-3
Accounting 41-3
Remote AAA Services 41-4
Remote Authentication Guidelines 41-4
Server Groups 41-4
AAA Configuration Options 41-4
AAA Server Monitoring 41-5
Authentication and Authorization Process 41-6

Configuring RADIUS Server Monitoring Parameters 41-7


About RADIUS Server Default Configuration 41-8
About the Default RADIUS Server Encryption Type and Preshared Key 41-8
Configuring the Default RADIUS Server Encryption Type and Preshared Key 41-8
Setting the Default RADIUS Server Timeout Interval and Retransmits 41-9
About RADIUS Servers 41-9
Configuring a RADIUS Server 41-10
Configuring the Test Idle Timer 41-11
Configuring Test User Name 41-11
About Validating a RADIUS Server 41-11
Periodically Validating a RADIUS Server 41-11
Displaying RADIUS Server Statistics 41-12
About Users Specifying a RADIUS Server at Login 41-12
Allowing Users to Specify a RADIUS Server at Login 41-12
About Vendor-Specific Attributes 41-13
VSA Format 41-13
Specifying SNMPv3 on AAA Servers 41-13
Configuring TACACS+ Server Monitoring Parameters 41-14


About TACACS+ 41-14


About TACACS+ Server Default Configuration 41-14
About the Default TACACS+ Server Encryption Type and Preshared Key 41-15
Setting the Default TACACS+ Server Encryption Type and Preshared Key 41-15
Setting the Default TACACS+ Server Timeout Interval and Retransmits 41-15
About TACACS+ Servers 41-16
Configuring a TACACS+ Server 41-16
About Validating a TACACS+ Server 41-17
Periodically Validating a TACACS+ Server 41-18
Displaying TACACS+ Server Statistics 41-18
About Users Specifying a TACACS+ Server at Login 41-18
Allowing Users to Specify a TACACS+ Server at Login 41-18
About Custom Attributes for Roles 41-19
Supported TACACS+ Servers 41-19
Server Groups 41-19
About Configuring Server Groups 41-20
Configuring Server Groups 41-20
About Bypassing a Nonresponsive Server 41-21

AAA Server Distribution 41-21


Enabling AAA Server Distribution 41-22
Starting a Distribution Session on a Switch 41-22
Displaying the Session Status 41-23
Displaying the Configuration to be Distributed 41-23
Committing the Distribution 41-23
Discarding the Distribution Session 41-23
Clearing Sessions 41-24
Merge Guidelines for RADIUS and TACACS+ Configurations 41-24

MSCHAP Authentication 41-24


About Enabling MSCHAP 41-25
Enabling MSCHAP Authentication 41-25

Local AAA Services 41-26

Configuring Cisco Access Control Servers 41-26

Default Settings 41-30

CHAPTER 42 Configuring IPv4 and IPv6 Access Control Lists 42-1

IPv4-ACL and IPv6-ACL Configuration Guidelines 42-2

About Filter Contents 42-2


Protocol Information 42-2
Address Information 42-3


Port Information 42-3


ICMP Information 42-4
ToS Information 42-5
Creating IPv4-ACLs or IPv6-ACLs with the IP-ACL Wizard 42-5
Creating IPv4-ACLs or IPv6-ACLs in Device Manager 42-6
Removing IP Filters from an Existing IPv4-ACL or IPv6-ACL 42-8
Deleting IP-ACLs 42-9
Reading the IP-ACL Log Dump 42-9

Applying an IP-ACL to an Interface 42-10


Applying an IP-ACL to mgmt0 42-11

Example IP-ACL Configuration 42-12

CHAPTER 43 Configuring Certificate Authorities and Digital Certificates 43-1

About CAs and Digital Certificates 43-1


Purpose of CAs and Digital Certificates 43-2
Trust Model, Trust Points, and Identity CAs 43-2
RSA Key-Pairs and Identity Certificates 43-2
Multiple Trusted CA Support 43-3
PKI Enrollment Support 43-4
Manual Enrollment Using Cut-and-Paste Method 43-4
Multiple RSA Key-Pair and Identity CA Support 43-4
Peer Certificate Verification 43-5
CRL Downloading, Caching, and Checking Support 43-5
OCSP Support 43-5
Import and Export Support for Certificates and Associated Key Pairs 43-5

Configuring CAs and Digital Certificates 43-6


Configuring the Host Name and IP Domain Name 43-6
Generating an RSA Key-Pair 43-6
Creating a Trust Point CA Association 43-8
Copying Files to Bootflash 43-9
Authenticating the CA 43-10
Confirming CA Authentication 43-11
Configuring Certificate Revocation Checking Methods 43-12
Generating Certificate Requests 43-12
Installing Identity Certificates 43-13
Saving Your Configuration 43-13
Ensuring Trust Point Configurations Persist Across Reboots 43-14
Monitoring and Maintaining CA and Certificates Configuration 43-14
Exporting and Importing Identity Information in PKCS#12 Format 43-14


Configuring a CRL 43-15


Deleting Certificates from the CA Configuration 43-16
Deleting RSA Key-Pairs from Your Switch 43-16
Example Configurations 43-17
Configuring Certificates on the MDS Switch 43-17
Downloading a CA Certificate 43-19
Requesting an Identity Certificate 43-24
Revoking a Certificate 43-30
Generating and Publishing the CRL 43-33
Downloading the CRL 43-34
Importing the CRL 43-36
Maximum Limits 43-36

Default Settings 43-37

CHAPTER 44 Configuring IPsec Network Security 44-1

About IPsec 44-2

About IKE 44-3

IPsec Prerequisites 44-3

Using IPsec 44-4


IPsec Compatibility 44-4
IPsec and IKE Terminology 44-5
Supported IPsec Transforms and Algorithms 44-6
Supported IKE Transforms and Algorithms 44-6
IPsec Digital Certificate Support 44-7
Implementing IPsec Without CAs and Digital Certificates 44-7
Implementing IPsec with CAs and Digital Certificates 44-8
How CA Certificates Are Used by IPsec Devices 44-9
Configuring IPsec Using FCIP Wizard 44-10

Manually Configuring IPsec and IKE 44-13


About IKE Initialization 44-13
About the IKE Domain 44-13
About IKE Tunnels 44-13
About IKE Policy Negotiation 44-14
Configuring an IKE Policy 44-15
Optional IKE Parameter Configuration 44-16
Configuring the Keepalive Time for a Peer 44-17
Configuring the Initiator Version 44-18
Clearing IKE Tunnels or Domains 44-20


Refreshing SAs 44-20

Crypto IPv4-ACLs 44-21


About Crypto IPv4-ACLs 44-22
Crypto IPv4-ACL Guidelines 44-22
Mirror Image Crypto IPv4-ACLs 44-24
The any Keyword in Crypto IPv4-ACLs 44-25
Creating Crypto IPv4-ACLs 44-25
About Transform Sets in IPsec 44-25
Configuring Transform Sets 44-26
About Crypto Map Entries 44-28
SA Establishment Between Peers 44-28
Crypto Map Configuration Guidelines 44-29
Creating Crypto Map Entries 44-29
About SA Lifetime Negotiation 44-30
Setting the SA Lifetime 44-31
About the AutoPeer Option 44-32
Configuring the AutoPeer Option 44-33
About Perfect Forward Secrecy 44-34
Configuring Perfect Forward Secrecy 44-35
About Crypto Map Set Application 44-36
Applying a Crypto Map Set 44-36
IPsec Maintenance 44-37

Global Lifetime Values 44-37

Default Settings 44-39

CHAPTER 45 Configuring FC-SP and DHCHAP 45-1

About Fabric Authentication 45-1


DHCHAP 45-2
DHCHAP Compatibility with Existing Cisco MDS Features 45-3
About Enabling DHCHAP 45-4
Enabling DHCHAP 45-4
About DHCHAP Authentication Modes 45-5
Configuring the DHCHAP Mode 45-5
About the DHCHAP Hash Algorithm 45-6
Configuring the DHCHAP Hash Algorithm 45-6
About the DHCHAP Group Settings 45-7
Configuring the DHCHAP Group Settings 45-7
About the DHCHAP Password 45-7
Configuring DHCHAP Passwords for the Local Switch 45-8


About Password Configuration for Remote Devices 45-8


Configuring DHCHAP Passwords for Remote Devices 45-8
About the DHCHAP Timeout Value 45-9
Configuring the DHCHAP Timeout Value 45-9
Configuring DHCHAP AAA Authentication 45-10
Enabling FC-SP on ISLs 45-10
Default Settings 45-10

CHAPTER 46 Configuring Port Security 46-1

About Port Security 46-1


Port Security Enforcement 46-2
About Auto-Learning 46-2
Port Security Activation 46-3
Port Security Configuration Guidelines 46-3
Configuring Port Security with Auto-Learning and CFS Distribution 46-3
Configuring Port Security with Auto-Learning without CFS 46-4
Configuring Port Security with Manual Database Configuration 46-4
Configuring Port Security Using Wizard 46-5
Prerequisites 46-5
Enabling Port Security 46-8

Port Security Activation 46-9

Activating Port Security 46-9


Database Activation Rejection 46-10
Forcing Port Security Activation 46-10
Database Reactivation 46-11
Copying an Active Database to the Config Database 46-11
Displaying Activated Port Security Settings 46-12
Displaying Port Security Statistics 46-12
Displaying Port Security Violations 46-12
Auto-learning 46-12
About Enabling Auto-learning 46-13
Enabling Auto-learning 46-13
Disabling Auto-learning 46-13
Auto-Learning Device Authorization 46-14
Authorization Scenarios 46-14
Port Security Manual Configuration 46-15
About WWN Identification 46-16
Adding Authorized Port Pairs 46-16
Deleting Port Security Setting 46-17


Port Security Configuration Distribution 46-17


Enabling Distribution 46-18
Locking the Fabric 46-18
Committing the Changes 46-19
Activation and Auto-learning Configuration Distribution 46-19

Database Merge Guidelines 46-20

Database Interaction 46-20


Database Scenarios 46-21
Port Security Database Copy 46-22
Port Security Database Deletion 46-22
Port Security Database Cleanup 46-23
Default Settings 46-23

CHAPTER 47 Configuring Fabric Binding 47-1

About Fabric Binding 47-1


Licensing Requirements 47-1
Port Security Versus Fabric Binding 47-1
Fabric Binding Enforcement 47-2
Fabric Binding Configuration 47-3
Enabling Fabric Binding 47-3
Configuring Switch WWN List 47-3
Fabric Binding Activation 47-4
Forcing Fabric Binding Activation 47-5
Saving Fabric Binding Configurations 47-5
Clearing the Fabric Binding Statistics 47-6
Deleting the Fabric Binding Database 47-6
Verifying Fabric Binding Configurations 47-6
Default Settings 47-9

PART 6 IP Services

CHAPTER 48 Configuring FCIP 48-1

About FCIP 48-1


FCIP Concepts 48-2
FCIP and VE Ports 48-2
FCIP Links 48-3
FCIP Profiles 48-4
FCIP Interfaces 48-4
FCIP High-Availability Solutions 48-4


Fibre Channel PortChannels 48-5


FSPF 48-5
VRRP 48-6
Ethernet PortChannels 48-6
Ethernet PortChannels and Fibre Channel PortChannels 48-7

Configuring FCIP 48-7


Enabling FCIP 48-8
Using the FCIP Wizard 48-8
Basic FCIP Configuration 48-15
Creating FCIP Profiles 48-15
Creating FCIP Links 48-16
Verifying Interfaces and Extended Link Protocol 48-16
Checking Trunk Status 48-17
Launching Cisco Transport Controller 48-17
Advanced FCIP Profile Configuration 48-18
Configuring TCP Parameters 48-19
Advanced FCIP Interface Configuration 48-21
Configuring Peers 48-22
Peer IP Address 48-22
Active Connections 48-25
Number of TCP Connections 48-25
Time Stamp Control 48-25
FCIP B Port Interoperability Mode 48-25
Quality of Service 48-28
Configuring E Ports 48-28
Advanced FCIP Features 48-29
FCIP Write Acceleration 48-29
Configuring FCIP Write Acceleration 48-31
FCIP Tape Acceleration 48-32
Configuring FCIP Tape Acceleration 48-36
FCIP Compression 48-37
Default Settings 48-38

CHAPTER 49 Configuring the SAN Extension Tuner 49-1

About the SAN Extension Tuner 49-1


SAN Extension Tuner Setup 49-2
Data Pattern 49-3
License Prerequisites 49-3


Configuring the SAN Extension Tuner 49-3


Tuning the FCIP Link 49-4
Using the SAN Extension Tuner Wizard 49-4

Default Settings 49-7

CHAPTER 50 Configuring iSCSI 50-1

About iSCSI 50-1


About iSCSI Configuration Limits 50-4

Configuring iSCSI 50-4


Enabling iSCSI 50-4
Creating iSCSI Interfaces 50-5
Using the iSCSI Wizard 50-5
Presenting Fibre Channel Targets as iSCSI Targets 50-7
Dynamic Mapping 50-8
Static Mapping 50-10
iSCSI Virtual Target Configuration Examples 50-12
Presenting iSCSI Hosts as Virtual Fibre Channel Hosts 50-14
Initiator Identification 50-14
Initiator Presentation Modes 50-14
VSAN Membership for iSCSI 50-22
Example of VSAN Membership for iSCSI Devices 50-23
Advanced VSAN Membership for iSCSI Hosts 50-24
iSCSI Access Control 50-24
Fibre Channel Zoning-Based Access Control 50-25
iSCSI-Based Access Control 50-26
Enforcing Access Control 50-27
iSCSI Session Authentication 50-28
Authentication Mechanism 50-29
Local Authentication 50-30
Restricting iSCSI Initiator Authentication 50-30
Mutual CHAP Authentication 50-30
Configuring an iSCSI RADIUS Server 50-31
iSCSI Immediate Data and Unsolicited Data Features 50-31
iSCSI Interface Advanced Features 50-32
iSCSI Listener Port 50-32
TCP Tuning Parameters 50-32
QoS 50-32
iSCSI Routing Modes 50-33
Configuring iSLB 50-35


About iSLB Configuration Limits 50-36


iSLB Configuration Prerequisites 50-36
About iSLB Initiators 50-37
Configuring iSLB Using Device Manager 50-37
Configuring iSLB Initiators 50-39
Assigning WWNs to iSLB Initiators 50-39
Making the Dynamic iSLB Initiator WWN Mapping Static 50-40
Assigning VSAN Membership for iSLB Initiators 50-40
Configuring Metric for Load Balancing 50-40
Configuring iSLB Initiator Targets 50-41
Configuring and Activating Zones for iSLB Initiators and Initiator Targets 50-42
Configuring iSLB Session Authentication 50-43
About Load Balancing Using VRRP 50-43
Changing iSCSI Interface Parameters and the Impact on Load Balancing 50-45
VRRP Load Balancing Algorithm For Selecting Gigabit Ethernet Interfaces 50-45
Configuring Load Balancing Using VRRP 50-45
About iSLB Configuration Distribution Using CFS 50-46
Distributing the iSLB Configuration Using CFS 50-47
Enabling iSLB Configuration Distribution 50-47
Locking the Fabric 50-48
Committing Changes to the Fabric 50-48
Discarding Pending Changes 50-48
Clearing a Fabric Lock 50-49
CFS Merge Process 50-49
iSLB CFS Merge Status Conflicts 50-49
iSCSI High Availability 50-50
Transparent Target Failover 50-50
iSCSI High Availability with Host Running Multi-Path Software 50-50
iSCSI HA with Host Not Having Any Multi-Path Software 50-51
LUN Trespass for Storage Port Failover 50-53
Multiple IPS Ports Connected to the Same IP Network 50-53
VRRP-Based High Availability 50-54
Ethernet PortChannel-Based High Availability 50-55
iSCSI Authentication Setup Guidelines and Scenarios 50-56
No Authentication 50-56
CHAP with Local Password Database 50-57
CHAP with External RADIUS Server 50-57
iSCSI Transparent Mode Initiator 50-58
Target Storage Device Requiring LUN Mapping 50-62

iSNS 50-67
About iSNS Client Functionality 50-67
Creating an iSNS Client Profile 50-68
About iSNS Server Functionality 50-69
Example Scenario 50-70
Configuring iSNS Servers 50-71
Enabling the iSNS Server 50-71
iSNS Configuration Distribution 50-71
Configuring the ESI Retry Count 50-72
Configuring the Registration Period 50-72
iSNS Client Registration and Deregistration 50-72
Target Discovery 50-72
iSNS Cloud Discovery 50-73
About Cloud Discovery 50-73
Configuring iSNS Cloud Discovery 50-74
Enabling iSNS Cloud Discovery 50-74
Initiating On-Demand iSNS Cloud Discovery 50-74
Configuring Automatic iSNS Cloud Discovery 50-75
Configuring iSNS Cloud Discovery Distribution 50-75
Default Settings 50-75

CHAPTER 51 Configuring IP Services 51-1

Traffic Management Services 51-2

Management Interface Configuration 51-2

Default Gateway 51-3


About the Default Gateway 51-3
Configuring the Default Gateway 51-3
IPv4 Default Network Configuration 51-4

IPFC 51-5
IPFC Configuration Guidelines 51-5

IPv4 Static Routes 51-5

Overlay VSANs 51-6


About Overlay VSANs 51-6
Configuring Overlay VSANs 51-6
Multiple VSAN Configuration 51-7

Virtual Router Redundancy Protocol 51-8


About VRRP 51-9
Configuring VRRP 51-10

Adding and Deleting Virtual Router 51-10


Virtual Router Initiation 51-11
Adding Virtual Router IP Addresses 51-11
Setting the Priority for the Virtual Router 51-11
Setting the Time Interval for Advertisement Packets 51-11
Configuring or Enabling Priority Preemption 51-11
Setting Virtual Router Authentication 51-12
Tracking the Interface Priority 51-12
DNS Server Configuration 51-12

Default Settings 51-13

CHAPTER 52 Configuring IP Storage 52-1

Services Modules 52-1


Module Status Verification 52-2
IPS Module Upgrade 52-3
MPS-14/2 Module Upgrade 52-3
Supported Hardware 52-3

Configuring Gigabit Ethernet Interfaces for IPv4 52-4


Basic Gigabit Ethernet Configuration 52-4
Configuring Interface Descriptions 52-5
Configuring Beacon Mode 52-5
Configuring Autonegotiation 52-5
Configuring the MTU Frame Size 52-5
Configuring Promiscuous Mode 52-6
About VLANs for Gigabit Ethernet 52-6
Interface Subnet Requirements 52-6
Verifying Gigabit Ethernet Connectivity 52-7
Gigabit Ethernet IPv4-ACL Guidelines 52-7
Configuring Gigabit Ethernet High Availability 52-8
VRRP for iSCSI and FCIP Services 52-8
Configuring VRRP for Gigabit Ethernet Interfaces 52-9
About Ethernet PortChannel Aggregation 52-9
Configuring Ethernet PortChannels 52-10
Configuring CDP 52-10

Default Settings 52-10

CHAPTER 53 Configuring IPv4 for Gigabit Ethernet Interfaces 53-1

About IPv4 53-1

Basic Gigabit Ethernet Configuration for IPv4 53-2


Configuring Interface Descriptions 53-3
Configuring Beacon Mode 53-3
Configuring Autonegotiation 53-3
Configuring the MTU Frame Size 53-3
Configuring Promiscuous Mode 53-4
VLANs 53-4
About VLANs for Gigabit Ethernet 53-4
Configuring the VLAN Subinterface 53-5
Interface Subnet Requirements 53-5
IPv4-ACLs 53-6
Gigabit Ethernet IPv4-ACL Guidelines 53-6

Default Settings 53-6

CHAPTER 54 Configuring IPv6 for Gigabit Ethernet Interfaces 54-1

About IPv6 54-1


Extended IPv6 Address Space for Unique Addresses 54-2
IPv6 Address Formats 54-2
IPv6 Address Prefix Format 54-3
IPv6 Address Type: Unicast 54-3
Global Addresses 54-3
Link-Local Address 54-4
IPv6 Address Type: Multicast 54-5
ICMP for IPv6 54-6
Path MTU Discovery for IPv6 54-7
IPv6 Neighbor Discovery 54-7
IPv6 Neighbor Solicitation and Advertisement Messages 54-7
Router Discovery 54-9
IPv6 Stateless Autoconfiguration 54-9
Dual IPv4 and IPv6 Protocol Stacks 54-10
Configuring Basic Connectivity for IPv6 54-11
Configuring IPv6 Addressing and Enabling IPv6 Routing 54-11
Configuring IPv4 and IPv6 Protocol Addresses 54-13
Configuring IPv6 Static Routes 54-13
Configuring an IPv6 Static Route 54-13
Gigabit Ethernet IPv6-ACL Guidelines 54-14

Transitioning from IPv4 to IPv6 54-15

Default Settings 54-15

PART 7 Intelligent Storage Services

CHAPTER 55 Configuring SCSI Flow Services and Statistics 55-1

SCSI Flow Services 55-1


About SCSI Flow Services 55-1
SCSI Flow Manager 55-2
SCSI Flow Configuration Client 55-3
SCSI Flow Data Path Support 55-3
Configuring SCSI Flow Services 55-3
Enabling Intelligent Storage Services 55-3
Disabling Intelligent Storage Services 55-6
SCSI Flow Statistics 55-6
About SCSI Flow Statistics 55-6
Configuring SCSI Flow Statistics 55-7
Enabling SCSI Flow Statistics 55-7
Clearing SCSI Flow Statistics 55-8
Default Settings 55-8

CHAPTER 56 Configuring Fibre Channel Write Acceleration 56-1

Fibre Channel Write Acceleration 56-1


About Fibre Channel Write Acceleration 56-1
Enabling Fibre Channel Write Acceleration 56-2
Default Settings 56-3

PART 8 Network and Switch Monitoring

CHAPTER 57 Network Monitoring 57-1

SAN Discovery and Topology Mapping 57-1


Device Discovery 57-1
Topology Mapping 57-2
Using the Topology Map 57-2
Saving a Customized Topology Map Layout 57-2
Using Enclosures with Fabric Manager Topology Maps 57-3
Mapping Multiple Fabrics 57-3
Inventory Management 57-3
Using the Inventory Tab from Fabric Manager Web Server 57-4
Viewing Logs from Device Manager 57-4
Health and Event Monitoring 57-4

Fabric Manager Events Tab 57-5


Event Information in Fabric Manager Web Server Reports 57-5
Events in Device Manager 57-5

CHAPTER 58 Performance Monitoring 58-1

Real-Time Performance Monitoring 58-1


Device Manager Real-Time Performance Monitoring 58-1
Fabric Manager Real-Time ISL Statistics 58-3
Historical Performance Monitoring 58-4
Creating a Flow with Performance Manager 58-4
Creating a Collection with Performance Manager 58-4
Using Performance Thresholds 58-4
Using the Performance Manager Configuration Wizard 58-5
Viewing Performance Manager Reports 58-5
Performance Summary 58-6
Performance Tables and Details Graphs 58-6
Viewing Performance of Host-Optimized Port Groups 58-6
Viewing Performance Manager Events 58-6
Generating Top10 Reports in Performance Manager 58-7
Generating Top10 Reports Using Scripts 58-7
Exporting Data Collections to XML Files 58-7
Exporting Data Collections in Readable Format 58-8
Configuring Performance Manager for Use with Cisco Traffic Analyzer 58-9

CHAPTER 59 Configuring RMON 59-1

About RMON 59-1


Configuring RMON Using Threshold Manager 59-1
RMON Alarm Configuration 59-2
Enabling RMON Alarms by Port 59-3
Enabling 32-Bit and 64-Bit Alarms 59-4

Create RMON Alarms in Fabric Manager 59-6


Enabling 32-bit RMON Alarms for VSANs 59-9
Enabling 32-Bit and 64-Bit RMON Alarms for Physical Components 59-10
Creating a New RMON from Device Manager Threshold Manager 59-11
Enabling RMON Alarms for VSANs 59-13
Managing RMON Events 59-14
Managing RMON Alarms 59-15
Viewing the RMON Log 59-16
Default Settings 59-16

CHAPTER 60 Monitoring Network Traffic Using SPAN 60-1

About SPAN 60-1

SPAN Sources 60-2


IPS Source Ports 60-3
Allowed Source Interface Types 60-3
VSAN as a Source 60-4
Guidelines to Configure VSANs as a Source 60-4

SPAN Sessions 60-5

Specifying Filters 60-5


Guidelines to Specifying Filters 60-5

SD Port Characteristics 60-5


Guidelines to Configure SPAN 60-6

Configuring SPAN 60-6


Configuring SPAN 60-6
Configuring SPAN max-queued-packets 60-7
Creating SPAN Sessions 60-7
Editing SPAN Sources 60-8
Deleting SPAN Sessions 60-9
SPAN Conversion Behavior 60-9
Monitoring Traffic Using Fibre Channel Analyzers 60-10
Without SPAN 60-10
With SPAN 60-11
Configuring Fibre Channel Analyzers Using SPAN 60-12
Single SD Port to Monitor Traffic 60-12
Default SPAN Settings 60-13

CHAPTER 61 Configuring System Message Logging 61-1


About System Message Logging 61-1

System Message Logging Configuration 61-3


Message Logging Initiation 61-3
Console Severity Level 61-4
Module Logging 61-5
Log Files 61-6
System Message Logging Servers 61-7
Verifying Syslog Servers from Fabric Manager Web Server 61-10
Outgoing System Message Logging Server Facilities 61-10
Viewing Logs from Fabric Manager Web Server 61-11
Viewing Logs from Device Manager 61-11

Default Settings 61-11

CHAPTER 62 Configuring Call Home 62-1

Call Home Features 62-2

About Smart Call Home 62-2

Obtaining Smart Call Home 62-5

Configuring Call Home 62-5

Configuring Contact Information 62-6

Destination Profiles 62-7

Alert Groups 62-9

Customized Alert Group Messages 62-10


Customizing Alert Group Messages Using Fabric Manager 62-10

Call Home Message Level Feature 62-11


Setting the Call Home Message Levels Using Fabric Manager 62-11

Syslog-Based Alerts 62-12


Configuring Syslog-Based Alerts Using Fabric Manager 62-12

RMON-Based Alerts 62-13


Configuring RMON Alerts Using Fabric Manager 62-13

E-Mail Options 62-14


Configuring General E-Mail Options Using Fabric Manager 62-14
Configuring HTTPS Support 62-15
Periodic Inventory Notification 62-15
Enabling Periodic Inventory Notifications Using Fabric Manager 62-15
Duplicate Message Throttle 62-16
Enabling Message Throttling Using Fabric Manager 62-16

Call Home Enable Function 62-17


Enabling Call Home Using Fabric Manager 62-17

Call Home Configuration Distribution 62-18


Enabling Call Home Fabric Distribution Using Fabric Manager 62-18
Fabric Lock Override 62-19
Database Merge Guidelines 62-19
Call Home Communications Test 62-19
Testing Call Home Using Fabric Manager 62-19
Clearing Call Home Name Server Database 62-20

Configuring EMC E-mail Home Delayed Traps 62-21


Configuring Delayed Traps Using Cisco Fabric Manager 62-21
Enabling Delayed Traps Using Cisco Device Manager 62-23

Sample Syslog Alert Notification in Full-txt Format 62-24

Sample Syslog Alert Notification in XML Format 62-24

Sample RMON Notification in XML Format 62-28

Event Triggers 62-30

Call Home Message Levels 62-32

Message Contents 62-33

Default Settings 62-40

CHAPTER 63 Configuring Fabric Configuration Servers 63-1

About FCS 63-1


Significance of FCS 63-2

Displaying FCS Discovery 63-3

Displaying FCS Elements 63-3

Creating an FCS Platform 63-4

Displaying FCS Fabric Ports 63-5

Default Settings 63-6

PART 9 Traffic Management

CHAPTER 64 Configuring Fabric Congestion Control and QoS 64-1

FCC 64-1
About FCC 64-1
FCC Process 64-2
Enabling FCC 64-2
Assigning FCC Priority 64-3

QoS 64-3
About Control Traffic 64-3
Enabling or Disabling Control Traffic 64-4
About Data Traffic 64-4
VSAN Versus Zone-Based QoS 64-5
Configuring Data Traffic 64-6
About Class Map Creation 64-6
Creating a Class Map 64-7
About Service Policy Definition 64-8
About Service Policy Enforcement 64-8
About the DWRR Traffic Scheduler Queue 64-8
Changing the Weight in a DWRR Queue 64-9
Example Configuration 64-10

Ingress Port Rate Limiting 64-11

Default Settings 64-12

CHAPTER 65 Configuring Port Tracking 65-1

About Port Tracking 65-1

Port Tracking 65-2


About Port Tracking 65-2
Enabling Port Tracking 65-3
About Configuring Linked Ports 65-3
Operationally Binding a Tracked Port 65-3
About Tracking Multiple Ports 65-5
Tracking Multiple Ports 65-5
About Monitoring Ports in a VSAN 65-6
Monitoring Ports in a VSAN 65-6
About Forceful Shutdown 65-6
Forcefully Shutting Down a Tracked Port 65-6
Default Port Tracking Settings 65-6

PART 10 Troubleshooting

CHAPTER 66 Troubleshooting Your Fabric 66-1

Troubleshooting Tools and Techniques 66-1


Cisco Traffic Analyzer 66-2
Cisco Protocol Analyzer 66-3
Analyzing Switch Device Health 66-3

Analyzing Switch Fabric Configuration 66-4

Analyzing End-to-End Connectivity 66-5


Using the Ping Tool (fcping) 66-7

Using Traceroute (fctrace) and Other Troubleshooting Tools 66-7

Analyzing the Results of Merging Zones 66-8

Using the Show Tech Support Command 66-9

Running CLI Commands 66-10


Adjusting for Daylight Savings Time 66-12

Locating Other Switches 66-12

Getting Oversubscription Information in Device Manager 66-14

Fibre Channel Time Out Values 66-14


Timer Configuration Across All VSANs 66-15

Timer Configuration Per-VSAN 66-16

Configuring a Fabric Analyzer 66-17


About the Cisco Fabric Analyzer 66-17
Local Text-Based Capture 66-18
Remote Capture Daemon 66-18
GUI-Based Client 66-19
Configuring the Cisco Fabric Analyzer 66-19
Sending Captures to Remote IP Addresses 66-20
Displaying Captured Frames 66-20
Defining Display Filters 66-21
Capture Filters 66-21
Permitted Capture Filters 66-22
Configuring World Wide Names 66-23
Link Initialization WWN Usage 66-23
Configuring a Secondary MAC Address 66-23
Displaying WWN Information 66-24
FC ID Allocation for HBAs 66-24

Default Settings 66-25

CHAPTER 67 Management Software FAQ 67-1

Installation Issues 67-3


When installing Fabric Manager from Windows, why does clicking install fail? 67-3
Why do I have trouble launching Fabric Manager on Solaris? 67-3
What do I do if my browser prompts to save JNLP files? 67-3
What do I do if I see a "Java Web Start not detected" error? 67-4
What do I do if my desktop shortcuts are not visible? 67-4
How do I upgrade to a newer version of Fabric Manager or Device Manager? 67-4
How do I downgrade Fabric Manager or Device Manager? 67-4
What do I do if an upgrade is not working? 67-4
What do I do if Java Web Start hangs on the download dialog? 67-5
How do I manually configure a browser for Java Web Start? 67-5
How do I run Java Web Start from the command line? 67-5
How do I clear the Java Web Start cache? 67-6
What do I do if during a Fabric Manager upgrade, the installer doesn't display a prompt to create a shortcut? 67-6
What do I do if my login does not work in Fabric Manager or Device Manager? 67-6
What do I do if I cannot install Fabric Manager or Device Manager, or run Java, when pcAnyWhere is running? 67-6

What do I do if the Fabric Manager or Performance Manager service shows up as disabled in the Services menu? 67-6
What do I do if I am unable to install Fabric Manager or Device Manager, or run Java, when McAfee Internet Suite 6.0 Professional is running? 67-7
General 67-7
What do I do if I see errors while monitoring Area chart graphing? 67-7
What do I do if I see "gen error" messages? 67-7
What do I do if disk images in the Device Manager Summary View are not visible? 67-7
What do I do if I am unable to set both the D_S_TOV and E_D_TOV timers in Device Manager? 67-7
What do I do if columns in Device Manager tables are too small? 67-8
What do I do if fabric changes are not propagated onto the map (for example, links don't disappear)? 67-8
What do I do if the PortChannel creation dialog becomes too small after several uses? 67-8
What do I do if I see errors after IPFC configuration? 67-8
What do I do if Fabric Manager or Device Manager is using the wrong network interface? 67-8
What do I do if I see display anomalies in Fabric Manager or Device Manager? 67-8
What do I do if most of my Physical Attributes categories disappear? 67-9
What do I do if I can't see the Information pane? 67-9
Why is the active zone set in edit zone always shown in bold (even after successful activation)? 67-9
Can I create a zone with prefix IVRZ or a zone set with name nozonset? 67-9
What do I do when One-Click License Install fails, and I cannot connect to the Cisco website? 67-9
What do I do when Fabric Manager client and Device Manager cannot connect to the switch? 67-10
How do I increase the log window size in Fabric Manager Client? 67-10
What do I do when the FM Server Database fails to start or has a file locking error? 67-10
How do I re-synchronize Fabric Manager Client with Fabric Manager Server? 67-10
How do I rediscover the current fabric? 67-10
How do I rediscover SCSI Targets? 67-10
Windows Issues 67-11
What do I do when text fields show up too small, and I cannot enter any data? 67-11
What do I do when printing causes an application crash? 67-11
What do I do when Windows XP hangs (or I see a blue screen)? 67-11
What do I do when Fabric Manager and Device Manager Icons Disappear? 67-11
What do I do when Device Manager or Fabric Manager window content disappears in Windows XP? 67-11
What do I do when SCP/SFTP fails when a file is copied from local machine to the switch? 67-12
UNIX Issues 67-12
What do I do when the parent Menus Disappear? 67-12
What do I do when the web browser cannot find the web server even if it is running? 67-12
How do I fix a "too many open files" error? 67-12
Other 67-13

How do I set the map layout so it stays after Fabric Manager is restarted? 67-13
What do I do when two switches show on the map, but there is only one switch? 67-13
What does a red/orange/dotted line through the switch mean? 67-13
How do I upgrade without losing map settings? 67-19
How do I preserve historical data when moving Fabric Manager server to new host? 67-19
Are there restrictions when using Fabric Manager across FCIP? 67-19
How do I fix a "Please insure that FM server is running on localhost" message? 67-20
How do I run Cisco Fabric Manager with multiple interfaces? 67-20
Manually specifying an interface for Fabric Manager Server 67-20
Manually specifying an interface for Fabric Manager Client or Device Manager 67-21
How do I configure an HTTP proxy server? 67-21
How do I clear the topology map? 67-21
How can I use Fabric Manager in a mixed software environment? 67-22
How do I fix a "corrupted jar file" error when Launching Fabric Manager? 67-22
How do I search for Devices in a Fabric? 67-22
How do I search in a table? 67-23
How does Fabric Manager Server licensing work? 67-24
How do I manage Multiple Fabrics? 67-24
How can I clear an Orange X Through a Switch caused by license expiration? 67-24

CHAPTER 68 Monitoring System Processes and Logs 68-1

Displaying System Processes 68-1

Displaying System Status 68-2

Core and Log Files 68-3


Displaying Core Status 68-3
Clearing the Core Directory 68-4
First and Last Core 68-4
First and Last Core Verification 68-5
Online System Health Management 68-5
About Online System Health Management 68-6
Performing Internal Loopback Tests 68-6
Performing External Loopback Tests 68-7
Default Settings 68-7

CHAPTER 69 Fabric Manager Web Services 69-1

About Fabric Manager Web Services 69-1

Web Services Specifications 69-1


XML 69-2
SOAP 69-2

HTTP/HTTPS 69-2
WSDL 69-2
Logon Service 69-2
requestToken 69-2
validateToken 69-3
Authentication or Token 69-3
IdentityManager 69-3
San Service 69-4

Service Endpoint Interface (SEI) 69-4


Methods 69-4
getFabrics 69-4
getFabricByIP 69-4
getFabricByKey 69-4
getFabricBySwitchKey 69-5
getSwitchesByFabric 69-5
getSwitch 69-5
getSwitchByKey 69-6
getSwitchIPByName 69-6
getSwitchIPByKey 69-6
getNeighborSwitches 69-7
getVsans 69-7
getVsan 69-7
getIsls 69-8
discoverFabric 69-8
manageFabric 69-8
unManageFabric 69-9
closeFabric 69-9
purgeFabric 69-9
getEndports 69-10
getEnclosures 69-10
getEndPortByFWwn 69-10
getEndPortByKey 69-10
getEndPortAttachedToSw 69-11
getEnclosureByName 69-11
getEnclosureByKey 69-11
getEnclosureByPWwn 69-12
updateEnclosure 69-12
updateEndportEnclosure 69-12
getHosts 69-13

getHost 69-13
getHostByFabric 69-13
getStorages 69-14
getStorageByFabric 69-14
getHostPorts 69-14
Error Codes 69-15

APPENDIX A Launching Fabric Manager in Cisco SAN-OS Releases Prior to 3.2(1) A-1

Setting the Seed Switch in Cisco SAN-OS Releases 3.1(1) to 3.2(1) A-1

Setting the Seed Switch in Releases Prior to Cisco SAN-OS Release 3.1(1) A-3

APPENDIX B Cisco Fabric Manager Unsupported Feature List B-1

APPENDIX C Interface Nonoperational Reason Codes C-1

APPENDIX D Managing Cisco FabricWare D-1

Fibre Channel Support D-1

Zone Configuration D-2

Security D-2

Events D-2

Managing Cisco FabricWare with Fabric Manager D-3

INDEX


New and Changed Information

This document provides release-specific information for each new and changed feature in Cisco MDS
Fabric Manager Release 4.x software. The Cisco MDS 9000 Family Fabric Manager Configuration
Guide is updated to address each new and changed feature. The latest version of this document is
available at the Cisco MDS 9000 NX-OS Software Configuration Guides website.

Tip The configuration guides created for earlier releases are also listed at the aforementioned website. Each
guide addresses the features introduced or available in those releases. Select and view the configuration
guide pertinent to the software installed in your switch.

To check for additional information about this release, refer to the Cisco MDS 9000 Family Release
Notes available at the Cisco MDS 9000 NX-OS Software Release Notes website.
Table 1 summarizes the new and changed features for the Cisco MDS 9000 Family Fabric Manager
Configuration Guide, and tells you where they are documented. The table includes a brief description of
each new feature and the release in which the change occurred.

Table 1 New and Changed Features for Cisco MDS Fabric Manager Release 4.x

| Feature | GUI Change | Description | Changed in Release | Where Documented |
|---|---|---|---|---|
| Port Guard and Port Owner | New Interface Port Guard tab and updated General tab. | Added port guard and port owner configuration procedures. | 4.1(3a) | Chapter 20, Configuring Interfaces |
| F Port Trunking | Trunking GUI accepts F ports and NP ports. | Added information about configuring F port trunking across the chapter including key concepts, guidelines and restrictions, upgrade and downgrade considerations, trunking and channeling protocols, trunk modes, and allowed VSAN lists. | 4.1(3a) | Chapter 24, Configuring Trunking |
| F and TF PortChanneling | Channel creation dialogs accept F ports and NP ports. | Added information about configuring F and TF PortChannels including guidelines and restrictions, interface addition, and compatibility check. | 4.1(3a) | Chapter 23, Configuring PortChannels |
| SAN virtual device automatic failover and fallback | Create Virtual Device Dialog | Added information about automatic failover and fallback configuration. | 4.1(3a) | Chapter 27, SAN Device Virtualization |
| Table menu enhancements | Table menu enhancements | Added information on changes in Switch Table, ISL Table and End Devices menu options. | 4.1(3a) | Chapter 5, Fabric Manager Client |
| Edit Full Zone Database | Backup and Restore operations | Added information on changes in backup and restore operations. | 4.1(3a) | Chapter 30, Configuring and Managing Zones |
| Flow Configuration Wizard Enhancement | Flow Configuration Wizard Enhancement | Added new screen in the Flow Configuration Wizard. | 4.1(3a) | Chapter 8, Performance Manager |
| Web Client enhancements | Interactive Performance Manager charts display and realtime status. | Changes in charts display and realtime status information. | 4.1(3a) | Chapter 7, Fabric Manager Web Client |
| NX-OS Software | | As of Release 4.1(1a) and later, the MDS SAN-OS software name is changed to MDS NX-OS software. The earlier release names are unchanged and all references are retained. | 4.1(1a) | All chapters |
| Supported Platforms Information and FM Express Install | Installation options and screens | The server platforms supported for Cisco Fabric Manager have been revised in this release. | 4.1(1a) | Chapter 2, Installing Cisco MDS NX-OS and Fabric Manager |
| Server Admin Tool | A perspective view filters out menu items, buttons, tabs, tables, and configuration options that are not relevant to the server admin. | The Server Admin perspective view limits the scope of Fabric Manager to FlexAttach configuration and relevant data. | 4.1(1a) | Chapter 5, Fabric Manager Client |
| Inventory Report Enhancements | SAN Health Report and Template | The FMS inventory switch detail report has been enhanced to include a number of summary statistics useful for creating a more comprehensive SAN health report. | 4.1(1a) | Chapter 7, Fabric Manager Web Client |
| FlexAttach Configuration by Server Administrators | New FlexAttach Pre-Configure Server, Move Server, and Replace Server wizards | Procedures to use the FlexAttach wizards for pre-configuring all or selected ports, moving a server to a different port or switch, and replacing a server in the same or different port or switch. | 4.1(1a) | Chapter 14, Configuring FlexAttach Virtual pWWN |
| IP Static Peers for CFS over IP | New NPV CFS Setup wizard | Added IP static peers configuration steps for CFS distribution over IP. | 4.1(1a) | Chapter 13, Using the CFS Infrastructure |
| SSM Global Upgrade Delay | New SSM Globals tab | Added SSM global upgrade delay timer configuration details. | 4.1(1a) | Chapter 19, Managing Modules |
| Generation 3 48-Port, 24-Port, and 4/44-Port 8-Gbps Fibre Channel modules | New Quick Bandwidth Reservation Configuration window in Device Manager for 8-Gbps modules and the Port Rate Mode Configuration window in Fabric Manager supports 8-Gbps speed modes. | Added configuration guidelines that include port groups, port rate modes, BB_credit buffer allocation, port speed configuration, over-subscription ratio restrictions, combining with earlier generation modules, upgrade and downgrade considerations, crossbar management, port channel interface configuration, example configurations, and default settings. | 4.1(1a) | Chapter 22, Configuring Generation 2 and Generation 3 Switching Modules |
| DPVM Wizard | DPVM Wizard | New screens added. | 4.1(1a) | Chapter 28, Creating Dynamic VSANs |
| Call Home | Delayed Traps for EMC Call Home configuration window in Fabric Manager. | Added the delayed traps enhancements for EMC Call Home. | 4.1(1a) | Chapter 62, Configuring Call Home |
| Performance Manager | Flow Creation Wizard in Fabric Manager. | Added the flow creation wizard for performance manager. | 4.1(1a) | Chapter 8, Performance Manager |
| Configuring NPV Traffic Management | NPV Traffic Map tab, Load Balance tab, and NPV Setup Wizard | New tabs and setup wizard steps are added to map external interfaces to the server interface and to enable disruptive load balancing. | 4.1(1a) | Chapter 21, Configuring N Port Virtualization |
| Configuring SANTap DVT MSM | SANTap DVT MSM tab | New tabs are added to configure SANTap DVT MSM 18+4 and 9222i. | 4.1(1a) | Cisco MDS 9000 Family SANTap Deployment Guide |
| Configuring RMON 32 and 64 bit Alarm | RMON 32 and 64 bit Alarm tab | New tabs are added to configure RMON 32 and 64 bit alarm. | 4.1(1a) | Chapter 59, Configuring RMON |
| Inventory Detail Reports | Summary Report tab. An additional option to see detailed reports in the summary section. | Inventory switch detail report has been enhanced to include a number of summary statistics useful for creating more comprehensive SAN health reports. | 4.1(1a) | Chapter 7, Fabric Manager Web Client |


Preface

This preface describes the audience, organization, and conventions of the Cisco MDS 9000 Family
Configuration Guide. It also provides information on how to obtain related documentation.

Audience
This guide is for experienced network administrators who are responsible for configuring and
maintaining the Cisco MDS 9000 Family of multilayer directors and fabric switches.

Organization
The Cisco MDS 9000 Family Fabric Manager Configuration Guide is organized as follows:

Chapter Title Description


Chapter 1 Product Overview Presents an overview of the Cisco MDS 9000
Family of multilayer switches and directors.
Chapter 2 Installing Cisco MDS NX-OS and Provides a brief overview of Fabric Manager
Fabric Manager components and capabilities, and information
on installation and launching the applications.
Chapter 3 Fabric Manager Server Provides in-depth descriptions of GUI and
capabilities for the Fabric Manager Server.
Chapter 4 Authentication in Fabric Manager Describes the authentication schemes between
Fabric Manager components and fabric
switches.
Chapter 5 Fabric Manager Client Provides in-depth descriptions of GUI and
capabilities for the Fabric Manager.
Chapter 6 Device Manager Provides in-depth descriptions of GUI and
capabilities for the Device Manager.
Chapter 7 Fabric Manager Web Client Provides in-depth descriptions of GUI and
capabilities for the Fabric Manager Web Client.
Chapter 8 Performance Manager Provides overview of Performance Manager
architecture.
Chapter 9 Cisco Traffic Analyzer Describes installing and launching Cisco
Traffic Analyzer from Performance Manager.



Chapter 10 | Obtaining and Installing Licenses | Describes license types, procedure, installation, and management for the Cisco MDS NX-OS software.
Chapter 11 | On-Demand Port Activation Licensing | Describes how to use the on-demand port activation licensing feature on the Cisco MDS 9124 Fabric Switch, the Cisco MDS 9134 Fabric Switch, the Cisco Fabric Switch for HP c-Class BladeSystem, and the Cisco Fabric Switch for IBM BladeCenter.
Chapter 12 | Initial Configuration | Provides initial switch configuration options and switch access information.
Chapter 13 | Using the CFS Infrastructure | Explains the use of the Cisco Fabric Services (CFS) infrastructure to enable efficient database distribution.
Chapter 14 | Configuring FlexAttach Virtual pWWN | The FlexAttach virtual pWWN feature facilitates server and configuration management. In a SAN environment, server installation or replacement requires interaction and coordination among the SAN and server administrators.
Chapter 15 | Software Images | Describes how to install and upgrade software images.
Chapter 16 | Managing Configuration Files | Describes the initial configuration of the switches using the configuration files so they can be accessed by other devices.
Chapter 17 | Configuring High Availability | Describes the high availability feature including switchover mechanisms.
Chapter 18 | Managing System Hardware | Explains switch hardware inventory, power usage, power supply, module temperature, fan and clock modules, and environment information.
Chapter 19 | Managing Modules | Explains how to display and analyze the status of each module and specifies the power on and power off process for modules.
Chapter 20 | Configuring Interfaces | Explains Generation 1 and Generation 2 module port and operational state concepts in Cisco MDS 9000 Family switches and provides details on configuring ports and interfaces.
Chapter 21 | Configuring N Port Virtualization | Provides an overview of N Port Virtualization and includes guidelines and requirements for configuring and verifying NPV.
Chapter 22 | Configuring Generation 2 and Generation 3 Switching Modules | Explains configuration concepts for Generation 2 module ports and interfaces.



Chapter 23 | Configuring PortChannels | Explains PortChannels and load balancing concepts and provides details on configuring PortChannels, adding ports to PortChannels, and deleting ports from PortChannels.
Chapter 24 | Configuring Trunking | Explains TE ports and trunking concepts.
Chapter 25 | Configuring Domain Parameters | Explains the Fibre Channel domain (fcdomain) feature, which includes principal switch selection, domain ID distribution, FC ID allocation, and fabric reconfiguration functions.
Chapter 26 | Configuring and Managing VSANs | Describes how virtual SANs (VSANs) work, explains the concept of default VSANs, isolated VSANs, VSAN IDs, and attributes, and provides details on how to create, delete, and view VSANs.
Chapter 27 | SAN Device Virtualization | Describes how to configure virtual devices to represent physical end devices for switches running Cisco MDS SAN-OS Release 3.1(2) and NX-OS Release 4.1(3).
Chapter 28 | Creating Dynamic VSANs | Defines the Dynamic Port VSAN Membership (DPVM) feature that is used to maintain fabric topology when a host or storage device connection is moved between two Cisco MDS switches.
Chapter 29 | Configuring Inter-VSAN Routing | Provides details on sharing resources across VSANs using the inter-VSAN Routing (IVR) feature.
Chapter 30 | Configuring and Managing Zones | Defines various zoning concepts and provides details on configuring a zone set and zone management features.
Chapter 31 | Distributing Device Alias Services | Describes the use of the Distributed Device Alias Services (device alias) to distribute device alias names on a fabric-wide basis.
Chapter 32 | Configuring Fibre Channel Routing Services and Protocols | Provides details and configuration information on Fibre Channel routing services and protocols.
Chapter 33 | Dense Wavelength Division Multiplexing | Dense Wavelength-Division Multiplexing (DWDM) multiplexes multiple optical carrier signals on a single optical fiber. DWDM uses different wavelengths to carry various signals.
Chapter 34 | Managing FLOGI, Name Server, FDMI, and RSCN Databases | Provides name server and fabric login details required to manage storage devices and display registered state change notification (RSCN) databases.
Chapter 35 | Discovering SCSI Targets | Describes how the SCSI LUN discovery feature is started and displayed.



Chapter 36 | Configuring FICON | Provides details on the FI-bre CON-nection (FICON) interface, fabric binding, and the Registered Link Incident Report (RLIR) capabilities in Cisco MDS switches.
Chapter 37 | Advanced Features and Concepts | Describes the advanced configuration features: time out values, fctrace, fabric analyzer, world wide names, flat FC IDs, loop monitoring, and interoperating switches.
Chapter 38 | Configuring FIPS | Describes the configuration guidelines for FIPS and also how to enable FIPS mode and how to conduct FIPS self-tests.
Chapter 39 | Configuring Users and Common Roles | Describes how to configure users and common roles.
Chapter 40 | Configuring SNMP | Provides details on how you can use SNMP to modify a role that was created using CLI.
Chapter 41 | Configuring RADIUS and TACACS+ | Discusses the AAA parameters, user profiles, and RADIUS authentication security options provided in all switches in the Cisco MDS 9000 Family and provides configuration information for these options.
Chapter 42 | Configuring IPv4 and IPv6 Access Control Lists | Describes the IPv4 static routing feature and its use to route traffic between VSANs.
Chapter 43 | Configuring Certificate Authorities and Digital Certificates | Describes how to interoperate with Certificate Authorities (CAs) and use digital certificates for secure, scalable communication.
Chapter 44 | Configuring IPsec Network Security | Provides details on the digital certificates, IP Security Protocol (IPsec) open standards, and the Internet Key Exchange (IKE) protocol that it uses to handle protocol and algorithm negotiation.
Chapter 45 | Configuring FC-SP and DHCHAP | Describes the DHCHAP protocol, an FC-SP protocol, that provides authentication between Cisco MDS 9000 Family switches and other devices.
Chapter 46 | Configuring Port Security | Provides details on port security features that can prevent unauthorized access to a switch port in the Cisco MDS 9000 Family.
Chapter 47 | Configuring Fabric Binding | Describes the fabric binding security feature for VSANs, which ensures that ISLs are only enabled between specific switches.
Chapter 48 | Configuring FCIP | Describes how the switch allows IP hosts to access Fibre Channel storage using the iSCSI protocol.
Chapter 49 | Configuring the SAN Extension Tuner | Explains the SAN extension tuner (SET) feature that optimizes FCIP performance.



Chapter 50 | Configuring iSCSI | Describes the iSCSI feature that is specific to the IPS module and is available in the Cisco MDS 9200 Switches or Cisco MDS 9500 Directors.
Chapter 51 | Configuring IP Services | Provides details on IP over Fibre Channel (IPFC) services and provides IPFC, virtual router, and DNS server configuration information.
Chapter 52 | Configuring IP Storage | Provides details on extending the reach of Fibre Channel SANs by connecting separated SAN islands together through IP networks using FCIP, and allowing IP hosts to access FC storage using the iSCSI protocol.
Chapter 53 | Configuring IPv4 for Gigabit Ethernet Interfaces | Describes the IPv4 protocol support provided by Cisco MDS 9000 Family switches.
Chapter 54 | Configuring IPv6 for Gigabit Ethernet Interfaces | Describes the IPv6 protocol support provided by Cisco MDS 9000 Family switches.
Chapter 55 | Configuring SCSI Flow Services and Statistics | Describes the SCSI flow services and SCSI flow statistics, the Intelligent Storage Services.
Chapter 56 | Configuring Fibre Channel Write Acceleration | Describes Fibre Channel Write Acceleration support and configuration.
Chapter 57 | Network Monitoring | Describes how to use Fabric Manager monitoring features.
Chapter 58 | Performance Monitoring | Provides details on using Performance Manager.
Chapter 59 | Configuring RMON | Provides details on using RMONs to configure alarms and events.
Chapter 60 | Monitoring Network Traffic Using SPAN | Describes the Switched Port Analyzer (SPAN), SPAN sources, filters, SPAN sessions, SD port characteristics, and configuration details.
Chapter 61 | Configuring System Message Logging | Describes how system message logging is configured and displayed.
Chapter 62 | Configuring Call Home | Provides details on the Call Home service and includes information on Call Home, event triggers, contact information, destination profiles, and e-mail options.
Chapter 54 | Configuring the Embedded Event Manager | Provides information about configuring Embedded Event Manager (EEM).
Chapter 63 | Configuring Fabric Configuration Servers | Describes how the fabric configuration server (FCS) feature is configured and displayed.
Chapter 64 | Configuring Fabric Congestion Control and QoS | Provides details on the quality of service (QoS) and Fibre Channel Congestion Control (FCC) features.



Chapter 65 | Configuring Port Tracking | Provides information about a port tracking feature that provides a faster recovery from link failures.
Chapter 66 | Troubleshooting Your Fabric | Describes basic troubleshooting methods used to resolve issues with switches.
Chapter 67 | Management Software FAQ | Provides answers to some of the most frequently asked questions about Cisco Fabric Manager and Device Manager.
Chapter 68 | Monitoring System Processes and Logs | Provides information on displaying system processes and status. It also provides information on configuring core and log files, HA policy, heartbeat and watchdog checks, and upgrade resets.
Chapter 69 | Fabric Manager Web Services | Provides a list of features and functions supported by Fabric Manager Web Services (FMWS) application program interface (API).
Appendix A | Launching Fabric Manager in Cisco SAN-OS Releases Prior to 3.2(1) | Provides instructions for launching Fabric Manager Client in Cisco SAN-OS releases prior to 3.2(1).
Appendix B | Cisco Fabric Manager Unsupported Feature List | Provides a list of features and functions not supported by Cisco Fabric Manager or Device Manager.
Appendix C | Interface Nonoperational Reason Codes | Provides the nonoperational reason codes for why an interface is up and the operational state is down.
Appendix D | Managing Cisco FabricWare | Provides information on the Cisco FabricWare software running on the MDS 9020 Switch which offers Fibre Channel switching services that realize maximum performance.

Document Conventions
Command descriptions use these conventions:

boldface font | Commands and keywords are in boldface.
italic font | Arguments for which you supply values are in italics.
[ ] | Elements in square brackets are optional.
[x|y|z] | Optional alternative keywords are grouped in brackets and separated by vertical bars.


Screen examples use these conventions:


screen font | Terminal sessions and information the switch displays are in screen font.
boldface screen font | Information you must enter is in boldface screen font.
italic screen font | Arguments for which you supply values are in italic screen font.
< > | Nonprinting characters, such as passwords, are in angle brackets.
[ ] | Default responses to system prompts are in square brackets.
!, # | An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

This document uses the following conventions:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
manual.

Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.

Related Documentation
The documentation set for the Cisco MDS 9000 Family includes the following documents. To find a
document online, use the Cisco MDS NX-OS Documentation Locator at:
http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/roadmaps/doclocater.htm

Release Notes
Cisco MDS 9000 Family Release Notes for Cisco MDS NX-OS Releases
Cisco MDS 9000 Family Release Notes for Storage Services Interface Images
Cisco MDS 9000 Family Release Notes for Cisco MDS 9000 EPLD Images

Regulatory Compliance and Safety Information


Regulatory Compliance and Safety Information for the Cisco MDS 9000 Family

Compatibility Information
Cisco MDS 9000 NX-OS Hardware and Software Compatibility Information
Cisco MDS NX-OS Release Compatibility Matrix for Storage Service Interface Images
Cisco MDS 9000 Family Interoperability Support Matrix


Cisco MDS NX-OS Release Compatibility Matrix for IBM SAN Volume Controller Software for Cisco MDS 9000

Hardware Installation
Cisco MDS 9500 Series Hardware Installation Guide
Cisco MDS 9200 Series Hardware Installation Guide

Software Installation and Upgrade


Cisco MDS 9000 Family Software Upgrade and Downgrade Guide - For Cisco NX-OS
Cisco MDS 9000 Family Storage Services Interface Image Install and Upgrade Guide - For Cisco NX-OS
Cisco MDS 9000 Family Port Analyzer Adapter Installation and Configuration Note

Cisco Fabric Manager


Cisco MDS 9000 Family Fabric Manager Installation and Upgrade Guide
Cisco MDS 9000 Family Fabric Manager Configuration Guide
Cisco MDS 9000 Fabric Manager Online Help
Cisco MDS 9000 Fabric Manager Web Services Online Help

Command-Line Interface
Cisco MDS 9000 Family CLI Configuration Guide
Cisco MDS 9000 Family Command Reference
Cisco MDS 9000 Family SAN Volume Controller Configuration Guide

Intelligent Storage Networking Services Configuration Guides


Cisco MDS 9000 Family SANTap Deployment Guide
Cisco MDS 9000 Family Data Mobility Manager Configuration Guide
Cisco MDS 9000 Family Storage Media Encryption Configuration Guide
Cisco MDS 9000 Family Secure Erase Configuration Guide - For Cisco MDS 9500 and 9200 Series

Troubleshooting and Reference


Cisco MDS 9000 Family Troubleshooting Guide
Cisco MDS 9000 Family MIB Quick Reference


Cisco MDS 9000 Family SMI-S Programming Reference


Cisco MDS 9000 Family System Messages Reference

Obtaining Documentation and Submitting a Service Request


For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What's New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS Version 2.0.


PART 1

Getting Started

CHAPTER 1
Product Overview

The Cisco MDS 9000 Family of multilayer directors and fabric switches offers intelligent
fabric-switching services that realize maximum performance while ensuring high reliability levels. They
combine robust and flexible hardware architecture with multiple layers of network and storage
management intelligence. This powerful combination enables highly available, scalable storage
networks that provide intelligent networking features such as multiprotocol and multitransport
integration, virtual SANs (VSANs), advanced security, sophisticated debug analysis tools, and unified
SAN management.
This chapter lists the hardware features for the Cisco MDS 9000 Family and describes its software
features. It includes the following sections:
- Hardware Overview
- Cisco NX-OS Software Configuration

Hardware Overview
This section provides an overview of the following Cisco MDS 9000 Family of multilayer directors and
fabric switches:
- Cisco MDS 9500 Series multilayer directors
  - Cisco MDS 9513 multilayer director
  - Cisco MDS 9509 multilayer director
  - Cisco MDS 9506 multilayer director
- Cisco MDS 9200 Series fabric switches
  - Cisco MDS 9222i multilayer fabric switch
  - Cisco MDS 9216i multilayer fabric switch
- Cisco MDS 9100 Series fixed configuration fabric switches
  - Cisco MDS 9134 multilayer switch
  - Cisco MDS 9124 multilayer switch
  - Cisco Fabric Switch for HP c-Class BladeSystem
  - Cisco Fabric Switch for IBM BladeCenter


Cisco MDS 9500 Series Multilayer Directors


The Cisco MDS 9500 Series includes the following multilayer, modular directors:
- The Cisco MDS 9513 Director, which has thirteen slots, two of which (slot 7 and slot 8) are reserved for the Supervisor-2 modules, and can accommodate up to eleven hot-pluggable switching or services modules.
- The Cisco MDS 9509 Director, which has nine slots, two of which (slot 5 and slot 6) are reserved for the Supervisor-1 modules or Supervisor-2 modules, and can accommodate up to seven hot-pluggable switching or services modules.
- The Cisco MDS 9506 Director, which has six slots, two of which (slot 5 and slot 6) are reserved for the Supervisor-1 modules or Supervisor-2 modules, and can accommodate up to four hot-pluggable switching or services modules.

Note Cisco MDS NX-OS Release 4.1(1a) and later are not supported on the MDS 9120, 9140, 9216,
9216A switches, and the MDS 9500 Series Directors that include Supervisor 1 modules. You must
replace Supervisor 1 modules with Supervisor 2 modules.
Supervisor-1 modules and Supervisor-2 modules can only operate in the same chassis during
migration.

The two supervisor modules ensure high availability and traffic load balancing capabilities. The standby
supervisor module provides redundancy if the active supervisor module fails. Supervisor-1 modules
provide management access through a 10/100BASE-T Ethernet port switch and an RS-232 serial port.
Supervisor-2 modules provide management access through a 10/100/1000BASE-T Ethernet port switch
and an RS-232 serial port.

Note As of Cisco MDS SAN-OS Release 3.2(1), the USB ports on the Supervisor-2 module are supported.
USB flash drives connected to these ports may be used for the same functions as media in the external
compact flash slot.

The Cisco MDS 9500 Series directors support the following switching and services modules:
- 48-port 8-Gbps Fibre Channel switching module
- 24-port 8-Gbps Fibre Channel switching module
- 4/44-port 8-Gbps Host Optimized Fibre Channel switching module
- 48-port 4-Gbps Fibre Channel switching module
- 24-port 4-Gbps Fibre Channel switching module
- 12-port 4-Gbps Fibre Channel switching module
- 4-port 10-Gbps Fibre Channel switching module
- 32-port 2-Gbps Fibre Channel switching module
- 18/4-port Multiservice module (MSM-18/4)
- 18/4-port Multiservice module FIPS
- 18-port 4-Gbps Fibre Channel switching module
- 16-port 2-Gbps Fibre Channel switching module


- 14/2-port Multiprotocol Services (MPS-14/2) module
- Storage Services Module (SSM)
Refer to the Cisco MDS 9500 Series Hardware Installation Guide.

Cisco MDS 9200 Series Fabric Switches


The Cisco MDS 9200 Series includes the following multilayer switches supporting multiprotocol
capabilities:
- Cisco MDS 9222i
- Cisco MDS 9216i

Cisco MDS 9216i Multiprotocol Fabric Switch


The Cisco MDS 9216i multiprotocol fabric switch has two slots, one of which is reserved for the
integrated supervisor module and the other for switching or services modules. The supervisor module
provides supervisor functions and has 14 standard Fibre Channel ports and two multiprotocol ports that
can support FCIP and iSCSI protocols simultaneously.
The Cisco MDS 9200 multilayer fabric switches support the following switching and services modules:
- 48-port 4-Gbps Fibre Channel switching module
- 24-port 4-Gbps Fibre Channel switching module
- 12-port 4-Gbps Fibre Channel switching module
- 4-port 10-Gbps Fibre Channel switching module
- 32-port 2-Gbps Fibre Channel switching module
- 16-port 2-Gbps Fibre Channel switching module
- 14/2-port Multiprotocol Services (MPS-14/2) module
- 8-port IP Storage Services (IPS-8) module
- 4-port IP Storage Services (IPS-4) module
- Storage Services Module (SSM)
Refer to the Cisco MDS 9200 Series Hardware Installation Guide.

Cisco MDS 9222i Multilayer Fabric Switch


The Cisco MDS 9222i multilayer fabric switch has two slots, one of which is reserved for the integrated
supervisor module and the other for a switching or services module. The supervisor module provides
supervisor functions and has 16 standard Fibre Channel ports.
The Cisco MDS 9222i multilayer fabric switch supports the following switching and services modules:
- 4/44-port 8/4-Gbps Host Optimized Fibre Channel switching module
- 12-port, 24-port, and 48-port 4-Gbps Fibre Channel switching modules
- 4-port 10-Gbps Fibre Channel switching module
- 18/4-port Multiservice Module


- 18/4-port Multiservice FIPS Module with Federal Information Processing Standard (FIPS) 140-2 Level-3 validation
- 32-port Storage Services Module
- 8-port IP Storage Services Module
Refer to the Cisco MDS 9200 Series Hardware Installation Guide and the Cisco MDS 9216 Switch
Hardware Installation Guide.

Cisco MDS 9100 Series Fixed Configuration Fabric Switches


Cisco MDS 9100 Series includes the following multilayer, fixed configuration (non-modular) switches:
- Cisco MDS 9134 with 34 ports (24-port base with 8-port license for growth; two 10 Gbps ports can be activated independently in 24-port or 32-port configurations)
  - On-demand port activation licensing
  - Nondisruptive upgrades
- Cisco MDS 9124 with 24 ports (8-port base with 8-port license for growth). Also includes:
  - On-demand port activation licensing
  - Non-disruptive upgrades

Note Cisco MDS NX-OS Release 4.1(1a) and later are not supported on the MDS 9120 switch, the MDS 9140
switch, and the MDS 9500 Series Directors that include Supervisor 1 modules. You must replace
Supervisor 1 modules with Supervisor 2 modules.

- Cisco Fabric Switch for HP c-Class BladeSystem (24 ports; 14 internal 2/4 Gbps, and 6 full-rate ports)
- Cisco Fabric Switch for IBM BladeCenter (20 ports; 14 internal 2/4 Gbps, and 6 external full-rate ports)
These fixed configuration switches are packaged in 1 RU enclosures and provide 1-Gbps, 2-Gbps,
4-Gbps, or 10 Gbps autosensing Fibre Channel ports. Besides Telnet access, a 10/100BASE-T Ethernet
port provides switch access.

Note Switches in the Cisco MDS 9100 Series do not have a COM1 port (RS-232 serial port).

Refer to the Cisco MDS 9100 Series Hardware Installation Guide.

Cisco NX-OS Software Configuration


This section describes the tools you can use to configure NX-OS software, and provides an overview of
the software configuration process with links to the appropriate chapters.

Note Fabric Manager also manages Cisco MDS 9020 switches running FabricWare 2.1. For more information,
refer to the Cisco MDS 9020 Fabric Switch Configuration Guide and Command Reference.


This section includes the following topics:


- Tools for Software Configuration
- Software Configuration Overview

Tools for Software Configuration


You can use one of two configuration management tools to configure your SANs (see Figure 1-1).
- The command-line interface (CLI) can manage Cisco MDS 9000 Family switches using Telnet, SSH, or a serial connection.
- The Cisco MDS 9000 Fabric Manager, a Java-based graphical user interface, can manage Cisco MDS 9000 Family switches using SNMP.

Figure 1-1 Tools for Configuring Cisco NX-OS Software
[Figure: the CLI (Telnet, SSH, or serial connection) and Cisco Fabric Manager (Fabric Manager, Device Manager, Web Services; SNMP version 1, 2c or 3) connect to the Cisco MDS 9000 Family switch; an IP network and a RADIUS server are also shown.]

CLI
With the CLI, you can type commands at the switch prompt, and the commands are executed when you
press the Enter key. The CLI parser provides command help, command completion, and keyboard
sequences that allow you to access previously executed commands from the buffer history.
For more information on configuring the Cisco MDS switch using the CLI, refer to the Cisco MDS 9000
CLI Configuration Guide.

Cisco MDS 9000 Fabric Manager


The Cisco Fabric Manager is a set of network management tools that supports Secure Simple Network
Management Protocol version 3 (SNMPv3) and legacy versions. The Cisco Fabric Manager applications
are:
- Fabric Manager Client: Provides a graphical user interface (GUI) that displays real-time views of your network fabric, and lets you manage the configuration of Cisco MDS 9000 Family devices and third-party switches.
- Fabric Manager Server: Performs advanced monitoring, troubleshooting, and configuration for multiple fabrics. It must be started before running the Fabric Manager Client. It can be accessed by up to 16 Fabric Manager Clients at a time.
- Device Manager: Presents two views of a switch.


  - Device View displays a continuously updated physical representation of the switch configuration, and provides access to statistics and configuration information for a single switch.
  - Summary View presents real-time performance statistics of all active interfaces and channels on the switch for Fibre Channel and IP connections.
- Fabric Manager Web Services: Allows operators to monitor MDS events, performance, and inventory, and perform minor configuration tasks from a remote location using a web browser.
- Performance Manager: Provides detailed traffic analysis by capturing data with SNMP. This data is compiled into various graphs and charts that can be viewed with any web browser using Fabric Manager Web Services.
The Cisco Fabric Manager applications are an alternative to the CLI for most switch configuration
commands.

Note Resource Manager Essentials (RME) versions 3.4 and 3.5 provide support for switches in the Cisco MDS
9000 Family. Device Updates (DU) are available on Cisco.com (http://www.cisco.com/).

Continue reading this book for more information on configuring the Cisco MDS switch using the Cisco
MDS 9000 Family Fabric Manager.

Software Configuration Overview


This section provides an overview of the Cisco NX-OS configuration process and includes the following
topics:
- Basic Configuration
- Advanced Configuration

Basic Configuration
These sections contain the minimum information you need to get your switch up and running.
- Setting Up the Switch (Starting a Switch in the Cisco MDS 9000 Family)
- Installing Fabric Manager (Installing the Management Software)
- Fabric Manager Server (Chapter 3, Fabric Manager Server)
- Fabric Manager Client (Chapter 5, Fabric Manager Client)
- Device Manager (Chapter 6, Device Manager)
- Fabric Manager Web Services (Chapter 7, Fabric Manager Web Client)
- Installing licenses (Chapter 10, Obtaining and Installing Licenses)
- Activating additional ports (Chapter 11, On-Demand Port Activation Licensing)
- Configuring the minimum requirements:
  - Initial configuration (Chapter 12, Initial Configuration)
  - VSANs (Chapter 26, Configuring and Managing VSANs)
  - Interfaces (Chapter 20, Configuring Interfaces)
  - Zones and zone sets (Chapter 30, Configuring and Managing Zones)

Advanced Configuration
These sections contain additional configuration information for NX-OS software and the MDS 9000
Family of switches and include the following topics:
Switch Configuration, page 1-7
Fabric Configuration, page 1-7
Security, page 1-7
IP Services, page 1-8
Intelligent Storage Services, page 1-8
Network and Switch Monitoring, page 1-8
Traffic Management, page 1-8

Switch Configuration

On-demand port activation licensing (Chapter 11, On-Demand Port Activation Licensing)
Generation 2 switching modules (Chapter 22, Configuring Generation 2 and Generation 3
Switching Modules)
High Availability (Chapter 17, Configuring High Availability)
N-Port Virtualization (Chapter 21, Configuring N Port Virtualization)
Trunking (Chapter 24, Configuring Trunking)
PortChannels (Chapter 23, Configuring PortChannels)
Domains (Chapter 25, Configuring Domain Parameters)

Fabric Configuration

Dynamic VSANs (Chapter 28, Creating Dynamic VSANs)


SAN device virtualization (Chapter 27, SAN Device Virtualization)
Inter-VSAN Routing (Chapter 29, Configuring Inter-VSAN Routing)
Device alias distribution (Chapter 31, Distributing Device Alias Services)
FSPF (Chapter 32, Configuring Fibre Channel Routing Services and Protocols)
FLOGI (Chapter 34, Managing FLOGI, Name Server, FDMI, and RSCN Databases)
SCSI (Chapter 35, Discovering SCSI Targets)
FICON (Chapter 36, Configuring FICON)
Switch interoperability (Chapter 37, Advanced Features and Concepts)

Security

Users and Roles (Chapter 32, Configuring Users and Common Roles)
SNMP (Chapter 40, Configuring SNMP)
RADIUS and TACACS+ (Chapter 41, Configuring RADIUS and TACACS+)
Access lists for IPv4 and IPv6 (Chapter 42, Configuring IPv4 and IPv6 Access Control Lists)
Digital certificates (Chapter 43, Configuring Certificate Authorities and Digital Certificates)

IPsec for network security (Chapter 44, Configuring IPsec Network Security)
FC-SP for fabric security (Chapter 45, Configuring FC-SP and DHCHAP)
Port security (Chapter 46, Configuring Port Security)
Fabric binding (Chapter 47, Configuring Fabric Binding)

IP Services

FCIP (Chapter 48, Configuring FCIP)


SAN extension tuner (Chapter 49, Configuring the SAN Extension Tuner)
iSCSI (Chapter 50, Configuring iSCSI)
IP services (Chapter 51, Configuring IP Services)
IP storage (Chapter 52, Configuring IP Storage)
IPv4 (Chapter 53, Configuring IPv4 for Gigabit Ethernet Interfaces)
IPv6 (Chapter 54, Configuring IPv6 for Gigabit Ethernet Interfaces)

Intelligent Storage Services

SCSI flow services (Chapter 55, Configuring SCSI Flow Services and Statistics)
Fibre Channel write acceleration (Chapter 56, Configuring Fibre Channel Write Acceleration)
SANTap (Cisco MDS 9000 Family SANTap Deployment Guide)

Network and Switch Monitoring

General Network Monitoring (Chapter 57, Network Monitoring)


Performance Monitoring (Chapter 58, Performance Monitoring)
RMON (Chapter 59, Configuring RMON)
SPAN (Chapter 60, Monitoring Network Traffic Using SPAN)
System message logging (Chapter 61, Configuring System Message Logging)
Call Home (Chapter 62, Configuring Call Home)
Fabric configuration servers (Chapter 63, Configuring Fabric Configuration Servers)

Traffic Management

QoS (Chapter 64, Configuring Fabric Congestion Control and QoS)


Port tracking (Chapter 65, Configuring Port Tracking)

CHAPTER 2
Installing Cisco MDS NX-OS and Fabric Manager

The Cisco Fabric Manager is a set of network management tools that supports Secure Simple Network
Management Protocol version 3 (SNMPv3). It provides a graphical user interface (GUI) that displays
real-time views of your network fabrics, and lets you manage the configuration of Cisco MDS 9000
Family devices and third-party switches.
This chapter describes how to install Cisco Fabric Manager.
This chapter contains the following sections:
Starting a Switch in the Cisco MDS 9000 Family, page 2-1
Initial Setup Routine, page 2-2
Accessing the Switch, page 2-12
Where Do You Go Next?, page 2-13
About Cisco Fabric Manager, page 2-13
Installing the Management Software, page 2-18
Upgrading the Management Software, page 2-38
Upgrading Fabric Manager Server and Fabric Manager Standalone Version Using the Fabric
Manager Update Installer, page 2-39
Integrating Cisco Fabric Manager with Other Management Tools, page 2-40
Running Fabric Manager Behind a Firewall, page 2-40
Uninstalling the Management Software, page 2-43

Starting a Switch in the Cisco MDS 9000 Family


The following procedure is a review of the tasks you should have completed during hardware
installation, including starting up the switch. These tasks must be completed before you can configure
the switch.

Note You must use the CLI for initial switch start up.

Before you can configure a switch, follow these steps:

Step 1 Verify the following physical connections for the new Cisco MDS 9000 Family switch:

The console port is physically connected to a computer terminal (or terminal server).
The management 10/100 Ethernet port (mgmt0) is connected to an external hub, switch, or router.
Refer to the Cisco MDS 9000 Family Hardware Installation Guide (for the required product) for more
information.

Tip Save the host ID information for future use (for example, to enable licensed features). The host
ID information is provided in the Proof of Purchase document that accompanies the switch.

Step 2 Verify that the default console port parameters are identical to those of the computer terminal (or
terminal server) attached to the switch console port:
9600 baud
8 data bits
1 stop bit
No parity
Step 3 Power on the switch. The switch boots automatically and the switch# prompt appears in your terminal
window.

Initial Setup Routine


The first time that you access a switch in the Cisco MDS 9000 Family using the CLI, it runs a setup
program that prompts you for the IP address and other configuration information necessary for the
switch to communicate over the supervisor module Ethernet interface. This information is required to
configure and manage the switch.

Note The IP address can only be configured from the CLI. When you power up the switch for the first time,
assign the IP address. After you perform this step, the Cisco MDS 9000 Family Fabric Manager can
reach the switch through the management port.

Preparing to Configure the Switch


Before you configure a switch in the Cisco MDS 9000 Family for the first time, you need the following
information:
Administrator password, including:
Creating a password for the administrator (required).
Creating an additional login account and password (optional).
IP address for the switch management interface: The management interface can be an out-of-band
Ethernet interface or an in-band Fibre Channel interface (recommended).
Subnet mask for the switch's management interface (optional).
IP addresses, including:

Destination prefix, destination prefix subnet mask, and next hop IP address, if you want to
enable IP routing. Also, provide the IP address of the default network (optional).
Otherwise, provide an IP address of the default gateway (optional).
SSH service on the switch: To enable this optional service, select the type of SSH key (dsa/rsa/rsa1)
and number of key bits (768 to 2048).
DNS IP address (optional).
Default domain name (optional).
NTP server IP address (optional).
SNMP community string (optional).
Switch name: This is your switch prompt (optional).

Note Be sure to configure the IP route, the IP default network address, and the IP default gateway address to
enable SNMP access. If IP routing is enabled, the switch uses the IP route and the default network IP
address. If IP routing is disabled, the switch uses the default gateway IP address.

Note You should verify that the Fabric Manager Server hostname entry exists on the DNS server, unless the
Fabric Manager Server is configured to bind to a specific interface during installation.

Default Login
All Cisco MDS 9000 Family switches have the network administrator as a default user (admin). You
cannot change the default user at any time (see the Role-Based Authorization section on page 39-1).
You have an option to enforce a secure password for any switch in the Cisco MDS 9000 Family. If a
password is trivial (short, easy-to-decipher), your password configuration is rejected. Be sure to
configure a secure password (see the User Accounts section on page 39-10). If you configure and
subsequently forget this new password, you have the option to recover this password (see the
Recovering the Administrator Password section on page 39-20).

Note Starting from NX-OS Release 4.x, secure password is enforced on all Cisco MDS 9000 Family switches
unless disabled by the user.

Setup Options
The setup scenario differs based on the subnet to which you are adding the new switch. You must
configure a Cisco MDS 9000 Family switch with an IP address to enable management connections from
outside of the switch.

Note Some concepts such as out-of-band management and in-band management are briefly explained here.
These concepts are explained in more detail in subsequent chapters.

Out-of-band management: This feature provides a connection to the network through a supervisor
module front panel Ethernet port (see Figure 2-1).

In-band management: This feature provides IP over Fibre Channel (IPFC) to manage the switches.
The in-band management feature is transparent to the network management system (NMS). Instead
of conventional Ethernet physical media, switches in the Cisco MDS 9000 Family use IPFC as the
transport mechanism (see Figure 2-1 and Chapter 51, Configuring IP Services).

Figure 2-1 Management Access to Switches

[Diagram labels: Console connection; Out-of-band management subnetwork; Router (IP address 172.16.1.1); IP network; CLI (Telnet or SSH); GUI; SNMP; DNS server; Switch 2, mgmt 0 (IP address: 172.16.1.2); Management LAN (Ethernet connection)]

Assigning Setup Information


This section describes how to initially configure the switch for both out-of-band and in-band
management.

Note Press Ctrl-C at any prompt to skip the remaining configuration options and proceed with what is
configured until that point. Entering a new password for the administrator is a requirement and cannot
be skipped.

Tip If you do not wish to answer a previously configured question, or if you wish to skip answers to any
questions, press Enter. If a default answer is not available (for example, switch name), the switch uses
what was previously configured and skips to the next question.

Configuring Out-of-Band Management

Note You can configure both in-band and out-of-band configuration together by entering Yes in both Step 11c
and Step 11d in the following procedure.

To configure the switch for first time out-of-band access, follow these steps:

Step 1 Power on the switch. Switches in the Cisco MDS 9000 Family boot automatically.
Do you want to enforce secure password standard (Yes/No)?
Step 2 Enter Yes to enforce secure password.
a. Enter the administrator password
Enter the password for admin: 2008asdf*lkjh17
b. Confirm the administrator password.
Confirm the password for admin: 2008asdf*lkjh17

Tip If a password is trivial (short, easy to decipher), your password configuration is rejected. Be sure
to configure a secure password as shown in the sample configuration. Passwords are
case-sensitive. You must explicitly configure a password that meets the requirements listed in
the User Accounts section on page 39-10.

Step 3 Enter yes to enter the setup mode.

Note This setup utility will guide you through the basic configuration of the system. Setup configures
only enough connectivity for management of the system.

Please register Cisco MDS 9000 Family devices promptly with your supplier. Failure to
register may affect response times for initial service calls. MDS devices must be
registered to receive entitled support services.

Press Enter anytime you want to skip any dialog. Use ctrl-c at anytime to skip away
remaining dialogs.

Would you like to enter the basic configuration dialog (yes/no): yes

The setup utility guides you through the basic configuration process. Press Ctrl-C at any prompt to end
the configuration process.
Step 4 Enter the new password for the administrator (admin is the default).
Enter the password for admin: admin

Step 5 Enter yes (no is the default) to create additional accounts.


Create another login account (yes/no) [n]: yes

While configuring your initial setup, you can create an additional user account (in the network-admin
role) besides the administrator's account. See the Role-Based Authorization section on page 39-1 for
information on default roles and permissions.

Note User login IDs must contain non-numeric characters.

a. Enter the user login ID [administrator].


Enter the user login ID: user_name
b. Enter the user password.
Enter the password for user_name: user-password
c. Confirm the user password for
Confirm the password for user_name: user-password

Step 6 Enter yes (no is the default) to create an SNMPv3 account.


Configure read-only SNMP community string (yes/no) [n]: yes

a. Enter the user name (admin is the default).


SNMPv3 user name [admin]: admin

b. Enter the SNMPv3 password (minimum of eight characters). The default is admin123.
SNMPv3 user authentication password: admin_pass

Step 7 Enter yes (no is the default) to configure the read-only or read-write SNMP community string.
Configure read-write SNMP community string (yes/no) [n]: yes

a. Enter the SNMP community string.


SNMP community string: snmp_community

Step 8 Enter a name for the switch.

Note The switch name is limited to 32 alphanumeric characters. The default is switch.

Enter the switch name: switch_name

Step 9 Enter yes (yes is the default) to configure out-of-band management.


Continue with Out-of-band (mgmt0) management configuration? [yes/no]: yes

a. Enter the mgmt0 IP address.


Mgmt0 IPv4 address: ip_address

b. Enter the mgmt0 subnet mask.


Mgmt0 IPv4 netmask: subnet_mask

Step 10 Enter yes (yes is the default) to configure the default gateway (recommended).
Configure the default-gateway: (yes/no) [y]: yes

a. Enter the default gateway IP address.


IPv4 address of the default gateway: default_gateway

Step 11 Enter yes (no is the default) to configure advanced IP options such as in-band management, static routes,
default network, DNS, and domain name.
Configure Advanced IP options (yes/no)? [n]: yes

a. Enter no (no is the default) at the in-band management configuration prompt.


Continue with in-band (VSAN1) management configuration? (yes/no) [no]: no

b. Enter yes (no is the default) to enable IP routing capabilities.


Enable the ip routing? (yes/no) [n]: yes

c. Enter yes (no is the default) to configure a static route (recommended).


Configure static route: (yes/no) [n]: yes

Enter the destination prefix.


Destination prefix: dest_prefix

Type the destination prefix mask.


Destination prefix mask: dest_mask

Type the next hop IP address.


Next hop ip address: next_hop_address

Note Be sure to configure the IP route, the default network IP address, and the default gateway IP
address to enable SNMP access. If IP routing is enabled, the switch uses the IP route and the
default network IP address. If IP routing is disabled, the switch uses the default gateway IP
address.

d. Enter yes (no is the default) to configure the default network (recommended).
Configure the default network: (yes/no) [n]: yes

Enter the default network IP address.

Note The default network IP address is the destination prefix provided in Step 11c.

Default network IP address [dest_prefix]: dest_prefix

e. Enter yes (no is the default) to configure the DNS IP address.


Configure the DNS IPv4 address? (yes/no) [n]: yes

Enter the DNS IP address.


DNS IPv4 address: name_server

f. Enter yes (default is no) to configure the default domain name.


Configure the default domain name? (yes/no) [n]: yes

Enter the default domain name.


Default domain name: domain_name

Step 12 Enter yes (no is the default) to enable Telnet service.


Enable the telnet server? (yes/no) [n]: yes

Step 13 Enter yes (no is the default) to enable the SSH service.
Enabled SSH server? (yes/no) [n]: yes

Step 14 Enter the SSH key type (see the Generating the SSH Server Key Pair section on page 39-17) that you
would like to generate.
Type the SSH key you would like to generate (dsa/rsa)? dsa

Step 15 Enter the number of key bits within the specified range.
Enter the number of key bits? (768 to 2048): 768

Step 16 Enter yes (no is the default) to configure the NTP server.
Configure NTP server? (yes/no) [n]: yes
Configure clock? (yes/no) [n] :yes
Configure clock? (yes/no) [n] :yes

Configure timezone? (yes/no) [n] :yes


Configure summertime? (yes/no) [n] :yes
Configure the ntp server? (yes/no) [n] : yes

a. Enter the NTP server IP address.


NTP server IP address: ntp_server_IP_address

Step 17 Enter noshut (shut is the default) to configure the default switch port interface to the noshut state.
Configure default switchport interface state (shut/noshut) [shut]: noshut

Step 18 Enter on (on is the default) to configure the switch port trunk mode.
Configure default switchport trunk mode (on/off/auto) [on]: on

Step 19 Enter no (no is the default) to configure switchport port mode F.


Configure default switchport port mode F (yes/no) [n] : no

Step 20 Enter permit (deny is the default) to permit a default zone policy configuration.
Configure default zone policy (permit/deny) [deny]: permit

Permits traffic flow to all members of the default zone.


Step 21 Enter yes (no is the default) to enable a full zone set distribution (see the Zone Set Distribution section
on page 30-26). Enables the switch-wide default for the full zone set distribution feature.
Enable full zoneset distribution (yes/no) [n]: yes

You see the new configuration. Review and edit the configuration that you have just entered.
Step 22 Enter no (no is the default) if you are satisfied with the configuration.
The following configuration will be applied:
username admin password admin_pass role network-admin
username user_name password user_pass role network-admin
snmp-server community snmp_community ro
switchname switch
interface mgmt0
ip address ip_address subnet_mask
no shutdown
ip routing
ip route dest_prefix dest_mask dest_address
ip default-network dest_prefix
ip default-gateway default_gateway
ip name-server name_server
ip domain-name domain_name
telnet server enable
ssh key dsa 768 force
ssh server enable
ntp server ipaddr ntp_server
system default switchport shutdown
system default switchport trunk mode on
system default port-channel auto-create
zone default-zone permit vsan 1-4093
zoneset distribute full vsan 1-4093

Would you like to edit the configuration? (yes/no) [n]: no

Step 23 Enter yes (yes is default) to use and save this configuration:
Use this configuration and save it? (yes/no) [y]: yes

Caution If you do not save the configuration at this point, none of your changes are updated the next
time the switch is rebooted. Type yes to save the new configuration. This ensures that the
kickstart and system images are also automatically configured (see Chapter 15, Software
Images).

Configuring In-Band Management


The in-band management logical interface is VSAN 1. This management interface uses the Fibre
Channel infrastructure to transport IP traffic. An interface for VSAN 1 is created on every switch in the
fabric. Each switch should have its VSAN 1 interface configured with an IP address in the same
subnetwork. A default route that points to the switch providing access to the IP network should be
configured on every switch in the Fibre Channel fabric (see Chapter 26, Configuring and Managing
VSANs).

Note You can configure both in-band and out-of-band configuration together by entering Yes in both Step 9c
and Step 9d in the following procedure.

To configure a switch for first time in-band access, follow these steps:

Step 1 Power on the switch. Switches in the Cisco MDS 9000 Family boot automatically.
Step 2 Enter the new password for the administrator.
Enter the password for admin: 2004asdf*lkjh18

Tip If a password is trivial (short, easy-to-decipher), your password configuration is rejected. Be
sure to configure a strong password as shown in the sample configuration. Passwords are
case-sensitive. You must explicitly configure a password that meets the requirements listed in
the User Accounts section on page 39-10.

Step 3 Enter yes to enter the setup mode.


This setup utility will guide you through the basic configuration of the system. Setup
configures only enough connectivity for management of the system.

Please register Cisco MDS 9000 Family devices promptly with your supplier. Failure to
register may affect response times for initial service calls. MDS devices must be
registered to receive entitled support services.

Press Enter incase you want to skip any dialog. Use ctrl-c at anytime to skip away
remaining dialogs.

Would you like to enter the basic configuration dialog (yes/no): yes

The setup utility guides you through the basic configuration process. Press Ctrl-C at any prompt to end
the configuration process.
Step 4 Enter no (no is the default) if you do not wish to create additional accounts.
Create another login account (yes/no) [no]: no

Step 5 Configure the read-only or read-write SNMP community string.


a. Enter no (no is the default) to avoid configuring the read-only SNMP community string.
Configure read-only SNMP community string (yes/no) [n]: no
Step 6 Enter a name for the switch.

Note The switch name is limited to 32 alphanumeric characters. The default is switch.

Enter the switch name: switch_name

Step 7 Enter no (yes is the default) at the configuration prompt to skip out-of-band management configuration.
Continue with Out-of-band (mgmt0) management configuration? [yes/no]: no

Step 8 Enter yes (yes is the default) to configure the default gateway.
Configure the default-gateway: (yes/no) [y]: yes

a. Enter the default gateway IP address.


IP address of the default gateway: default_gateway

Step 9 Enter yes (no is the default) to configure advanced IP options such as in-band management, static routes,
default network, DNS, and domain name.
Configure Advanced IP options (yes/no)? [n]: yes

a. Enter yes (no is the default) at the in-band management configuration prompt.
Continue with in-band (VSAN1) management configuration? (yes/no) [no]: yes

Enter the VSAN 1 IP address.


VSAN1 IP address: ip_address

Enter the subnet mask.


VSAN1 IP net mask: subnet_mask

b. Enter no (yes is the default) to skip enabling IP routing capabilities.


Enable ip routing capabilities? (yes/no) [y]: no

c. Enter no (yes is the default) to skip configuring a static route.


Configure static route: (yes/no) [y]: no

d. Enter no (yes is the default) to skip configuring the default network.


Configure the default-network: (yes/no) [y]: no

e. Enter no (yes is the default) to skip configuring the DNS IP address.


Configure the DNS IP address? (yes/no) [y]: no

f. Enter no (no is the default) to skip the default domain name configuration.
Configure the default domain name? (yes/no) [n]: no

Step 10 Enter no (yes is the default) to disable Telnet service.


Enable the telnet service? (yes/no) [y]: no

Step 11 Enter yes (no is the default) to enable the SSH service.

Enabled SSH service? (yes/no) [n]: yes

Step 12 Enter the SSH key type (see the Generating the SSH Server Key Pair section on page 39-17) that you
would like to generate.
Type the SSH key you would like to generate (dsa/rsa/rsa1)? rsa

Step 13 Enter the number of key bits within the specified range.
Enter the number of key bits? (768 to 1024): 1024

Step 14 Enter no (no is the default) to skip configuring the NTP server.


Configure NTP server? (yes/no) [n]: no

Step 15 Enter shut (shut is the default) to configure the default switch port interface to the shut state.
Configure default switchport interface state (shut/noshut) [shut]: shut

Note The management Ethernet interface is not shut down at this point; only the Fibre Channel,
iSCSI, FCIP, and Gigabit Ethernet interfaces are shut down.

Step 16 Enter auto (off is the default) to configure the switch port trunk mode.
Configure default switchport trunk mode (on/off/auto) [off]: auto

Step 17 Enter deny (deny is the default) to deny a default zone policy configuration.
Configure default zone policy (permit/deny) [deny]: deny

Denies traffic flow to all members of the default zone.


Step 18 Enter no (no is the default) to disable a full zone set distribution (see the Zone Set Distribution section
on page 30-26).
Enable full zoneset distribution (yes/no) [n]: no

Disables the switch-wide default for the full zone set distribution feature.
You see the new configuration. Review and edit the configuration that you have just entered.
Step 19 Enter no (no is the default) if you are satisfied with the configuration.
The following configuration will be applied:
username admin password admin_pass role network-admin
snmp-server community snmp_community rw
switchname switch
interface vsan1
ip address ip_address subnet_mask
no shutdown
ip default-gateway default_gateway
no telnet server enable
ssh key rsa 1024 force
ssh server enable
no system default switchport shutdown
system default switchport trunk mode auto
no zone default-zone permit vsan 1-4093
no zoneset distribute full vsan 1-4093

Would you like to edit the configuration? (yes/no) [n]: no

Step 20 Enter yes (yes is default) to use and save this configuration.
Use this configuration and save it? (yes/no) [y]: yes

Caution If you do not save the configuration at this point, none of your changes are updated the next
time the switch is rebooted. Type yes to save the new configuration. This ensures that the
kickstart and system images are also automatically configured (see Chapter 15, Software
Images).
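
The two configuration summaries shown in the out-of-band and in-band procedures can be checked for risky management-plane settings before answering yes to "Use this configuration and save it?". The following Python check is an added example, not part of the Cisco guide or of Fabric Manager; the audit() function, the rule names, and the policy (only RSA keys of at least 2048 bits pass, any read-write community is reported) are assumptions of the example.

```python
import re

# Constructed input: the two "following configuration will be applied"
# summaries from the procedures above, placeholders kept as printed.
OUT_OF_BAND = """\
username admin password admin_pass role network-admin
username user_name password user_pass role network-admin
snmp-server community snmp_community ro
switchname switch
interface mgmt0
ip address ip_address subnet_mask
no shutdown
ip routing
ip route dest_prefix dest_mask dest_address
ip default-network dest_prefix
ip default-gateway default_gateway
ip name-server name_server
ip domain-name domain_name
telnet server enable
ssh key dsa 768 force
ssh server enable
ntp server ipaddr ntp_server
system default switchport shutdown
system default switchport trunk mode on
system default port-channel auto-create
zone default-zone permit vsan 1-4093
zoneset distribute full vsan 1-4093
"""

IN_BAND = """\
username admin password admin_pass role network-admin
snmp-server community snmp_community rw
switchname switch
interface vsan1
ip address ip_address subnet_mask
no shutdown
ip default-gateway default_gateway
no telnet server enable
ssh key rsa 1024 force
ssh server enable
no system default switchport shutdown
system default switchport trunk mode auto
no zone default-zone permit vsan 1-4093
no zoneset distribute full vsan 1-4093
"""

SSH_KEY = re.compile(r"ssh key (dsa|rsa1|rsa) (\d+)(?: force)?")
SNMP_COMMUNITY = re.compile(r"snmp-server community (\S+) (ro|rw)")
DEFAULT_ZONE = re.compile(r"zone default-zone permit vsan \S+")


def audit(config, min_key_bits=2048):
    """Return (rule_id, line) pairs for risky management-plane settings.

    Policy choices are assumptions of this example: only RSA keys of at
    least min_key_bits pass, and any read-write community is reported.
    """
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("no "):
            continue  # a leading "no" turns the feature off
        if line == "telnet server enable":
            findings.append(("telnet-enabled", line))  # cleartext logins
        elif (m := SSH_KEY.fullmatch(line)):
            key_type, bits = m.group(1), int(m.group(2))
            if key_type != "rsa" or bits < min_key_bits:
                findings.append(("weak-ssh-key", line))
        elif DEFAULT_ZONE.fullmatch(line):
            # Devices that belong to no zone can all reach each other.
            findings.append(("default-zone-permit", line))
        elif (m := SNMP_COMMUNITY.fullmatch(line)) and m.group(2) == "rw":
            # Community strings are a shared secret sent unencrypted.
            findings.append(("snmp-community-rw", line))
    return findings


if __name__ == "__main__":
    for name, cfg in (("out-of-band", OUT_OF_BAND), ("in-band", IN_BAND)):
        for rule, line in audit(cfg):
            print(f"{name}: {rule}: {line}")
```

The in-band sample still reports its SSH key because the setup prompt in that procedure offers at most 1024 bits; pass a different min_key_bits to match local policy.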

Using the setup Command


To make changes to the initial configuration at a later time, you can issue the setup command in EXEC
mode.
switch# setup
---- Basic System Configuration Dialog ----
This setup utility will guide you through the basic configuration of
the system. Setup configures only enough connectivity for management
of the system.
*Note: setup always assumes a predefined defaults irrespective
of the current system configuration when invoked from CLI.

Press Enter incase you want to skip any dialog. Use ctrl-c at anytime
to skip away remaining dialogs.

Would you like to enter the basic configuration dialog (yes/no): yes

The setup utility guides you through the basic configuration process.

Accessing the Switch


After initial configuration, you can access the switch in one of three ways (see Figure 2-2):
Serial console access: You can use a serial port connection to access the CLI.
In-band IP (IPFC) access: You can use Telnet or SSH to access a switch in the Cisco MDS 9000
Family or use Cisco MDS 9000 Fabric Manager to access the switch.
Out-of-band (10/100BASE-T Ethernet) access: You can use Telnet or SSH to access a switch in the
Cisco MDS 9000 Family or use Cisco MDS 9000 Fabric Manager to access the switch.

Figure 2-2 Switch Access Options

[Diagram labels: Console connection; Out-of-band management subnetwork; Router (IP address 172.16.1.1); IP network; CLI (Telnet or SSH); GUI; SNMP; DNS server; Switch 2, mgmt 0 (IP address: 172.16.1.2); Management LAN (Ethernet connection)]

Where Do You Go Next?


After reviewing the default configuration, you can change it or perform other configuration or
management tasks. The initial setup can only be performed at the CLI. However, you can continue to
configure other software features, or access the switch after initial configuration by using either the CLI
or the Device Manager and Fabric Manager applications.
To use the CLI, refer to the Cisco MDS 9000 Family CLI Configuration Guide.

About Cisco Fabric Manager


The Cisco Fabric Manager provides an alternative to the command-line interface (CLI) for most switch
configuration commands. For information on using the CLI to configure a Cisco MDS 9000 Family
switch, refer to the Cisco MDS 9000 Family CLI Configuration Guide or the Cisco MDS 9020 Switch
Configuration Guide and Command Reference Guide. For details on managing switches running Cisco
FabricWare, see the Managing Cisco FabricWare with Fabric Manager section on page D-3.
In addition to complete configuration and status monitoring capabilities for Cisco MDS 9000 switches,
Fabric Manager provides powerful Fibre Channel troubleshooting tools. These in-depth health and
configuration analysis capabilities leverage unique MDS 9000 switch capabilities: Fibre Channel Ping
and Traceroute.
The Cisco Fabric Manager includes these management applications:
- Fabric Manager (client and server)
- Device Manager
- Performance Manager
- Fabric Manager Web Server

Fabric Manager Server


The Fabric Manager Server component must be started before running Fabric Manager. On a Windows
PC, the Fabric Manager Server is installed as a service. This service can then be administered using the
Windows Services in the Control Panel. Fabric Manager Server is responsible for discovery of the
physical and logical fabric, and for listening for SNMP traps, syslog messages, and Performance
Manager threshold events. For more information, see Chapter 3, Fabric Manager Server.

Fabric Manager Client


The Fabric Manager Client component displays a map of your network fabrics, including Cisco MDS
9000 Family switches, third-party switches, hosts, and storage devices. The Fabric Manager Client
provides multiple menus for accessing the features of the Fabric Manager Server. For more information,
see Chapter 5, Fabric Manager Client.

Fabric Manager Server Proxy Services


The Fabric Manager Client and Device Manager use SNMP to communicate with the Fabric Manager
Server. In typical configurations, the Fabric Manager Server may be installed behind a firewall. The
SNMP proxy service available in Cisco Fabric Manager Release 2.1(1a) or later provides a TCP-based
transport proxy for these SNMP requests. The SNMP proxy service allows you to block all UDP traffic
at the firewall and configure Fabric Manager Client to communicate over a configured TCP port.
Fabric Manager uses the CLI for managing some features on the switches. These management tasks are
used by Fabric Manager and do not use the proxy services. Your firewall must remain open for CLI
access for the following features:
- External and internal loopback test
- Flash files
- Create CLI user
- Security - ISCSI users
- Show image version
- Show tech
- Switch resident reports (syslog, accounting)
- Zone migration
- Show cores
If you are using the SNMP proxy service and another application on your server is using port 9198, you
need to modify your workstation settings.

Note The MDS switch always checks the local SNMP users before the remote AAA users, unlike the CLI.

To modify a Windows workstation, follow these steps:

Step 1 Open Internet Explorer and select Tools > Internet Options.
You see the Internet Options dialog box.
Step 2 Select the Connections tab and click LAN Settings.
You see the LAN Settings dialog box.
Step 3 Check the Use a Proxy Server for your LAN check box and click Advanced.
Step 4 Add your server IP Address or local host under the Exceptions section.
Step 5 Click OK to save your changes.

See the Running Fabric Manager Behind a Firewall section on page 2-40.

Device Manager
The Device Manager provides two views of a single switch:
- Device View: displays a graphic representation of the switch configuration and provides access to statistics and configuration information.
- Summary View: displays a summary of xE ports (Inter-Switch Links), Fx ports (fabric ports), and Nx ports (attached hosts and storage) on the switch, as well as Fibre Channel and IP neighbor devices.
Summary or detailed statistics can be charted, printed, or saved to a file in tab-delimited format. See
Chapter 6, "Device Manager."

Performance Manager
Performance Manager presents detailed traffic analysis by capturing data with SNMP. This data is
compiled into various graphs and charts that can be viewed with any web browser. See Chapter 58,
Performance Monitoring.

Fabric Manager Web Server


The Fabric Manager Web Server allows operators to monitor and obtain reports for MDS events,
performance, and inventory from a remote location using a web browser. For information on installing
and using Fabric Manager Web Server, see Chapter 7, Fabric Manager Web Client.

Cisco MDS 9000 Switch Management


The Cisco MDS 9000 Family of switches can be accessed and configured in many different ways and
supports standard management protocols. Table 2-1 lists the management protocols that Fabric Manager
supports to access, monitor, and configure the Cisco MDS 9000 Family of switches.

Table 2-1 Supported Management Protocols

Management Protocol       Purpose
Telnet/SSH                Provides remote access to the CLI for a Cisco MDS 9000 switch.
FTP/SFTP/TFTP, SCP        Copies configuration and software images between devices.
SNMPv1, v2c, and v3       Includes over 80 distinct Management Information Bases (MIBs). Cisco MDS 9000 Family switches support SNMP version 1, 2, and 3 and RMON V1 and V2. RMON provides advanced alarm and event management, including setting thresholds and sending notifications based on changes in device or network behavior.
                          By default, the Cisco Fabric Manager communicates with Cisco MDS 9000 Family switches using SNMPv3, which provides secure authentication using encrypted user names and passwords. SNMPv3 also provides the option to encrypt all management traffic.
HTTP/HTTPS                Includes HTTP and HTTPS for web browsers to communicate with Fabric Manager Web Services and for the distribution and installation of the Cisco Fabric Manager software. It is not used for communication between the Cisco Fabric Manager Server and Cisco MDS 9000 Family switches.
XML/CIM over HTTP/HTTPS   Includes CIM server support for designing storage area network management applications to run on Cisco SAN-OS and NX-OS.
ANSI T11 FC-GS-3          Provides Fibre Channel-Generic Services (FC-GS-3) in the defining management servers in the Fabric Configuration Server (FCS). Fabric Manager uses the information provided by FCS on top of the information contained in the Name Server database and in the Fibre Channel Shortest Path First (FSPF) topology database to build a detailed topology view and collect information for all the devices building the fabric.

Storage Management Solutions Architecture


Management services required for the storage environment can be divided into five layers, with the
bottom layer being closest to the physical storage network equipment, and the top layer managing the
interface between applications and storage resources.

Of these five layers of storage network management, Cisco Fabric Manager provides tools for device
(element) management and fabric management. In general, the Device Manager is most useful for device
management (a single switch), while Fabric Manager is more efficient for performing fabric
management operations involving multiple switches.
Tools for upper-layer management tasks can be provided by Cisco or by third-party storage and network
management applications. The following summarizes the goals and function of each layer of storage
network management:
- Device management provides tools to configure and manage a device within a system or a fabric. You use device management tools to perform tasks on one device at a time, such as initial device configuration, setting and monitoring thresholds, and managing device system images or firmware.
- Fabric management provides a view of an entire fabric and its devices. Fabric management applications provide fabric discovery, fabric monitoring, reporting, and fabric configuration.
- Resource management provides tools for managing resources such as fabric bandwidth, connected paths, disks, I/O operations per second (IOPS), CPU, and memory. You can use Fabric Manager to perform some of these tasks.
- Data management provides tools for ensuring the integrity, availability, and performance of data. Data management services include redundant array of independent disks (RAID) schemes, data replication practices, backup or recovery requirements, and data migration. Data management capabilities are provided by third-party tools.
- Application management provides tools for managing the overall system consisting of devices, fabric, resources, and data from the application. Application management integrates all these components with the applications that use the storage network. Application management capabilities are provided by third-party tools.

In-Band Management and Out-of-Band Management


Cisco Fabric Manager requires an out-of-band (Ethernet) connection to at least one Cisco MDS 9000
Family switch. You need either mgmt0 or IP over Fibre Channel (IPFC) to manage the fabric.

mgmt0
The out-of-band management connection is a 10/100 Mbps Ethernet interface on the supervisor module,
labeled mgmt0. The mgmt0 interface can be connected to a management network to access the switch
through IP over Ethernet. You must connect to at least one Cisco MDS 9000 Family switch in the fabric
through its Ethernet management port. You can then use this connection to manage the other switches
using in-band (Fibre Channel) connectivity. Otherwise, you need to connect the mgmt0 port on each
switch to your Ethernet network.
Each supervisor module has its own Ethernet connection; however, the two Ethernet connections in a
redundant supervisor system operate in active or standby mode. The active supervisor module also hosts
the active mgmt0 connection. When a failover event occurs to the standby supervisor module, the IP
address and media access control (MAC) address of the active Ethernet connection are moved to the
standby Ethernet connection.

IPFC
You can also manage switches on a Fibre Channel network using an in-band IP connection. The Cisco
MDS 9000 Family supports RFC 2625 IP over Fibre Channel, which defines an encapsulation method
to transport IP over a Fibre Channel network.

IPFC encapsulates IP packets into Fibre Channel frames so that management information can cross the
Fibre Channel network without requiring a dedicated Ethernet connection to each switch. This feature
allows you to build a completely in-band management solution.

Installing the Management Software


To install the software for the first time, or if you want to update or reinstall the software, access the
supervisor module with a web browser. Click the Install links on the web page that is displayed. The
software running on your workstation is verified to make sure you are running the most current version
of the software. If it is not current, the most recent version is downloaded and installed on your
workstation.

Note Before upgrading or uninstalling Fabric Manager or Device Manager, make sure any instances of these
applications have been shut down.

Installation options include:
- Upgrade: The installer detects your current version of Fabric Manager and Device Manager, and it provides the option to upgrade. The default is to upgrade to the latest version of Fabric Manager or Device Manager.
- Uninstall: If you are downgrading from Fabric Manager 2.x or later to Fabric Manager 1.3x or earlier, use the Uninstall batch file or shell script. Do not delete the MDS 9000 folder as this might prevent your installation from being upgraded in the future.

Note We recommend that you install the latest version of the Fabric Manager applications. Fabric Manager is
backward-compatible with the Cisco MDS SAN-OS and Cisco FabricWare software running on the
switches. When upgrading, upgrade the Fabric Manager software first, and then upgrade the Cisco MDS
SAN-OS or NX-OS or Cisco FabricWare software on the switch.

Before You Install


Before you can access the Cisco Fabric Manager, you must complete the following tasks:
- Install a supervisor module on each switch that you want to manage.
- Configure the supervisor module with the following values using the setup routine or the CLI:
  - IP address assigned to the mgmt0 interface
  - SNMP credentials (v3 user name and password or v1/v2 communities), maintaining the same user name and password for all the switches in the fabric
Cisco MDS SAN-OS Release 2.x, 3.x, and NX-OS 4.1(3a) support AAA authentication using RADIUS,
TACACS, or local SNMP users.
The Cisco Device Manager software executable files reside on each supervisor module of each Cisco
MDS 9000 Family switch running Cisco MDS SAN-OS or NX-OS software in your network. The
supervisor module provides an HTTP server that responds to browser requests and distributes the
software to Windows or UNIX network management stations. You can also find Cisco Fabric Manager
software on Cisco.com at the following website:
http://cisco.com/cgi-bin/tablebuild.pl/mds-fm

Supported Software

Note For the latest information on supported software, refer to the Cisco MDS 9000 Family Release Notes for
Cisco MDS NX-OS Release 4.1(3a).

Cisco Fabric Manager and Cisco Device Manager have been tested with the following software:
- Operating Systems
  - Windows 2003 SP2, Windows XP SP2, Windows XP SP3, Windows Vista SP1 (Enterprise edition)
  - Red Hat Enterprise Linux AS Release 4
  - Solaris (SPARC) 8, 9 and 10
  - VMWare ESX Server 3.5

    Note We support only Windows 2003 SP2 VM created on VMWare ESX Server 3.5.

- Java
  - Sun JRE and JDK 1.5(x) and 1.6(x) are supported
  - Java Web Start 1.5 and 1.6
- Browsers
  - Internet Explorer 6.x and 7.0

    Note Internet Explorer 7.0 is not supported on Windows 2000 SP4.

  - Firefox 1.5 and 2.0
  - Mozilla 1.7 (packaged with Solaris 9)
- Databases
  - Oracle Database 10g Express, Oracle 10g Enterprise Edition
  - Oracle 11g Enterprise Edition
  - PostgreSQL 8.2 (Windows and Red Hat Enterprise Linux AS Release 4)
  - PostgreSQL 8.1 (Solaris 8, 9 and 10)
- Security
  - Cisco ACS 3.1 and 4.0
  - PIX Firewall
  - IP Tables
  - SSH v2
  - Global Enforce SNMP Privacy Encryption
  - HTTPS

Java Database Connectivity


Java database connectivity (JDBC) is the JavaSoft specification of a standard application programming
interface (API) that allows Java programs to access database management systems.
A JDBC driver is a software component enabling a Java application to interact with a database. Fabric
Manager uses Oracle JDBC drivers ojdbc14.jar and ojdbc14.jar to access the Oracle database and store
data.
You can download the recommended version (10.2.0.1.0) of the ojdbc14.jar file from the following link:
http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/htdocs/jdbc_10201.html
Alternatively, if you have access to the system where Oracle is installed in your environment, you can
find the jar file in the Oracle installation directory under ORACLE_HOME\jdbc\lib\.

Minimum Hardware Requirements


For a PC running Fabric Manager Server on large fabrics (1000 or more end devices), we recommend
you use a Dual Core/Dual CPU high-speed system with 2 GB of RAM and 10 GB of free disk space.

Upgrading Fabric Manager in Cisco SAN-OS Releases Prior to 3.1(2b)


When you install Cisco SAN-OS 3.2(1), data is migrated from the Hypersonic HSQL database to either
the PostgreSQL database or Oracle Database 10g Express during the installation. To install the
PostgreSQL database on Windows, click the FM Installer link on the CD. To install Oracle Database 10g
Express, follow the instructions in the Installing Oracle section on page 2-22.

Note If you are upgrading a previous installation of Fabric Manager Server, be sure the previous installation
of the database is running. Do not uninstall the previous version. If the previous version is uninstalled,
the database will not be migrated and your server settings will not be preserved. After you ensure that
the previous installation is running, follow the steps listed in the Installing Fabric Manager section on
page 2-24. Before beginning the upgrade, you must close Fabric Manager and Device Manager.

Upgrading Fabric Manager in Cisco SAN-OS Releases 3.1(2b) and Later to 3.2(1)
When you install Cisco SAN-OS 3.2(1), data is migrated from the Hypersonic HSQL database to either
the PostgreSQL database or Oracle Database 10g Express during the installation. Data is also migrated
from Oracle to Oracle.

Note If you migrate the database from Oracle to Oracle, the schema is updated as required by Cisco SAN-OS
3.2(1).

To install the PostgreSQL database on Windows, click the FM Installer link on the CD. To install Oracle
Database 10g Express, follow the instructions in the Installing Oracle section on page 2-22.

Installing the Database


Before you install Fabric Manager, you must install a database. As of Cisco MDS NX-OS Release 4.1(1)
and later, Fabric Manager is packaged with PostgreSQL and Oracle Database 10g Express databases.
You can install the database of your choice using Fabric Manager from the CD-ROM or from Cisco.com.
If the database is present, the Fabric Manager installer will upgrade it to the latest version.

Note If you are installing Cisco SAN-OS Release 3.1(2b) or later, you can also use Oracle Database 10g
Express. Your other choice is PostgreSQL.

Note Be sure to back up all of the RRD files in $INSTALL/pm/db before the upgrade.

Directory Structure
As of Cisco MDS NX-OS Release 4.1(3a), the directory structure has changed to accommodate its future
integration with Nexus 5000 products. By default, the Fabric Manager components are installed on your
computer's hard drive, in the C:\Program Files\ folder. The installation path is the root directory on your
computer, such as C:\Program Files\Cisco Systems. Fabric Manager and databases are installed in
application directories, such as C:\Program Files\Cisco Systems\DCM\FM. Table 2-2 and Table 2-3
describe the directory structure for Windows, UNIX and Solaris operating systems.

Table 2-2 Directory Structure (Windows)

Directory                                                     Description
C:\Program Files\Cisco Systems\                               Home directory for Cisco products.
C:\Program Files\Cisco Systems\DCM\                           Home directory for Cisco Data Center Management products.
C:\Program Files\Cisco Systems\DCM\FM                         Home directory for Fabric Manager and Device Manager.
C:\Program Files\Cisco Systems\DCM\JBOSS-4.2.2.GA             Home directory for JBoss (Fabric Manager Server infrastructure).
C:\Program Files\Cisco Systems\DCM\DB                         Home directory for database (Oracle and PostgreSQL).
C:\Program Files\Cisco Systems\DCM\JRE                        Home directory for Java Runtime Environment.
C:\Program Files\Cisco Systems\DCM\JBOSS-4.2.2.GA\SERVER\FM   Home directory for Fabric Manager Server.

Table 2-3 Directory Structure (Unix and Solaris)

Directory                                       Description
/usr/local/cisco                                Home directory for Cisco products.
/usr/local/cisco/dcm/                           Home directory for Cisco Data Center Management products.
/usr/local/cisco/dcm/fm                         Home directory for Fabric Manager and Device Manager.
/usr/local/cisco/dcm/jboss-4.2.2.GA             Home directory for JBoss (Fabric Manager Server infrastructure).
/usr/local/cisco/dcm/db                         Home directory for database (Oracle and PostgreSQL).
/usr/local/cisco/dcm/jboss-4.2.2.GA/server/fm   Home directory for Fabric Manager Server.

Installing Oracle

Note We recommend the Oracle Database 10g Express option for all users who are running Performance
Manager on large fabrics (1000 or more end devices). If you want to use Oracle Database 10g Express,
you must install the database and create a user name and password before continuing with the Fabric
Manager installation.

To install the Oracle Database 10g Express, follow these steps:

Step 1 Click the following link to install Oracle Database 10g Express.
http://www.oracle.com/technology/software/products/database/xe/index.html

Note If you have another instance of Oracle already installed on a PC, we recommend that you do not
install the Oracle database on the same PC. In such cases, Fabric Manager can only use the
PostgreSQL database.

Step 2 Run OracleXE.exe to install the Oracle database. Set the password for the system user. The database
administrator uses the password to manage and administer Oracle Database 10g Express server, which
is installed by the Oracle installer.
Step 3 Finish the installation and verify that both services (OracleServiceXE and OracleXETNSListener) are
running from the Services window.
Step 4 Run the following script to change the default Oracle admin port and to create a database account.
C:\> cd c:\oraclexe\app\oracle\product\10.2.0\server\bin
C:\oraclexe\app\oracle\product\10.2.0\server\bin>sqlplus / as sysdba
SQL> exec dbms_xdb.sethttpport(8082);
SQL> GRANT CONNECT,RESOURCE,UNLIMITED TABLESPACE TO SCOTT IDENTIFIED BY TIGER;
SQL> EXIT;

Note The Oracle Database 10g Express option is only supported on Microsoft Windows. It is not
supported on UNIX systems.

Note For information about backing up the Oracle database, go to this location:
http://download.oracle.com/docs/cd/B25329_01/doc/admin.102/b25107/backrest.htm#i1004902. You
can also use the exp/imp utility at this location:
http://download.oracle.com/docs/cd/B25329_01/doc/admin.102/b25107/impexp.htm#BCEEDCIB.

Note To back up the PostgreSQL database, run the pg_dump utility. For more information, go to this location:
http://www.postgresql.org/docs/8.1/static/app-pgdump.html.

Note For information about installing Oracle Database 10g and Oracle Database 11g Enterprise Editions, go
to this location: http://www.oracle.com/technology/software/products/database/index.html.

If you are using the Oracle database, you need to install the Oracle JDBC (Java Database Connectivity)
component for Fabric Manager to connect to the database. For more information refer to the Java
Database Connectivity section on page 2-19.

Increasing UDP Buffer Size


If the Fabric Manager SNMP packet log shows an SNMP VarBind decode error, the UDP buffer size is
low and the buffer size needs to be increased.
To increase the UDP buffer size, do the following:

Step 1 For Solaris 8, ensure that the UDP buffer size is at least 64 K.
ndd -set /dev/udp udp_recv_hiwat 65535
ndd -set /dev/udp udp_xmit_hiwat 65535

Step 2 Add the following setting in /etc/system, so that the buffer size will be in effect even after a reboot.
set ndd:udp_recv_hiwat=65535
set ndd:udp_xmit_hiwat=65535

Note Before starting the installation, make sure that you have logged in as a Superuser.

Database Backup and Restore-PostgreSQL


The Fabric Manager uses the PostgreSQL database as the default database. The Fabric Manager backup
utility uses the PostgreSQL pg_dump utility to dump all of the database content to an ASCII dump file.
The restore utility uses PostgreSQL to recreate data using the dump file.

The dump file represents a snapshot of the database at the time of backup.

Backup
To perform a backup of the Fabric Manager database, enter these commands on Linux/Solaris. Assume
INSTALLDIR is the top directory of the Fabric Manager installation.
cd $INSTALLDIR/bin
./pgbackup.sh 02252008.data

The backup file 02252008.data will be created in the $INSTALLDIR/bin directory. If you want to create it
in a standard backup directory, provide the full path name of the dump file.

Restore
To restore the Fabric Manager database, you must have a good backup file, and you must stop the Fabric
Manager server before restoration. To run the restore, enter these commands on Linux/Solaris. Assume
INSTALLDIR is the top directory of the Fabric Manager installation.
cd $INSTALLDIR/bin
./FMServer.sh stop
./pgrestore.sh 02252008.data
./FMServer.sh start
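
The backup and restore commands above can be wrapped so that the dump, which holds all of the database content, is written with owner-only permissions and is checked before it is restored. This is an added example, not a script shipped with Fabric Manager; the function names and the .cksum sidecar file are assumptions, while pgbackup.sh, pgrestore.sh and FMServer.sh are the scripts named in the steps above.

```shell
#!/bin/sh
# Added example (not from the Cisco guide). Function names and the ".cksum"
# sidecar file are illustrative; pgbackup.sh, pgrestore.sh and FMServer.sh
# are the scripts named in the backup and restore steps.

# is_full_path PATH: succeeds only for an absolute path.
is_full_path() {
    case $1 in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# fm_backup INSTALLDIR BACKUPDIR
# Writes BACKUPDIR/MMDDYYYY.data (same naming as 02252008.data) readable only
# by the invoking user, records a checksum next to it, prints the dump path.
fm_backup() {
    installdir=$1
    backupdir=$2
    is_full_path "$backupdir" || {
        echo "backup directory must be a full path" >&2; return 1; }
    [ -x "$installdir/bin/pgbackup.sh" ] || {
        echo "pgbackup.sh not found under $installdir/bin" >&2; return 1; }
    dump="$backupdir/$(date +%m%d%Y).data"
    (
        umask 077          # the dump holds all database content
        mkdir -p "$backupdir" && cd "$installdir/bin" &&
            ./pgbackup.sh "$dump" >/dev/null
    ) || return 1
    [ -s "$dump" ] || { echo "empty or missing dump: $dump" >&2; return 1; }
    chmod 600 "$dump"
    # The CRC from cksum catches truncation and corruption, not deliberate edits.
    cksum < "$dump" > "$dump.cksum"
    echo "$dump"
}

# fm_verify_backup DUMP: succeeds if DUMP is non-empty and matches its checksum.
fm_verify_backup() {
    [ -s "$1" ] && [ -f "$1.cksum" ] || return 1
    [ "$(cksum < "$1")" = "$(cat "$1.cksum")" ]
}

# fm_restore INSTALLDIR DUMP
# Verifies the dump first, then stops the server, restores, and restarts it.
# If verification fails the server is left running and nothing is changed.
fm_restore() {
    installdir=$1
    dump=$2
    is_full_path "$dump" || { echo "dump must be a full path" >&2; return 1; }
    fm_verify_backup "$dump" || {
        echo "refusing to restore, verification failed: $dump" >&2; return 1; }
    (
        cd "$installdir/bin" &&
            ./FMServer.sh stop &&
            ./pgrestore.sh "$dump" &&
            ./FMServer.sh start
    )
}

# Usage: script backup INSTALLDIR BACKUPDIR | script restore INSTALLDIR DUMP
case "${1:-}" in
    backup)  fm_backup "$2" "$3" ;;
    restore) fm_restore "$2" "$3" ;;
esac
```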

Importing PM Statistics Data to Fabric Manager


To manually import existing Performance Manager statistics data to Fabric Manager, follow these steps:

Step 1 Stop the Fabric Manager Server.


Step 2 Copy the existing RRD file (from a prior installation) to $INSTALLDIR/pm/db.
Step 3 Run the $INSTALLDIR/bin/pm.bat s.
Step 4 Restart the Fabric Manager Server.
Step 5 Add the fabric to the Performance Manager collection using WebClient.
The Performance Manager historic statistics are available on WebClient after the application has been
running for an hour.

Installing Fabric Manager


As of Cisco MDS NX-OS Release 4.1(3a), Fabric Manager is no longer packaged with a Cisco MDS
9000 Family switch. You must install Fabric Manager from the CD-ROM or from Cisco.com. When you
install Fabric Manager software, the Device Manager is installed by default.

Note Users installing Fabric Manager must have full administrator privileges to create user accounts and start
services. Users should also have access to all ports. These are the ports used by Fabric Manager Server
and the PostgreSQL database: 1098, 1099, 4444, 4445, 8009, 8083, 8090, 8092, 8093, 514, 5432.
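
To see which of the ports in the note above are bound to addresses that other hosts can reach, the server's listening sockets can be compared against that list. The following is an added example, not part of the Cisco guide; the function name fm_exposed_ports and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): report which of the ports the
# note lists have a listener reachable from other hosts.

# Port list copied from the note above.
FM_PORTS="1098 1099 4444 4445 8009 8083 8090 8092 8093 514 5432"

# fm_exposed_ports: reads "netstat -an" output on stdin (Linux or Windows
# column layout) and prints "port proto address" for every listed port that
# is bound to a non-loopback address.
fm_exposed_ports() {
    awk -v ports="$FM_PORTS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        {
            proto = tolower($1)
            if (proto ~ /^tcp/) {
                # Only listening TCP sockets matter, not established sessions.
                if ($0 !~ /LISTEN/) next
            } else if (proto !~ /^udp/) {
                next            # header or unrelated line
            }
            # Linux prints Recv-Q and Send-Q before the local address.
            laddr = ($2 ~ /^[0-9]+$/) ? $4 : $2
            k = split(laddr, part, ":")
            port = part[k]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (!(port in want)) next
            # Loopback-only listeners are not reachable from the network.
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            key = proto " " laddr
            if (!(key in seen)) {
                seen[key] = 1
                print port, proto, addr
            }
        }
    '
}

# Constructed sample input mixing Linux and Windows "netstat -an" layouts.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:5432           10.0.0.9:51514          ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
tcp6       0      0 :::8093                 :::*                    LISTEN
  TCP    0.0.0.0:1099           0.0.0.0:0              LISTENING'

# Demo on the constructed sample. On a server: netstat -an | fm_exposed_ports
printf '%s\n' "$SAMPLE_NETSTAT" | fm_exposed_ports
```

Ports reported here are the ones a host firewall or bind-address change would need to cover; a port that appears only on a loopback address is not listed.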

For switches running Cisco MDS 9000 FabricWare, you must install Fabric Manager from the CD-ROM
included with your switch, or you can download Fabric Manager from Cisco.com.

To download the software from Cisco.com, go to the following website:
http://cisco.com/cgi-bin/tablebuild.pl/mds-fm
To install Fabric Manager on Solaris, follow these steps:

Step 1 Set Java 1.5 to the path that is to be used for installing Fabric Manager.
Step 2 Copy the Fabric Manager jar file m9000-fm-3.2.0.136.jar from the CD-ROM to a folder on the Solaris
workstation.
Step 3 Launch the installer using the following command:
java -Xms512m -Xmx512m -jar m9000-fm-3.2.0.136.jar

Step 4 Follow the on-screen instructions provided in the Fabric Manager management software setup wizard.

When you connect to the server for the first time, Fabric Manager checks to see if you have the correct
Sun Java Virtual Machine version installed on your workstation. Fabric Manager looks for version 1.5(x)
during installation. If required, install the Sun Java Virtual Machine software.

Note You can run CiscoWorks on the same PC as Fabric Manager, even though the Java requirements are
different. When installing the later Java version for Fabric Manager, make sure it does not overwrite the
earlier Java version required for CiscoWorks. Both versions of Java can coexist on your PC.

Note On Windows, remote Fabric Manager installations or upgrades should be done through the console using
VNC or through the Remote Desktop Client (RDC) in console mode (ensuring RDC is used with the
/Console option). This is very important if the default PostgreSQL database is used with Fabric
Manager, because this database requires the local console for all installations and upgrades.

Note Before installing Cisco Fabric Manager on a Windows Vista system, turn the User Account Control
(UAC) off. To turn off UAC, select Start > Control Panel > User Accounts > Turn User Account
Control on or off, clear the Use User Account Control (UAC) to help protect your computer check
box, and then click OK. Click Restart Now to apply the change.

Note Telnet Client application is not installed by default on Microsoft Windows Vista. To install Telnet Client,
select Start > Programs > Control Panel > Click Turn Windows features on or off (if you have UAC
turned on you will need to give it the permission to continue). Check the Telnet Client check box and
then click OK.

As of Cisco MDS NX-OS Release 4.1(3a), Fabric Manager has an express installation option. When you
select this option, Fabric Manager will be installed on your computer with a set of default user
credentials. If the PostgreSQL database is not present on your computer, the installer will install
PostgreSQL. If the PostgreSQL database is present, the installer will upgrade it to the latest version. You
may change the default credentials after the installation is complete.
To install (Express) Fabric Manager on Windows, follow these steps:

Step 1 Click the Install Management Software link.


Step 2 Choose Management Software > Cisco Fabric Manager.
Step 3 Click the Installing Fabric Manager link.
Step 4 Click the FM Installer link.
You see the welcome message in the Cisco Fabric Manager Installer window shown in Figure 2-3.

Figure 2-3 Welcome to the Management Software Setup Wizard

Step 5 Click the Express radio button, and then click Next to begin express installation.
Step 6 Check the I accept the terms of the License Agreement check box, and then click Next.

Note Fabric Manager express installation option uses admin as the user name and password as the user
password. The user may change the password after the installation is complete.

Note Fabric Manager express installation option installs the PostgreSQL database with admin as the
user name and password_1_2_3 as the user password. The user may change the password after
the installation is complete.

You see the default credentials in the Cisco Fabric Manager Installer window shown in Figure 2-4.

Figure 2-4 Default User Credentials

Step 7 Click Install.


Once the installation is finished, you see an installation completed message in the Cisco Fabric Manager
Installer window shown in Figure 2-5.

Figure 2-5 Install Complete

Note You can choose to launch Fabric Manager or Device Manager by checking the Launch Fabric
Manager or Launch Device Manager check boxes. Icons for Fabric Manager and Device
Manager are automatically created on the desktop.

Step 8 Click Finish to close the Cisco Fabric Manager Installer window.
To install (Custom) Fabric Manager on Windows, follow these steps:

Step 1 Click the Install Management Software link.


Step 2 Choose Management Software > Cisco Fabric Manager.
Step 3 Click the Installing Fabric Manager link.
Step 4 Click the FM Installer link.
You see the welcome message in the Cisco Fabric Manager Installer window shown in Figure 2-6.

Figure 2-6 Welcome to the Management Software Setup Wizard

Step 5 Click the Custom radio button, and then click Next to begin the installation.
Step 6 Check the I accept the terms of the License Agreement check box, and then click Next.
You see the Install Options dialog box shown in Figure 2-7.

Figure 2-7 Install Options Dialog Box

Step 7 Click the radio button for either:


a. Fabric Manager Server (Licensed) to install the server components for Fabric Manager Server.
b. Fabric Manager Standalone to install the standalone version of Fabric Manager.

Note You should verify that the Fabric Manager Server hostname entry exists on the DNS server, unless the
Fabric Manager Server is configured to bind to a specific interface during installation.

Note Fabric Manager Standalone is a single application containing Fabric Manager Client and a local version
of Fabric Manager Server bundled together. Fabric Manager Standalone allows you to discover and
monitor the immediate fabric.

Step 8 Select an installation folder on your workstation for Fabric Manager. On Windows, the default location
is C:\Program Files\Cisco Systems\MDS 9000. On a UNIX (Solaris or Linux) machine, the installation
path name is /usr/local/cisco_mds9000 or $HOME/cisco_mds9000, depending on the permissions of
the user doing the installation.
Step 9 Click Next.
You see the Database Options dialog box shown in Figure 2-8.

Figure 2-8 Database Options Dialog Box

Step 10 Click the radio button for either Install PostgreSQL or Use existing DB to specify which database you
want to use.
If you choose Install PostgreSQL, accept the defaults and enter a password. The PostgreSQL database
will be installed.

Note If you choose to install PostgreSQL, you must disable any security software you are running, because
it may prevent PostgreSQL from installing certain folders or users.

Note Before you install PostgreSQL, remove cygwin/bin from your PATH environment variable if Cygwin
is running on your system.

Step 11 If you select Use existing DB, click the radio button for either PostgreSQL 8.1/8.2 or Oracle10g.
Step 12 Click Next in the Database Options dialog box.
You see the User Options dialog box shown in Figure 2-9.

Figure 2-9 User Options Dialog Box

Step 13 Enter a user name and password and click Next.


You see the Authentication Options dialog box shown in Figure 2-10.

Figure 2-10 Authentication Options Dialog Box

Step 14 Choose an authentication mode (Local, RADIUS, TACACS or MDS) and click Next.

Note When the MDS radio button is selected, the FM authentication uses the user database in the
switch for authentication.

Step 15 Click Verify to test your login.


You see the Configuration Options dialog box for Fabric Manager Standalone shown in Figure 2-11.

Figure 2-11 Configuration Options Dialog Box for Fabric Manager Standalone

Step 16 Check the FC Alias and SNMPv3 check boxes as desired and click Install if you are installing Fabric
Manager Standalone.
You see the Configuration Options dialog box for Fabric Manager Server shown in Figure 2-12.

Figure 2-12 Configuration Options Dialog Box for Fabric Manager Server

Step 17 Select the local interface, web server port or Fabric Manager server port and check the FC Alias and
SNMPv3 check boxes as desired. Click Install if you are installing Fabric Manager Server. You see the
installation progress in the Cisco Fabric Manager Installer window as shown in Figure 2-13.

Note You can change the Fabric Manager Server port number to a port that is not used by any other
application.

Note You should verify that the Fabric Manager Server hostname entry exists on the DNS server,
unless the Fabric Manager Server is configured to bind to a specific interface during installation.

Note If you check the Use HTTPS Web Server check box, the Web Server Port field is grayed out
and the default port is 443.

Note If you select a specific IP address during installation and later change the server host IP address, you
must modify the following two files, both located in the $INSTALL/conf directory. Change
server.bindaddrs to the new IP address in the server.properties file and change
wrapper.app.parameter.4 to the new IP address in the FMServer.conf file.

Figure 2-13 Progress of Installation

Once the installation is finished, you see an installation completed message in the Cisco Fabric Manager
Installer window shown in Figure 2-14.

Figure 2-14 Install Complete

Note If you installed Fabric Manager Standalone, you can choose to launch Fabric Manager or Device
Manager by checking the Launch Fabric Manager or Launch Device Manager check boxes.
Icons for Fabric Manager and Device Manager are automatically created on the desktop.

Step 18 Click Finish to close the Cisco Fabric Manager Installer window.
If you installed Fabric Manager Server, icons for Fabric Manager and Device Manager are not created
on the desktop until you launch Fabric Manager Client. Follow the instructions in the "Launching Fabric
Manager Client in Cisco SAN-OS Release 3.2(1) and Later" section on page 5-2 to launch Fabric
Manager Client.

If you checked the Create shortcuts check box, a Cisco MDS 9000 program group is created under Start
> Programs on Windows. This program group contains shortcuts to batch files in the install directory.
On a UNIX (Solaris or Linux) machine, shell scripts are created in the install directory. The shell script
that runs the program equivalent to the Windows service is FMServer.sh. All the server-side data and
Performance Manager data are stored in the install directory.
Fabric Manager Client cannot run without Fabric Manager Server. The server component is downloaded
and installed when you download and install Fabric Manager. On a Windows machine you install the
Fabric Manager Server as a service. This service can then be administered using Services in the
Microsoft Windows Control Panel. The default setting for the Fabric Manager Server service is that the
server is automatically started when the machine is rebooted. You can change this behavior by modifying
the properties in Services.
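
The note under Step 17 requires the same new address in two files when the server host IP address changes. The following is an added example, not part of the Cisco guide: it updates both values together and reports when the two files disagree. The `key=value` line layout of both files and the sample contents are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed samples; real files contain many more settings.
SAMPLE_SERVER_PROPERTIES = (
    "# constructed sample of $INSTALL/conf/server.properties\n"
    "server.port = 9099\n"
    "# server.bindaddrs = 0.0.0.0\n"
    "server.bindaddrs = 192.0.2.10\n"
)
SAMPLE_FMSERVER_CONF = (
    "# constructed sample of $INSTALL/conf/FMServer.conf\n"
    "wrapper.app.parameter.4=192.0.2.10\n"
    "wrapper.app.parameter.40=placeholder\n"
)


def _set_key(text, key, value):
    """Replace the value on the single active `key = value` line."""
    pattern = re.compile(r"^(\s*" + re.escape(key) + r"\s*=\s*)(\S*)(.*)$")
    out, hits = [], 0
    for line in text.splitlines():
        match = pattern.match(line)
        if match:  # commented-out lines start with '#' and never match
            hits += 1
            line = match.group(1) + value + match.group(3)
        out.append(line)
    if hits != 1:
        raise ValueError(f"expected one active {key} line, found {hits}")
    return "\n".join(out) + "\n"


def _get_key(text, key):
    """Return the value of the single active `key` line, or None."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(\S*)")
    values = [m.group(1) for m in map(pattern.match, text.splitlines()) if m]
    return values[0] if len(values) == 1 else None


def rebind(server_properties, fmserver_conf, new_ip):
    """Return both file texts with the bind address set to new_ip."""
    ip = str(ipaddress.ip_address(new_ip))  # ValueError on a malformed address
    return (
        _set_key(server_properties, "server.bindaddrs", ip),
        _set_key(fmserver_conf, "wrapper.app.parameter.4", ip),
    )


def bind_drift(server_properties, fmserver_conf):
    """Return None when both files name the same address, else the pair."""
    a = _get_key(server_properties, "server.bindaddrs")
    b = _get_key(fmserver_conf, "wrapper.app.parameter.4")
    return None if a is not None and a == b else (a, b)


if __name__ == "__main__":
    props, conf = rebind(SAMPLE_SERVER_PROPERTIES, SAMPLE_FMSERVER_CONF, "192.0.2.20")
    print(props, conf, bind_drift(props, conf), sep="\n")
```

Running `bind_drift` on the two files after a manual edit catches the case where only one of them was changed.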

Installing Device Manager


To install Device Manager on your workstation, follow these steps:

Step 1 Enter the IP address of the switch in the Address field of your browser.
You see the Installation window for Device Manager shown in Figure 2-15.

Figure 2-15 Device Manager Installation Window

Step 2 Click the Cisco Device Manager link.


You see the welcome to the management software setup wizard message in the Cisco Device Manager
Installer window shown in Figure 2-16.

Figure 2-16 Welcome to the Management Software Setup Wizard Window

Step 3 Click Next to begin the installation.


Step 4 Check the I accept the terms of the License Agreement check box and click Next.

Step 5 Select an installation folder on your workstation for Device Manager. On Windows, the default location
is C:\Program Files\Cisco Systems\MDS 9000. On a UNIX (Solaris or Linux) machine, the installation
path name is /usr/local/cisco_mds9000 or $HOME/cisco_mds9000, depending on the permissions of the
user doing the installation.
Step 6 Click Install.
Once the installation is finished, you see an installation completed message in the Cisco Device Manager
Installer window shown in Figure 2-17.

Figure 2-17 Install Complete

Step 7 Click Finish to close the Cisco Device Manager Installer window.

Creating FM/DM Shortcut Manually


The FM/DM shortcut on the desktop is available only when launching the application for the first time.
The shortcut is not offered when you launch Fabric Manager from the FM download page.
To create the FM/DM shortcut on the desktop, follow these steps:

Step 1 Navigate to Control Panel > Java.
Double-click Java.
The Java Control Panel displays as shown in Figure 2-18.

Figure 2-18 Java Control Panel Dialog Box

Step 2 In the Temporary Internet Files area, click View.


The Java Cache Viewer dialog box displays as shown in Figure 2-19.

Figure 2-19 Java Cache Viewer Dialog Box

Step 3 To recreate the shortcut, right-click the application, and select Install Shortcuts from the shortcut
menu, as shown in Figure 2-20.

Figure 2-20 Shortcut Menu

Upgrading the Management Software


If you log into a switch running Cisco MDS SAN-OS with Device Manager and that switch has a later
version of the management software, you are prompted to install the later version. To upgrade the Cisco
MDS Fabric Manager software, follow the instructions described in the "Installing the Management
Software" section on page 2-18. You can also upgrade Device Manager at any time by entering the IP
address or host name of the supervisor module with the later version of software in the Address field of
your browser. You will need a new CD to upgrade Fabric Manager.

Note As of Cisco MDS SAN-OS Release 3.x, downgrades are not supported through the installer. To
downgrade Fabric Manager or Device Manager to an earlier release, you need to manually uninstall first
and then reinstall the previous version of Fabric Manager or Device Manager.

Upgrading Fabric Manager Server and Fabric Manager Standalone Version Using the Fabric Manager Update Installer

As of Release 3.3(1a), you can use the Cisco MDS 9000 Fabric Manager Update Installer to upgrade:
- Fabric Manager Server
- Fabric Manager Standalone
The Fabric Manager Update Installer is smaller in size than the Fabric Manager installer, which makes it
easier to download. The update Installer has limited capability to upgrade Fabric Manager Server or the
Fabric Manager Standalone version and it does not have the capability to install a database or the Fabric
Manager Server infrastructure (JBoss). Table 2-4 shows the recommended Fabric Manager upgrade
paths.

Table 2-4 Fabric Manager Upgrade Path Using Update Installer

| Current Version | Upgrading To | Upgrade Path |
|---|---|---|
| 3.0(x) [1] | 3.3(1a) or above | 1. Upgrade to 3.1(x). 2. Upgrade to 3.2(x). 3. Upgrade to 3.3(x) or above by launching the update installer {java -Xmx512m -jar jar_file_name} and then follow the steps to upgrade Fabric Manager. Note: Change the server port to 9099 if you are not upgrading from Release 3.2(2c) in Step 2. |
| 3.1(x) [1] | 3.3(1a) or above | 1. Upgrade to 3.2(x). 2. Upgrade to 3.3(x) or above by launching the update installer {java -Xmx512m -jar jar_file_name} and then follow the steps to upgrade Fabric Manager. Note: Change the server port to 9099 if you are not upgrading from Release 3.2(2c) in Step 1. |
| 3.2(x) | 3.3(1a) or above | 1. Upgrade to 3.3(x) or above by launching the update installer {java -Xmx512m -jar jar_file_name} and then follow the steps to upgrade Fabric Manager. Note: Change the server port to 9099 if you are not upgrading from Release 3.2(2c). |
| 3.3(x) | NX-OS 4.1(1b) | 1. Upgrade to 4.1(x) or above by launching the update installer {java -Xmx512m -jar jar_file_name} and then follow the steps to upgrade Fabric Manager. Note: Change the server port to 9099 if you are not upgrading from Release 3.4(x). |

[1] The gateway upgrade needs to be performed as the HSQL database data cannot be migrated to the new database.

Integrating Cisco Fabric Manager with Other Management Tools

You can use Fabric Manager, Device Manager, and Performance Manager with these management tools:
- Cisco Traffic Analyzer: Allows you to break down traffic by VSANs and protocols and to examine
  SCSI traffic at a logical unit number (LUN) level.
- Cisco Protocol Analyzer: Enables you to examine actual sequences of Fibre Channel frames
  easily using the Fibre Channel and SCSI decoders Cisco developed for Ethereal.
- Cisco Port Analyzer Adapter 2: Encapsulates SPAN traffic (both Fibre Channel control and data
  plane traffic) in an Ethernet header for transport to a Windows PC or workstation for analysis. Both
  the Cisco Traffic Analyzer and Cisco Protocol Analyzer require the PAA to transport MDS SPAN
  traffic to a Windows PC or workstation.
For more information on these tools and how they work together with the Cisco Fabric Manager
management applications, see Chapter 66, "Troubleshooting Your Fabric."

Running Fabric Manager Behind a Firewall


For Windows PCs running Fabric Manager, Device Manager, and Performance Manager behind a
firewall, certain ports need to be available.
By default, Fabric Manager Client and Device Manager use the first available UDP port for sending and
receiving SNMP responses. The UDP SNMP trap local ports are 1162 for Fabric Manager, and 1163 or
1164 for Device Manager. Fabric Manager Server also opens TCP RMI port 9099.
In Fabric Manager Release 2.1(2) or later, you can select the UDP port that Fabric Manager Client or
Device Manager uses for SNMP responses by uncommenting the following statement:

- On a Windows desktop, uncomment the following in the FabricManager.bat or DeviceManager.bat
  file in the C:\Program Files\Cisco Systems\MDS9000\bin directory:
  rem JVMARGS=%JVMARGS% -Dsnmp.localport=9001

- On a UNIX desktop, uncomment the following in the FabricManager.sh or DeviceManager.sh file
  in the $HOME/.cisco_mds9000/bin directory:
  # JVMARGS=$JVMARGS -Dsnmp.localport=9001

In Fabric Manager Release 3.2(1) or later, Fabric Manager Client initiates communication with Fabric
Manager Server on port 9099 for Java Naming and Directory Interface (JNDI) lookup. Fabric
Manager Server redirects the client to 1098 and JBoss directs the request to the appropriate service.
Fabric Manager Server proxy services use a configurable TCP port (9198 by default) for SNMP
communications between the Fabric Manager Client or Device Manager and Fabric Manager Server.
The Fabric Manager Server component requires two predictable TCP ports to be opened on the firewall
for an incoming connection:
server.port = 9099
server.data.port = 9100
As long as these two ports are open, Fabric Manager Client can connect to the server. Other TCP ports
connected to Fabric Manager Client are initiated by the server, which is behind the firewall.
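
The inbound requirement described above can be checked against an export of firewall rules. The following is an added example, not part of the Cisco guide: it reads server.port and server.data.port from server.properties text, falls back to the defaults 9099 and 9100 given above, and reports required ports with no inbound TCP allow rule as well as allow rules that open other inbound TCP ports, for review. The rule dictionaries and the sample file contents are constructed for illustration.

```python
import re

# Defaults the guide gives for the two inbound TCP ports.
DEFAULT_PORTS = {"server.port": 9099, "server.data.port": 9100}

# Constructed sample: server.data.port is commented out, so the default applies.
SAMPLE_PROPERTIES = (
    "# constructed sample, not a real server.properties\n"
    "server.port = 9099\n"
    "# server.data.port = 9101\n"
)

# Constructed rule export: direction, protocol, inclusive port range, action.
SAMPLE_RULES = [
    {"name": "fm-rmi", "direction": "in", "protocol": "tcp",
     "ports": (9099, 9099), "action": "allow"},
    {"name": "jboss-invokers", "direction": "in", "protocol": "tcp",
     "ports": (4444, 4445), "action": "allow"},
    {"name": "snmp-trap", "direction": "in", "protocol": "udp",
     "ports": (2162, 2162), "action": "allow"},
]

_PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text):
    """Parse Java-style properties text into a dict, skipping comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = _PROP_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def required_inbound_ports(properties_text):
    """Return {setting: port} for the two ports clients must reach."""
    props = parse_properties(properties_text)
    ports = {}
    for key, default in DEFAULT_PORTS.items():
        value = props.get(key, str(default))
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            raise ValueError(f"{key} is not a valid TCP port: {value!r}")
        ports[key] = int(value)
    return ports


def audit_rules(properties_text, rules):
    """Return (missing, extra).

    missing: required settings not covered by any inbound TCP allow rule.
    extra:   (rule name, count) for inbound TCP allow rules that open
             ports other than the required ones.
    """
    required = required_inbound_ports(properties_text)
    inbound = [r for r in rules
               if (r["direction"], r["protocol"], r["action"]) == ("in", "tcp", "allow")]
    missing = sorted(
        key for key, port in required.items()
        if not any(r["ports"][0] <= port <= r["ports"][1] for r in inbound)
    )
    needed = set(required.values())
    extra = []
    for rule in inbound:
        low, high = rule["ports"]
        surplus = (high - low + 1) - sum(1 for p in needed if low <= p <= high)
        if surplus:
            extra.append((rule["name"], surplus))
    return missing, extra


if __name__ == "__main__":
    print(audit_rules(SAMPLE_PROPERTIES, SAMPLE_RULES))
```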
The following table lists all ports used by Fabric Manager applications:

| Used By | Communication Type | Port(s) Used |
|---|---|---|
| All Applications | SSH | Port 22 (TCP) |
| All Applications | Telnet | Port 23 (TCP) |
| All Applications | HTTP | Port 80 (TCP) |
| All Applications | TFTP | Port 69 (UDP) |
| All Applications | SNMP | Port 161 (UDP) |
| All Applications | Syslog | Port 514 (UDP) |
| Fabric Manager Server and Performance Manager | SNMP_TRAP | Port 2162 (UDP) |
| Fabric Manager Server and Performance Manager | SNMP | Picks a random free local port (UDP) or 9198 (TCP) if SNMP proxy is enabled. Can be changed in server.properties. |
| Fabric Manager Server and Performance Manager | Java RMI | Ports 9099, 9100 (TCP) |
| Fabric Manager Client | SNMP | Picks a random free local port (UDP) if SNMP proxy is enabled. Can be changed with the client -Dsnmp.localport option. |
| Fabric Manager Client | Java RMI | Picks a free local port between 19199 and 19399 (TCP). Can be changed with the client -Dclient.portStart and -Dclient.portEnd options. For example, -Dclient.portStart = 19199 -Dclient.portEnd = 19399. |
| Device Manager | SNMP_TRAP | Picks a free local port between 1163 and 1170 (UDP). |
| Device Manager | SNMP | Picks a random free local port (UDP) or 9198 (TCP) if SNMP proxy is enabled. Can be changed in server.properties. |
| Port(s) Used/Type | Service Descriptor | Service Name | Attribute Name | Description |
|---|---|---|---|---|
| 1098 (TCP) | conf/jboss-service.xml | jboss:service=Naming | RMI Naming Service Port | This port is for JNDI based naming services. The client looks up this port for JNDI binding objects and resources. |
| 9099 (TCP) | conf/jboss-service.xml | jboss:service=Naming | Bootstrap JNP Port (FM changed 1099 to 9099) | This port is for JNDI based naming services. The client looks up this port for JNDI binding objects and resources. |
| 4444 (TCP) | conf/jboss-service.xml | jboss:service=invoker,type=jrmp | RMI/JRMP ObjectPort | The org.jboss.invocation.jrmp.server.JRMPInvoker class is an MBean service that provides the RMI/JRMP implementation of the Invoker interface. The JRMPInvoker exports itself as an RMI server so that when it is used as the Invoker in a remote client, the JRMPInvoker stub is sent to the client instead. |
| 4445 (TCP) | conf/jboss-service.xml | jboss:service=invoker,type=pooled | Pooled Invoker | The org.jboss.invocation.pooled.server.PooledInvoker is an MBean service that provides RMI over a custom socket transport implementation of the Invoker interface. The PooledInvoker exports itself as an RMI server so that when it is used as the Invoker in a remote client, the PooledInvoker stub is sent to the client instead and invocations use a custom socket protocol. |
| 8009 (TCP) | deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml | jboss.web:service=WebServer? | AJP Connector | The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for invisibly integrating JBoss Web into an existing or a new Apache server. |
| 8083 (TCP) | conf/jboss-service.xml | jboss:service=WebService | RMI dynamic class loader port | The WebService MBean provides dynamic class loading for RMI access to the server EJBs. Used for web service |
| 8092 (TCP) | deploy/jms/oil2-service.xml | jboss.mq:service=InvocationLayer?,type=OIL2 | Optimized Invocation Layer for JMS | This port is used for JBossMQ services. JBossMQ is composed of several services working together to provide JMS API level services to client applications. Optimized Invocation Layer is a service used by JMS client. |
| 8093 (TCP) | deploy/jms/uil2-service.xml | jboss.mq:service=InvocationLayer?,type=UIL2 | Unified Invocation Layer for JMS | This port is used for JBossMQ services. JBossMQ is composed of several services working together to provide JMS API level services to client applications. Unified Invocation Layer is a service used by JMS client. |
| 3873 (TCP) | Service end point for EJB3 aspect service | JBoss EJB3 Aspect Service Deployer | JBoss EJB3 Invoker | This port is used by the client to communicate with EJB3 (Enterprise JavaBean 3.0) services on JBoss Server. |

Uninstalling the Management Software


To uninstall the Fabric Manager applications on a Windows PC, follow these steps:

Step 1 Close all running instances of Fabric Manager and Device Manager.
Step 2 Select Start > Programs > Cisco MDS 9000 > Uninstall to run the uninstall.bat script.
Step 3 When you are prompted with the following message, type Y.
Are you sure you want to Uninstall? Press 'Y' to uninstall, 'A' to remove all files or 'N' to exit. [Y/A/N]

Note When you uninstall the application, the installer will not remove the database as it is shared with
other DCM applications. Option A will remove all the log files and client preferences. Option
Y will not remove the log files and client preferences.

Note Starting from NX-OS Release 4.1(3a), when you uninstall Fabric Manager Server, only Fabric
Manager is removed. JBoss and the database, either PostgreSQL or Oracle, are not removed
because they might be shared with other applications such as Cisco DCNM.

You can also run the batch file (located in the C:\Program Files\Cisco Systems\MDS 9000 folder by
default) directly from the command line.

Note For older installations, delete the .cisco_mds9000 folder. Manually delete all desktop icons and
program menu items.

On a Windows PC, this folder is created under the Documents and Settings folder (for example,
d:\Documents and Settings\Administrator\.cisco_mds9000 if you had installed it as user
Administrator). On a UNIX machine, the default installation folder is /usr/bin.

To uninstall the Fabric Manager applications on a UNIX machine, follow these steps:

Step 1 For all releases starting with Release 2.x, run the shell script
$HOME/cisco_mds9000/Uninstall.sh or /usr/local/cisco_mds9000/uninstall.sh, depending on where
Fabric Manager was installed.
Step 2 For all releases starting with Release 1.3(1), run the shell script
$HOME/.cisco_mds9000/Uninstall.sh or /usr/local/.cisco_mds9000/uninstall.sh, depending on where
Fabric Manager was installed.
Step 3 For earlier installations, delete the $HOME/.cisco_mds9000 folder.


CHAPTER 3
Fabric Manager Server

Fabric Manager Server is a platform for advanced MDS monitoring, troubleshooting, and configuration
capabilities. No additional software needs to be installed. The server capabilities are an integral part of
the Cisco Fabric Manager software.
This chapter contains the following sections:
- Fabric Manager Server Overview, page 3-1
- Fabric Manager Server Features, page 3-1
- Installing and Configuring Fabric Manager Server, page 3-2
- Managing a Fabric Manager Server Fabric, page 3-3
- Fabric Manager Server Properties File, page 3-4
- Modifying Fabric Manager Server, page 3-6

Fabric Manager Server Overview


Install Cisco Fabric Manager Server on a computer that you want to provide centralized MDS
management services and performance monitoring. SNMP operations are used to efficiently collect
fabric information. The Cisco Fabric Manager software, including the server components, requires about
60 MB of hard disk space on your workstation. Cisco Fabric Manager Server runs on Windows 2000,
Windows 2003, Windows XP, Solaris 8 and 10, and Red Hat Enterprise Linux AS Release 4.
Each computer configured as a Cisco Fabric Manager Server can monitor multiple Fibre Channel SAN
fabrics. Up to 16 clients (by default) can connect to a single Cisco Fabric Manager Server concurrently.
The Cisco Fabric Manager Clients can also connect directly to an MDS switch in fabrics that are not
monitored by a Cisco Fabric Manager Server, which ensures you can manage any of your MDS devices
from a single console.

Fabric Manager Server Features


Cisco Fabric Manager Server has the following features:
- Multiple fabric management: Fabric Manager Server monitors multiple physical fabrics under
  the same user interface. This facilitates managing redundant fabrics. A licensed Fabric Manager
  Server maintains up-to-date discovery information on all configured fabrics so device status and
  interconnections are immediately available when you open the Fabric Manager Client.

- Continuous health monitoring: MDS health is monitored continuously, so any events that
  occurred since the last time you opened the Fabric Manager Client are captured.
- Roaming user profiles: The licensed Fabric Manager Server uses the roaming user profile feature
  to store your preferences and topology map layouts on the server, so that your user interface will be
  consistent regardless of what computer you use to manage your storage networks.

Note You must have the same release of Fabric Manager Client and Fabric Manager Server.

Installing and Configuring Fabric Manager Server


Note Prior to running Fabric Manager Server, you should create a special Fabric Manager administrative user
on each switch in the fabric or on a remote AAA server. Use this user to discover your fabric topology.
See the "Best Practices for Discovering a Fabric" section on page 4-3.

To install Fabric Manager Server and set the initial configuration, follow these steps:

Step 1 Install Fabric Manager and Fabric Manager Server on your workstation. See the "Installing Fabric
Manager Server" section on page 3-2.
Step 2 Log in to Fabric Manager. See the "Launching Fabric Manager Client in Cisco SAN-OS Release 3.2(1)
and Later" section on page 5-2.
Step 3 Set Fabric Manager Server to continuously monitor the fabric. See the "Managing a Fabric Manager
Server Fabric" section on page 3-3.
Step 4 Repeat Step 2 through Step 3 for each fabric that you want to manage through Fabric Manager Server.
Step 5 Install Fabric Manager Web Server. See the "Verifying Performance Manager Collections" section on
page 3-3.
Step 6 Verify Performance Manager is collecting data. See the "Verifying Performance Manager Collections"
section on page 3-3.

Installing Fabric Manager Server


When you install Fabric Manager, the basic version of the Fabric Manager Server (unlicensed) is
installed with it. After you click the Fabric Manager icon, a dialog box opens and you can enter the IP
address of a computer running the Fabric Manager Server component. If you do not see the Fabric
Manager Server IP address text box, click Options to expand the list of configuration options. If the
server component is running on your local machine, leave localhost in that field. If you try to run Fabric
Manager without specifying a valid server, you are prompted to start the Fabric Manager Server locally.
On a Windows PC, you install the Fabric Manager Server as a service. This service can then be
administered using Services in the Administrative Tools. The default setting for the Fabric Manager
Server service is that the server is automatically started when the Windows PC is rebooted. You can
change this behavior by modifying the properties in Services.

Note Starting from NX-OS Release 4.1(3a), when you install a licensed version of the Fabric Manager Server,
it will automatically install Fabric Manager Client.

Unlicensed Versus Licensed Fabric Manager Server


When you install Fabric Manager, the basic unlicensed version of Fabric Manager Server is installed
with it. To get the licensed features, such as Performance Manager, remote client support, and
continuously monitored fabrics, you need to buy and install the Fabric Manager Server package.
However, trial versions of these licensed features are available. To enable the trial version of a feature,
you run the feature as you would if you had purchased the license. You see a dialog box explaining that
this is a demo version of the feature and that it is enabled for a limited time.
If you are evaluating one of these Fabric Manager Server features and want to stop the evaluation period
for that feature, you can do that using Device Manager. See the "Fabric Manager Server Licensing"
section on page 10-17.

Data Migration in Fabric Manager Server


The database migration should be limited to the existing database. Data collision may occur when you
merge data between several databases.
When you upgrade a non-clustering mode database to a clustering mode database for the first time, we
pre-fill the cluster sequence table with values that are larger than the corresponding ones in the sequence
table and that conform to the cluster sequence number format for that server ID.

Verifying Performance Manager Collections


Once Performance Manager collections have been running for five or more minutes, you can verify that
the collections are gathering data by choosing Performance Manager > Reports in Fabric Manager.
You see the first few data points gathered in the graphs and tables.

Managing a Fabric Manager Server Fabric


You can continuously manage a Fabric Manager Server fabric, whether or not a client has that fabric
open. A continuously managed fabric is automatically reloaded and managed by Fabric Manager Server
whenever the server starts.

Selecting a Fabric to Manage Continuously


To continuously manage a fabric using Fabric Manager, follow these steps:

Step 1 Choose Server > Admin.


You see the Control Panel dialog box with the Fabrics tab open (see Figure 3-1).

Note The Fabrics tab is only accessible to network administrators.

Figure 3-1 Fabrics Tab in Control Panel Dialog Box

Note You can pre-configure a user name and password to manage fabrics. In this instance, you should
use a local switch account, not a TACACS+ server.

Step 2 Select one of the following Admin options:


a. Manage Continuously: The fabric is automatically managed when Fabric Manager Server starts
and continues to be managed until this option is changed to Unmanage.
b. Manage: The fabric is managed by Fabric Manager Server until there are no instances of Fabric
Manager viewing the fabric.
c. Unmanage: Fabric Manager Server stops managing this fabric.
Step 3 Click Apply.

Note If you are collecting data on these fabrics using Performance Manager, you should now configure flows
and define the data collections. These procedures are described in Chapter 8, "Performance Manager."

Note As of Cisco MDS NX-OS Release 4.1(3a), the Admin option is set to Manage Continuously by default
for all switches once they are discovered.

Fabric Manager Server Properties File


The Fabric Manager Server properties file (MDS 9000\server.properties) contains a list of properties
that determine how the Fabric Manager Server will function. You can edit this file with a text editor, or
you can set the properties through the Fabric Manager Web Services GUI, under the Admin tab.

Note In Cisco NX-OS Release 4.1(1b) and later, you can optionally encrypt the password in the
server.properties and the AAA.properties files.

The server properties file contains these nine general sections:

GENERAL: Contains the general settings for the server.
SNMP SPECIFIC: Contains the settings for SNMP requests, responses, and traps.
SNMP PROXY SERVER SPECIFIC: Contains the settings for SNMP proxy server configuration
and TCP port designation.
GLOBAL FABRIC: Contains the settings for fabrics, such as discovery and loading.
CLIENT SESSION: Contains the settings for Fabric Manager Clients that can log into the server.
EVENTS: Contains the settings for syslog messages.
PERFORMANCE CHART: Contains the settings for defining the end time to generate a
Performance Manager chart.
EMC CALL HOME: Contains the settings for the forwarding of traps as XML data using e-mail,
according to EMC specifications.
EVENT FORWARD SETUP: Contains the settings for forwarding events logged by Cisco Fabric
Manager Server through e-mail.
The following are new or changed server properties for Fabric Manager Release 3.x:

SNMP Specific
snmp.preferTCP: If this option is set to true, TCP will be the default protocol for the Fabric
Manager Server to communicate with switches. By default, this setting is true. For those switches
that do not have TCP enabled, the Fabric Manager Server uses UDP. The advantage of this
setting is the ability to designate one TCP session for each SNMP user on a switch. It also helps to
reduce timeouts and increase scalability.

Note If you set this option to false, the same choice must be set in Fabric Manager. The default value
of snmp.preferTCP for Fabric Manager is true.

Performance Chart
pmchart.currenttime: Specifies the end time to generate a Performance Manager chart. This
should only be used for debugging purposes.

EMC Call Home


server.callhome.enable: Enables or disables EMC Call Home. By default, it is disabled.
server.callhome.location: Specifies the Location parameter.
server.callhome.fromEmail: Specifies the 'From Email' list.
server.callhome.recipientEmail: Specifies the 'recipientEmail' list.
server.callhome.smtphost: Specifies the SMTP host address for outbound e-mail.
server.callhome.xmlDir: Specifies the path to store the XML message files.
server.callhome.connectType: Specifies the method to use to remotely connect to the server.
server.callhome.accessType: Specifies the method to use to establish remote communication with
the server.
server.callhome.version: Specifies the version number of the connection type.
server.callhome.routerIp: Specifies the public IP address of the RSC router.

Event Forwarding
server.forward.event.enable: Enables or disables event forwarding.
server.forward.email.fromAddress: Specifies the 'From Email' list.
server.forward.email.mailCC: Specifies the 'CC Email' list.
server.forward.email.mailBCC: Specifies the 'BCC Email' list.
server.forward.email.smtphost: Specifies the SMTP host address for outbound e-mail.

Deactivation
deactivate.confirm=deactivate: Specific request for the user to type a string for deactivation.
For more information on setting the server properties, read the server.properties file or see the
"Configuring Fabric Manager Server Preferences" section on page 7-52.
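A lint pass over the properties named in this section, as an added example (not Cisco code and not part of the original guide). The key names come from the guide; the true/false value format for the enable flags, the choice of which mail settings must be non-empty, and every sample value are assumptions.

```python
"""Lint a Fabric Manager server.properties file (added example, not Cisco code)."""
import re

# Constructed sample input. Key names are from the guide; every value is invented.
SAMPLE = """\
# SNMP SPECIFIC
snmp.preferTCP = false
# PERFORMANCE CHART
pmchart.currenttime = 1236000000
# EMC CALL HOME
server.callhome.enable = true
server.callhome.fromEmail = fms@example.test
server.callhome.smtphost =
# EVENT FORWARD SETUP
server.forward.event.enable = true
server.forward.email.fromAddress = fms@example.test
server.forward.email.smtphost = mail.example.test
"""

# Assumption: these are the settings mail delivery cannot work without.
REQUIRED_WHEN_ENABLED = {
    "server.callhome.enable": (
        "server.callhome.smtphost",
        "server.callhome.fromEmail",
        "server.callhome.recipientEmail",
    ),
    "server.forward.event.enable": (
        "server.forward.email.smtphost",
        "server.forward.email.fromAddress",
    ),
}

_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse 'key=value', 'key:value' and 'key value' lines.

    Lines starting with '#' or '!' are comments. Backslash line
    continuations and escapes are not handled in this simplified parser.
    A later duplicate key overrides an earlier one, as in java.util.Properties.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def is_enabled(props, key, default=False):
    """Treat a missing or empty value as the default (assumed true/false format)."""
    value = props.get(key, "")
    return default if value == "" else value.lower() == "true"


def lint(props):
    """Return (key, message) findings in a stable order."""
    findings = []
    # Guide: defaults to true; a false here must be mirrored in the client.
    if not is_enabled(props, "snmp.preferTCP", default=True):
        findings.append(("snmp.preferTCP",
                         "false: set the same choice in Fabric Manager, whose default is true"))
    # Guide: only for debugging, so any value left in place is worth a look.
    if props.get("pmchart.currenttime"):
        findings.append(("pmchart.currenttime",
                         "set: chart end time is overridden; the guide reserves this for debugging"))
    # Alerts that are switched on but cannot be delivered fail silently.
    for flag, required in REQUIRED_WHEN_ENABLED.items():
        if is_enabled(props, flag):
            for key in required:
                if not props.get(key):
                    findings.append((key, "empty or missing while %s is true" % flag))
    return findings


if __name__ == "__main__":
    for key, message in lint(parse_properties(SAMPLE)):
        print("%-32s %s" % (key, message))
```
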

Modifying Fabric Manager Server


Fabric Manager Release 2.1(2) or later allows you to modify certain Fabric Manager Server settings
without stopping and starting the server. These settings include:
Changing the Fabric Manager Server User Name and Password, page 3-7
Changing the Polling Period and Fabric Rediscovery Time, page 3-7

Adding or Removing Fabric Manager Server Users


To add a Fabric Manager Server user or to change the password for an existing user using Fabric
Manager, follow these steps:

Step 1 Click the Local FM Users tab in the Control Panel dialog box (see Figure 3-1). You see a list of Fabric
Manager users.

Note Only network administrators can manage users.

Step 2 Click New to add a user or click the user name and click Edit to change the password for an existing user.
You see the FM User dialog box as shown in Figure 3-2.

Figure 3-2 FM User Dialog Box

Step 3 Set the user name and password for the new user and then click Apply.

To remove a Fabric Manager Server user using Fabric Manager, follow these steps:

Step 1 Click the Local FM Users tab in the Control Panel dialog box (see Figure 3-1). You see a list of Fabric
Manager users.
Step 2 Click the user name you want to delete.
Step 3 Click Remove to delete the user.
Step 4 Click Yes to confirm the deletion or No to cancel it.

Changing the Fabric Manager Server User Name and Password


You can modify the user name or password used to access a fabric from Fabric Manager Client without
restarting Fabric Manager Server.
To change the user name or password used by Fabric Manager Server, follow these steps:

Step 1 Choose Server > Admin.


You see the Control Panel dialog box with the Fabrics tab open (see Figure 3-1).
Step 2 Set the Name or Password for each fabric that you are monitoring with Fabric Manager Server.
Step 3 Click Apply to save these changes.

Changing the Polling Period and Fabric Rediscovery Time


Fabric Manager Server periodically polls the monitored fabrics and periodically rediscovers the full
fabric at a default interval of five cycles. You can modify these settings from Fabric Manager Client
without restarting Fabric Manager Server.

To change the polling period or full fabric rediscovery setting used by Fabric Manager Server using
Fabric Manager, follow these steps:

Step 1 Choose Server > Admin.


You see the Control Panel dialog box with the Fabrics tab open (see Figure 3-1).
Step 2 For each fabric that you are monitoring with Fabric Manager Server, set the Polling Interval to determine
how frequently Fabric Manager Server polls the fabric elements for status and statistics.
Step 3 For each fabric that you are monitoring with Fabric Manager Server, set the Rediscover Cycles to
determine how often Fabric Manager Server rediscovers the full fabric.
Step 4 Click Apply to save these changes.

Using Device Aliases or FC Aliases


You can change whether Fabric Manager uses FC aliases or global device aliases from Fabric Manager
Client without restarting Fabric Manager Server.
To change whether Fabric Manager uses FC aliases or global device aliases using Fabric Manager, follow
these steps:

Step 1 Choose Server > Admin.


You see the Control Panel dialog box with the Fabrics tab open (see Figure 3-1).
Step 2 For each fabric that you are monitoring with Fabric Manager Server, check the Device Alias check box
to use global device aliases, or uncheck to use FC aliases.
Step 3 Click Apply to save these changes.

CHAPTER 4
Authentication in Fabric Manager

Fabric Manager contains interdependent software components that communicate with the switches in
your fabric. These components use varying methods to authenticate to other components and switches.
This chapter describes these authentication steps and the best practices for setting up your fabric and
components for authentication.
This chapter contains the following sections:
Fabric Manager Authentication Overview, page 4-1
Best Practices for Discovering a Fabric, page 4-3
Performance Manager Authentication, page 4-4
Fabric Manager Web Server Authentication, page 4-4

Fabric Manager Authentication Overview


Fabric Manager contains multiple components that interact to manage a fabric.
These components include:
Fabric Manager Client
Fabric Manager Server
Performance Manager
Interconnected fabric of Cisco MDS 9000 switches and storage devices
AAA server (optional)
Figure 4-1 shows an example configuration for these components.

Figure 4-1 Fabric Manager Authentication Example

[Figure: AAA server, Fabric Manager Server and Performance Manager, Fabric Manager Client, fabric, and local database]

Administrators launch Fabric Manager Client and select the seed switch that is used to discover the
fabric. The user name and password used are passed to Fabric Manager Server and used to authenticate
to the seed switch. If this user name and password are not a recognized SNMP user name and password,
either Fabric Manager Client or Fabric Manager Server opens a CLI session to the switch (SSH or Telnet)
and retries the user name/password pair. If the user name and password are recognized by the switch in
either the local switch authentication database or through a remote AAA server, then the switch creates
a temporary SNMP user name that is used by Fabric Manager Client and server.

Note You may encounter a delay in authentication if you use a remote AAA server to authenticate Fabric
Manager or Device Manager.

Note You must allow CLI sessions to pass through any firewall that exists between Fabric Manager Client and
Fabric Manager Server. See the "Running Fabric Manager Behind a Firewall" section on page 2-40.

Note We recommend that you use the same password for the SNMPv3 user name authentication and privacy
passwords as well as the matching CLI user name and password.

Best Practices for Discovering a Fabric


Fabric Manager Server monitors multiple physical fabrics under the same user interface. This facilitates
managing redundant fabrics. A licensed Fabric Manager Server maintains up-to-date discovery
information on all configured fabrics so device status and interconnections are immediately available
when you launch Fabric Manager Client.

Caution If the Fabric Manager Server's CPU usage exceeds 50 percent, it is recommended that you switch to a
higher CPU-class system. For more information on recommended hardware, see the "Before You Install"
section on page 2-18.

We recommend you use these best practices for discovering your network and setting up Performance
Manager. This ensures that Fabric Manager Server has a complete view of the fabric. Subsequent Fabric
Manager Client sessions can filter this complete view based on the privileges of the client logging in.
For example, if you have multiple VSANs in your fabric and you create users that are limited to a subset
of these VSANs, you want to initiate a fabric discovery through Fabric Manager Server using a network
administrator or network operator role so that Fabric Manager Server has a view of all the VSANs in the
fabric. When a VSAN-limited user launches Fabric Manager Client, that user sees only the VSANs they
are allowed to manage.

Note Fabric Manager Server should always monitor fabrics using a local switch account; do not use a AAA
(RADIUS or TACACS+) server. You can use a AAA user account to log into the clients to provision
fabric services. For more information on Fabric Manager Server fabric monitoring, see the "Managing
a Fabric Manager Server Fabric" section on page 3-3.

Setting Up Discovery for a Fabric


To ensure that Fabric Manager Server discovers your complete fabric, follow these steps:

Step 1 Create a special Fabric Manager administrative user name in each switch on your fabric with network
administrator or network operator roles. Or, create a special Fabric Manager administrative user name
in your AAA server and set every switch in your fabric to use this AAA server for authentication.
Step 2 Verify that the roles used by this Fabric Manager administrative user name are the same on all switches
in the fabric and that this role has access to all VSANs.
Step 3 Launch Fabric Manager Client using the Fabric Manager administrative user. This ensures that your
fabric discovery includes all VSANs.
Step 4 Set Fabric Manager Server to continuously monitor the fabric.
See the "Managing a Fabric Manager Server Fabric" section on page 3-3.
Step 5 Repeat Step 4 for each fabric that you want to manage through Fabric Manager Server.

Performance Manager Authentication


Performance Manager uses the user name and password information stored in the Fabric Manager Server
database. If this information changes on the switches in your fabric while Performance Manager is
running, you need to update the Fabric Manager Server database and restart Performance Manager.
Updating the Fabric Manager Server database requires removing the fabric from Fabric Manager Server
and rediscovering the fabric.
To update the user name and password information used by Performance Manager, follow these steps:

Step 1 Click Server > Admin in Fabric Manager.


You see the Control Panel dialog box with the Fabrics tab open (see Figure 4-2).

Figure 4-2 Fabrics Tab in Control Panel Dialog Box

Step 2 Click the fabrics that have updated user name and password information.
Step 3 From the Admin listbox, select Unmanage and then click Apply.
Step 4 Enter the appropriate user name and password and then click Apply.
Step 5 From the Admin listbox, select Manage and then click Apply.
Step 6 To rediscover the fabric, click the Open tab and check the check box(es) next to the fabric(s) you want to
open in the Select column.
Step 7 Click Open to rediscover the fabric. Fabric Manager Server updates its user name and password
information.
Step 8 Repeat Step 3 through Step 7 for any fabric that you need to rediscover.
Step 9 Choose Performance > Collector > Restart to restart Performance Manager and use the new user name
and password.

Fabric Manager Web Server Authentication


Fabric Manager Web Server does not communicate directly with any switches in the fabric. Fabric
Manager Web Server uses its own user name and password combination that is either stored locally or
stored remotely on an AAA server.
We recommend that you use a RADIUS or TACACS+ server to authenticate users in Fabric Manager
Web Server.
To configure Fabric Manager Web Server to use RADIUS authentication, follow these steps:

Step 1 Launch Fabric Manager Web Server.


See the "Launching Fabric Manager Web Client" section on page 7-7.
Step 2 Click the Admin tab > Configure to update the authentication used by Fabric Manager Web Server.
Step 3 Click AAA.
Step 4 Set the authenticationmode attribute to radius.
Step 5 Set the RADIUS server name, shared secret, authentication method, and ports used for up to three
RADIUS servers.
Step 6 Click Modify to save this information.

To configure Fabric Manager Web Server to use TACACS+ authentication, follow these steps:

Step 1 Launch Fabric Manager Web Server.


See the "Launching Fabric Manager Web Client" section on page 7-7.
Step 2 Click Admin > Configure to update the authentication used by Fabric Manager Web Server.
Step 3 Click AAA.
Step 4 Set the authenticationmode attribute to tacacs.
Step 5 Set the TACACS+ server name, shared secret, authentication method, and port used for up to three
TACACS+ servers.
Step 6 Click Modify to save this information.

Note Fabric Manager does not support SecureID because it is not compatible with SNMP authentication.
Fabric Manager uses the same login credentials for all the switches in a fabric. Since SecureID cannot
be used more than once for authentication, Fabric Manager will not be able to establish a connection to
the second switch using a SecureID.

CHAPTER 5
Fabric Manager Client

Cisco Fabric Manager Client is a Java-based GUI application that provides access to the Fabric Manager
applications from a remote workstation.
This chapter contains the following sections:
About Fabric Manager Client, page 5-1
Launching Fabric Manager Client in Cisco SAN-OS Release 3.2(1) and Later, page 5-2
Fabric Manager Client Quick Tour: Server Admin Perspective, page 5-7
Fabric Manager Client Quick Tour: Admin Perspective, page 5-12
Setting Fabric Manager Preferences, page 5-30
Network Fabric Discovery, page 5-31
Modifying the Device Grouping, page 5-32
Controlling Administrator Access with Users and Roles, page 5-34
Using Fabric Manager Wizards, page 5-34
Fabric Manager Troubleshooting Tools, page 5-35

About Fabric Manager Client


Cisco Fabric Manager is a Java and SNMP-based network fabric and device management tool with a GUI
that displays real-time views of your network fabric, including Cisco Nexus 5000 Series switches, Cisco
MDS 9000 Family and third-party switches, hosts, and storage devices.
In addition to complete configuration and status monitoring capabilities for Cisco MDS 9000 Family
switches and Cisco Nexus 5000 Series switches, Fabric Manager Client provides Fibre Channel
troubleshooting tools. You can use these health and configuration analysis tools on the MDS 9000
Family switch or Cisco Nexus 5000 Series switch to perform Fibre Channel ping and traceroute.
Fabric Manager Release 4.1(1b) and later releases provide a multilevel security system by adding a server
admin role that allows access to limited features. The configuration capabilities of a server admin are
limited to FlexAttach and relevant data.

Note You must use the same release of Fabric Manager Client and Fabric Manager Server.

Fabric Manager Advanced Mode


Advanced mode is enabled by default and provides the full suite of Fabric Manager features, including
security, IVR, iSCSI, and FICON. To simplify the user interface, from the list box in the upper right
corner of the Fabric Manager Client, select Simple. In simple mode, you can access basic MDS 9000
features such as VSANs, zoning, and configuring interfaces. The Advanced mode option is not available for
the server admin role.

Launching Fabric Manager Client in Cisco SAN-OS Release 3.2(1) and Later

Note As of Cisco SAN-OS 3.x and NX-OS Release 4.x, the Fabric Manager Client login procedure has
changed. If you are running a version of Cisco SAN-OS that is earlier than Cisco SAN-OS 3.2(1), follow
the login instructions in the "Setting the Seed Switch in Cisco SAN-OS Releases 3.1(1) to 3.2(1)"
section on page A-1 or the "Setting the Seed Switch in Releases Prior to Cisco SAN-OS Release 3.1(1)"
section on page A-3.

Note Network administrators must initially launch Fabric Manager Client using Fabric Manager Web Server,
as described in the following procedure. Once an administrator has installed the Fabric Manager Client
icon on your desktop, you can double-click the icon to launch the Fabric Manager Client.

To launch Fabric Manager Client, follow these steps:

Step 1 Open your browser and enter the IP address where you installed Fabric Manager Server, or enter
localhost if you installed Fabric Manager Server on your local workstation.
You see the Fabric Manager Web Server Login dialog box shown in Figure 5-1.

Figure 5-1 Fabric Manager Web Server Login Dialog Box

Step 2 Enter your user name and password and click Login.
You see the Fabric Manager Web Server Summary page.
Step 3 Click the Download link in the upper right corner of the page.
You see the Download page for Fabric Manager and Device Manager (see Figure 5-2).

Figure 5-2 Download Page for Fabric Manager and Device Manager

Step 4 Click the link for either Fabric Manager or Device Manager.
If you are launching Fabric Manager Client for the first time, you see a message asking whether you want
to create shortcuts for Fabric Manager (see Figure 5-3).

Figure 5-3 Fabric Manager Create Shortcut(s) Message

Step 5 Click Yes to create shortcuts for Fabric Manager.

Note This message only appears the first time you launch Fabric Manager Client. If you select No,
your selection will be remembered and you will not be prompted to make a selection again. In
this case, you will need to launch Fabric Manager Client using the Fabric Manager Web Client.

Step 6 When the software is installed and icons are created on your desktop, double-click the Fabric Manager
icon to launch Fabric Manager.
You see the Fabric Manager Login dialog box shown in Figure 5-4.

Figure 5-4 Fabric Manager Login Dialog Box

Step 7 Enter the Fabric Manager Server user name and password.
Step 8 Check the Use SNMP Proxy check box if you want Fabric Manager Client to communicate with Fabric
Manager Server through a TCP-based proxy server.
Step 9 Click Login. Once you successfully log in to Fabric Manager Server, you can set the seed switch and
open the fabrics that you are entitled to access.

Note When you launch Fabric Manager Client for the first time or when there are no available fabrics,
you see the Discover New Fabric dialog box.

You see the Discover New Fabric dialog box shown in Figure 5-5.

Figure 5-5 Discover New Fabric Dialog Box

Note Only network administrators can discover new fabrics.

Step 10 Set the fabric seed switch to the Cisco MDS 9000 Family or Cisco Nexus 5000 Series switch that you
want Fabric Manager to use.

Note A Cisco Nexus 5000 Series switch will be discovered as part of the fabric only if the switch has
Fibre Channel over Ethernet (FCoE) features enabled.

Step 11 Enter the user name and password for the switch.

Step 12 Choose the Auth-Privacy option according to the privacy protocol you have configured on your switch:
a. If you have not configured the switch with a privacy protocol, then choose Auth-Privacy option MD5
(no privacy).
b. If you have configured the switch with your privacy protocol, choose your Auth-Privacy choice.

Note If you want a clean discovery, remove the fabric and rediscover it.

Step 13 Click Discover.


You see the Control Panel dialog box shown in Figure 5-6.

Figure 5-6 Control Panel Dialog Box

Note You see a message in the dialog box when the server and client are running on the same
workstation and there are unlicensed fabrics in the database. You also see a message when there
are unmanaged fabrics (the state of the licenses is unknown).

Step 14 Check the check box(es) next to the fabric(s) you want to open in the Select column, or click Discover
to add a new fabric.

Note Only network administrators can continuously manage or unmanage fabrics. For more
information, see the "Selecting a Fabric to Manage Continuously" section on page 3-3.

Step 15 Click Open to open the selected fabric(s).

Note If you have an incomplete view of your fabric, rediscover the fabric with a user that has no
VSAN restriction.
If the fabric includes a Cisco Nexus 5000 Series switch, then the FCoE node appears under
the Switches > Interfaces > Ethernet tree in the Physical Attributes pane.

To launch Fabric Manager Client from within a running instance of Fabric Manager, follow these steps:

Step 1 Choose File > Open Fabric or click the Open Switch Fabric icon on the Fabric Manager toolbar.
You see the Control Panel dialog box (see Figure 5-6).
Step 2 Check the check box(es) next to the fabric(s) you want to open in the Select column and click Open.

Note Changes made using Fabric Manager are applied to the running configuration of the switches
that you are managing. If you have made changes to the configuration or performed an operation
(such as activating zones), Fabric Manager prompts you to save your changes before you exit.

Fabric Manager Client Quick Tour: Server Admin Perspective


Fabric Manager Release 4.1(1b) and later provides a multilevel security system by adding a server admin
role that allows access only to limited features. The configuration capabilities of a server admin role are
limited to FlexAttach and relevant data. A server admin can pre-configure the SAN for new servers, move a
server to another port on the same NPV device or another NPV device, or replace a failed server on the
same port without involving the SAN administrator. The server admin role cannot manage
Fabric Manager users or connected clients.

Fabric Manager Main Window


This section describes the Fabric Manager Client interface that is specific to server admin users, as shown
in Figure 5-7.


Figure 5-7 Fabric Manager Main Window: Server Admin Perspective

1 Menu bar: Provides access to options that are organized by menus.
2 Toolbar: Provides icons for direct access to the most commonly used options on the File, Tools, and Help menus.
3 Information pane: Displays information about whatever option is selected in the menu tree.
4 Status Bar (right side): Shows the last entry displayed by the discovery process and the possible error message.
5 Fabric pane: Displays a map of the network fabric, including switches, hosts, and storage. It also provides tabs for displaying log and event data.
6 Status Bar (left side): Shows short-term transient messages, such as the number of rows displayed in a table.
7 Physical Attributes pane: Displays a tree of available configuration tasks depending on the fabric, VSAN, or zone selected previously. Lists the switches in the logical selection.
8 Logical Domains pane: Displays a tree of configured SAN, fabrics and user-defined groups.


Menu Bar
The menu bar at the top of the Fabric Manager main window provides options for managing and for
controlling the display of information on the Fabric pane. A server admin does not have all the options that
are available to a SAN admin. The menu bar provides the following menus:
File: Opens a new fabric, rediscovers the current fabric, locates switches, sets preferences, prints the map.
View: Changes the appearance of the map (these options are duplicated on the Fabric pane toolbar).
Tools: Manages the Server and configuration using the FlexAttach virtual pWWN feature, as described in the "Using the Server Admin FlexAttach Wizards" section on page 14-9.
Help: Displays online help topics for specific dialog boxes in the Information pane.

Tool Bar
The Fabric Manager main toolbar (specific to server admin) provides icons for accessing the most
commonly used menu bar options as shown in Table 5-5.

Table 5-1 Fabric Manager Client Main Toolbar

Icon Description
Opens switch fabric.
Rediscovers current fabric.
Finds in the map.
Shows online help.

Logical Domains Pane


Use the Logical Domains pane to view fabrics and to access user-defined groups. You can expand the
groups to see different user-defined groups. The non-editable groups created for each core switch
contain their NPV switches.

Physical Attributes Pane


Use the Physical Attributes pane to display a tree of the options available for managing the switches in
the currently selected fabric or group.


To select an option, click a folder to display the options available and then click the option. You see the
table with information for the selected option in the Information pane. The Physical Attributes pane
provides the following main folders:
Switches: Views and configures hardware, system, licensing, and configuration files.
Interfaces: Views and configures FC physical, FC logical, Ethernet, SVC, and PortChannel interfaces.

Information Pane
Use the Information pane to display tables of information associated with the option selected from the
menu tree in the Logical Domains or Physical Attributes panes. The Information pane toolbar provides
buttons for performing one or more of the operations shown in Table 5-2.

Table 5-2 Information Pane Toolbar

Icons Description
Applies configuration changes.
Refreshes table values.
Copies data from one row to another.
Pastes the data from one row to another.
Undoes the most recent change.
Finds a specified string in the table.
Exports and saves information to a file.
Prints the contents of the Information pane.
Displays a non-editable copy of the table in the Information pane in its own window, which you can move around the screen.


Fabric Pane
Use the Fabric pane to display the graphical representation of your fabric. Table 5-1 explains the
graphics you may see displayed, depending on which devices you have in your fabric.
The bottom of the Fabric pane has the following tabs:
Fabric: When displaying multiple fabrics, each fabric has its own tab. You can switch between fabrics by clicking on their respective tabs.
Log: Displays messages that describe Fabric Manager operations, such as fabric discovery.
Events: Displays information about the SNMP traps received by the management station. This includes combination events as detected by discovery and important traps such as license, SNMP, and FICON.

Note Fabric map display is based on what you select in the logical domain pane. When you select a fabric
node, all the switches that belong to that fabric will be enabled. When you select the group node, all the
switches that belong to the groups listed under that group node will be enabled. When you select only a
group, all the switches that belong to the specific group will be enabled.


Fabric Manager Client Quick Tour: Admin Perspective


This section describes the Fabric Manager Client interface shown in Figure 5-8.

Figure 5-8 Fabric Manager Main Window

1 Menu bar: Provides access to options that are organized by menus.
2 Toolbar: Provides icons for direct access to the most commonly used options on the File, Tools, and Help menus.
3 Information pane: Displays information about whatever option is selected in the menu tree.
4 Status Bar (right side): Shows the last entry displayed by the discovery process and the possible error message.
5 Fabric pane: Displays a map of the network fabric, including switches, hosts, and storage. It also provides tabs for displaying log and event data.


6 Status Bar (left side): Shows short-term transient messages, such as the number of rows displayed in a table.
7 Physical Attributes pane: Displays a tree of available configuration tasks depending on the fabric, VSAN, or zone selected previously. Lists the switches and end devices in the logical selection.
8 Logical Domains pane: Displays a tree of configured SAN, fabrics, VSANs, and zones, and provides access to user-defined groups. The label next to the segmented VSAN indicates the number of segments.

Note You can resize each pane by dragging the boundaries between each region or by clicking the Minimize
or Maximize controls.

Menu Bar
The menu bar at the top of the Fabric Manager main window provides options for managing and
troubleshooting the current fabric and for controlling the display of information on the Fabric pane. The
menu bar provides the following menus:
File: Opens a new fabric, rediscovers the current fabric, locates switches, sets preferences, prints the map, and exports the Fabric pane log.
View: Changes the appearance of the map (these options are duplicated on the Fabric pane toolbar).
Zone: Manages zones, zone sets, and inter-VSAN routing (IVR).
Tools: Verifies and troubleshoots connectivity and configuration, as described in the "Fabric Manager Troubleshooting Tools" section on page 5-35.
Performance: Runs and configures Performance Manager and Cisco Traffic Analyzer, and generates reports.
Server: Runs administrative tasks on clients and fabrics. Provides Fabric Manager Server management and a purge command. Lists fabrics being managed.
Help: Displays online help topics for specific dialog boxes in the Information pane.

File
The File menu provides the following options:
Open Fabric: Opens a new switch fabric.
Locate Switches and Devices: Uses the SNMPv2 protocol to discover devices responding to SNMP requests with the read-only community string public. You may use this feature if you want to locate other Cisco MDS 9000 switches that are in the subnet but are not physically connected to the fabric.
Rediscover: Initiates an on-demand discovery to learn recent changes from the switches and update the Fabric Manager Client. You may use this option when Fabric Manager Server is not in sync with switches in the fabric and you do not want to wait until the next polling cycle. The rediscover option does not delete the fabric and add it again. You may delete and add the fabric only if the rediscover option fails to update Fabric Manager Server.
Resync All Open Fabrics: Fabric Manager Server forces all the fabrics to close and re-open. You may use this option when Fabric Manager Client is not in sync with Fabric Manager Server.


Rediscover SCSI Targets: Initiates an on-demand discovery to learn recent changes from the SCSI target switches. You may use this option when Fabric Manager Server is not in sync with SCSI target switches in the fabric and you do not want to wait until the next polling cycle.
Preferences: Sets your preferences to customize the behavior of the Fabric Manager Client.
Import Enclosures: Imports saved enclosures.
Export
  Map Image: Generates and exports the map to a specified location.
  Visio: Exports the map to a Visio file.
  Table: Exports the table data to a text file.
  Log: Exports the log to a text file.
  Events: Exports the events to a text file.
  Enclosures: Exports the enclosure values to a text file.
Print: Prints the map.
Exit: Exits Fabric Manager.

View
The View menu provides the following options:
Refresh Map: Refreshes the current map.
Layout
  Cancel: Cancels the current layout.
  Spring: Displays the layout based on the spring algorithm.
  Quick: Quickly displays the layout when the switch has many end devices.
Zoom
  In: Zooms in the view.
  Out: Zooms out the view.
  Fit: Fits the view in the Fabric pane.
Grid: Enables the grid view.
Overview Window: Allows you to center the Fabric pane on the area of the fabric that you want to see. This option is useful for large fabrics that cannot be displayed entirely within the Fabric pane.
Legend: Shows all the legends used in the fabric map.
Find in Map: Finds a device in the fabric map.

Zone
The Zone menu provides the following options:
Edit Local Full Zone Database: Allows you to create zones across multiple switches. Zones provide a mechanism for specifying access control. Zone sets are a group of zones to enforce access control in the fabric. All zoning features are available through the Edit Local Full Zone Database dialog box.
Deactivate Zoneset: Deactivates an active zone set.


Copy Full Zone Database: Creates a new zone set. On the Cisco MDS Family switches, you cannot edit an active zone set. However, you can copy an active zone set to create a new zone set that you can edit.
Merge Analysis: Enables you to determine if zones will merge successfully when two Cisco MDS switches are interconnected. If the interconnected switch ports allow VSANs with identical names or contain zones with identical names, then Fabric Manager verifies that the zones contain identical members. You can use the merge analysis tool before attempting a merge, or after fabrics are interconnected to determine zone merge failure causes.
Migrate Non-MDS Database: Migrates a non-MDS database using Fabric Manager (you may need to use the Zone Migration Wizard to accomplish this task).
IVR
  Deactivate Zoneset: Deactivates an active zone set.
  Copy Full Zone Database: Recovers an IVR zone database by copying the IVR full zone database from another switch.
  Copy Full Topology: Recovers a topology by copying from the active zone database or the full zone database.
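The member comparison described for Merge Analysis can be modeled offline against exported zone data. The following is an added example, not Cisco's code: a simplified Python model in which the database layout, the VSAN and zone names, and the WWNs are all constructed assumptions. Because zones are the fabric's access control lists, the report lists which members each side has that the other lacks.

```python
# Added example: simplified model of a zone merge pre-check.
# Layout assumed here: {vsan_name: {zone_name: [member, ...]}}.
# All VSAN names, zone names and WWNs below are constructed sample data.

SWITCH_A = {
    "VSAN0010": {
        "zone_db_hosts": ["21:00:00:e0:8b:00:00:01", "50:06:01:60:00:00:00:0a"],
        "zone_backup": ["21:00:00:e0:8b:00:00:02", "50:06:01:60:00:00:00:0b"],
    },
}

SWITCH_B = {
    "VSAN0010": {
        # Same members as on switch A, written in upper case.
        "zone_db_hosts": ["21:00:00:E0:8B:00:00:01", "50:06:01:60:00:00:00:0A"],
        # Same zone name, but a different storage port: a conflict.
        "zone_backup": ["21:00:00:e0:8b:00:00:02", "50:06:01:60:00:00:00:0c"],
        # Exists on one side only, so there is nothing to compare.
        "zone_test": ["21:00:00:e0:8b:00:00:09"],
    },
    # VSAN present on one side only: ignored by the comparison.
    "VSAN0020": {"zone_tape": ["21:00:00:e0:8b:00:00:03"]},
}


def _members(zone_members):
    """Normalize members; WWNs are hex, so compare them case-insensitively."""
    return {m.strip().lower() for m in zone_members}


def merge_conflicts(db_a, db_b):
    """Return same-named zones whose member sets differ.

    Only VSAN names present in both databases are examined, and within
    those only zone names present in both. Each conflict is a tuple
    (vsan, zone, only_in_a, only_in_b) with sorted member lists.
    """
    conflicts = []
    for vsan in sorted(set(db_a) & set(db_b)):
        zones_a, zones_b = db_a[vsan], db_b[vsan]
        for zone in sorted(set(zones_a) & set(zones_b)):
            a, b = _members(zones_a[zone]), _members(zones_b[zone])
            if a != b:
                conflicts.append((vsan, zone, sorted(a - b), sorted(b - a)))
    return conflicts


def report(conflicts):
    """Render the conflicts as text for a change-review record."""
    if not conflicts:
        return "No same-named zones with differing members."
    lines = []
    for vsan, zone, only_a, only_b in conflicts:
        lines.append(f"{vsan}/{zone}: members differ")
        lines.append(f"  only on A: {', '.join(only_a) or '-'}")
        lines.append(f"  only on B: {', '.join(only_b) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(merge_conflicts(SWITCH_A, SWITCH_B)))
```
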

Tools
The Tools menu provides the following options:
Health
  Switch Health: Determines the status of the components of a specific switch.
  Fabric Configuration: Analyzes the configuration of a switch by comparing the current configuration to a specific switch or to a policy file. You can save a switch configuration to a file and then compare all switches against the configuration in the file.
  Show Tech Support: Collects a large amount of information about your switch for troubleshooting purposes. When you issue a show tech support command from Fabric Manager for one or more switches in a fabric, the results of each command are written to a text file, one file per switch, in a directory you specify. You can then view these files using Fabric Manager.
Connectivity
  End to End Connectivity: Determines connectivity and routes among devices with the switch fabric. This tool checks to see that every pair of end devices can talk to each other, using a Ping test and by determining if they are in the same VSAN or in the same active zone.
  Ping: Determines connectivity from another switch to a port on your switch.
  Trace Route: Verifies connectivity between two end devices that are currently selected on the Fabric pane.
NPV
  CFS Static Peer Setup: Manages the peer list used during CFS on NPV-enabled switches. After setting up the static peers list, the CFS discovery on the switches will be changed to static mode for all peers in the list. Fabric Manager does not automatically update the static peers list. You may need to update the list using the CFS Static Peer Setup Wizard when a new switch is added to the fabric.
  Traffic Map Setup: Configures the list of external interfaces to the servers, and enables or disables disruptive load balancing. Using Traffic Map Setup you can specify the external ports that a server should use for traffic management.


  Flex Attach Pre-Configure Server: Sets the port configurations for all the ports in a switch, such as enabling or disabling FlexAttach, setting the default VSAN ID, setting the interface status, and so on.
  Flex Attach Move Server: Moves a server to another port on the same NPV device or another NPV device without changing the SAN.
  Flex Attach Replace Server: Replaces a failed server with a new server on the same port without changing the SAN.
Data Mobility Manager
  Server Based: Performs server-based data migration.
  Storage based: Performs storage-based data migration.
  Server LUN Discovery: Performs LUN discovery to select the LUNs available for migration and automates the session creation by matching the LUNs in the existing and new storage.
Port Channel: Creates PortChannels from selected ISLs either manually or automatically.
DPVM Setup: Establishes dynamic port VSAN membership, enables autolearning, and activates the DPVM database.
IP SAN
  FCIP Tunnel: Creates FCIP links between Gigabit Ethernet ports. Enables Fibre Channel write acceleration and IP compression.
  iSCSI Setup: Creates zones for iSCSI initiators and adds a VSAN to a target-allowed VSAN list.
  SAN Extension Tuner: Optimizes FCIP performance by generating either direct access (magnetic disk) or sequential access (magnetic tape) SCSI I/O commands and directing such traffic to a specific virtual target. This option is used to generate SCSI I/O commands (read and write) to the virtual target based on your configured options.
Security
  Port Security: Prevents unauthorized access to a switch port in the Cisco MDS 9000 Family, rejects intrusion attempts, and reports these intrusions to the administrator.
  IP ACL: Creates an ordered list of IP filters in a named IPv4-ACL or IPv6-ACL profile using the IPv4-ACL Wizard.
Install
  License: Facilitates download and installation of licenses in selected switches in the fabric.
  Software: Verifies image compatibility and installs software images on selected switches in the fabric.
Flow Load Balance Calculator: Allows you to get the best load balancing configuration for your FICON flows. The calculator does not rely on any switch or flow discovery in the fabric.
Virtual Interface: Invokes the Virtual Interface Wizard.

Note The Virtual Interface menu option appears only if the discovered fabric has a Cisco Nexus
5000 Series switch with the FCoE feature enabled.

Device Manager: Invokes Device Manager for a switch.
Command Line Interface: Enables command-line operations.
Run CLI Commands: Runs command-line operations on more than one switch at a time.


Performance
The Performance menu provides the following options:
Create Flows: Creates host-to-storage, storage-to-host, or bidirectional flows. You can add these flows to a collection configuration file to monitor the traffic between a host or storage element pair.

Server
The Server menu provides the following options:
Admin: Opens the control panel.
Purge Down Elements: Purges all down elements in the fabric.

Help
The Help menu provides the following options:
Contents: Launches the online help contents.
Config Guide: Launches the Fabric Manager Configuration Guide.
About: Displays information about Fabric Manager.

Toolbar
The Fabric Manager main toolbar provides icons for accessing the most commonly used menu bar
options as shown in Table 5-3.

Table 5-3 Fabric Manager Client Main Toolbar

Icon Description
Opens switch fabric.
Rediscovers current fabric.
Finds in the map.
Creates VSAN.
Launches DPVM wizard.
Launches Port Security wizard.

Edits full zone database.
Launches IVR zone wizard.
Launches PortChannel wizard.
Launches Virtual Interface wizard. Note: This icon appears only if the discovered fabric has a Cisco Nexus 5000 Series switch with FCoE enabled.
Launches FCIP wizard.
Launches iSCSI wizard.
Launches NPVM wizard.
Launches QoS wizard.
Configures users and roles.
Launches IP-ACL wizard.
Launches License Install wizard.
Launches Software Install wizard.
Performs switch health analysis.

Performs fabric configuration analysis.
Performs end-to-end connectivity analysis.
Monitors ISL performance. Brings up real-time ISL performance information for all interfaces in the fabric, in the Information pane.
Shows online help.

Logical Domains Pane


Use the Logical Domains pane to manage attributes for fabrics, VSANs, and zones, and to access
user-defined groups. Under the fabric node, VSANs are ordered by a VSAN ID. The segmented VSANs
are placed under the fabric node. The label next to the segmented VSAN indicates the number of
segments. You can expand a segmented VSAN and the segments under that VSAN. Right-click one of
the folders in the tree and click a menu item from the pop-up menu. You see the appropriate configuration
dialog box.
The default name for the fabric is the name, IP address, or WWN for the principal switch in VSAN 1. If
VSAN 1 is segmented, the default name is chosen from a principal switch with the smallest WWN. The
fabric names you see are as follows:
Fabric <sysName>
Fabric <ipAddress>
Fabric <sWWN>
To change the fabric name using Fabric Manager, follow these steps:

Step 1 Choose Server > Admin.
You see the Control Panel dialog box.
Step 2 Double-click the fabric name and enter the new name of the fabric.
Step 3 Click Apply to change the name.

Filtering
Fabric Manager has a filtering mechanism that displays only the data that you are interested in. To filter,
first select the fabric and VSAN from the Logical Domains pane. This action narrows the scope of what
is displayed in the Fabric pane. Any information that does not belong to the selected items is dimmed.


Also, any information that does not belong to the selected items is not displayed in the tables in the
Information pane. As shown in Figure 5-9, the filter that you select is displayed at the top right of the
Fabric Manager window.
To further narrow the scope, select attributes from the Physical Attributes pane. The Fabric Manager
table, display, and filter criteria change accordingly.

Physical Attributes Pane


Use the Physical Attributes pane to display a tree of the options available for managing the switches in
the currently selected fabric, VSAN, or zone.
To select an option, click a folder to display the options available and then click the option. You see the
table with information for the selected option in the Information pane. The Physical Attributes pane
provides the following main folders:
Switches: Views and configures hardware, system, licensing, and configuration files.
Interfaces: Views and configures FC physical, FC logical, Ethernet, SVC, and PortChannel interfaces.
FC Services: Views and configures Fibre Channel network configurations.
IP: Views and configures IP storage and IP services.
Events: Views and configures events, alarms, thresholds, notifications, and informs.
Security: Views and configures MDS management and FC-SP security.
ISLs: Views and configures Inter-Switch Links.
End Devices: Views and configures end devices.

Context Menu for Tables


When you right-click in the table, you see a pop-up menu with options that vary depending on the type
of option you selected in the Physical Attributes pane. You can perform various operations by
right-clicking the device listed in the table. To view the options available for switches, ISLs, and end
devices, refer to the procedures in the sections that follow.

Switch Options

To view the options for the switch table, follow these steps:

Step 1 Click Switches in the Physical Attributes pane.
Step 2 Right-click the device in the table.
The pop-up menu provides the following options:
Apply Changes: Applies the changes to the switch.
Refresh Values: Refreshes the current values.
Undo Changes: Undoes modifications to the switch.
Export to File: Exports the values to a file.
Print Table: Prints the table.
Detach Table: Detaches the table.


Switch Attributes: Changes the switch properties.
Interface Attributes: Changes the interface properties.
Device Manager: Manages this switch using Device Manager.
Command Line Interface: Enables you to perform command line operations.
Copy: Copies the switch.
Purge: Purges the switch.
Fix Location: Fixes the switch in the current location.
Align: Aligns the switch.
Show End Devices: Shows the end devices.
Expand Multiple Links: Expands the links to this switch.
Other: Other options.
Group: Groups switches.

ISL Options

To view the options for the ISLs table, follow these steps:

Step 1 In the Physical Attributes pane, click ISLs and then click the Summary tab.
Step 2 Right-click the device in the table.
The pop-up menu provides the following options:
Refresh Values: Refreshes the current values.
Copy: Copies information from a specific field.
Find: Conducts a search based on the input string.
Export to File: Exports the values to a file.
Print Table: Prints the table.
Detach Table: Detaches the table.
Interface Attributes: Changes the interface properties.
Element Manager: Manages the device.
FCIP Tunnel Attributes: Changes FCIP tunneling properties.
Create Port Channel: Creates a port channel.
Re-enable: Reenables a disabled device.
Enable FC-SP: Enables FC-SP.
SAN Extension Tuner: Optimizes FCIP performance.
Purge: Purges the device.

Note When you select a port channel from the table, the pop-up menu will have the following additional
options:
  Member Attributes: Changes the member properties.


  Channel Attributes: Changes the port channel properties.
  Edit: Edits the channel properties.

End Device Options

To view the options for the end devices table, follow these steps:

Step 1 In the Physical Attributes pane, click End Devices and then click the Summary tab.
Step 2 Right-click the device in the table.
The pop-up menu provides the following options:
Apply Changes: Applies the changes to the device.
Refresh Values: Refreshes the current values.
Copy: Copies the information specific to the field.
Paste: Pastes the copied text.
Undo Changes: Undoes modifications to the device.
Find: Searches for information depending on the input string.
Export to File: Exports the values to a file.
Print Table: Prints the table.
Detach Table: Detaches the table.
Device Attributes: Changes the device properties.
Interface Attributes: Changes the interface properties.
Element Manager: Manages this device.
Command Line Interface: Enables you to perform command line operations.
Copy: Copies the switch.
Purge: Purges the switch.
Fix Location: Fixes the switch in the current location.
Align: Aligns the switch.
Ping: Pings another device.
Trace Route: Determines the route taken by packets across the network.
Select Dependent Ports: Selects dependent ports.
Group: Groups devices.

Information Pane
Use the Information pane to display tables of information associated with the option selected from the
menu tree in the Logical Domains or Physical Attributes panes. The Information pane toolbar provides
buttons for performing one or more of the operations shown in Table 5-4.


Table 5-4 Information Pane Toolbar

Icon Description
Applies configuration changes.
Refreshes table values.
Opens the appropriate dialog box to make a new row in the table.
Deletes the currently highlighted rows from the table.
Copies data from one row to another.
Pastes the data from one row to another.
Undoes the most recent change.
Finds a specified string in the table.
Exports and saves information to a file.
Prints the contents of the Information pane.
Displays a non-editable copy of the table in the Information pane in its own window, which you can move around the screen.

Note After making changes, you must save the configuration or the changes will be lost when the device is
restarted.

Note The buttons that appear on the toolbar vary according to the option that you select. They are activated or
deactivated (dimmed) according to the field or other object that you select in the Information pane.


Detachable Tables
Detachable tables in Fabric Manager allow you to detach tables and move them to different areas on your
desktop so that you can compare similar tables from different VSANs. You can keep informational tables
open from one view while you examine a different area in Fabric Manager. To detach tables, click the
Detach Table icon in the Information pane in Fabric Manager.

Fabric Pane
Use the Fabric pane to display the graphical representation of your fabric. Table 5-5 explains the
graphics you may see displayed, depending on which devices you have in your fabric.

Table 5-5 Fabric Manager Graphics

Icon or Graphic Description
Director class MDS 9000.
Non-director class MDS 9000.
iSAN
Generic Fibre Channel switch.
Cisco SN5428.
Dashed or dotted orange line through a device indicates that the device is manageable but there are operational problems.
Dashed or dotted orange X through a device or link indicates that the device or ISL is not working properly.
A red line through a device indicates that the device is not manageable.
A red X through a device or link indicates that the device is down or that the ISL is down.
Fibre Channel HBA (or enclosure).
Fibre Channel target (or enclosure).



iSCSI host.
Fibre Channel ISL and edge connection.
Fibre Channel PortChannel.
IP ISL and edge connection.
IP PortChannel.
DWDM connection.
NPV connection.
Fibre Channel loop (storage).
IP cloud (hosts). This icon is also used to represent a fabric when viewing a SAN (multiple fabrics) in the Fabric Manager Fabric pane.
Any device, cloud, or loop with a box around it means that there are hidden links attached.

If a switch or director is grayed out, Fabric Manager can no longer communicate with it.
The bottom of the Fabric pane has the following tabs:
Fabric: When displaying multiple fabrics, each fabric has its own tab. You can switch between
fabrics by clicking on their respective tabs.
Log: Displays messages that describe Fabric Manager operations, such as fabric discovery.
Events: Displays information about the SNMP traps received by the management station. This
includes combination events as detected by discovery and important traps such as license, SNMP,
and FICON.
When viewing large fabrics in the Fabric pane, it is helpful to do the following tasks:
Turn off end device labels.
Collapse loops.
Collapse expanded multiple links (collapsed multiple links are shown as very thick single lines).
Dim or hide portions of your fabric by VSAN.

Note When a VSAN, zone, or zone member is selected in the VSAN tree, the map highlighting changes to
identify the selected objects. To remove this highlighting, click the Clear Highlight button on the Fabric
pane toolbar or choose Clear Highlight from the pop-up menu.

Context Menus
When you right-click an icon in the Fabric pane, you see a pop-up menu with options that vary depending
on the type of icon selected. The various options available for different objects include the following:
Open an instance of Device Manager for the selected switch.
Open a CLI session for the selected switch.
Copy the display name of the selected object.
Execute a ping or traceroute command for the device.
Show or hide end devices.
View attributes.
Quiesce and disable members for PortChannels.
Set the trunking mode for an ISL.
Create or add to a PortChannel for selected ISLs.
The Fabric pane has its own toolbar with options for saving, printing, and changing the appearance of
the map. When you right-click the map, a pop-up menu appears that provides options (duplicated on the
toolbar) for changing the appearance of the map.

Note You can launch web-based or non-web-based applications from the Fabric pane. To do this, you assign
an IP address to the storage port or enclosure. Then right-click to bring up the pop-up menu, and select
Device Manager.

Saving the Map


You can save the map in the Fabric Pane as an image, or as an editable Visio diagram. You can save the
map with or without labels on the links. The created Visio diagram is editable and saved in two layers:
The default layer includes all switches and links in the fabric.
The end devices layer includes the end devices and can be turned off to remove end devices from
the Visio diagram.
To save the map as a Visio diagram, select Files > Export > Visio and choose Map or Map with link
labels. The saved Visio diagram retains the viewing options that you selected from the Fabric pane. For
example, if you collapse multiple links in the map and export the links as a Visio diagram, the Visio
diagram shows those multiple links as one solid link.
The Show Tech Support option from the Tools menu also supports saving the map as a Visio diagram.

Purging Down Elements


The Fabric pane allows you to refresh the map at any time by clicking the Refresh Map icon. The
Refresh Map icon redraws the map but does not purge elements that are down. To purge down elements
you can:
Click Server > Purge Down Elements. This purges all down elements in the fabric.
Right-click the Fabric pane and select Purge Down Elements.
Right-click a down element and select Purge. This action purges only this element from the fabric.

Note If you select an element that is not down and purge it, that element will reappear on the next
fabric discovery cycle.

Multiple Fabric Display


Fabric Manager can display multiple fabrics in the same pane (see Figure 5-9).

Figure 5-9 Fabric Manager's Multiple Fabric Display Window

1 The Fabric view tab for fabric 172.23.46.152. When selected, the Fabric view displays fabric
172.23.46.152.
2 The Fabric view tab for fabric 172.23.46.153. When selected, the Fabric view displays fabric
172.23.46.153.
3 SAN tab (selected), showing two fabrics.

The information for both fabrics is displayed; you do not need to select a seed switch. To see details of
a fabric, select the tab for that fabric at the bottom of the Fabric pane, or double-click the Cloud icon for
the fabric in the SAN tab.

Note Enclosure names should be unique. If the same enclosure name is used for each port, Fabric Manager
shows a host/target enclosure connected to both fabrics. To fix this problem, you can either disable
auto-creation or create unique enclosure names.

Filtering by Groups
You can filter the Fabric pane display by creating groups of switches or end ports. To create a group in
Fabric Manager, follow these steps:

Step 1 Right-click a switch or end port in the Fabric pane map and select Group > Create.
You see the Edit User Defined Group dialog box shown in Figure 5-10.

Figure 5-10 Edit User Defined Group Dialog Box

Step 2 Enter a group name in the Name field.


Step 3 Use the arrows to move additional switches or end ports from the Available column to the Selected
column.
Step 4 Click OK to save the group.

To add a switch or end port to an existing group in Fabric Manager, follow these steps:

Step 1 Right-click a switch or end device and select Group > Add To > YourGroupName.
You see the Edit User Defined Group dialog box (see Figure 5-10).
Step 2 Use the arrows to move additional switches or end ports from the Available column to the Selected
column.
Step 3 Click OK to save the updated group.

To filter the display by a group you have created, follow these steps:

Step 1 Expand the Groups folder in the Logical Domains pane.


You see the list of groups that you have created as shown in Figure 5-11.

Figure 5-11 Group Highlighted in Fabric Pane Map

Step 2 Click the name of the group that you want to filter.
In the Fabric pane, the switches or end devices in your group are shown normally; all other switches and
end devices are shown in gray.
Step 3 Click the Groups folder in the Logical Domains pane to return the display to normal.

Note User-defined group tables are filtered based on the switches in the group, except where
CFS-controlled features are enabled; in that case all CFS member switches are displayed to avoid
misconfigurations.

Status Bar
The status bar at the bottom of the Fabric Manager window shows the last entry displayed by the
discovery process, and the possible error message on the right side. The status bar displays a message
stating that something has changed in the fabric and a new discovery is needed. The status bar shows
both short-term, transient messages (such as the number of rows displayed in the table) and long-term
discovery issues.

Setting Fabric Manager Preferences


To set your preferences for the behavior of the Fabric Manager, choose File > Preferences from the
Fabric Manager menu bar. You see the Preferences dialog box with the following tabs for setting
different components of the application:
General
SNMP
Map
The default General preferences for Fabric Manager are as follows:
Show Device Name by: Displays the switches in the Fabric pane by IP address, DNS name, or
logical name. The default setting for this value is Logical Name.
Show WorldWideName (WWN) Vendor: Displays the world wide name vendor name in any table
or listing displayed by Fabric Manager. Check the Prepend Name check box to display the name in
front of the IP address of the switch. Check the Replacing Vendor Bytes check box to display the
name instead of the IP address. The default is the Prepend Name option.
Show End Device Using: Displays end devices in the Fabric pane using alias or pWWN alias. The
default setting for this value is Alias.
Show Shortened iSCSI Names: The default setting for this value is OFF.
Show Timestamps as Date/Time: Displays timestamps in the date/time format. If this preference is
not checked, timestamps are displayed as elapsed time. The default setting is enabled (checked).
Telnet Path: Displays the path for the telnet.exe file on your system. The default is telnet.exe, but
you need to browse for the correct location.

Note If you browse for a path or enter a path and you have a space in the pathname (for example,
c:\program files\telnet.exe), then the path will not work. To get the path to work, you must
manually place quotes around it (for example, "c:\program files\telnet.exe").

Use Secure Shell instead of Telnet: Specifies whether to use SSH or Telnet when using the CLI to
communicate with the switch. If enabled, you must specify the path to your SSH application. The
default setting is disabled.
Confirm Deletion: Displays a confirmation pop-up window when you delete part of your
configuration using Fabric Manager. The default setting is enabled (checked).
Export Tables with Format: Specifies the type of file that is created when you export a table using
Device Manager. The options are tab-delimited or XML. The default setting is Tab-Delimited.
Show CFS Warnings: Shows warning messages if CFS is not enabled on all switches for a selected
feature.
The default SNMP preferences for Fabric Manager are as follows:
Retry request 1 time(s) after 5 sec timeout: You can set the retry value to 0-5, and the timeout value
to 3-30.
Trace SNMP packets in Log: The default setting for this value is ON.
Enable Audible Alert when Event Received: The default setting for this value is OFF.

The default Map preferences for Fabric Manager are as follows:
Display Unselected VSAN Members: Displays the unselected VSAN members in the Fabric pane.
The default setting for this value is ON.
Display End Devices: Displays the fabric's end devices in the Fabric pane. The default setting for
this value is ON.
Display End Device Labels: Displays the fabric's end device labels in the Fabric pane. The default
setting for this value is OFF.
Expand Loops: Displays the loops in the fabric as individual connections in the Fabric pane. The
default setting for this value is OFF.
Expand Multiple Links: Displays multiple links in the Fabric pane as separate lines instead of one
thick line. The default setting for this value is OFF.
Open New Device Manager Each Time: Opens a new instance of Device Manager each time that
you invoke it from a switch in your fabric. The default value is OFF, which means that only one
instance of Device Manager is open at a time.
Select Switch or Link from Table: Allows you to select a switch or link in the Fabric pane by
clicking the switch or link in a table in the Information pane. The default setting for this value is
disabled (unchecked), which means clicking a switch or link in the table does not change the switch
or link selection in the Fabric pane.
Layout New Devices Automatically: Automatically places new devices in the Fabric pane in an
optimal configuration. The default setting for this value is OFF. In this mode, when you add a new
device, you must manually reposition it if the initial position does not suit your needs.
Use Quick Layout when Switch has 30 or more End Devices: Displays the default setting for this
value (30). You can enter any number in this field. Enter 0 to disable Quick Layout.
Override Preferences for Non-default Layout: Displays the default setting for this value (ON).
Automatically Save Layout: If this option is enabled, any changes in the layout are automatically
saved. The default setting for this value is ON.
Detach Overview Window: Allows you to easily center the Fabric pane on the area of the fabric
that you want to see. (This feature is useful for large fabrics that cannot be displayed entirely within
the Fabric pane.) Bring up the overview window by clicking the Show/Hide Overview Window
button. It overlays the fabric window and remains there until you click the Show/Hide Overview
Window button again. If you enable this preference, you can detach the overview window and move
it to one side while you access the Fabric pane. The default setting for this value is disabled
(unchecked).

Network Fabric Discovery


Cisco Fabric Manager collects information about the fabric topology through SNMP queries to the
switches that are connected to Fabric Manager. The switch replies after having discovered all devices
connected to the fabric by using the information from its FSPF technology database and the Name Server
database, collected using the Fabric Configuration Server's request/response mechanisms that are
defined by the FC-GS-3/4 standard. When you start Fabric Manager, you enter the IP address (or host
name) of a seed switch for discovery.
After you start Fabric Manager and the discovery completes, Fabric Manager presents you with a view
of your network fabric, including all discovered switches, hosts, and storage devices.

Modifying the Device Grouping


Because not all devices are capable of responding to FC-GS-3 requests, different ports of a single server
or storage subsystem may be displayed as individual end devices on the Fabric Manager map.
To use Fabric Manager to group end devices in a single enclosure so that a single icon represents
them on the map, follow these steps:

Step 1 Expand End Devices and then select Storage or Hosts in the Physical Attributes pane.
You see the end devices displayed in the Information pane.
Step 2 Click one of the devices in the Fabric pane, or click the Enclosures tab of the Information pane, and then
click the device name (in the Name field) that you want to include in the enclosure.
Step 3 Enter a name to identify the new enclosure in the Fabric pane map.
Step 4 Click once on the device name in the Name field. To select more than one name, press the Shift key and
click each of the other names.
Step 5 Press Ctrl-C to copy the selected name(s).
Step 6 Press Ctrl-V to paste the device name into the Name field.

Note To remove devices from an enclosure, triple click the device name and press Delete. To remove
an enclosure, repeat this step for each device in the enclosure.

Using Alias Names as Enclosures


To create an enclosure that uses the alias name as the name of the enclosure using Fabric Manager, follow
these steps:

Step 1 Expand End Devices and select Hosts or Storage from the Physical Attributes pane.
You see the list of devices in the Information pane. The NxPorts tab is the default.
Step 2 Right-click the enclosure names that you want to convert to alias names and select Alias > Enclosure as
shown in Figure 5-12.

Figure 5-12 Alias Enclosure

The Alias > Enclosures window appears as shown in Figure 5-13. It contains a list of expressions. You
can also add expressions to the list and modify expressions in the current list.

Figure 5-13 List of Expressions

Step 3 Click the Apply Changes icon to save the changes and then click Close.

Note Fabric Manager uses the regular expressions to convert multiple alias names into one enclosure. The
alias names should be in the same expression pattern rule. You can create enclosure names from selected
aliases using the regular expressions list.
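The following added example (not Fabric Manager code and not taken from this guide) models how a list of regular expressions can fold several alias names into one enclosure name. The rules, alias names, and the reading of "same expression pattern rule" as "all members of an enclosure matched the same rule" are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Hypothetical expression list, constructed for this example (not the list
# Fabric Manager ships). Each rule: (rule name, pattern, enclosure template).
RULES = [
    ("host-hba", re.compile(r"^(?P<box>[a-z0-9]+)_hba\d+$", re.I), r"\g<box>"),
    ("array-port", re.compile(r"^(?P<box>[a-z0-9]+)-sp[ab]-p\d+$", re.I), r"\g<box>"),
]

# Constructed alias names, as they might appear in a device alias database.
SAMPLE_ALIASES = [
    "ora01_hba0", "ora01_hba1", "ORA02_hba0",
    "array7-spa-p0", "array7-spb-p1",
    "ora01-spa-p0",   # matches a different rule but yields the same enclosure name
    "tape_lib_3",     # matches no rule
]


def enclosure_for(alias, rules=RULES):
    """Return (enclosure name, rule name) for the first matching rule, or None."""
    for rule_name, pattern, template in rules:
        match = pattern.match(alias)
        if match:
            return match.expand(template).lower(), rule_name
    return None


def group_aliases(aliases, rules=RULES):
    """Group aliases into enclosures.

    Returns (grouped, unmatched, mixed):
      grouped   - enclosure name -> sorted list of member aliases
      unmatched - aliases no expression covers (they stay individual end devices)
      mixed     - enclosures whose members came from more than one rule, which
                  this example treats as breaking the Note's "same expression
                  pattern rule" expectation
    """
    members = defaultdict(list)
    unmatched = []
    for alias in aliases:
        hit = enclosure_for(alias, rules)
        if hit is None:
            unmatched.append(alias)
        else:
            enclosure, rule_name = hit
            members[enclosure].append((alias, rule_name))
    grouped = {enc: sorted(a for a, _ in hits) for enc, hits in members.items()}
    mixed = sorted(enc for enc, hits in members.items()
                   if len({rule for _, rule in hits}) > 1)
    return grouped, unmatched, mixed


if __name__ == "__main__":
    grouped, unmatched, mixed = group_aliases(SAMPLE_ALIASES)
    for enclosure, aliases in sorted(grouped.items()):
        print(f"{enclosure}: {', '.join(aliases)}")
    print("unmatched:", unmatched)
    print("mixed rules:", mixed)
```

An enclosure reported as mixed is worth reviewing before applying changes, because one icon on the map would then stand for ports that two different naming conventions happened to collapse together.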

Controlling Administrator Access with Users and Roles


Cisco MDS 9000 Family switches support role-based management access whether using the CLI or
Cisco Fabric Manager. This lets you assign specific management privileges to particular roles and then
assign one or more users to each role.
The default-role contains the access permissions needed by a user to access the GUI (Fabric Manager
and Device Manager). These access permissions are automatically granted to all users in order for them
to use the GUI.
Cisco Fabric Manager uses SNMPv3 to establish role-based management access. After completing the
setup routine, a single role, user name, and password are established. The role assigned to this user
allows the highest level of privileges, which includes creating users and roles. Use the Cisco Fabric
Manager to create roles and users and to assign passwords as required for secure management access in
your network.

Using Fabric Manager Wizards


Fabric Manager Client provides the following wizards to facilitate common configuration tasks:
VSAN: Creates VSANs on multiple switches in the fabric and sets VSAN attributes including
interop mode, load balancing, and FICON.
Virtual Interface: Creates virtual Fibre Channel interfaces on a Cisco Nexus 5000 Series switch.
Zone Edit Tool: Creates zone sets, zones, and aliases. Adds members to zones and edits the zone
database.
IVR Zone: Creates IVR zone sets, zones, and aliases. Enables IVR NAT and auto-topology. Adds
members to IVR zones, and edits the IVR zone database.
PortChannel: Creates PortChannels from selected ISLs either manually or automatically. Sets
PortChannel attributes such as channel ID and trunking mode.
FCIP: Creates FCIP links between Gigabit Ethernet ports. Enables Fibre Channel write
acceleration and IP compression.
DPVM: Establishes dynamic port VSAN membership, enables autolearning, and activates the
DPVM database.
Port Security: Prevents unauthorized access to Cisco MDS switches and reports these intrusions to
the administrator.
iSCSI: Creates zones for iSCSI initiators and adds a VSAN to a target-allowed VSAN list.
NPV: Reduces the number of Fibre Channel domain IDs in SANs.
QoS: Sets QoS attributes for zones in the selected VSAN.
IP ACL: Creates ordered IP access control lists and distributes to selected switches in the fabric.
License Install: Facilitates download and installation of licenses in selected switches in the fabric.
Software Install: Verifies image compatibility and installs software images on selected switches in
the fabric.

Fabric Manager Troubleshooting Tools


Fabric Manager has several troubleshooting tools available from the toolbar or Tools menu. Procedures
for using these tools are described in Chapter 66, Troubleshooting Your Fabric. This section provides
a brief description of each tool:
Zone Merge Analysis: The zone merge analysis tool (available from the Zone menu) enables you
to determine if zones will merge successfully when two Cisco MDS switches are interconnected. If
the interconnected switch ports allow VSANs with identical names or contain zones with identical
names, then Fabric Manager verifies that the zones contain identical members. The merge analysis
tool can be run before attempting a merge or after fabrics are interconnected to determine zone
merge failure causes.
End-to-End Connectivity: Fabric Manager's end-to-end connectivity analysis tool uses FC Ping to
verify interconnections between Cisco MDS switches and end devices (HBAs and storage devices)
in a particular VSAN. In addition to basic connectivity, Fabric Manager can optionally verify the
following:
Paths are redundant.
Zones contain at least two members.
End devices are connected to a manageable switch (have a currently active in-band or out-of-band
management path).
Switch Health Analysis: You can run an in-depth switch health analysis with Fabric Manager. It
verifies the status of all critical Cisco MDS switches, modules, ports, and Fibre Channel services.
Over 40 conditions are checked. This tool provides a very fast, simple, and thorough way to assess
Cisco MDS switch health.
Fabric Configuration Analysis: Fabric Manager includes a fabric configuration analysis tool. It
compares the configurations of all Cisco MDS switches in a fabric to a reference switch or a policy
file. You can define what functions to check and what type of checks to perform. The analysis can
look for mismatched values, and missing or extra values. If all configuration checking is performed
for all functions, over 200 checks are performed for each Cisco MDS switch.
After the analysis is run, the results are displayed with details about the issues that were discovered. You
can automatically resolve configuration differences by selecting them and clicking the Resolve button.
Fabric Manager automatically changes the configuration to match the reference switch or policy file.
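The comparison described for Fabric Configuration Analysis, written out as an added example (not Fabric Manager's implementation or its policy-file format): each switch is compared with a reference for mismatched, missing, and extra values, with optional limits on which functions and check types run, and a resolve step that brings a switch back in line with the reference. The switch names, "function.setting" keys, and values are constructed for illustration.

```python
from typing import Any, NamedTuple

ALL_CHECKS = frozenset({"mismatch", "missing", "extra"})


class Finding(NamedTuple):
    switch: str
    key: str
    kind: str        # "mismatch", "missing" or "extra"
    expected: Any    # reference value (None for "extra")
    actual: Any      # value on the switch (None for "missing")


# Constructed sample data. Keys are hypothetical "function.setting" names.
REFERENCE = {
    "ssh.enabled": True,
    "telnet.enabled": False,
    "ntp.server": "192.0.2.10",
    "syslog.server": "192.0.2.20",
}
SWITCHES = {
    "sw-a": dict(REFERENCE),
    "sw-b": {
        "ssh.enabled": True,
        "telnet.enabled": True,          # mismatch with the reference
        "syslog.server": "192.0.2.20",   # ntp.server is missing
        "snmp.community": "public",      # extra: not in the reference
    },
}


def analyze(reference, switches, functions=None, checks=ALL_CHECKS):
    """Compare every switch with the reference.

    functions - set of function names (the part of the key before the first
                dot) to check, or None for all functions
    checks    - which kinds of difference to report
    """
    findings = []
    for name in sorted(switches):
        cfg = switches[name]
        for key in sorted(set(reference) | set(cfg)):
            if functions is not None and key.split(".", 1)[0] not in functions:
                continue
            if key not in cfg:
                kind, expected, actual = "missing", reference[key], None
            elif key not in reference:
                kind, expected, actual = "extra", None, cfg[key]
            elif cfg[key] != reference[key]:
                kind, expected, actual = "mismatch", reference[key], cfg[key]
            else:
                continue
            if kind in checks:
                findings.append(Finding(name, key, kind, expected, actual))
    return findings


def resolve(name, cfg, findings):
    """Return a copy of cfg with the selected findings for this switch resolved."""
    fixed = dict(cfg)
    for f in findings:
        if f.switch != name:
            continue
        if f.kind == "extra":
            fixed.pop(f.key, None)       # drop values the reference lacks
        else:
            fixed[f.key] = f.expected    # set missing or mismatched values
    return fixed


if __name__ == "__main__":
    results = analyze(REFERENCE, SWITCHES)
    for f in results:
        print(f"{f.switch}: {f.kind:8} {f.key} expected={f.expected!r} actual={f.actual!r}")
    print(resolve("sw-b", SWITCHES["sw-b"], results) == REFERENCE)
```

Reviewing the findings before resolving matters most for "extra" values, since resolving them removes configuration from the switch.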

CHAPTER 6
Device Manager

Device Manager provides a graphic representation of a Cisco MDS 9000 Family switch chassis or Cisco
Nexus 5000 Series switch chassis, including the installed switching modules, the supervisor modules,
the status of each port within each module, the power supplies, and the fan assemblies.
This chapter includes the following sections:
About Device Manager
Launching Device Manager
Using Device Manager
Setting Device Manager Preferences

About Device Manager


The tables in the Fabric Manager Information pane basically correspond to the dialog boxes that appear
in Device Manager. However, while Fabric Manager tables show values for one or more switches, a
Device Manager dialog box shows values for a single switch. Also, Device Manager provides more
detailed information for verifying or troubleshooting device-specific configuration than Fabric Manager.
Device Manager provides two views, Device View and Summary View. Use Summary View to monitor
interfaces on the switch. Use Device View to perform switch-level configurations including the
following:
Configure virtual Fibre Channel interfaces.
Configure Fibre Channel over Ethernet (FCoE) features.
Configure zones for multiple VSANs.
Manage ports, PortChannels, and trunking.
Manage SNMPv3 security access to switches.
Manage CLI security access to the switch.
Manage alarms, events, and notifications.
Save and copy configuration files and software image.
View hardware configuration.
View chassis, module, port status, and statistics.

Launching Device Manager


You can launch Device Manager two ways.
To launch Device Manager from your desktop, double-click the Device Manager icon and follow the
instructions described in the Integrating Cisco Fabric Manager with Other Management Tools section
on page 2-40.
You can launch Device Manager from Fabric Manager three ways:
Right-click the switch you want to manage on the Fabric pane map and choose Device Manager
from the menu that appears.
Double-click a switch in the Fabric pane map.
Select a switch in the Fabric pane map and choose Tools > Device Manager.

Using Device Manager


This section describes the Device Manager interface, as shown in Figure 6-1.

Figure 6-1 Device Manager, Device Tab

1 Menu bar
2 Toolbar
3 Tabs
4 Legend
5 Status
6 Supervisor modules
7 Switching or services modules

Menu Bar
The menu bar at the top of the Device Manager main window provides options for managing and
troubleshooting a single switch. The menu bar provides the following options:
Device: Opens an instance of Device Manager, sets management preferences, sets the page layout,
opens a Telnet/SSH session with the current switch, exports a device image, and closes the Device
Manager application.
Physical: Allows you to view and manage inventory, modules, temperature sensors, power
supplies, fans, and the entire system.
Interface: Allows you to configure and manage PortChannels, as well as Fibre Channel, Ethernet,
iSCSI, and FICON ports. Also provides diagnostic, management and monitoring capabilities, as
well as SPAN and port tracking.
FC: Allows you to configure and manage VSAN, domain, and name server characteristics. Also
provides advanced configuration capabilities.
FICON: Allows you to configure and manage FICON VSANs, configure RLIR ERL information,
swap selected FICON ports, and view FICON port numbers.
IP: Allows you to configure and manage the following types of information: FCIP, iSCSI, iSNS,
routes, VRRP, and CDP.
Security: Allows you to configure and manage FCSP, port security, iSCSI security, SNMP security,
common roles, SSH, AAA, and IP ACLs.
Admin: Allows you to save, copy, edit, and erase the switch configuration, monitor events,
manipulate Flash files, manage licenses, configure NTP, use CFS, and reset the switch. Also enables
you to use the show tech support, show cores, and show image commands.
Logs: Shows the various logs: message, hardware, events, and accounting. Also displays FICON
link incidents, and allows you to configure the syslog setup.
Help: Displays online help topics for specific dialog boxes in the Information pane.

Toolbar Icons
The Device Manager toolbar provides quick access to many Device Manager features. Once the icon is
selected, a dialog box may open that allows configuration of the feature. The toolbar provides the main
Device and Summary View icons as shown in Table 6-1.

Table 6-1 Device Manager Main Toolbar

Icon | Description
Open Device | Opens the Device Manager view for another switch, with the option to open this view in a separate window.
Refresh Display | Communicates with the switch and displays the information in the Device Manager view.
Command-Line Interface | Opens a separate CLI command window to the switch.
Configure Selected | Opens a configuration dialog box for the selected component (line card or port).
SysLog | Opens a window that lists the latest system messages that occurred on the switch.
VSANs | Opens the VSAN dialog box that provides VSAN configuration for the switch.
Save Configuration | Saves the current running configuration to the startup configuration.
Copy | Copies configuration file between server and switch.
Toggle FICON/Interface Port Labels | Toggles the FICON and interface port labels.
Select VSAN | Filters the port display to show only those ports belonging to the selected VSAN.
Help | Accesses online help for Device Manager.

Dialog Boxes
If a toolbar icon is selected, a dialog box may open that allows configuration of the selected feature. The
dialog box may include table manipulation icons. See the Information Pane section on page 5-17 for
descriptions of these icons.

Tabs
Click the Device tab on the Device Manager main window to see a graphical representation of the switch
chassis and components.
Click the Summary tab on the Device Manager main window to see a summary of active interfaces on
a single switch, as well as Fibre Channel and IP neighbor devices. The Summary View also displays port
speed, link utilization, and other traffic statistics. There are two buttons in the upper left corner of the
Summary View tab used to monitor traffic. To monitor traffic for selected objects, click the Monitor
Selected Interface Traffic Util% button. To display detailed statistics for selected objects, click the
Monitor Selected Interface Traffic Details button. You can set the poll interval, the type or Rx/Tx
display, and the thresholds.

Legend
The legend at the bottom right of the Device Manager indicates port status, as follows:
Colors
Green: The port is up.
Brown: The port is administratively down.
Red: The port is down or has failed.
Amber: The port has a minor fault condition.
Gray: The port is unreachable.
Blue: The port is out of service.
Labels
X: Link failure
E: ISL
TE: Multi-VSAN ISL
F: Host/storage
FL: F loop
I: iSCSI
SD: SPAN destination
CH: Channel
CU: Control Unit
NP: Proxy N-Port (NPV Mode)
vFC: vFC Present (Cisco Nexus 5000 Series switches only)

Supervisor and Switching Modules


In the Device View, you can right-click an object and get information on it, or configure it. If you
right-click a module, the menu shows the module number and gives you the option to configure or reset
the module. If you right-click a port, the menu shows the port number and gives you the option to
configure, monitor, enable/disable, set beacon mode, or perform diagnostics on the port.

Tip You can select multiple ports in Device Manager and apply options to all the selected ports at one time.
Either select the ports by clicking the mouse and dragging it around them, or hold down the Control key
and click each port.

To enable or disable a port, right-click the port and click Enable or Disable from the pop-up menu. To
enable or disable multiple ports, drag the mouse to select the ports and then right-click the selected ports.
Then click Enable or Disable from the pop-up menu.
To manage trunking on one or more ports, right-click the ports and click Configure. In the dialog box
that appears, right-click the current value in the Trunk column and click nonTrunk, trunk, or auto from
the pull-down list.
To create PortChannels using Device Manager, click PortChannels from the Interface menu. For
detailed instructions, see Chapter 23, Configuring PortChannels. You can also use Fabric Manager to
conveniently create a PortChannel.

Note To create a PortChannel, all the ports on both ends of the link must have the same port speed, trunking
type, and administrative state.

Context Menus
Context menus are available in both Device Manager views by right-clicking a device or table.
From Device View:
Device: Right-click a system, module, or power supply to bring up a menu that gives you the option
to configure or reset the device.
Port: Right-click a port to bring up a menu that shows you the number of the port you have clicked
and gives you the option to configure, monitor, enable, disable, set beacon mode, or perform
diagnostics on the port.
From Summary View:
Table: Right-click the table header to show a list of which columns to display in that table:
Interface, Description, VSANs, Mode, Connected To, Speed (Gb), Rx, Tx, Errors, Discards, and
Log. Click the Description field to bring up the appropriate configuration dialog box for the port
type.


Setting Device Manager Preferences


To set your preferences for the behavior of the Device Manager application, choose Device >
Preferences from the Device menu. You can set the following preferences:
Retry Requests x Time(s) After x sec Timeout: Allows you to set the retry request values. The
default settings are 1 time after a 5-second timeout.
Enable Status Polling Every x secs: Allows you to set the status polling value. The default setting
is enabled (checked) with a time of 40 seconds.
Trace SNMP Packets in Message Log: Allows you to set whether Device Manager traces SNMP
packets and logs the trace. The default setting is disabled (unchecked).
Register for Events After Open, Listen on Port 1163: Allows you to register this switch so that
events are logged once you open Device Manager. The default setting is enabled (checked).
Show WorldWideName (WWN) Vendor: Displays the world wide name vendor name in any table
or listing displayed by Device Manager. If Prepend is checked, the name is displayed in front of the
IP address of the switch. If Replace is checked, the name is displayed instead of the IP address. The
default setting is enabled (checked) with the Prepend option.
Show Timestamps as Date/Time: Displays timestamps in the date/time format. If this preference
is not checked, timestamps are displayed as elapsed time. The default setting is enabled (checked).
Telnet Path: Sets the path for the telnet.exe file on your system. The default is telnet.exe, but you
need to browse for the correct location.

Note If you browse for a path or enter a path and you have a space in the pathname (for example,
c:\program files\telnet.exe), then the path will not work. To get the path to work, manually
place quotes around it (for example, "c:\program files\telnet.exe").

Use Secure Shell Instead of Telnet: Specifies whether to use SSH or Telnet when using the CLI
to communicate with the switch. If enabled, you must specify the path to your SSH application. The
default setting is disabled.
CLI Session Timeout x secs (0= disable): Specifies the timeout interval for a CLI session. Enter
0 to disable (no timeout value). The default setting is 30 seconds.
Show Tooltips in Physical View: Determines whether tooltips are displayed in Physical (Device)
View. The default setting is enabled (checked).
Label Physical View Ports With: Specifies the type of label to assign to the ports when you are
in Physical (Device) View. The options are FICON and Interface. The default setting is Interface.
Export Table: Specifies the type of file that is created when you export a table using Device
Manager. The options are Tab-Delimited or XML. The default setting is Tab-Delimited.


CHAPTER 7
Fabric Manager Web Client

With Fabric Manager Web Client, you can monitor Cisco MDS switch events, performance, and
inventory from a remote location using a web browser. You can also monitor the events, performance,
and inventory information of Cisco Nexus 5000 Series switches.
This chapter contains the following sections:
About Fabric Manager Web Client
Navigating Fabric Manager Web Client
Installing Fabric Manager Web Client
Launching Fabric Manager Web Client
Health
Performance
Inventory
Reports
Admin

About Fabric Manager Web Client


Using Fabric Manager Web Client, you can monitor MDS or Cisco Nexus 5000 Series switch events,
performance, and inventory, and perform minor administrative tasks.
Fabric Manager Web Client provides the following features:
Summary and drill down reports: The Performance Manager summary report provides a
high-level view of your network performance. These reports list the average and peak throughput
and provide hot-links to additional performance graphs and tables with additional statistics. Both
tabular and graphical reports are available for all interconnections monitored by Performance
Manager. Performance Manager also analyzes daily, weekly, monthly and yearly trends. You can
also view the results for specific time intervals using the interactive zooming functionality. These
reports are only available if you create a collection using Performance Manager and start the
collector. To view historical performance reports, you need to install Adobe Flash Player 10 or later.
See the Historical Performance Monitoring section on page 58-4.

Zero maintenance database for statistics storage: No maintenance is required to maintain
Performance Manager's round-robin database, because its size does not grow over time. At
prescribed intervals the oldest samples are averaged (rolled-up) and saved. A full two days of raw
samples are saved for maximum resolution. Gradually the resolution is reduced as groups of the
oldest samples are rolled up together.
You see the Fabric Manager Web Client window as shown in Figure 7-1.

Figure 7-1 Fabric Manager Web Client

Navigating Fabric Manager Web Client


With most screens, Fabric Manager Web Client has standardized certain navigation conventions.

Navigation Tree

You can use the filter navigation tree in the left pane to access the areas you want as follows:
Select SAN to view information for all fabrics and VSANs in the SAN. When you do this, a Fabric
column is added as the first column of the tables.
Click a fabric folder to view information for that specific fabric.
Some screens have expandable fabric folders. You can expand the fabric folders (by clicking the +
or - icons in front of the folders) to see a list of VSANs in that fabric. Select a VSAN to view
information for that VSAN.
The features accessible from the tabs are limited to the areas you select in the filter tree.


Table Filtering and Navigation

You can filter the display of some tables to view subsets of the information. At the top right of these
tables are one or more drop-down lists. Select an item from these lists, and then click Filter to filter the
table information on that item.
You can change the number of rows displayed per page by selecting a number from the Rows per page
drop-down list at the lower left corner of the table. Once you select a number, the table is updated with
the new number of rows; you do not have to click a button.
For tables with multiple pages of information, you can:
Jump to the first or last page of the table by clicking the first page or last page icons (arrows with a
bar in front of them).
Jump to the next page or previous page by clicking the next page or previous page icons (arrows).
Jump to a specific page by entering the page number in the Go to page field and clicking the Go
button.
You can search certain columns in the tables for information if a table column has a black icon next to
the column head. Click the icon to display a Search dialog box.

Printing

There is a Print icon in the lower right corner of some tables. Click this icon to view the table in a
printer-friendly format. You can then print the page from the browser.

Exporting to a File

There is an Export icon in the lower right corner of some tables. Click this icon to export the data to a
.CSV file that can be read by programs such as Microsoft Excel.

Sorting Columns

On some screens, you can click a column head to sort the information for that column.

Installing Fabric Manager Web Client


If you are installing the Fabric Manager Web Client software for the first time, or if you want to update
or reinstall the software, you access the supervisor module of the switch using a web browser. Install
Fabric Manager Web Client on the same workstation where you installed Fabric Manager Server.
You must install Fabric Manager Web Client to view Performance Manager reports through a web
browser.
For switches running Cisco MDS 9000 FabricWare, you need to install the Fabric Manager Web Client
software from the CD-ROM included with your switch, or download Fabric Manager from Cisco.com.
To install Fabric Manager Web Client from the CD-ROM, navigate to the Fabric Manager installation
notes and follow the directions.
To download the software from Cisco.com (requires a valid user name and password), go to the following
website:
http://cisco.com/cgi-bin/tablebuild.pl/mds-fm
To download and install the software on your workstation, follow these steps:


Step 1 Optionally, enter the IP address or host name of the supervisor module running Cisco MDS NX-OS in
the Location or Address field of your browser. You see the installation page displayed by the HTTP
server of the supervisor module.
When you connect to the server for the first time, it checks to see if you have the correct Sun Java Virtual
Machine version installed on your workstation. If you do not have the correct version installed, a link is
provided to the appropriate web page on the Sun Microsystems website so you can install it.
a. Click the Sun Java Virtual Machine software link (if required) to install the software.
b. Using the instructions provided by the Sun Microsystems website, reconnect to the supervisor
module by reentering the IP address or host name in the Location or Address field of your browser.

Note We recommend Java version 1.5(x) or later. To use IPv6 addresses, you must have Java version
1.5. To change the Java Runtime Environment (JRE) version, start Java Web Start and set the
Java preferences.

Step 2 Click the Fabric Manager Web Client installation link. You see a prompt asking for permission to
install the application on your workstation.
Step 3 Click Yes to run the installer, which detects the installed version of the software, and prompts for
upgrades or downgrades and other options if applicable.

Note If TCP port 80 is in use, Fabric Manager Web Client checks port 8080 next. If that port is also
in use, Fabric Manager Web Client uses the next available port. You can set the TCP port that
you want Fabric Manager Web Client to use during the installation process.

Unless you specify a different directory on a Windows PC, the software is installed in the default location
of C:\Program Files\Cisco Systems\MDS 9000. A Cisco MDS 9000 program group is created under
Start > Programs. This program group contains shortcuts to Fabric Manager and Device Manager.
On a UNIX (Solaris or Linux) machine, the installation path is /usr/local/cisco_mds9000. If this directory
is not writable by the user, which is the case for non-root users, the default is set to $HOME/cisco_mds9000.
Shell scripts are created in the bin directory.

Note On a Windows PC, you install Fabric Manager Web Client as a service. This service can then be
administered using the Services Panel from the Windows Control Panel. By default, Fabric Manager
Web Client automatically starts when the workstation is rebooted. You can change this behavior by
modifying the properties in the Services Panel.

Note You need to configure the Fabric Manager Server on the DNS server for remote logins unless the Fabric
Manager Server is binding to a specific interface.


Using Fabric Manager Web Client with SSL


Fabric Manager Web Client uses TCP port 80 by default. If you want to install SSL certificates and use
Fabric Manager Web Client over HTTPS (using TCP port 443 or another custom port), you need a
certificate for each external IP address that accepts secure connections. You can purchase these
certificates from a well-known Certificate Authority (CA).
To enable SSL, users must set up the keystore to use either a self-signed certificate or a certificate from
a trusted third-party company such as Verisign.
To create a local certificate, follow these steps:

Step 1 Set up a keystore to use a self-signed certificate (local certificate). From the command line, enter the
following command:
%JAVA_HOME%/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\Program Files\Cisco Systems\MDS 9000\keystore"

Step 2 Enter your name, organization, state, and country. Enter changeit when prompted for a keystore
password. If you prefer to use your own password, do not forget to change the keystorepass attribute in
the server.xml file. When prompted for a key password, press Enter or use the same password as the
keystore password.

Note You can now follow the steps in the next section for modifying Fabric Manager Web Client to
use SSL.

In order to obtain a certificate from the Certificate Authority of your choice, you must create a Certificate
Signing Request (CSR). The CSR is used by the certificate authority to create a certificate that identifies
your website as secure.
To create a CSR, follow these steps:

Step 1 Create a local certificate (as described in the previous section).

Note You must enter the domain of your website in the field first and last name in order to create a
working certificate.

Step 2 The CSR is then created with this command:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore "C:\Program Files\Cisco Systems\MDS 9000\keystore"

Now you have a file called certreq.csr. The file is encoded in PEM format. You can submit it to the
certificate authority. You can find instructions for submitting the file on the Certificate Authority
website. You will receive a certificate.
Step 3 Once you have your certificate, you can import it into your local keystore. You must first import a Chain
Certificate or Root Certificate into your keystore. You can then import your certificate.
Step 4 Download a Chain Certificate from the Certificate Authority where you obtained the certificate:
For Verisign.com commercial certificates, go to:
http://www.verisign.com/support/install/intermediate.html

For Verisign.com trial certificates, go to:
http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
For Trustcenter.de, go to:
http://www.trustcenter.de/certservices/cacerts/en/en.htm#server
For Thawte.com, go to:
http://www.thawte.com/certs/trustmap.html

Import the Chain Certificate into your keystore by entering the following command:
keytool -import -alias root -keystore "C:\Program Files\Cisco Systems\MDS 9000\keystore" -trustcacerts -file filename_of_the_chain_certificate

Import the new certificate in X509 format:
keytool -import -alias tomcat -keystore "C:\Program Files\Cisco Systems\MDS 9000\keystore" -trustcacerts -file your_certificate_filename

To modify Fabric Manager Web Client to use SSL, follow these steps:

Step 1 Stop Fabric Manager Web Client if you have already launched it. If you installed this on Windows, you
can stop the service using Windows Services under Administrative Tools.
Step 2 Use a text editor to open \jboss\server\default\deploy\jboss-web.deployer\server.xml from the
directory where Fabric Manager Web Client is installed. You see the following lines in the beginning
after some copyright information:
<Connector acceptCount="100" allowTrace="false" connectionTimeout="20000"
disableUploadTimeout="true" emptySessionPath="true" enableLookups="false"
maxHttpHeaderSize="8192" maxThreads="250" port="80" protocol="HTTP/1.1"
redirectPort="8443" strategy="ms"/>
<!-- Add this option to the connector to avoid problems with
.NET clients that don't implement HTTP/1.1 correctly
restrictedUserAgents="^.*MS Web Services Client Protocol 1.1.4322.*$"
-->
<!-- A AJP 1.3 Connector on port 8009 -->
<Connector emptySessionPath="true" enableLookups="false" port="8009"
protocol="AJP/1.3" redirectPort="8443"/>
<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector port="80"
protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false" sslProtocol = "TLS"
securityDomain="java:/jaas/encrypt-keystore-password"
SSLImplementation="org.jboss.net.ssl.JBossImplementation" allowTrace="false"/>
-->

Step 3 Comment out the first <Connector> element and uncomment the second one. Your file should look like the
following example:
<!-- A HTTP/1.1 Connector on port 8080 -->

<!-- <Connector acceptCount="100" allowTrace="false" connectionTimeout="20000"
disableUploadTimeout="true" emptySessionPath="true" enableLookups="false"
maxHttpHeaderSize="8192" maxThreads="250" port="80" protocol="HTTP/1.1"
redirectPort="8443" strategy="ms"/>
-->
<!-- Add this option to the connector to avoid problems with
.NET clients that don't implement HTTP/1.1 correctly
restrictedUserAgents="^.*MS Web Services Client Protocol 1.1.4322.*$"
-->
<!-- A AJP 1.3 Connector on port 8009 -->
<Connector emptySessionPath="true" enableLookups="false" port="8009"
protocol="AJP/1.3" redirectPort="8443"/>
<Connector port="80"
protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false" sslProtocol = "TLS"
securityDomain="java:/jaas/encrypt-keystore-password"
SSLImplementation="org.jboss.net.ssl.JBossImplementation" allowTrace="false"/>

Step 4 Save this file.


Step 5 Restart Fabric Manager Web Client.

Note If you restart Fabric Manager Server with SSL enabled, you must restart Fabric Manager Web Client. If
you want to stop and restart Fabric Manager Server with SSL disabled, then you must restart Fabric
Manager Web Client.
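
The following Python check is an added example, not part of the Cisco guide: it parses server.xml with commented-out elements ignored and reports which <Connector> elements are actually active after the Step 3 edit, including the half-finished case where both connectors end up live on the same port. The sample documents are constructed from the connector lines shown above; the <Server><Service> wrapper and the name audit are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Connector elements copied from the listing in Step 2.
HTTP = '''<Connector acceptCount="100" allowTrace="false" connectionTimeout="20000"
 disableUploadTimeout="true" emptySessionPath="true" enableLookups="false"
 maxHttpHeaderSize="8192" maxThreads="250" port="80" protocol="HTTP/1.1"
 redirectPort="8443" strategy="ms"/>'''
AJP = '''<Connector emptySessionPath="true" enableLookups="false" port="8009"
 protocol="AJP/1.3" redirectPort="8443"/>'''
SSL = '''<Connector port="80"
 protocol="HTTP/1.1" SSLEnabled="true"
 maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
 emptySessionPath="true"
 scheme="https" secure="true" clientAuth="false" sslProtocol = "TLS"
 securityDomain="java:/jaas/encrypt-keystore-password"
 SSLImplementation="org.jboss.net.ssl.JBossImplementation" allowTrace="false"/>'''


def _doc(body):
    # Assumed wrapper so the fragment parses as one XML document.
    return "<Server><Service>\n" + body + "\n</Service></Server>"


def _commented(element):
    # Wrap an element in an XML comment, as Step 3 does by hand.
    return "<!-- " + element + "\n-->"


# Constructed sample files: as shipped, after Step 3, and a half-finished edit
# where the SSL connector was uncommented but the HTTP one was left active.
BEFORE = _doc(HTTP + "\n" + AJP + "\n" + _commented(SSL))
AFTER = _doc(_commented(HTTP) + "\n" + AJP + "\n" + SSL)
HALF_EDITED = _doc(HTTP + "\n" + AJP + "\n" + SSL)


def audit(server_xml):
    """Return (listeners, findings) for the active <Connector> elements.

    listeners is a list of (port, kind) with kind in {"http", "https", "ajp"};
    findings is a list of human-readable problems.
    """
    root = ET.fromstring(server_xml)  # the default parser discards comments
    listeners, findings = [], []
    for conn in root.iter("Connector"):
        a = conn.attrib
        port = int(a["port"])
        if a.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            kind = "ajp"
        elif a.get("SSLEnabled", "false").lower() == "true":
            kind = "https"
            if a.get("scheme") != "https" or a.get("secure") != "true":
                findings.append(
                    f"port {port}: SSLEnabled without scheme=https/secure=true")
        else:
            kind = "http"
            findings.append(f"port {port}: plain HTTP connector is still active")
        if a.get("allowTrace", "false").lower() == "true":
            findings.append(f"port {port}: allowTrace is enabled")
        listeners.append((port, kind))
    if not any(kind == "https" for _, kind in listeners):
        findings.append("no active SSL connector")
    for port, count in Counter(p for p, _ in listeners).items():
        if count > 1:
            findings.append(f"port {port}: {count} active connectors share this port")
    return listeners, findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER),
                       ("half-edited", HALF_EDITED)):
        listeners, findings = audit(text)
        print(name, listeners)
        for finding in findings:
            print("  !", finding)
```

To check a real installation, pass the contents of the server.xml file named in Step 2 to audit() after saving it in Step 4.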

Launching Fabric Manager Web Client


Before you can use Fabric Manager Web Client to monitor a switch, the service must be started on the
server you are connecting through. The browser does not have to be on the same workstation where
Fabric Manager Web Client is installed.
To launch Fabric Manager Web Client, follow these steps:

Step 1 If you are on the same workstation where you installed Fabric Manager Web Client, then open your
browser and in the Location field enter http://localhost:PORT. Enter your port number if you specified
a different port during installation. You can omit the port number if you used port 80 by default.

If you are on a different workstation from where you installed Fabric Manager Web Client, then open
your browser and in the Location field enter http://<yourServerAddress>:PORT, where
<yourServerAddress> is the address where you installed Fabric Manager Web Client, and PORT is 80
by default. Enter your port number if you specified a different port during installation.


Tip Choose Start > Control Panel > Administrative Tools > Services to verify that Fabric Manager
Web Client has started. To start Fabric Manager Web Client, use a browser to go to the location
of the service.

You can also view this information using the Admin > Status menu of the Fabric Manager Web
Client.

On a UNIX workstation, use the following command:


$ /usr/local/cisco_mds9000/bin/FMWebClient.sh status

You see the Fabric Manager Web Client Login dialog box shown in Figure 7-2. The text field at the
bottom shows the Message of the Day from the server you logged into.

Figure 7-2 Fabric Manager Web Client Login Dialog Box

Step 2 Enter your user name and password.


Step 3 Click Login.

Note If you have a new installation of Fabric Manager, the default user ID and password are
admin/password. We recommend you change your password the first time you use Fabric
Manager Server. If you do not have a new installation, you can use any existing passwords.

Note If you are using Firefox to access Fabric Manager Web Client, you may receive a warning message
indicating a problem with the security certificate of the website. To resolve this issue, you may need to
add the security exception.


To add the security exception, follow these steps:

Step 1 On the warning page, click Or you can add an exception.


Step 2 Click Add Exception.
The Add Security Exception dialog will appear.
Step 3 Click Get Certificate.
Read the text describing the problems with this site.
Step 4 Click Confirm Security Exception.

After launching Fabric Manager Web Client, you see the screen as shown in Figure 7-1, which you can
also see by choosing Health > Summary. Fabric Manager Web Client polls the Fabric Manager Server
database to display the managed devices in the left pane.

Health
The Health tab shows events and issues for the selected items, persistent across user sessions.
The Health tab contains the following subtabs:
Summary: Shows a summary of events and problems for all SANs, or a selected SAN, fabric, or
switch. You can click any of the blue links for more information about that item.
Fabric: Shows a detailed list of events and hardware, or accounting. You can filter these events by
severity, date, and type of event.
Syslog: Shows a detailed list of system messages. You can filter these events by severity, date, and
type of event.
Analysis: Enables you to schedule or run analysis reports and compile results to analyze the Fabric
Manager Server database statistics.

Viewing Summary Information


To view a summary of events and problems using Fabric Manager Web Client, follow these steps:

Step 1 Click the Health tab, and then click the Summary tab.
You see the Summary tab window. In the left navigation pane you see a list of the fabrics managed by
Fabric Manager Server. In the right pane is a summary table of problems and events for the last 24 hours
(see Figure 7-3).


Figure 7-3 Summary Tab

Step 2 Do one of the following:


Choose SAN to display summary information for all fabrics.
Choose one of the fabrics to display summary information for that fabric.
Step 3 Click the warnings next to Switches, ISLs, Hosts, or Storage (other than 0) to see an inventory of
switches, ISLs, or end devices for that fabric.
Step 4 Choose the number of events next to the event severity levels (Emergency, Alert, Critical, Error,
Warning, Notice, Info, or Debug) to see a table of events and descriptions for that fabric.

Viewing Fabric Information


To view a detailed list of events and hardware or accounting using Fabric Manager Web Client, follow
these steps:

Step 1 Click the Health tab, and then click the Fabric Events tab.
You see the Fabric tab window as shown in Figure 7-4.


Figure 7-4 Fabric Events Tab

Step 2 Expand a fabric and choose one of the switches to display event information for that switch.

Viewing Syslog Information


To view a detailed list of system messages using Fabric Manager Web Client, follow these steps:

Step 1 Click the Health tab, and then click the Syslog tab.
You see the Syslog tab as shown in Figure 7-5.


Figure 7-5 Syslog Tab

Step 2 Select one of the fabrics to display a table of syslog information for that fabric.
Step 3 Expand a fabric and select one of the switches to display syslog information for that switch.
Step 4 If you have selected a fabric and one or more switches in that fabric have system messages, you see
Events, Hardware, Accounting, and Link Incidents in the Files column. Click one of these message
types to see system messages for the switches in that fabric filtered by the message type you clicked.

Note If you select a switch, choose an interval and a message type from the drop-down lists, and then
click Filter to see system messages filtered by the message type you chose.

Note To view MDS configuration changes, click accountingX.log under Files. To view the
configuration changes of a switch using Device Manager, click Logs > FMServer > Accounting
> Current.

Viewing Analysis Reports


As of Cisco SAN-OS Release 3.2(1) and up to Cisco NX-OS 4.1(3), you can run or schedule analysis
reports to summarize the Fabric Manager Server database statistics. You can run or schedule the
following analysis reports:
Connectivity (Host to Storage or Storage to Host): The connectivity report summarizes zoning for
multiple hosts or storage devices. If you choose host to storage, the report shows all storage devices
zoned as accessible by each host. If you choose storage to host, the report shows all hosts that can
access a specific storage device.

Zoning Discrepancies: The zoning discrepancies report identifies zoning issues that might impact
connectivity or security.
Multi Path: The multi path report determines the number of active and inactive paths between
hosts and storage enclosures.
Switch Health: The switch health report provides status information on all critical Cisco MDS
9000 system, module, port, and Fibre Channel services.
Fabric Configuration: The fabric configuration analysis compares multiple switches to a specific
switch or a saved configuration.
To run analysis reports using Fabric Manager Web Client, follow these steps:

Step 1 Click the Health tab, and then click the Analysis tab.
You see the Analysis tab shown in Figure 7-6.

Figure 7-6 Analysis Tab

Step 2 Select a report from the Report Type drop-down list.


Step 3 Click Run Report to run the report.
To schedule a report to run at a specified time, see the Generating Custom Reports by Template section
on page 7-41.

Performance
The Performance tab shows an overview of the average throughput and link utilization of SAN
components. You see pie charts for the throughput and utilization. You can click a pie chart to view a
table of the data. In these tables, clicking a blue link displays a graph of that data, if applicable. The
Filter drop-down list at the top right of the screen allows you to filter the data based on various periods
of time.


The Performance tab contains the following subtabs:


Summary: Shows the total utilization and throughput in summary form.
End Devices: Shows a detailed list of end devices (host or storage), port traffic, and errors.
ISLs: Shows a detailed list of ISL traffic and errors.
NPV Links: Shows a detailed list of traffic between NPV devices and ports.
Flows: Shows a detailed list of host-to-storage traffic.
Ethernet: Shows a detailed list of Gigabit Ethernet ports and Cisco Nexus 5000 Series Ethernet
ports.
Others: Shows a detailed list of other statistics.
Traffic Analyzer: Shows a summary of SPAN ports configured in the SAN and any traffic
analyzers configured.
Prediction: Displays a graph that predicts future performance to help determine when storage
network connections will become overutilized.
Switch Bandwidth: Shows total bandwidth for a switch.

Viewing Performance Summary Information


To view total utilization and throughput in summary form using Fabric Manager Web Client, follow
these steps:

Step 1 Click the Performance tab, and then click the Summary tab.
You see the Summary tab shown in Figure 7-7.


Figure 7-7 Summary Tab

Step 2 Expand a fabric and select one of the VSANs to display network throughput and link utilization
information for that VSAN.

Note: Click a pie chart (Hosts, Storage, or ISLs) to go to the appropriate performance table.

Note: License compliance information is provided at the top of the pane indicating that unlicensed switches
may not be supported in the future. You can click the link to view the list of unlicensed switches.

Note: To view performance information, you must activate the performance collector. To configure Performance
Manager, follow the instructions described in the "Creating Performance Collections" section on
page 7-57.

Performance Detail Summary Report


To view a detailed summary report of the performance details using Fabric Manager Web Client, follow
these steps:

Step 1 Click the Performance tab, and then click the Summary tab.
Step 2 Click the Performance Utilization Summary Details link at the bottom of the page.


You will see the summary report details as shown in Figure 7-8.

Figure 7-8 Performance Utilization Detail Summary Report

Viewing Performance Information for End Devices


To view host and storage port traffic and errors using Fabric Manager Web Client, follow these steps:

Step 1 Click the Performance tab, and then click the End Devices tab.
You see the End Devices tab window as shown in Figure 7-9.


Figure 7-9 End Devices Tab

Step 2 Expand a fabric and select one of the VSANs to display performance information for the end devices in
that VSAN.
Step 3 Click the name of a device in the Name column to see a graph of the traffic on that device for the past
24 hours.

Note: There are variations to this procedure. In addition to these basic steps, you can also perform the
following steps to view detailed information for the end devices:
To change the time range for this graph, select it from the drop-down list in the upper right corner.
To view the detailed information for a specific period, drag the slider control to choose the time
interval for which you need the information.
To view information in grid format, click the grid icon in the bottom right corner.
To export the data into a spreadsheet, click the Excel icon in the upper right corner and then click
Save.
To view real-time information, select Real Time from the drop-down list in the upper right corner.
Real-time data is updated every 10 seconds.

Viewing Performance Information for ISLs


To view ISL traffic and errors using Fabric Manager Web Client, follow these steps:

Step 1 Click the Performance tab, and then click the ISLs tab.
You see the ISLs tab window as shown in Figure 7-10.


Figure 7-10 ISLs Tab

Step 2 Expand a fabric and select one of the VSANs to display performance information for the ISLs in that
VSAN.
Step 3 Click the name of an ISL from the Name column to see a graph of the traffic across that ISL for the past
24 hours.
You see the ISL traffic information window as shown in Figure 7-11.


Figure 7-11 ISL Traffic (24 Hours)


Figure 7-12 ISL Traffic Grid View

Note: The notation NaN (Not a Number) in the data grid means that the value is negative.


Figure 7-13 ISL Traffic (Real Time)

Note: There are variations to this procedure. In addition to the basic steps described above, you can also
perform the following steps to view detailed information for ISLs:
To change the time range for this graph, select it from the drop-down list in the upper right corner.
To view the detailed information for a specific period, drag the slider control to choose the time
interval for which you need the information.
To view information in grid format, click the grid icon in the bottom right corner.
To export the data into a spreadsheet, click the Excel icon in the upper right corner and then click
Save.
To view real-time information, select Real Time from the drop-down list in the upper right corner.
Real-time data is updated every 10 seconds.


Viewing Performance Information for NPV Links


To view traffic between NPV devices and ports using Fabric Manager Web Client, follow these steps:

Step 1 Click the Performance tab, and then click NPV Links.
You see the NPV Links tab window as shown in Figure 7-14.

Figure 7-14 NPV Links Tab

Step 2 Expand a fabric and select one of the VSANs to display performance information for the NPV Links in
that VSAN.
Step 3 Click the name of an NPV Link from the Name column to see a list of the traffic for the past 24 hours.

Note: There are variations to this procedure. In addition to the basic steps described above, you can also
perform the following steps to view detailed information for NPV Links:
To change the time range for this information, select it from the drop-down list in the
upper right corner.
To view the detailed information for a specific period, drag the slider control to choose the time
interval for which you need the information.
To view information in grid format, click the grid icon in the bottom right corner.
To export the data into a spreadsheet, click the Excel icon in the upper right corner and then click
Save.
To view real-time information, select Real Time from the drop-down list in the upper right corner.
Real-time data is updated every 10 seconds.


Viewing Performance Information for Flows


To view host and storage traffic using Fabric Manager Web Client, follow these steps:

Step 1 Click the Performance tab, and then click Flows.


You see the Flows tab window as shown in Figure 7-15.

Figure 7-15 Flows Tab

Step 2 Expand a fabric and select one of the VSANs to display performance information for the flows in that
VSAN.
Step 3 Click the name of a flow from the Name column to see a list of the traffic for the past 24 hours.

Note: There are variations to this procedure. In addition to these basic steps, you can also perform the
following steps to view detailed information for Flows:
To change the time range for this graph, select it from the drop-down list in the upper right corner.
To view the detailed information for a specific period, drag the slider control to choose the time
interval for which you need the information.
To view information in grid format, click the grid icon in the bottom right corner.
To export the data into a spreadsheet, click the Excel icon in the upper right corner and then click
Save.
To view real-time information, select Real Time from the drop-down list in the upper right corner.
Real-time data is updated every 10 seconds.


Viewing Performance Information for Gigabit Ethernet and Ethernet Ports


To view Gigabit Ethernet ports and Cisco Nexus 5000 Series Ethernet ports using Fabric Manager Web
Client, follow these steps:

Step 1 Click the Performance tab, and then click Ethernet.


You see the Ethernet tab window as shown in Figure 7-16.

Figure 7-16 Ethernet Tab

Step 2 Expand a fabric and choose one of the VSANs to display the Gigabit Ethernet ports and Cisco Nexus
5000 Series Ethernet ports in that VSAN.

Note: There are variations to this procedure. In addition to these basic steps, you can also:
Select the time range, and click Filter to filter the display.
Select the name of a GigE port from the Name column to see a graph of the traffic across that GigE
port for the past 24 hours. You can change the time range for this graph by selecting it from the
drop-down list in the upper right corner.

Viewing Other Statistics


To view other statistics using Fabric Manager Web Client, follow these steps:

Step 1 Click the Performance tab, and then click Others.


You see the Others tab window as shown in Figure 7-17.


Figure 7-17 Others Tab

Step 2 Expand a fabric and select one of the VSANs to display the other statistics in that VSAN.

Note: There are variations to this procedure. In addition to these basic steps, you can also:
Select the time range, and click Filter to filter the display.
Select the IP address of a switch from the Name column to see a graph of the traffic across that
switch for the past 24 hours. You can change the time range for this graph by selecting it from the
drop-down list in the upper right corner.

Note: To configure Other Statistics, follow the instructions described in the "Configuring Other Statistics"
section on page 7-58.

Viewing Detailed Traffic Information


To view SPAN port detailed traffic using Fabric Manager Web Client, follow these steps:

Step 1 Click the Performance tab, and then click Traffic Analyzer.
You see the Traffic Analyzer tab window as shown in Figure 7-18.


Figure 7-18 Traffic Analyzer Tab

Step 2 Do one of the following:


Select a SAN to display a list of SPAN ports for switches in all fabrics in the SAN.
Select one of the fabrics to display a list of SPAN ports for switches in that fabric.

Viewing Predicted Future Performance


To plan storage network changes, it is necessary to determine when configuration changes (such as
rezoning) may be needed to meet growing performance demands. Fabric Manager Server provides a
performance prediction report to enable you to more easily predict when storage network connections
will become overutilized.
In general, to create a performance prediction report, do the following:
Specify the period of time in the past that you want to use as a sample to predict the future
performance.
Specify the threshold values that you do not want to exceed.
Specify the period of time in the future for which you want to view performance.
Fabric Manager Server extrapolates the performance and lists in chronological order which interfaces
are expected to reach the threshold within the specified time period.

Using the Default Values


When you first view predicted future performance by clicking the Performance tab and then the
Prediction tab, you see a table showing the predicted performance for your entire SAN using the default
values. The default values are as follows:
Scope: Entire SAN
Past performance period: Month
Future performance period: Month
Threshold: 80%
SAN elements or links: ISLs
Performance prediction type: Average
Click a link in the Name column to view a graph of that ISL's performance for the past 24 hours. To view
the performance for the past week, month, year, or custom time, select an option from the drop-down list.

Using Your Own Values


To view a table of predicted future performance with your own values using Fabric Manager Web Client,
follow these steps:

Step 1 Click the Performance tab, and then click Prediction.


You see the Prediction tab window as shown in Figure 7-19.

Figure 7-19 Prediction Tab

Step 2 Expand a fabric and select one of the VSANs to specify that the prediction report will be generated for
that VSAN.
Step 3 Select the period of time (Week, Month, 3 Months, 6 Months or Year) to use to predict performance from
the past drop-down list.
Step 4 Select the period of time (Week, Month, 3 Months, 6 Months or Year) for which to make the prediction
from the future drop-down list.
Step 5 Enter the threshold percentage (1-100) of utilization that you do not want the traffic to exceed.
Step 6 Enter the number of ISLs, hosts, storage devices, or flows for which you want to make the prediction.
The prediction will show the top 10, top 20, or top 50 with the most traffic.
Step 7 Select the type of traffic prediction to show:
Average: The average value of all the sample data is used.
Peak: The average value of all the peak values is used. The number of peak values is obtained by
dividing the total number of records into groups based on the number you enter in the Use Peak
Value of Every xx Records field. For example, if you have 1000 records and you enter 100 into the
field, your records are divided into 10 groups and 10 peak values are used.
Step 8 Click Predict.
You see the prediction table with the new data. Click the links in the Name column to show performance
charts based on the history data.
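
The Average and Peak reductions from Step 7, and the chronological threshold listing described under Viewing Predicted Future Performance, as an added example that is not Cisco's code. The straight-line extrapolation, the function names, and the sample records are assumptions; the guide does not say how Fabric Manager Server extrapolates.

```python
"""Added example: the Average and Peak prediction types from the Prediction tab.

All records below are constructed utilization percentages. The straight-line
extrapolation is an assumption; the guide does not describe the server's method.
"""
from statistics import mean


def groups_of(records, every):
    """Split records into consecutive groups of `every` (the last may be short)."""
    if every < 1:
        raise ValueError("group size must be at least 1")
    return [records[i:i + every] for i in range(0, len(records), every)]


def average_value(records):
    """Average type: the mean of all the sample data."""
    return mean(records)


def peak_value(records, every):
    """Peak type: the mean of the peak (maximum) of every `every` records."""
    return mean([max(group) for group in groups_of(records, every)])


def periods_until_threshold(points, threshold):
    """Assumed model: least-squares line through one point per group.

    Returns how many group periods after the last point the line reaches
    `threshold`: 0.0 if already there, None if the trend is flat or falling.
    """
    n = len(points)
    if n and points[-1] >= threshold:
        return 0.0
    if n < 2:
        return None
    x_bar = (n - 1) / 2
    y_bar = sum(points) / n
    sxx = sum((x - x_bar) ** 2 for x in range(n))
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(points))
    slope = sxy / sxx
    if slope <= 0:
        return None
    intercept = y_bar - slope * x_bar
    return max(0.0, (threshold - intercept) / slope - (n - 1))


def predict(history, threshold=80, every=4, horizon=12, kind="peak"):
    """List (interface, periods) pairs, soonest first, for interfaces expected
    to reach `threshold` within `horizon` periods.

    `kind` picks the per-group value: max for "peak", mean for "average".
    """
    reduce_group = {"peak": max, "average": mean}[kind]
    rows = []
    for name, records in history.items():
        points = [reduce_group(group) for group in groups_of(records, every)]
        eta = periods_until_threshold(points, threshold)
        if eta is not None and eta <= horizon:
            rows.append((name, eta))
    return sorted(rows, key=lambda row: row[1])


# Constructed utilization records (percent), 12 per ISL, oldest first.
HISTORY = {
    "isl-a": [30, 40, 35, 20, 50, 45, 30, 25, 60, 55, 40, 35],  # rising fast
    "isl-b": [60, 70, 65, 62, 66, 74, 70, 68, 78, 72, 70, 75],  # near threshold
    "isl-c": [30, 25, 30, 28, 30, 25, 30, 28, 30, 25, 30, 28],  # flat
    "isl-d": [10, 8, 9, 7, 11, 9, 8, 10, 12, 10, 9, 11],        # rising slowly
}

if __name__ == "__main__":
    print("isl-a average:", average_value(HISTORY["isl-a"]))
    print("isl-a peak (every 4):", peak_value(HISTORY["isl-a"], 4))
    for name, eta in predict(HISTORY):
        print(f"{name} reaches 80% in about {eta} periods")
```

On the same records the Peak type gives the higher figure (50 against 38.75 for isl-a), so it reports a threshold crossing sooner than the Average type does.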

Viewing Switch Bandwidth


To view the total bandwidth for a switch using Fabric Manager Web Client, follow these steps:

Step 1 Click the Performance tab, and then click Switch Bandwidth.
You see the Switch Bandwidth tab window as shown in Figure 7-20.

Figure 7-20 Switch Bandwidth Tab

Step 2 Select the period of time (24 Hours, Week, Month or Year) for which you want to view bandwidth usage
from the Last drop-down list.


Inventory
The Inventory tab shows an inventory of the selected SAN, fabric, or switch. You can export this
information to an ASCII file in comma-separated value format that can be read by applications such as
Microsoft Excel. You can set the number of rows and columns per page.
The Inventory tab contains the following subtabs:
VSANs: Shows details about VSANs.
Switches: Shows details about switches.
Licenses: Shows details about the licenses in use in the fabric.
Modules: Shows details for MDS switching and services modules, fans, and power supplies.
End Devices: Shows the host and storage ports.
ISLs: Shows the Inter-Switch Links.
NPV Links: Shows the links between NPV devices and ports.
Zones: Shows the active zone members (including those in inter-VSAN zones).
Summary: Shows VSANs, switches, ISLs, ports, and end devices.

Viewing Summary Inventory Information


To view a summary of VSANs, switches, ISLs, ports, and end devices using Fabric Manager Web Client,
follow these steps:

Step 1 Click the Inventory tab, and then click Summary.


You see the Summary tab window as shown in Figure 7-21.

Figure 7-21 Summary Tab

Step 2 Do one of the following:


Select a SAN to display a summary of inventory information for all fabrics in the SAN.
Select one of the fabrics to display a summary of inventory information for that fabric.

Viewing Detailed Summary Inventory Information


The detailed summary includes a number of key summary statistics, such as port usage and any statistics
information, license use summary, environmental status and switch states, and monitoring and alerting status,
that are useful for creating comprehensive SAN health reports.
To view a detailed summary using Fabric Manager Web Client, follow these steps:

Step 1 Click the Inventory tab, and then click Summary.


Step 2 Click Inventory Summary Details at the bottom of the page.
You see the Inventory Summary Details as shown in Figure 7-22.

Figure 7-22 Detailed Summary Information

Viewing Detailed Information for VSANs


To view detailed inventory information about VSANs using Fabric Manager Web Client, follow these
steps:


Step 1 Click the Inventory tab, and then click VSANs.


You see the VSANs tab window as shown in Figure 7-23.

Figure 7-23 VSANs Tab

Step 2 Select one of the fabrics to display VSAN inventory information for that fabric.

Note: There are variations to this procedure. In addition to these basic steps, you can also:
Select the status level, then click Filter to filter the display to show all VSANs or just those with
errors.

Viewing Detailed Information for Switches


To view detailed inventory information about switches using Fabric Manager Web Client, follow these
steps:

Step 1 Click the Inventory tab, and then click VSANs.


You see the Switches tab window as shown in Figure 7-24.


Figure 7-24 Switches Tab

Step 2 Do one of the following:


Select a SAN to display switch inventory information for all fabrics in the SAN.
Select one of the fabrics to display switch inventory information for that fabric.
Expand a fabric and select one of the VSANs to display switch inventory information for that
VSAN.

Viewing License Information


To view license information for switches using Fabric Manager Web Client, follow these steps:

Step 1 Click the Inventory tab, and then click Licenses.


You see the Switch Licenses tab window as shown in Figure 7-25.


Figure 7-25 Switch Licenses Tab

Step 2 Select one of the fabrics to display license information for switches in that fabric.

Note: There are variations to this procedure. In addition to these basic steps, you can also:
Select the status level, and click Filter to filter the display to show all licenses or just those with
errors.

Viewing Detailed Information for Modules


To view detailed inventory information about modules using Fabric Manager Web Client, follow these
steps:

Step 1 Click the Inventory tab, and then click Modules.


You see the Modules tab window as shown in Figure 7-26.


Figure 7-26 Modules Tab

Step 2 Do one of the following:


Select a SAN to display module inventory information for all fabrics in the SAN.
Select one of the fabrics to display module inventory information for that fabric.
Expand a fabric and select one of the VSANs to display module inventory information for that
VSAN.

Viewing Detailed Information for End Devices


To view detailed inventory information about end devices using Fabric Manager Web Client, follow
these steps:

Step 1 Click the Inventory tab, and then click End Devices.
You see the End Devices tab window as shown in Figure 7-27.


Figure 7-27 End Devices Tab

Step 2 Expand a fabric and select one of the VSANs to display end device inventory information for that VSAN.

Note: If you filter by hosts or enclosures, you can click a host in the resulting table to see host enclosure
performance, a list of hosts, a list of hosts to which your device is connected, and the connection paths.
This allows you to see performance statistics for hosts and enclosures.

You can also filter by end devices or by port groups to view aggregate information for those port groups,
such as peak and average usage.

Viewing Detailed Information for ISLs


To view detailed inventory information about ISLs using Fabric Manager Web Client, follow these steps:

Step 1 Click the Inventory tab, and then click ISLs.


You see the ISLs tab window as shown in Figure 7-28.


Figure 7-28 ISLs Tab

Step 2 Expand a fabric and select one of the VSANs to display ISL inventory information for that VSAN.

Note: There are variations to this procedure. In addition to these basic steps, you can also:
Select the status level, and click Filter to filter the display to show all ISLs or only those with errors.

Viewing Detailed Information for NPV Links


To view detailed inventory information about NPV Links using Fabric Manager Web Client, follow these
steps:

Step 1 Click the Inventory tab, and then click NPV Links.
You see the NPV Links tab window as shown in Figure 7-29.


Figure 7-29 NPV Links

Step 2 Expand a fabric and select one of the VSANs to display NPV Links information for that VSAN.

Viewing Detailed Information for Zones


To view detailed inventory information about zones using Fabric Manager Web Client, follow these
steps:

Step 1 Click the Inventory tab, and then click Zones.


You see the Zones tab window as shown in Figure 7-30.


Figure 7-30 Zones Tab

Step 2 Expand a fabric and select one of the VSANs to display zone inventory information for that VSAN.

Note: There are variations to this procedure. In addition to these basic steps, you can also:
Select the status level, and click Filter to filter the display to show all zones or just those with errors.

Reports
The Reports tab allows you to create customized reports based on historical performance, events, and
inventory information gathered by the Fabric Manager Server. You can create aggregate reports with
summary and detailed views. You can also view previously saved reports.
The Report tab contains the following subtabs:
View: Displays previously saved reports.
Generate: Generates a custom report based on the selected report template.
Edit: Edits an existing report template.
Create: Creates a report template, allowing you to select any combination of events, performance
categories, and inventory.
Scheduled Jobs: Displays scheduled jobs based on the selected report template.

Creating a Custom Report Template


You can create custom reports from all or any subset of information gathered by Fabric Manager Server.
You create a report template by selecting the events, performance, and inventory statistics that you want in
your report and setting the desired SAN, fabric, or VSAN to limit the scope of the template. You can generate
and schedule a report of your fabric based on this template immediately or at a later time. Fabric
Manager Web Client saves each report based on the report template used and the time you generate the
report.
To create a custom report template using Fabric Manager Web Client, follow these steps:

Step 1 Click the Report tab, and then click Create.


You see the Create Report tab as shown in Figure 7-31.

Figure 7-31 Create Report Tab

Step 2 Provide a new name for the report.


Step 3 Indicate the information you want in the report by checking the Events, Performance, and Inventory
check boxes.
Step 4 (Optional) Select Severity for events, Status for inventory information, or Type of end devices for
performance information and inventory information.
Step 5 (Optional) Check the Private check box to change the attribute of the report. If selected, the report can
be viewed only by the specific user and network administrator.
Step 6 Click Save to save this report template.


Viewing Custom Reports by Template


To view a custom report based on a specific template using Fabric Manager Web Client, follow these
steps:

Step 1 Click the Reports tab, and then click View.


You see the Report table window as shown in Figure 7-32.

Figure 7-32 View Report Table

Step 2 In the left pane, expand Templates.


Step 3 Select the report that you want to view. You can view the report in the main screen or you can view the
report in a new browser window if you click the report in the report table.

Viewing Custom Reports by Users


To view a custom report based on a specific user using Fabric Manager Web Client, follow these steps:

Step 1 Click the Reports tab, and then click View.


You see the report table window as shown in Figure 7-33.


Figure 7-33 View Report Table

Step 2 In the left pane, click to expand Users.


Step 3 Double-click the user name.
Step 4 Select the report that you want to view. You can view the report in the main screen or you can view the
report in a new browser window if you click the report in the report table.

Generating Custom Reports by Template


You can generate reports based on a selected template or you can schedule the report to run at a specified
time.
To generate a report or to schedule a report using Fabric Manager Web Client, follow these steps:

Step 1 Select a SAN, fabric, or VSAN on which to base the report.


Step 2 Click the Reports tab, and then click Generate.
You see the Generate Custom Report tab window as shown in Figure 7-34.

Figure 7-34 Generate Custom Report Tab

Step 3 Choose a report template from the Available drop-down list.


Step 4 (Optional) Change the name of the report. By default, report names are based on the date and time
generated.
Step 5 (Optional) Uncheck the Use Scope from Template check box to override the scope defined by the filter
type.
Step 6 (Optional) Check the Private check box to change the attribute of the report. If selected, the report can
be viewed only by the specific user and network administrator.
Step 7 (Optional) Check the Email Report check box to receive an e-mail notification.
Step 8 Click Generate to generate a report based on this template.
You see the report results in a new browser window. Alternatively, you can view the report by clicking
Report > View and selecting the report name from the report template you used in the navigation pane.
Step 9 Click Schedule to schedule a report based on this template. You see the schedule panel.
Step 10 In the schedule panel, specify the scheduled run time and how often you want the report to run.
Step 11 Enter a name for the report in the Job Name field and click Create Job to save the report.
You can view the scheduled jobs on the Scheduled Jobs page, but once the scheduled jobs have started
running, they are removed from the Scheduled Jobs table.

Modifying a Custom Report Template


To edit a custom report template using Fabric Manager Web Client, follow these steps:

Step 1 Click the Reports tab, and then click Edit.


You see the Edit Report dialog box.
Step 2 Choose a report template and click Open.
You see the current information that this report gathers as shown in Figure 7-35.


Figure 7-35 Report

Step 3 Indicate the information you want to gather in the report by checking the Health, Analysis,
Performance, or Inventory check boxes.
Step 4 (Optional) Select a severity level for events, status for inventory information, or type of end device for
performance information and inventory information.
Step 5 (Optional) Check the Private check box to change the attribute of the report. If selected, the report can
be viewed only by the specific user and network administrator.
Step 6 Click Save to save this report template.

Note You cannot change the SAN, fabrics or VSAN the report is based on. Generate a new report for
a new SAN, fabrics or VSAN.

Deleting Custom Reports


Reports you generate are saved by Fabric Manager Server. To delete a custom report, you need to first
select the report you want to delete. To delete a custom report based on a specific user using Fabric
Manager Web Client, follow these steps:

Step 1 Click the Reports tab, and then click View.


Step 2 In the left pane, expand Users.
Step 3 Double-click the user name.
Step 4 In the right pane, select the report that you want to delete and then click Remove.

Viewing Scheduled Jobs by Report Template


To view scheduled jobs by report template using Fabric Manager Web Client, follow these steps:

Step 1 Click the Reports tab, and then click Scheduled Jobs.
You see the Scheduled Jobs table window as shown in Figure 7-36.

Figure 7-36 Scheduled Jobs Table

Step 2 Click a report template in the left navigation pane to view the scheduled jobs based on the selected
template.

Modifying Scheduled Jobs


To modify scheduled jobs using Fabric Manager Web Client, follow these steps:

Step 1 Click the Reports tab, and then click Scheduled Jobs.
Step 2 In the right pane, click View.
You see the modify options in the Scheduled Jobs table as shown in Figure 7-37.

Figure 7-37 Modify Scheduled Jobs

Step 3 Click the calendar next to Start Date to modify the date settings.
Step 4 Select the Start Time drop-down list to modify time settings.
Step 5 Click to select the appropriate radio button to change the frequency of generating the report.
Step 6 (Optional) Check the Email Notification check box to get the report by e-mail.
Step 7 Click Edit Job to save changes.

Admin
Note Only network administrators can access the Fabric Manager Web Client Admin tab. Network operators
cannot view the Admin tab.

The Admin tab allows you to perform minor administrative and configuration tasks on the Fabric
Manager Server sending data to your web client.
The Admin tab contains the following subtabs:
Status: Displays the status of the Database Server, and allows you to start and stop Performance
Collector services on your server. You should restart services only if something is not working
properly, or if too large a percentage of system resources are being consumed.

Note You cannot start or stop Database Server services using Fabric Manager Web Client. If
you are using the Microsoft Windows operating system, you need to use Microsoft
Management Console to stop, start, or restart Database Server.

Configure: Allows you to configure various parameters for Fabric Manager Server.

Logs: Allows you to view all the logs from the various services running on the Fabric Manager
Server.

Note If you see a database file lock error in the database log, you can fix it by shutting down and restarting
the database server using the web client.

Recovering a Web Server Password


Fabric Manager Web Client user passwords are encrypted and stored locally on the workstation where
you installed Web Server. If you forget a password, you can create a new network-admin user locally on
the workstation where you installed Web Server and then log in and delete the old user account under
the Admin tab.
To create a user on the workstation where you installed Web Server and delete the old user, follow these
steps:

Step 1 Go to the Web Server installation directory and enter the cd command to access the bin directory.
Step 2 Enter the following line to create a user:
addUser.{sh,bat} <userName> <dbpassword>

Step 3 Choose Admin > Configure > Web Users > Local Database.
You see the list of users in the local database.
Step 4 Select the user that you want to delete and click Delete to remove the old user.

Starting, Restarting, and Stopping Services


To start, restart, or stop services using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Status.


You see a table of services and the status of each as shown in Figure 7-38.

Figure 7-38 Fabric Manager Services Status

Step 2 Select the services you want to start, restart, or stop.


Step 3 Click Start, Stop, or Restart.
The selected services are started, restarted, or stopped.

Note If the word more is in the Status column, you can click it to view a detailed status of the
service.

Note You need to configure Performance collection in order to start, stop or restart Performance
Collector.

Adding, Editing, and Removing Managed Fabrics


Fabric Manager Web Client reports information gathered by the Fabric Manager Server on any fabric
known to the Fabric Manager Server.
To start managing a fabric from the Fabric Manager Server using Fabric Manager Web Client, follow
these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Fabrics in the left navigation pane.
You see the list of fabrics (if any) managed by Fabric Manager Server in the Opened column (see
Figure 7-39).

Figure 7-39 List of Fabrics Managed by the Fabric Manager Server

Step 3 Click Add.


You see the Add Fabric dialog box shown in Figure 7-40.

Figure 7-40 Add Fabric Dialog Box

Step 4 Enter the seed switch IP address, read community and write community for this fabric.
Step 5 Enter the user name and password for this fabric.
Step 6 (Optional) Check the SNMPV3 check box. If you check SNMPV3, the fields Read Community and
Write Community change to User Name and Password. You must enter your user name and password.
Step 7 Select the privacy settings from the Auth-Privacy listbox.
Step 8 Click Add to begin managing this fabric.
Step 9 Select the IP address of the server from the Server listbox.

To stop managing a fabric from Fabric Manager Server using Fabric Manager Web Client, follow these
steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Fabrics in the left navigation pane.

Step 3 Check the check box next to the fabric that you want to remove and click Remove to discontinue data
collection for that fabric.

To edit a fabric from Fabric Manager Server using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Fabrics in the left navigation pane.
Step 3 Check the check box next to the fabric that you want to edit and click Edit.
You see the Edit Fabric dialog box shown in Figure 7-41.

Figure 7-41 Edit Fabric Dialog Box

Step 4 Enter a new fabric name, user name and password and specify how you want Fabric Manager Server to
manage the fabric by selecting an option from the drop-down list.
Step 5 Click Modify to save the changes.

Viewing Trap and Syslog Registration Information


To view trap and syslog registration information from Fabric Manager Server using Fabric Manager Web
Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Registration in the left navigation pane.
Step 3 Select a fabric to display registration information for that fabric.
You see the Registration screen showing the registration information for the selected fabric (see
Figure 7-42).

Figure 7-42 Registration Screen

Step 4 (Optional) Click the Print icon or the Export Report icon for a copy of the information.

Configuring Forwarding of Notifications for Events


You can use Fabric Manager Web Client to add and remove notification forwards for system messages.

Note Fabric Manager Web Client forwards fabric events via e-mail or SNMPv1 traps.

To add a notification forward using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Forwarding in the left navigation pane.
Step 3 Click Add.
You see the Add Notification dialog box shown in Figure 7-43.

Figure 7-43 Add Notification Dialog Box

Step 4 In the Type field, choose either E-Mail or SNMP Trap. If you choose Trap, a Port field is added to the
dialog box.

Step 5 From the Fabric drop-down list, choose the fabric for notification.
Step 6 Either check the VSAN Scope check box to receive notifications for all VSANs, or enter the VSAN IDs
in the ID List field to limit the VSANs for which you want to receive notifications.
Step 7 Enter the e-mail address for notifications in the Address field.
Step 8 From the Minimum Severity drop-down list, select the severity level of the messages to receive.
Step 9 Click Add to add the notification.

Note The traps sent by Fabric Manager Server correspond to the severity type followed by a text description:
trap type(s) = 40990 (emergency) 40991 (alert) 40992 (critical) 40993 (error) 40994
(warning) 40995 (notice) 40996 (info) 40997 (debug)
textDescriptionOid = 1, 3, 6, 1, 4, 1, 9, 9, 40999, 1, 1, 3, 0
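
The following added example (not from the guide and not Cisco code) shows how a monitoring host could triage these forwarded traps using the trap type numbers and description OID listed in the note. It assumes the trap type number is delivered as the SNMPv1 specific-trap value and that a receiver has already decoded each trap into the hypothetical dict shape shown; the sample traps, addresses and messages are constructed.

```python
"""Triage notifications forwarded by Fabric Manager Server as SNMPv1 traps."""
import re

# Trap type numbers and severities as listed in the note above.
TRAP_SEVERITY = {
    40990: "emergency", 40991: "alert", 40992: "critical", 40993: "error",
    40994: "warning", 40995: "notice", 40996: "info", 40997: "debug",
}
# Most severe first, so a lower index means a more severe event.
SEVERITY_ORDER = list(TRAP_SEVERITY.values())

# The guide writes the description OID as a comma-separated list.
TEXT_DESCRIPTION_OID = ".".join(
    part.strip() for part in "1, 3, 6, 1, 4, 1, 9, 9, 40999, 1, 1, 3, 0".split(","))

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def clean_text(value, limit=512):
    """Make trap text safe to write to a line-oriented log.

    SNMPv1 traps carry no cryptographic authentication, so the text is
    untrusted input: control characters (including CR/LF) are replaced
    with spaces and the length is capped.
    """
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="replace")
    return CONTROL_CHARS.sub(" ", str(value))[:limit]


def triage(trap, minimum="warning"):
    """Return a normalized event, or None when below the minimum severity.

    `trap` is a dict with `source`, `trap_type` and `varbinds` keys
    (hypothetical shape produced by whatever decodes the PDU).
    """
    if minimum not in SEVERITY_ORDER:
        raise ValueError(f"unknown minimum severity: {minimum!r}")
    trap_type = trap.get("trap_type")
    # Numbers outside 40990-40997 stay visible as "unknown" instead of
    # being dropped silently.
    severity = TRAP_SEVERITY.get(trap_type, "unknown")
    if severity != "unknown" and (
            SEVERITY_ORDER.index(severity) > SEVERITY_ORDER.index(minimum)):
        return None
    return {
        "source": clean_text(trap.get("source", "")),
        "trap_type": trap_type,
        "severity": severity,
        "description": clean_text(
            trap.get("varbinds", {}).get(TEXT_DESCRIPTION_OID, "")),
    }


# Constructed sample input, not captured from a real fabric.
SAMPLE_TRAPS = [
    {"source": "192.0.2.10", "trap_type": 40992,
     "varbinds": {TEXT_DESCRIPTION_OID: b"Link down on fc1/1"}},
    {"source": "192.0.2.10", "trap_type": 40996,
     "varbinds": {TEXT_DESCRIPTION_OID: b"Port login"}},
    {"source": "192.0.2.11", "trap_type": 40993,
     "varbinds": {TEXT_DESCRIPTION_OID: b"bad\r\n2009-03-01 fake line"}},
    {"source": "192.0.2.12", "trap_type": 12345, "varbinds": {}},
]


def run_samples(minimum="warning"):
    """Triage every constructed sample with the given minimum severity."""
    return [triage(trap, minimum) for trap in SAMPLE_TRAPS]


if __name__ == "__main__":
    for event in run_samples():
        print(event)
```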

To remove a notification forward using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Forwarding in the left navigation pane.
Step 3 Check the check box in front of the notification that you want to remove.
Step 4 Click Remove.

Viewing and Disconnecting Clients


To view or disconnect clients from the Fabric Manager Server using Fabric Manager Web Client, follow
these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Clients in the left navigation pane.
You see the Clients page shown in Figure 7-44.

Figure 7-44 List of Clients

Step 3 Check the check box next to the client you want to disconnect.
Step 4 Click Disconnect.

Configuring Fabric Manager Server Preferences


To configure Fabric Manager Server preferences, click the Admin tab, click Configure and then click
Preferences in the left navigation pane. Follow the on-screen instructions.

Adding and Removing Communities


You can use Fabric Manager Web Client to add and remove communities.
To add a community fabric using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Communities in the left navigation pane.
Step 3 Click Add.
You see the Add Community dialog box shown in Figure 7-45.

Figure 7-45 Add Community Dialog Box

Step 4 Enter the IP mask or address of the community in the IP Mask/Address field.

Note The IP mask can contain wildcards (0s), which you can use to assign communities to subnets.

Step 5 Enter the name of the community in the Community field.


Step 6 Click Add to add the community.

To remove a community using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Communities in the left navigation pane.
You see the Communities page shown in Figure 7-46.

Figure 7-46 Communities Page

Step 3 Check the check box next to the community that you want to remove and click Remove.

Note Cisco Fabric Manager 3.0(1) does not require you to make changes to the communities.properties file
even if you are using a Cisco MDS 9020 switch or any third-party devices.

Configuring AAA Information


To configure Fabric Manager Server preferences, click the Admin tab, click Configure, and then, in the left
pane, select FMS Users and AAA and follow the instructions on the screen.

Adding and Removing Users


You can use Fabric Manager Web Client to add and remove Web Server users.
To add a user using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Local Database in the left navigation pane.
You see the Local Database page shown in Figure 7-47.

Figure 7-47 Local Database Page

Step 3 Click Add.


You see the Add User dialog box shown in Figure 7-48.

Figure 7-48 Add User Dialog Box

Step 4 Enter the user name in the User Name field.

Note The user name guest is a reserved name (case insensitive). The guest user can only view reports.
The guest user cannot change the guest password, nor can the guest user access the Admin tab
in Fabric Manager Web Client.

Step 5 Select a role for the user from the Role drop-down list.
Step 6 Enter the password in the Password field.
Step 7 Enter the password again in the Confirm Password field.
Step 8 Click Add to add the user to the database.
Step 9 Repeat Steps 3 through 7 to continue adding users.

To remove a user using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Local Database in the left navigation pane.
Step 3 Click the radio button next to the user that you want to remove and click Remove.

Adding and Removing Roles


You can use Fabric Manager Web Client to add and remove Web Server roles.
To add a role using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Local Roles in the left navigation pane.
You see the Local Roles page as shown in Figure 7-49.

Figure 7-49 Local Roles Page

Step 3 Click Add.


You see the Add Role dialog box shown in Figure 7-50.

Figure 7-50 Add Role Dialog Box

Step 4 Enter the role name in the Role Name field.


Step 5 Select fabrics that the role can access from the Available Fabrics column and add them to the Selected
Fabrics column.
Step 6 Click Add to add the role to the database.
Step 7 Repeat Steps 3 through 5 to add additional roles.

To remove a role using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab and then click Configure.


Step 2 Click Local Roles in the left navigation pane.
Step 3 Click the radio button next to the role you want to remove and click Remove.

Creating Performance Collections


If you are managing your fabrics with Performance Manager, you need to set up an initial set of flows
and collections on the fabric. You can use Fabric Manager Web Client to add and remove performance
collections. The fabric has to be licensed and in the Managed Continuously state before a collection for
the fabric can be created.

Note You cannot manage performance collections for multiple devices through a single port interface. Since
only one set of statistics exists per interface, Fabric Manager Web Client can manage performance
collections for only one visible FL or iSCSI device through an interface.

To add a collection using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Collections in the left navigation pane.
You see the Collections page as shown in Figure 7-51.

Figure 7-51 Collections Page

Step 3 Click Add.


You see the Create Collection dialog box shown in Figure 7-52.

Figure 7-52 Create Collection Dialog Box

Step 4 Select a fabric for which to collect performance data from the Fabric drop-down list.
Step 5 Either check the VSAN Scope check box to receive notifications for all VSANs, or enter the VSAN IDs
in the ID List field to limit the VSANs for which you want to collect performance data.
Step 6 Check the check boxes for the type(s) of entities for which you want to collect performance data.
Step 7 Check the check boxes for the type(s) of thresholds you want to enable.
Step 8 Click Create to add the collection and add it to the table.
Step 9 Repeat Steps 3 through 8 to continue adding roles.

Note Performance Manager shows statistics for fabrics that you have configured collections for using the
Collection Wizard.

To remove a collection using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Collections in the left navigation pane.
Step 3 Check the check box next to the collection you want to remove and click Remove.

Configuring Other Statistics


To configure other statistics using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Others in the left navigation pane.
You see the Others page as shown in Figure 7-53.

Figure 7-53 Others Page

Step 3 Click Add.


You see the Add Oid dialog box shown in Figure 7-54.

Figure 7-54 Add Oid Dialog Box

Step 4 Select a fabric for which you want to add other statistics.
Step 5 Select the statistic that you want to add from the Other OID drop-down list and specify a name for the
statistic in the Display Name field.
Step 6 Click Add to add this statistic.

Configuring Collection Thresholds


To configure collection thresholds using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Thresholds in the left navigation pane.
You see the Thresholds page shown in Figure 7-55.

Figure 7-55 Thresholds Page

Step 3 If you are using absolute values, follow these steps, otherwise skip to Step 3.
a. To configure conditions for sending Critical notifications, check the Send Critical check box. In the
...when traffic exceeds field, enter a number (from 5 to 95) to indicate the percentage at which the
Critical notification is sent. For example, entering 10 causes a notification to be sent when traffic at
any given time exceeds 10% of capacity.
b. To configure conditions for sending Warning notifications, check the Send Warning check box. In
the ...when traffic exceeds field, enter a number (from 5 to 95) to indicate the percentage at which
the Warning notification is sent. For example, entering 9 causes a notification to be sent when traffic
at any given time exceeds 9% of capacity.
Step 4 Select the time period for the collection (1 Week, 1 Month, or 1 Year) from the Baseline Values over past
drop-down list. The baseline value represents the sum of the absolute values.
a. To configure conditions for sending Critical notifications, check the Send Critical check box. In the
...when traffic exceeds field, enter a number to indicate the percentage at which the Critical
notification is sent. For example, entering 300 causes a notification to be sent when traffic for the
selected period exceeds 300% of capacity.

b. To configure conditions for sending Warning notifications, check the Send Warning check box. In
the ...when traffic exceeds field, enter a number to indicate the percentage at which the Warning
notification is sent. For example, entering 150 causes a notification to be sent when traffic for the
selected period exceeds 150% of capacity.
Step 5 Click Apply.

Importing the RRD Statistics Index


To manually import the RRD statistics index, follow these steps:

Step 1 Stop Fabric Manager Server.


Step 2 Copy the original RRD file into $INSTALLDIR/pm/db.
Step 3 Run $INSTALLDIR/bin/pm.bat s.
Step 4 Restart the Fabric Manager Server and add the fabric.

Configuring the RRD Database


Configuring the RRD database allows you to set the intervals at which data samples are collected. After
applying the configuration, the database storage format is converted to a new format at those intervals.
Since database formats are incompatible with each other, you must copy the old data (before the
conversion) to the $INSTALLDIR/pm directory. See the "Importing the RRD Statistics Index" section on
page 7-61.

To configure the RRD database using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Configure.


Step 2 Click Database in the left navigation pane.
You see the Performance Database (collection interval) page as shown in Figure 7-56.

Figure 7-56 Performance Database Page

Step 3 Enter the number of days to collect samples at 5-minute intervals in the top row of the Days column.
Step 4 Enter the number of days to collect samples at 30-minute intervals in the second row of the Days column.
Step 5 Enter the number of days to collect samples at 2-hour intervals in the third row of the Days column.
Step 6 Enter the number of days to collect samples at 1-day intervals in the bottom row of the Days column.

Note As of Cisco SAN-OS Release 3.1(1) and later, you can configure the sampling interval for ISLs.
Select a sampling interval from the ISLs drop-down list.

Step 7 Click Apply to apply your changes, or click Defaults to reset the file sizes to the default values.
If you are applying new values, or if the current values are not the default values, you see a message
indicating that conversion of the RRD files will take a certain amount of time and that the database will
be unavailable until then. The time it takes depends on the difference between the old and new values.

Note The system allows you to convert data one process at a time. When you start converting the data,
the Apply and Default buttons change to Refresh and Cancel so that another process cannot be
inadvertently started. The display is the same for all browsers accessing the server during this
time. Click Refresh to view the latest progress. Click Cancel to cancel the process of converting
the data. If the job is successfully canceled, you see the Apply and Default buttons again. If the
cancel job is not successful, you see a message indicating that the cancellation has failed.

If you want to perform this procedure, it is best to perform it before collecting a lot of data.
Otherwise, converting the data can take a long time.

Viewing Log Information


You may occasionally want to view logs such as the Fabric Manager Server log. These processes have
no corresponding GUI to allow you to view information about these log files. If you see errors, preserve
these two files for viewing.
To view log information using Fabric Manager Web Client, follow these steps:

Step 1 Click the Admin tab, and then click Logs.


You see a list of viewable logs in the left column.
Step 2 Click a log file to view it.

Downloading Fabric Manager Client


You must use Fabric Manager Web Client to launch Fabric Manager Client. See the "Launching Fabric
Manager Client in Cisco SAN-OS Release 3.2(1) and Later" section on page 5-2 for information on
launching Fabric Manager Client.

CHAPTER 8
Performance Manager

The primary purpose of Fabric Manager is to manage the network. A key management capability is
network performance monitoring. This chapter includes the following topics:
Performance Manager Architecture, page 8-1
Flow Statistics Configuration, page 8-6

Performance Manager Architecture


Performance Manager gathers network device statistics historically and provides this information
graphically using a web browser. It presents recent statistics in detail and older statistics in summary.
Performance Manager also integrates with external tools such as Cisco Traffic Analyzer.
The Performance Manager has three operational stages:
Definition: The Flow Wizard sets up flows in the switches.
Collection: The Web Server Performance Collection screen collects information on desired fabrics.
Presentation: Generates web pages to present the collected data through Fabric Manager Web
Server.
Performance Manager can collect statistics for ISLs, hosts, storage elements, and configured flows.
Flows are defined based on a host-to-storage (or storage-to-host) link. Performance Manager gathers
statistics from across the fabric based on collection configuration files. These files determine which SAN
elements and SAN links Performance Manager gathers statistics for. Based on this configuration,
Performance Manager communicates with the appropriate devices (switches, hosts, or storage elements)
and collects the appropriate information at fixed five-minute intervals.
Performance Manager uses a round-robin database to hold the statistical data collected from the fabric.
This data is stored based on the configured parameters in the collection configuration file. At each
polling interval, Performance Manager gathers the relevant statistics and stores them in the round-robin
database. This database is a fixed size and will not grow beyond its preset limits.
Performance Manager creates a series of archived data to hold summarized information present in the
real-time round-robin database. This archived data is used to generate daily, weekly, monthly, and yearly
consolidated reports. In this way, Performance Manager maintains significant historical data without the
cost of an ever-increasing database size.

Note You must restart Performance Manager if you change the user credentials on Fabric Manager Server.

Data Interpolation
One of the unique features of Performance Manager is its ability to interpolate data when statistical
polling results are missing or delayed. Other performance tools may store the missing data point as zero,
but this can distort historical trending. Performance Manager interpolates the missing data point by
comparing the data point that preceded the missing data and the data point stored in the polling interval
after the missing data. This maintains the continuity of the performance information.

Data Collection
One year's worth of data for two variables (Rx and Tx bytes) requires a round-robin database (rrd) file
size of 76 K. If errors and discards are also collected, the rrd file size becomes 110 K. The default
internal values are as follows:
600 samples of 5 minutes (2 days and 2 hours)
700 samples of 30 minutes (12.5 days)
775 samples of 2 hours (50 days)
300 samples of 1 day
A 1000-port SAN requires 110 MB for a year's worth of historical data that includes errors and discards.
If there were 20 switches in this SAN with equal distribution of fabric ports, about two to three SNMP
packets per switch would be sent every 5 minutes for a total of about 100 request or response SNMP
packets required to monitor the data.
Because of their variable counter requests, storage space requirements for flows are more difficult to
predict. In general, however, you can expect each extra flow to add another 76 KB.

Note Performance Manager does not collect statistics on nonmanageable and non-MDS switches. Loop
devices (FL/NL) are not collected.

Using Performance Thresholds


The Performance Manager Configuration Wizard allows you to set up two thresholds that will trigger
events when the monitored traffic exceeds the percent utilization configured. These event triggers can be
set as either Critical or Warning events that are reported on the Fabric Manager web client Events
browser page.
Absolute value thresholds apply directly to the statistics gathered. These statistics, as a percent of the
total link capacity, are compared to the percent utilization configured for the threshold type. If the
statistics exceed either configured threshold, an event is shown on the Fabric Manager web client Events
tab.
Baseline thresholds create a threshold that adapts to the typical traffic pattern for each link for the same
time window each day, week, or every two weeks. Baseline thresholds are set as a percent of the average
(110% to 500%), where 100% equals the calculated weighted average. Figure 8-1 shows an example of
setting a baseline threshold for a weekly or daily option.


Figure 8-1 Baseline Threshold Example
[Figure: two thresholds per throughput statistic. Weekly option (statistic updated hourly): the 2 PM values from the prior 8 weeks (Mon 1/3, Mon 1/10, Mon 1/17 through Mon 2/21) are averaged, and the threshold for Mon 2/28 at 2 PM is set as a percent over that baseline (e.g. 130%). Daily option: the 2 PM values from the prior 14 days (Mon 2/14, Tues 2/15, Wed 2/16 through Sun 2/27) are averaged, and the threshold for Mon 2/28 at 2 PM is set as a percent over that baseline (e.g. 130%).]

The threshold is set for Monday at 2 p.m. The baseline threshold is set at 130% of the average for that
statistic. The average is calculated from the statistics value that occurred at 2 p.m. on Monday, for every
prior Monday (for the weekly option) or the statistics value that occurred at 2 p.m. on each day, for every
prior day (for the daily option).
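
The following sketch is an added example, not Cisco's code: it fills a missed poll from the polling intervals before and after it, as described under Data Interpolation, and then derives the weekly baseline threshold described above. Linear interpolation, equal weighting of the prior samples, the calendar year, and every utilization value are assumptions constructed for illustration; the guide does not define how the weighted average is weighted.

```python
from datetime import datetime, timedelta

# Spacing and number of prior comparison points, as drawn in Figure 8-1:
# weekly = same hour on the prior 8 weeks, daily = same hour on the prior 14 days.
LOOKBACK = {"weekly": (timedelta(weeks=1), 8), "daily": (timedelta(days=1), 14)}


def interpolate(series):
    """Fill interior None gaps linearly from the stored points on either side.

    A gap at the start or end has only one neighbour and is left as None.
    Linear interpolation is an assumption; the guide does not name the method.
    """
    filled = list(series)
    i, n = 0, len(filled)
    while i < n:
        if filled[i] is not None:
            i += 1
            continue
        start = i                          # first missing index of this run
        while i < n and filled[i] is None:
            i += 1
        if start == 0 or i == n:           # no point before or after the gap
            continue
        before, after = filled[start - 1], filled[i]
        span = i - (start - 1)
        for k in range(start, i):
            filled[k] = before + (after - before) * (k - start + 1) / span
    return filled


def sample_at(history, when, interval, zero_fill=False):
    """Utilization stored at `when`; a missed poll is interpolated or zeroed."""
    stored = history.get(when)
    if stored is not None:
        return stored
    if zero_fill:                          # what "other performance tools" may do
        return 0.0
    window = [history.get(when - interval), None, history.get(when + interval)]
    return interpolate(window)[1]


def baseline_threshold(history, when, option, percent,
                       interval=timedelta(hours=1), zero_fill=False):
    """Threshold for `when` as a percent of the average of prior same-window samples."""
    if not 110 <= percent <= 500:
        raise ValueError("baseline threshold must be 110% to 500% of the average")
    step, count = LOOKBACK[option]
    prior = [sample_at(history, when - step * n, interval, zero_fill)
             for n in range(1, count + 1)]
    usable = [v for v in prior if v is not None]
    if not usable:
        raise ValueError("no prior samples for this time window")
    average = sum(usable) / len(usable)    # assumption: equal weights
    return average * percent / 100


def build_constructed_history():
    """Constructed link utilization (%) at 2 p.m. on the 8 Mondays before 2/28."""
    now = datetime(2005, 2, 28, 14, 0)     # a Monday; the year is an assumption
    newest_first = [39.0, 41.0, 38.0, None, 42.0, 36.0, 44.0, 40.0]
    history = {}
    for weeks_back, value in enumerate(newest_first, start=1):
        if value is not None:
            history[now - timedelta(weeks=weeks_back)] = value
    # The 2 p.m. poll four weeks back was missed; its neighbours were stored.
    gap = now - timedelta(weeks=4)
    history[gap - timedelta(hours=1)] = 30.0
    history[gap + timedelta(hours=1)] = 50.0
    return now, history


if __name__ == "__main__":
    now, history = build_constructed_history()
    current = 48.0                         # constructed reading for Mon 2/28 2 p.m.
    for label, zero in (("interpolated", False), ("zero-filled", True)):
        limit = baseline_threshold(history, now, "weekly", 130, zero_fill=zero)
        print(f"{label}: threshold {limit:.1f}%, event raised: {current > limit}")
```

With the constructed data, storing the missed poll as zero lowers the 130% threshold from 52.0 to 45.5, so a 48% reading raises an event that the interpolated baseline would not.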

Flow Setup Wizards


The Performance Manager Flow and Performance Manager Setup wizards greatly simplify
configuration. All you need to do is select the categories of statistics to capture and the wizards provide
a list of flows and links to monitor. You can remove entries if desired, or just accept the provided list and
start data collection. Statistics for host and storage links are not associated with a specific port on a
switch, so you do not lose long-term statistics if a connection is moved to a different port.

Creating a Flow Using Flow Configuration Wizard


To create a flow using Fabric Manager, follow these steps:

Step 1 Choose Performance > Create Flows.


You see the Define Traffic Flows dialog box as shown in Figure 8-2.


Figure 8-2 Create Flows Dialog Box

Step 2 Click the drop-down menu in the VSAN field.


Step 3 Choose the list of VSANs provided by the flow configuration wizard.
Step 4 Click the drop-down menu in the Zone field.
Step 5 Choose the list of zones provided by the flow configuration wizard.
Step 6 Click Next to continue to the next window (see Figure 8-3).


Figure 8-3 Review Traffic Flows Dialog Box

Step 7 Choose items in the Possible Flow Pairs area.


The Review Traffic Flows window displays all VSAN flow pairs in the Existing Flows for Vsan area.
Step 8 Click Add to create the selected flow.
Step 9 Choose items in the Existing Flows for Vsan area.
Step 10 Click Remove to remove the selected flow.
Step 11 Click Finish to restart the Performance Manager collection.
You see the Confirmation dialog box as shown in Figure 8-4.

Figure 8-4 Confirmation Dialog Box

To verify the newly created flow, choose Physical Attributes > End Devices > Flow Statistics. The
newly created flows are displayed.


Flow Statistics Configuration


Flow statistics count the ingress traffic in the aggregated statistics table. You can collect two kinds of
statistics:
Aggregated flow statistics to count the traffic for a VSAN.
Flow statistics to count the traffic for a source and destination ID pair in a VSAN.
This section includes the following topics:
About Flow Statistics

About Flow Statistics


If you enable flow counters, you can enable a maximum of 1 K entries for aggregate flow and flow
statistics. Be sure to assign an unused flow index to a module for each new flow. Flow indexes can be
repeated across modules. The number space for flow index is shared between the aggregate flow
statistics and the flow statistics.
Generation 1 modules allow a maximum of 1024 flow statements per module. Generation 2 modules
allow a maximum of 2048-128 flow statements per module.
Table 8-1 explains the Flow Type radio button that defines the type of traffic monitored.

Table 8-1 Performance Manager Flow Types

Flow type        Description
Host->Storage    Unidirectional flow, monitoring data from the host to the storage element
Storage->Host    Unidirectional flow, monitoring data from the storage element to the host
Both             Bidirectional flow, monitoring data to and from the host and storage elements


CHAPTER 9
Cisco Traffic Analyzer

Cisco Traffic Analyzer is a version of network top (ntop) software that is modified to support Fibre
Channel and SCSI.
This chapter contains the following sections:
Understanding SPAN
Using Cisco Traffic Analyzer with Performance Manager
Installing Cisco Traffic Analyzer
Accessing Traffic Analyzer from Fabric Manager Web Server

Understanding SPAN
The SPAN feature is specific to switches in the Cisco MDS 9000 Family. It monitors network traffic
through a Fibre Channel interface. Traffic through any Fibre Channel interface can be replicated to a
special port called the SPAN destination port (SD port). Any Fibre Channel port in a switch can be
configured as an SD port. Once an interface is in SD port mode, it cannot be used for normal data traffic.
You can attach a Fibre Channel analyzer to the SD port to monitor SPAN traffic.
SD ports do not receive frames; they transmit a copy of the SPAN source traffic. The SPAN feature is
nonintrusive and does not affect switching of network traffic for any SPAN source ports (see Figure 9-1).

Figure 9-1 SPAN Transmission
[Figure: a Cisco MDS 9000 switch carrying Fibre Channel traffic on fc1/2 and fc3/1, with a SPAN source port and an SD port (fc9/1) connected to a Fibre Channel analyzer.]

For information on configuring SPAN, refer to the Cisco MDS 9000 Family CLI Configuration Guide.


Using Cisco Traffic Analyzer with Performance Manager


Performance Manager works in conjunction with Cisco Traffic Analyzer to monitor and manage the
traffic on your fabric. Using Cisco Traffic Analyzer with Performance Manager requires the following
components:
A configured Fibre Channel Switched Port Analyzer (SPAN) destination (SD) port to forward Fibre
Channel traffic.
A Port Analyzer Adapter 2 (PAA-2) to convert the Fibre Channel traffic to Ethernet traffic.
Cisco Traffic Analyzer software to analyze the traffic from the PAA-2.

Note We recommend that you install Traffic Analyzer and Performance Manager on separate servers. A Linux
server is recommended for installing Traffic Analyzer.

Figure 9-2 shows how Performance Manager works with Cisco Traffic Analyzer to monitor traffic on
your fabric.

Figure 9-2 Overview of Performance Manager Working with Cisco Traffic Analyzer
[Figure: Performance Manager and Cisco Traffic Analyzer, each with GUI and collection components, running on PCs; NIC 1, NIC 2, the PAA, the network, and the SPAN destination port and mgmt0 port of an MDS 9000 switch.]

Understanding the PAA-2


The PAA-2 enables effective, low-cost analysis of Fibre Channel traffic. The device is a standalone Fibre
Channel-to-Ethernet adapter, designed primarily to analyze SPAN traffic from a Fibre Channel port on
a Cisco MDS 9000 Family switch. The main function of the Port Analyzer Adapter 2 is to encapsulate
Fibre Channel frames into Ethernet frames. This allows low-cost analysis of Fibre Channel traffic while
leveraging the existing Ethernet infrastructure.
The PAA-2 allows you to examine Fibre Channel frames of various sizes. Fibre Channel frames from
Layers 2, 3, and 4 may be examined without network disruption.


Understanding Cisco Traffic Analyzer


Performance Manager collects Fibre Channel level performance statistics using SNMP to access
counters on Cisco MDS 9000 Family switches. To view detailed SCSI I/O statistics, you need to look at
the data on an SD port with the help of Cisco Traffic Analyzer, which uses the Cisco Port Analyzer
Adapter 2 (PAA-2).
Cisco Traffic Analyzer provides real-time analysis of SPAN traffic or analysis of captured traffic through
a Web browser user interface. Traffic encapsulated by one or more Port Analyzer Adapter 2 products can
be analyzed concurrently with a single workstation running Cisco Traffic Analyzer, which is based on
ntop, a public domain software enhanced by Cisco for Fibre Channel traffic analysis.
Round-trip response times, SCSI I/Os per second, SCSI read or traffic throughput and frame counts,
SCSI session status, and management task information are monitored. Additional statistics are also
available on Fibre Channel frame sizes and network management protocols.
For seamless performance analysis and troubleshooting, Cisco Traffic Analyzer can be launched
in-context from Fabric Manager. Port world wide name (pWWN), Fibre Channel ID (FC ID), FC alias,
and VSAN names are passed to Cisco Traffic Analyzer.
Cisco Traffic Analyzer must be downloaded and installed separately from the following website:
http://www.cisco.com/kobayashi/sw-center/sw-stornet.shtml.
Cisco Traffic Analyzer software is available under the Port Analyzer Adapter link. See the "Installing
Cisco Traffic Analyzer" section.

Caution Cisco Traffic Analyzer for Fibre Channel throughput values are not accurate when used with the original
Cisco Port Analyzer Adapter (PAA) if data truncation is enabled. PAA Version 2 (product ID
DS-PAA_2) is required to achieve accurate results with truncation, because it adds a count that enables
Cisco Traffic Analyzer to determine how many data bytes were actually transferred.

Note Refer to the Cisco MDS 9000 Family CLI Configuration Guide for information on configuring the
settings for your SPAN destination port. It is important that the data you collect through this port matches
the data collected by Performance Manager through the mgmt0 port. If the data does not match, you
cannot view Cisco Traffic Analyzer information through a Traffic Analyzer link on the detail page of a
Performance Manager report.

Installing Cisco Traffic Analyzer


To install Cisco Traffic Analyzer on a UNIX workstation, follow these steps:

Step 1 Open a browser and go to the following website to access the web page where Cisco Traffic Analyzer is
available:
http://cisco.com/cgi-bin/tablebuild.pl/mds-fm.
Step 2 Download fc-ntop.tar.gz and install it using the instructions at the following website:
http://www.ntop.org.
Step 3 Verify that the Fibre Channel port on the PAA-2 is connected to the SD port on the switch (Figure 9-2).
Step 4 Verify that the Ethernet port on the PAA-2 is connected to the workstation running Cisco Traffic
Analyzer.


Step 5 Click Interfaces > SPAN in Device Manager to configure SPAN on the required switch ports.
Step 6 Click Interfaces > SPAN in Device Manager to verify that the Fibre Channel port connected to the
PAA-2 is configured as an SD port. The port mode of the destination interface must be SD.
Step 7 Click the Sessions tab in Device Manager to verify the correct destination and source of traffic (ingress).

Caution Cisco Traffic Analyzer must not be used with the PAA-2 in Management mode (MNM). Refer to the
Cisco MDS 9000 Family Port Analyzer Adapter 2 Installation and Configuration Note.

To install Cisco Traffic Analyzer on a Windows workstation, follow these steps:

Step 1 Open a browser and go to the following website to access the web page where Cisco Traffic Analyzer is
available:
http://cisco.com/cgi-bin/tablebuild.pl/mds-fm.
Step 2 Download ntop-win32.zip and save it on your workstation.
Step 3 Unzip the downloaded file.

Note You need the WinPcap library file to use Cisco Traffic Analyzer on a Microsoft Windows
system. You can download this file from the following website:
http://winpcap.polito.it/.

Step 4 Open a command prompt and change directories to your ntop installation directory.
Step 5 Type ntop -i or install ntop as a service on Windows by following these steps:
a. Type ntop /i to install ntop as a service.
b. Choose Start > Programs > Administrative Tools > Services to access the Windows Services
Panel.
c. Right-click ntop and choose Properties. You see the Properties dialog box.
d. Set the Start Parameters to -i interface number, where interface number is the number of the
interface on your workstation that connects to the PAA-2.
e. Click Start to start ntop on that interface.

Note Subsequent restarts of the ntop service do not require setting the -i option unless you are
changing the interface that connects to the PAA-2.

Step 6 Verify that the Fibre Channel port on the PAA-2 is connected to the SD port on the switch (Figure 9-2).
Step 7 Verify that the Ethernet port on the PAA-2 is connected to the workstation running Cisco Traffic
Analyzer.
Step 8 Click Interfaces > SPAN in Device Manager to configure SPAN on the required switch ports.
Step 9 Click the Sources tab in Device Manager to verify that the Fibre Channel port connected to the PAA-2
is configured as an SD port. The port mode of the destination interface must be SD.
Step 10 Click the Sessions tab in Device Manager to verify the correct destination and source of traffic (ingress).


Tip To modify the script that launches ntop (ntop.sh or ntop.bat), follow the instructions provided within the
script file. Create a backup of the original script before modifying the file.
Linux platforms use the shell script path. The ntop output is sent to the syslog file (/var/log/messages
by default).
Windows platforms use the batch file. The ntop output is sent to a file located in the same directory
as the one from which ntop is launched.

Accessing Traffic Analyzer from Fabric Manager Web Server


Fabric Manager supports discovering instances of Traffic Analyzer and SPAN ports configured within
your fabric.
Fabric Manager Web Server supports the following Traffic Analyzer integration features:
SCSI I/O Traffic Analyzer pages can be viewed within the Web client.
Traffic Analyzer can reside on a different server than Performance Manager.
Performance Manager integrates with multiple servers running Traffic Analyzer.
Instances of Traffic Analyzer servers can be discovered by Fabric Manager Server.
Web client report lists SPAN destination ports and associations with Traffic Analyzers.
To access an instance of Traffic Analyzer running in your fabric using Fabric Manager Web Server,
follow these steps:

Step 1 Choose the Performance tab and then the Traffic Analyzer tab.
You see a summary table of all SPAN destination ports and configured Traffic Analyzers in your fabric
(see Figure 9-3). The source column shows the ports that are monitored by the SPAN destination port.

Figure 9-3 Traffic Analyzer in Fabric Manager Web Server


Step 2 Click a Traffic Analyzer to launch that Traffic Analyzer within Fabric Manager Web Server.

To rediscover instances of Traffic Analyzer running in your fabric using Fabric Manager Web Server,
follow these steps:

Step 1 Choose Performance > Traffic Analyzer.


You see a summary table of all SPAN destination ports and configured Traffic Analyzers in your fabric,
as shown in Figure 9-4.

Figure 9-4 Traffic Analyzer in Fabric Manager Web Server

Step 2 Navigate to the fabric or VSAN where you want to rediscover instances of Traffic Analyzer from the
navigation bar.
Step 3 Set Analyzers on Subnet to the subnet that you want to discover.
Step 4 Click Discover to find instances of Traffic Analyzer within the selected fabric or VSAN and subnet.


PART 2

Installation and Switch Management



CHAPTER 10
Obtaining and Installing Licenses

Licenses are available in all switches in the Cisco MDS 9000 Family. Licensing allows you to access
specified premium features on the switch after you install the appropriate license for that feature.
This chapter contains information related to licensing types, options, procedures, installation, and
management for the Cisco MDS NX-OS software.
This chapter includes the following sections:
Licensing Terminology
Licensing Model
Licensing High Availability
Options to Install a License
Obtaining a Factory-Installed License
Performing a Manual Installation
Obtaining the License Key File
Installing the License Key File
Installing Licenses Using Fabric Manager License Wizard
Installing or Updating Licenses Using Device Manager
Identifying License Features in Use
Uninstalling Licenses
Updating Licenses
Grace Period Alerts
License Transfers Between Switches
Displaying License Information
Fabric Manager Server Licensing

Licensing Terminology
The following terms are used in this chapter:
Licensed feature: Permission to use a particular feature through a license file, a hardware object,
or a legal contract. This permission is limited to the number of users, number of instances, time span,
and the implemented switch.


Licensed application: A software feature that requires a license to be used.
License enforcement: A mechanism that prevents a feature from being used without first obtaining
a license.
Node-locked license: A license that can only be used on a particular switch using the switch's
unique host ID.
Host IDs: A unique chassis serial number that is specific to each Cisco MDS switch.
Proof of purchase: A document entitling its rightful owner to use licensed feature(s) on one Cisco
MDS switch as described in that document. Also known as the claim certificate.
Product Authorization Key (PAK): The PAK allows you to obtain a license key from one of the sites
listed in the proof of purchase document. After registering at the specified website, you will receive
your license key file and installation instructions through e-mail.
License key file: A switch-specific unique file that specifies the licensed features. Each file
contains digital signatures to prevent tampering and modification. License keys are required to use
a licensed feature. License keys are enforced within a specified time span.
Counted license: The number of licenses issued for a single feature (for example, FCIP). You can
increase counted licenses (incremental licenses) should a need arise in the future.
Missing license: If the bootflash has been corrupted or a supervisor module replaced after a license
has been installed, that license will show as missing. The feature will still work, but the license
count will be inaccurate. You should reinstall the license as soon as possible.
Incremental license: An additional licensed feature that was not in the initial license file. License
keys are incremental; if you purchase some features now and others later, the license file and the
software detect the sum of all features for the specified switch.
Port Activation license: A license that activates additional ports on any of the following:
Cisco MDS 9124 Multilayer Fabric Switch
Cisco MDS 9134 Multilayer Fabric Switch
Cisco Fabric Switch for HP c-Class BladeSystem
Cisco Fabric Switch for IBM BladeCenter
For more information refer to Chapter 11, "On-Demand Port Activation Licensing."
Evaluation license: A temporary license. Evaluation licenses are time bound (valid for a specified
number of days) and are not tied to a host ID (switch serial number).
Permanent license: A license that is not time bound is called a permanent license.
Grace period: The amount of time the features in a license package can continue functioning
without a license.
Support: If you purchased Cisco support through a Cisco reseller, contact the reseller directly. If
you purchased support directly from Cisco Systems, contact Cisco Technical Support at this URL:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Licensing Model
Any feature not included in a license package is bundled with the Cisco MDS 9000 Family switches and
is provided at no extra charge.
We recommend that you do not download more licenses than can be used for a module or switch.


See Chapter 11, "On-Demand Port Activation Licensing," for information about on-demand port
activation licensing.
The licensing model defined for the Cisco MDS product line has two options:
Feature-based licenses allow features that are applicable to the entire switch. The cost varies based
on a per-switch usage. Table 10-1 lists the feature-based license packages.
Module-based licenses allow features that require additional hardware modules. The cost varies
based on a per-module usage. An example is the IPS-8 or IPS-4 module using the FCIP feature.

Note Each module requires its own separate license. If you replace a module that requires a
license with a module of the same type (such as replacing a Storage Services Module (SSM)
with another SSM), the existing license will support the new module.

Note The Cisco MDS 9216i and the Cisco MDS 9222i switches enable SAN extension features on the two
fixed IP services ports only. The features enabled on these ports are identical to the features enabled by
the SAN extension over IP license on the 14/2-port Multiprotocol Services (MPS-14/2) module. If you
install a module with IP ports in the empty slot on the Cisco MDS 9216i or the Cisco MDS 9222i switch,
a separate SAN extension over IP license is required to enable related features, such as FCIP, on the IP
ports of the additional module.


Table 10-1 Feature-Based Licenses

Feature License: Enterprise package (ENTERPRISE_PKG)
Features:
    Enhanced security features:
    LUN zoning
    Read-only zones
    FC Port security
    VSAN-based access control
    Fibre Channel Security Protocol (FC-SP) authentication
    Advanced traffic engineering: quality of service (QoS)
    IP security (IPsec) protocol for iSCSI and FCIP using the MPS-14/2 module or Cisco MDS 9216i switch
    IPsec & IKE for IPv4
    IKE digital certificates
    Extended credits using the MPS-14/2 module or the Cisco MDS 9216i Switch
    Enhanced VSAN routing: inter-VSAN routing (IVR) over Fibre Channel
    IVR Network Address Translation (NAT) over Fibre Channel
    Zone-based traffic prioritizing
    Zone-based FC QoS
    Extended BB_Credits
    Fibre Channel write acceleration
    SCSI flow statistics
    FCIP encryption
    Fabric binding for Fibre Channel
    SAN device virtualization


Feature License: SAN extension over IP package for IPS-8 modules (SAN_EXTN_OVER_IP);
SAN extension over IP package for IPS-4 modules (SAN_EXTN_OVER_IP_IPS4)
Features:
    The following features apply to IPS-8 and IPS-4 modules:
    FCIP
    FCIP compression
    FCIP write acceleration
    FCIP tape read acceleration
    SAN extension tuner features
    IVR over FCIP
    IVR NAT over FCIP
    Network Stimulator

Feature License: SAN extension over IP package for MPS-14/2 modules (SAN_EXTN_OVER_IP_IPS2)
Note The FCIP, IVR, and SAN extension tuner features are bundled with the Cisco MDS 9216i switch and do
not require the SAN extension over IP package to be installed for the fixed IP ports on the integrated
supervisor module. You must install a SAN extension over IP package if you install an MPS-14/2, IPS-8,
or IPS-4 module in the Cisco MDS 9216i switch.
Features:
    The following features apply to the MPS-14/2 module and the fixed Cisco MDS 9216i IP ports:
    FCIP
    Hardware-based FCIP compression
    FCIP write acceleration
    FCIP tape read acceleration
    SAN extension tuner features
    IVR over FCIP
    IVR NAT over FCIP

Feature License: SAN extension over IP package for one MPS-18/4 or one MPS-18/4 FIPS in the
Cisco MDS 9500 series (SAN_EXTN_OVER_IP_18_4)
Features:
    The following features apply to the MPS-18/4 or MPS-18/4 FIPS modules:
    FCIP
    Hardware-based FCIP compression
    FCIP write acceleration
    FCIP tape read acceleration
    SAN extension tuner features
    IVR over FCIP
    IVR NAT over FCIP


Feature License: Mainframe package (MAINFRAME_PKG)
Features:
    FICON protocol and CUP management
    FICON VSAN and intermixing
    Switch cascading
    Fabric binding for FICON
    IBM TotalStorage Virtual Tape Server (VTS)
    IBM TotalStorage XRC application
    FICON tape acceleration
    FICON license for 9100
    Persistent FCIDs for FICON
    Config locking for FICON
    Port swap, block, prohibit
    FICON Qualification

Feature License: Fabric Manager Server package (FM_SERVER_PKG)
Features:
    Centralized, Multiple physical fabric management
    Fabric discovery services
    Continuous MDS health and event monitoring
    Long term historical Fibre Channel performance monitoring and reporting
    Custom performance reports and charting for hotspot analysis
    Historical Performance Monitoring
    Performance prediction
    Performance threshold monitoring
    Fabric Manager Web Client for operational view
    Fabric Manager server proxy services
    Server performance summary report
    Configurable RRD collection parameters
    Data collection auto update
    Event forwarding
    Filtering by user-defined groups
    Custom Reports Enhancements
    Fabric Analysis Report
    Threshold Configuration Flexibility
    Web-based operational view
    Roaming User Profiles
    Traffic Analyzer for SCSI Flow Statistics


Feature License: Storage Services Enabler package (STORAGE_SERVICES_ENABLER_PKG)
Features:
    The underlying infrastructure and programmatic interface to enable network-hosted storage
    applications when used with the Storage Services Modules (SSMs).
    The intelligent fabric applications running on the SSM that require the SSE license are as follows:
    SANTap
    Network-based Storage Virtualization
    Third-party partner application

Feature License: On-demand Port Activation Licensing package (PORT_ACTIVATION_PKG)
Note License Manager does not prevent installing more port licenses than the available physical ports
on the switch. The extra licenses, if installed, will not affect the normal behaviour of the licensed ports.
Features:
    Activates ports (in 8-port increments) on the Cisco MDS 9124 Fabric Switch, which has 24 ports. The
    first 8 ports are licensed by default.
    Activates 8 ports of 4Gbps on the Cisco MDS 9134 Fabric Switch. The switch has 32 ports, 24 of which
    are licensed by default.
    On the Cisco Fabric Switch for HP c-Class BladeSystem, any eight internal ports and external
    ports ext1 through ext4 are licensed by default.
    On the Cisco Fabric Switch for IBM BladeCenter, any seven internal ports and external ports ext0,
    ext15 and ext16 are licensed by default.
    See Chapter 11, "On-Demand Port Activation Licensing," for information about on-demand port
    activation licensing.

Feature License: 10 Gbps Port Activation Package (10G_PORT_ACTIVATION_PKG)
Features:
    Activates the two 10 Gbps ports on the Cisco MDS 9134 Multilayer Fabric Switch.

Feature License: Storage Media Encryption (SME) (SME_FOR_IPS_184_PKG, SME_FOR_9222i_PKG)
Features:
    Activates Storage Media Encryption for Intrusion Prevention System (IPS) Sensor of 184 unit
    specification.
    Activates Storage Media Encryption for MDS 9222i switch.


Table 10-1 Feature-Based Licenses (continued)

Feature License Features


Feature License: Data Mobility Manager (DMM) (DMM_FOR_SSM_PKG)
Features:
The Cisco MDS 9000 DMM feature runs on the Storage Service Module (SSM) in an MDS series
switch. This license will activate Data Mobility Manager (DMM) for Storage Service Module.
• Online migration of heterogeneous arrays
• Simultaneous migration of multiple LUNs
• Unequal size LUN migration
• Rate adjusted migration
• Verification of migrated data
• Secure erasure of migrated data
• Dual fabric support

Note License packages for Cisco DMM (Cisco Data Mobility Manager) and Cisco SME (Cisco Storage Media
Encryption) are documented in the Cisco MDS Data Mobility Manager Configuration Guide, and the
Cisco Storage Media Encryption Configuration Guide.

Licensing High Availability


As with other Cisco MDS NX-OS features, the licensing feature also maintains the following high
availability standards for all switches in the Cisco MDS 9000 Family:
• Installing any license in any switch is a nondisruptive process.
• Installing a license automatically saves a copy of permanent licenses to the chassis in all switches.
• Enabling a license feature without a license key starts a counter on the grace period. You then have
120 days to install the appropriate license keys or disable the use of that feature. If at the end of the
120-day grace period the switch does not have a valid license key for the feature, the feature is
automatically disabled by the switch.
Directors in the Cisco MDS 9500 Series have the following additional high availability features:
• The license software runs on both supervisor modules and provides failover protection.
• The license key file is mirrored on both supervisor modules. Even if both supervisor modules fail,
the license file continues to function from the version that is available on the chassis.

Options to Install a License


If you have purchased a new switch through either your reseller or through Cisco Systems, you can:
• Obtain a factory-installed license (only applies to new switch orders).
• Perform a manual license installation (applies to existing switches).

Obtaining a Factory-Installed License


You can obtain factory-installed licenses for a new switch.
To obtain a factory-installed license for a new Cisco MDS switch, follow these steps:

Step 1 Contact your reseller or Cisco representative and request this service.

Note If you purchased Cisco support through a Cisco reseller, contact the reseller directly. If you
purchased support directly from Cisco Systems, contact Cisco Technical Support at this URL:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Your switch is shipped with the required licenses installed in the system. The proof of purchase
document is sent along with the switch.
Step 2 Obtain the host ID from the proof of purchase document for future use.
Step 3 Start to use the switch and the licensed features.

Performing a Manual Installation


If you have existing switches or if you wish to install the licenses on your own, you must first obtain the
license key file and then install that file in the switch (see Figure 10-1).

Figure 10-1 Obtaining a License Key File

[Figure: diagram of the inputs used to obtain a license key file. Labels: Software claims certificate
(Release 1.1 and 1.2): website URL, product authorization key. Proof of purchase (Release 1.3 and
above): website URL, product authorization key, switch serial number (switch ID). Internet web
browser: URL address, product authorization key, switch serial number (switch ID). License key file
through email. Cisco MDS switch.]

Obtaining the License Key File


To obtain new or updated license key files using Device Manager, follow these steps:

Step 1 Select Physical > Inventory from the main menu. You see the inventory for the switch. The host ID is
referred to as the serial number.

Tip Prepend the serial number with VDH=. For example, if the serial number is FOX064317SQ, the
full serial number is VDH=FOX064317SQ.

Step 2 Obtain either your claim certificate or your proof of purchase document. This document accompanies
every Cisco MDS switch.
Step 3 Obtain the Product Authorization Key (PAK) from either the claim certificate or the proof of purchase
document.
Step 4 Locate the website URL from either the claim certificate or the proof of purchase document.
Step 5 Access the specified URL that applies to your switch and enter the switch serial number and the PAK.
The license key file is sent to you by e-mail. The license key file is digitally signed to only authorize use
on the requested switch. The requested features are also enabled once the Cisco NX-OS software on the
specified switch accesses the license key file.

Caution Install the license key file in the specified MDS switch without making any modifications.

A license is either permanent or it expires on a fixed date. If you do not have a license, the grace period
for using that feature starts from the first time you start using a feature offered by that license (see the
"Grace Period Alerts" section on page 10-15).
Step 6 Use the copy licenses command in EXEC mode to save your license file to one of two locations: the
bootflash: directory or the slot0: device. Refer to the Cisco MDS 9000 Family CLI Configuration Guide
for more information.

Installing the License Key File

Tip If you need to install multiple licenses in any switch in the Cisco MDS 9000 Family, be sure to provide
unique file names for each license key file.

The best way to install licenses on the switches in your fabric is to use the License Wizard provided in
Fabric Manager. You can also use Device Manager to install licenses on each switch individually.

Note You do not need a license to access a switch with Fabric Manager. See the "Licensing Model" section
on page 10-2 for a list of features requiring licenses.

You can install licenses in two ways:
• Using the Fabric Manager License Wizard
• Using Device Manager

Installing Licenses Using Fabric Manager License Wizard


To install licenses using the Fabric Manager License Wizard, follow these steps:

Step 1 Log into a switch in the fabric containing the switches for which you want to install licenses.
To install licenses on multiple switches, you do not need to log into each switch; however, the switches
must be in the fabric you are viewing.
Step 2 Start the License Wizard by selecting Tools > Install > License. Or, you can select Licenses under
Switches in the Physical Attributes pane.
You see the license information in the Information pane, one line per feature.
Step 3 Click the Keys tab, and then click the License Install Wizard icon in the toolbar.

Figure 10-2 License Install Wizard Icon

You see the initial screen of the License Wizard.


Step 4 If you have already obtained the license key files, click the corresponding radio button and proceed to
Step 6.
Step 5 Click I have the Product Authorization Key (PAK) if you have the authorization key.
Step 6 Select the vendor from whom you purchased your switch in the Vendor drop-down list.
The License Server URL changes depending on the vendor you select. If your URL is different, or if you
select Other as the vendor, enter the correct license server URL.
Step 7 Click Next to continue to the next screen (see Figure 10-3).

Figure 10-3 License Install Wizard Dialog Box

Step 8 Select the switches for which you have PAKs or license key files.
When you check the check box for a switch, the PAK or license file name field for that switch becomes
editable. The serial number for each switch is shown in the Host ID column.
Step 9 Enter the PAK or license file name for each switch you have selected in the appropriate column. If you
have the license files on your PC, you can double-click in the License File Name text area to bring up a
dialog box and browse for the license files.
You can install multiple licenses on the same switch using different PAKs. To do this, enter the PAKs
separated by commas.
Step 10 Click Finish to transfer the licenses from the host to the switches.

Fabric Manager accesses the appropriate license site and installs the licenses onto each switch. The
status of each installation is displayed in the Status column, as follows:
• success: Install or uninstall operation completed successfully.
• inProgress: License install or uninstall operation is in progress.
• corruptedLicenseFile: License file content is invalid or corrupted.
• targetLicenseFileAlreadyExist: Target license file-name already exists.
• invalidLicenseFileName: License file does not exist.
• duplicateLicense: License file is already installed.
• generalLicensingFailure: General error from License Manager.
• none: No install operation is performed.
• licenseExpiryConflict: License exists with a different expiration date for the feature.
• invalidLicenseCount: License count is invalid for the feature.
Step 11 Click the Close button to close the wizard. To install more licenses at this point, you must close the
wizard and launch it again.

Installing or Updating Licenses Using Device Manager


To install a license on your switch using Device Manager, follow these steps:

Step 1 Select Licenses from the Admin menu.


You see the Licenses dialog box.
Step 2 Click the Install tab.
The HostId shows the "VDH=" portion of the serial number. The rest of the number is completed in Steps
3 through 5.
Step 3 Enter the uniform resource identifier (URI) from which the license file will be retrieved.
You should already have copied the license file provided by Cisco.com or by some other means (for
example, through the CLI) to this location.
Step 4 Enter the target file name in the Target Filename field to specify where the license file will be installed.

Step 5 Click Install if you are installing, or Update if you are updating.
You see the status of the installation at the bottom of the dialog box, as follows:
• success: Install or uninstall operation completed successfully.
• inProgress: License install or uninstall operation is in progress.
• corruptedLicenseFile: License file content is invalid or corrupted.
• targetLicenseFileAlreadyExist: Target license file name already exists.
• invalidLicenseFileName: License file does not exist.
• duplicateLicense: License file is already installed.
• generalLicensingFailure: General error from License Manager.
• none: No install operation is performed.
• licenseExpiryConflict: License exists with a different expiration date for the feature.
• invalidLicenseCount: License count is invalid for the feature.
• notThisHost: License host ID in the license file does not match.
• licenseInGraceMore: Number of licenses in grace period is more than the number in the install
license file.
• licenseFileNotFound: License file not found for the install, uninstall, or update operation.
• licenseFileMissing: A previously installed license file is found missing.
• invalidLicenseFileExtension: License file does not have a .lic extension.
• invalidURI: Invalid license file URI specified for install operation.
• noDemoLicenseSupport: Demo license not supported.
• invalidPlatform: Invalid platform.
Step 6 Repeat Steps 3 through 5 to install another license, or click Close to close the License Manager dialog
box.
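
A pre-install check for the procedure above, as an added example that is not part of the Cisco guide or its software: it applies the guide's rules (a .lic extension, a unique target file name, an unmodified file, and a host ID of VDH= plus the serial number) on the management host before a file is sent to the switch. The SHA-256 recorded at receipt, the local labels modifiedSinceReceipt and hostIdNotFound, the function names, and the assumption that the host ID appears in the file as clear text are this example's own; the sample content is constructed and is not the real license file format.

```python
import hashlib
import re


def sha256_hex(content: bytes) -> str:
    """Digest to record when the license e-mail arrives."""
    return hashlib.sha256(content).hexdigest()


def host_id(serial: str) -> str:
    """Return the host ID the way the guide writes it: VDH= plus the serial."""
    serial = serial.strip().upper()
    return serial if serial.startswith("VDH=") else "VDH=" + serial


def preflight(content: bytes, target_name: str, switch_serial: str,
              installed_names: set, digest_at_receipt: str) -> list:
    """Return a list of findings; an empty list means nothing was caught.

    Names that match the guide's status list are reused as labels only.
    This check runs locally and does not query the switch.
    """
    findings = []

    # The status list includes a failure for a file without a .lic extension.
    if not target_name.endswith(".lic") or target_name == ".lic":
        findings.append("invalidLicenseFileExtension")

    # The guide asks for a unique file name for each license on a switch.
    if target_name in installed_names:
        findings.append("targetLicenseFileAlreadyExist")

    # The file is signed and must be installed without modification.
    # Comparing with a digest taken at receipt is this example's own check.
    if sha256_hex(content) != digest_at_receipt.lower():
        findings.append("modifiedSinceReceipt")

    # Assumption: the host ID is present in the file as clear text.
    found = {m.decode().upper()
             for m in re.findall(rb"VDH=[A-Za-z0-9]+", content)}
    if not found:
        findings.append("hostIdNotFound")
    elif found != {host_id(switch_serial)}:
        findings.append("notThisHost")

    return findings


# Constructed sample content: a placeholder, not the real license format.
SAMPLE = (b"CONSTRUCTED SAMPLE, not a real license\n"
          b"feature PORT_ACTIVATION_PKG hostid VDH=FOX064317SQ\n")
SAMPLE_DIGEST = sha256_hex(SAMPLE)

if __name__ == "__main__":
    cases = [
        ("clean file", SAMPLE, "port_act_1.lic", "FOX064317SQ"),
        ("edited after receipt", SAMPLE + b" ", "port_act_1.lic", "FOX064317SQ"),
        ("wrong switch", SAMPLE, "port_act_1.lic", "FOX000000AA"),
        ("name already installed", SAMPLE, "ent.lic", "FOX064317SQ"),
    ]
    for label, content, name, serial in cases:
        result = preflight(content, name, serial, {"ent.lic"}, SAMPLE_DIGEST)
        print(f"{label}: {result or 'ok'}")
```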

Identifying License Features in Use


When a Cisco MDS NX-OS software feature is enabled, it can activate a license grace period.
To identify the features active for a specific license using Fabric Manager, follow these steps:

Step 1 Select a switch from the Fabric pane, or select a group of switches (SAN, fabric, VSAN) from the
Logical Domains pane.
Step 2 Select Licenses under Switches in the Physical Attributes pane.
You see the contents of the Feature Usage tab in the Information pane, with installed licenses listed in
the Feature column.
Step 3 Click the Usage tab.
You see the features currently in use in the Application column.

Uninstalling Licenses
You can only uninstall a permanent license that is not in use. If you try to delete a permanent license that
is currently being used, the software rejects the request and issues an error message. Uninstalling an
unused license causes the grace period to come into effect. The grace period is counted from the first use
of the feature without a license and is reset when a valid license file is installed.

Note Permanent licenses cannot be uninstalled if they are currently being used. Features turned on by
permanent licenses must first be disabled, before that license is uninstalled.

Tip If you are using an evaluation license and would like to install a new permanent license, you can do so
without service disruption and before the evaluation license expires. Removing a permanent license
immediately triggers a grace period without service disruption.

Caution Disable related features before uninstalling a license. The delete procedure fails if the license is in use.

To uninstall a license, follow these steps:

Step 1 Log into the switch. If you are using Fabric Manager to remove licenses from multiple switches, you do
not need to log in to each switch; however, the switches must be in the fabric you are viewing.
Step 2 From the Fabric Manager Physical Attributes pane, select Licenses under Switches. You see the license
information in the Information pane, one line per feature.
From Device Manager, click Admin > Licenses from the menu. You see the Licenses dialog box.
Step 3 In Fabric Manager, click the Keys tab. You see the list of License Key files. Click the name of the license
you want to remove, and press the Delete keyboard key or click the Delete Row icon in the toolbar.
In Device Manager, click Uninstall, and enter the name of the License Key file you want to remove.
Click Apply to remove the License Key file, and click Close to close the dialog box.

Note To delete a license, you must disable the features enabled by that license. The delete procedure
fails if the license is in use, and an error message is displayed.

Updating Licenses
If your license is time bound, you must obtain and install an updated license. Contact technical support
to request an updated license.

Note If you purchased Cisco support through a Cisco reseller, contact the reseller directly. If you purchased
support directly from Cisco Systems, contact Cisco Technical Support at this URL:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

To update a license, follow these steps:

Step 1 Obtain the updated license file using the procedure described in the "Obtaining the License Key File"
section on page 10-9.
Step 2 Save your running configuration to a remote server using the copy command (see the "Copying Files"
section on page 16-5).
Step 3 Verify the name of the file to be updated.
Step 4 Follow the procedure for updating a license described in the "Uninstalling Licenses" section on
page 10-14.

Grace Period Alerts


Cisco NX-OS gives you a 120-day grace period. This grace period starts or continues when you are
evaluating a feature for which you have not installed a license.

Note There is no grace period for licenses purchased for the On-Demand Port Activation license feature.

The grace period stops if you disable a feature you are evaluating, but if you enable that feature again
without a valid license, the grace period countdown continues where it left off.
The grace period operates across all features in a license package. License packages can contain several
features. If you disable a feature during the grace period and there are other features in that license
package that are still enabled, the countdown does not stop for that license package. To suspend the grace
period countdown for a license package, you must disable every feature in that license package.
The Cisco NX-OS license counter keeps track of all licenses on a switch. If you are evaluating a feature and
the grace period has started, you will receive console messages, SNMP traps, system messages, and Call
Home messages on a daily basis. The frequency of these messages becomes hourly during the last seven
days of the grace period.
The following example uses the FICON feature. On January 30th, you enabled the FICON feature, using
the 120-day grace period. You will receive grace period ending messages as follows:
• Daily alerts from January 30th to May 21st.
• Hourly alerts from May 22nd to May 30th.
On May 31st, the grace period ends, and the FICON feature is automatically disabled. You will not be
allowed to use FICON until you purchase a valid license.

Note You cannot modify the frequency of the grace period messages.

Caution After the final seven days of the grace period, the feature is turned off and your network traffic may be
disrupted. Any future upgrade will enforce license requirements and the 120-day grace period.
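
The package-level countdown described in this section, replayed over a constructed event log as an added example (not Cisco code): it tracks the grace days consumed per license package, the alert cadence, and the automatic disable after 120 days. The event tuple format, the replay and PackageState names, and the whole-day accounting are assumptions of this example; the package and feature names come from Table 10-1.

```python
from dataclasses import dataclass, field

GRACE_DAYS = 120     # grace period stated in the guide
HOURLY_WINDOW = 7    # alerts become hourly in the last seven days


@dataclass
class PackageState:
    enabled: set = field(default_factory=set)    # features in use
    licensed: bool = False
    used: int = 0                                # grace days consumed
    auto_disabled: list = field(default_factory=list)
    refused: list = field(default_factory=list)  # enables rejected after expiry

    @property
    def remaining(self):
        return GRACE_DAYS - self.used

    @property
    def alerts(self):
        # No countdown, no alerts: licensed, or every feature is disabled.
        if self.licensed or not self.enabled:
            return "none"
        return "hourly" if self.remaining <= HOURLY_WINDOW else "daily"


def replay(events, until_day):
    """Replay (day, action, package, feature) events through until_day.

    Days are whole numbers starting at 0. Events on a day are applied before
    that day is counted. Returns {package: PackageState}.
    """
    by_day = {}
    for day, action, package, feature in events:
        by_day.setdefault(day, []).append((action, package, feature))

    states = {}
    for day in range(until_day + 1):
        for action, package, feature in by_day.get(day, []):
            st = states.setdefault(package, PackageState())
            if action == "enable":
                # After expiry the feature cannot be used without a license.
                if not st.licensed and st.used >= GRACE_DAYS:
                    st.refused.append(feature)
                else:
                    st.enabled.add(feature)
            elif action == "disable":
                st.enabled.discard(feature)
            elif action == "install":
                # Installing a valid license resets the grace period.
                st.licensed = True
                st.used = 0
            else:
                raise ValueError(f"unknown action: {action}")

        for st in states.values():
            # The countdown runs while ANY feature in the package is enabled
            # without a license; it is suspended only when all are disabled.
            if st.licensed or not st.enabled:
                continue
            st.used += 1
            if st.used >= GRACE_DAYS:
                st.auto_disabled = sorted(st.enabled)
                st.enabled.clear()
    return states


PKG = "STORAGE_SERVICES_ENABLER_PKG"
NSV = "Network-based Storage Virtualization"
# Constructed event log for one switch.
EVENTS = [
    (0, "enable", PKG, "SANTap"),
    (10, "enable", PKG, NSV),
    (40, "disable", PKG, "SANTap"),   # NSV still on: countdown continues
    (50, "disable", PKG, NSV),        # all features off: countdown suspends
    (80, "enable", PKG, "SANTap"),    # countdown resumes where it left off
]

if __name__ == "__main__":
    for day in (49, 79, 141, 142, 149):
        st = replay(EVENTS, day)[PKG]
        print(f"day {day}: used={st.used} remaining={st.remaining} "
              f"alerts={st.alerts} auto_disabled={st.auto_disabled}")
```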

License Transfers Between Switches


A license is specific to the switch for which it is issued and is not valid on any other switch. If you need
to transfer a license from one switch to another, contact your customer service representative.

Note Rehosting licenses is only supported for RMAs.

Note If you purchased Cisco support through a Cisco reseller, contact the reseller directly. If you purchased
support directly from Cisco Systems, contact Cisco Technical Support at this URL:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Displaying License Information


Use Fabric Manager or Device Manager to display all license information configured on this switch.

Viewing License Information in Fabric Manager


To view license information in Fabric Manager, follow these steps:

Step 1 Select Licenses under Switches in the Physical Attributes pane. You see the license information in the
Information pane, one line per feature.
Step 2 Click the Feature Usage tab to see the switch, the name of the feature package, the type of license
installed, the number of licenses used (Installed Count), the expiration date, the grace period (if you do
not have a license for a particular feature), and any errors (for example, if you have a missing license).
Step 3 Click the Keys tab to display the information about each of the License Key files installed on your
switches.

Caution Once an expiration period has started, notifications appear in the Fabric Manager Events
pane on a daily basis. During the last seven days of the expiration period, these messages are
displayed hourly. After the final seven days of the expiration period, the feature is turned off
and your network traffic may be disrupted.

Step 4 Click the Usage tab to see the applications using the feature package on each switch. Use this tab to
determine which applications depend on each license installed.

Viewing License Information in Device Manager


To view license information in Device Manager, follow these steps:

Step 1 Select Admin > Licenses from the menu.


You see the Licenses dialog box.

Step 2 Click the Features tab to see the name of the feature package, the type of license, the expiration date,
the grace period (if you do not have a license for a particular feature), and any errors, such as a missing
license.
Step 3 Click the Files tab to display the information about each of the License Key files installed on your
switch.
Step 4 Click the Install tab to install or update a license file.
Step 5 Click the Usage tab to see which applications are using the features on the switch.

Viewing Licenses Using Fabric Manager Web Server


Fabric Manager Release 2.1(2) or later supports viewing license use across the fabric from Fabric
Manager Web Server. This view summarizes the licenses used on all switches in the fabric.
To view licenses using Fabric Manager Web Server, choose Inventory > Licenses.

Fabric Manager Server Licensing


When you install Fabric Manager, the basic version of the Fabric Manager Server (FMServer) is installed
with it. To get the enhanced features, such as Performance Manager and remote client support, you will
need to buy and install the Cisco MDS 9000 Family Fabric Manager Server license package.
However, trial use of these enhanced features is available. To enable the 120-day trial, you simply use
the feature as you would if you had purchased the license. You see a dialog box explaining that this is a
demo version, enabled for a limited time.
If you are evaluating Fabric Manager Server features and want to stop the evaluation period for that
feature, you can do that using Device Manager.
To stop the evaluation using Device Manager, follow these steps:

Step 1 Select Admin > Licenses.


You see the Licenses dialog box.
Step 2 Click the Features tab and select the feature to check in.
When you select the feature, you see a Check In FM button at the bottom of the dialog box.
Step 3 Click Check In FM to stop the demo period timer.

CHAPTER 11
On-Demand Port Activation Licensing

This chapter describes how to use the on-demand port activation licensing feature on the Cisco MDS
9124 Fabric Switch, the Cisco MDS 9134 Fabric Switch, the Cisco Fabric Switch for HP c-Class
BladeSystem, and the Cisco Fabric Switch for IBM BladeCenter. This chapter contains the following
sections:
• About On-Demand Port Activation Licensing
• Configuring Port Activation Licenses

About On-Demand Port Activation Licensing


As of Cisco MDS SAN-OS Release 3.1(1), you can expand your SAN connectivity as needed by
enabling users to purchase and install additional port licenses. By default, all ports are eligible for
license activation. On the Cisco MDS 9124 Fabric Switch, licenses are allocated sequentially. However,
you can move or reassign licenses to any eligible port on the switch.
On the Cisco MDS 9134 Fabric Switch, the first 32 ports operate at 1 Gbps, 2 Gbps, or 4 Gbps. The
switch has two ports that operate at 10 Gbps. Licenses are allocated sequentially.
On the Cisco Fabric Switch for HP c-Class BladeSystem and the Cisco Fabric Switch for IBM
BladeCenter, licenses for internal ports are allocated as the ports come up. Licenses for external ports
are allocated sequentially.

Port-Naming Conventions
Table 11-1 describes the port-naming conventions for the four Cisco Fabric switches.

Table 11-1 Port-Naming Conventions for Cisco Fabric Switches

Cisco MDS 9124 Switch
    fc1/1 through fc1/24
Cisco MDS 9134 Switch
    fc1/1 through fc1/34
Cisco Fabric Switch for HP c-Class BladeSystem
    Internal ports: bay1 through bay16
    External ports: ext1 through ext8
Cisco Fabric Switch for IBM BladeCenter
    Internal ports: bay1 through bay14
    External ports: ext0 and ext15 through ext19

Port Licensing
On the Cisco MDS 9124 Switch, the first eight ports are licensed by default. You are not required to
perform any tasks beyond the default configuration unless you prefer to immediately activate additional
ports, make ports ineligible, or move port licenses.
Figure 11-1 shows the ports that are licensed by default for the Cisco MDS 9124 Switch.

Figure 11-1 Cisco MDS 9124 Switch Default Port Licenses (fc1/1 - fc1/8)

If you need additional connectivity, you can activate additional ports in 8-port increments with each
on-demand port activation license, up to a total of 24 ports.
On the Cisco MDS 9134 Switch, the first 24 ports that can operate at 1 Gbps, 2 Gbps, or 4 Gbps are
licensed by default. If you need additional connectivity, you can activate the remaining eight ports with
one on-demand port activation license. A separate 10G license file is required to activate the remaining
two 10-Gbps ports.
Figure 11-2 shows the ports that are licensed by default for the Cisco MDS 9134 Switch.

Figure 11-2 Cisco MDS 9134 Switch Default Port Licenses (fc1/1 - fc1/24)

Figure 11-3 shows the external ports that are licensed by default for the Cisco Fabric Switch for HP
c-Class BladeSystem.

Figure 11-3 Cisco Fabric Switch for HP c-Class BladeSystem Default Port Licenses (ext1 - ext4)


On the Cisco Fabric Switch for HP c-Class BladeSystem, any eight internal ports and the external ports
(ext1 through ext4) are licensed by default. A single on-demand port activation license is required to use
the remaining eight internal and four external ports.
On the Cisco Fabric Switch for IBM BladeCenter, any seven internal ports and the external ports (ext0,
ext15 and ext16) are licensed by default. A single on-demand port activation license is required to use
the remaining seven internal and three external ports.
Figure 11-4 shows the external ports that are licensed by default for the Cisco Fabric Switch for IBM
BladeCenter.

Figure 11-4 Cisco Fabric Switch for IBM BladeCenter Default Port Licenses (ext0, ext15 - ext16)

If you prefer not to accept the default behavior and would rather assign a license to a specific port,
make the port ineligible to receive a license, or move licenses among ports, refer to the "Configuring
Port Activation Licenses" section on page 11-4.

License Status Definitions


Table 11-2 defines the port activation license status terms.

Table 11-2 Port Activation License Status Definitions

Port Activation License Status: Definition

acquired: The port is licensed and active.
eligible: The port is eligible to receive a license but does not yet have one.
See Chapter 10, "Obtaining and Installing Licenses," for information about how to obtain
and install the PORT_ACTIVATION_PKG and license key file.
ineligible: The port is not allowed to receive a license.

By default, when you install additional port license activation packages, the activation status of ports
changes from eligible to acquired. If you prefer to accept the default behavior, no further action is
required.

Note You can uninstall licenses for ports not in use; however, you cannot uninstall default licenses.

Configuring Port Activation Licenses


This section contains the following topics:
• Checking the Status of Licenses
• Making a Port Eligible for a License
• Acquiring a License for a Port

Checking the Status of Licenses

Note The dialog boxes shown in Figures 11-5 and 11-6 apply only to the Cisco MDS 9124 Fabric Switch.

To check the number of licenses that are in use using Device Manager, follow these steps:

Step 1 Choose Admin > Licenses.


You see the Licenses dialog box as shown in Figure 11-5.

Figure 11-5 Licenses Dialog Box

Step 2 Click the Port Licensing tab.


You see the licenses that are in use as shown in Figure 11-6.

Figure 11-6 Licenses in Use

Step 3 Click Close to close the dialog box.

Making a Port Eligible for a License


By default, all ports are eligible to receive a license. However, if a port has already been made ineligible
and you prefer to activate it, then you must make that port eligible.

Note The dialog box shown in Figure 11-7 applies only to the Cisco MDS 9124 Fabric Switch.

To make multiple ports eligible to acquire a license using Device Manager, follow these steps:

Step 1 Choose Interface > FC All and click the License tab or hold down the Control key, and then click each
port that you want to make eligible.
Step 2 Right-click the selected ports, select Configure, and click the License tab.
You see the FC Interfaces dialog box as shown in Figure 11-7.

Figure 11-7 FC Interfaces Dialog Box

Step 3 Select eligible from the Config drop-down list for each port that you want to make eligible.
Step 4 Click Apply to save the changes.

Note The dialog box shown in Figure 11-8 applies only to the Cisco MDS 9124 Fabric Switch.

To make a single port eligible to acquire a license using Device Manager, follow these steps:

Step 1 Right-click a port, select Configure, and click the License tab.
You see the port licensing options for the selected port as shown in Figure 11-8.

Figure 11-8 License Tab for Selected Port

Step 2 Click the eligible radio button to make the port eligible.
Step 3 Click Apply to save the changes.

Acquiring a License for a Port


If you prefer not to accept the default on-demand port license assignments, you must first
acquire licenses for the ports to which you want to move the license.
To acquire licenses for multiple ports using Device Manager, follow these steps:

Step 1 Choose Interface > FC All and click the License tab or hold down the Control key, and then click each
port for which you want to acquire a license.

Step 2 Right-click the selected ports, select Configure, and click the License tab.
You see the FC Interfaces dialog box as shown in Figure 11-7.
Step 3 Select acquire from the Config drop-down list for each port for which you want to acquire a license.
Step 4 Click Apply to save the changes.

To acquire a license for a single port using Device Manager, follow these steps:

Step 1 Right-click a port, select Configure, and click the License tab.
You see the port licensing options for the selected port as shown in Figure 11-8.
Step 2 Click the acquire radio button to acquire a license for the port.
Step 3 Click Apply to save the changes.

CHAPTER 12
Initial Configuration

Most of the initial switch configuration procedures can only be performed using the CLI. Refer to the
Cisco MDS 9000 Family CLI Configuration Guide for this information. This chapter includes the
following sections:
Assigning a Switch Name
Verifying the Module Status
Configuring Date, Time, and Time Zone
NTP Configuration
Management Interface Configuration
Telnet Server Connection
Configuring CDP

Note The Cisco Fabric Switch for IBM BladeCenter does not use admin as the default user. The default user
is USERID because there is no console access to the switch. You cannot delete the user USERID on this
switch. The password for this default user is PASSW0RD, where the 0 is a zero. You can change this
password; however, a write erase operation restores the default password. There is no initial setup menu.

Also note that you should not bring up the loader> prompt; the only way to fix this condition is to RMA
the switch.

The following commands are not allowed on the Cisco Fabric Switch for IBM BladeCenter: write erase
boot and init system. You also cannot set boot variables manually.

Assigning a Switch Name


Each switch in the fabric requires a unique name. You can assign names to easily identify the switch by
its physical location, its SAN association, or the organization to which it is deployed. The assigned name
is displayed in the command-line prompt. The switch name is limited to 20 alphanumeric characters.
To change the name of a switch using Fabric Manager, follow these steps:

Step 1 Expand SAN in the Logical Domains pane, then select a fabric or a VSAN.
Step 2 Expand Switches in the Physical Attributes pane.
You see a list of switches in the Information pane.

Step 3 Double-click the Logical Name of the switch you want to change in the Information pane.
You see the name highlighted with a blinking cursor next to it.

Figure 12-1 Changing the Logical Name of a Switch

Step 4 Type the new name of the switch (see Figure 12-1).
Step 5 Click the Apply Changes icon.
Step 6 Right-click the Fabric pane map and choose Refresh to see your changes.

Verifying the Module Status


Before you begin configuring the switch, you need to ensure that the modules in the chassis are
functioning as designed.
To verify the status of a module at any time, follow these steps:

Step 1 Expand SAN in the Logical Domains pane, then select a fabric or a VSAN from the Logical Domains
pane.
Step 2 Expand Switches and choose Hardware in the Physical Attributes pane.
You see the contents of the Inventory tab in the Information pane shown in Figure 12-2.

Figure 12-2 Inventory of a Selected Module

Step 3 Click the Card Module Status tab.


You see the status in the Oper Status column of each module in each switch of the SAN, fabric, or VSAN
you selected.

If the status is OK or active, you can continue with your configuration (see Chapter 19, "Managing
Modules").

Configuring Date, Time, and Time Zone


Switches in the Cisco MDS 9000 Family use Universal Coordinated Time (UTC), which is the same as
Greenwich Mean Time (GMT).
To change the default time on the switch with Fabric Manager, follow these steps:

Step 1 Expand SAN, then select a fabric or a VSAN in the Logical Domains pane.
You see a list of switches in the Information pane.
Step 2 Expand Switches and select Clock in the Physical Attributes pane.
You see the clock information in the Information pane shown in Figure 12-3.

Figure 12-3 Clock Date and Time for Selected Switch

Step 3 Double-click the time in the ClockDateAndTime field for the switch to change.
Step 4 Enter the date, time, and time zone in the format YYYY/MM/DD-hh:mm:ss ZONE, where:
YYYY is the year (2002)
MM is the month (08)
DD is the date (23)
hh represents hours in military format (15 for 3 p.m.)
mm is minutes (58)
ss is seconds (09)
ZONE is GMT + or - number of hours

Note If you do not enter a time zone, GMT is used as the default.

Step 5 Click the Apply Changes icon.

Note The date and time changes are saved across system resets.

Note CFS does not support daylight savings time because a single fabric can span multiple time zones; every
switch must be configured individually.

If you want to configure daylight savings time on multiple switches simultaneously, see the RUN CLI
command feature in the Cisco MDS 9000 Family Fabric Manager Configuration Guide.

NTP Configuration
A Network Time Protocol (NTP) server provides a precise time source (radio clock or atomic clock) to
synchronize the system clocks of network devices. NTP is transported over the User Datagram Protocol
(UDP/IP). All NTP communications use Universal Time Coordinated (UTC). An NTP server receives its
time from a reference time source, such as a radio clock or atomic clock, attached to the server. NTP
distributes this time across the network.
This section includes the following sections:
About NTP
NTP Configuration Guidelines
Configuring NTP
Editing an NTP Server or Peer Configuration
Deleting an NTP Server or Peer
NTP CFS Distribution

About NTP
In a large enterprise network, having one time standard for all network devices is critical for management
reporting and event logging functions when trying to correlate interacting events logged across multiple
devices. Many enterprise customers with extremely mission-critical networks maintain their own
stratum-1 NTP source.
Time synchronization happens when several frames are exchanged between clients and servers. The
switches in client mode know the address of one or more NTP servers. The servers act as the time source
and receive client synchronization requests.
By configuring an IP address as a peer, the switch will obtain and provide time as required. The peer is
capable of providing time on its own and is capable of having a server configured. If both these instances
point to different time servers, your NTP service is more reliable. Thus, even if the active server link is
lost, you can still maintain the right time due to the presence of the peer.

Tip If an active server fails, a configured peer helps in providing the NTP time. Provide a direct NTP server
association and configure a peer to ensure backup support if the active server fails.

If you only configure a peer, the most accurate peer takes on the role of the NTP server and the other
peers act as peers. Both machines end up with the right time if they have the right time source or if they
point to the right NTP source.

NTP Configuration Guidelines


The following guidelines apply to all NTP configurations:
You should have a peer association with another switch only when you are sure that your clock is
reliable (which means that you are a client of a reliable NTP server).
A peer configured alone takes on the role of a server and should be used as backup. If you have two
servers, then you can have several switches point to one server, and the remaining switches to the
other server. Then you would configure peer association between these two sets. This forces the
clock to be more reliable.
If you only have one server, all of the switches should have a client association with that server.
Even server downtime does not affect well-configured switches in the network. Figure 12-4 displays a
network with two NTP stratum 2 servers and two switches.

Figure 12-4 NTP Peer and Server Association

[Diagram: Stratum-2 Server-1 and Server-2 each receive time from a lower-stratum server and share a peer
association. Switch-1 has a server association with Server-1, Switch-2 has a server association with
Server-2, and Switch-1 and Switch-2 share a peer association.]

In this configuration, the switches were configured as follows:

Stratum-2 Server-1
IPv4 address: 10.10.10.10
Stratum-2 Server-2
IPv4 address: 10.10.10.9
Switch-1 IPv4 address: 10.10.10.1
Switch-1 NTP configuration
NTP server 10.10.10.10
NTP peer 10.10.10.2
Switch-2 IPv4 address: 10.10.10.2
Switch-2 NTP configuration
NTP server 10.10.10.9
NTP peer 10.10.10.1
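
The following is an added example, not part of the Cisco guide, that checks a set of switch NTP associations against the guidelines above, using the Figure 12-4 addresses as input. The dictionary layout and the audit_ntp name are assumptions made for illustration.

```python
# Added example: checks NTP associations against the guidelines in this section.
# The dictionary layout and function name are illustrative, not a Cisco API.

# Associations from Figure 12-4, keyed by each switch's own address.
FIGURE_12_4 = {
    "10.10.10.1": {"server": ["10.10.10.10"], "peer": ["10.10.10.2"]},
    "10.10.10.2": {"server": ["10.10.10.9"], "peer": ["10.10.10.1"]},
}


def audit_ntp(fabric):
    """Return sorted (switch, finding) tuples; an empty list means no findings."""
    findings = []
    for switch, assoc in fabric.items():
        servers = set(assoc.get("server", []))
        peers = set(assoc.get("peer", []))

        if not servers and not peers:
            findings.append((switch, "no NTP association configured"))
            continue
        if switch in servers | peers:
            findings.append((switch, "associates with its own address"))
        # Guideline: peer with another switch only when you are yourself a
        # client of a reliable NTP server.
        if peers and not servers:
            findings.append((switch, "peer association without a server association"))

        for peer in sorted(peers):
            other = fabric.get(peer)
            if other is None:
                continue  # peer is outside the audited set; nothing to compare
            other_servers = set(other.get("server", []))
            # The peer is useful as a backup only if it reaches a time source
            # that this switch does not already use.
            if servers and other_servers and other_servers <= servers:
                findings.append((switch, f"peer {peer} adds no new time source"))
    return sorted(findings)
```

An empty result for FIGURE_12_4 reflects that each switch is a client of a different server and peers with the other switch.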

Configuring NTP
You can configure NTP using IPv4 addresses, IPv6 addresses, or DNS names.
To create an NTP server or peer, follow these steps:

Step 1 In the Fabric Manager Physical pane, expand Switches, and then select System, or from Device
Manager, choose Admin > NTP.
In Fabric Manager, you see the System information pane. In Device Manager, you see the NTP dialog
box (see Figure 12-5).

Figure 12-5 Device Manager NTP Dialog Box

Step 2 Click the NTP Peer tab.


You see a list of NTP peers and servers for that switch.
Step 3 Click Create.
You see the Create NTP Peer dialog box.
Step 4 Enter the peer address in the Peer Address field.
Step 5 Choose the mode (peer or server).
Step 6 Check the Preferred check box if you want this peer to be a Preferred Peer.
Step 7 Click Create to create the peer or server, or click Close to close the dialog box without creating the peer
or server.
The new peer or server is listed on the Peer tab.

Editing an NTP Server or Peer Configuration


To edit an NTP server or peer, follow these steps:

Step 1 In the Fabric Manager Physical Attributes pane, expand Switches, and then select System, or from
Device Manager, choose Admin > NTP.

In Fabric Manager, you see the System information pane. In Device Manager, you see the NTP dialog
box.
Step 2 Click the NTP Peer tab.
You see a list of NTP peers and servers for that switch.
Step 3 Change the peer address by double-clicking the IP address in the Peer Address column and changing
the numbers. Alternatively, you can triple-click the IP address and type in a new address.
Step 4 Change the switch mode from peer to server by clicking the Mode column next to the address of the
switch.
You see a drop-down list. Select the mode (peer or server) you want for the switch.
Step 5 Change the peer status of the switch to Preferred Peer by checking the PrefPeer check box next to the
address of the switch. To remove this status, uncheck the check box.
Step 6 Click Apply to apply your changes to the switch, or click Close to close the dialog box without saving
your changes.

Deleting an NTP Server or Peer


To delete an NTP server or peer, follow these steps:

Step 1 In the Fabric Manager Physical pane, expand Switches and choose System, or from Device Manager,
choose Admin > NTP.
In Fabric Manager, you see the System information pane. In Device Manager, you see the NTP dialog
box.
Step 2 Click the NTP Peer tab.
You see a list of NTP peers and servers for that switch.
Step 3 Delete a server or peer by clicking the IP address in the Peer Address column. The Delete button is
enabled.
Step 4 Click Delete to delete the peer or server, or click Close to close the dialog box without deleting the peer.

NTP CFS Distribution


You can enable NTP fabric distribution for all Cisco MDS switches in the fabric. When you perform NTP
configurations, and distribution is enabled, the entire server/peer configuration is distributed to all the
switches in the fabric.
You automatically acquire a fabric-wide lock when you issue the first configuration command after you
enable distribution in a switch. The NTP application uses the effective and pending database model to
store or commit the commands based on your configuration.
See Chapter 13, "Using the CFS Infrastructure," for more information on the CFS application.
This section includes the following sections:
Configuring NTP with CFS
Committing NTP Configuration Changes
Releasing Fabric Session Lock
Database Merge Guidelines

Configuring NTP with CFS


To configure NTP with CFS using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Clock, and then select NTP in the Physical Attributes pane.
You see the feature configuration in the Information pane.
Step 2 Click the CFS tab in the Information pane.
You see the CFS configuration and status for each switch.
Step 3 Click a switch value (enable or disable) in the Global column.
A drop-down menu appears (see Figure 12-6).

Figure 12-6 Enabling or Disabling NTP with CFS for a Switch

Step 4 Choose enable.


Step 5 Repeat steps 3 and 4 for all switches in the fabric.

Note A warning displays if you do not enable CFS for all switches in the fabric for this feature.

Step 6 Check the Master check box for the switch that you want to act as the merge master for this feature.
Step 7 Click the switch value in the Config Action column. A drop-down menu appears.
Step 8 Select Commit.
Step 9 Click the Servers tab in the Information pane. You see the configuration for this feature based on the
master switch.
Step 10 Modify the Master configuration as needed. For example, right-click the value in the Master column and
select Create Row to create a server for NTP.
a. Set the ID, and the Name or IP Address for the NTP server.
b. Choose a Mode radio button and, optionally, check the Preferred check box.
c. Click Create to add the server.
Fabric Manager sends the request to the master switch. Click the CFS tab and check the Last Results
column for the new entry. It has a pending status.
Step 11 From the CFS tab, set the Config Action column to commit to distribute the feature change through the
fabric. Fabric Manager only changes the status to running when commit, clear, or abort is selected and
applied.

Note Fabric Manager will not change the status to pending if enable is selected, because the pending
status does not apply until the first actual change is made.

Step 12 Click the Apply Changes icon to commit the configuration changes for that feature and distribute the
changes through CFS, or click Undo Changes to discard the changes for that feature.

Committing NTP Configuration Changes


When you commit the NTP configuration changes, the effective database is overwritten by the
configuration changes in the pending database and all the switches in the fabric receive the same
configuration. When you commit the NTP configuration changes without implementing the session
feature, the NTP configurations are distributed to all the switches in the fabric.

Discarding NTP Configuration Changes


After making the configuration changes, you can choose to discard the changes or to commit them. In
either case, the lock is released.

Releasing Fabric Session Lock


If you have performed an NTP fabric task and have forgotten to release the lock by either committing or
discarding the changes, an administrator can release the lock from any switch in the fabric. If the
administrator performs this task, your changes to the pending database are discarded and the fabric lock
is released.

Tip The changes are only available in the volatile directory and are subject to being discarded if the switch
is restarted.

Database Merge Guidelines


When merging two fabrics, follow these guidelines:
Be aware that the merge is a union of the existing and the received database in each switch in the
fabric.
Do not configure an IP address as a server on one switch and as a peer on another switch. The merge
can fail if this configuration exists.
Verify that the union of the databases does not exceed the maximum limit of 64.
See the "CFS Merge Support" section on page 13-9 for detailed concepts.
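
The two checks in these guidelines (mode conflicts and the size of the union) can be run before a merge; the following is an added Python example, not part of the Cisco guide. It assumes each fabric's NTP database has been exported as an address-to-mode mapping and reads "maximum limit of 64" as 64 entries; all function and variable names are illustrative.

```python
# Added example: pre-merge check of two fabrics' NTP databases.
# Data layout and names are illustrative, not a Cisco API.
from ipaddress import ip_address

MAX_ENTRIES = 64  # "maximum limit of 64", read here as 64 server/peer entries


def canonical(addr):
    """Normalize an IPv4/IPv6 address or DNS name so equal hosts compare equal."""
    addr = addr.strip()
    try:
        return str(ip_address(addr))       # e.g. 2001:DB8:0:0::1 -> 2001:db8::1
    except ValueError:
        return addr.lower().rstrip(".")    # treat anything else as a DNS name


def normalize(db, label, problems):
    """Return {canonical address: mode}; record bad or contradictory entries."""
    out = {}
    for addr, mode in db.items():
        key = canonical(addr)
        if mode not in ("server", "peer"):
            problems.append(f"fabric {label}: {key} has unknown mode {mode!r}")
        elif out.get(key, mode) != mode:
            problems.append(f"fabric {label}: {key} is both server and peer")
        out[key] = mode
    return out


def premerge_check(db_a, db_b, limit=MAX_ENTRIES):
    """Return (merged, problems). merged is None if any guideline is violated."""
    problems = []
    a = normalize(db_a, "A", problems)
    b = normalize(db_b, "B", problems)

    # Guideline: an address must not be a server in one fabric and a peer in the other.
    for key in sorted(a.keys() & b.keys()):
        if a[key] != b[key]:
            problems.append(f"{key}: {a[key]} in fabric A, {b[key]} in fabric B")

    # Guideline: the merge is a union, and the union must fit within the limit.
    merged = {**a, **b}
    if len(merged) > limit:
        problems.append(f"union has {len(merged)} entries, limit is {limit}")

    return (None if problems else merged), problems


# Constructed sample input (documentation addresses and example.com names).
FABRIC_A = {"10.10.10.10": "server", "2001:DB8::1": "server", "ntp1.example.com": "peer"}
FABRIC_B = {"10.10.10.9": "server", "2001:db8:0:0:0:0:0:1": "peer", "NTP1.example.com.": "peer"}
```

Normalizing addresses first matters because the same IPv6 server written in two spellings would otherwise hide a server/peer conflict and inflate the entry count.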

Management Interface Configuration


The management interface on the switch allows multiple simultaneous Telnet or SNMP sessions. You
can remotely configure the switch through the management interface (mgmt0), but first you must
configure some IP parameters so that the switch is reachable. You can manually configure the
management interface from the CLI. You can configure the mgmt0 interface with either IPv4 address
parameters or an IPv6 address.
On director class switches, a single IP address is used to manage the switch. The active supervisor
module's mgmt0 interface uses this IP address. The mgmt0 interface on the standby supervisor module
remains in an inactive state and cannot be accessed until a switchover happens. After a switchover, the
mgmt0 interface on the standby supervisor module becomes active and assumes the same IP address as
the previously active supervisor module.
The management port (mgmt0) is autosensing and operates in full duplex mode at a speed of
10/100/1000 Mbps (1000 Mbps is only available on the Supervisor-2 module). Autosensing supports
both the speed and the duplex mode. On a Supervisor-1 module, the default speed is 100 Mbps and the
default duplex mode is auto. On a Supervisor-2 module, the default speed is auto and the default duplex
mode is auto.
You can set the management interface in the Fabric Manager Preferences screen to use SNMP over TCP.
The advantages of this setting are an increased buffer size and faster transfer rate. If your fabric has a
long timeout period, it may prevent you from using SNMP (which may have a relatively shorter timeout
period). If so, change this setting to false and restart Fabric Manager Server. UDP is used instead.

Note Before you begin to configure the management interface manually, obtain the switch's IPv4 address and
IPv4 subnet mask or the IPv6 address. Also make sure the console cable is connected to the console port.

Default Gateway Configuration


The supervisor module sends IP packets with unresolved destination IPv4 addresses to the default
gateway (see Figure 12-7).

Figure 12-7 Default Gateway

[Diagram labels: router as default gateway (IP address 172.16.1.1) to the IP network; Switch 2 mgmt 0
(IP address 172.16.1.2) on the management LAN (Ethernet connection); console connection; CLI over
Telnet or SSH; GUI over SNMP; DNS server.]

Telnet Server Connection


As of MDS NX-OS Release 4.1(1b), the Telnet server is disabled by default on all switches in the Cisco
MDS 9000 Family. If you require a secure SSH connection, you need to disable the default Telnet
connection and then enable the SSH connection (see the "Generating the SSH Server Key-Pair" section
on page 32-22).

Note For information on connecting a terminal to the supervisor module console port, refer to the Cisco MDS
9200 Series Hardware Installation Guide or the Cisco MDS 9500 Series Hardware Installation Guide.

Tip A maximum of 16 sessions are allowed in any switch in the Cisco MDS 9500 Series or the Cisco MDS
9200 Series.

Make sure the terminal is connected to the switch and that the switch and terminal are both powered on.

Disabling a Telnet Connection


To disable Telnet connections to the switch using Device Manager, follow these steps:

Step 1 Select Device > Preferences.


Step 2 Check the Use Secure Shell instead of Telnet check box.
Step 3 Click Apply.
Telnet is disabled and SSH is enabled on the switch.

Configuring CDP
The Cisco Discovery Protocol (CDP) is an advertisement protocol used by Cisco devices to advertise
themselves to other Cisco devices in the same network. CDP runs on the data link layer and is independent of
Layer 3 protocols. Cisco devices that receive the CDP packets cache the information to make it
accessible through the CLI and SNMP.
CDP is supported on the management Ethernet interface on the supervisor module and the Gigabit
Ethernet interfaces on the IPS and MPS-14/2 modules. The CDP daemon is restartable and switchable.
The running and startup configurations are available across restarts and switchovers.
CDP version 1 (v1) and version 2 (v2) are supported in Cisco MDS 9000 Family switches. CDP packets
with any other version number are silently discarded when received.
When the interface link is established, CDP is enabled by default and three CDP packets are sent at
one-second intervals. Following this, the CDP frames are sent at the globally configured refresh interval.
To globally disable CDP using Fabric Manager, follow these steps:

Step 1 Select a switch in the Logical Domains pane.


Step 2 Expand Switches, expand Interfaces, expand Management, and then select CDP in the Physical
Attributes pane.
You see the CDP information in the Information pane shown in Figure 12-8.

Figure 12-8 Cisco Discovery Protocol

Step 3 Deselect the Enable check box.


Step 4 Click the Apply Changes icon.

To disable CDP using Device Manager, follow these steps:

Step 1 Click IP > CDP.


You see the CDP dialog box as shown in Figure 12-8.
Step 2 Deselect the Enable check box.
Step 3 Click the Apply Changes icon.

To globally configure the message interval for the CDP protocol using Device Manager, follow these
steps:

Step 1 Click IP > CDP.


You see the CDP dialog box as shown in Figure 12-8.
Step 2 Set the message interval time in seconds (5-254).
Step 3 Click the Apply icon.

To globally configure the hold time advertised in CDP packets using Device Manager, follow these steps:

Step 1 Click IP > CDP.


You see the CDP dialog box as shown in Figure 12-8.
Step 2 Set the hold time in seconds (10-255).
Step 3 Click Apply.

CHAPTER 13
Using the CFS Infrastructure

The Cisco MDS NX-OS software uses the Cisco Fabric Services (CFS) infrastructure to enable efficient
database distribution and to foster device flexibility. It simplifies SAN provisioning by automatically
distributing configuration information to all switches in a fabric.
Several Cisco MDS NX-OS applications use the CFS infrastructure to maintain and distribute the
contents of a particular application's database.
This chapter contains the following sections:
About CFS
Disabling CFS Distribution on a Switch
CFS Application Requirements
Enabling CFS for an Application
Locking the Fabric
Committing Changes
Discarding Changes
Saving the Configuration
Clearing a Locked Session
CFS Merge Support
Displaying CFS Configuration Information
CFS Regions
CFS Example Using Fabric Manager
CFS Example Using Device Manager
Default Settings

About CFS
Many features in the Cisco MDS switches require configuration synchronization in all switches in the
fabric. Maintaining configuration synchronization across a fabric is important to maintain fabric
consistency. In the absence of a common infrastructure, such synchronization is achieved through
manual configuration at each switch in the fabric. This process is tedious and error prone.

Cisco Fabric Services (CFS) provides a common infrastructure for automatic configuration
synchronization in the fabric. It provides the transport function as well as a rich set of common services
to the applications. CFS can discover CFS-capable switches in the fabric and the application
capabilities of all CFS-capable switches.
This section includes the following topics:
Cisco MDS NX-OS Features Using CFS
CFS Features
CFS Protocol
CFS Distribution Scopes
CFS Distribution Modes

Cisco MDS NX-OS Features Using CFS


The following Cisco NX-OS features use the CFS infrastructure:
N Port Virtualization (see the "NPV CFS Distribution over IP" section on page 21-5).
FlexAttach Virtual pWWN (see the "FlexAttach Virtual pWWN CFS Distribution" section on
page 14-9).
NTP (see the "NTP CFS Distribution" section on page 12-8).
Dynamic Port VSAN Membership (see Chapter 28, "Creating Dynamic VSANs").
Distributed Device Alias Services (see Chapter 31, "Distributing Device Alias Services").
IVR topology (see the "Database Merge Guidelines" section on page 29-31).
SAN device virtualization (see the "Configuring SDV" section on page 27-4).
TACACS+ and RADIUS (see the "AAA Server Distribution" section on page 41-21).
User and administrator roles (see the "Role-Based Authorization" section on page 39-1).
Port security (see the "Port Security Configuration Distribution" section on page 46-17).
iSNS (see the "Configuring iSNS Servers" section on page 50-71).
Call Home (see the "Call Home Configuration Distribution" section on page 62-18).
Syslog (see the "System Message Logging Configuration" section on page 61-3).
fctimer (see the "About fctimer Distribution" section on page 37-4).
SCSI flow services (see the "Configuring SCSI Flow Services" section on page 55-3).
Saving startup configurations in the fabric using the Fabric Startup Configuration Manager (FSCM)
(see the "Saving Startup Configurations in the Fabric" section on page 16-9).
Allowed domain ID lists (see the "About Allowed Domain ID Lists" section on page 25-11).
RSCN timer (see the "RSCN Timer Configuration Distribution Using CFS" section on page 34-7).
iSLB (see the "About iSLB Configuration Distribution Using CFS" section on page 50-46).

CFS Features
CFS has the following features:
Peer-to-peer protocol with no client-server relationship at the CFS layer.

Three scopes of distribution.
Logical scope: The distribution occurs within the scope of a VSAN.
Physical scope: The distribution spans the entire physical topology.
Over a selected set of VSANs: Some applications, such as Inter-VSAN Routing (IVR), require
configuration distribution over some specific VSANs. These applications can specify to CFS the
set of VSANs over which to restrict the distribution.
Three modes of distribution.
Coordinated distributions: Only one distribution is allowed in the fabric at any given time.
Uncoordinated distributions: Multiple parallel distributions are allowed in the fabric except
when a coordinated distribution is in progress.
Unrestricted uncoordinated distributions: Multiple parallel distributions are allowed in the
fabric in the presence of an existing coordinated distribution. Unrestricted uncoordinated
distributions are allowed to run in parallel with all other types of distributions.
Supports a merge protocol that facilitates the merge of application configuration during a fabric
merge event (when two independent fabrics merge).

CFS Protocol
The CFS functionality is independent of the lower layer transport. Currently, in Cisco MDS switches,
the CFS protocol layer resides on top of the FC2 layer and is peer-to-peer with no client-server
relationship. CFS uses the FC2 transport services to send information to other switches. CFS uses a
proprietary SW_ILS (0x77434653) protocol for all CFS packets. CFS packets are sent to or from the
switch domain controller addresses.
CFS can also use IP to send information to other switches (see the CFS Distribution over IP section
on page 13-10).
Applications that use CFS are completely unaware of the lower layer transport.

CFS Distribution Scopes


Different applications on the Cisco MDS 9000 Family switches need to distribute the configuration at
various levels:
VSAN level (logical scope)
Applications that operate within the scope of a VSAN have the configuration distribution restricted
to the VSAN. An example application is port security where the configuration database is applicable
only within a VSAN.
Physical topology level (physical scope)
Applications might need to distribute the configuration to the entire physical topology spanning
several VSANs. Such applications include NTP and DPVM (WWN based VSAN), which are
independent of VSANs.
Between two switches
Applications might only operate between selected switches in the fabric. An example application is
SCSI Flow Services, which operates between two switches.

CFS Distribution Modes


CFS supports different distribution modes to support different application requirements: coordinated and
uncoordinated distributions. The two modes are mutually exclusive; only one mode is allowed at any given
time.

Uncoordinated Distribution
Uncoordinated distributions are used to distribute information that is not expected to conflict with that
from a peer. An example is local device registrations such as iSNS. Parallel uncoordinated distributions
are allowed for an application.

Coordinated Distribution
Coordinated distributions can have only one application distribution at a given time. CFS uses locks to
enforce this. A coordinated distribution is not allowed to start if locks are taken for the application
anywhere in the fabric. A coordinated distribution consists of three stages:
1. A fabric lock is acquired.
2. The configuration is distributed and committed.
3. The fabric lock is released.
Coordinated distribution has two variants:
CFS driven: The stages are executed by CFS in response to an application request without
intervention from the application.
Application driven: The stages are under the complete control of the application.
Coordinated distributions are used to distribute information that can be manipulated and distributed
from multiple switches, for example, the port security configuration.

Unrestricted Uncoordinated Distributions


Unrestricted uncoordinated distributions allow multiple parallel distributions in the fabric in the
presence of an existing coordinated distribution. Unrestricted uncoordinated distributions are allowed to
run in parallel with all other types of distributions.

Disabling CFS Distribution on a Switch


By default, CFS distribution is enabled. Applications can distribute data and configuration information
to all CFS-capable switches in the fabric where the applications exist. This is the normal mode of
operation.
You can globally disable CFS on a switch, to isolate the applications using CFS from fabric-wide
distributions while maintaining physical connectivity. When CFS is globally disabled on a switch, CFS
operations are restricted to the switch and all CFS commands continue to function as if the switch were
physically isolated.
To globally disable or enable CFS distribution on a switch using Fabric Manager, follow these steps:

Step 1 In the Physical Attributes pane, expand Switches > CFS.

Step 2 In the information pane, from the drop-down menu, choose disable or enable for a switch.
Step 3 Click the Apply Changes icon to commit the configuration changes.

To globally disable or enable CFS distribution on a switch using Device Manager, follow these steps:

Step 1 Choose Admin > CFS (Cisco Fabric Services).


You see the CFS dialog box with the CFS status for all features on that switch.
Step 2 Uncheck or check the Globally Enabled check box to disable or enable CFS distribution on this switch.
Step 3 Click Apply to disable CFS on this switch.

CFS Application Requirements


All switches in the fabric must be CFS capable. A Cisco MDS 9000 Family switch is CFS capable if it
is running Cisco SAN-OS Release 2.0(1b) or later, or MDS NX-OS Release 4.1(1) or later. Switches that
are not CFS capable do not receive distributions and result in part of the fabric not receiving the intended
distribution.
CFS has the following requirements:
Implicit CFS usage: The first time you issue a CFS task for a CFS-enabled application, the
configuration modification process begins and the application locks the fabric.
Pending database: The pending database is a temporary buffer to hold uncommitted information.
The uncommitted changes are not applied immediately to ensure that the database is synchronized
with the database in the other switches in the fabric. When you commit the changes, the pending
database overwrites the configuration database (also known as the active database or the effective
database).
CFS distribution enabled or disabled on a per-application basis: The default (enable or disable) for
CFS distribution state differs between applications. If CFS distribution is disabled for an
application, then that application does not distribute any configuration nor does it accept a
distribution from other switches in the fabric.
Explicit CFS commit: Most applications require an explicit commit operation to copy the changes
in the temporary buffer to the application database, to distribute the new database to the fabric, and
to release the fabric lock. The changes in the temporary buffer are not applied if you do not perform
the commit operation.

Enabling CFS for an Application


All CFS-based applications provide an option to enable or disable the distribution capabilities. Features
that existed prior to Cisco SAN-OS Release 2.0(1b) have the distribution capability disabled by default
and must have distribution capabilities enabled explicitly.
Applications introduced in Cisco SAN-OS Release 2.0(1b) or later, or MDS NX-OS Release 4.1(1) or
later have the distribution enabled by default.

The application configuration is not distributed by CFS unless distribution is explicitly enabled for that
application.
To enable CFS for a feature using Fabric Manager, follow these steps:

Step 1 Choose a feature on which to enable CFS. For example, expand Switches > Events, and then select
CallHome in the Physical Attributes pane. The Information pane shows that feature, with a CFS tab.
Click the CFS tab to display the CFS state for each switch in the fabric for that feature.
Step 2 Decide on which switch(es) to enable CFS. Set the Admin column to either enable to enable CFS or
disable to disable CFS.

Note Enable CFS for all switches in the fabric or VSAN for the feature that uses CFS.

Step 3 Right-click the row you changed to see the pop-up menu. Select Apply Changes to apply the CFS
configuration change. The CFS tab updates as the CFS changes take effect.
Fabric Manager retrieves the status of the CFS change and updates the Last Result column.

To enable CFS for a feature using Device Manager, follow these steps:

Step 1 Choose Admin > CFS (Cisco Fabric Services).


You see the CFS dialog box with the CFS status for all features on that switch.
Step 2 Decide which feature(s) need CFS. Set the Command column to either enable to enable CFS or disable
to disable CFS.

Note Enable or disable CFS for all switches in the fabric or VSAN for the feature that uses CFS.

Step 3 Click Pending Differences to compare the configuration of this feature on this switch to other switches
in the fabric or VSAN that have CFS enabled for this feature. Close the Show Pending Diff pop-up.
Step 4 Click Apply to apply the CFS configuration change.
Device Manager retrieves the status of the CFS change and updates the Last Command and Result
columns.

Locking the Fabric


When you configure a Cisco NX-OS feature (or application) that uses the CFS infrastructure for the
first time, that feature starts a CFS session and locks the fabric. When a fabric is locked, the Cisco
NX-OS software does not allow any configuration changes to this Cisco NX-OS feature from any switch
other than the switch holding the lock, and issues a message to inform the user about the locked status.
The configuration changes are held in a pending database by that application.
If you start a CFS session that requires a fabric lock but forget to end the session, an administrator can
clear the session. If you lock a fabric at any time, your user name is remembered across restarts and
switchovers. If another user (on the same machine) tries to perform configuration tasks, that user's
attempts are rejected.

Committing Changes
A commit operation saves the pending database for all application peers and releases the lock for all
switches.
In general, the commit function does not start a session; only a lock function starts a session. However,
an empty commit is allowed if configuration changes are not previously made. In this case, a commit
operation results in a session that acquires locks and distributes the current database.
When you commit configuration changes to a feature using the CFS infrastructure, you receive a
notification about one of the following responses:
One or more external switches report a successful status: The application applies the changes
locally and releases the fabric lock.
None of the external switches report a successful state: The application considers this state a failure
and does not apply the changes to any switch in the fabric. The fabric lock is not released.
You can commit changes for a specified feature by setting CFS > Config Action to commit for that
feature.
To commit changes using Fabric Manager for CFS-enabled features, follow these steps:

Step 1 Choose the feature you want to enable CFS for. For example, expand Switches, expand Events, and then
select CallHome from the Physical Attributes pane.
The Information pane shows that feature, with a CFS tab.
Step 2 Click the CFS tab to display the CFS state for each switch in the fabric for that feature.
Step 3 Right-click the value in the Config Action column for any switch and select an option from the
drop-down menu (Copy, Paste, Export to File, Print Table, Detach Table).
Step 4 Click the Apply Changes icon to commit the configuration changes for that feature and distribute the
changes through CFS.
Fabric Manager retrieves the status of the CFS change and updates the Last Command and Last Result
columns for the feature or VSAN.

To commit changes using Device Manager for CFS-enabled features, follow these steps:

Step 1 Choose Admin > CFS (Cisco Fabric Services).


You see the CFS dialog box with the CFS status for all features on that switch.
Step 2 For each applicable feature, set the Command column to commit to commit the configuration changes
for that feature and distribute the changes through CFS, or set it to abort to discard the changes for that
feature and release the fabric lock for CFS for that feature.
Step 3 (Optional) Provide a Type or VsanID as the basis for the CFS distribution for CFS features that require
this.
Step 4 Click Pending Differences to check the configuration of this feature on this switch as compared to other
switches in the fabric or VSAN that have CFS enabled for this feature.
Step 5 Click Apply to apply the CFS configuration change.

Device Manager retrieves the status of the CFS change and updates the Last Command and Result
columns.

Caution If you do not commit the changes, they are not saved to the running configuration.

Discarding Changes
If you discard configuration changes, the application flushes the pending database and releases locks in
the fabric. Both the abort and commit functions are only supported from the switch from which the fabric
lock is acquired.
You can discard changes for a specified feature by setting the Command column value to disable for that
feature then clicking Apply.

Saving the Configuration


Configuration changes that have not been applied yet (still in the pending database) are not shown in the
running configuration. The configuration changes in the pending database overwrite the configuration
in the effective database when you commit the changes.

Caution If you do not commit the changes, they are not saved to the running configuration.

The CISCO-CFS-MIB contains SNMP configuration information for any CFS-related functions. Refer
to the Cisco MDS 9000 Family MIB Quick Reference for more information on this MIB.

Clearing a Locked Session


You can clear locks held by an application from any switch in the fabric. This option is provided to rescue
you from situations where locks are acquired and not released. This function requires Admin
permissions.
To clear locks using Fabric Manager, follow these steps:

Step 1 Click the CFS tab.


Step 2 Select clearLock from the Config Action drop-down list for each switch that you want to clear the lock
(see Figure 13-1).
Step 3 Click the Apply Changes icon to save the change.

Figure 13-1 Clearing Locks

Caution Exercise caution when using this function to clear locks in the fabric. Any pending configurations in any
switch in the fabric are flushed and lost.
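
The lock, commit, discard, and clear-lock rules described in the sections above can be exercised with a small model. The following Python code is an added example, not Cisco code: the FeatureSession class, its methods, and the max_logins setting are hypothetical, and it assumes that external switches that do not report success keep their old database.

```python
"""Model of a CFS coordinated distribution for one feature (added example)."""


class FabricLocked(Exception):
    """Another switch or user already holds the fabric lock."""


class NotLockHolder(Exception):
    """Commit or abort attempted from a switch that does not hold the lock."""


class FeatureSession:
    def __init__(self, switches, config):
        # Effective (active) database per switch, initially synchronized.
        self.effective = {sw: dict(config) for sw in switches}
        self.lock = None     # (switch, user) holding the fabric lock
        self.pending = None  # pending database: uncommitted changes

    def _acquire(self, switch, user):
        if self.lock is None:
            self.lock = (switch, user)
            self.pending = dict(self.effective[switch])
        elif self.lock != (switch, user):
            raise FabricLocked(f"locked by {self.lock[1]} on {self.lock[0]}")

    def configure(self, switch, user, key, value):
        """The first change starts the session and locks the fabric."""
        self._acquire(switch, user)
        self.pending[key] = value

    def commit(self, switch, user, peer_status):
        """peer_status maps each external switch to True if it reported success."""
        if self.lock is not None and self.lock[0] != switch:
            raise NotLockHolder(switch)
        # Empty commit: no session yet, so lock and distribute the current database.
        self._acquire(switch, user)
        accepted = [sw for sw, ok in peer_status.items() if ok and sw != switch]
        if not accepted:
            return False  # failure: nothing is applied and the lock is NOT released
        # Assumption: only switches that reported success take the new database.
        for sw in [switch, *accepted]:
            self.effective[sw] = dict(self.pending)
        self.lock = self.pending = None
        return True

    def abort(self, switch, user):
        """Discard: flush the pending database and release the lock."""
        if self.lock != (switch, user):
            raise NotLockHolder(switch)
        self.lock = self.pending = None

    def clear_lock(self, switch, is_admin):
        """Allowed from any switch with Admin permissions; pending changes are lost."""
        if not is_admin:
            raise PermissionError("clearing a CFS lock requires Admin permissions")
        lost = self.pending
        self.lock = self.pending = None
        return lost


def demo():
    fab = FeatureSession(["sw1", "sw2", "sw3"], {"max_logins": 4})
    fab.configure("sw1", "alice", "max_logins", 8)
    events = []
    try:
        fab.configure("sw2", "bob", "max_logins", 1)
    except FabricLocked:
        events.append("sw2 rejected")
    events.append(fab.commit("sw1", "alice", {"sw2": False, "sw3": False}))
    events.append(fab.lock)  # still held after the failed commit
    events.append(fab.commit("sw1", "alice", {"sw2": True, "sw3": True}))
    events.append(fab.effective["sw3"]["max_logins"])
    return events


if __name__ == "__main__":
    print(demo())
```

The failed commit in demo() leaves the lock in place, which is the situation the clearLock action exists to recover from.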

CFS Merge Support


An application keeps the configuration synchronized in a fabric through CFS. Two such fabrics might
merge as a result of an ISL coming up between them. These two fabrics could have two different sets of
configuration information that need to be reconciled in the event of a merge. CFS provides notification
each time an application peer comes online. If a fabric with M application peers merges with another
fabric with N application peers and if an application triggers a merge action on every such notification,
a link-up event results in M*N merges in the fabric.
CFS supports a protocol that reduces the number of merges required to one by handling the complexity
of the merge at the CFS layer. This protocol runs per application per scope. The protocol involves
selecting one switch in a fabric as the merge manager for that fabric. The other switches do not play any
role in the merge process.
During a merge, the merge managers in the two fabrics exchange their configuration databases with each
other. The application on one of them merges the information, decides if the merge is successful, and
informs all switches in the combined fabric of the status of the merge.
In case of a successful merge, the merged database is distributed to all switches in the combined fabric
and the entire new fabric remains in a consistent state. You can recover from a merge failure by starting
a distribution from any of the switches in the new fabric. This distribution restores all peers in the fabric
to the same configuration database.

Displaying CFS Configuration Information


To display the status of CFS distribution on the switch using Device Manager, follow these steps:

Step 1 Choose Admin > CFS (Cisco Fabric Services).


You see the CFS dialog box. This dialog box displays the distribution status of each feature using CFS,
which currently registered applications are using CFS, and the result of the last successful merge
attempt.
Step 2 Select a row and click Details to view more information about the feature.

CFS Distribution over IP


You can configure CFS to distribute information over IP for networks containing switches that are not
reachable over Fibre Channel. CFS distribution over IP supports the following features:
Physical distribution over an entirely IP network.
Physical distribution over a hybrid Fibre Channel and IP network with the distribution reaching all
switches that are reachable over either Fibre Channel or IP.

Note The switch attempts to distribute information over Fibre Channel first and then over the IP
network if the first attempt over Fibre Channel fails. CFS does not send duplicate messages if
distribution over both IP and Fibre Channel is enabled.

Distribution over IP version 4 (IPv4) or IP version 6 (IPv6).

Note CFS cannot distribute over both IPv4 and IPv6 from the same switch.

Keepalive mechanism to detect network topology changes using a configurable multicast address.
Compatibility with Cisco MDS SAN-OS Release 2.x.
Distribution for logical scope applications is not supported because the VSAN implementation is
limited to Fibre Channel.
Figure 13-2 shows a network with both Fibre Channel and IP connections. Node A forwards an event to
node B over Fibre Channel. Node B forwards the event to node C and node D using unicast IP. Node C
forwards the event to node E using Fibre Channel.

Figure 13-2 Network Example 1 with Fibre Channel and IP Connections
[Diagram: Node A, Node B, Node C, Node D, and Node E; legend: FC and IP links]

Figure 13-3 is the same as Figure 13-2 except that node C and node D are connected using Fibre
Channel. All processes are the same in this example because node B has node C and node D in the
distribution list for IP. Node C does not forward to node D because node D is already in the distribution
list from node B.

Figure 13-3 Network Example 2 with Fibre Channel and IP Connections
[Diagram: Node A, Node B, Node C, Node D, and Node E; legend: FC and IP links]

Figure 13-4 is the same as Figure 13-3 except that node D and node E are connected using FC. Both node
C and node D forward the event to node E because node E is not in the distribution list from node B.

Figure 13-4 Network Example 3 with Fibre Channel and IP Connections
[Diagram: Node A, Node B, Node C, Node D, and Node E; legend: FC and IP links]
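
The forwarding behavior described for Figure 13-2 through Figure 13-4 can be reproduced with a small model. The following Python code is an added example, not Cisco's implementation: the distribute function and the FIG_ constants are hypothetical, and the model assumes that the distribution list travels with the event and grows at each hop, and that a node forwards only the first copy it receives.

```python
from collections import deque

# Link lists transcribed from the descriptions of the three figures.
FIG_13_2 = [("A", "B", "FC"), ("B", "C", "IP"), ("B", "D", "IP"), ("C", "E", "FC")]
FIG_13_3 = FIG_13_2 + [("C", "D", "FC")]
FIG_13_4 = FIG_13_3 + [("D", "E", "FC")]


def distribute(links, origin):
    """Return the (sender, receiver, transport) messages sent for one event."""
    neighbors = {}
    for a, b, transport in links:
        for x, y in ((a, b), (b, a)):
            # Fibre Channel is tried first; IP is used only where no FC link exists.
            if neighbors.setdefault(x, {}).get(y) != "FC":
                neighbors[x][y] = transport

    sent = []
    processed = set()
    # Each queue entry is (node, distribution list that arrived with the event).
    queue = deque([(origin, frozenset([origin]))])
    while queue:
        node, known = queue.popleft()
        if node in processed:
            continue  # a second copy of the same event is not forwarded again
        processed.add(node)
        # Forward only to neighbors that are not already in the distribution list.
        targets = sorted(n for n in neighbors.get(node, {}) if n not in known)
        carried = known | set(targets)
        for target in targets:
            sent.append((node, target, neighbors[node][target]))
            queue.append((target, carried))
    return sent


if __name__ == "__main__":
    for name, links in (("13-2", FIG_13_2), ("13-3", FIG_13_3), ("13-4", FIG_13_4)):
        print(name, distribute(links, "A"))
```

In the Figure 13-4 topology the model delivers the event to node E twice, once from node C and once from node D, which matches the description above.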

Configuring Static IP Peers for CFS over IP


Multicast forwarding is disabled by default in some devices. For example, the IBM Blade chassis has
multicast forwarding disabled, especially on external Ethernet ports, and there is no method to enable it.
NPV devices use only IP as the transport medium and do not have ISL connectivity or an FC domain.
To enable CFS over IP on the switches that do not support multicast forwarding, multicast forwarding
has to be enabled on the Ethernet IP switches all along the network that physically connects the switch.
In such cases, you can configure static IP peers for CFS distribution over IP.
CFS uses the list of configured IP addresses to communicate with each peer and learn the peer switch
WWN. After learning the peer switch WWN, CFS marks the switch as CFS-capable and triggers
application-level merging and database distribution.
The following MDS 9000 features require static IP peer configuration for CFS over IP distribution:
N port virtualization devices have IP as the communication channel because NPV switches do not
have FC domain. NPV devices use CFS over IP as the transport medium. For more information, see
the NPV CFS Distribution over IP section on page 21-5.
FlexAttach virtual pWWN distribution on CFS region 201 that links only the NPV-enabled switches.
For more information, see the FlexAttach Virtual pWWN CFS Distribution section on page 14-9.
Cisco MDS Fabric Manager discovers NPV devices by reading the name server database on the NPV
core switch, which is also used to manage the static peer list at an NPV switch for CFS distribution over
IP using static peers.
Fabric Manager 4.1(1) and later provides a one-time configuration wizard to manage the peer list of the
discovered NPV peers on a switch. When the peer list is configured on a switch, CFS enables distribution
using the IP static peers on all members of the list and propagates the peer list to all members on the list.

Note If a new NPV switch is added to the fabric, you must launch the NPV CFS Setup wizard to update the
list, because Fabric Manager does not update the list automatically.

Adding Peers to List


To configure the static IP peers list using Fabric Manager, follow these steps:

Step 1 From the Fabric Manager menu, select Tools > Other > NPV CFS Setup.

Figure 13-5 NPV CFS Setup Menu

The NPV Device Selection dialog box is displayed with the list of NPV device peers retrieved from the
switch including the device name, device IP address, and the status of the peer.

Figure 13-6 NPV Device Selection

Step 2 From the NPV Device to retrieve peer list from drop-down list box, select the device to retrieve the
peer list from.
If the NPV device in the list retrieved from the switch is present in the fabric, then one of the following
statuses is displayed: Local, Reachable, Unreachable, or Discovery in Progress. If the NPV device is not
present in the fabric, then the status is displayed as Not in Fabric.

Note If the status is displayed as Not in Fabric, you must remove the device from the list.

Step 3 Click Add.


The following dialog box is displayed with the list of all the NPV devices in the fabric that are not
included in the current peer list. By default, all the switches in the list are selected.

Figure 13-7 Peer Selection

Step 4 Select the peers, and then click Ok to add the peers to the list.
The peers are added to the list with To Be Added status.

Figure 13-8 Confirm Peer Selection

Step 5 Click Set to confirm adding the peers to the list and start the peers list propagation by CFS.

Removing an NPV Device from the Peer List


To delete a peer from the IP peer list using the Fabric Manager, follow these steps:

Step 1 From the Fabric Manager menu, select Tools > Other > NPV CFS Setup.
The NPV CFS Setup wizard is launched.
Step 2 From the NPV Device to retrieve peer list from drop-down list box, select the device to retrieve the
peer list from which you want to delete a peer.
Step 3 Do one of the following tasks to mark the peer or local host as deleted:
To delete a peer from the peer list, select the peer from the list, and then click Delete.
To delete the local host from the peer list, select the local NPV device and click Delete, or select all
the peers in the list, and then click Delete All.
Step 4 Click Yes to delete the peer from the list.
Step 5 Click Set in the NPV CFS wizard. The following message box is displayed:

Figure 13-9 Start Dynamic Peer Discovery

Step 6 Click Yes to remove the deleted peer or localhost from all the other NPV device peer lists, and start
dynamic peer discovery using multicast in the deleted peer.
-------------------------------------------------------------
IP address      WWN name                  Status
-------------------------------------------------------------
1.2.3.4         00:00:00:00:00:00:00:00   Discovery Inprogress
1.2.3.5         20:00:00:0d:ec:06:55:b9   Reachable
1.2.3.6         20:00:00:0d:ec:06:55:c0   Local
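
A peer listing in the column layout shown above can be checked automatically for entries that need attention. The following Python code is an added example, not part of Fabric Manager: the function names are hypothetical, the first three sample rows are the ones shown above, and the last two rows are constructed to exercise the Unreachable and Not in Fabric statuses.

```python
import ipaddress
import re

# Rows 1-3 are the listing shown above. Rows 4-5 are constructed for this example.
SAMPLE = """\
-------------------------------------------------------------
IP address      WWN name                  Status
-------------------------------------------------------------
1.2.3.4         00:00:00:00:00:00:00:00   Discovery Inprogress
1.2.3.5         20:00:00:0d:ec:06:55:b9   Reachable
1.2.3.6         20:00:00:0d:ec:06:55:c0   Local
192.0.2.7       20:00:00:00:00:00:00:07   Unreachable
192.0.2.8       20:00:00:00:00:00:00:08   Not in Fabric
"""

# address, 8-byte colon-separated WWN, then free-text status
ROW = re.compile(
    r"^\s*(\S+)\s+((?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2})\s+(\S.*?)\s*$"
)
UNLEARNED_WWN = "00:00:00:00:00:00:00:00"
KNOWN = {"local", "reachable", "unreachable", "discoveryinprogress", "notinfabric"}


def normalize(status):
    """Fold case and spacing so 'Discovery Inprogress' equals 'Discovery in Progress'."""
    return re.sub(r"\s+", "", status).lower()


def parse_peers(text):
    """Return one dict per data row; ruler and header lines do not match ROW."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ip, wwn, status = m.groups()
        ipaddress.ip_address(ip)  # ValueError on a malformed IPv4 or IPv6 address
        peers.append({"ip": ip, "wwn": wwn.lower(), "status": normalize(status)})
    return peers


def audit_peers(peers):
    """Return (ip, finding) pairs for entries an administrator should review."""
    findings = []
    for p in peers:
        if p["status"] not in KNOWN:
            findings.append((p["ip"], "unrecognized status"))
        elif p["status"] == "notinfabric":
            findings.append((p["ip"], "not in fabric: remove from the peer list"))
        elif p["status"] == "unreachable":
            findings.append((p["ip"], "unreachable: check IP connectivity to this peer"))
        elif p["wwn"] == UNLEARNED_WWN:
            findings.append((p["ip"], "WWN not learned: not yet marked CFS-capable"))
    return findings


if __name__ == "__main__":
    for ip, finding in audit_peers(parse_peers(SAMPLE)):
        print(f"{ip:15} {finding}")
```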

CFS Regions
This section contains the following topics:
About CFS Regions
Managing CFS Regions Using Fabric Manager
Creating CFS Regions
Assigning Features to CFS Regions
Moving a Feature to a Different Region
Removing a Feature from a Region
Deleting CFS Regions

About CFS Regions


A CFS region is a user-defined subset of switches for a given feature or application in its physical
distribution scope. When a SAN spans a vast geography, you may need to localize or restrict
the distribution of certain profiles among a set of switches based on their physical proximity. Before
MDS SAN-OS Release 3.2(1), the distribution scope of an application within a SAN spanned
the entire physical fabric without the ability to confine or limit the distribution to a required set of
switches in the fabric. CFS regions enable you to overcome this limitation by allowing you to create
multiple islands of distribution within the fabric for a given CFS feature or
application. CFS regions are designed to restrict the distribution of a feature's configuration to a specific
set or grouping of switches in a fabric.

Note You can only configure a CFS region on physical switches in a SAN. You cannot configure a
CFS region in a VSAN.

Example CFS Scenario: Call Home is an application that triggers alerts to Network Administrators
when a situation arises or something abnormal occurs. When the fabric covers many geographies and
with multiple Network Administrators who are each responsible for a subset of switches in the fabric,
the Call Home application sends alerts to all Network Administrators regardless of their location. For
the Call Home application to send message alerts selectively to Network Administrators, the physical
scope of the application has to be fine tuned or narrowed down, which is achieved by implementing CFS
regions.
CFS regions are identified by numbers ranging from 0 through 200. Region 0 is reserved as the default
region, and contains every switch in the fabric. You can configure regions from 1 through 200. The
default region maintains backward compatibility. If there are switches on the same fabric running
releases of SAN-OS before release 3.2(1), only features in Region 0 are supported when those switches
are synchronized. Features from other regions are ignored when those switches are synchronized.
If the feature is moved, that is, assigned to a new region, its scope is restricted to that region; it ignores
all other regions for distribution or merging purposes. The assignment of the region to a feature has
precedence in distribution over its initial physical scope.
You can configure a CFS region to distribute configurations for multiple features. However, on a given
switch, you can configure only one CFS region at a time to distribute the configuration for a given
feature. Once you assign a feature to a CFS region, its configuration cannot be distributed within another
CFS region.
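
The region rules above determine which switches receive a feature's configuration. The following Python model is an added example, not Cisco code: the Switch class, the function names, and the switch names are hypothetical, and a switch running a release earlier than 3.2(1) is modeled as always taking part in Region 0.

```python
DEFAULT_REGION = 0  # reserved default region; contains every switch in the fabric
MAX_REGION = 200    # user-configurable regions are 1 through 200


class Switch:
    def __init__(self, name, regions=None, supports_regions=True):
        self.name = name
        self.regions = dict(regions or {})        # feature -> assigned region ID
        self.supports_regions = supports_regions  # False: release before 3.2(1)

    def region_of(self, feature):
        """Region in which this switch distributes and merges the feature."""
        if not self.supports_regions:
            return DEFAULT_REGION
        # One region per feature per switch; unassigned features stay in Region 0.
        return self.regions.get(feature, DEFAULT_REGION)


def validate(switches):
    """Return (switch, feature, problem) for assignments the rules do not allow."""
    problems = []
    for sw in switches:
        for feature, region in sw.regions.items():
            if not isinstance(region, int) or not 1 <= region <= MAX_REGION:
                problems.append((sw.name, feature, "region ID outside 1-200"))
            elif not sw.supports_regions:
                problems.append((sw.name, feature, "switch only supports Region 0"))
    return problems


def islands(switches, feature):
    """Group switch names into the islands of distribution for one feature."""
    groups = {}
    for sw in switches:
        groups.setdefault(sw.region_of(feature), set()).add(sw.name)
    return groups


def recipients(switches, feature, origin):
    """Switches reached by a distribution of `feature` started on `origin`."""
    region = next(sw for sw in switches if sw.name == origin).region_of(feature)
    return islands(switches, feature)[region] - {origin}


def sample_fabric():
    """Constructed fabric: two sites, each with its own Call Home region."""
    return [
        Switch("west-1", {"callhome": 1}),
        Switch("west-2", {"callhome": 1}),
        Switch("east-1", {"callhome": 2}),
        Switch("east-2", {"callhome": 2}),
        Switch("legacy-1", supports_regions=False),
    ]


if __name__ == "__main__":
    fabric = sample_fabric()
    print(islands(fabric, "callhome"))
    print(recipients(fabric, "callhome", "west-1"))
    print(recipients(fabric, "ntp", "west-1"))
```

Running islands() for each feature before a commit shows which switches the change will reach and which will keep their existing configuration.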

Managing CFS Regions Using Fabric Manager


This section describes how to use Fabric Manager for managing CFS regions. Fabric Manager provides
a comprehensive view of all the switches, regions, and the features associated with each region in the
topology. To complete the following tasks, use the tables under the All Regions and Feature by Region
tabs:
Creating CFS Regions
Assigning Features to CFS Regions
Moving a Feature to a Different Region
Removing a Feature from a Region

Creating CFS Regions


To create a CFS region using Fabric Manager, follow these steps:

Step 1 Expand the Switches folder in the Physical Attributes pane and click CFS.
The information pane displays the Global, IP Multicast, Feature by Region, and All Regions tabs.
Step 2 Click the All Regions tab.
The tab displays a list of Switches and RegionIds.
Step 3 Click the Create Row button on the toolbar.
Figure 13-10 shows the Create a Region dialog box.

Figure 13-10 Create a Region Dialog Box

Step 4 From the drop-down list, select the switch and choose a RegionId from the range.
Step 5 Click Create.
Upon successful creation of the region, Success is displayed at the bottom of the dialog box.

Assigning Features to CFS Regions


To assign a feature to a region using Fabric Manager, follow these steps:

Step 1 Expand the Switches folder in the Physical Attributes pane and click CFS.
The information pane displays the Global, IP Multicast, Feature by Region, and All Regions tabs.
Step 2 Click the Feature by Region tab.
This tab lists all the switches along with their corresponding Feature and RegionId.

Step 3 Click the Create Row button on the toolbar.


Figure 13-11 shows the Assign a Feature dialog box.

Figure 13-11 Assign a Feature Dialog Box

Step 4 From the drop-down box, select a switch.


The features running on the selected switch are listed in the Feature drop-down list.
Step 5 Select a feature on that switch to associate a region.
Step 6 From the RegionID list, select the region number to associate a region with the selected feature.
Step 7 Click Create to complete assignment of a switch feature to the region.
Upon successful assignment of the feature, Success is displayed at the bottom of the dialog box.

When a feature is assigned to a new region using the Feature by Region tab, a new row with the new
region is created automatically in the table under the All Regions tab. Alternatively, you can create a
region using the All Regions tab.

Note In the Feature by Region tab, when you try to reassign a feature on a switch to another region by
clicking Create Row, an operation failed message is shown. The error message states that an entry
already exists. However, moving a feature to a different region is a different task and it is described in
the next section.

Moving a Feature to a Different Region


Before moving a feature to a new region, create the new region in the All Regions tab. That is, a new row
has to be added in the All Regions tab with the new Region ID.
To move a feature to a different region using Fabric Manager, follow these steps:

Step 1 Expand the Switches folder in the Physical Attributes pane and select CFS.
The information pane displays the Global, IP Multicast, Feature by Region, and All Regions tabs.
Step 2 Click the Feature by Region tab.
Figure 13-12 shows the Feature by Region tab, which lists all the switches along with their feature and
region details.


Figure 13-12 Feature by Region Tab

Step 3 Double-click the RegionId cell in the required row.


The cursor blinks in the cell prompting a change in the value.
Step 4 Change the RegionId value to the required region.
Step 5 Click the Apply Changes button on the tool bar to commit the change.

Removing a Feature from a Region


To remove a feature from a region using Fabric Manager, follow these steps:

Step 1 Click the Feature by Region tab and select the required row.
Step 2 Click the Delete Row button on the toolbar.
Figure 13-13 shows a confirmation dialog box.

Figure 13-13 Removing a Feature from a Region

Step 3 Click Yes to confirm row deletion from the table in view.

Deleting CFS Regions


To delete an entire region, follow these steps:

Step 1 Click the All Regions tab and select the required row.
Step 2 Click Delete Row.
This action removes all entries pertaining to that switch and region in the table under Feature by Region
tab.


Figure 13-14 shows a confirmation dialog box.

Figure 13-14 Deleting CFS Regions

Step 3 Click Yes to confirm deletion of the region.

CFS Example Using Fabric Manager


This procedure is an example of what you see when you use Fabric Manager to configure a feature that
uses CFS.

Step 1 Select the CFS-capable feature you want to configure. For example, expand a VSAN, and then select
Port Security in the Logical Domains pane.
You see the port security configuration for that VSAN in the Information pane.
Step 2 Click the CFS tab.
You see the CFS configuration and status for each switch (see Figure 13-15).

Figure 13-15 CFS Configuration

Step 3 From the Feature Admin drop-down list, select enable for each switch.
Step 4 Repeat step 3 for all switches in the fabric.

Note A warning is displayed if you do not enable CFS for all switches in the fabric for this feature.

Step 5 Check the Master check box for the switch to act as the merge master for this feature.
Step 6 From the Config Action drop-down list, select commit Changes for each switch that you enabled for
CFS.
Step 7 Click the Servers tab in the Information pane.


You see the configuration for this feature based on the master switch (see Figure 13-16).
Step 8 Modify the feature configuration. For example, right-click the name in the Master column and select
Create Row to create a server for NTP.
a. Set the ID and the Name or IP Address for the NTP server.
b. Set the Mode radio button and optionally check the Preferred check box.
c. Click Create to add the server.

Figure 13-16 Servers Tab

Step 9 Click the Delete Row icon to delete a row.


If you make any changes, the status automatically changes to Pending (see Figure 13-17).

Figure 13-17 Status Change to Pending

Step 10 Click the Commit CFS Pending Changes icon to save the changes (see Figure 13-18).

Figure 13-18 Commit CFS Pending Changes

Step 11 The status changes to Running (see Figure 13-19).


Figure 13-19 Status Change to Running

Step 12 From the Config Action drop-down list, select abortChanges for each switch that you enabled for CFS
(see Figure 13-20).

Figure 13-20 Commit Configuration Changes

Note Fabric Manager does not change the status to pending if enable is selected, because the pending
status does not apply until the first actual change is made.

Step 13 Click the Apply Changes icon to commit the configuration changes for that feature and distribute the
changes through CFS.

Note When using CFS with features such as DPVM and device alias, you must select commit at the end of
each configuration. If the session is locked, you must exit the feature by selecting abort.

To configure the master or seed switch for distribution for each feature using Fabric Manager, follow
these steps:

Step 1 Choose the feature that needs a merge master for CFS. For example, expand Switches, expand Events
and select CallHome from the Physical Attributes pane.
The Information pane shows that feature including a CFS tab.
Step 2 Click the CFS tab to display the CFS state for each switch in the fabric for that feature.
Step 3 Check the Master column check box for the switch to act as the merge master for this feature.
Step 4 Click the Apply Changes icon to select this switch as master for future CFS distributions.


CFS Example Using Device Manager


This procedure is an example of what you see when you use Device Manager to configure a feature that
uses CFS. For specific procedures for features that use CFS, refer to that feature's documentation.
To configure a feature that uses CFS using Device Manager, follow these steps:

Step 1 Open the dialog box for any CFS-capable feature. Device Manager checks to see whether CFS is
enabled. It also checks to see if there is a lock on the feature by checking for at least one entry in the
Owner table. If CFS is enabled and there is a lock, Device Manager sets the status to pending for that
feature. You see a dialog box displaying the lock information.
Step 2 Click Continue or Cancel when prompted. If you continue, Device Manager remembers the CFS status.
Step 3 Choose Admin > CFS (Cisco Fabric Services) to view the user name of the CFS lock holder.
Step 4 Click the locked feature and click Details.
Step 5 Click the Owners tab and look in the UserName column.

Note Device Manager does not monitor the status of the feature across the fabric until you click
Refresh. If a user on another CFS-enabled switch attempts to configure the same feature, they
do not see the pending status. However, their configuration changes are rejected by your
switch.

Step 6 If CFS is enabled and there is no lock, Device Manager sets the status to running for that feature.
You then see a dialog box for the feature. As soon as you perform a creation, deletion, or modification,
Device Manager changes the status to pending and displays the updated information from the pending
database.
Step 7 View the CFS table for a feature. Device Manager only changes the status to running when commit,
clear, or abort is selected and applied. Device Manager will not change the status to pending if enable
is selected, because the pending status does not apply until the first actual change is made.
The Last Command and Result fields are blank if the last command is noOp.

Note When using CFS with features like DPVM and device alias, you must select commit at the end of each
configuration. If the session is locked, you must exit the feature by selecting abort.

Default Settings
Table 13-1 lists the default settings for CFS configurations.

Table 13-1 Default CFS Parameters

| Parameters | Default |
|---|---|
| CFS distribution on the switch | Enabled. |
| Database changes | Implicitly enabled with the first configuration change. |
| Application distribution | Differs based on application. |
| Commit | Explicit configuration is required. |
| CFS over IP | Disabled. |
| IPv4 multicast address | 239.255.70.83 |
| IPv6 multicast address | ff15::efff:4653 |


CHAPTER 14
Configuring FlexAttach Virtual pWWN

This chapter describes the FlexAttach virtual port world-wide name (pWWN) feature and includes the
following sections:
About FlexAttach Virtual pWWN
FlexAttach Virtual pWWN Guidelines and Requirements
Configuring FlexAttach Virtual pWWN
Using the Server Admin FlexAttach Wizards
Difference Between San Device Virtualization and FlexAttach Port Virtualization

About FlexAttach Virtual pWWN


The FlexAttach virtual pWWN feature facilitates server and configuration management. In a SAN
environment, server installation or replacement requires interaction and coordination among the
SAN and server administrators. For coordination, it is important that the SAN configuration does not
change when a new server is installed, or when an existing server is replaced. FlexAttach virtual pWWN
minimizes the interaction between the server administrator and the SAN administrator by abstracting the
real pWWN using virtual pWWNs.
When FlexAttach virtual pWWN is enabled on an interface, a virtual pWWN is assigned to the server
interface. The real pWWN is replaced by a virtual pWWN, which is used for a SAN configuration such
as zoning.
Server administrators can benefit from FlexAttach in the following scenarios:
Pre-configure: Pre-configure SAN for new servers that are not available physically yet. For
example, they may be on order. FlexAttach can be enabled on the ports designated for the new
servers and use the virtual WWNs assigned for configuring SAN. The new servers are then plugged
into the fabric without any change needed in the SAN.
Replacement to the same port: A failed server can be replaced onto the same port without changing
the SAN. The new server gets the same pWWN as the failed server because the virtual pWWN is
assigned to the port.
Replacement to (spare): A spare server (which is on the same NPV device or a different NPV
device) can be brought online without changes to the SAN. This action is achieved by moving the
virtual port WWN from the current server port to the spare port.
Server Mobility: A server can be moved to another port on the same NPV device or another NPV
device without changing the SAN. This is accomplished by moving the virtual pWWN to the new
port. No change is needed if FlexAttach was configured using the physical port WWN of the server
to the virtual port WWN mapping.

FlexAttach Virtual pWWN Guidelines and Requirements


Following are recommended guidelines and requirements when deploying FlexAttach virtual pWWN:
FlexAttach configuration is supported only on NPV switches.
Cisco Fabric Services (CFS) IP version 4 (IPv4) distribution should be enabled.
Virtual WWNs should be unique across the fabric.

Configuring FlexAttach Virtual pWWN


This section describes how to configure the FlexAttach virtual pWWN feature and includes the following
topics:
Enabling FlexAttach Virtual pWWN
Debugging FlexAttach Virtual pWWN
Security Settings for FlexAttach Virtual pWWN
FlexAttach Virtual pWWN CFS Distribution

Enabling FlexAttach Virtual pWWN


The FlexAttach virtual pWWN feature is enabled automatically, manually, or by mapping pWWN to
virtual pWWN. Figure 14-1 shows how the FlexAttach virtual pWWN feature is enabled.

Automatically Enabling FlexAttach Virtual pWWN


The virtual pWWN is enabled automatically on all the NPV switches or per port on the NPV box. When
enabled automatically, a virtual WWN is generated from the device switch WWN. This WWN is used
as the virtual pWWN. Virtual pWWNs are generated using the local switch WWNs.

Note The port must be in a shut state when the virtual pWWN is enabled.

To enable virtual pWWN automatically for all the interfaces, follow these steps:

Step 1 From the Device Manager menu bar, select FC > FlexAttach (Figure 14-1).


Figure 14-1 FlexAttach in Device Manager

You see the FlexAttach window. (Figure 14-2).

Figure 14-2 FlexAttach Window in Device Manager

Step 2 Check the VirtualPwwnAuto check box to enable automatic generation of virtual WWNs on all the
fabric port interfaces.

Note When the interface-list value is not included in the command, virtual pWWN is enabled globally.
All the interfaces mentioned in the interface-list value must be in a shut state.

Launching FlexAttach in Fabric Manager


To launch FlexAttach in Fabric Manager, follow these steps:

Step 1 In the Logical Domains pane, select a switch.


Step 2 In the Physical Attributes pane, expand Switches > NPIV.
Step 3 Select NPIV > N_Port Virtualizer (NPV) > FlexAttach.
The FlexAttach configuration pane appears to the right. (Figure 14-3).


Figure 14-3 FlexAttach Menu

Manually Enabling FlexAttach Virtual pWWN


You can manually assign a WWN to the interface, without generating it through the switch. Several
checks are done by the NPV core to ensure the uniqueness of virtual pWWNs in the switch. When
duplicate virtual pWWNs are configured, the subsequent logins are rejected by the NPV core switch.

Note Some ports may be in auto mode, some in manual mode, and the virtual pWWNs need not be
assigned.
The port must be in a shut state when a virtual pWWN is enabled.

To enable virtual pWWN on each interface manually, follow these steps:

Step 1 Click the Virtual PWWN tab.


A list of interfaces is displayed. (Figure 14-4).


Figure 14-4 Virtual PWWN Tab View in Device Manager

The Virtual pWWN tab view displays a list of the interfaces.


Step 2 Check the Auto check box to automatically generate the virtual pWWN value for the selected interface.

Note The interface mentioned in the interface value must be in a shut state.

The virtual port WWN value for the selected interface in Fabric Manager is automatically generated.
(Figure 14-5).


Figure 14-5 Virtual pWWN Tab View in Fabric Manager

Note The interface mentioned in the interface value must be in a shut state.

Mapping pWWN to Virtual pWWN


You can configure virtual pWWNs through real pWWNs. This process is required for NPIV hosts
containing multiple pWWNs, of which only FLOGI is mapped to the virtual pWWN. Subsequent
FDSIDs will have different mappings.
Several checks are done by the NPV core to ensure the uniqueness of virtual pWWNs in the switch across
the NPV switches. When duplicate virtual pWWNs are configured, the subsequent logins are rejected by
the NPV core switch.
To map pWWN to virtual pWWN, follow these steps:

Step 1 In the FlexAttach window, select the Physical to Virtual WWNs tab.
You see the Physical to Virtual WWNs tab view as shown in Figure 14-6.


Figure 14-6 Physical to Virtual WWNs Tab View in Device Manager

The LastChange field displays the time when the virtual pWWN was changed.

Note The interface must be in a shut state and the specified Virtual pWWN should not be logged in.

Figure 14-7 shows the Physical to Virtual pWWNs tab view in Fabric Manager.

Figure 14-7 Physical to Virtual pWWNs Tab View in Fabric Manager

Note The specified virtual pWWN and the real pWWN must not be logged in.


Debugging FlexAttach Virtual pWWN


Table 14-1 lists the errors that might be displayed and provides the workarounds.

Table 14-1 FlexAttach Errors and Workarounds

| Error | Description | Workaround |
|---|---|---|
| fc1/1 : interface is not down | FlexAttach configuration fails because the configuration is enabled for an active interface with the operation state as up. | Move the port to the shut state, enable the FlexAttach configuration, and then move the port to the no shut state. |
| FlexAttach configuration is not distributed to the peers | The FlexAttach configuration on one peer NPV is not available to any other peer NPV. | FlexAttach configuration will not be distributed if cfs ipv4 distribute, or cfs ipv6 distribute is disabled. Enable cfs ipv4 distribute, or cfs ipv6 distribute. |
| Even with CFS distribution enabled Inagua does not become a peer with other NPVs | CFS over IP is enabled, and the Inagua in one blade center is not the peer NPV for other NPVs. | CFS over IP uses IP multicast to discover the NPV peers in the network. IBM MM does not support multicast and cannot act as a peer with NPV. This prevents the FlexAttach configuration from getting distributed to other peer NPVs in the network. |
| NP port uses physical pWWN instead of virtual pWWN configured through FlexAttach | This occurs when the NP port uses the physical pWWN instead of the virtual pWWN that is configured through FlexAttach. | FlexAttach is supported on server interfaces like F ports, and not on external interfaces such as NP ports. |
| real port WWN and virtual WWN cannot be same | This occurs when you try to configure FlexAttach with a similar value for pWWN and virtual pWWN. | Use different values for pWWN and virtual pWWN, as similar values for pWWN and virtual pWWN are not allowed. |
| Virtual port WWN already exists | This occurs when you try to configure an already defined pWWN to a different interface. | Use an undefined virtual pWWN for a new interface. |
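
Several of the errors in Table 14-1, together with the requirement that virtual WWNs be unique across the fabric, can be caught before a change is applied. The following pre-flight check is an added example, not Cisco code or part of the original guide; the row fields (switch, interface, oper_state, mode, vpwwn), the function names, and all WWN values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# A WWN is written as 8 colon-separated hex bytes.
WWN_RE = re.compile(r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}")
# Value the guide uses to clear a manual vPWWN before switching to Auto.
UNSET_VPWWN = "00:00:00:00:00:00:00:00"


def normalize_wwn(text):
    """Return the WWN lower-cased, or None if it is not 8 hex bytes."""
    wwn = text.strip().lower()
    return wwn if WWN_RE.fullmatch(wwn) else None


def check_flexattach_plan(interfaces, pwwn_map):
    """Check a planned FlexAttach change against the rules in the guide.

    interfaces: rows with hypothetical keys switch, interface,
                oper_state ("up"/"down"), mode ("auto"/"manual"), vpwwn.
    pwwn_map:   (real pWWN, virtual pWWN) pairs for the mapping table.
    Returns a list of (location, message) findings; empty means clean.
    """
    findings = []
    owners = defaultdict(list)  # virtual pWWN -> locations that claim it

    for row in interfaces:
        where = f"{row['switch']} {row['interface']}"
        # The port must be in a shut state when the virtual pWWN is enabled.
        if row["oper_state"] != "down":
            findings.append((where, "interface is not down"))
        if row["mode"] != "manual":
            continue  # auto mode: the switch generates the value
        vpwwn = normalize_wwn(row["vpwwn"])
        if vpwwn is None:
            findings.append((where, "malformed WWN"))
        elif vpwwn != UNSET_VPWWN:
            owners[vpwwn].append(where)

    for pwwn_text, vpwwn_text in pwwn_map:
        where = f"map {pwwn_text}"
        pwwn, vpwwn = normalize_wwn(pwwn_text), normalize_wwn(vpwwn_text)
        if pwwn is None or vpwwn is None:
            findings.append((where, "malformed WWN"))
            continue
        if pwwn == vpwwn:
            findings.append(
                (where, "real port WWN and virtual WWN cannot be same"))
        owners[vpwwn].append(where)

    # Virtual WWNs must be unique across the fabric, so compare across
    # every switch and the mapping table, not per switch.
    for vpwwn, places in sorted(owners.items()):
        for where in places[1:]:
            findings.append((where, "Virtual port WWN already exists"))
    return findings


# Constructed sample plan (not taken from any real fabric).
SAMPLE_INTERFACES = [
    {"switch": "npv-a", "interface": "fc1/1", "oper_state": "up",
     "mode": "auto", "vpwwn": UNSET_VPWWN},
    {"switch": "npv-a", "interface": "fc1/2", "oper_state": "down",
     "mode": "manual", "vpwwn": "20:AA:00:05:30:00:00:01"},
    {"switch": "npv-b", "interface": "fc1/5", "oper_state": "down",
     "mode": "manual", "vpwwn": "20:aa:00:05:30:00:00:01"},
    {"switch": "npv-b", "interface": "fc1/6", "oper_state": "down",
     "mode": "manual", "vpwwn": UNSET_VPWWN},
]
SAMPLE_MAP = [
    ("21:00:00:e0:8b:00:00:0a", "20:aa:00:05:30:00:00:02"),
    ("21:00:00:e0:8b:00:00:0b", "21:00:00:e0:8b:00:00:0b"),
]

if __name__ == "__main__":
    for location, message in check_flexattach_plan(SAMPLE_INTERFACES,
                                                   SAMPLE_MAP):
        print(f"{location}: {message}")
```

The check only covers conditions that can be decided from the plan itself; CFS distribution state and multicast reachability between NPV peers still have to be verified on the switches.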

Security Settings for FlexAttach Virtual pWWN


Security settings for the FlexAttach virtual pWWN feature are done by port security at the NPV core.
Node WWN of the end device is used to provide physical security.
For more details on enabling port security, see Chapter 46, Configuring Port Security.


FlexAttach Virtual pWWN CFS Distribution


The FlexAttach virtual pWWN configuration is distributed for CFS through IPv4, and is enabled by
default. The FlexAttach virtual pWWN distribution, by default, is on CFS region 201. CFS region
201 links only to the NPV-enabled switches. Other CFS features, such as syslog, are on region 0. Region 0
will be linked through IPv4 for all NPV switches on the same physical fabric. If CFS has an option to
link through IPv4 or ISL, then CFS will select the ISL path.

Note NPV switches do not have ISL (E or TE ports) and are linked through IPv4.

Using the Server Admin FlexAttach Wizards


In Fabric Manager Release 4.1(1) and later, the Server Admin perspective view of the Fabric Manager
GUI provides the following FlexAttach wizards, which Fabric Manager users with the server-admin role
can use to configure FlexAttach:
Pre-Configuring FlexAttach for a New Server
Moving a Server to Another Port or Switch
Replacing a Server with Another Server
To access the FlexAttach wizards, follow these steps:

Step 1 Log in to Fabric Manager with a username and password that has the server-admin role assigned.
Step 2 Discover and open the fabric on which you want to configure FlexAttach.
Step 3 In the Fabric Manager window displayed, select Tools > FlexAttach to display the list of wizards.
(Figure 14-8).

Figure 14-8 FlexAttach Wizards Menu Bar

Pre-Configuring FlexAttach for a New Server


Using the Pre-configure Server wizard, you can configure FlexAttach for servers that are not physically
available currently. FlexAttach can be enabled on the ports designated for the new servers and can use
the virtual WWNs assigned for configuring SAN. When the new servers are available, the servers can
then be plugged into the fabric without any change needed in the SAN.
The Pre-Configure Server wizard can be used to accomplish the following tasks:
Pre-Configuring FlexAttach for All the Ports
Pre-Configuring FlexAttach for Each Port Individually


Pre-Configuring FlexAttach for All the Ports


Using the Pre-Configure Server Basic configuration wizard, you can set the following port
configurations for all the ports in one or more switches in common:
Enable or disable FlexAttach Auto on all ports
Set the default VSAN ID for all the ports
Set the interface status for all the ports.
To pre-configure a common setting for all the ports in one or more switches, follow these steps:

Step 1 In the Fabric Manager window, select Tools > FlexAttach > Pre-configure Server.
The Pre-Configure Wizard is displayed. (Figure 14-9)

Figure 14-9 Pre-Configure Server Wizard

Step 2 In the Pre-Configure Server window, click the Basic radio button to configure a common setting to all
the ports on one or more switches.
The Basic Configuration window is displayed. (Figure 14-10)


Figure 14-10 Pre Configure Server - Basic Configuration

Step 3 In the Basic Configuration window, check the check box to select one or more switches from the list of
NPV switches in the fabric.
Step 4 Check the Enable FlexAttach Auto on every port check box to enable FlexAttach on all the ports of
all the selected switches.
Step 5 (Optional) From the VSAN ID drop-down list, select a VSAN ID to assign the selected VSAN ID to all
the ports.

Note Only the set of VSANs to which all the selected switches belong are listed. If no VSAN ID is
selected, then the existing VSAN configuration is retained.

Step 6 Click the Up or Down radio button to assign the selected interface status.

Note The status of only the F ports in the selected switches will be brought to up or down.

Step 7 Click Finish to pre-configure the selected settings to all the ports on all the selected switches.
The Configuration window is displayed with the finished message. (Figure 14-11)


Figure 14-11 Pre-Configure Server - Finish

Pre-Configuring FlexAttach for Each Port Individually


Using the Pre-Configure Server Advanced configuration wizard, you can set the following port
configurations for each port in one or more switches individually:
Enable FlexAttach Auto on all ports.
Enable FlexAttach Auto or Manual on individual ports.
Set the virtual PWWN for ports where FlexAttach is enabled manually.
Set pWWN to vPWWN mapping.
Set the default VSAN ID for each port.
Set the Interface status for each port.
To pre-configure FlexAttach on each port individually, follow these steps:

Step 1 In the Fabric Manager window, select Tools > FlexAttach > Pre-configure Server.
The Pre-Configure Server window is displayed. (Figure 14-9)
Step 2 In the Pre-Configure Server window, click the Advanced radio button to configure FlexAttach on each
port individually.
The Pre-Configure Server Advanced configuration window is displayed. (Figure 14-12)


Figure 14-12 Pre-Configure Server - Advanced Configuration

Step 3 In the Interface tab, click to select a switch from the list of switches displayed in the left pane.
The switch configuration details are displayed in the right pane with tabs and columns.
Step 4 Configure the following settings, for each interface:
In the Status column corresponding to the interface, double-click and then select up or down from
the drop-down list.
In the VSAN column corresponding to the interface, double-click and then select the VSAN ID from
the drop-down list of existing VSAN IDs.
In the Auto column corresponding to the interface, double-click and then select Auto to
automatically enable FlexAttach or select Manual to manually enable FlexAttach later.
In the Interface vPWWN cell, enter the vPWWN if Manual was selected in the Auto FlexAttach
configuration cell.

Note You can click Set All Auto to change all the interfaces with manual FlexAttach
configuration to Auto on the selected switch. However, if a valid vPWWN value is already
configured, then changing it to Auto does not change the configuration. Before you change
from Manual to Auto, update the Interface vPWWN column with the
00:00:00:00:00:00:00:00 value.


Step 5 Repeat Step 3 through Step 4 for each switch.


Step 6 Click the PWWN to vPWWN tab to configure pWWN to vPWWN mapping.
The Advanced Configuration window is displayed. (Figure 14-13)

Figure 14-13 Pre-Configure Server - PWWN to vPWWN Configuration

Step 7 From the Select Switch drop-down list, select the switch to display the existing pWWN to Virtual
PWWN mapping table for the CFS region to which the switch belongs, and then follow these steps to
add vPWWN to vPWWN automap entries:
a. Click Add Row to display the PWWN to vPWWN dialog box.
b. Enter the pWWN and the corresponding virtual pWWN.
c. Click Create to add the mapping list.

Note To delete an existing mapping, select the row, and then click Delete Row. Only one pWWN to
vPWWN table can be updated at a time. To update the table for each CFS region, perform
Step 6 through Step 8 for a switch from each CFS region.

Step 8 Click Finish to complete the configurations for each port.


Moving a Server to Another Port or Switch


Using the Move Server wizard, you can move a server to another port on the same NPV device or another
NPV device without changing the SAN. This is accomplished by moving the virtual pWWN to the new
port. No change is needed if FlexAttach was configured using the physical port WWN of the server to
the virtual port WWN mapping.
To move a server to a different port in the same switch, or in a different switch, follow these steps:

Step 1 In the Fabric Manager window, select Tools > FlexAttach > Move Server.
The Move Server wizard is displayed. (Figure 14-14)

Figure 14-14 Move Server Wizard

Step 2 In the Move Server window, click the Another Port on the Same Switch radio button or click the
Another Port on a Different Switch radio button.
Step 3 Click Next.
The Move Port window is displayed. (Figure 14-15)


Figure 14-15 Move Port Selection

Step 4 From the Select a Switch drop-down list, select the switch.
The switch ports are listed. To support moving a server from a failed port that is in down state, the ports
in down state are also listed.
Step 5 From the list of interfaces, select the port from which you want to move the server.
Step 6 Click Next.
The New Port window is displayed. (Figure 14-16)

Figure 14-16 New Port Selection

Step 7 From the Select a Switch drop-down list box, select the switch.

Note If the Another Port on the Same Switch radio button was chosen, then the Select Switch
drop-down list is disabled.

Step 8 From the list of interfaces, select the port to which you want to move the server.
Step 9 Click Next.
The Server WWN window is displayed. (Figure 14-17)

Figure 14-17 Existing Server Virtual Port WWN Entry

Step 10 In the Server WWN window, enter the existing server virtual port WWN to be moved.
Step 11 Click Finish.

Replacing a Server with Another Server


You can use the Replace Server wizard to accomplish the following tasks:
Replace a failed server with a new server onto the same port without changing the SAN. The new
server gets the same virtual pWWN as the failed server because the virtual pWWN is assigned to
the port.
Replace a server with a spare server on the same NPV device or a different NPV device, which can
be brought online without changes to the SAN. This is achieved by moving the virtual port WWN
from the current server port to the spare port.

Replacing a Server on the Same Port


To replace a failed server with a new server on the same port, follow these steps:

Step 1 In the Fabric Manager window, select Tools > FlexAttach > Replace Server.
The Replace Failed Server window is displayed. (Figure 14-18)

Figure 14-18 Replace Server Wizard

Step 2 In the Replace Server Wizard, click the On Same Port radio button.
Step 3 Click Next.
The Failed Port window is displayed. (Figure 14-19)

Figure 14-19 Failed Port Selection

Step 4 In the Failed Port selection window, from the Select a Switch drop-down list, select the switch.
Step 5 From the list of interfaces displayed, select the port on which the server needs to be replaced.
Step 6 Click Next.
The Server WWN window is displayed. (Figure 14-20)

Figure 14-20 Server WWN Entries

Step 7 In the Server WWN window, enter the existing FlexAttach server virtual port WWN to be replaced, and
the new server physical port WWN.
Step 8 Click Finish to complete the FlexAttach configuration for the new server.

Replacing the Server to a Different Port on the Same Switch


To replace a server with a spare server on a different port in the same switch, follow these steps:

Step 1 In the Fabric Manager window, select Tools > FlexAttach > Replace Server.
The Replace Failed Server wizard is displayed. (Figure 14-18)
Step 2 In the Replace Failed Server wizard, click the With Spare Server on Same NPV Switch radio button.
Step 3 Click Next.
The Choose Failed Port window is displayed. (Figure 14-19)
Step 4 In the Choose Failed Port selection window, from the Select a Switch drop-down list, select the switch.
Step 5 From the list of interfaces displayed, select the port from which the server needs to be detached.
Step 6 Click Next.

The New Port window is displayed. (Figure 14-16)


Step 7 In the New Port selection window, select the port on which the spare server is connected.
Step 8 Click Next.
The Server WWN window is displayed. (Figure 14-21)

Figure 14-21 Server WWN Entries

Step 9 In the Server WWN window displayed, enter the existing FlexAttach server virtual port WWN to be
replaced, and the new server physical port WWN.
Step 10 Check the Allow wizard to change from pWWN to vPWWN mapping to interface to vPWWN
mapping check box to remove the pWWN to vPWWN entry from the CFS Region mapping table, and
configure the mapping only at the interface.
Step 11 Click Finish to complete the FlexAttach configuration for the spare server.

Replacing with a Server on a Different Switch


To replace a server with a spare server on a different switch, follow these steps:

Step 1 In the Fabric Manager window, select Tools > FlexAttach > Replace Server.
The Replace Server wizard is displayed. (Figure 14-18)

Step 2 In the Replace Server wizard, click the With Spare Server on a Different NPV switch radio button.
Step 3 Click Next.
The Failed Server Port window is displayed. (Figure 14-19)
Step 4 In the Failed Server Port selection window, from the Select a Switch drop-down list, select the switch.
Step 5 From the list of interfaces displayed, select the port from which the server needs to be detached.
Step 6 Click Next.
The New Port window is displayed. (Figure 14-16)
Step 7 In the New Port selection window, select the switch and the port on which the spare server is connected.
Step 8 Click Next.
The Server WWN window is displayed. (Figure 14-21)
Step 9 In the Server WWN window displayed, enter the existing FlexAttach server virtual port WWN to be
replaced, and the new server physical port WWN.
Step 10 Check the Allow wizard to change from pWWN to vPWWN mapping to interface to vPWWN
mapping check box to remove the pWWN to vPWWN entry from the CFS Region mapping table, and
configure the mapping only at the interface.
Step 11 Click Finish to complete the FlexAttach configuration for the spare server.

Difference Between SAN Device Virtualization and FlexAttach Port Virtualization

Table 14-2 describes the difference between SAN device virtualization (SDV) and FlexAttach port
virtualization.

Table 14-2 Difference Between SDV and FlexAttach Virtualization

| SAN Device Virtualization (SDV) | FlexAttach Virtualization |
|---|---|
| Facilitates target and disk management, and only facilitates disk and data migration. | Facilitates server management and has no restriction on the end devices used. |
| WWN NAT and Fibre Channel ID (FC-ID) are allocated on the virtual device, both primary and secondary. | WWN and Network Address Transport (NAT) is allocated to host bus adapter (HBA). |
| FC-ID rewrite on the switch indicates a rewrite-capable switch on the path. | No rewrite requirements. |
| Configuration is distributed. This allows programming rewrites and connectivity anywhere. | Configuration distribution is not required for any of the interface-based configurations. |
| Configuration is secured to device alias. | Does not require device alias for virtual pWWN. |
| Does not allow automapping to the secondary device. | Allows automapping to the new HBA. Mapping process is manual for NPIV. |

CHAPTER 15
Software Images

This chapter describes how to install and upgrade Cisco MDS software images. It includes the following
sections:
About Software Images
Essential Upgrade Prerequisites
Software Upgrade Methods
Automated Upgrades
Using the Software Install Wizard
Nondisruptive Upgrades on Fabric and Modular Switches
Maintaining Supervisor Modules
Installing Generation 2 Modules in Generation 1 Chassis
Replacing Modules
Default Settings

About Software Images


Each switch is shipped with a Cisco MDS NX-OS or SAN-OS operating system for Cisco MDS 9000
Family switches. The Cisco MDS NX-OS consists of two images: the kickstart image and the system
image. To upgrade the switch to a new image, you must specify the variables that direct the switch to the
images.
To select the kickstart image, use the KICKSTART variable.
To select the system image, use the SYSTEM variable.
The images and variables are important factors in any install procedure. You must specify the variable
and the image to upgrade your switch. Both images are not always required for each install.

Note Unless explicitly stated, the software install procedures in this chapter apply to any switch in the Cisco
MDS 9000 Family.

Dependent Factors for Software Installation


The software image install procedure is dependent on the following factors:

Software images: The kickstart and system image files reside in directories or folders that can be accessed from the Cisco MDS 9000 Family switch prompt.
Image version: Each image file has a version.
Flash disks on the switch: The bootflash: resides on the supervisor module and the CompactFlash disk is inserted into the slot0: device.
Supervisor modules: There are single or dual supervisor modules.

Selecting the Correct Software Images for Cisco MDS 9100 Series Switches
The Supervisor-1 and Supervisor-2 modules supported by Cisco MDS 9100 Series switches require
different system and kickstart images. You can determine which images to use on your switch by the
naming conventions shown in Table 15-1.

Table 15-1 Supervisor Module Software Image Naming Conventions for MDS 9100 Series

| Cisco MDS 9100 Series Switch Type | Supervisor Module Type | Naming Convention |
|---|---|---|
| 9124, 9134, Cisco Fabric Switch for HP c-Class BladeSystem, Cisco Fabric Switch for IBM BladeCenter | Supervisor-2 module | Filename begins with m9100-s2ek9 |

Selecting the Correct Software Images for Cisco MDS 9200 Series Switches
The Supervisor-1 and Supervisor-2 modules supported by Cisco MDS 9200 Series switches require
different system and kickstart images. You can determine which images to use on your switch by the
naming conventions shown in Table 15-2.

Table 15-2 Supervisor Module Software Image Naming Conventions for MDS 9200 Series

| Cisco MDS 9200 Series Switch Type | Supervisor Module Type | Naming Convention |
|---|---|---|
| 9222i | Supervisor-2 module | Filename begins with m9200-s2ek9 |
| 9216, 9216A or 9216i | Supervisor-1 module | Filename begins with m9200-s1ek9 |

Selecting the Correct Software Images for Cisco MDS 9500 Family Switches
The Supervisor-1 and Supervisor-2 modules supported by Cisco MDS 9500 Family switches require
different system and kickstart images. You can determine which images to use on your switch by the
naming conventions shown in Table 15-3.

Table 15-3 Supervisor Module Software Image Naming Conventions for MDS 9500 Series

| Cisco MDS 9500 Series Switch Type | Supervisor Module Type | Naming Convention |
|---|---|---|
| 9513 | Supervisor-2 module | Filename begins with m9500-sf2ek9 |
| 9506 or 9509 | Supervisor-2 module | Filename begins with m9500-sf2ek9 |

Essential Upgrade Prerequisites


Note During a software upgrade to Cisco SAN-OS 3.1(3), the CompactFlash CRC Checksum test runs
automatically in the background. All modules that are online are tested and the installation stops if any
modules are running with a faulty CompactFlash. When this occurs, the switch cannot be upgraded until
the situation is corrected. A system message displays the module information and indicates that you must
issue the system health cf-crc-check module CLI command to troubleshoot. For complete
configuration information about the CompactFlash CRC checksum test feature, refer to the Cisco MDS
9000 Family CLI Configuration Guide. For descriptions of new commands supported by the
CompactFlash checksum feature, refer to the Cisco MDS 9000 Family Command Reference.

Before attempting to migrate to any software image version, follow these guidelines:
Customer Service
Before performing any software upgrade, contact your respective customer service representative to
review your software upgrade requirements and to provide recommendations based on your current
operating environment.

Note If you purchased Cisco support through a Cisco reseller, contact the reseller directly. If you
purchased support directly from Cisco Systems, contact Cisco Technical Support at this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Scheduling
Schedule the upgrade when the fabric is stable and steady. Ensure that everyone who has access to
the switch or the network is not configuring the switch or the network during this time. All
configurations are disallowed at this time.
Space
Verify that sufficient space is available in the location where you are copying the images. This
location includes the active and standby supervisor module bootflash: (internal to the switch).
Standby supervisor module bootflash: file system (see Chapter 12, Initial Configuration).
Internal bootflash: offers approximately 200 MB of user space.
Hardware
Avoid power interruption during any install procedure. These kinds of problems can corrupt the
software image.
Connectivity (to retrieve images from remote servers)
Configure the IPv4 address or IPv6 address for the 10/100/1000 BASE-T Ethernet port
connection (interface mgmt0).

Note 1000 BASE-T Ethernet is only available on Supervisor-2 modules.

Ensure the switch has a route to the remote server. The switch and the remote server must be in
the same subnetwork if you do not have a router to route traffic between subnets.
Images
Ensure that the specified system and kickstart images are compatible with each other.
If the kickstart image is not specified, the switch uses the current running kickstart image.
If you specify a different system image, ensure that it is compatible with the running kickstart
image.
Retrieve images in one of two ways:
Local file: Images are locally available on the switch.
Network file: Images are in a remote location and the user specifies the destination using the
remote server parameters and the file name to be used locally.
Terminology
Table 15-4 summarizes terms used in this chapter with specific reference to the install and upgrade
process.

Table 15-4 Terms Specific to This Chapter

| Term | Definition |
|---|---|
| bootable | The module's ability to boot or not boot based on image compatibility. |
| impact | The type of software upgrade mechanism: disruptive or nondisruptive. |
| install-type: reset | Resets the module. |
| install-type: sw-reset | Resets the module immediately after switchover. |
| install-type: rolling | Upgrades each module in sequence. |
| install-type: copy-only | Updates the software for BIOS, loader, or bootrom. |

Tools
Verify connectivity to the remote server by clicking Verify Remote Server in the Software
Install Wizard in Fabric Manager.
Ensure that the required space is available for the image files to be copied by using Software
Install Wizard to check free disk space.
We recommend the Software Install Wizard in Fabric Manager to upgrade your software. This
wizard upgrades all modules in any Cisco MDS 9000 Family switch (see the "Benefits of Using
the Software Install Wizard" section on page 15-6).
Run only one installation on a switch at any time.
Do not issue another command while running the installation.
Do the installation on the active supervisor module, not the standby supervisor module.

Note If the switching module(s) are not compatible with the new supervisor module image, some
traffic disruption may be noticed in the related modules, depending on your configuration.
These modules are identified in the summary when you use the Installation Wizard. You can
choose to proceed with the upgrade or end at this point.

Note The Software Install Wizard displays a summary of changes that are made to your
configuration.

Note Prior to Cisco SAN-OS Release 3.0, to preserve the FC IDs in your configuration, verify that the
persistent FC ID feature is enabled before rebooting. This feature is enabled by default. In earlier
releases, the default is disabled. See the FC IDs section on page 25-16.

Software Upgrade Methods


You can upgrade software without any disruptions using the Cisco MDS NX-OS software designed for
mission-critical high availability environments. To realize the benefits of nondisruptive upgrades on the
Cisco MDS 9500 Directors, we highly recommend that you install dual supervisor modules.
You can upgrade any switch in the Cisco MDS 9000 Family using one of the following methods:
Automatic: You can use the Fabric Manager Software Install Wizard for Cisco MDS NX-OS
switches as described in the "Using the Software Install Wizard" section on page 15-8.
Manual: For information on manual upgrades, see the Cisco MDS 9000 Family CLI Configuration
Guide or the Cisco MDS 9020 Switch Configuration Guide and Command Reference.
In some cases, regardless of which process you use, the software upgrades may be disruptive. These
exception scenarios can occur under the following conditions:
A single supervisor module system with kickstart or system image changes.
A dual supervisor module system with incompatible system software images.

Note For high availability, you need to connect the Ethernet port for both active and standby
supervisors to the same network or virtual LAN. The active supervisor owns the one IP address
used by these Ethernet connections. On a switchover, the newly activated supervisor takes over
this IP address.

Determining Software Compatibility


If the running image and the image you want to install are incompatible, the software reports the
incompatibility. In some cases, you may decide to proceed with this installation. If the active and the
standby supervisor modules run different versions of the image, both images may be HA compatible in
some cases and incompatible in others.
Compatibility is established based on the image and configuration:
Image incompatibility: The running image and the image to be installed are not compatible.

Configuration incompatibility: There is a possible incompatibility if certain features in the running
image are turned off as they are not supported in the image to be installed. The image to be installed
is considered incompatible with the running image if one of the following statements is true:
An incompatible feature is enabled in the image to be installed and it is not available in the
running image and may cause the switch to move into an inconsistent state. In this case, the
incompatibility is strict.
An incompatible feature is enabled in the image to be installed and it is not available in the
running image and does not cause the switch to move into an inconsistent state. In this case, the
incompatibility is loose.

Tip The Software Install Wizard compares and presents the results of the compatibility before proceeding
with the installation. You can exit if you do not want to proceed with these changes.

Automated Upgrades
The Software Install Wizard upgrades all modules in any Cisco MDS 9000 Family switch. Figure 15-1
provides an overview of the switch status before and after using Software Install Wizard.

Figure 15-1 The Effect of the Software Install Wizard

[Figure: a Cisco MDS 9500 Series switch upgraded with install all from 2.1(2b) to 3.0(1). Before the install all command is issued, Slot 5 holds the active supervisor module and Slot 6 the standby supervisor module, both at 2.1(2b). After the install all command completes, Slot 5 holds the standby supervisor module and Slot 6 the active supervisor module, both at 3.0(1).]

The Software Install Wizard automatically verifies if the standby supervisor module is functioning (if
present). If it is not functioning, it reloads that module and uses the force download option to force it
to function.

Benefits of Using the Software Install Wizard


The Software Install Wizard provides the following benefits:
You can upgrade the entire switch using just one procedure command.
You can receive descriptive information on the intended changes to your system before you continue
with the installation.
You can upgrade the entire switch using the least disruptive procedure.
You can see the progress of this command on the console, Telnet, and SSH screens:

After a switchover process, you can see the progress from both the supervisor modules.
Before a switchover process, you can only see the progress from the active supervisor module.
The Software Install Wizard automatically checks the image integrity. This includes the running
kickstart and system images.
The Software Install Wizard performs a platform validity check to verify that a wrong image is not
used. For example, it checks whether an MDS 9500 Series image is being used inadvertently to
upgrade an MDS 9200 Series switch.
After issuing the installation, if any step in the sequence fails, the wizard completes the step in
progress and ends.
For example, if a switching module fails to be updated for any reason (for example, due to an
unstable fabric state), then the command sequence disruptively updates that module and ends. In
such cases, you can verify the problem on the affected switching module and upgrade the other
switching modules.

Recognizing Failure Cases


The following situations cause the installation to end:
If the standby supervisor module bootflash: file system does not have sufficient space to accept the
updated image.
If the specified system and kickstart images are not compatible.
If the fabric or switch is configured while the upgrade is in progress.
If a module is removed while the upgrade is in progress.
If the switch has any power disruption while the upgrade is in progress.
If the entire path for the remote location is not specified accurately.
If images are incompatible after an upgrade. For example, a switching module image may be
incompatible with the system image, or a kickstart image may be incompatible with a system image.
This is also identified by the Software Install Wizard compatibility check.

Caution If the installation is ended, be sure to verify the state of the switch at every stage and reissue the
command after 10 seconds. If you reissue the installation within the 10-second span, it is rejected with
an error message indicating that an installation is currently in progress.

Tip All configurations are disallowed while the installation is in progress. However, configurations coming
through the CFS applications are allowed and may affect the upgrade procedure.
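
Several of the failure cases above (wrong platform image, mismatched kickstart and system images, an incomplete remote path, too little bootflash space on either supervisor) can be caught from the upgrade plan before the wizard is started. The following is an added example, not Cisco code: the file-name layout after the documented prefix, the list of remote schemes, the equal-version rule and all sample values are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Filename prefixes taken from Tables 15-1 to 15-3 of this chapter.
PREFIX_BY_MODEL = {
    "9124": "m9100-s2ek9", "9134": "m9100-s2ek9", "9222i": "m9200-s2ek9",
    "9216": "m9200-s1ek9", "9216A": "m9200-s1ek9", "9216i": "m9200-s1ek9",
    "9506": "m9500-sf2ek9", "9509": "m9500-sf2ek9", "9513": "m9500-sf2ek9",
}
LOCAL_DEVICES = {"bootflash", "slot0"}           # devices named in this chapter
REMOTE_SCHEMES = {"tftp", "ftp", "scp", "sftp"}  # assumption: accepted transfer schemes
# Assumption: files are named <prefix>-mz.<version>.bin (system) and
# <prefix>-kickstart-mz.<version>.bin (kickstart); the page gives only the prefix.
IMAGE_RE = re.compile(
    r"^(?P<prefix>[a-z0-9]+-[a-z0-9]+)-(?P<kick>kickstart-)?mz\.(?P<version>.+)\.bin$"
)


@dataclass
class UpgradePlan:
    model: str
    system_uri: Optional[str] = None
    kickstart_uri: Optional[str] = None
    image_sizes: Dict[str, int] = field(default_factory=dict)  # URI -> size in bytes
    active_free: int = 0                # free bytes on the active bootflash:
    standby_free: Optional[int] = None  # None means no standby supervisor


def parse_image_uri(uri: str):
    """Return (is_remote, file_name, error) for one image location."""
    parts = urlparse(uri)
    scheme = parts.scheme.lower()
    name = parts.path.rsplit("/", 1)[-1]
    if scheme in LOCAL_DEVICES:
        return False, name, None if name else f"{uri}: no file name after the device"
    if scheme in REMOTE_SCHEMES:
        if not parts.hostname or not name:
            return True, name, f"{uri}: remote path is incomplete (server and file needed)"
        return True, name, None
    return False, name, f"{uri}: unrecognised image location"


def preflight(plan: UpgradePlan) -> List[str]:
    """Return the findings that would end the installation; an empty list means go."""
    expected = PREFIX_BY_MODEL.get(plan.model)
    if expected is None:
        return [f"model {plan.model}: not listed in Tables 15-1 to 15-3"]
    slots = {"system": plan.system_uri, "kickstart": plan.kickstart_uri}
    if not any(slots.values()):
        return ["no image specified: each switch needs at least one image"]
    findings, versions, needed = [], {}, 0
    for slot, uri in slots.items():
        if not uri:
            continue
        remote, name, error = parse_image_uri(uri)
        if error:
            findings.append(error)
            continue
        m = IMAGE_RE.match(name)
        if m is None:
            findings.append(f"{name}: unexpected image file name")
            continue
        if m["prefix"] != expected:
            findings.append(f"{name}: wrong platform, {plan.model} needs {expected}")
        if bool(m["kick"]) != (slot == "kickstart"):
            findings.append(f"{name}: not a {slot} image")
        versions[slot] = m["version"]
        if remote:  # only images that still have to be copied use bootflash space
            if uri not in plan.image_sizes:
                findings.append(f"{name}: size unknown, cannot check bootflash space")
            needed += plan.image_sizes.get(uri, 0)
    # Assumption: equal version strings stand in for kickstart/system compatibility;
    # the switch's own compatibility check stays authoritative.
    if len(versions) == 2 and versions["system"] != versions["kickstart"]:
        findings.append(f"system {versions['system']} and kickstart "
                        f"{versions['kickstart']} versions differ")
    for role, free in (("active", plan.active_free), ("standby", plan.standby_free)):
        if free is not None and needed > free:
            findings.append(f"{role} bootflash: needs {needed} bytes, {free} free")
    return findings


# Constructed sample plans: server address, versions and sizes are made up.
MB = 1024 * 1024
SRV = "tftp://192.0.2.10/mds/"
SYS95 = SRV + "m9500-sf2ek9-mz.4.1.3a.bin"
KICK95 = SRV + "m9500-sf2ek9-kickstart-mz.4.1.3a.bin"
KICK92 = SRV + "m9200-s2ek9-kickstart-mz.4.1.1b.bin"
GOOD = UpgradePlan("9509", SYS95, KICK95, {SYS95: 80 * MB, KICK95: 20 * MB},
                   active_free=150 * MB, standby_free=120 * MB)
# 9500 system image on a 9200, mixed versions, too little bootflash space.
BAD = UpgradePlan("9222i", SYS95, KICK92, {SYS95: 90 * MB, KICK92: 20 * MB},
                  active_free=100 * MB)

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, preflight(plan) or "ready to install")
```

An empty result only means the plan passed these static checks; the wizard's version check and image integrity check still run on the switch.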

Using the Software Install Wizard


You can use the Software Install Wizard to install Cisco NX-OS images on supported switches.

Note The Software Install Wizard supports installation and upgrade for Cisco MDS 9020 Fabric Switch or
Cisco FabricWare. For successful installation and upgrade, specify the TFTP server address that the
Cisco MDS 9020 Fabric Switch should use.

Note Before you use this wizard, be sure the standby supervisor management port is connected.

To use the Software Install Wizard, follow these steps:

Step 1 Click the Software Install Wizard icon in the toolbar (see Figure 15-2).

Figure 15-2 Software Install Wizard Icon

You see the Select Switches dialog box with all switches selected by default.

Figure 15-3 Select Switches Dialog Box

Step 2 Deselect the check box for each switch on which you do not want to install images. You must have
at least one switch selected to proceed (see Figure 15-3).
Step 3 Click Next when finished.
Step 4 (Optional) Check the Skip Image Download check box and click Next to use images that are already
downloaded (the file is already on the bootflash). Proceed to Step 7.
You see the Specify Software Image(s) by Model Dialog Box shown in Figure 15-4.

Figure 15-4 Specify Software Image(s) by Model Dialog Box

Step 5 Click the row under the System, Kickstart, ASM-SFN, or SSI columns to enter image URIs. You must
specify at least one image for each switch to proceed.
Step 6 Click Next.
You see the Check Flash Free Space dialog box (see Figure 15-5). This dialog box shows the active (and
standby, if applicable) bootflash space on each switch, and shows the status (whether there is enough
space for the new images). If any switch has insufficient space, you cannot proceed. Deselect the switch
without enough bootflash by going back to the first screen and unchecking the check box for that switch.

Figure 15-5 Check Flash Free Space Dialog Box

Step 7 Click Next.

You see the Start Install dialog box shown in Figure 15-6.

Figure 15-6 Start Install Dialog Box

Note There is no limit on the number of switches you can upgrade. However, the upgrade is a serial
process; that is, only a single switch is upgraded at a time.

Step 8 (Optional) Check the Ignore version check results check box to bypass a version check.
Step 9 (Optional) Check the Ignore Actual Install and only do Version Check check box to perform a version
check.
You see the Version Check Results dialog box shown in Figure 15-7.

Figure 15-7 Version Check Results Dialog box

Note The version check provides information about the impact of the upgrade for each module on the
switch. It also shows any HA-related incompatibilities that might result. You see a final dialog
box at this stage, prompting you to confirm that this check should be performed. We recommend
that you do not ignore the version check results.

Caution If Ignore version check results is checked, the upgrade will proceed even if the current
switch version is newer than the version you are installing.

Step 10 Click Yes to upgrade.


Step 11 Click Finish to start the installation.
You see the Download and Install Status dialog box shown in Figure 15-8.

Figure 15-8 Download and Install Status Dialog Box

Note On hosts where the TFTP server cannot be started, a warning is displayed. The TFTP server may
not start because an existing TFTP server is running or because access to the TFTP port 69 has
been denied for security reasons (the default setting on Linux). In these cases, you cannot
transfer files from the local host to the switch.

Note Before exiting the session, be sure the upgrade process is complete. The wizard will display a
status as it goes along. Check the lower left-hand corner of the wizard for the status message
Upgrade Finished. First, the wizard displays the message Success followed a few seconds later
by InProgress Polling. Then the wizard displays a second message Success before displaying the
final Upgrade Finished.

Upgrading Services Modules


Any Fibre Channel switching module supports nondisruptive upgrades. The 14/2-port Multiprotocol
Services (MPS-14/2) module supports nondisruptive upgrades for the Fibre Channel ports. Any
software upgrade for the two Gigabit Ethernet ports in this module is disruptive. See Chapter 52,
Configuring IP Storage for more information on MPS-14/2 modules.

Caution Any software upgrade for the Caching Services Module (CSM) and the IP Storage (IPS) services
modules is disruptive.

CSMs and IPS modules use a rolling upgrade install mechanism to guarantee a stable state for each
module in the switch:

Each IPS module in a switch requires a 5-minute delay before the next IPS module is upgraded. See
Chapter 52, Configuring IP Storage for more information on IPS modules.
Each CSM module requires a 30-minute delay before the next CSM module is upgraded. See the
Cisco MDS 9000 Family SAN Volume Controller Configuration Guide for more information on
CSMs.

Nondisruptive Upgrades on Fabric and Modular Switches


This section describes how to perform nondisruptive upgrades on the following Cisco Fabric Switches:
- Cisco MDS 9124 Multilayer Fabric Switch
- Cisco MDS 9134 Multilayer Fabric Switch
- Cisco MDS 9222i Multiservice Modular Switch
- Cisco Fabric Switch for HP c-Class BladeSystem
- Cisco Fabric Switch for IBM BladeCenter
This section includes the following topics:
- Preparing for a Nondisruptive Upgrade on Fabric and Modular Switches
- Performing a Nondisruptive Upgrade on a Fabric Switch

Preparing for a Nondisruptive Upgrade on Fabric and Modular Switches


You can use the Software Install Wizard to upgrade the system software images on the following
switches without disruption:
- Cisco MDS 9124 Multilayer Fabric Switch
- Cisco MDS 9134 Multilayer Fabric Switch
- Cisco MDS 9222i Multiservice Modular Switch
- Cisco Fabric Switch for HP c-Class BladeSystem
- Cisco Fabric Switch for IBM BladeCenter
When completed, the supervisor kickstart image, the supervisor system image, the linecard image, and
the system BIOS are all updated.
Nondisruptive upgrades on these fabric switches take down the control plane for not more than 80
seconds. In some cases, when the upgrade has progressed past the point at which it cannot be stopped
gracefully, or if a failure occurs, the software upgrade may be disruptive.

Note During the upgrade the control plane is down, but the data plane remains up. So new devices will be
unable to log in to the fabric via the control plane, but existing devices will not experience any disruption
of traffic via the data plane.

Before attempting to upgrade any software images on these fabric switches, follow these guidelines:
- During the upgrade, the fabric must be stable. None of the following configuration activities are
  allowed:
  - Zoning changes
  - Telnet sessions
  - Schedule changes
  - Switch cabling
  - Addition or removal of physical devices
- Configure the FSPF timers to the default value of 20 seconds.
- If there are any CFS commits pending in the fabric, the upgrade is aborted.
- If there is a zone server merge in progress, the upgrade is aborted.
- Check whether there is sufficient space available in the system to load the new images using the
  Software Install Wizard. At this point you need to either abort the upgrade or proceed with a
  disruptive upgrade.
- On the Cisco MDS 18/4-port multiservice module, upgrades of the 4-Gigabit Ethernet ports for the
  hybrid Supervisor 18/4 line card will be disruptive.

Performing a Nondisruptive Upgrade on a Fabric Switch


- Cisco MDS 9124 Multilayer Fabric Switch
- Cisco MDS 9134 Multilayer Fabric Switch
- Cisco MDS 9222i Multiservice Modular Switch
- Cisco Fabric Switch for HP c-Class BladeSystem
- Cisco Fabric Switch for IBM BladeCenter
You can use the Software Install Wizard to perform nondisruptive upgrades on Cisco MDS 9124 Fabric
Switches. See the "Using the Software Install Wizard" section on page 15-8 for more information on using
the Software Install Wizard.

Caution It is recommended that you enable port-fast on the Ethernet interface of the Catalyst switch to which the
management interface of the fabric switch is connected. This avoids spanning-tree convergence time
on the Catalyst switch, so that packets from the fabric switch are forwarded immediately during the
nondisruptive upgrade.

Note When selecting images during the upgrade, ASM-SFN and SSI are not supported on the Cisco MDS
9124 Switch and the Cisco MDS 9134 Multilayer Fabric Switch.

Maintaining Supervisor Modules


This section includes general information about replacing and using supervisor modules effectively.
This section includes the following topics:
- Replacing Supervisor Modules
- Migrating from Supervisor-1 Modules to Supervisor-2 Modules
- Standby Supervisor Module Boot Variable Version
- Standby Supervisor Module Bootflash Memory
- Standby Supervisor Module Boot Alert

Replacing Supervisor Modules


To avoid packet loss when removing a supervisor module from a Cisco MDS 9500 Series Director, take
the supervisor modules out of service before removing the supervisor module.

Note You must remove and reinsert or replace the supervisor module to bring it into service.

Migrating from Supervisor-1 Modules to Supervisor-2 Modules


Cisco MDS NX-OS Release 4.1(1a) requires Supervisor-2 modules, both active and standby, on the
Cisco MDS 9509 and 9506 Directors. You must upgrade from Supervisor-1 modules to Supervisor-2
modules before upgrading to MDS NX-OS Release 4.1(1a) or later, using Cisco MDS SAN-OS
Release 3.3(1c) or earlier.
Supervisor-1 modules and Supervisor-2 modules cannot be used in the same switch, except for migration
purposes. Both the active and standby supervisor modules must be of the same type, either Supervisor-1
or Supervisor-2 modules. For Cisco MDS 9513 Directors, both supervisor modules must be Supervisor-2
modules.

Caution Migrating your supervisor modules is a disruptive operation. When migration occurs from a
Supervisor 1 to a Supervisor 2 module, a cold switchover occurs and both modules are reloaded. When
the Supervisor 1 attempts to come up as the standby with the Supervisor 2 as the active supervisor, the
standby is not brought up.

For step-by-step instructions about migrating from Supervisor 1 modules to Supervisor 2 modules, refer
to the Cisco MDS 9000 Family NX-OS and SAN-OS Software Upgrade and Downgrade Guide.

Note Migrating from Supervisor-2 modules to Supervisor-1 modules is not supported.

Standby Supervisor Module Boot Variable Version


If the standby supervisor module boot variable images are not the same version as those running on the
active supervisor module, the software forces the standby supervisor module to run the same version as
the active supervisor module.
If you specifically set the boot variables of the standby supervisor module to a different version and
reboot the standby supervisor module, the standby supervisor module will only load the specified boot
variable if the same version is also running on the active supervisor module. At this point, the standby
supervisor module is not running the images set in the boot variables.

Standby Supervisor Module Bootflash Memory


When updating software images on the standby supervisor module, verify that there is enough space
available for the image. It is a good practice to remove older versions of Cisco MDS NX-OS images and
kickstart images.
To verify the space on the standby supervisor using Device Manager, follow these steps:

Step 1 Click Admin > Flash Files.


Step 2 Select the standby supervisor from the Partition drop-down list.
At the bottom of the Flash Files dialog box, you see the space used and free space.

Standby Supervisor Module Boot Alert


If a standby supervisor module fails to boot, the active supervisor module detects that condition and
generates a Call Home event and a system message and reboots the standby supervisor module
approximately 3 to 6 minutes after the standby supervisor module moves to the loader> prompt.
The following system message is issued:
%DAEMON-2-SYSTEM_MSG:Standby supervisor failed to boot up.

This error message is also generated if one of the following situations applies:
- You remain at the loader> prompt for an extended period of time.
- You do not set the boot variables appropriately.
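
The Python check below is an added example, not code from this guide or from Cisco: it scans switch log lines for the standby boot failure message quoted above and reports switches on which it repeats. The timestamp and hostname layout of the sample lines, the host names, and the 30-minute repeat window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message code and text as quoted in this section.
FAIL_CODE = ("DAEMON", 2, "SYSTEM_MSG")
FAIL_TEXT = "Standby supervisor failed to boot up."

# Assumed line layout: "<YYYY Mon DD HH:MM:SS> <host> %FACILITY-SEVERITY-MNEMONIC:<text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"(?P<host>\S+) +"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<text>.*)$"
)

# Constructed sample input (not captured from a real switch).
SAMPLE_LOG = """\
2009 Mar 12 10:01:22 mds-a %DAEMON-2-SYSTEM_MSG:Standby supervisor failed to boot up.
2009 Mar 12 10:02:10 mds-a %EXAMPLE-5-OTHER_EVENT: unrelated constructed line
2009 Mar 12 10:07:40 mds-a %DAEMON-2-SYSTEM_MSG: Standby supervisor failed to boot up.
2009 Mar 12 11:15:03 mds-b %DAEMON-2-SYSTEM_MSG:Standby supervisor failed to boot up.
2009 Mar 12 11:16:00 mds-b %DAEMON-2-SYSTEM_MSG: unrelated text under the same code
line that does not follow the assumed layout
"""


def find_standby_boot_failures(lines):
    """Return [(timestamp, host)] for every standby boot failure message."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed layout; skipped, never guessed at
        code = (m["facility"], int(m["severity"]), m["mnemonic"])
        # Match the text as well as the code, so that other messages logged
        # under the same code are not counted.
        if code == FAIL_CODE and m["text"].strip() == FAIL_TEXT:
            ts = datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"]))
    return events


def repeated_failures(events, window=timedelta(minutes=30)):
    """Return {host: [timestamps]} for hosts with two failures within `window`.

    A repeat suggests the standby is being rebooted and failing again, for
    example because its boot variables are still not set appropriately.
    """
    by_host = defaultdict(list)
    for ts, host in events:
        by_host[host].append(ts)
    flagged = {}
    for host, stamps in by_host.items():
        stamps.sort()
        if any(later - earlier <= window
               for earlier, later in zip(stamps, stamps[1:])):
            flagged[host] = stamps
    return flagged


if __name__ == "__main__":
    found = find_standby_boot_failures(SAMPLE_LOG.splitlines())
    for ts, host in found:
        print(f"{ts.isoformat()} {host}: {FAIL_TEXT}")
    for host, stamps in repeated_failures(found).items():
        print(f"REPEATED on {host}: {len(stamps)} failures, "
              f"first at {stamps[0].isoformat()}")
```
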

Installing Generation 2 Modules in Generation 1 Chassis


The Generation 2 modules have the following installation restrictions:
- Supervisor-2 modules can be installed on all Cisco MDS 9500 Series Directors.

Note The Cisco MDS 9513 Director does not support Supervisor-1 modules.

- Generation 2 switching modules can be installed on all Cisco MDS 9000 Family switches, except
  the Cisco MDS 9216 switch.
- Generation 1 modules can be used with Cisco MDS 9000 Family switches. However, installing
  Generation 1 modules in combination with Generation 2 switching modules in the same chassis
  reduces the capabilities of the Generation 2 switching modules (see the "Combining Generation 1,
  Generation 2, and Generation 3 Modules" section on page 22-24).
- Generation 1 and Generation 2 switching modules can be installed on Cisco MDS 9500 Family
  switches with either Supervisor-1 modules or Supervisor-2 modules.

Replacing Modules
When you replace any module (supervisor, switching, or services module), you must ensure that the new
module is running the same software version as the rest of the switch.
Refer to the Cisco MDS 9000 Family SAN Volume Controller Configuration Guide for configuration details
on replacing the Caching Services Module (CSM).

Note When a spare standby supervisor module is inserted, it uses the same image as the active supervisor
module. The Cisco NX-OS software image is not automatically copied to the standby flash device.

Tip Use the Software Install Wizard to copy the Cisco NX-OS software image to the standby supervisor
bootflash device.

Using the Software Install Wizard after replacing any module ensures the following actions:
- The proper system and kickstart images are copied to the standby bootflash: file system.
- The proper boot variables are set.
- The loader and the BIOS are upgraded to the same version available on the active supervisor module.
To replace a module in any switch in the Cisco MDS 9200 Series or 9500 Series using Device Manager,
follow these steps:

Step 1 Create a backup of your existing configuration file, if required, by clicking Admin > Copy
Configuration and selecting runningConfig to startupConfig.
Step 2 Replace the required module as specified in the Cisco MDS 9200 Series Hardware Installation Guide or
the Cisco MDS 9500 Series Hardware Installation Guide.
Step 3 Verify that space is available on the standby supervisor bootflash by clicking Admin > Flash Files and
selecting the sup-standby. It is a good practice to remove older versions of Cisco MDS NX-OS images
and kickstart images.
Step 4 Use the Software Install Wizard to ensure that the new module is running the same software as the rest
of the switch.
Step 5 Wait until the new module is online and then ensure that the replacement was successful by clicking
Physical > Modules in Device Manager.

Default Settings
Table 15-5 lists the default image settings for all Cisco MDS 9000 Family switches.

Table 15-5 Default Image Settings

| Parameters | Default |
|---|---|
| Kickstart image | No image is specified. |
| System image | No image is specified. |

CHAPTER 16
Managing Configuration Files

This chapter describes how to initially configure switches using the configuration files so they can be
accessed by other devices. This chapter includes the following sections:
- About Flash Devices
- Formatting Flash Devices and File Systems
- Using the File System
- Downloading Configuration Files to the Switch

About Flash Devices


Every switch in the Cisco MDS 9000 Family contains one internal bootflash (see Figure 16-1). The
Cisco MDS 9500 Series additionally contains one external CompactFlash called slot0 (see Figure 16-1
and Figure 16-2).

Figure 16-1 Flash Devices in the Cisco MDS 9000 Supervisor Module

[Figure: a Cisco MDS 9200 Series Switch with internal bootflash, and a Cisco MDS 9500 Series Director with internal bootflash and an external CompactFlash in slot 0]

Figure 16-2 External CompactFlash in the Cisco MDS 9000 Supervisor Module

[Figure callouts: CompactFlash 1 eject button, CompactFlash 1 slot 0, CompactFlash 1 LED]

Internal bootflash:
All switches in the Cisco MDS 9000 Family have one internal bootflash: that resides in the supervisor
or switching module. You have access to two locations within the internal bootflash: file system.
- The volatile: file system provides temporary storage, and it is also the default location for file system
  commands. Files in temporary storage (volatile:) are erased when the switch reboots.
- The bootflash: (nonvolatile storage) file system provides permanent storage. The files in bootflash:
  are preserved through reboots and power outages.

Formatting Flash Devices and File Systems


By formatting a Flash device or a file system, you are clearing out the contents of the device or the file
system and restoring it to its factory-shipped state.
See the "About Flash Devices" section on page 16-1 and the "Using the File System" section on
page 16-2.

Using the File System


All switches in the Cisco MDS 9000 Family have one internal bootflash: that resides in the supervisor
or switching module. You have access to two directories within the internal bootflash: file system.
- The volatile: directory provides temporary storage, and it is also the default. Files in temporary
  storage (volatile:) are erased when the switch reboots.
- The bootflash: (nonvolatile storage) directory provides permanent storage. Files in permanent
  storage (bootflash:) are preserved through reboots and power outages.
Cisco MDS 9500 Series directors contain an additional external CompactFlash referred to as the slot0:
directory. The external CompactFlash, an optional device for MDS 9500 Series directors, can be used
for storing software images, logs, and core dumps.
You can use Device Manager to perform the following functions to help you manage software image files
and configuration files:
- Flash Files
- Creating a Directory
- Deleting an Existing File or Directory
- Copying Files
- Performing Other File Manipulation Tasks

Flash Files
To list the files in a directory using Device Manager, follow these steps:

Step 1 Click Admin > Flash Files.


By default, you see the bootflash directory listed for the supervisor's local partition (see Figure 16-3).

Figure 16-3 Flash Files Dialog Box

Step 2 Select the device and partition for the directory you want to view from the drop-down lists.
You see a list of files and directories.

Creating a Directory
To create a directory using Device Manager, follow these steps:

Step 1 Click Admin > Flash Files.


By default, you see the bootflash directory listed for the supervisor's local partition (see Figure 16-4).

Figure 16-4 Flash Files Dialog Box

Step 2 Select the device and partition from the drop-down lists for the directory where you want to create the
directory.
Step 3 Click the Create Directory icon to create a directory.
You see the Create New Directory dialog box as shown in Figure 16-5.

Figure 16-5 New Directory Dialog Box

Step 4 Enter the name of the new directory, and click OK.
You see the new directory in the directory listing.

Tip Any directory saved in the volatile: file system is erased when the switch reboots.

Deleting an Existing File or Directory


To delete a file or directory using Device Manager, follow these steps:

Step 1 Click Admin > Flash Files.


By default, you see the bootflash: directory listed for the supervisor's local partition (see Figure 16-6).

Figure 16-6 Flash Files Dialog Box

Step 2 Select a device and partition from the drop-down lists.


Step 3 Click the file or directory you want to delete.
Step 4 Click Delete to delete the file or directory.

Caution If you specify a directory, the delete removes the entire directory and all of its contents.

Copying Files
To copy a file using Device Manager, follow these steps:

Step 1 Select Admin > Flash Files.


By default, you see the bootflash: directory listed for the supervisor's local partition (see Figure 16-7).

Figure 16-7 Flash Files Dialog Box

Step 2 Select the device and partition from the drop-down lists for the directory containing the file you want to
copy.
Step 3 Click Copy.
You see the Copy dialog box shown in Figure 16-8.

Figure 16-8 Copy Flash Files in Device Manager

Step 4 Choose the protocol you want to use for the copy process: tftp, ftp, scp, or flashToFlash.
Step 5 Enter the address of the source server for a flash to flash copy only.
Step 6 Click the ... button to browse for the source file on your local PC or on the server, depending on the type
of copy.

Note If you are copying from flash, the filename must be in the format:
[<device>:][<partition>:]<file>

Where device is a value obtained from FlashDeviceName, partition is a value obtained from
FlashPartitionName and file is the name of a file in flash.

Step 7 Enter the Switch Destination File name. (See the note in Step 6.)

Step 8 Click Apply.
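
A parser for the flash file name format given in the Step 6 note, as an added Python example (not Device Manager's or Cisco's code). The device and partition sets are constructed sample values standing in for what FlashDeviceName and FlashPartitionName report on your switch, and rejecting a single prefix that could be read either way is this example's own choice.

```python
class FlashNameError(ValueError):
    """The name does not fit [<device>:][<partition>:]<file>."""


def parse_flash_name(name, devices, partitions):
    """Split a flash file name into (device, partition, file).

    device and partition are None when the optional prefix is omitted.
    `devices` and `partitions` are the names the switch reports in
    FlashDeviceName and FlashPartitionName.
    """
    if not name or any(ch.isspace() for ch in name):
        raise FlashNameError("name is empty or contains whitespace")
    *prefixes, file_part = name.split(":")
    if not file_part:
        raise FlashNameError("no <file> after the last ':'")
    if len(prefixes) > 2:
        raise FlashNameError("at most two prefixes are allowed")
    if "" in prefixes:
        raise FlashNameError("empty prefix before ':'")

    if len(prefixes) == 2:
        # Order is fixed by the format: device first, then partition.
        device, partition = prefixes
        if device not in devices:
            raise FlashNameError(f"unknown device {device!r}")
        if partition not in partitions:
            raise FlashNameError(f"unknown partition {partition!r}")
        return device, partition, file_part

    if len(prefixes) == 1:
        prefix = prefixes[0]
        is_device, is_partition = prefix in devices, prefix in partitions
        if is_device and is_partition:
            # Both prefixes are optional, so one prefix alone can be read
            # either way; refuse rather than guess the target.
            raise FlashNameError(f"{prefix!r} names both a device and a partition")
        if is_device:
            return prefix, None, file_part
        if is_partition:
            return None, prefix, file_part
        raise FlashNameError(f"{prefix!r} is neither a known device nor partition")

    return None, None, file_part


# Constructed sample values, not read from a real switch.
SAMPLE_DEVICES = {"bootflash", "slot0"}
SAMPLE_PARTITIONS = {"sup-local", "sup-standby"}

if __name__ == "__main__":
    for candidate in ("bootflash:sup-standby:system.bin", "slot0:backup.cfg",
                      "backup.cfg", "sup-standby:bootflash:system.bin",
                      "bootflash:"):
        try:
            parsed = parse_flash_name(candidate, SAMPLE_DEVICES, SAMPLE_PARTITIONS)
            print(candidate, "->", parsed)
        except FlashNameError as err:
            print(candidate, "-> rejected:", err)
```
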

Performing Other File Manipulation Tasks


To perform the following CLI-specific tasks, refer to the Cisco MDS 9000 Family CLI Configuration
Guide:
- Displaying file contents
- Displaying the last line in a file
- Saving output to a file
- Moving files
- Compressing and uncompressing files
- Executing commands specified in a script
- Setting the delay time

Working with Configuration Files


Configuration files can contain some or all of the commands needed to configure one or more switches.
For example, you might want to download the same configuration file to several switches that have the
same hardware configuration so that they have identical module and port configurations.
This section describes how to work with configuration files and has the following topics:
- Downloading Configuration Files to the Switch
- Saving the Configuration
- Backing Up the Current Configuration

Downloading Configuration Files to the Switch


You can configure a switch in the Cisco MDS 9000 Family by using configuration files you create or
download from another switch. In addition, you can store configuration files on a bootflash device on
the supervisor module and you can configure the switch using a configuration stored on an external
CompactFlash disk.
Before you begin downloading a configuration file using a remote server, do the following:
- Ensure the configuration file to be downloaded is in the correct directory on the remote server.
- Ensure that the permissions on the file are set correctly. Permissions on the file should be set to
  world-read.
- Ensure the switch has a route to the remote server. The switch and the remote server must be in the
  same subnetwork if you do not have a router or default gateway to route traffic between subnets.
  Check connectivity to the remote server using ping.

Saving the Configuration


To save the configuration file using Device Manager, follow these steps:

Step 1 Click Admin > Save Configuration.


You see this message:
Really save running to startup configuration?
Step 2 Click Yes to save the configuration. Click No to close the pop-up window without saving the
configuration.

Saving the Running Configuration


After you have created a running configuration in system memory, you can save it to the startup
configuration in NVRAM.
To save the configuration file using Device Manager, follow these steps:

Step 1 Click Admin > Copy Configuration.


You see the Copy Configuration dialog box shown in Figure 16-9.

Figure 16-9 Copy Configuration Dialog Box

Step 2 Select the location of the file you will copy from (serverFile, startupConfig, runningConfig).
Step 3 Select the location of the file you will copy to (serverFile, runningConfig, fabricStartupConfig).

Note You can copy a file fabric-wide using the fabricStartupConfig option, available in Cisco MDS
SAN-OS Release 2.1(1a) or later.

Step 4 Enter the server address of the source server.


Step 5 Click the ... button to browse for the source file on the switch or the server, depending on the type of
copy.
Step 6 Select the protocol you want to use to perform the copy procedure: tftp, ftp, or sftp.

Step 7 Enter the user name and password you use to access the switch or server.
Step 8 Click Apply.

Saving Startup Configurations in the Fabric


You can use Cisco Fabric Services (CFS) to instruct the other switches in the fabric to save their
configurations to their local NVRAM. You can copy the running configuration to the startup
configuration across the entire fabric by using the fabricStartupConfig option. This triggers every switch
in the fabric to copy its running configuration to its startup configuration.

Note If any switch fails during this fabric-wide copy, that switch and the switch that you used to initiate this
process will keep the existing startup configuration. This does not affect the other switches in the fabric.

Backing Up the Current Configuration


Before installing or migrating to any software configuration, back up the startup configuration. To back
up the startup configuration using Device Manager, follow these steps:

Step 1 Select Admin > Copy Configuration.


You see the Copy Configuration dialog box as shown in Figure 16-10.

Figure 16-10 Copy Configuration Dialog Box

Step 2 Select the location of the file you want to back up (server file, startup configuration, or running
configuration).
Step 3 Select the destination of the file (server file, running configuration, fabric startup configuration).
Step 4 Enter the server address.
Step 5 Click the ... button to select the file name.
Step 6 Choose the file transfer protocol (tftp, ftp, or sftp).
Step 7 Enter the user name and password for the server you specified in Step 4.

Step 8 Click Apply to copy the file.

CHAPTER 17
Configuring High Availability

The Cisco MDS 9500 Series of multilayer directors support application restartability and nondisruptive
supervisor switchability. The switches are protected from system failure by redundant hardware
components and a high availability software framework.
This chapter includes the following sections:
- About High Availability
- Switchover Mechanisms
- Switchover Guidelines
- Process Restartability
- Synchronizing Supervisor Modules

About High Availability


The high availability (HA) software framework provides the following:
- Ensures nondisruptive software upgrade capability. See Chapter 15, Software Images.
- Provides redundancy for supervisor module failure by using dual supervisor modules.
- Performs nondisruptive restarts of a failed process on the same supervisor module. A service
  running on the supervisor modules and on the switching module tracks the HA policy defined in the
  configuration and takes action based on this policy. This feature is also available in switches in the
  Cisco MDS 9200 Series and the Cisco MDS 9100 Series.
- Protects against link failure using the PortChannel (port aggregation) feature. This feature is also
  available in switches in the Cisco MDS 9200 Series and in the Cisco MDS 9100 Series. See
  Chapter 23, Configuring PortChannels.
- Provides management redundancy using the Virtual Router Redundancy Protocol (VRRP). This
  feature is also available in switches in the Cisco MDS 9200 Series and in the Cisco MDS 9100
  Series. See the "Virtual Router Redundancy Protocol" section on page 51-8.
- Provides switchovers if the active supervisor fails. The standby supervisor, if present, takes over
  without disrupting storage or host traffic.
Directors in the Cisco MDS 9500 Series have two supervisor modules (sup-1 and sup-2) in slots 5
and 6 (Cisco MDS 9509 and 9506 Switches) or slots 7 and 8 (Cisco MDS 9513 Switch). When the
switch powers up and both supervisor modules are present, the supervisor module that comes up first
enters the active mode and the supervisor module that comes up second enters the standby mode. If
both supervisor modules come up at the same time, sup-1 becomes active. The standby supervisor
module constantly monitors the active supervisor module. If the active supervisor module fails, the
standby supervisor module takes over without any impact to user traffic.

Note For high availability, you need to connect the Ethernet port for both active and standby
supervisors to the same network or virtual LAN. The active supervisor owns the one IP address
used by these Ethernet connections. On a switchover, the newly activated supervisor takes over
this IP address.

Switchover Mechanisms
Switchovers occur by one of the following two mechanisms:
- The active supervisor module fails and the standby supervisor module automatically takes over.
- You manually initiate a switchover from an active supervisor module to a standby supervisor
  module.
Once a switchover process has started, another switchover process cannot be started on the same switch
until a stable standby supervisor module is available.

Caution If the standby supervisor module is not in a stable state (ha-standby), a switchover is not performed.

HA Switchover Characteristics
An HA switchover has the following characteristics:
- It is stateful (nondisruptive) because control traffic is not impacted.
- It does not disrupt data traffic because the switching modules are not impacted.
- Switching modules are not reset.

Initiating a Switchover
To manually initiate a switchover from an active supervisor module to a standby supervisor module, reset
the active supervisor module using Device Manager. Once the switchover process has started, another
switchover process cannot be started on the same switch until a stable standby supervisor module is
available.
To perform a switchover using Device Manager, follow these steps:

Step 1 Ensure that an HA switchover is possible by selecting Physical > Modules to verify the presence of
multiple modules.
You see the screen shown in Figure 17-1.

Figure 17-1 Modules Screen Shows Current Supervisor

Step 2 Select Admin > Reset Switch on the main Device Manager screen.

Figure 17-2 Reset Switch Dialog Box

Step 3 Click Switch to Standby.

Switchover Guidelines
Be aware of the following guidelines when performing a switchover:
- When you manually initiate a switchover, system messages indicate the presence of two supervisor
  modules.
- A switchover can only be performed when two supervisor modules are functioning in the switch.
- The modules in the chassis are functioning as designed.

Process Restartability
Process restartability provides the high availability functionality in Cisco MDS 9000 Family switches.
It ensures that process-level failures do not cause system-level failures. It also restarts the failed
processes automatically. This vital process functions on infrastructure that is internal to the switch.
See the Displaying System Processes section on page 68-1.

Synchronizing Supervisor Modules


The running image is automatically synchronized in the standby supervisor module by the active
supervisor module. The boot variables are synchronized during this process.

The standby supervisor module automatically synchronizes its image with the running image on the
active supervisor module.
See the Replacing Modules section on page 15-17.
The following conditions identify when automatic synchronization is possible:
- If the internal state of one supervisor module is Active with HA standby and the other supervisor
  module is HA-standby, the switch is operationally HA and can do automatic synchronization.
- If the internal state of one of the supervisor modules is none, the switch cannot do automatic
  synchronization.
Table 17-1 lists the possible values for the redundancy states.

Table 17-1 Redundancy States

State         Description
Not present   The supervisor module is not present or is not plugged into the chassis.
Initializing  The diagnostics have passed and the configuration is being downloaded.
Active        This is the active supervisor module, and the switch is ready to be configured.
Standby       A switchover is possible.
Failed        The switch detects a supervisor module failure on initialization and automatically attempts to power-cycle the module three (3) times. After the third attempt it continues to display a failed state.
Offline       The supervisor module is intentionally shut down for debugging purposes.
At BIOS       The switch has established connection with the supervisor and the supervisor module is performing diagnostics.
Unknown       The switch is in an invalid state. If it persists, call TAC.

Table 17-2 lists the possible values for the supervisor module states.

Table 17-2 Supervisor States

State Description
Active The active supervisor module in the switch is ready to be configured.
HA standby A switchover is possible.
Offline The switch is intentionally shut down for debugging purposes.
Unknown The switch is in an invalid state and requires a support call to TAC.

Table 17-3 lists the possible values for the internal redundancy states.

Table 17-3 Internal States

State                            Description
HA standby                       The HA switchover mechanism in the standby supervisor module is enabled (see the HA Switchover Characteristics section on page 17-2).
Active with no standby           A switchover is possible.
Active with HA standby           The active supervisor module in the switch is ready to be configured. The standby module is in the HA-standby state.
Shutting down                    The switch is being shut down.
HA switchover in progress        The switch is in the process of changing over to the HA switchover mechanism.
Offline                          The switch is intentionally shut down for debugging purposes.
HA synchronization in progress   The standby supervisor module is in the process of synchronizing its state with the active supervisor module.
Standby (failed)                 The standby supervisor module is not functioning.
Active with failed standby       This is the active supervisor module, and the second supervisor module is present but is not functioning.
Other                            The switch is in a transient state. If it persists, call TAC.


CHAPTER 18
Managing System Hardware

This chapter provides details on how to manage system hardware other than services and switching
modules and how to monitor the health of the switch. It includes the following sections:
Displaying Switch Hardware Inventory
Running the CompactFlash Report
Displaying the Switch Serial Number
Displaying Power Usage Information
Power Supply Configuration Modes
About Crossbar Management
About Module Temperature
About Fan Modules
Default Settings

Displaying Switch Hardware Inventory


To view information on the field replaceable units (FRUs) in the switch, including product IDs and serial
numbers, follow these steps:

Step 1 In Fabric Manager, choose a fabric or switch in the Logical Domains pane, then expand Switches and
select Hardware in the Physical Attributes pane.
You see a list like the one shown in Figure 18-1.

Figure 18-1 Fabric Manager Hardware Inventory


Step 2 In Device Manager, choose Physical > Inventory.


You see a list like the one shown in Figure 18-2.

Figure 18-2 Device Manager Hardware Inventory

You see system attributes for multiple modules in Figure 18-1 and Figure 18-2. To see attributes for a
single switch in Device Manager, double-click the graphic of the module in the main screen.

Note To configure modules, see Chapter 19, Managing Modules.

Running the CompactFlash Report


As of Cisco SAN-OS Release 3.1(2) and NX-OS Release 4.1(1b), you can run the CompactFlash Check
Utility to automatically scan your fabric and generate a report that shows the status of CompactFlash on
the following modules:
DS-X9016
DS-X9032
DS-X9302-14K9
DS-X9308-SMIP
DS-X9304-SMIP
DS-X9530-SF1-K9
The CompactFlash report can be used on switches running Cisco SAN-OS Release 2.x, 3.x, and NX-OS
Release 4.x. Before running the CompactFlash report, you must complete the following tasks:
Upgrade to Cisco Fabric Manager Release 3.1(2).
Download the CompactFlash Check Utility (m9000-lc1-gplug-mz.1.0.2.bin).
Run the CompactFlash report.


Step 1 Download m9000-lc1-gplug-mz.1.0.2.bin from the Software Center on Cisco.com
(http://www.cisco.com/cgi-bin/tablebuild.pl/mds-utilities). You must have a CCO account to access the
files on the Software Center.
Step 2 Save the CompactFlash Check Utility to a TFTP server. You will need the TFTP server address.

To run the CompactFlash report using Fabric Manager, follow these steps:

Step 1 Choose Tools > Compact Flash Report.

Note In the Flash Check Utility URL tftp:// field, you must enter the TFTP server location where
you saved the CompactFlash Check Utility.

Step 2 Deselect the check box for the switch(es) for which you do not want to run the CompactFlash report.
Step 3 Specify where you want the report file to be saved.
Step 4 Click OK to run the report.

Note A green indicator light showing Success: Finished check only indicates that the switch was
checked. You must examine the log file for CompactFlash status.

Step 5 If you see the message Error: Failed to copy plugin file, verify that the path you entered in the Flash
Check Utility URL tftp:// field is correct.
Step 6 If necessary, enter the correct location in the Flash Check Utility URL tftp:// field.
Step 7 Click OK to run the report again. Open the log file report for detailed information about CompactFlash
status.

Displaying the Switch Serial Number


The serial number of your Cisco MDS 9000 Family switch can be obtained by looking at the serial
number label on the back of the switch (next to the power supply) or from Fabric Manager by selecting
that switch in the Logical Domains pane, then expanding Switches and selecting Hardware in the
Physical Attributes pane in Fabric Manager. The Serial No Primary column in the Information pane
shows the serial number.

Displaying Power Usage Information


Use Fabric Manager to display power usage. Select a switch in the Logical Domains pane, expand
Switches and select Hardware in the Physical Attributes pane, then click the Power Supplies tab in the
Information pane to display actual power usage information for the entire switch. See the first example
under Power Supply Configuration Modes.


Note In a Cisco MDS 9500 Series switch, power usage is reserved for both supervisors whether one or both
supervisor modules are present.

Power Supply Configuration Modes


Switches in the MDS 9000 Family have two redundant power supply slots. The power supplies can be
configured in either redundant or combined mode.
Redundant mode: Uses the capacity of one power supply only. This is the default mode. In case of
power supply failure, the entire switch has sufficient power available in the system.
Combined mode: Uses the combined capacity of both power supplies. In case of power supply
failure, the entire switch can be shut down (depends on the power used) causing traffic disruption.
This mode is seldom used, except in cases where the switch has two low power supply capacities
but a higher power usage.

Note The chassis in the Cisco MDS 9000 Family uses 1200 W when powered at 110 V, and 2500 W when
powered at 220 V.

To configure the power supply mode, follow these steps:

Step 1 In the Fabric Manager Physical Attributes pane, expand Switches and then select Hardware. Click the
Power Supplies tab.
You see the power supply information screen shown in Figure 18-3.
Low TotalAvailable (< 200.0W) values for non-2-slot chassis are highlighted in yellow, as inserting a
new card into the switch requires power around 180 W.

Figure 18-3 Power Supply Information in Fabric Manager

Step 2 In Device Manager, click Physical > Power Supplies.


You see the screen in Figure 18-4.


Figure 18-4 Power Supply Information in Device Manager

Step 3 Configure the power attributes for the power supply.


Step 4 Click Apply in Device Manager or click the Apply Changes icon in Fabric Manager.

Note See the Displaying Power Usage Information section on page 18-3 to view the current power supply
configuration.

Power Supply Configuration Guidelines


Follow these guidelines when configuring power supplies:
1. When power supplies with different capacities are installed in the switch, the total power available
differs based on the configured mode, either redundant or combined:
a. Redundant mode: The total power is the lesser of the two power supply capacities.
For example, suppose you have the following usage figures configured:
Power supply 1 = 2500 W
Additional power supply 2 = not used
Current usage = 2000 W
Current capacity = 2500 W
Then the following three scenarios will differ as specified (see Table 18-1):
Scenario 1: If 1800 W is added as power supply 2, then power supply 2 is shut down.
Reason: 1800 W is less than the usage of 2000 W.
Scenario 2: If 2200 W is added as power supply 2, then the current capacity decreases to 2200
W.
Reason: 2200 W is the lesser of the two power supplies.
Scenario 3: If 3000 W is added as power supply 2, then the current capacity value remains at
2500 W.
Reason: 2500 W is the lesser of the two power supplies.

Table 18-1 Redundant Mode Power Supply Scenarios

Scenario  Power Supply 1 (W)  Current Usage (W)  Insertion of Power Supply 2 (W)  New Capacity (W)  Action Taken by Switch
1         2500                2000               1800                             2500              Power supply 2 is shut down.
2         2500                2000               2200                             2200              Capacity becomes 2200 W.
3         2500                2000               3300                             2500              Capacity remains the same.
W = Watts

b. Combined mode: The total power is twice the lesser of the two power supply capacities.
For example, suppose you have the following usage figures configured:
Power supply 1 = 2500 W
Additional Power supply 2 = not used
Current Usage = 2000 W
Current capacity = 2500 W
Then the following three scenarios will differ as specified (see Table 18-2):
Scenario 1: If 1800 W is added as power supply 2, then the capacity increases to 3600 W.
Reason: 3600 W is twice the minimum (1800 W).
Scenario 2: If 2200 W is added as power supply 2, then the current capacity increases to
4400 W.
Reason: 4400 W is twice the minimum (2200 W).
Scenario 3: If 3000 W is added as power supply 2, then the current capacity increases to
5000 W.
Reason: 5000 W is twice the minimum (2500 W).

Table 18-2 Combined Mode Power Supply Scenarios

Scenario  Power Supply 1 (W)  Current Usage (W)  Insertion of Power Supply 2 (W)  New Capacity (W)  Action Taken by Switch
1         2500                2000               1800                             3600              Power is never shut down. The new capacity is changed.
2         2500                2000               2200                             4400              Power is never shut down. The new capacity is changed.
3         2500                2000               3300                             5000              Power is never shut down. The new capacity is changed.
W = Watts

2. When you change the configuration from combined to redundant mode and the system detects a
power supply that has a capacity lower than the current usage, the power supply is shut down. If both
power supplies have a lower capacity than the current system usage, the configuration is not allowed.
Several configuration scenarios are summarized in Table 18-3.
Scenario 1: You have the following usage figures configured:
Power supply 1 = 2500 W
Additional Power supply 2 = 1800 W
Current Usage = 2000 W
Current mode = combined mode (so current capacity is 3600 W)
You decide to change the switch to redundant mode. Then power supply 2 is shut down.


Reason: 1800 W is the lesser of the two power supplies and it is less than the system usage.
Scenario 2: You have the following usage figures configured:
Power supply 1 = 2500 W
Additional Power supply 2 = 2200 W
Current Usage = 2000 W
Current mode = combined mode (so current capacity is 4400 W).
You decide to change the switch to redundant mode. Then the current capacity decreases to
2200 W.
Reason: 2200 W is the lesser of the two power supplies.
Scenario 3: You have the following usage figures configured:
Power supply 1 = 2500 W
Additional Power supply 2 = 1800 W
Current Usage = 3000 W
Current mode = combined mode (so current capacity is 3600 W).
You decide to change the switch to redundant mode. Then the current capacity decreases to
2500 W and the configuration is rejected.
Reason: 2500 W is less than the system usage (3000 W).

Table 18-3 Combined Mode Power Supply Scenarios

Scenario  Power Supply 1 (W)  Current Mode  Current Usage (W)  Power Supply 2 (W)  New Mode   New Capacity (W)  Action Taken by Switch
1         2500                combined      2000               1800                N/A        3600              This is the existing configuration.
          2500                N/A           2000               1800                redundant  2500              Power supply 2 is shut down.
2         2500                combined      2000               2200                N/A        4400              This is the existing configuration.
          2500                N/A           2000               2200                redundant  2200              The new capacity is changed.
3         2500                combined      3000               1800                N/A        3600              This is the existing configuration.
          2500                N/A           3000               1800                redundant  N/A               Rejected, so the mode reverts to combined mode.
W = Watts
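
The capacity rules in guidelines 1 and 2 can be checked before a supply is inserted or the mode is changed. The following Python sketch is an added example, not part of the Cisco guide or its software; the function names, the action labels, and the headroom formula (capacity minus current usage) are assumptions made for illustration.

```python
from dataclasses import dataclass

REDUNDANT = "redundant"
COMBINED = "combined"

# Fabric Manager highlights TotalAvailable below 200 W on non-2-slot chassis,
# because inserting a new card requires around 180 W.
LOW_HEADROOM_W = 200


@dataclass(frozen=True)
class Outcome:
    mode: str        # mode in effect after the event
    capacity_w: int  # total power available after the event
    action: str      # what the switch does (label names are this example's own)


def total_capacity(mode, ps1_w, ps2_w):
    """Guideline 1: the lesser supply (redundant) or twice the lesser (combined)."""
    if mode not in (REDUNDANT, COMBINED):
        raise ValueError(f"unknown power supply mode: {mode!r}")
    lesser = min(ps1_w, ps2_w)
    return lesser if mode == REDUNDANT else 2 * lesser


def insert_second_supply(mode, ps1_w, usage_w, new_ps2_w):
    """Tables 18-1 and 18-2: a second supply is inserted beside supply 1."""
    if mode == REDUNDANT and new_ps2_w < usage_w:
        # The new supply could not carry the load alone, so it is shut down.
        return Outcome(REDUNDANT, ps1_w, "ps2-shut-down")
    capacity = total_capacity(mode, ps1_w, new_ps2_w)
    action = "capacity-unchanged" if capacity == ps1_w else "capacity-changed"
    return Outcome(mode, capacity, action)


def change_combined_to_redundant(ps1_w, ps2_w, usage_w):
    """Guideline 2 and Table 18-3: switch a combined setup to redundant mode."""
    too_small = [name for name, cap in (("ps1", ps1_w), ("ps2", ps2_w))
                 if cap < usage_w]
    if len(too_small) == 2:
        # Neither supply can carry the load alone: rejected, mode stays combined.
        return Outcome(COMBINED, total_capacity(COMBINED, ps1_w, ps2_w), "rejected")
    if too_small:
        # One supply is below current usage: it is shut down, the other remains.
        survivor_w = ps2_w if too_small[0] == "ps1" else ps1_w
        return Outcome(REDUNDANT, survivor_w, f"{too_small[0]}-shut-down")
    return Outcome(REDUNDANT, total_capacity(REDUNDANT, ps1_w, ps2_w),
                   "capacity-changed")


def low_headroom(outcome, usage_w):
    """True when capacity minus usage is under the 200 W highlight threshold.

    Assumption: TotalAvailable equals capacity minus current usage.
    """
    return outcome.capacity_w - usage_w < LOW_HEADROOM_W


if __name__ == "__main__":
    # Inputs are the scenario rows of Tables 18-1, 18-2 and 18-3.
    for ps2 in (1800, 2200, 3300):
        print("redundant insert", ps2, insert_second_supply(REDUNDANT, 2500, 2000, ps2))
        print("combined insert ", ps2, insert_second_supply(COMBINED, 2500, 2000, ps2))
    for ps2, usage in ((1800, 2000), (2200, 2000), (1800, 3000)):
        result = change_combined_to_redundant(2500, ps2, usage)
        print("to redundant", ps2, usage, result,
              "low headroom:", low_headroom(result, usage))
```

Running the same check with the planned usage after adding a card shows whether a move to redundant mode would leave less than the 200 W that Fabric Manager flags.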

About Crossbar Management


Cisco MDS NX-OS Release 4.1(1b) and later supports three types of hardware for the Cisco MDS 9500
Series Directors: Generation 1, Generation 2, and Generation 3.
Generation 3 consists of hardware supported by Cisco NX-OS Release 4.1(1b) and later, including the
following:
48-port 8-Gbps Fibre Channel switching module
24-port 8-Gbps Fibre Channel switching module
4/44-port 8-Gbps Host Optimized Fibre Channel module


MDS 9513 Fabric-2 Crossbar Switching module

Note The new software features in Cisco MDS NX-OS Release 4.1(1b) and later will not be supported in the
Generation 1 hardware.

Note Cisco MDS NX-OS Release 4.1(1b) and later does not support the following hardware: Supervisor-1
module, the IPS-4 and IPS-8 storage modules, the MDS 9216 switch, the MDS 9216A switch, the MDS
9020 switch, the MDS 9120 switch, and the MDS 9140 switch.

Cisco MDS SAN-OS Release 3.0(1) and later supports two types of hardware for the Cisco MDS 9500
Series Directors: Generation 1 and Generation 2.
Generation 2 consists of all new hardware supported by Cisco SAN-OS Release 3.0(1) and later,
including the following:
Cisco MDS 9513 Director chassis
Supervisor-2 module
MSM-18/4 Multiservice Storage module
MDS 9222i Module-1 module
48-port 4-Gbps Fibre Channel switching module
24-port 4-Gbps Fibre Channel switching module
12-port 4-Gbps Fibre Channel switching module
4-port 10-Gbps Fibre Channel switching module
The Cisco MDS 9500 Series Directors running Cisco MDS SAN-OS 3.0(1) or later support the following
types of crossbars:
Integrated crossbar: Located on the Supervisor-1 and Supervisor-2 modules. The Cisco MDS 9506
and 9509 Directors only use integrated crossbars.
External crossbar: Located on an external crossbar switching module. Cisco MDS 9513 Directors
require external crossbar modules.
Generation 1 consists of all hardware supported by Cisco SAN-OS earlier than Release 3.0(1), including
the following:
Cisco MDS 9506 and 9509 Director chassis
Supervisor-1 module
32-port 2-Gbps Fibre Channel switching module
16-port 2-Gbps Fibre Channel switching module
8-port IP Storage Services (IPS-8) module
4-port IP Storage Services (IPS-4) module
Storage Services Module (SSM)
14/2-port Multiprotocol Services (MPS-14/2) module


Operational Considerations When Removing Crossbars


You can mix and match Generation 1 and Generation 2 hardware on the Cisco MDS 9500 Series
Directors running Cisco MDS SAN-OS 3.0(1) or later without compromising the integrity and
availability of your SANs based on Cisco MDS 9500 Series Directors.
To realize these benefits, you must consider the following operational requirements when removing
crossbars for maintenance activities:
Gracefully Shutting Down a Crossbar
Backward Compatibility for Generation 1 Modules in Cisco MDS 9513 Directors

Gracefully Shutting Down a Crossbar


You must perform a graceful shutdown of a crossbar (integrated or external) before removing it from the
MDS 9500 Series Director.
To perform a graceful shutdown of external crossbar switching modules in a Cisco MDS 9513 Director
using Device Manager, follow these steps:

Step 1 Right-click the supervisor module. Crossbars are indicated with a green X (see Figure 18-5).
You see the context menu for the supervisor module.

Figure 18-5 Shutting Down a Crossbar

Step 2 Select Out of Service to gracefully shut down the integrated crossbar.

Note To reactivate the integrated crossbar, you must remove and reinsert or replace the Supervisor-1
or Supervisor-2 module.


Caution Taking the crossbar out of service may cause a supervisor switchover.

To perform a graceful shutdown of integrated crossbars on the supervisor module in a Cisco MDS 9509
or 9506 Director using Device Manager, follow these steps:

Step 1 Right-click the integrated crossbar switching module.


You see the context menu for that module.
Step 2 Select Out of Service to gracefully shut down the integrated crossbar switching module.

Note To reactivate the integrated crossbar module, you must remove and reinsert or replace the
crossbar module.

Caution Taking the crossbar out of service may cause a supervisor switchover.

Backward Compatibility for Generation 1 Modules in Cisco MDS 9513 Directors


To provide backward compatibility for a Generation 1 module in a Cisco MDS 9513 chassis, the active
and backup Supervisor-2 modules are associated to a specific crossbar module. The Supervisor-2 module
in slot 7 is associated with crossbar module 1 and Supervisor-2 module in slot 8 is associated with
crossbar module 2. You must plan for the following operational considerations before removing crossbar
modules:
Whenever a crossbar module associated with the active Supervisor-2 module goes offline or is
brought online in a system that is already online, a stateful supervisor switchover occurs. This
switchover does not disrupt traffic. Events that cause a crossbar module to go offline include the
following:
Out-of-service requests
Physical removal
Errors
Supervisor-2 module switchovers do not occur if the crossbar switching module associated with the
backup Supervisor-2 module goes offline.

Note Supervisor-2 module switchovers do not occur when removing crossbar switch modules on a Cisco MDS
9513 that only has Generation 2 modules installed.


About Module Temperature


Built-in automatic sensors are provided in all switches in the Cisco MDS 9000 Family to monitor your
switch at all times.
Each module (switching and supervisor) has four sensors: 1 (outlet sensor), 2 (intake sensor), 3 (onboard
sensor), and 4 (onboard sensor). Each sensor has two thresholds (in degrees Celsius): minor and major.

Note A threshold value of -127 indicates that no thresholds are configured or applicable.

Minor threshold: When a minor threshold is exceeded, a minor alarm occurs and the following
action is taken for all four sensors:
  System messages are displayed.
  Call Home alerts are sent (if configured).
  SNMP notifications are sent (if configured).
Major threshold: When a major threshold is exceeded, a major alarm occurs and the following
action is taken:
  For sensors 1, 3, and 4 (outlet and onboard sensors):
    System messages are displayed.
    Call Home alerts are sent (if configured).
    SNMP notifications are sent (if configured).
  For sensor 2 (intake sensor):
    If the threshold is exceeded in a switching module, only that module is shut down.
    If the threshold is exceeded in an active supervisor module with HA-standby or standby present, only that supervisor module is shut down and the standby supervisor module takes over.
    If you do not have a standby supervisor module in your switch, you have an interval of 2 minutes to decrease the temperature. During this interval the software monitors the temperature every five (5) seconds and continuously sends system messages as configured.

Tip To realize the benefits of these built-in automatic sensors on any switch in the Cisco MDS 9500
Series, we highly recommend that you install dual supervisor modules. If you are using a Cisco
MDS 9000 Family switch without dual supervisor modules, we recommend that you
immediately replace the fan module if even one fan is not working.

Displaying Module Temperature


Expand Switches and then select Hardware in the Physical Attributes pane in Fabric Manager. Click
the Temperature Sensors tab in the Information pane to display temperature sensors for each module
(see the second example under Power Supply Configuration Modes).


About Fan Modules


Hot-swappable fan modules (fan trays) are provided in all switches in the Cisco MDS 9000 Family to
manage airflow and cooling for the entire switch. Each fan module contains multiple fans to provide
redundancy. The switch can continue functioning in the following situations:
One or more fans fail within a fan module: Even with multiple fan failures, switches in the Cisco
MDS 9000 Family can continue functioning. When a fan fails within a module, the functioning fans
in the module increase their speed to compensate for the failed fan(s).
The fan module is removed for replacement: The fan module is designed to be removed and
replaced while the system is operating without presenting an electrical hazard or damage to the
system. When replacing a failed fan module in a running switch, be sure to install the new fan
module within five minutes.

Tip If one or more fans fail within a fan module, the Fan Status LED turns red. A fan failure could lead to
temperature alarms if not corrected immediately.

The fan status is continuously monitored by the Cisco MDS NX-OS software. In case of a fan failure,
the following action is taken:
System messages are displayed.
Call Home alerts are sent (if configured).
SNMP notifications are sent (if configured).
To display the fan module status, from Device Manager, choose Physical > Fans. The dialog box
displays the fan status.
The possible Status field values for a fan module on the Cisco MDS 9500 Series switches are as follows:
If the fan module is operating properly, the status is ok.
If the fan is physically absent, the status is absent.
If the fan is physically present but not working properly, the status is failure.
On the Cisco MDS 9513 Director, the front fan module has 15 fans.
Figure 18-6 shows the numbering of the fans in the front fan module on the Cisco MDS 9513 Director.


Figure 18-6 Cisco MDS 9513 Front Fan Module Numbering

The rear fan module (DS-13SLT-FAN-R) on the Cisco MDS 9513 Director has only two fans.

Default Settings
Table 18-4 lists the default hardware settings.

Table 18-4 Default Hardware Parameters

Parameters Default
Power supply mode Redundant mode.


CHAPTER 19
Managing Modules

This chapter describes how to manage switching and services modules (also known as line cards) and
provides information on monitoring module states.
This chapter includes the following sections:
About Modules
Verifying the Status of a Module
Obtaining Supervisor Module Statistics
Checking the State of a Module
Reloading Modules
Preserving the Module Configuration
Powering Off Switching Modules
Identifying Module LEDs
Default Settings

About Modules
Table 19-1 describes the supervisor module options for switches in the Cisco MDS 9000 Family.

Table 19-1 Supervisor Module Options

Product           Number of Supervisor Modules  Supervisor Module Slot Number  Switching and Services Module Features
Cisco MDS 9513    Two modules                   7 and 8                        13-slot chassis allows any switching or services module in the other eleven slots.
Cisco MDS 9509    Two modules                   5 and 6                        9-slot chassis allows any switching or services module in the other seven slots.
Cisco MDS 9506    Two modules                   5 and 6                        6-slot chassis allows any switching or services module in the other four slots.
Cisco MDS 9216    One module                    1                              2-slot chassis allows one optional switching or services module in the other slot.
Cisco MDS 9216A   One module                    1                              2-slot chassis allows one optional switching or services module in the other slot.
Cisco MDS 9216i   One module                    1                              2-slot chassis allows one optional switching or services module in the other slot.

Supervisor Modules
Supervisor modules are automatically powered up and started with the switch.
Cisco MDS 9513 Directors have two supervisor modules: one in slot 7 (sup-1) and one in slot 8
(sup-2). See Table 19-2. When the switch powers up and both supervisor modules come up together,
the active module is the one that comes up first. The standby module constantly monitors the active
module. If the active module fails, the standby module takes over without any impact to user traffic.
Cisco MDS 9506 and Cisco MDS 9509 switches have two supervisor modules: one in slot 5 (sup-1)
and one in slot 6 (sup-2). See Table 19-2. When the switch powers up and both supervisor modules
come up together, the active module is the one that comes up first. The standby module constantly
monitors the active module. If the active module fails, the standby module takes over without any
impact to user traffic.
Cisco MDS 9216i switches have one supervisor module that includes an integrated switching
module with 14 Fibre Channel ports and two Gigabit Ethernet ports.
Cisco MDS 9200 Series switches have one supervisor module that includes an integrated 16-port
switching module.

Table 19-2 Supervisor Module Terms and Usage

Module Terms                Fixed or Relative                         Usage
module-7 and module-8       Fixed usage for MDS 9513                  module-7 always refers to the supervisor module in slot 7 and module-8 always refers to the supervisor module in slot 8.
module-5 and module-6       Fixed usage for MDS 9509 and MDS 9506     module-5 always refers to the supervisor module in slot 5 and module-6 always refers to the supervisor module in slot 6.
module-1                    Fixed usage for MDS 9200 series           module-1 always refers to the supervisor module in slot 1.
sup-1 and sup-2             Fixed usage                               On the MDS 9506 and MDS 9509 switches, sup-1 always refers to the supervisor module in slot 5 and sup-2 always refers to the supervisor module in slot 6. On the MDS 9513 Directors, sup-1 always refers to the supervisor module in slot 7 and sup-2 always refers to the supervisor module in slot 8.
sup-active and sup-standby  Relative usage                            sup-active refers to the active supervisor module, relative to the slot that contains the active supervisor module. sup-standby refers to the standby supervisor module, relative to the slot that contains the standby supervisor module.
sup-local and sup-remote    Relative usage                            If you are logged into the active supervisor, sup-local refers to the active supervisor module and sup-remote refers to the standby supervisor module. If you are logged into the standby supervisor, sup-local refers to the standby supervisor module (the one you are logged into). There is no sup-remote available from the standby supervisor module (you cannot access a file system on the active sup).

Switching Modules
Cisco MDS 9000 Family switches support any switching module in any non-supervisor slot. These
modules obtain their image from the supervisor module.

Services Modules
Cisco MDS 9000 Family switches support any services module in any non-supervisor slot.
Refer to the Cisco MDS 9000 Family SAN Volume Controller Configuration Guide for more information
on CSMs.

Verifying the Status of a Module


Before you begin configuring the switch, you need to ensure that the modules in the chassis are
functioning as designed. To verify the status of a module at any time, expand Switches and then select
Hardware in the Physical Attributes pane in Fabric Manager, and then select the Card Module Status tab in the
Information pane (see the Fibre Channel Interfaces section on page 20-2). The interfaces in each
module are ready to be configured when the ok status is displayed. A sample screenshot follows:

Figure 19-1 Card Module Status Display

The Status column in the output should display an ok status for switching modules and an active or
standby (or HA-standby) status for supervisor modules. If the status is either ok or active, you can
continue with your configuration.

Note A standby supervisor module reflects the HA-standby status if the HA switchover mechanism is enabled
(see the HA Switchover Characteristics section on page 17-2). If the warm switchover mechanism is
enabled, the standby supervisor module reflects the standby status.

The states through which a switching module progresses are discussed in the Checking the State of a
Module section on page 19-4.

Obtaining Supervisor Module Statistics


You can view statistics for the supervisor module, such as CPU utilization and NVRAM size, using
Fabric Manager. To view supervisor module statistics using Fabric Manager, follow these steps:

Step 1 Do one of the following in the Logical Domains pane:


Expand SAN to display a list of all switches in the SAN.
Click one of the fabrics to display a list of switches for that fabric.
Click a VSAN to display a list of switches for that VSAN.
Step 2 Expand Switches and select Supervisor Statistics in the Physical Attributes pane.
You see the supervisor statistics for each switch in the Information pane.

Checking the State of a Module


The switching module goes through a testing and an initializing stage before displaying an ok status.
Table 19-3 describes the possible states in which a module can exist.

Table 19-3 Module States

| Module Status Output | Description |
|---|---|
| powered up | The hardware has electrical power. When the hardware is powered up, the software begins booting. |
| testing | The switching module has established connection with the supervisor module and the switching module is performing bootup diagnostics. |
| initializing | The diagnostics have completed successfully and the configuration is being downloaded. |
| failure | The switch detects a switching module failure upon initialization and automatically attempts to power-cycle the module three times. After the third attempt it continues to display a failed state. |
| ok | The switch is ready to be configured. |
| power-denied | The switch detects insufficient power for a switching module to power up. |
| active | This module is the active supervisor module and the switch is ready to be configured. |
| HA-standby | The HA switchover mechanism is enabled on the standby supervisor module (see the HA Switchover Characteristics section on page 17-2). |
| standby | The warm switchover mechanism is enabled on the standby supervisor module (see the HA Switchover Characteristics section on page 17-2). |

To view the state of a module from Device Manager, choose Physical > Modules. The dialog box
displays the status of every module.
This example shows the output of the dir bootflash: command:
root 14502912 Jan 13 12:23:52 1980 kickstart_image1
admin 14424576 Jan 14 06:47:29 1980 kickstart_image2
admin 14469632 Jan 14 01:29:16 1980 kickstart_image3
root 14490112 Jan 08 07:25:50 1980 kickstart_image4
root 12288 Jan 16 15:49:24 1980 lost+found/
admin 14466048 Jan 14 02:40:16 1980 kickstart_image5
admin 24206675 Jan 14 02:57:03 1980 m9500-sf1ek.bin
root 19084510 Jan 13 12:23:28 1980 system_image1
admin 19066505 Jan 14 06:45:16 1980 system_image2
admin 18960567 Jan 14 01:25:21 1980 system_image5

Usage for bootflash: filesystem


158516224 bytes total used
102400 bytes free
167255040 bytes available

Reloading Modules
You can reload the entire switch, reset specific modules in the switch, or reload the image on specific
modules in the switch.
This section includes the following topics:
- Reloading a Switch
- Power Cycling Modules

Reloading a Switch
To reload a switch using Fabric Manager, follow these steps:

Step 1 Do one of the following in the Logical Domains pane:


Click SAN to display a list of all switches in the SAN.
Click one of the fabrics to display a list of switches for that fabric.
Click a VSAN to display a list of switches for that VSAN.
Step 2 Expand Switches and select Hardware in the Physical Attributes pane.
You see a list of modules contained in the selected switches.
Step 3 Click the Card Module Status tab.
You see the information shown in Figure 19-2.

Figure 19-2 Card Module Status Tab

Step 4 Check the Reset check box in the row of the switch to reload.
Step 5 Click the Apply Changes icon.

Power Cycling Modules


To power cycle any module using Fabric Manager, follow these steps:

Step 1 Do one of the following in the Logical Domains pane:


Click SAN to display a list of all switches in the SAN.
Click one of the fabrics to display a list of switches for that fabric.
Click a VSAN to display a list of switches for that VSAN.
Step 2 Expand Switches and select Hardware from the Physical Attributes pane.
Step 3 Click the Card Module Status tab.

Step 4 Check the Reset check box in the row for the module(s) you want to reset.
Step 5 Click the Apply Changes icon.

Caution Resetting a module disrupts traffic through the module.

Preserving the Module Configuration


Use the copy running-config to startup-config procedure to save the new configuration into nonvolatile
storage. Once this procedure is complete, the running and the startup copies of the configuration are
identical.
To preserve the module configuration using Fabric Manager, follow these steps:

Step 1 Do one of the following in the Logical Domains pane:


Click SAN to display a list of all switches in the SAN.
Click one of the fabrics to display a list of switches for that fabric.
Click a VSAN to display a list of switches for that VSAN.
Step 2 Expand Switches and select Copy Configuration in the Physical Attributes pane.
You see a list of switches (see Figure 19-3).

Figure 19-3 List of Switches Available to Copy

Step 3 Click individual Select check boxes for switch configurations to copy.
Step 4 In the From column, ensure that runningConfig is selected.
Step 5 In the To column, ensure that startupConfig is selected.
Step 6 Click the Apply Changes icon.

Table 19-4 displays various scenarios when module configurations are preserved or lost.

Table 19-4 Switching Module Configuration Status

| Scenario | Consequence |
|---|---|
| A particular switching module is removed and the copy running-config startup-config command is issued again. | The configured module information is lost. |
| A particular switching module is removed and the same switching module is replaced before the copy running-config startup-config command is issued again. | The configured module information is preserved. |
| A particular switching module is removed and replaced with the same type switching module, and a reload module number command is issued. | The configured module information is preserved. |
| A particular switching module is reloaded when a reload module number command is issued. | The configured module information is preserved. |
| A particular switching module is removed and replaced with a different type of switching module. For example, a 16-port switching module is replaced with a 32-port switching module. | The configured module information is lost from the running configuration. The default configuration is applied. The configured module information remains in startup configuration until a copy running-config startup-config command is issued again. |
| Sample scenario: 1. The switch currently has a 16-port switching module and the startup and running configuration files are the same. | Sample response: 1. The switch uses the 16-port switching module and the present configuration is saved in nonvolatile storage. |
| 2. You replace the 16-port switching module in the switch with a 32-port switching module. | 2. The factory default configuration is applied. |
| 3. Next, you remove the 32-port switching module and replace it with the same 16-port switching module referred to in Step 1. | 3. The factory default configuration is applied. |
| 4. You reload the switch. | 4. The configuration saved in nonvolatile storage referred to in Step 1 is applied. |

Powering Off Switching Modules


By default, all switching modules are in the power up state.
To power off a module using Fabric Manager, follow these steps:

Step 1 Do one of the following in the Logical Domains pane:


Click SAN to display a list of all switches in the SAN.
Click one of the fabrics to display a list of switches for that fabric.
Step 2 Expand Switches and select Hardware in the Physical Attributes pane.
You see a list of modules contained in the selected switches.

Step 3 Click the Card Module Config tab.


Step 4 Select off from the drop-down list in the row for the module(s) you want to power off.
Step 5 Click the Apply Changes icon.

Note To power on a module, repeat Steps 1-4 but select on in Step 3.

Identifying Module LEDs


Table 19-5 describes the LEDs for the Cisco MDS 9200 Series integrated supervisor modules.

Table 19-5 LEDs for the Cisco MDS 9200 Series Supervisor Modules

| LED | Status | Description |
|---|---|---|
| Status | Green | All diagnostics pass. The module is operational (normal initialization sequence). |
| Status | Orange | One of the following applies: The module is booting or running diagnostics (normal initialization sequence). The inlet air temperature of the system has exceeded the maximum system operating temperature limit (a minor environmental warning). To ensure maximum product life, you should immediately correct the environmental temperature and restore the system to normal operation. |
| Status | Red | One of the following applies: The diagnostic test failed. The module is not operational because a fault occurred during the initialization sequence. The inlet air temperature of the system has exceeded the safe operating temperature limits of the card (a major environmental warning). The card has been shut down to prevent permanent damage. The system will be shut down after two minutes if this condition is not cleared. |
| Speed | On | 2-Gbps mode and beacon mode disabled. |
| Speed | Off | 1-Gbps mode and beacon mode disabled. |
| Speed | Flashing | Beacon mode enabled. See the Identifying the Beacon LEDs section on page 20-19. |
| Link | Solid green | Link is up. |
| Link | Solid yellow | Link is disabled by software. |
| Link | Flashing yellow | A fault condition exists. |
| Link | Off | No link. |

Table 19-6 describes the LEDs for the Cisco MDS 9200 Series interface module.

Table 19-6 LEDs on the Cisco MDS 9200 Series Interface Module

| LED | Status | Description |
|---|---|---|
| Status | Green | All diagnostics pass. The module is operational (normal initialization sequence). |
| Status | Orange | One of the following applies: The module is booting or running diagnostics (normal initialization sequence). The inlet air temperature of the system has exceeded the maximum system operating temperature limit (a minor environmental warning). To ensure maximum product life, you should immediately correct the environmental temperature and restore the system to normal operation. |
| Status | Red | One of the following applies: The diagnostic test failed. The module is not operational because a fault occurred during the initialization sequence. The inlet air temperature of the system has exceeded the safe operating temperature limits of the card (a major environmental warning). The card has been shut down to prevent permanent damage. |
| System | Green | All chassis environmental monitors are reporting OK. |
| System | Orange | One of the following applies: The power supply failed or the power supply fan failed. Incompatible power supplies are installed. The redundant clock failed. |
| System | Red | The temperature of the supervisor module exceeded the major threshold. |
| MGMT 10/100 Ethernet Link LED | Green | Link is up. |
| MGMT 10/100 Ethernet Link LED | Off | No link. |
| MGMT 10/100 Ethernet Activity LED | Green | Traffic is flowing through port. |
| MGMT 10/100 Ethernet Activity LED | Off | No link or no traffic. |

Table 19-7 describes the LEDs for the 16-port and 32-port switching modules, and the 4-port, 12-port,
24-port, and 48-port Generation 2 switching modules.

Table 19-7 LEDs for the Cisco MDS 9000 Family Fibre Channel Switching Modules

| LED | Status | Description |
|---|---|---|
| Status | Green | All diagnostics pass. The module is operational (normal initialization sequence). |
| Status | Orange | One of the following applies: The module is booting or running diagnostics (normal initialization sequence). The inlet air temperature of the system has exceeded the maximum system operating temperature limit (a minor environmental warning). To ensure maximum product life, you should immediately correct the environmental temperature and restore the system to normal operation. |
| Status | Red | One of the following applies: The diagnostic test failed. The module is not operational because a fault occurred during the initialization sequence. The inlet air temperature of the system has exceeded the safe operating temperature limits of the card (a major environmental warning). The card has been shut down to prevent permanent damage. |
| Speed | On | 2-Gbps mode. |
| Speed | Off | 1-Gbps mode. |
| Link | Solid green | Link is up. |
| Link | Steady flashing green | Link is up (beacon used to identify port). |
| Link | Intermittent flashing green | Link is up (traffic on port). |
| Link | Solid yellow | Link is disabled by software. |
| Link | Flashing yellow | A fault condition exists. |
| Link | Off | No link. |

The LEDs on the supervisor module indicate the status of the supervisor module, power supplies, and
the fan module. Table 19-8 provides more information about these LEDs.

Table 19-8 LEDs for the Cisco MDS 9500 Series Supervisor Modules

| LED | Status | Description |
|---|---|---|
| Status | Green | All diagnostics pass. The module is operational (normal initialization sequence). |
| Status | Orange | One of the following applies: The module is booting or running diagnostics (normal initialization sequence). An over temperature condition has occurred (a minor threshold has been exceeded during environmental monitoring). |
| Status | Red | One of the following applies: The diagnostic test failed. The module is not operational because a fault occurred during the initialization sequence. An over temperature condition occurred (a major threshold was exceeded during environmental monitoring). |
| System [1] | Green | All chassis environmental monitors are reporting OK. |
| System [1] | Orange | One of the following applies: The power supply has failed or the power supply fan has failed. Incompatible power supplies are installed. The redundant clock has failed. |
| System [1] | Red | The temperature of the supervisor module major threshold has been exceeded. |
| Active | Green | The supervisor module is operational and active. |
| Active | Orange | The supervisor module is in standby mode. |
| Pwr Mgmt [1] | Green | Sufficient power is available for all modules. |
| Pwr Mgmt [1] | Orange | Sufficient power is not available for all modules. |
| MGMT 10/100 Ethernet Link LED | Green | Link is up. |
| MGMT 10/100 Ethernet Link LED | Off | No link. |
| MGMT 10/100 Ethernet Activity LED | Green | Traffic is flowing through port. |
| MGMT 10/100 Ethernet Activity LED | Off | No link or no traffic. |
| CompactFlash | Green | The external CompactFlash card is being accessed. |
| CompactFlash | Off | No activity. |

[1] The System and Pwr Mgmt LEDs on a redundant supervisor module are synchronized to the active supervisor module.

Managing SSMs and Supervisor Modules


This section describes the considerations for replacing SSMs and supervisor modules and for upgrading
and downgrading Cisco MDS NX-OS and SAN-OS releases.

Considerations for Replacing SSMs and Supervisor Modules


If you replace an SSM or supervisor module, you should consider the following:
- If you replace an SSM with another SSM and the boot image is on bootflash:, you can
  leave the boot image installed on the active supervisor.
- If you replace an SSM with another SSM and the SSI boot image is on the modflash:, the SSM might
  not initialize. See the Recovering an SSM After Replacing Corrupted CompactFlash Memory
  section on page 19-33.
- If you replace an SSM with any other module, you can leave the boot image installed on the active
  supervisor or remove it. The active supervisor module detects the module type and boots the module
  appropriately.
- If you replace a supervisor module in a switch with active and standby supervisors, no action is
  required because the boot image is automatically synchronized to the new supervisor module.
- If you replace a supervisor module in a switch with no standby supervisor, you need to reimplement
  the configuration on the new supervisor.

Default Settings
Table 19-9 lists the default settings for the supervisor module.

Table 19-9 Default Supervisor Module Settings

| Parameters | Default |
|---|---|
| Administrative connection | Serial connection. |
| Global switch information | No value for system name. No value for system contact. No value for location. |
| System clock | No value for system clock time. |
| In-band (VSAN 1) interface | IP address, subnet mask, and broadcast address assigned to the VSAN are set to 0.0.0.0. |

Table 19-10 lists the default settings for the SSM.

Table 19-10 Default SSM Settings

| Parameters | Default |
|---|---|
| Initial state when installed | Power-down state on switches with Cisco MDS SAN-OS Release 2.1(1a) and earlier installed. Fibre Channel switching mode on switches with Cisco MDS SAN-OS Release 2.1(2) and NX-OS Release 4.1(1b), or later installed and SSMs with EPLD version 2.0 (2) and later installed. |

PART 3

Switch Configuration

CHAPTER 20
Configuring Interfaces

The main function of a switch is to relay frames from one data link to another. To relay the frames, the
characteristics of the interfaces through which the frames are received and sent must be defined. The
configured interfaces can be Fibre Channel interfaces, Gigabit Ethernet interfaces, the management
interface (mgmt0), or VSAN interfaces.
This chapter describes the basic interface configuration to get your switch up and running. It includes
the following sections:
- Common Interface Configuration
- Fibre Channel Interfaces
- TL Ports for Private Loops
- Buffer Credits
- Management Interfaces
- VSAN Interfaces
- Default Settings
See Chapter 12, Initial Configuration, and Chapter 51, Configuring IP Services, for more
information on configuring mgmt0 interfaces.
See Chapter 53, Configuring IPv4 for Gigabit Ethernet Interfaces, and Chapter 54, Configuring IPv6
for Gigabit Ethernet Interfaces, for more information on configuring Gigabit Ethernet interfaces.

Tip Before you begin configuring the switch, ensure that the modules in the chassis are functioning as
designed. See the Verifying the Module Status section on page 12-2.

Common Interface Configuration


Some configuration settings are similar for Fibre Channel, management, and VSAN interfaces. You can
configure interfaces from Fabric Manager by expanding Switches > Interfaces and selecting the
interface type from the Physical Attributes pane.
Figure 20-1 shows a sample of what you might see in the Information pane for Fibre Channel Interfaces.

Figure 20-1 Fibre Channel Interface Configuration

Fibre Channel Interfaces


This section describes Fibre Channel interface characteristics, including (but not limited to) modes,
frame encapsulation, states, SFPs, and speeds.
This section includes the following topics:
- Generation 1 Interfaces Configuration Guidelines
- About Interface Modes
- Configuring Interface Modes
- Configuring Administrative Speeds
- About Interface Descriptions
- Specifying a Port Owner
- Configuring Port Guard
- About Frame Encapsulation
- About Receive Data Field Size
- Configuring Receive Data Field Size
- Identifying the Beacon LEDs
- About Beacon Mode
- About Bit Error Thresholds
- About SFP Transmitter Types
- Displaying SFP Transmitter Types

Generation 1 Interfaces Configuration Guidelines


The 32-port switching module guidelines apply to the following hardware:
The 32-port, 2-Gbps or 1-Gbps switching module
The Cisco MDS 9124 and 9134 switches

When configuring these host-optimized ports, the following port mode guidelines apply:
- You can configure only the first port in each 4-port group (for example, the first port in ports 1-4,
  the fifth port in ports 5-8 and so on) as an E port. If the first port in the group is configured as an E
  port, the other three ports in each group (ports 2-4, 6-8 and so on) are not usable and remain
  shut down.
- If you execute the write erase command on a 32-port switching module, and then copy a saved
  configuration to the switch from a text file that contains the no system default switchport
  shutdown command, you need to copy the text file to the switch again for the E ports to come up
  without manual configuration.
- If any of the other three ports are enabled, you cannot configure the first port as an E port. The other
  three ports continue to remain enabled.
- The auto mode is not allowed in a 32-port switching module or the host-optimized ports in the Cisco
  9100 Series (16 host-optimized ports in the Cisco MDS 9120 switch and 32 host-optimized ports in
  the Cisco MDS 9140 switch).
- The default port mode is Fx (Fx negotiates to F or FL) for 32-port switching modules.
- The 32-port switching module does not support FICON.

Note We recommend that you configure your E ports on a 16-port switching module. If you must configure
an E port on a 32-port host-optimized switching module, the other three ports in that 4-port group cannot
be used.

Note In the Cisco MDS 9100 Series, the groups of ports that are located on the left and outlined in white are
full line rate. The other ports are host-optimized. Each group of 4 host-optimized ports has the same
features as the 32-port switching module.
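
The port mode guidelines above can be checked mechanically against a planned configuration before it is applied. The following Python sketch is an added example, not Cisco code or Fabric Manager output; the PortCfg record, the function names, and the sample configuration are constructed for illustration, and treating unlisted ports as shut down is an assumption of the example.

```python
from __future__ import annotations

from dataclasses import dataclass

PORTS_PER_MODULE = 32  # 32-port host-optimized switching module
GROUP_SIZE = 4         # ports are grouped 1-4, 5-8, ... per the guidelines


@dataclass(frozen=True)
class PortCfg:
    """Hypothetical per-port record; not a Fabric Manager or NX-OS structure."""
    mode: str = "Fx"       # guideline: default port mode is Fx on 32-port modules
    enabled: bool = False  # assumption of this example: unlisted ports are shut down


def group_first(port: int) -> int:
    """Return the first port number of the 4-port group that contains `port`."""
    return ((port - 1) // GROUP_SIZE) * GROUP_SIZE + 1


def check_32port_module(cfg: dict[int, PortCfg]) -> list[str]:
    """Return one finding per violation of the 32-port port mode guidelines."""
    findings = []

    # Reject port numbers that do not exist on the module.
    for port in sorted(cfg):
        if not 1 <= port <= PORTS_PER_MODULE:
            findings.append(f"port {port}: not a valid port on a 32-port module")

    for port in range(1, PORTS_PER_MODULE + 1):
        mode = cfg.get(port, PortCfg()).mode.lower()
        first = group_first(port)

        if mode == "auto":
            # Guideline: auto mode is not allowed on a 32-port switching module.
            findings.append(f"port {port}: auto mode is not allowed on a 32-port module")
        elif mode == "e" and port != first:
            # Guideline: only the first port of each 4-port group can be an E port.
            findings.append(
                f"port {port}: E mode is only allowed on port {first}, "
                f"the first port of its group"
            )
        elif mode == "e":
            # Guideline: the first port cannot be an E port while any of the
            # other three ports in the group is enabled.
            busy = [
                other
                for other in range(first + 1, first + GROUP_SIZE)
                if cfg.get(other, PortCfg()).enabled
            ]
            if busy:
                findings.append(
                    f"port {port}: E mode conflicts with enabled port(s) {busy} "
                    f"in group {first}-{first + GROUP_SIZE - 1}"
                )
    return findings


# Constructed sample configuration (not taken from a real switch).
SAMPLE_CFG = {
    1: PortCfg("E", True),      # valid: first port of group 1-4, others shut down
    5: PortCfg("E", True),      # invalid: port 7 in the same group is enabled
    7: PortCfg("F", True),
    10: PortCfg("E", True),     # invalid: not the first port of group 9-12
    13: PortCfg("auto", True),  # invalid: auto mode on a 32-port module
}

if __name__ == "__main__":
    for finding in check_32port_module(SAMPLE_CFG):
        print(finding)
```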

About Interface Modes


Each physical Fibre Channel interface in a switch may operate in one of several port modes: E port, F
port, FL port, TL port, TE port, SD port, ST port, and B port (see Figure 20-2). Besides these modes, each
interface may be configured in auto or Fx port modes. These two modes determine the port type during
interface initialization.

Figure 20-2 Cisco MDS 9000 Family Switch Port Modes

Note Interfaces are created in VSAN 1 by default. See Chapter 26, Configuring and Managing VSANs.

Each interface has an associated administrative configuration and an operational status:


The administrative configuration does not change unless you modify it. This configuration has
various attributes that you can configure in administrative mode.
The operational status represents the current status of a specified attribute like the interface speed.
This status cannot be changed and is read-only. Some values may not be valid when the interface is
down (for example, the operational speed).

Note When a module is removed and replaced with the same type of module, the configuration is retained. If
a different type of module is inserted, then the original configuration is no longer retained.

Each interface is briefly described in the sections that follow.

E Port
In expansion port (E port) mode, an interface functions as a fabric expansion port. This port may be
connected to another E port to create an Inter-Switch Link (ISL) between two switches. E ports carry
frames between switches for configuration and fabric management. They serve as a conduit between
switches for frames destined to remote N ports and NL ports. E ports support class 2, class 3, and class
F service.
An E port connected to another switch may also be configured to form a PortChannel (see Chapter 23,
Configuring PortChannels).

Note We recommend that you configure E ports on 16-port modules. If you must configure an E port on a
32-port oversubscribed module, then you can only use the first port in a group of four ports (for example,
ports 1 through 4, 5 through 8, and so forth). The other three ports cannot be used.

F Port
In fabric port (F port) mode, an interface functions as a fabric port. This port may be connected to a
peripheral device (host or disk) operating as an N port. An F port can be attached to only one N port. F
ports support class 2 and class 3 service.

FL Port
In fabric loop port (FL port) mode, an interface functions as a fabric loop port. This port may be
connected to one or more NL ports (including FL ports in other switches) to form a public arbitrated
loop. If more than one FL port is detected on the arbitrated loop during initialization, only one FL port
becomes operational and the other FL ports enter nonparticipating mode. FL ports support class 2 and
class 3 service.

Note FL port mode is not supported on 4-port 10-Gbps switching module interfaces.

NP Ports
An NP port is a port on a device that is in NPV mode and connected to the core switch via an F port. NP
ports behave like N ports except that in addition to providing N port behavior, they also function as
proxies for multiple, physical N ports.
For more details about NP ports and NPV, see Chapter 21, Configuring N Port Virtualization.

TL Port
In translative loop port (TL port) mode, an interface functions as a translative loop port. It may be
connected to one or more private loop devices (NL ports). TL ports are specific to Cisco MDS 9000
Family switches and have properties similar to those of FL ports. TL ports enable communication between a
private loop device and one of the following devices:
A device attached to any switch on the fabric
A device on a public loop anywhere in the fabric
A device on a different private loop anywhere in the fabric
A device on the same private loop
TL ports support class 2 and class 3 services.
Private loop devices refer to legacy devices that reside on arbitrated loops. These devices are not aware
of a switch fabric because they only communicate with devices on the same physical loop (see the
About TL Port ALPA Caches section on page 20-25).

Tip We recommend configuring devices attached to TL ports in zones that have up to 64 zone members.

Note TL port mode is not supported on Generation 2 switching module interfaces.

TE Port
In trunking E port (TE port) mode, an interface functions as a trunking expansion port. It may be
connected to another TE port to create an extended ISL (EISL) between two switches. TE ports are
specific to Cisco MDS 9000 Family switches. They expand the functionality of E ports to support the
following:
VSAN trunking
Transport quality of service (QoS) parameters
Fibre Channel trace (fctrace) feature
In TE port mode, all frames are transmitted in EISL frame format, which contains VSAN information.
Interconnected switches use the VSAN ID to multiplex traffic from one or more VSANs across the same
physical link. This feature is referred to as trunking in the Cisco MDS 9000 Family (see Chapter 24,
Configuring Trunking). TE ports support class 2, class 3, and class F service.

TF Port
In trunking F port (TF port) mode, an interface functions as a trunking expansion port. It may be
connected to another trunked N port (TN port) or trunked NP port (TNP port) to create a link between a
core switch and an NPV switch or an HBA to carry tagged frames. TF ports are specific to Cisco MDS
9000 Family switches. They expand the functionality of F ports to support VSAN trunking.
In TF port mode, all frames are transmitted in EISL frame format, which contains VSAN information.
Interconnected switches use the VSAN ID to multiplex traffic from one or more VSANs across the same
physical link. This feature is referred to as trunking in the Cisco MDS 9000 Family (see Chapter 24,
Configuring Trunking). TF ports support class 2, class 3, and class F service.

TNP Port
In trunking NP port (TNP port) mode, an interface functions as a trunking expansion port. It may be
connected to a trunked F port (TF port) to create a link to a core NPIV switch from an NPV switch to
carry tagged frames.

SD Port
In SPAN destination port (SD port) mode, an interface functions as a switched port analyzer (SPAN).
The SPAN feature is specific to switches in the Cisco MDS 9000 Family. It monitors network traffic that
passes through a Fibre Channel interface. This monitoring is done using a standard Fibre Channel
analyzer (or a similar switch probe) that is attached to an SD port. SD ports do not receive frames; they
merely transmit a copy of the source traffic. The SPAN feature is nonintrusive and does not affect
switching of network traffic for any SPAN source ports (see Chapter 60, Monitoring Network Traffic
Using SPAN).

ST Port
In the SPAN tunnel port (ST port) mode, an interface functions as an entry point port in the source switch
for the RSPAN Fibre Channel tunnel. The ST port mode and the remote SPAN (RSPAN) feature are
specific to switches in the Cisco MDS 9000 Family. When configured in ST port mode, the interface
cannot be attached to any device, and thus cannot be used for normal Fibre Channel traffic (see the
Configuring SPAN section on page 60-6).

Note ST port mode is not supported on the Cisco MDS 9124 Fabric Switch, the Cisco Fabric Switch for HP
c-Class BladeSystem, and the Cisco Fabric Switch for IBM BladeCenter.

Fx Port
Interfaces configured as Fx ports can operate in either F port or FL port mode. The Fx port mode is
determined during interface initialization depending on the attached N port or NL port. This
administrative configuration prevents interfaces from operating in any other mode, for example, preventing
an interface from connecting to another switch.

B Port
While E ports typically interconnect Fibre Channel switches, some SAN extender devices, such as the
Cisco PA-FC-1G Fibre Channel port adapter, implement a bridge port (B port) model to connect
geographically dispersed fabrics. This model uses B ports as described in the T11 Standard FC-BB-2.
Figure 52-1 on page 52-2 depicts a typical SAN extension over an IP network.
If an FCIP peer is a SAN extender device that only supports Fibre Channel B ports, you need to enable
the B port mode for the FCIP link. When a B port is enabled, the E port functionality is also enabled and
they coexist. If the B port is disabled, the E port functionality remains enabled (see Chapter 52,
Configuring IP Storage).

Auto Mode
Interfaces configured in auto mode can operate in one of the following modes: F port, FL port, E port,
TE port, or TF port. The port mode is determined during interface initialization. For example, if the
interface is connected to a node (host or disk), it operates in F port or FL port mode depending on the N
port or NL port mode. If the interface is attached to a third-party switch, it operates in E port mode. If
the interface is attached to another switch in the Cisco MDS 9000 Family, it may become operational in
TE port mode (see Chapter 24, Configuring Trunking).
TL ports and SD ports are not determined during initialization and are administratively configured.

Note Fibre Channel interfaces on Storage Services Modules (SSMs) cannot be configured in auto mode.

About Interface States


The interface state depends on the administrative configuration of the interface and the dynamic state of
the physical link.

Administrative States
The administrative state refers to the administrative configuration of the interface as described in
Table 20-1.

Table 20-1 Administrative States

| Administrative State | Description |
|---|---|
| Up | Interface is enabled. |
| Down | Interface is disabled. If you administratively disable an interface by shutting down that interface, the physical link layer state change is ignored. |

Operational States
The operational state indicates the current operational state of the interface as described in Table 20-2.

Table 20-2 Operational States

| Operational State | Description |
|---|---|
| Up | Interface is transmitting or receiving traffic as desired. To be in this state, an interface must be administratively up, the interface link layer state must be up, and the interface initialization must be completed. |
| Down | Interface cannot transmit or receive (data) traffic. |
| Trunking | Interface is operational in TE or TF mode. |

Reason Codes
Reason codes are dependent on the operational state of the interface as described in Table 20-3.

Table 20-3 Reason Codes for Interface States

| Administrative Configuration | Operational Status | Reason Code |
|---|---|---|
| Up | Up | None. |
| Down | Down | Administratively down: If you administratively configure an interface as down, you disable the interface. No traffic is received or transmitted. |
| Up | Down | See Table 20-4. |

Note Only some of the reason codes are listed in Table 20-4.

If the administrative state is up and the operational state is down, the reason code differs based on the
nonoperational reason code as described in Table 20-4.

Table 20-4 Reason Codes for Nonoperational States

| Reason Code (long version) | Description | Applicable Modes |
|---|---|---|
| Link failure or not connected | The physical layer link is not operational. | All |
| SFP not present | The small form-factor pluggable (SFP) hardware is not plugged in. | All |
| Initializing | The physical layer link is operational and the protocol initialization is in progress. | All |
| Reconfigure fabric in progress | The fabric is currently being reconfigured. | All |
| Offline | The Cisco NX-OS software waits for the specified R_A_TOV time before retrying initialization. | All |
| Inactive | The interface VSAN is deleted or is in a suspended state. To make the interface operational, assign that port to a configured and active VSAN. | All |
| Hardware failure | A hardware failure is detected. | All |
| Error disabled | Error conditions require administrative attention. Interfaces may be error-disabled for various reasons. For example: configuration failure; incompatible buffer-to-buffer credit configuration. To make the interface operational, you must first fix the error conditions causing this state; and next, administratively shut down or enable the interface. | All |
| FC redirect failure | A port is isolated because a Fibre Channel redirect is unable to program routes. | All |
| No port activation license | A port is not active because it does not have a port available license. | All |
| SDM failure | A port is isolated because SDM is unable to program routes. | All |
| Isolation due to ELP failure | The port negotiation failed. | Only E ports and TE ports |
| Isolation due to ESC failure | The port negotiation failed. | Only E ports and TE ports |
| Isolation due to domain overlap | The Fibre Channel domains (fcdomain) overlap. | Only E ports and TE ports |
| Isolation due to domain ID assignment failure | The assigned domain ID is not valid. | Only E ports and TE ports |
| Isolation due to the other side of the link E port isolated | The E port at the other end of the link is isolated. | Only E ports and TE ports |
| Isolation due to invalid fabric reconfiguration | The port is isolated due to fabric reconfiguration. | Only E ports and TE ports |
| Isolation due to domain manager disabled | The fcdomain feature is disabled. | Only E ports and TE ports |
| Isolation due to zone merge failure | The zone merge operation failed. | Only E ports and TE ports |
| Isolation due to VSAN mismatch | The VSANs at both ends of an ISL are different. | Only E ports and TE ports |
| Nonparticipating | FL ports cannot participate in loop operations. It may happen if more than one FL port exists in the same loop, in which case all but one FL port in that loop automatically enters nonparticipating mode. | Only FL ports and TL ports |
| PortChannel administratively down | The interfaces belonging to the PortChannel are down. | Only PortChannel interfaces |
| Suspended due to incompatible speed | The interfaces belonging to the PortChannel have incompatible speeds. | Only PortChannel interfaces |
| Suspended due to incompatible mode | The interfaces belonging to the PortChannel have incompatible modes. | Only PortChannel interfaces |
| Suspended due to incompatible remote switch WWN | An improper connection is detected. All interfaces in a PortChannel must be connected to the same pair of switches. | Only PortChannel interfaces |

For the Cisco Fabric Switch for HP c-Class BladeSystem and the Cisco Fabric Switch for IBM
BladeCenter, you can configure a range of interfaces among internal ports or external ports, but you
cannot mix both interface types within the same range. For example, bay 1-10, bay 12 or ext 0, ext
15-18 are valid ranges, but bay 1-5, ext 15-17 is not.

Graceful Shutdown
Interfaces on a port are shut down by default (unless you modified the initial configuration).
The Cisco NX-OS software implicitly performs a graceful shutdown in response to either of the
following actions for interfaces operating in the E port mode:
If you shut down an interface.
If a Cisco NX-OS software application executes a port shutdown as part of its function.
A graceful shutdown ensures that no frames are lost when the interface is shutting down. When a
shutdown is triggered either by you or the Cisco NX-OS software, the switches connected to the
shutdown link coordinate with each other to ensure that all frames in the ports are safely sent through
the link before shutting down. This enhancement reduces the chance of frame loss.
A graceful shutdown is not possible in the following situations:
If you physically remove the port from the switch.
If in-order-delivery (IOD) is enabled (see In-Order Delivery section on page 32-15).
If the Min_LS_interval is higher than 10 seconds.

Note This feature is only triggered if both switches at either end of this E port interface are MDS switches and
are running Cisco SAN-OS Release 2.0(1b) or later, or MDS NX-OS Release 4.1(1a) or later.

Setting the Interface Administrative State


To disable or enable an interface using Fabric Manager, follow these steps:

Step 1 Either expand Switches > Interfaces and then select Gigabit Ethernet or expand Switches > Interfaces
and then select FC Physical. You see the interface configuration in the Information pane.
Step 2 Click the General tab.
Step 3 Click Admin.
You see the drop-down box shown in Figure 20-3.

Figure 20-3 Changing the Administrative Status of a Switch

Step 4 Set the status to down (disable) or up (enable).

Step 5 (Optional) Set other configuration parameters using the other tabs.
Step 6 Click Apply Changes.

Configuring Interface Modes

Note To ensure that ports that are part of ISLs do not get changed to port mode F, configure the ports in port
mode E, rather than in Auto mode.

To configure the interface mode using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces, and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the General tab.
Step 3 Click Mode Admin. Set the desired interface mode from the Admin drop-down menu.
Step 4 (Optional) Set other configuration parameters using the other tabs.
Step 5 Click the Apply Changes icon.

Configuring Administrative Speeds


By default, the port administrative speed for an interface is automatically calculated by the switch.

Caution Changing the port administrative speed is a disruptive operation.

To configure administrative speed of the interface using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces, and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the General tab.
Step 3 Click Speed Admin. Set the desired speed from the drop-down menu.
The number indicates the speed in megabits per second (Mbps). You can set the speed to 1-Gbps, 2-Gbps,
4-Gbps, 8-Gbps, or auto (default).
Step 4 Click Apply Changes.

For internal ports on the Cisco Fabric Switch for HP c-Class BladeSystem and Cisco Fabric Switch for
IBM BladeCenter, a port speed of 1 Gbps is not supported. Auto-negotiation is supported between 2
Gbps and 4 Gbps only. Also, if the BladeCenter is a T chassis, then port speeds are fixed at 2 Gbps and
auto-negotiation is not enabled.

Autosensing
Autosensing speed is enabled on all 4-Gbps and 8-Gbps switching module interfaces by default. This
configuration enables the interfaces to operate at speeds of 1 Gbps, 2 Gbps, or 4 Gbps on the 4-Gbps
switching modules, and 8-Gbps on the 8-Gbps switching modules. When autosensing is enabled for an
interface operating in dedicated rate mode, 4-Gbps of bandwidth is reserved, even if the port negotiates
at an operating speed of 1-Gbps or 2-Gbps.
To avoid wasting unused bandwidth on 48-port and 24-port 4-Gbps and 8-Gbps Fibre Channel switching
modules, you can specify that only 2 Gbps of required bandwidth be reserved, not the default of 4 Gbps
or 8-Gbps. This feature shares the unused bandwidth within the port group provided that it does not
exceed the rate limit configuration for the port. You can also use this feature for shared rate ports that
are configured for autosensing.

Tip When migrating a host that supports up to 2-Gbps traffic (that is, not 4-Gbps with autosensing
capabilities) to the 4-Gbps switching modules, use autosensing with a maximum bandwidth of 2-Gbps.
When migrating a host that supports up to 4-Gbps traffic (that is, not 8-Gbps with autosensing
capabilities) to the 8-Gbps switching modules, use autosensing with a maximum bandwidth of 4-Gbps.

Specifying a Port Owner


Using the port owner feature, you can specify the owner of a port and the purpose for which a port is
used so that the other administrators are informed.

Note The port guard and port owner features are available for all ports irrespective of the operational mode.

To specify or remove the port owner using the Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the General tab (see Figure 20-4) and then select the port.

Figure 20-4 Fabric Manager - Port Owner

Step 3 In the Owner text box, enter a port owner and the purpose for which the port is used.

To specify or remove the port owner using the Device Manager, follow these steps:

Step 1 Double-click the interface in the modules panel.


Step 2 Click the General tab.

Figure 20-5 Device Manager - Port Owner

Step 3 In the Owner text box, enter a port owner and the purpose for which the port is used.
Step 4 Click Apply.

Configuring Port Guard


Using the port guard feature, you can restrict the number of error reports and bring a malfunctioning port
to a down state dynamically. A link failure can be caused by any of the following:
General link failure.
Link failure due to loss of signal (LOS) or not operational (NOS).
High bit error rate.
Too many interrupts.
Cable is disconnected.
BB_credit buffers overflow.
Hardware recoverable errors.
The connected device rebooted (F ports only).
The connected linecard rebooted (ISL only).
The port guard feature is intended for use in environments where the system and application environment
does not adapt quickly and efficiently to a port going down and back up, or to a port rapidly cycling up
and down, which can happen in some failure modes. For example, if a system takes five seconds to
stabilize after a port goes down, but the port is going up and down once a second, this might ultimately
cause a more severe failure in the fabric.
The port guard feature gives the SAN administrator the ability to prevent this issue from occurring in
environments that are vulnerable to these problems. The port can be configured to stay down after the
first failure, or after a specified number of failures in a specified time period. This allows the SAN
administrator to intervene and control the recovery, avoiding any problems caused by the cycling.

Note Even if the link does not flap due to failure of the link, and port guard is not enabled, the port goes into
a down state if too many invalid FLOGI requests are received from the same host.

To enable port guard using the Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces, and then select FC Physical.


You see the interface configuration in the Information pane.

Step 2 Click the Port Guard tab and then select the port (see Figure 20-6).

Figure 20-6 Fabric Manager - Port Guard Tab

Step 3 Check the check box in the Enable column.


Step 4 (Optional) Enter the Duration in seconds and NumFlaps. If the values are 0, the port is brought to a down
state if the link flaps even once. Otherwise, the link is brought to a down state if the link flaps
NumFlaps times within the Duration (in seconds).
Step 5 Click Apply to activate the configuration.

To enable port guard for multiple interfaces using the Device Manager, follow these steps:

Step 1 From the menu bar, select Interface > FC All.


You see the FC Interfaces configuration window.
Step 2 Click the Port Guard tab and then select the port (see Figure 20-7).

Figure 20-7 Device Manager - Port Guard Tab

Step 3 Check the check box in the Enable column.

Step 4 (Optional) Enter the Duration in seconds and NumFlaps. If the values are 0, the port goes into a down
state even if the link flaps once. Otherwise, the link goes into a down state if the link flaps
NumFlaps times within the Duration (in seconds).
Step 5 Click Apply to activate the configuration.

To enable port guard for a single interface using the Device Manager, follow these steps:

Step 1 Right-click the interface in the module panel, and then choose Configure from the menu.
You see the Interface configuration window.
Step 2 Click the Port Guard tab (see Figure 20-8).

Figure 20-8 Device Manager - Interface Port Guard Tab

Step 3 Check the Enable check box.


Step 4 (Optional) Enter the Duration in seconds and NumFlaps. If the values are 0, the port goes into a down
state even if the link flaps once. Otherwise, the link goes into a down state if the link flaps
NumFlaps times within the Duration (in seconds).
Step 5 Click Apply to activate the configuration.

About Interface Descriptions


Interface descriptions should help you identify the traffic or use for that interface. The interface
description can be any alphanumeric string.

About Frame Encapsulation


You can set the frame format to EISL for all frames transmitted by the interface in SD port mode. If you
set the frame encapsulation to EISL, all outgoing frames are transmitted in the EISL frame format,
irrespective of the SPAN source(s). See the Monitoring Network Traffic Using SPAN section on
page 60-1.
Refer to the Cisco MDS 9000 Family CLI Configuration Guide to configure frame encapsulation on an
interface.

About Receive Data Field Size


You can also configure the receive data field size for Fibre Channel interfaces. If the default data field
size is 2112 bytes, the frame length will be 2148 bytes.

Configuring Receive Data Field Size


To configure the receive data field size using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the Other tab and set the RxDataFieldSize field (see Figure 20-9).

Figure 20-9 Changing Rx Data Size

Step 3 (Optional) Set other configuration parameters using the other tabs.
Step 4 Click Apply Changes.

Identifying the Beacon LEDs


Figure 20-10 displays the status, link, and speed LEDs in a 16-port switching module.

Figure 20-10 Cisco MDS 9000 Family Switch Interface Modes

Callouts in Figure 20-10:
1 Status LED [note 1]
2 1/2-Gbps Fibre Channel port group
3 Link LEDs [note 1] and speed LEDs [note 2]
4 Asset tag [note 3]
Note 1. See the Identifying Module LEDs section on page 19-9.
Note 2. See the About Speed LEDs section on page 20-20.
Note 3. Refer to the Cisco MDS 9000 Family hardware installation guide for your platform.

About Speed LEDs


Each port has one link LED on the left and one speed LED on the right.
The speed LED displays the speed of the port interface:
Off: The interface attached to that port is functioning at 1000 Mbps.
On (solid green): The interface attached to that port is functioning at 2000 Mbps (for 2 Gbps
interfaces).
The speed LED also displays if the beacon mode is enabled or disabled:
Off or solid green: Beacon mode is disabled.
Flashing green: The beacon mode is enabled. The LED flashes at one-second intervals.

Note Generation 2 and Generation 3 modules and Fabric Switches do not have speed LEDs.

About Beacon Mode


By default, the beacon mode is disabled on all switches. The beacon mode is indicated by a flashing
green light that helps you identify the physical location of the specified interface.
Configuring the beacon mode has no effect on the operation of the interface.

Configuring Beacon Mode


To enable beacon mode for a specified interface or range of interfaces using Fabric Manager, follow
these steps:

Step 1 Expand Switches > Interfaces and then select Gigabit Ethernet.
You see the interface configuration in the Information pane.

Step 2 Enable the Beacon Mode option for the selected switch.
Step 3 Click Apply Changes.

Note The flashing green light turns on automatically when an external loopback is detected that causes the
interfaces to be isolated. The flashing green light overrides the beacon mode configuration. The state of
the LED is restored to reflect the beacon mode configuration after the external loopback is removed.

About Bit Error Thresholds


The bit error rate threshold is used by the switch to detect an increased error rate before performance
degradation seriously affects traffic.
The bit errors can occur for the following reasons:
Faulty or bad cable.
Faulty or bad GBIC or SFP.
GBIC or SFP is specified to operate at 1 Gbps but is used at 2 Gbps.
GBIC or SFP is specified to operate at 2 Gbps but is used at 4 Gbps.
Short haul cable is used for long haul or long haul cable is used for short haul.
Momentary sync loss.
Loose cable connection at one or both ends.
Improper GBIC or SFP connection at one or both ends.
A bit error rate threshold is detected when 15 error bursts occur in a 5-minute period. By default, the
switch disables the interface when the threshold is reached. You can reenable the interface.
You can configure the switch to not disable an interface when the threshold is crossed. By default, the
threshold disables the interface.
Refer to the Cisco MDS 9000 Family CLI Configuration Guide to disable the bit error threshold for an
interface.

Note Regardless of whether you disable the bit error threshold for an interface, the switch generates
a syslog message when bit error threshold events are detected.
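
The port guard rule described earlier (NumFlaps within Duration, with both values 0 meaning the port goes down on the first flap) and the bit error threshold above (15 error bursts in a 5-minute period) are both event-count-in-a-window checks. The following Python model is an added example, not Cisco code: the sliding-window interpretation, the names WindowGuard, first_trip and flaps_during_recovery, and the sample timelines are assumptions constructed here to show how the settings behave.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Iterable, Optional


@dataclass
class WindowGuard:
    """Latch 'down' once `threshold` events fall within `window_s` seconds.

    threshold == 0 and window_s == 0 is the port guard setting described in
    the text: the port is brought down on the first flap.
    """
    threshold: int
    window_s: float
    tripped_at: Optional[float] = None
    _recent: Deque[float] = field(default_factory=deque, repr=False)

    def __post_init__(self) -> None:
        # The text defines only "both 0" and "both set"; this model rejects
        # mixed values rather than guess what the switch does (assumption).
        if (self.threshold == 0) != (self.window_s == 0):
            raise ValueError("set both values to 0 or both to non-zero")
        if self.threshold < 0 or self.window_s < 0:
            raise ValueError("values must not be negative")

    def record(self, t: float) -> bool:
        """Record one event at time t (seconds). Return True while tripped."""
        if self.tripped_at is not None:
            return True                  # stays down until an admin resets it
        if self.threshold == 0:
            self.tripped_at = t          # down on the very first event
            return True
        self._recent.append(t)
        # Sliding window (assumption): keep events no older than window_s.
        while t - self._recent[0] > self.window_s:
            self._recent.popleft()
        if len(self._recent) >= self.threshold:
            self.tripped_at = t
        return self.tripped_at is not None

    def admin_reset(self) -> None:
        """Model the administrator re-enabling the port after intervening."""
        self.tripped_at = None
        self._recent.clear()


def first_trip(events: Iterable[float], threshold: int,
               window_s: float) -> Optional[float]:
    """Time at which the guard brings the port down, or None if it never does."""
    guard = WindowGuard(threshold, window_s)
    for t in sorted(events):
        if guard.record(t):
            return t
    return None


def flaps_during_recovery(events: Iterable[float], settle_s: float) -> int:
    """Count flaps that arrive before the system settled from the previous one."""
    ordered = sorted(events)
    return sum(1 for prev, cur in zip(ordered, ordered[1:])
               if cur - prev < settle_s)


# Constructed timelines in seconds; none of this is captured from a switch.
FLAP_EVERY_SECOND = [float(s) for s in range(10)]   # the text's 1 flap/s case
FLAP_EVERY_MINUTE = [60.0 * m for m in range(4)]    # slow, isolated flaps
BURSTS_EVERY_20S = [20.0 * i for i in range(15)]    # 15 bursts inside 280 s
BURSTS_EVERY_25S = [25.0 * i for i in range(30)]    # at most 13 in any 300 s

BIT_ERROR_BURSTS, BIT_ERROR_WINDOW_S = 15, 300      # values stated in the text

if __name__ == "__main__":
    print("unguarded flaps hitting a 5 s recovery:",
          flaps_during_recovery(FLAP_EVERY_SECOND, 5.0))
    print("port guard 0/0 trips at:", first_trip(FLAP_EVERY_SECOND, 0, 0))
    print("port guard 5 flaps/10 s trips at:",
          first_trip(FLAP_EVERY_SECOND, 5, 10))
    print("port guard 3 flaps/30 s, slow flaps:",
          first_trip(FLAP_EVERY_MINUTE, 3, 30))
    print("bit error threshold, bursts every 20 s:",
          first_trip(BURSTS_EVERY_20S, BIT_ERROR_BURSTS, BIT_ERROR_WINDOW_S))
    print("bit error threshold, bursts every 25 s:",
          first_trip(BURSTS_EVERY_25S, BIT_ERROR_BURSTS, BIT_ERROR_WINDOW_S))
```

Running the model against your own flap timestamps (for example, extracted from syslog) shows whether a candidate NumFlaps/Duration pair would have held the port down before the attached systems were hit by repeated recoveries.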

Switch Port Attribute Default Values


You can configure attribute default values for various switch port attributes. These attributes will be
applied globally to all future switch port configurations, even if you do not individually specify them at
that time.
Refer to the Cisco MDS 9000 Family CLI Configuration Guide to configure switch port attributes.

About SFP Transmitter Types


The small form-factor pluggable (SFP) hardware transmitters are identified by their acronyms when
displayed. Table 20-5 defines the acronyms used for SFPs (see the Displaying SFP Transmitter Types
section on page 20-22).

Table 20-5 SFP Transmitter Acronym Definitions

| Definition | Acronym |
|---|---|
| Standard transmitters defined in the GBIC specifications | |
| short wave laser | swl |
| long wave laser | lwl |
| long wave laser cost reduced | lwcr |
| electrical | elec |
| Extended transmitters assigned to Cisco-supported SFPs | |
| CWDM-1470 | c1470 |
| CWDM-1490 | c1490 |
| CWDM-1510 | c1510 |
| CWDM-1530 | c1530 |
| CWDM-1550 | c1550 |
| CWDM-1570 | c1570 |
| CWDM-1590 | c1590 |
| CWDM-1610 | c1610 |

Displaying SFP Transmitter Types


To show the SFP types for an interface using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces and then select FC Physical. You see the interface configuration in the
Information pane.
Step 2 Click the Physical tab to see the transmitter type for the selected interface.

About Gathering Interface Statistics


You can use Fabric Manager or Device Manager to collect interface statistics on any switch. These
statistics are collected at intervals that you can set.

Gathering Interface Statistics

Note In Fabric Manager, you can collect interface statistics by expanding Switches > ISLs and selecting
Statistics from the Physical Attributes pane.

To gather and display interface counters using Device Manager, follow these steps:

Step 1 Right-click an interface and select Monitor.


You see the Interface Monitor dialog box.
Step 2 Set both the number of seconds at which you want to poll the interface statistics and how you want the
data represented in the Interval drop-down menus. For example, click 10s and LastValue/sec.
Step 3 Select any tab shown in Figure 20-11 to view those related statistics.

Figure 20-11 Device Manager Interface Monitor Dialog Box

Step 4 (Optional) Click the Pencil icon to reset the cumulative counters.
Step 5 (Optional) Click the Save icon to save the gathered statistics to a file or select the Print icon to print the
statistics.
Step 6 Click Close when you are finished gathering and displaying statistics.

TL Ports for Private Loops


Private loops require setting the interface mode to TL. This section describes TL ports and includes the
following sections:
About TL Ports, page 20-24
Configuring TL Ports, page 20-25
About TL Port ALPA Caches, page 20-25

About TL Ports
TL port mode is not supported on the following:
• Generation 2 switching module interfaces
• Cisco MDS 9124 Fabric Switch
• Cisco Fabric Switch for HP c-Class BladeSystem
• Cisco Fabric Switch for IBM BladeCenter
Private loop devices refer to legacy devices that reside on arbitrated loops. These devices are not aware
of a switch fabric because they only communicate with devices on the same physical loop.
The legacy devices are used in Fibre Channel networks and devices outside the loop may need to
communicate with them. The communication functionality is provided through TL ports. See the About
Interface Modes section on page 20-3.
Follow these guidelines when configuring private loops:
• A maximum of 64 fabric devices can be proxied to a private loop.
• Fabric devices must be in the same zone as private loop devices to be proxied to the private loop.
• Each private device on a TL port may be included in a different zone.
• All devices on the loop are treated as private loops. You cannot mix private and public devices on
  the loop if the configured port mode is TL.
• The only FC4-type supported by TL ports is SCSI (FCP).
• Communication between a private initiator and a private target on the same private loop does not
  invoke TL port services.
Table 20-6 lists the TL port translations supported in Cisco MDS 9000 Family switches. Figure 20-12
shows examples of TL port translation support.

Table 20-6 Supported TL Port Translations

Translation from         | Translation to         | Example
Private initiator        | Private target         | From I1 to T1 or vice versa
Private initiator        | Public target N port   | From I1 to T2 or vice versa
Private initiator        | Public target NL port  | From I4 to T3 or vice versa
Public initiator N port  | Private target         | From I2 to T1 or vice versa
Public initiator NL port | Private target         | From I3 to T1 or vice versa

Figure 20-12 TL Port Translation Support Examples

[Figure not reproduced. Labels: private initiators I1 and I4, private target T1, public initiators I2 and
I3, public targets T2 and T3; private loop, public loop; TL, F, FL, N, and NL ports.]

Configuring TL Ports
To configure the TL interface mode using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces and then select FC Physical. You see the interface configuration in the
Information pane.
Step 2 Click the General tab and click Mode Admin.
Step 3 Set the Mode Admin drop-down menu to TL.
Step 4 (Optional) Set other configuration parameters using the other tabs.
Step 5 Click Apply Changes.

About TL Port ALPA Caches


Although TL ports cannot be automatically configured, you can manually configure entries in arbitrated
loop physical address (ALPA) caches. Generally, ALPA cache entries are automatically populated when
an ALPA is assigned to a device. Each device is identified by its port world wide name (pWWN). When
a device is allocated an ALPA, an entry for that device is automatically created in the ALPA cache.

A cache contains entries for recently allocated ALPA values. These caches are maintained on various TL
ports. If a device already has an ALPA, the Cisco NX-OS software attempts to allocate the same ALPA
to the device each time. The ALPA cache is maintained in persistent storage and saves information across
switch reboots. The maximum cache size is 1000 entries. If the cache is full, and a new ALPA is
allocated, the Cisco NX-OS software discards an inactive cache entry (if available) to make space for
the new entry. See the TL Port section on page 20-5 for more information on TL ports.
Refer to the Cisco MDS 9000 Family CLI Configuration Guide to manage the TL Port ALPA cache.

Buffer Credits
Fibre Channel interfaces use buffer credits to ensure all packets are delivered to their destination. This
section describes the different buffer credits available on the Cisco MDS Family switches and includes
the following topics:
• About Buffer-to-Buffer Credits
• Configuring Buffer-to-Buffer Credits
• About Performance Buffers
• Configuring Performance Buffers
• About Extended BB_credits
• Configuring Extended BB_credits

About Buffer-to-Buffer Credits


Buffer-to-buffer credits (BB_credits) are a flow control mechanism to ensure that FC switches do not
run out of buffers, because switches must not drop frames. BB_credits are negotiated on a per-hop basis.
The receive BB_credit (fcrxbbcredit) value may be configured for each FC interface. In most cases, you
do not need to modify the default configuration.
The receive BB_credit values depend on the module type and the port mode, as follows:
• For 16-port switching modules and full rate ports, the default value is 16 for Fx mode and 255 for E or
  TE modes. The maximum value is 255 in all modes. This value can be changed as required.
• For 32-port switching modules and host-optimized ports, the default value is 12 for Fx, E, and TE modes.
  These values cannot be changed.
• For Generation 2 and Generation 3 switching modules, see the Buffer Pools section on page 22-10.

Note In the Cisco MDS 9100 Series, the groups of ports on the left outlined in white are full line rate. The
other ports are host-optimized. Each group of 4 host-optimized ports has the same features as the
32-port switching module.

Configuring Buffer-to-Buffer Credits


To configure BB_credits for a Fibre Channel interface using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces and then select FC Physical. You see the interface configuration in the
Information pane.
Step 2 Click the BB Credit tab.
You see the buffer credits.
Step 3 Set any of the buffer-to-buffer credits for an interface.
Step 4 Click Apply Changes.

This example shows the output of the do show int fc1/1 command:
intfc1/1 is up
...
16 receive B2B credit remaining
3 transmit B2B credit remaining

About Performance Buffers

Note Performance buffers are not supported on the Cisco MDS 9124 Fabric Switch, the Cisco Fabric Switch
for HP c-Class BladeSystem, and the Cisco Fabric Switch for IBM BladeCenter.

Regardless of the configured receive BB_credit value, additional buffers, called performance buffers,
improve switch port performance. Instead of relying on the built-in switch algorithm, you can manually
configure the performance buffer value for specific applications (for example, forwarding frames over
FCIP interfaces).
For each physical Fibre Channel interface in any switch in the Cisco MDS 9000 Family, you can specify
the amount of performance buffers allocated in addition to the configured receive BB_credit value.
The default performance buffer value is 0. If you set the performance buffer value to 0, the built-in
algorithm is used. If you do not specify the performance buffer value, 0 is automatically used.

Configuring Performance Buffers


To configure performance buffers for a Fibre Channel interface using Fabric Manager, follow these
steps:

Step 1 Expand Switches > Interfaces and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the BB Credit tab.
You see performance buffer information in the columns Perf Bufs Admin and Perf Bufs Oper.
Step 3 Set the performance buffers for an interface.
Step 4 Click Apply Changes.

About Extended BB_credits


You can use the extended BB_credits flow control mechanism in addition to BB_credits for long haul
links.
This section includes the following topics:
• Extended BB_credits on Generation 1 Switching Modules
• Extended BB_credits on Generation 2 and Generation 3 Switching Modules

Extended BB_credits on Generation 1 Switching Modules


The BB_credits feature allows you to configure up to 255 receive buffers on Generation 1 switching
modules. To facilitate BB_credits for long haul links, you can configure up to 3,500 receive BB_credits
on a Fibre Channel port on a Generation 1 switching module.
To use this feature on Generation 1 switching modules, you must meet the following requirements:
• Obtain the ENTERPRISE_PKG license (see Chapter 10, Obtaining and Installing Licenses).
• Configure this feature in any port of the full-rate 4-port group in either the Cisco MDS 9216i Switch
  or in the MPS-14/2 module (see Figure 20-13).

Figure 20-13 Port Group Support for the Extended BB_Credits Feature

[Figure not reproduced. Labels: Fibre Channel ports 1 through 14 and Gigabit Ethernet ports 1 and 2;
Group 1, Group 2, Group 3; extended credits not supported.]

  The port groups that support extended credit configurations are as follows:
  – Any one port in ports 1 to 4 (identified as Group 1 in Figure 20-2).
  – Any one port in ports 5 to 8 (identified as Group 2 in Figure 20-2).
  – Any one port in ports 9 to 12 (identified as Group 3 in Figure 20-2).

  Note The last two Fibre Channel ports (port 13 and port 14) and the two Gigabit Ethernet ports
  do not support the extended BB_credits feature (see Figure 20-2).

• Explicitly enable this feature in the required Cisco MDS switch.
• Disable the remaining three ports in the 4-port group if you need to assign more than 2,400
  BB_credits to the first port in the port group.
  – If you assign less than 2,400 extended BB_credits to any one port in a port group, the remaining
    three ports in that port group can retain up to 255 BB_credits based on the port mode.

    Note The receive BB_credit value for the remaining three ports depends on the port mode.
    The default value is 16 for the Fx mode and 255 for E or TE modes. The maximum value
    is 255 in all modes. This value can be changed as required without exceeding the
    maximum value of 255 BB_credits.

  – If you assign more than 2,400 (up to a maximum of 3,500) extended BB_credits to the port in
    a port group, you must disable the other three ports.
• Be aware that changing the BB_credit value results in the port being disabled and then reenabled.
• Disable (explicitly) this feature if you need to nondisruptively downgrade to Cisco SAN-OS Release
  1.3 or earlier. When you disable this feature, the existing extended BB_credit configuration is
  completely erased.

Note The extended BB_credit configuration takes precedence over the receive BB_credit and performance
buffer configurations.
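
The Generation 1 port-group rules above can be checked against a planned configuration before it is applied. The following Python check is an added example, not code from Cisco or Fabric Manager; the PortPlan structure, the function names, and the sample plans are assumptions made for illustration, and ports left out of a plan are assumed to be shut down (the Table 20-7 default).

```python
from dataclasses import dataclass

# Limits taken from the Generation 1 requirements above (MPS-14/2, MDS 9216i).
PORT_GROUPS = {1: range(1, 5), 2: range(5, 9), 3: range(9, 13)}
MAX_EXTENDED = 3500       # most extended receive BB_credits one port may hold
DISABLE_ABOVE = 2400      # above this, the other three ports must be disabled
MAX_RX_BB_CREDIT = 255    # ceiling for the ordinary receive BB_credit


@dataclass
class PortPlan:
    """Planned settings for one Fibre Channel port (hypothetical structure)."""
    port: int                     # port number on the module, 1 to 14
    enabled: bool = True          # planned administrative state
    rx_bb_credit: int = 16        # ordinary receive BB_credit
    extended_bb_credit: int = 0   # 0 means extended credits are not configured


def group_of(port):
    """Return the 4-port group number for a port, or None for ports 13 and 14."""
    for group, ports in PORT_GROUPS.items():
        if port in ports:
            return group
    return None


def validate(plans):
    """Return a list of rule violations; an empty list means the plan is acceptable.

    Ports missing from the plan are assumed to be shut down, which is the
    default administrative state listed in Table 20-7.
    """
    errors = []
    by_port = {p.port: p for p in plans}
    owners = {}  # group number -> plans that request extended credits
    for p in plans:
        if p.rx_bb_credit > MAX_RX_BB_CREDIT:
            errors.append(f"port {p.port}: receive BB_credit {p.rx_bb_credit} "
                          f"exceeds {MAX_RX_BB_CREDIT}")
        if p.extended_bb_credit <= 0:
            continue
        group = group_of(p.port)
        if group is None:
            errors.append(f"port {p.port}: extended BB_credits are not supported "
                          "outside ports 1 to 12")
            continue
        if p.extended_bb_credit > MAX_EXTENDED:
            errors.append(f"port {p.port}: {p.extended_bb_credit} extended "
                          f"BB_credits exceeds {MAX_EXTENDED}")
        owners.setdefault(group, []).append(p)

    for group, requesting in sorted(owners.items()):
        if len(requesting) > 1:
            ports = ", ".join(str(p.port) for p in requesting)
            errors.append(f"group {group}: only one port may use extended "
                          f"BB_credits, requested on ports {ports}")
            continue
        owner = requesting[0]
        if owner.extended_bb_credit <= DISABLE_ABOVE:
            continue  # neighbours may stay up with at most 255 BB_credits
        for number in PORT_GROUPS[group]:
            neighbour = by_port.get(number)
            if number != owner.port and neighbour and neighbour.enabled:
                errors.append(f"port {number}: must be disabled because port "
                              f"{owner.port} holds more than {DISABLE_ABOVE} "
                              "extended BB_credits")
    return errors


# Constructed sample plans, not taken from a real switch.
LONG_HAUL_OK = [PortPlan(1, extended_bb_credit=3500),
                PortPlan(2, enabled=False), PortPlan(3, enabled=False),
                PortPlan(4, enabled=False)]
LONG_HAUL_BAD = [PortPlan(5, extended_bb_credit=3000),
                 PortPlan(6, rx_bb_credit=255),
                 PortPlan(13, extended_bb_credit=500)]

if __name__ == "__main__":
    for name, plan in (("ok", LONG_HAUL_OK), ("bad", LONG_HAUL_BAD)):
        print(name, validate(plan) or "no violations")
```
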

Extended BB_credits on Generation 2 and Generation 3 Switching Modules


To use this feature on Generation 2 or Generation 3 switching modules, you must meet the following
requirements:
• You see the interface configuration in the Information pane (see Figure 20-14).
• Obtain the Enterprise package (ENTERPRISE_PKG) license (see Chapter 10, Obtaining and
  Installing Licenses).
• Configure this feature in any port on a Generation 2 switch module. See the Extended BB_Credits
  section on page 22-23 for more information on extended BB_credits on Generation 2 switching
  modules.

Note Extended BB_credits are not supported on the Cisco MDS 9124 Fabric Switch.

Configuring Extended BB_credits


To configure extended BB_credits for an MPS-14/2 interface, for a Generation 2 switching module
interface, or for an interface in a Cisco MDS 9216i switch using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces and then select FC Physical. You see the interface configuration in the
Information pane.
Step 2 Click the BB Credit tab.
Step 3 In the Extended column, set the extended BB_credits for the selected interface.
Step 4 Click Apply Changes.

Management Interfaces
You can remotely configure the switch through the management interface (mgmt0). To configure a
connection on the mgmt0 interface, you must configure either the IP version 4 (IPv4) parameters (IP
address, subnet mask, and default gateway) or the IP version 6 (IPv6) parameters so that the switch is
reachable.
This section describes the management interfaces and includes the following topics:

• About Management Interfaces
• Configuring Management Interfaces

About Management Interfaces


Before you begin to configure the management interface manually, obtain the switch's IPv4 address and
subnet mask, or the IPv6 address.
The management port (mgmt0) is autosensing and operates in full-duplex mode at a speed of
10/100/1000 Mbps. Autosensing supports both the speed and the duplex mode. On a Supervisor-1
module, the default speed is 100 Mbps and the default duplex mode is auto. On a Supervisor-2 module,
the default speed is auto and the default duplex mode is auto.

Note You need to explicitly configure a default gateway to connect to the switch and send IP packets or add a
route for each subnet.

Configuring Management Interfaces


To configure the mgmt0 Ethernet interface using Fabric Manager, follow these steps:

Step 1 Select a VSAN in the Logical Domains pane.


Step 2 Expand Switches > Interfaces and then select Management.
You see the interface configuration in the Information pane.
Step 3 Click the General tab.
Step 4 Set the IP Address/Mask field.
Step 5 Set Admin to up.
Step 6 (Optional) Set other configuration parameters using the other tabs.
Step 7 Click Apply Changes.

VSAN Interfaces
VSANs apply to Fibre Channel fabrics and enable you to configure multiple isolated SAN topologies
within the same physical infrastructure. You can create an IP interface on top of a VSAN and then use
this interface to send frames to this VSAN. To use this feature, you must configure the IP address for
this VSAN. VSAN interfaces cannot be created for nonexisting VSANs.
This section describes VSAN interfaces and includes the following topics:
• About VSAN Interfaces
• Creating VSAN Interfaces

About VSAN Interfaces


Follow these guidelines when creating or deleting VSAN interfaces:
• Create a VSAN before creating the interface for that VSAN. If a VSAN does not exist, the interface
  cannot be created.
• Create the interface VSAN; it is not created automatically.
• If you delete the VSAN, the attached interface is automatically deleted.
• Configure each interface only in one VSAN.

Tip After configuring the VSAN interface, you can configure an IP address or Virtual Router Redundancy
Protocol (VRRP) feature (see Chapter 51, Configuring IP Services).

Creating VSAN Interfaces


To create a VSAN interface using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces and then select Management.

Figure 20-14 General Management Tab

Step 2 Click Create Row.


You see the Create Interface dialog box (see Figure 20-15).

Figure 20-15 Create Interface Dialog Box

Step 3 Select the switch and VSAN ID for which you want to configure a VSAN interface.

Note You can only create a VSAN interface for an existing VSAN. If the VSAN does not exist, you
cannot create a VSAN interface for it.

Step 4 Set IPAddress/Mask to the IP address and subnet mask for the new VSAN interface.
Step 5 Click Create to create the VSAN interface or click Close to close the dialog box without creating the
VSAN interface.

Default Settings
Table 20-7 lists the default settings for interface parameters.

Table 20-7 Default Interface Parameters

Parameters                     | Default
Interface mode                 | Auto
Interface speed                | Auto
Administrative state           | Shutdown (unless changed during initial setup)
Trunk mode                     | On (unless changed during initial setup) on non-NPV and NPIV core switches. Off on NPV switches.
Trunk-allowed VSANs or VF-IDs  | 1 to 4093
Interface VSAN                 | Default VSAN (1)
Beacon mode                    | Off (disabled)
EISL encapsulation             | Disabled
Data field size                | 2112 bytes


CHAPTER 21
Configuring N Port Virtualization

N port virtualization (NPV) reduces the number of Fibre Channel domain IDs in SANs. Switches
operating in the NPV mode do not join a fabric. They pass traffic between NPV core switch links and
end devices, which eliminates the domain IDs for these edge switches.
NPV is supported by the following Cisco MDS 9000 switches and Cisco Nexus 5000 Series switches
only:
• Cisco MDS 9124 Multilayer Fabric Switch
• Cisco MDS 9134 Fabric Switch
• Cisco Fabric Switch for HP c-Class BladeSystem
• Cisco Fabric Switch for IBM BladeCenter
• Cisco Nexus 5000 Series switches

Note NPV is available on these switches only while in NPV mode; if in switch mode, NPV is not available.

This chapter includes the following sections:


• About NPV
• NPV Guidelines and Requirements
• Configuring NPV
• Using the NPV Setup Wizard

About NPV
Typically, Fibre Channel networks are deployed using a core-edge model with a large number of fabric
switches connected to core devices. However, as the number of ports in the fabric increases, the number
of switches deployed also increases, and you can end up with a dramatic increase in the number of
domain IDs (the maximum number supported is 239). This challenge becomes even more difficult when
additional blade chassis are deployed in Fibre Channel networks.

NPV addresses the increase in the number of domain IDs needed to deploy a large number of the ports
by making a fabric or module switch appear as a host to the core Fibre Channel switch, and as a Fibre
Channel switch to the servers in the fabric or blade switch. NPV aggregates multiple locally connected
N ports into one or more external NP links, which shares the domain ID of the NPV core switch among
multiple NPV switches (see Figure 21-1). NPV also allows multiple devices to attach to the same port
on the NPV core switch, thereby reducing the need for more ports on the core.

Figure 21-1 Cisco NPV Fabric Configuration

[Figure not reproduced. Labels: NPV-core switch (MDS or third-party switch with NPIV support), F-port,
NP-port, VSAN 5, VSAN 10, VSAN 15; "NPV device uses the same domains as the NPV-core switches";
"Can have multiple uplinks on different VSANs"; "Up to 100 NPV switches"; Cisco Fabric Switch for
HP c-Class BladeSystem, Cisco Fabric Switch for IBM BladeCenter in a blade chassis; Blade Server 1
through Blade Server n, target, initiator (no FL ports).]

While NPV is similar to N port identifier virtualization (NPIV), it does not offer exactly the same
functionality. NPIV provides a means to assign multiple FC IDs to a single N port, and allows multiple
applications on the N port to use different identifiers. NPIV also allows access control, zoning, and port
security to be implemented at the application level. NPV makes use of NPIV to get multiple FCIDs
allocated from the core switch on the NP port.
Figure 21-2 shows a more granular view of an NPV configuration at the interface level.

Figure 21-2 Cisco NPV Configuration - Interface View

[Figure not reproduced. Labels: NPV device (two shown), N-Port, F-Port, NP-Port, F-Port, NPV core
switch, NPIV enable.]

NPV Mode
A switch is in NPV mode after a user has enabled NPV and the switch has successfully rebooted. NPV
mode applies to an entire switch. All end devices connected to a switch that is in NPV mode must log in
as an N port to use this feature (loop-attached devices are not supported). All links from the edge
switches (in NPV mode) to the NPV core switches are established as NP ports, not as the E ports that
are used for typical interswitch links. NPIV is used by the switches in NPV mode to log in multiple end
devices that share a link to the NPV core switch.

Note In-order data delivery is not required in NPV mode because the exchange between two end devices
always takes the same uplink to the core from the NPV device. For traffic beyond the NPV device, core
switches will enforce in-order delivery if needed and/or configured.

NP Ports
An NP port (proxy N port) is a port on a device that is in NPV mode and connected to the NPV core
switch using an F port. NP ports behave like N ports except that in addition to providing N port behavior,
they also function as proxies for multiple, physical N ports.

NP Links
An NP link is basically an NPIV uplink to a specific end device. NP links are established when the uplink
to the NPV core switch comes up; the links are terminated when the uplink goes down. Once the uplink
is established, the NPV switch performs an internal FLOGI to the NPV core switch, and then (if the
FLOGI is successful) registers itself with the NPV core switch's name server. Subsequent FLOGIs from
end devices in this NP link are converted to FDISCs. For more details refer to the Internal FLOGI
Parameters section on page 21-3.
Server links are uniformly distributed across the NP links. All the end devices behind a server link will
be mapped to only one NP link.

Internal FLOGI Parameters


When an NP port comes up, the NPV device first logs itself in to the NPV core switch and sends a FLOGI
request that includes the following parameters:
• The fWWN (fabric port WWN) of the NP port used as the pWWN in the internal login.
• The VSAN-based sWWN (switch WWN) of the NPV device used as nWWN (node WWN) in the
  internal FLOGI.
After completing its FLOGI request, the NPV device registers itself with the fabric name server using
the following additional parameters:
• Switch name and interface name (for example, fc1/4) of the NP port is embedded in the symbolic
  port name in the name server registration of the NPV device itself.
• The IP address of the NPV device is registered as the IP address in the name server registration of
  the NPV device.

Note The BB_SCN of internal FLOGIs on NP ports is always set to zero. The BB_SCN is supported at the
F-port of the NPV device.

Figure 21-3 shows the internal FLOGI flows between an NPV core switch and an NPV device.

Figure 21-3 Internal FLOGI Flows

[Figure not reproduced. Labels: NPV core switch, fc 5/10, fwwn, fc 1/5, pwwn, nwwn, NPV device.]

Table 21-1 identifies the internal FLOGI parameters that appear in Figure 21-3.

Table 21-1 Internal FLOGI Parameters

Parameter          | Derived From
pWWN               | The fWWN of the NP port.
nWWN               | The VSAN-based sWWN of the NPV device.
fWWN               | The fWWN of the F port on the NPV core switch.
symbolic port name | The switch name and NP port interface string. Note: If there is no switch name available, then the output will display "switch". For example, switch: fc1/5.
IP address         | The IP address of the NPV device.
symbolic node name | The NPV switch name.

Although fWWN-based zoning is supported for NPV devices, it is not recommended because:
• Zoning is not enforced at the NPV device (rather, it is enforced on the NPV core switch).
• Multiple devices behind an NPV device log in via the same F port on the core (they use the same
  fWWN and cannot be separated into different zones).
• The same device might log in using different fWWNs on the core switch (depending on the NPV
  link it uses) and may need to be zoned using different fWWNs.

Default Port Numbers


Port numbers on NPV-enabled switches will vary depending on the switch model. For details about port
numbers for NPV-eligible switches, see Chapter 11, On-Demand Port Activation Licensing.

NPV CFS Distribution over IP


NPV devices use only IP as the transport medium. CFS uses multicast forwarding for CFS distribution.
NPV devices do not have ISL connectivity or an FC domain. To use CFS over IP, multicast forwarding has
to be enabled on the Ethernet IP switches all along the network that physically connects the NPV switch.
You can also manually configure the static IP peers for CFS distribution over IP on NPV-enabled
switches. For more information, see the Configuring Static IP Peers for CFS over IP section on
page 7-17.

NPV Traffic Management


This section discusses the following aspects of load balancing:
• Auto
• Traffic Map
• Disruptive

Auto
Before Cisco MDS SAN-OS Release 3.3(1a), NPV supported automatic selection of external links.
When a server interface is brought up, an external interface with the minimum load is selected from the
available links. There is no manual selection on the server interfaces using the external links. Also, when
a new external interface was brought up, the existing load was not distributed automatically to the newly
available external interface. This newly brought up interface is used only by the server interfaces that
come up after this interface.

Traffic Map
As of Cisco MDS SAN-OS Release 3.3(1a) and NX-OS Release 4.1(1a), NPV supports traffic
management by allowing you to select and configure the external interfaces that the server uses to
connect to the core switches.

Note When the NPV traffic management is configured, the server uses only the configured external interfaces.
Any other available external interface will not be used.

The NPV traffic management feature provides the following benefits:
• Facilitates traffic engineering by providing dedicated external interfaces for the servers connected
  to NPV.
• Uses the shortest path by selecting external interfaces per server interface.
• Uses the persistent FC ID feature by providing the same traffic path after a link break, or reboot of
  the NPV or core switch.
• Balances the load by allowing the user to evenly distribute the load across external interfaces.

Disruptive
Disruptive load balance works independently of automatic selection of interfaces and of a configured
traffic map of external interfaces. This feature forces re-initialization of the server interfaces to achieve
load balance when this feature is enabled and whenever a new external interface comes up. To avoid
flapping the server interfaces more often than necessary, enable this feature once and then disable it
when the needed load balance is achieved.
If disruptive load balance is not enabled, you need to manually flap the server interface to move some
of the load to a new external interface.
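
The three behaviors described above (automatic selection, traffic map, and disruptive load balance) can be compared side by side in a small model. This Python example is added here and is not Cisco's algorithm or code; it assumes that load means the number of server interfaces mapped to an external interface, that ties go to the lowest interface name, and that a disruptive rebalance re-initializes every mapped server interface. The class, function, and interface names are hypothetical.

```python
class NpvDevice:
    """Toy model of how an NPV device maps server interfaces to external interfaces."""

    def __init__(self, disruptive=False):
        self.disruptive = disruptive   # is disruptive load balance enabled?
        self.uplinks = set()           # external (NP) interfaces that are up
        self.traffic_map = {}          # server interface -> allowed external interfaces
        self.assigned = {}             # server interface -> external interface in use
        self.reinits = 0               # server interfaces re-initialized so far

    def load(self):
        """Number of server interfaces currently mapped to each external interface."""
        counts = {u: 0 for u in sorted(self.uplinks)}
        for uplink in self.assigned.values():
            counts[uplink] += 1
        return counts

    def _pick(self, server):
        allowed = self.traffic_map.get(server)
        # With a traffic map the server may use only the configured interfaces,
        # even when none of them is up and other external interfaces are.
        candidates = self.uplinks if allowed is None else self.uplinks & allowed
        if not candidates:
            return None
        counts = self.load()
        # Minimum load wins; the interface name is an assumed tie-breaker.
        return min(candidates, key=lambda u: (counts[u], u))

    def server_up(self, server):
        """Bring up a server interface; return its external interface or None."""
        uplink = self._pick(server)
        if uplink is not None:
            self.assigned[server] = uplink
        return uplink

    def external_up(self, uplink):
        """Bring up an external interface, rebalancing only in disruptive mode."""
        self.uplinks.add(uplink)
        if self.disruptive and self.assigned:
            servers = sorted(self.assigned)
            self.assigned.clear()
            self.reinits += len(servers)   # each one flaps and logs in again
            for server in servers:
                self.server_up(server)


def run_scenario(disruptive):
    """Constructed scenario: two uplinks, four servers, then a third uplink."""
    npv = NpvDevice(disruptive=disruptive)
    for uplink in ("fc1/1", "fc1/2"):
        npv.external_up(uplink)
    for server in ("fc1/5", "fc1/6", "fc1/7", "fc1/8"):
        npv.server_up(server)
    npv.external_up("fc1/3")                 # new external interface comes up
    load_after_new_uplink = npv.load()
    late_server = npv.server_up("fc1/9")     # server that comes up afterwards
    npv.traffic_map["fc1/10"] = {"fc1/4"}    # mapped to an uplink that is down
    pinned_server = npv.server_up("fc1/10")
    return load_after_new_uplink, late_server, pinned_server, npv.reinits


if __name__ == "__main__":
    for mode in (False, True):
        print("disruptive" if mode else "auto", run_scenario(mode))
```

In the non-disruptive run the new external interface stays idle until a later server interface comes up, while the disruptive run spreads the existing load at the cost of re-initializing four server interfaces.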

Multiple VSAN Support


By grouping devices into different NPV sessions based on VSANs, it is possible to support multiple
VSANs on the NPV-enabled switch. The correct uplink must be selected based on the VSAN that the
uplink is carrying.

NPV Guidelines and Requirements


Following are recommended guidelines and requirements when deploying NPV:
• NPV core switches must support NPIV.
• You can have up to 100 NPV devices.
• Nondisruptive upgrades are supported. See Chapter 15, Software Images.
• Port tracking is supported. See Chapter 65, Configuring Port Tracking.
• You can configure zoning for end devices that are connected to NPV devices using all available
  member types on the NPV core switch. If fWWN, sWWN, domain, or port-based zoning is used,
  then fWWN, sWWN or the domain/port of the NPV core switch should be used.
• Port security is supported on the NPV core switch for devices logged in via NPV.
• NPV uses a load balancing algorithm to automatically assign end devices in a VSAN to one of the
  NPV core switch links (in the same VSAN) upon initial login. If there are multiple NPV core switch
  links in the same VSAN, then you cannot assign a specific one to an end device.
• Both servers and targets can be connected to an NPV device.
• Remote SPAN is not supported.
• Local switching is not supported; all traffic is switched using the NPV core switch.
• NPV devices can connect to multiple NPV core switches. In other words, different NP ports can be
  connected to different NPV core switches.
• NPV supports NPIV-capable module servers (nested NPIV).
• Only F, NP, and SD ports are supported in NPV mode.
• In the case of servers that are booted over the SAN with NPV, if an NPV link failover occurs, servers
  will lose access to their boot LUN temporarily.
• NPV switches do not recognize the BB_SCN configuration on the xNP ports because of
  interoperability issues with the third-party core switches.

NPV Traffic Management Guidelines


When deploying NPV traffic management, follow these guidelines:
• Use NPV traffic management only when the automatic traffic engineering by the NPV device is not
  sufficient for the network requirements.
• Do not configure traffic maps for all the servers. For non-configured servers, NPV will use
  automatic traffic engineering.
• Configure the Persistent FC ID on the core switch. Traffic engineering directs the associated server
  interface to external interfaces that lead to the same core switch. The server will be assigned the
  same FC ID for every log in. This guideline is not applicable if a 91x4 switch is used as the core
  switch.
• Server interfaces configured to a set of external interfaces cannot use any other available external
  interfaces, even if the configured interfaces are not available.
• Do not configure disruptive load balancing because this involves moving a device from one external
  interface to another interface. Moving the device between external interfaces requires NPV relogin
  to the core switch through F port leading to traffic disruption.
• Link a set of servers to a core switch by configuring the server to a set of external interfaces that are
  linked to the core switch.

Configuring NPV
When you enable NPV, the system configuration is erased and the system reboots with the NPV mode
enabled.

Note We recommend that you save the current configuration either on bootflash or a TFTP server before
enabling NPV (if the configuration is required for later use). Use the following commands to save either
your non-NPV or NPV configuration:

switch# copy running bootflash:filename

The configuration can be reapplied later using the following command:

switch# copy bootflash:filename running-config

SUMMARY STEPS

1. Enable NPIV on the NPV core switch. Enable NPV on the NPV device.
2. Configure the interfaces connected to the NPV core switch as NP ports. Configure the port VSAN
for the NP ports.
3. Configure NPV link as an F port on the NPV core switch. Configure the port VSAN for the F ports.
4. Configure server link on the NPV device.

Note On the 91x4 platform, before you upgrade to 3.2(2c) or downgrade from 3.2(2c), shut the F ports
connected to NPIV-capable hosts, and then disable the NPIV feature. After the upgrade or
downgrade is complete, enable the NPIV feature and then bring up the F ports.


On the 91x4 platform, before you downgrade from 3.2(2c) to earlier versions, shut the F port, enable
and disable the FC domain persistency for that VSAN, and then bring up the F port.

To use Fabric Manager and Device Manager to configure NPV, follow these steps:

Step 1 Launch Device Manager from the core NPV switch to enable NPIV on the core NPV switch. From the
Admin drop-down menu, select Feature Control. Select enable for the NPIV feature (see Figure 21-4).

Figure 21-4 Enabling NPIV and NPV

Step 2 Click Apply.


Step 3 From the Interface drop-down menu, select FC All to configure the NPIV core switch port as an F Port.
Step 4 In the Mode Admin column, select the F port mode and click Apply.
Step 5 Launch Device Manager from the NPV device to enable NPV on the NPV device. From the Admin
drop-down menu, select Feature Control. Select enable for the NPV feature and click Apply.
Step 6 From the Interface drop-down menu, select FC All to configure the external interfaces on the NPV
device.
Step 7 In the Mode Admin column, select the NP port mode and click Apply.
Step 8 From the Interface drop-down menu, select FC All to configure the server interfaces on the NPV device.
Step 9 In the Mode Admin column, select F port mode and click Apply.
Step 10 The default Admin status is down. After configuring port modes, you must select up Admin Status to
bring up the links.


Configuring NPV Traffic Management


The NPV traffic management feature is enabled after configuring NPV. Configuring NPV traffic
management involves configuring a list of external interfaces to the servers, and enabling or disabling
disruptive load balancing.

Configuring List of External Interfaces per Server Interface


A list of external interfaces is linked to a server interface when that server interface is down, or if the
specified external interface list includes the external interface already in use.
To configure the list of external interfaces per server interface using Fabric Manager, perform the
following tasks:

Step 1 Choose Physical Attributes > Switches > N_Port Virtualizer (NPV) as shown in Figure 21-5.


Figure 21-5 NPV Traffic Map Tab

Step 2 Click the Traffic Map tab.


Step 3 Click the icon in the toolbar or right click and then select Create Row....


Step 4 Select the Switch from the drop-down list as shown in Figure 21-6.

Figure 21-6 Map Entry Dialog Box

Step 5 Type the port numbers or click the [...] button (not available on blade server switches) to select the Server
Interface and External Interfaces from the port selection dialog box as shown in Figure 21-7.

Figure 21-7 Port Selection Dialog Box

Note You can select only one Server Interface but multiple External Interfaces can be mapped on to
it. Previously selected ports are disabled and cannot be selected.

To delete the map entry, select the row from the Traffic Map tab, and then click the icon in the
toolbar or right click and select Delete Row.

Enabling or Disabling the Global Policy for Disruptive Load Balancing


Disruptive load balancing allows you to review the load on all the external interfaces and balance the
load disruptively. Disruptive load balancing is done by moving servers from heavily loaded external
interfaces to external interfaces that carry less load.
To enable disruptive load balancing using Fabric Manager, perform the following tasks:

Step 1 Choose Physical Attributes > Switches > N_Port Virtualizer (NPV) as shown in Figure 21-8.
Step 2 Click the Load Balance tab.
Step 3 Check the Enable checkbox to enable disruptive load balancing on the switch.


To enable disruptive load balancing on all the switches, check the Enable All check box as shown in
Figure 21-8.

Figure 21-8 NPV Load Balance Tab

Using the NPV Setup Wizard

Note For Cisco Nexus 5000 Series switches, you must first enable the NPV mode for the switch by choosing
Switches > N_Port Virtualization (NPV) in the Physical Attributes pane, and then use the NPV wizard
to configure other NPV-related settings on the switch.


To configure NPV using the wizard, follow these steps:

Step 1 Select Tools > NPV > NPV Setup... to launch NPV Setup Wizard from Fabric Manager.
(See Figure 21-9.)

Figure 21-9 Launching NPV Setup Wizard

Before the wizard starts, Fabric Manager checks whether there are any NPV- and NPIV-capable switches in
the client's SAN. An NPV-capable switch has to be a Cisco MDS 9124, 9134, a Cisco Nexus 5000 Series
switch, an HP Blade Server, or an IBM Blade Server with SAN-OS version 3.2.2 and later. An
NPIV-capable switch has to be a Cisco switch with SAN-OS 3.0.1 and later. If there are no NPV-capable
switches, Fabric Manager displays an error message. (See Figure 21-10.)


Figure 21-10 Error in Launching


Step 2 Select the NPV devices as shown in Figure 21-11.

Figure 21-11 Selecting the NPV Devices

A table lists all the available NPV-capable switches including the switches on which NPV is not yet
enabled. Check the check boxes to select the required NPV devices. On devices that are not NPV
enabled, this wizard will enable NPV on the devices in the final step.


If you choose switches that are NPV disabled and click Next, a warning message appears with a list of
IP addresses of the NPV devices on which NPV will be enabled. Enabling NPV on a switch reboots the
switch. The boot variables of the switches must be set before NPV can be enabled on them through
this wizard. (See Figure 21-12.)

Figure 21-12 Warning to Enable NPV Feature on NPV-Capable Switches


Step 3 Select the NPIV core switches as shown in Figure 21-13.

Figure 21-13 Selecting the NPIV Core Switches

Check the check boxes to select the required NPIV core switches. The table lists all the available NPIV
core switches including the core switches that have not yet enabled the NPIV feature. On NPIV core
switches that are not NPIV enabled, this wizard will enable NPIV in the final step.


Step 4 Create new NPV device and NPIV core switch pairs as required. (See Figure 21-14.)

Figure 21-14 Creating NPV Device and NPIV Core Switch Pairs

Based on selections in the previous steps, the wizard displays all available NPV devices and NPIV core
switches in separate lists. You can select one from each list and click Add or Remove buttons to create
new NPV device and NPIV core switch combinations or pairs.
The NPV wizard checks if there are any NPIV core switches that are already connected to the NPV
devices selected in the previous step. Click the Add Connected Pairs button to add a list of all the
existing pairs that are interconnected, to the Selected table.
The Selected table is then populated with both the existing and the intended pairs. Each NPIV core
switch can be paired with multiple NPV devices.
After Step 6, the wizard prompts you to physically connect the new pairs that are not yet connected.
On the switches that are not paired, the NPV wizard enables the NPV and NPIV modes. However, there
is a possibility that these unpaired switches may be segmented and lose their presence on the fabric.


After you click the Next button in Step 3 of 6, the wizard determines if you have selected all the
connected pairs. A warning message is displayed (see Figure 21-17) that lists all the connected pairs
that you have not selected and warns that they will be segmented after the NPV setup.

Note NPV wizard does not detect ports that are in a channel group and that are not connected by ISLs.
The wizard does not configure any port in a Port Channel Group to F ports on the core switch. Port
channel grouping is not applicable to NPV devices. (See Figure 21-15.)
Remove the port channel groups if you need to select those particular ports as F ports during the
setup. For more information, see the Configuring Port Security section on page 46-1.

Figure 21-15 Port Channel Group Detected


Figure 21-16 Warning, NPV Setup Wizard

Figure 21-17 Warning, NPV Setup Wizard Continued


Step 5 You can configure NPV associated ports either through automated or manual methods.
(See Figure 21-18.)

Figure 21-18 Configuring NPV Associated Ports by the Automatic Method

The Auto Port Selection has two options:


Choosing the first option allows you to convert the existing ISLs to be run as NPV links. If you want
ISLs to take priority, then choose the Convert existing ISLs option.
The wizard discovers ISLs (Up or Down) between the selected switches, that are available at the time of
wizard launch.
Choosing the second option allows the NPV wizard to automatically configure free ports for NPV usage.
In the second option, you can choose up to a maximum of six additional NPV links per NPV device and
core switch pair.
During automatic port selection on the NPV switch, ports are defined as licensed FC ports with
Operational status = Auto and Status Cause = none(2), offline(8), or sfp not present(29), and
Operational Status = TE or E.
Ports on the NPV switch are selected in the following way:


The ISLs are considered in the second method. The selection algorithm spreads out the free port
selections, so that the first port in every four ports is selected, for example, the 1st, 5th, 9th, etc. If after
going through the 1st port in every four ports, you still have not selected enough ports (because the
preferred ports were not free) then move to the second port in every four, for example, the 2nd, 6th, 10th
etc. Different switches have different port preferences.
Ports on the NPIV switch are selected in the following way:
During automatic port selection on the NPIV switch, free ports are defined as ports that are licensed FC
ports and ports that have "Operational status" = Auto and "Status Cause" = none(2), offline(8), or sfp not
present(29). If the ports are found in any other operational state (for example, F, NP, E, or TE), then
they are considered used, except for E and TE ports that are in ISLs connected to NPV device switches
that will be enabled for NPV mode in this wizard session, as they will be considered to be free.
However, these ISL ports will not necessarily be the ports selected by the automatic port selection
algorithm, as they are treated no differently than any other free port. If you want to convert those used
ISL ports, then choose the Convert existing ISLs option first and then run the wizard a second time
choosing Automatic port selection (option 2) to add additional links.
When you choose to configure ports from available ports, the wizard searches for ports that are not
currently participating in NP link configuration. It is possible that all ports can be participating in NP
port configuration. In that case a warning message is displayed. (See Figure 21-19.)

Note In both manual and automatic methods of Configuring NPV associated ports, the ports that are unhealthy
or which are in adminDown state are not considered during port selection.


Figure 21-19 Warning, not Enough Number of Ports

Figure 21-20 Configuring NPV Associated Ports by the Manual Method

Select the Manual method to manually create port pairs (see Figure 21-20.) Click on a satellite switch
and select the NP device port expanded under each of the NPV switches listed. Then select the required
F port on the NPIV core switch and click Add for them to pair.


During manual selection from the list for NPV and NPIV, ports are defined as the licensed FC ports with
"Operational status" = Auto and "Status Cause" = none(2), offline(8), or sfp not present(29) and
"Operational Status" = TE or E.

Note Failed ports with the Auto operational status will not be listed. Failed ports with the E
operational status will be listed and available for NPV configuration.

Based on user selection, the wizard decides which ports are set to NP ports on the NPV device side and
which are F ports on the core switch side to make an NPV connection.

Note Sometimes the Manual selection in step 4 does not show any port when the NPV switch tree is expanded,
because the NPV Wizard filters out ports that are in fail or down status. Only healthy ports are made visible
in the NPV Switch tree. Check your port settings.

Figure 21-21 Message Alert to Connect Port Pair


Step 6 Select a VSAN as shown in Figure 21-22.

Figure 21-22 Selecting a VSAN

From the drop-down list select a VSAN or enter a VSAN ID to specify the VSAN. All selected NPV
devices and NPIV core switches are added to the specified VSAN. All ports on the selected NPV devices
and associated ports on the NPIV core switches are added to the VSAN.


The VSAN configuration is applied in the final step.


Step 7 Map the server interfaces with external interfaces for disruptive load balancing as shown in
Figure 21-23.

Figure 21-23 Mapping Server Interfaces with External Interfaces for Load Balancing


To select the NPV devices that need load balancing, click Configure Load Balancing, and then select
the NPV devices for disruptive load balancing as shown in Figure 21-24.

Figure 21-24 Select the NPV Devices for Load Balancing

To set up the traffic management map, select at least one switch of version 4.1(1a) or above, a server
interface, and external interfaces. To add a map entry, follow these steps:
a. Click Add to create a new map row.
b. Double-click the NPV Device cell and select the switch from the drop-down list.
c. Double-click the Server Interface cell and then type the port numbers or click the [...] button (not
available on blade server switches) in the cell to display the port selection dialog box. In the port
selection dialog box, click the numbered buttons to select the ports as shown in Figure 21-25.

Figure 21-25 Select the Interfaces

Note You can select only one Server If port in a row, but multiple External IF ports can be mapped
to it. Previously selected ports are disabled and cannot be selected.

d. Double-click the External Interfaces cell and type the port numbers or click the [...] button (not
available on blade server switches) in the cell to display the port selection dialog box. In the port
selection dialog box, click the numbered buttons to select the ports as shown in Figure 21-25.
To delete an existing map entry, select the row, and then click Delete.
To delete all the existing map entries, click Delete All.


Step 8 Review all the NPV Setup configurations you entered in the earlier steps and click Finish to complete
the setup as shown in Figure 21-26.

Figure 21-26 Completing the NPV Setup

Enable Switch Feature lists the switches, the impending actions against them with reference to features,
and the resultant status.
Set Port Type lists the switches and the ports to be set on the switches to configure NPV associate ports.
Configure VSAN lists the switches and ports to be added to the specified VSAN.
Click >> to expand the panes. Click << to collapse the panes.
A progress bar at the bottom of the window indicates the overall extent of completion of the
configuration tasks. A text message that runs below the progress bar indicates the current task in
progress.
The status cells against each item indicate In progress, Success, and Error states. When a configuration
cannot be applied, the status cell against the task is changed to Error. Click Error to view Details. A
message is displayed in place of the progress bar stating, Cannot apply all configurations, as shown in
Figure 21-27.


Figure 21-27 Error in Applying Configurations and Details

After the completion of all the tasks, a link View NPV Port Connections is displayed in the place of the
progress bar. (See Figure 21-27.)
Click View NPV Port Connections to view the NPV port connections in a table (see Figure 21-29).
Refer to this list to verify the physical connections between NP ports on NPV devices and Auto ports on
NPIV core switches. The physical connections already exist in case of the ISLs and they have to be
verified. In some cases when the physical connections do not exist, they have to be established manually.


Figure 21-28 New NPV Port Pairs


Figure 21-29 New NPV Port Pairs, Details
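
The free-port definition and the "first port in every four" preference described in Step 5 can be modelled in a few lines of Python. This is an added illustration, not Fabric Manager's own code: the Port record, the fixed stride of four for every switch model, and the sample inventory are assumptions (the guide notes that different switches have different port preferences).

```python
from dataclasses import dataclass

# Status Cause values the guide treats as "free" for a port whose
# Operational status is Auto (strings copied from the text above).
FREE_STATUS_CAUSES = frozenset({"none(2)", "offline(8)", "sfp not present(29)"})
ISL_STATES = frozenset({"E", "TE"})
MAX_AUTO_LINKS = 6  # at most six additional NPV links per device/core pair


@dataclass(frozen=True)
class Port:
    """Hypothetical inventory record; field names are assumptions."""
    number: int                       # 1-based port number
    oper_status: str = "Auto"         # Auto, F, NP, E, TE, ...
    status_cause: str = "offline(8)"
    licensed: bool = True
    admin_down: bool = False          # adminDown ports are never considered


def is_free(port, convertible_isls=frozenset()):
    """Apply the guide's definition of a free port.

    convertible_isls holds the numbers of E/TE ports in ISLs that lead to
    NPV devices being enabled in this wizard session; the guide counts
    those as free on the NPIV core switch.
    """
    if not port.licensed or port.admin_down:
        return False
    if port.oper_status == "Auto":
        return port.status_cause in FREE_STATUS_CAUSES
    return port.oper_status in ISL_STATES and port.number in convertible_isls


def preference_order(port_count, stride=4):
    """1st, 5th, 9th, ... then 2nd, 6th, 10th, ... and so on."""
    return [n for first in range(1, stride + 1)
            for n in range(first, port_count + 1, stride)]


def select_ports(ports, wanted, convertible_isls=frozenset(), stride=4):
    """Return (chosen port numbers, shortfall).

    A non-zero shortfall corresponds to the wizard's "not enough ports"
    warning.
    """
    if not 0 <= wanted <= MAX_AUTO_LINKS:
        raise ValueError(f"wanted must be between 0 and {MAX_AUTO_LINKS}")
    by_number = {p.number: p for p in ports}
    chosen = []
    for n in preference_order(max(by_number, default=0), stride):
        if len(chosen) == wanted:
            break
        port = by_number.get(n)
        if port is not None and is_free(port, convertible_isls):
            chosen.append(n)
    return chosen, wanted - len(chosen)


def sample_switch():
    """Constructed 24-port inventory; every value here is made up."""
    overrides = {
        1: Port(1, oper_status="F", status_cause="none(2)"),    # in use
        9: Port(9, licensed=False),                             # unlicensed
        13: Port(13, admin_down=True),                          # adminDown
        21: Port(21, oper_status="TE", status_cause="none(2)"), # existing ISL
    }
    return [overrides.get(n, Port(n)) for n in range(1, 25)]


if __name__ == "__main__":
    print(select_ports(sample_switch(), 4))
    print(select_ports(sample_switch(), 3, convertible_isls={21}))
```

Because the preferred ports 1, 9, 13 and 21 are not free in the sample, the selection falls through to the second port in every four, which is the behaviour the guide describes.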

DPVM Configuration
When NPV is enabled, the following requirements must be met before you configure DPVM on the NPV
core switch:
• You must explicitly configure the WWN of the internal FLOGI in DPVM. If DPVM is configured
on the NPV core switch for an end device that is connected to the NPV device, then that end device
must be configured to be in the same VSAN. Logins from a device connected to an NPV device will
fail if the device is configured to be in a different VSAN. To avoid VSAN mismatches, ensure that
the internal FLOGI VSAN matches the port VSAN of the NP port.
• The first login from an NP port determines the VSAN of that port. If DPVM is configured for this
first login, which is the internal login of the NPV device, then the NPV core switch's VSAN F port
is located in that VSAN. Otherwise, the port VSAN remains unchanged.
For details about DPVM configuration, see Chapter 28, Creating Dynamic VSANs.

NPV and Port Security


Port security is enabled on the NPV core switch on a per interface basis. To enable port security on the
NPV core switch for devices logging in via NPV, you must adhere to the following requirements:
• The internal FLOGI must be in the port security database; in this way, the port on the NPV core
switch will allow communications/links.
• All the end device pWWNs must also be in the port security database.


Once these requirements are met, you can enable port security as you would in any other context. For
details about enabling port security, see Chapter 46, Configuring Port Security.
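
The DPVM and port security requirements above can be checked together before port security is enabled on the core switch. The following Python is an added example, not Cisco tooling: the data model (a per-interface list of permitted pWWNs and a pWWN-to-VSAN DPVM map), the function names, and all sample values are assumptions.

```python
import re
from dataclasses import dataclass, field

WWN_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){7}$")


def norm_wwn(wwn):
    """Lower-case a colon-separated 8-byte WWN; reject anything else."""
    value = wwn.strip().lower()
    if not WWN_RE.match(value):
        raise ValueError(f"not a colon-separated 8-byte WWN: {wwn!r}")
    return value


@dataclass
class NpvLink:
    """Hypothetical description of one NPV link; names are assumptions."""
    core_interface: str   # F port on the NPV core switch
    np_port_vsan: int     # port VSAN of the NP port on the NPV device
    internal_flogi: str   # pWWN the NPV device uses for its internal FLOGI
    end_devices: list = field(default_factory=list)  # pWWNs behind the link


def audit_link(link, port_security_db, dpvm_db):
    """Return a list of (check, pwwn, reason) findings for one NPV link.

    port_security_db: {core interface: iterable of permitted pWWNs}
    dpvm_db:          {pWWN: VSAN} as configured on the NPV core switch
    """
    allowed = {norm_wwn(w) for w in port_security_db.get(link.core_interface, ())}
    dpvm = {norm_wwn(w): vsan for w, vsan in dpvm_db.items()}
    internal = norm_wwn(link.internal_flogi)
    devices = [norm_wwn(w) for w in link.end_devices]
    findings = []

    # Port security: the internal FLOGI and every end device must be listed.
    if internal not in allowed:
        findings.append(("port-security", internal, "internal FLOGI not in database"))
    for pwwn in devices:
        if pwwn not in allowed:
            findings.append(("port-security", pwwn, "end device not in database"))

    if not dpvm:
        return findings  # DPVM is not configured on the core switch

    # DPVM: the internal FLOGI must be configured explicitly, and its VSAN
    # should match the port VSAN of the NP port.
    if internal not in dpvm:
        findings.append(("dpvm", internal, "internal FLOGI not configured"))
    elif dpvm[internal] != link.np_port_vsan:
        findings.append(("dpvm", internal,
                         f"VSAN {dpvm[internal]} differs from NP port VSAN "
                         f"{link.np_port_vsan}"))

    # The first (internal) login fixes the F port VSAN; an end device that
    # DPVM places in another VSAN will fail to log in.
    f_port_vsan = dpvm.get(internal, link.np_port_vsan)
    for pwwn in devices:
        if pwwn in dpvm and dpvm[pwwn] != f_port_vsan:
            findings.append(("dpvm", pwwn,
                             f"VSAN {dpvm[pwwn]} differs from F port VSAN "
                             f"{f_port_vsan}; login will fail"))
    return findings


# Constructed sample data: interface name, VSANs and WWNs are made up.
SAMPLE_LINK = NpvLink(
    core_interface="fc1/5",
    np_port_vsan=10,
    internal_flogi="20:01:00:11:22:33:44:55",
    end_devices=["21:00:00:aa:bb:cc:dd:01", "21:00:00:aa:bb:cc:dd:02"],
)
SAMPLE_PORT_SECURITY = {
    "fc1/5": ["20:01:00:11:22:33:44:55", "21:00:00:AA:BB:CC:DD:01"],
}
SAMPLE_DPVM = {
    "20:01:00:11:22:33:44:55": 10,
    "21:00:00:aa:bb:cc:dd:01": 20,
}

if __name__ == "__main__":
    for check, pwwn, reason in audit_link(SAMPLE_LINK, SAMPLE_PORT_SECURITY,
                                          SAMPLE_DPVM):
        print(f"{check:13} {pwwn}  {reason}")
```

In the sample, the second end device is missing from the port security database and the first is placed by DPVM in a VSAN other than the one the internal FLOGI established, so both would be rejected at login.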


CHAPTER 22
Configuring Generation 2 and Generation 3 Switching Modules

Cisco MDS 9000 Family hardware modules and switches are categorized into generations based on the
time of introduction, capabilities, features, and compatibilities:
• Generation 1: Modules and switches with a maximum port speed of 2 Gbps.
• Generation 2: Modules and switches with a maximum port speed of 4 Gbps.
• Generation 3: Modules and switches with a maximum port speed of 8 Gbps.
This chapter describes how to configure these modules and switches, and includes the following sections:
• About Generations of Modules and Switches
• Port Groups and Port Rate Modes
• Buffer Credit Allocation
• Combining Generation 1, Generation 2, and Generation 3 Modules
• Configuring Module Interface Shared Resources
• Displaying SFP Diagnostic Information
• Default Settings

About Generations of Modules and Switches


In addition to supporting Generation 2 modules, the Cisco MDS 9500 Series Switches and the Cisco
MDS 9222i Switch support another set of modules called Generation 3 modules. Similar to Generation
2, each Generation 3 module can have one or more ports in port groups that share common resources
such as bandwidth and buffer credits.
Generation 3 Fibre Channel modules are supported on the Cisco MDS 9506 and 9509 switches with
Supervisor-2 modules, and on the MDS 9513 Director with Fabric 2 modules. The MDS 9222i switch
supports the 4/44-port Host-Optimized Fibre Channel Switching module. MDS NX-OS Release 4.1(1)
is required to support the Generation 3 modules.


Table 22-1 identifies the modules supported by the Cisco MDS 9500 Series switches and Cisco MDS
9216A and Cisco MDS 9216i switches, as well as the Fabric switches.

Table 22-1 Fibre Channel Modules and Fabric Switches

Part Number       Product Name/Description

Generation 3 Modules
DS-X9248-96K9     48-port 8-Gbps Fibre Channel switching module
DS-X9224-96K9     24-port 8-Gbps Fibre Channel switching module
DS-X9248-48K9     4/44-port 8-Gbps Host-Optimized Fibre Channel switching module
DS-13SLT-FAB2     Fabric 2 module that enables the 48-port 8-Gbps Fibre Channel switching
                  module to use the full 96-Gbps backplane bandwidth with any-to-any
                  connectivity without reducing bandwidth utilization when one fabric card goes
                  down on the MDS 9513 Director.

Generation 2 Modules
DS-X9148          48-port 4-Gbps Fibre Channel switching module
DS-X9124          24-port 4-Gbps Fibre Channel switching module
DS-X9304-18K9     18-port 4-Gbps Fibre Channel switching module with 4-Gigabit Ethernet ports
DS-X9112          12-port 4-Gbps Fibre Channel switching module
DS-X9704          4-port 10-Gbps Fibre Channel switching module
DS-X9530-SF2-K9   Supervisor-2 module for Cisco MDS 9500 Series switches.

Generation 2 Fabric Switches
DS-C9134-K9       Cisco MDS 9134 Fabric switch
                  32-port 4-Gbps Fabric switch with 2 additional 10-Gbps ports
DS-C9124          Cisco MDS 9124 Fabric switch
                  24-port 4-Gbps Fabric switch
DS-C9222i-K9      Cisco MDS 9222i Multiservice Modular switch
                  18-port 4-Gbps switch with 4-Gigabit Ethernet IP storage services ports, and a
                  modular expansion slot to host Cisco MDS 9000 Family Switching and
                  Services Modules

Note Generation 2 Fibre Channel switching modules are not supported on the Cisco MDS 9216 switch;
however, they are supported by both the Supervisor-1 module and the Supervisor-2 module.

For detailed information about the installation and specifications for these modules and switches, refer
to the hardware installation guide for your switch.


Port Groups and Port Rate Modes


This section includes the following topics:
• Port Groups
• Port Rate Modes
• Dedicated Rate Mode Configurations for the 8-Gbps Modules
• Reserving Bandwidth Quickly for the 8-Gbps Modules
• Dynamic Bandwidth Management
• Out-of-Service Interfaces

Port Groups
Each module or switch can have one or more ports in port groups that share common resources such as
bandwidth and buffer credits. Port groups are defined by the hardware consisting of sequential ports. For
example, ports 1 through 12, ports 13 through 24, ports 25 through 36, and ports 37 through 48 are the
port groups on the 48-port 4-Gbps Fibre Channel switching modules.
Table 22-2 shows the port groups for the Generation 2 and Generation 3 Fibre Channel modules, and
Generation 2 Fabric switches.

Table 22-2 Bandwidth and Port Groups for the Fibre Channel Modules and Fabric Switches

                                                    Number of   Bandwidth Per  Maximum
                  Product Name/                     Ports Per   Port Group     Bandwidth Per
Part Number       Description                       Port Group  (Gbps)         Port (Gbps)

Generation 3 Modules
DS-X9248-96K9     48-port 8-Gbps Fibre Channel      6           12.8           8 Gbps
                  switching module
DS-X9224-96K9     24-port 8-Gbps Fibre Channel      3           12.8           8 Gbps
                  switching module
DS-X9248-48K9     4/44-port 8-Gbps Host-Optimized   12          12.8           8/4 Gbps [1]
                  Fibre Channel switching module

Generation 2 Modules
DS-X9148          48-port 4-Gbps Fibre Channel      12          12.8           4 Gbps
                  switching module
DS-X9124          24-port 4-Gbps Fibre Channel      6           12.8           4 Gbps
                  switching module
DS-X9304-18K9     18-port 4-Gbps Fibre Channel      6           12.8           4 Gbps
(MSM-18/4         switching module with 4-Gigabit
Multiservice      Ethernet ports
module)
DS-X9112          12-port 4-Gbps Fibre Channel      3           12.8           4 Gbps
                  switching module
DS-X9704          4-port 10-Gbps Fibre Channel      1           10             10 Gbps
                  switching module

Generation 2 Fabric Switches
DS-C9134-K9       32-port 4-Gbps Fabric switch      4           16             4 Gbps
(Cisco MDS 9134   2-port 10-Gbps Fabric switch      1           10             10 Gbps
Fabric switch)
DS-C9124K9        24-port 4-Gbps Fabric switch      4           16             4 Gbps
(Cisco MDS 9124
Fabric switch)
DS-C9222i-K9      18-port 4-Gbps                    6           12.8           4 Gbps
(Cisco MDS 9222i
Multiservice
Modular switch)

[1] A maximum of 4 ports (one per port group) in a 4/44-port 8-Gbps switching module can operate at 8 Gbps bandwidth in
dedicated or shared mode. All the other ports can operate at a maximum of 4 Gbps in shared mode or dedicated mode.

Port Rate Modes


In Generation 2 and Generation 3 modules, you can configure the port rate modes. The port rate mode
configuration determines the bandwidth allocation for ports in a port group. Two port rate
modes are supported:
• Dedicated Rate Mode: A port is allocated required fabric bandwidth to sustain line traffic at the
  maximum operating speed configured on the port. For more information, see the Dedicated Rate
  Mode section on page 22-6.
• Shared Rate Mode: Multiple ports in a port group share data paths to the switch fabric and share
  bandwidth. For more information, see the Shared Rate Mode section on page 22-7.

Note In Generation 1 modules, you cannot configure the port rate modes. The mode is determined implicitly
based on the port mode and line card type.


Note Port rate modes are not supported on the Cisco Fabric Switch for HP c-Class BladeSystem, and the Cisco
Fabric Switch for IBM BladeCenter.

Table 22-3 shows the modules that support dedicated, shared, and the default rate modes.

Table 22-3 Port Rate Mode Support on Generation 2 and Generation 3 Modules and Switches

| Product Name/Part Number | Description | Supports Dedicated Rate Mode | Supports Shared Rate Mode | Default Speed Mode and Rate Mode on All Ports |
|---|---|---|---|---|
| Generation 3 Modules | | | | |
| DS-X9248-96K9 | 48-Port 8-Gbps Fibre Channel switching module | Yes | Yes (1) | Auto, Shared |
| DS-X9224-96K9 | 24-Port 8-Gbps Fibre Channel switching module | Yes | Yes (1) | Auto, Shared |
| DS-X9248-48K9 | 4/44-Port 8-Gbps Host-Optimized Fibre Channel switching module | Yes | Yes (1) | Auto Max 4 Gbps, Shared |
| Generation 2 Modules | | | | |
| DS-X9148 | 48-port 4-Gbps Fibre Channel switching module (2) | Yes | Yes | Auto, Shared |
| DS-X9124 | 24-port 4-Gbps Fibre Channel switching module | Yes | Yes | Auto, Shared |
| DS-X9304-18K9 (MSM-18/4 Multiservice module) | 18-port 4-Gbps Fibre Channel switching module with 4-Gigabit Ethernet ports | Yes | Yes | Auto, Shared |
| DS-X9112 | 12-port 4-Gbps Fibre Channel switching module | Yes | No | Auto, Dedicated |
| DS-X9704 | 4-port 10-Gbps Fibre Channel switching module | Yes | No | Auto, Dedicated |
| Generation 2 Switches | | | | |
| DS-C9134-K9 (Cisco MDS 9134 Fabric switch) | 32-port 4-Gbps Fabric switch | Yes | Yes | Auto, Shared |
| | 2-port 10-Gbps Fabric switch | Yes | No | Auto, Dedicated |
| DS-C9124 (Cisco MDS 9124 Fabric switch) | 24-port 4-Gbps Fabric switch (3) | Yes | No | Auto, Dedicated |
| DS-C9222i-K9 (Cisco MDS 9222i Multiservice Modular switch) | 18-port 4-Gbps Fibre Channel switch with 4-Gigabit Ethernet IP storage services ports, and a modular expansion slot to host Cisco MDS 9000 Family Switching and Services Modules | Yes | Yes | Auto, Shared |

1. Shared rate mode is supported on Fx ports only and no ISLs.
2. All ports in a 48-port 4-Gbps switching module can operate in dedicated rate mode with a 1-Gbps operating speed. However,
if you configure one or more ports to operate in 2-Gbps or 4-Gbps dedicated rate mode, some of the other ports in the port
group would have to operate in shared mode.
3. All ports in a 24-port 4-Gbps switching module can operate in dedicated rate mode with a 2-Gbps operating speed. However,
if you configure one or more ports to operate in 4-Gbps dedicated rate mode, some of the other ports in the port group would
have to operate in shared mode.

Dedicated Rate Mode


When port rate mode is configured as dedicated, a port is allocated required fabric bandwidth and related
resources to sustain line rate traffic at the maximum operating speed configured for the port. In this
mode, ports do not use local buffering and all receive buffers are allocated from a global buffer pool (see
the Buffer Pools section on page 22-10).
Table 22-4 shows the bandwidth provided by the various port speed configurations on the 8-Gbps Fibre
Channel switching modules.

Table 22-4 Bandwidth Reserved for the Port Speeds on Generation 3 Switching Modules

| Configured Speed | Reserved Bandwidth |
|---|---|
| Auto / 8-Gbps | 8 Gbps |
| Auto with 4-Gbps maximum / 4-Gbps | 4 Gbps |
| Auto with 2-Gbps maximum / 2-Gbps | 2 Gbps |
| 1-Gbps | 1 Gbps |


Table 22-5 shows the amount of bandwidth reserved for a configured port speed on 4-Gbps switching
modules.

Table 22-5 Bandwidth Reserved for the Port Speeds on Generation 2 Switching Modules

| Configured Speed | Reserved Bandwidth |
|---|---|
| Auto / 4-Gbps | 4 Gbps |
| Auto with 2-Gbps maximum / 2-Gbps | 2 Gbps |
| 1-Gbps | 1 Gbps |

Note The 4-Port 10-Gbps Fibre Channel module ports in auto mode only support auto speed mode at 10 Gbps.

Shared Rate Mode


When port rate mode is configured as shared, multiple ports within a port group share data paths to the
switch fabric so that fabric bandwidth and related resources are shared. Often, the available bandwidth
to the switch fabric may be less than the negotiated operating speed of a port. Ports in this mode use local
buffering for the BB_credit buffers.
All ports in 4-Gbps Fibre Channel switching modules where bandwidth is shared support 1-Gbps,
2-Gbps, or 4-Gbps traffic. However, it is possible to configure one or more ports in a port group to
operate in dedicated rate mode with 1-Gbps, 2-Gbps or 4-Gbps operating speed.
All ports in the 48-Port and 24-Port 8-Gbps Fibre Channel switching modules where bandwidth is shared
support 1-Gbps, 2-Gbps, 4-Gbps, or 8-Gbps traffic.
In the 4/44-Port 8-Gbps Host-Optimized Fibre Channel switching module, all the ports where bandwidth
is shared support 1-Gbps, 2-Gbps, 4-Gbps in a maximum of 44 ports, or 8 Gbps in a maximum of 4 ports.

Dedicated Rate Mode Configurations for the 8-Gbps Modules


Table 22-6 shows the maximum possible dedicated rate mode configuration scenarios for the Generation
3 Fibre Channel modules.

Table 22-6 Dedicated Rate Mode Bandwidth Reservation for Generation 3 Fibre Channel Modules

| Product Name/Part Number | Description | Dedicated Bandwidth per Port | Maximum Allowed Ports that can come up | Ports in Shared Mode |
|---|---|---|---|---|
| DS-X9248-96K9 | 48-port 8-Gbps Fibre Channel switching module | 8 Gbps | 8 Ports | All the remaining ports are 8 Gbps shared. |
| | | 4 Gbps | 24 Ports | |
| | | 2 Gbps | 48 Ports | |
| DS-X9224-96K9 | 24-port 8-Gbps Fibre Channel switching module | 8 Gbps | 8 Ports | All the remaining ports are 8 Gbps shared. |
| | | 4 Gbps | 24 Ports | |
| DS-X9248-48K9 | 4/44-port 8-Gbps Host-Optimized Fibre Channel switching module | 8 Gbps | 4 Ports | All the remaining ports are 4 Gbps shared (8 Gbps of bandwidth can be provided only to one port per port group in Dedicated or Shared rate mode). |
| | | 4 Gbps | 12 Ports | |
| | | 2 Gbps | 24 Ports | |
| | | 1 Gbps | 48 Ports | |

Reserving Bandwidth Quickly for the 8-Gbps Modules


To quickly reserve bandwidth for all the ports in the port groups on the Generation 3 Fibre Channel
modules using the Device Manager, follow these steps:

Step 1 On the Device Manager window, right-click the 8-Gbps Fibre Channel module.

Figure 22-1 Device Manager - 8 Gbps Module - Pop-Up Menu

Step 2 From the pop-up menu, select Bandwidth Reservation Config...

Step 3 In the Bandwidth Reservation Configuration dialog box that is displayed, choose a bandwidth
reservation scheme (see Figure 22-2).


Figure 22-2 RateMode Configuration Dialog Box

Table 22-7 describes the default RateMode configuration schemes available in the Bandwidth
Reservation Configuration dialog box for the 8-Gbps modules.

Table 22-7 RateMode Configuration Schemes

| Module | Available RateMode Config Macros |
|---|---|
| DS-X9248-96K9 48-Port 8-Gbps Fibre Channel module | Dedicated 4 Gbps on the first port of each group and the remaining ports 8 Gbps shared |
| | Dedicated 8 Gbps on the first port of each group and the remaining ports 8 Gbps shared |
| | Shared 8 Gbps on all ports (initial & default settings) |
| DS-X9224-96K9 24-Port 8-Gbps Fibre Channel module | Dedicated 8 Gbps on the first port of each group and the remaining ports 8G shared |
| | Shared Auto (1) on all ports (initial & default settings) |
| DS-X9248-48K9 4/44-Port 8-Gbps Host-Optimized Fibre Channel module | Dedicated 2 Gbps on the first port of each group and the remaining ports 4 Gbps shared |
| | Dedicated 8 Gbps on the first port of each group and the remaining ports 4 Gbps shared |
| | Shared Auto with Maximum of 4 Gbps on all ports (initial & default settings) |

1. Auto is 8 Gbps.

Step 4 Click Apply.

Dynamic Bandwidth Management


On port switching modules where bandwidth is shared, the bandwidth available to each port within a port
group can be configured based on the port rate mode and speed configurations. Within a port group, some
ports can be configured in dedicated rate mode while others operate in shared mode.


Ports configured in dedicated rate mode are allocated the required bandwidth to sustain a line rate of
traffic at the maximum configured operating speed, and ports configured in shared mode share the
available remaining bandwidth within the port group. Bandwidth allocation among the shared mode
ports is based on the operational speed of the ports. For example, if four ports operating at speeds 1 Gbps,
1 Gbps, 2 Gbps, and 4 Gbps share bandwidth of 8 Gbps, the ratio of allocation would be 1:1:2:4.
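
The allocation rule described above, as an added Python example (not Cisco code and not part of the original guide): dedicated ports reserve their full speed, shared ports split the remainder in proportion to speed, and out-of-service ports hold nothing. The interface names, the 12.8-Gbps default (the port-group bandwidth listed in Table 22-2) and the oversubscription formula (total shared-port speed divided by the bandwidth left for shared ports) are assumptions made for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional

MODES = ("dedicated", "shared", "out-of-service")


@dataclass(frozen=True)
class Port:
    name: str            # constructed interface name, e.g. "fc1/1"
    mode: str            # one of MODES
    speed_gbps: int = 0  # configured speed; ignored when out of service


def plan_port_group(ports: List[Port], group_gbps=Fraction("12.8")) -> Dict:
    """Split one port group's fabric bandwidth between its ports.

    Returns exact Fractions so ratios such as 10:1 compare cleanly.
    Raises ValueError when dedicated reservations exceed the group bandwidth.
    """
    for p in ports:
        if p.mode not in MODES:
            raise ValueError(f"{p.name}: unknown rate mode {p.mode!r}")
        if p.mode != "out-of-service" and p.speed_gbps <= 0:
            raise ValueError(f"{p.name}: speed must be positive")

    # Dedicated ports are guaranteed line rate at their configured speed.
    dedicated = {p.name: Fraction(p.speed_gbps)
                 for p in ports if p.mode == "dedicated"}
    reserved = sum(dedicated.values(), Fraction(0))
    if reserved > group_gbps:
        raise ValueError(
            f"dedicated ports need {float(reserved)} Gbps but the port group "
            f"provides {float(group_gbps)} Gbps")

    remaining = group_gbps - reserved
    shared = [p for p in ports if p.mode == "shared"]
    demand = sum(p.speed_gbps for p in shared)

    shares: Dict[str, Fraction] = {}
    for p in shared:
        # Proportional split by speed, capped at the port's own speed.
        share = remaining * p.speed_gbps / demand
        shares[p.name] = min(share, Fraction(p.speed_gbps))

    # Assumed definition: shared-port speed total over leftover bandwidth.
    oversub: Optional[Fraction] = None
    if shared and remaining > 0:
        oversub = Fraction(demand) / remaining

    return {
        "dedicated_gbps": dedicated,
        "remaining_gbps": remaining,
        "shared_gbps": shares,
        "oversubscription": oversub,
        "out_of_service": [p.name for p in ports if p.mode == "out-of-service"],
    }


if __name__ == "__main__":
    # Constructed input: four shared ports dividing 8 Gbps, as in the text.
    text_case = plan_port_group(
        [Port("fc1/1", "shared", 1), Port("fc1/2", "shared", 1),
         Port("fc1/3", "shared", 2), Port("fc1/4", "shared", 4)],
        group_gbps=8)
    for name, gbps in text_case["shared_gbps"].items():
        print(f"{name}: {float(gbps)} Gbps")

    # Constructed input: a three-port group on a 24-port 8-Gbps module.
    mixed = plan_port_group(
        [Port("fc2/1", "dedicated", 8), Port("fc2/2", "dedicated", 4),
         Port("fc2/3", "shared", 8)])
    print(f"oversubscription {float(mixed['oversubscription'])}:1, "
          f"shared port gets {float(mixed['shared_gbps']['fc2/3'])} Gbps")
```

The ratio is reported unrounded, so it can be compared directly against a planned configuration before ports are moved to dedicated mode.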

Out-of-Service Interfaces
On supported modules and fabric switches, you might need to allocate all the shared resources for one
or more interfaces to another interface in the port group or module. You can take interfaces out of service
to release shared resources that are needed for dedicated bandwidth. When an interface is taken out of
service, all shared resources are released and made available to the other interface in the port group or
module. These shared resources include bandwidth, rate mode, BB_credits, and extended BB_credits.
All shared resource configurations are returned to their default values when the interface is brought back
into service. Corresponding resources must be made available in order for the port to be successfully
returned to service.

Caution If you need to bring an interface back into service, you might disrupt traffic if you need to release shared
resources from other interfaces in the same port group.

Buffer Credit Allocation


This section describes how buffer credits are allocated to switches and modules, and includes the
following topics:
• Buffer Pools
• BB_Credit Buffers for Switching Modules
• BB_Credit Buffers for Fabric Switches
• Extended BB_Credits

Buffer Pools
In the architecture of Generation 2 and Generation 3 modules, receive buffers shared by a set of ports
are called buffer groups. The receive buffer groups are organized into global and local buffer pools.
The receive buffers allocated from the global buffer pool to be shared by a port group are called a global
receive buffer pool. Global receive buffer pools include the following buffer groups:
• Reserved internal buffers
• Allocated BB_credit buffers for each Fibre Channel interface (user configured or assigned by
  default)
• Common unallocated buffer pool for BB_credits, if any, to be used for additional BB_credits as
  needed
• Performance buffers (only used on 12-port 4-Gbps and 4-port 10-Gbps switching modules)


Note The 48-Port and 24-Port 8-Gbps modules have dual global buffer pools. Each buffer pool in the 48-port
modules supports 24 ports, and each buffer pool in the 24-port modules supports 12 ports.

Figure 22-3 shows the allocation of BB_credit buffers on line cards (24-port and 48-port 4-Gbps line
cards).

Figure 22-3 Receive Buffers for Fibre Channel Ports in a Global Buffer Pool
[Figure: stacked regions of the global buffer pool: reserved internal buffers (not user configurable); performance buffers (shared pool); common unallocated buffer pool for BB_credits; allocated BB_credit buffers for each front panel FC port (1, 2, 3, ... N). Side labels: maximum receive buffers; total BB_credit buffers.]

Figure 22-4 shows the default BB_credit buffer allocation model for 48-port 8-Gbps switching modules.
The minimum BB_credits required to bring up a port is two buffers.

Figure 22-4 BB_Credit Buffer Allocation in 48-port 8-Gbps Switching Modules
[Figure: 48-port module. All ports shared (8 Gbps): 32 BB credits. All ports dedicated (2 Gbps): 250 BB credits. Mixed: dedicated ports at 1 Gbps, 2 Gbps, 4 Gbps, or 8 Gbps: 250 BB credits each; shared ports: 32 BB credits.]


Figure 22-5 shows the default BB_credit buffer allocation model for 24-port 8-Gbps switching modules.
The minimum BB_credits required to bring up a port is two buffers.

Figure 22-5 BB_Credit Buffer Allocation in 24-port 8-Gbps Switching Modules
[Figure: 24-port module. All ports shared (8 Gbps): 32 BB credits. All ports dedicated (2 Gbps): 500 BB credits. Mixed: dedicated ports at 1 Gbps, 2 Gbps, 4 Gbps, or 8 Gbps: 500 BB credits each; shared ports: 32 BB credits.]

Figure 22-6 shows the default BB_credit buffer allocation model for 4/44-port 8-Gbps Host-Optimized
switching modules. The minimum BB_credits required to bring up a port is two buffers.

Figure 22-6 BB_Credit Buffer Allocation in 4/44-port 8-Gbps Switching Modules
[Figure: 4/44-port module. All ports shared (8 Gbps): 32 BB credits. All ports dedicated (2 Gbps): 125 BB credits. Mixed: dedicated ports at 1 Gbps, 2 Gbps, or 4 Gbps: 250 BB credits each; dedicated ports at 8 Gbps: 125 BB credits; shared ports: 32 BB credits.]


Figure 22-7 shows the default BB_credit buffer allocation model for 24-port 4-Gbps switching modules.
The minimum BB_credits required to bring up a port is two buffers.

Figure 22-7 BB_Credit Buffer Allocation in 24-port 4-Gbps Switching Modules
[Figure: 24-port module. All ports shared (4 Gbps): 16 BB credits. All ports dedicated (2 Gbps): 250 BB credits. Mixed: dedicated ports at 1 Gbps, 2 Gbps, or 4 Gbps: 250 BB credits each; shared ports: 16 BB credits.]

Note The default BB_credit buffer allocation is the same for all port speeds.

BB_Credit Buffers for Switching Modules


This section describes how buffer credits are allocated to Cisco MDS 9000 switching modules, and
includes the following topics:
• 48-Port 8-Gbps Fibre Channel Module BB_Credit Buffers
• 24-Port 8-Gbps Fibre Channel Module BB_Credit Buffers
• 4/44-Port 8-Gbps Host-Optimized Fibre Channel Module BB_Credit Buffers
• 48-Port 4-Gbps Fibre Channel Module BB_Credit Buffers
• 24-Port 4-Gbps Fibre Channel Module BB_Credit Buffers
• 18-Port Fibre Channel/4-Port Gigabit Ethernet Multiservice Module BB_Credit Buffers
• 4-Port 10-Gbps Switching Module BB_Credit Buffers


48-Port 8-Gbps Fibre Channel Module BB_Credit Buffers


Table 22-8 lists the BB_credit buffer allocation for the 48-port 8-Gbps Fibre Channel switching module.

Table 22-8 48-Port 8-Gbps Switching Module BB_Credit Buffer Allocation

| BB_Credit Buffer Allocation (buffers per port) | Dedicated Rate Mode, 8-Gbps Speed: ISL | Dedicated Rate Mode, 8-Gbps Speed: Fx Port | Shared Rate Mode, 8-Gbps Speed: Fx Port |
|---|---|---|---|
| Default BB_credit buffers | 250 | 32 | 32 |
| Maximum BB_credit buffers | 500 | 500 | 32 |

Total Number of BB_Credit Buffers per Module:
Ports 1 through 24: 6000
Ports 25 through 48: 6000

The following guidelines apply to BB_credit buffers on 48-port 8-Gbps Fibre Channel switching
modules:
• BB_credit buffers allocated for ports 1 through 24 and 25 through 48 can be a maximum of 6000
  each so that the load is distributed.
• BB_credit buffers for ISL connections can be configured from a minimum of 2 buffers to a
  maximum of 500 buffers for dedicated rate mode.
• BB_credit buffers for Fx port mode connections can be configured. The minimum is 2 buffers and
  the maximum is 500 buffers for dedicated rate mode or 32 buffers for shared rate mode.
• Performance buffers are not supported on this module.
Each port group on the 48-port 8-Gbps Fibre Channel switching module consists of six ports. The ports
in shared rate mode in a port group can have a maximum bandwidth oversubscription of 10:1 considering
that each port group has 12.8-Gbps bandwidth.
The following example configurations are supported by the 48-port 8-Gbps Fibre Channel switching
modules:
• Six ports with shared rate mode and 8-Gbps speed (4:1 oversubscription) (default)
• One port with dedicated rate mode and 8-Gbps speed plus
  five ports with shared rate mode and 8-Gbps speed (10:1 oversubscription)
• Two ports with dedicated rate mode and 4-Gbps speed plus
  four ports with shared rate mode and 4-Gbps speed (4:1 oversubscription)
• One port with dedicated rate mode and 4-Gbps speed plus
  three ports with dedicated rate mode and 2-Gbps speed plus
  two ports with shared rate mode and 4-Gbps speed (4:1 oversubscription)
• Six ports with dedicated rate mode and 2-Gbps speed


24-Port 8-Gbps Fibre Channel Module BB_Credit Buffers


Table 22-9 lists the BB_credit buffer allocation for the 24-port 8-Gbps Fibre Channel switching module.

Table 22-9 24-Port 8-Gbps Switching Module BB_Credit Buffer Allocation

| BB_Credit Buffer Allocation (buffers per port) | Dedicated Rate Mode, 8-Gbps Speed: ISL | Dedicated Rate Mode, 8-Gbps Speed: Fx Port | Shared Rate Mode, 8-Gbps Speed: Fx Port |
|---|---|---|---|
| Default BB_credit buffers | 500 | 32 | 32 |
| Maximum BB_credit buffers | 500 (1) | 500 (1) | 32 |

Total Number of BB_Credit Buffers per Module:
Ports 1 through 12: 6000
Ports 13 through 24: 6000

1. When connected to Generation 1 modules, reduce the maximum BB_credit allocation to 250.

The following guidelines apply to BB_credit buffers on 24-port 8-Gbps Fibre Channel switching
modules:
• BB_credit buffers allocated for ports 1 through 12 and 13 through 24 can be a maximum of 6000
  each so that the load is distributed.
• BB_credit buffers for ISL connections can be configured from a minimum of 2 buffers to a
  maximum of 500 buffers for dedicated rate mode.
• BB_credit buffers for Fx port mode connections can be configured. The minimum is 2 buffers and
  the maximum is 500 buffers for dedicated rate mode or 32 buffers for shared rate mode.
• Performance buffers are not supported on this module.
Each port group on the 24-port 8-Gbps Fibre Channel switching module consists of three ports. The ports
in shared rate mode in a port group can have a maximum bandwidth oversubscription of 10:1 considering
that each port group has 12.8-Gbps bandwidth.
The following example configurations are supported by the 24-port 8-Gbps Fibre Channel switching
modules:
• Three ports with shared rate mode and 8-Gbps speed (2:1 oversubscription) (default)
• One port with dedicated rate mode and 8-Gbps speed plus
  two ports with shared rate mode and 8-Gbps speed (4:1 oversubscription)
• One port with dedicated rate mode and 8-Gbps speed plus
  one port with dedicated rate mode and 4-Gbps speed plus
  one port with shared rate mode and 8-Gbps speed (10:1 oversubscription)
• Two ports with dedicated rate mode and 4-Gbps speed plus
  one port with shared rate mode and 8-Gbps speed (2:1 oversubscription)
• Three ports with dedicated rate mode and 4-Gbps speed


4/44-Port 8-Gbps Host-Optimized Fibre Channel Module BB_Credit Buffers


Table 22-10 lists the BB_credit buffer allocation for the 4/44-port 8-Gbps Fibre Channel switching
module.

Table 22-10 4/44-Port 8-Gbps Switching Module BB_Credit Buffer Allocation

| BB_Credit Buffer Allocation (buffers per port) | Dedicated Rate Mode, 8-Gbps Speed: ISL | Dedicated Rate Mode, 8-Gbps Speed: Fx Port | Shared Rate Mode, 8-Gbps Speed: Fx Port |
|---|---|---|---|
| Default BB_credit buffers | 125 | 32 | 32 |
| Maximum BB_credit buffers | 250 | 250 | 32 |

Total number of BB_credit buffers per module: 6000

The following guidelines apply to BB_credit buffers on 4/44-port 8-Gbps Fibre Channel switching
modules:
• BB_credit buffers for ISL connections can be configured from a minimum of 2 buffers to a
  maximum of 500 buffers for dedicated rate mode.
• BB_credit buffers for Fx port mode connections can be configured. The minimum is 2 buffers and
  the maximum is 250 buffers for dedicated rate mode or 32 buffers for shared rate mode.
• Performance buffers are not supported on this module.
Each port group on the 24-port 8-Gbps Fibre Channel switching module consists of 12 ports. The ports
in shared rate mode in a port group can have a maximum bandwidth oversubscription of 10:1 considering
that each port group has 12.8-Gbps bandwidth.
The following example configurations are supported by the 4/44-port 8-Gbps Fibre Channel switching
modules:
• Twelve ports with shared rate mode and 4-Gbps speed (5:1 oversubscription) (default)
• One port with dedicated rate mode and 8-Gbps speed plus
  eleven ports with shared rate mode and 4-Gbps speed (10:1 oversubscription)
• One port with dedicated rate mode and 4-Gbps speed plus
  three ports with dedicated rate mode and 3-Gbps speed plus
  eight ports with shared rate mode and 4-Gbps speed (2:1 oversubscription)
• Twelve ports with dedicated rate mode and 1-Gbps speed


48-Port 4-Gbps Fibre Channel Module BB_Credit Buffers


Table 22-11 lists the BB_credit buffer allocation for 48-port 4-Gbps Fibre Channel switching modules.

Table 22-11 48-Port 4-Gbps Switching Module BB_Credit Buffer Allocation

| BB_Credit Buffer Allocation (buffers per port) | Dedicated Rate Mode, 4-Gbps Speed: ISL (1) | Dedicated Rate Mode, 4-Gbps Speed: Fx Port | Shared Rate Mode, 4-Gbps Speed: Fx Port |
|---|---|---|---|
| Default BB_credit buffers | 125 | 16 | 16 |
| Maximum BB_credit buffers | 250 | 250 | 16 |

Total number of BB_credit buffers per module: 6000

1. ISL = E port or TE port.

The following considerations apply to BB_credit buffers on 48-port 4-Gbps Fibre Channel switching
modules:
• BB_credit buffers for ISL connections can be configured from a minimum of 2 buffers to a
  maximum of 250 buffers for dedicated rate mode or 16 buffers for shared rate mode.
• BB_credit buffers for Fx port mode connections can be configured. The minimum is 2 buffers and
  the maximum is 250 buffers for dedicated rate mode or 16 buffers for shared rate mode.
• Performance buffers are not supported on this module.
Each port group on the 48-port 4-Gbps Fibre Channel switching module consists of 12 ports. The ports
in shared rate mode have bandwidth oversubscription of 2:1 by default. However, some configurations
of the shared ports in a port group can have maximum bandwidth oversubscription of 4:1 (considering
that each port group has 12.8-Gbps bandwidth).
The following example configurations are supported by the 48-port 4-Gbps Fibre Channel switching
modules:
• Twelve ports with shared rate mode and 4-Gbps speed (4:1 oversubscription) (default)
• One port with dedicated rate mode and 4-Gbps speed plus
  11 ports with shared rate mode and 4-Gbps speed (5:1 oversubscription)
• One port with dedicated rate mode and 4-Gbps speed plus
  11 ports with shared rate mode and 2-Gbps speed (2.5:1 oversubscription)
• Two ports with dedicated rate mode and 2-Gbps speed plus
  10 ports with shared rate mode and 4-Gbps speed (5:1 oversubscription)
• Two ports with dedicated rate mode and 2-Gbps speed plus
  10 ports with shared rate mode and 2-Gbps speed (2.5:1 oversubscription)
• Twelve ports with dedicated rate mode and 1-Gbps speed
• Three ports with dedicated rate mode and 4-Gbps speed plus
  four ports with shared rate mode and 1-Gbps speed plus
  five ports put out-of-service (see Figure 22-8)


Figure 22-8 Example Speed and Rate Configuration on a 48-Port 4-Gbps Switching Module
[Figure: one 12-port port group. Ports 1, 2, and 3: 4-Gbps dedicated. Ports 4, 5, 6, and 7: 1-Gbps shared. Ports 8 through 12: out of service.]

• Six ports with dedicated rate mode and 2-Gbps speed plus
  four ports with shared rate mode and 1-Gbps speed plus
  two ports put out-of-service (see Figure 22-9)

Figure 22-9 Example Speed and Rate Configuration on a 48-Port 4-Gbps Switching Module
[Figure: one 12-port port group. Ports 1 through 6: 2-Gbps dedicated. Ports 7 through 10: 1-Gbps shared. Ports 11 and 12: out of service.]

24-Port 4-Gbps Fibre Channel Module BB_Credit Buffers


Table 22-12 lists the BB_credit buffer allocation for 24-port 4-Gbps Fibre Channel switching modules.

Table 22-12 24 Port 4-Gbps Switching Module BB_Credit Buffer Allocation

| BB_Credit Buffer Allocation (buffers per port) | Dedicated Rate Mode, 4-Gbps Speed: ISL (1) | Dedicated Rate Mode, 4-Gbps Speed: Fx Port | Shared Rate Mode, 4-Gbps Speed: Fx Port |
|---|---|---|---|
| Default BB_credit buffers | 250 | 16 | 16 |
| Maximum BB_credit buffers | 250 | 250 | 16 |

Total number of BB_credits buffers per module: 6000

1. ISL = E port or TE port.

The following considerations apply to BB_credit buffers on 24-port 4-Gbps Fibre Channel switching
modules:
• BB_credit buffers for ISL connections can be configured from a minimum of 2 buffers to a
  maximum of 250 buffers for dedicated rate mode or 16 buffers for shared rate mode.
• BB_credit buffers for Fx port mode connections can be configured. The minimum is 2 buffers and
  the maximum is 250 buffers for dedicated rate mode or 16 buffers for shared rate mode.
• Performance buffers are not supported on this module.
Each port group on the 24-port 4-Gbps Fibre Channel switching module consists of six ports. The ports
in shared rate mode have a bandwidth oversubscription of 2:1 by default. However, some configurations
of the shared ports in a port group can have a maximum bandwidth oversubscription of 4:1 (considering
that each port group has 12.8-Gbps bandwidth).
The following example configurations are supported by the 24-port 4-Gbps Fibre Channel switching
modules:
• Six ports with shared rate mode and 4-Gbps speed (2:1 oversubscription) (default)
• Two ports with dedicated rate mode and 4-Gbps speed plus
  four ports with shared rate mode and 4-Gbps speed (with 4:1 oversubscription)
• One port with dedicated rate mode and 4-Gbps speed plus
  three ports with dedicated rate mode and 2-Gbps speed plus
  two ports with shared rate mode and 4-Gbps speed (4:1 oversubscription)
• Six ports with dedicated rate mode and 2-Gbps speed
• Three ports with dedicated rate mode and 4-Gbps speed plus
  three ports with shared rate mode and 1-Gbps speed (see Figure 22-10)

Figure 22-10 Example Speed and Rate Configuration on a 24-Port 4-Gbps Switching Module
[Figure: one six-port port group. Ports 1, 2, and 3: 4-Gbps dedicated. Ports 4, 5, and 6: 1-Gbps shared.]

18-Port Fibre Channel/4-Port Gigabit Ethernet Multiservice Module BB_Credit Buffers


Table 22-13 lists the BB_credit buffer allocation for 18-port 4-Gbps multiservice modules.


Table 22-13 18-Port 4-Gbps Multiservice Module BB_Credit Buffer Allocation

| BB_Credit Buffer Allocation (buffers per port) | Dedicated Rate Mode, 4-Gbps Speed: ISL (1) | Dedicated Rate Mode, 4-Gbps Speed: Fx Port | Shared Rate Mode, 4-Gbps Speed: ISL (1) | Shared Rate Mode, 4-Gbps Speed: Fx Port |
|---|---|---|---|---|
| Default BB_credit buffers | 250 | 16 | 16 | 16 |
| Maximum BB_credit buffers | 250 | 250 | 16 | 16 |

Total number of BB_credit buffers per module: 4509

1. ISL = E port or TE port.

The following considerations apply to BB_credit buffers on 18-port 4-Gbps Fibre Channel switching
modules:
BB_credit buffers for ISL connections can be configured from a minimum of 2 buffers to a
maximum of 250 buffers for dedicated rate mode or 16 buffers for shared rate mode.
BB_credit buffers for Fx port mode connections can be configured from a minimum of 2 buffers to
a maximum of 250 buffers for dedicated rate mode or 16 buffers for shared rate mode.
Performance buffers are not supported on this module.

12-Port 4-Gbps Switching Module BB_Credit Buffers


Table 22-14 lists the BB_credit buffer allocation for 12-port 4-Gbps switching modules.

Table 22-14 12-Port 4-Gbps Switching Module BB_Credit Buffer Allocation

BB_Credit Buffers Per Port

| BB_Credit Buffer Allocation Type | Dedicated Rate Mode, 4-Gbps Speed: ISL (1) | Dedicated Rate Mode, 4-Gbps Speed: Fx Port |
|---|---|---|
| Default BB_credit buffers | 250 | 16 |
| Maximum BB_credit buffers | 250 | 16 |
| Default Performance buffers | 145 | 12 |
| Total number of BB_credit buffers per module | 5488 | |
| Total number of performance buffers per module | 512 (shared) | |

1. ISL = E port or TE port.

The following considerations apply to BB_credit buffers on 12-port 4-Gbps switching modules:
BB_credit buffers for ISL connections can be configured from a minimum of 2 buffers to a
maximum of 250 buffers.
BB_credit buffers for Fx port mode connections can be configured from a minimum of 2 buffers to
a maximum of 250 buffers.


By default, 512 performance buffers are preallocated and are shared by all the ports. These buffers
are configurable and the buffers are assigned to the port based on the availability of the buffers in
the shared pool.
There are 2488 extra buffers available as extended BB_credit buffers after allocating all the default
BB_credit buffers for all the ports in ISL mode (5488 - (250 * 12)).

Note Extended BB_credits are allocated across all ports on the switch. That is, they are not allocated
by port group.

Note By default, the ports in the 12-port 4-Gbps switching modules come up in 4-Gbps dedicated rate mode
but can be configured as 1-Gbps and 2-Gbps dedicated rate mode. Shared mode is not supported.

4-Port 10-Gbps Switching Module BB_Credit Buffers


Table 22-15 lists the BB_credit buffer allocation for 4-port 10-Gbps switching modules.

Table 22-15 4-Port 10-Gbps Switching Module BB_Credit Buffer Allocation

BB_Credit Buffers Per Port

| BB_Credit Buffer Allocation Type | Dedicated Rate Mode, 10-Gbps Speed: ISL (1) | Dedicated Rate Mode, 10-Gbps Speed: F port (2) |
|---|---|---|
| Default BB_credit buffers | 250 | 16 |
| Maximum BB_credit buffers | 750 | 16 |
| Maximum BB_credit buffers on one of the ports with Enterprise license | 4095 | |
| Total number of BB_credit buffers per module | 5488 | |
| Default Performance buffers | 145 | 12 |
| Total number of performance buffers per module | 512 (shared) | |

1. ISL = E port or TE port.
2. Ports on the 4-port 10-Gbps cannot operate in FL port mode.

Note The ports in the 4-port 10-Gbps switching module only support 10-Gbps dedicated rate mode. FL port
mode and shared rate mode are not supported.

The following considerations apply to BB_credit buffers on 4-port 10-Gbps switching modules:
BB_credit buffers for ISL connections can be configured from a minimum of 2 buffers to a
maximum of 750 buffers.
BB_credit buffers for Fx port mode connections can be configured from a minimum of 2 buffers to
a maximum of 750 buffers.


By default, 512 performance buffers are preallocated and are shared by all the ports. These buffers
are configurable and the buffers are assigned to the port based on the availability of the buffers in
the shared pool.
There are 2488 extra buffers available as extended BB_credits after allocating all the default
BB_credit buffers for all the ports in ISL mode (5488 - (750 * 4)).

Note Extended BB_credits are allocated across all ports on the switch. That is, they are not allocated
by port group.

BB_Credit Buffers for Fabric Switches


This section describes how buffer credits are allocated to Cisco MDS 9000 Fabric switches, and includes
the following topics:
Cisco MDS 9134 Fabric Switch BB_Credit Buffers
Cisco MDS 9124 Fabric Switch BB_Credit Buffers
Cisco MDS 9222i Multiservice Modular Switch BB_Credit Buffers

Cisco MDS 9134 Fabric Switch BB_Credit Buffers


Table 22-16 lists the BB_credit buffer allocation for 32-port 4-Gbps Fibre Channel switches.

Table 22-16 32-Port 4-Gbps Switching Module BB_Credit Buffer Allocation Defaults

| BB_Credit Buffer Allocation Type | BB_Credit Buffers Per Port Group | BB_Credit Buffers Per Port: ISL (1) | BB_Credit Buffers Per Port: Fx Port |
|---|---|---|---|
| User-configurable BB_credit buffers on 4-Gbps mode | 64 | 64 | 64 |
| Default BB_credit buffers | 64 | 16 | 16 |

1. ISL = E port or TE port.

The following considerations apply to BB_credit buffers on 32-port 4-Gbps switches:


BB_credit buffers can be configured from a minimum of 1 buffer to a maximum of 61 buffers per
port when the ports are in F mode and in 4-Gbps speed mode.
BB_credit buffers can be configured from a minimum of 2 buffers to a maximum of 64 buffers per
port when the ports are in auto or E mode and in 4-Gbps speed mode.
BB_credit buffers can be configured from a minimum of 64 buffers to a maximum of 64 buffers per
port when a port is in 10-Gbps speed mode. There can be only one port per port group configured
in 10-Gbps mode. The remaining three ports must be in the down state.
BB_credit buffers for Fx port mode connections can be configured from a minimum of 2 buffers to
a maximum of 64 buffers.


Cisco MDS 9124 Fabric Switch BB_Credit Buffers


Table 22-17 lists the BB_credit buffer allocation for 24-port 4-Gbps Fibre Channel switches.

Table 22-17 24-Port 4-Gbps Switching Module BB_Credit Buffer Allocation Defaults

| BB_Credit Buffer Allocation Type | BB_Credit Buffers Per Port Group | BB_Credit Buffers Per Port Defaults: ISL (1) | BB_Credit Buffers Per Port Defaults: Fx Port |
|---|---|---|---|
| User-configurable BB_credit buffers | 64 | 16 | 16 |

1. ISL = E port or TE port.

Cisco MDS 9222i Multiservice Modular Switch BB_Credit Buffers


Table 22-18 lists the BB_credit buffer allocation for 18-port 4-Gbps Multiservice Modular switches.

Table 22-18 18-Port 4-Gbps Switching Module BB_Credit Buffer Allocation Defaults

| BB_Credit Buffer Allocation Type | BB_Credit Buffers Per Port Group | BB_Credit Buffers Per Port Defaults: ISL (1) | BB_Credit Buffers Per Port Defaults: Fx Port |
|---|---|---|---|
| User-configurable BB_credit buffers | 4509 | 250 | 16 |

1. ISL = E port or TE port.

Extended BB_Credits

Note Extended BB_credits are not supported on the Cisco MDS 9124 Fabric Switch, Cisco MDS 9134 Fabric
Switch, Cisco MDS 9222i Fabric Switch, the Cisco Fabric Switch for HP c-Class BladeSystem, and the
Cisco Fabric Switch for IBM BladeCenter.

To facilitate BB_credits for long haul links, the extended BB_credits feature allows the user to configure
the receive buffers above the maximum value on all Generation 2 switching modules (see the Buffer
Credit Allocation section on page 22-10). When necessary, you can reduce the buffers on one port and
assign them to another port, exceeding the default maximum. The minimum extended BB_credits per
port is 256 and the maximum is 4095.
In general, the user can configure any port in a port group to dedicated rate mode. To do this, you must
first release the buffers from the other ports before configuring larger extended BB_credits for a port.

Note The ENTERPRISE_PKG license is required to use extended BB_credits on Generation 2 switching
modules. Also, extended BB_credits are not supported by ports in shared rate mode.

All ports on the Generation 2 switching modules support extended BB_credits. There are no limitations
for how many extended BB_credits you can assign to a port (except for the maximum and minimum
limits). If necessary, you can take interfaces out of service to make more extended BB_credits available
to other ports.

Combining Generation 1, Generation 2, and Generation 3 Modules
Cisco MDS NX-OS Release 4.1(1) and later supports combining Generation 1, Generation 2, and
Generation 3 modules and switches with the following considerations:
MDS NX-OS Release 4.1(1) and later features are not supported on Generation 1 switches and
modules.
Generation 3 modules do not support the following Generation 1 hardware:
Supervisor 1 module
4-Port IP Storage Services module
8-Port IP Storage Services module
MDS 9216 switch
MDS 9216A switch
MDS 9020 switch
MDS 9120 switch
MDS 9140 switch
Supervisor-1 modules must be upgraded to Supervisor-2 modules on the MDS 9506 and MDS 9509
Directors.
IPS-4 and IPS-8 modules must be upgraded to the MSM-18/4 Multiservice modules.
Fabric 1 modules must be upgraded to Fabric 2 modules on the MDS 9513 Director to use the
48-port or the 24-port 8-Gbps module, and the Fabric 2 modules must be configured in active-active
mode.
MDS Fabric Manager Release 4.x supports MDS SAN-OS Release 3.x and NX-OS 4.x in mixed
mode through Interswitch Link (ISL) connectivity.

Note When a Cisco or another vendor switch port is connected to a Generation 1 module port (ISL
connection), the receive buffer-to-buffer credits of the port connected to the Generation 1 module port
should not exceed 255.

Port Indexes
Cisco MDS 9000 switches allocate index identifiers for the ports on the modules. These port indexes
cannot be configured. You can combine Generation 1, Generation 2, and Generation 3 switching
modules, with either Supervisor-1 modules or Supervisor-2 modules. However, combining switching
modules and supervisor modules has the following port index limitations:
Supervisor-1 modules only support a maximum of 252 port indexes, regardless of the type of
switching modules.


Supervisor-2 modules support a maximum of 1020 port indexes when all switching modules in the
chassis are Generation 2 or Generation 3.
Supervisor-2 modules only support a maximum of 252 port indexes when only Generation 1
switching modules, or a combination of Generation 1, Generation 2, or Generation 3 switching
modules, are installed in the chassis.

Note On a switch with a maximum limit of 252 port indexes, any new module that exceeds the
limit when installed does not power up.

Generation 1 switching modules have specific numbering requirements. If these requirements are not
met, the module does not power up. The port index numbering requirements include the following:
If port indexes in the range of 256 to 1020 are assigned to operational ports, Generation 1 switching
modules do not power up.
A block of contiguous port indexes is available. If this block of port indexes is not available,
Generation 1 modules do not power up. Table 22-19 shows the port index requirements for the
Generation 1 modules.

Note If the switch has Supervisor-1 modules, the block of 32 contiguous port indexes must begin on the slot
boundary. The slot boundary for slot 1 is 0, for slot 2 is 32, and so on. For Supervisor-2 modules, the
contiguous block can start anywhere.

Table 22-19 Port Index Requirements for Generation 1 Modules

Number of Port Indexes Required

| Generation 1 Module | Supervisor-1 Module | Supervisor-2 Module |
|---|---|---|
| 16-port 2-Gbps Fibre Channel module | 16 | 16 |
| 32-port 2-Gbps Fibre Channel module | 32 | 32 |
| 8-port Gigabit Ethernet IP Storage Services module | 32 | 32 |
| 4-port Gigabit Ethernet IP Storage Services module | 32 | 16 |
| 32-port 2-Gbps Fibre Channel Storage Services Module (SSM) | 32 | 32 |
| 14-port Fibre Channel/2-port Gigabit Ethernet Multiprotocol Services (MPS-14/2) module | 32 | 22 |

The allowed mix of Generation 1 and Generation 2 switching modules in a chassis is determined at
run-time, either when booting up the switch or when installing the modules. In some cases, the sequence
in which switching modules are inserted into the chassis determines if one or more modules is powered
up. When a module does not power up because of a resource limitation, you can see the reason by
viewing the module information in the Information pane.
For information on recovering a module powered-down because port indexes are not available, refer to
the Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x.
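
The port index rules above can be checked before a Generation 1 module is inserted. The following Python sketch is an added example, not Cisco code: the module labels, function names, and sample chassis state are made up here, and it assumes that with Supervisor-1 modules the block starts at index (slot - 1) * 32 and that the whole block must lie below index 256.

```python
# Added example: port index admission check for a Generation 1 module.

# Port indexes required per Generation 1 module (Table 22-19).
# Keys are short labels made up for this example:
# label -> (with Supervisor-1, with Supervisor-2)
REQUIRED_INDEXES = {
    "fc-16": (16, 16),     # 16-port 2-Gbps Fibre Channel module
    "fc-32": (32, 32),     # 32-port 2-Gbps Fibre Channel module
    "ips-8": (32, 32),     # 8-port Gigabit Ethernet IP Storage Services module
    "ips-4": (32, 16),     # 4-port Gigabit Ethernet IP Storage Services module
    "ssm-32": (32, 32),    # 32-port 2-Gbps Fibre Channel SSM
    "mps-14/2": (32, 22),  # MPS-14/2 module
}

GEN1_INDEX_LIMIT = 252    # maximum port indexes once a Generation 1 module is present
GEN1_INDEX_CEILING = 256  # indexes 256 to 1020 in use keep Generation 1 modules down
SLOT_STRIDE = 32          # Supervisor-1 slot boundary: slot 1 -> 0, slot 2 -> 32, ...


def find_block(used, need, candidates):
    """Return the first start index whose block of `need` indexes is free."""
    for start in candidates:
        block = range(start, start + need)
        # Assumption: the block must end below index 256.
        if block[-1] < GEN1_INDEX_CEILING and used.isdisjoint(block):
            return start
    return None


def gen1_power_up(module, slot, supervisor, used):
    """Decide whether a Generation 1 module can power up.

    module:     key of REQUIRED_INDEXES
    slot:       chassis slot number, counted from 1
    supervisor: 1 for Supervisor-1, 2 for Supervisor-2
    used:       set of port indexes already assigned to operational ports
    Returns (True, start_index) or (False, reason).
    """
    if supervisor not in (1, 2):
        raise ValueError("supervisor must be 1 or 2")
    need = REQUIRED_INDEXES[module][supervisor - 1]

    if any(index >= GEN1_INDEX_CEILING for index in used):
        return False, "port indexes in the range 256 to 1020 are in use"
    if len(used) + need > GEN1_INDEX_LIMIT:
        return False, "the 252 port index limit would be exceeded"

    if supervisor == 1:
        # The block must begin on the slot boundary.
        candidates = [(slot - 1) * SLOT_STRIDE]
    else:
        # The contiguous block can start anywhere.
        candidates = range(0, GEN1_INDEX_CEILING - need + 1)

    start = find_block(used, need, candidates)
    if start is None:
        return False, "no contiguous block of %d port indexes is available" % need
    return True, start


# Constructed chassis state: indexes 0-47 and 64-95 are already in use.
SAMPLE_USED = set(range(0, 48)) | set(range(64, 96))

if __name__ == "__main__":
    for module, slot, sup in [("ips-4", 5, 2), ("mps-14/2", 5, 2),
                              ("ips-4", 2, 1), ("fc-32", 4, 1)]:
        print(module, "slot", slot, "Supervisor-%d" % sup,
              gen1_power_up(module, slot, sup, SAMPLE_USED))
```

With the sample state, the 4-port IP Storage Services module fits in the 16-index gap under Supervisor-2 but fails in slot 2 under Supervisor-1, where it needs 32 indexes starting at the slot boundary.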


PortChannels
PortChannels have the following restrictions:
The maximum number of PortChannels allowed is 256 if all switching modules are Generation 2 or
Generation 3, or both.
The maximum number of PortChannels allowed is 128 whenever there is a Generation 1 switching
module in use with a Generation 2 or Generation 3 switching module.
Ports need to be configured in dedicated rate mode on the Generation 2 and Generation 3 switching
module interfaces to be used in the PortChannel.

Note The number of PortChannels allowed does not depend on the type of supervisor module. However,
Generation 3 modules require the Supervisor 2 module on the MDS 9506 and 9509 switches.

The Generation 1, Generation 2, and Generation 3 modules have the following restrictions for
PortChannel configuration:
Generation 1 switching module interfaces do not support auto speed with a maximum of 2 Gbps.
Generation 1 and Generation 2 module interfaces do not support auto speed with a maximum of 4
Gbps.
Generation 2 and Generation 3 switching module interfaces cannot be forcefully added to a
PortChannel if sufficient resources are not available.
When configuring PortChannels on switches with Generation 1, Generation 2, and Generation 3
switching modules, follow one of these procedures:
Configure the PortChannel, and then configure the Generation 2 and Generation 3 interfaces to auto
with a maximum of 2 Gbps.
Configure the Generation 1 switching modules followed by the Generation 2 switching modules, and
then the Generation 3 switching modules, and then configure the PortChannel.
When configuring PortChannels on switches with only Generation 2 and Generation 3 switching
modules, follow one of these procedures:
Configure the PortChannel, and then configure the Generation 3 interfaces to auto with a maximum
of 4 Gbps.
Configure the Generation 2 switching modules, followed by the Generation 3 switching modules,
and then configure the PortChannel.
Table 22-20 describes the results of adding a member to a PortChannel for various configurations.


Table 22-20 PortChannel Configuration and Addition Results

| PortChannel Members | Configured Speed: PortChannel | Configured Speed: New Member | New Member Type | Addition Type | Result |
|---|---|---|---|---|---|
| No members | Any | Any | Generation 1 or Generation 2 or Generation 3 | Force | Pass |
| | Auto | Auto | Generation 1 or Generation 2 or Generation 3 | Normal or force | Pass |
| | Auto | Auto max 2000 | Generation 2 or Generation 3 | Normal | Fail |
| | | | | Force | Pass or fail (1) |
| | Auto | Auto max 4000 | Generation 3 | | |
| | Auto max 2000 | Auto | Generation 2 or Generation 3 | Normal | Fail |
| | | | | Force | Pass |
| | Auto max 2000 | Auto max 4000 | Generation 3 | | |
| | Auto max 4000 | Auto | Generation 2 or Generation 3 | | |
| | Auto max 4000 | Auto max 2000 | Generation 2 or Generation 3 | | |
| Generation 1 interfaces | Auto | Auto | Generation 2 or Generation 3 | Normal | Fail |
| | | | | Force | Pass |
| | Auto max 2000 | Auto | Generation 1 | Normal or force | Pass |
| | Auto max 2000 | Auto | Generation 2 or Generation 3 | Normal | Fail |
| | | | | Force | Pass or fail (1) |
| | Auto max 4000 | Auto | Generation 1 or Generation 2 | | |
| | Auto max 4000 | Auto | Generation 3 | | |
| Generation 2 interfaces | Auto | Auto | Generation 1 | Normal or force | Fail |
| | Auto max 2000 | Auto | Generation 1 | Normal or force | Pass |
| | Auto max 2000 | Auto | Generation 2 or Generation 3 | Normal | Fail |
| | | | | Force | Pass |
| | Auto | Auto max 2000 | Generation 2 or Generation 3 | Normal | Fail |
| | | | | Force | Pass |
| Generation 3 interfaces | Auto | Auto | Generation 1 | Normal or force | Fail |
| | Auto max 2000 | Auto | Generation 1 | Normal or force | Pass |
| | Auto max 2000 | Auto | Generation 2 | Normal | Fail |
| | | | | Force | Pass |
| | Auto | Auto max 2000 | Generation 2 | Normal | Fail |
| | | | | Force | Pass |
| | Auto max 2000 | Auto | Generation 3 | Normal | Fail |
| | | | | Force | Pass |
| | Auto | Auto max 2000 | Generation 3 | Normal | Fail |
| | | | | Force | Pass |

1. If resources are not available.

Configuring Module Interface Shared Resources


This section describes how to configure Generation 2 and Generation 3 module interface shared
resources and contains the following sections:
Configuration Guidelines for 48-Port, 24-Port, and 4/44-Port 8-Gbps Fibre Channel Switching Modules
Configuration Guidelines for 48-Port and 24-Port 4-Gbps Fibre Channel Switching Modules
Configuration Guidelines for 12-Port 4-Gbps Switching Module Interfaces
Configuration Guidelines for 4-Port 10-Gbps Switching Module Interfaces
Configuring Port Speed
Configuring Rate Mode
Configuring Oversubscription Ratio Restrictions
Configuring Bandwidth Fairness
Taking Interfaces Out of Service
Releasing Shared Resources in a Port Group

Configuration Guidelines for 48-Port, 24-Port, and 4/44-Port 8-Gbps Fibre Channel Switching Modules
The 48-Port, 24-Port, and 4/44-Port 8-Gbps Fibre Channel switching modules support the following
features:
1-Gbps, 2-Gbps, 4-Gbps, and 8-Gbps speed traffic

Shared and dedicated rate mode
ISL and Fx port modes
Extended BB_credits

Migrating from Shared Mode to Dedicated Mode


To configure 48-port, 24-port, 4/44-port 8-Gbps Fibre Channel switching modules when starting with
the default configuration or when migrating from shared rate mode to dedicated rate mode, follow these
guidelines:
1. Take unused interfaces out of service to release resources for other interfaces, if necessary.
See the Taking Interfaces Out of Service section on page 22-40.
2. Configure the traffic speed to use (1 Gbps, 2 Gbps, 4 Gbps, 8 Gbps, or autosensing with a maximum
of 2 Gbps or 4 Gbps).
See the Configuring Port Speed section on page 22-32.
3. Configure the rate mode (dedicated or shared).
See the Configuring Rate Mode section on page 22-33.
4. Configure the port mode.
See the About Interface Modes section on page 20-3.

Note ISL ports cannot operate in shared rate mode.

5. Configure the BB_credits and extended BB_credits, as necessary.


See the Extended BB_Credits section on page 22-23.

Migrating from Dedicated Mode to Shared Mode


To configure 48-port, 24-port, 4/44-port 8-Gbps Fibre Channel switching modules migrating from
dedicated rate mode to shared rate mode, follow these guidelines:
1. Take unused interfaces out of service to release resources for other interfaces, if necessary.
See the Taking Interfaces Out of Service section on page 22-40.
2. Configure the BB_credits and extended BB_credits, as necessary.
See the BB_Credit Buffers for Switching Modules section on page 22-13, BB_Credit Buffers for
Fabric Switches section on page 22-22, and the Extended BB_Credits section on page 22-23.
3. Configure the port mode.
See the About Interface Modes section on page 20-3.

Note ISL ports cannot operate in shared rate mode.

4. Configure the rate mode (dedicated or shared) to use.


See the Configuring Rate Mode section on page 22-33.
5. Configure the traffic speed (1 Gbps, 2 Gbps, 4 Gbps, 8 Gbps, or autosensing with a maximum of 2
Gbps or 4 Gbps) to use.


See the Configuring Port Speed section on page 22-32.

Configuration Guidelines for 48-Port and 24-Port 4-Gbps Fibre Channel Switching Modules
The 48-port and 24-port 4-Gbps Fibre Channel switching modules support the following features:
1-Gbps, 2-Gbps, and 4-Gbps speed traffic
Shared and dedicated rate mode
ISL (E or TE) and Fx (F or FL) port modes
Extended BB_credits

Migrating from Shared Mode to Dedicated Mode


To configure 48-port and 24-port 4-Gbps Fibre Channel switching modules when starting with the
default configuration or when migrating from shared rate mode to dedicated rate mode, follow these
guidelines:
1. Take unused interfaces out of service to release resources for other interfaces, if necessary.
See the Taking Interfaces Out of Service section on page 22-40.
2. Configure the traffic speed to use (1 Gbps, 2 Gbps, 4 Gbps, or autosensing with a maximum of
2 Gbps or 4 Gbps).
See the Configuring Port Speed section on page 22-32.
3. Configure the rate mode (dedicated or shared) to use.
See the Configuring Rate Mode section on page 22-33.
4. Configure the port mode.
See the About Interface Modes section on page 20-3.

Note ISL ports cannot operate in shared rate mode.

5. Configure the BB_credits and extended BB_credits, as necessary.


See the Extended BB_Credits section on page 22-23.

Migrating from Dedicated Mode to Shared Mode


To configure 48-port and 24-port 4-Gbps Fibre Channel switching modules migrating from dedicated
rate mode to shared rate mode, follow these guidelines:
1. Take unused interfaces out of service to release resources for other interfaces, if necessary.
See the Taking Interfaces Out of Service section on page 22-40.
2. Configure the BB_credits and extended BB_credits, as necessary.
See the BB_Credit Buffers for Switching Modules section on page 22-13, BB_Credit Buffers for
Fabric Switches section on page 22-22, and the Extended BB_Credits section on page 22-23.
3. Configure the port mode.


See the About Interface Modes section on page 20-3.

Note ISL ports cannot operate in shared rate mode.

4. Configure the rate mode (dedicated or shared) to use.


See the Configuring Rate Mode section on page 22-33.
5. Configure the traffic speed (1 Gbps, 2 Gbps, 4 Gbps, or autosensing with a maximum of 2 Gbps or
4 Gbps) to use.
See the Configuring Port Speed section on page 22-32.

Configuration Guidelines for 12-Port 4-Gbps Switching Module Interfaces


The 12-port 4-Gbps switching modules support the following features:
1-Gbps, 2-Gbps, and 4-Gbps speed traffic
Only dedicated rate mode
ISL (E or TE) and Fx (F or FL) port modes
Extended BB_credits
Performance buffers
To configure 4-port 10-Gbps switching modules when starting with the default configuration, follow
these guidelines:
1. Configure the traffic speed (1 Gbps, 2 Gbps, 4 Gbps, or autosensing with a maximum of 2 Gbps or
4 Gbps) to use.
See the Configuring Port Speed section on page 22-32.
2. Configure the port mode.
See the About Interface Modes section on page 20-3.
3. Configure the BB_credits, performance buffers, and extended BB_credits, as necessary.
See the BB_Credit Buffers for Switching Modules section on page 22-13, BB_Credit Buffers for
Fabric Switches section on page 22-22, and the Extended BB_Credits section on page 22-23.

Note If you change the port bandwidth reservation parameters on a 48-port or 24-port module, the change
affects only the changed port. No other ports in the port group are affected.

Configuration Guidelines for 4-Port 10-Gbps Switching Module Interfaces


The 4-port 10-Gbps switching modules support the following features:
Only 10-Gbps speed traffic
Only dedicated rate mode
ISL (E or TE) and F port modes
Extended BB_credits
Performance buffers


Use the following guidelines to configure 4-port 10-Gbps switching modules when starting with the
default configuration:
1. Configure the port mode.
See the About Interface Modes section on page 20-3.
2. Configure the BB_credits, performance buffers, and extended BB_credits, as necessary.
See the BB_Credit Buffers for Switching Modules section on page 22-13, BB_Credit Buffers for
Fabric Switches section on page 22-22, and the Extended BB_Credits section on page 22-23.

Configuring Port Speed


The port speed on an interface, combined with the rate mode, determines the amount of shared resources
available to the ports in the port group on a 48-port, 24-port 4-Gbps, or any 8-Gbps Fibre Channel
switching module. Especially in the case of dedicated rate mode, the port group resources are reserved
even though the bandwidth is not used. For example, on Generation 2 modules, if an interface is
configured for autosensing (auto) and dedicated rate mode, then 4 Gbps of bandwidth is reserved even
though the maximum operating speed is 2 Gbps. For the same interface, if autosensing with a maximum
speed of 2 Gbps (auto max 2000) is configured, then only 2 Gbps of bandwidth is reserved and the
unused 2 Gbps is shared with the other interface in the port group.

Note The Generation 2, 4-port 10-Gbps switching module supports 10-Gbps traffic only.
On Generation 3, 8-Gbps modules, setting the port speed to auto enables autosensing, which
negotiates to a maximum speed of 8 Gbps.
On Generation 2, 4-Gbps modules, setting the port speed to auto enables autosensing, which
negotiates to a maximum speed of 4 Gbps.

Caution Changing port speed and rate mode disrupts traffic on the port. Traffic on other ports in the port group
is not affected.

To configure dedicated bandwidth on an interface using Fabric Manager, follow these steps:

Step 1 Select a switch from the Fabric pane, or select a group of switches (SAN, fabric, VSAN) from the
Logical Domains pane.
Step 2 Expand Switches, expand Interfaces and select FC Physical from the Physical Attributes pane.
You see the FC Physical > General tab in the Interfaces pane.
Step 3 Scroll until you see the row containing the switch and port you want to configure.
Step 4 Select auto, 1Gb, 4Gb, or autoMax2G from the Speed Admin column (see Figure 22-11).

Note The Generation 3, 8-Gbps Fibre Channel switching modules support the following speed
configurations: 1G, 2G, 4G, 8G, autoMax2G, and autoMax4G. The auto speed configuration
configures autosensing for the interface with 8 Gbps of bandwidth reserved.


Figure 22-11 Speed Admin Column in Port Configuration

The auto parameter enables autosensing on the interface. The autoMax2G parameter enables autosensing
on the interface with a maximum speed of 2 Gbps.

Note If you change the port bandwidth reservation parameters on a 48-port or 24-port 4-Gbps, or any
8-Gbps Fibre Channel switching module, the change affects only the changed port. No other
ports in the port group are affected.

Step 5 Click the Apply Changes icon.

Configuring Rate Mode


To configure the rate mode (dedicated or shared) on an interface on a 4-Gbps or 8-Gbps Fibre Channel
switching module using Fabric Manager, follow these steps:

Step 1 Select a switch from the Fabric pane, or select a group of switches (SAN, fabric, VSAN) from the
Logical Domains pane.
Step 2 Expand Switches > Interfaces and then select FC Physical from the Physical Attributes pane.
You see the FC Physical > General tab in the Interfaces pane.
Step 3 Scroll until you see the row containing the switch and port you want to configure.
Step 4 Select dedicated or shared from the Rate Mode column (see Figure 22-12).

Figure 22-12 Rate Mode Port Configuration


Step 5 Click the Apply Changes icon.

Caution Changing port speed and rate mode disrupts traffic on the port.

Configuring Oversubscription Ratio Restrictions


The 48-port and 24-port 4-Gbps, and all 8-Gbps Fibre Channel switching modules support
oversubscription on switches with shared rate mode configurations. By default, all 48-port and 24-port
4-Gbps, and 8-Gbps Fibre Channel switching modules have restrictions on oversubscription ratios
enabled. As of Cisco SAN-OS Release 3.1(1) and NX-OS Release 4.1(1), you can disable restrictions
on oversubscription ratios.
Table 22-21 describes the bandwidth allocation for oversubscribed interfaces configured in shared mode
on the 4-Gbps modules.

Table 22-21 Bandwidth Allocation for Oversubscribed Interfaces

| Switching Module | Configured Speed | Reserved Bandwidth (Gbps): Ratios enabled | Reserved Bandwidth (Gbps): Ratios disabled | Maximum Bandwidth (Gbps) |
|---|---|---|---|---|
| 48-Port 8-Gbps Fibre Channel Module | Auto 8 Gbps | 0.36 | 0.2 | 8 |
| | Auto Max 4 Gbps | 0.24 | 0.1 | 4 |
| | Auto Max 2 Gbps | 0.12 | 0.05 | 2 |
| 24-Port 8-Gbps Fibre Channel Module | Auto 8 Gbps | 0.8 | 0.8 | 8 |
| | Auto Max 4 Gbps | 0.4 | 0.4 | 4 |
| | Auto Max 2 Gbps | 0.2 | 0.2 | 2 |
| 4/44-Port 8-Gbps Host-Optimized Fibre Channel Module | 8 Gbps | 0.87 | 0.16 | 8 |
| | Auto Max 4 Gbps | 0.436 | 0.08 | 4 |
| | Auto Max 2 Gbps | 0.218 | 0.04 | 2 |
| | 1 Gbps | 0.109 | 0.02 | 1 |
| 48-port 4-Gbps Fibre Channel switching module | Auto 4 Gbps | 0.8 | 0.09 | 4 |
| | Auto Max 2 Gbps | 0.4 | 0.045 | 2 |
| | 1 Gbps | 0.2 | 0.0225 | 1 |
| 24-port 4-Gbps Fibre Channel switching module | Auto 4 Gbps | 1 | 0.27 | 4 |
| | Auto Max 2 Gbps | 0.5 | 0.135 | 2 |
| | 1 Gbps | 0.25 | 0.067 | 1 |

All ports in the 48-port and 24-port 4-Gbps modules can be configured to operate at 4 Gbps in shared
mode even if other ports in the port group are configured in dedicated mode, regardless of available
bandwidth. However, when oversubscription ratio restrictions are enabled, you may not have all shared
4-Gbps module ports operating at 4 Gbps.

All ports in the 48-port and 24-port 8-Gbps modules can be configured to operate at 8 Gbps in shared
mode even if other ports in the port group are configured in dedicated mode, regardless of available
bandwidth. However, when oversubscription ratio restrictions are enabled you may not have all shared
8-Gbps module ports operating at 8 Gbps.
On the 48-port and 24-port 8-Gbps modules, if you have configured one 8-Gbps dedicated port in one
port group, no other ports in the same port group can be configured to operate at 8-Gbps dedicated mode.
You can have any number of 8-Gbps shared and 4-Gbps dedicated or shared ports. On the 4/44-port
8-Gbps module, only one port per port group can be configured in 8-Gbps dedicated or shared mode.
In the following example, a 24-port 4-Gbps module has oversubscription ratios enabled and three
dedicated ports in one port group operating at 4-Gbps. No other ports in the same port group can be
configured to operate at 4 Gbps.
For dedicated ports, oversubscription ratio restrictions do not apply to the shared pool in port groups. So
if oversubscription ratio restrictions are disabled, and you have configured three 4-Gbps dedicated ports
in one port group, then you can configure all other ports in the same port group to operate at a shared
rate of 4 Gbps.
When disabling restrictions on oversubscription ratios, all ports in shared mode on 48-port and 24-port
4-Gbps or any 8-Gbps Fibre Channel switching modules must be shut down. When applying restrictions
on oversubscription ratios, you must take shared ports out of service.

Note When restrictions on oversubscription ratios are disabled, the bandwidth allocation among the shared
ports is proportionate to the configured speed. If the configured speed is auto on Generation 2 modules,
then bandwidth is allocated assuming a speed of 4 Gbps. For example, if you have three shared ports
configured at 1, 2, and 4 Gbps, then the allocated bandwidth ratio is 1:2:4.
As of Cisco SAN-OS Release 3.0 and NX-OS Release 4.1(1), or when restrictions on oversubscription
ratios are enabled, the port bandwidths are allocated in equal proportions regardless of port speed, so
the bandwidth allocation for the same three ports mentioned in the example would be 1:1:1.

Disabling Restrictions on Oversubscription Ratios


Before disabling restrictions on oversubscription ratios, ensure that you have explicitly shut down shared
ports. To disable restrictions on oversubscription ratios on multiple 48-port or 24-port 4-Gbps, or any
8-Gbps Fibre Channel switching modules using Device Manager, follow these steps:

Step 1 Choose Physical > Modules.


You see the Module dialog box as shown in Figure 22-13.

Figure 22-13 Module Dialog Box


Caution This feature is only supported on 48-port and 24-port 4-Gbps, and 8-Gbps Fibre Channel
switching modules.

Step 2 Select disabled from the RateModeOversubscriptionLimit drop-down list for each module for which
you want to disable restrictions on oversubscription ratios.
Step 3 Click Apply to save the changes.

To disable restrictions on oversubscription ratios on a single 48-port or 24-port 4-Gbps, or any 8-Gbps
Fibre Channel switching module using Device Manager, follow these steps:

Step 1 Right-click a module and select Configure.


You see the Module dialog box as shown in Figure 22-14.

Figure 22-14 Module Dialog Box

Step 2 Click the disabled radio button to disable restrictions on oversubscription ratios.
Step 3 Click Apply to save the changes.


Enabling Restrictions on Oversubscription Ratios

Caution You must enable restrictions on oversubscription ratios before you can downgrade modules to a previous
release.

Before enabling restrictions on oversubscription ratios, ensure that you have explicitly configured shared
ports to out-of-service mode. To enable restrictions on oversubscription ratios on multiple 48-port or
24-port 4-Gbps, or any 8-Gbps Fibre Channel switching modules using Device Manager, follow these
steps:

Step 1 Choose Physical > Modules.


You see the Module dialog box as shown in Figure 22-13.
Step 2 Select enabled from the RateModeOversubscriptionLimit drop-down list for each module for which you
want to enable restrictions on oversubscription ratios.
Step 3 Click Apply to save the changes.

To enable restrictions on oversubscription ratios on a single 48-port or 24-port 4-Gbps, or any 8-Gbps
Fibre Channel switching module using Device Manager, follow these steps:

Step 1 Right-click a module and select Configure.


You see the Module dialog box as shown in Figure 22-14.
Step 2 Click the enabled radio button to enable restrictions on oversubscription ratios.
Step 3 Click Apply to save the changes.

Configuring Bandwidth Fairness


This feature improves fairness of bandwidth allocation among all ports and provides better throughput
average to individual data streams. Bandwidth fairness can be configured per module.
As of Cisco SAN-OS Release 3.1(2), all 48-port and 24-port 4-Gbps Fibre Channel switching modules,
as well as 18-port Fibre Channel/4-port Gigabit Ethernet Multiservice modules, have bandwidth fairness
enabled by default. As of Cisco NX-OS Release 4.1(1), all the 8-Gbps Fibre Channel switching modules
have bandwidth fairness enabled by default.

Caution When you disable or enable bandwidth fairness, the change does not take effect until you reload the
module.

Note This feature is supported only on the 48-port and 24-port 4-Gbps modules, the 8-Gbps modules, and the
18/4-port Multiservice Module (MSM).


Enabling Bandwidth Fairness


To enable bandwidth fairness on multiple 48-port or 24-port 4-Gbps, or any 8-Gbps Fibre Channel
switching modules using Device Manager, follow these steps:

Step 1 Choose Physical > Modules.


You see the Module dialog box as shown in Figure 22-15.

Figure 22-15 Module Dialog Box

Step 2 Select enable from the BandwidthFairnessConfig drop-down list for each module for which you want to
enable bandwidth fairness.
Step 3 Click Apply to save the changes.

To enable bandwidth fairness on a single 48-port or 24-port 4-Gbps Fibre Channel switching module
using Device Manager, follow these steps:

Step 1 Right-click a module and select Configure.


You see the Module dialog box as shown in Figure 22-16.


Figure 22-16 Module Dialog Box

Step 2 Click the enable radio button to enable bandwidth fairness.


Step 3 Click Apply to save the changes.

Disabling Bandwidth Fairness

Note If you disable bandwidth fairness, up to a 20 percent increase in internal bandwidth allocation is possible
for each port group; however, bandwidth fairness is not guaranteed when there is a mix of shared and
full-rate ports in the same port group.

To disable bandwidth fairness on multiple 48-port or 24-port 4-Gbps, or 8-Gbps Fibre Channel
switching modules using Device Manager, follow these steps:

Step 1 Choose Physical > Modules.


You see the Module dialog box as shown in Figure 22-15.
Step 2 Select disable from the BandwidthFairnessConfig drop-down list for each module for which you want
to disable bandwidth fairness.
Step 3 Click Apply to save the changes.

To disable bandwidth fairness on a single 48-port or 24-port 4-Gbps, or 8-Gbps Fibre Channel switching
module using Device Manager, follow these steps:

Step 1 Right-click a module and select Configure.


You see the Module dialog box as shown in Figure 22-16.
Step 2 Click the disable radio button to disable bandwidth fairness.


Step 3 Click Apply to save the changes.

Upgrade or Downgrade Scenario


When you are upgrading from a release earlier than Cisco SAN-OS Release 3.1(2), all modules operate
with bandwidth fairness disabled until the next module reload. After the upgrade, any new module that
is inserted has bandwidth fairness enabled.
When you are downgrading to a release earlier than Cisco SAN-OS Release 3.1(2), all modules keep
operating in the same bandwidth fairness configuration that they had before the downgrade. After the
downgrade, any new module that is inserted has bandwidth fairness disabled.

Taking Interfaces Out of Service


You can take interfaces out of service on Generation 2 and Generation 3 switching modules. When an
interface is out of service, all the shared resources for the interface are released as well as the
configuration associated with those resources.

Note The interface must be disabled before it can be taken out of service.

Caution Taking interfaces out of service releases all the shared resources to ensure that they are available to other
interfaces. This causes the configuration in the shared resources to revert to default when the interface
is brought back into service. Also, an interface cannot come back into service unless the default shared
resources for the port are available. The operation to free up shared resources from another port is
disruptive.

Note The interface cannot be a member of a PortChannel.

To take an interface out of service using Fabric Manager, follow these steps:

Step 1 Select a switch from the Fabric pane, or select a group of switches (SAN, fabric, VSAN) from the
Logical Domains pane.
Step 2 Expand Switches, expand Interfaces and select FC Physical in the Physical Attributes pane.
You see the FC Physical > General tab in the Information pane.
Step 3 Scroll down until you see the row containing the switch and port you want to configure.
Step 4 Scroll right (if necessary) until you see the Status Service column.
Step 5 Select in or out from the Status Service column.
Step 6 Click the Apply Changes icon.


Releasing Shared Resources in a Port Group


When you want to reconfigure the interfaces in a port group on a Generation 2 or Generation 3 module,
you can return the port group to the default configuration to avoid problems with allocating shared
resources.

Note The interface cannot be a member of a PortChannel.

Caution Releasing shared resources disrupts traffic on the port. Traffic on other ports in the port group is not
affected.

To release the shared resources for a port group using Fabric Manager, follow these steps:

Step 1 Select a switch from the Fabric pane, or select a group of switches (SAN, fabric, VSAN) from the
Logical Domains pane.
Step 2 Expand Switches > Interfaces and then select FC Physical from the Physical Attributes pane.
You see the FC Physical > General tab in the Information pane.
Step 3 Scroll down until you see the row containing the switch and port you want to configure.
Step 4 Scroll right (if necessary) until you see the Status Service column (see Figure 22-17).

Figure 22-17 Status Service Column for FC Physical

Step 5 Select the out status from the Status Service column.
Step 6 Click the Apply Changes icon.
Step 7 Select the in status from the Status Service column.
Step 8 Click the Apply Changes icon.

Displaying SFP Diagnostic Information


To view diagnostic information for multiple ports using Device Manager, follow these steps:

Step 1 Choose Interface > FC All and click the Diagnostics tab or hold down the Control key, and then click
each port for which you want to view diagnostic information.


Step 2 Right-click the selected ports, select Configure, and click the Diagnostics tab.
You see the FC Interfaces dialog box shown in Figure 22-18.

Figure 22-18 FC Interfaces Dialog Box

Step 3 Click Refresh to view the latest diagnostic information.

To view diagnostic information for a single port using Device Manager, follow these steps:

Step 1 Right-click a port, select Configure, and click the Diagnostics tab.
You see the port licensing options for the selected port shown in Figure 22-19.

Figure 22-19 Diagnostics Tab for Selected Port

Step 2 Click Refresh to view the latest diagnostic information.


Default Settings
Table 22-22 lists the default settings for Generation 2 interface parameters.

Table 22-22 Default Generation 2 Interface Parameters

| Parameter | Default: 48-Port 4-Gbps Switching Module | Default: 24-Port 4-Gbps Switching Module | Default: 12-Port 4-Gbps Switching Module | Default: 4-Port 10-Gbps Switching Module |
|---|---|---|---|---|
| Speed mode | auto [1] | auto [1] | auto [1] | auto [2] |
| Rate mode | shared | shared | dedicated | dedicated |
| Port mode | Fx | Fx | auto [3] | auto [4] |
| BB_credit buffers | 16 | 16 | 250 | 250 |
| Performance buffers | - | - | 145 [5] | 145 [5] |

1. Auto speed mode on the 4-Gbps switching modules enables autosensing and negotiates to a maximum speed of 4 Gbps.
2. The 4-port 10-Gbps switching module only supports 10-Gbps traffic.
3. Auto port mode on the 12-port 4-Gbps switching module interfaces can operate in E port mode, TE port mode, and Fx port mode.
4. Auto port mode on the 4-port 10-Gbps switching module interfaces can operate in E port mode, TE port mode, and F port mode.
5. Performance buffers are shared among all ports on the module.

Table 22-23 lists the default settings for Generation 3 interface parameters.

Table 22-23 Default Generation 3 Interface Parameters

| Parameter | Default: 48-Port 8-Gbps Switching Module | Default: 24-Port 8-Gbps Switching Module | Default: 4/44-Port 8-Gbps Host-Optimized Switching Module |
|---|---|---|---|
| Speed mode | auto [1] | auto [1] | auto_max_4G [2] |
| Rate mode | shared | shared | shared |
| Port mode | Fx | Fx | Fx |
| BB_credit buffers | 32 | 32 | 32 |

1. Auto speed mode on the 8-Gbps switching modules enables autosensing and negotiates to a maximum speed of 8 Gbps.
2. Auto_max_4G speed mode on the 4/44-port 8-Gbps switching module negotiates to a maximum speed of 4 Gbps.


CHAPTER 23
Configuring PortChannels

This chapter discusses the PortChannel feature provided in the switch and includes the following
sections:
• About PortChannels
• PortChannel Configuration
• Interfaces in a PortChannel
• PortChannel Protocols
• Verifying the PortChannel Configuration
• Default Settings

About PortChannels
PortChannels refer to the aggregation of multiple physical interfaces into one logical interface to provide
higher aggregated bandwidth, load balancing, and link redundancy (see Figure 23-1). PortChannels can
connect to interfaces across switching modules, so a failure of a switching module cannot bring down
the PortChannel link.

Figure 23-1 PortChannel Flexibility (diagram: Switch 1 and Switch 2 connected by PortChannel A, PortChannel B, and PortChannel C)


PortChannels on Cisco MDS 9000 Family switches allow flexibility in configuration. Figure 23-1
illustrates three possible PortChannel configurations:
• PortChannel A aggregates two links on two interfaces on the same switching module at each end of
  a connection.
• PortChannel B also aggregates two links, but each link is connected to a different switching module.
  If the switching module goes down, traffic is not affected.
• PortChannel C aggregates three links. Two links are on the same switching module at each end,
  while one is connected to a different switching module on switch 2.
This section contains the following topics:
• About E PortChannels
• About F and TF PortChannels
• About PortChanneling and Trunking
• About Load Balancing
• About PortChannel Modes
• Configuration Guidelines and Restrictions

About E PortChannels
An E PortChannel refers to the aggregation of multiple physical Ethernet interfaces into one logical interface
to provide higher aggregated bandwidth, load balancing, and link redundancy. PortChannels can connect to
interfaces across switching modules, so a failure of a switching module cannot bring down the
PortChannel link.
A PortChannel has the following features and restrictions:
• Provides a point-to-point connection over ISL (E ports) or EISL (TE ports). Multiple links can be
  combined into a PortChannel.
• Increases the aggregate bandwidth on an ISL by distributing traffic among all functional links in the
  channel.
• Load balances across multiple links and maintains optimum bandwidth utilization. Load balancing
  is based on the source ID, destination ID, and exchange ID (OX ID).
• Provides high availability on an ISL. If one link fails, traffic previously carried on this link is switched
  to the remaining links. If a link goes down in a PortChannel, the upper protocol is not aware of it. To
  the upper protocol, the link is still there, although the bandwidth is diminished. The routing tables
  are not affected by link failure. PortChannels may contain up to 16 physical links and may span
  multiple modules for added high availability.

Note See the Fail-Over Scenarios for PortChannels and FSPF Links section on page 32-3 for failover
scenarios.


About F and TF PortChannels


An F PortChannel is also a logical interface that combines a set of F ports connected to the same Fibre
Channel node and operates as one link between the F ports and the NP ports. The F port channels support
bandwidth utilization and availability like the E port channels. F PortChannels are mainly used to
connect MDS core and NPV switches to provide optimal bandwidth utilization and transparent failover
between the uplinks of a VSAN.
An F PortChannel trunk combines the functionality and advantages of a TF port and an F PortChannel.
This logical link uses the Cisco PTP and PCP protocols over Cisco EPP (ELS).

Note If a Cisco MDS 9124 or 9134 switch is used as a core switch, only a nontrunking F PortChannel is
supported. Trunking is not supported on this platform when NPIV is enabled.

About PortChanneling and Trunking


Trunking is a commonly used storage industry term. However, the Cisco NX-OS software and switches
in the Cisco MDS 9000 Family implement trunking and PortChanneling as follows:
• PortChanneling enables several physical links to be combined into one aggregated logical link.
• Trunking enables a link transmitting frames in the EISL format to carry (trunk) multiple VSAN
  traffic. For example, when trunking is operational on an E port, that E port becomes a TE port. A
  TE port is specific to switches in the Cisco MDS 9000 Family. An industry standard E port can link
  to other vendor switches and is referred to as a nontrunking interface (see Figure 23-2 and
  Figure 23-3).
See Chapter 24, Configuring Trunking, for information on trunked interfaces.

Figure 23-2 Trunking Only (diagram: Switch 1 connected to any other switch by an ISL between E ports; Switch 1 connected to Switch 2 by an EISL between TE ports, labeled Trunking)

PortChanneling and trunking are used separately across an ISL:

Figure 23-3 PortChanneling and Trunking (diagram: Switch 1 and Switch 2 connected by ISL 1, ISL 2, and ISL 3, labeled Port channel; Switch 1 and Switch 2 connected by EISL 1, EISL 2, and EISL 3, labeled Port channel and trunking)

• PortChanneling: Interfaces can be channeled between the following sets of ports:
  - E ports and TE ports
  - F ports and NP ports
  - TF ports and TNP ports
• Trunking: Trunking permits carrying traffic on multiple VSANs between switches.
  See Chapter 26, Configuring and Managing VSANs.
Both PortChanneling and trunking can be used between TE ports over EISLs.

About Load Balancing


Two mechanisms support the load balancing functionality:
• Flow based: All frames between source and destination follow the same links for a given flow. That
  is, whichever link is selected for the first exchange of the flow is used for all subsequent exchanges.
• Exchange based: The first frame in an exchange picks a link and subsequent frames in the exchange
  follow the same link. However, subsequent exchanges can use a different link. This provides more
  granular load balancing while preserving the order of frames for each exchange.
Figure 23-4 illustrates how source ID 1 (SID1) and destination ID 1 (DID1) based load balancing works.
When the first frame in a flow is received on an interface for forwarding, link 1 is selected. Each
subsequent frame in that flow is sent over the same link. No frame in SID1 and DID1 utilizes link 2.


Figure 23-4 SID1 and DID1 Based Load Balancing (diagram: frames 1 through n of SID1, DID1 Exchange 1, of SID1, DID1 Exchange 2, and of SID2, DID2 Exchange 1, shown against Link 1 and Link 2)

Figure 23-5 illustrates how exchange-based load balancing works. When the first frame in an exchange
is received for forwarding on an interface, link 1 is chosen by a hash algorithm. All remaining frames in
that particular exchange are sent on the same link. For exchange 1, no frame uses link 2. For the next
exchange, link 2 is chosen by the hash algorithm. Now all frames in exchange 2 use link 2.


Figure 23-5 SID1, DID1, and Exchange Based Load Balancing (diagram: frames 1 through n of SID1, DID1 Exchange 1 and of SID1, DID1 Exchange 2, shown against Link 1 and Link 2)

For more information on configuring load balancing and in-order delivery features, see the About
VSANs section on page 26-1.
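
The two link-selection policies described above, modeled as an added example (not code from the guide or from Cisco). The guide does not describe the switch's hash algorithm, so SHA-256 is used here as a stand-in; the FC IDs, link names, and function names are constructed for illustration. The model also covers the member-link failure case from the E PortChannel feature list.

```python
import hashlib
from collections import defaultdict


def _hash_fields(*fields):
    # Assumption: SHA-256 stands in for the switch's hash, which the
    # guide does not specify. Each field is packed as a 24-bit value.
    data = b"".join(f.to_bytes(3, "big") for f in fields)
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def select_link(sid, did, ox_id, up_links, mode):
    """Pick the member link that carries one frame.

    mode "flow"     hashes SID + DID, so a flow is pinned to one link.
    mode "exchange" hashes SID + DID + OX_ID, so each exchange is pinned
                    to one link but different exchanges may differ.
    up_links holds only the operational member links.
    """
    if not up_links:
        raise RuntimeError("no operational member links in the PortChannel")
    if mode == "flow":
        key = _hash_fields(sid, did)
    elif mode == "exchange":
        key = _hash_fields(sid, did, ox_id)
    else:
        raise ValueError(f"unknown load-balancing mode: {mode}")
    return up_links[key % len(up_links)]


def make_frames(flows, exchanges_per_flow, frames_per_exchange):
    """Build constructed sample traffic as (sid, did, ox_id, seq) tuples."""
    return [
        (sid, did, ox_id, seq)
        for sid, did in flows
        for ox_id in range(exchanges_per_flow)
        for seq in range(frames_per_exchange)
    ]


def links_used(frames, up_links, mode, group_by):
    """Map each flow (or exchange) to the set of links its frames used."""
    used = defaultdict(set)
    for sid, did, ox_id, _seq in frames:
        key = (sid, did) if group_by == "flow" else (sid, did, ox_id)
        used[key].add(select_link(sid, did, ox_id, up_links, mode))
    return dict(used)


# Constructed sample data: two flows, 256 exchanges each, 4 frames each.
FLOWS = [(0x010203, 0x0A0B0C), (0x010204, 0x0A0B0D)]
FRAMES = make_frames(FLOWS, exchanges_per_flow=256, frames_per_exchange=4)
LINKS = ["link1", "link2"]

if __name__ == "__main__":
    for mode in ("flow", "exchange"):
        per_flow = links_used(FRAMES, LINKS, mode, "flow")
        per_exchange = links_used(FRAMES, LINKS, mode, "exchange")
        split = sum(1 for links in per_exchange.values() if len(links) > 1)
        print(f"mode={mode}")
        for (sid, did), links in per_flow.items():
            print(f"  flow {sid:06x}->{did:06x} uses {sorted(links)}")
        print(f"  exchanges split across links: {split}")

    # One member link fails: traffic moves to the remaining link and the
    # caller (the "upper protocol") still sees a single logical interface.
    survivors = [link for link in LINKS if link != "link1"]
    after = links_used(FRAMES, survivors, "exchange", "flow")
    print("after link1 failure:", {k: sorted(v) for k, v in after.items()})
```

In both modes no exchange is ever split across links, which is what preserves frame order within an exchange; only exchange mode lets a single SID/DID pair use more than one link.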

About PortChannel Modes


You can configure each PortChannel with a channel group mode parameter to determine the PortChannel
protocol behavior for all member ports in this channel group. The possible values for a channel group
mode are as follows.
• ON (default): The member ports only operate as part of a PortChannel or remain inactive. In this
  mode, the PortChannel protocol is not initiated. However, if a PortChannel protocol frame is
  received from a peer port, the software indicates its nonnegotiable status. This mode is backward
  compatible with the existing implementation of PortChannels in releases prior to Release 2.0(1b),
  where the channel group mode is implicitly assumed to be ON. In Cisco MDS SAN-OS Releases
  1.3 and earlier, the only available PortChannel mode was the ON mode. PortChannels configured in
  the ON mode require you to explicitly enable and disable the PortChannel member ports at either
  end if you add or remove ports from the PortChannel configuration. You must physically verify that
  the local and remote ports are connected to each other.
• ACTIVE: The member ports initiate PortChannel protocol negotiation with the peer port(s)
  regardless of the channel group mode of the peer port. If the peer port, while configured in a channel
  group, does not support the PortChannel protocol, or responds with a nonnegotiable status, it will
  default to the ON mode behavior. The ACTIVE PortChannel mode allows automatic recovery
  without explicitly enabling and disabling the PortChannel member ports at either end.


Table 23-1 compares ON and ACTIVE modes.

Table 23-1 Channel Group Configuration Differences

| ON Mode | ACTIVE Mode |
|---|---|
| No protocol is exchanged. | A PortChannel protocol negotiation is performed with the peer ports. |
| Moves interfaces to the suspended state if its operational values are incompatible with the PortChannel. | Moves interfaces to the isolated state if its operational values are incompatible with the PortChannel. |
| When you add or modify a PortChannel member port configuration, you must explicitly disable (shut) and enable (no shut) the PortChannel member ports at either end. | When you add or modify a PortChannel interface, the PortChannel automatically recovers. |
| Port initialization is not synchronized. | There is synchronized startup of all ports in a channel across peer switches. |
| All misconfigurations are not detected as no protocol is exchanged. | Consistently detect misconfigurations using a PortChannel protocol. |
| Transitions misconfigured ports to the suspended state. You must explicitly disable (shut) and enable (no shut) the member ports at either end. | Transitions misconfigured ports to the isolated state to correct the misconfiguration. Once you correct the misconfiguration, the protocol ensures automatic recovery. |
| This is the default mode. | You must explicitly configure this mode. |

Configuration Guidelines and Restrictions


Cisco MDS 9000 Family switches support the following number of PortChannels per switch:
• Switches with only Generation 1 switching modules do not support F and TF PortChannels.
• Switches with Generation 1 switching modules, or a combination of Generation 1 and Generation 2
  switching modules, support a maximum of 128 PortChannels. Only Generation 2 ports can be
  included in the PortChannels.
• Switches with only Generation 2 switching modules or Generation 2 and Generation 3 modules
  support a maximum of 256 PortChannels with 16 interfaces per PortChannel.
• A PortChannel number refers to the unique identifier for each channel group. This number ranges
  from 1 to 256.

Generation 1 PortChannel Restrictions


This section includes the restrictions on creation and addition of PortChannel members to a PortChannel
on Generation 1 hardware:
• 32-port 2-Gbps or 1-Gbps switching module
• MDS 9124 and 9134 switches
When configuring the host-optimized ports on Generation 1 hardware, the following PortChannel
guidelines apply:
• If you execute the write erase command on a 32-port switching module, and then copy a saved
  configuration to the switch from a text file that contains the no system default switchport
  shutdown command, you need to copy the text file to the switch again for the E ports to come up
  without manual configuration.
• Any (or all) full line rate port(s) in the Cisco MDS 9100 Series can be included in a PortChannel.
• The host-optimized ports in the Cisco MDS 9100 Series are subject to the same PortChannel rules
  as 32-port switching modules; only the first port of each group of 4 ports is included in a
  PortChannel.
  - You can configure only the first port in each 4-port group as an E port (for example, the first
    port in ports 1-4, the fifth port in ports 5-8, and so on). If the first port in the group is configured
    as a PortChannel, the other three ports in each group (ports 2-4, 6-8, and so on) are not usable
    and remain in the shutdown state.
  - If any of the other three ports are configured in a no shutdown state, you cannot configure the
    first port to be a PortChannel. The other three ports continue to remain in a no shutdown state.
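
A pre-change check for the host-optimized port rules above, as an added example (not part of the guide and not a Cisco tool). It assumes 1-based port numbering on a 32-port module; the function names and the sample port sets are hypothetical.

```python
GROUP_SIZE = 4  # host-optimized ports are handled in groups of four


def group_of(port):
    """Return (first_port, other_three_ports) for the port's 4-port group."""
    first = (port - 1) // GROUP_SIZE * GROUP_SIZE + 1
    return first, list(range(first + 1, first + GROUP_SIZE))


def check_members(candidates, no_shutdown, module_ports=32):
    """Validate ports proposed as PortChannel members.

    candidates  -- ports you intend to add to a PortChannel
    no_shutdown -- ports currently configured in the no shutdown state
    Returns a list of (port, reason) tuples; an empty list means the
    proposal is consistent with the guidelines.
    """
    violations = []
    for port in sorted(set(candidates)):
        if not 1 <= port <= module_ports:
            violations.append((port, "port number is outside the module"))
            continue
        first, others = group_of(port)
        if port != first:
            last = first + GROUP_SIZE - 1
            violations.append(
                (port, f"only port {first} of group {first}-{last} "
                       "can be included in a PortChannel"))
            continue
        blocking = [p for p in others if p in no_shutdown]
        if blocking:
            listed = ", ".join(str(p) for p in blocking)
            violations.append(
                (port, f"port(s) {listed} in the same group are in the "
                       "no shutdown state"))
    return violations


def unusable_after(candidates):
    """Ports that stay shut down once valid candidates join a PortChannel."""
    lost = []
    for port in sorted(set(candidates)):
        first, others = group_of(port)
        if port == first:
            lost.extend(others)
    return lost


if __name__ == "__main__":
    # Constructed sample state: ports 1, 5, 9 and 11 are in no shutdown.
    admin_up = {1, 5, 9, 11}
    for proposal in ([1, 5], [1, 6], [9]):
        problems = check_members(proposal, admin_up)
        print(proposal, "->", problems or "ok",
              "| ports left unusable:", unusable_after(proposal))
```

Running the check before the change also shows the capacity cost: every accepted member port leaves the other three ports of its group unusable.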

F and TF PortChannel Restrictions


The following guidelines and restrictions are applicable for F and TF PortChannels:
• The ports must be in F mode.
• Automatic creation is not supported.
• The PortChannel interface must be in ACTIVE mode when multiple FCIP interfaces are grouped
  with WA.
• ON mode is not supported. Only ACTIVE-ACTIVE mode is supported. By default, the mode is
  ACTIVE on the NPV switches.
• Devices logged in through F PortChannel on an MDS switch are not supported in IVR non-NAT
  configuration. The devices are supported only in IVR NAT configuration.
• Port security rules are enforced only on physical PWWNs at the single link level.
• FC-SP authenticates only the first physical FLOGI of every PortChannel member.
• Since the FLOGI payload carries only the VF bits to trigger the use of a protocol after the FLOGI
  exchange, those bits will be overridden. In the case of the NPV switches, the core has a Cisco WWN
  and will try to initiate the PCP protocol.
• The name server registration of the N ports logging in through an F PortChannel will use the FWWN
  of the PortChannel interface.
• DPVM configuration is not supported.
• The PortChannel port VSAN cannot be configured using DPVM.
• The Dynamic Port VSAN Management (DPVM) database will be queried only for the first physical
  FLOGI of each member, so that the port VSAN can be configured automatically.
• DPVM does not bind FC_IDs to VSANs, but PWWNs to VSANs. It will be queried only for the
  physical FLOGI.
• Switches must be running NX-OS Release 4.1(1a) or later.


PortChannel Configuration
PortChannels are created with default values. You can change the default configuration just like any
other physical interface.
Figure 23-6 provides examples of valid PortChannel configurations.

Figure 23-6 Valid PortChannel Configurations
[Diagram not reproduced: links 1 through 4 between Cisco MDS Switch A and Cisco MDS Switch B, grouped into channel groups on each switch.]

Figure 23-7 provides examples of invalid configurations. Assuming that the links are brought up in the
1, 2, 3, 4 sequence, links 3 and 4 will be operationally down as the fabric is misconfigured.


Figure 23-7 Misconfigured Configurations
[Diagram not reproduced: three panels showing links 1 through 4 from Cisco MDS Switch A to Switch B (and, in the third panel, to Switch C), with links 3 and 4 marked X.]

This section shows how to configure and modify PortChannels and contains the following topics:
• About PortChannel Configuration
• Configuring PortChannels Using the Wizard
• About PortChannel Modes
• About PortChannel Deletion
• Deleting PortChannels

About PortChannel Configuration


Before configuring a PortChannel, consider the following guidelines:
• Configure the PortChannel across switching modules to maintain redundancy during switching
  module reboots or upgrades.
• Ensure that one PortChannel is not connected to different sets of switches. PortChannels require
  point-to-point connections between the same set of switches.

Note: On switches with Generation 1 switching modules, or a combination of Generation 1 and Generation 2
switching modules, you can configure a maximum of 128 PortChannels. On switches with only
Generation 2 switching modules, or Generation 2 and Generation 3 switching modules, you can
configure a maximum of 256 PortChannels.


If you misconfigure PortChannels, you may receive a misconfiguration message. If you receive this
message, the PortChannel's physical links are disabled because an error has been detected.
A PortChannel error is detected if the following requirements are not met:
• Each switch on either side of a PortChannel must be connected to the same number of interfaces.
• Each interface must be connected to a corresponding interface on the other side (see Figure 23-7 for
  an example of an invalid configuration).
• Links in a PortChannel cannot be changed after the PortChannel is configured. If you change the
  links after the PortChannel is configured, be sure to reconnect the links to interfaces within the
  PortChannel and reenable the links.
If these three conditions are not all met, the faulty link is disabled.
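The point-to-point requirement above can be checked against a cabling inventory before the links are enabled. The following Python sketch is an added example, not Cisco code or Fabric Manager behavior; the `Link` record, the `audit_portchannel_cabling` function and the sample inventories are constructed for illustration, and the rule that the first link to come up fixes the expected peer is an assumption taken from the bring-up order described for Figure 23-7.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """One ISL from a cabling inventory (hypothetical record layout)."""
    order: int          # bring-up sequence, as in the Figure 23-7 discussion
    local_switch: str
    local_group: int    # channel group number on the local switch
    peer_switch: str
    peer_group: int     # channel group number on the peer switch


def audit_portchannel_cabling(links):
    """Return {link order: (kind, near, expected_far, actual_far)}.

    Assumption: the first link brought up in a channel group fixes the peer
    (switch, channel group) that every later member must also reach. The
    inventory is walked from both ends, so a channel group that is shared by
    two groups on the other switch is caught as well.
    """
    findings = {}
    for from_peer_side in (False, True):
        established = {}  # (switch, group) -> (switch, group) at the far end
        for link in sorted(links, key=lambda item: item.order):
            near = (link.local_switch, link.local_group)
            far = (link.peer_switch, link.peer_group)
            if from_peer_side:
                near, far = far, near
            expected = established.setdefault(near, far)
            if far == expected or link.order in findings:
                continue
            kind = ("different-switch" if far[0] != expected[0]
                    else "different-channel-group")
            findings[link.order] = (kind, near, expected, far)
    return findings


# Constructed inventories. SPLIT_ACROSS_SWITCHES is modelled on the
# three-switch panel of Figure 23-7; the others are illustrative only.
VALID = [Link(n, "A", 10, "B", 20) for n in (1, 2, 3, 4)]
SPLIT_ACROSS_SWITCHES = [
    Link(1, "A", 10, "B", 20), Link(2, "A", 10, "B", 20),
    Link(3, "A", 10, "C", 20), Link(4, "A", 10, "C", 20),
]
SPLIT_ACROSS_GROUPS = [
    Link(1, "A", 10, "B", 20), Link(2, "A", 10, "B", 20),
    Link(3, "A", 11, "B", 20), Link(4, "A", 11, "B", 20),
]

if __name__ == "__main__":
    for name, inventory in (("valid", VALID),
                            ("split across switches", SPLIT_ACROSS_SWITCHES),
                            ("split across groups", SPLIT_ACROSS_GROUPS)):
        print(name, audit_portchannel_cabling(inventory))
```

Links reported by the audit are the ones the text above expects to be disabled as faulty; an empty result means every channel group reaches exactly one channel group on one peer switch.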

Configuring PortChannels Using the Wizard


To create a PortChannel using the PortChannel Wizard in Fabric Manager, follow these steps:

Step 1 Click the PortChannel Wizard icon in the toolbar (see Figure 23-8).

Figure 23-8 PortChannel Wizard Icon


You see the first PortChannel Wizard screen.


Step 2 Select a switch pair. Figure 23-9 shows a list of the switch pairs.


Figure 23-9 Select Switch Pairs

Step 3 Click Next.


Step 4 Select the ISLs. Figure 23-10 shows a list of the ISLs.


Figure 23-10 Select ISLs

Step 5 (Optional) Check the Dynamically form Port Channel Group from selected ISLs check box if you
want to dynamically create the PortChannel and make the ISL properties identical for the Admin, Trunk,
Speed, and VSAN attributes.
Step 6 Click Next.
Step 7 If you chose to dynamically form a PortChannel from selected ISLs, you see the final PortChannel
Wizard screen (see Figure 23-11). Set the VSAN List, Trunk Mode, and Speed and proceed to Step 11.


Figure 23-11 Dynamically Form a PortChannel

Step 8 If you did not choose to dynamically form a PortChannel, you see the third PortChannel Wizard dialog
box (see Figure 23-12).

Note: Dynamic VSAN creation is not supported on NPV switches.


Figure 23-12 Create a PortChannel

Step 9 Change the channel ID or description for each switch, if necessary.


Step 10 Review the attributes at the bottom of the screen, and set them if applicable.
The following attributes are shown in Figure 23-12:
• VSAN List: This gives a list of VSANs to which the ISLs belong.
• Trunk Mode: You can enable trunking on the links in the PortChannel. Select trunking if your link
  is between TE ports. Select nontrunking if your link is between E ports. Select auto if you are not
  sure.
• Force Admin, Trunk, Speed, and VSAN attributes to be identical: This check box ensures that the
  same parameter settings are used in all physical ports in the channel. If these settings are not
  identical, the ports cannot become part of the PortChannel.
• Speed: The port speed values are auto, 1Gb, 2Gb, 4Gb, 8Gb, autoMax2G, and autoMax4G.
Step 11 Click OK.
The PortChannel is created. Note that it may take a few minutes before the new PortChannel is visible
in the Fabric pane.


Configuring the PortChannel Mode


By default, the CLI and the Device Manager create the PortChannel in ON mode in the NPIV core
switches and ACTIVE mode on the NPV switches. The Fabric Manager creates all PortChannels in
ACTIVE mode. We recommend that you create PortChannels in ACTIVE mode. An F PortChannel is
supported only in ACTIVE mode.
To configure ACTIVE mode using Fabric Manager, follow these steps:

Step 1 Expand ISLs and then select Port Channels in the Physical Attributes pane.
You see the PortChannels configured in the Information pane.
Step 2 Click the Protocols tab, and then from the Mode drop-down menu, select the appropriate mode for the
Port Channel.
Step 3 Click the Apply Changes icon to save any modifications.

About PortChannel Deletion


When you delete the PortChannel, the corresponding channel membership is also deleted. All interfaces
in the deleted PortChannel convert to individual physical links. After the PortChannel is removed,
regardless of the mode used (ACTIVE or ON), the ports at either end are gracefully brought down,
indicating that no frames are lost when the interface is going down (see the "Graceful Shutdown" section
on page 20-11).
If you delete the PortChannel for one port, then the individual ports within the deleted PortChannel
retain the compatibility parameter settings (speed, mode, port VSAN, allowed VSAN, and port security).
You can explicitly change those settings as required.
• If you use the default ON mode to avoid inconsistent states across switches and to maintain
  consistency across switches, then the ports shut down. You must explicitly enable those ports again.
• If you use the ACTIVE mode, then the PortChannel ports automatically recover from the deletion.

Deleting PortChannels
To delete a PortChannel using the PortChannel Wizard in Fabric Manager, follow these steps:

Step 1 Click the PortChannel Wizard icon in the toolbar (see Figure 23-13).

Figure 23-13 PortChannel Wizard Icon


You see the first PortChannel Wizard screen.


Step 2 Select the existing PortChannel that you want to delete and click Next. You see a list of the ISLs
currently associated with this PortChannel.


Step 3 Click Next. You see an editable list of associated ISLs and available ISLs for this PortChannel.
Step 4 Click each associated ISL and click the left arrow to remove all ISLs from the PortChannel.
Step 5 Check the Delete Port Channel If Empty check box to delete this PortChannel.
Step 6 Click Finish to save any modifications or click Cancel to discard any changes.

Interfaces in a PortChannel
You can add a physical interface (or a range of interfaces) to an existing PortChannel, or remove it
from one. The compatible parameters on the configuration are mapped to the PortChannel. Adding an
interface to a PortChannel increases the channel size and bandwidth of the PortChannel. Removing an
interface from a PortChannel decreases the channel size and bandwidth of the PortChannel.
This section describes interface configuration for a PortChannel and includes the following topics:
• About Interface Addition to a PortChannel
• Adding an Interface to a PortChannel
• Forcing an Interface Addition
• About PortChannel Deletion
• Deleting an Interface from a PortChannel

About Interface Addition to a PortChannel


You can add a physical interface (or a range of interfaces) to an existing PortChannel. The compatible
parameters on the configuration are mapped to the PortChannel. Adding an interface to a PortChannel
increases the channel size and bandwidth of the PortChannel.
A port can be configured as a member of a static PortChannel only if the following configurations are
the same in the port and the PortChannel:
• Speed
• Mode
• Rate mode
• Port VSAN
• Trunking mode
• Allowed VSAN list or VF-ID list
After the members are added, regardless of the mode (ACTIVE or ON) used, the ports at either end are
gracefully brought down, indicating that no frames are lost when the interface is going down (see the
"Generation 1 PortChannel Restrictions" section on page 23-7 and the "Graceful Shutdown" section on
page 20-11).

Compatibility Check
A compatibility check ensures that the same parameter settings are used in all physical ports in the
channel. Otherwise, they cannot become part of a PortChannel. The compatibility check is performed
before a port is added to the PortChannel.


The check ensures that the following parameters and settings match at both ends of a PortChannel:
• Capability parameters (type of interface, Gigabit Ethernet at both ends, or Fibre Channel at both
  ends).
• Administrative compatibility parameters (speed, mode, rate mode, port VSAN, allowed VSAN list,
  and port security).

  Note: Ports in shared rate mode can also form a PortChannel or a trunking PortChannel.

• Operational parameters (remote switch WWN and trunking mode).


A port addition procedure fails if the capability and administrative parameters in the remote switch are
incompatible with the capability and administrative parameters in the local switch. If the compatibility
check is successful, the interfaces are operational and the corresponding compatibility parameter
settings apply to these interfaces.

Suspended and Isolated States


If the operational parameters are incompatible, the compatibility check fails and the interface is placed
in a suspended or isolated state based on the configured mode:
• An interface enters the suspended state if the interface is configured in the ON mode.
• An interface enters the isolated state if the interface is configured in the ACTIVE mode.
See the "Reason Codes" section on page 20-8.

Adding an Interface to a PortChannel

Note: By default, the CLI adds an interface normally to a PortChannel, while the Fabric Manager adds the
interface by force, unless specified explicitly.

To add an interface or range of interfaces to a PortChannel using Fabric Manager, follow these steps:

Step 1 Expand ISLs and then select Port Channels in the Physical Attributes pane.
You see the PortChannels configured in the Information pane (see Figure 23-14).


Figure 23-14 Port Channels

Step 2 Click the Channels tab and find the switch and PortChannel that you want to edit.
Step 3 Set Members Admin to the interface or list of interfaces that you want to add to the PortChannel.
Step 4 Click the Apply Changes icon to save any modifications or click Undo Changes to discard any changes.

Forcing an Interface Addition


You can force the port configuration to be overwritten by the PortChannel. In this case, the interface is
added to a PortChannel.
• If you use the default ON mode to avoid inconsistent states across switches and to maintain
  consistency across switches, then the ports shut down. You must explicitly enable those ports again.
• If you use the ACTIVE mode, then the PortChannel ports automatically recover from the addition.

Note: When PortChannels are created from within an interface, the force option cannot be used.

After the members are forcefully added, regardless of the mode (ACTIVE or ON) used, the ports at
either end are gracefully brought down, indicating that no frames are lost when the interface is going
down (see the "32-Port Switching Module Configuration Guidelines" section on page 17-3).
To force the addition of a port to a PortChannel using Fabric Manager, follow these steps:

Step 1 Expand ISLs and then select Port Channels in the Physical Attributes pane. You see the PortChannels
configured in the Information pane.
Step 2 Click the Channels tab and find the switch and PortChannel that you want to edit.
Step 3 Set Members Admin to the interface or list of interfaces that you want to add to the PortChannel.
Step 4 Check the Force check box to force this interface addition.
Step 5 Click the Apply Changes icon to save any modifications.
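The tiers described under Compatibility Check and Suspended and Isolated States, together with the effect of a forced addition, can be applied to exported port settings as a pre-change audit. The following Python sketch is an added example and a simplified model, not the switch's implementation; the field names, the `check_member` and `audit` functions and the sample values are hypothetical, and it assumes that force overwrites only the administrative parameters and cannot reconcile different interface types.

```python
from dataclasses import dataclass, replace

# Parameter tiers as listed in the Compatibility Check section.
CAPABILITY = ("interface_type",)
ADMINISTRATIVE = ("speed", "mode", "rate_mode", "port_vsan",
                  "allowed_vsans", "port_security")
OPERATIONAL = ("remote_switch_wwn", "trunking_mode")


@dataclass(frozen=True)
class PortSettings:
    """Settings exported for one port or for the PortChannel itself.

    Field names are hypothetical; map them to whatever your inventory uses.
    """
    interface_type: str          # "fc" or "gigabitethernet"
    speed: str
    mode: str
    rate_mode: str
    port_vsan: int
    allowed_vsans: frozenset
    port_security: bool
    remote_switch_wwn: str
    trunking_mode: str


def _diff(reference, candidate, fields):
    """Names of the fields whose values differ between the two records."""
    return [f for f in fields if getattr(reference, f) != getattr(candidate, f)]


def check_member(channel, candidate, channel_mode, force=False):
    """Predict the compatibility outcome of adding `candidate` to `channel`.

    Returns (state, fields). state is "rejected", "suspended", "isolated" or
    "operational"; fields lists the mismatches behind a bad state or, for a
    forced addition, the port settings the PortChannel would overwrite.
    """
    if channel_mode not in ("ON", "ACTIVE"):
        raise ValueError("channel_mode must be 'ON' or 'ACTIVE'")

    capability = _diff(channel, candidate, CAPABILITY)
    if capability:
        # Assumption: force cannot reconcile different interface types.
        return "rejected", capability

    administrative = _diff(channel, candidate, ADMINISTRATIVE)
    if administrative and not force:
        return "rejected", administrative

    operational = _diff(channel, candidate, OPERATIONAL)
    if operational:
        # ON mode suspends the interface, ACTIVE mode isolates it.
        state = "suspended" if channel_mode == "ON" else "isolated"
        return state, operational

    return "operational", administrative  # non-empty only when forced


def audit(channel, candidates, channel_mode, force=False):
    """Run check_member over a {port name: PortSettings} mapping."""
    return {name: check_member(channel, port, channel_mode, force)
            for name, port in candidates.items()}


# Constructed sample values, not taken from any real fabric.
PO10 = PortSettings("fc", "4Gb", "E", "dedicated", 1,
                    frozenset({1, 10, 20}), True,
                    "20:00:00:00:00:00:0a:01", "on")
SAMPLE_PORTS = {
    "fc1/1": PO10,                                          # identical
    "fc1/2": replace(PO10, port_security=False),            # admin mismatch
    "fc2/1": replace(PO10, remote_switch_wwn="20:00:00:00:00:00:0b:01"),
    "ge3/1": replace(PO10, interface_type="gigabitethernet"),
}

if __name__ == "__main__":
    for mode in ("ON", "ACTIVE"):
        print(mode, audit(PO10, SAMPLE_PORTS, mode))
    print("forced", audit(PO10, SAMPLE_PORTS, "ON", force=True))
```

With `force=True` the second element of an "operational" result lists the port settings that the PortChannel would overwrite, which is worth reviewing because Fabric Manager forces additions by default.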


About Interface Deletion from a PortChannel


When a physical interface is deleted from the PortChannel, the channel membership is automatically
updated. If the deleted interface is the last operational interface, then the PortChannel status is changed
to a down state. Deleting an interface from a PortChannel decreases the channel size and bandwidth of
the PortChannel.
• If you use the default ON mode to avoid inconsistent states across switches and to maintain
  consistency across switches, then the ports shut down. You must explicitly enable those ports again.
• If you use the ACTIVE mode, then the PortChannel ports automatically recover from the deletion.
After the members are deleted, regardless of the mode (ACTIVE or ON) used, the ports at either end
are gracefully brought down, indicating that no frames are lost when the interface is going down (see the
"Generation 1 PortChannel Restrictions" section on page 23-7 and the "Graceful Shutdown" section on
page 20-11).

Deleting an Interface from a PortChannel


To delete a physical interface (or a range of physical interfaces) from a PortChannel using Fabric
Manager, follow these steps:

Step 1 Expand ISLs and then select Port Channels in the Physical Attributes pane.
You see the PortChannels configured in the Information pane.
Step 2 Click the Channels tab and find the switch and PortChannel that you want to edit.
Step 3 Remove the interface or list of interfaces that you want deleted from the Members Admin column.
Step 4 Click the Apply Changes icon to save any modifications.

PortChannel Protocols
In earlier Cisco SAN-OS releases, PortChannels required additional administrative tasks to support
synchronization. The Cisco NX-OS software provides robust error detection and synchronization
capabilities. You can manually configure channel groups or they can be automatically created. In both
cases, the channel groups have the same capability and configurational parameters. Any change in
configuration applied to the associated PortChannel interface is propagated to all members of the
channel group.
A protocol to exchange PortChannel configurations is available in all Cisco MDS switches. This addition
simplifies PortChannel management with incompatible ISLs. An additional autocreation mode enables
ISLs with compatible parameters to automatically form channel groups without manual intervention.
The PortChannel protocol is enabled by default.
The PortChannel protocol expands the PortChannel functional model in Cisco MDS switches. It uses the
exchange peer parameters (EPP) services to communicate across peer ports in an ISL. Each switch uses
the information received from the peer ports along with its local configuration and operational values to
decide if it should be part of a PortChannel. The protocol ensures that a set of ports are eligible to be
part of the same PortChannel. They are only eligible to be part of the same port channel if all the ports
have a compatible partner.


The PortChannel protocol uses two subprotocols:


• Bringup protocol: Automatically detects misconfigurations so you can correct them. This protocol
  synchronizes the PortChannel at both ends so that all frames for a given flow (as identified by the
  source FC ID, destination FC ID, and OX_ID) are carried over the same physical link in both
  directions. This helps applications such as write acceleration work for PortChannels over
  FCIP links.
• Autocreation protocol: Automatically aggregates compatible ports into a PortChannel.
This section describes how to configure the PortChannel protocol and includes the following sections:
• About Channel Group Creation
• About Autocreation
• Enabling and Configuring Autocreation
• About Manually Configured Channel Groups
• Converting to Manually Configured Channel Groups

About Channel Group Creation

Note: Channel groups are not supported on internal ports in the Cisco Fabric Switch for HP c-Class
BladeSystem and the Cisco Fabric Switch for IBM BladeSystem.

Assuming link A1-B1 comes up first in Figure 23-15, that link is operational as an individual link. When
the next link, say A2-B2, comes up, the PortChannel protocol identifies if this link is compatible with
link A1-B1 and automatically creates channel groups 10 and 20 in the respective switches. If link A3-B3
can join the channel groups (the PortChannels), the respective ports have compatible configurations. If
link A4-B4 operates as an individual link, it is because of the incompatible configuration of the two end
ports with the other member ports in this channel group.

Figure 23-15 Autocreating Channel Groups
[Diagram not reproduced: links 1 through 4 between Cisco MDS Switch A (Channel Group 10, po10) and Cisco MDS Switch B (Channel Group 20, po20).]

The channel group numbers are selected dynamically, and as such, the administrative configuration of
the ports forming the channel group at either end is applicable to the newly created channel group. The
channel group number being chosen dynamically may be different across reboots for the same set of
PortChannels based on the order of ports that are initialized in the switch.
Table 23-2 identifies the differences between user-configured and auto-configured channel groups.


Table 23-2 Channel Group Configuration Differences

| User-Configured Channel Group | Autocreated Channel Group |
|---|---|
| Manually configured by the user. | Created automatically when compatible links come up between two compatible switches, if channel group autocreation is enabled in all ports at both ends. |
| Member ports cannot participate in autocreation of channel groups. The autocreation feature cannot be configured. | None of these ports are members of a user-configured channel group. |
| You can form the PortChannel with a subset of the ports in the channel group. Incompatible ports remain in a suspended or isolated state depending on the ON or ACTIVE mode configuration. | All ports included in the channel group participate in the PortChannel; no member port becomes isolated or suspended; instead, the member port is removed from the channel group when the link is found to be incompatible. |
| Any administrative configuration made to the PortChannel is applied to all ports in the channel group, and you can save the configuration for the PortChannel interface. | Any administrative configuration made to the PortChannel is applied to all ports in the channel group, but the configurations are saved for the member ports; no configuration is saved for the PortChannel interface. You can explicitly convert this channel group, if required. |
| You can remove any channel group and add members to a channel group. | You cannot remove a channel group, or add/remove any of its members. The channel group is removed when no member ports exist. |

Note: Autocreation is not supported as of MDS NX-OS Release 4.1(1b) and later.

About Autocreation
The autocreation protocol has the following functionality:
• A port is not allowed to be configured as part of a PortChannel when the autocreation feature is
  enabled. These two configurations are mutually exclusive.
• Autocreation must be enabled in both the local and peer ports to negotiate a PortChannel.
• Aggregation occurs in one of two ways:
  - A port is aggregated into a compatible autocreated PortChannel.
  - A port is aggregated with another compatible port to form a new PortChannel.
• Newly created PortChannels are allocated from the maximum possible PortChannel (128 for
  Generation 1 or a combination of Generation 1 and Generation 2 switches, or 256 for Generation 2
  switches) in a decreasing order based on availability. If all 128 (or 256) numbers are used up,
  aggregation is not allowed.
• You cannot change the membership or delete an autocreated PortChannel.
• When you disable autocreation, all member ports are removed from the autocreated PortChannel.


• Once the last member is removed from an autocreated PortChannel, the channel is automatically
  deleted and the number is released for reuse.
• An autocreated PortChannel is not persistent through a reboot. An autocreated PortChannel can be
  manually configured to appear the same as a persistent PortChannel. Once the PortChannel is made
  persistent, the autocreation feature is disabled in all member ports.
• You can enable or disable the autocreation feature on a per-port basis or for all ports in the switch.
  When this configuration is enabled, the channel group mode is assumed to be active. The default for
  this task is disabled.
• If autocreation of channel groups is enabled for an interface, you must first disable autocreation
  before downgrading to earlier software versions or before configuring the interface in a manually
  configured channel group.

Tip: When enabling autocreation in any switch in the Cisco MDS 9000 Family, we recommend that you retain
at least one interconnected port between the switches without any autocreation configuration. If all ports
between two switches are configured with the autocreation feature at the same time, you may face a
possible traffic disruption between these two switches as the ports are automatically disabled and
reenabled when ports are added to an autocreated PortChannel.

Enabling and Configuring Autocreation


To configure PortChannel autocreation, check the Dynamically form Port Channel Group from
selected ISLs option in the PortChannel Wizard. For more information, see the Configuring
PortChannels Using the Wizard section on page 23-11.

About Manually Configured Channel Groups


A user-configured channel group cannot be converted to an autocreated channel group. However, you
can convert an autocreated channel group to a manual channel group. Once performed, this task is
irreversible. The channel group number does not change, but the member ports operate according to the
properties of the manually configured channel group, and the autocreation of channel group is implicitly
disabled for all member ports.

Tip: If you enable persistence, be sure to enable it at both ends of the PortChannel.

Converting to Manually Configured Channel Groups


To convert an autocreated channel group to a user-configured channel group using Fabric Manager,
follow these steps:

Step 1 Expand ISLs and then select Port Channels in the Physical Attributes pane. Click the Protocol tab.
You see the switch protocols as shown in Figure 23-16.


Figure 23-16 Switch Protocols

Step 2 Check the Persist check box for each channel that you want to convert to a manually configured channel
group.
Step 3 Click the Apply Changes icon to save any modifications.

Verifying the PortChannel Configuration


You can use the Information pane in Fabric Manager to verify your PortChannel configuration (see
Figure 23-17).

Figure 23-17 PortChannel Summary in Fabric Manager


Default Settings
Table 23-3 lists the default settings for PortChannels.

Table 23-3 Default PortChannel Parameters

| Parameters | Default |
|---|---|
| PortChannels | FSPF is enabled by default. |
| Create PortChannel | Administratively up. |
| Default PortChannel mode | ON mode on non-NPV and NPIV core switches. ACTIVE mode on NPV switches. |
| Autocreation | Disabled. |


CHAPTER 24
Configuring Trunking

This chapter describes the trunking feature provided in Cisco MDS 9000 switches. It includes the
following sections:
• About Trunking
• Trunking Guidelines and Restrictions
• Configuring Trunk Mode and VSAN List
• Example F Port Trunking Configuration
• Default Settings

About Trunking
Trunking, also known as VSAN trunking, is a feature specific to switches in the Cisco MDS 9000
Family. Trunking enables interconnect ports to transmit and receive frames in more than one VSAN, over
the same physical link. Trunking is supported on E ports and F ports (see Figure 24-1 and Figure 24-2).
This section includes the following topics:
• Trunking E Ports
• Trunking F Ports
• Key Concepts
• Trunking Misconfiguration Examples
• Upgrade and Downgrade Restrictions
• Difference Between TE Ports and TF-TNP Ports


Trunking E Ports
Trunking the E ports enables interconnect ports to transmit and receive frames in more than one VSAN,
over the same physical link, using enhanced ISL (EISL) frame format.

Figure 24-1 Trunking E Ports
[Diagram not reproduced: an ISL between E ports on Switch 1 and any other switch, and a trunking EISL between TE ports on Switch 1 and Switch 2.]

Note: Trunking is not supported by internal ports on both the Cisco Fabric Switch for HP c-Class BladeSystem
and the Cisco Fabric Switch for IBM BladeCenter.

Trunking F Ports
Trunking F ports allows interconnected ports to transmit and receive tagged frames in more than one
VSAN, over the same physical link. Figure 24-2 represents the possible trunking scenarios in a SAN
with MDS core switches, NPV switches, third-party core switches, and HBAs.

Figure 24-2 Trunking F Ports
[Image not reproduced. Labels: third-party core switch, MDS core switch, NPV switch, and HBAs; links 1a, 1b,
2, 3, 4, and 5; port types F, TF, N, TN, NP, and TNP; protocols EPP and EVFP.]


Link Number    Link Description
1a and 1b      F port trunk with N port. [1]
2              F port trunk with NP port.
3              F PortChannel with NP port.
4              Trunked F PortChannel with NP port.
5              Trunking NP port with third-party core switch F port. [1]
[1] These features are not supported currently.

Key Concepts
The trunking feature includes the following key concepts:
• TE port: If trunk mode is enabled in an E port and that port becomes operational as a trunking E
  port, it is referred to as a TE port.
• TF port: If trunk mode is enabled in an F port (see link 2 in Figure 24-2) and that port becomes
  operational as a trunking F port, it is referred to as a TF port.
• TN port: If trunk mode is enabled (not currently supported) in an N port (see link 1b in
  Figure 24-2) and that port becomes operational as a trunking N port, it is referred to as a TN port.
• TNP port: If trunk mode is enabled in an NP port (see link 2 in Figure 24-2) and that port
  becomes operational as a trunking NP port, it is referred to as a TNP port.
• TF PortChannel: If trunk mode is enabled in an F PortChannel (see link 4 in Figure 24-2) and
  that PortChannel becomes operational as a trunking F PortChannel, it is referred to as a TF
  PortChannel. Cisco Port Trunking Protocol (PTP) is used to carry tagged frames.
• TF-TN port link: A single link can be established to connect an F port to an HBA to carry tagged
  frames (see links 1a and 1b in Figure 24-2) using Exchange Virtual Fabrics Protocol (EVFP). A
  server can reach multiple VSANs through a TF port without inter-VSAN routing (IVR).
• TF-TNP port link: A single link can be established to connect a TF port to a TNP port using the
  PTP protocol to carry tagged frames (see link 2 in Figure 24-2). PTP is used because PTP also
  supports trunking PortChannels.

Note The TF-TNP port link between a third-party NPV core and a Cisco NPV switch is
established using the EVFP protocol.

A Fibre Channel VSAN is called a Virtual Fabric and uses a VF_ID in place of the VSAN ID. By
default, the VF_ID is 1 for all ports. When an N port supports trunking, a PWWN is defined for each
VSAN and is called a logical PWWN. In the case of MDS core switches, the PWWNs for which the
N port requests additional FC_IDs are called virtual PWWNs.

Trunking Guidelines and Restrictions


The trunking feature includes the following guidelines and restrictions:
• F ports support trunking in Fx mode.

• Switches must be running NX-OS Release 4.1(1a) or later.
• The trunk-allowed VSANs configured for TE, TF, and TNP links are used by the trunking protocol
  to determine the allowed active VSANs in which frames can be received or transmitted.
• If a trunking enabled E port is connected to a third-party switch, the trunking protocol ensures
  seamless operation as an E port.
• Trunking F ports and trunking F PortChannels are not supported on the following hardware:
  - 91x4 switches, if NPIV is enabled and used as the NPIV core switch.
  - Generation 1 2-Gbps Fibre Channel switching modules.
• On core switches, the FC-SP authentication will be supported only for the physical FLOGI from the
  physical PWWN.
• No FC-SP authentication is supported by the NPV switch on the server F ports.
• MDS does not enforce the uniqueness of logical PWWNs across VSANs.
• DPVM is not supported on trunked F port logins.
• The DPVM feature is limited to the control of the port VSAN, since the EVFP protocol does not
  allow changing the VSAN on which a logical PWWN has done FLOGI.
• The port security configuration will be applied to both the first physical FLOGI and the per VSAN
  FLOGIs.
• Trunking is not supported on F ports that have FlexAttach enabled.
• On MDS 91x4 core switches, hard zoning can be done only on F ports that are doing either NPIV
  or trunking. However, in NPV mode, this restriction does not apply since zoning is enforced on the
  core F port.

Trunking Misconfiguration Examples


If you do not configure the VSANs correctly, issues with the connection may occur. For example, if you
merge the traffic in two VSANs, both VSANs will be mismatched. The trunking protocol validates the
VSAN interfaces at both ends of a link to avoid merging VSANs (see Figure 24-3).

Figure 24-3 VSAN Mismatch
[Image not reproduced. Labels: Switch 1 E port in VSAN 2, Switch 2 E port in VSAN 3, link isolated, VSAN
mismatch.]

In this example, the trunking protocol detects potential VSAN merging and isolates the ports involved.
The trunking protocol cannot detect merging of VSANs when a third-party switch is placed in between
two Cisco MDS 9000 Family switches (see Figure 24-4).


Figure 24-4 Third-Party Switch VSAN Mismatch
[Image not reproduced. Labels: Switch 1, Switch 2, Switch 3; third-party switches; E ports; VSAN 2 and
VSAN 3.]

VSAN 2 and VSAN 3 are effectively merged with overlapping entries in the name server and the zone
applications. The Cisco MDS 9000 Fabric Manager helps detect such topologies.

Upgrade and Downgrade Restrictions


The trunking and channeling feature includes the following upgrade and downgrade restrictions:
• When F port trunking or channeling is configured on a link, the switch cannot be downgraded to
  Cisco MDS SAN-OS Release 3.x and NX-OS Release 4.1(1b), or earlier.
• Effect of an Upgrade on the EVFP Isolated VSAN: If you are upgrading from a SAN-OS Release
  3.x to NX-OS Release 4.1(3a), and you have not created VSAN 4079, the NX-OS software will
  automatically create VSAN 4079 and reserve it for EVFP use.
  - If VSAN 4079 is reserved for EVFP use, the switchport trunk allowed vsan command will filter out
    VSAN 4079 from the allowed list, as shown in the following example:
    switch(config-if)# switchport trunk allowed vsan 1-4080
    1-4078,4080
    switch(config-if)#

  - If you have created VSAN 4079, the upgrade to NX-OS Release 4.1(3a) will have no effect on VSAN
    4079.
  - If you downgrade after NX-OS Release 4.1(3a) creates VSAN 4079 and reserves it for EVFP use,
    the VSAN will no longer be reserved.

Difference Between TE Ports and TF-TNP Ports


In the case of TE ports, the VSAN will be in the init state when the VSAN is coming up on that interface and
when the peers are in the negotiating phase. Once the handshake is done, the VSAN will be moved to the up
state in the successful case, and to the isolated state in the case of failure. Device Manager will show the
port status as amber during the initializing state, and it will be green once the VSANs are up.
In the case of TF ports, after the handshake, one of the allowed VSANs will be moved to the up state, and all
other VSANs will be in the init state even though the handshake with the peer is completed and successful.
Each VSAN will be moved from the initializing state to the up state when a server or target logs in through
the trunked F or NP ports in the corresponding VSAN.

Note In the case of TF or TNP ports, Device Manager will show the port status as amber even after the port is
up and there is no failure. It will change to green once all the VSANs have successful logins.


Enabling the Trunking Protocols


This section explains how to enable or disable the required trunking and channeling protocols
represented in Figure 24-2 and includes the following topics:
• About Trunking Protocols
• Enabling the Cisco Trunking and Channeling Protocols
• Enabling the F Port Trunking and Channeling Protocol

About Trunking Protocols


The trunking protocol is important for trunking operations on the ports. The protocols enable the
following activities:
• Dynamic negotiation of operational trunk mode.
• Selection of a common set of trunk-allowed VSANs.
• Detection of a VSAN mismatch across an ISL.
Table 24-1 specifies the protocols used for trunking and channeling.

Table 24-1 Supported Trunking Protocols

Trunk Link                          Default
TE-TE port link                     Cisco EPP (PTP)
TF-TN port link [1]                 FC-LS Rev 1.62 EVFP
TF-TNP port link                    Cisco EPP (PTP)
E or F PortChannel                  Cisco EPP (PCP)
TF Port Channel                     Cisco EPP (PTP and PCP)
Third-party TF-TNP port link [1]    FC-LS Rev 1.62 EVFP
[1] These features are not currently supported.

By default, the trunking protocol is enabled. If the trunking protocol is disabled on a switch, no port on
that switch can apply new trunk configurations. Existing trunk configurations are not affected. The TE
port continues to function in trunk mode, but only supports traffic in VSANs that it negotiated with
previously (when the trunking protocol was enabled). Also, other switches that are directly connected to
this switch are similarly affected on the connected interfaces. In some cases, you may need to merge
traffic from different port VSANs across a non-trunking ISL. If so, disable the trunking protocol.

Note We recommend that both ends of a trunking link belong to the same port VSAN. On certain switches or
fabric switches where the port VSANs are different, one end returns an error and the other end is not
connected.

Tip To avoid inconsistent configurations, shut all ports before enabling or disabling the trunking protocols.


Enabling the F Port Trunking and Channeling Protocol

Note The trunking protocols must be enabled to support trunking, and NPIV must be enabled on the core
switch to activate a TF-TNP link.

To enable or disable the F port trunking and channeling protocols using the Fabric Manager, follow these
steps:

Step 1 From the Physical Interfaces panel, expand Switches and then select F_Port_Channel/Trunk.
You see the list of switches in the Fabric with F port trunking and channeling enabled.
Step 2 From the Status column, select enable or disable.

Configuring Trunk Mode and VSAN List


This section includes the following topics:
• About Trunk Modes
• Configuring Trunk Mode
• About Trunk-Allowed VSAN Lists and VF_IDs
• Configuring an Allowed-Active List of VSANs

About Trunk Modes


By default, trunk mode is enabled in all Fibre Channel and Ethernet interfaces. You can configure trunk
mode as on (enabled), off (disabled), or auto (automatic). The default trunk mode is auto. The trunk
mode configuration at the two ends of an ISL, between two switches, determines the trunking state of the
link and the port modes at both ends (see Table 24-2).

Table 24-2 Trunk Mode Status Between Switches

                  Your Trunk Mode Configuration      Resulting State and Port Mode
Port Type         Switch 1       Switch 2            Trunking State       Port Mode
E ports           On             Auto or on          Trunking (EISL)      TE port
                  Off            Auto, on, or off    No trunking (ISL)    E port
                  Auto           Auto                No trunking (ISL)    E port

Port Type         Core Switch    NPV Switch          Trunking State       Link Mode
F and NP ports    On             Auto or on          Trunking             TF-TNP link
                  Auto           On                  Trunking             TF-TNP link
                  Off            Auto, on, or off    No trunking          F-NP link


Tip The preferred configuration on the Cisco MDS 9000 Family switches is one side of the trunk set to auto
and the other side set to on.

Note When connected to a third-party switch, the trunk mode configuration on E ports has no effect. The ISL
is always in a trunking disabled state. In the case of F ports, if the third-party core switch ACC's physical
FLOGI with the EVFP bit is configured, then EVFP protocol enables trunking on the link.

Configuring Trunk Mode


To configure trunk mode using Fabric Manager, follow these steps:

Step 1 Expand Interfaces and then select FC Physical. You see the interface configuration in the Information
pane.
Step 2 Click the Trunk Config tab to modify the trunking mode for the selected interface.
You see the information shown in Figure 24-5.

Figure 24-5 Trunking Configuration

Step 3 Make changes to the Admin and Allowed VSANs values.


Step 4 Click the Trunk Failures tab to check if a link did not come up.
You see the reason listed in the FailureCause column (see Figure 24-6).

Figure 24-6 Trunk Failures Tab


Step 5 Click the Apply Changes icon.

About Trunk-Allowed VSAN Lists and VF_IDs


Each Fibre Channel interface has an associated trunk-allowed VSAN list. In TE-port mode, frames are
transmitted and received in one or more VSANs specified in this list. By default, the VSAN range (1
through 4093) is included in the trunk-allowed list.
The common set of VSANs that are configured and active in the switch are included in the trunk-allowed
VSAN list for an interface, and they are called allowed-active VSANs. The trunking protocol uses the
list of allowed-active VSANs at the two ends of an ISL to determine the list of operational VSANs in
which traffic is allowed.
In Figure 24-7, switch 1 has VSANs 1 through 5, switch 2 has VSANs 1 through 3, and switch 3 has
VSANs 1, 2, 4, and 5 with a default configuration of trunk-allowed VSANs. All VSANs configured in
all three switches are allowed-active. However, only the common set of allowed-active VSANs at the
ends of the ISL become operational as shown in Figure 24-7.
For all F, N, and NP ports, the default VF_ID is 1 when there is no VF_ID configured. The trunk-allowed
VF_ID list on a port is the same as the list of trunk-allowed VSANs. VF_ID 4094 is called the control VF_ID
and it is used to define the list of trunk-allowed VF-IDs when trunking is enabled on the link.
If F port trunking and channeling is enabled, or if switchport trunk mode on is configured in npv mode
for any interface, or if NP PortChannel is configured, the VSAN and VF-ID ranges available for
configuration are as follows:

Table 24-3 VSAN and VF-ID Reservations

VSAN or VF-ID                 Description
000h                          Cannot be used as Virtual Fabric Identifier
001h(1) to EFFh(3839)         This VSAN range is available for user configuration
F00h(3840) to FEEh(4078)      Reserved VSANs and they are not available for user configuration.
FEFh(4079)                    EVFP isolated VSAN
FF0h(4080) to FFEh(4094)      Used for vendor-specific VSANs
FFFh                          Cannot be used as Virtual Fabric Identifier

Note If the VF_ID of the F port and the N port do not match, then no tagged frames can be exchanged.


Figure 24-7 Default Allowed-Active VSAN Configuration
[Image not reproduced. Labels: Switch 1 (VSAN1 to VSAN5), Switch 2 (VSAN1 to VSAN3), Switch 3 (VSAN1,
VSAN2, VSAN4, VSAN5); "VSANs 1, 2, and 3 are operational", "VSANs 1 and 2 are operational",
"VSANs 1, 2, 4, 5 are operational".]

You can configure a select set of VSANs (from the allowed-active list) to control access to the VSANs
specified in a trunking ISL.
Using Figure 24-7 as an example, you can configure the list of allowed VSANs on a per-interface basis
(see Figure 24-8). For example, if VSANs 2 and 4 are removed from the allowed VSAN list of ISLs
connecting to switch 1, the operational allowed list of VSANs for each ISL would be as follows:
• The ISL between switch 1 and switch 2 includes VSAN 1 and VSAN 3.
• The ISL between switch 2 and switch 3 includes VSAN 1 and VSAN 2.
• The ISL between switch 3 and switch 1 includes VSAN 1, 2, and 5.
Consequently, VSAN 2 can only be routed from switch 1 through switch 3 to switch 2.
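
The following Python sketch is an added example, not part of the Cisco guide or of Fabric Manager. It reproduces the VSAN 4079 filtering of the allowed list and derives the operational VSANs of each ISL as the intersection of the allowed-active lists at both ends, so an allowed-list change can be checked before it is applied. The function names and sample data are constructed; it assumes VSAN 2 is removed on the switch 1 end of the ISL to switch 2 and VSAN 4 on the switch 1 end of the ISL to switch 3, which yields the lists given above.

```python
EVFP_ISOLATED_VSAN = 4079   # reserved for EVFP use (Table 24-3)
DEFAULT_ALLOWED = "1-4093"  # default trunk-allowed range stated in the guide

# Constructed sample data: VSANs configured and active on each switch (Figure 24-7).
SWITCH_VSANS = {
    "switch1": {1, 2, 3, 4, 5},
    "switch2": {1, 2, 3},
    "switch3": {1, 2, 4, 5},
}


def parse_vsan_list(text):
    """Parse a list such as '1-4078,4080' into a set of VSAN IDs."""
    vsans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        low = int(low)
        high = int(high) if high else low
        if low > high:
            raise ValueError(f"descending range: {part!r}")
        vsans.update(range(low, high + 1))
    return vsans


def format_vsan_list(vsans):
    """Collapse a set of VSAN IDs back into compact range notation."""
    runs = []
    for vsan in sorted(vsans):
        if runs and vsan == runs[-1][1] + 1:
            runs[-1][1] = vsan
        else:
            runs.append([vsan, vsan])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def filter_allowed(requested, evfp_reserved=True):
    """Allowed list that remains once the EVFP isolated VSAN is filtered out."""
    vsans = parse_vsan_list(requested)
    if evfp_reserved:
        vsans.discard(EVFP_ISOLATED_VSAN)
    return format_vsan_list(vsans)


def allowed_active(switch, trunk_allowed):
    """VSANs that are both active on the switch and on the interface's allowed list."""
    return SWITCH_VSANS[switch] & parse_vsan_list(trunk_allowed)


def audit_isls(isls):
    """isls: list of (switch_a, allowed_a, switch_b, allowed_b) tuples.

    Returns, per ISL, the operational VSANs and the VSANs that exist on both
    switches but are kept off the link by an allowed list.
    """
    report = {}
    for a, allowed_a, b, allowed_b in isls:
        up = allowed_active(a, allowed_a) & allowed_active(b, allowed_b)
        shared = SWITCH_VSANS[a] & SWITCH_VSANS[b]
        report[(a, b)] = {"operational": sorted(up), "blocked": sorted(shared - up)}
    return report


def links_carrying(vsan, report):
    """ISLs on which the given VSAN is operational."""
    return [link for link, result in report.items() if vsan in result["operational"]]


# Default trunk-allowed lists on every interface (Figure 24-7).
DEFAULT_ISLS = [
    ("switch1", DEFAULT_ALLOWED, "switch2", DEFAULT_ALLOWED),
    ("switch2", DEFAULT_ALLOWED, "switch3", DEFAULT_ALLOWED),
    ("switch3", DEFAULT_ALLOWED, "switch1", DEFAULT_ALLOWED),
]

# Assumed restricted lists on the switch 1 interfaces (Figure 24-8).
RESTRICTED_ISLS = [
    ("switch1", "1,3-4093", "switch2", DEFAULT_ALLOWED),
    ("switch2", DEFAULT_ALLOWED, "switch3", DEFAULT_ALLOWED),
    ("switch3", DEFAULT_ALLOWED, "switch1", "1-3,5-4093"),
]

if __name__ == "__main__":
    print("allowed after EVFP filter:", filter_allowed("1-4080"))
    for title, isls in (("default", DEFAULT_ISLS), ("restricted", RESTRICTED_ISLS)):
        report = audit_isls(isls)
        for link, result in report.items():
            print(title, link, result)
        print(title, "VSAN 2 carried on:", links_carrying(2, report))
```

The "blocked" column lists VSANs that both switches have active but that an allowed list keeps off the link, which is the set to review when the allowed list is used to control access.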


Figure 24-8 Operational and Allowed VSAN Configuration
[Image not reproduced. Labels: Switch 1 (VSAN1 to VSAN5), Switch 2 (VSAN1 to VSAN3), Switch 3 (VSAN1,
VSAN2, VSAN4, VSAN5); "VSANs 1 and 3 are on the allowed list. VSANs 1 and 3 are operational.";
"VSANs 1 and 2 are on the allowed list. VSANs 1 and 2 are operational."; "VSANs 1, 2, 5 are on the
allowed list. VSANs 1, 2, 5 are operational."]

Configuring an Allowed-Active List of VSANs


To configure an allowed-active list of VSANs for an interface using Fabric Manager, follow these steps:

Step 1 Expand Interfaces and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the Trunk Config tab.
You see the current trunk configuration.
Step 3 Set Allowed VSANs to the list of allowed VSANs for each interface that you want to configure.
Step 4 Click Apply Changes to save these changes or click Undo Changes to discard any unsaved changes.

Default Settings
Table 24-4 lists the default settings for trunking parameters.

Table 24-4 Default Trunk Configuration Parameters

Parameters                     Default
Switch port trunk mode         ON on non-NPV and MDS core switches.
                               OFF on NPV switches.
Allowed VSAN list              1 to 4093 user-defined VSAN IDs.
Allowed VF-ID list             1 to 4093 user-defined VF-IDs.
Trunking protocol (E ports)    Enabled.
F port trunking protocol       Disabled


CHAPTER 25
Configuring Domain Parameters

The Fibre Channel domain (fcdomain) feature performs principal switch selection, domain ID
distribution, FC ID allocation, and fabric reconfiguration functions as described in the FC-SW-2
standards. The domains are configured on a per VSAN basis. If you do not configure a domain ID, the
local switch uses a random ID.

Caution Changes to fcdomain parameters should not be performed on a daily basis. These changes should be
made by an administrator or individual who is completely familiar with switch operations.

Tip When you change the configuration, be sure to save the running configuration. The next time you reboot
the switch, the saved configuration is used. If you do not save the configuration, the previously saved
startup configuration is used.

This chapter includes the following sections:


• Fibre Channel Domains
• Domain IDs
• FC IDs
• Displaying fcdomain Statistics
• Default Settings


Fibre Channel Domains


This section describes each fcdomain phase:
• Principal switch selection: This phase guarantees the selection of a unique principal switch across
  the fabric.
• Domain ID distribution: This phase guarantees each switch in the fabric obtains a unique domain
  ID.
• FC ID allocation: This phase guarantees a unique FC ID assignment to each device attached to the
  corresponding switch in the fabric.
• Fabric reconfiguration: This phase guarantees a resynchronization of all switches in the fabric to
  ensure they simultaneously restart a new principal switch selection phase.
Figure 25-1 shows a sample fcdomain configuration.

Figure 25-1 Sample fcdomain Configuration
[Image not reproduced. It shows Switch 2 (principal), Switch 7 (subordinate), and Switch 99 (subordinate),
each labeled with its local WWN, configured and runtime domain ID, configured and runtime priority, and
runtime fabric name, with attached devices labeled by FC IDs such as 7.0.1 and 99.0.1.]

Note Domain IDs and VSAN values used in all procedures are only provided as examples. Be sure to use IDs
and values that apply to your configuration.

This section describes the fcdomain feature and includes the following topics:
• About Domain Restart
• Restarting a Domain
• About Switch Priority
• Configuring Switch Priority
• About fcdomain Initiation
• Enabling or Disabling fcdomains
• Configuring Fabric Names
• About Incoming RCFs
• Rejecting Incoming RCFs
• About Autoreconfiguring Merged Fabrics
• Enabling Autoreconfiguration

About Domain Restart


Fibre Channel domains can be started disruptively or nondisruptively. If you perform a disruptive restart,
reconfigure fabric (RCF) frames are sent to other switches in the fabric and data traffic is disrupted on
all the switches in the VSAN (including remotely segmented ISLs). If you perform a nondisruptive
restart, build fabric (BF) frames are sent to other switches in the fabric and data traffic is disrupted only
on the switch.
If you are attempting to resolve a domain ID conflict, you must manually assign domain IDs. A
disruptive restart is required to apply most configuration changes, including manually assigned domain
IDs. Nondisruptive domain restarts are acceptable only when changing a preferred domain ID into a
static one (and the actual domain ID remains the same).

Note A static domain is specifically configured by the user and may be different from the runtime domain. If
the domain IDs are different, the runtime domain ID changes to take on the static domain ID after the
next restart, either disruptive or nondisruptive.

Tip If a VSAN is in interop mode, you cannot restart the fcdomain for that VSAN disruptively.

You can apply most of the configurations to their corresponding runtime values. Each of the following
sections provides further details on how the fcdomain parameters are applied to the runtime values.

Restarting a Domain


To restart the fabric disruptively or nondisruptively using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > VSANxx and then select Domain Manager in the Logical Domains pane for the
fabric and VSAN that you want to restart.
You see the Running tab configuration of the domain in the Information pane.

Figure 25-2 Running Domain Configuration

Step 2 Click the Configuration tab.


You see the switch configuration shown in Figure 25-3.

Figure 25-3 Configuring Domains

Step 3 Set the Restart drop-down menu to disruptive or nonDisruptive for any switch in the fabric on which
you want to restart the fcdomain.
Step 4 Click the Apply Changes icon to issue this fcdomain restart.


About Switch Priority


By default, the configured priority is 128. The valid range to set the priority is between 1 and 254.
Priority 1 has the highest priority. Value 255 is accepted from other switches, but cannot be locally
configured.
Any new switch can become the principal switch when it joins a stable fabric. During the principal
switch selection phase, the switch with the highest priority becomes the principal switch. If two switches
have the same configured priority, the switch with the lower WWN becomes the principal switch.
The priority configuration is applied to runtime when the fcdomain is restarted (see the "About Domain
Restart" section). This configuration is applicable to both disruptive and nondisruptive
restarts.
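
The selection rule described above, as an added Python example that is not Cisco code: it picks the principal switch from configured priorities and WWNs and reports when the intended principal would not win, or would win only on the WWN tie-break. The function names are hypothetical, and the switch names, priorities, and WWNs are constructed sample values in the style of Figure 25-1.

```python
def parse_wwn(text):
    """Convert 'hh:hh:hh:hh:hh:hh:hh:hh' to 8 bytes so WWNs compare numerically."""
    octets = text.strip().lower().split(":")
    if len(octets) != 8 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not an 8-octet WWN: {text!r}")
    return bytes(int(o, 16) for o in octets)


def check_priority(value, locally_configured=True):
    """1-254 can be configured locally; 255 is only accepted from other switches."""
    upper = 254 if locally_configured else 255
    if not 1 <= value <= upper:
        raise ValueError(f"priority {value} outside 1-{upper}")
    return value


def select_principal(switches):
    """Priority 1 is the highest; equal priorities fall back to the lower WWN."""
    return min(
        switches,
        key=lambda s: (check_priority(s["priority"], locally_configured=False),
                       parse_wwn(s["wwn"])),
    )


def audit_principal(switches, intended):
    """Return (winner name, findings) for the switches entering selection."""
    winner = select_principal(switches)
    findings = []
    if winner["name"] != intended:
        findings.append(
            f"{winner['name']} (priority {winner['priority']}) wins instead of {intended}"
        )
    tied = [s["name"] for s in switches if s["priority"] == winner["priority"]]
    if len(tied) > 1:
        findings.append("priority tie between " + ", ".join(tied) + "; lower WWN decides")
    return winner["name"], findings


def with_priority(switches, name, priority):
    """Copy of the switch list with one locally configured priority changed."""
    return [
        dict(s, priority=check_priority(priority)) if s["name"] == name else dict(s)
        for s in switches
    ]


# Constructed sample data: every switch left at the default priority of 128.
FABRIC_DEFAULT = [
    {"name": "Switch 2", "priority": 128, "wwn": "20:01:ab:ba:cd:dc:f4:00"},
    {"name": "Switch 7", "priority": 128, "wwn": "20:02:ab:ba:cd:dc:f4:00"},
    {"name": "Switch 99", "priority": 128, "wwn": "20:03:ab:ba:cd:dc:f4:00"},
]

# Intended principal given the highest priority explicitly.
FABRIC_PINNED = with_priority(FABRIC_DEFAULT, "Switch 2", 1)

# Constructed case: an added switch ("Switch 5") carries a better priority than
# the intended principal, which is still at the default.
FABRIC_DRIFT = FABRIC_DEFAULT + [
    {"name": "Switch 5", "priority": 64, "wwn": "20:05:ab:ba:cd:dc:f4:00"},
]

if __name__ == "__main__":
    for title, fabric in (("default", FABRIC_DEFAULT),
                          ("pinned", FABRIC_PINNED),
                          ("drift", FABRIC_DRIFT)):
        winner, findings = audit_principal(fabric, intended="Switch 2")
        print(f"{title}: principal = {winner}; findings = {findings or 'none'}")
```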

Configuring Switch Priority


To configure the priority for the principal switch using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > VSANxx and then select Domain Manager in the Logical Domains pane for the
fabric and VSAN that you want to set the principal switch priority for.
You see the domain's running configuration in the Information pane shown in Figure 25-4.

Figure 25-4 Running Domain Configuration

Step 2 Set Priority to a high value for the switch in the fabric that you want to be the principal switch.
Step 3 Click the Apply Changes icon to save these changes.

About fcdomain Initiation


By default, the fcdomain feature is enabled on each switch. If you disable the fcdomain feature in a
switch, that switch can no longer participate with other switches in the fabric. The fcdomain
configuration is applied to runtime through a disruptive restart.


Enabling or Disabling fcdomains


To disable fcdomains in a single VSAN or a range of VSANs using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > VSANxx and then select Domain Manager in the Logical Domains pane for the
fabric and VSAN that you want to disable fcdomain for.
You see the domain's running configuration in the Information pane.
Step 2 Click the Configuration tab and uncheck the Enable check box (see Figure 25-5) for each switch in the
fabric that you want to disable fcdomain on.

Figure 25-5 Configuring Domains

Step 3 Click the Apply Changes icon to save these changes.

Setting Fabric Names


To set the fabric name value for a disabled fcdomain using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > VSANxx and then select Domain Manager in the Logical Domains pane for the
fabric and VSAN that you want to set the fabric name for.
You see the running configuration of the domain in the Information pane.
Step 2 Click the Configuration tab and set the fabric name for each switch in the fabric.
Step 3 Click the Apply Changes icon to save these changes.

About Incoming RCFs


You can choose to reject RCF request frames on a per-interface, per-VSAN basis. By default, the RCF
reject option is disabled (that is, RCF request frames are not automatically rejected).
The RCF reject option takes immediate effect at runtime through a disruptive restart (see the "About
Domain Restart" section).


Rejecting Incoming RCFs


To reject incoming RCF request frames using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces and then select FC Physical in the Physical Attributes pane.
You see the Fibre Channel configuration in the Information pane.
Step 2 Click the Domain Mgr tab.
You see the information in Figure 25-6.

Figure 25-6 Rejecting Incoming RCF Request Frames

Step 3 Check the RcfReject check box for each interface that you want to reject RCF request frames on.
Step 4 Click the Apply Changes icon to save these changes.

About Autoreconfiguring Merged Fabrics


By default, the autoreconfigure option is disabled. When you join two switches belonging to two
different stable fabrics that have overlapping domains, the following cases apply:
• If the autoreconfigure option is enabled on both switches, a disruptive reconfiguration phase is
  started.
• If the autoreconfigure option is disabled on either or both switches, the links between the two
  switches become isolated.
The autoreconfigure option takes immediate effect at runtime. You do not need to restart the fcdomain.
If a domain is currently isolated due to domain overlap, and you later enable the autoreconfigure option
on both switches, the fabric continues to be isolated. If you enabled the autoreconfigure option on both
switches before connecting the fabric, a disruptive reconfiguration (RCF) will occur. A disruptive
reconfiguration may affect data traffic. You can nondisruptively reconfigure the fcdomain by changing
the configured domains on the overlapping links and getting rid of the domain overlap.


Enabling Autoreconfiguration
To enable automatic reconfiguration in a specific VSAN (or range of VSANs) using Fabric Manager,
follow these steps:

Step 1 Expand Fabricxx > VSANxx and then select Domain Manager in the Logical Domains pane for the
fabric and VSAN that you want to enable automatic reconfiguration for.
You see the running configuration of the domain in the Information pane.
Step 2 Select the Configuration tab and check the Auto Reconfigure check box for each switch in the fabric
that you want to automatically reconfigure.
Step 3 Click the Apply Changes icon to save these changes.

Domain IDs
Domain IDs uniquely identify a switch in a VSAN. A switch may have different domain IDs in different
VSANs. The domain ID is part of the overall FC ID.
This section describes how to configure domain IDs and includes the following topics:
• About Domain IDs
• Specifying Static or Preferred Domain IDs
• About Allowed Domain ID Lists
• Configuring Allowed Domain ID Lists
• About CFS Distribution of Allowed Domain ID Lists
• Enabling Distribution
• Locking the Fabric
• Committing Changes
• Discarding Changes
• Clearing a Fabric Lock
• Displaying Pending Changes
• Displaying Session Status
• About Contiguous Domain ID Assignments
• Enabling Contiguous Domain ID Assignments

About Domain IDs


The configured domain ID can be preferred or static. By default, the configured domain ID is 0 (zero)
and the configured type is preferred.

Note The 0 (zero) value can be configured only if you use the preferred option.

If you do not configure a domain ID, the local switch sends a random ID in its request. We recommend
that you use static domain IDs.
When a subordinate switch requests a domain, the following process takes place (see Figure 25-7):
1. The local switch sends a configured domain ID request to the principal switch.
2. The principal switch assigns the requested domain ID if available. Otherwise, it assigns another
available domain ID.

Figure 25-7 Configuration Process Using the preferred Option
[Figure: Switch 7 (subordinate, configured domain ID 7 preferred) and Switch 2 (principal, configured domain ID 0 (zero) preferred, runtime domain ID 3). 1. Request configured domain ID (7). 2. Requested domain ID assigned, if available (7). 3. Otherwise, another available domain ID assigned (51).]

The behavior for a subordinate switch changes based on three factors:
• The allowed domain ID lists.
• The configured domain ID.
• The domain ID that the principal switch has assigned to the requesting switch.
In specific situations, the changes are as follows:
• When the received domain ID is not within the allowed list, the requested domain ID becomes the
  runtime domain ID and all interfaces on that VSAN are isolated.
• When the assigned and requested domain IDs are the same, the preferred and static options are not
  relevant, and the assigned domain ID becomes the runtime domain ID.
• When the assigned and requested domain IDs are different, the following cases apply:
  - If the configured type is static, the assigned domain ID is discarded, all local interfaces are
    isolated, and the local switch assigns itself the configured domain ID, which becomes the
    runtime domain ID.

  - If the configured type is preferred, the local switch accepts the domain ID assigned by the
    principal switch and the assigned domain ID becomes the runtime domain ID.
If you change the configured domain ID, the change is accepted only if the new domain ID is included
in all the allowed domain ID lists currently configured in the VSAN. Alternatively, you can
configure a zero-preferred domain ID.
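
The rules above can be written as a small decision function for planning a fabric merge. This is an added example, not Cisco or Fabric Manager code; the function names, the tuple layout, and the sample switch names are assumptions made for illustration.

```python
from dataclasses import dataclass

VALID_TYPES = ("static", "preferred")


@dataclass(frozen=True)
class Outcome:
    runtime_domain_id: int
    isolated: bool
    reason: str


def subordinate_outcome(configured_id, configured_type, assigned_id, allowed):
    """Return the runtime domain ID and isolation state for one subordinate switch.

    configured_id   -- domain ID the switch requests (0 means no specific ID)
    configured_type -- "static" or "preferred"
    assigned_id     -- domain ID handed back by the principal switch
    allowed         -- collection of IDs in the local allowed domain ID list
    """
    if configured_type not in VALID_TYPES:
        raise ValueError(f"unknown configured type: {configured_type!r}")
    if configured_id == 0 and configured_type != "preferred":
        # Per the guide, 0 can be configured only with the preferred option.
        raise ValueError("domain ID 0 is valid only with the preferred option")

    # Rule 1: assigned ID outside the allowed list -> requested ID, isolated.
    if assigned_id not in allowed:
        return Outcome(configured_id, True, "assigned ID is outside the allowed list")
    # Rule 2: assigned equals requested -> type is irrelevant.
    if assigned_id == configured_id:
        return Outcome(assigned_id, False, "assigned ID matches the request")
    # Rule 3a: static and different -> discard assignment, isolate, keep own ID.
    if configured_type == "static":
        return Outcome(configured_id, True, "static request not granted")
    # Rule 3b: preferred and different -> accept the principal's choice.
    return Outcome(assigned_id, False, "preferred request; assignment accepted")


def audit_vsan(switches, allowed):
    """Evaluate every switch in one VSAN.

    switches -- list of (name, configured_id, configured_type, assigned_id)
    Returns (outcomes_by_name, mixed_types). mixed_types is True when the
    VSAN mixes static and preferred types, which the guide warns can cause
    link isolation.
    """
    outcomes = {
        name: subordinate_outcome(cid, ctype, aid, allowed)
        for name, cid, ctype, aid in switches
    }
    mixed_types = len({ctype for _, _, ctype, _ in switches}) > 1
    return outcomes, mixed_types


# Constructed sample: the two cases of Figure 25-7 plus a static switch
# whose requested ID was not granted. Switch names are hypothetical.
SAMPLE = [
    ("switch7-a", 7, "preferred", 7),
    ("switch7-b", 7, "preferred", 51),
    ("switch9", 7, "static", 51),
]

if __name__ == "__main__":
    results, mixed = audit_vsan(SAMPLE, range(1, 240))
    for name, outcome in results.items():
        print(name, outcome)
    print("mixed static/preferred types:", mixed)
```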

Tip When the FICON feature is enabled in a given VSAN, the domain ID for that VSAN remains in the static
state. You can change the static ID value but you cannot change it to the preferred option.

Note In an IVR without NAT configuration, if one VSAN in the IVR topology is configured with static domain
IDs, then the other VSANs (edge or transit) in the topology should also be configured with static domain
IDs.

In an IVR NAT configuration, if one VSAN in the IVR topology is configured with static domain IDs,
then the IVR domains that can be exported to that VSAN must also be assigned static domains.

Caution You must restart the fcdomain if you want to apply the configured domain changes to the runtime
domain.

Note If you have configured an allowed domain ID list, the domain IDs that you add must be in that range for
the VSAN. See the About Allowed Domain ID Lists section on page 25-11.

Specifying Static or Preferred Domain IDs


When you assign a static domain ID type, you are requesting a particular domain ID. If the switch does
not get the requested address, it will isolate itself from the fabric. When you specify a preferred domain
ID, you are also requesting a particular domain ID; however, if the requested domain ID is unavailable,
then the switch will accept another domain ID.
While the static option can be applied at runtime after a disruptive or non-disruptive restart, the preferred
option is applied at runtime only after a disruptive restart (see the About Domain Restart section on
page 25-3).

Note Within a VSAN, all switches should have the same domain ID type (either static or preferred). If a
configuration is mixed (some switches with static domain types and others with preferred), then you may
experience link isolation.

To specify a static or preferred domain ID using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > VSANxx and then select Domain Manager in the Logical Domains pane for the
fabric and VSAN that you want to configure the domain ID for.
You see the running configuration of the domain in the Information pane.

Step 2 Enter a value for the Config DomainID and select static or preferred from the Config Type drop-down
menu to set the domain ID for switches in the fabric.
Step 3 Click the Apply Changes icon to save these changes.

About Allowed Domain ID Lists


By default, the valid range for an assigned domain ID list is from 1 to 239. You can specify a list of
ranges to be in the allowed domain ID list and separate each range with a comma. The principal switch
assigns domain IDs that are available in the locally configured allowed domain list.
Use allowed domain ID lists to design your VSANs with non-overlapping domain IDs. This helps you
in the future if you need to implement IVR without the NAT feature.

Tip If you configure an allowed list on one switch in the fabric, we recommend you configure the same list
in all other switches in the fabric to ensure consistency or use CFS to distribute the configuration.

An allowed domain ID list must satisfy the following conditions:

• If this switch is a principal switch, all the currently assigned domain IDs must be in the allowed list.
• If this switch is a subordinate switch, the local runtime domain ID must be in the allowed list.
• The locally configured domain ID of the switch must be in the allowed list.
• The intersection of the assigned domain IDs with other already configured domain ID lists must not
  be empty.
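
The four conditions can be checked offline before a list is committed and distributed. The following is an added example, not Cisco code: the hyphenated range syntax ("1-50"), the function names, the sample values, and the treatment of a zero-preferred configured ID as exempt are assumptions.

```python
DOMAIN_MIN, DOMAIN_MAX = 1, 239  # default valid range given in the guide


def parse_allowed_list(text):
    """Parse a comma-separated list such as "1-50,60,100-239" into a set of IDs."""
    ids = set()
    for part in text.split(","):
        part = part.strip()
        low, dash, high = part.partition("-")
        try:
            first = int(low)
            last = int(high) if dash else first
        except ValueError:
            raise ValueError(f"not a domain ID or range: {part!r}") from None
        if not DOMAIN_MIN <= first <= last <= DOMAIN_MAX:
            raise ValueError(f"range outside {DOMAIN_MIN}-{DOMAIN_MAX}: {part!r}")
        ids.update(range(first, last + 1))
    return ids


def check_allowed_list(candidate, *, is_principal, assigned_ids=(),
                       runtime_id=None, configured_id=0, other_lists=()):
    """Return a list of violated conditions (an empty list means acceptable).

    candidate     -- set of IDs from parse_allowed_list()
    is_principal  -- True when the local switch is the principal switch
    assigned_ids  -- domain IDs currently assigned in the VSAN
    runtime_id    -- local runtime domain ID (checked on subordinate switches)
    configured_id -- locally configured domain ID
    other_lists   -- allowed lists already configured elsewhere in the VSAN
    """
    problems = []
    assigned = set(assigned_ids)

    if is_principal:
        missing = sorted(assigned - candidate)
        if missing:
            problems.append(f"assigned domain IDs not in list: {missing}")
    elif runtime_id not in candidate:
        problems.append(f"local runtime domain ID {runtime_id} not in list")

    # Assumption: a configured ID of 0 (zero-preferred) is exempt, because
    # 0 is never a member of the 1-239 range.
    if configured_id != 0 and configured_id not in candidate:
        problems.append(f"configured domain ID {configured_id} not in list")

    for index, other in enumerate(other_lists):
        if assigned and not assigned & set(other):
            problems.append(
                f"no assigned domain ID appears in other configured list #{index}"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample: a principal switch that has assigned 3, 7 and 51.
    for text in ("1-50", "1-60,100-239"):
        result = check_allowed_list(
            parse_allowed_list(text),
            is_principal=True,
            assigned_ids={3, 7, 51},
            configured_id=3,
        )
        print(text, "->", result or "ok")
```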

Configuring Allowed Domain ID Lists


To configure the allowed domain ID list using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > VSANxx > Domain Manager and then select Allowed in the Logical Domains pane
for the fabric and VSAN for which you want to set the allowed domain ID list.
You see the CFS configuration in the Information pane (see Figure 25-8).

Figure 25-8 Allowed CFS Configuration Information

Step 2 Set the Admin drop-down menu to enable and set the Global drop-down menu to enable.

Step 3 Click Apply Changes to enable CFS distribution for the allowed domain ID list.
Step 4 Select the Allowed DomainIds tab.
You see the Allowed Domain ID screen shown in Figure 25-9.

Figure 25-9 Allowed Domain ID List

Step 5 Set the list to the allowed domain IDs list for this domain.
Step 6 Select the CFS tab and set Config Action to commit.
Step 7 Click the Apply Changes icon to commit this allowed domain ID list and distribute it throughout the
VSAN.

About CFS Distribution of Allowed Domain ID Lists


You can enable the distribution of the allowed domain ID lists configuration information to all Cisco
MDS switches in the fabric using the Cisco Fabric Services (CFS) infrastructure. This feature allows you
to synchronize the configuration across the fabric from the console of a single MDS switch. Since the
same configuration is distributed to the entire VSAN, you avoid possible misconfiguration and the
likelihood that two switches in the same VSAN have configured incompatible allowed domains.

Note All switches in the fabric must be running Cisco SAN-OS Release 3.0(1) or later to distribute the allowed
domain ID list using CFS.

Use CFS to distribute the allowed domain ID list to ensure consistency in the allowed domain ID lists
on all switches in the VSAN.

Note We recommend configuring the allowed domain ID list and committing it on the principal switch.

For more information about CFS, see Chapter 13, Using the CFS Infrastructure.

Enabling Distribution
CFS distribution of allowed domain ID lists is disabled by default. You must enable distribution on all
switches to which you want to distribute the allowed domain ID lists.
To enable (or disable) allowed domain ID list configuration distribution using Fabric Manager, follow
these steps:

Step 1 Expand Fabricxx > VSANxx > Domain Manager and then select Allowed in the Logical Domains pane
for the fabric and VSAN that you want to set the allowed domain ID list for.
You see the CFS configuration in the Information pane.
Step 2 Set both the Admin drop-down menu and the Global drop-down menu to enable.
Step 3 Click the Apply Changes icon to enable CFS distribution for the allowed domain ID list.

Locking the Fabric


The first action that modifies the existing configuration creates the pending configuration and locks the
feature in the fabric. Once you lock the fabric, the following conditions apply:
• No other user can make any configuration changes to this feature.
• A pending configuration is created by copying the active configuration. Modifications from this
  point on are made to the pending configuration and remain there until you commit the changes to
  the active configuration (and other switches in the fabric) or discard them.

Committing Changes
To apply the pending domain configuration changes to other MDS switches in the VSAN, you must
commit the changes. The pending configuration changes are distributed and, on a successful commit, the
configuration changes are applied to the active configuration in the MDS switches throughout the VSAN
and the fabric lock is released.
To commit pending domain configuration changes and release the lock using Fabric Manager, follow
these steps:

Step 1 Expand Fabricxx > VSANxx > Domain Manager and then select Allowed in the Logical Domains pane
for the fabric and VSAN that you want to set the allowed domain ID list for.
You see the CFS configuration in the Information pane.
Step 2 Set the Config Action drop-down menu to commit.
Step 3 Click the Apply Changes icon to commit the allowed domain ID list and distribute it throughout the
VSAN.

Discarding Changes
At any time, you can discard the pending changes to the domain configuration and release the fabric lock.
If you discard (abort) the pending changes, the configuration remains unaffected and the lock is released.
To discard pending domain configuration changes and release the lock using Fabric Manager, follow
these steps:

Step 1 Expand Fabricxx > VSANxx > Domain Manager and then select Allowed in the Logical Domains pane
for the fabric and VSAN that you want to set the allowed domain ID list for.
You see the CFS configuration in the Information pane.
Step 2 Set the Config Action drop-down menu to abort.
Step 3 Click the Apply Changes icon to discard any pending changes to the allowed domain ID list.

Clearing a Fabric Lock


If you have performed a domain configuration task and have not released the lock by either committing
or discarding the changes, an administrator can release the lock from any switch in the fabric. If the
administrator performs this task, your pending changes are discarded and the fabric lock is released.

Tip The pending changes are only available in the volatile directory and are discarded if the switch is
restarted.

To release a fabric lock using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > VSANxx > Domain Manager and then select AllowedId in the Logical Domains
pane for the fabric and VSAN for which you want the allowed domain ID list.
You see the CFS configuration in the Information pane.
Step 2 Set the Config Action drop-down menu to clear.
Step 3 Click the Apply Changes icon to clear the fabric lock.

Displaying Pending Changes


To display the pending configuration changes using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > VSANxx > Domain Manager > Allowed in the Logical Domains pane for the fabric
and VSAN that you want to set the allowed domain ID list for.
You see the CFS configuration in the Information pane.
Step 2 Set the Config View As drop-down menu to pending.
Step 3 Click the Apply Changes icon to clear the fabric lock.
Step 4 Click the AllowedDomainIds tab.
You see the pending configuration for the allowed domain IDs list.


Displaying Session Status


To display the status of the distribution session using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > VSANxx > Domain Manager and then select Allowed in the Logical Domains pane
for the fabric and VSAN for which you want to set the allowed domain ID list.
Step 2 View the CFS configuration and session status in the Information pane.

About Contiguous Domain ID Assignments


By default, the contiguous domain assignment is disabled. When a subordinate switch requests two or
more domains from the principal switch and the domains are not contiguous, the following cases apply:
• If the contiguous domain assignment is enabled in the principal switch, the principal switch locates
  contiguous domains and assigns them to the subordinate switches. If contiguous domains are not
  available, the NX-OS software rejects this request.
• If the contiguous domain assignment is disabled in the principal switch, the principal switch assigns
  the available domains to the subordinate switch.

Enabling Contiguous Domain ID Assignments

To enable contiguous domains in a specific VSAN (or a range of VSANs) using Fabric Manager, follow
these steps:

Step 1 Expand Fabricxx > VSANxx and then select Domain Manager in the Logical Domains pane for the
fabric and VSAN that you want to enable contiguous domains for.
You see the running configuration of the domain in the Information pane.
Step 2 Click the Configuration tab and check the Contiguous Allocation check box for each switch in the
fabric that will have contiguous allocation.
Step 3 Click the Apply Changes icon to save these changes.

FC IDs
When an N or NL port logs into a Cisco MDS 9000 Family switch, it is assigned an FC ID. By default,
the persistent FC ID feature is enabled. If this feature is disabled, the following consequences apply:
• An N or NL port logs into a Cisco MDS 9000 Family switch. The WWN of the requesting N or NL
  port and the assigned FC ID are retained and stored in a volatile cache. The contents of this volatile
  cache are not saved across reboots.
• The switch is designed to preserve the binding of the FC ID to the WWN on a best-effort basis. For
  example, if one N port disconnects from the switch and its FC ID is requested by another device,
  this request is granted and the WWN with the initial FC ID association is released.
• The volatile cache stores up to 4000 entries of WWN to FC ID binding. If this cache is full, a new
  (more recent) entry overwrites the oldest entry in the cache. In this case, the corresponding WWN
  to FC ID association for the oldest entry is lost.
• The switch connection behavior differs between N ports and NL ports:
  - N ports receive the same FC IDs if disconnected and reconnected to any port within the same
    switch (as long as it belongs to the same VSAN).
  - NL ports receive the same FC IDs only if connected back to the same port on the switch to which
    they were originally connected.
This section describes configuring FC IDs and includes the following topics:
• About Persistent FC IDs
• Enabling the Persistent FC ID Feature
• About Persistent FC ID Configuration
• Configuring Persistent FC IDs
• About Unique Area FC IDs for HBAs
• Configuring Unique Area FC IDs for an HBA
• About Persistent FC ID Selective Purging
• Purging Persistent FC IDs


About Persistent FC IDs


When persistent FC IDs are enabled, the following consequences apply:
• The FC IDs currently in use in the fcdomain are saved across reboots.
• The fcdomain automatically populates the database with dynamic entries that the switch has learned
  about after a device (host or disk) is plugged into a port interface.

Note If you connect to the switch from an AIX or HP-UX host, be sure to enable the persistent FC ID feature
in the VSAN that connects these hosts.

Note Persistent FC IDs are enabled by default. This change of default behavior from releases prior to Cisco MDS
SAN-OS Release 2.0(1b) prevents FC IDs from being changed after a reboot. You can disable this option
for each VSAN.

A persistent FC ID assigned to an F port can be moved across interfaces and can continue to maintain
the same persistent FC ID.

Note Persistent FC IDs with loop-attached devices (FL ports) need to remain connected to the same port in
which they were configured.

Note Due to differences in Arbitrated Loop Physical Address (ALPA) support on devices, FC ID persistency
for loop-attached devices is not guaranteed.

Enabling the Persistent FC ID Feature


To enable the persistent FC ID feature using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > VSANxx and then select Domain Manager in the Logical Domains pane for the
fabric and VSAN that you want to enable the Persistent FC ID feature for.
You see the running configuration of the domain in the Information pane.
Step 2 Select the Persistent Setup tab and check the enable check box for each switch in the fabric that will
have persistent FC ID enabled.
Step 3 Click the Apply Changes icon to save these changes.

About Persistent FC ID Configuration


When the persistent FC ID feature is enabled, you can enter the persistent FC ID submode and add static
or dynamic entries in the FC ID database. By default, all added entries are static. Persistent FC IDs are
configured on a per-VSAN basis. Follow these requirements to manually configure a persistent FC ID:
• Ensure that the persistent FC ID feature is enabled in the required VSAN.

• Ensure that the required VSAN is an active VSAN. Persistent FC IDs can only be configured on
  active VSANs.
• Verify that the domain part of the FC ID is the same as the runtime domain ID in the required VSAN.
  If the software detects a domain mismatch, the command is rejected.
• Verify that the port field of the FC ID is 0 (zero) when configuring an area.

Note FICON uses a different scheme for allocating FC IDs based on the front panel port number. This scheme
takes precedence over FC ID persistence in FICON VSANs.

Configuring Persistent FC IDs

To configure persistent FC IDs using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > VSANxx and then select Domain Manager in the Logical Domains pane for the
fabric and VSAN that you want to configure the Persistent FC ID list for.
You see the running configuration of the domain in the Information pane.
Step 2 Click the Persistent FcIds tab and click Create Row.
You see the Create Persistent FC IDs dialog box shown in Figure 25-10.

Figure 25-10 Create Persistent FC IDs Dialog Box

Step 3 Select the switch, WWN, and FC ID that you want to make persistent.
Step 4 Set the Mask radio button to single or area.
Step 5 Set the Assignment radio button to static or dynamic.
Step 6 Click the Apply Changes icon to save these changes.

About Unique Area FC IDs for HBAs

Note Read this section only if the HBA port and the storage port are connected to the same switch.

Some HBA ports require a different area ID than storage ports when they are both connected to the same
switch. For example, if the storage port FC ID is 0x6f7704, the area for this port is 77. In this case, the
HBA port's area can be anything other than 77. The HBA port's FC ID must be manually configured to
be different from the storage port's FC ID.
Switches in the Cisco MDS 9000 Family facilitate this requirement with the FC ID persistence feature.
You can use this feature to preassign an FC ID with a different area to either the storage port or the HBA
port. The procedure in this example uses a switch domain of 111 (6f hex). The HBA port connects to
interface fc1/9 and the storage port connects to interface fc1/10 in the same switch.
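
The persistent FC ID requirements listed earlier (domain part equal to the runtime domain ID, port field 0 for an area entry) and the unique-area rule above both depend on splitting the 24-bit FC ID into domain, area, and port bytes. This added example, which is not Cisco code, performs those checks; the function names and the HBA FC ID are constructed, and only 0x6f7704 and domain 111 come from the text.

```python
from typing import NamedTuple


class FcId(NamedTuple):
    domain: int
    area: int
    port: int

    def __str__(self):
        return f"0x{self.domain:02x}{self.area:02x}{self.port:02x}"


def parse_fcid(text):
    """Split a hex FC ID such as "0x6f7704" into domain, area and port bytes."""
    value = int(text, 16)
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError(f"FC ID must fit in 24 bits: {text!r}")
    return FcId(value >> 16, (value >> 8) & 0xFF, value & 0xFF)


def check_persistent_entry(fcid_text, mask, runtime_domain):
    """Return the requirements a proposed persistent FC ID entry violates.

    mask is "single" or "area", matching the Mask setting in the procedure.
    """
    if mask not in ("single", "area"):
        raise ValueError(f"unknown mask: {mask!r}")
    fcid = parse_fcid(fcid_text)
    problems = []
    if fcid.domain != runtime_domain:
        problems.append(
            f"domain {fcid.domain} does not match runtime domain {runtime_domain}"
        )
    if mask == "area" and fcid.port != 0:
        problems.append("port field must be 0 when configuring an area")
    return problems


def shares_area(fcid_a, fcid_b):
    """True when two FC IDs sit in the same domain and the same area."""
    a, b = parse_fcid(fcid_a), parse_fcid(fcid_b)
    return (a.domain, a.area) == (b.domain, b.area)


def move_to_area(fcid_text, new_area, taken_fcids):
    """Return fcid_text with its area byte replaced by new_area.

    Refuses an area already used by any FC ID in taken_fcids on the same domain.
    """
    if not 0 <= new_area <= 0xFF:
        raise ValueError("area must fit in one byte")
    fcid = parse_fcid(fcid_text)
    for other in map(parse_fcid, taken_fcids):
        if other.domain == fcid.domain and other.area == new_area:
            raise ValueError(f"area {new_area:02x} is already used by {other}")
    return str(fcid._replace(area=new_area))


STORAGE_FCID = "0x6f7704"  # storage port FC ID from the text
HBA_FCID = "0x6f7705"      # constructed: an HBA that landed in the same area
RUNTIME_DOMAIN = 111       # switch domain from the text (6f hex)

if __name__ == "__main__":
    print("same area:", shares_area(HBA_FCID, STORAGE_FCID))
    proposed = move_to_area(HBA_FCID, 0xEE, [STORAGE_FCID])
    print("proposed HBA FC ID:", proposed)
    print("problems:", check_persistent_entry(proposed, "single", RUNTIME_DOMAIN))
```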

Configuring Unique Area FC IDs for an HBA


To configure a different area ID for the HBA port using Fabric Manager, follow these steps:

Step 1 Expand End Device in the Physical Attributes pane and select the FLOGI tab in the Information pane
to obtain the port WWN (Port Name field) of the HBA (see Figure 25-11).

Figure 25-11 FLOGI Database Information in Fabric Manager

Note Both FC IDs in this setup have the same area 00 assignment.

Step 2 Expand Switches > Interfaces and then select FC Physical from the Physical Attributes pane.
Step 3 Set the Status Admin drop-down menu to down for the interface that the HBA is connected to.
This shuts down the HBA interface in the MDS switch.
Step 4 Expand Fabricxx > VSANxx and then select Domain Manager.
Step 5 Click the Persistent Setup tab in the Information pane to verify that the FC ID feature is enabled (see
Figure 25-12).

Figure 25-12 Persistent FC ID Information in Fabric Manager

If this feature is disabled, continue with this procedure to enable persistent FC ID.
If this feature is already enabled, skip to Step 7.
Step 6 Check the Enable check box to enable the persistent FC ID feature in the Cisco MDS switch (see
Figure 25-13).
Step 7 Select the Persistent FcIds tab and assign a new FC ID with a different area allocation in the FcId field.
In this example, we replace 00 with ee (see Figure 25-13).

Figure 25-13 Setting the FC ID in Fabric Manager

Step 8 Click Apply Changes to save this new FC ID.


Step 9 Compare the FC ID values to verify the FC ID of the HBA.

Note Both FC IDs now have different area assignments.

Step 10 Expand Switches > Interfaces and then select FC Physical from the Physical Attributes pane.
Step 11 Set the Status Admin drop-down menu to up for the interface that the HBA is connected to.
This enables the HBA interface in the MDS switch.

About Persistent FC ID Selective Purging


Persistent FC IDs can be purged selectively. Static entries and FC IDs currently in use cannot be deleted.
Table 25-1 identifies the FC ID entries that are deleted or retained when persistent FC IDs are purged.

Table 25-1 Purged FC IDs

Persistent FC ID State    Persistent Usage State    Action
Static                    In use                    Not deleted
Static                    Not in use                Not deleted
Dynamic                   In use                    Not deleted
Dynamic                   Not in use                Deleted

Purging Persistent FC IDs


To purge persistent FC IDs using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > All VSANs > Domain Manager in the Logical Domains pane for the fabric that you
want to purge the Persistent FC IDs for. You see the running configuration of the domain in the
Information pane.
Step 2 Click the Persistent Setup tab.
You see the persistent FC ID setup in the Information pane shown in Figure 25-14.

Figure 25-14 Persistent FC ID Information in Fabric Manager

Step 3 Check the Purge check box for the switch that you want to purge persistent FC IDs on (see
Figure 25-14).
Step 4 Click the Apply Changes icon to save these changes.

Displaying fcdomain Statistics


Fabric Manager collects statistics for fcdomain and displays them in the Information pane.
To display fcdomain statistics using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > All VSANs and then select Domain Manager in the Logical Domains pane for the
fabric that you want to display statistics for.
You see the running configuration of the domain in the Information pane.
Step 2 Click the Statistics tab. You see the FC ID statistics in the Information pane.

Default Settings
Table 25-2 lists the default settings for all fcdomain parameters.

Table 25-2 Default fcdomain Parameters

Parameters                                           Default
fcdomain feature                                     Enabled.
Configured domain ID                                 0 (zero).
Configured domain                                    Preferred.
autoreconfigure option                               Disabled.
contiguous-allocation option                         Disabled.
Priority                                             128.
Allowed list                                         1 to 239.
Fabric name                                          20:01:00:05:30:00:28:df.
rcf-reject                                           Disabled.
Persistent FC ID                                     Enabled.
Allowed domain ID list configuration distribution    Disabled.


PART 4

Fabric Configuration

CHAPTER 26
Configuring and Managing VSANs

You can achieve higher security and greater stability in Fibre Channel fabrics by using virtual SANs
(VSANs) on Cisco MDS 9000 Family switches and Cisco Nexus 5000 Series switches. VSANs provide
isolation among devices that are physically connected to the same fabric. With VSANs you can create
multiple logical SANs over a common physical infrastructure. Each VSAN can contain up to 239
switches and has an independent address space that allows identical Fibre Channel IDs (FC IDs) to be
used simultaneously in different VSANs. This chapter includes the following sections:
• About VSANs
• VSAN Configuration
• Default Settings

About VSANs
A VSAN is a virtual storage area network (SAN). A SAN is a dedicated network that interconnects hosts
and storage devices primarily to exchange SCSI traffic. In SANs you use the physical links to make these
interconnections. A set of protocols run over the SAN to handle routing, naming, and zoning. You can
design multiple SANs with different topologies.
This section describes VSANs and includes the following topics:
• VSAN Topologies
• VSAN Advantages
• VSANs Versus Zones

VSAN Topologies
With the introduction of VSANs, the network administrator can build a single topology containing
switches, links, and one or more VSANs. Each VSAN in this topology has the same behavior and
properties as a SAN. A VSAN has the following additional features:
• Multiple VSANs can share the same physical topology.
• The same Fibre Channel IDs (FC IDs) can be assigned to a host in another VSAN, thus increasing
  VSAN scalability.
• Every instance of a VSAN runs all required protocols such as FSPF, domain manager, and zoning.
• Fabric-related configurations in one VSAN do not affect the associated traffic in another VSAN.

• Events causing traffic disruptions in one VSAN are contained within that VSAN and are not
  propagated to other VSANs.
The switch icons shown in both Figure 26-1 and Figure 26-2 indicate that these features apply to any
switch in the Cisco MDS 9000 Family.
Figure 26-1 shows a fabric with three switches, one on each floor. The geographic location of the
switches and the attached devices is independent of their segmentation into logical VSANs. No
communication between VSANs is possible. Within each VSAN, all members can talk to one another.

Figure 26-1 Logical VSAN Segmentation
[Figure not reproduced. Labels: Engineering VSAN, Marketing VSAN, Accounting VSAN; Switch 1 (Floor 3), Switch 2 (Floor 2), Switch 3 (Floor 1).]

Figure 26-2 shows a physical Fibre Channel switching infrastructure with two defined VSANs: VSAN
2 (dashed) and VSAN 7 (solid). VSAN 2 includes hosts H1 and H2, application servers AS2 and AS3,
and storage arrays SA1 and SA4. VSAN 7 connects H3, AS1, SA2, and SA3.

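Figure 26-2 Example of Two VSANs
[Figure not reproduced. Labels: hosts H1, H2, H3; application servers AS1, AS2, AS3; four Fibre Channel (FC) switches; storage arrays SA1, SA2, SA3, SA4. Legend: link in VSAN 2, link in VSAN 7, trunk link.]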

The four switches in this network are interconnected by trunk links that carry both VSAN 2 and
VSAN 7 traffic. The inter-switch topologies of VSAN 2 and VSAN 7 are identical. This is not a
requirement; a network administrator can enable certain VSANs on certain links to create different
VSAN topologies.
Without VSANs, a network administrator would need separate switches and links for separate SANs. By
enabling VSANs, the same switches and links may be shared by multiple VSANs. VSANs allow SANs
to be built on port granularity instead of switch granularity. Figure 26-2 illustrates that a VSAN is a
group of hosts or storage devices that communicate with each other using a virtual topology defined on
the physical SAN.
The criteria for creating such groups differ based on the VSAN topology:
VSANs can separate traffic based on the following requirements:
    Different customers in storage provider data centers
    Production or test in an enterprise network
    Low and high security requirements
    Backup traffic on separate VSANs
    Replicating data from user traffic
VSANs can meet the needs of a particular department or application.

VSAN Advantages
VSANs offer the following advantages:

Traffic isolation: Traffic is contained within VSAN boundaries and devices reside only in one
VSAN, ensuring absolute separation between user groups, if desired.
Scalability: VSANs are overlaid on top of a single physical fabric. The ability to create several
logical VSAN layers increases the scalability of the SAN.
Per VSAN fabric services: Replication of fabric services on a per VSAN basis provides increased
scalability and availability.
Redundancy: Several VSANs created on the same physical SAN ensure redundancy. If one VSAN
fails, redundant protection (to another VSAN in the same physical SAN) is configured using a
backup path between the host and the device.
Ease of configuration: Users can be added, moved, or changed between VSANs without changing
the physical structure of a SAN. Moving a device from one VSAN to another only requires
configuration at the port level, not at a physical level.
Up to 1024 VSANs can be configured in a switch. Of these, one is a default VSAN (VSAN 1), and
another is an isolated VSAN (VSAN 4094). User-specified VSAN IDs range from 2 to 4093.

VSANs Versus Zones


You can define multiple zones in a VSAN. Because two VSANs are equivalent to two unconnected
SANs, zone A on VSAN 1 is different and separate from zone A in VSAN 2. Table 26-1 lists the
differences between VSANs and zones.

Table 26-1 VSAN and Zone Comparison

| VSAN Characteristic | Zone Characteristic |
| --- | --- |
| VSANs equal SANs with routing, naming, and zoning protocols. | Routing, naming, and zoning protocols are not available on a per-zone basis. |
| - | Zones are always contained within a VSAN. Zones never span two VSANs. |
| VSANs limit unicast, multicast, and broadcast traffic. | Zones limit unicast traffic. |
| Membership is typically defined using the VSAN ID to Fx ports. | Membership is typically defined by the pWWN. |
| An HBA or a storage device can belong only to a single VSAN: the VSAN associated with the Fx port. | An HBA or storage device can belong to multiple zones. |
| VSANs enforce membership at each E port, source port, and destination port. | Zones enforce membership only at the source and destination ports. |
| VSANs are defined for larger environments (storage service providers). | Zones are defined for a set of initiators and targets not visible outside the zone. |
| VSANs encompass the entire fabric. | Zones are configured at the fabric edge. |

Figure 26-3 shows the possible relationships between VSANs and zones. In VSAN 2, three zones are
defined: zone A, zone B, and zone C. Zone C overlaps both zone A and zone B as permitted by Fibre
Channel standards. In VSAN 7, two zones are defined: zone A and zone D. No zone crosses the VSAN
boundary; they are completely contained within the VSAN. Zone A defined in VSAN 2 is different and
separate from zone A defined in VSAN 7.

Figure 26-3 VSANs with Zoning
[Figure not reproduced. Physical topology with hosts H1, H2, H3, application servers AS1, AS2, AS3, and storage arrays SA1, SA2, SA3, SA4; zones A, B, and C in VSAN 2, and zones A and D in VSAN 7.]

VSAN Configuration
VSANs have the following attributes:
VSAN ID: The VSAN ID identifies the VSAN as the default VSAN (VSAN 1), user-defined
VSANs (VSAN 2 to 4093), and the isolated VSAN (VSAN 4094).
State: The administrative state of a VSAN can be configured to an active (default) or suspended
state. Once VSANs are created, they may exist in various conditions or states.
    The active state of a VSAN indicates that the VSAN is configured and enabled. By enabling a
    VSAN, you activate the services for that VSAN.
    The suspended state of a VSAN indicates that the VSAN is configured but not enabled. If a port
    is configured in this VSAN, it is disabled. Use this state to deactivate a VSAN without losing
    the VSAN's configuration. All ports in a suspended VSAN are disabled. By suspending a
    VSAN, you can preconfigure all the VSAN parameters for the whole fabric and activate the
    VSAN immediately.
VSAN name: This text string identifies the VSAN for management purposes. The name can be
from 1 to 32 characters long and it must be unique across all VSANs. By default, the VSAN name
is a concatenation of "VSAN" and a four-digit string representing the VSAN ID. For example, the
default name for VSAN 3 is VSAN0003.

Note A VSAN name must be unique.

Load balancing attributes: These attributes indicate the use of the source-destination ID (src-dst-id)
or the originator exchange OX ID (src-dst-ox-id, the default) for load balancing path selection.

Note OX ID based load balancing of IVR traffic from IVR-enabled switches is not supported on
Generation 1 switching modules. OX ID based load balancing of IVR traffic from a non-IVR
MDS switch should work. Generation 2 switching modules support OX ID based load
balancing of IVR traffic from IVR-enabled switches.

This section describes how to create and configure VSANs and includes the following topics:
About VSAN Creation
Creating VSANs Statically
About Port VSAN Membership
Assigning Static Port VSAN Membership
About the Default VSAN
About the Isolated VSAN
Displaying Isolated VSAN Membership
Operational State of a VSAN
Mapping VSANs to VLANs
About Static VSAN Deletion
Deleting Static VSANs
About Load Balancing
Configuring Load Balancing
About Interop Mode
About FICON VSANs

About VSAN Creation


A VSAN is in the operational state if the VSAN is active and at least one port is up. This state indicates
that traffic can pass through this VSAN. This state cannot be configured.

Creating VSANs Statically


You cannot configure any application-specific parameters for a VSAN before creating the VSAN.
To create and configure VSANs using Fabric Manager, follow these steps:

Step 1 Click the Create VSAN icon (see Figure 26-4).

Figure 26-4 Create VSAN Icon

You see the Create VSAN dialog box in Figure 26-5.

Figure 26-5 Create VSAN Dialog Box

Note As of Cisco SAN-OS Release 3.1(2) and later, if you check the Static Domain IDs check box,
Fabric Manager creates the VSAN in suspended mode and then automatically activates the
VSAN.

Step 2 Check the switches that you want in this VSAN.


Step 3 Fill in the VSAN Name and VSAN ID fields.
Step 4 Set the LoadBalancing value and the InterOperValue.
Step 5 Set the Admin State to active or suspended.
Step 6 Check the Static Domain Ids check box to assign an unused static domain ID to the VSAN.
Step 7 (Optional) Select the FICON and Enable Fabric Binding for Selected Switches options if you want
these features enabled.
See the Configuring FICON section on page 36-1 and Configuring Fabric Binding, page 47-1 for
details.
Step 8 Complete the fields in this dialog box and click Create to add the VSAN or click Close.

About Port VSAN Membership


Port VSAN membership on the switch is assigned on a port-by-port basis. By default, each port belongs
to the default VSAN. You can assign VSAN membership to ports using one of two methods:
Statically: By assigning VSANs to ports.
See the Assigning Static Port VSAN Membership section on page 26-8.
Dynamically: By assigning VSANs based on the device WWN. This method is referred to as
dynamic port VSAN membership (DPVM).
See Chapter 28, Creating Dynamic VSANs.
Trunking ports have an associated list of VSANs that are part of an allowed list (see Chapter 24,
Configuring Trunking).

Assigning Static Port VSAN Membership


To statically assign VSAN membership for an interface using Fabric Manager, follow these steps:

Step 1 Choose Interfaces > FC Physical from the Physical Attributes pane. You see the interface configuration
in the Information pane.
Step 2 Click the General tab.
You see the Fibre Channel general physical information. Double-click and complete the PortVSAN field.
Step 3 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

About the Default VSAN


The factory settings for switches in the Cisco MDS 9000 Family have only the default VSAN 1 enabled.
We recommend that you do not use VSAN 1 as your production environment VSAN. If no VSANs are
configured, all devices in the fabric are considered part of the default VSAN. By default, all ports are
assigned to the default VSAN.

Note VSAN 1 cannot be deleted, but it can be suspended.

Note Up to 1024 VSANs can be configured in a switch. Of these, one is a default VSAN (VSAN 1), and
another is an isolated VSAN (VSAN 4094). User-specified VSAN IDs range from 2 to 4093.

About the Isolated VSAN


VSAN 4094 is an isolated VSAN. All non-trunking ports are transferred to this VSAN when the VSAN
to which they belong is deleted. This avoids an implicit transfer of ports to the default VSAN or to
another configured VSAN. All ports in the deleted VSAN are isolated (disabled).

Note When you configure a port in VSAN 4094 or move a port to VSAN 4094, that port is immediately
isolated.

Caution Do not use an isolated VSAN to configure ports.

Note Up to 1024 VSANs can be configured in a switch. Of these, one is a default VSAN (VSAN 1), and
another is an isolated VSAN (VSAN 4094). User-specified VSAN IDs range from 2 to 4093.

Displaying Isolated VSAN Membership


To display interfaces that exist in the isolated VSAN using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx and then select All VSANs in the Logical Domains pane.
You see the VSAN configuration in the Information pane.
Step 2 Click the Isolated Interfaces tab.
You see the interfaces that are in the isolated VSAN.

Operational State of a VSAN


A VSAN is in the operational state if the VSAN is active and at least one port is up. This state indicates
that traffic can pass through this VSAN. This state cannot be configured.

Mapping VSANs to VLANs

Note This section applies to Cisco Nexus 5000 Series switches only.

A VSAN-VLAN mapping indicates the VLAN that is used to transport Fibre Channel traffic for a
specific VSAN. Each virtual Fibre Channel interface is associated with only one VSAN. Any VSAN
with associated virtual Fibre Channel interfaces must be mapped to a dedicated Fibre Channel over
Ethernet (FCoE)-enabled VLAN. FCoE is not supported on private VLANs.
This section provides information about how to configure a virtual Fibre Channel interface and includes
the following topics:
Mapping VSANs to VLANs Using Fabric Manager
Mapping VSANs to VLANs Using Device Manager

Mapping VSANs to VLANs Using Fabric Manager


To create a mapping between a VSAN and its associated VLAN using Fabric Manager, follow these
steps:

Note You must have a Cisco Nexus 5000 Series switch in the fabric to map a VSAN to a VLAN using the
VSAN-VLAN Mapping tab in the Information pane.

Step 1 In the Logical Domains pane, choose All VSANs.


You see the VSAN information pane, as shown in Figure 26-6.

Figure 26-6 VSAN Information Pane

Step 2 In the Information pane, click the VSAN-VLAN Mapping tab.


You see the VSAN-VLAN Mapping tab, as shown in Figure 26-7.

Figure 26-7 VSAN-VLAN Mapping Tab

The table shows the existing VSAN-VLAN mappings and the operational state of each VLAN.

Note You cannot modify an existing VSAN-VLAN mapping.

Step 3 Click Create Row to create a new mapping.


You see the Create dialog box, as shown in Figure 26-8.

Figure 26-8 Insert VSAN-VLAN Mapping

Step 4 From the Switch drop-down list, choose a Cisco Nexus 5000 Series switch.
Step 5 In the VSAN Id and VLAN Id fields, enter the VSAN ID and the VLAN ID that will be mapped together.
Step 6 Click Create to create the mapping.

Mapping VSANs to VLANs Using Device Manager


To create a mapping between a VSAN and its associated VLAN using Device Manager, follow these
steps:

Step 1 Launch Device Manager from the Cisco Nexus 5000 Series switch, as described in the Launching
Device Manager section on page 6-2.
Step 2 Choose FC > VSANs.
You see the VSAN dialog box. In the dialog box, the Membership tab displays the virtual Fibre Channel
interfaces associated with a VSAN.
Step 3 Click the VSAN-VLAN Mapping tab.
In the VSAN-VLAN Mapping tab, the table lists the existing VSAN-VLAN mappings and the
operational state of each VLAN.

Note You cannot modify an existing VSAN-VLAN mapping.

Step 4 Click Create to create a new mapping.


You see the Create VSAN-VLAN Mapping dialog box as shown in Figure 26-9.

Figure 26-9 Create VSAN-VLAN Mapping

Step 5 In the VSAN Id and VLAN Id fields, enter the VSAN ID and the VLAN ID that will be mapped together.
Step 6 Click Create to create the mapping.

About Static VSAN Deletion


When an active VSAN is deleted, all of its attributes are removed from the running configuration.
VSAN-related information is maintained by the system software as follows:
VSAN attributes and port membership details are maintained by the VSAN manager. This feature is
affected when you delete a VSAN from the configuration. When a VSAN is deleted, all the ports in
that VSAN are made inactive and the ports are moved to the isolated VSAN. If the same VSAN is
recreated, the ports do not automatically get assigned to that VSAN. You must explicitly reconfigure
the port VSAN membership (see Figure 26-10).

Figure 26-10 VSAN Port Membership Details
[Figure not reproduced. Before and After views of Switch 1 showing the default VSAN, VSAN 7, the isolated VSAN, and VSAN 12, with interfaces fc1/1 through fc1/6.]

VSAN-based runtime (name server), zoning, and configuration (static routes) information is
removed when the VSAN is deleted.
Configured VSAN interface information is removed when the VSAN is deleted.

Note The allowed VSAN list is not affected when a VSAN is deleted (see Chapter 24, Configuring
Trunking).

Any commands for a nonconfigured VSAN are rejected. For example, if VSAN 10 is not configured in
the system, then a command request to move a port to VSAN 10 is rejected.
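
The ID, naming, membership, and deletion rules stated in this chapter can be checked against a small model. The following is an added example, not Cisco code: the class, method, and finding names are hypothetical, the scenario is constructed, and rejecting a duplicate VSAN ID is a model assumption.

```python
"""Model of the VSAN ID, naming, membership and deletion rules in this chapter.

Added example, not Cisco code. Class, method and finding names are hypothetical.
"""

DEFAULT_VSAN = 1
ISOLATED_VSAN = 4094
USER_VSAN_IDS = range(2, 4094)  # user-specified IDs run from 2 to 4093


class VsanError(ValueError):
    """A request that is rejected under the rules stated in the chapter."""


def default_name(vsan_id):
    # "VSAN" plus a four-digit ID, so VSAN 3 becomes VSAN0003.
    return "VSAN%04d" % vsan_id


class VsanModel:
    def __init__(self, ports):
        # Factory state: only VSAN 1 exists and every port belongs to it.
        self.vsans = {DEFAULT_VSAN: {"name": default_name(DEFAULT_VSAN), "state": "active"}}
        self.port_vsan = {port: DEFAULT_VSAN for port in ports}

    def create(self, vsan_id, name=None, state="active"):
        if vsan_id not in USER_VSAN_IDS:
            raise VsanError("user-specified VSAN IDs range from 2 to 4093")
        if vsan_id in self.vsans:
            raise VsanError("VSAN %d already exists" % vsan_id)  # model assumption
        name = name or default_name(vsan_id)
        if not 1 <= len(name) <= 32:
            raise VsanError("VSAN name must be 1 to 32 characters long")
        if any(v["name"] == name for v in self.vsans.values()):
            raise VsanError("VSAN name must be unique across all VSANs")
        if state not in ("active", "suspended"):
            raise VsanError("admin state is active or suspended")
        self.vsans[vsan_id] = {"name": name, "state": state}

    def assign(self, port, vsan_id):
        if port not in self.port_vsan:
            raise VsanError("unknown port %s" % port)
        # Commands for a nonconfigured VSAN are rejected; VSAN 4094 always exists.
        if vsan_id != ISOLATED_VSAN and vsan_id not in self.vsans:
            raise VsanError("VSAN %d is not configured" % vsan_id)
        self.port_vsan[port] = vsan_id

    def delete(self, vsan_id):
        if vsan_id == DEFAULT_VSAN:
            raise VsanError("VSAN 1 cannot be deleted, only suspended")
        if vsan_id not in self.vsans:
            raise VsanError("VSAN %d is not configured" % vsan_id)
        del self.vsans[vsan_id]
        # Member ports go to the isolated VSAN, never implicitly to VSAN 1.
        for port, member_of in self.port_vsan.items():
            if member_of == vsan_id:
                self.port_vsan[port] = ISOLATED_VSAN

    def port_enabled(self, port):
        vsan_id = self.port_vsan[port]
        if vsan_id == ISOLATED_VSAN:
            return False  # ports in VSAN 4094 are isolated (disabled)
        return self.vsans[vsan_id]["state"] == "active"

    def audit(self):
        """Return (port, finding) pairs that an operator should review."""
        findings = []
        for port in sorted(self.port_vsan):
            vsan_id = self.port_vsan[port]
            if vsan_id == ISOLATED_VSAN:
                findings.append((port, "isolated"))
            elif vsan_id == DEFAULT_VSAN:
                findings.append((port, "default-vsan"))
            elif self.vsans[vsan_id]["state"] == "suspended":
                findings.append((port, "suspended-vsan"))
        return findings


def demo():
    # Constructed scenario: VSAN 7 is deleted and then recreated.
    fabric = VsanModel(["fc1/1", "fc1/2", "fc1/3", "fc1/4"])
    fabric.create(7, "Engineering")
    fabric.assign("fc1/3", 7)
    fabric.assign("fc1/4", 7)
    fabric.delete(7)
    fabric.create(7, "Engineering")  # the ports do not return automatically
    return fabric


if __name__ == "__main__":
    for port, finding in demo().audit():
        print(port, finding)
```

In the constructed scenario, fc1/3 and fc1/4 stay in VSAN 4094 after VSAN 7 is recreated and remain disabled until their port VSAN membership is explicitly reconfigured.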

Deleting Static VSANs


To delete a VSAN and its attributes using Fabric Manager, follow these steps:

Step 1 Select All VSANs from the Logical Domains pane.


The VSANs in the fabric are listed in the Information pane.
Step 2 Right-click the VSAN that you want to delete and select Delete Row from the drop-down menu (see
Figure 26-11).

Figure 26-11 Deleting a VSAN

You see a confirmation dialog box.


Step 3 Click Yes to confirm the deletion or No to close the dialog box without deleting the VSAN.

About Load Balancing


Load balancing attributes indicate the use of the source-destination ID (src-dst-id) or the originator
exchange OX ID (src-dst-ox-id, the default) for load balancing path selection.

Configuring Load Balancing


To configure load balancing on an existing VSAN using Fabric Manager, follow these steps:

Step 1 Choose Fabricxx > All VSANs from the Logical Domains pane.
You see the VSAN configuration in the Information pane shown in Figure 26-12.

Figure 26-12 All VSAN Attributes

Step 2 Select a VSAN and complete the LoadBalancing field.


Step 3 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

About Interop Mode


Interoperability enables the products of multiple vendors to come into contact with each other. Fibre
Channel standards guide vendors towards common external Fibre Channel interfaces. See the Switch
Interoperability section on page 37-8.

About FICON VSANs


You can enable FICON in up to eight VSANs. See the FICON VSAN Prerequisites section on
page 36-7.

Default Settings
Table 26-2 lists the default settings for all configured VSANs.

Table 26-2 Default VSAN Parameters

Parameters Default
Default VSAN VSAN 1.
State Active state.
Name Concatenation of VSAN and a four-digit string representing the
VSAN ID. For example, VSAN 3 is VSAN0003.
Load-balancing attribute OX ID (src-dst-ox-id).


CHAPTER 27
SAN Device Virtualization

This chapter describes how to configure virtual devices to represent physical end devices for switches
running Cisco MDS SAN-OS Release 3.1(2) and later, or NX-OS Release 4.1(1a) and later.
Cisco SAN device virtualization (SDV) is a licensed feature included in the Cisco MDS 9000 Family
Enterprise package (ENTERPRISE_PKG). See Chapter 10, Obtaining and Installing Licenses, for
details about acquiring licenses.
This chapter includes the following sections:
About SDV
Configuring SDV
Default Settings

About SDV
As of Cisco SAN-OS Release 3.1(2) and NX-OS Release 4.1(1a), you can use Cisco SDV to create
virtual devices that represent physical end-devices. Virtualization of SAN devices accelerates swapout
or failover to a replacement disk array, and it also minimizes downtime when replacing host bus adapters
(HBAs) or when re-hosting an application on a different server.
SAN devices that are virtualized can be either initiators or targets. You can virtualize targets to create a
virtual target, and also virtualize initiators to create a virtual initiator. Such configurations do not
distinguish between virtual initiators and virtual targets (see Figure 27-1 and Figure 27-2).

Figure 27-1 Target Virtualization
[Figure not reproduced. Labels: server, traffic from server, virtual target, primary target, secondary target.]

Figure 27-2 Initiator Virtualization
[Figure not reproduced. Labels: traffic from server, virtual initiator, primary initiator, secondary initiator.]

Note While most of the examples in this chapter describe target virtualization, the initiator virtualization
functions similarly.

Typically, today's deployments for handling device failures are designed for high availability (HA), with
redundancy being a key part of this design. Consider the situation where a target is designed to be
redundant. Two arrays are deployed in this situation: a primary and a secondary. Enterprises often use
some type of consistency technology (such as EMC SRDF) between the primary and secondary arrays
to ensure that the secondary is a mirrored copy of the production LUN. However, if the primary array
fails, it must be replaced by the secondary because all I/O must occur on the secondary array. Problems
can occur because bringing the secondary array up and getting it working often takes
longer than most can afford (Figure 27-3 illustrates this dilemma).

Figure 27-3 Typical Deployment for Handling Device Failures Before SDV
[Figure not reproduced. Labels: servers, SAN, primary device, secondary device, I/O - normal, I/O - after primary failure, asynchronous replication.]

If a storage array is replaced without using Cisco SDV, then it may require the following actions:
Taking down a server to modify zoning and account for the new array.
Changing the Cisco NX-OS configuration to accommodate Fibre Channel IDs (FC IDs) and
pWWNs of the new array.
Changing a server configuration to accommodate the new FC IDs and pWWNs.
More specifically, without SDV you might experience the following conditions:
It can take a considerable amount of time to configure a secondary device for a typical production
environment.
In the zoning configuration, all the initiators must be rezoned with the secondary device, and certain
initiators must also be reconfigured. For example, the WWN and FC ID of the secondary device are
different, so driver files must be changed and the server must be rebooted.

Clustering (multiple initiators) compounds the problem, and the failover procedure must be repeated
for each server of the cluster. Think of a server cluster as a set of HBAs; any storage array FC ID
changes must be performed for each HBA.
SDV enables you to achieve the following performance targets:
Reduce the amount of time it takes for data migration, and ultimately the overall amount of
downtime.
Easily scale to larger numbers of devices.
Figure 27-4 illustrates the benefits of SDV. In this configuration, disk array Y replaces disk array X.
When disk array X was deployed, the user created virtual devices for all the Fibre Channel interfaces
using SDV. After data replication from disk array X was completed, the user briefly paused activity on
the application server and relinked disk array Y to the virtual devices used by the server, completing the
swapout of disk array X. No zoning changes or host operating system configuration changes were
required during the time-critical period when the swap was performed; this significantly minimized
application downtime.

Note The array administrator will likely have to perform actions on array Y for it to become a primary device
and accept server logins before linking the virtual device to the array Y pWWN.

Figure 27-4 SDV Example
[Figure not reproduced. Labels: server, storage arrays X and Y, physical to virtual mapping, virtual device.]

Key Concepts
The following terms are used throughout this chapter:
Virtual device: The virtualized or proxy representation of the real device, which is registered with
the name server and has a pWWN and FC ID. A virtual device exists as long as its real (physical)
counterpart is online. The virtual device pWWN and FC ID must be unique and cannot clash with
any real device pWWNs and FC IDs.
Virtual domain: Reserved by SDV to assign FC IDs to virtual devices. If the switch that reserved
the domain goes down, another switch takes over its role using the same domain.
Primary device: The device that is configured as primary. By default, the primary device becomes
the active device if it is online.

Secondary device: The additional device that is configured. By default, the secondary device is
standby.
Active device: The device that is currently virtualized is called the active device. By default, the
primary device becomes the active device if it is online. The active device is indicated by a (*)
symbol.

Automatic Failover and Fallback


As of Cisco MDS NX-OS Release 4.1(1a), SAN device virtualization supports automatic failover and
fallback configurations for the virtual devices. In all of the earlier releases, when there was a failure, you
needed to manually configure the device as primary to make it active. With the introduction of automatic
failover and fallback configurations, the active device is distinguished from the primary device and is
indicated by a (*) symbol.
Auto failover: When there is a failure, the failover auto attribute automatically shuts down the
primary device and brings up the secondary device to active state. When the primary device comes
back online, it requires user intervention to switch over.
Auto failover with fallback: In addition to automatic failover, when the primary device comes back
online after a failover, the primary device is brought to active state and the secondary device is moved
to standby state.

Configuring SDV
SDV is a distributed service and uses Cisco Fabric Services (CFS) distribution to synchronize the
databases. When you configure SDV, it starts a CFS session and locks the fabric. When a fabric is locked,
Cisco NX-OS software does not allow any configuration changes from a switch other than the switch
holding the lock, and issues a message to inform users about the locked status. Configuration changes
are held in a pending database for the application. You must perform a commit operation to make the
configuration active and to release the lock for all switches.
See Chapter 13, Using the CFS Infrastructure, for more details about CFS.

Note When you enable SDV, CFS distribution is also enabled; CFS distribution cannot be disabled for SDV.

The following sections describe how to configure SDV:


Configuring a Virtual Device
Linking a Virtual Device with a Physical Device
Resolving Fabric Merge Conflicts

Configuring a Virtual Device


A virtual device is identified by an alphanumeric name of up to 32 characters and defines all the real
devices (one primary and one or more secondary) that it represents. Upon the successful creation of a
virtual device, the virtual device name is internally registered as the device alias name with the device
alias database; the pWWN is automatically assigned by the system using Cisco Organizational Unique
Identifier (OUI). A virtual device appears as a real, physical device. You can enumerate up to 128 devices
for a virtual device. There is a limit of 4095 on the number of virtual devices that you can create in a
single VSAN.
Figure 27-5 shows a configuration that includes a new virtual device, vt1.

Figure 27-5 Creating a Virtual Device
[Figure not reproduced. Labels: initiators i1, i2, i3 (i1pwwn, i2pwwn, i3pwwn); SAN device virtualization; virtual device vt1 (VT, vtpwwn); primary target t1 (t1pwwn) and secondary target t2 (t2pwwn).]

As of MDS NX-OS Release 4.1(1a), the following conditions must be considered when configuring the
virtual device failover attributes:
The attribute configuration is supported only with MDS NX-OS Release 4.1(1a) and later. In a
mixed mode fabric where earlier releases are combined, the attribute configuration will fail.
When the failover attribute is configured, if the primary device is offline then the secondary device
becomes active.
When the failover attribute is deleted after the primary device has failed over to the secondary device,
the primary becomes active if the primary device is online. If the primary device is not online, then
the SDV virtual device is shut down.

Note The SDV attributes configuration is supported in MDS Fabric Manager Release 4.1(2) and later.
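
The failover and fallback behavior described in the Automatic Failover and Fallback section and in the conditions above can be followed with a small state model. This is an added example, not Cisco code: the class and method names are hypothetical, the option names mirror the autoFailover and primFallback check boxes, and the handling of an active secondary that fails is an assumption because the chapter does not cover it.

```python
"""State model of SDV automatic failover and fallback (added example, not Cisco code)."""


class VirtualDevice:
    def __init__(self, auto_failover=False, prim_fallback=False):
        # The dialog offers autoFailover alone, or autoFailover plus primFallback.
        if prim_fallback and not auto_failover:
            raise ValueError("primFallback requires autoFailover")
        self.auto_failover = auto_failover
        self.prim_fallback = prim_fallback
        self.online = {"primary": True, "secondary": True}
        self.active = "primary"  # by default the primary is active if it is online

    def set_online(self, role, is_online):
        """Record a device going online or offline; return the active device."""
        self.online[role] = is_online
        primary_up = self.online["primary"]
        secondary_up = self.online["secondary"]
        if self.active is not None and not self.online[self.active]:
            if self.active == "primary":
                # Auto failover brings up the secondary; without the attribute
                # the virtual device stays down until an operator acts.
                takeover = self.auto_failover and secondary_up
                self.active = "secondary" if takeover else None
            else:
                # Assumption: not covered by the chapter, so the default rule
                # (the primary is active if it is online) is applied.
                self.active = "primary" if primary_up else None
        elif self.active == "secondary" and primary_up and self.prim_fallback:
            # Fallback: the returning primary becomes active again and the
            # secondary moves to standby.
            self.active = "primary"
        elif self.active is None:
            if primary_up:
                self.active = "primary"
            elif self.auto_failover and secondary_up:
                self.active = "secondary"
        return self.active

    def set_failover(self, prim_fallback=False):
        """Configure the failover attribute on an existing virtual device."""
        self.auto_failover = True
        self.prim_fallback = prim_fallback
        if not self.online["primary"] and self.online["secondary"]:
            self.active = "secondary"
        return self.active

    def clear_failover(self):
        """Delete the failover attribute, for example after a failover."""
        self.auto_failover = False
        self.prim_fallback = False
        # The primary becomes active if online; otherwise the virtual device
        # is shut down.
        self.active = "primary" if self.online["primary"] else None
        return self.active

    def manual_switchover(self, role):
        """Operator action needed when fallback is not configured."""
        if not self.online[role]:
            raise ValueError("%s device is offline" % role)
        self.active = role
        return self.active


def run_outage(auto_failover, prim_fallback):
    # Constructed sequence: the primary fails and later returns.
    device = VirtualDevice(auto_failover, prim_fallback)
    during = device.set_online("primary", False)
    after = device.set_online("primary", True)
    return during, after


if __name__ == "__main__":
    for options in [(False, False), (True, False), (True, True)]:
        print(options, run_outage(*options))
```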

To configure a virtual target and commit it to the fabric configuration using Fabric Manager, follow these
steps:

Step 1 Expand SAN in the Logical Domains pane. Then expand the fabric in which your VSAN resides.
Step 2 Expand the VSAN in which you wish to create the virtual target and select SDV. You see the switches
in the VSAN that you selected listed in the Information pane.
Step 3 In the Control tab, select enable from the drop-down menu in the Command column to enable SAN
device virtualization for a particular switch in the VSAN (see Figure 27-6).

Figure 27-6 Enabling SAN Device Virtualization

Step 4 Click the Apply Changes icon to commit the configuration change.
Step 5 Click the CFS tab. Confirm that the SAN device virtualization feature is enabled for the switch.
Step 6 Click the Virtual Devices tab and then click the Create Row icon.
You see the Create Virtual Devices dialog box (see Figure 27-7).

Figure 27-7 Create Virtual Devices Dialog Box

Step 7 Select the Virtual Device ID from the drop-down list (ranges from 1 to 4096).
Step 8 Enter a Name for the Virtual Device. Select the Virtual Domain and enter a Virtual FC ID for the virtual
target.
Step 9 Check only the autoFailover check box, or check the autoFailover and primFallback check boxes. For
more information, see the Automatic Failover and Fallback section on page 27-4. You can also change
the option in the Option column of the Virtual Devices tab. (See Figure 27-8).

Figure 27-8 Virtual Devices tab

Step 10 Click Create to create the virtual target.


Step 11 Click the CFS icon to commit and distribute the configuration changes.

The pWWN of the virtual target does not appear in the zoning end devices database in Fabric Manager.
If you want to zone the virtual device with a pWWN, you must enter it in the Add Member to Zone dialog
box when creating a zone. However, if the device alias is in enhanced mode, the virtual device names
appear in the device alias database in the Fabric Manager zoning window. In this case, users can choose
to select either the device alias name or enter the pWWN in the Add Member to Zone dialog box.

For more information, see the Adding Zone Members section on page 30-14.
Set the device alias mode to enhanced when using SDV (because the pWWN of a virtual device could
change).

For example, SDV is enabled on a switch and a virtual device is defined. SDV assigns a pWWN for the
virtual device, and it is zoned based on the pWWN in a zone. If you later disable SDV, this configuration
is lost. If you reenable SDV and create the virtual device using the same name, there is no guarantee that
it will get the same pWWN again. You would have to rezone the pWWN-based zone. However, if you
perform zoning based on the device-alias name, there are no configuration changes required if or when
the pWWN changes.

Be sure you understand how device alias modes work before enabling them. Refer to Chapter 31,
Distributing Device Alias Services for details and requirements about device alias modes.

Linking a Virtual Device with a Physical Device


After creating a virtual device and configuring it as part of a zone, you can define the primary device for
it using the link command, which is also used to fail over to the secondary device.

Note When a link operation fails over to the secondary device, the virtual device is taken offline, and then
brought online.

As of MDS NX-OS Release 4.1(1a), the following conditions must be considered before linking a
device:
• If you link to the secondary device which is currently active because of failover, the primary tag is
  moved to the secondary device and the secondary device becomes the primary device.
• When the secondary device is active, if you link to a third device, and if the fallback attribute was
  not configured, the third device becomes the primary device but the secondary device continues to
  be the active device.
• When the secondary device is active, if you link to a third device, and if the fallback attribute was
  configured, then the third device becomes the primary device as well as the active device.

To link a virtual target with a physical target using Fabric Manager, follow these steps:

Step 1 Click the Real Devices tab and then click the Create Row icon.
Step 2 Select the Virtual Device ID from the pull-down list or enter an existing ID for the virtual target that you
are linking with a physical target (see Figure 27-9).
Step 3 Select the Real Device ID of the physical target that you are linking with the virtual target.

Figure 27-9 Create Real Devices Dialog Box

[Diagram: SAN Device Virtualization zone with initiators i1, i2, i3 (i1pwwn, i2pwwn, i3pwwn), virtual device vt1 (vtpwwn), and targets t1 (t1pwwn, primary) and t2 (t2pwwn, secondary)]

Step 4 Choose either the pWWN or deviceAlias radio button, and select the appropriate pWWN or device alias
from the pull-down menu. Note that the Name field is automatically populated when you select the
pWWN or device alias.
Step 5 Choose either the primary or secondary radio button for the Map Type.
Step 6 Click the CFS icon to save and distribute these changes, or click Close to discard any unsaved changes.

Resolving Fabric Merge Conflicts


Whenever two fabrics merge, SDV merges its database. A merge conflict can occur when there is a
run-time information conflict or configuration mismatch. Run-time conflicts can occur due to:
• Identical pWWNs being assigned to different virtual devices.
• The same virtual devices being assigned different pWWNs.
• The virtual device and virtual FC ID being mismatched.

A blank commit is a commit operation that does not contain configuration changes, and enforces the SDV
configuration of the committing switch fabric-wide. A blank commit operation resolves merge conflicts
by pushing the configuration from the committing switch throughout the fabric, which reinitializes the
conflicting virtual devices. Exercise caution while performing this operation, as it can easily take some
virtual devices offline.
Merge failures resulting from a pWWN conflict can cause a failure with the device alias as well. A blank
commit operation on a merge-failed VSAN within SDV should resolve the merge failure in the device
alias.
You can avoid merge conflicts due to configuration mismatch by ensuring that:
• The pWWN and device alias entries for a virtual device are identical (in terms of primary and
  secondary).
• There are no virtual device name conflicts across VSANs in fabrics.

SDV Requirements and Guidelines


Be aware of the following requirements and guidelines as you plan and configure SDV:
• SDV should be enabled on switches where devices that are part of SDV zones are connected.
• SDV does not work for devices connected to non-MDS switches.
• Broadcast zoning is not supported for a zone with a virtual device.
• IVR and SDV cannot be used for the same device. In other words, an SDV-virtualized device cannot
  be part of an IVR zone or zoneset.
• Virtual device names should be unique across VSANs because they are registered with the device
  alias server, which is unaware of VSANs. For example, if you have enabled SDV and have registered
  a name, vt1, in both VSAN 1 and VSAN 2, then the device alias server cannot store both entries
  because they have the same name.
• You cannot specify the same primary device for different virtual devices.
• SDV does not work with soft zoning (soft zoning means that zoning restrictions are applied only
  during interaction between the name server and the end device. If an end device somehow knows the
  FC ID of a device outside its zone, it can access that device), nor does it work with the zone
  default-zone permit vsan operation (which would otherwise permit or deny traffic to members in
  the default zone).
• If devices are not already zoned with the initiators, then you can configure SDV virtual device zones
  with no negative impact. If they are already zoned, then zoning changes are required.
• The real device-virtual device zone cannot coexist with the real device-real device zone. If the real
  devices are not already zoned together, then you can configure the real device-virtual device zone
  with no negative impact. If these devices are already zoned, then adding the real device-virtual
  device zone may cause the zone activation to fail. If this occurs, then you must delete one of the
  zones before activation.
  For example, a user attempts to create a configuration with zone A, which consists of I, the initiator,
  and T, the target (I,T), and zone B, which consists of a virtual initiator, VI, and real target, T (zone
  VI, T). Such a configuration would fail. Likewise, an attempt to configure zone C, which consists
  of an initiator, I, and target T, with zone D, which consists of an initiator, I, and virtual target, VT
  (zone I, VT), would also fail.

Caution There must be at least one SDV-enabled switch that is not a Cisco MDS 9124 Switch between the server
and the device that are being virtualized. In other words, SDV does not work when initiators and primary
devices are connected to the same Cisco MDS 9124 Switch.
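
Several of the guidelines above can be checked against a planned configuration before it is committed. The following Python check is an added example, not Cisco code: the VirtualDevice and Zone records, the rule names, and the sample plan are assumptions made for illustration, and it covers the name-uniqueness, shared-primary, broadcast-zone, and zone-coexistence guidelines.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualDevice:            # hypothetical planning record, not an NX-OS object
    name: str                   # registered with the VSAN-unaware device alias server
    vsan: int
    primary: str                # device alias or pWWN of the primary real device
    secondary: str | None = None

    def real_devices(self) -> set[str]:
        return {dev for dev in (self.primary, self.secondary) if dev}


@dataclass(frozen=True)
class Zone:                     # hypothetical planning record
    name: str
    vsan: int
    members: frozenset[str]
    broadcast: bool = False


def check_sdv_plan(vdevs, zones):
    """Return (rule, detail) findings for guideline violations in a planned config."""
    findings = []

    # Virtual device names must be unique across VSANs.
    vsans_by_name = defaultdict(set)
    for vd in vdevs:
        vsans_by_name[vd.name].add(vd.vsan)
    for name, vsans in sorted(vsans_by_name.items()):
        if len(vsans) > 1:
            findings.append(("name-not-unique", f"{name} in VSANs {sorted(vsans)}"))

    # The same primary device cannot back different virtual devices.
    names_by_primary = defaultdict(set)
    for vd in vdevs:
        names_by_primary[vd.primary].add(vd.name)
    for primary, names in sorted(names_by_primary.items()):
        if len(names) > 1:
            findings.append(("shared-primary", f"{primary} backs {sorted(names)}"))

    for zone in zones:
        in_zone = [vd for vd in vdevs
                   if vd.vsan == zone.vsan and vd.name in zone.members]
        # Broadcast zoning is not supported for a zone with a virtual device.
        if zone.broadcast and in_zone:
            findings.append(("broadcast-zone", f"{zone.name} holds {in_zone[0].name}"))
        # A real-virtual zone cannot coexist with a real-real zone that joins the
        # virtual device's real device to the same peer (zone C / zone D case).
        for vd in in_zone:
            peers = zone.members - {vd.name}
            for other in zones:
                if other.name == zone.name or other.vsan != zone.vsan:
                    continue
                if vd.real_devices() & other.members and peers & other.members:
                    findings.append(("zone-coexistence",
                                     f"{zone.name} ({vd.name}) vs {other.name}"))
    return findings


# Constructed sample plan modelled on the zone C / zone D example.
SAMPLE_VDEVS = [
    VirtualDevice("vt1", vsan=1, primary="t1", secondary="t2"),
    VirtualDevice("vt1", vsan=2, primary="t3"),       # same name, second VSAN
    VirtualDevice("vt2", vsan=1, primary="t1"),       # reuses primary t1
]
SAMPLE_ZONES = [
    Zone("zoneC", 1, frozenset({"i1", "t1"})),        # real initiator, real target
    Zone("zoneD", 1, frozenset({"i1", "vt1"})),       # real initiator, virtual target
    Zone("zoneE", 1, frozenset({"i2", "vt1"}), broadcast=True),
]

if __name__ == "__main__":
    for rule, detail in check_sdv_plan(SAMPLE_VDEVS, SAMPLE_ZONES):
        print(f"{rule}: {detail}")
```

An empty result means none of the four modelled guidelines is violated; the remaining guidelines (IVR, soft zoning, non-MDS switches, the MDS 9124 caution) still need a manual check.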

Default Settings
Table 27-1 lists the default settings for SDV parameters.

Table 27-1 Default SDV Configuration Parameters

Parameters    Default
enable        disabled

CHAPTER 28
Creating Dynamic VSANs

Port VSAN membership on the switch is assigned on a port-by-port basis. By default each port belongs
to the default VSAN.
You can dynamically assign VSAN membership to ports by assigning VSANs based on the device
WWN. This method is referred to as Dynamic Port VSAN Membership (DPVM). DPVM offers
flexibility and eliminates the need to reconfigure the port VSAN membership to maintain fabric
topology when a host or storage device connection is moved between two Cisco MDS switches or two
ports within a switch. It retains the configured VSAN regardless of where a device is connected or
moved. To assign VSANs statically, see Chapter 26, Configuring and Managing VSANs.
This chapter includes the following sections:
• DPVM
• DPVM Database Distribution
• Database Merge Guidelines
• Default Settings

DPVM
DPVM configurations are based on port world wide name (pWWN) and node world wide name (nWWN)
assignments. A DPVM database contains mapping information for each device pWWN/nWWN
assignment and the corresponding VSAN. The Cisco NX-OS software checks the database during a
device FLOGI and obtains the required VSAN details.
The pWWN identifies the host or device and the nWWN identifies a node consisting of multiple devices.
You can assign any one of these identifiers or any combination of these identifiers to configure DPVM
mapping. If you assign a combination, then preference is given to the pWWN.
DPVM uses the Cisco Fabric Services (CFS) infrastructure to allow efficient database management and
distribution. DPVM uses the application driven, coordinated distribution mode and the fabric-wide
distribution scope (see Chapter 13, Using the CFS Infrastructure).

Note DPVM does not cause any changes to device addressing. DPVM only pertains to the VSAN membership
of the device, ensuring that the host gets the same VSAN membership on any port on the switch. For
example, if a port on the switch has a hardware failure, you can move the host connection to another port
on the switch without needing to update the VSAN membership manually.

Note DPVM is not supported on FL ports. DPVM is supported only on F ports.

This section describes DPVM and includes the following topics:
• About DPVM Configuration
• Configuring DPVM with the DPVM Wizard
• Figure 28-2 DPVM Setup Wizard: Select Master Switch
• Configuring DPVM Config and Pending Databases
• Activating DPVM Config Databases
• Viewing the Pending Database
• About Autolearned Entries
• Enabling Autolearning
• Clearing Learned Entries

About DPVM Configuration


To use the DPVM feature as designed, be sure to verify the following requirements:
• The interface through which the dynamic device connects to the Cisco MDS 9000 Family switch
  must be configured as an F port.
• The static port VSAN of the F port should be valid (not isolated, not suspended, and in existence).
• The dynamic VSAN configured for the device in the DPVM database should be valid (not isolated,
  not suspended, and in existence).

Note The DPVM feature overrides any existing static port VSAN membership configuration. If the VSAN
corresponding to the dynamic port is deleted or suspended, the port is shut down.

To begin configuring DPVM, you must explicitly enable DPVM on the required switches in the fabric.
By default, this feature is disabled in all switches in the Cisco MDS 9000 Family.

Configuring DPVM with the DPVM Wizard


To use the DPVM Setup Wizard in Fabric Manager to set up dynamic port VSAN membership, follow
these steps:

Step 1 Click the DPVM Setup Wizard icon in the Fabric Manager toolbar (See Figure 28-1).

Figure 28-1 DPVM Wizard Icon

You see the Select Master Switch page.


Step 2 Click the switch you want to be the master switch. This switch controls the distribution of the DPVM
database to other switches in the fabric.
Step 3 Click Next.
You see the AutoLearn Current End Devices page.
Step 4 (Optional) Click the Create Configuration From Currently Logged In End Devices check box if you
want to turn on autolearning.
Step 5 Click Next.
You see the Edit and Activate Configuration page.
Step 6 Verify the current or autolearned configuration. Optionally, click Insert to add more entries into the
DPVM config database.
Step 7 Click Finish to update the DPVM config database, distribute the changes using CFS, and activate the
database, or click Cancel to exit the DPVM Setup Wizard without saving changes.

Figure 28-2 DPVM Setup Wizard: Select Master Switch

Step 8 Select the switch you want to be the master switch. This switch controls the distribution of the DPVM
database to other switches in the fabric.
Step 9 Click Next.
You see the AutoLearn Current End Devices page as shown in Figure 28-3.

Figure 28-3 DPVM Setup Wizard: AutoLearn Current End Devices

Step 10 (Optional) Check the Create Configuration From Currently Logged In End Devices check box if you
want to enable autolearning.
Step 11 Click Next.
You see the Edit and Activate Configuration page as shown in Figure 28-4.

Figure 28-4 DPVM Setup Wizard: Edit and Activate Configuration

Step 12 Verify the current or autolearned configuration. Optionally, click Insert to add more entries into the
DPVM config database.

Step 13 Click Finish to update the DPVM config database, distribute the changes using CFS, and activate the
database, or click Cancel to exit the DPVM Setup Wizard without saving changes.

About DPVM Databases


The DPVM database consists of a series of device mapping entries. Each entry consists of a device
pWWN or nWWN assignment along with the dynamic VSAN to be assigned. You can configure a
maximum of 16,000 DPVM entries in the DPVM database. This database is global to the whole switch
(and fabric) and is not maintained for each VSAN.
The DPVM feature uses three databases to accept and implement configurations.
• Configuration (config) database: All configuration changes are stored in the configuration database
  when distribution is disabled.
• Active database: The database currently enforced by the fabric.
• Pending database: All configuration changes are stored in the DPVM pending database when
  distribution is enabled (see the DPVM Database Distribution section on page 28-10).
Changes to the DPVM config database are not reflected in the active DPVM database until you activate
the DPVM config database. Changes to the DPVM pending database are not reflected in the config or
active DPVM database until you commit the DPVM pending database. This database structure allows
you to create multiple entries, review changes, and let the DPVM config and pending databases take
effect.
Figure 28-5 shows an example of the DPVM databases in the Information pane in Fabric Manager.

Figure 28-5 DPVM Configuration in Fabric Manager

Configuring DPVM Config and Pending Databases


To create and populate the config and pending databases using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM in the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the CFS tab and select a master switch by checking a check box in the Master column.

Note You must click the CFS tab in order to activate the other tabs.

Step 3 Click the Config Database tab and then click Create Row to insert a new entry.
You see the Create Config Database dialog box shown in Figure 28-6.

Figure 28-6 Create Config Database

Step 4 Choose an available WWN and VSAN combination or fill in the pWWN and Login VSAN fields.
Step 5 Click Create to save these changes in the config or pending database or click Close to discard any
unsaved changes.
Step 6 Click the CFS tab and select the Config Action drop-down menu for the master database.
You see the options shown in Figure 28-7.

Figure 28-7 Config Action Drop-down Menu

Step 7 Select commit from the drop-down menu to distribute these changes or abort to discard the changes.

Activating DPVM Config Databases


When you explicitly activate the DPVM config database, the DPVM config database becomes the active
DPVM database. Activation may fail if conflicting entries are found between the DPVM config database
and the currently active DPVM database. However, you can force activation to override conflicting
entries.
To activate the DPVM config database using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM from the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the Action tab and set the Action drop-down menu to activate or forceActivate to activate the
DPVM config database (see Figure 28-8).

Figure 28-8 Activate a Configured Database

Step 3 Click the CFS tab and select the Config Action drop-down menu for the master database.
You see the options shown in Figure 28-9.

Figure 28-9 Config Action Drop-down Menu

Step 4 Select commit from the drop-down menu to distribute these changes or abort to discard the changes.

Note To disable DPVM, you must explicitly deactivate the currently active DPVM database.

Viewing the Pending Database


To view the pending database using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM from the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the CFS tab and set the Config View drop-down menu to pending (see Figure 28-10).

Figure 28-10 CFS Tab with Master Switch Checked

Step 3 Click Apply Changes.


Step 4 Click the Config Database tab.
You see the pending database entries.

About Autolearned Entries


The DPVM database can be configured to automatically learn (autolearn) about new devices within each
VSAN. The autolearn feature can be enabled or disabled at any time. Learned entries are created by
populating device pWWNs and VSANs in the active DPVM database. The active DPVM database should
already be available to enable autolearn.
You can delete any learned entry from the active DPVM database when you enable autolearn. These
entries only become permanent in the active DPVM database when you disable autolearn.

Note Autolearning is only supported for devices connected to F ports. Devices connected to FL ports are not
entered into the DPVM database because DPVM is not supported on FL ports.

The following conditions apply to learned entries:
• If a device logs out while autolearn is enabled, that entry is automatically deleted from the active
  DPVM database.
• If the same device logs multiple times into the switch through different ports, then the VSAN
  corresponding to the last login is remembered.
• Learned entries do not override previously configured and activated entries.
• Learning is a two-part process: enabling autolearning followed by disabling autolearning. When
  the auto-learn option is enabled, the following applies:
  - Learning currently logged-in devices: Occurs from the time learning is enabled.
  - Learning new device logins: Occurs as and when new devices log in to the switch.

Enabling Autolearning
To enable autolearning using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM from the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the Actions tab and check the Auto Learn Enable check box to enable autolearning (see
Figure 28-11).

Figure 28-11 DPVM Actions Tab

Step 3 Click the CFS tab and select commit to distribute these changes or abort to discard the changes.

Clearing Learned Entries


You can clear DPVM entries from the active DPVM database (if autolearn is still enabled) using one of
two methods.
To clear a single autolearn entry using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM from the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the Actions tab and select clearOnWWN from the Auto Learn Clear drop-down menu.
Step 3 Check the clear WWN check box next to the WWN of the autolearned entry that you want to clear.
Step 4 Click CFS and select commit to distribute these changes or abort to discard the changes.

To clear all autolearn entries using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM from the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the Actions tab.
You see the DPVM Actions menu shown in Figure 28-12.

Figure 28-12 DPVM Actions Tab

Step 3 Select clear from the Auto Learn Clear drop-down menu.
Step 4 Click the CFS tab and select commit to distribute these changes or abort to discard the changes.

Note These two procedures do not start a session and can only be issued in the local switch.

DPVM Database Distribution


If the DPVM database is available on all switches in the fabric, devices can be moved anywhere, which
offers the greatest flexibility. To enable database distribution to the neighboring switches, the database should
be consistently administered and distributed across all switches in the fabric. The Cisco NX-OS software
uses the Cisco Fabric Services (CFS) infrastructure to achieve this requirement (see Chapter 13, Using
the CFS Infrastructure).
This section describes how to distribute the DPVM database and includes the following topics:
• About DPVM Database Distribution
• Disabling DPVM Database Distribution
• About Locking the Fabric
• Locking the Fabric
• Committing Changes
• Discarding Changes
• Clearing a Locked Session

About DPVM Database Distribution


Using the CFS infrastructure, each DPVM server learns the DPVM database from each of its
neighboring switches during the ISL bring-up process. If you change the database locally, the DPVM
server notifies its neighboring switches, and that database is updated by all switches in the fabric.
If fabric distribution is enabled, all changes to the configuration database are stored in the DPVM
pending database. These changes include the following tasks:
• Adding, deleting, or modifying database entries.
• Activating, deactivating, or deleting the configuration database.
• Enabling or disabling autolearning.

These changes are distributed to all switches in a fabric when you commit the changes. You can also
discard (abort) the changes at this point.

Tip See the Viewing the Pending Database section on page 28-8 to view the contents of the pending
database.

Disabling DPVM Database Distribution


To disable DPVM database distribution to the neighboring switches using Fabric Manager, follow these
steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM from the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the CFS tab and select disable from the Admin drop-down menu.
Step 3 Click Apply Changes to save this change or click Undo Changes to discard the change.

About Locking the Fabric


The first action that modifies the existing configuration creates the DPVM pending database and locks
the feature in the fabric. Once you lock the fabric, the following conditions apply:
• No other user can make any configuration changes to this feature.
• A copy of the configuration database becomes the DPVM pending database. Modifications from this
  point on are made to the DPVM pending database. The DPVM pending database remains in effect
  until you commit the modifications to the DPVM pending database or discard (abort) the changes
  to the DPVM pending database.

Locking the Fabric


To lock the fabric and apply changes to the DPVM pending database using Fabric Manager, follow these
steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM from the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the Config Database tab and then click Create Row.
You see the Create Config Database dialog box shown in Figure 28-13.

Figure 28-13 Create Config Database

Step 3 Choose an available pWWN and login VSAN.


Step 4 Click Create to save this change to the pending database or click Close to discard any unsaved change.

Committing Changes
If you commit the changes made to the configuration, the configurations in the DPVM pending database
are distributed to other switches. On a successful commit, the configuration change is applied throughout
the fabric and the lock is released.
To commit the DPVM pending database using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM from the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the CFS tab and select commit from the Config Action drop-down menu.
Step 3 Click Apply Changes to save this change or click Undo Changes to discard the change.

Discarding Changes
If you discard (abort) the changes made to the DPVM pending database, the configurations remain
unaffected and the lock is released.
To discard the DPVM pending database using Fabric Manager, follow these steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM from the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the CFS tab and select abort from the Config Action drop-down menu.
Step 3 Click Apply Changes to save this change or click Undo Changes to discard the change.

Clearing a Locked Session


If you have performed a DPVM task and have forgotten to release the lock by either committing or
discarding the changes, an administrator can release the lock from any switch in the fabric. If the
administrator performs this task, your changes to the DPVM pending database are discarded and the
fabric lock is released.

Tip The DPVM pending database is only available in the volatile directory and is subject to being discarded
if the switch is restarted.

To use administrative privileges and release a locked DPVM session using Fabric Manager, follow these
steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM from the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the CFS tab and select clear from the Config Action drop-down menu.
Step 3 Click Apply Changes to save this change or click Undo Changes to discard the change.
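
The database behaviour described in About DPVM Databases, Activating DPVM Config Databases, and the lock, commit, discard, and clear sections above, modelled in Python as an added example (not Cisco code). Class and method names and the WWNs are constructed; a conflict is assumed to mean one WWN mapped to different VSANs, and activation is modelled as a local step after commit.

```python
class FabricLocked(Exception):
    """Another user holds the DPVM lock in the fabric."""


class ActivationConflict(Exception):
    """Config and active databases map the same WWN to different VSANs."""


class DpvmModel:                      # hypothetical model, not an NX-OS interface
    def __init__(self, distribution=True):
        self.distribution = distribution
        self.config = {}              # WWN -> VSAN
        self.active = {}              # WWN -> VSAN, the database enforced at FLOGI
        self.pending = None           # exists only while the fabric is locked
        self.lock_owner = None

    def _staging(self, user):
        """Database that receives an edit; the first edit locks the fabric."""
        if not self.distribution:
            return self.config        # distribution disabled: edits go to config
        if self.lock_owner is None:
            self.lock_owner = user
            self.pending = dict(self.config)   # pending starts as a copy of config
        elif self.lock_owner != user:
            raise FabricLocked(f"DPVM is locked by {self.lock_owner}")
        return self.pending

    def _require_lock(self, user):
        if self.lock_owner != user:
            raise FabricLocked(f"{user} does not hold the DPVM lock")

    def add_entry(self, user, wwn, vsan):
        self._staging(user)[wwn.lower()] = vsan

    def commit(self, user):
        """Pending becomes the config database and the lock is released."""
        self._require_lock(user)
        self.config, self.pending, self.lock_owner = self.pending, None, None

    def abort(self, user):
        """Pending is dropped, config is unaffected, and the lock is released."""
        self._require_lock(user)
        self.pending = self.lock_owner = None

    def clear_lock(self):
        """Administrative release: the lock holder's pending changes are discarded."""
        self.pending = self.lock_owner = None

    def activate(self, force=False):
        """Config becomes active; conflicting entries block this unless forced."""
        conflicts = sorted(wwn for wwn, vsan in self.config.items()
                           if self.active.get(wwn, vsan) != vsan)
        if conflicts and not force:
            raise ActivationConflict(conflicts)
        self.active = dict(self.config)

    def vsan_at_flogi(self, pwwn, nwwn, static_port_vsan):
        # pWWN entries are preferred over nWWN entries; with no entry at all
        # the port keeps its static port VSAN.
        for wwn in (pwwn.lower(), nwwn.lower()):
            if wwn in self.active:
                return self.active[wwn]
        return static_port_vsan


PWWN = "21:00:00:e0:8b:00:00:01"      # constructed sample WWNs
NWWN = "20:00:00:e0:8b:00:00:01"
OTHER_PWWN = "21:00:00:e0:8b:00:00:02"


def walkthrough():
    fabric, seen = DpvmModel(), {}
    fabric.add_entry("alice", PWWN, 10)          # first edit locks the fabric
    fabric.add_entry("alice", NWWN, 20)
    seen["config_while_pending"] = dict(fabric.config)
    try:
        fabric.add_entry("bob", PWWN, 99)
    except FabricLocked:
        seen["bob_blocked"] = True
    fabric.commit("alice")
    seen["before_activate"] = fabric.vsan_at_flogi(PWWN, NWWN, 1)
    fabric.activate()
    seen["pwwn_preferred"] = fabric.vsan_at_flogi(PWWN, NWWN, 1)
    seen["nwwn_match"] = fabric.vsan_at_flogi(OTHER_PWWN, NWWN, 1)
    fabric.add_entry("alice", PWWN, 30)          # now disagrees with active
    fabric.commit("alice")
    try:
        fabric.activate()
    except ActivationConflict as exc:
        seen["conflicts"] = exc.args[0]
    fabric.activate(force=True)
    seen["after_force"] = fabric.vsan_at_flogi(PWWN, NWWN, 1)
    return seen


if __name__ == "__main__":
    print(walkthrough())
```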

Database Merge Guidelines


A database merge refers to a union of the configuration database and static (unlearned) entries in the
active DPVM database. See the CFS Merge Support section on page 13-9 for detailed concepts.
When merging the DPVM database between two fabrics, follow these guidelines:
• Verify that the activation status and the auto-learn status are the same in both fabrics.
• Verify that the combined number of device entries in each database does not exceed 16 K.

Caution If you do not follow these two conditions, the merge will fail. The next distribution will forcefully
synchronize the databases and the activation states in the fabric.


This section describes how to merge DPVM databases and includes the following topics:
About Copying DPVM Databases
Copying DPVM Databases
Comparing Database Differences

About Copying DPVM Databases


The following circumstances may require the active DPVM database to be copied to the DPVM config
database:
If the learned entries are only added to the active DPVM database.
If the DPVM config database or entries in the DPVM config database are accidentally deleted.

Note If you copy the DPVM database and fabric distribution is enabled, you must commit the changes.

Copying DPVM Databases


To copy the currently active DPVM database to the DPVM config database using Fabric Manager, follow
these steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM in the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the Actions tab and check the CopyActive to Config check box.
Step 3 Click the CFS tab and select commit from the Config Action drop-down menu.

Comparing Database Differences


To compare the currently active database entries to the DPVM config database using Fabric Manager,
follow these steps:

Step 1 Expand Fabricxx > All VSANs and then select DPVM from the Logical Attributes pane.
You see the DPVM configuration in the Information pane.
Step 2 Click the Active Database tab.
You see the DPVM active database in the Information pane.
Step 3 Select Config from the Compare With drop-down menu.
You see the comparison dialog box.
Step 4 Select Close to close the comparison dialog box.


Default Settings
Table 28-1 lists the default settings for DPVM parameters.

Table 28-1 Default DPVM Parameters

Parameters          Default
DPVM                Disabled.
DPVM distribution   Enabled.
Autolearning        Disabled.


CHAPTER 29
Configuring Inter-VSAN Routing

This chapter explains the Inter-VSAN routing (IVR) feature and provides details on sharing resources
across VSANs using IVR management interfaces provided in the switch.
This chapter includes the following sections:
Inter-VSAN Routing
About the IVR Zone Wizard
Manual IVR Configuration
IVR Zones and IVR Zone Sets
Database Merge Guidelines
Default Settings

Inter-VSAN Routing
Virtual SANs (VSANs) improve storage area network (SAN) scalability, availability, and security by
allowing multiple Fibre Channel SANs to share a common physical infrastructure of switches and ISLs.
These benefits are derived from the separation of Fibre Channel services in each VSAN and isolation of
traffic between VSANs. Data traffic isolation between the VSANs also inherently prevents sharing of
resources attached to a VSAN, such as robotic tape libraries. Using IVR, you can access resources across
VSANs without compromising other VSAN benefits.
This section includes the following topics:
About IVR
IVR Features
IVR Limits Summary
IVR Terminology
Fibre Channel Header Modifications
IVR NAT
IVR VSAN Topology
IVR Interoperability


About IVR

Note IVR is not supported on the Cisco MDS 9124 Fabric Switch, the Cisco MDS 9134 Fabric Switch, the
Cisco Fabric Switch for HP c-Class BladeSystem, and the Cisco Fabric Switch for IBM BladeCenter.

Data traffic is transported between specific initiators and targets on different VSANs without merging
VSANs into a single logical fabric. Fibre Channel control traffic does not flow between VSANs, nor can
initiators access any resource across VSANs other than the designated ones. Valuable resources such as
tape libraries are easily shared across VSANs without compromise.
IVR is in compliance with Fibre Channel standards and incorporates third-party switches; however,
IVR-enabled VSANs may have to be configured in one of the interop modes.
IVR is not limited to VSANs present on a common switch. Routes that traverse one or more VSANs
across multiple switches can be established, if necessary, to establish proper interconnections. IVR used
in conjunction with FCIP provides more efficient business continuity or disaster recovery solutions (see
Figure 29-1).

Figure 29-1 Traffic Continuity Using IVR and FCIP

[Figure labels: FC or FCIP links (multiple links for redundancy); IVR-Enabled Transit VSAN (VSAN 4);
switches MDS1, MDS2, MDS3, MDS4; end devices T, S1, S2; VSAN 1, VSAN 2, VSAN 3]

Note OX ID based load balancing of IVR traffic from IVR-enabled switches is not supported on Generation
1 switching modules. OX ID based load balancing of IVR traffic from a non-IVR MDS switch should
work. Generation 2 switching modules support OX ID based load balancing of IVR traffic from
IVR-enabled switches.


IVR Features
IVR supports the following features:
Accesses resources across VSANs without compromising other VSAN benefits.
Transports data traffic between specific initiators and targets on different VSANs without merging
VSANs into a single logical fabric.
Shares valuable resources (like tape libraries) across VSANs without compromise.
Provides efficient business continuity or disaster recovery solutions when used in conjunction with
FCIP.
Is in compliance with Fibre Channel standards.
Incorporates third-party switches; however, IVR-enabled VSANs may have to be configured in one
of the interop modes.

IVR Terminology
The following IVR-related terms are used in this chapter:
Native VSAN: The VSAN to which an end device logs on is the native VSAN for that end device.
Current VSAN: The VSAN currently being configured for IVR.
Inter-VSAN routing zone (IVR zone): A set of end devices that are allowed to communicate across
VSANs within their interconnected SAN fabric. This definition is based on their port world wide
names (pWWNs) and their native VSAN associations. Prior to Cisco SAN-OS Release 3.0(3), you
can configure up to 2000 IVR zones and 10,000 IVR zone members on the switches in the network.
As of Cisco SAN-OS Release 3.0(3), you can configure up to 8000 IVR zones and 20,000 IVR zone
members on the switches in the network.
Inter-VSAN routing zone sets (IVR zone sets): One or more IVR zones make up an IVR zone set.
You can configure up to 32 IVR zone sets on any switch in the Cisco MDS 9000 Family. Only one
IVR zone set can be active at any time.
IVR path: An IVR path is a set of switches and Inter-Switch Links (ISLs) through which a frame
from an end device in one VSAN can reach another end device in some other VSAN. Multiple paths
can exist between two such end devices.
IVR-enabled switch: A switch on which the IVR feature is enabled.
Edge VSAN: A VSAN that initiates (source edge-VSAN) or terminates (destination edge-VSAN)
an IVR path. Edge VSANs may be adjacent to each other or they may be connected by one or more
transit VSANs. In Figure 29-1, VSANs 1, 2, and 3 are edge VSANs.

Note An edge VSAN for one IVR path can be a transit VSAN for another IVR path.

Transit VSAN: A VSAN that exists along an IVR path from the source edge VSAN of that path to
the destination edge VSAN of that path. In Figure 29-1, VSAN 4 is a transit VSAN.

Note When the source and destination edge VSANs are adjacent to each other, then a transit
VSAN is not required between them.


Border switch: An IVR-enabled switch that is a member of two or more VSANs. Border switches,
such as the IVR-enabled switch between VSAN 1 and VSAN 4 in Figure 29-1, span two or more
different color-coded VSANs.
Edge switch: A switch to which a member of an IVR zone has logged in. Edge switches are
unaware of the IVR configurations in the border switches. Edge switches need not be IVR enabled.
Autonomous fabric identifier (AFID): Allows you to configure more than one VSAN in the
network with the same VSAN ID and avoid downtime when enabling IVR between fabrics that
contain VSANs with the same ID.

IVR Limits Summary


Table 29-1 summarizes the configuration limits for IVR. See Appendix E, "Configuration Limits for
Cisco MDS SAN-OS Release 3.1(x) and 3.2(x)," for a complete list of Cisco MDS NX-OS feature
configuration limits.

Table 29-1 IVR Configuration Limits

IVR Feature        Maximum Limit
IVR zone members   20,000 IVR zone members per physical fabric as of Cisco SAN-OS Release 3.0(3).
                   10,000 IVR zone members per physical fabric prior to Cisco SAN-OS Release 3.0(3).
IVR zones          8000 IVR zones per physical fabric as of Cisco SAN-OS Release 3.0(3).
                   2000 IVR zones per physical fabric prior to Cisco SAN-OS Release 3.0(3).
IVR zone sets      32 IVR zone sets per physical fabric.

Fibre Channel Header Modifications


IVR works by virtualizing the remote end devices in the native VSAN using a virtual domain. When IVR
is configured to link end devices in two disparate VSANs, the IVR border switches are responsible for
modifying the Fibre Channel headers for all communication between the end devices. The sections of
the Fibre Channel frame headers that are modified include:
VSAN number
Source FCID
Destination FCID
When a frame goes from the initiator to the target, the Fibre Channel frame header is modified such that
the initiator VSAN number is changed to the target VSAN number. If IVR Network Address Translation
(NAT) is enabled, then the source and destination FCIDs are also translated at the edge border switch. If
IVR NAT is not enabled, then you must configure unique domain IDs for all switches involved in the
IVR path.


IVR NAT
Without Network Address Translation (NAT), IVR requires unique domain IDs for all switches in the
fabric. You can enable IVR NAT to allow non-unique domain IDs. This feature simplifies the deployment
of IVR in an existing fabric where non-unique domain IDs might be present.
To use IVR NAT, it must be enabled in all IVR-enabled switches in the fabric IVR configuration
distribution. By default, IVR NAT and IVR configuration distribution are disabled in all switches in the
Cisco MDS 9000 Family.

IVR NAT Requirements and Guidelines


Following are requirements and guidelines for using IVR NAT:
IVR NAT port login (PLOGI) requests received from hosts are delayed a few seconds to perform the
rewrite on the FC ID address. If the host's PLOGI timeout value is set to a value less than five
seconds, it may result in the PLOGI being unnecessarily aborted and the host being unable to access
the target. We recommend that you configure the host bus adapter for a timeout of at least ten
seconds (most HBAs default to a value of 10 or 20 seconds).

Note IVR NAT requires Cisco MDS SAN-OS Release 2.1(1a) or later on all switches in the fabric performing
IVR. If you have isolated switches with an earlier release that are involved in IVR, you must remove any
isolated fabrics from monitoring by Fabric Manager server and then re-open the fabric to use IVR NAT.
See the "Selecting a Fabric to Manage Continuously" section on page 3-3.

Load balancing of IVR NAT traffic across equal cost paths from an IVR-enabled switch is not
supported. However, load balancing of IVR NAT traffic over PortChannel links is supported. The
load balancing algorithm for IVR NAT traffic over port-channel with Generation 1 linecards is
SRC/DST only. Generation 2 linecards support SRC/DST/OXID based load balancing of IVR NAT
traffic across a port-channel.
You cannot configure IVR NAT and preferred Fibre Channel routes on Generation 1 module
interfaces.
IVR NAT allows you to set up IVR in a fabric without needing unique domain IDs on every switch in
the IVR path. IVR NAT virtualizes the switches in other VSANs by using local VSAN for the destination
IDs in the Fibre Channel headers. In some Extended Link Service message types, the destination IDs
are part of the payload. In these cases, IVR NAT replaces the actual destination ID with the virtualized
destination ID. IVR NAT supports destination ID replacement in the Extended Link Service messages
described in Table 29-2.

Table 29-2 Extended Link Service Messages Supported by IVR NAT

Extended Link Service Messages                      Link Service Command (LS_COMMAND)  Mnemonic
Abort Exchange                                      0x06 00 00 00                      ABTX
Discover Address                                    0x52 00 00 00                      ADISC
Discover Address Accept                             0x02 00 00 00                      ADISC ACC
Fibre Channel Address Resolution Protocol Reply     0x55 00 00 00                      FARP-REPLY
Fibre Channel Address Resolution Protocol Request   0x54 00 00 00                      FARP-REQ
Logout                                              0x05 00 00 00                      LOGO
Port Login                                          0x30 00 00 00                      PLOGI
Read Exchange Concise                               0x13 00 00 00                      REC
Read Exchange Concise Accept                        0x02 00 00 00                      REC ACC
Read Exchange Status Block                          0x08 00 00 00                      RES
Read Exchange Status Block Accept                   0x02 00 00 00                      RES ACC
Read Link Error Status Block                        0x0F 00 00 00                      RLS
Read Sequence Status Block                          0x09 00 00 00                      RSS
Reinstate Recovery Qualifier                        0x12 00 00 00                      RRQ
Request Sequence Initiative                         0x0A 00 00 00                      RSI
Scan Remote Loop                                    0x7B 00 00 00                      RSL
Third Party Process Logout                          0x24 00 00 00                      TPRLO
Third Party Process Logout Accept                   0x02 00 00 00                      TPRLO ACC

If you have a message that is not recognized by IVR NAT and contains the destination ID in the payload,
you cannot use IVR with NAT in your topology. You can still use IVR with unique domain IDs.

IVR VSAN Topology


IVR uses a configured IVR VSAN topology to determine how to route traffic between the initiator and
the target across the fabric. You can configure this IVR VSAN topology manually on an IVR-enabled
switch and distribute the configuration using CFS in Cisco MDS SAN-OS Release 2.0(1b) or later.
Alternately, in Cisco MDS SAN-OS Release 2.1(1a) or later, you can configure IVR topology in auto
mode. Prior to Cisco MDS SAN-OS Release 2.0(1b), you need to manually copy the IVR VSAN
topology to each switch in the fabric.
Auto mode automatically builds the IVR VSAN topology and maintains the topology database when
fabric reconfigurations occur. Auto mode distributes the IVR VSAN topology to IVR-enabled switches
using CFS.
Using auto mode, you no longer need to manually update the IVR VSAN topology when
reconfigurations occur in your fabric. If a manually configured IVR topology database exists, auto mode
initially uses that topology information. This reduces disruption in the network by gradually migrating
from the user-specified topology database to the automatically learned topology database. User
configured topology entries that are not part of the network are aged out in about three minutes. New
entries that are not part of the user configured database are added as they are discovered in the network.
When auto IVR topology is turned on, it starts with the previously active, if any, manual IVR topology.
Auto topology then commences its discovery process, and may come up with new, alternate or better
paths. If the traffic is switched to an alternate or better path, there may be temporary traffic disruptions
that are normally associated with switching paths.


Note IVR topology in auto mode requires Cisco MDS SAN-OS Release 2.1(1a) or later and enabling CFS for
IVR on all switches in the fabric.

Autonomous Fabric ID
The autonomous fabric ID (AFID) distinguishes segmented VSANs (that is, two VSANs that are
logically and physically separate but have the same VSAN number). Cisco MDS NX-OS supports AFIDs
from 1 through 64. AFIDs are used in conjunction with auto mode to allow segmented VSANs in the
IVR VSAN topology database. You can configure up to 64 AFIDs.
The AFID can be configured individually for each switch and list of VSANs, or the default AFID can be
configured for each switch.

Note Two VSANs with the same VSAN number but different AFIDs are counted as two VSANs out of the
total 128 VSANs allowed in the fabric.

IVR Interoperability
When using the IVR feature, all border switches in a given fabric must be Cisco MDS switches.
However, other switches in the fabric may be non-MDS switches. For example, end devices that are
members of the active IVR zone set may be connected to non-MDS switches. Non-MDS switches may
also be present in the transit VSAN(s) or in the edge VSANs if one of the interop modes is enabled.
See the "Switch Interoperability" section on page 37-8.

About the IVR Zone Wizard


The IVR Zone Wizard simplifies the steps required to configure IVR zones in a fabric. The IVR Zone
Wizard checks the following conditions and prompts you for any issues:
Checks if all switches in the fabric are Cisco MDS SAN-OS Release 2.1(1a) or later and if so, asks
if you want to migrate to using IVR NAT with auto-topology.
Checks if any switches in the fabric are earlier than Cisco MDS SAN-OS Release 2.1(1a) and if so,
asks you to upgrade the necessary switches or to disable IVR NAT or auto-topology if they are
enabled.

Configuring IVR Using the IVR Zone Wizard


To configure IVR and IVR zones using the IVR Zone Wizard in Fabric Manager, follow these steps:

Step 1 Click the IVR Zone Wizard icon in the Zone toolbar (see Figure 29-2).


Figure 29-2 IVR Zone Wizard Icon

To migrate to IVR NAT mode, click Yes; otherwise, click No. You see the IVR Zone Wizard dialog box.
Step 2 Select the VSANs that will participate in IVR in the fabric. Click Next.
You see the Select End Devices dialog box shown in Figure 29-3.

Figure 29-3 Select End Devices Dialog Box

Step 3 Select the end devices that you want to communicate over IVR.

Note If you are not using IVR NAT, Fabric Manager may display an error message if all the switches
participating in IVR do not have unique domain IDs. You must reconfigure those switches before
configuring IVR. Go to Step 5.

Step 4 If you enable IVR NAT, verify switches that Fabric Manager will enable with IVR NAT, CFS for IVR,
and IVR topology in auto mode.
Step 5 Enter the VSAN ID of the VSAN you want to use as the transit VSAN between the VSANs selected for
the IVR zone. Click Next.
Step 6 Optionally, configure a unique AFID for switches in the fabric that have non-unique VSAN IDs in the
Select AFID dialog box.


Step 7 If you did not enable IVR NAT, verify the transit VSAN or configure the transit VSAN if Fabric Manager
cannot find an appropriate transit VSAN.
Step 8 Set the IVR zone and IVR zone set.
Step 9 Verify all steps that Fabric Manager will take to configure IVR in the fabric.
Step 10 Click Finish if you want to enable IVR NAT and IVR topology and to create the associated IVR zones
and IVR zone set.
You see the Save Configuration dialog box. You can save the configuration of the master switch to be
copied to other IVR-enabled switches.
Step 11 Click Continue Activation, or you may click Cancel.
Step 12 Click Finish.

Note IVR NAT and auto-topology can be configured independently if you configure these features outside the
IVR Zone Wizard. See the "Manual IVR Configuration" section on page 29-9.

Manual IVR Configuration


You can configure IVR using the IVR tables in the Information pane in Fabric Manager. Use these tables
only if you are familiar with all IVR concepts. We recommend you configure IVR using the IVR Wizard.

Note Most tabs in the Information pane for features using CFS are dimmed until you click the CFS tab. The
CFS tab shows which switches have CFS enabled and shows the master switch for this feature. Once the
CFS tab is clicked, the other tabs in the Information pane are activated.

This section describes manually configuring IVR and includes the following topics:
About IVR NAT and Auto Topology
Configuring IVR NAT and IVR Auto Topology
About AFIDs
Configuring Default AFIDs
Configuring Individual AFIDs
About IVR Without IVR NAT or Auto Topology
Configuring IVR Without NAT
Manually Creating the IVR Topology
Activating a Manually Configured IVR Topology
Clearing the Configured IVR Topology
Migrating from IVR Auto Topology Mode to Manual Mode
About IVR Virtual Domains
Configuring IVR Virtual Domains
About Persistent FC IDs for IVR
Configuring Persistent FC IDs for IVR
Configuring IVR Logging Levels

About IVR NAT and Auto Topology


Before configuring an IVR SAN fabric to use IVR NAT and auto-topology, consider the following
guidelines:
Configure IVR only in the relevant switches.
Enable CFS for IVR on all switches in the fabric. You must first click the CFS tab in order for the
other tabs on the dialog boxes to become available.
Verify that all switches in the fabric are running Cisco MDS SAN-OS Release 2.1(1a) or later.
Acquire a mandatory Enterprise License Package or SAN-EXTENSION license package if you have
Cisco MDS SAN-OS Release 2.1(1a) or later and one active IPS card for this feature (see Chapter 10,
"Obtaining and Installing Licenses").

Note The IVR over FCIP feature is bundled with the Cisco MDS 9216i Switch and does not require the SAN
extension over IP package for the fixed IP ports on the supervisor module.

Tip If you change any FSPF link cost, ensure that the FSPF path distance (that is, the sum of the link costs
on the path) of any IVR path is less than 30,000.

Note IVR-enabled VSANs can be configured when the interop mode is enabled (any interop mode) or disabled
(no interop mode).

Transit VSAN Guidelines


Consider the following guidelines for transit VSANs:
Besides defining the IVR zone membership, you can choose to specify a set of transit VSANs to
provide connectivity between two edge VSANs:
If two edge VSANs in an IVR zone overlap, then a transit VSAN is not required (though, not
prohibited) to provide connectivity.
If two edge VSANs in an IVR zone do not overlap, you may need one or more transit VSANs
to provide connectivity. Two edge VSANs in an IVR zone will not overlap if IVR is not enabled
on a switch that is a member of both the source and destination edge VSANs.
Traffic between the edge VSANs only traverses through the shortest IVR path.
Transit VSAN information is common to all IVR zone sets. Sometimes, a transit VSAN can also act
as an edge VSAN in another IVR zone.

Border Switch Guidelines


Before configuring border switches, consider the following guidelines:


Border switches require Cisco MDS SAN-OS Release 2.1(1a) or later.


A border switch must be a member of two or more VSANs.
A border switch that facilitates IVR communications must be IVR enabled.
IVR can (optionally) be enabled on additional border switches to provide redundant paths between
active IVR zone members.
The VSAN topology configuration updates automatically when a border switch is added or removed.

Configuring IVR NAT and IVR Auto Topology


To configure IVR in NAT mode and IVR topology in auto mode from Fabric Manager, follow these steps:

Step 1 Expand All VSANs and then select IVR in the Logical Domains pane.
You see the inter-VSAN routing configuration in the Information pane shown in Figure 29-4.

Figure 29-4 IVR Routing Configuration Control Tab

Step 2 Select enable from the Admin column drop-down menu for the primary switch.
Step 3 Click the Apply Changes icon to distribute this change to all switches in the fabric.
Step 4 Click the Action tab.
Step 5 Check the Enable IVR NAT check box to enable IVR in NAT mode.
Step 6 Check the Auto Discover Topology check box to enable IVR topology in auto mode.
Step 7 Click the Apply Changes icon to enable IVR on the switches.

About AFIDs
You can configure AFIDs individually for VSANs, or you can set the default AFIDs for all VSANs on
a switch. If you configure an individual AFID for a subset of the VSANs on a switch that has a default
AFID, that subset uses the configured AFID while all other VSANs on that switch use the default AFID.
IVR supports a maximum of 64 AFIDs.


Note You can only use AFID configuration when the VSAN topology mode is automatic. In user-configured
VSAN topology mode, the AFIDs are specified in the VSAN topology configuration itself and a separate
AFID configuration is not needed.
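
The precedence rule in About AFIDs (an individual AFID for a subset of VSANs overrides the switch default) and the counting rule for segmented VSANs can be checked before the rows are entered in Fabric Manager. The following Python sketch is an added example, not Cisco or Fabric Manager code; the row formats, function names, and sample switches are constructed for illustration, and a VSAN with neither an individual nor a default AFID is reported rather than given a guessed value.

```python
from collections import defaultdict

AFID_RANGE = range(1, 65)      # the guide: AFIDs from 1 through 64
MAX_VSANS_IN_FABRIC = 128      # the guide: 128 VSANs allowed in the fabric

# Constructed sample input (not taken from the guide).
SAMPLE_SWITCH_VSANS = {"MDS1": {1, 10}, "MDS2": {10, 20}, "MDS3": {30}}
SAMPLE_DEFAULT_ROWS = [("MDS1", 1), ("MDS2", 1)]                  # Default Fabric ID tab
SAMPLE_INDIVIDUAL_ROWS = [("MDS2", 5, "10"), ("MDS3", 70, "30")]  # Fabric ID tab


def resolve_afids(switch_vsans, default_rows, individual_rows):
    """Return ({(switch, vsan): afid}, [error strings]).

    switch_vsans:    {switch: set of VSAN IDs configured on it}
    default_rows:    [(switch, default AFID)]
    individual_rows: [(switch, AFID, comma-separated VSAN list)]
    """
    errors = []
    defaults = {}
    for switch, afid in default_rows:
        if afid in AFID_RANGE:
            defaults[switch] = afid
        else:
            errors.append(f"{switch}: default AFID {afid} is outside 1-64")

    overrides = {}
    for switch, afid, vsan_list in individual_rows:
        if afid not in AFID_RANGE:
            errors.append(f"{switch}: AFID {afid} is outside 1-64")
            continue
        for token in filter(None, (t.strip() for t in vsan_list.split(","))):
            key = (switch, int(token))
            # The same VSAN on one switch cannot belong to two AFIDs.
            if overrides.setdefault(key, afid) != afid:
                errors.append(
                    f"{switch}: VSAN {token} is listed under AFID "
                    f"{overrides[key]} and AFID {afid}"
                )

    effective = {}
    for switch in sorted(switch_vsans):
        for vsan in sorted(switch_vsans[switch]):
            # Individual AFID wins; every other VSAN uses the switch default.
            afid = overrides.get((switch, vsan), defaults.get(switch))
            if afid is None:
                errors.append(f"{switch}: VSAN {vsan} has no individual or default AFID")
            else:
                effective[(switch, vsan)] = afid
    return effective, errors


def summarize(effective):
    """Count VSANs the way the guide does: one per distinct (AFID, VSAN) pair."""
    afids_by_vsan = defaultdict(set)
    for (_switch, vsan), afid in effective.items():
        afids_by_vsan[vsan].add(afid)
    counted = sum(len(afids) for afids in afids_by_vsan.values())
    return {
        # Same VSAN number under more than one AFID: segmented VSANs.
        "segmented": {v: sorted(a) for v, a in afids_by_vsan.items() if len(a) > 1},
        "vsan_count": counted,
        "within_limit": counted <= MAX_VSANS_IN_FABRIC,
    }


if __name__ == "__main__":
    eff, errs = resolve_afids(
        SAMPLE_SWITCH_VSANS, SAMPLE_DEFAULT_ROWS, SAMPLE_INDIVIDUAL_ROWS
    )
    print(summarize(eff))
    for line in errs:
        print("ERROR", line)
```
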

Configuring Default AFIDs


To configure default AFIDs using Fabric Manager, follow these steps:

Step 1 Expand All VSANs and then select IVR in the Logical Domains pane.
You see the IVR configuration in the Information pane.
Step 2 Click the Default Fabric ID tab to display the existing default AFIDs.
Step 3 Click the Create Row icon to create a default AFID.
Step 4 Check the check boxes next to each switch involved in IVR that you want to use this default AFID.
Step 5 Provide a name for each SwitchWWN and set the default Fabric ID.
Step 6 Click Create to create this entry.
Step 7 Repeat Step 1 through Step 6 for all default AFIDs that you want to configure in your IVR topology.

Configuring Individual AFIDs


To configure individual AFIDs using Fabric Manager, follow these steps:

Step 1 Expand All VSANs and then select IVR in the Logical Domains pane.
You see the IVR configuration in the Information pane.

Figure 29-5 Fabric ID Tab

Step 2 Click the Fabric ID tab to display the existing AFIDs (see Figure 29-5).
Step 3 Click the Create Row icon to create an AFID.


Step 4 Check the check box next to each switch involved in IVR that you want to use this default AFID.
Step 5 Provide a name for each SwitchWWN and set the Fabric ID.
Step 6 Enter a comma-separated list of VSAN IDs in the VSAN List text box.
Step 7 Click Create to create this entry.
Step 8 Repeat Step 1 through Step 6 for all switches and AFIDs you want to configure in your IVR topology.

Configuring IVR Without IVR NAT or Auto Topology


Before configuring an IVR SAN fabric without IVR in NAT mode or IVR topology in auto mode,
consider the following guidelines:
Configure unique domain IDs across all VSANs and switches participating in IVR operations if you
are not using IVR NAT. The following switches participate in IVR operations:
All edge switches in the edge VSANs (source and destination)
All switches in transit VSANs
Configure IVR only in the relevant border switches.
Acquire a mandatory Enterprise License Package or SAN-EXTENSION license package and one
active IPS card for this feature.

Tip If you change any FSPF link cost, ensure that the FSPF path distance (that is, the sum of the link costs
on the path) of any IVR path is less than 30,000.

Note IVR-enabled VSANs can be configured when the interop mode is enabled (any interop mode) or disabled
(no interop mode).

Domain ID Guidelines
Domain IDs must be unique across inter-connected VSANs when not using IVR NAT. To ensure unique
domain IDs across inter-connected VSANs, consider these guidelines:
Minimize the number of switches that require a domain ID assignment. This ensures minimum
traffic disruption.
Minimize the coordination between interconnected VSANs when configuring the SAN for the first
time as well as when you add each new switch.
You can configure domain IDs using one of two options:
Configure the allowed-domains list so that the domains in different VSANs are non-overlapping on
all participating switches and VSANs.
Configure static, non-overlapping domains for each participating switch and VSAN.


Note In a configuration involving IVR without NAT, if one VSAN in the IVR topology is configured with
static domain IDs, then the other VSANs (edge or transit) in the topology should be configured with
static domain IDs.

Transit VSAN Guidelines


Before configuring transit VSANs, consider the following guidelines:
- Besides defining the IVR zone membership, you can choose to specify a set of transit VSANs to
  provide connectivity between two edge VSANs:
  - If two edge VSANs in an IVR zone overlap, then a transit VSAN is not required (though, not
    prohibited) to provide connectivity.
  - If two edge VSANs in an IVR zone do not overlap, you may need one or more transit VSANs
    to provide connectivity. Two edge VSANs in an IVR zone will not overlap if IVR is not enabled
    on a switch that is a member of both the source and destination edge VSANs.
- Traffic between the edge VSANs only traverses through the shortest IVR path.
- Transit VSAN information is common to all IVR zone sets. Sometimes, a transit VSAN can also act
  as an edge VSAN in another IVR zone.

Border Switch Guidelines


Before configuring border switches, consider the following guidelines:
- Border switches require Cisco MDS SAN-OS Release 1.3(1) or later.
- A border switch must be a member of two or more VSANs.
- A border switch that facilitates IVR communications must be IVR enabled.
- IVR can (optionally) be enabled on additional border switches to provide redundant paths between
  active IVR zone members.
- The VSAN topology configuration must be updated before a border switch is added or removed.

Configuring IVR Without NAT


To configure IVR without NAT mode from Fabric Manager, follow these steps:

Step 1 Expand All VSANs and then select IVR in the Logical Domains pane.
You see the IVR configuration in the Information pane.

Figure 29-6 Action Tab


Step 2 Click the Action tab.


Step 3 Uncheck the Enable IVR NAT check box (see Figure 29-6).
Step 4 Click the Apply Changes icon to distribute this change to all switches in the fabric.

Manually Creating the IVR Topology


You must create the IVR topology in every IVR-enabled switch in the fabric if you have not configured
IVR topology in auto mode. You can have up to 128 VSANs in an IVR topology. Specify the IVR
topology using the following information:
- The switch WWNs of the IVR-enabled switches.
- A minimum of two VSANs to which the IVR-enabled switch belongs.
- The AFID, which distinguishes two VSANs that are logically and physically separate, but have the
  same VSAN number. You can specify up to 64 AFIDs. See Figure 29-7.

Figure 29-7 Example IVR Topology with Non-Unique VSAN IDs Using AFIDs

[Figure labels: VSAN 10 (AFID 2) and VSAN 10 (AFID 5), each attached to an IVR-enabled MDS switch; VSAN 5 is the transit VSAN.]

Note If two VSANs in an IVR topology have the same VSAN ID and different AFIDs, they count as two
VSANs for the 128-VSAN limit for IVR.

Note The use of a single AFID does not allow for segmented VSANs in an inter-VSAN routing topology.

Caution You can only configure a maximum of 128 IVR-enabled switches and 128 distinct VSANs in an IVR
topology (see the Database Merge Guidelines section on page 29-31).

To create the IVR topology using Fabric Manager, follow these steps:

Step 1 Expand All VSANs and then select IVR in the Logical Domains pane.
You see the IVR configuration in the Information pane.


Figure 29-8 Local Topology Tab

Step 2 Click the Local Topology tab to display the existing IVR topology.
Step 3 Click the Create Row icon to create rows in the IVR topology (see Figure 29-8).
Step 4 Select the switch, switch WWN, and a comma-separated list of VSAN IDs for this topology.
Step 5 Click Create to create this new row.
Step 6 Click the Apply Changes icon to create the IVR topology.

Note Repeat this configuration in all IVR-enabled switches or distribute using CFS.

Tip Transit VSANs are deduced based on your configuration. The IVR feature does not have an explicit
transit-VSAN configuration.

Activating a Manually Configured IVR Topology


After manually configuring the IVR topology, you must activate it.

Caution Active IVR topologies cannot be deactivated. You can only switch to IVR topology automatic mode.

To activate the manually configured IVR topology using Fabric Manager, follow these steps:

Step 1 Expand All VSANs and then select IVR in the Logical Domains pane.
You see the IVR configuration in the Information pane.

Figure 29-9 Action Tab

Step 2 Click the Action tab to display the existing IVR topology.
Step 3 Check the Activate Local Topology check box (see Figure 29-9).


Step 4 Click the Apply Changes icon to activate the IVR topology.

Clearing the Configured IVR Topology


You can only clear manually created IVR VSAN topology entries from the configured database.
To clear the IVR topology using Fabric Manager, follow these steps:

Step 1 Expand All VSANs and then select IVR in the Logical Domains pane.
Step 2 Click the Control tab if it is not already displayed.
Step 3 Highlight the rows you want to delete from the IVR topology.
Step 4 Click the Delete Row icon to delete these rows from the IVR topology.
Step 5 Click the Apply Changes icon to delete the IVR topology.

Migrating from IVR Auto Topology Mode to Manual Mode


If you want to migrate the active IVR VSAN topology database from automatic mode to user-configured
mode, first copy the active IVR VSAN topology database to the user-configured IVR VSAN topology
database before switching modes.
To migrate from automatic mode to manual mode using Fabric Manager, follow these steps:

Step 1 Expand All VSANs and then select IVR in the Logical Domains pane.
You see the IVR configuration in the Information pane.

Figure 29-10 Action Tab

Step 2 Click the Action tab.


Step 3 Highlight the switch on which you want to disable auto topology mode.
Step 4 Uncheck the Auto Discover Topology check box (see Figure 29-10).
Step 5 Click the Apply Changes icon.


About IVR Virtual Domains


In a remote VSAN, the IVR application does not automatically add the virtual domain to the assigned
domains list. Some switches (for example, the Cisco SN5428) do not query the remote name server until
the remote domain appears in the assigned domains list in the fabric. In such cases, add the IVR virtual
domains in a specific VSAN(s) to the assigned domains list in that VSAN. When adding IVR domains,
all IVR virtual domains that are currently present in the fabric (and any virtual domain that is created in
the future) will appear in the assigned domain list for that VSAN.

Tip Be sure to add IVR virtual domains if Cisco SN5428 or MDS 9020 switches exist in the VSAN.

When you enable the IVR virtual domains, links may fail to come up due to overlapping virtual domain
identifiers. If so, temporarily withdraw the overlapping virtual domain from that VSAN.

Note Withdrawing an overlapping virtual domain from an IVR VSAN disrupts IVR traffic to and from that
domain.

Tip Only add IVR domains in the edge VSANs and not in transit VSANs.

Configuring IVR Virtual Domains


To add IVR virtual domains using Fabric Manager, follow these steps:

Step 1 Expand All VSANs and then select IVR in the Logical Domains pane.
You see the IVR configuration in the Information pane.

Figure 29-11 Domains Tab

Step 2 Click the Domains tab to display the existing IVR topology.
Step 3 Click the Create Row icon to create rows in the IVR topology (see Figure 29-11).
Step 4 Enter the Current Fabric, Current VSAN, Native Fabric, Native VSAN and Domain ID in the dialog box.
These are the VSANs that will add the IVR virtual domains to the assigned domains list.
Step 5 Click Create to create this new row.


About Persistent FC IDs for IVR


You can configure persistent FC IDs for IVR. FC ID persistence across reboot improves IVR
management by providing the following features:
- Allows you to control and assign a specific virtual domain to use for a native VSAN.
- Allows you to control and assign a specific virtual FC ID to use for a device.
The benefits of persistent FC IDs for IVR are as follows:
- Host devices always see the same FC ID for targets.
- It helps you plan your SAN layout better by assigning virtual domains for IVR to use.
- It can make SAN monitoring and management easier. When you see the same domain or FC ID
  consistently assigned, you can readily determine the native VSAN or device to which it refers.
You can configure two types of database entries for persistent IVR FC IDs:
- Virtual domain entries: Contain the virtual domain that should be used to represent a native VSAN
  in a specific VSAN (current VSAN). These entries contain the following information:
  - Native AFID
  - Native VSAN
  - Current AFID
  - Current VSAN
  - Virtual domain to be used for the native AFID and VSAN in current AFID and VSAN
- Virtual FC ID entries: Contain the virtual FC ID that should be used to represent a device in a
  specific VSAN (current VSAN). These entries contain the following information:
  - Port WWN
  - Current AFID
  - Current VSAN
  - Virtual FC ID to be used to represent a device for the given pWWN in the current AFID and
    VSAN

Note If you use persistent FC IDs for IVR, we recommend that you use them for all the devices in the IVR
zoneset. We do not recommend using persistent FC IDs for some of the IVR devices while using
automatic allocation for others.

Note IVR NAT must be enabled to use IVR persistent FC IDs.

Note In an IVR NAT configuration, if one VSAN in the IVR topology is configured with static domain IDs,
then the IVR domains that can be exported to that VSAN must also be assigned static domains.

Configuring Persistent FC IDs for IVR


To configure persistent FC IDs for IVR using Fabric Manager, follow these steps:


Step 1 Expand All VSANs and then select IVR in the Logical Domains pane.
You see the IVR configuration in the Information pane.

Figure 29-12 FCID Tab

Step 2 Click the FCID tab.


Step 3 Click the Create Row icon to create an FC ID (see Figure 29-12).
Step 4 Select the switch for which you are configuring the virtual FC ID to be used to represent a device in a
specific VSAN (current VSAN).
Step 5 Enter the current fabric in the Current Fabric ID field for the fcdomain database.
Step 6 Enter the current VSAN in the Current VSAN ID field for the fcdomain database.
Step 7 Enter the pWWN.
Step 8 Click the drop-down menu to select the FC ID to map to the pWWN you selected.
Step 9 Click Create to create this new row.

Configuring IVR Logging Levels


To configure the severity level for logging messages from the IVR feature using Fabric Manager, follow
these steps:

Step 1 Expand Switches > Events and then select Syslog from the Physical Attributes pane.
Step 2 Click the Severity Levels tab.
Step 3 Click the Facility column header to sort the table by facility name.
Step 4 Select the severity level at which the IVR logs system messages from the Severity drop-down menu (see
Figure 29-13).


Figure 29-13 Syslog Severity Drop-Down Menu

Tip Setting the severity to warning means that all IVR messages at the warning level or above will
be logged to Fabric Manager.

Step 5 Click the Apply Changes icon to save these changes locally.

IVR Zones and IVR Zone Sets


As part of the IVR configuration, you need to configure one or more IVR zones to enable cross-VSAN
communication. To achieve this result, you must specify each IVR zone as a set of (pWWN, VSAN)
entries. Like zones, several IVR zone sets can be configured to belong to an IVR zone. You can define
several IVR zone sets and activate only one of the defined IVR zone sets.

Note The same IVR zone set must be activated on all of the IVR-enabled switches.

Caution Prior to Cisco SAN-OS Release 3.0(3) you can only configure a total of 10,000 zone members on all
switches in a network. As of Cisco SAN-OS Release 3.0(3) you can only configure a total of 20,000 zone
members on all switches in a network. A zone member is counted twice if it exists in two zones. See the
Database Merge Guidelines section on page 29-31.

This section describes configuring IVR zones and IVR zone sets and includes the following topics:
- About IVR Zones
- Configuring IVR Zones and IVR Zone Sets
- About Activating Zone Sets and Using the force Option
- Recovering an IVR Full Zone Database
- Recovering an IVR Full Topology
- About LUNs in IVR Zoning
- Configuring LUNs in IVR Zoning
- About QoS in IVR Zones
- Configuring QoS for IVR Zones
- Clearing the IVR Zone Database
- Configuring IVR Using Read-Only Zoning
- System Image Downgrading Considerations

About IVR Zones


Table 29-3 identifies the key differences between IVR zones and zones.

Table 29-3 Key Differences Between IVR Zones and Zones

IVR Zones | Zones
IVR zone membership is specified using the VSAN and pWWN combination. | Zone membership is specified using pWWN, fabric WWN, sWWN, or the AFID.
Default zone policy is always deny (not configurable). | Default zone policy is deny (configurable).

Automatic IVR Zone Creation


Figure 29-14 depicts an IVR zone consisting of four members. To allow pwwn1 to communicate with
pwwn2, they must be in the same zone in VSAN 1, as well as in VSAN 2. If they are not in the same
zone, then the hard-zoning ACL entries will prohibit pwwn1 from communicating with pwwn2.
A zone corresponding to each active IVR zone is automatically created in each edge VSAN specified in
the active IVR zone. All pWWNs in the IVR zone are members of these zones in each VSAN.


Figure 29-14 Creating Zones Upon IVR Zone Activation

[Figure: IVR zone OLTP_Backup (active IVZ members VSAN1/pwwn1, VSAN2/pwwn2, VSAN2/pwwn3, VSAN3/pwwn4) produces a zone named IVRZ_OLTP_Backup containing pwwn1, pwwn2, pwwn3, and pwwn4 in the active zone sets of VSAN 1, VSAN 2, and VSAN 3.]

The zones are created automatically by the IVR process when an IVR zone set is activated. They are not
stored in a full zone set database and are lost when the switch reboots or when a new zone set is activated.
The IVR feature monitors these events and adds the zones corresponding to the active IVR zone set
configuration when a new zone set is activated. Like zone sets, IVR zone sets are also activated
nondisruptively.

Note If pwwn1 and pwwn2 are in an IVR zone in the current as well as the new IVR zone set, then activation
of the new IVR zone set does not cause any traffic disruption between them.

IVR zone and IVR zone set names are restricted to 64 alphanumeric characters.

Caution Prior to Cisco SAN-OS Release 3.0(3) you can only configure a total of 2000 IVR zones and 32 IVR
zone sets on the switches in the network. As of Cisco SAN-OS Release 3.0(3) you can only configure a
total of 8000 IVR zones and 32 IVR zone sets on the switches in the network. See the Database Merge
Guidelines section on page 29-31.
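
The automatic zone creation described above can be modeled offline to review what an IVR zone set will permit before it is activated. The following Python sketch is an added example, not Cisco code: it expands the Figure 29-14 IVR zone into the per-VSAN IVRZ_ zones and compares two IVR zone sets to list which member pairs keep, gain, or lose connectivity. The function names and the data layout are assumptions made for this illustration.

```python
from itertools import combinations


def figure_29_14_zone_set():
    """The IVR zone from Figure 29-14 as {IVR zone name: [(VSAN, pWWN), ...]}."""
    return {"OLTP_Backup": [(1, "pwwn1"), (2, "pwwn2"), (2, "pwwn3"), (3, "pwwn4")]}


def expand_ivr_zone_set(ivr_zones):
    """Return {vsan: {zone name: [pWWNs]}} for the zones IVR adds on activation.

    One zone per active IVR zone is created in each edge VSAN named in that
    IVR zone, and every pWWN of the IVR zone is a member in every such VSAN.
    The IVRZ_ prefix follows the IVRZ_OLTP_Backup name shown in the figure.
    """
    per_vsan = {}
    for name, members in ivr_zones.items():
        pwwns = sorted({pwwn for _vsan, pwwn in members})
        for vsan in sorted({vsan for vsan, _pwwn in members}):
            per_vsan.setdefault(vsan, {})["IVRZ_" + name] = pwwns
    return per_vsan


def permitted_pairs(ivr_zones):
    """Every pair of (VSAN, pWWN) members that shares at least one IVR zone.

    The IVR default zone policy is always deny, so a pair that is not in this
    set is not granted connectivity by the IVR zone set.
    """
    pairs = set()
    for members in ivr_zones.values():
        pairs.update(combinations(sorted(set(members)), 2))
    return pairs


def activation_diff(current, new):
    """Compare two IVR zone sets before activating the new one.

    "kept" pairs are zoned together in both sets, so activation does not
    disrupt traffic between them; "removed" pairs lose access; "added"
    pairs gain access and deserve a review.
    """
    cur, nxt = permitted_pairs(current), permitted_pairs(new)
    return {
        "kept": sorted(cur & nxt),
        "added": sorted(nxt - cur),
        "removed": sorted(cur - nxt),
    }


if __name__ == "__main__":
    active = figure_29_14_zone_set()
    for vsan, zones in expand_ivr_zone_set(active).items():
        print("VSAN", vsan, zones)
    # Constructed candidate zone set: OLTP_Backup shrinks to two members.
    candidate = {"OLTP_Backup": [(1, "pwwn1"), (2, "pwwn2")]}
    print(activation_diff(active, candidate))
```
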

Configuring IVR Zones and IVR Zone Sets


To create IVR zones and IVR zone sets using Fabric Manager, follow these steps:

Step 1 Choose Zone > IVR > Edit Local Full Zone Database.
You see the Edit IVR Local Full Zone Database dialog box for the selected VSAN (see Figure 29-15).


Figure 29-15 Edit IVR Local Full Zone Database Dialog Box

If you want to view zone membership information, right-click in the Members column, and then click
Show Details for the current row or all rows from the pop-up menu.
Step 2 Click Zones in the left pane and click the Insert icon to create a zone.
You see the Create IVR Zone dialog box shown in Figure 29-16.

Figure 29-16 Create IVR Zone Dialog Box

Step 3 Enter an IVR zone name.


Step 4 Check one of the following check boxes:
a. Read Only: The zone permits read and denies write.
b. Permit QoS traffic with Priority: You set the priority from the drop-down menu.
Step 5 Click OK to create the IVR zone.
Step 6 To add members to this zone, select the members you want to add from the Fabric pane (see
Figure 29-17) and click Add to Zone.


Figure 29-17 Edit IVR Local Full Zone Database Dialog Box

Step 7 Alternatively, click the zone where you want to add members and click the Insert icon.
You see the Add Member to Zone dialog box shown in Figure 29-18.

Figure 29-18 Add Member to IVR Zone Dialog Box

Step 8 If you added a zone set, select the new zone set and then click Activate.
You see the Save Configuration dialog box shown in Figure 29-19.


Figure 29-19 Save Configuration Dialog Box

Step 9 Check the Save Running to Startup Configuration check box to save all changes to the startup
configuration.
Step 10 Click Continue Activation to activate the zone set.

Note Sometimes zone names beginning with prefix IVRZ and a zone set with name nozoneset appear
in a logical view. The zones with prefix IVRZ are IVR zones that get appended to regular active
zones. The prefix IVRZ is appended to active IVR zones by the system. Similarly the zone set
with name nozoneset is an IVR active zone set created by the system if no active zone set is
available for that VSAN and if the ivrZonesetActivateForce flag is enabled on the switch.

In the server.properties file, you can set the property zone.ignoreIVRZones to true or false to
either hide or view IVR zones as part of regular active zones. See the Fabric Manager Server
Properties File section on page 3-4 for more information on the server.properties file.

Note Do not create a zone with the prefix IVRZ or a zone set with the name nozoneset. These names are
used by the system for identifying IVR zones.

Step 11 Select the new zone or zone set from the list in the Information pane and then click Distribute.

About Activating Zone Sets and Using the force Option


Once the zone sets have been created and populated, you must activate the zone set. When you activate
an IVR zone set, IVR automatically adds an IVR zone to the regular active zone set of each edge VSAN.
If a VSAN does not have an active zone set, IVR can only activate an IVR zone set using the force option,
which causes IVR to create an active zone set called nozoneset and adds the IVR zone to that active
zone set.

Caution If you deactivate the regular active zone set in a VSAN, the IVR zone set is also deactivated. This occurs
because the IVR zone in the regular active zone set, and all IVR traffic to and from the switch, is stopped.
To reactivate the IVR zone set, you must reactivate the regular zone set.


Note If IVR and iSLB are enabled in the same fabric, at least one switch in the fabric must have both features
enabled. Any zoning related configuration or activation operation (for normal zones, IVR zones, or iSLB
zones) must be performed on this switch. Otherwise, traffic might be disrupted in the fabric.

You can also use the force activate option to activate IVR zone sets. Table 29-4 lists the various
scenarios with and without the force activate option.

Table 29-4 IVR Scenarios with and without the Force Activate Option

Case | Default Zone Policy | Active Zone Set before IVR Zone Activation | Force Activate Option Used? | IVR Zone Set Activation Status | Active IVR Zone Created? | Possible Traffic Disruption
1 | Deny | No active zone set | No | Failure | No | No
2 | Deny | No active zone set | Yes | Success | Yes | No
3 (1) | Deny | Active zone set present | No/Yes | Success | Yes | No
4 | Permit | No active zone set or active zone set present | No | Failure | No | No
5 | Permit | No active zone set or active zone set present | Yes | Success | Yes | Yes
1. We recommend that you use the Case 3 scenario.

Caution Using the force activate option of IVR zone set activation may cause traffic disruption, even for devices
that are not involved in IVR. For example, if your configuration does not have any active zone sets and
the default zone policy is permit, then an IVR zone set activation will fail. However, IVR zone set
activation will go through if the force activate option is used. Because zones are created in the edge
VSANs corresponding to each IVR zone, traffic may be disrupted in edge VSANs where the default zone
policy is permit.

To activate or deactivate an existing IVR zone set using Fabric Manager, follow these steps:

Step 1 Click Zone and then select Edit Local Full Zone Database as shown in Figure 29-20.

Figure 29-20 Zone Menu

You see the Edit Local Full Zone Database dialog box in Figure 29-21.


Figure 29-21 Edit Zone Database Dialog Box

Step 2 Select a Zoneset folder and then click Activate to activate the zone set (shown in Figure 29-21) or click
Deactivate to deactivate an activated zone set.
You see the Save Configuration dialog box shown in Figure 29-22.

Figure 29-22 Save Configuration Options for a New Zone Set

Step 3 (Optional) Check one of the Save Running to Configuration check boxes to save these changes to the
startup configuration (see Figure 29-22).
Step 4 Click Continue Activation to activate the zone set (see Figure 29-22) or Yes if you are deactivating the
zone set.

Note The active zone set in Edit Zone is shown in bold if any change has been made to the full zone
set resulting in a difference between the active zone set and full zone set. Activating the zone set
unbolds it.

Recovering an IVR Full Zone Database


You can recover an IVR zone database by copying the IVR full zone database from another switch.
To recover an IVR zone database using Fabric Manager, follow these steps:

Step 1 Choose Zone > IVR > Edit Local Full Zone Database.
You see the Edit IVR Local Full Zone Database dialog box.


Step 2 Choose Edit > Copy Full Zone Database.


You see the Copy Full Zone Database dialog box shown in Figure 29-23.

Figure 29-23 Copy Full Zone Database Dialog Box

Step 3 Choose either Active or Full, depending on which type of IVR database you want to copy.
Step 4 Select the source switch from which to copy the information from the drop-down list.
Step 5 Select the destination switch from the drop-down list.
Step 6 Click Copy to copy the database.

Recovering an IVR Full Topology


You can recover a topology by copying from the active zone database or the full zone database.
To recover a zone topology using Fabric Manager, follow these steps:

Step 1 Choose Zone > IVR > Edit Local Full Zone Database.
You see the Edit IVR Local Full Zone Database dialog box.
Step 2 Choose Edit > Copy Full Topology.
You see the Copy Full Topology dialog box shown in Figure 29-24.

Figure 29-24 Copy Full Topology Dialog Box

Step 3 Choose either Active or Full, depending on which type of IVR database you want to copy from.
Step 4 Select the source switch from which to copy the information from the drop-down list.
Step 5 Select the destination switch from the drop-down list.


Step 6 Click Copy to copy the topology.

About LUNs in IVR Zoning


LUN zoning can be used between members of active IVR zones. You can configure the service by
creating and activating LUN zones between the desired IVR zone members in all relevant edge VSANs
using the zoning interface or you can use LUN zoning directly supported by IVR. For more details on
the advantages of LUN zoning, see the About LUN Zoning section on page 30-40.

Configuring LUNs in IVR Zoning


You can configure LUN zoning in an IVR zone set setup.
To configure LUNs in IVR zoning, refer to the Cisco MDS 9000 Family CLI Configuration Guide.

About QoS in IVR Zones


You can configure a QoS attribute for an IVR zone. The default QoS attribute setting is low.

Configuring QoS for IVR Zones


To configure QoS for an IVR zone using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Edit IVR Local Full Zone Database dialog box for the VSAN you selected.
Step 2 Select Zones or a zone set.
Step 3 Check the QoS check box and set the QoS priority.
Step 4 Click Activate to make the changes.

Note If other QoS attributes are configured, the highest setting takes priority.

Renaming IVR Zones and IVR Zone Sets


You can rename IVR zones and IVR zone sets.
To rename an IVR zone or IVR zone set, using Fabric Manager, follow the steps below:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Edit IVR Local Full Zone Database dialog box for the VSAN you selected.


Step 2 Click a zone or zone set in the left pane.


Step 3 Choose Edit > Rename.
An edit box appears around the zone or zone set name.
Step 4 Enter a new name.
Step 5 Click Activate or Commit Changes.

Clearing the IVR Zone Database


Clearing a zone set only erases the configured zone database, not the active zone database.
To clear the IVR zone database, refer to the Cisco MDS 9000 CLI Configuration Guide.

Configuring IVR Using Read-Only Zoning


Read-only zoning (with or without LUNs) can be used between members of active IVR zones. To
configure this service, you must create and activate read-only zones between the desired IVR zone
members in all relevant edge VSANs using the zoning interface.

Note Read-only zoning cannot be configured in an IVR zone set setup.

System Image Downgrading Considerations


As of Cisco MDS SAN-OS Release 3.0(3), you can configure 8000 IVR zones and 20,000 IVR zone
members. If you want to downgrade to a release prior to Cisco SAN-OS Release 3.0(3), the number of
IVR zones cannot exceed 2000 and the number of IVR zone members cannot exceed 10,000.

Database Merge Guidelines


A database merge refers to a union of the configuration database and static (unlearned) entries in the
active database. See the CFS Merge Support section on page 13-9 for detailed concepts.
Be aware of the following conditions when merging two IVR fabrics:
- The IVR configurations are merged even if two fabrics contain different configurations.
- If dissimilar zones exist in two merged fabrics, the zone from each fabric is cloned in the
  distributed zone set with appropriate names (see Figure 29-25).


Figure 29-25 Fabric Merge Consequences

[Figure: Fabric X (zone set ivzs1, zone ivz1 with wwn1 and wwn2) and Fabric Y (zone set ivzs1, zone ivz1 with wwn3 and wwn4), each made up of Cisco MDS switches, are joined by an ISL into Fabric XY. Before the merge the fabrics hold dissimilar zones; after the merge both zones are contained in zone set ivzs1 on every switch.]

You can configure different IVR configurations in different Cisco MDS switches.
Be aware that the merge follows more liberal approach in order to avoid traffic disruption. After the
merge, the configuration will be a union of the configurations that were present on the two switches
involved in the merge.
The configurations are merged even if both fabrics have different configurations.
A union of zones and zone sets are used to get the merged zones and zone sets. If a dissimilar
zone exists in two fabrics, the dissimilar zones are cloned into the zone set with appropriate
names so both zones are present.
The merged topology contains a union of the topology entries for both fabrics.
The merge will fail if the merged database contains more topology entries than the allowed
maximum.
The total number of VSANs across the two fabrics cannot exceed 128.

Note VSANs with the same VSAN ID but different AFIDs are counted as two separate VSANs.

The total number of IVR-enabled switches across the two fabrics cannot exceed 128.
The total number of zone members across the two fabrics cannot exceed 10,000. As of Cisco
SAN-OS Release 3.0(3), the total number of zone members across the two fabrics cannot exceed
20,000. A zone member is counted twice if it exists in two zones.


Note If only some of the switches in the fabrics are running Cisco SAN-OS Release 3.0(3) or later, and the
number of zone members exceeds 10,000, you must either reduce the number of zone members in the
fabric or upgrade all switches in both fabrics to Cisco SAN-OS Release 3.0(3) or later.

The total number of zones across the two fabrics cannot exceed 2000. As of Cisco SAN-OS
Release 3.0(3), the total number of zones across the two fabrics cannot exceed 8000.

Note If only some of the switches in the fabrics are running Cisco SAN-OS Release 3.0(3) or later, and if the
number of zones exceeds 2000, you must either reduce the number of zones in the fabric or upgrade all
switches in both fabrics to Cisco SAN-OS Release 3.0(3) or later.

The total number of zone sets across the two fabrics cannot exceed 32.
Table 29-5 describes the results of a CFS merge of two IVR-enabled fabrics under different conditions.

Table 29-5 Results of Merging Two IVR-Enabled Fabrics

IVR Fabric 1 | IVR Fabric 2 | After Merge
NAT enabled | NAT disabled | Merge succeeds and NAT enabled
Auto mode on | Auto mode off | Merge succeeds and auto mode on
Conflicting AFID database | | Merge fails
Conflicting IVR zone set database | | Merge succeeds with new zones created to resolve conflicts
Combined configuration exceeds limits (such as maximum number of zones or VSANs) | | Merge fails
Service group 1 | Service group 2 | Merge succeeds with service groups combined
User-configured VSAN topology configuration with conflicts | | Merge fails
User-configured VSAN topology configuration without conflicts | | Merge succeeds

Caution If you do not follow these conditions, the merge will fail. The next distribution will forcefully
synchronize the databases and the activation states in the fabric.
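
The merge rules and limits above can be evaluated before two IVR fabrics are joined. The following Python example is added here and is not Cisco code or Fabric Manager output: the data model, the clone naming (zone name plus fabric name) and the sample fabrics are assumptions, and it covers the AFID-conflict, zone-cloning, limit, NAT and auto-mode rows of Table 29-5.

```python
from dataclasses import dataclass

# Limits quoted in the merge guidelines above. The higher zone and zone-member
# limits apply only when every switch in both fabrics runs SAN-OS 3.0(3) or later.
MAX_VSANS = 128
MAX_IVR_SWITCHES = 128
MAX_ZONE_SETS = 32
MAX_ZONES = {False: 2000, True: 8000}
MAX_ZONE_MEMBERS = {False: 10000, True: 20000}


@dataclass
class IvrFabric:
    name: str
    afid_db: dict       # (switch WWN, VSAN ID) -> AFID; this data model is an assumption
    ivr_switches: set   # WWNs of the IVR-enabled switches
    zones: dict         # IVR zone name -> frozenset of member WWNs
    zone_sets: dict     # IVR zone set name -> set of zone names
    nat: bool = False
    auto_topology: bool = False
    all_3_0_3_or_later: bool = True


@dataclass
class MergeResult:
    ok: bool
    failures: list
    zones: dict
    zone_sets: dict
    cloned: list
    nat: bool
    auto_topology: bool


def precheck_merge(a, b):
    """Predict the outcome of merging two IVR fabrics using the rules on this page."""
    failures = []

    # Table 29-5: a conflicting AFID database makes the merge fail.
    for key in sorted(a.afid_db.keys() & b.afid_db.keys()):
        if a.afid_db[key] != b.afid_db[key]:
            failures.append(f"AFID conflict: switch {key[0]} VSAN {key[1]}")

    # Zones and zone sets are merged as a union. A zone name that has different
    # members in each fabric is cloned once per fabric so both zones survive.
    dissimilar = sorted(z for z in a.zones.keys() & b.zones.keys()
                        if a.zones[z] != b.zones[z])
    zones, zone_sets = {}, {}
    for fab in (a, b):
        rename = {z: f"{z}_{fab.name}" for z in dissimilar}  # clone naming is assumed
        for z, members in fab.zones.items():
            zones[rename.get(z, z)] = frozenset(members)
        for zs, names in fab.zone_sets.items():
            zone_sets.setdefault(zs, set()).update(rename.get(z, z) for z in names)

    # The same VSAN ID under a different AFID counts as a separate VSAN.
    vsans = {(afid, vsan) for db in (a.afid_db, b.afid_db)
             for (_sw, vsan), afid in db.items()}
    newer = a.all_3_0_3_or_later and b.all_3_0_3_or_later
    counts = [
        ("VSANs", len(vsans), MAX_VSANS),
        ("IVR-enabled switches", len(a.ivr_switches | b.ivr_switches), MAX_IVR_SWITCHES),
        ("zone sets", len(zone_sets), MAX_ZONE_SETS),
        ("zones", len(zones), MAX_ZONES[newer]),
        # A zone member is counted twice if it exists in two zones.
        ("zone members", sum(len(m) for m in zones.values()), MAX_ZONE_MEMBERS[newer]),
    ]
    failures += [f"{what}: {n} exceeds {limit}" for what, n, limit in counts if n > limit]

    return MergeResult(ok=not failures, failures=failures, zones=zones,
                       zone_sets=zone_sets, cloned=dissimilar,
                       nat=a.nat or b.nat,  # NAT enabled + NAT disabled -> NAT enabled
                       auto_topology=a.auto_topology or b.auto_topology)


# Constructed sample modelled on Figure 29-25: both fabrics define zone ivz1 in
# zone set ivzs1, but with different members.
FABRIC_X = IvrFabric("X", {("sw-x1", 1): 1}, {"sw-x1"},
                     {"ivz1": frozenset({"wwn1", "wwn2"})}, {"ivzs1": {"ivz1"}}, nat=True)
FABRIC_Y = IvrFabric("Y", {("sw-y1", 2): 1}, {"sw-y1"},
                     {"ivz1": frozenset({"wwn3", "wwn4"})}, {"ivzs1": {"ivz1"}})

if __name__ == "__main__":
    result = precheck_merge(FABRIC_X, FABRIC_Y)
    print("merge ok:", result.ok, "| NAT:", result.nat)
    for zs, names in result.zone_sets.items():
        print(zs, "->", {z: sorted(result.zones[z]) for z in sorted(names)})
    for failure in result.failures:
        print("FAIL", failure)
```

Because cloning turns one zone name into two zones, the merged zone and zone-member counts can exceed the sum an operator expects from the zone names alone, which is why the limits are checked after the union is built.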

Resolving Database Merge Failures


If a merge failure occurs, use the following commands to display the error conditions:
show ivr merge status
show cfs merge status name ivr
show logging last lines (and look for MERGE failures)
Depending on the failure indicated in the show command outputs, you can perform the following:


If the failure is due to exceeding the maximum configuration limits in a fabric where the switches
are running more than one Cisco SAN-OS release, then either upgrade the switches running the
earlier release or reduce the number of IVR zones and IVR zone members on the switches running
the more recent release to the earlier release limit (see the IVR Limits Summary section on
page 29-4).
If the failure is due to exceeding maximum limits in a fabric where all switches are running the same
Cisco SAN-OS release, identify the switch that has the correct configuration and perform a CFS
commit to distribute the IVR configuration (see the Configuring Default AFIDs section on
page 29-12 and the IVR Limits Summary section on page 29-4).
For other failures, resolve the error causing the merge failure on the switch that has the correct
configuration and perform a CFS commit to distribute the IVR configuration (see the Configuring
Individual AFIDs section on page 29-12).
After a successful CFS commit, the merge will be successful.

Default Settings
Table 29-6 lists the default settings for IVR parameters.

Table 29-6 Default IVR Parameters

Parameters | Default
IVR feature | Disabled.
IVR VSANs | Not added to virtual domains.
IVR NAT | Disabled.
QoS for IVR zones | Low.
Configuration distribution | Disabled.


CHAPTER 30
Configuring and Managing Zones

Zoning enables you to set up access control between storage devices or user groups. If you have
administrator privileges in your fabric, you can create zones to increase network security and to prevent
data loss or corruption. Zoning is enforced by examining the source-destination ID field.
Advanced zoning capabilities specified in the FC-GS-4 and FC-SW-3 standards are provided. You can
use either the existing basic zoning capabilities or the advanced, standards-compliant zoning
capabilities.
This chapter includes the following sections:
About Zoning
Using the Quick Config Wizard
Zone Configuration
Zone Sets
Zone Set Distribution
Zone Set Duplication
Advanced Zone Attributes
Displaying Zone Information
Enhanced Zoning
Compacting the Zone Database for Downgrading
Default Settings

Note Table 26-1 on page 26-4 lists the differences between zones and VSANs.

About Zoning
Zoning has the following features:
A zone consists of multiple zone members.
Members in a zone can access each other; members in different zones cannot access each other.
If zoning is not activated, all devices are members of the default zone.
If zoning is activated, any device that is not in an active zone (a zone that is part of an active
zone set) is a member of the default zone.


Zones can vary in size.


Devices can belong to more than one zone.
A physical fabric can have a maximum of 16,000 members. This includes all VSANs in the
fabric.
A zone set consists of one or more zones.
A zone set can be activated or deactivated as a single entity across all switches in the fabric.
Only one zone set can be activated at any time.
A zone can be a member of more than one zone set.
A zone switch can have a maximum of 500 zone sets.
Zoning can be administered from any switch in the fabric.
When you activate a zone (from any switch), all switches in the fabric receive the active zone
set. Additionally, full zone sets are distributed to all switches in the fabric, if this feature is
enabled in the source switch.
If a new switch is added to an existing fabric, zone sets are acquired by the new switch.
Zone changes can be configured nondisruptively. New zones and zone sets can be activated without
interrupting traffic on unaffected ports or devices.
Zone membership criteria are based mainly on WWNs or FC IDs.
Port world wide name (pWWN): Specifies the pWWN of an N port attached to the switch as a
member of the zone.
Fabric pWWN: Specifies the WWN of the fabric port (switch port's WWN). This membership
is also referred to as port-based zoning.
FC ID: Specifies the FC ID of an N port attached to the switch as a member of the zone.
Interface and switch WWN (sWWN): Specifies the interface of a switch identified by the
sWWN. This membership is also referred to as interface-based zoning.
Interface and domain ID: Specifies the interface of a switch identified by the domain ID.
Domain ID and port number: Specifies the domain ID of an MDS domain and additionally
specifies a port belonging to a non-Cisco switch.
IPv4 address: Specifies the IPv4 address (and optionally the subnet mask) of an attached
device.
IPv6 address: The IPv6 address of an attached device in 128 bits in colon (:) separated
hexadecimal format.
Default zone membership includes all ports or WWNs that do not have a specific membership
association. Access between default zone members is controlled by the default zone policy.
You can configure up to 8000 zones per VSAN and a maximum of 8000 zones for all VSANs on the
switch.

Zoning Example
Figure 30-1 illustrates a zone set with two zones, zone 1 and zone 2, in a fabric. Zone 1 provides access
from all three hosts (H1, H2, H3) to the data residing on storage systems S1 and S2. Zone 2 restricts the
data on S3 to access only by H3. Note that H3 resides in both zones.


Figure 30-1 Fabric with Two Zones

[Figure: hosts H1, H2, and H3 and storage systems S1, S2, and S3 attached to the fabric, grouped into Zone 1 and Zone 2.]

Of course, there are other ways to partition this fabric into zones. Figure 30-2 illustrates another
possibility. Assume that there is a need to isolate storage system S2 for the purpose of testing new
software. To achieve this, zone 3 is configured, which contains only host H2 and storage S2. You can
restrict access to just H2 and S2 in zone 3, and to H1 and S1 in zone 1.

Figure 30-2 Fabric with Three Zones

[Figure: the same hosts and storage systems attached to the fabric, grouped into Zone 1 (H1, S1), Zone 3 (H2, S2), and Zone 2 (H3, S3).]

Zone Implementation
All switches in the Cisco MDS 9000 Family automatically support the following basic zone features (no
additional configuration is required):
Zones are contained in a VSAN.
Hard zoning cannot be disabled.
Name server queries are soft-zoned.
Only active zone sets are distributed.
Unzoned devices cannot access each other.
A zone or zone set with the same name can exist in each VSAN.


Each VSAN has a full database and an active database.


Active zone sets cannot be changed without activating a full zone database.
Active zone sets are preserved across switch reboots.
Changes to the full database must be explicitly saved.
Zone reactivation (a zone set is active and you activate another zone set) does not disrupt existing
traffic.
If required, you can additionally configure the following zone features:
Propagate full zone sets to all switches on a per VSAN basis.
Change the default policy for unzoned members.
Interoperate with other vendors by configuring a VSAN in the interop mode. You can also configure
one VSAN in the interop mode and another VSAN in the basic mode in the same switch without
disrupting each other.
Bring E ports out of isolation.

Zone Member Configuration Guidelines


All members of a zone can communicate with each other. For a zone with N members, N*(N-1) access
permissions need to be enabled. The best practice is to avoid configuring large numbers of targets and/or
large numbers of initiators in a single zone. Such a configuration wastes switch resources by
provisioning and managing many communicating pairs (initiator-to-initiator or target-to-target) that
will never actually communicate with each other. For this reason, a single initiator with a single target is
the most efficient approach to zoning.
The following guidelines must be considered when creating zone members:
Configuring only one initiator and one target for a zone provides the most efficient use of the switch
resources.
Configuring the same initiator to multiple targets is accepted.
Configuring multiple initiators to multiple targets is not recommended.
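
The N*(N-1) cost and the three guidelines above can be applied mechanically to an exported zone set. The following Python example is added here and is not part of Fabric Manager: the function names, the initiator/target role map and the unzoned devices H4 and S4 are assumptions, and the sample zones follow the Figure 30-1 layout. It also evaluates the access rules from About Zoning, including the default zone policy.

```python
from itertools import permutations


def zone_permissions(members):
    """All ordered (source, destination) pairs in a zone: N*(N-1) entries."""
    return set(permutations(sorted(members), 2))


def audit_zone(members, roles):
    """Classify one zone against the member configuration guidelines."""
    perms = zone_permissions(members)
    # Initiator-to-initiator and target-to-target pairs never carry traffic.
    unused = {(s, d) for s, d in perms if roles[s] == roles[d]}
    n_init = sum(1 for m in members if roles[m] == "initiator")
    n_tgt = sum(1 for m in members if roles[m] == "target")
    if n_init == 1 and n_tgt == 1:
        verdict = "most efficient"
    elif n_init == 1 and n_tgt > 1:
        verdict = "accepted"
    elif n_init > 1 and n_tgt > 1:
        verdict = "not recommended"
    else:
        verdict = "not covered by the guidelines"
    return {"members": len(members), "permissions": len(perms),
            "unused": len(unused), "verdict": verdict}


def split_single_initiator(name, members, roles):
    """Rewrite a zone as one zone per initiator/target pair (zone names are made up)."""
    inits = sorted(m for m in members if roles[m] == "initiator")
    tgts = sorted(m for m in members if roles[m] == "target")
    return {f"{name}_{i}_{t}": {i, t} for i in inits for t in tgts}


def can_communicate(a, b, active_zones, default_policy="deny"):
    """Apply the zoning rules from About Zoning to a pair of devices."""
    zones_a = {z for z, m in active_zones.items() if a in m}
    zones_b = {z for z, m in active_zones.items() if b in m}
    if not zones_a and not zones_b:
        # Neither device is in an active zone: both are default zone members.
        return default_policy == "permit"
    # A default zone member cannot reach a zoned device; zoned devices need a shared zone.
    return bool(zones_a & zones_b)


# Constructed sample: the Figure 30-1 layout plus two unzoned devices (H4, S4).
ROLES = {"H1": "initiator", "H2": "initiator", "H3": "initiator", "H4": "initiator",
         "S1": "target", "S2": "target", "S3": "target", "S4": "target"}
ACTIVE = {"zone1": {"H1", "H2", "H3", "S1", "S2"}, "zone2": {"H3", "S3"}}

if __name__ == "__main__":
    for name, members in ACTIVE.items():
        print(name, audit_zone(members, ROLES))
    pairwise = split_single_initiator("zone1", ACTIVE["zone1"], ROLES)
    total = sum(len(zone_permissions(m)) for m in pairwise.values())
    print(len(pairwise), "pairwise zones,", total, "permissions")
    print("H1 -> S3:", can_communicate("H1", "S3", ACTIVE))
    print("H4 -> S4 (default permit):", can_communicate("H4", "S4", ACTIVE, "permit"))
```

For zone 1, eight of the twenty permissions connect same-role devices; the six pairwise zones need twelve permissions and grant the same host-to-storage access.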

Active and Full Zone Set Considerations


Before configuring a zone set, consider the following guidelines:
Each VSAN can have multiple zone sets but only one zone set can be active at any given time.
When you create a zone set, that zone set becomes a part of the full zone set.
When you activate a zone set, a copy of the zone set from the full zone set is used to enforce zoning,
and is called the active zone set. An active zone set cannot be modified. A zone that is part of an
active zone set is called an active zone.
The administrator can modify the full zone set even if a zone set with the same name is active.
However, the modification will be enforced only upon reactivation.
When the activation is done, the active zone set is automatically stored in persistent configuration.
This enables the switch to preserve the active zone set information across switch resets.
All other switches in the fabric receive the active zone set so they can enforce zoning in their
respective switches.


Hard and soft zoning are implemented using the active zone set. Modifications take effect during
zone set activation.
An FC ID or Nx port that is not part of the active zone set belongs to the default zone and the default
zone information is not distributed to other switches.

Note If one zone set is active and you activate another zone set, the currently active zone set is automatically
deactivated. You do not need to explicitly deactivate the currently active zone set before activating a new
zone set.

Figure 30-3 shows a zone being added to an activated zone set.


Figure 30-3 Active and Full Zone Sets

[Figure: four panels. In each, the full zone set holds zone set Z1 (zones A, B, C), zone set Z2 (zones C, D, E), and zone set Z3 (zones A, C, D).
No active zone set: only the full zone set exists.
After activating zone set Z1: the active zone set is Z1 with zones A, B, C.
After adding zone D to zone set Z1: Z1 in the full zone set holds zones A, B, C, D; the active zone set still holds zones A, B, C.
After activating zone set Z1 again: the active zone set holds zones A, B, C, D.]
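
The sequence in Figure 30-3 matters for access review because an edit to the full zone set is not enforced until reactivation. The following Python example is added here and is not Cisco code: the class, its method names and the zone members are assumptions, while the zone sets Z1, Z2 and Z3 are those of the figure. It models the two databases of one VSAN and reports which device pairs a reactivation would open or close.

```python
from itertools import combinations


def permitted_pairs(zones):
    """Unordered device pairs that share at least one zone."""
    return {pair for members in zones.values()
            for pair in combinations(sorted(members), 2)}


class VsanZoneDb:
    """Full and active zone databases of one VSAN (simplified model)."""

    def __init__(self):
        self.zones = {}          # full database: zone name -> set of members
        self.zone_sets = {}      # full database: zone set name -> set of zone names
        self.active_name = None  # name of the active zone set, if any
        self.active = {}         # enforced copy: zone name -> frozenset of members

    def activate(self, zone_set):
        # Activation copies the zone set out of the full database. Whatever was
        # active before is replaced; no explicit deactivation is needed.
        self.active = {z: frozenset(self.zones[z]) for z in self.zone_sets[zone_set]}
        self.active_name = zone_set

    def pending_changes(self):
        """What reactivating the active zone set would change."""
        if self.active_name is None:
            return None
        full = {z: frozenset(self.zones[z]) for z in self.zone_sets[self.active_name]}
        before, after = permitted_pairs(self.active), permitted_pairs(full)
        return {
            "zones_added": sorted(full.keys() - self.active.keys()),
            "zones_removed": sorted(self.active.keys() - full.keys()),
            "zones_modified": sorted(z for z in full.keys() & self.active.keys()
                                     if full[z] != self.active[z]),
            "pairs_opened": sorted(after - before),
            "pairs_closed": sorted(before - after),
        }


def figure_30_3_db():
    """Zone sets as in Figure 30-3; the zone members are constructed for the example."""
    db = VsanZoneDb()
    db.zones = {"A": {"H1", "S1"}, "B": {"H2", "S1"}, "C": {"H3", "S2"},
                "D": {"H3", "S3"}, "E": {"H2", "S3"}}
    db.zone_sets = {"Z1": {"A", "B", "C"}, "Z2": {"C", "D", "E"}, "Z3": {"A", "C", "D"}}
    return db


if __name__ == "__main__":
    db = figure_30_3_db()
    db.activate("Z1")
    db.zone_sets["Z1"].add("D")          # edit the full zone set only
    print("enforced:", sorted(db.active))
    print("pending:", db.pending_changes())
    db.activate("Z1")                    # reactivation enforces the edit
    print("enforced:", sorted(db.active))
```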


Using the Quick Config Wizard


Note The Quick Config Wizard supports only switch interface zone members.

As of Cisco SAN-OS Release 3.1(1) and NX-OS Release 4.1(2), you can use the Quick Config Wizard
on the Cisco MDS 9124 Switch to add or remove zone members per VSAN. You can use the Quick
Config Wizard to perform interface-based zoning and to assign zone members for multiple VSANs using
Device Manager.

Note The Quick Config Wizard is supported on the Cisco MDS 9124 Fabric Switch, the Cisco MDS 9134
Fabric Switch, the Cisco Fabric Switch for HP c-Class BladeSystem, and the Cisco Fabric Switch for
IBM BladeCenter.

Caution The Quick Config Wizard can only be used on stand-alone switches that do not have any existing zoning
defined on the switch.

To add or remove ports from a zone and to zone only the devices within a specific VSAN using Device
Manager on the Cisco MDS 9124 Switch, follow these steps:

Step 1 Choose FC > Quick Config or click the Zone icon in the toolbar.
You see the Quick Config Wizard (see Figure 30-5) with all controls disabled and the Discrepancies
dialog box (see Figure 30-4), which shows all unsupported configurations.

Note You will see the Discrepancies dialog box only if there are any discrepancies.


Figure 30-4 Discrepancies Dialog Box

Step 2 Click OK to continue.


You see the Quick Config Wizard dialog box shown in Figure 30-5.

Caution If there are discrepancies and you click OK, the affected VSANs in the zone databases are
cleared. This may become disruptive if the switch is in use.


Figure 30-5 Quick Config Wizard

Step 3 Check the check box in the Ports Zoned To column for the port you want to add or remove from a zone.
The check box for the matching port is similarly set. The selected port pair is added or removed from
the zone, creating a two-device zone.
The VSAN drop-down menu provides a filter that enables you to zone only those devices within a
selected VSAN.
Step 4 Right-click any of the column names to show or hide a column.
Step 5 Click Next to verify the changes.
You see the Confirm Changes dialog box shown in Figure 30-6.


Figure 30-6 Confirm Changes Dialog Box

Step 6 If you want to see the CLI commands, right-click in the dialog box and click CLI Commands from the
pop-up menu.
Step 7 Click Finish to save the configuration changes.

Zone Configuration
This section describes how to configure zones and includes the following topics:
About the Edit Local Full Zone Database Tool
Configuring a Zone Using the Zone Configuration Tool
Adding Zone Members


About the Edit Local Full Zone Database Tool


The Edit Local Full Zone Database tool allows you to zone across multiple switches and all zoning
features are available through the Edit Local Full Zone Database dialog box (see Figure 30-7).

Figure 30-7 Edit Local Full Zone Database Dialog Box

1 You can display information by VSAN by using the drop-down menu without closing the dialog box, selecting a VSAN, and re-entering.
2 You can use the Add to zone button to move devices up or down by alias or by zone.
3 You can add zoning characteristics based on alias in different folders.
4 You can triple-click to rename zone sets, zones, or aliases in the tree.

Note The Device Alias radio button is visible only if device alias is in enhanced mode. For more information,
see the Creating a Device Alias section on page 31-6.

Tip Expand Switches from the Physical Attributes pane to retrieve the sWWN. If you do not provide a
sWWN, the software automatically uses the local sWWN.


Note Interface-based zoning only works with Cisco MDS 9000 Family switches. Interface-based zoning does
not work if interop mode is configured in that VSAN.

Configuring a Zone Using the Zone Configuration Tool


To create a zone and move it into a zone set using Fabric Manager, follow these steps:

Step 1 Click the Zone icon in the toolbar (See Figure 30-8).

Figure 30-8 Zone Icon

You see the Select VSAN dialog box.


Step 2 Select the VSAN where you want to create a zone and click OK.
You see the Edit Local Full Zone Database dialog box shown in Figure 30-9.

Figure 30-9 Edit Local Full Zone Database Dialog Box

If you want to view zone membership information, right-click in the All Zone Membership(s) column,
and then click Show Details for the current row or all rows from the pop-up menu.
Step 3 Click Zones in the left pane and click the Insert icon to create a zone.


You see the Create Zone dialog box shown in Figure 30-10.

Figure 30-10 Create Zone Dialog Box

Step 4 Enter a zone name.


Step 5 Check one of the following check boxes:
a. Read Only: The zone permits read and denies write.
b. Permit QoS traffic with Priority: You set the priority from the drop-down menu.
c. Restrict Broadcast Frames to Zone Members
Step 6 Click OK to create the zone.
If you want to move this zone into an existing zone set, skip to Step 8.
Step 7 Click Zoneset in the left pane and click the Insert icon to create a zone set.
You see the Zoneset Name dialog box shown in Figure 30-11.

Figure 30-11 Zoneset Name Dialog Box

Step 8 Enter a zone set name and click OK.

Note One of these symbols ($, -, ^, _) or all alphanumeric characters are supported. In interop mode
2 and 3, this symbol (_) or all alphanumeric characters are supported.

Step 9 Select the zone set where you want to add a zone and click the Insert icon or you can drag and drop
Zone3 over Zoneset1.
You see the Select Zone dialog box shown in Figure 30-12.


Figure 30-12 Select Zone Dialog Box

Step 10 Click Add to add the zone.

Adding Zone Members


Once you create a zone, you can add members to the zone. You can add members using multiple port
identification types.
To add a member to a zone using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN.

Figure 30-13 Edit Local Full Zone Database Dialog Box


Step 3 Select the members you want to add from the Fabric pane (see Figure 30-13) and click Add to Zone or
click the zone where you want to add members and click the Insert icon.
You see the Add Member to Zone dialog box shown in Figure 30-14.

Figure 30-14 Add Member to Zone Dialog Box

Note The Device Alias radio button is visible only if device alias is in enhanced mode. For more
information, see the Creating a Device Alias section on page 31-6.

Step 4 Click the browse button and select a port name or check the LUN check box and click the browse button
to configure LUNs.
Step 5 Click Add to add the member to the zone.

Note When configuring a zone member, you can specify that a single LUN has multiple IDs depending
on the operating system. You can select from six different operating systems.

Zone Sets
This section describes zone sets and includes the following topics:
About Zone Set Creation
Activating a Zone Set
Displaying Zone Membership Information
About the Default Zone
Configuring the Default Zone


About FC Alias Creation
Creating FC Aliases
Adding Members to Aliases
Converting Zone Members to pWWN-based Members
Zone Enforcement

About Zone Set Creation


In Figure 30-15, two separate sets are created, each with its own membership hierarchy and zone
members.

Figure 30-15 Hierarchy of Zone Sets, Zones, and Zone Members

[Figure: zone set A and zone set B at the top; below them Zone 1 (H1, H3, S1), Zone 2 (H3, S2), and Zone 3 (H2, S2); at the bottom the zone members H1, H2, H3, S1, and S2.]

Zones provide a mechanism for specifying access control, while zone sets are a grouping of zones to
enforce access control in the fabric. Either zone set A or zone set B can be activated (but not together).

Tip Zone sets are configured with the names of the member zones and the VSAN (if the zone set is in a
configured VSAN).


Activating a Zone Set


Changes to a zone set do not take effect in a full zone set until you activate it.
To activate an existing zone set using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN.
Step 3 Click Activate to activate the zone set.
You see the pre-activation check dialog box shown in Figure 30-16.

Figure 30-16 Pre-Activation Check Dialog Box

Step 4 Click Yes to review the differences.


You see the Local vs. Active Differences dialog box shown in Figure 30-17.

Figure 30-17 Local vs Active Differences Dialog Box

Step 5 Click Close to close the dialog box.


You see the Save Configuration dialog box shown in Figure 30-18.


Figure 30-18 Save Configuration Dialog Box

Step 6 Check the Save Running to Startup Configuration check box to save all changes to the startup
configuration.
Step 7 Click Continue Activation to activate the zone set, or click Cancel to close the dialog box and discard
any unsaved changes.
You see the Zone Log dialog box, which shows if the zone set activation was successful (see
Figure 30-19).

Figure 30-19 Zone Log Dialog Box

Deactivating a Zoneset
To deactivate an existing zone set, follow these steps:

Step 1 Right-click the zone set you want to deactivate and then click Deactivate from the pop-up menu.
You see the Deactivate Zoneset dialog box as shown in Figure 30-20.


Figure 30-20 Deactivate Zoneset Dialog Box

Step 2 Enter deactivate in the text box and then click OK.
You see the Input dialog box as shown in Figure 30-21.

Figure 30-21 Input Dialog Box

Step 3 Enter deactivate in the text box and then click OK to deactivate the zone set.

Note To enable this option, you need to modify the server.properties file. See Fabric Manager Server
Properties File, page 3-4, for more information about modifying the server.properties file.


Displaying Zone Membership Information


To display zone membership information for members assigned to zones in Fabric Manager, follow these
steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN.
Step 3 Click Zones in the left pane. The right pane lists the members for each zone.

Note The default zone members are explicitly listed only when the default zone policy is configured
as permit. When the default zone policy is configured as deny, the members of this zone are not
shown. See the Displaying Zone Information section on page 30-42.

About the Default Zone


Each member of a fabric (in effect a device attached to an Nx port) can belong to any zone. If a member
is not part of any active zone, it is considered to be part of the default zone. Therefore, if no zone set is
active in the fabric, all devices are considered to be in the default zone. Even though a member can
belong to multiple zones, a member that is part of the default zone cannot be part of any other zone. The
switch determines whether a port is a member of the default zone when the attached port comes up.

Note Unlike configured zones, default zone information is not distributed to the other switches in the fabric.

Traffic can either be permitted or denied among members of the default zone. This information is not
distributed to all switches; it must be configured in each switch.

Note When the switch is initialized for the first time, no zones are configured and all members are considered
to be part of the default zone. Members are not permitted to talk to each other.

Configure the default zone policy on each switch in the fabric. If you change the default zone policy on
one switch in a fabric, be sure to change it on all the other switches in the fabric.

Note The default settings for default zone configurations can be changed.

The default zone members are explicitly listed when the default policy is configured as permit or when
a zone set is active. When the default policy is configured as deny, the members of this zone are not
explicitly enumerated when you view the active zone set.
You can change the default zone policy for any VSAN by choosing VSANxx > Default Zone from the
Fabric Manager menu tree and clicking the Policies tab. It is recommended that you establish
connectivity among devices by assigning them to a non-default zone.


Configuring the Default Zone


To permit or deny traffic to members in the default zone using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and then select Default Zone in the Fabric Manager Logical Domains pane.
Step 2 Click the Policies tab in the Information pane.
You see the zone policies information in the Information pane (see Figure 30-22).

Figure 30-22 Default Zone Policies

The active zone set is shown in italic type. After you make changes to the active zone set and before you
activate the changes, the zone set is shown in boldface italic type.
Step 3 In the Default Zone Behaviour field, choose either permit or deny from the drop-down menu.

About FC Alias Creation


You can assign an alias name and configure an alias member using the following values:
pWWN: The WWN of the N or NL port is in hex format (for example, 10:00:00:23:45:67:89:ab).
fWWN: The WWN of the fabric port name is in hex format (for example,
10:00:00:23:45:67:89:ab).
FC ID: The N port ID is in 0xhhhhhh format (for example, 0xce00d1).
Domain ID: The domain ID is an integer from 1 to 239. A mandatory port number of a non-Cisco
switch is required to complete this membership configuration.
IPv4 address: The IPv4 address of an attached device is in 32 bits in dotted decimal format along
with an optional subnet mask. If a mask is specified, any device within the subnet becomes a member
of the specified zone.
IPv6 address: The IPv6 address of an attached device is in 128 bits in colon (:) separated
hexadecimal format.
Interface: Interface-based zoning is similar to port-based zoning because the switch interface is
used to configure the zone. You can specify a switch interface as a zone member for both local and
remote switches. To specify a remote switch, enter the remote switch WWN (sWWN) or the domain
ID in the particular VSAN.

Tip The Cisco NX-OS software supports a maximum of 2048 aliases per VSAN.

Creating FC Aliases
To create an FC alias using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN.
Step 3 Click Aliases in the lower left pane (see Figure 30-23). The right pane lists the existing aliases.

Figure 30-23 Creating an FC Alias

Step 4 Click the Insert icon to create an alias.


You see the Create Alias dialog box shown in Figure 30-24.

Figure 30-24 Create Alias Dialog Box

Step 5 Set the Alias Name and the pWWN.


Step 6 Click OK to create the alias.

Adding Members to Aliases


To add a member to an alias using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN as shown in Figure 30-25.

Figure 30-25 Edit Local Full Zone Database Dialog Box

Step 3 Select the member(s) you want to add from the Fabric pane (see Figure 30-25) and click Add to Alias
or click the alias where you want to add members and click the Insert icon.
You see the Add Member to Alias dialog box shown in Figure 30-26.

Figure 30-26 Add Member to Alias Dialog Box

Note The Device Alias radio button is visible only if device alias is in enhanced mode. For more
information, see the "Creating a Device Alias" section on page 31-6.

Step 4 Click the browse button and select a port name or check the LUN check box and click the browse button
to configure LUNs.
Step 5 Click Add to add the member to the alias.

Converting Zone Members to pWWN-based Members


You can convert zone and alias members from switch port or FC ID based membership to pWWN-based
membership. You can use this feature to convert to pWWN so that your zone configuration does not
change if a card or switch is changed in your fabric.
To convert switch port and FC ID members to pWWN members using Fabric Manager, follow these
steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN.
Step 3 Click the zone you want to convert.
Step 4 Choose Tools > Convert Switch Port/FCID members to By pWWN.
You see the conversion dialog box, listing all members that will be converted.
Step 5 Verify the changes and click Continue Conversion.

Step 6 Click Yes in the confirmation dialog box to convert that member to pWWN-based membership.
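
The member formats listed under About FC Alias Creation can be checked mechanically, and the same pass can list the members that the pWWN conversion above is meant for. The following Python sketch is an added example, not Cisco code; the alias table, the type names and the "domain/port" notation are constructed for illustration, and interface members are accepted without format checks because this guide does not give their syntax.

```python
import ipaddress
import re

WWN_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){7}")   # 10:00:00:23:45:67:89:ab
FCID_RE = re.compile(r"0x[0-9a-f]{6}")                    # 0xce00d1
DOMAIN_PORT_RE = re.compile(r"(\d{1,3})/(\d{1,5})")       # constructed notation
MAX_ALIASES_PER_VSAN = 2048                               # limit given in the Tip

# Types whose value names a place in the fabric rather than the device itself.
LOCATION_BOUND = {"fcid", "domain-port", "interface"}


def validate_member(kind, value):
    """Return the normalised member value or raise ValueError."""
    text = str(value).strip().lower()
    if kind in ("pwwn", "fwwn"):
        if not WWN_RE.fullmatch(text):
            raise ValueError(f"{kind} {value!r}: expected eight colon-separated hex bytes")
        return text
    if kind == "fcid":
        if not FCID_RE.fullmatch(text):
            raise ValueError(f"fcid {value!r}: expected 0xhhhhhh")
        return text
    if kind == "domain-port":
        match = DOMAIN_PORT_RE.fullmatch(text)
        if not match or not 1 <= int(match.group(1)) <= 239:
            raise ValueError(f"domain-port {value!r}: domain ID must be 1 to 239 with a port number")
        return f"{int(match.group(1))}/{int(match.group(2))}"
    if kind == "ipv4":
        # Bare address or address/mask; ipaddress raises ValueError subclasses.
        return str(ipaddress.IPv4Interface(text))
    if kind == "ipv6":
        return str(ipaddress.IPv6Address(text))
    if kind == "interface":
        if not text:
            raise ValueError("interface: empty value")
        return text
    raise ValueError(f"unknown member type {kind!r}")


def audit_aliases(aliases):
    """Check one VSAN's alias table: {alias_name: [(kind, value), ...]}.

    Returns (errors, location_bound): malformed entries, and well-formed
    members whose meaning changes if a card or switch is replaced.
    """
    errors, location_bound = [], []
    if len(aliases) > MAX_ALIASES_PER_VSAN:
        errors.append(f"{len(aliases)} aliases exceeds {MAX_ALIASES_PER_VSAN} per VSAN")
    for name, members in sorted(aliases.items()):
        for kind, value in members:
            try:
                validate_member(kind, value)
            except ValueError as exc:
                errors.append(f"{name}: {exc}")
                continue
            if kind in LOCATION_BOUND:
                location_bound.append((name, kind, value))
    return errors, location_bound


# Constructed alias table for one VSAN (not taken from a real fabric).
SAMPLE_ALIASES = {
    "array_a": [("pwwn", "10:00:00:23:45:67:89:AB")],
    "host_b": [("fcid", "0xce00d1")],
    "legacy_c": [("domain-port", "240/3")],          # domain ID out of range
    "nas_d": [("ipv4", "10.1.1.5/255.255.255.0"), ("ipv6", "2001:db8::1")],
    "typo_e": [("pwwn", "10:00:00:23:45:67:89")],    # one byte short
}

if __name__ == "__main__":
    problems, to_convert = audit_aliases(SAMPLE_ALIASES)
    for line in problems:
        print("ERROR  ", line)
    for name, kind, value in to_convert:
        print("CONVERT", name, kind, value)
```
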

Note If one zone set is active and you activate another zone set, the currently active zone set is
automatically deactivated.

Tip You do not have to copy the running configuration to the startup configuration to store the active zone
set. However, you need to copy the running configuration to the startup configuration to explicitly store
full zone sets. A full zone set that is not stored this way is not available across switch resets.

Caution If you deactivate the active zone set in a VSAN that is also configured for IVR, the active IVR zone set
(IVZS) is also deactivated and all IVR traffic to and from the switch is stopped. This deactivation can
disrupt traffic in more than one VSAN. Before deactivating the active zone set, check the active zone
analysis for the VSAN. To reactivate the IVZS, you must reactivate the regular zone set (see the
"Configuring IVR Zones and IVR Zone Sets" section on page 29-23).

Caution If the currently active zone set contains IVR zones, activating the zone set from a switch where IVR is
not enabled disrupts IVR traffic to and from that VSAN. We strongly recommend that you always
activate the zone set from an IVR-enabled switch to avoid disrupting IVR traffic.

Note The pWWN of the virtual target does not appear in the zoning end devices database in Fabric Manager.
If you want to zone the virtual device with a pWWN, you must enter it in the Add Member to Zone dialog
box when creating a zone. However, if the device alias is in enhanced mode, the virtual device names
appear in the device alias database in the Fabric Manager zoning window. In this case, users can choose
to select either the device alias name or enter the pWWN in the Add Member to Zone dialog box.

For more information, see the "Adding Zone Members" section on page 30-14.

Note Set the device alias mode to enhanced when using SDV (because the pWWN of a virtual device could
change).

For example, SDV is enabled on a switch and a virtual device is defined. SDV assigns a pWWN for the
virtual device, and it is zoned based on the pWWN in a zone. If you later disable SDV, this configuration
is lost. If you reenable SDV and create the virtual device using the same name, there is no guarantee that
it will get the same pWWN again. Hence, you would have to rezone the pWWN-based zone. However,
if you perform zoning based on the device-alias name, there are no configuration changes required if or
when the pWWN changes.

Be sure you understand how device alias modes work before enabling them. Refer to Chapter 31,
"Distributing Device Alias Services," for details and requirements about device alias modes.

Zone Enforcement
Zoning can be enforced in two ways: soft and hard. Each end device (N port or NL port) discovers other
devices in the fabric by querying the name server. When a device logs in to the name server, the name
server returns the list of other devices that can be accessed by the querying device. If an Nx port does
not know about the FC IDs of other devices outside its zone, it cannot access those devices.
In soft zoning, zoning restrictions are applied only during interaction between the name server and the
end device. If an end device somehow knows the FC ID of a device outside its zone, it can access that
device.
Hard zoning is enforced by the hardware on each frame sent by an Nx port. As frames enter the switch,
source-destination IDs are compared with permitted combinations to allow the frame at wirespeed. Hard
zoning is applied to all forms of zoning.

Note Hard zoning enforces zoning restrictions on every frame, and prevents unauthorized access.

Switches in the Cisco MDS 9000 Family support both hard and soft zoning.
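
The difference between the two enforcement modes, and the effect of the default zone policy on ports that are in no active zone, can be seen in a small model. This Python sketch is an added example, not Cisco code and not how the switch hardware is implemented; the FC IDs and zone names are constructed.

```python
from itertools import permutations


class ZonedFabric:
    """Toy model of one VSAN: an active zone set and the logged-in Nx ports."""

    def __init__(self, active_zone_set, logged_in, enforcement, default_zone="deny"):
        if enforcement not in ("soft", "hard"):
            raise ValueError("enforcement must be 'soft' or 'hard'")
        if default_zone not in ("permit", "deny"):
            raise ValueError("default_zone must be 'permit' or 'deny'")
        self.logged_in = set(logged_in)
        self.enforcement = enforcement
        # Every ordered (source, destination) pair that shares at least one zone.
        self.permitted = set()
        for members in active_zone_set.values():
            self.permitted.update(permutations(members, 2))
        # Ports that are in no active zone fall into the default zone.
        zoned = set().union(*active_zone_set.values())
        if default_zone == "permit":
            self.permitted.update(permutations(self.logged_in - zoned, 2))

    def name_server_query(self, requester):
        """FC IDs the name server returns to the requester (same in both modes)."""
        return sorted(d for d in self.logged_in if (requester, d) in self.permitted)

    def frame_delivered(self, src, dst):
        """Would a frame from src reach dst?"""
        if src not in self.logged_in or dst not in self.logged_in:
            return False
        if self.enforcement == "soft":
            # Soft zoning only filters the name server reply; frames are not checked.
            return True
        # Hard zoning compares the source-destination pair on every frame.
        return (src, dst) in self.permitted


def soft_zoning_exposure(active_zone_set, logged_in, default_zone="deny"):
    """Pairs that soft zoning would carry but hard zoning would drop."""
    soft = ZonedFabric(active_zone_set, logged_in, "soft", default_zone)
    hard = ZonedFabric(active_zone_set, logged_in, "hard", default_zone)
    return sorted(
        (s, d) for s, d in permutations(sorted(logged_in), 2)
        if soft.frame_delivered(s, d) and not hard.frame_delivered(s, d)
    )


# Constructed FC IDs and zones for illustration.
HOST1, HOST2 = "0x010001", "0x010002"
ARRAY1, ARRAY2 = "0x020001", "0x020002"
ZONES = {"zone_a": {HOST1, ARRAY1}, "zone_b": {HOST2, ARRAY2}}
PORTS = [HOST1, HOST2, ARRAY1, ARRAY2]

if __name__ == "__main__":
    for mode in ("soft", "hard"):
        fabric = ZonedFabric(ZONES, PORTS, mode)
        print(mode, "name server tells HOST1:", fabric.name_server_query(HOST1))
        print(mode, "HOST1 -> ARRAY2 delivered:", fabric.frame_delivered(HOST1, ARRAY2))
    print("pairs protected only by hard zoning:", len(soft_zoning_exposure(ZONES, PORTS)))
```
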

Zone Set Distribution


You can distribute full zone sets using one of two methods: one-time distribution or full zone set
distribution. Table 30-1 lists the differences between these distribution methods.

Table 30-1 Zone Set Distribution Differences

| One-Time Distribution | Full Zone Set Distribution |
|---|---|
| Distributes the full zone set immediately. | Does not distribute the full zone set immediately. |
| Does not distribute the full zone set information along with the active zone set during activation, deactivation, or merge process. | Remembers to distribute the full zone set information along with the active zone set during activation, deactivation, and merge processes. |

This section describes zone set distribution and includes the following topics:
• Enabling Full Zone Set Distribution
• Enabling a One-Time Distribution
• About Recovering from Link Isolation
• Importing and Exporting Zone Sets

Enabling Full Zone Set Distribution


All switches in the Cisco MDS 9000 Family distribute active zone sets when new E port links come up
or when a new zone set is activated in a VSAN. The zone set distribution takes effect while sending
merge requests to the adjacent switch or while activating a zone set.
To enable full zone set and active zone set distribution to all switches on a per VSAN basis using Fabric
Manager, follow these steps:

Step 1 Expand a VSAN and select a zone set in the Logical Domains pane.
You see the zone set configuration in the Information pane. The Active Zones tab is the default.
Step 2 Click the Policies tab.
You see the configured policies for the zone (see Figure 30-27).

Figure 30-27 Configured Policies for the Zone

Step 3 In the Propagation column, choose fullZoneset from the drop-down menu.
Step 4 Click Apply Changes to propagate the full zone set.

Enabling a One-Time Distribution


You can perform a one-time distribution of inactive, unmodified zone sets throughout the fabric. To
propagate a one-time distribution of the full zone set using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Edit Local Full Zone Database dialog box.
Step 2 Click the appropriate zone from the list in the left pane.
Step 3 Click Distribute to distribute the full zone set across the fabric.

This procedure only distributes the full zone set information; it does not save the information to the
startup configuration. To save the full zone set information to the startup configuration, you must
explicitly save the running configuration to the startup configuration.

Note The one-time distribution of the full zone set is supported in interop 2 and interop 3 modes, not in
interop 1 mode.

About Recovering from Link Isolation


When two switches in a fabric are merged using a TE or E port, these TE and E ports may become
isolated when the active zone set databases are different between the two switches or fabrics. When a TE
port or an E port becomes isolated, you can recover that port from its isolated state using one of three
options:
• Import the neighboring switch's active zone set database and replace the current active zone set (see Figure 30-28).
• Export the current database to the neighboring switch.
• Manually resolve the conflict by editing the full zone set, activating the corrected zone set, and then bringing up the link.

Figure 30-28 Importing and Exporting the Database
[Figure: Switch 1 and Switch 2 are joined by a port that is isolated due to an active zone set mismatch. From Switch 1, Import database forces Switch 1 to use the database configured in Switch 2. From Switch 1, Export database forces Switch 2 to use the database configured in Switch 1.]

Importing and Exporting Zone Sets


To import or export the zone set information from or to an adjacent switch using Fabric Manager, follow
these steps:

Step 1 Choose Tools > Zone Merge Fail Recovery.


You see the Zone Merge Failure Recovery dialog box shown in Figure 30-29.

Figure 30-29 Zone Merge Failure Recovery Dialog Box

Step 2 Click the Import Active Zoneset or the Export Active Zoneset radio button.
Step 3 Select the switch from which to import or export the zone set information from the drop-down list.
Step 4 Select the VSAN from which to import or export the zone set information from the drop-down list.
Step 5 Select the interface to use for the import process.
Step 6 Click OK to import or export the active zone set.

Note Issue the import and export from a single switch. Importing from one switch and exporting from
another switch can lead to isolation again.

Zone Set Duplication


You can make a copy of a zone set and then edit it without altering the existing active zone set. You can
copy an active zone set from the bootflash: directory, volatile: directory, or slot0, to one of the following areas:
• To the full zone set
• To a remote location (using FTP, SCP, SFTP, or TFTP)
The active zone set is not part of the full zone set. You cannot make changes to an existing zone set and
activate it, if the full zone set is lost or is not propagated.

Caution Copying an active zone set to a full zone set may overwrite a zone with the same name, if it already exists
in the full zone set database.

This section includes the following topics:
• Copying Zone Sets
• About Backing Up and Restoring Zones
• Backing Up Zones
• Renaming Zones, Zone Sets, and Aliases
• Cloning Zones, Zone Sets, FC Aliases, and Zone Attribute Groups
• Migrating a Non-MDS Database
• Clearing the Zone Server Database

Copying Zone Sets


On the Cisco MDS Family switches, you cannot edit an active zone set. However, you can copy an active
zone set to create a new zone set that you can edit.
To make a copy of a zone set using Fabric Manager, follow these steps:

Step 1 Choose Edit > Copy Full Zone Database.


You see the Copy Full Zone Database dialog box (Figure 30-30).

Figure 30-30 Copy Full Zone Database Dialog Box

Step 2 Click the Active or the Full radio button, depending on which type of database you want to copy.
Step 3 Select the source VSAN from the drop-down list.
Step 4 If you selected Copy Full, select the source switch and the destination VSAN from those drop-down
lists.
Step 5 Select the destination switch from the drop-down list.
Step 6 Click Copy to copy the database.

Caution If the Inter-VSAN Routing (IVR) feature is enabled and if IVR zones exist in the active zone set, then a
zone set copy operation copies all the IVR zones to the full zone database. To prevent copying to the IVR
zones, you must explicitly remove them from the full zone set database before performing the copy
operation. Refer to Chapter 29, "Configuring Inter-VSAN Routing," for more information on the IVR
feature.

About Backing Up and Restoring Zones


You can back up the zone configuration to a workstation using TFTP. This zone backup file can then be
used to restore the zone configuration on a switch. Restoring the zone configuration overwrites any
existing zone configuration on a switch.

Backing Up Zones
To back up the full zone configuration using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN as shown in Figure 30-31.

Figure 30-31 Edit Local Full Zone Database

Step 3 Choose File > Backup > This VSAN Zones to back up the existing zone configuration to a workstation
using TFTP, SFTP, SCP, or FTP.
You see the Backup Zone Configuration dialog box shown in Figure 30-32.

Figure 30-32 Backup Zone Configuration Dialog Box

You can edit this configuration before backing up the data to a remote server.
Step 4 Provide the following Remote Options information to back up data onto a remote server:
a. Using: Select the protocol.
b. Server IP Address: Enter the IP address of the server.
c. UserName: Enter the name of the user.
d. Password: Enter the password for the user.
e. File Name (Root Path): Enter the path and the filename.
Step 5 Click Backup or click Cancel to close the dialog box without backing up.

Restoring Zones
To restore the full zone configuration using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN as shown in Figure 30-33.

Figure 30-33 Edit Local Full Zone Database

Step 3 Choose File > Restore to restore a saved zone configuration using TFTP, SFTP, SCP or FTP.
You see the Restore Zone Configuration dialog box shown in Figure 30-34.

Figure 30-34 Restore Zone Configuration Dialog Box

You can edit this configuration before restoring it to the switch.


Step 4 Provide the following Remote Options information to restore data from a remote server:
a. Using: Select the protocol.
b. Server IP Address: Enter the IP address of the server.
c. UserName: Enter the name of the user.
d. Password: Enter the password for the user.
e. File Name: Enter the path and the filename.
Step 5 Click Restore to continue or click Cancel to close the dialog box without restoring.

Note Click View Config to see information on how the zone configuration file from a remote server will be
restored. When you click Yes in this dialog box, you will be presented with the CLI commands that are
executed. To close the dialog box, click Close.

Note Backup and Restore options are available to switches that run Cisco NX-OS Release 4.1(3a) or later.

Renaming Zones, Zone Sets, and Aliases


To rename a zone, zone set, or alias using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN (see Figure 30-35).

Figure 30-35 Edit Local Full Zone Database Dialog Box

Step 3 Click a zone or zone set in the left pane.


Step 4 Choose Edit > Rename.

An edit box appears around the zone or zone set name.


Step 5 Enter a new name.
Step 6 Click Activate or Distribute.

Cloning Zones, Zone Sets, FC Aliases, and Zone Attribute Groups


To clone a zone, zone set, fcalias, or zone attribute group, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN.
Step 3 Choose Edit > Clone.
You see the Clone Zoneset dialog box shown in Figure 30-36. The default name is the word Clone
followed by the original name.

Figure 30-36 Clone Zoneset Dialog Box

Step 4 Change the name for the cloned entry.


Step 5 Click OK to save the new clone.
The cloned database now appears along with the original database.

Migrating a Non-MDS Database


To use the Zone Migration Wizard to migrate a non-MDS database using Fabric Manager, follow these
steps:

Step 1 Choose Zone > Migrate Non-MDS Database.


You see the Zone Migration Wizard.
Step 2 Follow the prompts in the wizard to migrate the database.

Clearing the Zone Server Database


You can clear all configured information in the zone server database for the specified VSAN. To clear the
zone server database, refer to the Cisco MDS 9000 Family CLI Configuration Guide.

Note Clearing a zone set only erases the full zone database, not the active zone database.

Note After clearing the zone server database, you must explicitly copy the running configuration to the startup
configuration to ensure that the running configuration is used when the switch reboots.

Advanced Zone Attributes


This section describes advanced zone attributes and includes the following topics:
• About Zone-Based Traffic Priority
• Configuring Zone-Based Traffic Priority
• Configuring Default Zone QoS Priority Attributes
• Configuring the Default Zone Policy
• About Broadcast Zoning
• Configuring Broadcast Zoning
• About LUN Zoning
• Configuring a LUN-Based Zone
• Assigning LUNs to Storage Subsystems
• About Read-Only Zones
• Configuring Read-Only Zones

About Zone-Based Traffic Priority


The zoning feature provides an additional segregation mechanism to prioritize select zones in a fabric
and set up access control between devices. Using this feature, you can configure the quality of service
(QoS) priority as a zone attribute. You can assign the QoS traffic priority attribute to be high, medium,
or low. By default, zones with no specified priority are implicitly assigned a low priority. See the "VSAN
Versus Zone-Based QoS" section on page 64-5 for more information.
To use this feature, you need to obtain the ENTERPRISE_PKG license (see Chapter 10, "Obtaining and
Installing Licenses") and you must enable QoS in the switch (see the "About Data Traffic" section on
page 64-4).
This feature allows SAN administrators to configure QoS in terms of a familiar data flow identification
paradigm. You can configure this attribute on a zone-wide basis rather than between zone members.

Caution If zone-based QoS is implemented in a switch, you cannot configure the interop mode in that VSAN.

Configuring Zone-Based Traffic Priority


To configure the zone priority using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and then select a zone set in the Logical Domains pane.
Step 2 Click the Policies tab in the Information pane.
You see the Zone policy information in the Information pane (see Figure 30-37).

Figure 30-37 Zone Policies Tab in the Information Pane

Step 3 Use the check boxes and drop-down menus to configure QoS on the default zone.
Step 4 Click Apply Changes to save the changes.

Configuring Default Zone QoS Priority Attributes


QoS priority attribute configuration changes take effect when you activate the zone set of the associated
zone.

Note If a member is part of two zones with two different QoS priority attributes, the higher QoS value is
implemented. This situation does not arise in the VSAN-based QoS as the first matching entry is
implemented.

To configure the QoS priority attributes for a default zone using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN.
Step 3 Choose Edit > Edit Default Zone Attributes to configure the default zone QoS priority attributes (see
Figure 30-38).

Figure 30-38 QoS Priority Attributes

Step 4 Check the Permit QoS Traffic with Priority check box and set the Qos Priority drop-down menu to
low, medium, or high.
Step 5 Click OK to save these changes.

Configuring the Default Zone Policy


To permit or deny traffic in the default zone using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN.
Step 3 Choose Edit > Edit Default Zone Attributes to configure the default zone QoS priority attributes.
You see the Modify Default Zone Properties dialog box shown in Figure 30-39.

Figure 30-39 Modify Default Zone Properties Dialog Box

Step 4 Set the Policy drop-down menu to permit to permit traffic in the default zone, or set it to deny to block
traffic in the default zone.
Step 5 Click OK to save these changes.

About Broadcast Zoning

Note Broadcast zoning is not supported on the Cisco Fabric Switch for HP c-Class BladeSystem and the Cisco
Fabric Switch for IBM BladeCenter.

You can configure broadcast frames in the basic zoning mode. By default, broadcast zoning is disabled
and broadcast frames are sent to all Nx ports in the VSAN. When enabled, broadcast frames are only
sent to Nx ports in the same zone, or zones, as the sender. Enable broadcast zoning when a host or storage
device uses this feature.
Table 30-2 identifies the rules for the delivery of broadcast frames.

Table 30-2 Broadcasting Requirements

| Active Zoning? | Broadcast Enabled? | Frames Broadcast? | Comments |
|---|---|---|---|
| Yes | Yes | Yes | Broadcast to all Nx ports that share a broadcast zone with the source of broadcast frames. |
| No | Yes | Yes | Broadcast to all Nx ports. |
| Yes | No | No | Broadcasting is disabled. |

Tip If any NL port attached to an FL port shares a broadcast zone with the source of the broadcast frame,
then the frames are broadcast to all devices in the loop.

Caution If broadcast zoning is enabled on a switch, you cannot configure the interop mode in that VSAN.

Configuring Broadcast Zoning


To broadcast frames in the basic zoning mode using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and then select a zone set in the Logical Domains pane.
Step 2 Click the Policies tab in the Information pane.
You see the Zone policy information in the Information pane in Figure 30-40.

Figure 30-40 Zone Policy Information

Step 3 Check the Broadcast check box to enable broadcast frames on the default zone.
Step 4 Click Apply Changes to save these changes.

About LUN Zoning


Logical unit number (LUN) zoning is a feature specific to switches in the Cisco MDS 9000 Family.

Caution LUN zoning can only be implemented in Cisco MDS 9000 Family switches. If LUN zoning is
implemented in a switch, you cannot configure the interop mode in that switch.

A storage device can have multiple LUNs behind it. If the device port is part of a zone, a member of the
zone can access any LUN in the device. With LUN zoning, you can restrict access to specific LUNs
associated with a device.

Note When LUN 0 is not included within a zone, then, as per standards requirements, control traffic to LUN
0 (for example, REPORT_LUNS, INQUIRY) is supported, but data traffic to LUN 0 (for example,
READ, WRITE) is denied.

Figure 30-41 shows a LUN-based zone example:
• Host H1 can access LUN 2 in S1 and LUN 0 in S2. It cannot access any other LUNs in S1 or S2.
• Host H2 can access LUNs 1 and 3 in S1 and only LUN 1 in S2. It cannot access any other LUNs in S1 or S2.

Note Unzoned LUNs automatically become members of the default zone.

Figure 30-41 LUN Zoning Access
[Figure: hosts H1 and H2, the fabric, and storage devices S1 and S2 with LUN 0 through LUN 3 each, grouped into Zone 1 and Zone 2.]
Configuring a LUN-Based Zone


To configure a LUN-based zone using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN.

Step 3 Click the zone where you want to add members and click the Insert icon.
You see the Add Member to Zone dialog box shown in Figure 30-42.

Figure 30-42 Add Member to Zone Dialog Box

Step 4 Click either the WWN or FCID radio button from the Zone By options to create a LUN-based zone.
Step 5 Check the LUN check box and click the browse button to configure LUNs.
Step 6 Click Add to add this LUN-based zone.

Assigning LUNs to Storage Subsystems


LUN masking and mapping restricts server access to specific LUNs. If LUN masking is enabled on a
storage subsystem and if you want to perform additional LUN zoning in a Cisco MDS 9000 Family
switch, obtain the LUN number for each host bus adapter (HBA) from the storage subsystem and then
follow the LUN-based zone procedure provided in the "Configuring a LUN-Based Zone" section on
page 30-40.

Note Refer to the relevant user manuals to obtain the LUN number for each HBA.

Caution If you make any errors when assigning LUNs, you might lose data.

About Read-Only Zones


By default, an initiator has both read and write access to the target's media when they are members of
the same Fibre Channel zone. The read-only zone feature allows members to have only read access to
the media within a read-only Fibre Channel zone.
You can also configure LUN zones as read-only zones.
Any zone can be identified as a read-only zone. By default all zones have read-write permission unless
explicitly configured as a read-only zone.
Follow these guidelines when configuring read-only zones:
• If read-only zones are implemented, the switch prevents write access to user data within the zone.
• If two members belong to a read-only zone and to a read-write zone, the read-only zone takes
  priority and write access is denied.
• LUN zoning can only be implemented in Cisco MDS 9000 Family switches. If LUN zoning is
  implemented in a switch, you cannot configure interop mode in that switch.


• Read-only volumes are not supported by some operating system and file system combinations (for
  example, Windows NT or Windows 2000 and NTFS file system). Volumes within read-only zones
  are not available to such hosts. However, if these hosts are already booted when the read-only zones
  are activated, then read-only volumes are available to those hosts.
• The read-only zone feature behaves as designed if either the FAT16 or FAT32 file system is used
  with the previously mentioned Windows operating systems.
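
The LUN zoning rules (LUN 0 control traffic, the H1 and H2 access statements) and the read-only priority rule above can be checked against an intended access matrix before a zone set is activated. The following Python model is an added example, not Cisco code: the `Zone` class, `decide`, `audit` and the zone membership are constructed to reproduce the access described for H1 and H2, and it assumes the default zone policy is deny and that the LUN 0 control-traffic rule applies to a host that shares a zone with the target.

```python
from dataclasses import dataclass

CONTROL_OPS = {"REPORT_LUNS", "INQUIRY"}   # control traffic named on the page
DATA_OPS = {"READ", "WRITE"}               # data traffic named on the page


@dataclass(frozen=True)
class Zone:
    """Hypothetical model of a LUN-based zone (not a Fabric Manager object)."""
    name: str
    hosts: frozenset            # initiator names
    luns: frozenset             # (target, lun) pairs; lun None = whole target
    read_only: bool = False     # zones are read-write unless marked read-only


def decide(zones, host, target, lun, op):
    """Return (allowed, reason) for one operation from host to target/lun."""
    if op not in CONTROL_OPS | DATA_OPS:
        raise ValueError(f"unknown operation: {op}")

    # Zones in which this host is a member together with any part of the target.
    shared = [z for z in zones
              if host in z.hosts and any(t == target for t, _ in z.luns)]
    # Of those, the zones that cover this specific LUN.
    covering = [z for z in shared
                if (target, lun) in z.luns or (target, None) in z.luns]

    if not shared:
        # Assumption: default zone policy is deny (the documented default).
        return False, "host and target share no zone"

    if not covering:
        # LUN 0 outside the zone: control traffic is supported, data is denied.
        if lun == 0 and op in CONTROL_OPS:
            return True, "control traffic to LUN 0 is supported"
        return False, "LUN is not in any zone shared with this host"

    if op == "WRITE" and any(z.read_only for z in covering):
        ro = sorted(z.name for z in covering if z.read_only)
        return False, "read-only zone takes priority: " + ", ".join(ro)
    return True, "permitted by " + ", ".join(sorted(z.name for z in covering))


def audit(zones, expected):
    """Compare an intended access matrix with what the zones allow.

    expected maps (host, target, lun, op) -> bool. Returns the mismatches."""
    mismatches = []
    for key, want in expected.items():
        got, reason = decide(zones, *key)
        if got != want:
            mismatches.append((key, want, got, reason))
    return mismatches


# Constructed zone membership that reproduces the access described for H1/H2.
ZONE1 = Zone("Zone1", frozenset({"H1"}), frozenset({("S1", 2), ("S2", 0)}))
ZONE2 = Zone("Zone2", frozenset({"H2"}),
             frozenset({("S1", 1), ("S1", 3), ("S2", 1)}))
# Constructed read-only zone that overlaps Zone2 on S1 LUN 1.
ZONE_RO = Zone("ZoneRO", frozenset({"H2"}), frozenset({("S1", 1)}),
               read_only=True)

if __name__ == "__main__":
    for req in [("H1", "S1", 2, "READ"), ("H1", "S1", 0, "READ"),
                ("H1", "S1", 0, "INQUIRY"), ("H2", "S1", 1, "WRITE")]:
        print(req, decide([ZONE1, ZONE2, ZONE_RO], *req))
```

`audit` returns an empty list when the zones grant exactly the intended access; any entry it returns is either access the zones grant that was not intended or intended access the zones deny.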

Configuring Read-Only Zones


To configure read-only zones using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Select VSAN dialog box.
Step 2 Select a VSAN and click OK.
You see the Edit Local Full Zone Database dialog box for the selected VSAN.
Step 3 Click Zones in the left pane and click the Insert icon to add a zone.
You see the Create Zone Dialog Box as shown in Figure 30-43.

Figure 30-43 Create Zone Dialog Box

Step 4 Check the Read Only check box to create a read-only zone.
Step 5 Click OK.

Note To configure the read-only option for a default zone, see the "Configuring the Default Zone Policy"
section on page 30-38.

Displaying Zone Information


To view zone information and statistics using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and select a zone set in the Logical Domains pane.
You see the zone configuration in the Information pane.


Step 2 Click the Read Only Violations tab, the Statistics tab, or the LUN Zoning Statistics tab to view
statistics for the selected zone.

Enhanced Zoning
The zoning feature complies with the FC-GS-4 and FC-SW-3 standards. Both standards support the basic
zoning functionalities explained in the previous section and the enhanced zoning functionalities
described in this section.
This section includes the following topics:
• About Enhanced Zoning
• Changing from Basic Zoning to Enhanced Zoning
• Changing from Enhanced Zoning to Basic Zoning
• Enabling Enhanced Zoning
• Creating Attribute Groups
• Merging the Database
• Analyzing a Zone Merge
• Configuring Zone Merge Control Policies

About Enhanced Zoning


Table 30-3 lists the advantages of the enhanced zoning feature in all switches in the Cisco MDS 9000
Family.

Table 30-3 Advantages of Enhanced Zoning

| Basic Zoning | Enhanced Zoning | Enhanced Zoning Advantages |
|---|---|---|
| Administrators can make simultaneous configuration changes. Upon activation, one administrator can overwrite another administrator's changes. | Performs all configurations within a single configuration session. When you begin a session, the switch locks the entire fabric to implement the change. | One configuration session for the entire fabric to ensure consistency within the fabric. |
| If a zone is part of multiple zone sets, you create an instance of this zone in each zone set. | References to the zone are used by the zone sets as required once you define the zone. | Reduced payload size as the zone is referenced. The size is more pronounced with bigger databases. |
| The default zone policy is defined per switch. To ensure smooth fabric operation, all switches in the fabric must have the same default zone setting. | Enforces and exchanges the default zone setting throughout the fabric. | Fabric-wide policy enforcement reduces troubleshooting time. |
| To retrieve the results of the activation on a per switch basis, the managing switch provides a combined status about the activation. It does not identify the failure switch. | Retrieves the activation results and the nature of the problem from each remote switch. | Enhanced error reporting eases the troubleshooting process. |
| To distribute the zoning database, you must reactivate the same zone set. The reactivation may affect hardware changes for hard zoning on the local switch and on remote switches. | Implements changes to the zoning database and distributes it without reactivation. | Distribution of zone sets without activation avoids hardware changes for hard zoning in the switches. |
| The MDS-specific zone member types (IPv4 address, IPv6 address, symbolic node name, and other types) may be used by other non-Cisco switches. During a merge, the MDS-specific types can be misunderstood by the non-Cisco switches. | Provides a vendor ID along with a vendor-specific type value to uniquely identify a member type. | Unique vendor type. |
| The fWWN-based zone membership is only supported in Cisco interop mode. | Supports fWWN-based membership in the standard interop mode (interop mode 1). | The fWWN-based member type is standardized. |

Changing from Basic Zoning to Enhanced Zoning


To change to the enhanced zoning mode from the basic mode, follow these steps:

Step 1 Verify that all switches in the fabric are capable of working in the enhanced mode.
If one or more switches are not capable of working in enhanced mode, then your request to move to
enhanced mode is rejected.
Step 2 Set the operation mode to enhanced zoning mode. By doing so, you will automatically start a session,
acquire a fabric-wide lock, distribute the active and full zoning database using the enhanced zoning data
structures, distribute zoning policies, and then release the lock. All switches in the fabric then move to
the enhanced zoning mode.

Tip After moving from basic zoning to enhanced zoning, we recommend that you save the running
configuration.

Changing from Enhanced Zoning to Basic Zoning


The standards do not allow you to move back to basic zoning. However, Cisco MDS switches allow this
move to enable you to downgrade and upgrade to other Cisco SAN-OS or Cisco NX-OS releases.
To change to the basic zoning mode from the enhanced mode, follow these steps:

Step 1 Verify that the active and full zone set do not contain any configuration that is specific to the enhanced
zoning mode.
If such configurations exist, delete them before proceeding with this procedure. If you do not delete the
existing configuration, the Cisco NX-OS software automatically removes them.


Step 2 Set the operation mode to basic zoning mode. By doing so, you will automatically start a session, acquire
a fabric-wide lock, distribute the zoning information using the basic zoning data structure, apply the
configuration changes, and release the lock from all switches in the fabric. All switches in the fabric then
move to basic zoning mode.

Note If a switch running Cisco SAN-OS Release 2.0(1b) and NX-OS 4(1b) or later, with enhanced
zoning enabled is downgraded to Cisco SAN-OS Release 1.3(4), or earlier, the switch comes up
in basic zoning mode and cannot join the fabric because all the other switches in the fabric are
still in enhanced zoning mode.

Enabling Enhanced Zoning


By default, the enhanced zoning feature is disabled in all switches in the Cisco MDS 9000 Family.
To enable enhanced zoning in a VSAN using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and then select a zone set in the Logical Domains pane.
You see the zone set configuration in the Information pane.
Step 2 Click the Enhanced tab.
You see the current enhanced zoning configuration.
Step 3 From the Action drop-down menu, choose enhanced to enable enhanced zoning in this VSAN.
Step 4 Click Apply Changes to save these changes.

Creating Attribute Groups


In enhanced mode, you can directly configure attributes using attribute groups.
To configure attribute groups, refer to the Cisco MDS 9000 Family CLI Configuration Guide.

Merging the Database


The merge behavior depends on the fabric-wide merge control setting:
• Restrict: If the two databases are not identical, the ISLs between the switches are isolated.
• Allow: The two databases are merged using the merge rules specified in Table 30-4.


Table 30-4 Database Zone Merge Status

| Local Database | Adjacent Database | Merge Status | Results of the Merge |
|---|---|---|---|
| Local and adjacent: The databases contain zone sets with the same name [1] but different zones, aliases, and attribute groups. | | Successful. | The union of the local and adjacent databases. |
| Local and adjacent: The databases contain a zone, zone alias, or zone attribute group object with the same name [1] but different members. | | Failed. | ISLs are isolated. |
| Empty. | Contains data. | Successful. | The adjacent database information populates the local database. |
| Contains data. | Empty. | Successful. | The local database information populates the adjacent database. |

[1] In the enhanced zoning mode, the active zone set does not have a name in interop mode 1. The zone set
names are only present for full zone sets.

Caution Remove all non-pWWN-type zone entries on all MDS switches running Cisco SAN-OS prior to merging
fabrics if there is a Cisco MDS 9020 switch running FabricWare in the adjacent fabric.

The merge process operates as follows:


1. The software compares the protocol versions. If the protocol versions differ, then the ISL is isolated.
2. If the protocol versions are the same, then the zone policies are compared. If the zone policies differ,
then the ISL is isolated.
3. If the zone merge options are the same, then the comparison is implemented based on the merge
control setting.
a. If the setting is restrict, the active zone set and the full zone set should be identical. Otherwise
the link is isolated.
b. If the setting is allow, then the merge rules are used to perform the merge.
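
The merge steps and the Table 30-4 rules can be walked through offline to predict whether joining two fabrics will isolate the ISL. The following Python sketch is an added example, not Cisco code or the Fabric Manager merge analysis: `ZoneDb`, `Fabric`, `analyze_merge`, the version numbers and the member strings are constructed, one database stands in for both the active and the full zone set, and both fabrics are assumed to use the same merge control setting, which is passed in as a parameter.

```python
from dataclasses import dataclass, field


@dataclass
class ZoneDb:
    """Hypothetical stand-in for one fabric's zoning database."""
    # zone set name -> set of zone names it references
    zonesets: dict = field(default_factory=dict)
    # (kind, name) -> frozenset of members; kind: "zone", "alias", "attr-group"
    objects: dict = field(default_factory=dict)

    def is_empty(self):
        return not self.zonesets and not self.objects


@dataclass
class Fabric:
    name: str
    protocol_version: int       # constructed value; the page gives no numbers
    policies: dict              # zone policies, compared as a whole
    db: ZoneDb = field(default_factory=ZoneDb)


def conflicting_objects(local, adjacent):
    """Same-named zone, alias or attribute group with different members."""
    common = local.objects.keys() & adjacent.objects.keys()
    return sorted(k for k in common if local.objects[k] != adjacent.objects[k])


def union(local, adjacent):
    """Union of both databases; same-named zone sets pool their zones."""
    merged = ZoneDb(objects={**local.objects, **adjacent.objects})
    for name in local.zonesets.keys() | adjacent.zonesets.keys():
        merged.zonesets[name] = (set(local.zonesets.get(name, ()))
                                 | set(adjacent.zonesets.get(name, ())))
    return merged


def analyze_merge(local, adjacent, merge_control):
    """Walk the merge steps in order. Returns (status, detail, merged_db)."""
    if merge_control not in ("restrict", "allow"):
        raise ValueError(f"unknown merge control setting: {merge_control}")
    # Step 1: protocol versions.
    if local.protocol_version != adjacent.protocol_version:
        return "isolated", "protocol versions differ", None
    # Step 2: zone policies.
    if local.policies != adjacent.policies:
        return "isolated", "zone policies differ", None
    # Step 3a: restrict requires identical databases.
    if merge_control == "restrict":
        if local.db == adjacent.db:
            return "successful", "databases are identical", local.db
        return "isolated", "restrict: databases are not identical", None
    # Step 3b: allow applies the Table 30-4 merge rules.
    conflicts = conflicting_objects(local.db, adjacent.db)
    if conflicts:
        names = ", ".join(f"{kind} {name}" for kind, name in conflicts)
        return "failed", "ISLs isolated; same name, different members: " + names, None
    if local.db.is_empty() and not adjacent.db.is_empty():
        detail = "adjacent database populates the local database"
    elif adjacent.db.is_empty() and not local.db.is_empty():
        detail = "local database populates the adjacent database"
    else:
        detail = "union of the local and adjacent databases"
    return "successful", detail, union(local.db, adjacent.db)


def demo():
    """Constructed fabrics: same zone set name, zone z_db defined differently."""
    pol = {"default-zone": "deny"}
    a = Fabric("A", 1, pol, ZoneDb(
        zonesets={"ZS1": {"z_db"}},
        objects={("zone", "z_db"): frozenset({"pwwn-host1", "pwwn-array1"})}))
    b = Fabric("B", 1, pol, ZoneDb(
        zonesets={"ZS1": {"z_db", "z_backup"}},
        objects={("zone", "z_db"): frozenset({"pwwn-host1", "pwwn-array2"}),
                 ("zone", "z_backup"): frozenset({"pwwn-host2", "pwwn-tape1"})}))
    return analyze_merge(a, b, "allow")


if __name__ == "__main__":
    print(demo())
```

In `demo`, the zone sets share a name, which alone would merge as a union, but zone z_db has different members on each side, so the result is the failed row of Table 30-4.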

Analyzing a Zone Merge


To perform a zone merge analysis using Fabric Manager, follow these steps:

Step 1 Choose Zone > Merge Analysis.


You see the Zone Merge Analysis dialog box shown in Figure 30-44.


Figure 30-44 Zone Merge Analysis Dialog Box

Step 2 Select the first switch to be analyzed from the Check Switch 1 drop-down list.
Step 3 Select the second switch to be analyzed from the And Switch 2 drop-down list.
Step 4 Enter the VSAN ID where the zone set merge failure occurred in the For Active Zoneset Merge Problems
in VSAN Id field.
Step 5 Click Analyze to analyze the zone merge.
Step 6 Click Clear to clear the analysis data in the Zone Merge Analysis dialog box.

Configuring Zone Merge Control Policies


To configure merge control policies, refer to the Cisco MDS 9000 Family CLI Configuration Guide.

Compacting the Zone Database for Downgrading


Prior to Cisco SAN-OS Release 3.0(1), only 2000 zones are supported per VSAN. If you add more than
2000 zones to a VSAN, a configuration check is registered to indicate that downgrading to a previous
release could cause you to lose the zones over the limit. To avoid the configuration check, delete the
excess zones and compact the zone database for the VSAN. If there are 2000 zones or fewer after
deleting the excess zones, the compacting process assigns new internal zone IDs and the configuration
can be supported by Cisco SAN-OS Release 2.x or earlier. Perform this procedure for every VSAN on
the switch with more than 2000 zones.

Note A merge failure occurs when a switch supports more than 2000 zones per VSAN but its neighbor does
not. Also, zone set activation can fail if the switch has more than 2000 zones per VSAN and not all
switches in the fabric support more than 2000 zones per VSAN.

To compact the zone database for downgrading, refer to the Cisco MDS 9000 Family CLI Configuration
Guide.


Default Settings
Table 30-5 lists the default settings for basic zone parameters.

Table 30-5 Default Basic Zone Parameters

| Parameters | Default |
|---|---|
| Default zone policy | Denied to all members. |
| Full zone set distribute | The full zone set(s) is not distributed. |
| Zone based traffic priority | Low. |
| Read-only zones | Read-write attributes for all zones. |
| Broadcast frames | Sent to all Nx ports. |
| Broadcast zoning | Disabled. |
| Enhanced zoning | Disabled. |


CHAPTER 31
Distributing Device Alias Services

All switches in the Cisco MDS 9000 Family support Distributed Device Alias Services (device alias) on
a per-VSAN basis and on a fabric-wide basis. Device alias distribution allows you to move host bus
adapters (HBAs) between VSANs without manually reentering alias names.
This chapter includes the following sections:
• About Device Aliases
• About Device Alias Modes
• Device Alias Databases
• Legacy Zone Alias Conversion
• Device Alias Statistics Cleanup
• Default Settings

About Device Aliases


When the port WWN of a device must be specified to configure different features (zoning, QoS, port
security) in a Cisco MDS 9000 Family switch, you must assign the correct device name each time you
configure these features. An incorrect device name may cause unexpected results. You can avoid this
problem if you define a user-friendly name for a port WWN and use this name in all of the configuration
commands as required. These user-friendly names are referred to as device aliases in this chapter.

About Device Alias Modes


Device alias supports two modes: basic and enhanced mode.
• When device alias runs in the basic mode, all applications function like the applications on the 3.0
  switches. When you configure the basic mode using device aliases, the application immediately
  expands to pWWNs. This behavior continues until the mode is changed to enhanced.
• When device alias runs in the enhanced mode, all applications accept the device-alias configuration
  in the native format. The applications store the device alias name in the configuration and distribute
  it in the device alias format instead of expanding to pWWN. The applications track the device alias
  database changes and take actions to enforce it.
A native device-alias configuration is not accepted in the interop mode VSAN. IVR zoneset activation
will fail in interop mode VSANs if the corresponding twilight zones being injected are native device
alias members.


Changing Mode Settings


When the device alias mode is changed from basic to enhanced mode, the applications are informed
about the change. The applications start accepting the device alias based configuration in the native
format.

Note Because the device alias was previously running in the basic mode, the applications do not have any prior
native device alias configuration.

The applications check for an existing device alias configuration in the native format. If the device alias
is in the native format, the applications reject the request and device alias mode cannot be changed to
basic.
All native device alias configurations (both on local and remote switches) must be explicitly removed,
or all device alias members must be replaced with the corresponding pWWN before changing the mode
back to basic.
The process can be automated using the force option. Use the no device-alias mode enhanced force
command to enable applications to automatically replace all device alias members with the
corresponding pWWNs. If a device alias member does not have a corresponding pWWN mapping in the
device alias database, the configuration will be removed.

Device Alias Mode Distribution


If the device alias distribution is turned on, it is distributed to the other switches in the network whenever
there is a change in the mode. You cannot change the mode from basic to enhanced unless all the
switches are upgraded to Release 3.1. The device alias enhancements will not apply unless the entire
fabric is upgraded to Release 3.1.

Note When all the switches are upgraded to Release 3.1, you cannot automatically convert to enhanced mode.
You do not need to change to enhanced mode; you can continue working in the basic mode.

Merging Device Alias


If two fabrics are running different device alias modes and are joined together, the device alias merge
will fail. There is no automatic conversion of one mode to the other during the merge process. You will
need to resolve the issue.

Note Release 3.0 switches run in basic mode.

At the application level, a merger takes place between the applications and the fabric. For example, zone
merge occurs when the E port is up and the IVR/PSM/DPVM merge occurs due to CFS. This merge is
completely independent of the device alias merge.
If the application running on an enhanced fabric has a native device alias configuration, the application
must fail the merge. The application has to fail the merge even though the other fabric is capable of
supporting the native device alias based configuration but is running in the basic mode. You will need to
resolve the issue. Once the device alias merge issue is resolved, each application must be fixed accordingly.


Resolving Merge and Device Alias Mode Mismatch


If two fabrics are running in different modes and the device alias merge fails between the fabrics, the
conflict can be resolved by selecting one mode or the other. If you choose the enhanced mode, ensure
that all the switches are running at least the Release 3.1 version. Otherwise, the enhanced mode cannot
be turned on. If you choose the basic mode, the applications running on the enhanced fabric have to
comply with the device alias merge.
The device alias merge fails because of mode mismatch, but the application's merge succeeds if it does
not have any native device alias configurations.
If the native device alias configuration is attempted on an application from a Release 3.1 switch, the
commit must be rejected because of device alias mode mismatch on some of the applications.

Note The applications should not accept any native device alias configuration over SNMP if the device alias
is running in the basic mode on that particular switch.

Note Confcheck will be added when the enhanced mode is turned on and removed when it is turned off.
Applications have to add confcheck if they have a device alias configuration in the native format. They
have to remove confcheck once the configuration is removed.

Device Alias Features


Device aliases have the following features:
• The device alias information is independent of your VSAN configuration.
• The device alias configuration and distribution is independent of the zone server and the zone server
  database.
• You can import legacy zone alias configurations without losing data.
• The device alias application uses the Cisco Fabric Services (CFS) infrastructure to enable efficient
  database management and distribution. Device aliases use the coordinated distribution mode and the
  fabric-wide distribution scope (see Chapter 13, Using the CFS Infrastructure).
• When you configure zones, IVR zones, or QoS features using device aliases, and if you display these
  configurations, you will automatically see that the device aliases are displayed along with their
  respective pWWNs.

Device Alias Requirements


Device aliases have the following requirements:
• You can only assign device aliases to pWWNs.
• The mapping between the pWWN and the device alias to which it is mapped must have a one-to-one
  relationship. A pWWN can be mapped to only one device alias and vice versa.
• A device alias name is restricted to 64 alphanumeric characters and may include one or more of the
  following characters:
  – a to z and A to Z


  – 1 to 9
  – - (hyphen) and _ (underscore)
  – $ (dollar sign) and ^ (up caret)

Zone Aliases Versus Device Aliases


Table 31-1 compares the configuration differences between zone-based alias configuration and device
alias configuration.

Table 31-1 Comparison Between Zone Aliases and Device Aliases

| Zone-Based Aliases | Device Aliases |
|---|---|
| Aliases are limited to the specified VSAN. | You can define device aliases without specifying the VSAN number. You can also use the same definition in one or more VSANs without any restrictions. |
| Zone aliases are part of the zoning configuration. The alias mapping cannot be used to configure other features. | Device aliases can be used with any feature that uses the pWWN. |
| You can use any zone member type to specify the end devices. | Only pWWNs are supported along with new device aliases like IP addresses. |
| Configuration is contained within the Zone Server database and is not available to other features. | Device aliases are not restricted to zoning. Device alias configuration is available to the FCNS, zone, fcping, traceroute, and IVR applications. |

Device Alias Databases


The device alias feature uses two databases to accept and implement device alias configurations.
• Effective database: The database currently used by the fabric.
• Pending database: Your subsequent device alias configuration changes are stored in the pending
  database.
If you modify the device alias configuration, you need to commit or discard the changes as the fabric
remains locked during this period.
This section includes the following sections:
• About Device Alias Distribution
• Committing Changes
• Discarding Changes
• Legacy Zone Alias Conversion

About Device Alias Distribution


By default, device alias distribution is enabled. The device alias feature uses the coordinated distribution
mechanism to distribute the modifications to all switches in a fabric.
If you have not committed the changes and you disable distribution, then a commit task will fail.


Distributing the Device Alias Database


To enable the device alias distribution using Fabric Manager, follow these steps:

Step 1 Expand End Devices and then select Device Alias in the Physical Attributes pane.
You see the device alias configuration in the Information pane (see Figure 31-1).

Figure 31-1 Device Aliases in Fabric Manager

The CFS tab is the default tab.


Step 2 Select enable from the Global drop-down menus to enable switch aliases.
Step 3 Select commit from the Config Action drop-down menu for the newly enabled switches.
Step 4 Click Apply Changes to commit and distribute these changes or click Undo Changes to discard any
unsaved changes.

About Creating a Device Alias


When you perform the first device alias task (regardless of which device alias task), the fabric is
automatically locked for the device alias feature. Once you lock the fabric, the following situations
apply:
• No other user can make any configuration changes to this feature.
• A copy of the effective database is obtained and used as the pending database. Modifications from
  this point on are made to the pending database. The pending database remains in effect until you
  commit the modifications to the pending database or discard (abort) the changes to the pending
  database.


Creating a Device Alias


To lock the fabric and create a device alias in the pending database using Fabric Manager, follow these
steps:

Step 1 Expand End Devices and then select Device Alias in the Physical Attributes pane.
You see the device alias configuration in the Information pane.
Step 2 Click the Configuration tab and click the Create Row icon.
You see the Device Alias Creation dialog box in Figure 31-2.

Figure 31-2 Create Device Alias Dialog Box

Step 3 Select a switch from the drop-down menu.


Step 4 Complete the Alias name and pWWN fields.
Step 5 Click Create to create this alias or click Close to discard any unsaved changes.

Committing Changes
If you commit the changes made to the pending database, the following events occur:
1. The pending database contents overwrite the effective database contents.
2. The pending database is emptied of its contents.
3. The fabric lock is released for this feature.
To commit the changes to the device alias database using Fabric Manager, follow these steps:


Step 1 Expand End Devices and then select Device Alias in the Physical Attributes pane.
You see the device alias configuration in the Information pane. The CFS tab is the default tab.
Step 2 Select enable from the Global drop-down menus to enable switch aliases.
Step 3 Select commit from the Config Action drop-down menu for the newly enabled switches.
Step 4 Click Apply Changes to commit and distribute these changes or click Undo Changes to discard any
unsaved changes.

Discarding Changes
If you discard the changes made to the pending database, the following events occur:
1. The effective database contents remain unaffected.
2. The pending database is emptied of its contents.
3. The fabric lock is released for this feature.

To discard the device alias session using Fabric Manager, follow these steps:

Step 1 Expand End Devices and then select Device Alias in the Physical Attributes pane.
You see the device alias configuration in the Information pane. The CFS tab is the default tab.
Step 2 Select abort from the Config Action drop-down menu.
Step 3 Click Apply Changes to discard the session.

Legacy Zone Alias Conversion


You can import legacy zone alias configurations to use this feature without losing data, if they satisfy
the following restrictions:
• Each zone alias has only one member.
• The member type is pWWN.
• The name and definition of the zone alias should not be the same as any existing device alias name.
If any name conflict exists, the zone aliases are not imported.

Tip Ensure that you copy any required zone aliases to the device alias database as required by your
configuration.

When an import operation is complete, the modified alias database is distributed to all other switches in
the physical fabric when you perform the commit operation. At this time if you do not want to distribute
the configuration to other switches in the fabric, you can perform the abort operation and the merge
changes are completely discarded.
This section includes the following topics:


• Using Device Aliases or FC Aliases
• Device Alias Statistics Cleanup

Using Device Aliases or FC Aliases


You can change whether Fabric Manager uses FC aliases or global device aliases from Fabric Manager
client without restarting Fabric Manager Server.
To change whether Fabric Manager uses FC aliases or global device aliases, follow these steps:

Step 1 Click Server > Admin.


You see the Admin dialog box in Figure 31-3.

Figure 31-3 Server Admin Dialog Box

Step 2 For each fabric that you are monitoring with Fabric Manager Server, check the Device Alias check box
to use global device aliases, or uncheck to use FC aliases.
Step 3 Click Apply to save these changes or click Close to exit the dialog box without saving any changes.

Device Alias Statistics Cleanup


To clear device alias statistics (for debugging purposes), refer to the Cisco MDS 9000 Family CLI
Configuration Guide.

Database Merge Guidelines


Refer to the CFS Merge Support section on page 13-9 for detailed concepts.
When merging two device alias databases, follow these guidelines:
• Verify that two device aliases with different names are not mapped to the same pWWN.
• Verify that two different pWWNs are not mapped to the same device alias.
• Verify that the combined number of the device aliases in both databases does not exceed 8191 (8K).
  For example, if database N has 6000 device aliases and database M has 2192 device aliases, this
  merge operation will fail.
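
The three merge guidelines above, and the import restrictions listed under Legacy Zone Alias Conversion, can be verified on exported alias data before two fabrics are joined. The following Python sketch is an added example, not Cisco code: the function names, finding labels and sample pWWNs are constructed, alias names are compared as exact strings, and the pWWN check in `check_zone_alias_import` is inferred from the one-to-one alias/pWWN requirement rather than stated in the restrictions.

```python
import re

MAX_DEVICE_ALIASES = 8191   # combined limit stated in the merge guidelines
PWWN_RE = re.compile(r"([0-9a-f]{2}:){7}[0-9a-f]{2}")


def norm_pwwn(pwwn):
    """Normalize a pWWN so that case or whitespace cannot hide a duplicate."""
    value = pwwn.strip().lower()
    if not PWWN_RE.fullmatch(value):
        raise ValueError(f"not a pWWN: {pwwn!r}")
    return value


def check_merge(db_n, db_m):
    """Pre-merge check of two device alias databases (alias name -> pWWN).

    Returns a list of findings; an empty list means all three guidelines hold."""
    n = {alias: norm_pwwn(p) for alias, p in db_n.items()}
    m = {alias: norm_pwwn(p) for alias, p in db_m.items()}
    findings = []

    # Two different pWWNs mapped to the same device alias.
    for alias in sorted(n.keys() & m.keys()):
        if n[alias] != m[alias]:
            findings.append(("alias-conflict", alias, n[alias], m[alias]))

    # Two device aliases with different names mapped to the same pWWN.
    alias_by_pwwn = {p: alias for alias, p in n.items()}
    for alias_m, p in sorted(m.items()):
        alias_n = alias_by_pwwn.get(p)
        if alias_n is not None and alias_n != alias_m:
            findings.append(("pwwn-conflict", p, alias_n, alias_m))

    # Combined number of device aliases, added up as in the page's example.
    total = len(n) + len(m)
    if total > MAX_DEVICE_ALIASES:
        findings.append(("over-limit", total, MAX_DEVICE_ALIASES))
    return findings


def check_zone_alias_import(zone_aliases, device_aliases):
    """Report which legacy zone aliases satisfy the import restrictions.

    zone_aliases: name -> list of (member_type, value) tuples.
    device_aliases: existing device alias database, name -> pWWN.
    Returns (accepted, rejected); this is a per-alias report and does not
    model how the switch itself handles a conflict."""
    names = set(device_aliases)
    pwwns = {norm_pwwn(p) for p in device_aliases.values()}
    accepted, rejected = {}, {}
    for name, members in sorted(zone_aliases.items()):
        if len(members) != 1:
            rejected[name] = "must have exactly one member"
        elif members[0][0] != "pwwn":
            rejected[name] = "member type is not pWWN"
        elif name in names:
            rejected[name] = "name conflicts with an existing device alias"
        elif norm_pwwn(members[0][1]) in pwwns:
            # Assumption: follows from the one-to-one alias/pWWN requirement.
            rejected[name] = "pWWN is already mapped to a device alias"
        else:
            accepted[name] = norm_pwwn(members[0][1])
            pwwns.add(accepted[name])
    return accepted, rejected


def synthetic_db(prefix, count, tag):
    """Constructed sample data: count aliases with distinct pWWNs."""
    return {f"{prefix}{i}": f"20:{tag:02x}:00:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
            for i in range(count)}


if __name__ == "__main__":
    # The page's example: 6000 + 2192 aliases is one over the limit.
    print(check_merge(synthetic_db("n", 6000, 1), synthetic_db("m", 2192, 2)))
```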


Default Settings
Table 31-2 lists the default settings for device alias parameters.

Table 31-2 Default Device Alias Parameters

Parameters | Default
Database in use | Effective database.
Database to accept changes | Pending database.
Device alias fabric lock state | Locked with the first device alias task.

CHAPTER 32
Configuring Fibre Channel Routing Services and Protocols

Fabric Shortest Path First (FSPF) is the standard path selection protocol used by Fibre Channel fabrics.
The FSPF feature is enabled by default on all Fibre Channel switches. Except in configurations that
require special consideration, you do not need to configure any FSPF services. FSPF automatically
calculates the best path between any two switches in a fabric. Specifically, FSPF is used to:
• Dynamically compute routes throughout a fabric by establishing the shortest and quickest path
  between any two switches.
• Select an alternative path in the event of the failure of a given path. FSPF supports multiple paths
  and automatically computes an alternative path around a failed link. It provides a preferred route
  when two equal paths are available.
This chapter provides details on Fibre Channel routing services and protocols. It includes the following
sections:
• About FSPF
• FSPF Global Configuration
• FSPF Interface Configuration
• FSPF Routes
• In-Order Delivery
• Default Settings

About FSPF
FSPF is the protocol currently standardized by the T11 committee for routing in Fibre Channel networks.
The FSPF protocol has the following characteristics and features:
• Supports multipath routing.
• Bases path status on a link state protocol.
• Routes hop by hop, based only on the domain ID.
• Runs only on E ports or TE ports and provides a loop free topology.
• Runs on a per VSAN basis. Connectivity in a given VSAN in a fabric is guaranteed only for the
  switches configured in that VSAN.
• Uses a topology database to keep track of the state of the links on all switches in the fabric and
  associates a cost with each link.
• Guarantees a fast reconvergence time in case of a topology change. Uses the standard Dijkstra's
  algorithm, but there is a static dynamic option for a more robust, efficient, and incremental Dijkstra's
  algorithm. The reconvergence time is fast and efficient as the route computation is done on a per
  VSAN basis.

FSPF Examples
This section provides examples of topologies and applications that demonstrate the benefits of FSPF.

Note The FSPF feature can be used on any topology.

Fault Tolerant Fabric


Figure 32-1 depicts a fault tolerant fabric using a partial mesh topology. If a link goes down anywhere in the
fabric, any switch can still communicate with all others in the fabric. In the same way, if any switch goes
down, the connectivity of the rest of the fabric is preserved.

Figure 32-1 Fault Tolerant Fabric (switches A, B, C, D, and E)

For example, if all links are of equal speed, the FSPF calculates two equal paths from A to C: A-D-C
(green) and A-E-C (blue).

Redundant Links
To further improve on the topology in Figure 32-1, each connection between any pair of switches can be
replicated; two or more links can be present between a pair of switches. Figure 32-2 shows this
arrangement. Because switches in the Cisco MDS 9000 Family support PortChanneling, each pair of
physical links can appear to the FSPF protocol as one single logical link.
Bundling pairs of physical links considerably improves FSPF efficiency by reducing both the database
size and the frequency of link updates. Once physical links are aggregated, failures are not attached to a
single link but to the entire PortChannel. This configuration also improves the resiliency of the network.
The failure of a link in a PortChannel does not trigger a route change, thereby reducing the risks of
routing loops, traffic loss, or fabric downtime for route reconfiguration.

Figure 32-2 Fault Tolerant Fabric with Redundant Links (switches A, B, C, D, and E; links 1 through 4 from switch A)

For example, if all links are of equal speed and no PortChannels exist, the FSPF calculates four equal
paths from A to C: A1-E-C, A2-E-C, A3-D-C, and A4-D-C. If PortChannels exist, these paths are
reduced to two.
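The path counts in the two examples above can be reproduced with a link-state shortest-path computation that keeps every equal-cost predecessor. This is an added example, not Cisco's implementation: the link lists are constructed to match the paths named in the text (the links attached to switch B are an assumption, because the figures are not reproduced here), and the PortChannel is given the cost of its member links, which the page does not specify.

```python
import heapq
from collections import defaultdict

COST_1G = 1000  # default FSPF cost of a 1-Gbps link, as stated in this chapter


def equal_cost_paths(links, src, dst):
    """Return (cost, sorted paths); each path is a tuple of link names.

    links: list of (name, switch_a, switch_b, cost). Links are bidirectional
    and parallel links between the same two switches are allowed.
    """
    adj = defaultdict(list)
    for name, a, b, cost in links:
        if not 1 <= cost <= 65535:
            raise ValueError(f"{name}: cost {cost} outside 1-65535")
        adj[a].append((b, cost, name))
        adj[b].append((a, cost, name))

    # Dijkstra that records every predecessor link achieving the minimum.
    dist = {src: 0}
    preds = defaultdict(list)          # switch -> [(previous switch, link)]
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue                   # stale heap entry
        for v, cost, name in adj[u]:
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                preds[v] = [(u, name)]
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].append((u, name))
    if dst not in dist:
        return None, []

    def walk(node):
        if node == src:
            return [()]
        return [p + (name,) for prev, name in preds[node] for p in walk(prev)]

    return dist[dst], sorted(walk(dst))


def bundle(links, members, name):
    """Replace parallel member links with one logical PortChannel link."""
    chosen = [l for l in links if l[0] in members]
    ends = {frozenset((a, b)) for _, a, b, _ in chosen}
    if len(chosen) != len(members) or len(ends) != 1:
        raise ValueError("members must be existing links between one switch pair")
    _, a, b, _ = chosen[0]
    cost = min(c for *_, c in chosen)  # assumption: keep the member cost
    return [l for l in links if l[0] not in members] + [(name, a, b, cost)]


def set_cost(links, name, cost):
    """Administratively change the cost of one link."""
    return [(n, a, b, cost if n == name else c) for n, a, b, c in links]


# Constructed link lists (assumed wiring; all links 1 Gbps).
CORE = [("B-D", "B", "D", COST_1G), ("B-E", "B", "E", COST_1G),
        ("D-C", "D", "C", COST_1G), ("E-C", "E", "C", COST_1G)]
FIG_32_1 = CORE + [("A-D", "A", "D", COST_1G), ("A-E", "A", "E", COST_1G)]
FIG_32_2 = CORE + [("A1", "A", "E", COST_1G), ("A2", "A", "E", COST_1G),
                   ("A3", "A", "D", COST_1G), ("A4", "A", "D", COST_1G)]

if __name__ == "__main__":
    print("Figure 32-1:", equal_cost_paths(FIG_32_1, "A", "C"))
    print("Figure 32-2:", equal_cost_paths(FIG_32_2, "A", "C"))
    po = bundle(bundle(FIG_32_2, {"A1", "A2"}, "po1"), {"A3", "A4"}, "po2")
    print("With PortChannels:", equal_cost_paths(po, "A", "C"))
    print("A-E cost raised:", equal_cost_paths(set_cost(FIG_32_1, "A-E", 1500), "A", "C"))
```

Removing a link from the list and rerunning the function shows the alternative path FSPF would select after a failure.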

Fail-Over Scenarios for PortChannels and FSPF Links


The SmartBits traffic generator was used to evaluate the scenarios displayed in Figure 32-3. Two links
between switch 1 and switch 2 exist as either equal-cost ISLs or PortChannels. There is one flow from
traffic generator 1 to traffic generator 2. The traffic was tested at 100% utilization at 1 Gbps in two
scenarios:
• Disabling the traffic link by physically removing the cable (see Table 32-1).
• Shutting down either switch 1 or switch 2 (see Table 32-2).

Figure 32-3 Fail-Over Scenario Using Traffic Generators (Traffic Generator 1, Switch 1, Switch 2, Traffic Generator 2)

Table 32-1 Physically Removing the Cable for the SmartBits Scenario

PortChannel Scenario | | FSPF Scenario (Equal cost ISL) |
Switch 1 | Switch 2 | Switch 1 | Switch 2
110 msec (~2K frame drops) | | 130+ msec (~4k frame drops) |
100 msec (hold time when a signal loss is reported as mandated by the standard)

Table 32-2 Shutting Down the Switch for the SmartBits Scenario

PortChannel Scenario | | FSPF Scenario (Equal cost ISL) |
Switch 1 | Switch 2 | Switch 1 | Switch 2
~0 msec (~8 frame drops) | 110 msec (~2K frame drops) | 130+ msec (~4K frame drops) |
No hold time needed | Signal loss on switch 1 | No hold time needed | Signal loss on switch 1

FSPF Global Configuration


By default, FSPF is enabled on switches in the Cisco MDS 9000 Family.
Some FSPF features can be globally configured in each VSAN. By configuring a feature for the entire
VSAN, you do not have to specify the VSAN number for every command. This global configuration
feature also reduces the chance of typing errors or other minor configuration errors.

Note FSPF is enabled by default. Generally, you do not need to configure these advanced features.

Caution The default for the backbone region is 0 (zero). You do not need to change this setting unless your region
is different from the default. If you are operating with other vendors using the backbone region, you can
change this default to be compatible with those settings.

This section includes the following topics:


• About SPF Computational Hold Times
• About Link State Records
• Configuring FSPF on a VSAN
• Resetting FSPF to the Default Configuration
• Enabling or Disabling FSPF

About SPF Computational Hold Times


The SPF computational hold time sets the minimum time between two consecutive SPF computations
on the VSAN. Setting this to a small value means that FSPF reacts faster to any fabric changes by
recomputing paths on the VSAN. A small SPF computational hold time uses more switch CPU time.

About Link State Records


Each time a new switch enters the fabric, a link state record (LSR) is sent to the neighboring switches,
and then flooded throughout the fabric. Table 32-3 displays the default settings for switch responses.

Table 32-3 LSR Default Settings

LSR Option | Default | Description
Acknowledgment interval (RxmtInterval) | 5 seconds | The time a switch waits for an acknowledgment from the LSR before retransmission.
Refresh time (LSRefreshTime) | 30 minutes | The time a switch waits before sending an LSR refresh transmission.
Maximum age (MaxAge) | 60 minutes | The time a switch waits before dropping the LSR from the database.

The LSR minimum arrival time is the period between receiving LSR updates on this VSAN. Any LSR
updates that arrive before the LSR minimum arrival time are discarded.
The LSR minimum interval time is the frequency at which this switch sends LSR updates on a VSAN.

Configuring FSPF on a VSAN


To configure an FSPF feature for the entire VSAN using Fabric Manager, follow these steps:

Step 1 Expand a Fabric, expand a VSAN and select FSPF for a VSAN that you want to configure for FSPF.
You see the FSPF configuration in the Information pane as shown in Figure 32-4.

Figure 32-4 FSPF General Information

Step 2 The RegionID, Spf Comp Holdtime, LSR Min Arrival, and LSR Min Interval field values are applied
across all interfaces on the VSAN. You can change them here or, if they do not exist, create them here.
Step 3 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

Resetting FSPF to the Default Configuration


To return the FSPF VSAN global configuration to its factory default using Fabric Manager, follow these
steps:

Step 1 Expand a Fabric, expand a VSAN and select FSPF for a VSAN that you want to configure for FSPF.
You see the FSPF configuration in the Information pane as shown in Figure 32-4.
Step 2 Check the SetToDefault check box for a switch.

Step 3 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

Enabling or Disabling FSPF


To enable or disable FSPF using Fabric Manager, follow these steps:

Step 1 Expand a Fabric, expand a VSAN and select FSPF for a VSAN that you want to configure for FSPF.
You see the FSPF configuration in the Information pane as shown in Figure 32-4.
Step 2 Set the Status Admin drop-down menu to up to enable FSPF or to down to disable FSPF.
Step 3 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

FSPF Interface Configuration


Several FSPF commands are available on a per interface basis. These configuration procedures apply to
an interface in a specific VSAN.
This section includes the following topics:
• About FSPF Link Cost
• Configuring FSPF Link Cost
• About Hello Time Intervals
• Configuring Hello Time Intervals
• About Dead Time Intervals
• Configuring Dead Time Intervals
• About Retransmitting Intervals
• Configuring Retransmitting Intervals
• About Disabling FSPF for Specific Interfaces
• Disabling FSPF for Specific Interfaces
• Displaying the FSPF Database
• Viewing FSPF Statistics

About FSPF Link Cost


FSPF tracks the state of links on all switches in the fabric, associates a cost with each link in its database,
and then chooses the path with a minimal cost. The cost associated with an interface can be
administratively changed to implement the FSPF route selection. The integer value to specify cost can
range from 1 to 65,535. The default cost for 1 Gbps is 1000 and for 2 Gbps is 500.

Configuring FSPF Link Cost


To configure FSPF link cost using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Interfaces and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the FSPF tab.
You see the FSPF interface configuration in the Information pane as shown in Figure 32-5.

Figure 32-5 Fibre Channel Physical FSPF Interface

Step 3 Double-click in the Cost field of a switch and change the value.
Step 4 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

About Hello Time Intervals


You can set the FSPF Hello time interval to specify the interval between the periodic hello messages sent
to verify the health of the link. The integer value can range from 1 to 65,535 seconds.

Note This value must be the same in the ports at both ends of the ISL.

Configuring Hello Time Intervals


To configure the FSPF Hello time interval using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Interfaces and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the FSPF tab.
You see the FSPF interface configuration in the Information pane as shown in Figure 32-5.
Step 3 Change the Hello Interval field for a switch.
Step 4 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

About Dead Time Intervals


You can set the FSPF dead time interval to specify the maximum interval for which a hello message must
be received before the neighbor is considered lost and removed from the database. The integer value can
range from 1 to 65,535 seconds.

Note This value must be the same in the ports at both ends of the ISL.

Caution An error is reported at the command prompt if the configured dead time interval is less than the hello
time interval.

Configuring Dead Time Intervals


To configure the FSPF dead time interval using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Interfaces and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the FSPF tab.
You see the FSPF interface configuration in the Information pane as shown in Figure 32-5.
Step 3 Double-click the Dead Interval field for a switch and provide a new value.
Step 4 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

About Retransmitting Intervals


You can specify the time after which an unacknowledged link state update should be transmitted on the
interface. The integer value to specify retransmit intervals can range from 1 to 65,535 seconds.

Note This value must be the same on the switches on both ends of the interface.

Configuring Retransmitting Intervals


To configure the FSPF retransmit time interval using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Interfaces, and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the FSPF tab.
You see the FSPF interface configuration in the Information pane as shown in Figure 32-5.
Step 3 Double-click the ReTx Interval field and enter a value.
Step 4 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

About Disabling FSPF for Specific Interfaces


You can disable the FSPF protocol for selected interfaces. By default, FSPF is enabled on all E ports and
TE ports. This default can be disabled by setting the interface as passive.

Note FSPF must be enabled at both ends of the interface for the protocol to work.
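The per-interface rules in the preceding sections (each interval within 1 to 65,535 seconds, dead interval not less than hello interval, identical values at both ends of the ISL, FSPF enabled at both ends) can be audited from a recorded inventory. This is an added example, not Cisco code: the FspfPort record, the function names, and the sample switches are hypothetical, and the field defaults are the hello, dead, and RxmtInterval defaults listed in this chapter.

```python
from dataclasses import dataclass

TIMERS = ("hello", "dead", "retransmit")


@dataclass(frozen=True)
class FspfPort:
    """FSPF settings of one end of an ISL (hypothetical inventory record)."""
    switch: str
    interface: str
    hello: int = 20        # seconds
    dead: int = 80         # seconds
    retransmit: int = 5    # seconds
    passive: bool = False  # True means FSPF is disabled on this interface


def audit_isl(a, b):
    """Return findings for the two ends of one ISL."""
    findings = []
    for port in (a, b):
        where = f"{port.switch} {port.interface}"
        for name in TIMERS:
            value = getattr(port, name)
            if not 1 <= value <= 65535:
                findings.append(
                    f"{where}: {name} interval {value} is outside 1-65535 seconds")
        if port.dead < port.hello:
            findings.append(
                f"{where}: dead interval {port.dead} is less than "
                f"hello interval {port.hello}")
    # Each interval must be the same at both ends of the ISL.
    for name in TIMERS:
        va, vb = getattr(a, name), getattr(b, name)
        if va != vb:
            findings.append(
                f"{name} interval differs: {a.switch}={va}, {b.switch}={vb}")
    # FSPF must be enabled at both ends for the protocol to work.
    if a.passive != b.passive:
        off = a if a.passive else b
        findings.append(
            f"FSPF is disabled (passive) only on {off.switch} {off.interface}")
    return findings


def audit_fabric(isls):
    """Map 'end <-> end' to its findings, for ISLs that have any."""
    report = {}
    for a, b in isls:
        findings = audit_isl(a, b)
        if findings:
            key = f"{a.switch} {a.interface} <-> {b.switch} {b.interface}"
            report[key] = findings
    return report


# Constructed inventory: one clean ISL and one misconfigured ISL.
SAMPLE_ISLS = [
    (FspfPort("sw1", "fc1/1"), FspfPort("sw2", "fc2/1")),
    (FspfPort("sw1", "fc1/2", hello=30, dead=20),
     FspfPort("sw2", "fc2/2", passive=True)),
]

if __name__ == "__main__":
    for isl, findings in audit_fabric(SAMPLE_ISLS).items():
        for finding in findings:
            print(f"{isl}: {finding}")
```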

Disabling FSPF for Specific Interfaces


To disable FSPF for a specific interface using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Interfaces and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the FSPF tab.
You see the FSPF interface configuration in the Information pane shown in Figure 32-5.
Step 3 Set a switch Admin Status drop-down menu to down.
Step 4 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

Displaying the FSPF Database


The FSPF database for a specified VSAN includes the following information:
• Link State Record (LSR) type
• Domain ID of the LSR owner
• Domain ID of the advertising router
• LSR age
• LSR incarnation number
• Number of links
To display the FSPF database using Device Manager, follow these steps:

Step 1 Choose FC > Advanced > FSPF.


You see the FSPF dialog box shown in Figure 32-6.

Figure 32-6 FSPF Dialog Box in Device Manager

Step 2 Click the LSDB LSRs tab.


You see the FSPF database information shown in Figure 32-7.

Figure 32-7 FSPF Database Information in the LSDB LSRs Tab

Step 3 Click Close to close the dialog box.

Viewing FSPF Statistics


To view FSPF statistics using Fabric Manager, follow these steps:

Step 1 Expand a Fabric, expand a VSAN, and then select FSPF in the Logical Domains pane.
You see the FSPF configuration dialog box.
Step 2 Click the Statistics tab.
You see the FSPF VSAN statistics in the Information pane (see Figure 32-8).

Figure 32-8 FSPF VSAN Statistics

Step 3 Click the Interface Statistics tab.

You see the FSPF interface statistics in the Information pane.

FSPF Routes
FSPF routes traffic across the fabric, based on entries in the FSPF database. These routes can be learned
dynamically, or configured statically.
This section includes the following topics:
• About Fibre Channel Routes
• Configuring Fibre Channel Routes
• About Broadcast and Multicast Routing
• About Multicast Root Switch
• Setting the Multicast Root Switch

About Fibre Channel Routes


Each port implements forwarding logic, which forwards frames based on its FC ID. Using the FC ID for
the specified interface and domain, you can configure the specified route (for example FC ID 111211
and domain ID 3) in the switch with domain ID 1 (see Figure 32-9).

Figure 32-9 Fibre Channel Routes (Domain ID 1, Domain ID 3, Domain ID 7, interface fc1/1, FC ID 111211)

Note Other than in VSANs, runtime checks are not performed on configured and suspended static routes.

Configuring Fibre Channel Routes


If you disable FSPF, you can manually configure a Fibre Channel route.
To configure a Fibre Channel route using Device Manager, follow these steps:

Step 1 Click FC > Advanced > Routes.


You see the FC Static Route Configuration dialog box shown in Figure 32-10.

Figure 32-10 Fibre Channel Static Route Configuration Dialog Box

Step 2 Click Create to create a static route.


You see the Create Route dialog box shown in Figure 32-11.

Figure 32-11 Create Fibre Channel Route Dialog Box

Step 3 Select the VSAN ID for which you are configuring this route.
Step 4 Fill in the destination address and destination mask for the device for which you are configuring a route.
Step 5 Select the interface that you want to use to reach this destination.
Step 6 Select the next hop domain ID and route metric.
Step 7 Select either the local or remote radio button.
Step 8 Click Create to save these changes, or click Close to discard any unsaved changes.

About Broadcast and Multicast Routing


Broadcast and multicast in a Fibre Channel fabric use the concept of a distribution tree to reach all
switches in the fabric.
FSPF provides the topology information to compute the distribution tree. Fibre Channel defines 256
multicast groups and one broadcast address for each VSAN. Switches in the Cisco MDS 9000 Family
only use broadcast routing. By default, they use the principal switch as the root node to derive a loop-free
distribution tree for multicast and broadcast routing in a VSAN.

Caution All switches in the fabric should run the same multicast and broadcast distribution tree algorithm to
ensure the same distribution tree.

To interoperate with other vendor switches (following FC-SW3 guidelines), the SAN-OS and NX-OS
4.1(1b) and later software uses the lowest domain switch as the root to compute the multicast tree in
interop mode.

About Multicast Root Switch


By default, the native (non-interop) mode uses the principal switch as the root. If you change the default,
be sure to configure the same mode in all switches in the fabric. Otherwise, multicast traffic could face
potential loop and frame-drop problems.

Note The operational mode can be different from the configured interop mode. The interop mode always uses
the lowest domain switch as the root.

Setting the Multicast Root Switch


To use the lowest domain switch for the multicast tree computation using Fabric Manager, follow these
steps:

Step 1 Expand a fabric, expand a VSAN, and then select Advanced for the VSAN that you want to configure
FSPF on.
You see the advanced Fibre Channel configuration in the Information pane.
Step 2 Select the Multicast Root tab.
You see the multicast root configuration in the Information pane as shown in Figure 32-12.

Figure 32-12 Multicast Root Configuration

Step 3 Set the Config Mode drop-down menu to lowestDomainSwitch.


Step 4 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

In-Order Delivery
In-Order Delivery (IOD) of data frames guarantees frame delivery to a destination in the same order that
they were sent by the originator.
Some Fibre Channel protocols or applications cannot handle out-of-order frame delivery. In these cases,
switches in the Cisco MDS 9000 Family preserve frame ordering in the frame flow. The source ID (SID),
destination ID (DID), and optionally the originator exchange ID (OX ID) identify the flow of the frame.
On any given switch with IOD enabled, all frames received by a specific ingress port and destined to a
certain egress port are always delivered in the same order in which they were received.
Use IOD only if your environment cannot support out-of-order frame delivery.

Tip If you enable the in-order delivery feature, the graceful shutdown feature is not implemented.

This section includes the following topics:


• About Reordering Network Frames
• About Reordering PortChannel Frames
• About Enabling In-Order Delivery
• Enabling In-Order Delivery Globally
• Enabling In-Order Delivery for a VSAN
• Configuring the Drop Latency Time

About Reordering Network Frames


When you experience a route change in the network, the new selected path may be faster or less
congested than the old route.

Figure 32-13 Route Change Delivery (Switch 1, Switch 2, Switch 3, Switch 4; old path and new path; Frame 1 through Frame 4)

In Figure 32-13, the new path from Switch 1 to Switch 4 is faster. In this scenario, Frame 3 and Frame
4 may be delivered before Frame 1 and Frame 2.
If the in-order guarantee feature is enabled, the frames within the network are treated as follows:
• Frames in the network are delivered in the order in which they are transmitted.
• Frames that cannot be delivered in order within the network latency drop period are dropped inside
  the network.

About Reordering PortChannel Frames


When a link change occurs in a PortChannel, the frames for the same exchange or the same flow can
switch from one path to another faster path.

Figure 32-14 Link Congestion Delivery (Switch 1, Switch 2; old path and new path; Frame 1 through Frame 4)

In Figure 32-14, the port of the old path (red dot) is congested. In this scenario, Frame 3 and Frame 4
can be delivered before Frame 1 and Frame 2.
When in-order delivery is enabled, the feature attempts to minimize the number of frames dropped during
PortChannel link changes by sending a request to the remote switch on the PortChannel to flush all
frames for this PortChannel.

Note Both switches on the PortChannel must be running Cisco SAN-OS Release 3.0(1) for this IOD
enhancement. For earlier releases, IOD waits for the switch latency period before sending new frames.

When the in-order delivery guarantee feature is enabled and a PortChannel link change occurs, the
frames crossing the PortChannel are treated as follows:
• Frames using the old path are delivered before new frames are accepted.

• The new frames are delivered through the new path after the switch latency drop period has elapsed
  and all old frames are flushed.
Frames that cannot be delivered in order through the old path within the switch latency drop period are
dropped. See the Configuring the Drop Latency Time section on page 32-18.

About Enabling In-Order Delivery


You can enable the in-order delivery feature for a specific VSAN or for the entire switch. By default,
in-order delivery is disabled on switches in the Cisco MDS 9000 Family.

Tip We recommend that you only enable this feature when devices that cannot handle any out-of-order
frames are present in the switch. Load-balancing algorithms within the Cisco MDS 9000 Family ensure
that frames are delivered in order during normal fabric operation. The load-balancing algorithms based
on source FC ID, destination FC ID, and exchange ID are enforced in hardware without any performance
degradation. However, if the fabric encounters a failure and this feature is enabled, the recovery will be
delayed because of an intentional pausing of fabric forwarding to purge the fabric of resident frames that
could potentially be forwarded out-of-order.

Enabling In-Order Delivery Globally


To ensure that the in-order delivery parameters are uniform across all VSANs on an MDS switch, enable
in-order delivery globally.
Only enable in-order delivery globally if this is a requirement across your entire fabric. Otherwise,
enable IOD only for the VSANs that require this feature.

Note Enable in-order delivery on the entire switch before performing a downgrade to Cisco MDS SAN-OS
Release 1.3(3) or earlier.

Enabling In-Order Delivery for a VSAN


When you create a VSAN, that VSAN automatically inherits the global in-order-guarantee value. You
can override this global value by enabling or disabling in-order-guarantee for the new VSAN.
To enable in-order delivery for a VSAN using Fabric Manager, follow these steps:

Step 1 Expand a fabric and select All VSANS.


Step 2 Select the Attributes tab.
You see the general VSAN attributes in the Information pane shown in Figure 32-15.

Figure 32-15 General VSAN Attributes

Step 3 Check the InOrder Delivery check box to enable IOD for the switch.
Step 4 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

Configuring the Drop Latency Time


You can change the default latency time for either the entire switch or a specified VSAN in a switch.
To configure the drop latency time for a switch using Fabric Manager, follow these steps:

Step 1 Expand a fabric and select All VSANS.


You see the VSAN configuration in the Information pane.
Step 2 Select the Attributes tab.
You see the general VSAN attributes in the Information pane shown in Figure 32-16.

Figure 32-16 General VSAN Attributes

Step 3 Double-click the Network Latency field and change the value.
Step 4 Click Apply Changes to save these changes, or click Undo Changes to discard any unsaved changes.

Default Settings
Table 32-4 lists the default settings for FSPF features.

Table 32-4 Default FSPF Settings

| Parameters | Default |
|---|---|
| FSPF | Enabled on all E ports and TE ports. |
| SPF computation | Dynamic. |
| SPF hold time | 0. |
| Backbone region | 0. |
| Acknowledgment interval (RxmtInterval) | 5 seconds. |
| Refresh time (LSRefreshTime) | 30 minutes. |
| Maximum age (MaxAge) | 60 minutes. |
| Hello interval | 20 seconds. |
| Dead interval | 80 seconds. |
| Distribution tree information | Derived from the principal switch (root node). |
| Routing table | FSPF stores up to 16 equal cost paths to a given destination. |
| Load balancing | Based on destination ID and source ID on different, equal cost paths. |
| In-order delivery | Disabled. |
| Drop latency | Disabled. |
| Static route cost | If the cost (metric) of the route is not specified, the default is 10. |
| Remote destination switch | If the remote destination switch is not specified, the default is direct. |
| Multicast routing | Uses the principal switch to compute the multicast tree. |

CHAPTER 33
Dense Wavelength Division Multiplexing

About DWDM
Dense Wavelength-Division Multiplexing (DWDM) multiplexes multiple optical carrier signals on a
single optical fiber. DWDM uses different wavelengths to carry various signals.
To establish a DWDM link, both ends of an Inter-Switch Link (ISL) must be connected with DWDM
SFPs (small form-factor pluggables). To identify a DWDM link, Fabric Manager
discovers the connector type on the Fibre Channel (FC) ports. If the ISL link is associated with the FC
ports at each end, then the FC port uses DWDM SFP to connect the links.
Fabric Manager Server discovers FC ports with DWDM SFPs and the ISLs associated with the FC ports.
The Fabric Manager Client displays ISLs with the DWDM attribute on the topology map.

Note The FSPF (Fabric Shortest Path First) database only displays an ISL link, which is connected with
DWDM SFPs at both ends.

Viewing DWDM Links


The Fabric Manager Client displays DWDM links with a dash-dash pattern. The tooltip for the link
displays DWDM to indicate its link type.
To view the DWDM link, follow these steps:

Step 1 Select the switch in the Logical Domain region.


Step 2 Select ISL in the Physical Attributes region.
The Information pane displays the ISL information.
Step 3 Click the Physical tab.
You see the ISL in the Information pane as shown in Figure 33-1.

Figure 33-1 Fabric Manager with ISL Link

Step 4 The ISLs Physical table displays the connector type as sfpDwdm as shown in Figure 33-2.

Figure 33-2 Connector Type Displayed as sfpDwdm

Step 5 Move the mouse over the link to see the tooltip as DWDM indicating the link type as shown in
Figure 33-3.

Figure 33-3 Tooltip Showing DWDM

Step 6 Perform a Dump Discovery of ISL to list all ISLs. DWDM links are listed with [DWDM] as shown in
Figure 33-4.

Figure 33-4 ISL List Displayed in the Information Pane

CHAPTER 34
Managing FLOGI, Name Server, FDMI, and RSCN Databases

This chapter describes the fabric login database, the name server features, the Fabric-Device
Management Interface, and Registered State Change Notification (RSCN) information provided in the
Cisco MDS 9000 Family. It includes the following sections:
FLOGI
Displaying FLOGI Details
Name Server Proxy
FDMI
Displaying FDMI
RSCN
Default Settings

FLOGI
In a Fibre Channel fabric, each host or disk requires an FC ID. If the required device is displayed in the
FLOGI table, the fabric login is successful. Examine the FLOGI database on a switch that is directly
connected to the host HBA and connected ports. See the Default Company ID list section on page 37-8
and the Switch Interoperability section on page 37-8.

Displaying FLOGI Details


To verify that a storage device is in the fabric login (FLOGI) table using Fabric Manager, follow these
steps:

Step 1 Expand Switches, expand Interfaces and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the FLOGI tab.
You see all end devices that are logged into the fabric (see Figure 34-1).

Figure 34-1 FLOGI Physical Interfaces

Name Server Proxy


The name server functionality maintains a database containing the attributes for all hosts and storage
devices in each VSAN. Name servers allow a database entry to be modified by a device that originally
registered the information.
The proxy feature is useful when you wish to modify (update or delete) the contents of a database entry
that was previously registered by a different device.
This section includes the following topics:
About Registering Name Server Proxies
Registering Name Server Proxies
About Rejecting Duplicate pWWN
Rejecting Duplicate pWWNs
About Name Server Database Entries
Viewing Name Server Database Entries

About Registering Name Server Proxies


All name server registration requests must come from the same port whose parameter is being registered
or changed. If a request does not, it is rejected.
This authorization enables WWNs to register specific parameters for another node.

Registering Name Server Proxies


To register the name server proxy using Fabric Manager, follow these steps:

Step 1 Expand a fabric, expand a VSAN, and then select Advanced.


You see the VSAN advanced configuration in the Information pane.
Step 2 Click the NS Proxies tab.
You see the existing name server proxy for the selected VSAN shown in Figure 34-2.

Figure 34-2 Name Server Proxies

Step 3 Double-click the PortName field to register a new name server proxy.
Step 4 Click Apply Changes to save these changes, or click Undo Changes to cancel any unsaved changes.

About Rejecting Duplicate pWWN


You can prevent a malicious or accidental login that uses another device's pWWN. Otherwise, these pWWNs
are allowed to log in to the fabric and replace the first device in the name server database.

Rejecting Duplicate pWWNs


To reject duplicate pWWNs, refer to the Cisco MDS 9000 Family CLI Configuration Guide.
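
An added example, not taken from the Cisco guide: a defensive audit that scans a fabric-wide FLOGI listing for the condition this feature guards against, one pWWN logged in on more than one port. The CSV layout, column names, and sample rows are constructed assumptions, as is the choice to treat a pWWN as unique within a VSAN.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample: FLOGI entries collected from every switch in the fabric.
# The CSV layout and column names are assumptions, not a Fabric Manager export.
SAMPLE_FLOGI_CSV = """\
switch,interface,vsan,fcid,pwwn
sw-a,fc1/1,10,0x0a0001,21:00:00:e0:8b:05:76:28
sw-a,fc1/2,10,0x0a0002,50:06:0E:80:03:4E:95:13
sw-b,fc2/7,10,0x140003,2100-00e0-8b05-7628
sw-b,fc2/8,20,0x140004,21:00:00:e0:8b:05:76:28
sw-b,fc2/9,10,0x140005,not-a-wwn
sw-a,fc1/1,10,0x0a0001,21:00:00:e0:8b:05:76:28
"""

_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX16 = re.compile(r"[0-9a-f]{16}")


def normalize_pwwn(text):
    """Return a pWWN as eight colon-separated lowercase hex bytes, or None."""
    digits = _SEPARATORS.sub("", (text or "").lower())
    if not _HEX16.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 16, 2))


def find_duplicate_pwwns(csv_text):
    """Report every (vsan, pwwn) that is logged in on more than one port.

    Returns (duplicates, rejected): duplicates maps (vsan, pwwn) to the sorted
    list of (switch, interface, fcid) logins; rejected holds rows that could
    not be parsed, so a malformed entry is surfaced instead of being skipped.
    """
    logins = defaultdict(set)
    rejected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pwwn = normalize_pwwn(row.get("pwwn"))
        try:
            vsan = int(row.get("vsan"))
        except (TypeError, ValueError):
            vsan = None
        if pwwn is None or vsan is None:
            rejected.append(dict(row))
            continue
        logins[(vsan, pwwn)].add(
            (row["switch"], row["interface"], (row.get("fcid") or "").lower())
        )
    duplicates = {}
    for key, seen in logins.items():
        # The same port reported twice (for example by two polls) is one login.
        if len({(switch, interface) for switch, interface, _ in seen}) > 1:
            duplicates[key] = sorted(seen)
    return duplicates, rejected


if __name__ == "__main__":
    dups, bad = find_duplicate_pwwns(SAMPLE_FLOGI_CSV)
    for (vsan, pwwn), ports in sorted(dups.items()):
        print(f"VSAN {vsan}: pWWN {pwwn} is logged in on {len(ports)} ports")
        for switch, interface, fcid in ports:
            print(f"  {switch} {interface} FC ID {fcid}")
    print(f"{len(bad)} row(s) could not be parsed")
```

In the constructed data, the same pWWN written in two notations is caught in VSAN 10, while its appearance in VSAN 20 is not counted against it.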

About Name Server Database Entries


The name server stores name entries for all hosts in the FCNS database. The name server permits an Nx
port to register attributes during a PLOGI (to the name server) to obtain attributes of other hosts. These
attributes are deregistered when the Nx port logs out either explicitly or implicitly.
In a multiswitch fabric configuration, the name server instances running on each switch share
information in a distributed database. One instance of the name server process runs on each switch.

Viewing Name Server Database Entries


To view the name server database using Device Manager, follow these steps:

Step 1 Click FC > Name Server.


You see the Name Server dialog box as shown in Figure 34-3.

Figure 34-3 Name Server Dialog Box

The General tab is the default tab; you see the name server database.
Step 2 Click the Statistics tab.
You see the name server statistics.
Step 3 Click Close to close the dialog box.

FDMI
Cisco MDS 9000 Family switches provide support for the Fabric-Device Management Interface (FDMI)
functionality, as described in the FC-GS-4 standard. FDMI enables management of devices such as Fibre
Channel Host Bus Adapters (HBAs) through in-band communications. This addition complements the
existing Fibre Channel name server and management server functions.
Using the FDMI functionality, the NX-OS software can extract the following management information
about attached HBAs and host operating systems without installing proprietary host agents:
Manufacturer, model, and serial number
Node name and node symbolic name
Hardware, driver, and firmware versions
Host operating system (OS) name and version number
All FDMI entries are stored in persistent storage and are retrieved when the FDMI process is started.

Displaying FDMI
To display the FDMI database information using Device Manager, choose FC > Advanced > FDMI.
You see the FDMI dialog box.

RSCN
The Registered State Change Notification (RSCN) is a Fibre Channel service that informs hosts about
changes in the fabric. Hosts can receive this information by registering with the fabric controller
(through SCR). These notifications provide a timely indication of one or more of the following events:
Disks joining or leaving the fabric.
A name server registration change.
A new zone enforcement.
IP address change.
Any other similar event that affects the operation of the host.
This section includes the following topics:
About RSCN Information
Displaying RSCN Information
About the multi-pid Option
Configuring the multi-pid Option
Clearing RSCN Statistics
RSCN Timer Configuration Distribution Using CFS
Configuring the RSCN Timer with CFS

About RSCN Information


Apart from sending these events to registered hosts, a switch RSCN (SW-RSCN) is sent to all reachable
switches in the fabric.

Note The switch sends an RSCN to notify registered nodes that a change has occurred. It is up to the nodes to
query the name server again to obtain the new information. The details of the changed information are
not delivered by the switch in the RSCN sent to the nodes.

Displaying RSCN Information


To display RSCN information using Fabric Manager, follow these steps:

Step 1 Expand a fabric, expand a VSAN and then select Advanced.


You see the VSAN advanced configuration in the Information pane.
Step 2 Select the RSCN Reg tab or the RSCN Statistics tab (see Figure 34-4).

Figure 34-4 RSCN Statistics

About the multi-pid Option


If the RSCN multi-pid option is enabled, then RSCNs generated to the registered Nx ports may contain
more than one affected port ID. In this case, zoning rules are applied before putting the multiple affected
port IDs together in a single RSCN. By enabling this option, you can reduce the number of RSCNs. For
example, suppose you have two disks (D1, D2) and a host (H) connected to switch 1. Host H is registered
to receive RSCNs. D1, D2, and H belong to the same zone. If disks D1 and D2 are online at the same
time, then one of the following applies:
The multi-pid option is disabled on switch 1: two RSCNs are generated to host H, one for disk
D1 and another for disk D2.
The multi-pid option is enabled on switch 1: a single RSCN is generated to host H, and the RSCN
payload lists the affected port IDs (in this case, both D1 and D2).

Note Some Nx ports may not understand multi-pid RSCN payloads. If so, disable the RSCN multi-pid option.
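
The behavior described above, as an added sketch that is not part of the Cisco guide: it applies the zoning filter first and then either coalesces the affected port IDs into one RSCN per recipient or sends one RSCN per port ID. It also goes beyond the single-zone case in the text by handling overlapping zones. Port ID values and zone names are constructed, and the sketch assumes a recipient is told nothing about ports it shares no zone with.

```python
# Constructed port IDs for the devices named in the text, plus a second host
# and a third disk that extend the case to two overlapping zones.
H, D1, D2, H2, D3 = 0x0A0100, 0x0A0200, 0x0A0300, 0x0A0400, 0x0A0500

PAGE_ZONES = {"zone1": {H, D1, D2}}                       # the case in the text
TWO_ZONES = {"zone_a": {H, D1, D2}, "zone_b": {H2, D2, D3}}


def visible_peers(zones, port_id):
    """Port IDs that share at least one zone with port_id (the zoning filter)."""
    peers = set()
    for members in zones.values():
        if port_id in members:
            peers |= members
    peers.discard(port_id)
    return peers


def build_rscns(zones, registered, changed, multi_pid):
    """Return the RSCNs a switch would send for ports that changed together.

    zones      -- dict: zone name -> set of port IDs
    registered -- port IDs that registered (through SCR) to receive RSCNs
    changed    -- port IDs whose state changed at the same time
    multi_pid  -- True if the RSCN multi-pid option is enabled
    Each RSCN is a (recipient, [affected port IDs]) tuple.
    """
    rscns = []
    for recipient in sorted(registered):
        # Zoning rules are applied before port IDs are grouped: a recipient
        # only learns about changed ports it shares a zone with.
        affected = sorted(set(changed) & visible_peers(zones, recipient))
        if not affected:
            continue
        if multi_pid:
            rscns.append((recipient, affected))            # one RSCN, many IDs
        else:
            rscns.extend((recipient, [pid]) for pid in affected)  # one per ID
    return rscns


if __name__ == "__main__":
    for label, enabled in (("disabled", False), ("enabled", True)):
        sent = build_rscns(TWO_ZONES, {H, H2}, [D1, D2, D3], enabled)
        print(f"multi-pid {label}: {len(sent)} RSCN(s)")
        for recipient, pids in sent:
            ids = ", ".join(f"{pid:#08x}" for pid in pids)
            print(f"  to {recipient:#08x}: {ids}")
```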

Configuring the multi-pid Option


To configure the multi-pid option using Fabric Manager, follow these steps:

Step 1 Expand a fabric, expand a VSAN and then select Advanced.


You see the VSAN advanced configuration in the Information pane.
Step 2 Click the RSCN Multi-PID tab.
You see the screen shown in Figure 34-5.

Figure 34-5 RSCN Multi-PID

Step 3 Check the Enable check box.


Step 4 Click Apply Changes to save these changes, or click Undo Changes to cancel any unsaved changes.

Clearing RSCN Statistics


You can clear the counters and later view the counters for a different set of events. For example, you can
keep track of how many RSCNs or SW-RSCNs are generated on a particular event (like ONLINE or
OFFLINE events). You can use these statistics to monitor responses for each event in the VSAN.
To clear the RSCN statistics for the specified VSAN, refer to the Cisco MDS 9000 Family CLI
Configuration Guide.

RSCN Timer Configuration Distribution Using CFS


Because the timeout value for each switch is configured manually, a misconfiguration occurs when
different switches time out at different times. This means different N-ports in a network can receive
RSCNs at different times. Cisco Fabric Services (CFS) alleviates this situation by automatically
distributing configuration information to all switches in a fabric. This also reduces the number of
SW-RSCNs.
RSCN supports two modes, distributed and nondistributed. In distributed mode, RSCN uses CFS to
distribute configuration to all switches in the fabric. In nondistributed mode, only the configuration
commands on the local switch are affected.

Note Not all configuration commands are distributed. Only the rscn event-tov tov vsan vsan command is
distributed.

The RSCN timer is registered with CFS during initialization and switchover. For high availability, if the
RSCN timer distribution crashes and restarts or a switchover occurs, it resumes normal functionality
from the state prior to the crash or switchover.

Note Before performing a downgrade, make sure that you revert the RSCN timer value in your network to the
default value. Failure to do so will disable the links across your VSANs and other devices.

Compatibility across various Cisco MDS NX-OS releases during an upgrade or downgrade is supported
by conf-check provided by CFS. If you attempt to downgrade from Cisco MDS SAN-OS Release 3.0,
you are prompted with a conf-check warning. You are required to disable RSCN timer distribution
support before you downgrade.
By default, the RSCN timer distribution capability is disabled and is therefore compatible when
upgrading from any Cisco MDS SAN-OS release earlier than Release 3.0.

Configuring the RSCN Timer with CFS


To configure the RSCN timer with CFS using Fabric Manager, follow these steps:

Step 1 Expand a fabric, expand a VSAN and then select Advanced in the Logical Domains pane.
Step 2 Select the RSCN Event tab.
You see the VSAN advanced configuration in the Information pane shown in Figure 34-6.

Figure 34-6 VSAN Advanced Configuration

Step 3 Double-click the TimeOut value to change the value (in milliseconds) for the selected VSAN.
Step 4 Click Apply Changes to save these changes, or click Undo Changes to cancel any unsaved changes.

Default Settings
Table 34-1 lists the default settings for RSCN.

Table 34-1 Default RSCN Settings

| Parameters | Default |
|---|---|
| RSCN timer value | 2000 milliseconds for Fibre Channel VSANs; 1000 milliseconds for FICON VSANs |
| RSCN timer configuration distribution | Disabled |

CHAPTER 35
Discovering SCSI Targets

This chapter describes the SCSI LUN discovery feature provided in switches in the Cisco MDS 9000
Family. It includes the following sections:
About SCSI LUN Discovery
Displaying SCSI LUN Information

About SCSI LUN Discovery


Small Computer System Interface (SCSI) targets include disks, tapes, and other storage devices. These
targets do not register logical unit numbers (LUNs) with the name server.
The name server requires LUN information for the following reasons:
To display LUN storage device information so an NMS can access this information.
To report device capacity, serial number, and device ID information.
To register the initiator and target features with the name server.
The SCSI LUN discovery feature uses the local domain controller Fibre Channel address. It uses the
local domain controller as the source FC ID, and performs SCSI INQUIRY, REPORT LUNS, and READ
CAPACITY commands on SCSI devices.
The SCSI LUN discovery feature is initiated on demand, through CLI or SNMP. This information is also
synchronized with neighboring switches, if those switches belong to the Cisco MDS 9000 Family.
This section includes the following topics:
About Starting SCSI LUN Discovery
Starting SCSI LUN Discovery
About Initiating Customized Discovery
Initiating Customized Discovery

About Starting SCSI LUN Discovery


SCSI LUN discovery is done on demand.
Only Nx ports that are present in the name server database and that are registered as FC4 Type =
SCSI_FCP are discovered.

Starting SCSI LUN Discovery


To begin SCSI LUN discovery using Device Manager, follow these steps:

Step 1 Choose FC > Advanced > LUNs.


You see the LUN Configuration dialog box.

Figure 35-1 LUN Configuration Dialog Box

Step 2 Set StartDiscovery to local, remote or both.


Step 3 Choose the DiscoveryType and OS.
Step 4 Click Apply to begin discovery.

About Initiating Customized Discovery


Customized discovery consists of a list of VSAN and domain pairs that are selectively configured to
initiate a discovery. The domain ID is a number from 0 to 255 in decimal or a number from 0x0 to 0xFF
in hex.

Initiating Customized Discovery


To initiate a customized discovery using Device Manager, follow these steps:

Step 1 Click the VSAN drop-down menu and select the VSAN in which you want to initiate a customized
discovery.
Step 2 Click FC > Advanced > LUNs.
You see the LUN Configuration dialog box.
Step 3 Set StartDiscovery to local, remote or both.
Step 4 Fill in the DiscoveryType and OS fields.

Step 5 Click Apply to begin discovery.

Displaying SCSI LUN Information


To display the results of the discovery using Device Manager, follow these steps:

Step 1 Click FC > Advanced > LUNs.


You see the LUN Configuration dialog box.
Step 2 Click the LUN tab or the Targets tab.

CHAPTER 36
Configuring FICON

Fibre Connection (FICON) interface capabilities enhance the Cisco MDS 9000 Family by supporting
both open systems and mainframe storage network environments. Inclusion of Control Unit Port (CUP)
support further enhances the MDS offering by allowing in-band management of the switch from FICON
processors.
The fabric binding feature helps prevent unauthorized switches from joining the fabric or disrupting
current fabric operations (see Chapter 47, Configuring Fabric Binding). The Registered Link Incident
Report (RLIR) application provides a method for a switch port to send an LIR to a registered Nx port.

Note Cisco Fabric Manager release 3.x does not support FICON management of Cisco MDS 9000 Family
switches running SAN-OS release 2.(x).

This chapter includes the following sections:


About FICON
FICON Port Numbering
Configuring FICON
Configuring FICON Ports
FICON Configuration Files
Port Swapping
FICON Tape Acceleration
CUP In-Band Management
Calculating FICON Flow Load Balance
Displaying FICON Information
Default Settings

About FICON
The FICON feature is not supported on:
Cisco MDS 9120 switches
Cisco MDS 9124 switches
Cisco MDS 9140 switches
The 32-port Fibre Channel switching module
Cisco Fabric Switch for HP c-Class BladeSystem
Cisco Fabric Switch for IBM BladeSystem
The Cisco MDS 9000 Family supports the Fibre Channel Protocol (FCP), FICON, iSCSI, and FCIP
capabilities within a single, high availability platform. This solution simplifies purchasing, reduces
deployment and management costs, and reduces the complex evolution to shared mainframe and open
systems storage networks (see Figure 36-1).

Figure 36-1 Shared System Storage Network
[Figure labels: FICON VSAN (mainframe systems, control unit); open systems VSANs (open systems, open storage)]

FCP and FICON are different FC4 protocols and their traffic is independent of each other. Devices using
these protocols should be isolated using VSANs.
This section includes the following topics:
FICON Requirements
MDS-Specific FICON Advantages
FICON Cascading
FICON VSAN Prerequisites

FICON Requirements
The FICON feature has the following requirements:
You can implement FICON features in the following switches:
Any switch in the Cisco MDS 9500 Series.
Any switch in the Cisco MDS 9200 Series (including the Cisco MDS 9222i Multiservice
Modular Switch).
Cisco MDS 9134 Multilayer Fabric Switch.
MDS 9000 Family 18/4-Port Multiservice Module.

You need the MAINFRAME_PKG license to configure FICON parameters. To extend your FICON
configuration over a WAN link using FCIP, you need the appropriate SAN_EXTN_OVER_IP
license for the module you are using. For more information, see Chapter 10, Obtaining and
Installing Licenses.

MDS-Specific FICON Advantages


This section explains the additional FICON advantages in Cisco MDS switches and includes the
following topics:
Fabric Optimization with VSANs
FCIP Support
PortChannel Support
VSANs for FICON and FCP Mixing
Cisco MDS-Supported FICON Features

Fabric Optimization with VSANs


Generally, separate physical fabrics have a high level of switch management and have a higher
implementation cost. Further, the ports in each island may be over-provisioned depending on the fabric
configuration.
By using the Cisco MDS-specific VSAN technology, you can introduce greater efficiency between these
physical fabrics by lowering the cost of over-provisioning and reducing the number of switches to be
managed. VSANs also help you to move unused ports nondisruptively and provide a common redundant
physical infrastructure (see Figure 36-2).

Figure 36-2 VSAN-Specific Fabric Optimization
[Figure labels: separate physical fabrics (SAN islands for departments no. 1, 2, and 3, with application servers and disk arrays) beside a collapsed fabric with VSANs (department VSANs, common storage pool found among VSANs)]

VSANs enable global SAN consolidation by allowing you to convert existing SAN islands into virtual
SAN islands on a single physical network. They provide hardware-enforced security and separation
between applications or departments to allow coexistence on a single network. They also allow virtual
rewiring to consolidate your storage infrastructure. You can move assets between departments or
applications without the expense and disruption of physical relocation of equipment.

Note While you can configure VSANs in any Cisco MDS switch, you can enable FICON in at most eight of
these VSANs. The number of VSANs configured depends on the platform.

Note Mainframe users can think of VSANs as being like FICON LPARs in the MDS SAN fabric. You can
partition switch resources into FICON LPARs (VSANs) that are isolated from each other, in much the
same way that you can partition resources on a zSeries or DS8000. Each VSAN has its own set of fabric
services (such as fabric server and name server), FICON Control Unit Port, domain ID, Fabric Shortest
Path First (FSPF) routing, operating mode, IP address, and security profile.

FICON LPARs can span line cards and are dynamic in size. For example, one FICON LPAR with 10
ports can span 10 different line cards. FICON LPARs can also include ports on more than one switch in
a cascaded configuration. The consistent fairness of the Cisco MDS 9000 switching architecture means
that all ports are created equal, simplifying provisioning by eliminating the local switching issues
seen on other vendors' platforms.

Addition of ports to a FICON LPAR is a nondisruptive process. The maximum number of ports for a
FICON LPAR is 255 due to FICON addressing limitations.

FCIP Support
The multilayer architecture of the Cisco MDS 9000 Family enables a consistent feature set over a
protocol-agnostic switch fabric. Cisco MDS 9500 Series and 9200 Series switches transparently
integrate Fibre Channel, FICON, and Fibre Channel over IP (FCIP) in one system. The FICON over
FCIP feature enables cost-effective access to remotely located mainframe resources. With the Cisco
MDS 9000 Family platform, storage replication services such as IBM PPRC and XRC can be extended
over metro to global distances using ubiquitous IP infrastructure, which simplifies business
continuance strategies.
See Chapter 48, Configuring FCIP.

PortChannel Support
The Cisco MDS implementation of FICON provides support for efficient utilization and increased
availability of Inter-Switch Links (ISLs) necessary to build stable large-scale SAN environments.
PortChannels ensure an enhanced ISL availability and performance in Cisco MDS switches.
See Chapter 23, Configuring PortChannels for more information on PortChannels.

VSANs for FICON and FCP Mixing


Cisco MDS 9000 Family FICON-enabled switches simplify deployment of even the most complex
mixed environments. Multiple logical FICON, Z-Series Linux/FCP, and Open-Systems Fibre Channel
Protocol (FCP) fabrics can be overlaid onto a single physical fabric by simply creating VSANs as
required for each service. VSANs provide both hardware isolation and protocol specific fabric services,
eliminating the complexity and potential instability of zone-based mixed schemes.
By default, the FICON feature is disabled in all switches in the Cisco MDS 9000 Family. When the
FICON feature is disabled, FC IDs can be allocated seamlessly. Mixed environments are addressed by
the Cisco NX-OS software. The challenge of mixing FCP and FICON protocols is addressed by Cisco
MDS switches when implementing VSANs.
Switches and directors in the Cisco MDS 9000 Family support FCP and FICON protocol mixing at the
port level. If these protocols are mixed in the same switch, you can use VSANs to isolate FCP and
FICON ports.

Tip When creating a mixed environment, place all FICON devices in one VSAN (other than the default
VSAN) and segregate the FCP switch ports in a separate VSAN (other than the default VSAN). This
isolation ensures proper communication for all connected devices.

Cisco MDS-Supported FICON Features


The Cisco MDS 9000 Family FICON features include:
Flexibility and investment protectionThe Cisco MDS 9000 Family shares common switching and
service modules across the Cisco MDS 9500 Series and the 9200 Series.

  Refer to the Cisco MDS 9500 Series Hardware Installation Guide and the Cisco MDS 9200 Series
  Hardware Installation Guide.
• High-availability FICON-enabled director: The Cisco MDS 9500 Series combines nondisruptive
  software upgrades, stateful process restart and failover, and full redundancy of all major components
  for a new standard in director-class availability. It supports up to 528 autosensing, 4/2/1-Gbps,
  10-Gbps, FICON or FCP ports in any combination in a single chassis. See Chapter 17, Configuring
  High Availability.
• Infrastructure protection: Common software releases provide infrastructure protection across all
  Cisco MDS 9000 platforms. See Chapter 15, Software Images.
• VSAN technology: The Cisco MDS 9000 Family provides VSAN technology for
  hardware-enforced, isolated environments within a single physical fabric for secure sharing of
  physical infrastructure and enhanced FICON mixed support. See Chapter 26, Configuring and
  Managing VSANs.
• Port-level configurations: There are BB_credits, beacon mode, and port security for each port. See
  the About Buffer-to-Buffer Credits section on page 20-26, Identifying the Beacon LEDs section
  on page 20-19, and Chapter 24, Configuring Trunking.
• Alias name configuration: Provides user-friendly aliases instead of the WWN for switches and
  attached node devices. See Chapter 30, Configuring and Managing Zones.
• Comprehensive security framework: The Cisco MDS 9000 Family supports RADIUS and
  TACACS+ authentication, Simple Network Management Protocol Version 3 (SNMPv3), role-based
  access control, Secure Shell Protocol (SSH), Secure File Transfer Protocol (SFTP), VSANs,
  hardware-enforced zoning, ACLs, fabric binding, Fibre Channel Security Protocol (FC-SP), LUN
  zoning, read-only zones, and VSAN-based access control. See Chapter 41, Configuring RADIUS
  and TACACS+, Chapter 45, Configuring FC-SP and DHCHAP, and Chapter 47, Configuring
  Fabric Binding.
• Traffic encryption: IPSec is supported over FCIP. You can encrypt FICON and Fibre Channel
  traffic that is carried over FCIP. See Chapter 44, Configuring IPsec Network Security.
• Local accounting log: View the local accounting log to locate FICON events. See the MSCHAP
  Authentication section on page 41-24 and Local AAA Services section on page 41-26.
• Unified storage management: Cisco MDS 9000 FICON-enabled switches are fully IBM CUP
  standard compliant for in-band management using the IBM S/A OS/390 I/O operations console. See
  the CUP In-Band Management section on page 36-37.
• Port address-based configurations: Configure port name, blocked or unblocked state, and the
  prohibit connectivity attributes. See the Configuring FICON Ports section on page 36-24.
• You can display the following information:
  - Individual Fibre Channel ports, such as the port name, port number, Fibre Channel address,
    operational state, type of port, and login data.
  - Nodes attached to ports.
  - Port performance and statistics.
  See the Calculating FICON Flow Load Balance section on page 36-39.
• Configuration files: Store and apply configuration files. See the FICON Configuration Files
  section on page 36-28.
• FICON and Open Systems Management Server features if installed. See the VSANs for FICON
  and FCP Mixing section on page 36-5.
• Enhanced cascading support: See the CUP In-Band Management section on page 36-37.

• Date and time: Set the date and time on the switch. See the Allowing the Host to Control the
  Timestamp section on page 36-22.
• Configure SNMP trap recipients and community names: See the Configuring SNMP Control of
  FICON Parameters section on page 36-22.
• Call Home configurations: Configure the director name, location, description, and contact person.
  See Chapter 62, Configuring Call Home.
• Configure preferred domain ID, FC ID persistence, and principal switch priority: See Chapter 25,
  Configuring Domain Parameters.
• Sophisticated SPAN diagnostics: The Cisco MDS 9000 Family provides industry-first intelligent
  diagnostics, protocol decoding, and network analysis tools as well as integrated Call Home
  capability for added reliability, faster problem resolution, and reduced service costs. See Chapter 60,
  Monitoring Network Traffic Using SPAN.
• Configure R_A_TOV, E_D_TOV: See the Fibre Channel Time Out Values section on
  page 37-2.
• Director-level maintenance tasks: Perform maintenance tasks for the director including
  maintaining firmware levels, accessing the director logs, and collecting data to support failure
  analysis. See Chapter 68, Monitoring System Processes and Logs.

FICON Cascading
The Cisco MDS NX-OS software allows multiple switches in a FICON network. To configure multiple
switches, you must enable and configure fabric binding in that switch (see the Calculating FICON Flow
Load Balance section on page 36-39).

FICON VSAN Prerequisites


To ensure that a FICON VSAN is operationally up, be sure to verify the following requirements:
• Set the default zone to permit, if you are not using the zoning feature. See the About the Default
  Zone section on page 30-20.
• Enable in-order delivery on the VSAN. See Chapter 32, Configuring Fibre Channel Routing
  Services and Protocols.
• Enable (and if required, configure) fabric binding on the VSAN. See the Calculating FICON Flow
  Load Balance section on page 36-39 and Chapter 47, Configuring Fabric Binding.
• Verify that conflicting persistent FC IDs do not exist in the switch. See Chapter 25, Configuring
  Domain Parameters.
• Verify that the configured domain ID and requested domain ID match. See Chapter 25, Configuring
  Domain Parameters.
• Add the CUP (area FE) to the zone, if you are using zoning. See the CUP In-Band Management
  section on page 36-37.
If any of these requirements are not met, the FICON feature cannot be enabled.

FICON Port Numbering


With reference to the FICON feature, ports in Cisco MDS switches are identified by a statically defined
8-bit value known as the port number. A maximum of 255 port numbers are available. You can use the
following port numbering schemes:
Default port numbers based on the chassis type
Reserved port numbers
This section includes the following topics:
Default FICON Port Numbering Scheme, page 36-8
Port Addresses, page 36-11
Implemented and Unimplemented Port Addresses, page 36-11
About the Reserved FICON Port Numbering Scheme, page 36-11
Installed and Uninstalled Ports, page 36-12
FICON Port Numbering Guidelines, page 36-12
Assigning FICON Port Numbers to Slots, page 36-13
About Port Numbers for FCIP and PortChannel, page 36-13
FC ID Allocation, page 36-14

Note You must enable FICON on the switch before reserving FICON port numbers (see the About Enabling
FICON on a VSAN section on page 36-17).

Default FICON Port Numbering Scheme


Default FICON port numbers are assigned by the Cisco MDS NX-OS software based on the module and
the slot in the chassis. The first port in a switch always starts with a zero (0) (see Figure 36-3).

Figure 36-3 Default FICON Port Number in Numbering on the Cisco MDS 9000 Family Switch
[Figure: Module 1 (16-port module) carries port numbers 0 through 15; Module 2 (16-port module) carries port numbers 32 through 47.]

The default FICON port number is assigned based on the front panel location of the port and is specific
to the slot in which the module resides. Thirty-two (32) port numbers are assigned to each slot on all
Cisco MDS 9000 Family switches except for the Cisco MDS 9513 Director, which has 16 port numbers
assigned for each slot. These default numbers are assigned regardless of the module's physical presence
in the chassis, the port status (up or down), or the number of ports on the module (4, 12, 16, 24, or 48).
If a module has fewer ports than the number of port numbers assigned to the slot, then the excess port
numbers are unused. If a module has more ports than the number of port numbers assigned to the slot,
the excess ports cannot be used for FICON traffic unless you manually assign the port numbers.

Note Follow the steps in the Assigning FICON Port Numbers to Slots section on page 36-13 to make use of
excess ports by manually assigning more port numbers to the slot. Before doing this, however, we
recommend that you review the default port number assignments for Cisco MDS 9000 switches shown
in Table 36-3 on page 36-42, and that you read the following sections to gain a complete understanding
of FICON port numbering: About the Reserved FICON Port Numbering Scheme section on
page 36-11, FICON Port Numbering Guidelines section on page 36-12, and Assigning FICON Port
Numbers to Slots section on page 36-13.

Note Only Fibre Channel, PortChannel, and FCIP ports are mapped to FICON port numbers. Other types of
interfaces do not have a corresponding port number.

Table 36-3 lists the default port number assignment for the Cisco MDS 9000 Family of switches and
directors.

Table 36-1 Default FICON Port Numbering in the Cisco MDS 9000 Family

Product | Slot Number | Implemented Port Allocation: To Ports | Implemented Port Allocation: To PortChannel/FCIP | Unimplemented Ports | Notes
------- | ----------- | ------------------------------------- | ------------------------------------------------ | ------------------- | -----
Cisco MDS 9200 Series | Slot 1 | 0 through 31 | 64 through 89 | 90 through 253 and port 255 | Similar to a switching module.
 | Slot 2 | 32 through 63 | | |
Cisco MDS 9222i Series | Slot 1 | 0 through 31 | 64 through 89 | 90 through 253 and port 255 | The first 4, 12, 16, or 24 port numbers in a 4-port, 12-port, 16-port, or 24-port module are used and the rest remain unused. Extra 16 ports on 48-port modules are not allocated numbers.
 | Slot 2 | 32 through 63 | | |
Cisco MDS 9506 Director | Slot 1 | 0 through 31 | 128 through 153 | 154 through 253 and port 255 | Supervisor modules are not allocated port numbers.
 | Slot 2 | 32 through 63 | | |
 | Slot 3 | 64 through 95 | | |
 | Slot 4 | 96 through 127 | | |
 | Slot 5 | None | | |
 | Slot 6 | None | | |
Cisco MDS 9134 Director | Slot 1 | 0 through 33 | 34 through 59 | 60 through 253 and port 255 |
Cisco MDS 9509 Director | Slot 1 | 0 through 31 | 224 through 249 | 250 through 253 and port 255 | The first 4, 12, 16, or 24 port numbers in a 4-port, 12-port, 16-port, or 24-port module are used and the rest remain unused. Extra 16 ports on 48-port modules are not allocated port numbers.
 | Slot 2 | 32 through 63 | | |
 | Slot 3 | 64 through 95 | | |
 | Slot 4 | 96 through 127 | | |
 | Slot 5 | None | | | Supervisor modules are not allocated port numbers.
 | Slot 6 | None | | |
 | Slot 7 | 128 through 159 | | | The first 4, 12, 16, or 24 port numbers are used for a 4-port, 12-port, 16-port, or 24-port module and the rest remain unused. Extra 16 ports on 48-port modules are not allocated port numbers.
 | Slot 8 | 160 through 191 | | |
 | Slot 9 | 192 through 223 | | |
Cisco MDS 9513 Director | Slot 1 | 0 through 15 | 224 through 249 | 250 through 253 and port 255 | The first 4, 12 or 16 port numbers are used for a 4-port, 12-port or 16-port module and the rest remain unused. Extra ports on 24-port, 32-port, and 48-port modules are not allocated port numbers.
 | Slot 2 | 16 through 31 | | |
 | Slot 3 | 32 through 47 | | |
 | Slot 4 | 48 through 63 | | |
 | Slot 5 | 64 through 79 | | |
 | Slot 6 | 80 through 95 | | |
 | Slot 7 | None | | | Supervisor modules are not allocated port numbers.
 | Slot 8 | None | | |
 | Slot 9 | 96 through 111 | | | The first 4 or 12 port numbers are used for a 4-port or 12-port module and the rest remain unused. Extra ports on 24-port, 32-port, and 48-port modules are not allocated port numbers.
 | Slot 10 | 112 through 127 | | |
 | Slot 11 | 128 through 143 | | |
 | Slot 12 | 144 through 159 | | |
 | Slot 13 | 160 through 175 | | |

Port Addresses
By default, port numbers are the same as port addresses. You can swap the port addresses (see the Port
Swapping section on page 36-31).

Implemented and Unimplemented Port Addresses


An implemented port refers to any port address that is assigned by default to a slot in the chassis (see
Table 36-3). An unimplemented port refers to any port address that is not assigned by default to a slot in
the chassis (see Table 36-3).

About the Reserved FICON Port Numbering Scheme


A range of 250 port numbers are available for you to assign to all the ports on a switch. Table 36-3 shows
that you can have more than 250 physical ports on a switch and the excess ports do not have port numbers
in the default numbering scheme. When you have more than 250 physical ports on your switch, you can
have ports without a port number assigned if they are not in a FICON VSAN, or you can assign duplicate
port numbers if they are not used in the same FICON VSAN. For example, you can configure port
number 1 on interface fc1/1 in FICON VSAN 10 and fc10/1 in FICON VSAN 20.

Note A VSAN can have a maximum of 250 port numbers.

Note FICON port numbers are not changed for ports that are active. You must first disable the interfaces using
the shutdown command.

Note You can configure port numbers even when no module is installed in the slot.

Installed and Uninstalled Ports


An installed port refers to a port for which all required hardware is present. A specified port number in
a VSAN can be implemented, and yet not installed, if any of the following conditions apply:
• The module is not present: For example, if module 1 is not physically present in slot 1 in a Cisco
  MDS 9509 Director, ports 0 to 31 are considered uninstalled.
• The small form-factor pluggable (SFP) port is not present: For example, if a 16-port module is
  inserted in slot 2 in a Cisco MDS 9509 Director, ports 48 to 63 are considered uninstalled.
• For slot 1, ports 0 to 31, or 0 to 15 have been assigned. Only the physical port fc1/5 with port number
  4 is in VSAN 2. The rest of the physical ports are not in VSAN 2. The port numbers 0 to 249 are
  considered implemented for any FICON-enabled VSAN. Therefore, VSAN 2 has port numbers 0 to
  249 and one physical port, fc1/4. The corresponding physical ports 0 to 3, and 5 to 249 are not in
  VSAN 2. When the FICON VSAN port address is displayed, those port numbers with the physical
  ports not in VSAN 2 are not installed (for example, ports 0 to 3, or 5 to 249).
  Another scenario is if VSANs 1 through 5 are FICON-enabled, and trunking-enabled interface fc1/1
  has VSANs 3 through 10, then port address 0 is uninstalled in VSAN 1 and 2.
• The port is part of a PortChannel: For example, if interface fc 1/1 is part of PortChannel 5, port
  address 0 is uninstalled in all FICON VSANs. See Table 36-3.

FICON Port Numbering Guidelines


The following guidelines apply to FICON port numbers:
• Supervisor modules do not have port number assignments.
• Port numbers do not change based on TE ports. Since TE ports appear in multiple VSANs,
  chassis-wide unique port numbers should be reserved for TE ports.
• Each PortChannel must be explicitly associated with a FICON port number.
• When the port number for a physical PortChannel becomes uninstalled, the relevant PortChannel
  configuration is applied to the physical port.
• Each FCIP tunnel must be explicitly associated with a FICON port number. If the port numbers are
  not assigned for PortChannels or for FCIP tunnels, then the associated ports will not come up.
  See the About Port Numbers for FCIP and PortChannel section on page 36-13.
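
The numbering rules above can be checked against a planned assignment before any port is reloaded. The following is an added example, not code from the Cisco guide or from Fabric Manager; the Assignment record, the check_plan function, and the sample plan are hypothetical, and the rules it applies are the ones stated in this section (port numbers 0 to 249, no duplicate number within one FICON VSAN, PortChannel and FCIP interfaces need an explicit number).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# This section: port numbers 0 to 249 are implemented for any FICON-enabled VSAN.
MAX_PORT_NUMBER = 249


@dataclass(frozen=True)
class Assignment:
    """One planned interface (hypothetical record, not a Fabric Manager object)."""
    interface: str               # for example "fc1/1", "port-channel 5", "fcip 2"
    port_number: Optional[int]   # None means no FICON port number is assigned
    ficon_vsans: FrozenSet[int]  # FICON VSANs the interface is in (several for a TE port)


def check_plan(plan: List[Assignment]) -> List[str]:
    """Return one finding per violated rule; an empty list means the plan is consistent."""
    findings: List[str] = []
    users = defaultdict(list)  # (vsan, port_number) -> interfaces using that number

    for a in plan:
        if a.port_number is None:
            # A port may lack a number only if it is in no FICON VSAN.
            if a.ficon_vsans:
                logical = a.interface.startswith(("port-channel", "fcip"))
                suffix = " (logical interface will not come up)" if logical else ""
                findings.append(
                    f"{a.interface}: in FICON VSAN(s) {sorted(a.ficon_vsans)} "
                    f"without a port number{suffix}")
            continue
        if not 0 <= a.port_number <= MAX_PORT_NUMBER:
            findings.append(
                f"{a.interface}: port number {a.port_number} outside 0-{MAX_PORT_NUMBER}")
            continue
        for vsan in a.ficon_vsans:
            users[(vsan, a.port_number)].append(a.interface)

    # Duplicate numbers are allowed across VSANs, never inside one FICON VSAN.
    # A TE port is listed in every VSAN it carries, so it needs a number that
    # is free in all of them.
    for (vsan, number), interfaces in sorted(users.items()):
        if len(interfaces) > 1:
            findings.append(
                f"VSAN {vsan}: port number {number} used by {', '.join(interfaces)}")
    return findings


# The duplicate-number case given in this section: port number 1 on fc1/1 in
# FICON VSAN 10 and on fc10/1 in FICON VSAN 20.
PAGE_EXAMPLE = [
    Assignment("fc1/1", 1, frozenset({10})),
    Assignment("fc10/1", 1, frozenset({20})),
]

# Constructed sample: a TE port reusing number 1 in both VSANs, a PortChannel
# without a number, and a number outside the implemented range.
CONSTRUCTED_BAD_PLAN = PAGE_EXAMPLE + [
    Assignment("fc2/1", 1, frozenset({10, 20})),
    Assignment("port-channel 5", None, frozenset({10})),
    Assignment("fc3/1", 250, frozenset({10})),
]

if __name__ == "__main__":
    for line in check_plan(CONSTRUCTED_BAD_PLAN):
        print(line)
```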

Assigning FICON Port Numbers to Slots

Caution When you assign, change, or release a port number, the port reloads.

To assign FICON port numbers to slots using Device Manager, follow these steps:

Step 1 Click FICON and then select Port Numbers.


You see the FICON port numbers (see Figure 36-4).

Figure 36-4 FICON Port Numbers

Step 2 Enter the chassis slot port numbers in the Reserved Port Numbers field.
Step 3 Click Apply.

About Port Numbers for FCIP and PortChannel


FCIP and PortChannels cannot be used in a FICON-enabled VSAN unless they are explicitly bound to
a port number.
See the Configuring FICON Ports section on page 36-24 and the Reserving FICON Port Numbers for
FCIP and PortChannel Interfaces section on page 36-13.
You can use the default port numbers if they are available (see Table 36-1 on page 36-10) or if you
reserve port numbers from the pool of port numbers that are not reserved for Fibre Channel interfaces
(see the FICON Port Numbering section on page 36-8).

Reserving FICON Port Numbers for FCIP and PortChannel Interfaces


You must reserve port numbers for logical interfaces, such as FCIP and PortChannels, if you plan to use
them.
To reserve FICON port numbers for FCIP and PortChannel interfaces using Device Manager, follow
these steps:

Step 1 Click FICON > Port Numbers.


You see the FICON port numbers dialog box (see Figure 36-4).
Step 2 Click the Logical tab to see the reserved port numbers for the slot (see Figure 36-5).

Figure 36-5 Reserved Port Numbers for the Selected Slot

Step 3 Enter the chassis slot port numbers. These are the reserved port numbers for one chassis slot. There can
be up to 64 port numbers reserved for each slot in the chassis.
Step 4 Click Apply.

FC ID Allocation
FICON requires a predictable and static FC ID allocation scheme. When FICON is enabled, the FC ID
allocated to a device is based on the port address of the port to which it is attached. The port address
forms the middle byte of the fabric address. Additionally, the last byte of the fabric address should be
the same for all devices in the fabric. By default, the last byte value is 0 and can be configured (see the
Assigning FC ID Last Byte section on page 36-20).

Note You cannot configure persistent FC IDs in FICON-enabled VSANs.

Cisco MDS switches have a dynamic FC ID allocation scheme. When FICON is enabled or disabled on
a VSAN, all the ports are shut down and restarted to switch from the dynamic to static FC IDs and vice
versa (see Figure 36-6).

Figure 36-6 Static FC ID Allocation for FICON
[Figure: FC ID fields: Static Domain = 5, Port Address = 0x44, Last Byte = 0.]
Static FC ID allocation for interface fc3/5 includes the static domain ID (5), the port address
(0x44), and the last byte value (0).
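
The static allocation can be reproduced from the default numbering scheme. The following is an added example, not code from the Cisco guide; the function names are hypothetical, the slot ranges are copied from Table 36-1, and it assumes that the port address still equals the default port number (no port swapping) and that the fc3/5 case in Figure 36-6 is on a chassis with 32 port numbers per slot, such as the MDS 9509.

```python
import re
from typing import Optional, Tuple

# First default FICON port number of each slot, copied from Table 36-1.
# Supervisor slots (listed as "None" in the table) are left out.
SLOT_BASE = {
    "9506": {1: 0, 2: 32, 3: 64, 4: 96},
    "9509": {1: 0, 2: 32, 3: 64, 4: 96, 7: 128, 8: 160, 9: 192},
    "9513": {1: 0, 2: 16, 3: 32, 4: 48, 5: 64, 6: 80,
             9: 96, 10: 112, 11: 128, 12: 144, 13: 160},
}
# Port numbers assigned to each slot: 32, except 16 on the MDS 9513.
NUMBERS_PER_SLOT = {"9506": 32, "9509": 32, "9513": 16}


def parse_fc_interface(name: str) -> Tuple[int, int]:
    """Split an interface name such as 'fc3/5' into (slot, port)."""
    match = re.fullmatch(r"fc(\d+)/(\d+)", name.strip())
    if match is None:
        raise ValueError(f"not a Fibre Channel interface name: {name!r}")
    return int(match.group(1)), int(match.group(2))


def default_port_number(chassis: str, slot: int, port: int) -> Optional[int]:
    """Default FICON port number of fc<slot>/<port>, or None when the default
    scheme assigns none (supervisor slot, or excess port on a large module)."""
    if port < 1:
        raise ValueError("front-panel ports are numbered from 1")
    base = SLOT_BASE[chassis].get(slot)
    if base is None or port > NUMBERS_PER_SLOT[chassis]:
        return None
    return base + port - 1  # the first port of a slot gets the slot's base number


def static_fcid(domain: int, port_address: int, last_byte: int = 0) -> int:
    """Static FICON FC ID: domain ID, port address, last byte (one byte each)."""
    for label, value in (("domain", domain), ("port address", port_address),
                         ("last byte", last_byte)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{label} {value} does not fit in one byte")
    return (domain << 16) | (port_address << 8) | last_byte


def fcid_for_interface(chassis: str, interface: str, domain: int,
                       last_byte: int = 0) -> str:
    """FC ID, as 0xDDPPLL, that a device attached to `interface` receives,
    assuming the port address equals the default port number."""
    slot, port = parse_fc_interface(interface)
    number = default_port_number(chassis, slot, port)
    if number is None:
        raise LookupError(f"{interface} has no default FICON port number")
    return f"0x{static_fcid(domain, number, last_byte):06x}"


if __name__ == "__main__":
    # Figure 36-6: interface fc3/5, static domain ID 5, last byte 0.
    print(fcid_for_interface("9509", "fc3/5", domain=5))
```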

Configuring FICON
By default FICON is disabled in all switches in the Cisco MDS 9000 Family. You can enable FICON on
a per VSAN basis by using the Device Manager.
This section includes the following topics:
About Enabling FICON on a VSAN, page 36-15
Setting Up a Basic FICON Configuration, page 36-16
Manually Enabling FICON on a VSAN, page 36-18
Deleting FICON VSANs, page 36-18
Suspending a FICON VSAN, page 36-19
Configuring the code-page Option, page 36-19
Assigning FC ID Last Byte, page 36-20
Allowing the Host to Move the Switch Offline, page 36-21
Allowing the Host to Change FICON Port Parameters, page 36-22
Allowing the Host to Control the Timestamp, page 36-22
Configuring SNMP Control of FICON Parameters, page 36-22
FICON Information Refresh, page 36-23
About FICON Device Allegiance, page 36-23
Automatically Saving the Running Configuration, page 36-23

About Enabling FICON on a VSAN


By default FICON is disabled in all VSANs on the switch.
You can enable FICON on a per VSAN basis in one of the following ways:
• Manually addressing each prerequisite.
  See the About FICON section on page 36-1.
• Use Device Manager.
When you enable the FICON feature in Cisco MDS switches, the following restrictions apply:
• You cannot disable in-order delivery for the FICON-enabled VSAN.
• You cannot disable fabric binding or static domain ID configurations for the FICON-enabled VSAN.
• The load balancing scheme is changed to Source ID (SID)-Destination ID (DID). You cannot
  change it back to SID-DID-OXID.
• The IPL configuration file is automatically created.
  See the About FICON Configuration Files section on page 36-29.

Tip Using Device Manager, FICON auto-save can be invoked by multiple users logged on to the same
FICON-enabled switch. Device Manager performs a periodic auto-save on any FICON-enabled switch
causing increments in the FICON key counter. These increments highlight a change that has actually not
occurred. To avoid this we recommend that only one instance of Device Manager monitor a
FICON-enabled switch.

Setting Up a Basic FICON Configuration


This section steps you through the procedure to set up FICON on a specified VSAN in a Cisco MDS
9000 Family switch.
To create a FICON-enabled VSAN using Fabric Manager, follow these steps:

Step 1 Click the Create VSAN icon (see Figure 36-7).

Figure 36-7 Create VSAN Icon

You see the Create VSAN dialog box (see Figure 36-8).

Figure 36-8 Create VSAN Dialog Box

Step 2 Select the switches you want to be in the VSAN.


Step 3 Enter a VSAN ID.
Step 4 Enter the name of the VSAN, if desired.
Step 5 Select the type of load balancing, the interop value, and the administrative state for this VSAN.
Step 6 Check the FICON check box.

Note You cannot enable interop modes on FICON-enabled VSANs.

Step 7 Check the option, if appropriate, to enable fabric binding for the selected switches.
Step 8 Check the All Ports Prohibited option if all ports in this VSAN are prohibited.
Step 9 Click Create to create the VSAN.
Step 10 Choose Tools > Device Manager to open Device Manager for each switch in the FICON VSAN.
Step 11 Click FC > VSANs.
You see the VSAN dialog box (see Figure 36-9).

Figure 36-9 VSAN Dialog Box in Device Manager

Step 12 Enter the VSAN membership information.


Step 13 Click the VSAN you want to become a FICON VSAN and select Add from the FICON drop-down menu.
Step 14 Click Apply to save these changes.

Manually Enabling FICON on a VSAN

Note This section describes the procedure to manually enable FICON on a VSAN. If you have already enabled
FICON on the required VSAN using the automated setup (recommended), skip to the Automatically
Saving the Running Configuration section on page 36-23.

To manually enable FICON on a VSAN using Fabric Manager, follow these steps:

Step 1 Choose VSAN > FICON.


You see the FICON VSAN configuration information in the Information pane.
Step 2 Select the switch in the VSAN on which you want to enable FICON.
Step 3 Click enable from the Command drop-down menu.
Step 4 Click the Apply Changes icon to save these changes.

Deleting FICON VSANs


To delete a FICON VSAN using Fabric Manager, follow these steps:

Step 1 Select All VSANS.


You see the VSAN table in the Information pane (see Figure 36-10).

Figure 36-10 All VSANs Table

Step 2 Click anywhere in the row of the VSAN that you want to delete.
Step 3 Click Delete Row to delete the VSAN.

Note Deleting the VSAN will also delete the associated FICON configuration file, and the file cannot
be recovered.

Suspending a FICON VSAN


To suspend a FICON VSAN using Fabric Manager, follow these steps:

Step 1 Click All VSANs.


You see all the VSANs listed in the Information pane.
Step 2 Select the VSAN that you want to suspend.
Step 3 Set the Admin drop-down menu for a VSAN to suspended.
Step 4 Click the Apply Changes icon to save these changes.

Note This command can be issued by the host if the host is allowed to do so (see the Allowing the Host to
Move the Switch Offline section on page 36-21).

Configuring the code-page Option


FICON strings are coded in Extended Binary-Coded Decimal Interchange Code (EBCDIC) format.
Refer to your mainframe documentation for details on the code page options.
Cisco MDS switches support international-5, france, brazil, germany, italy, japan,
spain-latinamerica, uk, and us-canada (default) EBCDIC format options.

Tip This is an optional configuration. If you are not sure of the EBCDIC format to be used, we recommend
retaining the us-canada (default) option.

To modify the code-page option using Device Manager, follow these steps:

Step 1 Choose FICON > VSANs.


You see the FICON VSAN configuration dialog box (see Figure 36-11). The VSANs tab is the default
tab.

Figure 36-11 FICON VSANs Tab in Device Manager

Step 2 Choose an option from the CodePage drop-down menu for the FICON VSAN you want to configure
(US-Canada is configured in Figure 36-11).
Step 3 Click Apply to save the changes.

Assigning FC ID Last Byte

Caution If the FICON feature is configured in cascaded mode, the Cisco MDS switches use ISLs to connect to
other switches.

To assign the last byte for the FC ID using Fabric Manager, follow these steps:

Step 1 Choose All VSANs > Domain Manager.


Step 2 Click the Persistent FCIDs tab.
You see the Persistent FcIds tab (see Figure 36-12).

Figure 36-12 Persistent FcIds Tab

Step 3 Select single in the Mask column and then assign the entire FC ID at once. The single option allows you
to enter the FC ID in the ###### format.
Step 4 Click the Apply Changes icon to save these changes.

Allowing the Host to Move the Switch Offline


By default, hosts are allowed to move the switch to an offline state. To do this, the host sends the "Set offline"
command (x'FD') to the control unit port (CUP).
To allow the host (mainframe) to move the switch to an offline state using Fabric Manager, follow these
steps:

Step 1 Choose VSAN > FICON.


You see a list of switches under the Control tab in the Information pane.
Step 2 Click the VSANs tab.
You see the FICON VSAN configuration information in the Information pane (see Figure 36-13).

Figure 36-13 FICON VSANs in Fabric Manager

Step 3 Check the Host Can Offline Sw check box to allow the mainframe to move a switch to the offline state.
Step 4 Check the Host Can Sync Time check box to allow the mainframe to set the system time on the switch.
Step 5 Click the Apply Changes icon to save the changes.

Allowing the Host to Change FICON Port Parameters


By default, mainframe users are not allowed to configure FICON parameters on Cisco MDS
switches; they can only query the switch.
To allow the host (mainframe) to configure FICON parameters on the Cisco MDS switch using Fabric
Manager, follow these steps:

Step 1 Choose VSAN > FICON.


You see a list of switches under the Control tab in the Information pane.
Step 2 Click the VSANs tab.
You see the FICON VSAN configuration information in the Information pane (see Figure 36-13).
Step 3 Check the Port Control By Host check box to allow the mainframe to control a switch.
Step 4 Click the Apply Changes icon to save the changes.

Allowing the Host to Control the Timestamp


By default, the clock in each VSAN is the same as the switch hardware clock. Each VSAN in a Cisco
MDS 9000 Family switch represents a virtual director. The clock and time present in each virtual director
can be different. To maintain separate clocks for each VSAN, the Cisco NX-OS software maintains the
difference of the VSAN-specific clock and the hardware-based director clock. When a host (mainframe)
sets the time, the Cisco NX-OS software updates this difference between the clocks. When a host reads
the clock, it computes the difference between the VSAN-clock and the current director hardware clock
and presents a value to the mainframe.
To configure host (mainframe) control for the VSAN time stamp using Fabric Manager, follow these
steps:

Step 1 Choose VSAN > FICON.


You see a list of switches under the Control tab in the Information pane.
Step 2 Click the VSANs tab.
You see the FICON VSAN configuration information in the Information pane (see Figure 36-13).
Step 3 Check the Host Can Sync Time checkbox to allow the mainframe to set the system time on the switch.
Step 4 Click the Apply Changes icon to save these changes.

Configuring SNMP Control of FICON Parameters


By default, SNMP users can configure FICON parameters through the Cisco MDS 9000 Family Fabric
Manager.

Note If you disable SNMP in the Cisco MDS switch, you cannot configure FICON parameters using the Fabric
Manager.

To configure SNMP control of FICON parameters using Fabric Manager, follow these steps:

Step 1 Choose VSAN > FICON.


You see a list of switches under the Control tab in the Information pane.
Step 2 Click the VSANs tab.
You see the FICON VSAN configuration information in the Information pane (see Figure 36-13).
Step 3 Check the Port Control By SNMP checkbox to allow SNMP users to configure FICON on the switch.
Step 4 Click the Apply Changes icon to save these changes.

FICON Information Refresh


When viewing FICON information through the Device Manager dialog boxes, you must manually
refresh the display by clicking the Refresh button to see the latest updates. You need to take this step
whether you configure FICON through the CLI or through the Device Manager.
There is no automatic refresh of FICON information. This information would be refreshed so often that
it would affect performance.

About FICON Device Allegiance


FICON requires that serialization of access among multiple mainframe, CLI, and SNMP sessions be
maintained on Cisco MDS 9000 Family switches by controlling device allegiance for the currently
executing session. Any other session is denied permission to perform configuration changes unless the
required allegiance is available.

Caution This task discards the currently executing session.

Automatically Saving the Running Configuration


Cisco MDS NX-OS provides an option to automatically save any configuration changes to the startup
configuration. This ensures that the new configuration is present after a switch reboot. The Active=Saved
option can be enabled on any FICON VSAN.
Table 36-2 displays the results of the Active=Saved option and the implicit copy from the running
configuration to the startup configuration (copy running start) in various scenarios.
If the Active=Saved option is enabled in any FICON-enabled VSAN in the fabric, then the following
apply (see Number 1 and 2 in Table 36-2):
All configuration changes (FICON-specific or not) are automatically saved to persistent storage
(implicit copy running start) and stored in the startup configuration.
FICON-specific configuration changes are immediately saved to the IPL file (see the "FICON
Configuration Files" section on page 36-28).
If the Active=Saved option is not enabled in any FICON-enabled VSAN in the fabric, then
FICON-specific configuration changes are not saved in the IPL file and an implicit copy running
startup command is not issued. You must explicitly save the running configuration to the startup
configuration (see Number 3 in Table 36-2).

Table 36-2 Saving the Active FICON and Switch Configuration

| Number | FICON-enabled VSAN? | Active equals saved enabled? | Implicit copy running start issued? | Notes |
|---|---|---|---|---|
| 1 | Yes | Yes (in all FICON VSANs) | Implicit | FICON changes written to the IPL file. Non-FICON changes saved to startup configuration and persistent storage. |
| 2 | Yes | Yes (even in one FICON VSAN) | Implicit | FICON changes written to IPL file for only the VSAN that has active equals saved option enabled. Non-FICON changes saved to startup configuration and persistent storage. |
| 3 | Yes | Not in any FICON VSAN | Not implicit | FICON changes are not written to the IPL file. Non-FICON changes are saved in persistent storage only if you explicitly issue the copy running start command. |
| 4 | No | Not applicable | | |

To save the running config, follow these steps:

Step 1 Choose VSAN > FICON.


You see a list of switches under the Control tab in the Information pane.
Step 2 Click the VSANs tab.
You see the FICON VSAN configuration information in the Information pane (see Figure 36-13).
Step 3 Check the Active=Saved check box to automatically save the running configuration to the startup
configuration whenever there is a FICON configuration change.
Step 4 Click the Apply Changes icon to save these changes.

Configuring FICON Ports


You can perform FICON configurations on a per-port address basis in the Cisco MDS 9000 Family of
switches.
Even if a port is uninstalled, the port address-based configuration is accepted by the Cisco MDS switch.
This configuration is applied to the port when the port becomes installed.
This section includes the following topics:
Configuring Port Blocking, page 36-25

Viewing ESCON Style Ports, page 36-26
Port Prohibiting, page 36-26
Assigning a Port Address Name, page 36-27
About RLIR, page 36-27
Displaying RLIR Information, page 36-27

Configuring Port Blocking


If you block a port, the port is retained in the operationally down state. If you unblock a port, a port
initialization is attempted. When a port is blocked, data and control traffic are not allowed on that port.
Physical Fibre Channel port blocks will continue to transmit an Off-line state (OLS) primitive sequence
on a blocked port.

Caution You cannot block or prohibit the CUP port (0XFE).

If a port is shut down, unblocking that port does not initialize the port.

Note The shutdown/no shutdown port state is independent of the block/no block port state.

To block or unblock port addresses in a VSAN using Device Manager, follow these steps:

Step 1 Choose FICON > VSANs.


Step 2 Select a VSAN ID and click Port Configuration.
You see the FICON Port Configuration dialog box for the selected VSAN (see Figure 36-14).

Figure 36-14 FICON Port Configuration Dialog Box

Step 3 Check the Blocked check box for the port that you want to block.
Step 4 Click Apply to save the changes.


Viewing ESCON Style Ports


To view the available and prohibited ESCON style ports using Device Manager, follow these steps:

Step 1 Check the ESCON Style check box to see the available and prohibited ESCON style ports.
In Figure 36-15, A stands for available and P stands for prohibited.
When the port address is highlighted red, it represents the E/TE port or multiple interfaces.

Figure 36-15 ESCON Style

Step 2 Click Apply to save the changes.

Port Prohibiting
To prevent implemented ports from talking to each other, configure prohibits between two or more ports.
If you prohibit ports, the specified ports are prevented from communicating with each other.

Tip You cannot prohibit a PortChannel or FCIP interface.

Unimplemented ports are always prohibited. In addition, prohibit configurations are always
symmetrically applied: if you prohibit port 0 from talking to port 15, port 15 is automatically prohibited
from talking to port 0.

Note If an interface is already configured in E or TE mode and you try to prohibit that port, your prohibit
configuration is rejected. Similarly, if a port is not up and you prohibit that port, the port is not allowed
to come up in E mode or in TE mode.
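
The prohibit rules above, as an added Python model that is not Cisco code and not part of the original guide. The class and function names are hypothetical, and the one-integer-mask-per-port layout is an assumption for illustration only (the real IPL file format is proprietary). The `asymmetric_pairs` helper goes slightly beyond the text: it audits masks from any source for violations of the symmetry rule.

```python
CUP_PORT = 0xFE  # CUP port address; the guide says it cannot be blocked or prohibited


class ProhibitError(ValueError):
    """Raised when a prohibit request breaks one of the rules in the guide."""


class ProhibitMatrix:
    """Illustrative model: one integer mask per port address, bit n = 'prohibited from n'."""

    def __init__(self, implemented, e_or_te=()):
        self.implemented = set(implemented)  # implemented port addresses
        self.e_or_te = set(e_or_te)          # ports already configured in E or TE mode
        self.mask = {}                       # port address -> prohibit mask

    def prohibit(self, a, b):
        # Validate both ends first so that a rejected request changes nothing.
        for port in (a, b):
            if port == CUP_PORT:
                raise ProhibitError("the CUP port (0xFE) cannot be prohibited")
            if port in self.e_or_te:
                raise ProhibitError(f"port {port} is in E or TE mode; prohibit rejected")
        # Prohibits are symmetric: setting a -> b always sets b -> a.
        self.mask[a] = self.mask.get(a, 0) | (1 << b)
        self.mask[b] = self.mask.get(b, 0) | (1 << a)

    def can_talk(self, a, b):
        if a not in self.implemented or b not in self.implemented:
            return False  # unimplemented ports are always prohibited
        return not (self.mask.get(a, 0) >> b) & 1

    def may_enter_e_mode(self, port):
        # A port that carries a prohibit is not allowed to come up in E or TE mode.
        return self.mask.get(port, 0) == 0


def asymmetric_pairs(masks):
    """Audit helper: return (a, b) pairs where a prohibits b but b does not prohibit a."""
    found = []
    for a, mask in masks.items():
        for b in range(256):
            if (mask >> b) & 1 and not (masks.get(b, 0) >> a) & 1:
                found.append((a, b))
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample: 32 implemented ports, port 31 is an ISL in E mode.
    matrix = ProhibitMatrix(implemented=range(32), e_or_te={31})
    matrix.prohibit(0, 15)
    print("0 -> 15 allowed:", matrix.can_talk(0, 15))
    print("15 -> 0 allowed:", matrix.can_talk(15, 0))
    print("asymmetric pairs:", asymmetric_pairs(matrix.mask))
```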

Configuring Port Prohibiting


To prohibit port addresses in a VSAN using Device Manager, follow these steps:


Step 1 Choose FICON > VSANs.


Step 2 Select a VSAN ID and click Port Configuration.
You see the FICON Port Configuration dialog box (see Figure 36-14).
Step 3 Set the port prohibit configuration for the selected FICON VSANs.
Step 4 Click Apply to save these changes.

Assigning a Port Address Name

Note To view the latest FICON information, you must click the Refresh button. See the Automatically
Saving the Running Configuration section on page 36-23.

To assign a port address name in Device Manager, follow these steps:

Step 1 Choose FICON > VSANs.


Step 2 Select a VSAN ID and click Port Configuration.
You see the FICON Port Configuration dialog box (see Figure 36-14).
Step 3 Enter the Port Configuration information.
Step 4 Click Apply to save the configuration information.

About RLIR
The Registered Link Incident Report (RLIR) application provides a method for a switch port to send a
Link Incident Record (LIR) to a registered Nx port. It is a highly available application.
When an LIR is detected in FICON-enabled switches in the Cisco MDS 9000 Family from an RLIR
Extended Link Service (ELS), the switch sends that record to the members in its Established Registration
List (ERL).
In case of multi-switch topology, a Distribute Registered Link Incident Record (DRLIR) Inter-Link
Service (ILS) is sent to all reachable remote domains along with the RLIR ELS. On receiving the DRLIR
ILS, the switch extracts the RLIR ELS and sends it to the members of the ERL.
The Nx ports interested in receiving the RLIR ELS send the Link Incident Record Registration (LIRR)
ELS request to the management server on the switch. The RLIRs are processed on a per-VSAN basis.
The RLIR data is written to persistent storage when you copy the running configuration to the startup
configuration.

Displaying RLIR Information


To view RLIR information using Device Manager, follow these steps:


Step 1 Choose FICON > RLIR ERL.


You see the Show RLIR ERL dialog box (see Figure 36-16).

Figure 36-16 Show RLIR ERL Dialog Box

Step 2 Click Close to close the dialog box.

FICON Configuration Files


You can save up to 16 FICON configuration files on each FICON-enabled VSAN (in persistent storage).
The file format is proprietary to IBM. These files can be read and written by IBM hosts using the in-band
CUP protocol. Additionally, you can use the Cisco MDS CLI or Fabric Manager applications to operate
on these FICON configuration files.

Note Multiple FICON configuration files with the same name can exist in the same switch, provided they
reside in different VSANs. For example, you can create a configuration file named XYZ in both VSAN
1 and VSAN 3.

When you enable the FICON feature in a VSAN, the switches always use the startup FICON
configuration file, called IPL. This file is created with a default configuration as soon as FICON is
enabled in a VSAN.

Caution When FICON is disabled on a VSAN, all the FICON configuration files are irretrievably lost.

FICON configuration files contain the following configuration for each implemented port address:
Block
Prohibit mask
Port address name


Note Normal configuration files used by Cisco MDS switches include FICON-enabled attributes for a VSAN,
port number mapping for PortChannels and FCIP interfaces, port number to port address mapping, port
and trunk allowed VSAN configuration for ports, in-order guarantee, static domain ID configuration, and
fabric binding configuration.

See Chapter 12, "Initial Configuration," for details on the normal configuration files used by Cisco
MDS switches.
This section includes the following topics:
About FICON Configuration Files, page 36-29
Applying the Saved Configuration Files to the Running Configuration, page 36-29
Editing FICON Configuration Files, page 36-30
Displaying FICON Configuration Files, page 36-30
Copying FICON Configuration Files, page 36-31

About FICON Configuration Files


Only one user can access the configuration file at any given time:
If this file is being accessed by user 1, user 2 cannot access this file.
If user 2 does attempt to access this file, an error is issued to user 2.
If user 1 is inactive for more than 15 seconds, the file is automatically closed and available for use
by any other permitted user.
FICON configuration files can be accessed by any host, SNMP, or CLI user who is permitted to access
the switch. The locking mechanism in the Cisco NX-OS software restricts access to one user at a time
per file. This lock applies to newly created files and previously saved files. Before accessing any file,
you must lock the file and obtain the file key. A new file key is used by the locking mechanism for each
lock request. The key is discarded when the lock timeout of 15 seconds expires. The lock timeout value
cannot be changed.
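
The locking behavior described above, as an added Python model that is not Cisco code and not part of the original guide. All class and method names are hypothetical, the key format is invented, and the model assumes that each successful access restarts the 15-second inactivity timer. It shows why a key obtained earlier must not be reused after an idle period.

```python
import secrets

LOCK_TIMEOUT = 15.0  # seconds; the guide states this value cannot be changed


class FileBusy(Exception):
    """Another user currently holds the lock on this file."""


class StaleKey(Exception):
    """The presented key does not belong to a live lock."""


class FakeClock:
    """Manually advanced clock so the timeout can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class FiconFileLocks:
    """Illustrative model: one lock holder per (VSAN, file name), one fresh key per lock."""

    def __init__(self, clock):
        self.clock = clock  # callable returning the current time in seconds
        self.locks = {}     # (vsan, name) -> [user, key, time of last activity]

    def expire(self, file_id):
        entry = self.locks.get(file_id)
        if entry and self.clock() - entry[2] > LOCK_TIMEOUT:
            del self.locks[file_id]  # file closed automatically, key discarded

    def lock(self, vsan, name, user):
        file_id = (vsan, name)  # the same name in another VSAN is a different file
        self.expire(file_id)
        if file_id in self.locks:
            holder = self.locks[file_id][0]
            raise FileBusy(f"{name} in VSAN {vsan} is in use by {holder}")
        key = secrets.token_hex(8)  # a new key for every lock request
        self.locks[file_id] = [user, key, self.clock()]
        return key

    def access(self, vsan, name, key):
        file_id = (vsan, name)
        self.expire(file_id)
        entry = self.locks.get(file_id)
        if entry is None or not secrets.compare_digest(entry[1], key):
            raise StaleKey(f"key is not valid for {name} in VSAN {vsan}")
        entry[2] = self.clock()  # activity restarts the inactivity timer (assumption)


if __name__ == "__main__":
    clock = FakeClock()
    locks = FiconFileLocks(clock)
    first_key = locks.lock(1, "XYZ", "user1")
    clock.now = 16.0  # user1 idle for more than 15 seconds
    locks.lock(1, "XYZ", "user2")  # succeeds: the file was closed automatically
    try:
        locks.access(1, "XYZ", first_key)
    except StaleKey as err:
        print("user1 rejected:", err)
```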

Applying the Saved Configuration Files to the Running Configuration


To apply the saved configuration files to the running configuration using Device Manager, follow these
steps:

Step 1 Choose FICON > VSANs.


Step 2 Click the Files tab.
You see the FICON Files dialog box (see Figure 36-17).


Figure 36-17 FICON VSANs Dialog Box

Step 3 Highlight the file you want to apply and click Apply File to apply the configuration to the running
configuration.

Editing FICON Configuration Files


The configuration file submode allows you to create and edit FICON configuration files. If a specified
file does not exist, it is created. Up to 16 files can be saved. Each file name is restricted to eight
alphanumeric characters.

Note To view the latest FICON information, you must click the Refresh button. See the Automatically
Saving the Running Configuration section on page 36-23.

To edit the contents of a specified FICON configuration file using Device Manager, follow these steps:

Step 1 Choose FICON > VSANs.


Step 2 Click the Files tab.
You see the FICON VSANs dialog box (see Figure 36-17).
Step 3 Select a VSAN ID and then click Open to edit the FICON configuration file.
Step 4 Select a VSAN ID and then click Delete to delete the FICON configuration file.
Step 5 Click Apply to apply the changed FICON configuration file.

Displaying FICON Configuration Files


To open and view configuration files in Fabric Manager, follow these steps:

Step 1 Choose FICON > VSAN.


You see the FICON configuration table in the Information pane.
Step 2 Click the Files tab.
Step 3 Select the file you want to open.


Step 4 Click Open.

Copying FICON Configuration Files


To copy an existing FICON configuration file using Device Manager, follow these steps:

Step 1 Choose FICON > VSANs.


Step 2 Click the Files tab.
You see the FICON VSANs dialog box (see Figure 36-17).
Step 3 Click Create to create a FICON configuration file.
You see the Create FICON VSANs Files dialog box shown in Figure 36-18.

Figure 36-18 Create FICON VSANs Files Dialog Box in Device Manager

a. Select a VSAN ID for the FICON VSAN you want to configure.


b. Enter the file name and the description.
c. Click Create to create the file.
Step 4 Click Copy to copy the file to a new file.
Step 5 Click Apply to apply the FICON configuration file.

Port Swapping
The FICON port-swapping feature is only provided for maintenance purposes.
The FICON port-swapping feature causes all configurations associated with old-port-number and
new-port-number to be swapped, including VSAN configurations.
Cisco MDS switches allow port swapping for nonexistent ports as follows:
Only FICON-specific configurations (prohibit, block, and port address mapping) are swapped.
No other system configuration is swapped.
All other system configurations are only maintained for existing ports.


If you swap a port in a module that has unlimited oversubscription ratios enabled with a port in a
module that has limited oversubscription ratios, then you may experience a degradation in
bandwidth.

Tip If you check the Active=Saved check box on any FICON VSAN, then the swapped configuration is
automatically saved to startup. Otherwise, you must explicitly save the running configuration
immediately after swapping the ports.

Once you swap ports, the switch automatically performs the following actions:
Shuts down both the old and new ports.
Swaps the port configuration.
If you attempt to bring the port up, you must explicitly shut down the port to resume traffic.

Note To view the latest FICON information, you must click the Refresh button. See the Automatically
Saving the Running Configuration section on page 36-23.

This section includes the following topics:


About Port Swapping, page 36-32
Swapping Ports, page 36-33

About Port Swapping


Be sure to follow these guidelines when using the FICON port swapping feature:
Port swapping is not supported for logical ports (PortChannels, FCIP links). Neither the
old-port-number nor the new-port-number can be a logical port.
Port swapping is not supported between physical ports that are part of a PortChannel. Neither the
old-port-number nor the new-port-number can be a physical port that is part of a PortChannel.
Before performing a port swap, the Cisco NX-OS software performs a compatibility check. If the
two ports have incompatible configurations, the port swap is rejected with an appropriate reason
code. For example, if a port with BB_credits as 25 is being swapped with an OSM port for which a
maximum of 12 BB_credits is allowed (not a configurable parameter), the port swapping operation
is rejected.
Before performing a port swap, the Cisco NX-OS software performs a compatibility check to verify
the extended BB_credits configuration.
If ports have default values (for some incompatible parameters), then a port swap operation is
allowed and the ports retain their default values.
Port tracking information is not included in port swapping. This information must be configured
separately (see Chapter 65, Configuring Port Tracking).

Note The 32-port module guidelines also apply for port swapping configurations.


Swapping Ports
To swap ports using Device Manager, follow these steps:

Step 1 Select two Fibre Channel ports by holding down the CTRL key and clicking them.
Step 2 Choose FICON > Swap Selected Ports (see Figure 36-19).

Figure 36-19 FICON Swap Selected Ports

FICON Tape Acceleration


The sequential nature of tape devices causes each I/O operation to the tape device over an FCIP link to
incur the latency of the FCIP link. Throughput drastically decreases as the round-trip time through the
FCIP link increases, leading to longer backup windows. Also, after each I/O operation, the tape device
is idle until the next I/O arrives. Starting and stopping of the tape head reduces the lifespan of the tape,
except when I/O operations are directed to a virtual tape.
Cisco MDS NX-OS software provides acceleration for the following FICON tape write operations:
The link between mainframe and native tape drives (both IBM and Sun/STK)
The back-end link between the VSM (Virtual Storage Management) and tape drive (Sun/STK)
FICON tape acceleration over FCIP provides the following advantages:
Efficiently utilizes the tape device by decreasing idle time
More sustained throughput as latency increases
Similar to FCP tape acceleration, and does not conflict with it

Note FICON tape read acceleration over FCIP is not supported.

Figure 36-20 through Figure 36-23 show supported configurations:


Figure 36-20 Host Directly Accessing IBM/STK (StorageTek) Library
[Diagram labels: IBM OS/390, Cisco MDS, Cisco MDS, tape library; links labeled FICON, FICON over FCIP, FICON]

Figure 36-21 Host Accessing Standalone IBM-VTS (Virtual Tape Server) /STK-VSM (Virtual Shared Memory)
[Diagram labels: VSM, Cisco MDS, tape library; links labeled FICON over FCIP]

Figure 36-22 Host Accessing Peer-to-Peer VTS (Virtual Tape Server)
[Diagram labels: OS/390; two groups of 4 VTCs; VTS 0 and VTS 1, each with a distribution library and a 349x tape library; Master + I/O; I/O UI Library; < 14m; links labeled FICON over FCIP]

Figure 36-23 Host Accessing Peer-to-Peer VTS (Virtual Tape Server)
[Diagram labels: OS/390, VTCS, two VTSS units, two 349x tape libraries; links labeled FICON over FCIP]
Note For information about FCIP tape acceleration, see the "FCIP Tape Acceleration" section on page 48-32.

Configuring FICON Tape Acceleration


FICON tape acceleration has the following configuration considerations:
In addition to the normal FICON configuration, FICON tape acceleration must be enabled on both
ends of the FCIP interface. If only one end has FICON tape acceleration enabled, acceleration does
not occur.
FICON tape acceleration is enabled on a per VSAN basis.
FICON tape acceleration cannot function if multiple ISLs are present in the same VSAN
(PortChannels or FSPF load balanced).
You can enable both Fibre Channel write acceleration and FICON tape acceleration on the same
FCIP interface.
Enabling or disabling FICON tape acceleration disrupts traffic on the FCIP interface.
To configure FICON tape acceleration over FCIP in Fabric Manager, follow these steps:

Step 1 Expand ISL and then select FCIP in the Physical Attributes pane.
Step 2 Click the Tunnels tab in the Information pane.
You see a list of available switches (Figure 36-24).


Figure 36-24 FCIP Tunnels Tab in Fabric Manager

Step 3 Click the Create Row icon to create an FCIP tunnel.


You see the Create FCIP Tunnel dialog box shown in Figure 36-25.


Figure 36-25 Create FCIP Tunnel Dialog Box

Step 4 Configure the tunnel with the options shown in Figure 36-25.
Step 5 Check the TapeAccelerator check box to enable FICON tape acceleration over this FCIP tunnel.
Step 6 Click Create.

CUP In-Band Management


The Control Unit Port (CUP) protocol configures access control and provides unified storage
management capabilities from a mainframe computer. Cisco MDS 9000 FICON-enabled switches are
fully IBM CUP standard compliant for in-band management using the IBM S/A OS/390 I/O operations
console.

Note The CUP specification is proprietary to IBM.


CUP is supported by switches and directors in the Cisco MDS 9000 Family. The CUP function allows
the mainframe to manage the Cisco MDS switches.
Host communication includes control functions such as blocking and unblocking ports, as well as
monitoring and error reporting functions.

Step 1 In Fabric Manager, choose Zone > Edit Full Zoneset, and then choose Edit > Edit Default Zone
Attributes to set the default zone to permit for the required VSAN. (See Figure 36-26.)

Figure 36-26 Setting the Default Zone Policy

Step 2 In Device Manager, choose FC > Name Server... for the required VSAN and obtain the FICON:CUP
WWN. See Figure 36-27.

Figure 36-27 Finding pWWN for FICON:CUP

Note If more than one FICON:CUP WWN exists in this fabric, be sure to add all the FICON:CUP pWWNs
to the required zone.

Step 3 In Fabric Manager, choose Zone > Edit Full Zoneset and add the FICON:CUP pWWN to the zone
database. (See Figure 36-28.)


Figure 36-28 Adding FICON:CUP WWN to Zone

Calculating FICON Flow Load Balance


The FICON Flow Load Balance Calculator allows you to get the best load balancing configuration for
your FICON flows. The calculator does not rely on any switch or flow discovery in the fabric. It is
available from the Fabric Manager Tools menu.
To use the FICON Flow Load Balance Calculator from Fabric Manager, follow these steps:

Step 1 Choose Tools > Other > Flow Load Balance Calculator.
You see the Flow Load Balance Calculator (see Figure 36-29).


Figure 36-29 Flow Load Balance Calculator

Step 2 Click Add to enter the source and destination(s) flows.


Step 3 Enter source and destination using 2 byte hex (by domain and area IDs). You can copy and paste these
IDs, and then edit them if required.
Step 4 Enter (or select) the number of ISLs between the two switches (for example, between domain ID 0a and
0b).
Step 5 Select a row to remove it and click Remove.
Step 6 Select the module for which you are calculating the load balance.
Step 7 Click Calculate to show the recommended topology.

Note If you change flows or ISLs, you must click Calculate to see the new recommendation.

Displaying FICON Information


This section includes the following topics:
Receiving FICON Alerts, page 36-41
Displaying FICON Port Address Information, page 36-41
Displaying IPL File Information, page 36-41
Viewing the History Buffer, page 36-41


Receiving FICON Alerts


To receive an alert to indicate any changes in the FICON configuration using Device Manager, follow
these steps:

Step 1 Choose FICON > VSANs.


You see the FICON VSANs dialog box.
Step 2 Check the User Alert Mode check box to receive an alert when the FICON configuration changes.
Step 3 Click Apply to apply this change.

Displaying FICON Port Address Information

To display FICON port address information using Device Manager, follow these steps:

Step 1 Choose FICON > VSANs.


You see the FICON VSANs dialog box.
Step 2 Select a VSAN ID and click Port Configuration.
You see the FICON Port Configuration dialog box.
Step 3 Click Close to close the dialog box.

Displaying IPL File Information


To display the IPL file information using Device Manager, follow these steps:

Step 1 Select VSANs from the FICON menu.


Step 2 Click the Files tab.
You see the FICON VSANs dialog box.
Step 3 Select the file that you want to view and click Open.

Viewing the History Buffer


In the director history buffer, the Key Counter column displays the 32-bit value maintained by Cisco
MDS switches. This value is incremented when any port changes state in that VSAN. The key counter
(a 32-bit value) is incremented when a FICON-related configuration is changed. Host programs can
increment this value at the start of the channel program and then perform operations on multiple ports.
The director history buffer keeps a log of which port address configuration was changed for each
key-counter value.


The director history buffer provides a mechanism to determine the change in the port state from the
previous time when a value was contained in the key counter.
To view the director history buffer using Device Manager, follow these steps:

Step 1 Choose FICON > VSANs.


You see the FICON VSANs dialog box.
Step 2 Click the Director History button.
You see the history buffer dialog box.
Step 3 Click Close to close the dialog box.

Default Settings
Table 36-3 lists the default settings for FICON features.

Table 36-3 Default FICON Settings

| Parameters | Default |
|---|---|
| FICON feature | Disabled. |
| Port numbers | Same as port addresses. |
| FC ID last byte value | 0 (zero). |
| EBCDIC format option | US-Canada. |
| Switch offline state | Hosts are allowed to move the switch to an offline state. |
| Mainframe users | Allowed to configure FICON parameters on Cisco MDS switches. |
| Clock in each VSAN | Same as the switch hardware clock. |
| Host clock control | Allows host to set the clock on this switch. |
| SNMP users | Configure FICON parameters. |
| Port address | Not blocked. |
| Prohibited ports | Ports 90-253 and 255 for the Cisco MDS 9200 Series switches. Ports 250-253 and 255 for the Cisco MDS 9500 Series switches. |


CHAPTER 37
Advanced Features and Concepts

This chapter describes the advanced features provided in switches in the Cisco MDS 9000 Family. It
includes the following sections:
Common Information Model, page 37-1
Fibre Channel Time Out Values, page 37-2
World Wide Names, page 37-5
FC ID Allocation for HBAs, page 37-7
Switch Interoperability, page 37-8
Default Settings, page 37-13

Common Information Model


Common Information Model (CIM) is an object-oriented information model that extends the existing
standards for describing management information in a network/enterprise environment.
CIM messages are independent of platform and implementation because they are encoded in
Extensible Markup Language (XML). CIM consists of a specification and a schema. The specification
defines the syntax and rules for describing management data and integrating with other management
models. The schema provides the actual model descriptions for systems, applications, networks, and
devices.
For more information about CIM, refer to the specification available through the Distributed
Management Task Force (DMTF) website at the following URL: http://www.dmtf.org/
For further information about Cisco MDS 9000 Family support for CIM servers, refer to the Cisco MDS
9000 Family CIM Programming Reference Guide.
A CIM client is required to access the CIM server. The client can be any client that supports CIM.

SSL Certificate Requirements and Format


To limit access to the CIM server to authorized clients, you can enable the HTTPS transport protocol
between the CIM server and client. On the switch side, this requires that you install a Secure Sockets
Layer (SSL) certificate generated on the client and enable the HTTPS server. Certificates may be
generated using third-party tools such as 'openssl' (available for UNIX, Mac and Windows) and may be
certified by a CA or self-signed.
The SSL certificate that you install on the switch must meet the following requirements:

• The certificate file contains the certificate and the private key.
• The private key must be RSA type.
• The certificate file should be in PEM (Privacy Enhanced Mail) style format and have .pem as the
  extension.
  -----BEGIN CERTIFICATE-----
  (certificate goes here)
  -----END CERTIFICATE-----
  -----BEGIN RSA PRIVATE KEY-----
  (private key goes here)
  -----END RSA PRIVATE KEY-----
• Only one certificate file can be installed at a time.
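
The following structural check of a certificate file against the requirements listed above is an added example, not code from this guide or from Cisco. The function name and the sample data are hypothetical, and the check covers only file layout (extension, PEM labels, base64, leading ASN.1 tag), not the validity of the certificate or key.

```python
import base64
import re
from pathlib import PurePath

# One PEM block: captures the label and the base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def check_cim_pem(filename, text):
    """Return a list of problems; an empty list means the documented layout is met."""
    problems = []
    if PurePath(filename).suffix != ".pem":
        problems.append("file extension is not .pem")

    labels = []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{label}: body is not valid base64")
            continue
        # Certificates and PKCS#1 RSA keys are both DER SEQUENCEs (tag 0x30).
        if not der.startswith(b"\x30"):
            problems.append(f"{label}: decoded body is not an ASN.1 SEQUENCE")

    certs = labels.count("CERTIFICATE")
    if certs != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {certs}")

    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block: the file must hold certificate and key")
    elif len(keys) > 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for label in keys:
        # Newer OpenSSL releases write 'PRIVATE KEY' (PKCS#8) by default, which
        # does not match the 'RSA PRIVATE KEY' layout shown above.
        if label != "RSA PRIVATE KEY":
            problems.append(f"key block is '{label}', expected 'RSA PRIVATE KEY'")

    if certs == 1 and keys == ["RSA PRIVATE KEY"]:
        if labels.index("RSA PRIVATE KEY") < labels.index("CERTIFICATE"):
            problems.append("key precedes certificate; the layout lists the certificate first")
    return problems


def pem(label, der):
    """Wrap bytes in PEM armor (used only to build the constructed samples)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed placeholder bytes, not a real certificate or key: only the
# structure (labels, base64, leading SEQUENCE tag) is meaningful here.
FAKE_CERT = b"\x30\x82\x01\x0a" + b"constructed-certificate-bytes"
FAKE_KEY = b"\x30\x82\x02\x5c" + b"constructed-rsa-key-bytes"

GOOD = pem("CERTIFICATE", FAKE_CERT) + pem("RSA PRIVATE KEY", FAKE_KEY)
PKCS8 = pem("CERTIFICATE", FAKE_CERT) + pem("PRIVATE KEY", FAKE_KEY)
CERT_ONLY = pem("CERTIFICATE", FAKE_CERT)
REVERSED = pem("RSA PRIVATE KEY", FAKE_KEY) + pem("CERTIFICATE", FAKE_CERT)

if __name__ == "__main__":
    samples = [("cim.pem", GOOD), ("cim.pem", PKCS8), ("cim.crt", CERT_ONLY)]
    for name, text in samples:
        print(name, check_cim_pem(name, text) or "OK")
```

Because the file carries the private key alongside the certificate, treat it as key material on the client: restrict its permissions and remove stray copies after it is installed on the switch.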

Fibre Channel Time Out Values


You can modify Fibre Channel protocol related timer values for the switch by configuring the following
time out values (TOVs):
• Distributed services TOV (D_S_TOV): The valid range is from 5,000 to 10,000 milliseconds. The
  default is 5,000 milliseconds.
• Error detect TOV (E_D_TOV): The valid range is from 1,000 to 10,000 milliseconds. The default
  is 2,000 milliseconds. This value is matched with the other end during port initialization.
• Resource allocation TOV (R_A_TOV): The valid range is from 5,000 to 10,000 milliseconds. The
  default is 10,000 milliseconds. This value is matched with the other end during port initialization.

Note The fabric stability TOV (F_S_TOV) constant cannot be configured.

This section includes the following topics:
• Timer Configuration Across All VSANs
• Timer Configuration Per-VSAN
• About fctimer Distribution
• Enabling or Disabling fctimer Distribution
• Database Merge Guidelines

Timer Configuration Across All VSANs


You can modify Fibre Channel protocol related timer values for the switch.

Caution The D_S_TOV, E_D_TOV, and R_A_TOV values cannot be globally changed unless all VSANs in the
switch are suspended.

Note If a VSAN is not specified when you change the timer value, the changed value is applied to all VSANs
in the switch.

To configure timers in Fabric Manager, expand Switches > FC Services and then select Timers &
Policies in the Physical Attributes pane. You see the timers for multiple switches in the Information
pane. Click the Change Timeouts button to configure the timeout values.
You see the dialog box as shown in Figure 37-1.

Figure 37-1 Configure Timers in Fabric Manager

To configure timers in Device Manager, click FC > Advanced > Timers/Policies. You see the timers for
a single switch in the dialog box as shown in Figure 37-2.

Figure 37-2 Configure Timers in Device Manager

Timer Configuration Per-VSAN


You can also configure the fctimer for a specified VSAN to set different TOV values for VSANs with
special links, such as FC or IP tunnels. You can configure different E_D_TOV, R_A_TOV, and D_S_TOV
values for individual VSANs. Active VSANs are suspended and activated when their timer values are
changed.

Caution You cannot perform a nondisruptive downgrade to any earlier version that does not support per-VSAN
FC timers.

Note This configuration must be propagated to all switches in the fabric; be sure to configure the same
value in all switches in the fabric.

If a switch is downgraded to Cisco MDS SAN-OS Release 1.2 or 1.1 after the timer is configured for a
VSAN, an error message is issued to warn against strict incompatibilities. See the Cisco MDS 9000 Family
Troubleshooting Guide.
To configure per-VSAN Fibre Channel timers using Device Manager, follow these steps:

Step 1 Click FC > Advanced > VSAN Timers.


You see the VSANs Timer dialog box as shown in Figure 37-3.

Figure 37-3 VSAN Timers in Device Manager

Step 2 Fill in the timer values that you want to configure.


Step 3 Click Apply to save these changes.

About fctimer Distribution


You can enable per-VSAN fctimer fabric distribution for all Cisco MDS switches in the fabric. When
you perform fctimer configurations, and distribution is enabled, that configuration is distributed to all
the switches in the fabric.
You automatically acquire a fabric-wide lock when you issue the first configuration command after you
enabled distribution in a switch. The fctimer application uses the effective and pending database model
to store or commit the commands based on your configuration.
See Chapter 13, Using the CFS Infrastructure, for more information on the CFS application.

Enabling or Disabling fctimer Distribution


To enable and distribute fctimer configuration changes using Device Manager, follow these steps:

Step 1 Choose FC > Advanced > VSAN Timers.


You see the VSANs Timer dialog box as shown in Figure 37-3.
Step 2 Fill in the timer values that you want to configure.

Step 3 Click Apply to save these changes.


Step 4 Select commit from the CFS drop-down menu to distribute these changes or select abort from the CFS
drop-down menu to discard any unsaved changes.

When you commit the fctimer configuration changes, the effective database is overwritten by the
configuration changes in the pending database and all the switches in the fabric receive the same
configuration. When you commit the fctimer configuration changes without implementing the session
feature, the fctimer configurations are distributed to all the switches in the physical fabric.

Database Merge Guidelines


See the CFS Merge Support section on page 13-9 for detailed concepts.
When merging two fabrics, follow these guidelines:
• Be aware of the following merge conditions:
  - The merge protocol is not implemented for distribution of the fctimer values; you must
    manually merge the fctimer values when a fabric is merged.
  - The per-VSAN fctimer configuration is distributed in the physical fabric.
  - The fctimer configuration is only applied to those switches containing the VSAN with a
    modified fctimer value.
  - The global fctimer values are not distributed.
• Do not configure global timer values when distribution is enabled.

Note The number of pending fctimer configuration operations cannot be more than 15. At that point, you must
commit or abort the pending configurations before performing any more operations.

World Wide Names


The world wide name (WWN) in the switch is equivalent to the Ethernet MAC address. As with the MAC
address, you must uniquely associate the WWN to a single device. The principal switch selection and
the allocation of domain IDs rely on the WWN. The WWN manager, a process-level manager residing
on the switch's supervisor module, assigns WWNs to each switch.
Cisco MDS 9000 Family switches support three network address authority (NAA) address formats (see
Table 37-1).

Table 37-1 Standardized NAA WWN Formats

NAA Address            NAA Type          WWN Format
IEEE 48-bit address    Type 1 = 0001b    000 0000 0000b              48-bit MAC address
IEEE extended          Type 2 = 0010b    Locally assigned            48-bit MAC address
IEEE registered        Type 5 = 0101b    IEEE company ID: 24 bits    VSID: 36 bits

Caution Changes to the world-wide names should be made by an administrator or individual who is completely
familiar with switch operations.

This section includes the following topics:
• Displaying WWN Information
• Link Initialization WWN Usage
• Configuring a Secondary MAC Address

Displaying WWN Information


To display WWN information using Device Manager, choose FC > Advanced > WWN Manager. You
see the list of allocated WWNs.

Link Initialization WWN Usage


Exchange Link Protocol (ELP) and Exchange Fabric Protocol (EFP) use WWNs during link
initialization. The usage details differ based on the Cisco NX-OS software release.
Both ELPs and EFPs use the VSAN WWN by default during link initialization. However, the ELP usage
changes based on the peer switch's usage:
• If the peer switch ELP uses the switch WWN, then the local switch also uses the switch WWN.
• If the peer switch ELP uses the VSAN WWN, then the local switch also uses the VSAN WWN.

Note As of Cisco SAN-OS Release 2.0(2b), the ELP is enhanced to be compliant with FC-SW-3.

Configuring a Secondary MAC Address


To allocate secondary MAC addresses using Device Manager, follow these steps:

Step 1 Choose FC > Advanced > WWN Manager.


You see the list of allocated WWNs as shown in Figure 37-4.

Figure 37-4 Allocated World Wide Names in Device Manager

Step 2 Supply the BaseMacAddress and MacAddressRange fields.


Step 3 Click Apply to save these changes, or click Close to discard any unsaved changes.

FC ID Allocation for HBAs


Fibre Channel standards require a unique FC ID to be allocated to an N port attached to an Fx port in any
switch. To conserve the number of FC IDs used, Cisco MDS 9000 Family switches use a special
allocation scheme.
Some HBAs do not discover targets that have FC IDs with the same domain and area. Prior to Cisco
SAN-OS Release 2.0(1b), the Cisco SAN-OS software maintained a list of tested company IDs that do
not exhibit this behavior. These HBAs were allocated with single FC IDs, and for others a full area was
allocated.
The FC ID allocation scheme available in Release 1.3 and earlier allocates a full area to these HBAs.
This allocation isolates them to that area, and they are listed with their pWWN during a fabric login.
The allocated FC IDs are cached persistently and are still available in Cisco SAN-OS Release 2.0(1b) (see
the FC ID Allocation for HBAs section on page 37-7).
To allow further scalability for switches with numerous ports, the Cisco NX-OS software maintains a
list of HBAs exhibiting this behavior. Each HBA is identified by its company ID (also known as
Organizational Unique Identifier, or OUI) used in the pWWN during a fabric login. A full area is
allocated to the N ports with company IDs that are listed and for the others, a single FC ID is allocated.
Irrespective of the kind (whole area or single) of FC ID allocated, the FC ID entries remain persistent.
This section includes the following topics:
• Default Company ID list
• Verifying the Company ID Configuration

Default Company ID list


All switches in the Cisco MDS 9000 Family that ship with Cisco SAN-OS Release 2.0(1b) or later, or
NX-OS 4.1(1) contain a default list of company IDs that require area allocation. Using the company ID
reduces the number of configured persistent FC ID entries. You can configure or modify these entries
using the CLI.

Caution Persistent entries take precedence over company ID configuration. If the HBA fails to discover
a target, verify that the HBA and the target are connected to the same switch and have the same
area in their FC IDs, then perform the following procedure:

1. Shut down the port connected to the HBA.
2. Clear the persistent FC ID entry.
3. Get the company ID from the Port WWN.
4. Add the company ID to the list that requires area allocation.
5. Bring up the port.

The list of company IDs has the following characteristics:
• A persistent FC ID configuration always takes precedence over the list of company IDs. Even if the
  company ID is configured to receive an area, the persistent FC ID configuration results in the
  allocation of a single FC ID.
• New company IDs added to subsequent releases are automatically added to existing company IDs.
• The list of company IDs is saved as part of the running and saved configuration.
• The list of company IDs is used only when the fcinterop FC ID allocation scheme is in auto mode.
  By default, the interop FC ID allocation is set to auto, unless changed.

Tip We recommend that you set the fcinterop FC ID allocation scheme to auto and use the company
ID list and persistent FC ID configuration to manipulate the FC ID device allocation.

Refer to the Cisco MDS 9000 Family CLI Configuration Guide to change the FC ID allocation.

Verifying the Company ID Configuration


To view the configured company IDs using Device Manager, choose FC > Advanced > FcId Area
Allocation. You can implicitly derive the default entries shipped with a specific release by combining
the list of Company IDs displayed without any identification with the list of deleted entries.
Some WWN formats do not support company IDs. In these cases, you may need to configure the FC ID
persistent entry.
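
The following decoder for the three NAA formats in Table 37-1 shows where the company ID sits in a pWWN and how the precedence rules above combine. It is an added example, not code from this guide or from Cisco. The function names and the sample WWNs are constructed, the fcinterop FC ID allocation scheme is assumed to be in auto mode, and NAA types outside Table 37-1 are reported without a company ID.

```python
NAA_NAMES = {1: "IEEE 48-bit address", 2: "IEEE extended", 5: "IEEE registered"}
HEX_DIGITS = "0123456789abcdef"


def parse_wwn(wwn):
    """Decode a colon-separated 64-bit WWN using the layouts in Table 37-1."""
    digits = wwn.replace(":", "").lower()
    if len(digits) != 16 or any(c not in HEX_DIGITS for c in digits):
        raise ValueError(f"not a 64-bit WWN: {wwn!r}")
    value = int(digits, 16)
    naa = value >> 60                              # top 4 bits select the format
    out = {"naa": naa, "format": NAA_NAMES.get(naa), "company_id": None}
    if naa in (1, 2):
        mac = value & 0xFFFFFFFFFFFF               # low 48 bits hold the MAC address
        prefix = (value >> 48) & 0xFFF             # 12 bits between NAA and MAC
        out["mac"] = f"{mac:012x}"
        out["company_id"] = f"{mac >> 24:06x}"     # OUI = top 24 bits of the MAC
        if naa == 1:
            out["valid"] = prefix == 0             # Type 1 requires these bits to be zero
        else:
            out["locally_assigned"] = f"{prefix:03x}"
    elif naa == 5:
        out["company_id"] = f"{(value >> 36) & 0xFFFFFF:06x}"   # 24 bits after the NAA
        out["vsid"] = f"{value & 0xFFFFFFFFF:09x}"              # remaining 36 bits
    return out


def fcid_allocation(pwwn, area_company_ids, persistent_pwwns=()):
    """Return 'area' or 'single' for a pWWN, following the rules in this section."""
    pwwn = pwwn.lower()
    # A persistent FC ID entry always wins and yields a single FC ID.
    if pwwn in {p.lower() for p in persistent_pwwns}:
        return "single"
    company = parse_wwn(pwwn)["company_id"]
    # A WWN format without a company ID can never match the list.
    if company is not None and company in area_company_ids:
        return "area"
    return "single"


# Constructed sample pWWNs, one per NAA type in Table 37-1 plus one outside it.
SAMPLES = [
    "10:00:00:00:c9:12:34:56",
    "20:00:00:0d:ec:01:02:03",
    "50:06:01:60:12:34:56:78",
    "60:05:07:68:01:02:03:04",
]

if __name__ == "__main__":
    area_list = {"0000c9"}                         # constructed company ID list
    for sample in SAMPLES:
        info = parse_wwn(sample)
        print(sample, info["format"], info["company_id"],
              fcid_allocation(sample, area_list))
```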

Switch Interoperability
Interoperability enables the products of multiple vendors to come into contact with each other. Fibre
Channel standards guide vendors towards common external Fibre Channel interfaces.

If all vendors followed the standards in the same manner, then interconnecting different products would
become a trivial exercise. However, not all vendors follow the standards in the same way, thus resulting
in interoperability modes. This section briefly explains the basic concepts of these modes.
Each vendor has a regular mode and an equivalent interoperability mode, which specifically turns off
advanced or proprietary features and provides the product with a more amiable standards-compliant
implementation.
This section includes the following topics:
• About Interop Mode
• Configuring Interop Mode 1
• Verifying Interoperating Status

About Interop Mode


Cisco NX-OS software supports the following four interop modes:
• Mode 1: Standards-based interop mode that requires all other vendors in the fabric to be in interop
  mode.
• Mode 2: Brocade native mode (Core PID 0).
• Mode 3: Brocade native mode (Core PID 1).
• Mode 4: McData native mode.
For information about configuring interop modes 2, 3, and 4, refer to the Cisco MDS 9000 Family
Switch-to-Switch Interoperability Configuration Guide.
Table 37-2 lists the changes in switch behavior when you enable interoperability mode. These changes
are specific to switches in the Cisco MDS 9000 Family while in interop mode.

Table 37-2 Changes in Switch Behavior When Interoperability Is Enabled

Switch Feature             Changes if Interoperability Is Enabled
Domain IDs                 Some vendors cannot use the full range of 239 domains within a fabric.
                           Domain IDs are restricted to the range 97-127. This is to accommodate
                           McData's nominal restriction to this same range. They can either be set up
                           statically (the Cisco MDS switch accepts only one domain ID; if it does not
                           get that domain ID, it isolates itself from the fabric) or preferred (if it
                           does not get its requested domain ID, it accepts any assigned domain ID).
Timers                     All Fibre Channel timers must be the same on all switches as these values are
                           exchanged by E ports when establishing an ISL. The timers are F_S_TOV,
                           D_S_TOV, E_D_TOV, and R_A_TOV.
F_S_TOV                    Verify that the Fabric Stability Time Out Value timers match exactly.
D_S_TOV                    Verify that the Distributed Services Time Out Value timers match exactly.
E_D_TOV                    Verify that the Error Detect Time Out Value timers match exactly.
R_A_TOV                    Verify that the Resource Allocation Time Out Value timers match exactly.
Trunking                   Trunking is not supported between two different vendors' switches. This
                           feature may be disabled on a per port or per switch basis.
Default zone               The default zone behavior of permit (all nodes can see all other nodes) or deny
                           (all nodes are isolated when not explicitly placed in a zone) may change.
Zoning attributes          Zones may be limited to the pWWN and other proprietary zoning methods
                           (physical port number) may be eliminated.
                           Note Brocade uses the cfgsave command to save fabric-wide zoning
                           configuration. This command does not have any effect on Cisco MDS
                           9000 Family switches if they are part of the same fabric. You must
                           explicitly save the configuration on each switch in the Cisco MDS 9000
                           Family.
Zone propagation           Some vendors do not pass the full zone configuration to other switches, only
                           the active zone set gets passed.
                           Verify that the active zone set or zone configuration has correctly propagated
                           to the other switches in the fabric.
VSAN                       Interop mode only affects the specified VSAN.
                           Note Interop modes cannot be enabled on FICON-enabled VSANs.
TE ports and               TE ports and PortChannels cannot be used to connect Cisco MDS to non-Cisco
PortChannels               MDS switches. Only E ports can be used to connect to non-Cisco MDS
                           switches. TE ports and PortChannels can still be used to connect a Cisco MDS
                           to other Cisco MDS switches even when in interop mode.
FSPF                       The routing of frames within the fabric is not changed by the introduction of
                           interop mode. The switch continues to use src-id, dst-id, and ox-id to load
                           balance across multiple ISL links.
Domain reconfiguration     This is a switch-wide impacting event. Brocade and McData require the entire
disruptive                 switch to be placed in offline mode and/or rebooted when changing domain
                           IDs.
Domain reconfiguration     This event is limited to the affected VSAN. Only Cisco MDS 9000 Family
nondisruptive              switches have this capability; only the domain manager process for the
                           affected VSAN is restarted and not the entire switch.
Name server                Verify that all vendors have the correct values in their respective name server
                           database.
IVR                        IVR-enabled VSANs can be configured in no interop (default) mode or in any
                           of the interop modes.

Configuring Interop Mode 1


Interop mode 1 in Cisco MDS 9000 Family switches can be enabled disruptively or nondisruptively.

Note Brocade's msplmgmtdeactivate command must explicitly be run prior to connecting from a Brocade
switch to either Cisco MDS 9000 Family switches or to McData switches. This command uses Brocade
proprietary frames to exchange platform information, which Cisco MDS 9000 Family switches or
McData switches do not understand. Rejecting these frames causes the common E ports to become
isolated.

To configure interop mode 1 for a VSAN using Fabric Manager, follow these steps:

Step 1 Choose VSANxxx > VSAN Attributes from the Logical Domains pane.
Step 2 Select Interop-1 from the Interop drop-down menu.
Step 3 Click Apply Changes to save this interop mode.
Step 4 Expand VSANxxx and then select Domain Manager from the Logical Domains pane.
You see the Domain Manager configuration in the Information pane as shown in Figure 37-5.

Figure 37-5 Domain Manager Configuration

Step 5 Set the Domain ID in the range of 97 (0x61) through 127 (0x7F).
a. Click the Configuration tab.
b. Click in the Configure Domain ID column under the Configuration tab.
c. Click the Running tab and check that the change has been made.

Note This is a limitation imposed by the McData switches.

Note When changing the domain ID, the FC IDs assigned to N ports also change.

Step 6 Change the Fibre Channel timers (if they have been changed from the system defaults).

Note The Cisco MDS 9000, Brocade, and McData FC error detect (ED_TOV) and resource allocation
(RA_TOV) timers default to the same values. They can be changed if needed. The RA_TOV
default is 10 seconds, and the ED_TOV default is 2 seconds. Per the FC-SW2 standard, these
values must be the same on each switch within the fabric.

a. Expand Switches > FC Services and then select Timers and Policies. You see the timer settings in
the Information pane.
b. Click Change Timeouts to modify the time-out values.
c. Click Apply to save the new time-out values.
Step 7 (Optional) Choose VSANxxx > Domain Manager > Configuration tab and select disruptive or
nonDisruptive in the Restart column to restart the domain.
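
Before applying the procedure above, the planned values can be checked offline against the timer ranges given under Fibre Channel Time Out Values and the interop mode 1 constraints in Table 37-2. The following sketch is an added example, not code from this guide or from Cisco. The inventory format, switch names, and function name are hypothetical, and the inventory is constructed by hand rather than read from a switch.

```python
# Valid ranges and defaults in milliseconds, as listed in this chapter.
TOV_RANGES_MS = {
    "D_S_TOV": (5000, 10000),
    "E_D_TOV": (1000, 10000),
    "R_A_TOV": (5000, 10000),
}
TOV_DEFAULTS_MS = {"D_S_TOV": 5000, "E_D_TOV": 2000, "R_A_TOV": 10000}
INTEROP1_DOMAIN_IDS = range(97, 128)   # 97 (0x61) through 127 (0x7F)


def interop1_precheck(switches):
    """Return (check, subject, detail) findings; an empty list means no conflicts."""
    findings = []
    effective = {}
    for sw in switches:
        # Timers that were never changed stay at the system defaults.
        timers = {**TOV_DEFAULTS_MS, **sw.get("timers_ms", {})}
        effective[sw["name"]] = timers
        for tov, (low, high) in TOV_RANGES_MS.items():
            if not low <= timers[tov] <= high:
                detail = f"{tov}={timers[tov]} outside {low}-{high} ms"
                findings.append(("range", sw["name"], detail))
        if sw["domain_id"] not in INTEROP1_DOMAIN_IDS:
            detail = f"domain ID {sw['domain_id']} outside 97-127"
            findings.append(("domain-id", sw["name"], detail))

    # Timers are exchanged by E ports when an ISL comes up, so every switch
    # in the fabric must carry the same value for each of them.
    for tov in TOV_RANGES_MS:
        by_value = {}
        for name, timers in effective.items():
            by_value.setdefault(timers[tov], []).append(name)
        if len(by_value) > 1:
            parts = [f"{value} ms on {'/'.join(names)}"
                     for value, names in sorted(by_value.items())]
            findings.append(("mismatch", tov, ", ".join(parts)))
    return findings


# Constructed inventory: one clean switch, one with a domain ID outside the
# interop range and a changed E_D_TOV, one with an out-of-range D_S_TOV.
FABRIC = [
    {"name": "mds-a", "domain_id": 97},
    {"name": "mds-b", "domain_id": 130, "timers_ms": {"E_D_TOV": 4000}},
    {"name": "other-vendor", "domain_id": 101, "timers_ms": {"D_S_TOV": 4000}},
]

if __name__ == "__main__":
    for check, subject, detail in interop1_precheck(FABRIC):
        print(f"{check:10} {subject:14} {detail}")
```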

Verifying Interoperating Status


This section highlights the steps used to verify if the fabric is up and running in interoperability mode.
To verify the interoperability status of any switch in the Cisco MDS 9000 Family using Fabric Manager,
follow these steps:

Step 1 Choose Switches in the Physical Attributes pane and check the release number in the Information pane
to verify the Cisco NX-OS release.
Step 2 Expand Switches > Interfaces and then select FC Physical to verify the interface modes for each
switch.
Step 3 Expand Fabricxx in the Logical Domains pane and then select All VSANs to verify the interop mode
for all VSANs.
Step 4 Expand Fabricxx > All VSANs and then select Domain Manager to verify the domain IDs, local, and
principal sWWNs for all VSANs (see Figure 37-6).

Figure 37-6 Domain Manager Information

Step 5 Using Device Manager, choose FC > Name Server to verify the name server information.
You see the Name Server dialog box as shown in Figure 37-7.

Figure 37-7 Name Server Dialog Box

Step 6 Click Close to close the dialog box.

Note The Cisco MDS name server shows both local and remote entries, and does not time out the entries.

Default Settings
Table 37-3 lists the default settings for the features included in this chapter.

Table 37-3 Default Settings for Advanced Features

Parameters                                    Default
CIM server                                    Disabled
CIM server security protocol                  HTTP
D_S_TOV                                       5,000 milliseconds
E_D_TOV                                       2,000 milliseconds
R_A_TOV                                       10,000 milliseconds
Timeout period to invoke fctrace              5 seconds
Number of frames sent by the fcping feature   5 frames
Remote capture connection protocol            TCP
Remote capture connection mode                Passive
Local capture frame limits                    10 frames
FC ID allocation mode                         Auto mode
Loop monitoring                               Disabled
D_S_TOV                                       5,000 msec
E_D_TOV                                       2,000 msec
R_A_TOV                                       10,000 msec
Interop mode                                  Disabled

PART 5
Security

CHAPTER 38
Configuring FIPS

The Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for
Cryptographic Modules, details the U.S. government requirements for cryptographic modules. FIPS
140-2 specifies that a cryptographic module should be a set of hardware, software, firmware, or some
combination that implements cryptographic functions or processes, including cryptographic algorithms
and, optionally, key generation, and is contained within a defined cryptographic boundary.
FIPS specifies certain crypto algorithms as secure, and it also identifies which algorithms should be used
if a cryptographic module is to be called FIPS compliant.

Note Cisco MDS SAN-OS Release 3.1(1) and NX-OS Release 4.1(1b) or later implements FIPS features and
is currently in the certification process with the U.S. government, but it is not FIPS compliant at this
time.

This chapter includes the following sections:
• Configuration Guidelines
• Enabling FIPS Mode
• FIPS Self-Tests

Configuration Guidelines
Follow these guidelines before enabling FIPS mode:
• Make your passwords a minimum of eight characters in length.
• Disable Telnet. Users should log in using SSH only.
• Disable remote authentication through RADIUS/TACACS+. Only users local to the switch can be
  authenticated.
• Disable SNMP v1 and v2. Any existing user accounts on the switch that have been configured for
  SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.
• Disable VRRP.
• Delete all IKE policies that either have MD5 for authentication or DES for encryption. Modify the
  policies so they use SHA for authentication and 3DES/AES for encryption.
• Delete all SSH Server RSA1 key-pairs.
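
The guidelines above can be turned into a pre-flight check that is run against a description of the switch before FIPS mode is enabled. The following sketch is an added example, not code from this guide or from Cisco. The snapshot format, its key names, and the sample values are hypothetical and constructed by hand; they are not output from any switch command.

```python
# Algorithms the guidelines above allow.
SNMPV3_AUTH_OK = {"sha"}
SNMPV3_PRIV_OK = {"aes", "3des"}
IKE_HASH_OK = {"sha"}
IKE_ENCRYPTION_OK = {"aes", "3des"}


def fips_preflight(cfg):
    """Return (guideline, detail) pairs for every guideline the snapshot violates."""
    issues = []
    if cfg["password_min_length"] < 8:
        detail = f"minimum length {cfg['password_min_length']} is below 8"
        issues.append(("passwords", detail))
    if cfg["telnet_enabled"]:
        issues.append(("telnet", "Telnet is enabled; logins should use SSH only"))
    if cfg["remote_auth"]:
        issues.append(("remote-auth", "configured: " + ", ".join(cfg["remote_auth"])))
    legacy = sorted(set(cfg["snmp_versions"]) - {"v3"})
    if legacy:
        issues.append(("snmp-version", "enabled: " + ", ".join(legacy)))
    for user in cfg["snmpv3_users"]:
        if user["auth"] not in SNMPV3_AUTH_OK or user["priv"] not in SNMPV3_PRIV_OK:
            detail = f"{user['name']}: auth={user['auth']}, priv={user['priv']}"
            issues.append(("snmpv3-user", detail))
    if cfg["vrrp_enabled"]:
        issues.append(("vrrp", "VRRP is enabled"))
    for policy in cfg["ike_policies"]:
        weak_hash = policy["hash"] not in IKE_HASH_OK
        weak_enc = policy["encryption"] not in IKE_ENCRYPTION_OK
        if weak_hash or weak_enc:
            detail = (f"policy {policy['id']}: hash={policy['hash']}, "
                      f"encryption={policy['encryption']}")
            issues.append(("ike-policy", detail))
    if "rsa1" in cfg["ssh_server_keys"]:
        issues.append(("ssh-rsa1", "SSH server RSA1 key pair present"))
    return issues


# Constructed snapshot of a switch that is not ready for FIPS mode.
BEFORE = {
    "password_min_length": 6,
    "telnet_enabled": True,
    "remote_auth": ["tacacs+"],
    "snmp_versions": ["v1", "v2c", "v3"],
    "snmpv3_users": [
        {"name": "monitor", "auth": "md5", "priv": "des"},
        {"name": "admin", "auth": "sha", "priv": "aes"},
    ],
    "vrrp_enabled": False,
    "ike_policies": [
        {"id": 1, "hash": "md5", "encryption": "3des"},
        {"id": 2, "hash": "sha", "encryption": "aes"},
    ],
    "ssh_server_keys": ["rsa1", "rsa"],
}

# The same snapshot after the guidelines have been applied.
AFTER = dict(
    BEFORE,
    password_min_length=8,
    telnet_enabled=False,
    remote_auth=[],
    snmp_versions=["v3"],
    snmpv3_users=[{"name": "admin", "auth": "sha", "priv": "aes"}],
    ike_policies=[{"id": 2, "hash": "sha", "encryption": "aes"}],
    ssh_server_keys=["rsa"],
)

if __name__ == "__main__":
    for guideline, detail in fips_preflight(BEFORE):
        print(f"{guideline:13} {detail}")
```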

Enabling FIPS Mode


To enable FIPS mode using Fabric Manager, follow these steps:

Step 1 Expand Switches from the Physical Attributes pane. Expand Security and then select FIPS.
You see the FIPS activation details in the Information pane as shown in Figure 38-1.

Figure 38-1 FIPS Activation in Fabric Manager

Step 2 Check the ModeActivation check box next to the switch for which you want to enable FIPS mode.
Step 3 Click Apply Changes to commit and distribute these changes.
Step 4 Click Undo Changes to discard any unsaved changes.

To enable FIPS mode using Device Manager, follow these steps:

Step 1 Choose Physical > System or right-click and select Configure.


You see the System dialog box as shown in Figure 38-2.

Figure 38-2 System Dialog Box

Step 2 Check the FIPSModeActivation check box to enable FIPS mode on the selected switch.

Step 3 Click Apply to save the changes.


Step 4 Click Close to close the dialog box.

FIPS Self-Tests
A cryptographic module must perform power-up self-tests and conditional self-tests to ensure that it is
functional.

Note FIPS power-up self-tests automatically run when FIPS mode is enabled. A switch is in FIPS mode only
after all self-tests are successfully completed. If any of the self-tests fail, then the switch is rebooted.

Power-up self-tests run immediately after FIPS mode is enabled. A cryptographic algorithm test using a
known answer must be run for all cryptographic functions for each FIPS 140-2-approved cryptographic
algorithm implemented on the Cisco MDS 9000 Family.
Using a known-answer test (KAT), a cryptographic algorithm is run on data for which the correct output
is already known, and then the calculated output is compared to the previously generated output. If the
calculated output does not equal the known answer, the known-answer test fails.
Conditional self-tests must be run when an applicable security function or operation is invoked. Unlike
the power-up self-tests, conditional self-tests are executed each time their associated function is
accessed.
Conditional self-tests include the following:
• Pair-wise consistency test: This test is run when a public-private key-pair is generated.
• Continuous random number generator test: This test is run when a random number is generated.
Both of these tests automatically run when a switch is in FIPS mode.
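
The three kinds of self-test described above can be sketched in a few lines. The following is an added example, not code from this guide and not how the switch implements its tests. The function and class names are hypothetical, the faulty implementations are constructed to show a failing test, and the RSA numbers are a toy key used only to keep the example within the standard library.

```python
import hashlib
import os

# Known answers for the message b"abc" (published SHA-1 and SHA-256 test vectors).
KAT_MESSAGE = b"abc"
KNOWN_ANSWERS = {
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


class SelfTestError(Exception):
    """Raised when a self-test fails; no cryptographic service may be offered."""


def power_up_self_tests(implementations):
    """Run one known-answer test per algorithm and return the names that failed."""
    return [name for name, digest in implementations.items()
            if digest(KAT_MESSAGE) != KNOWN_ANSWERS[name]]


def enter_fips_mode(implementations):
    """FIPS mode is reached only if every power-up self-test passes."""
    failed = power_up_self_tests(implementations)
    if failed:
        raise SelfTestError("known-answer test failed: " + ", ".join(failed))
    return True


class ContinuousRng:
    """Conditional test: compare each generated block with the previous one."""

    def __init__(self, source=os.urandom, block_size=16):
        self._source = source
        self._block_size = block_size
        self._previous = source(block_size)   # first block is kept for comparison only

    def read_block(self):
        block = self._source(self._block_size)
        if block == self._previous:
            raise SelfTestError("continuous random number generator test failed")
        self._previous = block
        return block


def pairwise_consistent(n, e, d, probe=65):
    """Conditional test for a new RSA key pair: the private operation must
    undo the public operation on a probe value."""
    return pow(pow(probe, e, n), d, n) == probe


APPROVED = {
    "sha1": lambda m: hashlib.sha1(m).hexdigest(),
    "sha256": lambda m: hashlib.sha256(m).hexdigest(),
}
# Constructed fault: the SHA-256 slot hashes one extra byte.
FAULTY = dict(APPROVED, sha256=lambda m: hashlib.sha256(m + b"\x00").hexdigest())


def stuck_source(n):
    """Constructed fault: a generator that always returns the same block."""
    return b"\x5a" * n


# Toy RSA key (n = 61 * 53), far too small for real use.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753

if __name__ == "__main__":
    print("power-up failures:", power_up_self_tests(APPROVED) or "none")
    print("faulty module failures:", power_up_self_tests(FAULTY))
    print("key pair consistent:", pairwise_consistent(TOY_N, TOY_E, TOY_D))
    print("random block:", ContinuousRng().read_block().hex())
```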

CHAPTER 39
Configuring Users and Common Roles

The CLI and SNMP use common roles in all switches in the Cisco MDS 9000 Family. You can use the
CLI to modify a role that was created using SNMP and vice versa.
Users, passwords, and roles for all CLI and SNMP users are the same. A user configured through the
CLI can access the switch using SNMP (for example, the Fabric Manager or the Device Manager) and
vice versa.
This chapter includes the following sections:
• Role-Based Authorization
• Role Distributions
• User Accounts
• SSH Services
• Recovering the Administrator Password
• Configuring Cisco ACS Servers
• Default Settings

Role-Based Authorization
Switches in the Cisco MDS 9000 Family perform authentication based on roles. Role-based
authorization limits access to switch operations by assigning users to roles. This kind of authentication
restricts you to management operations based on the roles to which you have been added.
When you execute a command, perform command completion, or obtain context sensitive help, the
switch software allows the operation to progress if you have permission to access that command.
This section includes the following topics:
• About Roles
• Configuring Roles and Profiles
• Deleting Common Roles
• About the VSAN Policy
• Modifying the VSAN Policy
• About Rules and Features for Each Role
• Modifying Rules
• Displaying Role-Based Information

About Roles
Each role can contain multiple users and each user can be part of multiple roles. For example, if role1
users are only allowed access to configuration commands, and role2 users are only allowed access to
debug commands, then if Joe belongs to both role1 and role2, he can access configuration as well as
debug commands.

Note If you belong to multiple roles, you can execute a union of all the commands permitted by these roles.
Access to a command takes priority over being denied access to a command. For example, suppose you
belong to a TechDocs group and you were denied access to configuration commands. However, you also
belong to the engineering group and have access to configuration commands. In this case, you will have
access to configuration commands.

Tip Any role, when created, does not allow access to the required commands immediately. The administrator
must configure appropriate rules for each role to allow access to the required commands.

Configuring Roles and Profiles


To create an additional role or to modify the profile for an existing role using Fabric Manager, follow
these steps:

Step 1 Expand Switches > Security and then select Users and Roles from the Physical Attributes pane. Click
the Roles tab in the Information pane.
You see the information shown in Figure 39-1.

Figure 39-1 Roles Tab in Users and Roles Screen

Step 2 Click Create Row to create a role in Fabric Manager.


You see the Create Roles dialog box in Figure 39-2.

Figure 39-2 Create Roles Dialog Box

Step 3 Select the switches on which to configure a role.


Step 4 Enter the name of the role in the Name field.
Step 5 Enter the description of the role in the Description field.
Step 6 (Optional) Check the Enable check box to enable the VSAN scope and enter the list of VSANs in the
Scope field to which you want to restrict this role.
Step 7 Click Create to create the role, or click Close to close the Roles - Create dialog box without creating
the common role.

Note Device Manager automatically creates six roles that are required for Device Manager to display a view
of a switch. These roles are system, snmp, module, interface, hardware, and environment.

Deleting Common Roles


To delete a common role using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles from the Physical Attributes pane. Click
the Roles tab in the Information pane.
Step 2 Click the role you want to delete.
Step 3 Click Delete Row to delete the common role.
Step 4 Click Yes to confirm the deletion or No to cancel it.

About the VSAN Policy


Configuring the VSAN policy requires the ENTERPRISE_PKG license (see Chapter 10, Obtaining and
Installing Licenses).


By default, the VSAN policy for any role is permit, which allows tasks to be performed for all VSANs.
You can configure a role so that it only allows tasks to be performed for a selected set of VSANs. To
selectively allow VSANs for a role, set the VSAN policy to deny, and then set the configuration to
permit for the appropriate VSANs.

Note Users configured in roles where the VSAN policy is set to deny cannot modify the configuration for E
ports. They can only modify the configuration for F or FL ports (depending on whether the configured
rules allow such configuration to be made). This is to prevent such users from modifying configurations
that may impact the core topology of the fabric.

Tip Roles can be used to create VSAN administrators. Depending on the configured rules, these VSAN
administrators can configure MDS features (for example, zone, fcdomain, or VSAN properties) for their
VSANs without affecting other VSANs. Also, if the role permits operations in multiple VSANs, then the
VSAN administrators can change VSAN membership of F or FL ports among these VSANs.

Users belonging to roles in which the VSAN policy is set to deny are referred to as VSAN-restricted
users.

Modifying the VSAN Policy


To modify the VSAN policy for an existing role using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles from the Physical Attributes pane. Click
the Roles tab in the Information pane.
Step 2 Check the Scope Enable check box if you want to enable the VSAN scope and restrict this role to a
subset of VSANs.
Step 3 Enter the list of VSANs in the Scope VSAN Id List field that you want to restrict this role to.
Step 4 Click Apply Changes to save these changes or click Undo Changes to discard any unsaved changes.

About Rules and Features for Each Role


Up to 16 rules can be configured for each role. These rules reflect what CLI commands are allowed. The
user-specified rule number determines the order in which the rules are applied. For example, rule 1 is
applied before rule 2, which is applied before rule 3, and so on. A user not belonging to the
network-admin role cannot perform commands related to roles.
For example, if user A is permitted to perform all show CLI commands, user A cannot view the output
of the show role CLI command if user A does not belong to the network-admin role.
A rule specifies operations that can be performed by a specific role. Each rule consists of a rule number,
a rule type (permit or deny), a CLI command type (for example, config, clear, show, exec, debug), and
an optional feature name (for example, FSPF, zone, VSAN, fcping, or interface).


Note In this case, exec CLI commands refer to all commands in the EXEC mode that do not fall in the show,
debug, and clear CLI command categories.

Modifying Rules
To modify the rules for an existing role using Device Manager, follow these steps:

Step 1 Click Security > Roles.


Step 2 You see the Common Roles dialog box shown in Figure 39-3.

Figure 39-3 Common Roles Dialog Box in Device Manager

Step 3 Click the role for which you want to edit the rules.
Step 4 Click Rules to view the rules for the role.


You see the Rules dialog box shown in Figure 39-4. It may take a few minutes to display.

Figure 39-4 Edit Common Role Rules Dialog Box

Step 5 Edit the rules you want to enable or disable for the common role.
Step 6 Click Apply to apply the new rules and close the Rules dialog box, or click Close to close the Rules
dialog box without applying the rules.

Rule 1 is applied first, thus permitting, for example, sangroup users access to all config CLI commands.
Rule 2 is applied next, denying FSPF configuration to sangroup users. As a result, sangroup users can
perform all other config CLI commands, except fspf CLI configuration commands.

Note The order of rule placement is important. If you had swapped these two rules and issued the deny config
feature fspf rule first and issued the permit config rule next, you would be allowing all sangroup users
to perform all configuration commands because the second rule globally overrode the first rule.
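
The rule ordering and multiple-role behavior described in this chapter can be checked with a small model. This is an added example, not Cisco code and not the switch's implementation: the Rule and Role classes, the role names sangroup-swapped and viewer, and the treatment of role commands as a feature named role are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_RULES = 16  # the chapter allows up to 16 rules per role
COMMAND_TYPES = ("config", "clear", "show", "exec", "debug")


@dataclass(frozen=True)
class Rule:
    number: int                    # user-specified; sets the evaluation order
    action: str                    # "permit" or "deny"
    cmd_type: str                  # one of COMMAND_TYPES
    feature: Optional[str] = None  # None = every feature of that command type

    def matches(self, cmd_type: str, feature: Optional[str]) -> bool:
        if self.cmd_type != cmd_type:
            return False
        return self.feature is None or self.feature == feature


@dataclass
class Role:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> "Role":
        if rule.action not in ("permit", "deny"):
            raise ValueError(f"unknown rule type: {rule.action}")
        if rule.cmd_type not in COMMAND_TYPES:
            raise ValueError(f"unknown command type: {rule.cmd_type}")
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"role {self.name} already has {MAX_RULES} rules")
        if any(r.number == rule.number for r in self.rules):
            raise ValueError(f"rule {rule.number} already exists")
        self.rules.append(rule)
        return self

    def allows(self, cmd_type: str, feature: Optional[str] = None) -> bool:
        allowed = False  # a new role permits nothing until rules are added
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(cmd_type, feature):
                allowed = rule.action == "permit"  # a later rule overrides an earlier one
        return allowed


def user_allowed(roles: List[Role], cmd_type: str, feature: Optional[str] = None) -> bool:
    # Commands related to roles are reserved for network-admin members,
    # whatever the other rules say (modelled here as feature == "role").
    if feature == "role":
        return any(r.name == "network-admin" for r in roles)
    # Union of roles: a permit from any role wins over a deny from another.
    return any(r.allows(cmd_type, feature) for r in roles)


def demo() -> dict:
    # The ordering discussed in the text: permit config, then deny config feature fspf.
    sangroup = Role("sangroup")
    sangroup.add_rule(Rule(1, "permit", "config"))
    sangroup.add_rule(Rule(2, "deny", "config", "fspf"))

    # The same two rules swapped: the global permit now comes last and wins.
    swapped = Role("sangroup-swapped")
    swapped.add_rule(Rule(1, "deny", "config", "fspf"))
    swapped.add_rule(Rule(2, "permit", "config"))

    techdocs = Role("TechDocs").add_rule(Rule(1, "deny", "config"))
    engineering = Role("engineering").add_rule(Rule(1, "permit", "config"))
    viewer = Role("viewer").add_rule(Rule(1, "permit", "show"))

    return {
        "sangroup config zone": sangroup.allows("config", "zone"),
        "sangroup config fspf": sangroup.allows("config", "fspf"),
        "swapped config fspf": swapped.allows("config", "fspf"),
        "TechDocs+engineering config zone":
            user_allowed([techdocs, engineering], "config", "zone"),
        "viewer show zone": user_allowed([viewer], "show", "zone"),
        "viewer show role": user_allowed([viewer], "show", "role"),
        "empty role show zone": Role("newrole").allows("show", "zone"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:35} {'permit' if result else 'deny'}")
```

When auditing a role, the swapped case is the one to look for: a broad permit with a higher rule number than a narrower deny makes the deny ineffective.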


Displaying Role-Based Information


The rules are displayed by rule number and are based on each role. All roles are displayed if the role
name is not specified.
To view rules for a role using Device Manager, follow these steps:

Step 1 Click Security > Roles.


You see the Roles dialog box.
Step 2 Select a role name and click Rules.
You see the Rules dialog box.
Step 3 Click Summary to get a summarized view of the rules configured for this role.

Role Distributions
Role-based configurations use the Cisco Fabric Services (CFS) infrastructure to enable efficient
database management, and to provide a single point of configuration for the entire fabric (see
Chapter 13, Using the CFS Infrastructure).
The following configurations are distributed:
Role names and descriptions
List of rules for the roles
VSAN policy and the list of permitted VSANs
This section includes the following topics:
About Role Databases
Locking the Fabric
Committing the Changes
Discarding the Changes
Enabling Distribution
Clearing Sessions
Database Merge Guidelines
Displaying Roles When Distribution is Enabled

About Role Databases


Role-based configurations use two databases to accept and implement configurations.
Configuration database: The running database currently enforced by the fabric.
Pending database: Your subsequent configuration changes are stored in the pending database. If
you modify the configuration, you need to commit or discard the pending database changes to the
configuration database. The fabric remains locked during this period. Changes to the pending
database are not reflected in the configuration database until you commit the changes.


Locking the Fabric


The first action that modifies the database creates the pending database and locks the feature in the entire
fabric. Once you lock the fabric, the following situations apply:
No other user can make any configuration changes to this feature.
A copy of the configuration database becomes the pending database along with the first change.

Committing the Changes


If you commit the changes made to the pending database, the configuration is committed to all the
switches in the fabric. On a successful commit, the configuration change is applied throughout the fabric
and the lock is released. The configuration database now contains the committed changes and the
pending database is now cleared.
To commit role-based configuration changes using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles in the Physical Attributes pane. Click the
Roles CFS tab in the Information pane.
You see the screen shown in Figure 39-5.

Figure 39-5 Roles CFS Tab

Step 2 Set the Global drop-down menu to enable to enable CFS.


Step 3 Click Apply Changes to save this change.
Step 4 Set the Config Action drop-down menu to commit to commit the roles using CFS.
Step 5 Click Apply Changes to save this change.


Discarding the Changes


If you discard (abort) the changes made to the pending database, the configuration database remains
unaffected and the lock is released.
To discard role-based configuration changes using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles in the Physical Attributes pane. Click the
Roles CFS tab in the Information pane.
Step 2 Set the Config Action drop-down menu to abort to discard any uncommitted changes.
Step 3 Click Apply Changes to save this change.

Enabling Distribution
To enable role-based configuration distribution using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles in the Physical Attributes pane. Click the
Roles CFS tab in the Information pane.
Step 2 Set the Global drop-down menu to enable to enable CFS distribution.
Step 3 Click Apply Changes to save this change.

Clearing Sessions
To forcibly clear the existing role session in the fabric using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles in the Physical Attributes pane. Click the
Roles CFS tab in the Information pane.
Step 2 Set the Config Action drop-down menu to clear to clear the pending database.
Step 3 Click Apply Changes to save this change.

Note Any changes in the pending database are lost when you clear a session.


Database Merge Guidelines


Fabric merge does not modify the role database on a switch. If two fabrics merge, and the fabrics have
different role databases, the software generates an alert message.
See the CFS Merge Support section on page 13-9 for detailed concepts.
Verify that the role database is identical on all switches in the entire fabric.
Be sure to edit the role database on any switch to the desired database and then commit it. This
synchronizes the role databases on all the switches in the fabric.

Displaying Roles When Distribution is Enabled


When you enable distribution for roles, you can view either the pending role database (the database
before it is distributed) or the running database.
To view the roles using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles in the Physical Attributes pane. Click the
Roles CFS tab in the Information pane (see Figure 39-6).

Figure 39-6 Roles CFS Tab

Step 2 Set the Config View As drop-down menu to pending to view the pending database, or set it to
running to view the running database.
Step 3 Click Apply Changes to save this change.

User Accounts
Every Cisco MDS 9000 Family switch user has the account information stored by the system. Your
authentication information, user name, user password, password expiration date, and role membership
are stored in your user profile.
The tasks explained in this section enable you to create users and modify the profile of an existing user.
These tasks are restricted to privileged users as determined by your administrator.


A strong password has the following characteristics:
Is at least eight characters long
Does not contain many consecutive characters (such as abcd)
Does not contain many repeating characters (such as aaabbb)
Does not contain dictionary words
Contains both uppercase and lowercase characters
Contains numbers
The following are examples of strong passwords:
If2CoM18
2004AsdfLkj30
Cb1955S21

Note Clear text passwords can only contain alphanumeric characters. Special characters such as the dollar sign
($) or the percent sign (%) are not allowed.

This section includes the following topics:


About Users
Configuring Users
Deleting a User
Displaying User Account Information

About Users
The passphrase specified in the snmp-server user option and the password specified in the username
option are synchronized (see the SNMPv3 CLI User Management and AAA Integration section on
page 40-2).
By default, the user account does not expire unless you explicitly configure it to expire. The expire
option determines the date on which the user account is disabled. The date is specified in the
YYYY-MM-DD format.

Tip The following words are reserved and cannot be used to configure users: bin, daemon, adm, lp, sync,
shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, nscd, mailnull, rpc, rpcuser, xfs,
gdm, mtsuser, ftpuser, man, and sys.

Note User passwords are not displayed in the switch configuration file.

Tip If a password is trivial (short, easy-to-decipher), your password configuration is rejected. Be sure to
configure a strong password as shown in the sample configuration. Passwords are case-sensitive.
admin is no longer the default password for any Cisco MDS 9000 Family switch. You must explicitly
configure a strong password.


Caution Cisco MDS SAN-OS does not support all numeric user names, whether created with TACACS+ or
RADIUS, or created locally. Local users with all numeric names cannot be created. If an all numeric user
name exists on an AAA server and is entered during login, the user is not logged in.
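
The user name and password constraints listed in this section can be checked before an account is submitted to the switch. This is an added example, not Cisco code and not the switch's own password checker: the run-length thresholds (the chapter only says "many"), the small dictionary, and the function names are assumptions.

```python
import re

# Reserved words listed in this chapter; they cannot be used as user names.
RESERVED_USER_NAMES = frozenset(
    "bin daemon adm lp sync shutdown halt mail news uucp operator games gopher "
    "ftp nobody nscd mailnull rpc rpcuser xfs gdm mtsuser ftpuser man sys".split()
)

# Constructed stand-in for a real word list (assumption).
SAMPLE_DICTIONARY = ("password", "admin", "cisco", "switch", "fabric")

# Assumed thresholds: "abcd" (run of 4) and "aaabbb" (runs of 3) are the
# chapter's examples of what a strong password should not contain.
MAX_SEQUENCE_RUN = 3
MAX_REPEAT_RUN = 2


def _longest_run(text: str, step: int) -> int:
    """Longest run in which each character is the previous one plus `step`."""
    best = run = 1 if text else 0
    for prev, cur in zip(text, text[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        best = max(best, run)
    return best


def username_problems(name: str) -> list:
    problems = []
    if name.isdigit():
        problems.append("all-numeric user name")
    if name in RESERVED_USER_NAMES:
        problems.append("reserved word")
    return problems


def password_problems(password: str, dictionary=SAMPLE_DICTIONARY) -> list:
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not re.fullmatch(r"[A-Za-z0-9]+", password):
        problems.append("non-alphanumeric character")
    if _longest_run(lowered, 1) > MAX_SEQUENCE_RUN:
        problems.append("consecutive characters")
    if _longest_run(lowered, 0) > MAX_REPEAT_RUN:
        problems.append("repeating characters")
    if any(word in lowered for word in dictionary):
        problems.append("dictionary word")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase character")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase character")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    return problems


if __name__ == "__main__":
    # The first three are the chapter's own strong examples; the rest are constructed.
    for candidate in ("If2CoM18", "2004AsdfLkj30", "Cb1955S21",
                      "abcd1234", "aaabbb12", "Pa$$w0rdXy"):
        print(f"{candidate:15} {password_problems(candidate) or 'ok'}")
    for name in ("joe", "12345", "ftp"):
        print(f"{name:15} {username_problems(name) or 'ok'}")
```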

Configuring Users
To configure a new user or to modify the profile of an existing user using Fabric Manager, follow these
steps:

Step 1 Expand Switches > Security and then select Users and Roles from the Physical Attributes pane. Click
the Users tab in the Information pane to see a list of users like the one in Figure 39-7.

Figure 39-7 Users listed under the Users Tab

Step 2 Click Create Row.


You see the Create Users dialog box shown in Figure 39-8.

Figure 39-8 Create Users Dialog Box

Step 3 (Optional) Alter the Switches check boxes to specify one or more switches.
Step 4 Enter the user name in the New User field.
Step 5 Select a role from the Role drop-down menu. You can also enter a new role name in the field if you do
not want to select one from the drop-down menu. If you do this, go back and configure this role
appropriately (see the User Accounts section on page 39-10).
Step 6 Enter the password for the user in the New Password field, and enter the same password again in the
Confirm Password field.
Step 7 Check the Privacy check box and complete the password fields to encrypt management traffic.
Step 8 Click Create to create the entry or click Close to discard any unsaved changes and close the dialog box.

Changing Administrator Password using Fabric Manager


To change the administrator password in Fabric Manager, follow these steps:

Step 1 Click the Open tab in the control panel.


Step 2 Click the password field to change the password for an already existing user for the fabric.
Step 3 Click Open to open the fabric.


Note The new password is saved after the fabric is opened. The user name and password fields are
editable in the Fabric tab only after you unmanage the fabric.


Deleting a User
To delete a user using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles from the Physical Attributes pane. Click
the Users tab in the Information pane to see a list of users.
Step 2 Click the name of the user you want to delete.
Step 3 Click Delete Row to delete the selected user.
Step 4 Click Apply Changes to save this change.

Displaying User Account Information


To display configured information about user accounts using Fabric Manager, follow these steps:

Step 1 Expand Security and then select Users and Roles in the Physical Attributes pane.
Step 2 Click the Users tab. You see the list of SNMP users shown in Figure 39-9 in the Information pane.

Figure 39-9 Users Listed under the Users Tab

SSH Services
The Telnet service is enabled by default on all Cisco MDS 9000 Family switches. Before enabling the
SSH service, generate a server key pair (see the Generating the SSH Server Key Pair section on
page 39-17).
This section includes the following topics:
About SSH
About the SSH Server Key Pair
Generating the SSH Server Key Pair
Overwriting a Generated Key Pair
Enabling SSH or Telnet Service
SSH Authentication Using Digital Certificates

About SSH
SSH provides secure communications to the Cisco NX-OS CLI. You can use SSH keys for the following
SSH options:
SSH1
SSH2 using RSA
SSH2 using DSA

About the SSH Server Key Pair


Be sure to have an SSH server key pair with the appropriate version before enabling the SSH service.
Generate the SSH server key pair according to the SSH client version used. The number of bits specified
for each key pair ranges from 768 to 2048.
The SSH service accepts three types of key pairs for use by SSH versions 1 and 2.
The rsa1 option generates the RSA1 key pair for the SSH version 1 protocol.
The dsa option generates the DSA key pair for the SSH version 2 protocol.
The rsa option generates the RSA key pair for the SSH version 2 protocol.

Caution If you delete all of the SSH keys, you cannot start a new SSH session.


Generating the SSH Server Key Pair


To generate the SSH server key pair, follow these steps:

Step 1 Expand Switches > Security and then select SSH and Telnet.
You see the configuration shown in Figure 39-10 in the Information pane.

Figure 39-10 SSH and Telnet Configuration

Step 2 Click Create Row.


You see the SSH and Telnet Key Create dialog box shown in Figure 39-11.

Figure 39-11 Create SSH and Telnet Dialog Box

Step 3 Check the switches you want to assign to this SSH key pair.
Step 4 Choose the key pair option type from the listed Protocols. The listed protocols are SSH1, SSH2(rsa), and
SSH2(dsa).
Step 5 Set the number of bits that will be used to generate the key pairs in the NumBits drop-down menu.
Step 6 Click Create to generate these keys or click Close to discard any unsaved changes.

Note 1856 DSA NumberKeys are not supported by switches that are running Cisco MDS NX-OS software
version 4.1(1) and later.


Overwriting a Generated Key Pair


If the SSH key pair option is already generated for the required version, you can force the switch to
overwrite the previously generated key pair.
To overwrite a previously generated key pair using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select SSH and Telnet.
You see the configuration in the Information pane.
Step 2 Highlight the key that you want to overwrite and click Delete Row.
Step 3 Click Apply Changes to save these changes or click Undo Changes to discard unsaved changes.
Step 4 Click Create Row.
You see the SSH and Telnet Key Create dialog box.
Step 5 Check the switches you want to assign to this SSH key pair.
Step 6 Choose the key pair option type from the Protocols radio buttons.
Step 7 Set the number of bits that will be used to generate the key pairs in the NumBits drop-down menu.
Step 8 Click Create to generate these keys or click Close to discard any unsaved changes.

Enabling SSH or Telnet Service


By default, the SSH service is disabled. Fabric Manager enables SSH automatically when you configure
it.
To enable or disable SSH using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select SSH and Telnet.
Step 2 Select the Control tab and check an SSH check box or Telnet check box for each switch as shown in
Figure 39-12.

Figure 39-12 Control Tab under SSH and Telnet

Step 3 Click Apply Changes to save this change or click Undo Changes to discard unsaved changes.


Note If you are logging in to a switch through SSH and you have issued the aaa authentication login
default none CLI command, you must enter one or more keystrokes to log in. If you press the
Enter key without entering at least one keystroke, your login is rejected.

SSH Authentication Using Digital Certificates


SSH authentication on the Cisco MDS 9000 Family switches provides X.509 digital certificate support
for host authentication. An X.509 digital certificate is a data item that vouches for the origin and integrity
of a message. It contains encryption keys for secured communications and is signed by a trusted
certification authority (CA) to verify the identity of the presenter. The X.509 digital certificate support
provides either DSA or RSA algorithms for authentication.
The certificate infrastructure uses the first certificate that supports the Secure Socket Layer (SSL) and
is returned by the security infrastructure, either through query or notification. Verification of certificates
is successful if the certificates are from any of the trusted CAs.
You can configure your switch for either SSH authentication using an X.509 certificate or SSH
authentication using a Public Key Certificate, but not both. If either of them is configured and the
authentication fails, you will be prompted for a password.
For more information on CAs and digital certificates, see Chapter 43, Configuring Certificate
Authorities and Digital Certificates.

Creating or Updating Users


The passphrase specified in the snmp-server user option and the password specified in the username
option are synchronized.
By default, the user account does not expire unless you explicitly configure it to expire. The expire
option determines the date on which the user account is disabled. The date is specified in the
YYYY-MM-DD format.

Tip The following words are reserved and cannot be used to configure users: bin, daemon, adm, lp, sync,
shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, nscd, mailnull, rpc, rpcuser, xfs,
gdm, mtsuser, ftpuser, man, and sys.

Note User passwords are not displayed in the switch configuration file.

Tip If a password is trivial (short, easy-to-decipher), your password configuration is rejected. Be sure to
configure a strong password as shown in the sample configuration. Passwords are case-sensitive.
admin is no longer the default password for any Cisco MDS 9000 Family switch. You must explicitly
configure a strong password.


Caution Cisco MDS NX-OS does not support all numeric usernames, whether created with TACACS+ or
RADIUS, or created locally. Local users with all numeric names cannot be created. If an all numeric
username exists on an AAA server and is entered during login, the user is not logged in.

Tip To issue commands with the internal keyword for troubleshooting purposes, you must have an account
that is a member of the network-admin group.

Note Only network-admin users are allowed to modify other users' privileges.

To configure a new user or to modify the profile of an existing user using Fabric Manager, follow these
steps:

Step 1 Expand Switches > Security and then select Users and Roles from the Physical Attributes pane. Click
the Users tab in the Information pane to see the user information.
Step 2 Click Create Row to create a user.
You see the Create Users dialog box.
Step 3 Select the switches to which this user will be allowed access.
Step 4 Assign a new user name and password.

Note User account names must contain non-numeric characters.

Step 5 Select the roles that you want to assign to this new user.
Step 6 Select the digest and encryption for the user that you are creating or updating.
Step 7 (Optional) Enter an expiry date and an SSH file name for the user.
Step 8 Click Create to create the user or Close to discard the changes.

Recovering the Administrator Password


You can recover the administrator password using one of two methods:
From the CLI with a user name that has network-admin privileges.
Power cycling the switch.

Note To recover an administrator's password, refer to the Cisco MDS 9000 Family CLI Configuration Guide.


Configuring Cisco ACS Servers


The Cisco Access Control Server (ACS) uses TACACS+ and RADIUS protocols to provide AAA
services that ensure a secure environment. When using the AAA server, user management is normally
done using Cisco ACS. Figure 39-13, Figure 39-14, Figure 39-15, and Figure 39-16 display ACS server
user setup configurations for network-admin roles and multiple roles using either TACACS+ or
RADIUS.

Caution Cisco MDS NX-OS does not support all numeric usernames, whether created with TACACS+ or
RADIUS, or created locally. Local users with all numeric names cannot be created. If an all numeric user
name exists on an AAA server and is entered during login, the user is not logged in.

Note Each role specified in the cisco-av-pair must exist in the MDS, or the user will have the network-operator
role.

Figure 39-13 Configuring the Network-admin Role When Using RADIUS


Figure 39-14 Configuring Multiple Roles with SNMPv3 Attributes When Using RADIUS


Figure 39-15 Configuring the network-admin Role with SNMPv3 Attributes When Using TACACS+


Figure 39-16 Configuring Multiple Roles with SNMPv3 Attributes When Using TACACS+

Default Settings
Table 39-1 lists the default settings for all switch security features in any switch.

Table 39-1 Default Switch Security Settings

Parameters                     Default
Roles in Cisco MDS Switches    Network operator (network-operator).
AAA configuration services     Local.
Authentication port            1812.
Accounting port                1813.
Preshared key communication    Clear text.
RADIUS server time out         1 (one) second.
RADIUS server retries          Once.
TACACS+                        Disabled.
TACACS+ servers                None configured.
TACACS+ server timeout         5 seconds.
AAA server distribution        Disabled.
VSAN policy for roles          Permit.
User account                   No expiry (unless configured).
Password                       None.
Accounting log size            250 KB.
SSH service                    Disabled.
Telnet service                 Enabled.


CHAPTER 40
Configuring SNMP

The CLI and SNMP use common roles in all switches in the Cisco MDS 9000 Family. You can use
SNMP to modify a role that was created using the CLI and vice versa.
Users, passwords, and roles for all CLI and SNMP users are the same. A user configured through the
CLI can access the switch using SNMP (for example, the Fabric Manager or the Device Manager) and
vice versa.
This chapter includes the following sections:
About SNMP Security
SNMPv3 CLI User Management and AAA Integration
Creating and Modifying Users
SNMP Trap and Inform Notifications
Default Settings

About SNMP Security


SNMP is an application layer protocol that facilitates the exchange of management information between
network devices. In all Cisco MDS 9000 Family switches, three SNMP versions are available: SNMPv1,
SNMPv2c, and SNMPv3 (see Figure 40-1).

Figure 40-1 SNMP Security [diagram labels: SNMP v1 or v2c (network operator level); Switch 1; SNMP request; GET or SET SNMP commands; SNMP response (response depends on successful authentication)]


This section includes the following topics:


SNMP Version 1 and Version 2c
SNMP Version 3
Assigning SNMP Switch Contact and Location Information

SNMP Version 1 and Version 2c


SNMP Version 1 (SNMPv1) and SNMP Version 2c (SNMPv2c) use a community string match for user
authentication. Community strings provided a weak form of access control in earlier versions of SNMP.
SNMPv3 provides much improved access control using strong authentication and should be preferred
over SNMPv1 and SNMPv2c wherever it is supported.

SNMP Version 3
SNMP Version 3 (SNMPv3) is an interoperable standards-based protocol for network management.
SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames
over the network. The security features provided in SNMPv3 are:
Message integrity: Ensures that a packet has not been tampered with in transit.
Authentication: Determines the message is from a valid source.
Encryption: Scrambles the packet contents to prevent it from being seen by unauthorized sources.
SNMPv3 provides for both security models and security levels. A security model is an authentication
strategy that is set up for a user and the role in which the user resides. A security level is the permitted
level of security within a security model. A combination of a security model and a security level
determines which security mechanism is employed when handling an SNMP packet.

Assigning SNMP Switch Contact and Location Information


You can assign the switch contact information, which is limited to 32 characters (without spaces), and
the switch location.
To configure contact and location information using Fabric Manager, follow these steps:

Step 1 Expand Switches from the Physical Attributes pane. You see the switch settings in the Information pane.
Step 2 Fill in the Location and Contact fields for each switch.
Step 3 Click Apply Changes to save these changes or click Undo Changes to discard any unsaved changes.

SNMPv3 CLI User Management and AAA Integration


The Cisco NX-OS software implements RFC 3414 and RFC 3415, including user-based security model
(USM) and role-based access control. While SNMP and the CLI have common role management and
share the same credentials and access privileges, the local user database was not synchronized in earlier
releases.


SNMPv3 user management can be centralized at the AAA server level. This centralized user
management allows the SNMP agent running on the Cisco MDS switch to leverage the user
authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are
processed further. Additionally, the AAA server is also used to store user group names. SNMP uses the
group names to apply the access/role policy that is locally available in the switch.
This section includes the following topics:
CLI and SNMP User Synchronization
Restricting Switch Access
Group-Based SNMP Access

CLI and SNMP User Synchronization


Any configuration change made to the user group, role, or password results in database synchronization
for both SNMP and AAA.
Users are synchronized as follows:
Deleting a user using either command results in the user being deleted for both SNMP and the CLI.
User-role mapping changes are synchronized in SNMP and the CLI.

Note When the passphrase/password is specified in localized key/encrypted format, the password is
not synchronized.

Note Starting in 3.0(1), the temporary SNMP login created for FM is no longer 24 hours. It is one
hour.

Existing SNMP users continue to retain the auth and priv passphrases without any changes.
If the management station creates an SNMP user in the usmUserTable, the corresponding CLI user
is created without any password (login is disabled) and will have the network-operator role.

Restricting Switch Access


You can restrict access to a Cisco MDS 9000 Family switch using IP Access Control Lists (IP-ACLs).
See Chapter 42, "Configuring IPv4 and IPv6 Access Control Lists."

Group-Based SNMP Access

Note Because group is a standard SNMP term used industry-wide, we refer to role(s) as group(s) in this SNMP
section.

SNMP access rights are organized by groups. Each group in SNMP is similar to a role through the CLI.
Each group is defined with three accesses: read access, write access, and notification access. Each access
can be enabled or disabled within each group.


You can begin communicating with the agent once your user name is created, your roles are set up by
your administrator, and you are added to the roles.

Creating and Modifying Users


You can create users or modify existing users using SNMP, Fabric Manager, or the CLI.
SNMP: Create a user as a clone of an existing user in the usmUserTable on the switch. Once you
have created the user, change the cloned secret key before activating the user. Refer to RFC 2574.
Fabric Manager: See the "Configuring Users" section on page 39-12.
CLI: Create a user or modify an existing user using the snmp-server user command.
The network-operator and network-admin roles are available in a Cisco MDS 9000 Family switch. There
is also a default-role if you want to use the GUI (Fabric Manager and Device Manager). You can also
use any role that is configured in the Common Roles database (see the "Configuring User Accounts"
section on page 32-15).

Tip All updates to the CLI security database and the SNMP user database are synchronized. You can use the
SNMP password to log into either Fabric Manager or Device Manager. However, after you use the CLI
password to log into Fabric Manager or Device Manager, you must use the CLI password for all future
logins. If a user exists in both the SNMP database and the CLI database before upgrading to Cisco MDS
SAN-OS Release 2.0(1b), then the set of roles assigned to the user becomes the union of both sets of
roles after the upgrade.

This section includes the following topics:


About AES Encryption-Based Privacy
Enforcing SNMPv3 Message Encryption
Assigning SNMPv3 Users to Multiple Roles
Adding Communities
Deleting a Community String

About AES Encryption-Based Privacy


The Advanced Encryption Standard (AES) is a symmetric cipher algorithm. The Cisco NX-OS
software uses AES as one of the privacy protocols for SNMP message encryption and conforms with
RFC 3826.
The priv option offers a choice of DES or 128-bit AES encryption for SNMP security encryption. The
priv option along with the aes-128 token indicates that this privacy password is for generating a 128-bit
AES key. The AES priv password can have a minimum of eight characters. If the passphrases are
specified in clear text, you can specify a maximum of 64 characters. If you use the localized key, you
can specify a maximum of 130 characters.

Note For an SNMPv3 operation using the external AAA server, user configurations in the external AAA server
require AES to be the privacy protocol to use SNMP PDU encryption.
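
The clear-text passphrase and the localized key mentioned above are related by the RFC 3414 key-localization algorithm, and RFC 3826 takes the first 128 bits of the localized key as the AES key. The following Python is an added example, not Cisco code: the function names and the second engine ID are assumptions, while the password and the first engine ID are the sample values published in RFC 3414.

```python
import hashlib

STREAM_LEN = 1048576  # RFC 3414 A.2: hash exactly 1 MiB of repeated password


def password_to_key(password: str, hash_name: str) -> bytes:
    """Step 1: digest the first 1,048,576 octets of the password repeated
    end to end. The result (Ku) is the same on every SNMP engine."""
    pw = password.encode("ascii")
    if len(pw) < 8:
        raise ValueError("password must be at least eight characters")
    repeats = STREAM_LEN // len(pw) + 1
    return hashlib.new(hash_name, (pw * repeats)[:STREAM_LEN]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku), unique per engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_pw: str, priv_pw: str, engine_id_hex: str,
             hash_name: str = "sha1") -> dict:
    """Derive the localized auth key and the AES-128 privacy key that a
    management station must hold for one specific engine ID."""
    engine_id = bytes.fromhex(engine_id_hex)
    auth_kul = localize_key(password_to_key(auth_pw, hash_name),
                            engine_id, hash_name)
    priv_kul = localize_key(password_to_key(priv_pw, hash_name),
                            engine_id, hash_name)
    # RFC 3826: the AES key is the first 128 bits of the localized key.
    return {"authKey": auth_kul.hex(), "privKey_aes128": priv_kul[:16].hex()}


if __name__ == "__main__":
    # First engine ID is the RFC 3414 sample; the second is constructed.
    for eid in ("000000000000000000000002", "000000000000000000000003"):
        print(eid, usm_keys("maplesyrup", "maplesyrup", eid))
```

Because the engine ID is mixed into the digest, a localized key taken from one switch's configuration is not valid on a switch with a different engine ID, whereas a shared clear-text passphrase is.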


Enforcing SNMPv3 Message Encryption


By default, the SNMP agent allows the securityLevel parameters of authNoPriv and authPriv for the
SNMPv3 messages that use user-configured SNMPv3 message encryption with auth and priv keys.
To enforce the message encryption for a user using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles from the Physical Attributes pane.
Step 2 Click the Users tab in the Information pane to see a list of users like the one shown in Figure 40-2.

Figure 40-2 User Information Under the User Tab

Step 3 Click Create Row.
You see the Create Users dialog box.
Step 4 Enter the user name in the New User field.
Step 5 Select the role from the Role drop-down menu. You can enter a new role name in the field if you do not
want to select one from the drop-down menu. If you do this, you must go back and configure this role
appropriately (see the "User Accounts" section on page 39-10).
Step 6 Enter a password for the user in the Password field.
Step 7 Click the Privacy tab (see Figure 40-3).

Figure 40-3 Privacy Tab

Step 8 Check the Enforce SNMP Privacy Encryption check box to encrypt management traffic.
Step 9 Click Create to create the new entry.

To enforce the SNMPv3 message encryption globally on all the users using Fabric Manager, follow these
steps:


Step 1 Select a VSAN in the Logical Domains pane. This will not work if you select All VSANS.
Step 2 Expand Switches > Security and then select Users and Roles in the Physical Attributes pane. Click the
Global tab in the Information pane.
Step 3 Check the GlobalEnforcePriv check box.
Step 4 Click the Apply Changes icon to save these changes.
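
To confirm from a saved configuration that privacy is actually enforced, and to list any SNMPv1/v2c community strings still defined, the settings can be audited offline. The following Python is an added example, not Cisco code: the function name and finding labels are hypothetical, the sample lines are constructed with dummy keys, and the snmp-server CLI syntax it parses is assumed from the CLI rather than shown in this guide.

```python
# Constructed configuration lines in snmp-server CLI syntax; keys are dummies.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community fabric-rw rw
snmp-server user admin network-admin auth md5 0x00000000 priv 0x00000000 localizedkey
snmp-server user monitor network-operator auth sha 0x00000000 localizedkey
snmp-server user backup network-admin auth sha 0x00000000 priv aes-128 0x00000000 localizedkey
snmp-server user backup enforcePriv
"""


def audit_snmp(config: str) -> list:
    """Return (subject, finding) pairs for weak SNMP settings."""
    users, findings, global_enforce = {}, [], False
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "snmp-server":
            continue
        if tok[1] == "globalEnforcePriv":
            global_enforce = True
        elif tok[1] == "community" and len(tok) >= 3:
            # Any community string means SNMPv1/v2c access is available.
            writable = "rw" in tok[3:] or "network-admin" in tok[3:]
            findings.append(
                (tok[2], "community-rw" if writable else "community-ro"))
        elif tok[1] == "user" and len(tok) >= 3:
            user = users.setdefault(tok[2], {"priv": None, "enforce": False})
            rest = tok[3:]
            if "enforcePriv" in rest:
                user["enforce"] = True
            if "priv" in rest:
                i = rest.index("priv")
                # priv without the aes-128 token selects DES.
                is_aes = rest[i + 1:i + 2] == ["aes-128"]
                user["priv"] = "aes-128" if is_aes else "des"
    for name, user in sorted(users.items()):
        if user["priv"] is None:
            findings.append((name, "no-priv-key"))
            continue
        if user["priv"] == "des":
            findings.append((name, "des-privacy"))
        # Without per-user or global enforcement the agent still accepts
        # authNoPriv messages from this user.
        if not (user["enforce"] or global_enforce):
            findings.append((name, "authNoPriv-accepted"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{subject:12} {finding}")
```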

Assigning SNMPv3 Users to Multiple Roles


The SNMP server user configuration is enhanced to accommodate multiple roles (groups) for SNMPv3
users. After the initial SNMPv3 user creation, you can map additional roles for the user.

Note Only users belonging to a network-admin role can assign roles to other users.

To add multiple roles to a new user using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles from the Physical Attributes pane.
Step 2 Click the Users tab in the Information pane to see a list of users like the one in Figure 40-2.
Step 3 Click Create Row.
You see the Create Users dialog box shown in Figure 40-4.

Figure 40-4 Create Users Dialog Box

Step 4 Choose roles using the check boxes.


Step 5 Choose an option for Digest and one for Encryption.


Step 6 (Optional) Provide an expiration date for the user and the file name of an SSH key.
Step 7 Click Create to create the new roles.

Adding Communities
You can configure read-only or read-write access for SNMPv1 and SNMPv2 users. Refer to RFC 2576.
To create an SNMPv1 or SNMPv2c community string using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles from the Physical Attributes pane.
Step 2 Click the Communities tab in the Information pane.
You see the existing communities (see Figure 40-5).

Figure 40-5 Communities Tab Under Users and Roles

Step 3 Click Create Row.
You see the Create Community String dialog box.
Step 4 Check the Switch check boxes to specify one or more switches.
Step 5 Enter the community name in the Community field.
Step 6 Select the role from the Role drop-down list.

Note You can enter a new role name in the field if you do not want to select one from the drop-down
list. If you do this, you must go back and configure this role appropriately (see the "Role-Based
Authorization" section on page 39-1).

Step 7 Click Create to create the new entry.

Deleting a Community String


To delete a community string using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select Users and Roles from the Physical Attributes pane.
Step 2 Click the Communities tab in the Information pane.


Step 3 Click the name of the community you want to delete.


Step 4 Click Delete Row to delete this community.

SNMP Trap and Inform Notifications


You can configure the Cisco MDS switch to send notifications to SNMP managers when particular
events occur.

Note Use the SNMP-TARGET-MIB to obtain more information on the destinations to which notifications are
to be sent either as traps or as informs. Refer to the Cisco MDS 9000 Family MIB Quick Reference.

This section includes the following topics:


Configuring SNMPv2c Notifications
Configuring SNMPv3 Notifications
Enabling SNMP Notifications
Configuring the Notification Target User
Configuring Event Security
Viewing the SNMP Events Log

Configuring SNMPv2c Notifications


To configure SNMPv2c notifications using Fabric Manager, follow these steps:

Step 1 Expand Switches > Events and then select SNMP Traps in the Physical Attributes pane.
You see the SNMP notification configuration in the Information pane shown in Figure 40-6.

Figure 40-6 SNMP Notifications

Step 2 Click the Destinations tab to add or modify a receiver for SNMP notifications.
Step 3 Click Create Row to create a new notification destination.
You see the Create Destinations dialog box shown in Figure 40-7.


Figure 40-7 Create Destinations Dialog Box

Step 4 Check the switches for which you want to configure a new destination.
Step 5 Set the destination IP address and UDP port.
Step 6 Choose either the trap or inform radio button.
Step 7 (Optional) Set the timeout or retry count values.
Step 8 Click Create to add this destination to the selected switches.
Step 9 (Optional) Click the Other tab to enable specific notification types per switch.
Step 10 Click the Apply changes icon to create the entry.

Note Switches can forward events (SNMP traps and informs) to up to 10 destinations.

Configuring SNMPv3 Notifications

Note To configure SNMPv3 notifications using IPv4 using Fabric Manager, select v3 from the Security
drop-down list in the Create Destinations dialog box (see Figure 40-7). Optionally, set the inform time
out and retry values. Click Create to add this destination to the selected switches.

Note In the case of SNMPv3 notifications, the SNMP manager is expected to know the user credentials
(authKey/PrivKey) based on the switch's engineID to authenticate and decrypt the SNMP messages.

Enabling SNMP Notifications


Notifications (traps and informs) are system alerts that the switch generates when certain events occur.
You can enable or disable notifications. By default, no notification is defined or issued. If a notification
name is not specified, all notifications are disabled or enabled.


Table 40-1 lists the Fabric Manager procedures that enable the notifications for Cisco MDS MIBs.
Choose Switches > Events > SNMP Traps to see the check boxes listed in this table.

Note Choosing Switches > Events > SNMP Traps enables both traps and informs, depending on how you
configured notifications. See the "Configuring SNMPv3 Notifications" section on page 40-9.

Table 40-1 Enabling SNMP Notifications

MIB                               Fabric Manager Check Boxes
CISCO-ENTITY-FRU-CONTROL-MIB      Select the Other tab and check FRU Changes.
CISCO-FCC-MIB                     Select the Other tab and check FCC.
CISCO-DM-MIB                      Select the FC tab and check Domain Mgr RCF.
CISCO-NS-MIB                      Select the FC tab and check Name Server.
CISCO-FCS-MIB                     Select the Other tab and check FCS Rejects.
CISCO-FDMI-MIB                    Select the Other tab and check FDMI.
CISCO-FSPF-MIB                    Select the FC tab and check FSPF Neighbor Change.
CISCO-LICENSE-MGR-MIB             Select the Other tab and check License Manager.
CISCO-IPSEC-SIGNALLING-MIB        Select the Other tab and check IPSEC.
CISCO-PSM-MIB                     Select the Other tab and check Port Security.
CISCO-RSCN-MIB                    Select the FC tab and check RSCN ILS, and RSCN ELS.
SNMPv2-MIB                        Select the Other tab and check SNMP AuthFailure.
VRRP-MIB, CISCO-IETF-VRRP-MIB     Select the Other tab and check VRRP.
CISCO-ZS-MIB                      Select the FC tab and check Zone Rejects, Zone Merge Failures, Zone Merge Successes, Zone Default Policy Change, and Zone Unsuppd Mode.

The following notifications are enabled by default:


entity fru
license
link ietf-extended
All other notifications are disabled by default.
To enable individual notifications using Fabric Manager, follow these steps:

Step 1 Expand Switches > Events and then select SNMP Traps in the Physical Attributes pane.
You see the SNMP notification configuration in the Information pane.
Step 2 Click the FC tab to enable Fibre Channel related notifications.
Step 3 Check each notification check box that you want to enable.


Step 4 Click the Other tab to enable other notifications.


Step 5 Check each notification check box that you want to enable.
Step 6 Click the Apply changes icon to create the entry.

Configuring the Notification Target User


You must configure a notification target user on the switch for sending SNMPv3 inform notifications to
the SNMP manager.
To configure the notification target user, refer to the Cisco MDS 9000 Family CLI Configuration Guide.

The credentials of the notification target user are used for encrypting the SNMPv3 inform notification
messages to the configured SNMP manager.

Note For authenticating and decrypting the received INFORM PDU, the SNMP manager should have the same
user credentials in its local configuration data store of users.

Configuring Event Security

Caution This is an advanced function that should only be used by administrators having experience with
SNMPv3.

SNMP events can be secured against interception or eavesdropping in the same way that SNMP
messages are secured. Fabric Manager or Device Manager allows you to configure the message
processing model, the security model, and the security level for the SNMP events that the switch
generates.
To configure SNMP event security using Fabric Manager, follow these steps:

Step 1 Expand Switches > Events and then select SNMP Traps.
Step 2 Click the Security tab in the Information pane.
You see the security information for SNMP notifications.
Step 3 Set the message protocol model (MPModel), security model, security name, and security level.
Step 4 Click the Apply Changes icon to save and apply your changes.


Viewing the SNMP Events Log


To view the SNMP events log from Fabric Manager, click the Events tab (see Figure 40-8). You see the
Events listed with a log of events for a single switch.

Figure 40-8 Events Information

Note The MDS syslog manager must be set up before you can view the event logs.

Caution Changing these values from different Fabric Manager workstations at the same time may cause
unpredictable results.

Default Settings
Table 40-2 lists the default settings for all SNMP features in any switch.

Table 40-2 Default SNMP Settings

Parameters      Default
User account    No expiry (unless configured).
Password        None.


CHAPTER 41
Configuring RADIUS and TACACS+

The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access
to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches use RADIUS
and TACACS+ protocols to provide solutions using remote AAA servers.
Based on the user ID and password combination provided, switches perform local authentication or
authorization using the local database or remote authentication or authorization using a AAA server. A
preshared secret key provides security for communication between the switch and AAA servers. This
secret key can be configured for all AAA servers or for only a specific AAA server. This security feature
provides a central management capability for AAA servers.
This chapter includes the following sections:
Switch Management Security
Switch AAA
Configuring RADIUS Server Monitoring Parameters
Configuring TACACS+ Server Monitoring Parameters
Server Groups
AAA Server Distribution
MSCHAP Authentication
Local AAA Services
Configuring Cisco Access Control Servers
Default Settings

Switch Management Security


Management security in any switch in the Cisco MDS 9000 Family provides security to all management
access methods, including the command-line interface (CLI) or Simple Network Management Protocol
(SNMP).
This section includes the following topics:
Fabric Manager Security Options
SNMP Security Options


Fabric Manager Security Options


You can access Fabric Manager using the console (serial connection), Telnet, or Secure Shell (SSH). For
each management path (console, Telnet, and SSH), you can configure one or more of the following
security control options: local, remote (RADIUS or TACACS+), or none.
Remote security control
  Using RADIUS. See the "Configuring RADIUS Server Monitoring Parameters" section on
  page 41-7.
  Using TACACS+. See the "Configuring TACACS+ Server Monitoring Parameters" section on
  page 41-14.
Local security control. See the "Local AAA Services" section on page 41-26.
These security features can also be configured for the following scenarios:
iSCSI authentication (see the "iSCSI Authentication Setup Guidelines and Scenarios" section on
page 50-56).
Fibre Channel Security Protocol (FC-SP) authentication (see Chapter 45, "Configuring FC-SP and
DHCHAP").
SNMP Security Options


The SNMP agent supports security features for SNMPv1, SNMPv2c, and SNMPv3. Normal SNMP
security features apply to all applications that use SNMP (for example, Cisco MDS 9000 Fabric
Manager).
SNMP security options also apply to the Fabric Manager and Device Manager.
See Chapter 40, "Configuring SNMP."

Switch AAA
Using the CLI or Fabric Manager, you can configure AAA switch functionalities on any switch in the
Cisco MDS 9000 Family.
This section includes the following topics:
Authentication
Authorization
Accounting
Remote AAA Services
Remote Authentication Guidelines
Server Groups
AAA Configuration Options
Authentication and Authorization Process


Authentication
Authentication is the process of verifying the identity of the person or device accessing the switch. This
identity verification is based on the user ID and password combination provided by the entity trying to
access the switch. Cisco MDS 9000 Family switches allow you to perform local authentication (using
the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).

Note When you log in to a Cisco MDS switch successfully using the Fabric Manager or Device Manager
through Telnet or SSH and if that switch is configured for AAA server-based authentication, a temporary
SNMP user entry is automatically created with an expiry time of one day. The switch authenticates the
SNMPv3 protocol data units (PDUs) with your Telnet or SSH login name as the SNMPv3 user. The
management station can temporarily use the Telnet or SSH login name as the SNMPv3 auth and priv
passphrase. This temporary SNMP login is only allowed if you have one or more active MDS shell
sessions. If you do not have an active session at any given time, your login is deleted and you will not
be allowed to perform SNMPv3 operations.

Note Fabric Manager does not support AAA passwords with trailing white space, for example, "passwordA ".

Authorization
The following authorization roles exist in all Cisco MDS switches:
Network operator (network-operator): Has permission to view the configuration only. The operator
cannot make any configuration changes.
Network administrator (network-admin): Has permission to execute all commands and make
configuration changes. The administrator can also create and customize up to 64 additional roles.
Default-role: Has permission to use the GUI (Fabric Manager and Device Manager). This access is
automatically granted to all users for accessing the GUI.
These roles cannot be changed or deleted. You can create additional roles and configure the following
options:
Configure role-based authorization by assigning user roles locally or using remote AAA servers.
Configure user profiles on a remote AAA server to contain role information. This role information
is automatically downloaded and used when the user is authenticated through the remote AAA
server.

Note If a user belongs only to one of the newly created roles and that role is subsequently deleted, then the
user immediately defaults to the network-operator role.

Accounting
The accounting feature tracks and maintains a log of every management configuration used to access the
switch. This information can be used to generate reports for troubleshooting and auditing purposes.
Accounting logs can be stored locally or sent to remote AAA servers.


Remote AAA Services


Remote AAA services provided through RADIUS and TACACS+ protocols have the following
advantages over local AAA services:
User password lists for each switch in the fabric can be managed more easily.
AAA servers are already deployed widely across enterprises and can be easily adopted.
The accounting log for all switches in the fabric can be centrally managed.
User role mapping for each switch in the fabric can be managed more easily.

Remote Authentication Guidelines


If you prefer using remote AAA servers, follow these guidelines:
A minimum of one AAA server should be IP reachable.
Be sure to configure a desired local AAA policy as this policy is used if all AAA servers are not
reachable.
AAA servers are easily reachable if an overlay Ethernet LAN is attached to the switch (see
Chapter 52, "Configuring IP Storage"). We recommend this method.
SAN networks connected to the switch should have at least one gateway switch connected to the
Ethernet LAN reaching the AAA servers.

Server Groups
You can specify remote AAA servers for authentication, authorization, and accounting using server
groups. A server group is a set of remote AAA servers implementing the same AAA protocol. The
purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond.
If the first remote server in the group fails to respond, the next remote server in the group is tried until
one of the servers sends a response. If all the AAA servers in the server group fail to respond, then that
server group option is considered a failure. If required, you can specify multiple server groups. If the
Cisco MDS switch encounters errors from the servers in the first group, it tries the servers in the next
server group.

AAA Configuration Options


AAA configuration in Cisco MDS 9000 Family switches is service based. You can have separate AAA
configurations for the following services:
Telnet or SSH login (Fabric Manager and Device Manager login)
Console login
iSCSI authentication (see Chapter 50, Configuring iSCSI)
FC-SP authentication (see Chapter 45, Configuring FC-SP and DHCHAP)
Accounting
In general, server group, local, and none are the three options that can be specified for any service in an
AAA configuration. Each option is tried in the order specified. If all the options fail, local is tried.


Caution Cisco MDS NX-OS does not support all-numeric usernames, whether created with TACACS+ or
RADIUS, or created locally. A local username consisting only of numerals cannot be created. If an
all-numeric username exists on an AAA server and is entered during login, the user is not logged in.

Note Even if local is not specified as one of the options, it is tried when all other configured options fail.

When RADIUS times out, local login is always attempted. For this local login to be successful, a local
account for the user with the same password should exist, and the RADIUS timeout and retries should
take less than 40 seconds. The user is authenticated if the username and password exist in the local
authentication configuration.

AAA Server Monitoring


An unresponsive AAA server introduces a delay in the processing of AAA requests. An MDS switch can
periodically monitor an AAA server to check whether it is responding (or alive) to save time in
processing AAA requests. The MDS switch marks unresponsive AAA servers as dead and does not send
AAA requests to any dead AAA servers. An MDS switch periodically monitors dead AAA servers and
brings them to the alive state once they are responding. This monitoring process verifies that an AAA
server is in a working state before real AAA requests are sent its way. Whenever an AAA server changes
to the dead or alive state, an SNMP trap is generated and the MDS switch warns the administrator that
a failure is taking place before it can impact performance. See Figure 41-1 for AAA server states.

Figure 41-1 AAA Server States (state diagram; states shown: Alive and used, Alive, Alive and testing,
Dead, Dead and testing)

Note The monitoring interval for alive servers and dead servers is different and can be configured by the user.
The AAA server monitoring is performed by sending a test authentication request to the AAA server.

The user name and password to be used in the test packet can be configured.
See the Configuring RADIUS Server Monitoring Parameters section on page 41-7.


Authentication and Authorization Process


Authentication is the process of verifying the identity of the person managing the switch. This identity
verification is based on the user ID and password combination provided by the person managing the
switch. The Cisco MDS 9000 Family switches allow you to perform local authentication (using the
lookup database) or remote authentication (using one or more RADIUS servers or TACACS+ servers).
The following steps explain the authorization and authentication process:

Step 1 Log in to the required switch in the Cisco MDS 9000 Family, using the Telnet, SSH, Fabric
Manager/Device Manager, or console login options.
Step 2 When you have configured server groups using the server group authentication method, an
authentication request is sent to the first AAA server in the group.
If the AAA server fails to respond, then the next AAA server is contacted and so on until the remote
server responds to the authentication request.
If all AAA servers in the server group fail to respond, then the servers in the next server group are
contacted.
If all configured methods fail, then the local database is used for authentication.
Step 3 When you are successfully authenticated through a remote AAA server, then the following possible
actions are taken:
If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are
downloaded with an authentication response.
If the AAA server protocol is TACACS+, then another request is sent to the same server to get the
user roles specified as custom attributes for the shell.
If user roles are not successfully retrieved from the remote AAA server, then the user is assigned the
network-operator role.
Step 4 When your user name and password are successfully authenticated locally, you are allowed to log in, and
you are assigned the roles configured in the local database.

Figure 41-2 shows a flow chart of the authorization and authentication process.


Figure 41-2 Switch Authorization and Authentication Flow (flow chart; node labels: Start, Incoming access
request to switch, First or next server lookup, RADIUS Lookup, Local database lookup, Access permitted,
No access; branch labels: Local, Remote, Found a RADIUS server, No more servers left, No response,
Accept, Denied access, Success, Failure)

Note No more server groups left = no response from any server in all server groups.
No more servers left = no response from any server within this server group.
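
The decision path in Steps 1 through 4 and Figure 41-2, together with the 40-second rule for local fallback, as an added Python model (not Cisco code and not part of the original guide). The names Server, Outcome, login and sample_groups, the sample account, the per-attempt wait formula, and the treatment of a server reject as final (read from the Denied branch of Figure 41-2) are assumptions of this example.

```python
import hmac
from dataclasses import dataclass

LOCAL_FALLBACK_BUDGET_S = 40        # guide: RADIUS timeout and retries must take < 40 s
DEFAULT_ROLE = "network-operator"   # guide: role assigned when none is retrieved


@dataclass
class Server:
    name: str
    behaviour: str                  # constructed knob: "accept", "reject" or "timeout"
    roles: tuple = ()               # roles returned with an accept
    timeout_s: int = 5              # per-attempt timeout (sample value)
    retransmits: int = 1            # guide default: one retry

    def worst_case_wait(self) -> int:
        # Assumption: one initial attempt plus `retransmits` retries, each waiting timeout_s.
        return self.timeout_s * (1 + self.retransmits)


@dataclass
class Outcome:
    permitted: bool
    decided_by: str
    roles: tuple
    waited_s: int


def login(user, password, server_groups, local_db):
    """Walk the server groups in order, then fall back to the local database."""
    waited = 0
    for group_name, servers in server_groups:
        for srv in servers:
            if srv.behaviour == "timeout":
                waited += srv.worst_case_wait()
                continue            # no response: next server, then next group
            decided_by = f"{group_name}/{srv.name}"
            if srv.behaviour == "reject":
                # A reject is a response, so it ends the attempt (assumption from Figure 41-2).
                return Outcome(False, decided_by, (), waited)
            # Accept: use the downloaded roles, or the default when none came back.
            return Outcome(True, decided_by, srv.roles or (DEFAULT_ROLE,), waited)

    # Nobody answered. Local is tried even when it is not a configured option.
    if waited >= LOCAL_FALLBACK_BUDGET_S:
        return Outcome(False, "local (40 s budget exceeded)", (), waited)
    account = local_db.get(user)
    if account and hmac.compare_digest(account["password"], password):
        return Outcome(True, "local", tuple(account["roles"]), waited)
    return Outcome(False, "local", (), waited)


# Constructed sample data, not taken from any real switch.
LOCAL_DB = {"admin": {"password": "Example-Passw0rd", "roles": ["network-admin"]}}


def sample_groups(behaviours, timeout_s=5):
    """Build one group named 'radius-a' whose servers behave as listed."""
    servers = [Server(f"srv{i}", b, timeout_s=timeout_s) for i, b in enumerate(behaviours, 1)]
    return [("radius-a", servers)]


if __name__ == "__main__":
    for behaviours in (["timeout", "accept"], ["reject"], ["timeout"] * 3, ["timeout"] * 4):
        print(behaviours, login("admin", "Example-Passw0rd", sample_groups(behaviours), LOCAL_DB))
```

The run shows the case an auditor should look for: with every server unreachable and the total wait under 40 seconds, the decision rests entirely on the local account and its locally configured roles.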

Configuring RADIUS Server Monitoring Parameters


Cisco MDS 9000 Family switches can use the RADIUS protocol to communicate with remote AAA
servers. You can configure multiple RADIUS servers and server groups and set timeout and retry counts.
RADIUS is a distributed client/server protocol that secures networks against unauthorized access. In the
Cisco implementation, RADIUS clients run on Cisco MDS 9000 Family switches and send
authentication requests to a central RADIUS server that contains all user authentication and network
service access information.
This section defines the RADIUS operation, identifies its network environments, and describes its
configuration possibilities.


This section includes the following topics:

About RADIUS Server Default Configuration
About the Default RADIUS Server Encryption Type and Preshared Key
Configuring the Default RADIUS Server Encryption Type and Preshared Key
About RADIUS Servers
Configuring a RADIUS Server
About Validating a RADIUS Server
Periodically Validating a RADIUS Server
Displaying RADIUS Server Statistics
About Users Specifying a RADIUS Server at Login
Allowing Users to Specify a RADIUS Server at Login
About Vendor-Specific Attributes

About RADIUS Server Default Configuration


Fabric Manager allows you to set up a default configuration that can be used for any RADIUS server that
you configure the switch to communicate with. The default configuration includes:
Encryption type
Timeout value
Number of retransmission attempts
Allowing the user to specify a RADIUS server at login

About the Default RADIUS Server Encryption Type and Preshared Key
You need to configure the RADIUS preshared key to authenticate the switch to the RADIUS server. The
length of the key is restricted to 64 characters and can include any printable ASCII characters (white
spaces are not allowed). You can configure a global key to be used for all RADIUS server configurations
on the switch.
You can override this global key assignment by explicitly using the key option when configuring an
individual RADIUS server.

Configuring the Default RADIUS Server Encryption Type and Preshared Key
To configure the default RADIUS server encryption type and preshared key using Fabric Manager,
follow these steps:

Step 1 Expand Switches > Security > AAA, and then select RADIUS.
You see the RADIUS configuration in the Information pane.
Step 2 Click the Defaults tab.
You see the RADIUS default settings as shown in Figure 41-3.


Figure 41-3 RADIUS Default Settings

Step 3 Select plain or encrypted from the AuthType drop-down menu.


Step 4 Set the key in the Auth Key field.
Step 5 Click the Apply Changes icon to save the changes.

Setting the Default RADIUS Server Timeout Interval and Retransmits


By default, a switch retries transmission to a RADIUS server only once before reverting to local
authentication. You can increase this number up to a maximum of five retries per server. You can also
configure the timeout value for the RADIUS server.
To configure the number of retransmissions and the time between retransmissions to the RADIUS
servers using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA and then select RADIUS.
You see the RADIUS configuration in the Information pane.
Step 2 Choose the Defaults tab.
You see the RADIUS default settings.
Step 3 Fill in the Timeout and Retransmits fields for authentication attempts.
Step 4 Click the Apply Changes icon to save the changes.

About RADIUS Servers


You can add up to 64 RADIUS servers. RADIUS keys are always stored in encrypted form in persistent
storage. The running configuration also displays encrypted keys. When you configure a new RADIUS
server, you can use the default configuration or modify any of the parameters to override the default
RADIUS configuration.


Configuring a RADIUS Server


To configure a RADIUS server and all its options using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select RADIUS.
You see the RADIUS configuration in the Information pane.
Step 2 Click the Servers tab.
You see any existing RADIUS servers.
Step 3 Click Create Row to add a new RADIUS server.
You see the Create RADIUS Server dialog box shown in Figure 41-4.

Figure 41-4 Create RADIUS Server

Step 4 Select the switches that you want to assign as RADIUS servers.
Step 5 Assign an index number to identify the RADIUS server.
Step 6 Select the IP address type for the RADIUS server.
Step 7 Fill in the IP address or name for the RADIUS server.
Step 8 (Optional) Modify the authentication and accounting ports used by this RADIUS server.
Step 9 Select the appropriate key type for the RADIUS server.
Step 10 Select the TimeOut value in seconds. The valid range is 0 to 60 seconds.
Step 11 Select the number of times the switch tries to connect to a RADIUS server(s) before reverting to local
authentication.
Step 12 Enter the test idle time interval value in minutes. The valid range is 1 to 1440 minutes.


Step 13 Enter the test user with the default password. The default username is test.
Step 14 Click Create to save these changes.

Configuring the Test Idle Timer


The test idle timer specifies the interval during which a RADIUS server receives no requests before the
MDS switch sends out a test packet.

Note The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic RADIUS
server monitoring is not performed.

To configure the test idle timer, see the Configuring a RADIUS Server section on page 41-10.

Configuring Test User Name


You can configure a username and password for periodic RADIUS server status testing. You do not need
to configure the test username and password to issue test messages to monitor RADIUS servers. You can
use the default test username (test) and default password (test).

Note We recommend that the test username not be the same as an existing username in the RADIUS database
for security reasons.

To configure the optional username and password for periodic RADIUS server status testing, see
the Configuring a RADIUS Server section on page 41-10.

About Validating a RADIUS Server


As of Cisco SAN-OS Release 3.0(1), you can periodically validate a RADIUS server. The switch sends a
test authentication to the server using the username and password that you configure. If the server does
not respond to the test authentication, then the server is considered nonresponding.

Note For security reasons we recommend that you do not use a username that is configured on your RADIUS
server as a test username.

You can configure this option to test the server periodically, or you can run a one-time only test.

Periodically Validating a RADIUS Server


To configure the switch to periodically test a RADIUS server using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select RADIUS.
You see the RADIUS configuration in the Information pane.
Step 2 Click the Servers tab.


You see any existing RADIUS servers.


Step 3 Click Create Row to add a new RADIUS server.
You see the Create RADIUS Server dialog box (see Figure 41-4).
Step 4 Fill in the IP address.
Step 5 Modify the authentication and accounting ports used by this RADIUS server.
Step 6 Fill in the TestUser field and, optionally, the TestPassword field. The default password for the test is
Cisco.
Step 7 Set the IdleTime field for the time that the server is idle before you send a test authentication.
Step 8 Click Create to save these changes.

Displaying RADIUS Server Statistics


To display RADIUS server statistics using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select RADIUS.
You see the RADIUS configuration in the Information pane.
Step 2 Click the Statistics tab.
You see the RADIUS server statistics.

About Users Specifying a RADIUS Server at Login


By default, an MDS switch forwards an authentication request to the first server in the RADIUS server
group. You can configure the switch to allow the user to specify which RADIUS server to send the
authentication request to by enabling the directed request option. If you enable this option, the user
can log in as username@hostname, where the hostname is the name of a configured RADIUS server.

Allowing Users to Specify a RADIUS Server at Login


To allow users logging into an MDS switch to select a RADIUS server for authentication using Fabric
Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select RADIUS.
You see the RADIUS configuration in the Information pane.
Step 2 Click the Defaults tab.
You see the RADIUS default settings.
Step 3 Check the DirectedReq check box for the RADIUS server.
Step 4 Click the Apply Changes icon to save the changes.


About Vendor-Specific Attributes


The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific attributes (VSAs) between the network access server and the RADIUS server. The IETF
uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for
general use. The Cisco RADIUS implementation supports one vendor-specific option using the format
recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1,
which is named cisco-avpair. The value is a string with the following format:
protocol : attribute separator value *

Where protocol is a Cisco attribute for a particular type of authorization, and separator is = (equal sign)
for mandatory attributes and * (asterisk) for optional attributes.
When you use RADIUS servers to authenticate yourself to a Cisco MDS 9000 Family switch, the
RADIUS protocol directs the RADIUS server to return user attributes, such as authorization
information, along with authentication results. This authorization information is specified through
VSAs.

VSA Format
The following VSA protocol options are supported by the Cisco NX-OS software:
Shell protocol: Used in Access-Accept packets to provide user profile information.
Accounting protocol: Used in Accounting-Request packets. If a value contains any white spaces,
it should be put within double quotation marks.
The following attributes are supported by the Cisco NX-OS software:
roles: This attribute lists all the roles to which the user belongs. The value field is a string storing
the list of group names delimited by white space. For example, if you belong to roles vsan-admin
and storage-admin, the value field would be vsan-admin storage-admin. This subattribute is
sent in the VSA portion of the Access-Accept frames from the RADIUS server, and it can only be
used with the shell protocol value. These are two examples using the roles attribute:
shell:roles=network-admin vsan-admin
shell:roles*network-admin vsan-admin
When a VSA is specified as shell:roles*network-admin vsan-admin, this VSA is flagged as
an optional attribute, and other Cisco devices ignore this attribute.
accountinginfo: This attribute stores additional accounting information besides the attributes
covered by a standard RADIUS accounting protocol. This attribute is only sent in the VSA portion
of the Accounting-Request frames from the RADIUS client on the switch, and it can only be used with
the accounting protocol-related PDUs.
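
An added example, not from the guide or from Cisco software: a decoder that walks the attributes of a RADIUS packet and returns the cisco-avpair strings carried in attribute 26 with vendor ID 9 and vendor type 1, as described above. The attribute layout follows RFC 2865; the function names and the sample Access-Accept packet are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26     # attribute type the guide refers to
CISCO_VENDOR_ID = 9      # from the guide
CISCO_AVPAIR = 1         # vendor type 1, cisco-avpair


def iter_attributes(packet: bytes):
    """Yield (type, value) for every attribute that follows the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len


def cisco_avpairs(packet: bytes):
    """Return the cisco-avpair strings found in Cisco vendor-specific attributes."""
    found = []
    for a_type, value in iter_attributes(packet):
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue                      # another vendor's VSA: not ours to interpret
        sub, pos = value[4:], 0
        while pos + 2 <= len(sub):
            v_type, v_len = sub[pos], sub[pos + 1]
            if v_len < 2 or pos + v_len > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if v_type == CISCO_AVPAIR:
                found.append(sub[pos + 2:pos + v_len].decode("ascii"))
            pos += v_len
    return found


def build_vsa(vendor_id: int, vendor_type: int, text: str) -> bytes:
    """Encode one vendor-specific attribute (used only to construct the sample)."""
    data = text.encode("ascii")
    body = struct.pack("!I", vendor_id) + bytes([vendor_type, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def build_access_accept(attrs: bytes, ident: int = 1) -> bytes:
    # The authenticator is zeroed here; this example does not verify it.
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs


# Constructed sample packet, not captured from a real server.
SAMPLE_PACKET = build_access_accept(
    build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, "shell:roles=network-admin vsan-admin")
    + build_vsa(311, 1, "other-vendor")   # different vendor ID: skipped
    + bytes([18, 4]) + b"ok"              # Reply-Message (type 18): not a VSA
)

if __name__ == "__main__":
    print(cisco_avpairs(SAMPLE_PACKET))
```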

Specifying SNMPv3 on AAA Servers


The vendor/custom attribute cisco-av-pair can be used to specify user role mapping using the format:
shell:roles="roleA roleB ..."

If the role option in the cisco-av-pair attribute is not set, the default user role is network-operator.
The VSA format can also optionally specify your SNMPv3 authentication and privacy protocol
attributes, as follows:
shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128


The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are
AES-128 and DES. If these options are not specified in the cisco-av-pair attribute on the ACS server,
MD5 and DES are used by default.

Configuring TACACS+ Server Monitoring Parameters


A Cisco MDS switch uses the Terminal Access Controller Access Control System Plus (TACACS+)
protocol to communicate with remote AAA servers. You can configure multiple TACACS+ servers and
set timeout values.
This section includes the following topics:
About TACACS+
About TACACS+ Server Default Configuration
About the Default TACACS+ Server Encryption Type and Preshared Key
Setting the Default TACACS+ Server Encryption Type and Preshared Key
Setting the Default TACACS+ Server Timeout Interval and Retransmits
About TACACS+ Servers
Configuring a TACACS+ Server
About Validating a TACACS+ Server
Displaying TACACS+ Server Statistics
About Users Specifying a TACACS+ Server at Login
Allowing Users to Specify a TACACS+ Server at Login
About Custom Attributes for Roles
Supported TACACS+ Servers

About TACACS+
TACACS+ is a client/server protocol that uses TCP (TCP port 49) for transport requirements. All
switches in the Cisco MDS 9000 Family provide centralized authentication using the TACACS+
protocol. TACACS+ has the following advantages over RADIUS authentication:
Provides independent, modular AAA facilities. Authorization can be done without authentication.
Uses the TCP transport protocol to send data between the AAA client and server, making reliable
transfers with a connection-oriented protocol.
Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data
confidentiality. The RADIUS protocol only encrypts passwords.

About TACACS+ Server Default Configuration


Fabric Manager allows you to set up a default configuration that can be used for any TACACS+ server
that you configure the switch to communicate with. The default configuration includes:
Encryption type
Preshared key


Timeout value
Number of retransmission attempts
Allowing the user to specify a TACACS+ server at login

About the Default TACACS+ Server Encryption Type and Preshared Key
You need to configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server.
The length of the key is restricted to 64 characters and can include any printable ASCII characters (white
spaces are not allowed). You can configure a global key to be used for all TACACS+ server
configurations on the switch.
You can override this global key assignment by explicitly using the key option when configuring an
individual TACACS+ server.

Setting the Default TACACS+ Server Encryption Type and Preshared Key
To configure the default TACACS+ server encryption type and preshared key using Fabric Manager,
follow these steps:

Step 1 Expand Switches > Security > AAA, and then select TACACS+.
You see the TACACS+ configuration in the Information pane.
Step 2 If the Defaults tab is dimmed, click the CFS tab.
Step 3 Click the Defaults tab.
You see the TACACS+ default settings.
Step 4 Select plain or encrypted from the AuthType drop-down menu and set the key in the Auth Key field.
Step 5 Click the Apply Changes icon to save the changes.

Setting the Default TACACS+ Server Timeout Interval and Retransmits


By default, a switch retries a TACACS+ server only once. This number can be configured. The maximum
is five retries per server. You can also configure the timeout value for the TACACS+ server.
To configure the number of retransmissions and the time between retransmissions to the TACACS+
servers using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select TACACS+.
You see the TACACS+ configuration in the Information pane.
Step 2 Choose the Defaults tab. (If the Defaults tab is disabled, click the CFS tab first.)
You see the TACACS+ default settings.
Step 3 Supply values for the Timeout and Retransmits fields for authentication attempts.


Step 4 Click the Apply Changes icon to save the changes.

About TACACS+ Servers


By default, the TACACS+ feature is disabled in all switches in the Cisco MDS 9000 Family. Fabric
Manager or Device Manager enables the TACACS+ feature automatically when you configure a
TACACS+ server.
If a secret key is not configured for a configured server, a warning message is issued if a global key is
not configured. If a server key is not configured, the global key (if configured) is used for that server.

Note Prior to Cisco MDS SAN-OS Release 2.1(2), you can use the dollar sign ($) in the key but the key must
be enclosed in double quotes, for example "k$". The percent sign (%) is not allowed. In Cisco MDS
SAN-OS Release 2.1(2) and later, you can use the dollar sign ($) without double quotes and the percent
sign (%) in global secret keys.

You can configure global values for the secret key for all TACACS+ servers.

Note If secret keys are configured for individual servers, those keys override the globally configured key.

Configuring a TACACS+ Server


To configure a TACACS+ server and all its options using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select TACACS+.
You see the TACACS+ configuration in the Information pane.
Step 2 Choose the Servers tab.
You see any existing TACACS+ servers.
Step 3 Click Create Row to add a new TACACS+ server.
You see the Create TACACS+ Server dialog box as shown in Figure 41-5.


Figure 41-5 Create TACACS+ Server Dialog Box

Step 4 Select the switches that you want to assign as TACACS servers.
Step 5 Assign an index number to identify the TACACS server.
Step 6 Select the IP address type for the TACACS server.
Step 7 Fill in the IP address or name for the TACACS server.
Step 8 Modify the authentication and accounting ports used by this TACACS server.
Step 9 Select the appropriate key type for the TACACS server.
Step 10 Select the TimeOut value in seconds. The valid range is 0 to 60 seconds.
Step 11 Select the number of times the switch tries to connect to a TACACS server(s) before reverting to local
authentication.
Step 12 Enter the test idle time interval value in minutes. The valid range is 1 to 1440 minutes.
Step 13 Enter the test user with the default password. The default username is test.
Step 14 Click Create to save these changes.

About Validating a TACACS+ Server


As of Cisco SAN-OS Release 3.0(1), you can periodically validate a TACACS+ server. The switch sends
a test authentication to the server using the test username and test password that you configure. If the
server does not respond to the test authentication, then the server is considered nonresponding.

Note We recommend that you do not configure the test user on your TACACS+ server for security reasons.


You can configure this option to test the server periodically, or you can run a one-time only test.

Periodically Validating a TACACS+ Server


To configure the switch to periodically test a TACACS+ server using Fabric Manager, see the
Configuring TACACS+ Server Monitoring Parameters section on page 41-14.

Displaying TACACS+ Server Statistics


To display TACACS+ server statistics using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select TACACS+.
You see the TACACS+ configuration in the Information pane.
Step 2 Choose the Statistics tab.
You see the TACACS+ server statistics.

About Users Specifying a TACACS+ Server at Login


By default, an MDS switch forwards an authentication request to the first server in the TACACS+ server
group. You can configure the switch to allow the user to specify which TACACS+ server to send the
authentication request to. If you enable this feature, the user can log in as username@hostname, where the
hostname is the name of a configured TACACS+ server.

Allowing Users to Specify a TACACS+ Server at Login


To configure the switch to allow users to specify a TACACS+ server at login using Fabric Manager,
follow these steps:

Step 1 Expand Switches > Security > AAA, and then select TACACS+.
You see the TACACS+ configuration in the Information pane.
Step 2 Click the Defaults tab.
You see the TACACS+ default settings.
Step 3 Check the DirectedReq check box.
Step 4 Click the Apply Changes icon to save the changes.


About Custom Attributes for Roles


Cisco MDS 9000 Family switches use the TACACS+ custom attribute for service shells to configure
roles to which a user belongs. TACACS+ attributes are specified in name=value format. The attribute
name for this custom attribute is cisco-av-pair. The following example illustrates how to specify roles
using this attribute:
cisco-av-pair=shell:roles=network-admin vsan-admin

You can also configure optional custom attributes to avoid conflicts with non-MDS Cisco switches using
the same AAA servers.
cisco-av-pair*shell:roles="network-admin vsan-admin"

The additional custom attribute shell:roles is also supported:

shell:roles="network-admin vsan-admin"

or
shell:roles*"network-admin vsan-admin"

Note TACACS+ custom attributes can be defined on an Access Control Server (ACS) for various services (for
example, shell). Cisco MDS 9000 Family switches require the TACACS+ custom attribute for the service
shell to be used for defining roles.

Supported TACACS+ Servers


The Cisco NX-OS software currently supports the following parameters for the listed TACACS+ servers:
TACACS+
cisco-av-pair=shell:roles="network-admin"

Cisco ACS TACACS+


shell:roles="network-admin"
shell:roles*"network-admin"
cisco-av-pair*shell:roles="network-admin"
cisco-av-pair*shell:roles*"network-admin"
cisco-av-pair=shell:roles*"network-admin"

Open TACACS+
cisco-av-pair*shell:roles="network-admin"
cisco-av-pair=shell:roles*"network-admin"
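
An added example, not from the guide or from Cisco software: a parser for the role strings shown in this section and in the RADIUS sections on VSA format and SNMPv3, useful for checking AAA server profiles before they reach a switch. It applies the defaults the guide states (network-operator, MD5, DES); the names Profile and parse_avpair, the regular expression, and the rejection of stray quotes are choices of this example.

```python
import re
from dataclasses import dataclass, field

DEFAULT_ROLE = "network-operator"          # guide: used when no role is set
SNMP_AUTH = {"SHA", "MD5"}                 # guide: supported authentication protocols
SNMP_PRIV = {"AES-128", "DES"}             # guide: supported privacy protocols
DEFAULT_AUTH, DEFAULT_PRIV = "MD5", "DES"  # guide: used when not specified

AVPAIR_RE = re.compile(
    r'^(?:cisco-av-pair(?P<outer>[=*]))?'      # optional TACACS+ attribute name
    r'shell:roles(?P<sep>[=*])'                # '=' mandatory, '*' optional
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>.*?))'   # quoted or unquoted role list
    r'(?:\s+snmpv3:(?P<snmp>.*))?$'            # optional SNMPv3 settings
)


@dataclass
class Profile:
    roles: list
    optional: bool                 # True when '*' marks the attribute as optional
    snmp_auth: str = DEFAULT_AUTH
    snmp_priv: str = DEFAULT_PRIV
    notes: list = field(default_factory=list)


def parse_avpair(text):
    """Parse one role string and return the effective Profile."""
    text = (text or "").strip()
    if not text:
        return Profile([DEFAULT_ROLE], False, notes=["no roles attribute: default role applies"])
    m = AVPAIR_RE.match(text)
    if not m:
        raise ValueError(f"not a shell:roles AV pair: {text!r}")
    raw = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    if '"' in raw:
        raise ValueError(f"stray or unbalanced double quote in {text!r}")
    roles = raw.split()
    profile = Profile(roles or [DEFAULT_ROLE],
                      optional="*" in (m.group("sep"), m.group("outer")))
    if not roles:
        profile.notes.append("empty role list: default role applies")
    for item in (m.group("snmp") or "").split():
        key, _, value = item.partition("=")
        if key == "auth" and value in SNMP_AUTH:
            profile.snmp_auth = value
        elif key == "priv" and value in SNMP_PRIV:
            profile.snmp_priv = value
        else:
            raise ValueError(f"unsupported SNMPv3 option {item!r}")
    if profile.snmp_auth == "MD5" or profile.snmp_priv == "DES":
        profile.notes.append("SNMPv3 uses MD5 and/or DES")
    return profile


# Strings taken from the forms shown in the guide.
SAMPLES = [
    'shell:roles=network-admin vsan-admin',
    'shell:roles*"network-admin vsan-admin"',
    'shell:roles="roleA roleB" snmpv3:auth=SHA priv=AES-128',
    'cisco-av-pair*shell:roles="network-admin"',
    'cisco-av-pair=shell:roles*"network-admin"',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", parse_avpair(s))
```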

Server Groups
You can specify one or more remote AAA servers to authenticate users using server groups. All members
of a group must belong to the same protocol, either RADIUS or TACACS+. The servers are tried in the
same order in which you configure them.
The AAA server monitoring feature can mark an AAA server as dead. You can configure a period of time
in minutes to elapse before the switch sends requests to a dead AAA server. (See the AAA Server
Monitoring section on page 41-5.)

This section includes the following topics:


About Configuring Server Groups
Configuring Server Groups

About Configuring Server Groups


You can configure these server groups at any time but they only take effect when you apply them to an
AAA service. You configure AAA policies for CLI users or Fabric Manager or Device Manager users.

Configuring Server Groups


To configure a RADIUS or TACACS+ server group using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security, and then select AAA.


You see the AAA configuration in the Information pane shown in Figure 41-6. If you do not see the
screen in Figure 41-6, click the Server Groups tab.
You see the RADIUS or TACACS+ server groups configured.

Figure 41-6 AAA Server Groups

Step 2 Click Create Row to create a server group.


You see the Create Server dialog box.
Step 3 Select the radius radio button to add a RADIUS server group or select tacacs+ to add a TACACS+ server
group.
Step 4 Supply server names for the ServerIdList field.
Step 5 Set the DeadTime field for the number of minutes that a server can be nonresponsive before it is marked
as bypassed. See the About Bypassing a Nonresponsive Server section on page 41-21.
Step 6 Click Create to create this server group.
Step 7 Click the Applications tab to assign this server group to an application (see Figure 41-7).
You can associate a server group with all applications or you can specify certain applications.

Figure 41-7 Applications Tab

Step 8 Click the Apply Changes icon to save the changes.

About Bypassing a Nonresponsive Server


As of Cisco SAN-OS Release 3.0(1), you can bypass a nonresponsive AAA server within a server group.
If the switch detects a nonresponsive server, it will bypass that server when authenticating users. Use
this feature to minimize login delays caused by a faulty server. Instead of sending a request to a
nonresponsive server and waiting for the authentication request to time out, the switch sends the
authentication request to the next server in the server group. If there are no other responding servers in
the server group, the switch continues to attempt authentications against the nonresponsive server.

AAA Server Distribution


Configuration for RADIUS and TACACS+ AAA on an MDS switch can be distributed using the Cisco
Fabric Services (CFS). The distribution is disabled by default (see Chapter 13, Using the CFS
Infrastructure).
After enabling the distribution, the first server or global configuration starts an implicit session. All
server configuration commands entered thereafter are stored in a temporary database and applied to all
switches in the fabric (including the originating one) when you explicitly commit the database. The
various server and global parameters are distributed, except the server and global keys. These keys are
unique secrets to a switch and should not be shared with other switches.

Note Server group configurations are not distributed.

This section includes the following topics:


Enabling AAA Server Distribution
Starting a Distribution Session on a Switch
Displaying the Session Status
Displaying the Configuration to be Distributed
Committing the Distribution
Discarding the Distribution Session
Clearing Sessions

Merge Guidelines for RADIUS and TACACS+ Configurations

Note For an MDS switch to participate in AAA server configuration distribution, it must be running Cisco
MDS SAN-OS Release 2.0(1b) or later, or Cisco NX-OS 4.1(1).

Enabling AAA Server Distribution


Only switches where distribution is enabled can participate in the distribution activity.
To enable RADIUS server distribution using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select RADIUS.
You see the RADIUS configuration in the Information pane.
Step 2 Click the CFS tab. You see the RADIUS CFS configuration.
Step 3 Choose enable from the Admin drop-down list for all switches on which you want to enable CFS for
RADIUS.
Step 4 Click Apply Changes to distribute these changes through the fabric.

To enable TACACS+ server distribution using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select TACACS+.
You see the TACACS+ configuration in the Information pane.
Step 2 Click the CFS tab.
You see the TACACS+ CFS configuration.
Step 3 Choose enable from the Admin drop-down list for all switches on which you want to enable CFS for
TACACS+.
Step 4 Click Apply Changes to distribute these changes through the fabric.

Starting a Distribution Session on a Switch


A distribution session starts the moment you begin a RADIUS/TACACS+ server or global configuration.
For example, the following tasks start an implicit session:
Specifying the global timeout for RADIUS servers.
Specifying the global timeout for TACACS+ servers.

Note After you issue the first configuration command related to AAA servers, all server and global
configurations that are created (including the configuration that caused the distribution session to start)
are stored in a temporary buffer, not in the running configuration.

Displaying the Session Status


Once the implicit distribution session has started, you can check the session status from Fabric Manager
by expanding Switches > Security > AAA, and selecting RADIUS or TACACS+. You see the
distribution status on the CFS tab.

Displaying the Configuration to be Distributed


To display the RADIUS or TACACS+ global and/or server configuration stored in the temporary buffer
using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select RADIUS or select TACACS+.
Step 2 Click the CFS tab.
You see the distribution status on the CFS tab.
Step 3 Click the pending or running radio button.
Step 4 Click Apply Changes to save the changes.
Step 5 Click the Servers tab to view the pending or running configuration.

Committing the Distribution


The RADIUS or TACACS+ global and/or server configuration stored in the temporary buffer can be
applied to the running configuration across all switches in the fabric (including the originating switch).
To distribute a RADIUS or TACACS+ configuration using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select either RADIUS or TACACS+. You see the
RADIUS or TACACS+ configuration in the Information pane.
Step 2 Choose the CFS tab. You see the RADIUS or TACACS+ CFS configuration.
Step 3 Choose commitChanges in the Config Action drop-down list for all switches on which you want to
enable CFS for RADIUS or TACACS+.
Step 4 Click Apply Changes to distribute the changes through the fabric.

Discarding the Distribution Session


Discarding the distribution of a session in progress causes the configuration in the temporary buffer to
be dropped. The distribution is not applied.

To discard RADIUS or TACACS+ distribution using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA, and then select either RADIUS or TACACS+. You see either the
RADIUS or TACACS+ configuration in the Information pane.
Step 2 Click the CFS tab. You see either the RADIUS or TACACS+ CFS configuration.
Step 3 Choose abort from the Config Action drop-down list for each switch that should discard the pending
RADIUS or TACACS+ distribution.
Step 4 Click Apply Changes.

Clearing Sessions
To clear a RADIUS or TACACS+ distribution using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security > AAA and then select either RADIUS or TACACS+.
You see either the RADIUS or TACACS+ configuration in the Information pane.
Step 2 Choose the CFS tab. You see either the RADIUS or TACACS+ CFS configuration.
Step 3 Choose clear from the Config Action drop-down list for each switch that should clear the pending
RADIUS or TACACS+ distribution.
Step 4 Click Apply Changes.

Merge Guidelines for RADIUS and TACACS+ Configurations


The RADIUS and TACACS+ server and global configuration are merged when two fabrics merge. The
merged configuration is applied to CFS distribution-enabled switches.
When merging the fabric, be aware of the following conditions:
The server groups are not merged.
The server and global keys are not changed during the merge.
The merged configuration contains all servers found on all CFS enabled switches.
The timeout and retransmit parameters of the merged configuration are the largest values found per
server and global configuration.

Caution If there is a conflict between two switches in the server ports configured, the merge fails.

MSCHAP Authentication
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP.
You can use MSCHAP for user logins to an MDS switch through a remote authentication server
(RADIUS or TACACS+).

About Enabling MSCHAP


By default, the switch uses Password Authentication Protocol (PAP) authentication between the switch
and the remote server. If you enable MSCHAP, you need to configure your RADIUS server to recognize
the MSCHAP vendor-specific attributes. See the About Vendor-Specific Attributes section on
page 41-13. Table 41-1 shows the RADIUS vendor-specific attributes required for MSCHAP.

Table 41-1 MSCHAP RADIUS Vendor-Specific Attributes

Vendor-ID Number | Vendor-Type Number | Vendor-Specific Attribute | Description
311 | 11 | MSCHAP-Challenge | Contains the challenge sent by an AAA server to an MSCHAP user. It can be used in both Access-Request and Access-Challenge packets.
211 | 11 | MSCHAP-Response | Contains the response value provided by an MS-CHAP user in response to the challenge. It is only used in Access-Request packets.

Enabling MSCHAP Authentication


To enable MSCHAP authentication using Device Manager, follow these steps:

Step 1 Click Security > AAA.


You see the AAA configuration in the Information pane as shown in Figure 41-8.

Figure 41-8 AAA Configuration in Device Manager

Step 2 Click the General tab.


You see the MSCHAP configuration as shown in Figure 41-9.

Figure 41-9 MSCHAP Configuration

Step 3 Check the AuthTypeMSCHAP check box to use MSCHAP to authenticate users on the switch.

Step 4 Click Apply Changes to save the changes.

Local AAA Services


The system maintains the username and password locally and stores the password information in
encrypted form. You are authenticated based on the locally stored user information. See the Configuring
Roles and Profiles section on page 39-2.
You can turn off password verification using the none option. If you configure this option, users can log
in without giving a valid password. But the user should at least exist locally on the Cisco MDS 9000
Family switch.

Caution Use this option cautiously. If configured, any user can access the switch at any time.

Refer to the Cisco MDS 9000 Family CLI Configuration Guide to configure this option.

Configuring Cisco Access Control Servers


The Cisco Access Control Server (ACS) uses TACACS+ and RADIUS protocols to provide AAA
services that ensure a secure environment. When using the AAA server, user management is normally
done using Cisco ACS. Figure 41-10, Figure 41-11, Figure 41-12, and Figure 41-13 display ACS server
user setup configurations for network-admin roles and multiple roles using either RADIUS or
TACACS+.

Caution Cisco MDS NX-OS does not support all-numeric usernames, whether created with RADIUS or
TACACS+, or created locally. Local users with all-numeric names cannot be created. If an all-numeric
username exists on an AAA server and is entered during login, the user is not logged in.

Figure 41-10 Configuring the network-admin Role When Using RADIUS

Figure 41-11 Configuring Multiple Roles with SNMPv3 Attributes When Using RADIUS

Figure 41-12 Configuring the network-admin Role with SNMPv3 Attributes When Using TACACS+

Figure 41-13 Configuring Multiple Roles with SNMPv3 Attributes When Using TACACS+

Default Settings
Table 41-2 lists the default settings for all switch security features in any switch.

Table 41-2 Default Switch Security Settings

Parameters Default
Roles in Cisco MDS switches Network operator (network-operator)
AAA configuration services Local
Authentication port 1812
Accounting port 1813
Preshared key communication Clear text

RADIUS server timeout 1 (one) second
RADIUS server retries Once
RADIUS server directed requests Disabled
TACACS+ Disabled
TACACS+ servers None configured
TACACS+ server timeout 5 seconds
TACACS+ server directed requests Disabled
AAA server distribution Disabled
Accounting log size 250 KB

CHAPTER 42
Configuring IPv4 and IPv6 Access Control Lists

Cisco MDS 9000 Family switches can route IP version 4 (IPv4) traffic between Ethernet and Fibre
Channel interfaces. The IP static routing feature routes traffic between VSANs. To do so, each VSAN
must be in a different IPv4 subnetwork. Each Cisco MDS 9000 Family switch provides the following
services for network management systems (NMS):
IP forwarding on the out-of-band Ethernet interface (mgmt0) on the front panel of the supervisor
modules.
IP forwarding on the in-band Fibre Channel interface using the IP over Fibre Channel (IPFC)
function. IPFC specifies how IP frames can be transported over Fibre Channel using encapsulation
techniques. IP frames are encapsulated into Fibre Channel frames so NMS information can cross the
Fibre Channel network without using an overlay Ethernet network.
IP routing (default routing and static routing). If your configuration does not need an external
router, you can configure a default route using static routing.
Switches are compliant with RFC 2338 standards for Virtual Router Redundancy Protocol (VRRP)
features. VRRP is a restartable application that provides a redundant, alternate path to the gateway
switch.
IPv4 and IPv6 Access Control Lists (IPv4-ACLs and IPv6-ACLs) provide basic network security to all
switches in the Cisco MDS 9000 Family. IPv4-ACLs and IPv6-ACLs restrict IP-related traffic based on the
configured IP filters. A filter contains the rules to match an IP packet, and if the packet matches, the rule
also stipulates whether the packet should be permitted or denied.
Each switch in the Cisco MDS 9000 Family can have a maximum total of 128 IPv4-ACLs or 128
IPv6-ACLs and each IPv4-ACL or IPv6-ACL can have a maximum of 256 filters.
This chapter includes the following sections:
IPv4-ACL and IPv6-ACL Configuration Guidelines
About Filter Contents
Creating IPv4-ACLs or IPv6-ACLs with the IP-ACL Wizard
Creating IPv4-ACLs or IPv6-ACLs in Device Manager
Reading the IP-ACL Log Dump
Applying an IP-ACL to an Interface
Example IP-ACL Configuration

IPv4-ACL and IPv6-ACL Configuration Guidelines


Follow these guidelines when configuring IPv4-ACLs or IPv6-ACLs in any switch or director in the
Cisco MDS 9000 Family:
You can apply IPv4-ACLs or IPv6-ACLs to VSAN interfaces, the management interface, Gigabit
Ethernet interfaces on IPS modules and MPS-14/2 modules, and Ethernet PortChannel interfaces.

Tip If IPv4-ACLs or IPv6-ACLs are already configured in a Gigabit Ethernet interface, you cannot
add this interface to an Ethernet PortChannel group. See the Gigabit Ethernet IPv4-ACL
Guidelines section on page 53-6 for guidelines on configuring IPv4-ACLs.

Caution Do not apply IPv4-ACLs or IPv6-ACLs to only one member of a PortChannel group. Apply
IPv4-ACLs or IPv6-ACLs to the entire channel group.

Configure the order of conditions accurately. As the IPv4-ACL or the IPv6-ACL filters are
sequentially applied to the IP flows, only the first match determines the action taken. Subsequent
matches are not considered. Be sure to configure the most important condition first. If no conditions
match, the software drops the packet.
Configure explicit deny on the IP Storage Gigabit Ethernet ports to apply IP ACLs because implicit
deny does not take effect on these ports.

About Filter Contents


An IP filter contains rules for matching an IP packet based on the protocol, address, port, ICMP type,
and type of service (ToS).
This section includes the following topics:
Protocol Information
Address Information
Port Information
ICMP Information
ToS Information

Protocol Information
The protocol information is required in each filter. It identifies the name or number of an IP protocol.
You can specify the IP protocol in one of two ways:
Specify an integer ranging from 0 to 255. This number represents the IP protocol.
Specify the name of a protocol including, but not restricted to, Internet Protocol (IP), Transmission
Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol
(ICMP).

Note When configuring IPv4-ACLs or IPv6-ACLs on Gigabit Ethernet interfaces, only use the TCP
or ICMP options.

Address Information
The address information is required in each filter. It identifies the following details:
Source: The address of the network or host from which the packet is being sent.
Source-wildcard: The wildcard bits applied to the source.
Destination: The number of the network or host to which the packet is being sent.
Destination-wildcard: The wildcard bits applied to the destination.
Specify the source and source-wildcard or the destination and destination-wildcard in one of two ways:
Using the 32-bit quantity in four-part, dotted decimal format (10.1.1.2/0.0.0.0 is the same as host
10.1.1.2).
Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IPv4
address must exactly match the bit value in the corresponding bit position in the source.
Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding
position of the packet's IPv4 or IPv6 address will be considered a match to this access list entry.
Place ones in the bit positions you want to ignore. For example, 0.0.255.255 requires an exact
match of only the first 16 bits of the source. Wildcard bits set to one do not need to be contiguous
in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.
Using the any option as an abbreviation for a source and source-wildcard or destination and
destination-wildcard (0.0.0.0/255.255.255.255)
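
The following is an added example, not part of the Cisco guide and not Cisco code. It implements the wildcard-bit rule described above together with the first-match ordering and implicit deny from the configuration guidelines, and it goes one step further by reporting filters that can never be reached because an earlier filter already matches everything they match. The Filter tuple, the function names and the sample ACL are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# One IP filter. action is "permit" or "deny"; protocol "ip" matches every protocol.
Filter = namedtuple("Filter", "action protocol src src_wild dst dst_wild")
ANY = ("0.0.0.0", "255.255.255.255")  # the page's expansion of the "any" option


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def address_matches(address, base, wildcard):
    """Wildcard bit 0: the bit must equal the base. Wildcard bit 1: the bit is ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) ^ _to_int(base)) & care == 0


def filter_matches(f, protocol, src, dst):
    return (
        f.protocol in ("ip", protocol)
        and address_matches(src, f.src, f.src_wild)
        and address_matches(dst, f.dst, f.dst_wild)
    )


def evaluate(acl, protocol, src, dst):
    """Return (action, index of the deciding filter); only the first match counts."""
    for index, f in enumerate(acl):
        if filter_matches(f, protocol, src, dst):
            return f.action, index
    return "deny", None  # no filter matched: the packet is dropped


def _covers(base1, wild1, base2, wild2):
    """True if every address matched by (base2, wild2) is also matched by (base1, wild1)."""
    care1 = ~_to_int(wild1) & 0xFFFFFFFF
    later_fixes_all_cared_bits = _to_int(wild2) & care1 == 0
    bases_agree_on_cared_bits = (_to_int(base1) ^ _to_int(base2)) & care1 == 0
    return later_fixes_all_cared_bits and bases_agree_on_cared_bits


def shadowed_filters(acl):
    """List (later index, earlier index) pairs where the later filter can never be hit."""
    findings = []
    for later_index, later in enumerate(acl):
        for earlier_index in range(later_index):
            earlier = acl[earlier_index]
            if (
                earlier.protocol in ("ip", later.protocol)
                and _covers(earlier.src, earlier.src_wild, later.src, later.src_wild)
                and _covers(earlier.dst, earlier.dst_wild, later.dst, later.dst_wild)
            ):
                findings.append((later_index, earlier_index))
                break
    return findings


# Constructed sample ACL: the broad permit at index 0 hides the host deny at index 1.
SAMPLE_ACL = [
    Filter("permit", "ip", "10.1.0.0", "0.0.255.255", *ANY),
    Filter("deny", "tcp", "10.1.1.2", "0.0.0.0", *ANY),
    Filter("permit", "icmp", "10.0.0.0", "0.255.0.64", "11.11.11.2", "0.0.0.0"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "tcp", "10.1.1.2", "11.11.11.2"))
    print(evaluate(SAMPLE_ACL, "udp", "192.168.1.1", "11.11.11.2"))
    print(shadowed_filters(SAMPLE_ACL))
```

The final return in evaluate models the drop described in the guidelines; on IP Storage Gigabit Ethernet ports, where this page says implicit deny does not take effect, the closing deny has to be an explicit filter in the list.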

Port Information
The port information is optional. To compare the source and destination ports, use the eq (equal) option,
the gt (greater than) option, the lt (less than) option, or the range (range of ports) option. You can specify
the port information in one of two ways:
Specify the number of the port. Port numbers range from 0 to 65535. Table 42-1 displays the port
numbers recognized by the Cisco NX-OS software for associated TCP and UDP ports.
Specify the name of a TCP or UDP port as follows:
TCP port names can only be used when filtering TCP.
UDP port names can only be used when filtering UDP.

Table 42-1 TCP and UDP Port Numbers

Protocol | Port | Number
UDP | dns | 53
UDP | tftp | 69
UDP | ntp | 123
UDP | radius accounting | 1646 or 1813
UDP | radius authentication | 1645 or 1812
UDP | snmp | 161
UDP | snmp-trap | 162
UDP | syslog | 514
TCP (1) | ftp | 20
TCP | ftp-data | 21
TCP | ssh | 22
TCP | telnet | 23
TCP | smtp | 25
TCP | tacacs-ds | 65
TCP | www | 80
TCP | sftp | 115
TCP | http | 143
TCP | wbem-http | 5988
TCP | wbem-https | 5989
1. If the TCP connection is already established, use the established option to find matches. A match occurs if the TCP datagram
has the ACK, FIN, PSH, RST, or URG control bit set.

ICMP Information
IP packets can be filtered based on the following optional ICMP conditions:
icmp-type: The ICMP message type is a number from 0 to 255.
icmp-code: The ICMP message code is a number from 0 to 255.
Table 42-2 displays the value for each ICMP type.

Table 42-2 ICMP Type Value

ICMP Type (1) | Code
echo | 8
echo-reply | 0
destination unreachable | 3
traceroute | 30
time exceeded | 11

1. ICMP redirect packets are always rejected.

ToS Information
IP packets can be filtered based on the following optional ToS conditions:
ToS level: The level is specified by a number from 0 to 15.
ToS name: The name can be max-reliability, max-throughput, min-delay, min-monetary-cost, and
normal.

Creating IPv4-ACLs or IPv6-ACLs with the IP-ACL Wizard


Traffic coming into the switch is compared to IPv4-ACL or IPv6-ACL filters based on the order that the
filters occur in the switch. New filters are added to the end of the IPv4-ACL or the IPv6-ACL. The switch
keeps looking until it has a match. If no matches are found when the switch reaches the end of the filter,
the traffic is denied. For this reason, you should have the frequently hit filters at the top of the filter.
There is an implied deny for traffic that is not permitted. A single-entry IPv4-ACL or IPv6-ACL with
only one deny entry has the effect of denying all traffic.
To configure an IPv4-ACL or an IPv6-ACL, follow these steps:

Step 1 Create an IPv4-ACL or an IPv6-ACL by specifying a filter name and one or more access condition(s).
Filters require the source and destination address to match a condition. Use optional keywords to
configure finer granularity.

Note The filter entries are executed in sequential order. You can only add the entries to the end of the
list. Take care to add the entries in the correct order.

Step 2 Apply the access filter to specified interfaces.

To create an ordered list of IP filters in a named IPv4-ACL or IPv6-ACL profile using the IPv4-ACL
Wizard in Fabric Manager, follow these steps:

Step 1 Click the IP ACL Wizard icon from the Fabric Manager toolbar (see Figure 42-1).

Figure 42-1 IP ACL Wizard

You see the IP ACL Wizard.


Step 2 Enter a name for the IP-ACL.

Note If you are creating an IPv6-ACL, check the IPv6 check box.

Step 3 Click Add to add a new rule to this IP-ACL. You see a new rule in the table with default values.
Step 4 Modify the Source IP and Source Mask as necessary for your filter.

Note The IP-ACL Wizard only creates inbound IP filters.

Step 5 Choose the appropriate filter type from the Application drop-down list.
Step 6 Choose permit or deny from the Action drop-down list.
Step 7 Repeat Step 3 through Step 6 for additional IP filters.
Step 8 Click Up or Down to order the filters in this IP-ACL.

Tip Order the IP filters carefully. Traffic is compared to the IP filters in order. The first match is
applied and the rest are ignored.

Step 9 Click Next.


You see a list of switches to which you can apply this IP-ACL.
Step 10 Uncheck any switches to which you do not want to apply this IP-ACL.
Step 11 Select the Interface to which you want to apply this IP-ACL.
Step 12 Click Finish to create this IP-ACL and apply it to the selected switches.

Creating IPv4-ACLs or IPv6-ACLs in Device Manager


To add entries to an existing IPv4-ACL or an IPv6-ACL using Device Manager, follow these steps:

Step 1 Choose Security > IP ACL.


You see the IP ACL dialog box shown in Figure 42-2.

Figure 42-2 IP ACL Dialog Box

Step 2 Click Create to create an IP-ACL profile.

You see the Create IP ACL Profiles dialog box shown in Figure 42-3.

Figure 42-3 Create IP ACL Profiles Dialog Box

Step 3 Enter an IP-ACL profile name.


Step 4 Click Create and then click Close.
This creates a new IP-ACL profile.
Step 5 Click the IP-ACL you created and click Rules.
After you create an IPv4-ACL or an IPv6-ACL, you can add subsequent IP filters at the end of the
IPv4-ACL or the IPv6-ACL if you are using Device Manager. Fabric Manager allows you to reorder
existing rules for a profile. You cannot insert filters in the middle of an IPv4-ACL or an IPv6-ACL. Each
configured entry is automatically added to the end of an IPv4-ACL or an IPv6-ACL.
You see the IP ACL dialog box shown in Figure 42-4.

Figure 42-4 IP ACL Profile Dialog Box

Step 6 Click Create to create an IP filter.


You see the Create IP Filter dialog box shown in Figure 42-5.

Figure 42-5 Create IP Filter Dialog Box

Step 7 Choose either permit or deny for the Action and set the IP Number in the Protocol field. The drop-down
menu provides common filtered protocols.
Step 8 Set the source IP address you want this filter to match against and the wildcard mask, or check the any
check box to match this filter against any IP address.
This creates an IP filter that will check the source IP address of frames.

Note The wildcard mask denotes a subset of the IP address you want to match against. This allows a
range of addresses to match against this filter.

Step 9 Set the transport layer source port range if the protocol chosen is TCP or UDP.
Step 10 Repeat Step 8 and Step 9 for the destination IP address and port range.
This creates an IP filter that will check the destination IP address of frames.
Step 11 Set the ToS, ICMPType, and ICMPCode fields as appropriate.
Step 12 Check the TCPEstablished check box if you want to match TCP connections with
ACK, FIN, PSH, RST, SYN, or URG control bits set.
Step 13 Check the LogEnabled check box if you want to log all frames that match this IP filter.
Step 14 Click Create to create this IP filter and add it to your IP-ACL.

Removing IP Filters from an Existing IPv4-ACL or IPv6-ACL


To remove configured entries from an IPv4-ACL or an IPv6-ACL using Device Manager, follow these
steps:

Step 1 Choose Security > IP ACLs.


You see the IP-ACL dialog box (see Figure 42-2).

Step 2 Click the IP-ACL you want to modify and click Rules.
You see the list of IP filters associated with this IP-ACL (see Figure 42-4).
Step 3 Select the filter that you want to delete and click Delete to delete that IP filter.

Deleting IP-ACLs
You must delete the association between the IP-ACL and interfaces before deleting the IP-ACL.
To delete an IP-ACL using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IP ACL from the Physical Attributes pane.
You see the IP-ACL configuration in the Information pane.
Step 2 Click the Profiles tab.
You see a list of switches, ACLs, and profile names.
Step 3 Select the row you want to delete. To delete multiple rows, hold down the Shift key while selecting rows.
Step 4 Click Delete Row. The IP-ACLs are deleted.

Reading the IP-ACL Log Dump


Use the LogEnabled check box option during IP filter creation to log information about packets that
match this filter. The log output displays the ACL number, permit or deny status, and port information.
For the input ACL, the log displays the raw MAC information. The keyword MAC= does not refer to
showing an Ethernet MAC frame with MAC address information. It refers to the Layer 2 MAC-layer
information dumped to the log. For the output ACL, the raw Layer 2 information is not logged.
The following example is an input ACL log dump:
Jul 17 20:38:44 excal-2
%KERN-7-SYSTEM_MSG:
%IPACL-7-DENY:IN=vsan1 OUT=
MAC=10:00:00:05:30:00:47:df:10:00:00:05:30:00:8a:1f:aa:aa:03:00:00:00:08:00:45:00:00:54:00
:00:40:00:40:01:0e:86:0b:0b:0b:0c:0b:0b:0b:02:08:00:ff:9c:01:15:05:00:6f:09:17:3f:80:02:01
:00:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20:21:22:23:24
:25:26:27:28:29:2a:2b SRC=11.11.11.12 DST=11.11.11.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0
DF PROTO=ICMP TYPE=8 CODE=0 ID=277 SEQ=1280

The following example is an output ACL log dump:


Jul 17 20:38:44 excal-2
%KERN-7-SYSTEM_MSG:
%IPACL-7-DENY:IN= OUT=vsan1 SRC=11.11.11.2 DST=11.11.11.12 LEN=84 TOS=0x00 PREC=0x00
TTL=255 ID=38095 PROTO=ICMP TYPE=0 CODE=0 ID=277 SEQ=1280
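
The following Python code is an added example, not part of the Cisco guide. It parses the two sample entries above, keeps the IP-layer ID= apart from the ICMP ID=, and decodes the IPv4 header carried in the input entry's MAC= dump so the raw bytes can be checked against the logged fields. It assumes the dump holds an LLC/SNAP header for IPv4 directly before the IP header, as the sample does; all function names are illustrative.

```python
import ipaddress
import re

# The page's two sample entries, with the wrapped lines joined back together.
INPUT_ENTRY = (
    "Jul 17 20:38:44 excal-2 %KERN-7-SYSTEM_MSG: %IPACL-7-DENY:IN=vsan1 OUT= "
    "MAC=10:00:00:05:30:00:47:df:10:00:00:05:30:00:8a:1f:aa:aa:03:00:00:00:08:00:45:00:00:54:00"
    ":00:40:00:40:01:0e:86:0b:0b:0b:0c:0b:0b:0b:02:08:00:ff:9c:01:15:05:00:6f:09:17:3f:80:02:01"
    ":00:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20:21:22:23:24"
    ":25:26:27:28:29:2a:2b SRC=11.11.11.12 DST=11.11.11.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 "
    "DF PROTO=ICMP TYPE=8 CODE=0 ID=277 SEQ=1280"
)
OUTPUT_ENTRY = (
    "Jul 17 20:38:44 excal-2 %KERN-7-SYSTEM_MSG: %IPACL-7-DENY:IN= OUT=vsan1 "
    "SRC=11.11.11.2 DST=11.11.11.12 LEN=84 TOS=0x00 PREC=0x00 "
    "TTL=255 ID=38095 PROTO=ICMP TYPE=0 CODE=0 ID=277 SEQ=1280"
)

# Assumption: the dump holds an LLC/SNAP header announcing IPv4 (aa:aa:03, OUI 00:00:00,
# type 08:00) directly before the IP header, as the page's sample does.
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17}


def parse_entry(line):
    """Split one IP-ACL log entry into status, interfaces, IP fields and transport fields."""
    found = re.search(r"%IPACL-(\d)-([A-Z]+):(.*)", line)
    if not found:
        raise ValueError("not an IP-ACL log entry")
    entry = {"severity": int(found.group(1)), "status": found.group(2),
             "flags": [], "ip": {}, "l4": {}}
    layer = entry["ip"]
    for token in found.group(3).split():
        key, sep, value = token.partition("=")
        if not sep:
            entry["flags"].append(token)      # bare tokens such as DF
        elif key in ("IN", "OUT", "MAC"):
            entry[key.lower()] = value
        else:
            layer[key] = value
            if key == "PROTO":
                layer = entry["l4"]           # keys after PROTO= (the second ID=) are transport
    entry["direction"] = "input" if entry.get("in") else "output"
    return entry


def decode_l2_dump(mac_field):
    """Decode the IPv4 header (and ICMP header, if present) inside a MAC= dump, else None."""
    raw = bytes.fromhex(mac_field.replace(":", ""))
    start = raw.find(SNAP_IPV4)
    if start < 0:
        return None
    ip = raw[start + len(SNAP_IPV4):]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    total = sum(int.from_bytes(ip[i:i + 2], "big") for i in range(0, ihl, 2))
    while total >> 16:                        # fold carries: a valid header sums to 0xFFFF
        total = (total & 0xFFFF) + (total >> 16)
    decoded = {"l2_prefix_len": start, "captured": len(ip), "checksum_ok": total == 0xFFFF,
               "l4": {}, "ip": {
                   "SRC": str(ipaddress.IPv4Address(ip[12:16])),
                   "DST": str(ipaddress.IPv4Address(ip[16:20])),
                   "LEN": int.from_bytes(ip[2:4], "big"),
                   "ID": int.from_bytes(ip[4:6], "big"),
                   "TTL": ip[8], "PROTO": ip[9], "DF": bool(ip[6] & 0x40)}}
    if ip[9] == 1 and len(ip) >= ihl + 8:     # ICMP header follows the IP header
        icmp = ip[ihl:ihl + 8]
        decoded["l4"] = {"TYPE": icmp[0], "CODE": icmp[1]}
        if icmp[0] in (0, 8):                 # only echo and echo reply carry id and sequence
            decoded["l4"]["ID"] = int.from_bytes(icmp[4:6], "big")
            decoded["l4"]["SEQ"] = int.from_bytes(icmp[6:8], "big")
    return decoded


def cross_check(entry):
    """Return logged fields that disagree with the dump; None when there is no dump to check."""
    decoded = decode_l2_dump(entry["mac"]) if entry.get("mac") else None
    if decoded is None:
        return None                           # output ACL entries carry no Layer 2 dump
    mismatches = [] if decoded["checksum_ok"] else ["checksum"]
    for key, value in decoded["ip"].items():
        if key == "DF":
            logged = "DF" in entry["flags"]
        elif key == "PROTO":
            logged = PROTO_NUMBERS.get(entry["ip"].get("PROTO"))
        else:
            logged, value = entry["ip"].get(key), str(value)
        if logged != value:
            mismatches.append(key)
    mismatches += ["l4." + key for key, value in decoded["l4"].items()
                   if entry["l4"].get(key) != str(value)]
    return mismatches
```

In the sample, the dump holds fewer IP bytes than the logged LEN value, so the decoder reads only the headers and does not expect the full payload.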


Applying an IP-ACL to an Interface


You can define IP-ACLs without applying them. However, the IP-ACLs will have no effect until they are
applied to an interface on the switch. You can apply IP-ACLs to VSAN interfaces, the management
interface, Gigabit Ethernet interfaces on IPS modules and MPS-14/2 modules, and Ethernet PortChannel
interfaces.

Tip Apply the IP-ACL on the interface closest to the source of the traffic.

When you are trying to block traffic from source to destination, you can apply an inbound IPv4-ACL to
M0 on Switch 1 instead of an outbound filter to M1 on Switch 3 (see Figure 42-6).

Figure 42-6 Denying Traffic on the Inbound Interface
(Diagram: traffic source, M0 on Switch 1, Switch 2, M1 on Switch 3, traffic destination.)

The access-group option controls access to an interface. Each interface can only be associated with one
IP-ACL per direction. The ingress direction can have a different IP-ACL than the egress direction. The
IP-ACL becomes active when applied to the interface.

Tip Create all conditions in an IP-ACL before applying it to the interface.

Caution If you apply an IP-ACL to an interface before creating it, all packets in that interface are dropped because
the IP-ACL is empty.

The terms in, out, source, and destination are used as referenced by the switch:
• In: Traffic that arrives at the interface and goes through the switch; the source is where it is
transmitted from and the destination is where it is transmitted to (on the other side of the router).

Tip The IP-ACL applied to the interface for the ingress traffic affects both local and remote traffic.

• Out: Traffic that has already been through the switch and is leaving the interface; the source is
where it is transmitted from and the destination is where it is transmitted to.

Tip The IP-ACL applied to the interface for the egress traffic only affects local traffic.


Applying an IP-ACL to mgmt0


A system default ACL called mgmt0 exists on the mgmt0 interface. This ACL is not visible to the user,
so mgmt0 is a reserved ACL name that cannot be used. The mgmt0 ACL blocks most ports and only
allows access to required ports in line with accepted security policies.
To apply an IP-ACL to an interface using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IP ACL in the Physical Attributes pane.
You see the IP-ACL configuration in the Information pane.
Step 2 Click the Interfaces tab.
You see a list of interfaces and associated IP-ACLs.
Step 3 Click Create Row.
You see the Create Interfaces dialog box shown in Figure 42-7.

Figure 42-7 Create Interfaces Dialog Box

Step 4 (Optional) Remove the switches you do not want to include in the IP-ACL by unchecking the check boxes
next to the switch addresses.
Set the interface you want associated with an IPv4-ACL or IPv6-ACL in the Interface field.
Step 5 Choose a ProfileDirection (either inbound or outbound).
Step 6 Enter the IP-ACL name in the Profile Name field.

Note This IP-ACL name must have already been created using the Create Profiles dialog box. If not,
no filters will be enabled until you go to the Create Profiles dialog box and create the profile.

Step 7 Click Create to associate the IP-ACL.


You see the newly associated access list in the list of IP-ACLs.


Example IP-ACL Configuration


To define an IP-ACL that restricts management access using Device Manager, follow these steps:

Step 1 Choose Security > IP ACL.


You see the IP-ACL dialog box in Figure 42-2.
Step 2 Click Create to create an IP-ACL.
You see the Create IP ACL Profiles dialog box shown in Figure 42-3.
Step 3 Enter RestrictMgmt as the profile name and click Create.
This creates an empty IP-ACL named RestrictMgmt (see Figure 42-8).

Figure 42-8 RestrictMgmt Profile Added to the List

Step 4 Select RestrictMgmt and click Rules.


You see an empty list of IP filters associated with this IP-ACL.
Step 5 Click Create to create the first IP filter.
You see the Create IP Filter dialog box shown in Figure 42-5.
Step 6 Create an IP filter to allow management communications from a trusted subnet:
a. Choose the permit Action and select 0 IP from the Protocol drop-down menu.
b. Set the source IP address to 10.67.16.0 and the wildcard mask to 0.0.0.255.

Note The wildcard mask denotes a subset of the IP Address you want to match against. This
allows a range of addresses to match against this filter.

c. Check the any check box for the destination address.


d. Click Create to create this IP filter and add it to the RestrictMgmt IP-ACL.
Repeat Step a through Step d to create an IP filter that allows communications for all addresses in the
10.67.16.0/24 subnet.
Step 7 Create an IP filter to allow ICMP ping commands:
a. Choose the permit Action and select 1-ICMP from the Protocol drop-down menu.
b. Check the any check box for the source address.
c. Check the any check box for the destination address.


d. Select 8 echo from the ICMPType drop-down menu.


e. Click Create to create this IP filter and add it to the RestrictMgmt IP-ACL.
Repeat Step a through Step e to create an IP filter that allows ICMP ping.
Step 8 Create a final IP Filter to block all other traffic:
a. Choose the deny Action and select 0 IP from the Protocol drop-down menu.
b. Check the any check box for the source address.
c. Check the any check box for the destination address.
d. Click Create to create this IP filter and add it to the RestrictMgmt IP-ACL.
e. Click Close to close the Create IP Filter dialog box.
Repeat Step a through Step d to create an IP filter that blocks all other traffic.
Step 9 Apply the RestrictMgmt IP ACL to the mgmt0 interface:
a. Click Security, select IP ACL and then click the Interfaces tab in the IP ACL dialog box.
b. Click Create.
You see the Create IP-ACL Interfaces dialog box.
c. Select mgmt0 from the Interfaces drop-down menu.
d. Select the inbound Profile Direction.
e. Select RestrictMgmt from the ProfileName drop-down menu.
f. Click Create to apply the RestrictMgmt IP-ACL to the mgmt0 interface.
Repeat Step a through Step f to apply the new IP-ACL to the mgmt0 interface.
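
An added Python example (not part of the Cisco guide) that models the RestrictMgmt IP-ACL from the steps above and the wildcard mask described in the Note: filters are checked in creation order, the first match decides, and a packet that matches nothing is dropped, which is why an empty IP-ACL drops everything. The Packet and Filter classes and the shadowed() ordering check are illustrative names, and the sample packet addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" check box: every bit is "don't care"
IP, ICMP, TCP = 0, 1, 6                # protocol numbers; 0 is the "0 IP" entry (any protocol)


def wildcard_match(address, base, wildcard):
    """True when address equals base on every bit where the wildcard mask has a 0."""
    addr, ref, wild = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (ref & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    action: str                          # "permit" or "deny"
    protocol: int
    src: Tuple[str, str] = ANY           # (address, wildcard mask)
    dst: Tuple[str, str] = ANY
    icmp_type: Optional[int] = None

    def matches(self, pkt):
        if self.protocol != IP and self.protocol != pkt.protocol:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return wildcard_match(pkt.src, *self.src) and wildcard_match(pkt.dst, *self.dst)


# The RestrictMgmt IP-ACL built in the steps above, in creation order.
RESTRICT_MGMT = [
    Filter("permit", IP, src=("10.67.16.0", "0.0.0.255")),   # Step 6: trusted subnet
    Filter("permit", ICMP, icmp_type=8),                      # Step 7: ICMP echo (ping)
    Filter("deny", IP),                                       # Step 8: block all other traffic
]


def evaluate(acl, pkt):
    """Return (action, 1-based index of the deciding filter); index None means no match."""
    for index, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None                  # nothing matched, so the packet is dropped


def covers(outer, inner):
    """True when every address matched by inner=(base, wildcard) is also matched by outer."""
    (ob, ow), (ib, iw) = [tuple(int(ipaddress.IPv4Address(x)) for x in pair)
                          for pair in (outer, inner)]
    care = ~ow & 0xFFFFFFFF
    return (iw & care) == 0 and ((ob ^ ib) & care) == 0


def shadowed(acl):
    """List (filter, earlier filter) index pairs where the earlier filter always matches first."""
    pairs = []
    for later in range(1, len(acl)):
        for earlier in range(later):
            a, b = acl[earlier], acl[later]
            if (a.protocol in (IP, b.protocol) and a.icmp_type in (None, b.icmp_type)
                    and covers(a.src, b.src) and covers(a.dst, b.dst)):
                pairs.append((later + 1, earlier + 1))
                break
    return pairs
```

Entering a subnet mask (255.255.255.0) where the wildcard mask (0.0.0.255) belongs inverts the match: the filter then matches any address ending in .0 and no longer matches hosts in 10.67.16.0/24.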


CHAPTER 43
Configuring Certificate Authorities and Digital Certificates

Public Key Infrastructure (PKI) support provides the means for the Cisco MDS 9000 Family switches to
obtain and use digital certificates for secure communication in the network. PKI support provides
manageability and scalability for IPsec/IKE and SSH.
This chapter includes the following sections:
• About CAs and Digital Certificates
• Configuring CAs and Digital Certificates
• Example Configurations
• Maximum Limits
• Default Settings

About CAs and Digital Certificates


This section provides information about certificate authorities (CAs) and digital certificates, and
includes the following topics:
• Purpose of CAs and Digital Certificates
• Trust Model, Trust Points, and Identity CAs
• RSA Key-Pairs and Identity Certificates
• Multiple Trusted CA Support
• PKI Enrollment Support
• Manual Enrollment Using Cut-and-Paste Method
• Multiple RSA Key-Pair and Identity CA Support
• Peer Certificate Verification
• CRL Downloading, Caching, and Checking Support
• OCSP Support
• Import and Export Support for Certificates and Associated Key Pairs


Purpose of CAs and Digital Certificates


CAs manage certificate requests and issue certificates to participating entities such as hosts, network
devices, or users. The CAs provide centralized key management for the participating entities.
Digital signatures, based on public key cryptography, digitally authenticate devices and individual users.
In public key cryptography, such as the RSA encryption system, each device or user has a key-pair
containing both a private key and a public key. The private key is kept secret and is known only to the
owning device or user. However, the public key is known to everybody. The keys act as
complements. Anything encrypted with one of the keys can be decrypted with the other. A signature is
formed when data is encrypted with a sender's private key. The receiver verifies the signature by
decrypting the message with the sender's public key. This process relies on the receiver having a copy
of the sender's public key and knowing with a high degree of certainty that it really does belong to the
sender and not to someone pretending to be the sender.
Digital certificates link the digital signature to the sender. A digital certificate contains information to
identify a user or device, such as the name, serial number, company, department, or IP address. It also
contains a copy of the entity's public key. The certificate is itself signed by a CA, a third party that is
explicitly trusted by the receiver to validate identities and to create digital certificates.
To validate the signature of the CA, the receiver must first know the CA's public key. Normally this
process is handled out-of-band or through an operation done at installation. For instance, most web
browsers are configured with the public keys of several CAs by default. The Internet Key Exchange
(IKE), an essential component of IPsec, can use digital signatures to scalably authenticate peer devices
before setting up security associations.

Trust Model, Trust Points, and Identity CAs


The trust model used in PKI support is hierarchical with multiple configurable trusted CAs. Each
participating entity is configured with a list of CAs to be trusted so that the peer's certificate obtained
during the security protocol exchanges can be verified, provided it has been issued by one of the locally
trusted CAs. To accomplish this, the CA's self-signed root certificate (or certificate chain for a subordinate
CA) is locally stored. The process of securely obtaining a trusted CA's root certificate (or the entire chain
in the case of a subordinate CA) and storing it locally is called CA authentication and is a mandatory
step in trusting a CA.
The information about a trusted CA that is locally configured is called the trust point and the CA itself
is called a trust point CA. This information consists of the CA certificate (or certificate chain in the case of a
subordinate CA) and the certificate revocation checking information.
The MDS switch can also enroll with a trust point to obtain an identity certificate (for example, for
IPsec/IKE). This trust point is called an identity CA.

RSA Key-Pairs and Identity Certificates


You can generate one or more RSA key-pairs and associate each RSA key-pair with a trust point CA
where the MDS switch intends to enroll to obtain an identity certificate. The MDS switch needs only one
identity per CA, which consists of one key-pair and one identity certificate per CA.
Cisco MDS NX-OS allows you to generate RSA key-pairs with a configurable key size (or modulus).
The default key size is 512. You can also configure an RSA key-pair label. The default key label is the
switch fully qualified domain name (FQDN).


The following list summarizes the relationship between trust points, RSA key-pairs, and identity
certificates:
• A trust point corresponds to a specific CA that the MDS switch trusts for peer certificate verification
for any application (such as IKE or SSH).
• An MDS switch can have many trust points and all applications on the switch can trust a peer
certificate issued by any of the trust point CAs.
• A trust point is not restricted to a specific application.
• An MDS switch enrolls with the CA corresponding to the trust point to obtain an identity certificate.
You can enroll your switch with multiple trust points, thereby obtaining a separate identity certificate
from each trust point. The identity certificates are used by applications depending upon the purposes
specified in the certificate by the issuing CA. The purpose of a certificate is stored in the certificate
as certificate extensions.
• When enrolling with a trust point, you must specify an RSA key-pair to be certified. This key-pair
must be generated and associated to the trust point before generating the enrollment request. The
association between the trust point, key-pair, and identity certificate is valid until it is explicitly
removed by deleting the certificate, key-pair, or trust point.
• The subject name in the identity certificate is the fully qualified domain name for the MDS switch.
• You can generate one or more RSA key-pairs on a switch and each can be associated to one or more
trust points. But no more than one key-pair can be associated to a trust point, which means only one
identity certificate is allowed from a CA.
• If multiple identity certificates (each from a distinct CA) have been obtained, the certificate that an
application selects to use in a security protocol exchange with a peer is application specific (see the
"IPsec Digital Certificate Support" section on page 44-7 and the "SSH Authentication Using Digital
Certificates" section on page 39-19).
• You do not need to designate one or more trust points for an application. Any application can use
any certificate issued by any trust point as long as the certificate purpose satisfies the application
requirements.
• You do not need more than one identity certificate from a trust point or more than one key-pair to
be associated to a trust point. A CA certifies a given identity (name) only once and does not issue
multiple certificates with the same subject name. If you need more than one identity certificate for
a CA, then define another trust point for the same CA, associate another key-pair to it, and have it
certified, provided the CA allows multiple certificates with the same subject name.

Multiple Trusted CA Support


An MDS switch can be configured to trust multiple CAs by configuring multiple trust points and
associating each with a distinct CA. With multiple trusted CAs, you do not have to enroll a switch with
the specific CA that issued a certificate to a peer. Instead, you configure the switch with multiple trusted
CAs that the peer trusts. A switch can then use a configured trusted CA to verify certificates offered by
a peer that were not issued by the same CA defined in the identity of the switch.
Configuring multiple trusted CAs allows two or more switches enrolled under different domains
(different CAs) to verify the identity of each other when using IKE to set up IPsec tunnels.


PKI Enrollment Support


Enrollment is the process of obtaining an identity certificate for the switch that is used for applications
such as IPsec/IKE or SSH. It occurs between the switch requesting the certificate and the certificate
authority.
The PKI enrollment process for a switch involves the following steps:
1. Generate an RSA private and public key-pair on the switch.
2. Generate a certificate request in standard format and forward it to the CA.
3. Manual intervention at the CA server by the CA administrator may be required to approve the
enrollment request, when it is received by the CA.
4. Receive the issued certificate back from the CA, signed with the CA's private key.
5. Write the certificate into a nonvolatile storage area on the switch (bootflash).

Manual Enrollment Using Cut-and-Paste Method


Cisco MDS NX-OS supports certificate retrieval and enrollment using a manual cut-and-paste method.
Cut-and-paste enrollment literally means you must cut and paste the certificate requests and resulting
certificates between the switch and the CA, as follows:
1. Create an enrollment certificate request, which is displayed in base64-encoded text form.
2. Cut and paste the encoded certificate request text in an e-mail message or in a web form and send it
to the CA.
3. Receive the issued certificate (in base64-encoded text form) from the CA in an e-mail message or
in a web browser download.
4. Cut and paste the issued certificate to the switch using the certificate import facility.

Note Fabric Manager does not support cut and paste. Instead, it allows the enrollment request (certificate
signing request) to be saved in a file to be sent manually to the CA.

Multiple RSA Key-Pair and Identity CA Support


Multiple identity CA support enables the switch to enroll with more than one trust point. This results in
multiple identity certificates, each from a distinct CA. This allows the switch to participate in IPsec and
other applications with many peers using certificates issued by appropriate CAs that are acceptable to
those peers.
The multiple RSA key-pair support feature allows the switch to maintain a distinct key-pair for each CA
with which it is enrolled. Thus, it can match policy requirements for each CA without conflicting with the
requirements specified by the other CAs, such as key length. The switch can generate multiple RSA
key-pairs and associate each key-pair with a distinct trust point. Thereafter, when enrolling with a trust
point, the associated key-pair is used to construct the certificate request.


Peer Certificate Verification


The PKI support on an MDS switch provides the means to verify peer certificates. The switch verifies
certificates presented by peers during security exchanges pertaining to applications, such as IPsec/IKE
and SSH. The applications verify the validity of the peer certificates presented to them. The peer
certificate verification process involves the following steps:
• Verifies that the peer certificate is issued by one of the locally trusted CAs.
• Verifies that the peer certificate is valid (not expired) with respect to current time.
• Verifies that the peer certificate is not yet revoked by the issuing CA.
For revocation checking, two methods are supported: certificate revocation list (CRL) and Online
Certificate Status Protocol (OCSP). A trust point uses one or both of these methods to verify that the
peer certificate has not been revoked.

CRL Downloading, Caching, and Checking Support


Certificate revocation lists (CRLs) are maintained by CAs to provide information about prematurely revoked
certificates, and the CRLs are published in a repository. The download URL is made public and also
specified in all issued certificates. A client verifying a peer's certificate should obtain the latest CRL
from the issuing CA and use it to determine if the certificate has been revoked. A client can cache the
CRLs of some or all of its trusted CAs locally and use them later if necessary until the CRLs expire.
Cisco MDS NX-OS allows the manual configuration of pre-downloaded CRLs for the trust points,
and then caches them in the switch bootflash (cert-store). During the verification of a peer certificate by
IPsec or SSH, the issuing CA's CRL is consulted only if the CRL has already been cached locally and
the revocation checking is configured to use CRL. Otherwise, CRL checking is not performed and the
certificate is considered to be not revoked if no other revocation checking methods are configured. This
mode of CRL checking is called CRL optional.

OCSP Support
Online Certificate Status Protocol (OCSP) facilitates online certificate revocation checking. You can
specify an OCSP URL for each trust point. Applications choose the revocation checking mechanisms in
a specified order. The choices are CRL, OCSP, none, or a combination of these methods.

Import and Export Support for Certificates and Associated Key Pairs
As part of the CA authentication and enrollment process, the subordinate CA certificate (or certificate
chain) and identity certificates can be imported in standard PEM (base64) format.
The complete identity information in a trust point can be exported to a file in the password-protected
PKCS#12 standard format. It can be later imported to the same switch (for example, after a system crash)
or to a replacement switch. The information in a PKCS#12 file consists of the RSA key-pair, the identity
certificate, and the CA certificate (or chain).


Configuring CAs and Digital Certificates


This section describes the tasks you must perform to allow CAs and digital certificates to interoperate
on your Cisco MDS switch device. This section includes the following topics:
• Configuring the Host Name and IP Domain Name
• Generating an RSA Key-Pair
• Creating a Trust Point CA Association
• Copying Files to Bootflash
• Authenticating the CA
• Configuring Certificate Revocation Checking Methods
• Generating Certificate Requests
• Installing Identity Certificates
• Saving Your Configuration
• Ensuring Trust Point Configurations Persist Across Reboots
• Monitoring and Maintaining CA and Certificates Configuration

Configuring the Host Name and IP Domain Name


You must configure the host name and IP domain name of the switch if they are not already configured.
This is required because the switch FQDN is used as the subject in the identity certificate. Also, the switch
FQDN is used as the default key label when none is specified during key-pair generation. For example, a
certificate named SwitchA.example.com is based on a switch host name of SwitchA and a switch IP
domain name of example.com.

Caution Changing the host name or IP domain name after generating the certificate can invalidate the certificate.

To configure the host name and IP domain name, refer to the Cisco MDS 9000 NX-OS CLI Configuration
Guide.

Generating an RSA Key-Pair


RSA key-pairs are used to sign and/or encrypt and decrypt the security payload during security protocol
exchanges for applications such as IKE/IPsec and SSH, and they are required before you can obtain a
certificate for your switch.
To generate an RSA key-pair using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select PKI in the Information pane.
Step 2 Click the RSA Key-Pair tab.
You see the information shown in Figure 43-1.


Figure 43-1 PKI RSA Key-Pair Information

Step 3 Click Create Row.


You see the Create RSA Key-Pair dialog box shown in Figure 43-2.

Figure 43-2 Create RSA Key-Pair Dialog Box

Step 4 Select the switches for which you want to create the RSA key-pair.
Step 5 Assign a name to the RSA key-pair.
Step 6 Select the Size or modulus values. Valid modulus values are 512, 768, 1024, 1536, and 2048.

Note The security policy (or requirement) at the local site (MDS switch) and at the CA (where
enrollment is planned) are considered in deciding the appropriate key modulus.

Note The maximum number of key-pairs you can configure on a switch is 16.

Step 7 Check the Exportable check box if you want the key to be exportable.

Caution The exportability of a key-pair cannot be changed after key-pair generation.

Note Only exportable key-pairs can be exported in PKCS#12 format.


Step 8 Click Create to create the RSA Key-Pair.

Creating a Trust Point CA Association


To create a trust point CA association using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security then select PKI in the Physical Attributes pane.
Step 2 Click the Trust Point tab in the Information Pane.
You see the information shown in Figure 43-3.

Figure 43-3 Trust Point Tab

Step 3 Click Create Row.


You see the Create Trust Point dialog box shown in Figure 43-4.

Figure 43-4 Create Trust Point Dialog Box

Step 4 Select the switch for which you are creating the trust point CA from the Switch drop-down menu.
Step 5 Assign a name to the trust point CA.
Step 6 Select a key-pair name to be associated with this trust point for enrollment. It was generated earlier in
the "Generating an RSA Key-Pair" section on page 43-6. Only one RSA key-pair can be specified per
CA.
Step 7 From the RevokeCheckMethod drop-down menu, select the certificate revocation method that you would
like to use (see Figure 43-4). You can use CRL, OCSP, CRL OCSP, or OCSP CRL to check for certificate
revocation. The CRL OCSP option checks for revoked certificates first in the locally stored CRL. If not
found, the switch uses OCSP to check the revoked certificates on the URL specified in Step 7.
Step 8 Enter the OCSP URL if you selected an OCSP certificate revocation method.


Note The OCSP URL must be configured before configuring the revocation checking method.

Step 9 Click Create to successfully create the trust point CA.

Copying Files to Bootflash


To copy files to bootflash using Device Manager, follow these steps:

Step 1 Choose Admin > Flash Files.


Step 2 Select bootflash in the Device field.
You see a list of flash files in the dialog box shown in Figure 43-5.

Figure 43-5 Flash Files

Step 3 Click Copy.


You see the Copy Files dialog box shown in Figure 43-6.


Figure 43-6 Copy Files Dialog Box

Step 4 Select tftp in the Protocol field.


Step 5 Click the Browse button to locate the appropriate file to copy to bootflash.
Step 6 Click Apply to apply these changes.

Authenticating the CA
The configuration process of trusting a CA is complete only when the CA is authenticated to the MDS
switch. The switch must authenticate the CA. It does this by obtaining the self-signed certificate of the
CA in PEM format, which contains the public key of the CA. Because the certificate of the CA is
self-signed (the CA signs its own certificate), the public key of the CA should be manually authenticated
by contacting the CA administrator to compare the fingerprint of the CA certificate.

Note If the CA being authenticated is not a self-signed CA (that is, it is a subordinate CA to another CA, which
itself may be a subordinate to yet another CA, and so on, finally ending in a self-signed CA), then the
full list of the CA certificates of all the CAs in the certification chain needs to be input during the CA
authentication step. This is called the CA certificate chain of the CA being authenticated. The maximum
number of certificates in a CA certificate chain is 10.

To authenticate a CA using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security then select PKI in the Physical Attributes pane.
Step 2 Click the Trust Point Actions tab in the Information pane.
You see the information shown in Figure 43-7.

Figure 43-7 Trust Point Actions Tab


Step 3 From the Command field drop-down menu, select the appropriate option. Available options are caauth,
cadelete, certreq, certimport, certdelete, pkcs12import, and pkcs12export. The caauth option is
provided to authenticate a CA and install its CA certificate or certificate chain in a trust point.
Step 4 Click the Browse button in the URL field and select the appropriate import certificate file from the
Bootflash Files dialog box. It is the file name containing the CA certificate or chain in the
bootflash:filename format.

Note You can authenticate a maximum of 10 trust points to a specific CA.

Note If you do not see the required file in the Import Certificate dialog box, make sure that you copy
the file to bootflash. See the "Copying Files to Bootflash" section on page 9.

Step 5 Click Apply Changes to save the changes.


Authentication is then confirmed or not confirmed depending on whether or not the certificate can be
accepted after manual verification of its fingerprint.

Note For subordinate CA authentication, the full chain of CA certificates ending in a self-signed CA is
required because the CA chain is needed for certificate verification as well as for PKCS#12 format
export.

Confirming CA Authentication
As mentioned in step 5 of the "Authenticating the CA" section on page 43-10, CA authentication must
be followed by CA confirmation, in which you accept the CA certificate based on verification of its
fingerprint.
To confirm CA authentication using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select PKI in the Physical Attributes pane.
Step 2 Click the Trust Point Actions tab in the Information Pane.
Step 3 Make a note of the CA certificate fingerprint displayed in the IssuerCert FingerPrint column for the trust
point row in question. Compare the CA certificate fingerprint with the fingerprint already communicated
by the CA (obtained from the CA web site).
If the fingerprints match exactly, accept the CA with the certconfirm command in the Command
drop-down menu. Otherwise, reject the CA with the certnoconfirm command.
Step 4 If you selected certconfirm in step 3, click Command and select the certconfirm action from the
drop-down menu. Click Apply Changes.
If you selected certnoconfirm in step 3, click Command and select the certnoconfirm action from the
drop-down menu. Click Apply Changes.
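
The fingerprint comparison in steps 3 and 4 can be done on a workstation before the file is copied to bootflash. The following Python sketch is an added example, not Cisco code: it splits a PEM file into its certificates, enforces the 10-certificate chain limit stated in this chapter, hashes the DER bytes, and returns the matching trust point action name. It assumes the hash algorithm can be inferred from the length of the published fingerprint and that the fingerprint of interest belongs to the certificate at position index in the file; the sample blocks are constructed placeholder bytes, not real certificates, and chain signatures are not verified.

```python
import base64
import hashlib
import hmac
import re

MAX_CHAIN_CERTS = 10  # chain limit stated in this guide
# Assumption: infer the hash from the number of hex digits in the published value.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_pem(der):
    """Wrap DER bytes in a PEM certificate block (64 base64 characters per line)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def split_pem_chain(pem_text):
    """Return the DER bytes of every certificate in a PEM file, in file order."""
    ders = [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(pem_text)]
    if not ders:
        raise ValueError("no PEM certificate blocks found")
    if len(ders) > MAX_CHAIN_CERTS:
        raise ValueError("chain has %d certificates, limit is %d"
                         % (len(ders), MAX_CHAIN_CERTS))
    return ders


def normalize_fingerprint(text):
    """Drop ':', '-' and whitespace separators and lower-case the hex digits."""
    cleaned = re.sub(r"[\s:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint must contain only hex digits and separators")
    if len(cleaned) not in ALGO_BY_HEX_LEN:
        raise ValueError("unexpected fingerprint length: %d hex digits" % len(cleaned))
    return cleaned


def decide_trust_point_action(pem_text, published_fingerprint, index=0):
    """Compare one certificate's fingerprint with the value the CA published.

    Returns (action, computed_fingerprint), where action is 'certconfirm' on an
    exact match and 'certnoconfirm' otherwise.
    """
    published = normalize_fingerprint(published_fingerprint)
    algo = ALGO_BY_HEX_LEN[len(published)]
    chain = split_pem_chain(pem_text)
    computed = hashlib.new(algo, chain[index]).hexdigest()
    match = hmac.compare_digest(computed, published)
    return ("certconfirm" if match else "certnoconfirm"), computed


# Constructed sample: placeholder bytes standing in for two DER certificates.
SAMPLE_DERS = [b"constructed placeholder bytes, not a real certificate #1",
               b"constructed placeholder bytes, not a real certificate #2"]
SAMPLE_PEM = "".join(to_pem(d) for d in SAMPLE_DERS)

if __name__ == "__main__":
    # Stands in for the fingerprint obtained from the CA administrator.
    published = hashlib.sha256(SAMPLE_DERS[0]).hexdigest()
    print(decide_trust_point_action(SAMPLE_PEM, published))
```

The published fingerprint must reach you over a channel independent of the one that delivered the certificate file; otherwise the comparison proves nothing.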


Configuring Certificate Revocation Checking Methods


During security exchanges with a client (for example, an IKE peer or SSH user), the MDS switch
performs the certificate verification of the peer certificate sent by the client and the verification process
may involve certificate revocation status checking.
You can use different methods for checking for revoked sender certificates. You can configure the switch
to check the CRL downloaded from the CA (see the "Configuring a CRL" section on page 43-15), you
can use OCSP if it is supported in your network, or both. Downloading the CRL and checking locally
does not generate traffic in your network. However, certificates can be revoked between downloads and
your switch would not be aware of the revocation. OCSP provides the means to check the current CRL
on the CA. However, OCSP can generate network traffic that can impact network efficiency. Using both
local CRL checking and OCSP provides the most secure method for checking for revoked certificates.

Note You must authenticate the CA before configuring certificate revocation checking.

Fabric Manager allows you to configure certificate revocation checking methods when you are creating
a trust point CA. See the "Creating a Trust Point CA Association" section on page 43-8.

Generating Certificate Requests


You must generate a request to obtain identity certificates from the associated trust point CA for each of
your switch's RSA key-pairs. You must then cut and paste the displayed request into an e-mail message
or into a website form for the CA.
To generate a request for signed certificates from the CA using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select PKI in the Physical Attributes pane.
Step 2 Click the Trust Point Actions tab in the Information pane (see Figure 43-8).

Figure 43-8 Trust Point Actions Tab

Step 3 Select the certreq option from the Command drop-down menu. This generates a PKCS#10 certificate
signing request (CSR) needed for an identity certificate from the CA corresponding to this trust point
entry. This entry requires an associated key-pair. The CA certificate or certificate chain should already
be configured through the caauth action. See the "Authenticating the CA" section on page 43-10.
Step 4 Enter the output file name for storing the generated certificate request. It will be used to store the CSR
generated in PEM format. Use the format bootflash:filename. This CSR should be submitted to the CA
to get the identity certificate. Once the identity certificate is obtained, it should be installed in this trust
point. See the "Installing Identity Certificates" section on page 43-13.
Step 5 Enter the challenge password to be included in the CSR.


Note The challenge password is not saved with the configuration. This password is required in the
event that your certificate needs to be revoked, so you must remember this password.

Step 6 Click Apply Changes to save the changes.

Installing Identity Certificates


You receive the identity certificate from the CA by e-mail or through a web browser in base64 encoded
text form. You must install the identity certificate from the CA by cutting and pasting the encoded text.
To install an identity certificate received from the CA using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select PKI in the Physical Attributes pane.
Step 2 Click the Trust Point Actions tab, in the Information pane.
Step 3 Select the certimport option from the Command drop-down menu to import an identity certificate in
this trust point. The identity certificate is obtained from the corresponding CA for a CSR generated
previously (see the "Generating Certificate Requests" section on page 43-12).

Note The identity certificate should be available in PEM format in a file in bootflash.

Step 4 Enter the name of the certificate file that should have been copied to bootflash in the URL field in the
bootflash:filename format.
Step 5 Click Apply Changes to save your changes.
If successful, the values of the identity certificate and its related objects, like the certificate file name,
are automatically updated with the appropriate values as per the corresponding attributes in the identity
certificate.

Saving Your Configuration


Save your work when you make configuration changes or the information is lost when you exit.
To save your configuration using Fabric Manager, follow these steps:

Step 1 Expand Switches and then select Copy Configuration in the Physical Attributes pane.
Step 2 Select the switch configuration including the RSA key-pairs and certificates.
Step 3 Click Apply Changes to save the changes.


Ensuring Trust Point Configurations Persist Across Reboots


The trust point configuration is a normal Cisco NX-OS configuration that persists across system reboots
only if you copy it explicitly to the startup configuration. The certificates, key-pairs, and CRL associated
with a trust point are automatically persistent if you have already copied the trust point configuration in
the startup configuration. Conversely, if the trust point configuration is not copied to the startup
configuration, the certificates, key-pairs, and CRL associated with it are not persistent since they require
the corresponding trust point configuration after a reboot. Always copy the running configuration to the
startup configuration to ensure that the configured certificates, key-pairs, and CRLs are persistent.
Also, save the running configuration after deleting a certificate or key-pair to ensure that the deletions are
permanent.
The certificates and CRL associated with a trust point automatically become persistent when imported
(that is, without explicitly copying to the startup configuration) if the specific trust point is already
saved in the startup configuration.
We also recommend that you create a password-protected backup of the identity certificates and save it to
an external server (see the "Exporting and Importing Identity Information in PKCS#12 Format" section
on page 43-14).

Note Copying the configuration to an external server does include the certificates and key-pairs.

Monitoring and Maintaining CA and Certificates Configuration


The tasks in this section are optional. This section includes the following topics:
Exporting and Importing Identity Information in PKCS#12 Format, page 43-14
Configuring a CRL, page 43-15
Deleting Certificates from the CA Configuration, page 43-16
Deleting RSA Key-Pairs from Your Switch, page 43-16

Exporting and Importing Identity Information in PKCS#12 Format


You can export the identity certificate along with the RSA key-pair and CA certificate of a trust point
to a PKCS#12 file for backup purposes. You can later import the certificate and RSA key-pair to recover
from a system crash on your switch or when you replace the supervisor modules.

Note Only bootflash:filename format is supported when specifying the export and import URL.

To export a certificate and key pair to a PKCS#12-formatted file using Fabric Manager, follow these
steps:

Step 1 Expand Switches > Security and then select PKI in the Physical Attributes pane.
Step 2 Click the Trust Point Actions tab in the Information Pane (see Figure 43-9).
Step 3 Select the pkcs12export option in the Command drop-down menu to export the key-pair, identity
certificate, and the CA certificate or certificate chain in PKCS#12 format from the selected trust point.


Figure 43-9 Pkcs12export Option Exports a Key-Pair

Step 4 Enter the output file name as bootflash:filename to store the exported PKCS#12 identity.
Step 5 Enter the required password. The password is set for encoding the PKCS#12 data. On successful
completion, the exported data is available in bootflash in the specified file.
Step 6 Click Apply Changes to save the changes.

To import a certificate and key pair from a PKCS#12-formatted file, follow these steps:

Step 1 Expand Switches > Security and then select PKI in the Physical Attributes pane.
Step 2 Click the Trust Point Actions tab in the Information pane (see Figure 43-9).
Step 3 Select the pkcs12import option from the Command drop-down menu to import the key-pair, identity
certificate, and the CA certificate or certificate chain in the PKCS#12 format to the selected trust point.
Step 4 Enter the input in the bootflash:filename format, containing the PKCS#12 identity.
Step 5 Enter the required password. The password is set for decoding the PKCS#12 data. On completion, the
imported data is available in bootflash in the specified file.
Step 6 Click Apply Changes to save the changes.
On completion the trust point is created in the RSA key-pair table corresponding to the imported
key-pair. The certificate information is updated in the trust point.

Note The trust point must be empty (with no RSA key-pair associated with it and no CA associated with it
using CA authentication) for the PKCS#12 file import to succeed.

Configuring a CRL
To configure the CRL from a file to a trust point using Fabric Manager, follow these steps:

Step 1 Click Switches > Security > PKI in the Physical Attributes pane.


Step 2 Click the Trust Point Actions tab in the Information pane.
Step 3 Select the crlimport option from the Command drop-down menu to import the CRL to the selected trust
point.
Step 4 Enter the input file name with the CRL in the bootflash:filename format, in the URL field.
Step 5 Click Apply Changes to save the changes.

Deleting Certificates from the CA Configuration


You can delete the identity certificates and CA certificates that are configured in a trust point. You must
first delete the identity certificate, followed by the CA certificates. After deleting the identity certificate,
you can disassociate the RSA key-pair from a trust point. The certificate deletion is necessary to remove
expired or revoked certificates, certificates whose key-pairs are compromised (or suspected to be
compromised) or CAs that are no longer trusted.
To delete the CA certificate (or the entire chain in the case of a subordinate CA) from a trust point using
Fabric Manager, follow these steps:

Step 1 Click Switches > Security > PKI in the Physical Attributes pane.
Step 2 Click the Trust Point Actions tab in the Information pane.
Step 3 Select the cadelete option from the Command drop-down menu to delete the identity certificate from a
trust point.

Note If the identity certificate being deleted is the last-most or only identity certificate in the device,
you must use the forcecertdelete action to delete it. This ensures that the administrator does not
mistakenly delete the last-most or only identity certificate and leave the applications (such as
IKE and SSH) without a certificate to use.

Step 4 Click Apply Changes to save the changes.

To delete the identity certificate, click the Trust Point Actions tab and select certdelete or
forcecertdelete from the Command drop-down menu.

Deleting RSA Key-Pairs from Your Switch


Under certain circumstances you may want to delete your switch's RSA key-pairs. For example, if you
believe the RSA key-pairs were compromised in some way and should no longer be used, you should
delete the key-pairs.
To delete RSA key-pairs from your switch, follow these steps:

Step 1 Expand Switches > Security and then select PKI in the Physical Attributes pane.
Step 2 Click the RSA Key-Pair tab in the Information pane.
Step 3 Click Delete Row.


Step 4 Click Yes or No in the Confirmation dialog box.

Note After you delete RSA key-pairs from a switch, ask the CA administrator to revoke your switch's
certificates at the CA. You must supply the challenge password you created when you originally
requested the certificates. See the "Generating Certificate Requests" section on page 43-12.

Example Configurations
This section shows an example of the tasks you can use to configure certificates and CRLs on the Cisco
MDS 9000 Family switches using the Microsoft Windows Certificate server.
This section includes the following topics:
Configuring Certificates on the MDS Switch, page 43-17
Downloading a CA Certificate, page 43-19
Requesting an Identity Certificate, page 43-24
Revoking a Certificate, page 43-30
Generating and Publishing the CRL, page 43-33
Downloading the CRL, page 43-34
Importing the CRL, page 43-36

Configuring Certificates on the MDS Switch


To configure certificates on an MDS switch using Fabric Manager, follow these steps:

Step 1 Choose Switches and set the LogicalName field to configure the switch host name.
Step 2 Choose Switches > Interfaces > Management > DNS and set the DefaultDomainName field to
configure.
Step 3 To create an RSA key-pair for the switch, follow these steps:
a. Choose Switches > Security > PKI and select the RSA Key-Pair tab.
b. Click Create Row and set the name and size field.
c. Check the Exportable check box and click Create.
Step 4 To create a trust point and associate the RSA key-pairs with it, follow these steps:
a. Choose Switches > Security > PKI and select the Trustpoints tab.
b. Click Create Row and set the TrustPointName field.
c. Select the RSA key-pairs from the KeyPairName drop-down menu.
d. Select the certificates revocation method from the CARevoke drop-down menu.
e. Click Create.
Step 5 Choose Switches > Copy Configuration and click Apply Changes to copy the running to startup
configuration and save the trustpoint and key pair.


Step 6 Download the CA certificate from the CA that you want to add as the trustpoint CA.
Step 7 To authenticate the CA that you want to enroll to the trust point, follow these steps:
a. Using Device Manager, choose Admin > Flash Files and select Copy and tftp copy the CA
certificate to bootflash.
b. Using Fabric Manager, choose Switches > Security > PKI and select the TrustPoint Actions tab.
c. Select caauth from the Command drop-down menu.
d. Click ... in the URL field and select the CA certificate from bootflash.
e. Click Apply Changes to authenticate the CA that you want to enroll to the trust point.
f. Click the Trust Point Actions tab in the Information Pane.
g. Make a note of the CA certificate fingerprint displayed in the IssuerCert FingerPrint column for the
trust point row in question. Compare the CA certificate fingerprint with the fingerprint already
communicated by the CA (obtained from the CA web site). If the fingerprints match exactly, accept
the CA by performing the certconfirm trust point action. Otherwise, reject the CA by performing
the certnoconfirm trust point action.
h. If you select certconfirm in step g, select the Trust Point Actions tab, select certconfirm from the
command drop-down menu and then click Apply Changes.
i. If you select certnoconfirm in step g, select the Trust Point Actions tab, select the certnoconfirm
from the command drop-down menu and then click Apply Changes.
Step 8 To generate a certificate request for enrolling with that trust point, follow these steps:
a. Select the Trust Point Actions tab in the Information pane.
b. Select certreq from the Command drop-down menu. This generates a PKCS#10 certificate signing
request (CSR) needed for an identity certificate from the CA corresponding to this trust point entry.
c. Enter the output file name for storing the generated certificate request. It should be specified in the
bootflash:filename format and will be used to store the CSR generated in PEM format.
d. Enter the challenge password to be included in the CSR. The challenge password is not saved with
the configuration. This password is required in the event that your certificate needs to be revoked,
so you must remember this password.
e. Click Apply Changes to save the changes.
Step 9 Request an identity certificate from the CA.

Note The CA may require manual verification before issuing the identity certificate.

Step 10 To import the identity certificate, follow these steps:


a. Using Device Manager, choose Admin > Flash Files and select Copy and use TFTP to copy the CA
certificate to bootflash.
b. Using Fabric Manager, choose Switches > Security > PKI and select the TrustPoint Actions tab.
c. Select the certimport option from the Command drop-down menu to import an identity certificate
in this trust point.

Note The identity certificate should be available in PEM format in a file in bootflash.


d. Enter the name of the certificate file which was copied to bootflash, in the URL field in the
bootflash:filename format.
e. Click Apply Changes to save your changes.
If successful, the values of the identity certificate and its related objects, like the certificate file
name, are automatically updated with the appropriate values as per the corresponding attributes in
the identity certificate.

Downloading a CA Certificate
To download a CA certificate from the Microsoft Certificate Services web interface, follow these steps:

Step 1 Select the Retrieve the CA certificate or certificate revocation task radio button in the Microsoft
Certificate Services web interface and click the Next button.

Step 2 Select the CA certificate file to download from the displayed list. Click the Base 64 encoded radio
button, and click the Download CA certificate link.


Step 3 Click the Open button in the File Download dialog box.

Step 4 Click the Copy to File button in the Certificate dialog box and click OK.


Step 5 Select the Base-64 encoded X.509 (CER) on the Certificate Export Wizard dialog box and click Next.

Step 6 Enter the destination file name in the File name: text box on the Certificate Export Wizard dialog box
and click Next.


Step 7 Click the Finish button on the Certificate Export Wizard dialog box.

Step 8 Display the CA certificate stored in Base-64 (PEM) format using the Microsoft Windows type
command.


Requesting an Identity Certificate


To request an identity certificate from a Microsoft Certificate server using a PKCS#10 certificate signing
request (CSR), follow these steps:

Step 1 Select the Request an identity certificate radio button on the Microsoft Certificate Services web interface
and click Next.

Step 2 Select the Advanced Request radio button and click Next.


Step 3 Select the Submit a certificate request using a base64 encoded PKCS#10 file or a renewal request
using a base64 encoded PKCS#7 file radio button and click Next.

Step 4 Paste the base64 PKCS#10 certificate request in the Saved Request text box and click Next. The
certificate request is copied from the MDS switch console (see the "Generating Certificate Requests"
section on page 43-12 and the "Configuring Certificates on the MDS Switch" section on page 43-17).


Step 5 Wait one or two days until the certificate is issued by the CA administrator.

Step 6 The CA administrator approves the certificate request.


Step 7 Select the Check on a pending certificate radio button on the Microsoft Certificate Services web
interface and click Next.

Step 8 Select the certificate request you want to check and click Next.


Step 9 Select Base 64 encoded and click the Download CA certificate link.

Step 10 Click Open on the File Download dialog box.


Step 11 Click the Details tab on the Certificate dialog and click the Copy to File button. Select the Base-64
encoded X.509 (.CER) radio button on the Certificate Export Wizard dialog box and click Next.

Step 12 Enter the destination file name in the File name: text box on the Certificate Export Wizard dialog box,
then click Next.

Step 13 Click Finish.


Step 14 Display the identity certificate in base64-encoded format using the Microsoft Windows type command.

Revoking a Certificate
To revoke a certificate using the Microsoft CA administrator program, follow these steps:


Step 1 Click the Issued Certificates folder on the Certification Authority tree. From the list, right-click the
certificate you want to revoke.
Step 2 Select All Tasks > Revoke Certificate.


Step 3 Select a reason for the revocation from the Reason code drop-down list, and click Yes.

Step 4 Click the Revoked Certificates folder to list and verify the certificate revocation.


Generating and Publishing the CRL


To generate and publish the CRL using the Microsoft CA administrator program, follow these steps:

Step 1 Select Action > All Tasks > Publish on the Certification Authority screen.

Step 2 Click Yes on the Certificate Revocation List dialog box to publish the latest CRL.


Downloading the CRL


To download the CRL from the Microsoft CA website, follow these steps:

Step 1 Select the Request the CA certificate or certificate revocation list radio button on the Microsoft
Certificate Services web interface and click Next.

Step 2 Click the Download latest certificate revocation list link.

Step 3 Click Save in the File Download dialog box.


Step 4 Enter the destination file name in the Save As dialog box and click Save.

Step 5 Display the CRL using the Microsoft Windows type command.


Importing the CRL
To import the CRL to the trust point corresponding to the CA, follow these steps:

Step 1 Click Switches > Security > PKI in the Physical Attributes pane.
Step 2 Click the Trust Point Actions tab in the Information pane.
Step 3 Select the crlimport option from the Command drop-down menu to import the CRL to the selected trust
point.
Step 4 Enter the input file name with the CRL in the bootflash:filename format, in the URL field.
Step 5 Click Apply Changes to save the changes.

Note The identity certificate for the switch that was revoked (serial number 0A338EA1000000000074) is
listed at the end.

Maximum Limits
Table 43-1 lists the maximum limits for CAs and digital certificate parameters.

Table 43-1 Maximum Limits for CA and Digital Certificate

Feature                                        Maximum Limit
Trust points declared on a switch              16
RSA key-pairs generated on a switch            16
Identity certificates configured on a switch   16
Certificates in a CA certificate chain         10
Trust points authenticated to a specific CA    10

Default Settings
Table 43-2 lists the default settings for CAs and digital certificate parameters.

Table 43-2 Default CA and Digital Certificate Parameters

Parameters                               Default
Trust point                              None
RSA key-pair                             None
RSA key-pair label                       Switch FQDN
RSA key-pair modulus                     512
RSA key-pair exportable                  Yes
Revocation check method of trust point   CRL

Chapter 44
Configuring IPsec Network Security

The IP security (IPsec) protocol is a framework of open standards that provides data confidentiality, data
integrity, and data authentication between participating peers. It is developed by the Internet Engineering
Task Force (IETF). IPsec provides security services at the IP layer, including protecting one or more data
flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a
host. The overall IPsec implementation is the latest version of RFC 2401. Cisco NX-OS IPsec
implements RFC 2402 through RFC 2410.
IPsec uses the Internet Key Exchange (IKE) protocol to handle protocol and algorithm negotiation and
to generate the encryption and authentication keys used by IPsec. While IKE can be used with other
protocols, its initial implementation is with the IPsec protocol. IKE provides authentication of the IPsec
peers, negotiates IPsec security associations, and establishes IPsec keys. IKE uses RFCs 2408, 2409,
2410, and 2412, and additionally implements the draft-ietf-ipsec-ikev2-16.txt draft.

Note The term IPsec is sometimes used to describe the entire protocol of IPsec data services and IKE security
protocols and is other times used to describe only the data services.

This chapter includes the following sections:

About IPsec
About IKE
IPsec Prerequisites
Using IPsec
IPsec Digital Certificate Support
Configuring IPsec Using FCIP Wizard
Manually Configuring IPsec and IKE
Optional IKE Parameter Configuration
Crypto IPv4-ACLs
IPsec Maintenance
Global Lifetime Values
Default Settings

About IPsec
Note IPsec is not supported by the Cisco Fabric Switch for HP c-Class BladeSystem and the Cisco Fabric
Switch for IBM BladeCenter.

IPsec provides security for transmission of sensitive information over unprotected networks such as the
Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating
IPsec devices (peers).
IPsec provides the following network security services. In general, the local security policy dictates the
use of one or more of these services between two participating IPsec devices:
Data confidentiality: The IPsec sender can encrypt packets before transmitting them across a
network.
Data integrity: The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that
the data has not been altered during transmission.
Data origin authentication: The IPsec receiver can authenticate the source of the IPsec packets sent.
This service is dependent upon the data integrity service.
Anti-replay protection: The IPsec receiver can detect and reject replayed packets.

Note The term data authentication is generally used to mean data integrity and data origin authentication.
Within this chapter it also includes anti-replay services, unless otherwise specified.

With IPsec, data can be transmitted across a public network without fear of observation, modification,
or spoofing. This enables applications such as Virtual Private Networks (VPNs), including intranets,
extranets, and remote user access.
IPsec as implemented in Cisco NX-OS software supports the Encapsulating Security Payload (ESP)
protocol. This protocol encapsulates the data to be protected and provides data privacy services, optional
data authentication, and optional anti-replay services.

Note The Encapsulating Security Payload (ESP) protocol is a header inserted into an existing TCP/IP packet,
the size of which depends on the actual encryption and authentication algorithms negotiated. To avoid
fragmentation, the encrypted packet fits into the interface maximum transmission unit (MTU). The path
MTU calculation for TCP takes into account the addition of ESP headers, plus the outer IP header in
tunnel mode, for encryption. The MDS switches allow 100 bytes for packet growth for IPsec encryption.

Note When using IPsec and IKE, each Gigabit Ethernet interface on the IPS module (either on 14+2 LC or
18+4 LC) must be configured in its own IP subnet. If multiple Gigabit Ethernet interfaces are
configured with an IP address or network mask in the same IP subnet, IKE packets may not be sent to the
right peer, and the IPsec tunnel will not come up.

Figure 44-1 shows different IPsec scenarios.

Figure 44-1 FCIP and iSCSI Scenarios Using MPS-14/2 Modules
[Figure labels: iSCSI servers, FC servers, MDS_Switch1, MDS_Switch 2, MDS_Switch 3, WAN; IPsec for securing iSCSI traffic, IPsec for securing FCIP traffic, IPsec for securing traffic between MDS and router. Legend: nonsecure connection, secure connection.]

About IKE
IKE automatically negotiates IPsec security associations and generates keys for all switches using the
IPsec feature. Specifically, IKE provides these benefits:
Allows you to refresh IPsec SAs.
Allows IPsec to provide anti-replay services.
Supports a manageable, scalable IPsec configuration.
Allows dynamic authentication of peers.

Note IKE is not supported on the Cisco Fabric Switch for HP c-Class BladeSystem and the Cisco Fabric
Switch for IBM BladeSystem.

IPsec Prerequisites
To use the IPsec feature, you need to perform the following tasks:
Obtain the ENTERPRISE_PKG license (see Chapter 10, Obtaining and Installing Licenses).
Configure IKE as described in the About IKE Initialization section on page 44-13.

Note The IPsec feature inserts new headers in existing packets (see the Configuring the MTU Frame Size
section on page 53-3 for more information).

Using IPsec
To use the IPsec feature, follow these steps:

Step 1 Obtain the ENTERPRISE_PKG license to enable IPsec for iSCSI and to enable IPsec for FCIP. See
Chapter 10, Obtaining and Installing Licenses.
Step 2 Configure IKE as described in the Manually Configuring IPsec and IKE section on page 44-13.

Note The IPsec feature inserts new headers in existing packets (see the Configuring the MTU Frame
Size section on page 53-3).

This section contains the following topics:

IPsec Compatibility
IPsec and IKE Terminology
Supported IPsec Transforms and Algorithms
Supported IKE Transforms and Algorithms

IPsec Compatibility
IPsec features are compatible with the following Cisco MDS 9000 Family hardware:
Cisco 18/4-port Multi-Service Module (MSM-18/4) modules and MDS 9222i Module-1 modules.
Cisco 14/2-port Multiprotocol Services (MPS-14/2) modules in Cisco MDS 9200 Switches or Cisco
MDS 9500 Directors
Cisco MDS 9216i Switch with the 14/2-port multiprotocol capability in the integrated supervisor
module. Refer to the Cisco MDS 9200 Series Hardware Installation Guide for more information on
the Cisco MDS 9216i Switch.
The IPsec feature is not supported on the management interface.
IPsec features are compatible with the following fabric setup:
Two connected Cisco MDS 9200 Switches or Cisco MDS 9500 Directors running Cisco MDS
SAN-OS Release 2.0(1b) or later, or Cisco NX-OS 4.1(1).
A Cisco MDS 9200 Switch or Cisco MDS 9500 Director running Cisco MDS SAN-OS Release
2.0(1b) or later, or Cisco NX-OS 4.1(1), connected to any IPsec compliant device.
The following features are not supported in the Cisco NX-OS implementation of the IPsec feature:
Authentication Header (AH).
Transport mode.

Security association bundling.


Manually configuring security associations.
Per host security association option in a crypto map.
Security association idle timeout
Dynamic crypto maps.

Note Any reference to crypto maps in this document refers only to static crypto maps.

IPsec and IKE Terminology


The terms used in this chapter are explained in this section.
Security association (SA): An agreement between two participating peers on the entries required
to encrypt and decrypt IP packets. Two SAs are required for each peer in each direction (inbound
and outbound) to establish bidirectional communication between the peers. Sets of bidirectional SA
records are stored in the SA database (SAD). IPsec uses IKE to negotiate and bring up SAs. Each
SA record includes the following information:
  Security parameter index (SPI): A number which, together with a destination IP address and
  security protocol, uniquely identifies a particular SA. When using IKE to establish the SAs, the
  SPI for each SA is a pseudo-randomly derived number.
  Peer: A switch or other device that participates in IPsec. For example, a Cisco MDS switch or
  other Cisco routers that support IPsec.
  Transform: A list of operations done to provide data authentication and data confidentiality.
  For example, one transform is the ESP protocol with the HMAC-MD5 authentication algorithm.
  Session key: The key used by the transform to provide security services.
  Lifetime: A lifetime counter (in seconds and bytes) is maintained from the time the SA is
  created. When the time limit expires the SA is no longer operational and, if required, is
  automatically renegotiated (rekeyed).
  Mode of operation: Two modes of operation are generally available for IPsec: tunnel mode and
  transport mode. The Cisco NX-OS implementation of IPsec only supports the tunnel mode. The
  IPsec tunnel mode encrypts and authenticates the IP packet, including its header. The gateways
  encrypt traffic on behalf of the hosts and subnets.
  The Cisco NX-OS implementation of IPsec does not support transport mode.

Note The term tunnel mode is different from the term tunnel, which is used to indicate a secure
communication path between two peers, such as two switches connected by an FCIP link.

Anti-replay: A security service where the receiver can reject old or duplicate packets to protect
itself against replay attacks. IPsec provides this optional service by use of a sequence number
combined with the use of data authentication.
Data authentication: Data authentication can refer either to integrity alone or to both integrity and
authentication (data origin authentication is dependent on data integrity).
  Data integrity: Verifies that data has not been altered.
  Data origin authentication: Verifies that the data was actually sent by the claimed sender.

Data confidentiality: A security service where the protected data cannot be observed.
Data flow: A grouping of traffic, identified by a combination of source address and mask or prefix,
destination address mask or prefix length, IP next protocol field, and source and destination ports,
where the protocol and port fields can have any of these values. Traffic matching a specific
combination of these values is logically grouped together into a data flow. A data flow can represent
a single TCP connection between two hosts, or it can represent traffic between two subnets. IPsec
protection is applied to data flows.
Perfect forward secrecy (PFS): A cryptographic characteristic associated with a derived shared
secret value. With PFS, if one key is compromised, previous and subsequent keys are not
compromised, because subsequent keys are not derived from previous keys.
Security Policy Database (SPD): An ordered list of policies applied to traffic. A policy decides if
a packet requires IPsec processing, if it should be allowed in clear text, or if it should be dropped.
  The IPsec SPDs are derived from user configuration of crypto maps.
  The IKE SPD is configured by the user.

Supported IPsec Transforms and Algorithms


The component technologies implemented for IPsec include the following transforms:
Advanced Encryption Standard (AES) is an encryption algorithm. It implements either 128-bit or 256-bit
keys using Cipher Block Chaining (CBC) or counter mode.
Data Encryption Standard (DES) is used to encrypt packet data and implements the mandatory
56-bit DES-CBC. CBC requires an initialization vector (IV) to start encryption. The IV is explicitly
given in the IPsec packet.
Triple DES (3DES) is a stronger form of DES with 168-bit encryption keys that allow sensitive
information to be transmitted over untrusted networks.

Note Cisco NX-OS images with strong encryption are subject to United States government export
controls, and have a limited distribution. Images to be installed outside the United States require
an export license. Customer orders might be denied or subject to delay due to United States
government regulations. Contact your sales representative or distributor for more information,
or send e-mail to [email protected].

Message Digest 5 (MD5) is a hash algorithm with the HMAC variant. HMAC is a keyed hash variant
used to authenticate data.
Secure Hash Algorithm (SHA-1) is a hash algorithm with the Hash Message Authentication Code
(HMAC) variant.
AES-XCBC-MAC is a Message Authentication Code (MAC) using the AES algorithm.

Supported IKE Transforms and Algorithms


The component technologies implemented for IKE include the following transforms:
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a
shared secret over an unsecure communications channel. Diffie-Hellman is used within IKE to
establish session keys. Group 1 (768-bit), Group 2 (1024-bit), and Group 5 (1536-bit) are supported.

Advanced Encryption Standard (AES) is an encryption algorithm. It implements 128 bits using either
Cipher Block Chaining (CBC) or counter mode.
Data Encryption Standard (DES) is used to encrypt packet data and implements the mandatory
56-bit DES-CBC. CBC requires an initialization vector (IV) to start encryption. The IV is explicitly
given in the IPsec packet.
Triple DES (3DES) is a stronger form of DES with 168-bit encryption keys that allow sensitive
information to be transmitted over untrusted networks.

Note Cisco NX-OS images with strong encryption are subject to United States government export
controls, and have a limited distribution. Images to be installed outside the United States require
an export license. Customer orders might be denied or subject to delay due to United States
government regulations. Contact your sales representative or distributor for more information,
or send e-mail to [email protected].

Message Digest 5 (MD5) is a hash algorithm with the HMAC variant. HMAC is a keyed hash variant
used to authenticate data.
Secure Hash Algorithm (SHA-1) is a hash algorithm with the Hash Message Authentication Code
(HMAC) variant.
The switch authentication algorithm uses the preshared keys based on the IP address (see Setting
the Default RADIUS Server Timeout Interval and Retransmits section on page 41-9 for more
information on preshared keys).

IPsec Digital Certificate Support


This section describes the advantages of using certificate authorities (CAs) and digital certificates for
authentication.
For more information on CAs and digital certificates, see Chapter 43, Configuring Certificate
Authorities and Digital Certificates.

Implementing IPsec Without CAs and Digital Certificates


Without a CA and digital certificates, enabling IPsec services (such as encryption) between two Cisco
MDS switches requires that each switch has the key of the other switch (such as an RSA public key or
a shared key). You must manually specify either the RSA public keys or preshared keys on each switch
in the fabric using IPsec services. Also, each new device added to the fabric will require manual
configuration of the other switches in the fabric to support secure communication.
In Figure 44-2, each switch uses the key of the other switch to authenticate the identity of the other
switch; this authentication always occurs when IPsec traffic is exchanged between the two switches.
If you have multiple Cisco MDS switches in a mesh topology and wish to exchange IPsec traffic passing
among all of those switches, you must first configure shared keys or RSA public keys among all of those
switches.

Figure 44-2 Two IPsec Switches Without CAs and Digital Certificates
[Figure labels: cleartext data on each side of the two switches, encrypted data between them.]

Every time a new switch is added to the IPsec network, you must configure keys between the new switch
and each of the existing switches. (In Figure 44-3, four additional two-part key configurations are
required to add a single encrypting switch to the network.)
Consequently, the more devices that require IPsec services, the more involved the key administration
becomes. This approach does not scale well for larger, more complex encrypting networks.

Figure 44-3 Four IPsec Switches Without a CA and Digital Certificates



Implementing IPsec with CAs and Digital Certificates


With CA and digital certificates, you do not have to configure keys between all the encrypting switches.
Instead, you individually enroll each participating switch with the CA, requesting a certificate for the
switch. When this has been accomplished, each participating switch can dynamically authenticate all the
other participating switches. When two devices want to communicate, they exchange certificates and
digitally sign data to authenticate each other. When a new device is added to the network, you simply
enroll that device with a CA, and none of the other devices needs modification. When the new device
attempts an IPsec connection, certificates are automatically exchanged and the device can be
authenticated.
Figure 44-4 shows the process of dynamically authenticating the devices.

Figure 44-4 Dynamically Authenticating Devices with a CA
[Figure label: certificate authority.]

To add a new IPsec switch to the network, you need only configure that new switch to request a
certificate from the CA, instead of making multiple key configurations with all the other existing IPsec
switches.

How CA Certificates Are Used by IPsec Devices


When two IPsec switches want to exchange IPsec-protected traffic passing between them, they must first
authenticate each other; otherwise, IPsec protection cannot occur. The authentication is done with IKE.
IKE can use two methods to authenticate the switches: preshared keys without a CA, and RSA
key-pairs with a CA. Both methods require that keys be preconfigured between the two switches.
Without a CA, a switch authenticates itself to the remote switch using either RSA-encrypted preshared
keys.
With a CA, a switch authenticates itself to the remote switch by sending a certificate to the remote switch
and performing some public key cryptography. Each switch must send its own unique certificate that was
issued and validated by the CA. This process works because the certificate of each switch encapsulates
the public key of the switch, each certificate is authenticated by the CA, and all participating switches
recognize the CA as an authenticating authority. This scheme is called IKE with an RSA signature.
Your switch can continue sending its own certificate for multiple IPsec sessions, and to multiple IPsec
peers until the certificate expires. When the certificate expires, the switch administrator must obtain a
new one from the CA.
CAs can also revoke certificates for devices that will no longer participate in IPsec. Revoked certificates
are not recognized as valid by other IPsec devices. Revoked certificates are listed in a certificate
revocation list (CRL), which each peer may check before accepting a certificate from another peer.
Certificate support for IKE has the following considerations:
The switch FQDN (host name and domain name) must be configured before installing certificates
for IKE.
Only those certificates that are configured for IKE or general usage are used by IKE.
The first IKE or general usage certificate configured on the switch is used as the default certificate
by IKE.
The default certificate is for all IKE peers unless the peer specifies another certificate.

If the peer asks for a certificate which is signed by a CA that it trusts, then IKE uses that certificate,
if it exists on the switch, even if it is not the default certificate.
If the default certificate is deleted, the next IKE or general usage certificate, if any exists, is used by
IKE as the default certificate.
Certificate chaining is not supported by IKE.
IKE only sends the identity certificate, not the entire CA chain. For the certificate to be verified on
the peer, the same CA chain must also exist there.

Configuring IPsec Using FCIP Wizard


Fabric Manager simplifies the configuration of IPsec and IKE by enabling and configuring these features
as part of the FCIP configuration using the FCIP Wizard. See the Using the FCIP Wizard section on
page 48-8.
To enable IPsec using the FCIP Wizard in Fabric Manager, follow these steps:

Step 1 Click the FCIP Wizard icon in the toolbar.

Figure 44-5 FCIP Wizard

Step 2 Choose the switches that act as endpoints for the FCIP link and click Next.

Note These switches must have MPS-14/2 modules installed to configure IPsec on this FCIP link.

Step 3 Choose the Gigabit Ethernet ports on each MPS-14/2 module that will form the FCIP link.
Step 4 Check the Enforce IPSEC Security check box and set IKE Auth Key (see Figure 44-6).

Figure 44-6 Enabling IPsec on an FCIP Link

Step 5 Click Next. In the Specify Tunnel Properties dialog, you see the TCP connection characteristics.
Step 6 Set the minimum and maximum bandwidth settings and round-trip time for the TCP connections on this
FCIP link. Click the Measure button to measure the round-trip time between the Gigabit Ethernet
endpoints.
Step 7 Check the Enable Write Acceleration check box to enable FCIP write acceleration on this FCIP link.
See the FCIP Write Acceleration section on page 48-29.
Step 8 Check the Enable Optimum Compression check box to enable IP compression on this FCIP link. See
the FCIP Compression section on page 48-37.
Step 9 Click Next to configure the FCIP tunnel parameters.
Step 10 Set the Port VSAN for nontrunk/auto and allowed VSAN list for the trunk tunnel. Choose a Trunk Mode
for this FCIP link. See the Checking Trunk Status section on page 48-17.
Step 11 Click Finish to create this FCIP link or click Cancel to exit the FCIP Wizard without creating an FCIP
link.

To verify that IPsec and IKE are enabled using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IPSEC in the Physical Attributes pane.
You see the IPsec configuration in the Information pane in Figure 44-7.

Figure 44-7 IPSec Configuration

Step 2 The Control tab is the default. Verify that the switches you want to modify for IPSec are enabled in the
Status column.
Step 3 Expand Switches > Security and then select IKE in the Physical Attributes pane.
You see the IKE configuration in the Information pane shown in Figure 44-8.

Figure 44-8 IKE Configuration

Step 4 The Control tab is the default. Verify that the switches you want to modify for IKE are enabled in the
Status column.

Manually Configuring IPsec and IKE


This section describes how to manually configure IPsec and IKE if you are not using the FCIP Wizard.
See Configuring IPsec Using FCIP Wizard, page 44-10.
IPsec provides secure data flows between participating peers. Multiple IPsec data flows can exist
between two peers to secure different data flows, with each tunnel using a separate set of SAs.
After you have completed IKE configuration, configure IPsec.
To configure IPsec in each participating IPsec peer, follow these steps:

Step 1 Identify the peers for the traffic to which secure tunnels should be established.
Step 2 Configure the transform set with the required protocols and algorithms.
Step 3 Create the crypto map and apply access control lists (IPv4-ACLs), transform sets, peers, and lifetime
values as applicable.
Step 4 Apply the crypto map to the required interface.

This section contains the following topics:

About IKE Initialization
About the IKE Domain
About IKE Tunnels
About IKE Policy Negotiation
Configuring an IKE Policy

About IKE Initialization


The IKE feature must first be enabled and configured so the IPsec feature can establish data flow with
the required peer. Fabric Manager initializes IKE when you first configure it.
You cannot disable IKE if IPsec is enabled. If you disable the IKE feature, the IKE configuration is
cleared from the running configuration.

About the IKE Domain


You must apply the IKE configuration to an IPsec domain to allow traffic to reach the supervisor module
in the local switch. Fabric Manager sets the IPsec domain automatically when you configure IKE.

About IKE Tunnels


An IKE tunnel is a secure IKE session between two endpoints. IKE creates this tunnel to protect IKE
messages used in IPsec SA negotiations.
Two versions of IKE are used in the Cisco NX-OS implementation.
IKE version 1 (IKEv1) is implemented using RFC 2407, 2408, 2409, and 2412.

IKE version 2 (IKEv2) is a simplified and more efficient version and does not interoperate with
IKEv1. IKEv2 is implemented using the draft-ietf-ipsec-ikev2-16.txt draft.

About IKE Policy Negotiation


To protect IKE negotiations, each IKE negotiation begins with a common (shared) IKE policy. An IKE
policy defines a combination of security parameters to be used during the IKE negotiation. By default,
no IKE policy is configured. You must create IKE policies at each peer. This policy states which security
parameters will be used to protect subsequent IKE negotiations and mandates how peers are
authenticated. You can create multiple, prioritized policies at each peer to ensure that at least one policy
will match a remote peer's policy.
You can configure the policy based on the encryption algorithm (DES, 3DES, or AES), the hash
algorithm (SHA or MD5), and the DH group (1, 2, or 5). Each policy can contain a different combination
of parameter values. A unique priority number identifies the configured policy. This number ranges from
1 (highest priority) to 255 (lowest priority). You can create multiple policies in a switch. If you need to
connect to a remote peer, you must ascertain that at least one policy in the local switch contains the
identical parameter values configured in the remote peer. If several policies have identical parameter
configurations, the policy with the lowest number is selected.
Table 44-1 provides a list of allowed transform combinations.

Table 44-1 IKE Transform Configuration Parameters

Parameter              Accepted Values        Keyword           Default Value
encryption algorithm   56-bit DES-CBC         des               3des
                       168-bit DES            3des
                       128-bit AES            aes
hash algorithm         SHA-1 (HMAC variant)   sha               sha
                       MD5 (HMAC variant)     md5
authentication method  Preshared keys         Not configurable  Preshared keys
DH group identifier    768-bit DH             1                 1
                       1024-bit DH            2
                       1536-bit DH            5

The following table lists the supported and verified settings for IPsec and IKE encryption and
authentication algorithms on the Microsoft Windows and Linux platforms:

Platform                          IKE                     IPsec
Microsoft iSCSI initiator,        3DES, SHA-1 or MD5,     3DES, SHA-1
Microsoft IPsec implementation    DH group 2
on Microsoft Windows 2000
platform
Cisco iSCSI initiator,            3DES, MD5, DH group 1   3DES, MD5
Free Swan IPsec implementation
on Linux platform


Note When you configure the hash algorithm, the corresponding HMAC version is used as the authentication
algorithm.

When the IKE negotiation begins, IKE looks for an IKE policy that is the same on both peers. The peer
that initiates the negotiation will send all its policies to the remote peer, and the remote peer will try to
find a match. The remote peer looks for a match by comparing its own highest priority policy against the
other peer's received policies. The remote peer checks each of its policies in order of its priority (highest
priority first) until a match is found.
A match is found when the two peers have the same encryption, hash algorithm, authentication
algorithm, and DH group values. If a match is found, IKE completes the security negotiation and the
IPsec SAs are created.
If an acceptable match is not found, IKE refuses negotiation and the IPsec data flows will not be
established.
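
The matching procedure described above, modeled in Python as an added example (not Cisco code). The IkePolicy class, the negotiate and legacy_parameters helpers, and the set of values flagged as legacy are assumptions of this example; keywords, defaults, and ranges come from Table 44-1 and the surrounding text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Accepted keywords from Table 44-1 ("rsa-sig" appears in the guide's note on
# certificate authentication).
ENCRYPTION = ("des", "3des", "aes")
HASHES = ("sha", "md5")
AUTH = ("preshared", "rsa-sig")
DH_GROUPS = (1, 2, 5)

# Assumption of this example, not a rule from the guide: values an auditor
# would normally flag as legacy (56-bit DES, MD5, 768-bit DH).
LEGACY = {"encryption": {"des"}, "hash_alg": {"md5"}, "dh_group": {1}}


@dataclass(frozen=True)
class IkePolicy:
    priority: int                 # 1 (highest priority) .. 255 (lowest)
    encryption: str = "3des"      # defaults follow Table 44-1
    hash_alg: str = "sha"
    auth: str = "preshared"
    dh_group: int = 1
    lifetime: int = 86400         # seconds; not part of the match

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 255:
            raise ValueError("priority must be 1..255")
        if not 600 <= self.lifetime <= 86400:
            raise ValueError("lifetime must be 600..86400 seconds")
        if (self.encryption not in ENCRYPTION or self.hash_alg not in HASHES
                or self.auth not in AUTH or self.dh_group not in DH_GROUPS):
            raise ValueError(f"unsupported value in policy {self.priority}")

    def transform(self) -> Tuple[str, str, str, int]:
        """The four values that must be identical on both peers."""
        return (self.encryption, self.hash_alg, self.auth, self.dh_group)


def negotiate(offered: List[IkePolicy],
              local: List[IkePolicy]) -> Optional[Tuple[IkePolicy, IkePolicy]]:
    """Responder side: walk the local policies, highest priority first, and
    return (local policy, matching offered policy), or None if IKE refuses."""
    for mine in sorted(local, key=lambda p: p.priority):
        matches = [p for p in offered if p.transform() == mine.transform()]
        if matches:
            # Identical parameter sets: the lowest policy number is selected.
            return mine, min(matches, key=lambda p: p.priority)
    return None


def legacy_parameters(policy: IkePolicy) -> List[str]:
    """Names of the fields whose value is in the LEGACY set."""
    return [name for name, weak in LEGACY.items()
            if getattr(policy, name) in weak]


if __name__ == "__main__":
    # Constructed sample policies for two peers.
    initiator = [IkePolicy(10, "aes", "sha", dh_group=5),
                 IkePolicy(20, "3des", "md5", dh_group=1)]
    responder = [IkePolicy(1, "3des", "sha", dh_group=2),
                 IkePolicy(5, "3des", "md5", dh_group=1),
                 IkePolicy(9, "aes", "sha", dh_group=5)]
    result = negotiate(initiator, responder)
    if result is None:
        print("no common IKE policy: negotiation refused")
    else:
        mine, theirs = result
        print("matched local policy", mine.priority,
              "with offered policy", theirs.priority,
              "legacy fields:", legacy_parameters(mine))
```

Because the responder walks its own priorities, a weaker combination at a higher-priority slot on the responder is selected even when the initiator also offers a stronger one that the responder supports.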

Configuring an IKE Policy


To configure the IKE policy negotiation parameters using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IKE.


You see the IKE configuration in the Information pane in Figure 44-9.

Figure 44-9 IKE Configuration

Step 2 Click the Policies tab.


You see the existing IKE policies in the Information pane.
Step 3 Click Create Row to create an IKE policy.
You see the Create Policy dialog box shown in Figure 44-10.


Figure 44-10 Create IKE

Step 4 Enter the Priority for this switch. You can enter a value from one through 255, one being the highest.
Step 5 Select appropriate values for the encryption, hash, authentication, and DHGroup fields.
Step 6 Enter the lifetime for the policy. You can enter a lifetime from 600 to 86400 seconds.
Step 7 Click Create to create this policy, or click Close to discard any unsaved changes.

Note When the authentication method is rsa-sig, make sure the identity hostname is configured for IKE
because the IKE certificate has a subject name of the FQDN type.

Optional IKE Parameter Configuration


You can optionally configure the following parameters for the IKE feature:
- The lifetime association within each policy: The lifetime ranges from 600 to 86,400 seconds. The
  default is 86,400 seconds (equals one day). The lifetime association within each policy is configured
  when you are creating an IKE policy. See the "Configuring an IKE Policy" section on page 44-15.
- The keepalive time for each peer if you use IKEv2: The keepalive ranges from 120 to 86,400
  seconds. The default is 3,600 seconds (equals one hour).
- The initiator version for each peer: IKE v1 or IKE v2 (default). Your choice of initiator version
  does not affect interoperability when the remote device initiates the negotiation. Configure this
  option if the peer device supports IKEv1 and you can play the initiator role for IKE with the
  specified device. Use the following considerations when configuring the initiator version with FCIP
  tunnels:
  - If the switches on both sides of an FCIP tunnel are running MDS SAN-OS Release 3.0(1) or
    later, or Cisco NX-OS 4.1(1), you must configure initiator version IKEv1 on both sides of an
    FCIP tunnel to use only IKEv1. If one side of an FCIP tunnel is using IKEv1 and the other side
    is using IKEv2, the FCIP tunnel uses IKEv2.
  - If the switch on one side of an FCIP tunnel is running MDS SAN-OS Release 3.0(1) or later, or
    Cisco NX-OS 4.1(1b) and the switch on the other side of the FCIP tunnel is running MDS
    SAN-OS Release 2.x, configuring IKEv1 on either side (or both) results in the FCIP tunnel
    using IKEv1.


Note Only IKE v1 is supported to build IPsec between 2.x and 3.x MDS switches.

Caution You may need to configure the initiator version even when the switch does not behave as an
IKE initiator under normal circumstances. Always using this option guarantees a faster
recovery of traffic flows in case of failures.

Tip The keepalive time only applies to IKEv2 peers and not to all peers.

Note When IPsec implementations in the host prefer to initiate the IPsec rekey, be sure to configure the IPsec
lifetime value in the Cisco MDS switch to be higher than the lifetime value in the host.

This section includes the following topics:
- Configuring the Keepalive Time for a Peer
- Configuring the Initiator Version
- Clearing IKE Tunnels or Domains
- Refreshing SAs

Configuring the Keepalive Time for a Peer

To configure the keepalive time for each peer using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IKE.


You see the IKE configuration in the Information pane (see Figure 44-11).


Figure 44-11 IKE Configuration

Step 2 Select the Global tab.


You see the global statistics of a specific IKE protocol in the Information pane (see Figure 44-12).

Figure 44-12 IKE Global Tab Information

Step 3 Enter a value (in seconds) in the KeepAliveInterval (sec) field. The keepalive interval in seconds is
used by the IKE entity on the managed device with all the peers for the DOI corresponding to this
conceptual row.
Step 4 Click Apply Changes to save your changes.

Configuring the Initiator Version


To configure the initiator version using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IKE.


You see the IKE configuration in the Information pane (see Figure 44-13).

Figure 44-13 IKE Configuration

Step 2 Select the Initiator Version tab.


You see the existing initiator versions for the peers in the Information pane.
Step 3 Click Create Row to create an initiator version.
You see the Create Initiator Version dialog box shown in Figure 44-14.

Figure 44-14 Create Initiator Version Dialog Box

Step 4 Select the Switches for the remote peer for which this IKE protocol initiator is configured.
Step 5 Enter the IP address of the remote peer.
IKEv1 represents the IKE protocol version used when connecting to a remote peer.


Step 6 Click Create to create this initiator version or click Close to discard any unsaved changes.

Clearing IKE Tunnels or Domains


If an IKE tunnel ID is not specified for the IKE configuration, you can clear all existing IKE domain
connections.
To clear all the IKE Tunnels or Domains using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IKE in the Physical Attributes pane.
You see the IKE configuration in the Information pane (see Figure 44-15).

Figure 44-15 IKE Configuration

Step 2 Click the Tunnels tab in the Information pane.


You see the IKE tunnels.
Step 3 Click the Action column and select Clear to clear the tunnel.

Refreshing SAs
To refresh the SAs after changing the IKEv2 configuration using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IKE in the Physical Attributes pane.
You see the IKE configuration shown in Figure 44-16.


Figure 44-16 IKE Configuration

Step 2 Click the Pre-Shared AuthKey tab in the Information pane.


Step 3 Click Refresh Values.

Crypto IPv4-ACLs
IP access control lists (IPv4-ACLs) provide basic network security to all switches in the Cisco MDS
9000 Family. IPv4-ACLs restrict IP-related traffic based on the configured IP filters. See Chapter 42,
"Configuring IPv4 and IPv6 Access Control Lists," for details on creating and defining IPv4-ACLs.
In the context of crypto maps, IPv4-ACLs are different from regular IPv4-ACLs. Regular IPv4-ACLs
determine what traffic to forward or block at an interface. Crypto IPv4-ACLs instead select the traffic
that IPsec protects. For example, crypto IPv4-ACLs can be created to protect all IP traffic between
subnet A and subnet Y or Telnet traffic between host A and host B.
This section contains the following topics:
- About Crypto IPv4-ACLs
- Creating Crypto IPv4-ACLs
- About Transform Sets in IPsec
- Configuring Transform Sets
- About Crypto Map Entries
- Creating Crypto Map Entries
- About SA Lifetime Negotiation
- Setting the SA Lifetime
- About the AutoPeer Option
- Configuring the AutoPeer Option
- About Perfect Forward Secrecy
- Configuring Perfect Forward Secrecy
- About Crypto Map Set Application
- Applying a Crypto Map Set

About Crypto IPv4-ACLs


Crypto IPv4-ACLs are used to define which IP traffic requires crypto protection and which traffic does
not.
Crypto IPv4-ACLs associated with IPsec crypto map entries have four primary functions:
- Select outbound traffic to be protected by IPsec (permit = protect).
- Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when
  initiating negotiations for IPsec SAs.
- Process inbound traffic to filter out and discard traffic that should have been protected by IPsec.
- Determine whether or not to accept requests for IPsec SAs on behalf of the requested data flows
  when processing IKE negotiation from the IPsec peer.

Tip If you want some traffic to receive one type of IPsec protection (for example, encryption only) and other
traffic to receive a different type of IPsec protection (for example, both authentication and encryption),
create two IPv4-ACLs. Use both IPv4-ACLs in different crypto maps to specify different IPsec policies.

Note IPsec does not support IPv6-ACLs.

Crypto IPv4-ACL Guidelines


Follow these guidelines when configuring IPv4-ACLs for the IPsec feature:
- The Cisco NX-OS software only allows name-based IPv4-ACLs.
- When an IPv4-ACL is applied to a crypto map, the following options apply:
  - Permit: Applies the IPsec feature to the traffic.
  - Deny: Allows clear text (default).

  Note IKE traffic (UDP port 500) is implicitly transmitted in clear text.

- The IPsec feature only considers the source and destination IPv4 addresses and subnet masks,
  protocol, and single port number. There is no support for IPv6 in IPsec.

  Note The IPsec feature does not support port number ranges and ignores the higher port number field,
  if specified.

- The permit option causes all IP traffic that matches the specified conditions to be protected by
  crypto, using the policy described by the corresponding crypto map entry.
- The deny option prevents traffic from being protected by crypto. The first deny statement causes the
  traffic to be in clear text.
- The crypto IPv4-ACL you define is applied to an interface after you define the corresponding crypto
  map entry and apply the crypto map set to the interface.
- Different IPv4-ACLs must be used in different entries of the same crypto map set.
- Inbound and outbound traffic is evaluated against the same outbound IPv4-ACL. Therefore, the
  IPv4-ACL's criteria are applied in the forward direction to traffic exiting your switch, and the reverse
  direction to traffic entering your switch.
- Each IPv4-ACL filter assigned to the crypto map entry is equivalent to one security policy entry. The
  IPsec feature supports up to 120 security policy entries for each MPS-14/2 module and Cisco MDS
  9216i Switch.
- In Figure 44-17, IPsec protection is applied to traffic between switch interface S0 (IPv4 address
  10.0.0.1) and switch interface S1 (IPv4 address 20.0.0.2) as the data exits switch A's S0 interface
  en route to switch interface S1. For traffic from 10.0.0.1 to 20.0.0.2, the IPv4-ACL entry on switch
  A is evaluated as follows:
  - source = IPv4 address 10.0.0.1
  - dest = IPv4 address 20.0.0.2
  For traffic from 20.0.0.2 to 10.0.0.1, that same IPv4-ACL entry on switch A is evaluated as follows:
  - source = IPv4 address 20.0.0.2
  - dest = IPv4 address 10.0.0.1

Figure 44-17 IPsec Processing of Crypto IPv4-ACLs

[Figure: IPSec peers MDS_Switch A (interface S0) and MDS_Switch N (interface S1) connected across the Internet.]

IPSec access list at S0:
access-list S0 permit ip 10.0.0.1 0.0.0.255 20.0.0.2 0.0.0.255

IPSec access list at S1:
access-list S1 permit ip 20.0.0.2 0.0.0.255 10.0.0.1 0.0.0.255

Traffic exchanged between 10.0.0.1 and 20.0.0.2 is protected.

- If you configure multiple statements for a given crypto IPv4-ACL that is used for IPsec, the first
  permit statement that is matched is used to determine the scope of the IPsec SA. Later, if traffic
  matches a different permit statement of the crypto IPv4-ACL, a new, separate IPsec SA is negotiated
  to protect traffic matching the newly matched IPv4-ACL statement.
- Unprotected inbound traffic that matches a permit entry in the crypto IPv4-ACL for a crypto map
  entry flagged as IPsec is dropped, because this traffic was expected to be protected by IPsec.
- For IPsec to interoperate effectively with Microsoft iSCSI initiators, specify the TCP protocol and
  the local iSCSI TCP port number (default 3260) in the IPv4-ACL. This configuration ensures the
  speedy recovery of encrypted iSCSI sessions following disruptions such as Gigabit Ethernet
  interface shutdowns, VRRP switchovers, and port failures.

Mirror Image Crypto IPv4-ACLs


For every crypto IPv4-ACL specified for a crypto map entry defined at the local peer, define a mirror
image crypto IPv4-ACL at the remote peer. This configuration ensures that IPsec traffic applied locally
can be processed correctly at the remote peer.

Tip The crypto map entries themselves must also support common transforms and must refer to the other
system as a peer.

Figure 44-18 shows some sample scenarios with and without mirror image IPv4-ACLs.

Figure 44-18 IPsec Processing of Mirror Image Configuration

[Figure: Subnet X with Switch M (interface S0), the Internet, Router N (interface S1), and Subnet Y with Host B and Host C.]

Case    IPSec access list at S0            IPSec access list at S1            1st packet                   Result
Case 1  permits Switch M -> Host B         permits Host B -> Switch M         M -> B or B -> M             SAs established for traffic M <-> B (good)
Case 2  permits Subnet X -> Subnet Y       permits Subnet Y -> Subnet X       M -> B or B -> M or M -> C   SAs established for traffic X <-> Y (good)
Case 3  permits Switch M -> Host B         permits Subnet Y -> Subnet X       M -> B                       SAs established for traffic M <-> B (good)
Case 4  permits Switch M -> Host B         permits Subnet Y -> Subnet X       B -> M                       SAs cannot be established and packets from Host B to Switch M are dropped (bad)

Cases 1 and 2 use mirror image access lists at Switch M S0 and Router N S1.

As Figure 44-18 indicates, IPsec SAs can be established as expected whenever the two peers' crypto
IPv4-ACLs are mirror images of each other. However, an IPsec SA can be established only some of the
time when the IPv4-ACLs are not mirror images of each other. This can happen in the case when an entry
in one peer's IPv4-ACL is a subset of an entry in the other peer's IPv4-ACL, such as shown in cases 3
and 4 of Figure 44-18. IPsec SA establishment is critical to IPsec. Without SAs, IPsec does not work,
causing any packets matching the crypto IPv4-ACL criteria to be silently dropped instead of being
forwarded with IPsec security.


In case 4, an SA cannot be established because SAs are always requested according to the crypto
IPv4-ACLs at the initiating packet's end. In case 4, router N requests that all traffic between subnet X
and subnet Y be protected, but this is a superset of the specific flows permitted by the crypto IPv4-ACL
at switch M so the request is not permitted. Case 3 works because switch M's request is a subset of the
specific flows permitted by the crypto IPv4-ACL at router N.
Because of the complexities introduced when crypto IPv4-ACLs are not configured as mirror images at
peer IPsec devices, we strongly encourage you to use mirror image crypto IPv4-ACLs.
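
The four cases of Figure 44-18, worked through in Python as an added example (not Cisco code). The Flow type, the helper names, and the addresses chosen for Switch M, Host B, Host C, and the two subnets are assumptions of this example; the accept rule is the one stated above: the responder accepts a request only if it falls within a flow its own crypto IPv4-ACL permits.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Flow(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Turn 'address wildcard-mask' (as in Figure 44-17) into a network."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    if host_bits & (host_bits + 1):          # must look like 0...01...1
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network((addr, 32 - host_bits.bit_length()), strict=False)


def permit(src: str, src_wc: str, dst: str, dst_wc: str) -> Flow:
    return Flow(net(src, src_wc), net(dst, dst_wc))


def mirror(flow: Flow) -> Flow:
    return Flow(flow.dst, flow.src)


def is_mirror_image(local_acl: List[Flow], remote_acl: List[Flow]) -> bool:
    return set(local_acl) == {mirror(f) for f in remote_acl}


def covers(entry: Flow, flow: Flow) -> bool:
    """True if flow lies inside the traffic selected by entry."""
    return flow.src.subnet_of(entry.src) and flow.dst.subnet_of(entry.dst)


def negotiate(initiator_acl: List[Flow], responder_acl: List[Flow],
              src: str, dst: str) -> Optional[Flow]:
    """Return the flow the SA protects, or None if no SA is established.

    The initiator requests the whole permit entry matched by the first
    packet; the responder checks that request, seen from its own side,
    against its permit entries.
    """
    packet = Flow(net(src), net(dst))
    proposal = next((e for e in initiator_acl if covers(e, packet)), None)
    if proposal is None:
        return None                          # packet not selected for IPsec
    wanted = mirror(proposal)
    return proposal if any(covers(e, wanted) for e in responder_acl) else None


# Constructed addressing for the figure: Switch M in Subnet X,
# Host B and Host C in Subnet Y.
M, B, C = "10.0.0.1", "20.0.0.2", "20.0.0.3"
HOST, SUBNET = "0.0.0.0", "0.0.0.255"
M_HOST_ACL = [permit(M, HOST, B, HOST)]                        # M -> B
N_HOST_ACL = [permit(B, HOST, M, HOST)]                        # B -> M
M_SUBNET_ACL = [permit("10.0.0.0", SUBNET, "20.0.0.0", SUBNET)]  # X -> Y
N_SUBNET_ACL = [permit("20.0.0.0", SUBNET, "10.0.0.0", SUBNET)]  # Y -> X

if __name__ == "__main__":
    cases = [
        ("Case 1", M_HOST_ACL, N_HOST_ACL, M, B),
        ("Case 2", M_SUBNET_ACL, N_SUBNET_ACL, M, C),
        ("Case 3", M_HOST_ACL, N_SUBNET_ACL, M, B),
        ("Case 4", N_SUBNET_ACL, M_HOST_ACL, B, M),   # Router N initiates
    ]
    for name, initiator, responder, src, dst in cases:
        sa = negotiate(initiator, responder, src, dst)
        print(name, "mirror image:", is_mirror_image(initiator, responder),
              "SA:", f"{sa.src} <-> {sa.dst}" if sa else "none, packets dropped")
```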

The any Keyword in Crypto IPv4-ACLs

Tip We recommend that you configure mirror image crypto IPv4-ACLs for use by IPsec and that you avoid
using the any option.

The any keyword in a permit statement is discouraged when you have multicast traffic flowing through
the IPsec interface. This configuration can cause multicast traffic to fail.
The permit any statement causes all outbound traffic to be protected (and all protected traffic sent to the
peer specified in the corresponding crypto map entry) and requires protection for all inbound traffic.
Then, all inbound packets that lack IPsec protection are silently dropped, including packets for routing
protocols, NTP, echo, echo response, and so forth.
You need to be sure you define which packets to protect. If you must use any in a permit statement, you
must preface that statement with a series of deny statements to filter out any traffic (that would otherwise
fall within that permit statement) that you do not want to be protected.
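
The effect of permit any on unprotected inbound traffic, and of the preceding deny statements the text calls for, as an added Python example (not Cisco code). Rule, Packet, the helper names, the addresses, and the choice to match a rule's single port against the packet's service port in both directions are assumptions of this example.

```python
import ipaddress
from typing import List, NamedTuple, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


class Rule(NamedTuple):
    action: str                       # "permit" (protect) or "deny" (clear text)
    proto: str                        # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None        # single port only; ranges are unsupported


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    port: Optional[int] = None        # service port, e.g. 123 for NTP


def first_match(acl: List[Rule], proto: str, src: str, dst: str,
                port: Optional[int]) -> Optional[str]:
    """Action of the first rule that matches, or None (treated as deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if (rule.proto in ("ip", proto) and s in rule.src and d in rule.dst
                and rule.port in (None, port)):
            return rule.action
    return None


def is_ike(pkt: Packet) -> bool:
    # IKE traffic (UDP port 500) is implicitly sent in clear text.
    return pkt.proto == "udp" and pkt.port == 500


def outbound(acl: List[Rule], pkt: Packet) -> str:
    """Forward-direction evaluation for traffic leaving the switch."""
    if is_ike(pkt):
        return "clear"
    hit = first_match(acl, pkt.proto, pkt.src, pkt.dst, pkt.port)
    return "protect" if hit == "permit" else "clear"


def inbound_unprotected(acl: List[Rule], pkt: Packet) -> str:
    """A packet arrived without IPsec: the same ACL is applied in reverse."""
    if is_ike(pkt):
        return "accept"
    hit = first_match(acl, pkt.proto, pkt.dst, pkt.src, pkt.port)
    return "drop" if hit == "permit" else "accept"


# Constructed ACLs: a bare permit any, and the same permit prefaced by denies.
PERMIT_ANY = [Rule("permit", "ip", ANY, ANY)]
FILTERED = [Rule("deny", "udp", ANY, ANY, 123),     # NTP stays in clear text
            Rule("deny", "icmp", ANY, ANY),         # echo / echo response
            Rule("permit", "ip", ANY, ANY)]

# Constructed inbound packets addressed to the switch at 10.0.0.1.
NTP_REPLY = Packet("udp", "20.0.0.50", "10.0.0.1", 123)
ECHO = Packet("icmp", "20.0.0.2", "10.0.0.1")
ISCSI = Packet("tcp", "20.0.0.2", "10.0.0.1", 3260)
IKE = Packet("udp", "20.0.0.2", "10.0.0.1", 500)

if __name__ == "__main__":
    for label, acl in (("permit any", PERMIT_ANY), ("deny + permit any", FILTERED)):
        for pkt in (NTP_REPLY, ECHO, ISCSI, IKE):
            print(f"{label:18} {pkt.proto:4} port={pkt.port}: "
                  f"{inbound_unprotected(acl, pkt)}")
```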

Creating Crypto IPv4-ACLs


To create crypto IPv4-ACLs refer to the Cisco MDS 9000 Family CLI Configuration Guide.

About Transform Sets in IPsec


A transform set represents a certain combination of security protocols and algorithms. During the IPsec
security association negotiation, the peers agree to use a particular transform set for protecting a
particular data flow.
You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto
map entry. The transform set defined in the crypto map entry is used in the IPsec security association
negotiation to protect the data flows specified by that crypto map entry's access list.
During IPsec security association negotiations with IKE, the peers search for a transform set that is the
same at both peers. When such a transform set is found, it is selected and applied to the protected traffic
as part of both peers' IPsec security associations.

Tip If you change a transform set definition, the change is only applied to crypto map entries that reference
the transform set. The change is not applied to existing security associations, but used in subsequent
negotiations to establish new security associations. If you want the new settings to take effect sooner,
you can clear all or part of the security association database.


Note When you enable IPsec, the Cisco NX-OS software automatically creates a default transform set
(ipsec_default_tranform_set) using AES-128 encryption and SHA-1 authentication algorithms.

Table 44-2 provides a list of allowed transform combinations for IPsec.

Table 44-2 IPsec Transform Configuration Parameters

Parameter                          Accepted Values        Keyword
encryption algorithm               56-bit DES-CBC         esp-des
                                   168-bit DES            esp-3des
                                   128-bit AES-CBC        esp-aes 128
                                   128-bit AES-CTR (1)    esp-aes 128 ctr
                                   256-bit AES-CBC        esp-aes 256
                                   256-bit AES-CTR (1)    esp-aes 256 ctr
hash/authentication algorithm (1)  SHA-1 (HMAC variant)   esp-sha1-hmac
(optional)                         MD5 (HMAC variant)     esp-md5-hmac
                                   AES-XCBC-MAC           esp-aes-xcbc-mac

(1) If you configure the AES counter (CTR) mode, you must also configure the authentication algorithm.

The following table lists the supported and verified settings for IPsec and IKE encryption and
authentication algorithms on the Microsoft Windows and Linux platforms:

Platform                          IKE                     IPsec
Microsoft iSCSI initiator,        3DES, SHA-1 or MD5,     3DES, SHA-1
Microsoft IPsec implementation    DH group 2
on Microsoft Windows 2000
platform
Cisco iSCSI initiator,            3DES, MD5, DH group 1   3DES, MD5
Free Swan IPsec implementation
on Linux platform

Configuring Transform Sets


To configure transform sets using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IPSec in the Physical Attributes pane.
You see the IPSec configuration shown in Figure 44-19.


Figure 44-19 IPsec Configuration

Step 2 Click the Transform Set tab in the Information pane.


Step 3 Click Create Row.
You see the Create IPSEC dialog box shown in Figure 44-20.

Figure 44-20 Create IPSEC

Step 4 Select the switches that you want to create a transform set for in the Create Transform Set dialog box.
Step 5 Assign a name and protocol for the transform set.
Step 6 Select the encryption and authentication algorithm. See Table 44-2 to verify the allowed transform
combinations.
Step 7 Click Create to create the transform set or click Close.


About Crypto Map Entries


Once you have created the crypto IPv4-ACLs and transform sets, you can create crypto map entries that
combine the various parts of the IPsec SA, including the following:
- The traffic to be protected by IPsec (per the crypto IPv4-ACL). A crypto map set can contain
  multiple entries, each with a different IPv4-ACL.
- The granularity of the flow to be protected by a set of SAs.
- The IPsec-protected traffic destination (who the remote IPsec peer is).
- The local address to be used for the IPsec traffic (applying to an interface).
- The IPsec security to be applied to this traffic (selecting from a list of one or more transform sets).
- Other parameters to define an IPsec SA.
Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped
into a crypto map set.
When you apply a crypto map set to an interface, the following events occur:
- A security policy database (SPD) is created for that interface.
- All IP traffic passing through the interface is evaluated against the SPD.
- If a crypto map entry sees outbound IP traffic that requires protection, an SA is negotiated with the
  remote peer according to the parameters included in the crypto map entry.
The policy derived from the crypto map entries is used during the negotiation of SAs. If the local switch
initiates the negotiation, it will use the policy specified in the crypto map entries to create the offer to be
sent to the specified IPsec peer. If the IPsec peer initiates the negotiation, the local switch checks the
policy from the crypto map entries and decides whether to accept or reject the peer's request (offer).
For IPsec to succeed between two IPsec peers, both peers' crypto map entries must contain compatible
configuration statements.

SA Establishment Between Peers


When two peers try to establish an SA, they must each have at least one crypto map entry that is
compatible with one of the other peer's crypto map entries.
For two crypto map entries to be compatible, they must at least meet the following criteria:
- The crypto map entries must contain compatible crypto IPv4-ACLs (for example, mirror image
  IPv4-ACLs). If the responding peer entry is in the local crypto, the IPv4-ACL must be permitted by
  the peer's crypto IPv4-ACL.
- The crypto map entries must each identify the other peer or must have auto peer configured.
- If you create more than one crypto map entry for a given interface, use the seq-num of each map
  entry to rank the map entries: the lower the seq-num, the higher the priority. At the interface that has
  the crypto map set, traffic is evaluated against higher priority map entries first.
- The crypto map entries must have at least one transform set in common, where IKE negotiations are
  carried out and SAs are established. During the IPsec SA negotiation, the peers agree to use a
  particular transform set when protecting a particular data flow.
When a packet matches a permit entry in a particular IPv4-ACL, the corresponding crypto map entry is
tagged, and the connections are established.


Crypto Map Configuration Guidelines


When configuring crypto map entries, follow these guidelines:
- The sequence number for each crypto map decides the order in which the policies are applied. A
  lower sequence number is assigned a higher priority.
- Only one IPv4-ACL is allowed for each crypto map entry (the IPv4-ACL itself can have multiple
  permit or deny entries).
- When the tunnel endpoint is the same as the destination address, you can use the auto-peer option
  to dynamically configure the peer.
- For IPsec to interoperate effectively with Microsoft iSCSI initiators, specify the TCP protocol and
  the local iSCSI TCP port number (default 3260) in the IPv4-ACL. This configuration ensures the
  speedy recovery of encrypted iSCSI sessions following disruptions such as Gigabit Ethernet
  interface shutdowns, VRRP switchovers, and port failures.

Creating Crypto Map Entries


To create mandatory crypto map entries using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IPSEC in the Physical Attributes pane.
You see the IPSec configuration in the Information pane (see Figure 44-21).

Figure 44-21 IPsec Configuration

Step 2 Choose the CryptoMap Set Entry tab.


You see the existing crypto maps configured (see Figure 44-22).


Figure 44-22 Existing Crypto Maps

Step 3 (Optional) Click Create Row to create a crypto map entry.


You see the Create Crypto Map dialog box shown in Figure 44-23.

Figure 44-23 Create Crypto Map Dialog Box

Step 4 Select the switch that you want to configure or modify. If you are creating a crypto map, set the setName
and priority for this crypto map.
Step 5 Select the IPv4-ACL Profile and TransformSetIdList from the drop-down list for this crypto map.
Step 6 (Optional) Check the AutoPeer check box or set the peer address if you are creating a crypto map. See
the "About the AutoPeer Option" section on page 44-32.
Step 7 Choose the appropriate PFS selection. See the "About Perfect Forward Secrecy" section on page 44-34.
Step 8 Supply the Lifetime and LifeSize. See the "About SA Lifetime Negotiation" section on page 44-30.
Step 9 Click Create if you are creating a crypto map, or click Apply Changes if you are modifying an existing
crypto map.

About SA Lifetime Negotiation


You can override the global lifetime values (size and time) by configuring an SA-specific lifetime value.


To specify SA lifetime negotiation values, you can optionally configure the lifetime value for a specified
crypto map. If you do, this value overrides the globally set values. If you do not specify the crypto map
specific lifetime, the global value (or global default) is used.
See the "Global Lifetime Values" section on page 44-37 for more information on global lifetime values.

Setting the SA Lifetime


To set the SA lifetime for a specified crypto map entry using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IPSEC in the Physical Attributes pane.
You see the IPsec configuration in the Information pane (see Figure 44-24).

Figure 44-24 IPsec Configuration

Step 2 Choose the CryptoMap Set Entry tab.


You see the existing crypto maps configured (see Figure 44-25).

Figure 44-25 Existing Crypto Maps - Leftmost Columns

Step 3 Scroll to the right half of the dialog box.


You see more columns shown in Figure 44-26.

Figure 44-26 Existing Crypto Maps - Rightmost Columns

Step 4 Double-click and modify the value in the Life Time(sec) column.
Step 5 Click Apply Changes to save your changes.

About the AutoPeer Option


Setting the peer address as AutoPeer in the crypto map indicates that the destination endpoint of the
traffic should be used as the peer address for the SA. Using the same crypto map, a unique SA can be set
up at each of the endpoints in the subnet specified by the crypto map's IPv4-ACL entry. Auto-peer
simplifies configuration when traffic endpoints are IPsec capable. It is particularly useful for iSCSI,
where the iSCSI hosts in the same subnet do not require separate configuration.
Figure 44-27 shows a scenario where the auto-peer option can simplify configuration. Using the
auto-peer option, only one crypto map entry is needed for all the hosts from subnet X to set up SAs with
the switch. Each host will set up its own SA, but will share the crypto map entry. Without the auto-peer
option, each host needs one crypto map entry.

Figure 44-27 iSCSI with End-to-End IPsec Using the auto-peer Option
(Diagram labels: Subnet X with Host 1, Host 2, and Host 3; Router; MDS A; IPsec.)

Configuring the AutoPeer Option
To configure the AutoPeer option using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IPSEC in the Physical Attributes pane.
You see the IPsec configuration in the Information pane (see Figure 44-28).

Figure 44-28 IPsec Configuration

Step 2 Click the CryptoMap Set Entry tab.


You see the existing crypto maps configured in Figure 44-29.

Figure 44-29 Existing Crypto Maps

Step 3 Check or uncheck the AutoPeer option for the selected crypto map set entry.
Step 4 Click Apply Changes to save your changes.

About Perfect Forward Secrecy


To specify SA lifetime negotiation values, you can also optionally configure the perfect forward secrecy
(PFS) value in the crypto map.
The PFS feature is disabled by default. If you set the PFS group, you can set one of the DH groups: 1,
2, 5, or 14. If you do not specify a DH group, the software uses group 1 by default.

Configuring Perfect Forward Secrecy


To configure the PFS value using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IPSEC in the Physical Attributes pane.
You see the IPsec configuration in the Information pane (see Figure 44-30).

Figure 44-30 IPsec Configuration

Step 2 Click the CryptoMap Set Entry tab.


You see the existing crypto maps configured in Figure 44-31.

Figure 44-31 Existing Crypto Maps

Step 3 In the drop-down list in the PFS column, select the appropriate value.
Step 4 Click Apply Changes to save your changes.

About Crypto Map Set Application


You need to apply a crypto map set to each interface through which IPsec traffic will flow. Applying the
crypto map set to an interface instructs the switch to evaluate all the interface's traffic against the crypto
map set and to use the specified policy during connection or SA negotiation on behalf of the traffic to be
protected by crypto.
You can apply only one crypto map set to an interface. You can apply the same crypto map to multiple
interfaces. However, you cannot apply more than one crypto map set to each interface.

Applying a Crypto Map Set


To apply a crypto map set to an interface using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select IPSEC in the Physical Attributes pane.
You see the IPsec configuration in the Information pane (see Figure 44-32).

Figure 44-32 IPsec Configuration

Step 2 Click the Interfaces tab.


You see the existing interface to crypto map configuration in Figure 44-33.

Figure 44-33 Crypto Map Interfaces

Step 3 Select the switch and interface you want to configure.


Step 4 Enter the name of the crypto map that you want to apply to this interface in the CryptomapSetName field.
Step 5 Click Create to apply the crypto map to the selected interface or click Close to exit the dialog box
without applying the crypto map.

IPsec Maintenance
Certain configuration changes will only take effect when negotiating subsequent security associations.
If you want the new settings to take immediate effect, you must clear the existing security associations
so that they will be reestablished with the changed configuration. If the switch is actively processing
IPsec traffic, it is desirable to clear only the portion of the security association database that would be
affected by the configuration changes (that is, clear only the security associations established by a given
crypto map set). Clearing the full security association database should be reserved for large-scale
changes, or when the router is processing very little other IPsec traffic.

Global Lifetime Values


If you have not configured a lifetime in the crypto map entry, the global lifetime values are used when
negotiating new IPsec SAs.
You can configure two lifetimes: timed or traffic-volume. An SA expires after the first of these lifetimes
is reached. The default lifetimes are 3,600 seconds (one hour) and 450 GB.
If you change a global lifetime, the new lifetime value will not be applied to currently existing SAs, but
will be used in the negotiation of subsequently established SAs. If you wish to use the new values
immediately, you can clear all or part of the SA database.

Assuming that the particular crypto map entry does not have lifetime values configured, when the switch
requests new SAs it will specify its global lifetime values in the request to the peer; it will use this value
as the lifetime of the new SAs. When the switch receives a negotiation request from the peer, it uses the
value determined by the IKE version in use:
- If you use IKEv1 to set up IPsec SAs, the SA lifetime values are chosen to be the smaller of the two
  proposals. The same values are programmed on both ends of the tunnel.
- If you use IKEv2 to set up IPsec SAs, the SAs on each end have their own set of lifetime values
  and thus the SAs on both sides expire independently.
The SA (and corresponding keys) will expire according to whichever comes sooner, either after the
specified amount of time (in seconds) has passed or after the specified amount of traffic (in bytes) has
passed.
A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that
negotiation completes before the existing SA expires.
The new SA is negotiated when one of the following thresholds is reached (whichever comes first):
- 30 seconds before the lifetime expires, or
- Approximately 10% of the lifetime in bytes remains
If no traffic has passed through when the lifetime expires, a new SA is not negotiated. Instead, a new SA
will be negotiated only when IPsec sees another packet that should be protected.
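
The lifetime rules above, worked through as an added Python example (not Cisco or Fabric Manager code): it resolves the lifetime a crypto map entry uses, applies the IKEv1 and IKEv2 negotiation rules, and computes when renegotiation starts at a given traffic rate. The function names, the decimal-gigabyte unit, and the constant-rate traffic model are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

GB = 10**9  # assumption: decimal gigabytes; the guide does not define the unit


@dataclass(frozen=True)
class Lifetime:
    seconds: int        # timed lifetime
    volume_bytes: int   # traffic-volume lifetime


# Global defaults stated in the guide: 3,600 seconds and 450 GB.
GLOBAL_DEFAULT = Lifetime(seconds=3600, volume_bytes=450 * GB)


def effective_lifetime(crypto_map: Optional[Lifetime],
                       global_cfg: Lifetime = GLOBAL_DEFAULT) -> Lifetime:
    """A lifetime set on the crypto map entry overrides the global value."""
    return crypto_map if crypto_map is not None else global_cfg


def negotiate(local: Lifetime, peer: Lifetime,
              ike_version: int) -> Tuple[Lifetime, Lifetime]:
    """Return the lifetimes programmed on (local end, peer end)."""
    if ike_version == 1:
        # IKEv1: the smaller of the two proposals, same values on both ends.
        agreed = Lifetime(min(local.seconds, peer.seconds),
                          min(local.volume_bytes, peer.volume_bytes))
        return agreed, agreed
    if ike_version == 2:
        # IKEv2: each end keeps its own values and expires independently.
        return local, peer
    raise ValueError(f"unsupported IKE version: {ike_version}")


def rekey_start(lifetime: Lifetime,
                rate_bytes_per_s: int) -> Optional[Tuple[int, str]]:
    """Second at which renegotiation begins and the threshold that caused it.

    Thresholds from the guide: 30 seconds before the timed lifetime expires,
    or when approximately 10% of the byte lifetime remains, whichever comes
    first. Returns None when no traffic flows, because an idle SA is not
    renegotiated.
    """
    if rate_bytes_per_s <= 0:
        return None
    by_time = max(lifetime.seconds - 30, 0)
    volume_threshold = lifetime.volume_bytes - lifetime.volume_bytes // 10
    by_volume = -(-volume_threshold // rate_bytes_per_s)  # ceiling division
    if by_volume < by_time:
        return by_volume, "traffic-volume"
    return by_time, "time"


if __name__ == "__main__":
    peer = Lifetime(seconds=1800, volume_bytes=900 * GB)  # constructed peer proposal
    local = effective_lifetime(None)                      # no crypto map override
    print("IKEv1:", negotiate(local, peer, 1))
    print("IKEv2:", negotiate(local, peer, 2))
    # 125,000,000 bytes/s is a constructed rate (about 1 Gbps of protected traffic).
    print("rekey at defaults:", rekey_start(local, 125_000_000))
```

At the constructed 125,000,000 bytes/s rate, the default 450 GB volume threshold is reached before the 30-second timer threshold, so the volume limit, not the one-hour timer, drives rekeying on a busy link.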
To configure global SA lifetimes using Fabric Manager, follow these steps:

Step 1 Choose Switches > Security and then select IPSEC in the Physical Attributes pane.
Step 2 You see the IPsec configuration in the Information pane.
Step 3 Click the Global tab.
Step 4 Double-click and edit the value in the Life Time(sec) column (see Figure 44-34).

Figure 44-34 IP Sec Configuration Global Tab

Step 5 Click Apply Changes to save your changes.

Default Settings
Table 44-3 lists the default settings for IKE parameters.

Table 44-3 Default IKE Parameters

Parameters                               Default
IKE                                      Disabled.
IKE version                              IKE version 2.
IKE encryption algorithm                 3DES.
IKE hash algorithm                       SHA.
IKE authentication method                Not configurable (uses preshared keys).
IKE DH group identifier                  Group 1.
IKE lifetime association                 86,400 seconds (equals 24 hours).
IKE keepalive time for each peer (v2)    3,600 seconds (equals 1 hour).

Table 44-4 lists the default settings for IPsec parameters.

Table 44-4 Default IPsec Parameters

Parameters                               Default
IPsec                                    Disabled.
Applying IPsec to the traffic.           Deny: allowing clear text.
IPsec PFS                                Disabled.
IPsec global lifetime (traffic-volume)   450 Gigabytes.
IPsec global lifetime (time)             3,600 seconds (one hour).

CHAPTER 45
Configuring FC-SP and DHCHAP

Fibre Channel Security Protocol (FC-SP) capabilities provide switch-switch and host-switch
authentication to overcome security challenges for enterprise-wide fabrics. Diffie-Hellman Challenge
Handshake Authentication Protocol (DHCHAP) is an FC-SP protocol that provides authentication
between Cisco MDS 9000 Family switches and other devices. DHCHAP consists of the CHAP protocol
combined with the Diffie-Hellman exchange.
This chapter includes the following sections:
- About Fabric Authentication
- DHCHAP
- Default Settings

About Fabric Authentication


All switches in the Cisco MDS 9000 Family enable fabric-wide authentication from one switch to
another switch, or from a switch to a host. These switch and host authentications are performed locally
or remotely in each fabric. As storage islands are consolidated and migrated to enterprise-wide fabrics,
new security challenges arise. The approach of securing storage islands cannot always be guaranteed in
enterprise-wide fabrics. For example, in a campus environment with geographically distributed switches,
someone could maliciously interconnect incompatible switches or you could accidentally do so,
resulting in Inter-Switch Link (ISL) isolation and link disruption. This need for physical security is
addressed by switches in the Cisco MDS 9000 Family (see Figure 45-1).

Figure 45-1 Switch and Host Authentication
(Diagram labels: trusted hosts; RADIUS server; FC-SP (DH-CHAP); unauthorized hosts and switches; storage subsystems.)

DHCHAP
DHCHAP is an authentication protocol that authenticates the devices connecting to a switch. Fibre
Channel authentication allows only trusted devices to be added to a fabric, thus preventing unauthorized
devices from accessing the switch.

Note The terms FC-SP and DHCHAP are used interchangeably in this chapter.

DHCHAP is a mandatory password-based, key-exchange authentication protocol that supports both
switch-to-switch and host-to-switch authentication. DHCHAP negotiates hash algorithms and DH
groups before performing authentication. It supports MD5 and SHA-1 algorithm-based authentication.
Configuring the DHCHAP feature requires the ENTERPRISE_PKG license (see Chapter 10, "Obtaining
and Installing Licenses").
To configure DHCHAP authentication using the local password database, follow these steps:

Step 1 Enable DHCHAP.


Step 2 Identify and configure the DHCHAP authentication modes.

Step 3 Configure the hash algorithm and DH group.


Step 4 Configure the DHCHAP password for the local switch and other switches in the fabric.
Step 5 Configure the DHCHAP timeout value for reauthentication.
Step 6 Verify the DHCHAP configuration.

This section includes the following topics:
- DHCHAP Compatibility with Existing Cisco MDS Features
- About Enabling DHCHAP
- Enabling DHCHAP
- About DHCHAP Authentication Modes
- Configuring the DHCHAP Mode
- About the DHCHAP Hash Algorithm
- Configuring the DHCHAP Hash Algorithm
- About the DHCHAP Group Settings
- Configuring the DHCHAP Group Settings
- About the DHCHAP Password
- Configuring DHCHAP Passwords for the Local Switch
- About Password Configuration for Remote Devices
- Configuring DHCHAP Passwords for Remote Devices
- About the DHCHAP Timeout Value
- Configuring the DHCHAP Timeout Value
- Configuring DHCHAP AAA Authentication
- Enabling FC-SP on ISLs

DHCHAP Compatibility with Existing Cisco MDS Features


This section identifies the impact of configuring the DHCHAP feature along with existing Cisco MDS
features:
- PortChannel interfaces: If DHCHAP is enabled for ports belonging to a PortChannel, DHCHAP
  authentication is performed at the physical interface level, not at the PortChannel level.
- FCIP interfaces: The DHCHAP protocol works with the FCIP interface just as it would with a
  physical interface.
- Port security or fabric binding: Fabric binding policies are enforced based on identities
  authenticated by DHCHAP.
- VSANs: DHCHAP authentication is not done on a per-VSAN basis.
- High availability: DHCHAP authentication works transparently with existing HA features.

About Enabling DHCHAP


By default, the DHCHAP feature is disabled in all switches in the Cisco MDS 9000 Family.
You must explicitly enable the DHCHAP feature to access the configuration and verification commands
for fabric authentication. When you disable this feature, all related configurations are automatically
discarded.

Enabling DHCHAP
To enable DHCHAP for a Cisco MDS switch using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Security and then select FC-SP.


You see the FC-SP (DHCHAP) configuration in the Information pane shown in Figure 45-2.

Figure 45-2 FC-SP Configuration

The Control tab is the default. You see the FC-SP enable state for all switches in the fabric.
Step 2 Set the Command drop-down menu to enable for all switches that you want to enable FC-SP on.
Step 3 Click the Apply Changes icon to enable FC-SP and DHCHAP on the selected switches.

About DHCHAP Authentication Modes


The DHCHAP authentication status for each interface depends on the configured DHCHAP port mode.
When the DHCHAP feature is enabled in a switch, each Fibre Channel interface or FCIP interface may
be configured to be in one of four DHCHAP port modes:
- On: During switch initialization, if the connecting device supports DHCHAP authentication, the
  software performs the authentication sequence. If the connecting device does not support DHCHAP
  authentication, the software moves the link to an isolated state.
- Auto-Active: During switch initialization, if the connecting device supports DHCHAP
  authentication, the software performs the authentication sequence. If the connecting device does not
  support DHCHAP authentication, the software continues with the rest of the initialization sequence.
- Auto-Passive (default): The switch does not initiate DHCHAP authentication, but participates in
  DHCHAP authentication if the connecting device initiates DHCHAP authentication.
- Off: The switch does not support DHCHAP authentication. Authentication messages sent to such
  ports return error messages to the initiating switch.

Note Whenever DHCHAP port mode is changed to a mode other than the Off mode, reauthentication is
performed.

Table 45-1 identifies the switch-to-switch authentication behavior between two Cisco MDS switches in
various modes.

Table 45-1 DHCHAP Authentication Status Between Two MDS Switches

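Switch N        Switch 1 DHCHAP Modes
DHCHAP Modes    on                                      auto-active                             auto-passive                            off
on              FC-SP authentication is performed.      FC-SP authentication is performed.      FC-SP authentication is performed.      Link is brought down.
auto-Active     FC-SP authentication is performed.      FC-SP authentication is performed.      FC-SP authentication is performed.      FC-SP authentication is not performed.
auto-Passive    FC-SP authentication is performed.      FC-SP authentication is performed.      FC-SP authentication is not performed.  FC-SP authentication is not performed.
off             Link is brought down.                   FC-SP authentication is not performed.  FC-SP authentication is not performed.  FC-SP authentication is not performed.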
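
The outcomes in Table 45-1 follow from the four port mode descriptions. As an added example (not Cisco or Fabric Manager code), this Python sketch derives the outcome for any pair of modes and audits a constructed ISL inventory for links that come up without authentication or are brought down. The inventory format, link names, and function names are assumptions.

```python
# Behaviour of each DHCHAP port mode, taken from the mode descriptions above.
INITIATES = {"on", "auto-active"}                     # starts the authentication sequence
PARTICIPATES = {"on", "auto-active", "auto-passive"}  # authenticates if the peer initiates
REQUIRES = {"on"}                                     # isolates the link if the peer cannot authenticate

AUTHENTICATED = "FC-SP authentication is performed"
NOT_AUTHENTICATED = "FC-SP authentication is not performed"
LINK_DOWN = "Link is brought down"


def normalize(mode):
    """Accept the spellings used in the guide (On, auto-Active, auto-passive, ...)."""
    m = mode.strip().lower()
    if m not in PARTICIPATES | {"off"}:
        raise ValueError(f"unknown DHCHAP port mode: {mode!r}")
    return m


def link_outcome(mode_a, mode_b):
    """Outcome for a link whose two ends are in the given DHCHAP port modes."""
    a, b = normalize(mode_a), normalize(mode_b)
    if a in PARTICIPATES and b in PARTICIPATES:
        # Both ends can authenticate; it only happens if one of them initiates.
        if a in INITIATES or b in INITIATES:
            return AUTHENTICATED
        return NOT_AUTHENTICATED
    # At least one end is off and cannot authenticate.
    if a in REQUIRES or b in REQUIRES:
        return LINK_DOWN
    return NOT_AUTHENTICATED


# Constructed inventory for illustration; the names are not from the guide.
SAMPLE_ISLS = [
    {"link": "sw-a fc1/1 <-> sw-b fc1/1", "a_mode": "on", "b_mode": "auto-Passive"},
    {"link": "sw-a fc1/2 <-> sw-c fc2/1", "a_mode": "auto-Passive", "b_mode": "auto-Passive"},
    {"link": "sw-b fc1/3 <-> sw-d fc1/1", "a_mode": "auto-Active", "b_mode": "off"},
    {"link": "sw-c fc2/2 <-> sw-d fc1/2", "a_mode": "on", "b_mode": "off"},
]


def audit_isls(links):
    """Return (link, outcome) for every link that is not authenticated."""
    findings = []
    for link in links:
        outcome = link_outcome(link["a_mode"], link["b_mode"])
        if outcome != AUTHENTICATED:
            findings.append((link["link"], outcome))
    return findings


if __name__ == "__main__":
    for name, outcome in audit_isls(SAMPLE_ISLS):
        print(f"{name}: {outcome}")
```

The second sample link has both ends at the default auto-passive mode, so it comes up with no authentication; that is the case this audit is meant to surface after DHCHAP is enabled.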

Configuring the DHCHAP Mode


To configure the DHCHAP mode for a particular interface using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Interfaces and then select FC Physical.


You see the interface configuration in the Information pane.
Step 2 Click the FC-SP tab.
You see the FC-SP (DHCHAP) configuration in the Information pane shown in Figure 45-3.

Figure 45-3 FC-SP (DHCHAP) Interface Modes

Step 3 Set the Mode drop-down menu to the DHCHAP authentication mode you want to configure for that
interface.
Step 4 Click the Apply Changes icon to save these DHCHAP port mode settings.

About the DHCHAP Hash Algorithm


Cisco MDS switches support a default hash algorithm priority list of MD5 followed by SHA-1 for
DHCHAP authentication.

Tip If you change the hash algorithm configuration, then change it globally for all switches in the fabric.

Caution RADIUS and TACACS+ protocols always use MD5 for CHAP authentication. Using SHA-1 as the hash
algorithm may prevent RADIUS and TACACS+ usage, even if these AAA protocols are enabled for
DHCHAP authentication.

Configuring the DHCHAP Hash Algorithm


To configure the hash algorithm using Fabric Manager, follow these steps:

Step 1 Choose Switches > Security and then select FC-SP.


Step 2 Click the General/Password tab.
You see the DHCHAP general settings mode for each switch shown in Figure 45-4.

Figure 45-4 General/Password Tab

Step 3 Change the DHCHAP HashList for each switch in the fabric.
Step 4 Click the Apply Changes icon to save the updated hash algorithm priority list.

About the DHCHAP Group Settings


All switches in the Cisco MDS Family support all DHCHAP groups specified in the standard: 0 (null
DH group, which does not perform the Diffie-Hellman exchange), 1, 2, 3, or 4.

Tip If you change the DH group configuration, change it globally for all switches in the fabric.

Configuring the DHCHAP Group Settings


To change the DH group settings using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select FC-SP.


Step 2 Choose the General/Password tab.
Step 3 Change the DHCHAP GroupList for each switch in the fabric.
Step 4 Click the Apply Changes icon to save the updated hash algorithm priority list.

About the DHCHAP Password


DHCHAP authentication in each direction requires a shared secret password between the connected
devices. To do this, you can use one of three approaches to manage passwords for all switches in the
fabric that participate in DHCHAP.
- Approach 1: Use the same password for all switches in the fabric. This is the simplest approach.
  When you add a new switch, you use the same password to authenticate that switch in this fabric. It
  is also the most vulnerable approach if someone from the outside maliciously attempts to access any
  one switch in the fabric.
- Approach 2: Use a different password for each switch and maintain that password list in each
  switch in the fabric. When you add a new switch, you create a new password list and update all
  switches with the new list. Accessing one switch yields the password list for all switches in that
  fabric.
- Approach 3: Use different passwords for different switches in the fabric. When you add a new
  switch, multiple new passwords corresponding to each switch in the fabric must be generated and
  configured in each switch. Even if one switch is compromised, the passwords of other switches are
  still protected. This approach requires considerable password maintenance by the user.

Note All passwords are restricted to 64 alphanumeric characters and can be changed, but not deleted.

Tip We recommend using RADIUS or TACACS+ for fabrics with more than five switches. If you need to
use a local password database, you can continue to do so using Approach 3 and using the Cisco MDS
9000 Family Fabric Manager to manage the password database.

Configuring DHCHAP Passwords for the Local Switch


To configure the DHCHAP password for the local switch using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select FC-SP.


You see the FC-SP configuration in the Information pane.
Step 2 Click the Local Passwords tab.
Step 3 Click the Create Row icon to create a new local password.
You see the Create Local Passwords dialog box.
Step 4 (Optional) Check the switches that you want to configure the same local password on.
Step 5 Select the switch WWN and fill in the Password field.
Step 6 Click Create to save the updated password.

About Password Configuration for Remote Devices


You can configure passwords in the local authentication database for other devices in a fabric. The other
devices are identified by their device name, which is also known as the switch WWN or device WWN.
The password is restricted to 64 characters and can be specified in clear text (0) or in encrypted text (7).

Note The switch WWN identifies the physical switch. This WWN is used to authenticate the switch and is
different from the VSAN node WWN.

Configuring DHCHAP Passwords for Remote Devices


To locally configure the remote DHCHAP password for another switch in the fabric using Fabric
Manager, follow these steps:

Step 1 Right-click an ISL and select Enable FC-SP from the drop-down list (see Figure 45-5).

Figure 45-5 Enable FC-SP

You see the Enable FC-SP dialog box.

Figure 45-6 Enable FC-SP Dialog Box

Step 2 Click Apply to save the updated password.

About the DHCHAP Timeout Value


During the DHCHAP protocol exchange, if the MDS switch does not receive the expected DHCHAP
message within a specified time interval, authentication failure is assumed. The time ranges from 20 (no
authentication is performed) to 1000 seconds. The default is 30 seconds.
When changing the timeout value, consider the following factors:
- The existing RADIUS and TACACS+ timeout values.
- The same value must also be configured on all switches in the fabric.

Configuring the DHCHAP Timeout Value


To configure the DHCHAP timeout value using Fabric Manager, follow these steps:

Step 1 Expand Switches > Security and then select FC-SP.


You see the FC-SP configuration in the Information pane.
Step 2 Click the General/Password tab.
You see the DHCHAP general settings mode for each switch (see Figure 45-7).

Figure 45-7 General/Password Tab

Step 3 Change the DHCHAP timeout value for each switch in the fabric.

Step 4 Click the Apply Changes icon to save the updated information.

Configuring DHCHAP AAA Authentication


You can individually set authentication options. If authentication is not configured, local authentication
is used by default.
To configure the AAA authentication, refer to the Cisco MDS 9000 Family CLI Configuration Guide,

Enabling FC-SP on ISLs


There is an ISL pop-up menu in Fabric Manager called Enable FC-SP that enables FC-SP on switches
at either end of the ISL. You are prompted for an FC-SP generic password, then asked to set FC-SP
interface mode to ON for affected ports. Right-click an ISL and click Enable FC-SP to access this
feature.

Default Settings
Table 45-2 lists the default settings for all fabric security features in any switch.

Table 45-2 Default Fabric Security Settings

Parameters                                      Default
DHCHAP feature                                  Disabled.
DHCHAP hash algorithm                           A priority list of MD5 followed by SHA-1 for DHCHAP authentication.
DHCHAP authentication mode                      Auto-passive.
DHCHAP group default priority exchange order    0, 4, 1, 2, and 3 respectively.
DHCHAP timeout value                            30 seconds.

CHAPTER 46
Configuring Port Security

All switches in the Cisco MDS 9000 Family provide port security features that reject intrusion attempts
and report these intrusions to the administrator.

Note Port security is only supported for Fibre Channel ports.

This chapter includes the following sections:
- About Port Security
- Port Security Configuration Guidelines
- Enabling Port Security
- Activating Port Security
- About Enabling Auto-learning
- Port Security Manual Configuration
- Port Security Configuration Distribution
- Database Merge Guidelines
- Port Security Activation
- Auto-learning
- Database Interaction

About Port Security


Typically, any Fibre Channel device in a SAN can attach to any SAN switch port and access SAN
services based on zone membership. Port security features prevent unauthorized access to a switch port
in the Cisco MDS 9000 Family in the following ways:
- Login requests from unauthorized Fibre Channel devices (Nx ports) and switches (xE ports) are
  rejected.

- All intrusion attempts are reported to the SAN administrator through system messages.
Configuration distribution uses the CFS infrastructure, and is limited to those switches that are CFS
capable. Distribution is disabled by default.
Configuring the port security policy requires the ENTERPRISE_PKG license (see Chapter 10,
Obtaining and Installing Licenses).
This section includes the following topics:
- Port Security Enforcement
- About Auto-Learning
- Port Security Activation

Port Security Enforcement


To enforce port security, configure the devices and switch port interfaces through which each device or
switch is connected, and activate the configuration.
- Use the port world wide name (pWWN) or the node world wide name (nWWN) to specify the Nx
  port connection for each device.
- Use the switch world wide name (sWWN) to specify the xE port connection for each switch.
- Each Nx and xE port can be configured to restrict a single port or a range of ports.
Enforcement of port security policies is done on every activation and when the port tries to come up.
The port security feature uses two databases to accept and implement configuration changes.
- Configuration database: All configuration changes are stored in the configuration database.
- Active database: The database currently enforced by the fabric. The port security feature requires
  all devices connecting to a switch to be part of the port security active database. The software uses
  this active database to enforce authorization.

About Auto-Learning
You can instruct the switch to automatically learn (auto-learn) the port security configurations over a
specified period. This feature allows any switch in the Cisco MDS 9000 Family to automatically learn
about devices and switches that connect to it. Use this feature when you activate the port security feature
for the first time as it saves tedious manual configuration for each port. You must configure auto-learning
on a per-VSAN basis. If enabled, devices and switches that are allowed to connect to the switch are
automatically learned, even if you have not configured any port access.
When auto-learning is enabled, learning happens only for the devices or interfaces that were not already
logged into the switch. Learned entries on a port are cleaned up after you shut down that port if
auto-learning is still enabled.
Learning does not override the existing configured port security policies. So, for example, if an interface
is configured to allow a specific pWWN, then auto-learning will not add a new entry to allow any other
pWWN on that interface. All other pWWNs will be blocked even in auto-learning mode.
No entries are learned for a port in the shutdown state.
When you activate the port security feature, auto-learning is also automatically enabled.

Note If you enable auto-learning before activating port security, you cannot activate until auto-learning is
disabled.

Port Security Activation


By default, the port security feature is not activated in any switch in the Cisco MDS 9000 Family.
By activating the port security feature, the following apply:
- Auto-learning is also automatically enabled, which means:
  - From this point, auto-learning happens only for the devices or interfaces that were not logged
    into the switch.
  - You cannot activate the database until you disable auto-learning.
- All the devices that are already logged in are learned and are added to the active database.
- All entries in the configured database are copied to the active database.
After the database is activated, subsequent device login is subject to the activated port bound WWN
pairs, excluding the auto-learned entries. You must disable auto-learning before the auto-learned entries
become activated.
When you activate the port security feature, auto-learning is also automatically enabled. You can choose
to activate the port security feature and disable auto-learning.

Tip If a port is shut down because of a denied login attempt, and you subsequently configure the database to
allow that login, the port does not come up automatically. You must explicitly issue a no shutdown CLI
command to bring that port back online.

Port Security Configuration Guidelines


The steps to configure port security depend on which features you are using. Auto-learning works
differently if you are using CFS distribution.
This section includes the following topics:
Configuring Port Security with Auto-Learning and CFS Distribution, page 46-3
Configuring Port Security with Auto-Learning without CFS, page 46-4
Configuring Port Security with Manual Database Configuration, page 46-4

Configuring Port Security with Auto-Learning and CFS Distribution


To configure port security, using auto-learning and CFS distribution, follow these steps:

Step 1 Enable port security. See the Enabling Port Security section on page 46-8.
Step 2 Enable CFS distribution. See the Enabling Distribution section on page 46-18.

Step 3 Activate port security on each VSAN. This turns on auto-learning by default. See the Activating Port
Security section on page 46-9.
Step 4 Issue a CFS commit to copy this configuration to all switches in the fabric. See the Committing the
Changes section on page 46-19. At this point, all switches are activated and are auto-learning.
Step 5 Wait until all switches and all hosts are automatically learned.
Step 6 Disable auto-learn on each VSAN. See the Disabling Auto-learning section on page 46-13.
Step 7 Issue a CFS commit to copy this configuration to all switches in the fabric. See the Committing the
Changes section on page 46-19. At this point, the auto-learned entries from every switch are combined
into a static active database that is distributed to all switches.
Step 8 Copy the active database to the configure database on each VSAN. See the Port Security Database
Copy section on page 46-22.
Step 9 Issue a CFS commit to copy this configuration to all switches in the fabric. See the Committing the
Changes section on page 46-19. This ensures that the configure database is the same on all switches in
the fabric.
Step 10 Copy the running configuration to the startup configuration, using the fabric option. This saves the port
security configure database to the startup configuration on all switches in the fabric.

Configuring Port Security with Auto-Learning without CFS


To configure port security using auto-learning without CFS, follow these steps:

Step 1 Enable port security. See the Enabling Port Security section on page 46-8.
Step 2 Activate port security on each VSAN. This turns on auto-learning by default. See the Activating Port
Security section on page 46-9.
Step 3 Wait until all switches and all hosts are automatically learned.
Step 4 Disable auto-learn on each VSAN. See the Disabling Auto-learning section on page 46-13.
Step 5 Copy the active database to the configure database on each VSAN. See the Port Security Database
Copy section on page 46-22.
Step 6 Copy the running configuration to the startup configuration. This saves the port security configure
database to the startup configuration.
Step 7 Repeat Step 1 through Step 6 for all switches in the fabric.

Configuring Port Security with Manual Database Configuration


To configure port security and manually configure the port security database, follow these steps:

Step 1 Enable port security. See the Enabling Port Security section on page 46-8.
Step 2 Manually configure all port security entries into the configure database on each VSAN. See the Port
Security Manual Configuration section on page 46-15.

Step 3 Activate port security on each VSAN. This turns on auto-learning by default. See the Activating Port
Security section on page 46-9.
Step 4 Disable auto-learn on each VSAN. See the Disabling Auto-learning section on page 46-13.
Step 5 Copy the running configuration to the startup configuration. This saves the port security configure
database to the startup configuration.
Step 6 Repeat Step 1 through Step 5 for all switches in the fabric.

Configuring Port Security Using Wizard


The Port Security Configuration wizard provides step-by-step procedures for setting up the Port Security
Policy for a selected VSAN. The wizard also supports central management through CFS, making it
possible to complete the entire configuration in one place.
The wizard automatically performs a few essential operations. For example, if you want central
management, the wizard checks CFS capability, enables CFS, and issues a CFS commit at the proper
stages.
To manage security at a particular port, you do not need to run the wizard to configure the port
security policy VSAN-wide; you can directly edit access on the port itself. This operation
can be done through the Port Binding dialog box. If the switch to which the port belongs has not enabled
port security yet, the dialog box enables security first. If port security is enabled, the dialog box edits
the policy database based on user operations.

Prerequisites
The prerequisites for configuring Port Security are as follows:
Port Security enabled on the switch.
Port Security Policy should be defined either manually by editing bound devices or switches or ports
or by using autolearning.
Port Security Policy is activated.
Activated and configured databases are synchronized through copy.
Activated database is copied to be the startup configuration.
CFS should be enabled on all switches in the VSAN. A CFS master switch is selected to do all
configurations. All changes will be distributed to the VSAN through the CFS commit command.
To configure port security, follow these steps:

Step 1 Click the Port Security button on the toolbar.


Before launching the Port Security Setup Wizard, Fabric Manager checks the CFS capability of the
switches in the VSAN.
If VSAN context is not available, the wizard prompts you to select a VSAN as shown in Figure 46-1.

Figure 46-1 Select VSAN Window

Step 2 Select the VSAN from the list and click OK.
You see the first page of the Port Security Setup Wizard as shown in Figure 46-2.

Figure 46-2 Select Master Switch Page

Step 3 Do the following in the Select Master Switch page:


Select the required master switch.
Select Automatically learn all logged in ports in VSAN to Autolearn port configuration.
Step 4 Click Next to proceed.

You see the Edit and Activate Configuration page as shown in Figure 46-3.

Figure 46-3 Edit and Activate Configuration Page

Step 5 Click Insert to create port binding.


You see the Insert Port Security Devices dialog box as shown in Figure 46-4.

Figure 46-4 Insert Port Security Devices Dialog Box

Step 6 Two types of port binding can be created using the Insert Port Security Devices dialog box:
Port WWN: pWWN bound to an interface WWN.
Switch: Switch WWN bound to an interface. (Mainly useful for ISL binding.)
Step 7 Select the type of port binding by clicking the radio buttons and enter the supporting values.
Step 8 Click OK.

Step 9 Click Close to exit the Insert Port Security window.

Note To delete an entry in the Edit and Activate Configuration page of the wizard, select the entry and
click the Delete button.

Step 10 Click Finish to complete the Port Security Configuration for the selected switch.

Enabling Port Security


By default, the port security feature is disabled in all switches in the Cisco MDS 9000 Family.
To enable port security using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and then select Port Security in the Logical Domains pane.
You see the port security configuration for that VSAN in the Information pane (see Figure 46-5).

Figure 46-5 Port Security Configuration

Step 2 Click the CFS tab.


You see the information shown in Figure 46-6.

Figure 46-6 Port Security CFS

Step 3 Enable CFS on all participating switches in the VSAN by clicking each entry in the Global column and
selecting enable.
Step 4 Click Apply Changes to enable CFS distribution for the port security feature.

Step 5 Click the Control tab.


You see the port security enable state for all switches in the selected VSAN (see Figure 46-7).

Figure 46-7 Port Security Configuration

Step 6 Set the Command column to enable for each switch in the VSAN.
Step 7 Click the CFS tab and set the Command column to commit on all participating switches in the VSAN.
Step 8 Click Apply Changes to distribute the enabled port security to all switches in the VSAN.

Port Security Activation


This section includes the following topics:
Activating Port Security, page 46-9
Database Activation Rejection, page 46-10
Forcing Port Security Activation, page 46-10
Database Reactivation, page 46-11
Copying an Active Database to the Config Database, page 46-11
Displaying Activated Port Security Settings, page 46-12
Displaying Port Security Statistics, page 46-12
Displaying Port Security Violations, page 46-12

Activating Port Security


To activate port security using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and select Port Security in the Logical Domains pane.
You see the port security configuration for that VSAN in the Information pane.
Step 2 Click the Actions tab.

Step 3 Click in the Action column under Activation, next to the switch or VSAN on which you want to activate
port security. You see a drop-down menu with the following options:
activate: Valid port security settings are activated.
activate (TurnLearningOff): Valid port security settings are activated and auto-learn is turned off.
forceActivate: Activation is forced.
forceActivate (TurnLearningOff): Activation is forced and auto-learn is turned off.
deactivate: All currently active port security settings are deactivated.
NoSelection: No action is taken.
Step 4 Set the Action field you want for that switch.
Step 5 Uncheck the AutoLearn check box for each switch in the VSAN to disable auto-learning.
Step 6 Click the CFS tab and set the command column to commit on all participating switches in the VSAN.
Step 7 Click Apply Changes in Fabric Manager or Apply in Device Manager to save these changes.

Note If required, you can disable auto-learning (see the Disabling Auto-learning section on page 46-13).

Database Activation Rejection


Database activation is rejected in the following cases:
Missing or conflicting entries exist in the configuration database but not in the active database.
The auto-learning feature was enabled before the activation. To reactivate a database in this state,
disable auto-learning.
The exact security is not configured for each PortChannel member.
The configured database is empty but the active database is not.
If the database activation is rejected due to one or more conflicts listed in the previous section, you may
decide to proceed by forcing the port security activation.

Forcing Port Security Activation


If the port security activation request is rejected, you can force the activation.

Note An activation using the force option can log out existing devices if they violate the active database.

To forcefully activate the port security database using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and select Port Security in the Logical Domains pane.
You see the port security configuration for that VSAN in the Information pane.
Step 2 Click the Actions tab.

Step 3 Click in the Action column under Activation, next to the switch or VSAN on which you want to activate
port security and select the forceActivate option.
Step 4 Set the Action field you want for that switch.
Step 5 Click the CFS tab and set the command column to commit on all participating switches in the VSAN.
Step 6 Click Apply Changes in Fabric Manager or Apply in Device Manager to save these changes.

Database Reactivation

Tip If auto-learning is enabled, and you cannot activate the database, you will not be allowed to proceed.

To reactivate the port security database using Fabric Manager, follow these steps:

Step 1 Disable auto-learning.


Step 2 Copy the active database to the configured database.

Tip If the active database is empty, you cannot perform this step.

Step 3 Make the required changes to the configuration database.


Step 4 Activate the database.

Copying an Active Database to the Config Database


To copy the active database to the config database using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and select Port Security in the Logical Domains pane.
You see the port security configuration for that VSAN in the Information pane.
Step 2 Click the Actions tab.
You see the switches for that VSAN.
Step 3 Check the CopyActive ToConfig check box next to the switch for which you want to copy the database.
The active database is copied to the config database when the security setting is activated.
Step 4 Uncheck the CopyActive ToConfig check box if you do not want the database copied when the security
setting is activated.
Step 5 Click the CFS tab and set the command column to commit on all participating switches in the VSAN.
Step 6 Click Apply Changes to save these changes or click Undo Changes to discard any unsaved changes.

Displaying Activated Port Security Settings


To display active port security settings using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and select Port Security in the Logical Domains pane.
You see the port security configuration for that VSAN in the Information pane.
Step 2 Click the Active Database tab.
You see the active port security settings for that VSAN.

Displaying Port Security Statistics


To display port security statistics using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and select Port Security in the Logical Domains pane.
You see the port security configuration for that VSAN in the Information pane.
Step 2 Click the Statistics tab.
You see the port security statistics for that VSAN.

Displaying Port Security Violations


Port violations are invalid login attempts (for example, login requests from unauthorized Fibre Channel
devices). You can display a list of these attempts on a per-VSAN basis, using Fabric Manager.
To display port security violations, follow these steps:

Step 1 Expand a VSAN and select Port Security in the Logical Domains pane.
You see the port security configuration for that VSAN in the Information pane.
Step 2 Click the Violations tab. You see the port security violations for that VSAN.

Auto-learning
This section contains the following topics:
About Enabling Auto-learning, page 46-13
Enabling Auto-learning, page 46-13
Disabling Auto-learning, page 46-13
Auto-Learning Device Authorization, page 46-14
Authorization Scenarios, page 46-14

About Enabling Auto-learning


The state of the auto-learning configuration depends on the state of the port security feature:
If the port security feature is not activated, auto-learning is disabled by default.
If the port security feature is activated, auto-learning is enabled by default (unless you explicitly
disabled this option).

Tip If auto-learning is enabled on a VSAN, you can only activate the database for that VSAN by using the
force option.

Enabling Auto-learning
To enable auto-learning using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and select Port Security in the Logical Domains pane.
You see the port security configuration for that VSAN in the Information pane (see Figure 46-8).

Figure 46-8 Port Security Configuration

Step 2 Click the Actions tab.


Step 3 Click in the Action column under Activation, next to the switch or VSAN on which you want to activate
port security. You see a drop-down menu with the following options:
activate: Valid port security settings are activated.
activate (TurnLearningOff): Valid port security settings are activated and auto-learn is turned off.
forceActivate: Activation is forced.
forceActivate (TurnLearningOff): Activation is forced and auto-learn is turned off.
deactivate: All currently active port security settings are deactivated.
NoSelection: No action is taken.
Step 4 Select one of the port security options for that switch.
Step 5 Check the AutoLearn check box for each switch in the VSAN to enable auto-learning.
Step 6 Click the Apply Changes icon to save these changes.

Disabling Auto-learning
To disable auto-learning using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and select Port Security in the Logical Domains pane.
You see the port security configuration for that VSAN in the Information pane (see Figure 46-8).
Step 2 Click the Actions tab.
You see the switches for that VSAN.
Step 3 Uncheck the AutoLearn check box next to the switch if you want to disable auto-learning.
Step 4 Click the Apply Changes icon to save these changes.

Auto-Learning Device Authorization


Table 46-1 summarizes the authorized connection conditions for device requests.

Table 46-1 Authorized Auto-Learning Device Requests

Condition  Device (pWWN, nWWN, sWWN)                 Requests Connection to                    Authorization
1          Configured with one or more switch ports  A configured switch port                  Permitted
2          Configured with one or more switch ports  Any other switch port                     Denied
3          Not configured                            A switch port that is not configured      Permitted if auto-learning enabled
4          Not configured                            A switch port that is not configured      Denied if auto-learning disabled
5          Configured or not configured              A switch port that allows any device      Permitted
6          Configured to log in to any switch port   Any port on the switch                    Permitted
7          Not configured                            A port configured with some other device  Denied

Authorization Scenarios
Assume that the port security feature is activated and the following conditions are specified in the active
database:
A pWWN (P1) is allowed access through interface fc1/1 (F1).
A pWWN (P2) is allowed access through interface fc1/1 (F1).
A nWWN (N1) is allowed access through interface fc1/2 (F2).
Any WWN is allowed access through interface fc1/3 (F3).
A nWWN (N3) is allowed access through any interface.
A pWWN (P3) is allowed access through interface fc1/4 (F4).
A sWWN (S1) is allowed access through interface fc1/10-13 (F10 to F13).
A pWWN (P10) is allowed access through interface fc1/11 (F11).

Table 46-2 summarizes the port security authorization results for this active database. The conditions
listed refer to the conditions from Table 46-1.

Table 46-2 Authorization Results for Scenario

Device Connection Request       Authorization  Condition  Reason
P1, N2, F1                      Permitted      1          No conflict.
P2, N2, F1                      Permitted      1          No conflict.
P3, N2, F1                      Denied         2          F1 is bound to P1/P2.
P1, N3, F1                      Permitted      6          Wildcard match for N3.
P1, N1, F3                      Permitted      5          Wildcard match for F3.
P1, N4, F5                      Denied         2          P1 is bound to F1.
P5, N1, F5                      Denied         2          N1 is only allowed on F2.
P3, N3, F4                      Permitted      1          No conflict.
S1, F10                         Permitted      1          No conflict.
S2, F11                         Denied         7          P10 is bound to F11.
P4, N4, F5 (auto-learning on)   Permitted      3          No conflict.
P4, N4, F5 (auto-learning off)  Denied         4          No match.
S3, F5 (auto-learning on)       Permitted      3          No conflict.
S3, F5 (auto-learning off)      Denied         4          No match.
P1, N1, F6 (auto-learning on)   Denied         2          P1 is bound to F1.
P5, N5, F1 (auto-learning on)   Denied         7          Only P1 and P2 bound to F1.
S3, F4 (auto-learning on)       Denied         7          P3 paired with F4.
S1, F3 (auto-learning on)       Permitted      5          No conflict.
P5, N3, F3                      Permitted      6          Wildcard ( * ) match for F3 and N3.
P7, N3, F9                      Permitted      6          Wildcard ( * ) match for N3.
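
The conditions of Table 46-1 applied to the scenario's active database and to every connection request in Table 46-2. This is an added example, not Cisco code: the Binding and Login types, the authorize function and the order in which the conditions are tested are assumptions chosen to agree with the Permitted and Denied results in Table 46-2.

```python
from typing import NamedTuple, Optional

ANY = "*"  # wildcard: any device, or any interface


class Binding(NamedTuple):
    device: str  # pWWN, nWWN or sWWN label, or ANY
    port: str    # interface label, or ANY


class Login(NamedTuple):
    port: str
    pwwn: Optional[str] = None
    nwwn: Optional[str] = None
    swwn: Optional[str] = None


# Active database listed in the Authorization Scenarios section.
ACTIVE_DB = [
    Binding("P1", "F1"), Binding("P2", "F1"), Binding("N1", "F2"),
    Binding(ANY, "F3"), Binding("N3", ANY), Binding("P3", "F4"),
    *(Binding("S1", f"F{n}") for n in range(10, 14)),
    Binding("P10", "F11"),
]


def authorize(db, login, auto_learning=False):
    """Return (permitted, condition); condition is a row number of Table 46-1.

    Where several conditions apply, Table 46-2 cites one of them; this sketch
    reports the first that matches in the order below (an assumption).
    """
    ids = {w for w in (login.pwwn, login.nwwn, login.swwn) if w}
    mine = [b for b in db if b.device in ids]        # entries naming this device
    on_port = [b for b in db if b.port == login.port]  # entries naming this port

    if any(b.port == login.port for b in mine):
        return True, 1    # device is configured for this port
    if any(b.port == ANY for b in mine):
        return True, 6    # device may log in to any port
    if any(b.device == ANY for b in on_port):
        return True, 5    # port allows any device
    if mine:
        return False, 2   # device is bound to some other port
    if on_port:
        return False, 7   # port is bound to some other device
    return (True, 3) if auto_learning else (False, 4)


# Rows of Table 46-2: (login, auto-learning, Permitted per the table).
TABLE_46_2 = [
    (Login("F1", "P1", "N2"), False, True),
    (Login("F1", "P2", "N2"), False, True),
    (Login("F1", "P3", "N2"), False, False),
    (Login("F1", "P1", "N3"), False, True),
    (Login("F3", "P1", "N1"), False, True),
    (Login("F5", "P1", "N4"), False, False),
    (Login("F5", "P5", "N1"), False, False),
    (Login("F4", "P3", "N3"), False, True),
    (Login("F10", swwn="S1"), False, True),
    (Login("F11", swwn="S2"), False, False),
    (Login("F5", "P4", "N4"), True, True),
    (Login("F5", "P4", "N4"), False, False),
    (Login("F5", swwn="S3"), True, True),
    (Login("F5", swwn="S3"), False, False),
    (Login("F6", "P1", "N1"), True, False),
    (Login("F1", "P5", "N5"), True, False),
    (Login("F4", swwn="S3"), True, False),
    (Login("F3", swwn="S1"), True, True),
    (Login("F3", "P5", "N3"), False, True),
    (Login("F9", "P7", "N3"), False, True),
]


def mismatches():
    """Rows of Table 46-2 whose result authorize() does not reproduce."""
    return [row for row in TABLE_46_2
            if authorize(ACTIVE_DB, row[0], row[1])[0] != row[2]]


if __name__ == "__main__":
    for login, learning, _ in TABLE_46_2:
        print(login, "auto-learning" if learning else "", authorize(ACTIVE_DB, login, learning))
```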

Port Security Manual Configuration


To configure port security on any switch in the Cisco MDS 9000 Family, follow these steps:

Step 1 Identify the WWN of the ports that need to be secured.


Step 2 Secure the fWWN to an authorized nWWN or pWWN.
Step 3 Activate the port security database.
Step 4 Verify your configuration.

This section includes the following topics:


About WWN Identification, page 46-16
Adding Authorized Port Pairs, page 46-16

Deleting Port Security Setting, page 46-17

About WWN Identification


If you decide to manually configure port security, be sure to adhere to the following guidelines:
Identify switch ports by the interface or by the fWWN.
Identify devices by the pWWN or by the nWWN.
If an Nx port is allowed to log in to SAN switch port Fx, then that Nx port can only log in through
the specified Fx port.
If an Nx port's nWWN is bound to an Fx port WWN, then all pWWNs in the Nx port are implicitly
paired with the Fx port.
TE port checking is done on each VSAN in the allowed VSAN list of the trunk port.
All PortChannel xE ports must be configured with the same set of WWNs in the same PortChannel.
E port security is implemented in the port VSAN of the E port. In this case the sWWN is used to
secure authorization checks.
Once activated, the config database can be modified without any effect on the active database.
By saving the running configuration, you save the configuration database and activated entries in the
active database. Learned entries in the active database are not saved.

Adding Authorized Port Pairs


After identifying the WWN pairs that need to be bound, add those pairs to the port security database.

Tip Remote switch binding can be specified at the local switch. To specify the remote interfaces, you can
use either the fWWN or sWWN-interface combination.

To add authorized port pairs for port security using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and select Port Security in the Logical Domains pane.
Step 2 Click the Config Database tab.
Step 3 Click Create Row to add an authorized port pair.
You see the Create Port Security dialog box shown in Figure 46-9.

Figure 46-9 Create Port Security Dialog Box

Step 4 Double-click the device from the available list for which you want to create the port security setting.
Step 5 Double-click the port from the available list to which you want to bind the device.
Step 6 Click Create to create the port security setting.
Step 7 Click the Apply Changes icon to save these changes.

Deleting Port Security Setting


To delete a port security setting from the configured database on a switch, follow these steps:

Step 1 Expand a VSAN and select Port Security in the Logical Domains pane.
Step 2 Click the Config Database tab.
You see the configured port security settings for that VSAN.
Step 3 Click the row you want to delete.
Step 4 Click Delete Row.
You see the confirmation dialog box.
Step 5 Click Yes to delete the row, or click No to close the confirmation dialog box without deleting the row.
Step 6 Click the Apply Changes icon to save these changes.

Port Security Configuration Distribution


The port security feature uses the Cisco Fabric Services (CFS) infrastructure to enable efficient database
management, provide a single point of configuration for the entire fabric in the VSAN, and enforce the
port security policies throughout the fabric (see Chapter 13, Using the CFS Infrastructure).

This section includes the following topics:


Enabling Distribution, page 46-18
Locking the Fabric, page 46-18
Committing the Changes, page 46-19
Activation and Auto-learning Configuration Distribution, page 46-19

Enabling Distribution
All the configurations performed in distributed mode are stored in a pending (temporary) database. If
you modify the configuration, you need to commit or discard the pending database changes to the
configurations. The fabric remains locked during this period. Changes to the pending database are not
reflected in the configurations until you commit the changes.

Note Port activation or deactivation and auto-learning enable or disable do not take effect until after a CFS
commit if CFS distribution is enabled. Always follow any one of these operations with a CFS commit to
ensure proper configuration. See the Activation and Auto-learning Configuration Distribution section
on page 46-19.

Tip In this case, we recommend that you perform a commit at the end of each operation: after you activate
port security and after you enable auto learning.

To enable distribution using Fabric Manager, follow these steps:

Step 1 Expand a VSAN and select Port Security in the Logical Domains pane.
You see the port security configuration for that VSAN in the Information pane (see Figure 46-8).
Step 2 Click the Control tab.
You see the switches for that VSAN.
Step 3 In the Command column, select enable or disable from the drop-down menu.
Step 4 Click the Apply Changes icon to save the changes.

Locking the Fabric


The first action that modifies the existing configuration creates the pending database and locks the
feature in the VSAN. Once you lock the fabric, the following situations apply:
No other user can make any configuration changes to this feature.
A copy of the configuration database becomes the pending database.

Committing the Changes


If you commit the changes made to the configurations, the configurations in the pending database are
distributed to other switches. On a successful commit, the configuration change is applied throughout
the fabric and the lock is released.

Activation and Auto-learning Configuration Distribution


Activation and auto-learning configurations in distributed mode are remembered as actions to be
performed when you commit the changes in the pending database.
Learned entries are temporary and do not have any role in determining if a login is authorized or not. As
such, learned entries do not participate in distribution. When you disable learning and commit the
changes in the pending database, the learned entries become static entries in the active database and are
distributed to all switches in the fabric. After the commit, the active databases on all switches are
identical and learning can be disabled.
If the pending database contains more than one activation and auto-learning configuration when you
commit the changes, then the activation and auto-learning changes are consolidated and the behavior
may change (see Table 46-3).

Table 46-3 Scenarios for Activation and Auto-learning Configurations in Distributed Mode

Scenario: A and B exist in the configuration database, activation is not done and devices C,D are
logged in.

Action 1. You activate the port security database and enable auto-learning.
    Distribution = OFF:
        configuration database = {A,B}
        active database = {A,B, C* [1], D*}
    Distribution = ON:
        configuration database = {A,B}
        active database = {null}
        pending database = {A,B + activation to be enabled}
Action 2. A new entry E is added to the configuration database.
    Distribution = OFF:
        configuration database = {A,B, E}
        active database = {A,B, C*, D*}
    Distribution = ON:
        configuration database = {A,B}
        active database = {null}
        pending database = {A,B, E + activation to be enabled}
Action 3. You issue a commit.
    Distribution = OFF:
        Not applicable
    Distribution = ON:
        configuration database = {A,B, E}
        active database = {A,B, E, C*, D*}
        pending database = empty

Scenario: A and B exist in the configuration database, activation is not done and devices C,D are
logged in.

Action 1. You activate the port security database and enable auto-learning.
    Distribution = OFF:
        configuration database = {A,B}
        active database = {A,B, C*, D*}
    Distribution = ON:
        configuration database = {A,B}
        active database = {null}
        pending database = {A,B + activation to be enabled}
Action 2. You disable learning.
    Distribution = OFF:
        configuration database = {A,B}
        active database = {A,B, C, D}
    Distribution = ON:
        configuration database = {A,B}
        active database = {null}
        pending database = {A,B + activation to be enabled + learning to be disabled}
Action 3. You issue a commit.
    Distribution = OFF:
        Not applicable
    Distribution = ON:
        configuration database = {A,B}
        active database = {A,B} and devices C and D are logged out. This is equal to an
        activation with auto-learning disabled.
        pending database = empty

[1] The * (asterisk) indicates learned entries.

Tip In this case, we recommend that you perform a commit at the end of each operation: after you activate
port security and after you enable auto-learning.
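The Python model below is an added example, not Cisco code: it replays the two scenarios of Table 46-3 to show how one commit consolidates pending activation and auto-learning changes. The class and method names are hypothetical, and the model covers only the database states that the table lists.

```python
class PortSecurityVsan:
    """Simplified model of one VSAN's port security databases (hypothetical names)."""

    def __init__(self, config, logged_in, distribution):
        self.config = set(config)        # configuration database
        self.active = {}                 # active database: entry -> "static" or "learned"
        self.logged_in = set(logged_in)  # devices currently logged in
        self.distribution = distribution
        self.pending = None              # pending database, used only with distribution ON

    def _stage(self):
        # The first change made with distribution ON creates the pending copy.
        if self.pending is None:
            self.pending = {"entries": set(self.config), "activate": False, "auto_learn": None}
        return self.pending

    def add_entry(self, entry):
        target = self._stage()["entries"] if self.distribution else self.config
        target.add(entry)

    def activate(self, auto_learn=True):
        if self.distribution:
            self._stage().update(activate=True, auto_learn=auto_learn)
        else:
            self._activate(auto_learn)

    def disable_learning(self):
        if self.distribution:
            self._stage()["auto_learn"] = False
        else:
            self._freeze_learned()

    def commit(self):
        if self.pending is None:
            return  # nothing staged (always the case with distribution OFF)
        staged, self.pending = self.pending, None
        self.config = staged["entries"]
        if staged["activate"]:
            # Consolidation: only the final auto-learning value is applied.
            self._activate(bool(staged["auto_learn"]))
        elif staged["auto_learn"] is False:
            self._freeze_learned()

    def _activate(self, auto_learn):
        self.active = {entry: "static" for entry in self.config}
        if auto_learn:
            for device in self.logged_in - self.config:
                self.active[device] = "learned"
        else:
            # Logged-in devices missing from the active database are logged out.
            self.logged_in &= set(self.active)

    def _freeze_learned(self):
        # Disabling learning turns learned entries into static entries.
        self.active = {entry: "static" for entry in self.active}

    def active_view(self):
        """Active database as a sorted list, with * marking learned entries."""
        return sorted(e + ("*" if kind == "learned" else "") for e, kind in self.active.items())


def table_46_3():
    """Replay both scenarios of Table 46-3 with distribution OFF (False) and ON (True)."""
    results = {}
    for dist in (False, True):
        first = PortSecurityVsan({"A", "B"}, {"C", "D"}, dist)
        first.activate(auto_learn=True)
        first.add_entry("E")
        first.commit()
        second = PortSecurityVsan({"A", "B"}, {"C", "D"}, dist)
        second.activate(auto_learn=True)
        second.disable_learning()
        second.commit()
        results[dist] = (first.active_view(), second.active_view(), sorted(second.logged_in))
    return results


if __name__ == "__main__":
    for dist, outcome in table_46_3().items():
        print("distribution ON" if dist else "distribution OFF", outcome)
```

With distribution ON, the second scenario ends with C and D logged out because the single commit sees only "activate with learning disabled"; committing after each operation, as the Tip recommends, avoids that consolidation.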

Database Merge Guidelines


A database merge refers to a union of the configuration database and static (unlearned) entries in the
active database. See CFS Merge Support, page 13-9, for detailed concepts.
When merging the database between two fabrics, follow these guidelines:
Verify that the activation status and the auto-learning status are the same in both fabrics.
Verify that the combined number of configurations for each VSAN in both databases does not
exceed 2 K.

Caution If you do not follow these two conditions, the merge will fail. The next distribution will forcefully
synchronize the databases and the activation states in the fabric.

Database Interaction
This section includes the following topics:
Database Scenarios
Port Security Database Copy
Port Security Database Deletion

Port Security Database Cleanup

Database Scenarios
Figure 46-9 shows the status of the active database and the configuration database in various
port security configuration scenarios.
Figure 46-9 Port Security Database Scenarios
[Figure: contents of the config database and the active database on Switch 1 in each scenario. Panels: Configuring authorized ports; Activating the database; Learning entries (pwwn4/5 already logged in); Saving the configuration (copy running start); Copying active database to config database. Notes in the figure: Learned entries are saved in the active database. Learned entries are not saved in the startup configuration.]


Port Security Database Copy

Tip We recommend that you copy the active database to the config database after disabling auto-learning.
This action will ensure that the configuration database is in sync with the active database. If distribution
is enabled, this command creates a temporary copy (and consequently a fabric lock) of the configuration
database. If you lock the fabric, you need to commit the changes to the configuration databases in all the
switches.

To copy the active database to the configuration database, using Fabric Manager, follow these steps:

Step 1 Expand a Fabric, expand a VSAN and then select Port Security in the Logical Domains pane.
Step 2 Click the Actions tab. You see all the configuration databases.
Step 3 Select the appropriate configuration database and check the Copy Active to Config checkbox.
Step 4 Click the Apply Changes icon to save your changes.

To view the differences between the active database and the configuration database using Fabric
Manager, follow these steps:

Step 1 Expand a Fabric, expand a VSAN and then select Port Security in the Logical Domains pane.
You see the Port Security information in the Information pane.
Step 2 Click the Database Differences tab. You see all the configuration databases.
Step 3 Select the appropriate configuration database. Select the Active or Config option to compare the
differences between the selected database and the active or configuration database.
Step 4 Click the Apply Changes icon to save your changes.

Port Security Database Deletion

Tip If the distribution is enabled, the deletion creates a copy of the database. An explicit deletion is required
to actually delete the database.

To delete a port security database using Fabric Manager, follow these steps:

Step 1 Expand a Fabric, expand a VSAN and then select Port Security in the Logical Domains pane.
You see the Port Security information in the Information pane.
Step 2 Click the Config Database tab. You see all the configuration databases.
Step 3 Select the appropriate configuration database and click the Delete Row button.
Step 4 Click Yes if you want to delete the configuration database.


Port Security Database Cleanup


To clear all existing statistics from the port security database for a specified VSAN using Fabric
Manager, follow these steps:

Step 1 Expand a Fabric, expand a VSAN and then select Port Security in the Logical Domains pane.
You see the Port Security information in the Information pane (see Figure 46-8).
Step 2 Click the Statistics tab.
You see all the configuration databases.
Step 3 Select the appropriate configuration database and check the Clear option.
Step 4 Click the Apply Changes icon to save your changes.

To clear any learned entries in the active database for a specified interface within a VSAN using Fabric
Manager, follow these steps:

Step 1 Expand a Fabric, expand a VSAN and then select Port Security in the Logical Domains pane.
You see the Port Security information in the Information pane.
Step 2 Select the Actions tab. You see all the configuration databases.
Step 3 Select the appropriate configuration database and check the AutoLearn option.
Step 4 Click the Apply Changes icon to save your changes.

Note You can clear the Statistics and the AutoLearn option only for switches that are local and do not acquire
locks. Also, learned entries are only local to the switch and do not participate in distribution.

Default Settings
Table 46-5 lists the default settings for all port security features in any switch.

Table 46-5 Default Security Settings

Parameters       Default
Auto-learn       Enabled if port security is enabled.
Port security    Disabled.
Distribution     Disabled.
                 Note: Enabling distribution enables it on all VSANs in the switch.


CHAPTER 47
Configuring Fabric Binding

This chapter describes the fabric binding feature provided in the Cisco MDS 9000 Family of directors
and switches. It includes the following sections:
About Fabric Binding
Fabric Binding Configuration
Default Settings

About Fabric Binding


The fabric binding feature ensures ISLs are only enabled between specified switches in the fabric
binding configuration. Fabric binding is configured on a per-VSAN basis.
This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric
operations. It uses the Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of
authorized switches is identical in all switches in the fabric.
This section has the following topics:
Licensing Requirements
Port Security Versus Fabric Binding
Fabric Binding Enforcement

Licensing Requirements
Fabric binding requires that you install either the MAINFRAME_PKG license or the
ENTERPRISE_PKG license on your switch.
See Chapter 10, Obtaining and Installing Licenses, for more information on license feature support
and installation.

Port Security Versus Fabric Binding


Port security and fabric binding are two independent features that can be configured to complement each
other. Table 47-1 compares the two features.


Table 47-1 Fabric Binding and Port Security Comparison

Fabric Binding: Uses a set of sWWNs and a persistent domain ID.
Port Security: Uses pWWNs/nWWNs or fWWNs/sWWNs.

Fabric Binding: Binds the fabric at the switch level.
Port Security: Binds devices at the interface level.

Fabric Binding: Authorizes only the configured sWWN stored in the fabric binding database to participate in the fabric.
Port Security: Allows a preconfigured set of Fibre Channel devices to logically connect to SAN ports. The switch port, identified by a WWN or interface number, connects to a Fibre Channel device (a host or another switch), also identified by a WWN. By binding these two devices, you lock these two ports into a group (or list).

Fabric Binding: Requires activation on a per VSAN basis.
Port Security: Requires activation on a per VSAN basis.

Fabric Binding: Allows specific user-defined switches that are allowed to connect to the fabric, regardless of the physical port to which the peer switch is connected.
Port Security: Allows specific user-defined physical ports to which another device can connect.

Fabric Binding: Does not learn about switches that are logging in.
Port Security: Learns about switches or devices that are logging in if learning mode is enabled.

Fabric Binding: Cannot be distributed by CFS and must be configured manually on each switch in the fabric.
Port Security: Can be distributed by CFS.

Port-level checking for xE ports is as follows:


The switch login uses both port security binding and fabric binding for a given VSAN.
Binding checks are performed on the port VSAN as follows:
E port security binding check on port VSAN
TE port security binding check on each allowed VSAN
While port security complements fabric binding, they are independent features and can be enabled or
disabled separately.

Fabric Binding Enforcement


To enforce fabric binding, configure the switch world wide name (sWWN) to specify the xE port
connection for each switch. Enforcement of fabric binding policies is done on every activation and
when the port tries to come up. In a FICON VSAN, the fabric binding feature requires all sWWNs
connected to a switch and their persistent domain IDs to be part of the fabric binding active database. In
a Fibre Channel VSAN, only the sWWN is required; the domain ID is optional.

Note All switches in a Fibre Channel VSAN using fabric binding must be running Cisco MDS SAN-OS
Release 3.0(1) and NX-OS 4.1(1b) or later.


Fabric Binding Configuration


To configure fabric binding in each switch in the fabric, follow these steps:

Step 1 Enable the fabric configuration feature.


Step 2 Configure a list of sWWNs and their corresponding domain IDs for devices that are allowed to access
the fabric.
Step 3 Activate the fabric binding database.
Step 4 Copy the fabric binding active database to the fabric binding config database.
Step 5 Save the fabric binding configuration.
Step 6 Verify the fabric binding configuration.

Enabling Fabric Binding


The fabric binding feature must be enabled in each switch in the fabric that participates in the fabric
binding. By default, this feature is disabled in all switches in the Cisco MDS 9000 Family. The
configuration and verification commands for the fabric binding feature are only available when fabric
binding is enabled on a switch. When you disable this configuration, all related configurations are
automatically discarded.
To enable fabric binding on any participating switch, follow these steps:

Step 1  Command: switch# config t
        Purpose: Enters configuration mode.
Step 2  Command: switch(config)# feature fabric-binding
        Purpose: Enables fabric binding on that switch.
        Command: switch(config)# no feature fabric-binding
        Purpose: Disables (default) fabric binding on that switch.

View the status of the fabric binding feature of a fabric binding-enabled switch by issuing the show
fabric-binding status command.
switch# show fabric-binding status
VSAN 1:Activated database
VSAN 4:No Active database

Configuring Switch WWN List


A user-specified fabric binding list contains a list of switch WWNs (sWWNs) within a fabric. If an
sWWN attempts to join the fabric, and that sWWN is not on the list or the sWWN is using a domain ID
that differs from the one specified in the allowed list, the ISL between the switch and the fabric is
automatically isolated in that VSAN and the switch is denied entry into the fabric.
The persistent domain ID can be specified along with the sWWN. Domain ID authorization is required
in FICON VSANs where the domains are statically configured and the end devices reject a domain ID
change in all switches in the fabric. Domain ID authorization is not required in Fibre Channel VSANs.


To configure a list of sWWNs and domain IDs for a FICON VSAN, follow these steps:

Step 1  Command: switch# config t
                 switch(config)#
        Purpose: Enters configuration mode.
Step 2  Command: switch(config)# fabric-binding database vsan 5
                 switch(config-fabric-binding)#
        Purpose: Enters the fabric binding submode for the specified VSAN.
        Command: switch(config)# no fabric-binding database vsan 5
        Purpose: Deletes the fabric binding database for the specified VSAN.
Step 3  Command: switch(config-fabric-binding)# swwn 21:00:05:30:23:11:11:11 domain 102
        Purpose: Adds the sWWN and domain ID of a switch to the configured database list.
        Command: switch(config-fabric-binding)# swwn 21:00:05:30:23:1a:11:03 domain 101
        Purpose: Adds the sWWN and domain ID of another switch to the configured database list.
        Command: switch(config-fabric-binding)# no swwn 21:00:15:30:23:1a:11:03 domain 101
        Purpose: Deletes the sWWN and domain ID of a switch from the configured database list.
Step 4  Command: switch(config-fabric-binding)# exit
                 switch(config)#
        Purpose: Exits the fabric binding submode.

To configure a list of sWWNs and optional domain IDs for a Fibre Channel VSAN, follow these steps:

Step 1  Command: switch# config t
                 switch(config)#
        Purpose: Enters configuration mode.
Step 2  Command: switch(config)# fabric-binding database vsan 10
                 switch(config-fabric-binding)#
        Purpose: Enters the fabric binding submode for the specified VSAN.
        Command: switch(config)# no fabric-binding database vsan 10
        Purpose: Deletes the fabric binding database for the specified VSAN.
Step 3  Command: switch(config-fabric-binding)# swwn 21:00:05:30:23:11:11:11
        Purpose: Adds the sWWN of a switch for all domains to the configured database list.
        Command: switch(config-fabric-binding)# no swwn 21:00:05:30:23:11:11:11
        Purpose: Deletes the sWWN of a switch for all domains from the configured database list.
        Command: switch(config-fabric-binding)# swwn 21:00:05:30:23:1a:11:03 domain 101
        Purpose: Adds the sWWN of another switch for a specific domain ID to the configured database list.
        Command: switch(config-fabric-binding)# no swwn 21:00:15:30:23:1a:11:03 domain 101
        Purpose: Deletes the sWWN and domain ID of a switch from the configured database list.
Step 4  Command: switch(config-fabric-binding)# exit
                 switch(config)#
        Purpose: Exits the fabric binding submode.

Fabric Binding Activation


The fabric binding feature maintains a configuration database (config-database) and an active database.
The config-database is a read-write database that collects the configurations you perform. These
configurations are only enforced upon activation. This activation overwrites the active database with the
contents of the config-database. The active database is read-only and is the database that checks each
switch that attempts to log in.


By default, the fabric binding feature is not activated. You cannot activate the fabric binding database on
the switch if entries existing in the configured database conflict with the current state of the fabric. For
example, one of the already logged in switches may be denied login by the config-database. You can
choose to forcefully override these situations.

Note After activation, any already logged in switch that violates the current active database will be logged out,
and all switches that were previously denied login because of fabric binding restrictions are reinitialized.

To activate the fabric binding feature, follow these steps:

Step 1  Command: switch# config t
                 switch(config)#
        Purpose: Enters configuration mode.
Step 2  Command: switch(config)# fabric-binding activate vsan 10
        Purpose: Activates the fabric binding database for the specified VSAN.
        Command: switch(config)# no fabric-binding activate vsan 10
        Purpose: Deactivates the fabric binding database for the specified VSAN.

Forcing Fabric Binding Activation


If the database activation is rejected due to one or more conflicts listed in the previous section, you may
decide to proceed with the activation by using the force option.
To forcefully activate the fabric binding database, follow these steps:

Step 1  Command: switch# config t
                 switch(config)#
        Purpose: Enters configuration mode.
Step 2  Command: switch(config)# fabric-binding activate vsan 3 force
        Purpose: Activates the fabric binding database for the specified VSAN forcefully, even if the configuration is not acceptable.
        Command: switch(config)# no fabric-binding activate vsan 3 force
        Purpose: Reverts to the previously configured state or to the factory default (if no state is configured).

Saving Fabric Binding Configurations


When you save the fabric binding configuration, the config database is saved to the running
configuration.

Caution You cannot disable fabric binding in a FICON-enabled VSAN.

Use the fabric-binding database copy vsan command to copy from the active database to the
config database. If the configured database is empty, this command is not accepted.
switch# fabric-binding database copy vsan 1


Use the fabric-binding database diff active vsan command to view the differences between the
active database and the config database. This command can be used when resolving conflicts.
switch# fabric-binding database diff active vsan 1

Use the fabric-binding database diff config vsan command to obtain information on the
differences between the config database and the active database.
switch# fabric-binding database diff config vsan 1

Use the copy running-config startup-config command to save the running configuration to the
startup configuration so that the fabric binding config database is available after a reboot.
switch# copy running-config startup-config

Clearing the Fabric Binding Statistics


Use the clear fabric-binding statistics command to clear all existing statistics from the fabric binding
database for a specified VSAN.
switch# clear fabric-binding statistics vsan 1

Deleting the Fabric Binding Database


Use the no fabric-binding command in configuration mode to delete the configured database for a
specified VSAN.
switch(config)# no fabric-binding database vsan 10

Verifying Fabric Binding Configurations


Use the show commands to display all fabric binding information configured on this switch (see
Examples 47-1 to 47-9).

Example 47-1 Displays Configured Fabric Binding Database Information

switch# show fabric-binding database


--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
1 21:00:05:30:23:11:11:11 0x66(102)
1 21:00:05:30:23:1a:11:03 0x19(25)
1 20:00:00:05:30:00:2a:1e 0xea(234) [Local]
4 21:00:05:30:23:11:11:11 Any
4 21:00:05:30:23:1a:11:03 Any
4 20:00:00:05:30:00:2a:1e 0xea(234) [Local]
61 21:00:05:30:23:1a:11:03 0x19(25)
61 21:00:05:30:23:11:11:11 0x66(102)
61 20:00:00:05:30:00:2a:1e 0xea(234) [Local]
[Total 7 entries]


Example 47-2 Displays Active Fabric Binding Information

switch# show fabric-binding database active


--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
1 21:00:05:30:23:11:11:11 0x66(102)
1 21:00:05:30:23:1a:11:03 0x19(25)
1 20:00:00:05:30:00:2a:1e 0xea(234) [Local]
61 21:00:05:30:23:1a:11:03 0x19(25)
61 21:00:05:30:23:11:11:11 0x66(102)
61 20:00:00:05:30:00:2a:1e 0xef(239) [Local]

Example 47-3 Displays Configured VSAN-Specific Fabric Binding Information

switch# show fabric-binding database vsan 4


--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
4 21:00:05:30:23:11:11:11 Any
4 21:00:05:30:23:1a:11:03 Any
4 20:00:00:05:30:00:2a:1e 0xea(234) [Local]
[Total 2 entries]

Example 47-4 Displays Active VSAN-Specific Fabric Binding Information

switch# show fabric-binding database active vsan 61


--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
61 21:00:05:30:23:1a:11:03 0x19(25)
61 21:00:05:30:23:11:11:11 0x66(102)
61 20:00:00:05:30:00:2a:1e 0xef(239) [Local]
[Total 3 entries]

Example 47-5 Displays Fabric Binding Statistics

switch# show fabric-binding statistics


Statistics For VSAN: 1
------------------------
Number of sWWN permit: 0
Number of sWWN deny : 0

Total Logins permitted : 0


Total Logins denied : 0
Statistics For VSAN: 4
------------------------
Number of sWWN permit: 0
Number of sWWN deny : 0

Total Logins permitted : 0


Total Logins denied : 0
Statistics For VSAN: 61
------------------------
Number of sWWN permit: 0
Number of sWWN deny : 0

Total Logins permitted : 0


Total Logins denied : 0


Statistics For VSAN: 345


------------------------
Number of sWWN permit: 0
Number of sWWN deny : 0

Total Logins permitted : 0


Total Logins denied : 0
Statistics For VSAN: 346
------------------------
Number of sWWN permit: 0
Number of sWWN deny : 0

Total Logins permitted : 0


Total Logins denied : 0
Statistics For VSAN: 347
------------------------
Number of sWWN permit: 0
Number of sWWN deny : 0

Total Logins permitted : 0


Total Logins denied : 0
Statistics For VSAN: 348
------------------------
Number of sWWN permit: 0
Number of sWWN deny : 0

Total Logins permitted : 0


Total Logins denied : 0
Statistics For VSAN: 789
------------------------
Number of sWWN permit: 0
Number of sWWN deny : 0

Total Logins permitted : 0


Total Logins denied : 0
Statistics For VSAN: 790
------------------------
Number of sWWN permit: 0
Number of sWWN deny : 0

Total Logins permitted : 0


Total Logins denied : 0

Example 47-6 Displays Fabric Binding Status for Each VSAN

switch# show fabric-binding status


VSAN 1 :Activated database
VSAN 4 :No Active database
VSAN 61 :Activated database
VSAN 345 :No Active database
VSAN 346 :No Active database
VSAN 347 :No Active database
VSAN 348 :No Active database
VSAN 789 :No Active database
VSAN 790 :No Active database

Example 47-7 Displays Fabric Binding Violations

switch# show fabric-binding violations


-------------------------------------------------------------------------------

VSAN Switch WWN [domain] Last-Time [Repeat count] Reason


-------------------------------------------------------------------------------
2 20:00:00:05:30:00:4a:1e [0xeb] Nov 25 05:46:14 2003 [2] Domain mismatch
3 20:00:00:05:30:00:4a:1e [*] Nov 25 05:44:58 2003 [2] sWWN not found
4 20:00:00:05:30:00:4a:1e [*] Nov 25 05:46:25 2003 [1] Database mismatch

Note In VSAN 3 the sWWN itself was not found in the list. In VSAN 2, the sWWN was found in the list, but
has a domain ID mismatch.
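The Python below is an added example, not Cisco code: it parses show fabric-binding database output, evaluates a switch login against the active database using the violation reasons shown in Example 47-7, and lists where the config and active databases differ. The sample text is trimmed from Examples 47-1 and 47-2, the function names are hypothetical, and treating a VSAN with no active entries as not enforced is an assumption based on the statement that configurations are only enforced upon activation.

```python
import re

# Sample input trimmed from the show output in Examples 47-1 (config) and 47-2 (active).
CONFIG_OUTPUT = """\
--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
1      21:00:05:30:23:11:11:11   0x66(102)
1      21:00:05:30:23:1a:11:03   0x19(25)
4      21:00:05:30:23:11:11:11   Any
61     20:00:00:05:30:00:2a:1e   0xea(234) [Local]
"""
ACTIVE_OUTPUT = """\
1      21:00:05:30:23:11:11:11   0x66(102)
1      21:00:05:30:23:1a:11:03   0x19(25)
61     20:00:00:05:30:00:2a:1e   0xef(239) [Local]
"""

# One database row: VSAN, sWWN, then either 0xNN(decimal) or the keyword Any.
ROW = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-f]{2}:){7}[0-9a-f]{2})\s+(?:0x[0-9a-f]+\((\d+)\)|Any)",
    re.IGNORECASE,
)


def parse_binding_db(text):
    """Return {(vsan, swwn): domain_id or None}; None means any domain ID is allowed."""
    db = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:  # header, separator and [Total ...] lines do not match
            vsan, swwn, domain = match.groups()
            db[(int(vsan), swwn.lower())] = int(domain) if domain else None
    return db


def check_login(active_db, vsan, swwn, domain):
    """Evaluate a logging-in switch against the active database for one VSAN."""
    if not any(entry_vsan == vsan for entry_vsan, _ in active_db):
        return "not enforced"  # assumption: no active database for this VSAN
    key = (vsan, swwn.lower())
    if key not in active_db:
        return "sWWN not found"
    allowed = active_db[key]
    if allowed is not None and allowed != domain:
        return "Domain mismatch"
    return "permit"


def diff_databases(config_db, active_db):
    """Return (vsan, swwn, config_value, active_value) for every differing entry."""
    differences = []
    for key in sorted(set(config_db) | set(active_db)):
        in_config = config_db.get(key, "absent")
        in_active = active_db.get(key, "absent")
        if in_config != in_active:
            differences.append((key[0], key[1], in_config, in_active))
    return differences


if __name__ == "__main__":
    config_db = parse_binding_db(CONFIG_OUTPUT)
    active_db = parse_binding_db(ACTIVE_OUTPUT)
    print(check_login(active_db, 1, "21:00:05:30:23:11:11:11", 102))
    print(check_login(active_db, 1, "20:00:00:05:30:00:4a:1e", 235))
    for row in diff_databases(config_db, active_db):
        print(row)
```

The diff surfaces the two kinds of drift visible in the page's own examples: VSAN 4 is configured but has no active database, and the local switch's domain ID in VSAN 61 differs between the two databases.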

Example 47-8 Displays EFMD Statistics

switch# show fabric-binding efmd statistics

EFMD Protocol Statistics for VSAN 1


----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts -> Transmitted : 0 , Received : 0
Merge Rejects -> Transmitted : 0 , Received : 0
Merge Busy -> Transmitted : 0 , Received : 0
Merge Errors -> Transmitted : 0 , Received : 0

EFMD Protocol Statistics for VSAN 4


----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts -> Transmitted : 0 , Received : 0
Merge Rejects -> Transmitted : 0 , Received : 0
Merge Busy -> Transmitted : 0 , Received : 0
Merge Errors -> Transmitted : 0 , Received : 0

EFMD Protocol Statistics for VSAN 61


----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts -> Transmitted : 0 , Received : 0
Merge Rejects -> Transmitted : 0 , Received : 0
Merge Busy -> Transmitted : 0 , Received : 0
Merge Errors -> Transmitted : 0 , Received : 0

Example 47-9 Displays EFMD Statistics for a Specified VSAN

switch# show fabric-binding efmd statistics vsan 4

EFMD Protocol Statistics for VSAN 4


----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts -> Transmitted : 0 , Received : 0
Merge Rejects -> Transmitted : 0 , Received : 0
Merge Busy -> Transmitted : 0 , Received : 0
Merge Errors -> Transmitted : 0 , Received : 0

Default Settings
Table 47-2 lists the default settings for the fabric binding feature.


Table 47-2 Default Fabric Binding Settings

Parameters        Default
Fabric binding    Disabled.


PART 6

IP Services

CHAPTER 48
Configuring FCIP

Cisco MDS 9000 Family IP storage (IPS) services extend the reach of Fibre Channel SANs by using
open-standard, IP-based technology. The switch can connect separated SAN islands using Fibre Channel
over IP (FCIP).

Note FCIP is specific to the IPS module and is available in Cisco MDS 9200 Switches or Cisco MDS 9500
Directors.

The Cisco MDS 9216I switch and the 14/2 Multiprotocol Services (MPS-14/2) module also allow you
to use Fibre Channel, FCIP, and iSCSI features. The MPS-14/2 module is available for use in any switch
in the Cisco MDS 9200 Series or Cisco MDS 9500 Series.

Note For information on configuring Gigabit Ethernet interfaces, see Chapter 53, Configuring IPv4 for
Gigabit Ethernet Interfaces.

This chapter includes the following sections:


About FCIP
Configuring FCIP
Using the FCIP Wizard
Default Settings

About FCIP
The Fibre Channel over IP Protocol (FCIP) is a tunneling protocol that connects geographically
distributed Fibre Channel storage area networks (SAN islands) transparently over IP local area networks
(LANs), metropolitan area networks (MANs), and wide area networks (WANs). See Figure 48-1.


Figure 48-1 Fibre Channel SANs Connected by FCIP

[Figure labels: Switch 1, Switch 2, Switch 3, Switch 4; two Fibre Channel fabrics; two IP routers; WAN; Virtual (E)ISL]

FCIP uses TCP as a network layer transport. The DF bit is set in the TCP header.

Note For more information about FCIP protocols, refer to the IETF standards for IP storage at
http://www.ietf.org. Also refer to Fibre Channel standards for switch backbone connection at
http://www.t11.org (see FC-BB-2).

This section includes the following topics:


FCIP Concepts
FCIP High-Availability Solutions
Ethernet PortChannels and Fibre Channel PortChannels

FCIP Concepts
To configure IPS modules or MPS-14/2 modules for FCIP, you should have a basic understanding of the
following concepts:
FCIP and VE Ports
FCIP Links
FCIP Profiles
FCIP Interfaces

FCIP and VE Ports


Figure 48-2 describes the internal model of FCIP with respect to Fibre Channel Inter-Switch Links
(ISLs) and Cisco's extended ISLs (EISLs).
FCIP virtual E (VE) ports behave exactly like standard Fibre Channel E ports, except that the transport
in this case is FCIP instead of Fibre Channel. The only requirement is for the other end of the VE port
to be another VE port.
A virtual ISL is established over an FCIP link and transports Fibre Channel traffic. Each associated
virtual ISL looks like a Fibre Channel ISL with either an E port or a TE port at each end (see
Figure 48-2).


Figure 48-2 FCIP Links and Virtual ISLs

[Figure labels: Switch A, Switch B, Switch C; FC devices attached to F ports; E ports; VE and GE ports; IP; FCIP link; Virtual ISL]
See the Configuring E Ports section on page 48-28.

FCIP Links
FCIP links consist of one or more TCP connections between two FCIP link endpoints. Each link carries
encapsulated Fibre Channel frames.
When the FCIP link comes up, the VE ports at both ends of the FCIP link create a virtual Fibre Channel
(E)ISL and initiate the E port protocol to bring up the (E)ISL.
By default, the FCIP feature on any Cisco MDS 9000 Family switch creates two TCP connections for
each FCIP link:
One connection is used for data frames.
The other connection is used only for Fibre Channel control frames, that is, switch-to-switch
protocol frames (all Class F). This arrangement provides low latency for all control frames.
To enable FCIP on the IPS module or MPS-14/2 module, an FCIP profile and FCIP interface (interface
FCIP) must be configured.
The FCIP link is established between two peers; the VE port initialization behavior is identical to that of a
normal E port. This behavior is independent of the link being FCIP or pure Fibre Channel, and is based
on the E port discovery process (ELP, ESC).
Once the FCIP link is established, the VE port behavior is identical to E port behavior for all inter-switch
communication (including domain management, zones, and VSANs). At the Fibre Channel layer, all VE
and E port operations are identical.


FCIP Profiles
The FCIP profile contains information about the local IP address and TCP parameters. The profile
defines the following information:
The local connection points (IP address and TCP port number)
The behavior of the underlying TCP connections for all FCIP links that use this profile
The FCIP profile's local IP address determines the Gigabit Ethernet port where the FCIP links terminate
(see Figure 48-3).

Figure 48-3 FCIP Profile and FCIP Links
[Figure labels: Switch 1, Switch 2, Switch 4; Gigabit Ethernet; FCIP interfaces; FCIP profile; IP network; FCIP link 1, FCIP link 3]

FCIP Interfaces
The FCIP interface is the local endpoint of the FCIP link and a VE port interface. All the FCIP and E
port parameters are configured in the context of the FCIP interface.
The FCIP parameters consist of the following:
The FCIP profile determines which Gigabit Ethernet port initiates the FCIP links and defines the
TCP connection behavior.
Peer information.
Number of TCP connections for the FCIP link.
E port parameters: trunking mode and trunk allowed VSAN list.

FCIP High-Availability Solutions


The following high-availability solutions are available for FCIP configurations:
Fibre Channel PortChannels
FSPF
VRRP
Ethernet PortChannels


Fibre Channel PortChannels


Figure 48-4 provides an example of a PortChannel-based load-balancing configuration. To perform this
configuration, you need two IP addresses on each SAN island. This solution addresses link failures.

Figure 48-4 PortChannel-Based Load Balancing
[Figure labels: FC fabric (two); Ethernet switch; IP network; FCIP link (two); PortChannel of two FCIP links]

The following characteristics set Fibre Channel PortChannel solutions apart from other solutions:
The entire bundle is one logical (E)ISL link.
All FCIP links in the PortChannel should be across the same two switches.
The Fibre Channel traffic is load balanced across the FCIP links in the PortChannel.

FSPF
Figure 48-5 displays an FSPF-based load balancing configuration example. This configuration requires
two IP addresses on each SAN island, and addresses IP and FCIP link failures.

Figure 48-5 FSPF-Based Load Balancing
[Figure labels: FC fabric (two); IP network; FCIP link (two); PortChannel of two FCIP tunnels]

The following characteristics set FSPF solutions apart from other solutions:
Each FCIP link is a separate (E)ISL.
The FCIP links can connect to different switches across two SAN islands.
The Fibre Channel traffic is load balanced across the FCIP link.


VRRP
Figure 48-6 displays a Virtual Router Redundancy Protocol (VRRP)-based high availability FCIP
configuration example. This configuration requires at least two physical Gigabit Ethernet ports
connected to the Ethernet switch on the island where you need to implement high availability using
VRRP.

Figure 48-6 VRRP-Based High Availability
[Figure labels: FC fabric (two); IP network; FCIP link; IP interfaces are in VRRP group]

The following characteristics set VRRP solutions apart from other solutions:
If the active VRRP port fails, the standby VRRP port takes over the VRRP IP address.
When the VRRP switchover happens, the FCIP link automatically disconnects and reconnects.
This configuration has only one FCIP (E)ISL link.

Ethernet PortChannels
Figure 48-7 displays an Ethernet PortChannel-based high-availability FCIP example. This solution
addresses the problem caused by individual Gigabit Ethernet link failures.

Figure 48-7 Ethernet PortChannel-Based High Availability
[Figure labels: FC fabric (two); IP network; FCIP link; Ethernet ports are in PortChannel]

The following characteristics set Ethernet PortChannel solutions apart from other solutions:
The Gigabit Ethernet link level redundancy ensures a transparent failover if one of the Gigabit
Ethernet links fails.
Two Gigabit Ethernet ports in one Ethernet PortChannel appear like one logical Gigabit Ethernet
link.

The FCIP link stays up during the failover.

Ethernet PortChannels and Fibre Channel PortChannels


Ethernet PortChannels offer link redundancy between the Cisco MDS 9000 Family switch's Gigabit
Ethernet ports and the connecting Ethernet switch. Fibre Channel PortChannels also offer (E)ISL link
redundancy between Fibre Channel switches. FCIP is an (E)ISL link and is only applicable for a Fibre
Channel PortChannel. Beneath the FCIP level, an FCIP link can run on top of an Ethernet PortChannel
or on one Gigabit Ethernet port. This link is totally transparent to the Fibre Channel layer.
An Ethernet PortChannel restriction only allows two contiguous IPS ports, such as ports 1-2 or 3-4, to
be combined in one Ethernet PortChannel (see the "Configuring Gigabit Ethernet High Availability"
section on page 52-8). This restriction only applies to Ethernet PortChannels. The Fibre Channel
PortChannel (of which an FCIP link can be a part) does not have a restriction on which (E)ISL links can
be combined in a Fibre Channel PortChannel as long as it passes the compatibility check (see the
"Compatibility Check" section on page 23-17). The maximum number of Fibre Channel ports that can
be put into a Fibre Channel PortChannel is 16 (see Figure 48-8).

Figure 48-8 PortChannels at the Fibre Channel and Ethernet Levels
[Figure labels, top to bottom: Fibre Channel PortChannel; Fibre Channel; FCIP; TCP; IP; Ethernet; Ethernet PortChannel; Gigabit Ethernet link]

To configure Fibre Channel PortChannels, see Chapter 23, Configuring PortChannels. To configure
Ethernet PortChannels, see the Configuring High Availability section on page 17-1.

Configuring FCIP
This section describes how to configure FCIP and includes the following topics:
Enabling FCIP
Basic FCIP Configuration
Verifying Interfaces and Extended Link Protocol
Checking Trunk Status
Advanced FCIP Profile Configuration
Advanced FCIP Interface Configuration
Configuring E Ports
Advanced FCIP Features

Enabling FCIP
To begin configuring the FCIP feature, you must explicitly enable FCIP on the required switches in the
fabric. By default, this feature is disabled in all switches in the Cisco MDS 9000 Family.
The configuration and verification operations for the FCIP feature are only available when FCIP is
enabled on a switch. When you disable this feature, all related configurations are automatically
discarded.
To use the FCIP feature, you need to obtain the SAN extension over IP package license
(SAN_EXTN_OVER_IP or SAN_EXTN_OVER_IP_IPS4) (see Chapter 10, Obtaining and Installing
Licenses).

Using the FCIP Wizard


Note In Cisco MDS SAN-OS Release 2.0 and later NX-OS, there is an additional login prompt to log into a
switch that is not a part of your existing fabric.

To create and manage FCIP links with Fabric Manager, use the FCIP Wizard. Make sure that the IP
services module is inserted in the required Cisco MDS 9000 Family switch and that the Gigabit Ethernet
interfaces on these switches are connected, and then verify the connectivity. The procedures for
creating FCIP links using the FCIP Wizard are as follows:
Select the endpoints.
Choose the interfaces' IP addresses.
Specify link attributes.
Optionally enable FCIP write acceleration or FCIP compression.
To create FCIP links using the FCIP Wizard, follow these steps:

Step 1 Click the FCIP Wizard icon in the Fabric Manager toolbar. See Figure 48-9.


Figure 48-9 FCIP Wizard

You see the switch selections as shown in Figure 48-10.

Figure 48-10 Switch Selections

Step 2 Choose the switches that act as endpoints for the FCIP link and click Next.
Step 3 Choose the Gigabit Ethernet ports on each switch that will form the FCIP link.
Step 4 If both Gigabit Ethernet ports are part of MPS-14/2 modules, check the Enforce IPSEC Security check
box and set the IKE Auth Key, as shown in Figure 48-11. See the IPsec and IKE Terminology section
on page 44-5 for information on IPsec and IKE.
Check the Use Large MTU Size (Jumbo Frames) option to use jumbo size frames of 2300. Since Fibre
Channel frames are 2112, we recommend that you use this option. If you uncheck the box, the FCIP
Wizard does not set the MTU size, and the default value of 1500 is set.

Note In Cisco MDS 9000 SAN-OS, Release 3.0(3), by default the Use Large MTU Size (Jumbo
Frames) option is not selected.


Figure 48-11 Enabling IPsec on an FCIP link

Step 5 Click Next. You see the IP Address/Route input screen.


Step 6 Select Add IP Route if you want to add an IP route; otherwise, leave the defaults. See Figure 48-12.


Figure 48-12 Specify IP Address/Route

Step 7 Click Next. You see the TCP connection characteristics.


Step 8 Set the minimum and maximum bandwidth settings and round-trip time for the TCP connections on this
FCIP link, as shown in Figure 48-13. You can measure the round-trip time between the Gigabit Ethernet
endpoints by clicking the Measure button.


Figure 48-13 Specifying Tunnel Properties

Step 9 Check the Write Acceleration check box to enable FCIP write acceleration on this FCIP link.
See the FCIP Write Acceleration section on page 48-29.
Step 10 Check the Enable Optimum Compression check box to enable IP compression on this FCIP link.
See the FCIP Compression section on page 48-37.
Step 11 Click Next.
Step 12 Set the Port VSAN and click the Trunk Mode radio button for this FCIP link (see Figure 48-14).

Note If FICON is enabled/FICON VSAN is present on both the switches, Figure 48-26 is
displayed; otherwise, Figure 48-25 is displayed.


Figure 48-14 Create FCIP ISL

Figure 48-15 Enter FICON Port Address


Figure 48-16 Create FCIP ISL

Figure 48-17 Enter FICON Port Address


Step 13 Click Finish to create this FCIP link.

Basic FCIP Configuration


Once you have created FCIP links using the FCIP wizard, you may need to modify parameters for these
links. This includes modifying the FCIP profiles as well as the FCIP link parameters. Each Gigabit
Ethernet interface can have three active FCIP links at one time.
To configure an FCIP link, follow these steps on both switches:

Step 1 Configure the Gigabit Ethernet interface.


Step 2 Create an FCIP profile, and then assign the Gigabit Ethernet interface's IP address to the profile.
Step 3 Create an FCIP interface, and then assign the profile to the interface.
Step 4 Configure the peer IP address for the FCIP interface.
Step 5 Enable the interface.

Creating FCIP Profiles


You must assign a local IP address of a Gigabit Ethernet interface or subinterface to the FCIP profile to
create an FCIP profile. You can assign IPv4 or IPv6 addresses to the interfaces. Figure 48-18 shows an
example configuration.

Figure 48-18 Assigning Profiles to Each Gigabit Ethernet Interface
[Figure labels: Switch 1 and Switch 2, each behind an IP router on the IP network.
Switch 1: IP address of Gigabit Ethernet interface 3/1 = 10.100.1.25.
Switch 2: IP address of Gigabit Ethernet interface 3/1 = 10.1.1.1.]

To create an FCIP profile in switch 1, follow these steps:

Step 1 Verify that you are connected to a switch that contains an IPS module.
Step 2 From Fabric Manager, choose Switches > ISLs > FCIP in the Physical Attributes pane. From Device
Manager, choose FCIP from the IP menu.
Step 3 Click the Create Row button in Fabric Manager or the Create button on Device Manager to add a new
profile.
Step 4 Enter the profile ID in the ProfileId field.
Step 5 Enter the IP address of the interface to which you want to bind the profile.


Step 6 Modify the optional TCP parameters, if desired. Refer to Fabric Manager Online Help for explanations
of these fields.
Step 7 (Optional) Click the Tunnels tab and modify the remote IP address in the Remote IPAddress field for
the endpoint to which you want to link.
Step 8 Enter the optional parameters, if desired. See the Cisco MDS 9000 Family CLI Configuration Guide for
information on displaying FCIP profile information.
Step 9 Click the Apply Changes icon to save these changes.

Creating FCIP Links


When two FCIP link endpoints are created, an FCIP link is established between the two IPS modules or
MPS-14/2 modules. To create an FCIP link, assign a profile to the FCIP interface and configure the peer
information. The peer IP switch information initiates (creates) an FCIP link to that peer switch (see
Figure 48-19).

Figure 48-19 Assigning Profiles to Each Gigabit Ethernet Interface
[Figure labels: FCIP link and virtual (E)ISL between Switch 1 and Switch 2, each behind an IP router on the IP network.
Switch 1 endpoint: Interface FCIP = 51, Profile = 10, Connecting switch (peer) = 10.1.1.1, IP address of Gigabit Ethernet interface 3/1 = 10.100.1.25.
Switch 2 endpoint: Interface FCIP = 52, Profile = 20, Connecting switch (peer) = 10.100.1.25, IP address of Gigabit Ethernet interface 3/1 = 10.1.1.1.]

Verifying Interfaces and Extended Link Protocol


To verify the FCIP interfaces and Extended Link Protocol (ELP) on Device Manager, follow these steps:

Step 1 Make sure you are connected to a switch that contains an IPS module.
Step 2 Select FCIP from the Interface menu.
Step 3 Click the Interfaces tab if it is not already selected. You see the FCIP Interfaces dialog box.


Step 4 Click the ELP tab if it is not already selected. You see the FCIP ELP dialog box.

Checking Trunk Status


To check the trunk status for the FCIP interface on Device Manager, follow these steps:

Step 1 Make sure you are connected to a switch that contains an IPS module.
Step 2 Select FCIP from the IP menu.
Step 3 Click the Trunk Config tab if it is not already selected. You see the FCIP Trunk Config dialog box. This
shows the status of the interface.
Step 4 Click the Trunk Failures tab if it is not already selected. You see the FCIP Trunk Failures dialog box.

Launching Cisco Transport Controller


Cisco Transport Controller (CTC) is a task-oriented tool used to install, provision, and maintain network
elements. It is also used to troubleshoot and repair NE faults.
To launch CTC using Fabric Manager, follow these steps:

Step 1 Right-click an ISL carrying optical traffic in the fabric.


Step 2 Click Element Manager.
Step 3 Enter the URL for the Cisco Transport Controller.
Step 4 Click OK.


Advanced FCIP Profile Configuration


A basic FCIP configuration uses the local IP address to configure the FCIP profile. In addition to the
local IP address and the local port, you can specify other TCP parameters as part of the FCIP profile
configuration.


Configuring TCP Parameters


You can control TCP behavior in a switch by configuring the following TCP parameters.

Note When FCIP is sent over a WAN link, the default TCP settings may not be appropriate. In such cases, we
recommend that you tune the FCIP WAN link by modifying the TCP parameters (specifically bandwidth,
round-trip times, and CWM burst size).

This section includes the following topics:


Minimum Retransmit Timeout
Keepalive Timeout
Maximum Retransmissions
Path MTUs
Selective Acknowledgments
Window Management
Monitoring Congestion
Estimating Maximum Jitter
Buffer Size

Minimum Retransmit Timeout

You can control the minimum amount of time TCP waits before retransmitting. By default, this value is
200 milliseconds (msec).

Keepalive Timeout

You can configure the interval that the TCP connection uses to verify that the FCIP link is functioning.
This ensures that an FCIP link failure is detected quickly even when there is no traffic.
If the TCP connection is idle for more than the specified time, then keepalive timeout packets are sent
to ensure that the connection is active. The keepalive timeout feature can be used to tune the time taken
to detect FCIP link failures.
You can configure the first interval during which the connection is idle (the default is 60 seconds). When
the connection is idle for the configured interval, eight keepalive probes are sent at 1-second intervals.
If no response is received for these eight probes and the connection remains idle throughout, that FCIP
link is automatically closed.

Note Only the first interval (during which the connection is idle) can be changed.

Maximum Retransmissions

You can specify the maximum number of times a packet is retransmitted before TCP decides to close the
connection.


Path MTUs

Path MTU (PMTU) is the minimum MTU on the IP network between the two endpoints of the FCIP link.
PMTU discovery is a mechanism by which TCP learns of the PMTU dynamically and adjusts the
maximum TCP segment accordingly (RFC 1191).
By default, PMTU discovery is enabled on all switches with a timeout of 3600 seconds. If TCP reduces
the size of the maximum segment because of PMTU change, the reset-timeout specifies the time after
which TCP tries the original MTU.

Selective Acknowledgments

TCP may experience poor performance when multiple packets are lost within one window. With the
limited information available from cumulative acknowledgments, a TCP sender can only learn about a
single lost packet per round trip. A selective acknowledgment (SACK) mechanism helps overcome the
limitations of multiple lost packets during a TCP transmission.
The receiving TCP sends back SACK advertisements to the sender. The sender can then retransmit only
the missing data segments. By default, SACK is enabled on Cisco MDS 9000 Family switches.

Window Management

The optimal TCP window size is automatically calculated using the maximum bandwidth parameter, the
minimum available bandwidth parameter, and the dynamically measured round trip time (RTT).

Note The configured round-trip-time parameter determines the window scaling factor of the TCP
connection. This parameter is only an approximation. The measured RTT value overrides the round trip
time parameter for window management. If the configured round-trip-time is too small compared to
the measured RTT, then the link may not be fully utilized due to the window scaling factor being too
small.

The min-available-bandwidth parameter and the measured RTT together determine the threshold below
which TCP aggressively maintains a window size sufficient to transmit at minimum available bandwidth.
The max-bandwidth-mbps parameter and the measured RTT together determine the maximum window
size.

Note Set the maximum bandwidth to match the worst-case bandwidth available on the physical link, keeping
in mind other traffic that might be going across this link (for example, other FCIP tunnels, WAN
limitations). In other words, maximum bandwidth should be the total bandwidth minus all other traffic
going across that link.
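
The following Python sketch is an added example, not Cisco code and not part of the original guide. It works through the window-management notes above: the window scale is fixed from the configured round-trip time, while the window TCP wants is max-bandwidth multiplied by the measured RTT. The RFC 1323 scaling rule, the rule for choosing the shift, and all function names are assumptions.

```python
"""Added example: TCP window sizing for an FCIP profile (not Cisco code).

Assumptions (not stated in the guide): RFC 1323 window scaling (16-bit
window field, shift 0..14) and a switch that picks the smallest shift
covering max-bandwidth x configured round-trip time.
"""
from dataclasses import dataclass

TCP_WINDOW_FIELD_MAX = 65535   # largest value of the 16-bit TCP window field
MAX_WINDOW_SHIFT = 14          # RFC 1323 upper bound on the scale shift


def bdp_bytes(bandwidth_mbps: int, rtt_us: int) -> int:
    """Bandwidth-delay product: Mbit/s x microseconds = bits; / 8 = bytes."""
    return bandwidth_mbps * rtt_us // 8


def window_shift_for(window_bytes: int) -> int:
    """Smallest scale shift whose largest advertisable window covers window_bytes."""
    shift = 0
    while shift < MAX_WINDOW_SHIFT and (TCP_WINDOW_FIELD_MAX << shift) < window_bytes:
        shift += 1
    return shift


@dataclass
class WindowPlan:
    shift: int               # scale factor derived from the configured RTT
    scaled_limit: int        # largest window that shift can advertise (bytes)
    max_window: int          # max-bandwidth x measured RTT (bytes)
    min_window: int          # min-available-bandwidth x measured RTT (bytes)
    effective_window: int    # what the connection can actually use (bytes)
    achievable_mbps: float   # throughput the effective window sustains
    fully_utilized: bool     # True when the scale does not cap the window


def plan_window(max_bw_mbps: int, min_bw_mbps: int,
                configured_rtt_us: int, measured_rtt_us: int) -> WindowPlan:
    # The scale factor is negotiated once, from the configured RTT estimate.
    shift = window_shift_for(bdp_bytes(max_bw_mbps, configured_rtt_us))
    scaled_limit = TCP_WINDOW_FIELD_MAX << shift
    # The window sizes themselves follow the measured RTT.
    max_window = bdp_bytes(max_bw_mbps, measured_rtt_us)
    min_window = bdp_bytes(min_bw_mbps, measured_rtt_us)
    effective = min(max_window, scaled_limit)
    achievable = effective * 8 / measured_rtt_us   # bits per microsecond = Mbit/s
    return WindowPlan(shift, scaled_limit, max_window, min_window,
                      effective, achievable, effective >= max_window)


if __name__ == "__main__":
    # Constructed sample: 1000 Mbit/s maximum, 500 Mbit/s minimum, 20 ms measured RTT.
    for configured_us in (1000, 5000, 20000):
        plan = plan_window(1000, 500, configured_us, 20000)
        print(f"configured RTT {configured_us:>6} us: shift={plan.shift} "
              f"window={plan.effective_window} B "
              f"throughput={plan.achievable_mbps:.1f} Mbit/s "
              f"fully utilized={plan.fully_utilized}")
```

With the constructed values, a configured RTT of 1 ms against a measured 20 ms leaves the window capped far below even the min-available-bandwidth window, which is the underutilization the Note describes.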

Monitoring Congestion

By enabling the congestion window monitoring (CWM) parameter, you allow TCP to monitor
congestion after each idle period. The CWM parameter also determines the maximum burst size allowed
after an idle period. By default, this parameter is enabled and the default burst size is 50 KB.
The interaction of bandwidth parameters and CWM and the resulting TCP behavior is outlined as
follows:
If the average rate of the Fibre Channel traffic over the preceding RTT is less than the
min-available-bandwidth multiplied by the RTT, the entire burst is sent immediately at the
min-available-bandwidth rate, provided no TCP drops occur.

If the average rate of the Fibre Channel traffic is greater than min-available-bandwidth multiplied
by the RTT, but less than max-bandwidth multiplied by the RTT, then if the Fibre Channel traffic is
transmitted in burst sizes smaller than the configured CWM value the entire burst is sent
immediately by FCIP at the max-bandwidth rate.
If the average rate of the Fibre Channel traffic is larger than the min-available-bandwidth multiplied
by the RTT and the burst size is greater than the CWM value, then only a part of the burst is sent
immediately. The remainder is sent with the next RTT.
The software uses standard TCP rules to increase the window beyond the one required to maintain the
min-available-bandwidth to reach the max-bandwidth.

Note The default burst size is 50 KB.

Tip We recommend that this feature remain enabled to realize optimal performance. Increasing the CWM
burst size can result in more packet drops in the IP network, impacting TCP performance. Try increasing
the CWM burst size beyond the default to achieve lower transmit latency only if the IP network has
sufficient buffering.

Estimating Maximum Jitter

Jitter is defined as a variation in the delay of received packets. At the sending side, packets are sent in a
continuous stream with the packets spaced evenly apart. Due to network congestion, improper queuing,
or configuration errors, this steady stream can become lumpy, or the delay between each packet can vary
instead of remaining constant.
You can configure the maximum estimated jitter in microseconds by the packet sender. The estimated
variation should not include network queuing delay. By default, this parameter is enabled in Cisco MDS
switches when IPS modules or MPS-14/2 modules are present.
The default value is 1000 microseconds for FCIP interfaces.

Buffer Size

You can define the required additional buffering, beyond the normal send window size, that TCP
allows before flow controlling the switch's egress path for the FCIP interface. The default FCIP buffer
size is 0 KB.

Note Use the default if the FCIP traffic is passing through a high throughput WAN link. If you have a
mismatch in speed between the Fibre Channel link and the WAN link, then time stamp errors occur in
the DMA bridge. In such a situation, you can avoid time stamp errors by increasing the buffer size.

Advanced FCIP Interface Configuration


This section describes the options you can configure on an FCIP interface to establish connection to a
peer and includes the following topics:
Configuring Peers
Active Connections
Number of TCP Connections
Time Stamp Control
FCIP B Port Interoperability Mode
Quality of Service
To establish a peer connection, you must first create the FCIP interface.

Configuring Peers
To establish an FCIP link with the peer, you can use one of two options:
Peer IP address: Configures both ends of the FCIP link. Optionally, you can also use the peer TCP
port along with the IP address.
Special frames: Configures one end of the FCIP link when security gateways are present in the IP
network. Optionally, you can also use the switch WWN (sWWN) and profile ID along with the IP
address.

Peer IP Address
The basic FCIP configuration uses the peer's IP address to configure the peer information. You can also
specify the peer's port number to configure the peer information. If you do not specify a port, the default
3225 port number is used to establish connection. You can specify an IPv4 address or an IPv6 address.
To assign the peer information based on the IPv4 address and port number using Fabric Manager, follow
these steps:

Step 1 Expand ISLs and select FCIP in the Physical Attributes pane.
You see the FCIP profiles and links in the Information pane.

From Device Manager, choose IP > FCIP.
You see the FCIP dialog box.
Step 2 Click the Tunnels tab. You see the FCIP link information.
Step 3 Click the Create Row icon in Fabric Manager or the Create button in Device Manager.
You see the FCIP Tunnels dialog box.
Step 4 Set the ProfileID and TunnelID fields.
Step 5 Set the RemoteIPAddress and RemoteTCPPort fields for the peer IP address you are configuring.
Step 6 Check the PassiveMode check box if you do not want this end of the link to initiate a TCP connection.
Step 7 (Optional) Set the NumTCPCon field to the number of TCP connections from this FCIP link.
Step 8 (Optional) Check the Enable check box in the Time Stamp section and set the Tolerance field.
Step 9 (Optional) Set the other fields in this dialog box and click Create to create this FCIP link.

To assign the peer information based on the IPv6 address and port number using Fabric Manager, follow
these steps:

Step 1 From Fabric Manager, choose ISLs > FCIP from the Physical Attributes pane.
You see the FCIP profiles and links in the Information pane.
From Device Manager, choose IP > FCIP. You see the FCIP dialog box.
Step 2 Click the Tunnels tab. You see the FCIP link information.
Step 3 Click the Create Row icon in Fabric Manager or the Create button in Device Manager.
You see the FCIP Tunnels dialog box.
Step 4 Set the ProfileID and TunnelID fields.
Step 5 Set the RemoteIPAddress and RemoteTCPPort fields for the peer IP address you are configuring.
Step 6 Check the PassiveMode check box if you do not want this end of the link to initiate a TCP connection.
Step 7 (Optional) Set the NumTCPCon field to the number of TCP connections from this FCIP link.
Step 8 (Optional) Check the Enable check box in the Time Stamp section and set the Tolerance field.
Step 9 (Optional) Set the other fields in this dialog box and click Create to create this FCIP link.


Special Frames

You can alternatively establish an FCIP link with a peer using an optional protocol called special frames.
When special frames are enabled, the peer IP address (and optionally the port or the profile ID) only
needs to be configured on one end of the link. Once the connection is established, a special frame is
exchanged to discover and authenticate the link.
By default, the special frame feature is disabled. You must enable special frames on the interfaces on
both peers to establish the FCIP link.

Note Refer to the Fibre Channel IP standards for further information on special frames.

Tip Special frame negotiation provides an additional authentication security mechanism because the link
validates the WWN of the peer switch.

To enable special frames using Fabric Manager, follow these steps:

Step 1 From Fabric Manager, choose ISLs > FCIP from the Physical Attributes pane.
You see the FCIP profiles and links in the Information pane.
From Device Manager, choose IP > FCIP. You see the FCIP dialog box.
Step 2 Click the Tunnels tab. You see the FCIP link information.
Step 3 Click the Create Row icon in Fabric Manager or the Create button in Device Manager.
You see the FCIP Tunnels dialog box.
Step 4 Set the ProfileID and TunnelID fields.
Step 5 Set the RemoteIPAddress and RemoteTCPPort fields for the peer IP address you are configuring.
Step 6 Check the PassiveMode check box if you do not want this end of the link to initiate a TCP connection.
Step 7 (Optional) Set the NumTCPCon field to the number of TCP connections from this FCIP link.
Step 8 Check the Enable check box in the Special Frames section of the dialog box and set the RemoteWWN
and the RemoteProfileID fields.
Step 9 (Optional) Set the other fields in this dialog box and click Create to create this FCIP link.


Active Connections
You can configure the required mode for initiating a TCP connection. By default, active mode is enabled
to actively attempt an IP connection. If you enable the passive mode, the switch does not initiate a TCP
connection but instead waits for the peer to connect to it.

Note Ensure that both ends of the FCIP link are not configured as passive mode. If both ends are configured
as passive, the connection is not initiated.

Number of TCP Connections


You can specify the number of TCP connections from an FCIP link. By default, the switch tries two (2)
TCP connections for each FCIP link. You can configure one or two TCP connections. For example, the
Cisco PA-FC-1G Fibre Channel port adapter, which has only one (1) TCP connection, interoperates with
any switch in the Cisco MDS 9000 Family. One TCP connection is within the specified limit. If the peer
initiates one TCP connection, and your MDS switch is configured for two TCP connections, then the
software handles it and proceeds with just one connection.

Time Stamp Control


You can instruct the switch to discard packets that are outside the specified time. When enabled, this
feature specifies the time range within which packets can be accepted. If the packet arrived within the
range specified by this option, the packet is accepted. Otherwise, it is dropped.
By default, time stamp control is disabled in all switches in the Cisco MDS 9000 Family. If a packet
arrives within a 2000 millisecond interval (+ or - 2000 msec) from the network time, that packet is
accepted.

Note The default value for packet acceptance is 2000 microseconds.


If the time-stamp option is enabled, be sure to configure NTP on both switches (see the NTP
Configuration section on page 12-4).

Tip Do not enable time stamp control on an FCIP interface that has tape acceleration or write acceleration
configured.

FCIP B Port Interoperability Mode


While E ports typically interconnect Fibre Channel switches, some SAN extender devices, such as
Cisco's PA-FC-1G Fibre Channel port adapter and the SN 5428-2 storage router, implement a bridge port
model to connect geographically dispersed fabrics. This model uses B port as described in the T11
Standard FC-BB-2. Figure 48-20 shows a typical SAN extension over an IP network.


Figure 48-20 FCIP B Port and Fibre Channel E Port

[Figure: two panels. E port panel labels: Switch A, Switch B, Switch C, F, E, GE, VE, IP, FCIP link, Virtual ISL. B port panel labels: Switch A, Switch B, Switch C, F, E, B, FC bridge, B access, IP, FCIP link, ISL, B access ISL.]

B ports bridge Fibre Channel traffic from a local E port to a remote E port without participating in
fabric-related activities such as principal switch election, domain ID assignment, and Fibre Channel
fabric shortest path first (FSPF) routing. For example, Class F traffic entering a SAN extender does not
interact with the B port. The traffic is transparently propagated (bridged) over a WAN interface before
exiting the remote B port. This bridge results in both E ports exchanging Class F information that
ultimately leads to normal ISL behavior such as fabric merging and routing.
FCIP links between B port SAN extenders do not exchange the same information as FCIP links between
E ports, and are therefore incompatible. This is reflected by the terminology used in FC-BB-2: while VE
ports establish a virtual ISL over an FCIP link, B ports use a B access ISL.


The IPS module and MPS-14/2 module support FCIP links that originate from a B port SAN extender
device by implementing the B access ISL protocol on a Gigabit Ethernet interface. Internally, the
corresponding virtual B port connects to a virtual E port that completes the end-to-end E port
connectivity requirement (see Figure 48-21).

Figure 48-21 FCIP Link Terminating in a B Port Mode

[Figure labels: Switch A, Switch B, Switch C, 7200 router, Fibre Channel port adapter (1G), FC bridge, F, E, B, VE, GE, B access, IP, FCIP link, FCIP interface, ISL, B access ISL.]

The B port feature in the IPS module and MPS-14/2 module allows remote B port SAN extenders to
communicate directly with a Cisco MDS 9000 Family switch, eliminating the need for local bridge
devices.

Configuring B Ports

When an FCIP peer is a SAN extender device that only supports Fibre Channel B ports, you need to
enable the B port mode for the FCIP link. When a B port is enabled, the E port functionality is also
enabled and they coexist. If the B port is disabled, the E port functionality remains enabled.
To enable B port mode using Fabric Manager, follow these steps:

Step 1 Choose ISLs > FCIP from the Physical Attributes pane.
You see the FCIP profiles and links in the Information pane.
From Device Manager, choose IP > FCIP. You see the FCIP dialog box.
Step 2 Click the Tunnels tab.
You see the FCIP link information.
Step 3 Click the Create Row icon in Fabric Manager or the Create button in Device Manager.

You see the FCIP Tunnels dialog box.
Step 4 Set the ProfileID and TunnelID fields.
Step 5 Set the RemoteIPAddress and RemoteTCPPort fields for the peer IP address you are configuring.
Step 6 Check the PassiveMode check box if you do not want this end of the link to initiate a TCP connection.
Step 7 (Optional) Set the NumTCPCon field to the number of TCP connections from this FCIP link.
Step 8 Check the Enable check box in the B Port section of the dialog box and optionally check the KeepAlive
check box if you want a response sent to an ELS Echo frame received from the FCIP peer.
Step 9 (Optional) Set the other fields in this dialog box and click Create to create this FCIP link.


Quality of Service
The quality of service (QoS) parameter specifies the differentiated services code point (DSCP) value to
mark all IP packets (the type of service, or TOS, field in the IP header).
The control DSCP value applies to all FCIP frames in the control TCP connection.
The data DSCP value applies to all FCIP frames in the data connection.
If the FCIP link has only one TCP connection, that data DSCP value is applied to all packets in that
connection.

Configuring E Ports
You can configure E ports in the same way you configure FCIP interfaces. The following features are
also available for FCIP interfaces:


• An FCIP interface can be a member of any VSAN (see Chapter 26, Configuring and Managing VSANs).
• Trunk mode and trunk allowed VSANs (see Chapter 24, Configuring Trunking).
• PortChannels (see Chapter 46, Configuring Port Security):
  • Multiple FCIP links can be bundled into a Fibre Channel PortChannel.
  • FCIP links and Fibre Channel links cannot be combined in one PortChannel.
• FSPF (see Chapter 32, Configuring Fibre Channel Routing Services and Protocols).
• Fibre Channel domains (fcdomains) (see Chapter 25, Configuring Domain Parameters).
• Importing and exporting the zone database from the adjacent switch (see Chapter 30, Configuring
  and Managing Zones).

Advanced FCIP Features


You can significantly improve application performance by configuring one or more of the following
options for the FCIP interface.
• FCIP Write Acceleration
• Configuring FCIP Write Acceleration
• FCIP Tape Acceleration
• Configuring FCIP Tape Acceleration
• FCIP Compression

FCIP Write Acceleration

The FCIP write acceleration feature enables you to significantly improve application write performance
when storage traffic is routed over wide area networks using FCIP. When FCIP write acceleration is
enabled, WAN throughput is maximized by minimizing the impact of WAN latency for write operations.

Note The write acceleration feature is disabled by default and must be enabled on both sides of the FCIP link.
If it is only enabled on one side of the FCIP tunnel the write acceleration feature will be turned
operationally off.

In Figure 48-22, the WRITE command without write acceleration requires two round trip transfers
(RTT), while the WRITE command with write acceleration only requires one RTT. The maximum sized
Transfer Ready is sent from the host side of the FCIP link back to the host before the WRITE command
reaches the target. This enables the host to start sending the write data without waiting for the long
latency over the FCIP link of the WRITE command and Transfer Ready. It also eliminates the delay
caused by multiple Transfer Readys needed for the exchange going over the FCIP link.


Figure 48-22 FCIP Link Write Acceleration

[Figure: two message sequence diagrams between Initiator, MDS 9000, MDS 9000 (FCIP over WAN) and Target. Without acceleration: Command, Transfer ready, Data transfer, Status, spanning RTT1 and RTT2. With acceleration: Command, Transfer ready, Data transfer, Transfer ready, Status, spanning RTT1.]

Tip FCIP write acceleration can be enabled for multiple FCIP tunnels if the tunnels are part of a dynamic
PortChannel configured with channel mode active. FCIP write acceleration does not work if multiple
non-PortChannel ISLs exist with equal weight between the initiator and the target port. Such a
configuration might cause either SCSI discovery failure or failed WRITE or READ operations.

Tip Do not enable time stamp control on an FCIP interface with write acceleration configured.

Note Write acceleration cannot be used across FSPF equal cost paths in FCIP deployments. Native Fibre
Channel write acceleration can be used with Port Channels. Also, FCIP write acceleration can be used
in Port Channels configured with channel mode active or constructed with Port Channel Protocol (PCP).


Caution FCIP write acceleration with FCIP ports as members of PortChannels in Cisco MDS SAN-OS Release
2.0(1b) and later NX-OS is incompatible with the FCIP write acceleration in earlier releases.

Configuring FCIP Write Acceleration


You can enable FCIP write acceleration when you create the FCIP link using the FCIP Wizard.
To enable write acceleration on an existing FCIP link, follow these steps:

Step 1 Choose ISLs > FCIP from the Physical Attributes pane on Fabric Manager.
You see the FCIP profiles and links in the Information pane.
On Device Manager, choose IP > FCIP.
You see the FCIP dialog box.
Step 2 Click the Tunnels (Advanced) tab.
You see the FCIP link information (see Figure 48-23).

Figure 48-23 FCIP Tunnels (Advanced) Tab

Step 3 Check or uncheck the Write Accelerator check box.


Step 4 Choose the appropriate compression ratio from the IP Compression drop-down list.
Step 5 Click the Apply Changes icon to save these changes.

Figure 48-24 FCIP Tunnels (Advanced) Tab

FCIP Tape Acceleration


Tapes are storage devices that store and retrieve user data sequentially. Cisco MDS NX-OS provides both
tape write and read acceleration.
Applications that access tape drives normally have only one SCSI WRITE or READ operation
outstanding. This single command process limits the benefit of the tape acceleration feature when
using an FCIP tunnel over a long-distance WAN link. It impacts backup and restore performance
because each SCSI WRITE or READ operation does not complete until the host receives a good status
response from the tape drive. The FCIP tape acceleration feature helps solve this problem. It improves
tape backup, archive, and restore operations by allowing faster data streaming between the host and tape
drive over the WAN link.
In an example of tape acceleration for write operations, the backup server in Figure 48-25 issues write
operations to a drive in the tape library. Acting as a proxy for the remote tape drives, the local Cisco
MDS switch proxies a transfer ready to signal the host to start sending data. After receiving all the data,
the local Cisco MDS switch proxies the successful completion of the SCSI WRITE operation. This
response allows the host to start the next SCSI WRITE operation. This proxy method results in more
data being sent over the FCIP tunnel in the same time period compared to the time taken to send data
without proxying. The proxy method improves the performance on WAN links.


Figure 48-25 FCIP Link Tape Acceleration for Write Operations

[Figure: message sequence between Backup Server, MDS with IPS, MDS with IPS (across the WAN) and Tape Drive: Write Command 1 and Status 1 through Write Command N and Status N, followed by the WRITE FILEMARKS operation and WRITE FILEMARKS status.]

At the tape end of the FCIP tunnel, another Cisco MDS switch buffers the command and data it has
received. It then acts as a backup server to the tape drive by listening to a transfer ready from the tape
drive before forwarding the data.

Note In some cases such as a quick link up/down event (FCIP link, Server/Tape Port link) in a tape
library environment that exports Control LUN or a Medium Changer as LUN 0 and tape drives
as other LUNs, tape acceleration may not detect the tape sessions and may not accelerate these
sessions. The workaround is to keep the FCIP link disabled for a couple of minutes before
enabling the link. Note that this does not apply to tape environments where the tape drives are
either direct FC attached or exported as LUN 0.

The Cisco NX-OS provides reliable data delivery to the remote tape drives using TCP/IP over the WAN.
It maintains write data integrity by allowing the WRITE FILEMARKS operation to complete end-to-end
without proxying. The WRITE FILEMARKS operation signals the synchronization of the buffer data
with the tape library data. While tape media errors are returned to backup servers for error handling, tape
busy errors are retried automatically by the Cisco NX-OS software.
In an example of tape acceleration for read operations, the restore server in Figure 48-26 issues read
operations to a drive in the tape library. During the restore process, the remote Cisco MDS switch at the
tape end, in anticipation of more SCSI read operations from the host, sends out SCSI read operations on
its own to the tape drive. The prefetched read data is cached at the local Cisco MDS switch. The local
Cisco MDS switch, on receiving SCSI read operations from the host, sends out the cached data. This
method results in more data being sent over the FCIP tunnel in the same time period compared to the
time taken to send data without read acceleration for tapes. This improves the performance for tape reads
on WAN links.


Figure 48-26 FCIP Link Tape Acceleration for Read Operations

[Figure: message sequence between Restore Server, MDS with IPS, MDS with IPS (across the WAN) and Tape Drive: Read command N through N+2, Read data N and N+1, Status N and N+1.]

The Cisco NX-OS provides reliable data delivery to the restore application using TCP/IP over the WAN.
While tape media errors during the read operation are returned to the restore server for error handling,
the Cisco NX-OS software recovers from any other errors.

Note The FCIP tape acceleration feature is disabled by default and must be enabled on both sides of the FCIP
link. If it is only enabled on one side of the FCIP tunnel, the tape acceleration feature is turned
operationally off.

Tip FCIP tape acceleration does not work if the FCIP port is part of a PortChannel or if there are multiple
paths between the initiator and the target port. Such a configuration might cause either SCSI discovery
failure or broken write or read operations.

Caution When tape acceleration is enabled in an FCIP interface, a FICON VSAN cannot be enabled in that
interface. Likewise, if an FCIP interface is up in a FICON VSAN, tape acceleration cannot be enabled
on that interface.

Note When you enable the tape acceleration feature for an FCIP tunnel, the tunnel is reinitialized and the write
and read acceleration feature is also automatically enabled.

In tape acceleration for writes, after a certain amount of data has been buffered at the remote Cisco MDS
switch, the write operations from the host are flow controlled by the local Cisco MDS switch by not
proxying the Transfer Ready. On completion of a write operation when some data buffers are freed, the
local Cisco MDS switch resumes the proxying. Likewise, in tape acceleration for reads, after a certain
amount of data has been buffered at the local Cisco MDS switch, the read operations to the tape drive
are flow controlled by the remote Cisco MDS switch by not issuing any further reads. On completion of
a read operation, when some data buffers are freed, the remote Cisco MDS switch resumes issuing reads.
The default flow control buffering uses the automatic option. This option takes the WAN latencies and
the speed of the tape into account to provide optimum performance. You can also specify a flow control
buffer size (the maximum buffer size is 12 MB).

Tip We recommend that you use the default option for flow-control buffering.

Tip Do not enable time-stamp control on an FCIP interface with tape acceleration configured.

Note If one end of the FCIP tunnel is running Cisco MDS SAN-OS Release 3.0(1) or later and NX-OS, and
the other end is running Cisco MDS SAN-OS Release 2.x, and tape acceleration is enabled, then the
FCIP tunnel will run only tape write acceleration, not tape-read acceleration.

Tape Library LUN Mapping for FCIP Tape Acceleration

If a tape library provides logical unit (LU) mapping and FCIP tape acceleration is enabled, you must
assign a unique LU number (LUN) to each physical tape drive accessible through a target port.
Figure 48-27 shows tape drives connected to Switch 2 through a single target port. If the tape library
provides LUN mapping, then all four tape drives should be assigned unique LUNs.

Figure 48-27 FCIP LUN Mapping Example

[Figure labels: Host 1, Host 2, Switch 1, Switch 2, FCIP link, Tape library with Drive 1, Drive 2, Drive 3 and Drive 4.]

For the mappings described in Table 48-1 and Table 48-2, Host 1 has access to Drive 1 and Drive 2, and
Host 2 has access to Drive 3 and Drive 4.
Table 48-1 describes correct tape library LUN mapping.


Table 48-1 Correct LUN Mapping Example with Single Host Access

Host      LUN Mapping   Drive
Host 1    LUN 1         Drive 1
          LUN 2         Drive 2
Host 2    LUN 3         Drive 3
          LUN 4         Drive 4

Table 48-2 describes incorrect tape library LUN mapping.

Table 48-2 Incorrect LUN Mapping Example with Single Host Access

Host      LUN Mapping   Drive
Host 1    LUN 1         Drive 1
          LUN 2         Drive 2
Host 2    LUN 1         Drive 3
          LUN 2         Drive 4

Another example setup is when a tape drive is shared by multiple hosts through a single tape port. For
instance, Host 1 has access to Drive1 and Drive2, and Host 2 has access to Drive 2, Drive 3, and Drive
4. A correct LUN mapping configuration for such a setup is shown in Table 48-3.

Table 48-3 Correct LUN Mapping Example with Multiple Host Access

Host      LUN Mapping   Drive
Host 1    LUN 1         Drive 1
          LUN 2         Drive 2
Host 2    LUN 2         Drive 2
          LUN 3         Drive 3
          LUN 4         Drive 4
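
The LUN rule illustrated by Tables 48-1 through 48-3 can be checked mechanically before tape acceleration is enabled. The following is an added example, not part of the Cisco guide or any Cisco tool: the function name and the dictionary layout are this example's own, and the second check (one drive exported under two different LUNs) is this example's reading of Table 48-3 rather than a rule the text states.

```python
from collections import defaultdict
from typing import Dict, List

# host -> {LUN: drive}, for the drives reachable through ONE target port
LunMap = Dict[str, Dict[int, str]]

# The three mappings from Tables 48-1, 48-2 and 48-3.
TABLE_48_1: LunMap = {"Host 1": {1: "Drive 1", 2: "Drive 2"},
                      "Host 2": {3: "Drive 3", 4: "Drive 4"}}
TABLE_48_2: LunMap = {"Host 1": {1: "Drive 1", 2: "Drive 2"},
                      "Host 2": {1: "Drive 3", 2: "Drive 4"}}
TABLE_48_3: LunMap = {"Host 1": {1: "Drive 1", 2: "Drive 2"},
                      "Host 2": {2: "Drive 2", 3: "Drive 3", 4: "Drive 4"}}


def check_lun_mapping(lun_map: LunMap) -> List[str]:
    """Return a list of problems; an empty list means the mapping is usable."""
    drives_by_lun = defaultdict(dict)   # LUN   -> {drive: [hosts using it]}
    luns_by_drive = defaultdict(dict)   # drive -> {LUN:   [hosts using it]}
    for host, luns in lun_map.items():
        for lun, drive in luns.items():
            drives_by_lun[lun].setdefault(drive, []).append(host)
            luns_by_drive[drive].setdefault(lun, []).append(host)

    problems = []
    # A LUN may appear for several hosts only if it names the same drive
    # every time (Table 48-3); pointing at different drives is Table 48-2.
    for lun in sorted(drives_by_lun):
        drives = drives_by_lun[lun]
        if len(drives) > 1:
            detail = ", ".join(f"{d} ({'/'.join(h)})"
                               for d, h in sorted(drives.items()))
            problems.append(f"LUN {lun} is reused for different drives: {detail}")
    # Assumption of this example: a shared drive keeps one LUN for all hosts.
    for drive in sorted(luns_by_drive):
        luns = luns_by_drive[drive]
        if len(luns) > 1:
            detail = ", ".join(f"LUN {n} ({'/'.join(h)})"
                               for n, h in sorted(luns.items()))
            problems.append(f"{drive} is exported under different LUNs: {detail}")
    return problems


if __name__ == "__main__":
    for label, table in (("Table 48-1", TABLE_48_1),
                         ("Table 48-2", TABLE_48_2),
                         ("Table 48-3", TABLE_48_3)):
        print(label, check_lun_mapping(table) or "OK")
```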

Configuring FCIP Tape Acceleration


To enable FCIP tape acceleration using Fabric Manager, follow these steps:

Step 1 From Fabric Manager, choose ISLs > FCIP from the Physical Attributes pane.
You see the FCIP profiles and links in the Information pane.
From Device Manager, choose IP > FCIP.
You see the FCIP dialog box.
Step 2 Click the Tunnels tab. You see the FCIP link information.
Step 3 Click the Create Row icon in Fabric Manager or the Create button in Device Manager.
You see the FCIP Tunnels dialog box.
Step 4 Set the profile ID in the ProfileID field and the tunnel ID in the TunnelID field.


Step 5 Set the RemoteIPAddress and RemoteTCPPort fields for the peer IP address you are configuring.
Step 6 Check the TapeAccelerator check box.
Step 7 (Optional) Set the other fields in this dialog box and click Create to create this FCIP link.


FCIP Compression
The FCIP compression feature allows IP packets to be compressed on the FCIP link if this feature is
enabled on that link. By default, FCIP compression is disabled. When enabled, the software defaults
to using the auto mode (if a mode is not specified).

Note The "auto" mode (default) selects the appropriate compression scheme based on the card type and
bandwidth of the link (the bandwidth of the link configured in the FCIP profile's TCP parameters).

Table 48-4 lists the modes used for different cards.

Table 48-4 Algorithm Classification

Mode     IPS Card   MPS 14/2 Card   18+4/9222i
mode1    SW         HW              HW
mode2    SW         SW              HW
mode3    SW         SW              HW

Note With SAN-OS 3.3(1) and later NX-OS, all compression options (auto, mode1, mode2, mode3) mean
hardware deflate on 9222i and MSM 18+4. There is no software compression.

Table 48-5 lists the performance settings for different cards.
Table 48-5 Performance Settings

Bandwidth    IPS Card   MPS 14/2 Card   18+4/9222i
Any          -          -               mode1/mode2/mode3
>25Mbps      mode1      mode1           mode2/mode3
10-25Mbps    mode2      mode2           mode2/mode3
10Mbps       mode3      mode3           mode2/mode3

Note The Cisco MDS 9216i and 9222i Switches also support the IP compression feature. The integrated
supervisor module has the same hardware components that are available in the MPS-14/2 module.

Caution The compression modes in Cisco SAN-OS Release 2.0(1b) and later and NX-OS are incompatible with
the compression modes in Cisco SAN-OS Release 1.3(1) and earlier.

Tip While upgrading from Cisco SAN-OS Release 1.x to Cisco SAN-OS Release 2.0(1b) or later and
NX-OS, we recommend that you disable compression before the upgrade procedure, and then enable the
required mode after the upgrade procedure.

If both ends of the FCIP link are running Cisco SAN-OS Release 2.0(1b) or later and NX-OS and you
enable compression at one end of the FCIP tunnel, be sure to enable it at the other end of the link.
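
Several notes, tips and cautions in this chapter describe settings that only work when the two ends of an FCIP link agree (connection mode, special frames, time stamp control, write and tape acceleration, compression). The following added example, which is not Cisco code and does not talk to a switch, collects those rules into one audit of a pair of endpoint records; the class, attribute names, rule codes and sample WWNs are constructed for this example, and comparing RemoteWWN with the peer's switch WWN is this example's assumption about how the special frame check is meant to be configured.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FcipEndpoint:
    """One end of an FCIP link. Attribute names are this example's own."""
    name: str
    switch_wwn: str
    passive_mode: bool = False          # PassiveMode check box
    num_tcp_con: int = 2                # NumTCPCon
    time_stamp: bool = False            # Time Stamp section, Enable
    ntp_configured: bool = False
    special_frames: bool = False        # Special Frames section, Enable
    remote_wwn: Optional[str] = None    # RemoteWWN
    write_accel: bool = False           # Write Accelerator
    tape_accel: bool = False            # TapeAccelerator
    compression: bool = False           # any IP Compression mode selected
    in_port_channel: bool = False
    ficon_vsan: bool = False


Finding = Tuple[str, str]               # (rule code, explanation)


def _norm(wwn: Optional[str]) -> str:
    return (wwn or "").replace(":", "").lower()


def audit_link(a: FcipEndpoint, b: FcipEndpoint) -> List[Finding]:
    out: List[Finding] = []
    if a.passive_mode and b.passive_mode:
        out.append(("both-passive", "neither end initiates the TCP connection"))
    for ep in (a, b):
        if ep.num_tcp_con not in (1, 2):
            out.append(("tcp-count", f"{ep.name}: only one or two TCP connections"))
        # Enabling tape acceleration also enables write acceleration.
        if ep.time_stamp and (ep.write_accel or ep.tape_accel):
            out.append(("timestamp-with-accel",
                        f"{ep.name}: time stamp control on an accelerated interface"))
        if ep.tape_accel and ep.in_port_channel:
            out.append(("tape-accel-portchannel",
                        f"{ep.name}: tape acceleration on a PortChannel member"))
        if ep.tape_accel and ep.ficon_vsan:
            out.append(("tape-accel-ficon",
                        f"{ep.name}: tape acceleration on a FICON VSAN interface"))
    if (a.time_stamp or b.time_stamp) and not (a.ntp_configured and b.ntp_configured):
        out.append(("timestamp-no-ntp", "time stamp control needs NTP on both switches"))
    if a.special_frames != b.special_frames:
        out.append(("special-frames-one-side", "special frames must be enabled on both peers"))
    elif a.special_frames:
        for local, peer in ((a, b), (b, a)):
            if _norm(local.remote_wwn) != _norm(peer.switch_wwn):
                out.append(("wwn-mismatch",
                            f"{local.name}: RemoteWWN does not match {peer.name}"))
    if (a.write_accel or a.tape_accel) != (b.write_accel or b.tape_accel):
        out.append(("write-accel-one-side", "write acceleration is operationally off"))
    if a.tape_accel != b.tape_accel:
        out.append(("tape-accel-one-side", "tape acceleration is operationally off"))
    if a.compression != b.compression:
        out.append(("compression-one-side", "compression enabled at one end only"))
    return out


def codes(findings: List[Finding]) -> List[str]:
    return sorted(code for code, _ in findings)


# Constructed sample data: two ends of one link with several conflicts.
WWN_A, WWN_B = "20:00:00:0d:ec:00:00:0a", "20:00:00:0d:ec:00:00:0b"
SITE_A = FcipEndpoint("site-a", WWN_A, passive_mode=True, time_stamp=True,
                      ntp_configured=True, special_frames=True,
                      remote_wwn=WWN_B, write_accel=True)
SITE_B = FcipEndpoint("site-b", WWN_B, passive_mode=True, ntp_configured=True,
                      special_frames=True, remote_wwn="20:00:00:0d:ec:00:00:99")

if __name__ == "__main__":
    for code, why in audit_link(SITE_A, SITE_B):
        print(f"{code}: {why}")
```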

Default Settings
Table 48-6 lists the default settings for FCIP parameters.

Table 48-6 Default FCIP Parameters

Parameters                                 Default
TCP default port for FCIP                  3225
minimum-retransmit-time                    200 msec
Keepalive timeout                          60 sec
Maximum retransmissions                    4 retransmissions
PMTU discovery                             Enabled
pmtu-enable reset-timeout                  3600 sec
SACK                                       Enabled
max-bandwidth                              1 Gbps
min-available-bandwidth                    500 Mbps
round-trip-time                            1 msec
Buffer size                                0 KB
Control TCP and data connection            No packets are transmitted
TCP congestion window monitoring           Enabled
Burst size                                 50 KB
TCP connection mode                        Active mode is enabled
special-frame                              Disabled
FCIP timestamp                             Disabled
acceptable-diff range to accept packets    +/- 2000 msec
B port keepalive responses                 Disabled
Write acceleration                         Disabled
Tape acceleration                          Disabled


CHAPTER 49
Configuring the SAN Extension Tuner

The SAN Extension Tuner (SET) feature is unique to the Cisco MDS 9000 Family of switches. This
feature helps you optimize FCIP performance by generating either direct access (magnetic disk) or
sequential access (magnetic tape) SCSI I/O commands and directing such traffic to a specific virtual
target. You can specify the size of the test I/O transfers and how many concurrent or serial I/Os to
generate while testing. The SET reports the resulting I/Os per second (IOPS) and I/O latency, which
helps you determine the number of concurrent I/Os needed to maximize FCIP throughput.
This chapter includes the following sections:
- About the SAN Extension Tuner
- License Prerequisites
- Configuring the SAN Extension Tuner
- Using the SAN Extension Tuner Wizard
- Default Settings

About the SAN Extension Tuner


Note SAN Extension Tuner is not supported on the Cisco Fabric Switch for HP c-Class BladeSystem and the
Cisco Fabric Switch for IBM BladeCenter.

Note As of Cisco MDS SAN-OS Release 3.3(1a), SAN Extension Tuner is supported on the Multiservice
Module (MSM) and the Multiservice Modular Switch.

Applications such as remote copy and data backup use FCIP over an IP network to connect across
geographically distributed SANs. To achieve maximum throughput performance across the fabric, you
can tune the following configuration parameters:
- The TCP parameters for the FCIP profile (see the Window Management section on page 48-20).
- The number of concurrent SCSI I/Os generated by the application.
- The transfer size used by the application over an FCIP link.
SET is implemented in IPS ports. When enabled, this feature can be used to generate SCSI I/O
commands (read and write) to the virtual target based on your configured options (see Figure 49-1).


Figure 49-1 SCSI Command Generation to the Virtual Target
(Diagram labels: virtual initiator, virtual target, FC fabric, IPS, read/write I/O, WAN/MAN.)

The SET feature assists with tuning by generating varying SCSI traffic workloads. It also measures
throughput and response time per I/O over an FCIP link.
Before tuning the SAN fabric, be aware of the following guidelines:
- Note these implementation details:
  - The tuned configuration is not persistent.
  - The virtual N ports created do not register their supported FC4 features with the name server.
    This prevents the hosts in the SAN from discovering these N ports as regular initiators or targets.
  - Login requests from other initiators in the SAN are rejected.
  - The virtual N ports do not implement the entire SCSI suite; they implement only the SCSI read
    and write commands.
  - Tuner initiators can only communicate with tuner targets.
- Verify that the Gigabit Ethernet interface is up at the physical layer (GBIC and cable connected; an
  IP address is not required).
- Enable iSCSI on the switch (no other iSCSI configuration is required).
- Enable the interface (no other iSCSI interface configuration is required) (see the Creating iSCSI
  Interfaces section on page 50-5).
- Configure the virtual N ports in a separate VSAN or zone as required by your network.
- Be aware that a separate VSAN with only virtual N ports is not required, but is recommended as
  some legacy HBAs may fail if logins to targets are rejected.
- Do not use the same Gigabit Ethernet interface to configure virtual N ports and FCIP links; use
  different Gigabit Ethernet interfaces. While this is not a requirement, it is recommended as the
  traffic generated by the virtual N ports may interfere with the performance of the FCIP link.

SAN Extension Tuner Setup


Figure 49-2 provides a sample physical setup in which the virtual N ports are created on ports that are
not a part of the FCIP link for which the throughput and latency are measured.


Figure 49-2 N Port Tuning Configuration Physical Example
(Diagram labels: two Cisco MDS switches joined by an FCIP link across a WAN or MAN; one N port acts
as initiator, the other N port acts as target.)

Figure 49-3 provides a sample logical setup in which the virtual N ports are created on ports that are not
a part of the FCIP link for which the throughput and latency are measured.

Figure 49-3 Logical Example of N Port Tuning for a FCIP Link
(Diagram labels: two Cisco MDS switches; SAN Extension Tuner N ports at GE 3/4 and GE 2/4; FCIP link
at GE 3/3 and GE 2/3.)

Data Pattern
By default, an all-zero pattern is used as the pattern for data generated by the virtual N ports. You can
optionally specify a file as the data pattern to be generated by selecting a data pattern file from one of
three locations: the bootflash: directory, the volatile: directory, or the slot0: directory. This option is
especially useful when testing compression over FCIP links. You can also use Canterbury corpus or
artificial corpus files for benchmarking purposes.

License Prerequisites
To use the SET, you need to obtain the SAN_EXTN_OVER_IP license (see Chapter 10, Obtaining and
Installing Licenses).

Configuring the SAN Extension Tuner


This section includes the following topics:
- Tuning the FCIP Link


Tuning the FCIP Link


To tune the required FCIP link, follow these steps:

Step 1 Configure the nWWN for the virtual N ports on the switch.
Step 2 Enable iSCSI on the interfaces on which you want to create the N ports.
Step 3 Configure the virtual N ports on either side of the FCIP link.
Step 4 Ensure that the virtual N ports are not visible to real initiators in the SAN. You can use zoning (see
Chapter 30, Configuring and Managing Zones) or VSANs (see Chapter 26, Configuring and
Managing VSANs) to segregate the real initiators. Ensure that the zoning configuration is set up to allow
the virtual N ports to communicate with each other.
Step 5 Start the SCSI read and write I/Os.
Step 6 Add more N ports (as required) to other Gigabit Ethernet ports in the switch to obtain maximum
throughput. One scenario that may require additional N ports is if you use FCIP PortChannels.

Using the SAN Extension Tuner Wizard


Use the SAN Extension Tuner wizard to perform these tasks:
- Configuring nWWN ports
- Enabling iSCSI
- Configuring Virtual N ports
- Assigning SCSI read and write CLI commands
- Assigning SCSI tape read and write CLI commands
- Configuring a data pattern for SCSI commands
To tune the required FCIP link using the SAN Extension Tuner Wizard in Fabric Manager, follow these
steps:

Step 1 Right-click a valid FCIP link in the Fabric pane, and then select SAN Extension Tuner from the
drop-down list. You can also highlight the link and choose Tools > Other > SAN Extension Tuner.
You see the Select Ethernet Port Pair dialog box (see Figure 49-4).


Figure 49-4 Select Ethernet Port Pair Dialog Box

Step 2 Select the Ethernet port pairs that correspond to the FCIP link you want to tune and click Next.

Note The Ethernet ports you select should be listed as down.

You see the Specify Parameters dialog box (see Figure 49-5).
Step 3 Create and activate a new zone to ensure that the virtual N ports are not visible to real initiators in the
SAN by clicking Yes to the zone creation dialog box.

Figure 49-5 Specify Parameters Dialog Box


Step 4 (Optional) Change the default settings for the transfer data size and the number of concurrent SCSI read
and write commands as follows:
a. Set Transfer Size to the number of bytes that you expect your applications to use over the FCIP link.
b. Set Read I/O to the number of concurrent SCSI read commands you expect your applications to
generate over the FCIP link.
c. Set Write I/O to the number of concurrent outstanding SCSI write commands you expect your
applications to generate over the FCIP link.

Note There is only one outstanding I/O at a time to the virtual N-port that emulates the tape behavior.

d. Check the Use Pattern File check box and select a file that you want to use to set the data pattern
that is generated by the SAN extension tuner. See the Data Pattern section on page 49-3.
Step 5 Click Next.
You see the Results dialog box (see Figure 49-6).

Figure 49-6 Results Dialog Box

Step 6 Click Start to start the tuner. The tuner sends a continuous stream of traffic until you click Stop.
Step 7 Click Show to see the latest tuning statistics. You can select this while the tuner is running or after you
stop it.
Step 8 Click Stop to stop the SAN extension tuner.


Default Settings
Table 49-1 lists the default settings for tuning parameters.

Table 49-1 Default Tuning Parameters

Parameters                Default
Tuning                    Disabled.
Transfer ready size       Same as the transfer size in the SCSI write command.
Outstanding I/Os          1.
Number of transactions    1.
Data generation format    All-zero format.
File mark frequency       0.


CHAPTER 50
Configuring iSCSI

Cisco MDS 9000 Family IP storage (IPS) services extend the reach of Fibre Channel SANs by using
open-standard, IP-based technology. The switch allows IP hosts to access Fibre Channel storage using
the iSCSI protocol.

Note The iSCSI feature is specific to the IPS module and is available in Cisco MDS 9200 Switches or Cisco
MDS 9500 Directors.

The Cisco MDS 9216i switch and the 14/2 Multiprotocol Services (MPS-14/2) module also allow you
to use Fibre Channel, FCIP, and iSCSI features. The MPS-14/2 module is available for use in any switch
in the Cisco MDS 9200 Series or Cisco MDS 9500 Series.

Note For information on configuring Gigabit Ethernet interfaces, see the Configuring Gigabit Ethernet
Interfaces for IPv4 section on page 52-4.

This chapter includes the following sections:
- About iSCSI
- Configuring iSCSI
- Configuring iSLB
- iSCSI High Availability
- iSCSI Authentication Setup Guidelines and Scenarios
- iSNS
- iSNS Cloud Discovery
- Default Settings

About iSCSI
Note The iSCSI feature is not supported on the Cisco Fabric Switch for HP c-Class Bladesystem and Cisco
Fabric Switch for IBM BladeCenter.


The iSCSI feature consists of routing iSCSI requests and responses between iSCSI hosts in an IP
network and Fibre Channel storage devices in the Fibre Channel SAN that are accessible from any Fibre
Channel interface of the Cisco MDS 9000 Family switch (see Figure 50-1).

Figure 50-1 Transporting iSCSI Requests and Responses for Transparent iSCSI Routing
(Diagram labels: IP host A, IP network, Switch 1, Fibre Channel SAN, intelligent storage array.
A: Transporting iSCSI requests and responses over an IP network.
B: Routing SCSI requests and responses (through the IPS module).
C: Transporting FCP requests and responses between a Cisco MDS switch and a storage array.)

Each iSCSI host that requires access to storage through the IPS module or MPS-14/2 module needs to
have a compatible iSCSI driver installed. (The Cisco.com website at
http://www.cisco.com/cgi-bin/tablebuild.pl/sn5420-scsi provides a list of compatible drivers.) Using the
iSCSI protocol, the iSCSI driver allows an iSCSI host to transport SCSI requests and responses over an
IP network. From the host operating system perspective, the iSCSI driver appears to be a SCSI transport
driver similar to a Fibre Channel driver in the host.
The IPS module or MPS-14/2 module provides transparent SCSI routing. IP hosts using the iSCSI
protocol can transparently access targets on the Fibre Channel network. Figure 50-1 provides an example
of a typical configuration in which iSCSI hosts connected to an IPS module or MPS-14/2 module through
the IP network access Fibre Channel storage on the Fibre Channel SAN.
The IPS module or MPS-14/2 module creates a separate iSCSI SAN view and Fibre Channel SAN view.
For the iSCSI SAN view, the IPS module or MPS-14/2 module creates iSCSI virtual targets and then
maps them to physical Fibre Channel targets available in the Fibre Channel SAN. The modules present
the Fibre Channel targets to IP hosts as if the physical targets were iSCSI targets attached to the IP
network (see Figure 50-2).

Figure 50-2 iSCSI SAN View: iSCSI Virtual Targets
(Diagram labels: iSCSI, IP network, MDS, virtual iSCSI target T-3, Fibre Channel SAN, target T-3.)


For the Fibre Channel SAN view, the IPS module or MPS-14/2 module presents iSCSI hosts as a virtual
Fibre Channel host. The storage devices communicate with the virtual Fibre Channel host similar to
communications performed with real Fibre Channel hosts (see Figure 50-3).

Figure 50-3 Fibre Channel SAN View: iSCSI Host as an HBA
(Diagram labels: iSCSI host A, IP network, MDS, virtual FC host A, Fibre Channel SAN, target T-3.)

The IPS modules or MPS-14/2 modules transparently map the command between the iSCSI virtual target
and the virtual Fibre Channel host (see Figure 50-4).

Figure 50-4 iSCSI to FCP (Fibre Channel) Routing
(Diagram labels: IP host A with iqn.host A; IP network; iSCSI session; MDS performing iSCSI to FCP (FC)
routing, labelled SCSI routing; iSCSI virtual target iqn.T1; FC virtual host pwwn-A; FC session;
FC target T1 with pwwn-T1.)

Routing SCSI from the IP host to the Fibre Channel storage device consists of the following main
actions:
- The iSCSI requests and responses are transported over an IP network between the hosts and the IPS
  module or MPS-14/2 module.
- The SCSI requests and responses are routed between the hosts on an IP network and the Fibre
  Channel storage device (converting iSCSI to FCP and vice versa). The IPS module or MPS-14/2
  module performs this conversion and routing.
- The FCP requests or responses are transported between the IPS module or MPS-14/2 module and
  the Fibre Channel storage devices.

Note FCP (the Fibre Channel equivalent of iSCSI) carries SCSI commands over a Fibre Channel SAN.
Refer to the IETF standards for IP storage at http://www.ietf.org for information on the iSCSI protocol.


About iSCSI Configuration Limits


iSCSI configuration has the following limits:
- The maximum number of iSCSI and iSLB initiators supported in a fabric is 2000.
- The maximum number of iSCSI and iSLB initiators supported is 200 per port.
- The maximum number of iSCSI and iSLB sessions supported by an IPS port in either transparent or
  proxy initiator mode is 500.
- The maximum number of iSCSI and iSLB sessions supported by a switch is 5000.
- The maximum number of iSCSI and iSLB targets supported in a fabric is 6000.

Configuring iSCSI
This section describes how to configure iSCSI on the Cisco MDS 9000 Family switches.
This section includes the following topics:
- Enabling iSCSI
- Creating iSCSI Interfaces
- Using the iSCSI Wizard
- Presenting Fibre Channel Targets as iSCSI Targets
- Presenting iSCSI Hosts as Virtual Fibre Channel Hosts
- iSCSI Access Control
- iSCSI Session Authentication
- iSCSI Immediate Data and Unsolicited Data Features
- iSCSI Interface Advanced Features

Enabling iSCSI
To use the iSCSI feature, you must explicitly enable iSCSI on the required switches in the fabric. By
default, this feature is disabled in all switches in the Cisco MDS 9000 Family.
To enable iSCSI on any participating switch using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSCSI in the Physical Attributes pane.
You see the iSCSI tables in the Information pane (see Figure 50-5).


Figure 50-5 iSCSI Tables in Fabric Manager

The Control tab is the default tab. You see the iSCSI enable status for all switches in the fabric that
contain IPS ports.
Step 2 Choose enable from the Command column for each switch that you want to enable iSCSI on.
Step 3 Click the Apply Changes icon to save these changes.

Caution When you disable this feature, all related configurations are automatically discarded.

Creating iSCSI Interfaces


Each physical Gigabit Ethernet interface on an IPS module or MPS-14/2 module can be used to translate
and route iSCSI requests to Fibre Channel targets and responses in the opposite direction. To enable this
capability, the corresponding iSCSI interface must be in an enabled state.

Using the iSCSI Wizard


To use the iSCSI wizard in Fabric Manager, follow these steps:

Step 1 Click the iSCSI Setup Wizard icon.


You see the iSCSI Wizard Configure Initiator dialog box shown in Figure 50-6.


Figure 50-6 iSCSI Wizard Configure Initiator Dialog Box

Step 2 Select an existing iSCSI initiator or add the iSCSI node name or IP address for a new iSCSI initiator.
Step 3 Select the switch for this iSCSI initiator if you are adding a new iSCSI initiator and click Next.
You see the iSCSI Wizard Select Targets dialog box shown in Figure 50-7.

Figure 50-7 iSCSI Wizard Select Targets Dialog Box


Step 4 Select the VSAN and targets to associate with this iSCSI initiator and click Next.

Note The iSCSI wizard turns on the Dynamic Import FC Targets feature.

You see the iSCSI Wizard Select Zone dialog box shown in Figure 50-8.

Figure 50-8 iSCSI Wizard Select Zone Dialog Box

Step 5 Set the zone name for this new iSCSI zone and check the ReadOnly check box if needed.
Step 6 Click Finish to create this iSCSI initiator.
If created, the target VSAN is added to the iSCSI host VSAN list.

Note The iSCSI wizard automatically turns on the Dynamic FC target import.

Presenting Fibre Channel Targets as iSCSI Targets


The IPS module or MPS-14/2 module presents physical Fibre Channel targets as iSCSI virtual targets,
allowing them to be accessed by iSCSI hosts. It does this in one of two ways:
- Dynamic mapping: Automatically maps all the Fibre Channel target devices/ports as iSCSI
  devices. Use this mapping to create automatic iSCSI target names.


- Static mapping: Manually creates iSCSI target devices and maps them to the whole Fibre Channel
  target port or a subset of Fibre Channel LUNs. With this mapping, you must specify unique iSCSI
  target names.
  Static mapping should be used when iSCSI hosts should be restricted to subsets of LUs in the Fibre
  Channel targets and/or iSCSI access control is needed (see the iSCSI Access Control section on
  page 50-24). Also, static mapping allows the configuration of transparent failover if the LUs of the
  Fibre Channel targets are reachable by redundant Fibre Channel ports (see the Transparent Target
  Failover section on page 50-50).

Note The IPS module or MPS-14/2 module does not import Fibre Channel targets to iSCSI by default. Either
dynamic or static mapping must be configured before the IPS module or MPS-14/2 module makes Fibre
Channel targets available to iSCSI initiators.

Dynamic Mapping
When you configure dynamic mapping, the IPS module or MPS-14/2 module imports all Fibre Channel
targets to the iSCSI domain and maps each physical Fibre Channel target port as one iSCSI target. That
is, all LUs accessible through the physical storage target port are available as iSCSI LUs with the same
LU number (LUN) as in the physical Fibre Channel target port.
The iSCSI target node name is created automatically using the iSCSI qualified name (IQN) format. The
iSCSI qualified name is restricted to a maximum name length of 223 alphanumeric characters and a
minimum length of 16 characters.
The IPS module or MPS-14/2 module creates an IQN formatted iSCSI target node name using the
following conventions because the name must be unique in the SAN:
- IPS Gigabit Ethernet ports that are not part of a Virtual Router Redundancy Protocol (VRRP) group
  or PortChannel use this format:
  iqn.1987-05.com.cisco:05.<mgmt-ip-address>.<slot#>-<port#>-<sub-intf#>.<Target-pWWN>
- IPS ports that are part of a VRRP group use this format:
  iqn.1987-05.com.cisco:05.vrrp-<vrrp-ID#>-<vrrp-IP-addr>.<Target-pWWN>
- Ports that are part of a PortChannel use this format:
  iqn.1987-02.com.cisco:02.<mgmt-ip-address>.pc-<port-ch-sub-intf#>.<Target-pWWN>

Note If you have configured a switch name, then the switch name is used instead of the management IP
address. If you have not configured a switch name, the management IP address is used.

With this convention, each IPS port in a Cisco MDS 9000 Family switch creates a unique iSCSI target
node name for the same Fibre Channel target port in the SAN.
For example, if an iSCSI target was created for a Fibre Channel target port with pWWN
31:00:11:22:33:44:55:66 and that pWWN contains LUN 0, LUN 1, and LUN 2, those LUNs would
become available to an IP host through the iSCSI target node name
iqn.1987-05.com.cisco:05.MDS_switch_management_IP_address.01-01.3100112233445566 (see Figure 50-9).
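
The three naming conventions above can be turned into a builder and parser, which helps when reviewing discovery output to see which Fibre Channel target ports dynamic import exposes and through which IPS ports. This is an added example, not Cisco code; it assumes the sub-interface field is omitted when there is none and that slot and port are zero-padded to two digits (both as in the page's 01-01 example), and the sample names are constructed.

```python
import re
from collections import defaultdict

IQN_MIN, IQN_MAX = 16, 223  # name length limits stated on the page
PWWN = r"(?P<pwwn>[0-9a-fA-F]{16})"
PREFIX_05 = r"iqn\.1987-05\.com\.cisco:05\."
PREFIX_02 = r"iqn\.1987-02\.com\.cisco:02\."

# One pattern per convention, tried in order with fullmatch(). The switch
# identifier may itself contain dots (an IP address), so each pattern anchors
# on the fixed prefix and on the trailing 16-hex-digit pWWN.
CONVENTIONS = [
    ("vrrp", re.compile(PREFIX_05 + r"vrrp-(?P<vrrp_id>\d+)-(?P<vrrp_ip>.+)\." + PWWN)),
    ("port", re.compile(PREFIX_05 + r"(?P<switch>.+)\.(?P<slot>\d+)-(?P<port>\d+)"
                                    r"(?:-(?P<sub_intf>\d+))?\." + PWWN)),
    ("portchannel", re.compile(PREFIX_02 + r"(?P<switch>.+)\.pc-(?P<pc>[^.]+)\." + PWWN)),
]


def normalize_pwwn(pwwn):
    """'31:00:11:22:33:44:55:66' -> '3100112233445566'."""
    digits = pwwn.replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]{16}", digits):
        raise ValueError(f"not a 64-bit pWWN: {pwwn!r}")
    return digits


def check_length(name):
    """Enforce the 16 to 223 character limit on an iSCSI qualified name."""
    if not IQN_MIN <= len(name) <= IQN_MAX:
        raise ValueError(f"IQN length {len(name)} outside {IQN_MIN}..{IQN_MAX}")
    return name


def port_target_name(switch_id, slot, port, pwwn, sub_intf=None):
    """Name created by a Gigabit Ethernet port outside any VRRP group or PortChannel.

    switch_id is the switch name if one is configured, else the management IP.
    """
    location = f"{slot:02d}-{port:02d}"
    if sub_intf is not None:          # assumption: field omitted when absent
        location += f"-{sub_intf}"
    return check_length(
        f"iqn.1987-05.com.cisco:05.{switch_id}.{location}.{normalize_pwwn(pwwn)}")


def vrrp_target_name(vrrp_id, vrrp_ip, pwwn):
    return check_length(
        f"iqn.1987-05.com.cisco:05.vrrp-{vrrp_id}-{vrrp_ip}.{normalize_pwwn(pwwn)}")


def portchannel_target_name(switch_id, pc_sub_intf, pwwn):
    return check_length(
        f"iqn.1987-02.com.cisco:02.{switch_id}.pc-{pc_sub_intf}.{normalize_pwwn(pwwn)}")


def parse_target_name(name):
    """Return the convention and its fields, or None for any other name."""
    for kind, pattern in CONVENTIONS:
        match = pattern.fullmatch(name)
        if match:
            fields = {k: v for k, v in match.groupdict().items() if v is not None}
            fields["pwwn"] = fields["pwwn"].lower()
            return {"kind": kind, **fields}
    return None


def exposure_by_pwwn(names):
    """Group discovered target names by the Fibre Channel target port behind them.

    Returns (exposed, other): exposed maps pWWN -> dynamic names that reach it,
    other lists names that follow none of the three conventions (for example
    statically mapped targets).
    """
    exposed, other = defaultdict(list), []
    for name in names:
        parsed = parse_target_name(name)
        if parsed is None:
            other.append(name)
        else:
            exposed[parsed["pwwn"]].append(name)
    return dict(exposed), other


# Constructed sample: one FC target port seen through two IPS ports, a second
# port seen through a VRRP group, and one static name from the page's examples.
SAMPLE_NAMES = [
    port_target_name("10.1.1.5", 1, 1, "31:00:11:22:33:44:55:66"),
    port_target_name("10.1.1.5", 1, 2, "31:00:11:22:33:44:55:66"),
    vrrp_target_name(7, "10.1.1.100", "31:00:11:22:33:44:55:67"),
    "iqn.1987-02.com.cisco.target-1",
]

if __name__ == "__main__":
    exposed, other = exposure_by_pwwn(SAMPLE_NAMES)
    for pwwn, names in exposed.items():
        print(pwwn, "reachable through", len(names), "dynamic target name(s)")
    print("not dynamically named:", other)
```

Because each IPS port creates its own name for the same target port, grouping by pWWN shows the real number of entry points to a storage port, which is what the access control review needs.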


Figure 50-9 Dynamic Target Mapping
(Diagram labels: IP host A with iqn.host A; IP network; MDS-mgntIP with iSCSI port 1/1; virtual iSCSI
target iqn.1987-05.com.cisco:05.<mgnt-IPaddr>.01-01.3100112233445566 with LUN0, LUN1, and LUN2;
Fibre Channel target pwwn 31.00.11.22.33.44.55.66 with LUN0, LUN1, and LUN2.)

Note Each iSCSI initiator may not have access to all targets depending on the configured access control
mechanisms (see the iSCSI Access Control section on page 50-24).

To enable dynamic mapping of Fibre Channel targets into iSCSI using Device Manager, follow these
steps:

Step 1 Choose IP > iSCSI.


You see the iSCSI configuration (see Figure 50-10).

Figure 50-10 iSCSI Configuration in Device Manager

Step 2 Click the Targets tab to display a list of existing iSCSI targets (see Figure 50-11).

Figure 50-11 iSCSI Targets Tab

Step 3 Check the Dynamically Import FC Targets check box.


Step 4 Click Apply to save this change.


Static Mapping
You can manually (statically) create an iSCSI target by assigning a user-defined unique iSCSI node name
to it. The iSCSI qualified name is restricted to a minimum length of 16 characters and a maximum of
223 characters. A statically mapped iSCSI target can either map the whole Fibre Channel target port (all
LUNs in the target port mapped to the iSCSI target), or it can contain one or more LUs from a Fibre
Channel target port (see Figure 50-12).

Figure 50-12 Statically Mapped iSCSI Targets
(Diagram labels: host B; IP network; MDS; iSCSI virtual target iqn.iscsi-target-abc with LUN 0, LUN 1,
and LUN 2; target pwwn 31:00:11:22:33:44:55:66 with LUN 0, LUN 1, and LUN 2.)

To create a static iSCSI virtual target for the entire Fibre Channel target port using Device Manager,
follow these steps:

Step 1 Click IP > iSCSI.


You see the iSCSI configuration (see Figure 50-10).
Step 2 Click the Targets tab to display a list of existing iSCSI targets (see Figure 50-11).
Step 3 Click Create to create an iSCSI target.
You see the Create iSCSI Targets dialog box shown in Figure 50-13.


Figure 50-13 Create iSCSI Targets Dialog Box

Step 4 Set the iSCSI target node name in the iSCSI Name field, in IQN format.
Step 5 Set the Port WWN field for the Fibre Channel target port you are mapping.
Step 6 Click the Select from List radio button and set the iSCSI initiator node names or IP addresses that you
want to allow to access this virtual iSCSI target, or click the All radio button to let all iSCSI initiators
access the iSCSI target. Also see the iSCSI Access Control section on page 50-24.
Step 7 Click the Select from List radio button and check each interface you want to advertise the iSCSI targets
on, or click the All radio button to advertise on all interfaces.
Step 8 Click Apply to save this change.

Tip An iSCSI target cannot contain more than one Fibre Channel target port. If you have already mapped the
whole Fibre Channel target port, you cannot use the LUN mapping option.

Note See the iSCSI-Based Access Control section on page 50-26 for more information on controlling access
to statically mapped targets.


Advertising Static iSCSI Targets

You can limit the Gigabit Ethernet interfaces through which static iSCSI targets are advertised. By
default, iSCSI targets are advertised on all Gigabit Ethernet interfaces, subinterfaces, PortChannel
interfaces, and PortChannel subinterfaces.
To configure a specific interface that should advertise the iSCSI virtual target using Device Manager,
follow these steps:

Step 1 Click IP > iSCSI.


You see the iSCSI configuration (see Figure 50-10).
Step 2 Click the Targets tab to display a list of existing iSCSI targets (see Figure 50-11).
Step 3 Right-click the iSCSI target that you want to modify and click Edit Advertised.
You see the Advertised Interfaces dialog box.
Step 4 (Optional) Right-click on an interface that you want to delete and select Delete.
Step 5 (Optional) Click Create to advertise on more interfaces.
You see the Create Advertised Interfaces dialog box.

iSCSI Virtual Target Configuration Examples


This section provides three examples of iSCSI virtual target configurations.

Example 1

This example assigns the whole Fibre Channel target as an iSCSI virtual target. All LUNs that are part
of the Fibre Channel target are available as part of the iSCSI target (see Figure 50-14).

Figure 50-14 Assigning iSCSI Node Names
(Diagram labels: iSCSI view of storage device iqn.1987-02.com.cisco.target-1 with LUNs 1 to 6;
Fibre Channel storage device pWWN 28:00:01:02:03:04:05:06 with LUNs 1 to 6.)

iscsi virtual-target name iqn.1987-02.com.cisco.target-1
  pWWN 28:00:01:02:03:04:05:06

Example 2

This example maps a subset of LUNs of a Fibre Channel target to three iSCSI virtual targets. Each iSCSI
target only has one LUN (see Figure 50-15).


Figure 50-15 Mapping LUNs to an iSCSI Node Name
(Diagram labels: iSCSI view of storage device with iqn.1987-02.com.cisco.target-1,
iqn.1987-02.com.cisco.target-2, and iqn.1987-02.com.cisco.target-3, each with LUN 0; Fibre Channel
storage device pWWN 28:00:01:02:03:04:05:06 with LUNs 0, 1, and 2.)

iscsi virtual-target name iqn.1987-02.com.cisco.target-1
  pWWN 28:00:01:02:03:04:05:06 fc-lun 0 iscsi-lun 0
iscsi virtual-target name iqn.1987-02.com.cisco.target-2
  pWWN 28:00:01:02:03:04:05:06 fc-lun 1 iscsi-lun 0
iscsi virtual-target name iqn.1987-02.com.cisco.target-3
  pWWN 28:00:01:02:03:04:05:06 fc-lun 2 iscsi-lun 0

Example 3

This example maps three subsets of Fibre Channel LUN targets to three iSCSI virtual targets. Two iSCSI
targets have one LUN and the third iSCSI target has two LUNs (see Figure 50-16).

Figure 50-16 Mapping LUNs to Multiple iSCSI Node Names

[Figure: iSCSI view of the storage device with three targets (iqn.1987-02.com.cisco.target-1, target-2, and target-3); the first two each present one LUN and the third presents two LUNs of the Fibre Channel storage device with pWWN 28:00:01:02:03:04:05:06 (LUNs 0 through 3).]

iscsi virtual-target name iqn.1987-02.com.cisco.target-1
    pWWN 28:00:01:02:03:04:05:06 fc-lun 0 iscsi-lun 0
iscsi virtual-target name iqn.1987-02.com.cisco.target-2
    pWWN 28:00:01:02:03:04:05:06 fc-lun 1 iscsi-lun 0
iscsi virtual-target name iqn.1987-02.com.cisco.target-3
    pWWN 28:00:01:02:03:04:05:06 fc-lun 2 iscsi-lun 0
    pWWN 28:00:01:02:03:04:05:06 fc-lun 3 iscsi-lun 1
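
The three configuration examples above can be checked mechanically. The following Python sketch is an added example, not part of the Cisco guide or any Cisco tool: it parses the two line forms shown in the examples and reports which iSCSI virtual targets expose a whole Fibre Channel target, and which Fibre Channel LUNs are reachable through more than one virtual target (and so are governed by more than one per-target initiator access list). The function names and the target-4 entry are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed input: the Example 3 configuration, plus a hypothetical target-4
# that exports the whole Fibre Channel target in the style of Example 1.
SAMPLE_CONFIG = """\
iscsi virtual-target name iqn.1987-02.com.cisco.target-1
  pWWN 28:00:01:02:03:04:05:06 fc-lun 0 iscsi-lun 0
iscsi virtual-target name iqn.1987-02.com.cisco.target-2
  pWWN 28:00:01:02:03:04:05:06 fc-lun 1 iscsi-lun 0
iscsi virtual-target name iqn.1987-02.com.cisco.target-3
  pWWN 28:00:01:02:03:04:05:06 fc-lun 2 iscsi-lun 0
  pWWN 28:00:01:02:03:04:05:06 fc-lun 3 iscsi-lun 1
iscsi virtual-target name iqn.1987-02.com.cisco.target-4
  pWWN 28:00:01:02:03:04:05:06
"""

TARGET_RE = re.compile(r"^iscsi virtual-target name (\S+)$")
PWWN_RE = re.compile(
    r"^pWWN ((?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2})"
    r"(?: fc-lun (\d+) iscsi-lun (\d+))?$"
)


def parse_virtual_targets(text):
    """Return {target_name: [(pwwn, fc_lun, iscsi_lun), ...]}.

    fc_lun and iscsi_lun are None when the line maps the whole FC target.
    Only the two line forms shown in the examples are accepted.
    """
    targets = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = TARGET_RE.match(line)
        if match:
            current = match.group(1)
            targets.setdefault(current, [])
            continue
        match = PWWN_RE.match(line)
        if match is None or current is None:
            raise ValueError(f"line {lineno}: unexpected line {raw!r}")
        pwwn, fc_lun, iscsi_lun = match.groups()
        targets[current].append((
            pwwn.lower(),
            None if fc_lun is None else int(fc_lun),
            None if iscsi_lun is None else int(iscsi_lun),
        ))
    return targets


def audit_exposure(targets):
    """Return sorted (kind, subject, detail) findings about LUN exposure."""
    findings = []
    whole = defaultdict(set)       # pwwn -> targets exporting every LUN
    by_fc_lun = defaultdict(set)   # (pwwn, fc_lun) -> targets exporting it
    for name, maps in targets.items():
        seen_iscsi_luns = set()
        for pwwn, fc_lun, iscsi_lun in maps:
            if fc_lun is None:
                whole[pwwn].add(name)
                findings.append(("whole-target", name, pwwn))
                continue
            by_fc_lun[(pwwn, fc_lun)].add(name)
            if iscsi_lun in seen_iscsi_luns:
                findings.append(("duplicate-iscsi-lun", name, str(iscsi_lun)))
            seen_iscsi_luns.add(iscsi_lun)
    for (pwwn, fc_lun), names in by_fc_lun.items():
        # A whole-target export of the same pWWN also reaches this LUN.
        exporters = names | whole.get(pwwn, set())
        if len(exporters) > 1:
            findings.append(
                ("shared-fc-lun", f"{pwwn} fc-lun {fc_lun}", ", ".join(sorted(exporters)))
            )
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_exposure(parse_virtual_targets(SAMPLE_CONFIG)):
        print(*finding, sep=" | ")
```

Run against the unmodified Example 3 configuration, the audit reports nothing; the findings appear only once the hypothetical whole-target export is added.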


Presenting iSCSI Hosts as Virtual Fibre Channel Hosts


The IPS module or MPS-14/2 module connects to the Fibre Channel storage devices on behalf of the
iSCSI host to send commands and transfer data to and from the storage devices. These modules use a
virtual Fibre Channel N port to access the Fibre Channel storage devices on behalf of the iSCSI host.
iSCSI hosts are identified by either iSCSI qualified name (IQN) or IP address.

Initiator Identification
iSCSI hosts can be identified by the IPS module or MPS-14/2 module using the following:
iSCSI qualified name (IQN)
An iSCSI initiator is identified based on the iSCSI node name it provides in the iSCSI login. This
mode can be useful if an iSCSI host has multiple IP addresses and you want to provide the same
service independent of the IP address used by the host. An initiator with multiple IP addresses
(multiple network interface cards, or NICs) has one virtual N port on each IPS port to which it logs in.
IP address
An iSCSI initiator is identified based on the IP address of the iSCSI host. This mode is useful if an
iSCSI host has multiple IP addresses and you want to provide different service based on the IP
address used by the host. It is also easier to get the IP address of a host compared to getting the iSCSI
node name. A virtual N port is created for each IP address it uses to log in to iSCSI targets. If the
host using one IP address logs in to multiple IPS ports, each IPS port will create one virtual N port
for that IP address.
You can configure the iSCSI initiator identification mode on each IPS port and all the iSCSI hosts
terminating on the IPS port will be identified according to that configuration. The default mode is to
identify the initiator by name.
To specify the initiator identification mode using Fabric Manager, follow these steps:

Step 1 Choose Interfaces > FC Logical from the Physical Attributes pane.
You see the interfaces configuration in the Information pane.
Step 2 Select the iSCSI tab.
You see the iSCSI interfaces configuration.
Step 3 Right-click on the Initiator ID Mode field for the iSCSI interface that you want to modify and select
name or ipaddress from the drop-down menu.
Step 4 Click Apply Changes to save this change.

Initiator Presentation Modes


Two modes are available to present iSCSI hosts in the Fibre Channel fabric: transparent initiator mode
and proxy initiator mode.
In transparent initiator mode, each iSCSI host is presented as one virtual Fibre Channel host. The
benefit of transparent mode is that it allows a finer level of Fibre Channel access control configuration
(similar to managing a real Fibre Channel host). Because of the one-to-one mapping from iSCSI
to Fibre Channel, each host can have different zoning or LUN access control on the Fibre Channel
storage device.


In proxy initiator mode, there is only one virtual Fibre Channel host per one IPS port and all iSCSI
hosts use that to access Fibre Channel targets. In a scenario where the Fibre Channel storage device
requires explicit LUN access control for every host, the static configuration for each iSCSI initiator
can be overwhelming. In this case, using the proxy initiator mode simplifies the configuration.

Caution Enabling proxy initiator mode of an iSCSI interface that is part of an iSLB VRRP group impacts load
balancing on the interface. See the "Changing iSCSI Interface Parameters and the Impact on Load
Balancing" section on page 50-45.

The Cisco MDS switches support the following iSCSI session limits:
The maximum number of iSCSI sessions on a switch is 5000.
The maximum number of iSCSI sessions per IPS port in transparent initiator mode is 500.
The maximum number of iSCSI sessions per IPS port in proxy initiator mode is 500.
The maximum number of concurrent sessions an IPS port can create is five (but the total number of
sessions that can be supported is 500).

Note If more than five iSCSI sessions try to come up simultaneously on a port, the initiator receives a
temporary error and later retries to create a session.

Transparent Initiator Mode

Each iSCSI host is presented as one virtual Fibre Channel host (that is, one Fibre Channel N port). The
benefit of transparent mode is that it allows a finer level of Fibre Channel access control configuration.
Because of the one-to-one mapping from iSCSI to Fibre Channel, each host can have different zoning or
LUN access control on the Fibre Channel storage device.
When an iSCSI host connects to the IPS module or MPS-14/2 module, a virtual host N port (HBA port)
is created for the host (see Figure 50-17). Every Fibre Channel N port requires a unique Node WWN and
Port WWN.


Figure 50-17 Virtual Host HBA Port

[Figure: iSCSI hosts A, B, and C connect over the IP network to the MDS switch, which presents them as virtual FC hosts A, B, and C toward target T-1.]

After the virtual N port is created with the WWNs, a fabric login (FLOGI) is done through the virtual
iSCSI interface of the IPS port. After the FLOGI is completed, the virtual N port is online in the Fibre
Channel SAN and the virtual N port is registered in the Fibre Channel name server. The IPS module or
MPS-14/2 module registers the following entries in the Fibre Channel name server:
IP address of the iSCSI host in the IP-address field on the name server
IQN of the iSCSI host in the symbolic-node-name field of the name server
SCSI_FCP in the FC-4 type field of the name server
Initiator flag in the FC-4 feature of the name server
Vendor-specific iSCSI GW flag in the FC-4 type field to identify the N-port device as an iSCSI
gateway device in the name server.
When all the iSCSI sessions from the iSCSI host are terminated, the IPS modules or MPS-14/2 modules
perform an explicit Fabric logout (FLOGO) to remove the virtual N-port device from the Fibre Channel
SAN (this indirectly de-registers the device from the Fibre Channel name server).
For every iSCSI session from the host to the iSCSI virtual target there is a corresponding Fibre Channel
session to the real Fibre Channel target. In Figure 50-17, there are three iSCSI hosts and all three of them
connect to the same Fibre Channel target. There is one Fibre Channel session from each of the three
virtual Fibre Channel hosts to the target.

iSCSI Initiator Idle Timeout

iSCSI initiator idle timeout specifies the time for which the virtual Fibre Channel N port is kept idle after
the initiator logs out from its last iSCSI session. The default value for this timer is 300 seconds. This is
useful to avoid N ports logging in to and logging off of the Fibre Channel SAN when transient failures occur
in the IP network. This helps reduce unnecessary RSCNs being generated in the Fibre Channel SAN.
To configure the initiator idle timeout using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSCSI in the Physical Attributes pane.
You see the iSCSI tables in the Information pane (see Figure 50-5).


Step 2 Click the Globals tab.


You see the iSCSI global configuration.
Step 3 Right-click on the InitiatorIdle Timeout field that you want to modify and enter the new timeout value.
Step 4 Click the Apply Changes icon to save these changes.

WWN Assignment for iSCSI Initiators

An iSCSI host is mapped to an N port's WWNs by one of the following mechanisms:


Dynamic mapping (default)
Static mapping

Dynamic Mapping
With dynamic mapping, an iSCSI host is mapped to a dynamically generated port WWN (pWWN) and
node WWN (nWWN). Each time the iSCSI host connects it might be mapped to a different WWN. Use
this option if no access control is required on the Fibre Channel target device (because the target device
access control is usually configured using the host WWN).
The WWNs are allocated from the MDS switch's WWN pool. The WWN mapping to the iSCSI host is
maintained as long as the iSCSI host has at least one iSCSI session to the IPS port. When all iSCSI
sessions from the host are terminated and the IPS module or MPS-14/2 module performs an FLOGO for
the virtual N port of the host, the WWNs are released back to the switch's Fibre Channel WWN pool.
These addresses are then available for assignment to other iSCSI hosts requiring access to the Fibre
Channel Fabric.
The following three dynamic initiator modes are supported:
iSCSI: Dynamic initiators are treated as iSCSI initiators and can access dynamic virtual targets and
configured iSCSI virtual targets.
iSLB: Dynamic initiators are treated as iSLB initiators.
Deny: Dynamic initiators are not allowed to log in to the MDS switch.
iSCSI dynamic mapping is the default mode of operation. This configuration is distributed using CFS.

Note Configuring dynamic initiator modes is supported only through the CLI, not through Device Manager or
Fabric Manager.

Static Mapping
With static mapping, an iSCSI host is mapped to a specific pWWN and nWWN. This mapping is
maintained in persistent storage and each time the iSCSI host connects, the same WWN mapping is used.
This mode is required if you use access control on the target device.
You can implement static mapping in one of two ways:
User assignment: You can specify your own unique WWNs by providing them during the
configuration process.
System assignment: You can request that the switch provide a WWN from the switch's Fibre
Channel WWN pool and keep the mapping in its configuration.


Tip We recommend using the system-assign option. If you manually assign a WWN, you must
ensure its uniqueness (see the "World Wide Names" section on page 37-5). You should not use
any previously assigned WWNs.

To configure static mapping for an iSCSI initiator using Device Manager, follow these steps:

Step 1 Select IP > iSCSI.


You see the iSCSI configuration (see Figure 50-10). The Initiators tab is the default.
Step 2 Click Create to create an iSCSI initiator.
You see the Create iSCSI Initiators dialog box shown in Figure 50-18.

Figure 50-18 Create iSCSI Initiators Dialog Box

Step 3 Set the iSCSI node name or IP address and VSAN membership.
Step 4 In the Node WWN section, check the Persistent check box.
Step 5 Check the System Assigned check box if you want the switch to assign the nWWN or leave this
unchecked and set the Static WWN field.
Step 6 In the Port WWN section, check the Persistent check box if you want to statically map pWWNs to the
iSCSI initiator.
Step 7 If persistent, check the System Assigned check box and set the number of pWWNs to reserve for this
iSCSI initiator if you want the switch to assign pWWNs. Alternately, you can leave this unchecked and
set one or more pWWNs for this iSCSI initiator.


Step 8 Optionally set the AuthUser field if authentication is enabled. Also see the "iSCSI Session
Authentication" section on page 50-28.
Step 9 Click Create to create this iSCSI initiator.

Note If the system-assign option is used to configure WWNs for an iSCSI initiator, when the configuration is
saved to an ASCII file the system-assigned WWNs are also saved. Subsequently if you perform a write
erase, you must manually delete the WWN configuration from the ASCII file. Failing to do so can cause
duplicate WWN assignments if the ASCII configuration file is reapplied on the switch.

Making the Dynamic iSCSI Initiator WWN Mapping Static


After a dynamic iSCSI initiator has already logged in, you may decide to permanently keep the
automatically assigned nWWN/pWWN mapping so this initiator uses the same mapping the next time it
logs in.
You can convert a dynamic iSCSI initiator to a static iSCSI initiator and make its WWNs persistent (see
the "Dynamic Mapping" section on page 50-17).

Note You cannot convert a dynamic iSCSI initiator to a static iSLB initiator or a dynamic iSLB initiator to a
static iSCSI initiator.

Note Making the dynamic pWWNs static after the initiator is created is supported only through the CLI, not
through Device Manager or Fabric Manager. In Fabric Manager or Device Manager, you must delete and
then recreate this initiator to have the pWWNs static.

Checking for WWN Conflicts


WWNs assigned to static iSCSI initiators by the system can be inadvertently returned to the system when
an upgrade fails or you downgrade the system software. In these instances, the system can later assign
those WWNs to other iSCSI initiators (dynamic or static) and cause conflicts.
You can address this problem by checking for and removing any configured WWNs that belong to the
system whenever such scenarios occur.
To permanently keep the automatically assigned nWWN mapping using Fabric Manager, follow these
steps:

Step 1 Choose End Devices > iSCSI in the Physical Attributes pane.
You see the iSCSI tables in the Information pane (see Figure 50-5).
Step 2 Click the Initiators tab.
You see the iSCSI initiators configured.
Step 3 Check the Persistent Node WWN check box for the iSCSI initiators that you want to make static.
Step 4 Click the Apply Changes icon to save these changes.


Proxy Initiator Mode

If the Fibre Channel storage device requires explicit LUN access control for every host, using the
transparent initiator mode (presenting one iSCSI host as one Fibre Channel host) means every
iSCSI host has to be configured statically. This can mean several configuration tasks for each iSCSI host.
In this case, using the proxy initiator mode simplifies the configuration.
In this mode, only one virtual host N port (HBA port) is created per IPS port. All the iSCSI hosts
connecting to that IPS port will be multiplexed using the same virtual host N port (see Figure 50-19).
This mode simplifies the task of statically binding WWNs. LUN mapping and assignment on the Fibre
Channel storage array must be configured to allow access from the proxy virtual N port's pWWN for all
LUNs used by each iSCSI initiator that connects through this IPS port. The LUN is then assigned to each
iSCSI initiator by configuring iSCSI virtual targets (see the "Static Mapping" section on page 50-10)
with LUN mapping and iSCSI access control (see the "iSCSI Access Control" section on page 50-24).

Figure 50-19 Multiplexing IPS Ports

[Figure: Hosts A, B, and C connect over the IP network using iSCSI to the MDS switch, where a single proxy initiator host represents them.]

Proxy initiator mode can be configured on a per IPS port basis, in which case only iSCSI initiators
terminating on that IPS port will be in this mode.
When an IPS port is configured in proxy-initiator mode, fabric login (FLOGI) is done through the virtual
iSCSI interface of the IPS port. After the FLOGI is completed, the proxy-initiator virtual N port is online
in the Fibre Channel fabric and the virtual N port is registered in the Fibre Channel name server. The IPS
module or MPS-14/2 module registers the following entries in the Fibre Channel name server:
iSCSI interface name iSCSI slot/port is registered in the symbolic-node-name field of the name
server
SCSI_FCP in the FC-4 type field of the name server
Initiator flag in the FC-4 feature of the name server
Vendor specific flag (iscsi-gw) in the FC-4 type field to identify the N-port device as an iSCSI
gateway device in the name server
Similar to transparent initiator mode, the user can provide a pWWN and nWWN or request a system
assigned WWN for the proxy initiator N port.


Caution Enabling the proxy initiator mode of an iSCSI interface that is part of an iSLB VRRP group impacts load
balancing on the interface. See the "Changing iSCSI Interface Parameters and the Impact on Load
Balancing" section on page 50-45.

To configure the proxy initiator using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Interfaces and then select FC Logical in the Physical Attributes pane.
You see the Interface tables in the Information pane (see Figure 50-20).

Figure 50-20 FC Logical Interface Tables

Step 2 In Device Manager, click Interface > Ethernet and iSCSI.


You see the Ethernet Interfaces and iSCSI dialog box shown in Figure 50-21.

Figure 50-21 Ethernet Interfaces and iSCSI Dialog Box

Step 3 Click the iSCSI tab in either FM or DM.


You see the iSCSI interface configuration table (see Figure 50-22).


Figure 50-22 iSCSI Tab in Device Manager

Step 4 Check the Proxy Mode Enable check box.


Step 5 Click the Apply Changes icon in Fabric Manager or click Apply in Device Manager to save these
changes.

Note When an interface is in proxy initiator mode, you can only configure Fibre Channel access control
(zoning) based on the iSCSI interface's proxy N port attributes: the WWN pairs or the FC ID. You
cannot configure zoning using iSCSI attributes such as IP address or IQN of the iSCSI initiator. To
enforce initiator-based access control, use iSCSI-based access control (see the "iSCSI Access Control"
section on page 50-24).

VSAN Membership for iSCSI


Similar to Fibre Channel devices, iSCSI devices have two mechanisms by which VSAN membership can
be defined.
iSCSI host: VSAN membership to iSCSI host. (This method takes precedence over the iSCSI
interface.)
iSCSI interface: VSAN membership to iSCSI interface. (All iSCSI hosts connecting to this iSCSI
interface inherit the interface VSAN membership if the host is not configured in any VSAN by the
iSCSI host method.)

VSAN Membership for iSCSI Hosts

Individual iSCSI hosts can be configured to be in a specific VSAN (similar to the DPVM feature for
Fibre Channel, see Chapter 28, "Creating Dynamic VSANs"). The specified VSAN overrides the iSCSI
interface VSAN membership.
To assign VSAN membership for iSCSI hosts using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSCSI in the Physical Attributes pane.
You see the iSCSI tables in the Information pane (see Figure 50-5).
Step 2 Select the Initiators tab.
You see the iSCSI initiators configured.
Step 3 Fill in the VSAN Membership field to assign a VSAN to the iSCSI hosts.


Step 4 Click the Apply Changes icon to save these changes.

Note When an initiator is configured in any other VSAN (other than VSAN 1), for example VSAN 2, the
initiator is automatically removed from VSAN 1. If you also want it to be present in VSAN 1, you must
explicitly configure the initiator in VSAN 1.

VSAN Membership for iSCSI Interfaces

VSAN membership can be configured for an iSCSI interface, called the port VSAN. All the iSCSI
devices that connect to this interface automatically become members of this VSAN, if they are not explicitly
configured in a VSAN. In other words, the port VSAN of an iSCSI interface is the default VSAN for all
dynamic iSCSI initiators. The default port VSAN of an iSCSI interface is VSAN 1.

Caution Changing the VSAN membership of an iSCSI interface that is part of an iSLB VRRP group impacts load
balancing on the interface. See the "Changing iSCSI Interface Parameters and the Impact on Load
Balancing" section on page 50-45.

To change the default port VSAN for an iSCSI interface using Device Manager, follow these steps:

Step 1 Choose Interface > Ethernet and iSCSI.


You see the Ethernet Interfaces and iSCSI dialog box (see Figure 50-21).
Step 2 Click the iSCSI tab.
You see the iSCSI interface configuration table (see Figure 50-22).
Step 3 Double-click the PortVSAN column and modify the default port VSAN.
Step 4 Click Apply to save these changes.

Example of VSAN Membership for iSCSI Devices


Figure 50-23 provides an example of VSAN membership for iSCSI devices:
iSCSI interface 1/1 is a member of VSAN Y.
iSCSI initiator host A has explicit VSAN membership to VSAN X.
Three iSCSI initiators (host A, host B, and host C) connect to iSCSI interface 1/1.


Figure 50-23 VSAN Membership for iSCSI Interfaces

[Figure: Host A (VSAN X), Host B, and Host C connect over the IP network to iSCSI interface 1/1 (port VSAN = Y) on the MDS switch, which creates Virtual Host A, Virtual Host B, and Virtual Host C. The fabric side shows VSAN X and VSAN Y with targets T1 and T2.]

Host A's virtual Fibre Channel N port will be added to VSAN X because of explicit membership for the
initiator. The virtual host-B and host-C N ports do not have any explicit membership configuration so
they will inherit the iSCSI interface VSAN membership and be part of VSAN Y.

Advanced VSAN Membership for iSCSI Hosts


An iSCSI host can be a member of multiple VSANs. In this case multiple virtual Fibre Channel hosts
are created, one in each VSAN in which the iSCSI host is a member. This configuration is useful when
certain resources such as Fibre Channel tape devices need to be shared among different VSANs.

iSCSI Access Control


Two mechanisms of access control are available for iSCSI devices:
Fibre Channel zoning-based access control
iSCSI ACL-based access control
Depending on the initiator mode used to present the iSCSI hosts in the Fibre Channel fabric, either or
both the access control mechanisms can be used.
The following topics are included in this section:
Fibre Channel Zoning-Based Access Control, page 50-25
iSCSI-Based Access Control, page 50-26
Enforcing Access Control, page 50-27


Fibre Channel Zoning-Based Access Control


Cisco SAN-OS and NX-OS 4.1(1b) VSAN and zoning concepts have been extended to cover both Fibre
Channel devices and iSCSI devices. Zoning is the standard access control mechanism for Fibre Channel
devices, which is applied within the context of a VSAN. Fibre Channel zoning has been extended to
support iSCSI devices, and this extension has the advantage of having a uniform, flexible access control
mechanism across the whole SAN.
Common mechanisms for identifying members of a Fibre Channel zone are the following (see
Chapter 30, "Configuring and Managing Zones" for details on Fibre Channel zoning):
Fibre Channel device pWWN.
Interface and switch WWN. A device connecting via that interface is within the zone.
In the case of iSCSI, multiple iSCSI devices may be connected behind an iSCSI interface.
Interface-based zoning may not be useful because all the iSCSI devices behind the interface will
automatically be within the same zone.
In transparent initiator mode (where one Fibre Channel virtual N port is created for each iSCSI host as
described in the "Transparent Initiator Mode" section on page 50-15), if an iSCSI host has static WWN
mapping then the standard Fibre Channel device pWWN-based zoning membership mechanism can be
used.
The zoning membership mechanism has been enhanced to add iSCSI devices to zones based on the
following:
IPv4 address/subnet mask
IPv6 address/prefix length
iSCSI qualified name (IQN)
Symbolic-node-name (IQN)
For iSCSI hosts that do not have a static WWN mapping, the feature allows the IP address or iSCSI node
name to be specified as zone members. Note that iSCSI hosts that have static WWN mapping can also
use these features. IP address based zone membership allows multiple devices to be specified in one
command by providing the subnet mask.

Note In proxy initiator mode, all iSCSI devices connecting to an IPS port gain access to the Fibre Channel
fabric through a single virtual Fibre Channel N port. Thus, zoning based on the iSCSI node name or IP
address will not have any effect. If zoning based on pWWN is used, then all iSCSI devices connecting
to that IPS port will be put in the same zone. To implement individual initiator access control in proxy
initiator mode, configure an iSCSI ACL on the virtual target (see the "iSCSI-Based Access Control"
section on page 50-26).

To add an iSCSI initiator to the zone database using Fabric Manager, follow these steps:

Step 1 Choose Zone > Edit Local Full Zone Database.


You see the Edit Local Zone Database dialog box shown in Figure 50-24.


Figure 50-24 Edit Local Zone Database Dialog Box in Fabric Manager

Step 2 Select the VSAN you want to add the iSCSI host initiator to and click OK.
You see the available zones and zone sets for that VSAN (see Figure 50-25).

Figure 50-25 Available Zones and Zone Sets

Step 3 From the list of available devices with iSCSI host initiators, drag the initiators to add into the zone.
Step 4 Click Distribute to distribute the change.

iSCSI-Based Access Control


iSCSI-based access control is applicable only if static iSCSI virtual targets are created (see the "Static
Mapping" section on page 50-10). For a static iSCSI target, you can configure a list of iSCSI initiators
that are allowed to access the targets.
By default, static iSCSI virtual targets are not accessible to any iSCSI host. You must explicitly configure
accessibility to allow an iSCSI virtual target to be accessed by all hosts. The initiator access list can
contain one or more initiators. The iSCSI initiator can be identified by one of the following mechanisms:
iSCSI node name
IPv4 address and subnet


IPv6 address

Note For a transparent mode iSCSI initiator, if both Fibre Channel zoning and iSCSI ACLs are used, then for
every static iSCSI target that is accessible to the iSCSI host, the initiator's virtual N port should be in
the same Fibre Channel zone as the Fibre Channel target.

To configure access control in iSCSI using Device Manager, follow these steps:

Step 1 Select IP > iSCSI.


You see the iSCSI configuration (see Figure 50-10).
Step 2 Select the Targets tab.
You see the iSCSI virtual targets.
Step 3 Uncheck the Initiators Access All check box if checked.
Step 4 Click Edit Access.
You see the Initiators Access dialog box.
Step 5 Click Create to add more initiators to the Initiator Access list.
You see the Create Initiators Access dialog box.
Step 6 Add the name or IP address for the initiator that you want to permit for this virtual target.
Step 7 Click Create to add this initiator to the Initiator Access List.

Enforcing Access Control


IPS modules and MPS-14/2 modules use both iSCSI and Fibre Channel zoning-based access control lists
to enforce access control. Access control is enforced both during the iSCSI discovery phase and the
iSCSI session creation phase. Access control enforcement is not required during the I/O phase because
the IPS module or MPS-14/2 module is responsible for the routing of iSCSI traffic to Fibre Channel.
iSCSI discovery phase: When an iSCSI host creates an iSCSI discovery session and queries for all
iSCSI targets, the IPS module or MPS-14/2 module returns only the list of iSCSI targets this iSCSI
host is allowed to access based on the access control policies discussed in the previous section. The
IPS module or MPS-14/2 module does this by querying the Fibre Channel name server for all the
devices in the same zone as the initiator in all VSANs. It then filters out the devices that are initiators
by looking at the FC4-feature field of the FCNS entry. (If a device does not register as either initiator
or target in the FC4-feature field, the IPS module or MPS-14/2 module will advertise it.) It then
responds to the iSCSI host with the list of targets. Each will have either a static iSCSI target name
that you configure or a dynamic iSCSI target name that the IPS module or MPS-14/2 module creates
for it (see the "Dynamic Mapping" section on page 50-8).
iSCSI session creation: When an IP host initiates an iSCSI session, the IPS module or MPS-14/2
module verifies if the specified iSCSI target (in the session login request) is allowed by both the
access control mechanisms described in the "iSCSI-Based Access Control" section on page 50-26.
If the iSCSI target is a static mapped target, the IPS module or MPS-14/2 module verifies if the
iSCSI host is allowed within the access list of the iSCSI target. If the IP host does not have access,
its login is rejected. If the iSCSI host is allowed, it validates if the virtual Fibre Channel N port used
by the iSCSI host and the Fibre Channel target mapped to the static iSCSI virtual target are in the
same Fibre Channel zone.

If the iSCSI target is an autogenerated iSCSI target, then the IPS module or MPS-14/2 module
extracts the WWN of the Fibre Channel target from the iSCSI target name and verifies that the initiator
and the Fibre Channel target are in the same Fibre Channel zone. If they are, then access is
allowed.
The IPS module or MPS-14/2 module uses the Fibre Channel virtual N port of the iSCSI host and does
a zone-enforced name server query for the Fibre Channel target WWN. If the FC ID is returned by the
name server, then the iSCSI session is accepted. Otherwise, the login request is rejected.
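
The two enforcement points described above can be modeled in a few lines. The following is an added example, not code from the switch or from this guide; the class names, the sample WWNs and IQNs, and the dynamic target name prefix are constructed for illustration (the real autogenerated name format is defined in the Dynamic Mapping section).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed prefix standing in for the autogenerated target name format.
DYNAMIC_PREFIX = "iqn.2000-01.example.gateway:dyn."


@dataclass(frozen=True)
class FcnsEntry:
    """One Fibre Channel name server (FCNS) registration."""
    pwwn: str
    vsan: int
    fc4_feature: Optional[str]  # "initiator", "target", or None if not registered


@dataclass(frozen=True)
class StaticTarget:
    """A statically mapped iSCSI virtual target and its initiator access list."""
    iqn: str
    fc_pwwn: str
    access_list: frozenset


class Gateway:
    def __init__(self, fcns, zones, static_targets):
        self.fcns = list(fcns)
        self.zones = zones  # {vsan: [frozenset of member pWWNs, ...]}
        self.by_iqn = {t.iqn: t for t in static_targets}
        self.by_pwwn = {t.fc_pwwn: t for t in static_targets}

    def zoned_query(self, nport, target_pwwn):
        """Zone-enforced name server query: the entry, or None if not visible."""
        for e in self.fcns:
            if e.pwwn == target_pwwn and any(
                nport in z and e.pwwn in z for z in self.zones.get(e.vsan, [])
            ):
                return e
        return None

    def discover(self, initiator_name, nport):
        """Target names returned to this host during the discovery phase."""
        names = []
        for e in self.fcns:
            if e.pwwn == nport or e.fc4_feature == "initiator":
                continue  # devices registered as initiators are filtered out
            if self.zoned_query(nport, e.pwwn) is None:
                continue  # no common zone with the host's virtual N port
            static = self.by_pwwn.get(e.pwwn)
            if static is None:
                names.append(DYNAMIC_PREFIX + e.pwwn)  # includes FC4-less devices
            elif initiator_name in static.access_list:
                names.append(static.iqn)
        return sorted(names)

    def login(self, initiator_name, nport, target_iqn):
        """Return (accepted, reason) for a session login request."""
        static = self.by_iqn.get(target_iqn)
        if static is not None:
            if initiator_name not in static.access_list:
                return False, "initiator not in target access list"
            pwwn = static.fc_pwwn
        elif target_iqn.startswith(DYNAMIC_PREFIX):
            pwwn = target_iqn[len(DYNAMIC_PREFIX):]  # WWN taken from the name
        else:
            return False, "unknown target"
        if self.zoned_query(nport, pwwn) is None:
            return False, "name server returned no FC ID"
        return True, "accepted"


# Constructed sample fabric.
HOST, HOST_NPORT = "iqn.1991-05.com.example:host1", "20:00:00:00:00:00:00:01"
OTHER, OTHER_NPORT = "iqn.1991-05.com.example:host2", "20:00:00:00:00:00:00:02"
DISK_A, DISK_B = "50:00:00:00:00:00:00:0a", "50:00:00:00:00:00:00:0b"
TAPE_C, DISK_D = "50:00:00:00:00:00:00:0c", "50:00:00:00:00:00:00:0d"
DISK_E = "50:00:00:00:00:00:00:0e"
DISK_A_IQN, DISK_E_IQN = "iqn.2000-01.example:disk-a", "iqn.2000-01.example:disk-e"


def build_demo():
    fcns = [
        FcnsEntry(HOST_NPORT, 1, "initiator"), FcnsEntry(OTHER_NPORT, 1, "initiator"),
        FcnsEntry(DISK_A, 1, "target"), FcnsEntry(DISK_B, 2, "target"),
        FcnsEntry(TAPE_C, 1, None), FcnsEntry(DISK_D, 1, "target"),
        FcnsEntry(DISK_E, 1, "target"),
    ]
    zones = {
        1: [frozenset({HOST_NPORT, OTHER_NPORT, DISK_A, TAPE_C, DISK_E}),
            frozenset({OTHER_NPORT, DISK_D})],
        2: [frozenset({HOST_NPORT, DISK_B})],
    }
    static = [StaticTarget(DISK_A_IQN, DISK_A, frozenset({HOST})),
              StaticTarget(DISK_E_IQN, DISK_E, frozenset({OTHER}))]
    return Gateway(fcns, zones, static)
```

In this sample, host1 is zoned with disk-e but is absent from its access list, so the target is neither advertised nor reachable by a direct login, which shows why both mechanisms have to agree.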

iSCSI Session Authentication


The IPS module or MPS-14/2 module supports the iSCSI authentication mechanism to authenticate the
iSCSI hosts that request access to the storage devices. By default, the IPS modules or MPS-14/2 modules
allow CHAP or None authentication of iSCSI initiators. If authentication must always be used, you must
configure the switch to allow only CHAP authentication.
For CHAP user name or secret validation, you can use any method supported and allowed by the Cisco
MDS AAA infrastructure (see Chapter 41, Configuring RADIUS and TACACS+). AAA
authentication supports a RADIUS, TACACS+, or local authentication device.
To configure AAA authentication for an iSCSI user using Fabric Manager, follow these steps:

Step 1 Choose Switches > Security > AAA in the Physical Attributes pane.
You see the AAA configuration in the Information pane.
Step 2 Click the Applications tab.
You see the AAA configuration per application (see Figure 50-26).

Figure 50-26 AAA per Application Configuration

Step 3 Right-click on the ServerGroup Id List field for the iSCSI application and enter the server group that you
want iSCSI to use.

Note You should use an existing server group or create a new server group before configuring it for
iSCSI session authentication.

Step 4 Click the Apply Changes icon to save these changes.

The sections included in this topic are:

Authentication Mechanism
Local Authentication
Restricting iSCSI Initiator Authentication
Mutual CHAP Authentication
Configuring an iSCSI RADIUS Server

Authentication Mechanism
You can configure iSCSI CHAP or None authentication at both the global level and at each interface
level.
The authentication for a Gigabit Ethernet interface or subinterface overrides the authentication method
configured at the global level.
To configure AAA authentication for an iSCSI user using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSCSI in the Physical Attributes pane.
You see the iSCSI tables in the Information pane (see Figure 50-5).
Step 2 Click the Globals tab.
You see the iSCSI authentication configuration table.
Step 3 Select chap or none from the authMethod column.
Step 4 Click the Apply Changes icon in Fabric Manager to save these changes.

To configure the authentication mechanism for iSCSI sessions to a particular interface using Fabric
Manager, follow these steps:

Step 1 Choose Switches > Interfaces > Gigabit Ethernet in the Physical Attributes pane.
You see the Gigabit Ethernet configuration in the Information pane.
Step 2 Click the iSNS tab.
You see the iSCSI and iSNS configuration (see Figure 50-27).

Figure 50-27 Configuring iSCSI Authentication on an Interface

Step 3 Right-click on the IscsiAuthMethod field and select none or chap.


Step 4 Click the Apply Changes icon to save these changes.

Local Authentication
See the Configuring Users section on page 39-12 to create the local password database. To create users
in the local password database for the iSCSI initiator, the iSCSI keyword is mandatory.
To configure iSCSI users for local authentication using Device Manager, follow these steps:

Step 1 Choose Security > iSCSI.


You see the iSCSI Security dialog box shown in Figure 50-28.

Figure 50-28 iSCSI Security Dialog Box

Step 2 Complete the iSCSI User, Password, and Password Confirmation fields.
Step 3 Click Create to save this new user.

Restricting iSCSI Initiator Authentication


By default, the iSCSI initiator can use any user name in the RADIUS server or in the local database in
authenticating itself to the IPS module or MPS-14/2 module (the CHAP user name is independent of the
iSCSI initiator name). The IPS module or MPS-14/2 module allows the initiator to log in as long as it
provides a correct response to the CHAP challenge sent by the switch. This can be a problem if one
CHAP user name and password have been compromised, because any initiator can then log in with them.
To restrict an initiator to use a specific user name for CHAP authentication using Fabric Manager, follow
these steps:

Step 1 Choose End Devices > iSCSI in the Physical Attributes pane.
You see the iSCSI tables in the Information pane (see Figure 50-5).
Step 2 Right-click the AuthUser field and enter the user name to which you want to restrict the iSCSI initiator.
Step 3 Click the Apply Changes icon to save these changes.

Mutual CHAP Authentication


In addition to the IPS module or MPS-14/2 module authentication of the iSCSI initiator, the IPS module
or MPS-14/2 module also supports a mechanism for the iSCSI initiator to authenticate the Cisco MDS
switch's iSCSI target during the iSCSI login phase. This authentication requires the user to configure a
user name and password for the switch to present to the iSCSI initiator. The provided password is used
to calculate a CHAP response to a CHAP challenge sent to the IPS port by the initiator.

To configure a global iSCSI target user name and password to be used by the switch to authenticate itself
to an initiator using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSCSI in the Physical Attributes pane.
You see the iSCSI tables in the Information pane (see Figure 50-5).
Step 2 Select the Globals tab.
You see the global iSCSI configuration.
Step 3 Fill in the Target UserName and Target Password fields.
Step 4 Click the Apply Changes icon to save these changes.

To configure a per-initiator iSCSI target's user name and password used by the switch to authenticate
itself to an initiator using Device Manager, follow these steps:

Step 1 Choose IP > iSCSI.


You see the iSCSI configuration (see Figure 50-10).
Step 2 Complete the Target UserName and Target Password fields for the initiator that you want to configure.
Step 3 Click Create to add this initiator to the Initiator Access List.
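
The effect of the AuthUser restriction and of mutual CHAP can be seen by working through the CHAP computation. The following is an added example, not code from the switch or from this guide; it uses the standard CHAP MD5 response from RFC 1994, and the class, user names, initiator names, and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class SwitchAuth:
    """Hypothetical model of the switch side of iSCSI CHAP."""

    def __init__(self, users, auth_user=None, target_user=None):
        self.users = users                # CHAP user name -> secret (local or RADIUS)
        self.auth_user = auth_user or {}  # initiator name -> required CHAP user name
        self.target_user = target_user    # (name, secret) the switch presents

    def new_challenge(self):
        return os.urandom(1)[0], os.urandom(16)

    def verify(self, initiator_name, chap_name, ident, challenge, response):
        required = self.auth_user.get(initiator_name)
        if required is not None and chap_name != required:
            return False  # AuthUser set: this initiator may use only that name
        secret = self.users.get(chap_name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)

    def respond(self, ident, challenge):
        """Mutual CHAP: answer the initiator's challenge with the target secret."""
        name, secret = self.target_user
        return name, chap_response(ident, secret, challenge)


def initiator_login(switch, initiator_name, chap_name, secret, expect_target=None):
    """Run one login; expect_target=(name, secret) enables mutual CHAP."""
    ident, challenge = switch.new_challenge()
    answer = chap_response(ident, secret, challenge)
    if not switch.verify(initiator_name, chap_name, ident, challenge, answer):
        return "rejected"
    if expect_target is not None:
        t_ident, t_challenge = os.urandom(1)[0], os.urandom(16)
        name, resp = switch.respond(t_ident, t_challenge)
        exp_name, exp_secret = expect_target
        expected = chap_response(t_ident, exp_secret, t_challenge)
        if name != exp_name or not hmac.compare_digest(expected, resp):
            return "target not authenticated"
    return "accepted"


def run_scenarios():
    # Constructed credentials and names.
    users = {"dbuser": b"db-secret-constructed", "webuser": b"web-secret-constructed"}
    target = ("mds-target", b"switch-secret-constructed")
    web01 = "iqn.1991-05.com.example:web01"
    default = SwitchAuth(users, target_user=target)
    restricted = SwitchAuth(users, auth_user={web01: "webuser"}, target_user=target)
    return {
        # Default: the CHAP user name is independent of the initiator name.
        "default_other_user": initiator_login(default, web01, "dbuser", users["dbuser"]),
        # AuthUser set for web01: the same credentials are refused.
        "restricted_other_user": initiator_login(restricted, web01, "dbuser", users["dbuser"]),
        "restricted_own_user": initiator_login(restricted, web01, "webuser", users["webuser"]),
        # Mutual CHAP: the initiator checks the switch's response.
        "mutual_ok": initiator_login(restricted, web01, "webuser", users["webuser"],
                                     expect_target=target),
        "mutual_wrong_target": initiator_login(restricted, web01, "webuser", users["webuser"],
                                               expect_target=("mds-target", b"other")),
    }
```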

Configuring an iSCSI RADIUS Server


To configure an iSCSI RADIUS server, follow these steps:

Step 1 Configure the RADIUS server to allow access from the Cisco MDS switch's management Ethernet IP
address.
Step 2 Configure the shared secret for the RADIUS server to authenticate the Cisco MDS switch.
Step 3 Configure the iSCSI users and passwords on the RADIUS server.

iSCSI Immediate Data and Unsolicited Data Features


Cisco MDS switches support the iSCSI immediate data and unsolicited data features if requested by the
initiator during the login negotiation phase. Immediate data is iSCSI write data contained in the data
segment of an iSCSI command protocol data unit (PDU), such as combining the write command and
write data together in one PDU. Unsolicited data is iSCSI write data that an initiator sends to the iSCSI
target, such as an MDS switch, in an iSCSI data-out PDU without having to receive an explicit ready to
transfer (R2T) PDU from the target.
These two features help reduce I/O time for small write commands because they remove one round-trip
between the initiator and the target for the R2T PDU. As an iSCSI target, the MDS switch allows up to
64 KB of unsolicited data per command. This is controlled by the FirstBurstLength parameter during
the iSCSI login negotiation phase.

If an iSCSI initiator supports immediate data and unsolicited data features, these features are
automatically enabled on the MDS switch with no configuration required.

iSCSI Interface Advanced Features


Advanced configuration options are available for iSCSI interfaces on a per-IPS port basis. These
configurations are similar to the advanced FCIP configurations and are already explained in that section.
Cisco MDS switches support the following advanced features for iSCSI interfaces:
iSCSI Listener Port
TCP Tuning Parameters
QoS
iSCSI Routing Modes

iSCSI Listener Port


You can configure the TCP port number for the iSCSI interface that listens for new TCP connections.
The default port number is 3260. Once you change the TCP port number, the iSCSI port only accepts
TCP connections on the newly configured port.

TCP Tuning Parameters


You can configure the following TCP parameters:
Minimum retransmit timeout (See the Minimum Retransmit Timeout section on page 48-19.)
Keepalive timeout (See the Keepalive Timeout section on page 48-19.)
Maximum retransmissions (See the Maximum Retransmissions section on page 48-19.)
Path MTU (See the Path MTUs section on page 48-20.)
SACK (SACK is enabled by default for iSCSI TCP configurations.)
Window management (The iSCSI defaults are max-bandwidth is 1 Gbps, min-available-bandwidth is 70 Mbps, and round-trip-time is 1 msec.) (See the Window Management section on page 48-20.)
Buffer size (The iSCSI default send buffer size is 4096 KB.) (See the Buffer Size section on page 48-21.)
Window congestion monitoring (enabled by default and the default burst size is 50 KB) (See the Monitoring Congestion section on page 48-20.)
Maximum delay jitter (enabled by default and the default time is 500 microseconds)

QoS
To set the QoS values using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Interfaces and then select FC Logical in the Physical Attributes pane.
You see the Interface tables in the Information pane (see Figure 50-20).
Step 2 In Device Manager, choose Interface > Ethernet and iSCSI.

You see the Ethernet Interfaces and iSCSI dialog box (see Figure 50-21).
Step 3 Click the iSCSI TCP tab in either Fabric Manager or Device Manager.
You see the iSCSI TCP configuration table.
Step 4 Set the QoS field from 1 to 6.
Step 5 Click the Apply Changes icon in Fabric Manager or click Apply in Device Manager to save these
changes.

iSCSI Routing Modes


Cisco MDS 9000 Family switches support multiple iSCSI routing modes. Each mode negotiates different
operational parameters, has different advantages and disadvantages, and is suitable for different usages.
Pass-thru mode
In pass-thru mode, the port on the IPS module or MPS 14/2 module converts and forwards read data
frames from the Fibre Channel target to the iSCSI host frame-by-frame without buffering. This
means that one data-in frame received is immediately sent out as one iSCSI data-in PDU.
In the opposite direction, the port on the IPS module or MPS 14/2 module limits the maximum size
of iSCSI write data-out PDU that the iSCSI host can send to the maximum data size that the Fibre
Channel target specifies that it can receive. The result is that each iSCSI data-out PDU received is sent out
as one Fibre Channel data frame to the Fibre Channel target.
The absence of buffering in both directions leads to an advantage of lower forwarding latency.
However, a small maximum data segment length usually results in lower data transfer performance
from the host because of a higher processing overhead by the host system. Another benefit of this
mode is that the iSCSI data digest can be enabled. This helps protect the integrity of iSCSI data carried in
the PDU beyond what the TCP checksum offers.
Store-and-forward mode (default)
In store-and-forward mode, the port on the IPS module or MPS 14/2 module assembles all the Fibre
Channel data frames of an exchange to build one large iSCSI data-in PDU before forwarding it to
the iSCSI client.
In the opposite direction, the port on the IPS module or MPS 14/2 module does not impose a small
data segment size on the host so the iSCSI host can send an iSCSI data-out PDU of any size (up to
256 KB). The port then waits until the whole iSCSI data-out PDU is received before it converts, or
splits, the PDU, and forwards Fibre Channel frames to the Fibre Channel target.
The advantage of this mode is higher data transfer performance from the host. The disadvantages
are higher transfer latency and that the iSCSI data digest (CRC) cannot be used.

Note The store-and-forward mode is the default forwarding mode.

Cut-through mode
Cut-through mode improves the read operation performance over store-and-forward mode. The port
on the IPS module or MPS 14/2 module achieves this by forwarding each Fibre Channel data-in
frame to the iSCSI host as it is received without waiting for the whole exchange to complete. There is
no difference for write data-out operations from store-and-forward mode.
Figure 50-29 compares the messages exchanged by the iSCSI routing modes.

Figure 50-29 iSCSI Routing Modes

(Message-sequence diagram with three panels, Pass-Thru, Store-Forward, and Cut-Thru, each showing the exchange between the iSCSI initiator, the MDS switch, and the FC target.)

Table 50-1 compares the advantages and disadvantages of the different iSCSI routing modes.

Table 50-1 Comparison of iSCSI Routing Modes

| Mode | Advantages | Disadvantages |
|---|---|---|
| Pass-thru | Low latency. Data digest can be used. | Lower data transfer performance. |
| Store-and-forward | Higher data transfer performance. | Data digest cannot be used. |
| Cut-thru | Improved read performance over store-and-forward. | If the Fibre Channel target sends read data for different commands interchangeably, data of the first command is forwarded in cut-thru mode but the data of subsequent commands is buffered and the behavior is the same as store-and-forward mode. Data digest cannot be used. |
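
Because only pass-thru mode allows the data digest, it helps to see what the digest catches that the TCP checksum does not. The following is an added example, not from this guide; it assumes the digest is CRC32C as specified for iSCSI in RFC 3720, computes the TCP-style checksum over the payload only as a simplification, and uses a constructed data block.

```python
def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum of the kind TCP uses (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _crc32c_table():
    # Reflected Castagnoli polynomial 0x1EDC6F41 -> 0x82F63B78.
    table = []
    for n in range(256):
        crc = n
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _crc32c_table()


def crc32c(data: bytes) -> int:
    """CRC32C, the algorithm iSCSI header and data digests use."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def swap_adjacent_words(data: bytes, offset: int) -> bytes:
    """Corrupt a block by exchanging two neighbouring 16-bit words."""
    a, b = data[offset:offset + 2], data[offset + 2:offset + 4]
    return data[:offset] + b + a + data[offset + 4:]


def compare(original: bytes, corrupted: bytes) -> dict:
    """Report which integrity check notices the difference."""
    return {
        "tcp_checksum_detects":
            internet_checksum(original) != internet_checksum(corrupted),
        "data_digest_detects": crc32c(original) != crc32c(corrupted),
    }


# Constructed 1 KB data segment, matching the 1 KB data-in PDUs of pass-thru mode.
SAMPLE = bytes(range(256)) * 4
CORRUPTED = swap_adjacent_words(SAMPLE, 100)
```

The one's-complement sum is unchanged by reordering 16-bit words, so the swapped block passes the checksum, while CRC32C detects every error burst of 32 bits or fewer.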

Caution Changing the forwarding mode of an iSCSI interface that is part of an iSLB VRRP group impacts load
balancing on the interface. See the Changing iSCSI Interface Parameters and the Impact on Load
Balancing section on page 50-45.

Configuring iSLB
The iSCSI server load balancing (iSLB) feature provides a means to easily configure large scale iSCSI
deployments containing hundreds or even thousands of initiators. When not using iSLB, configuring
iSCSI requires the following:
You need to perform multiple configuration steps on the MDS switch, including the following:
  Initiator configuration using static pWWN and VSAN.
  Zoning configuration for initiators and targets.
  Optionally, create a virtual target and give access to the initiator.
  Configuration of target LUN mapping and masking on the storage system for the initiator based on the static pWWN created for the initiator on the MDS switch.
You need to duplicate the configuration manually on multiple MDS switches.
There is no load balancing for IPS ports. For example:
  The Virtual Router Redundancy Protocol (VRRP) only supports active and backup, not load balancing.
  You must use multiple VRRP groups and configure hosts in different groups.
iSLB provides the following features:
The iSLB initiator configuration is simplified with support for initiator targets and auto-zones.
Cisco Fabric Services (CFS) eliminates the need for manual configuration by distributing the iSLB
initiator configuration among all MDS switches in the fabric.

Note Only statically mapped iSLB initiator configuration is distributed throughout the fabric
using CFS. Dynamically and statically mapped iSCSI initiator configurations are not
distributed.

Dynamic load balancing of iSLB initiators is available using iSCSI login redirect and VRRP.
This section covers the following topics:
About iSLB Configuration Limits
iSLB Configuration Prerequisites
About iSLB Initiators
Configuring iSLB Using Device Manager
Configuring iSLB Initiators
About Load Balancing Using VRRP
Configuring Load Balancing Using VRRP
About iSLB Configuration Distribution Using CFS
Distributing the iSLB Configuration Using CFS

Note Before configuring iSLB, you must enable iSCSI (see the Enabling iSCSI section on page 50-4).

Note For iSLB, all switches in the fabric must be running Cisco MDS SAN-OS Release 2.1(1a) or later.

About iSLB Configuration Limits


iSLB configuration has the following limits:
The maximum number of iSLB and iSCSI initiators supported in a fabric is 2000.
The maximum number of iSCSI and iSLB initiators supported is 200 per port.
The maximum number of iSLB and iSCSI sessions supported by an IPS port in either transparent or proxy initiator mode is 500.
The maximum number of iSLB initiators supported in a fabric is 2000.
The maximum number of iSLB sessions per IPS port in either transparent or proxy initiator mode is 500.
The maximum number of switches in a fabric that can have iSLB with CFS distribution enabled is four.
No more than 200 new iSLB initiators can be added to the pending configuration. Before adding more initiators, you must commit the configuration.
You cannot disable iSCSI if you have more than 200 iSLB initiators in the running configuration. Reduce the number of iSLB initiators to fewer than 200 before disabling iSCSI.
iSLB can be used without CFS distribution, but if the iSLB auto-zone feature is used, traffic is disrupted when any zoneset is activated.
If IVR and iSLB features are enabled in the same fabric, you should have at least one switch in the fabric where both these features are enabled. Any zoning-related configuration and activation (for normal zones, IVR zones, or iSLB zones) must be performed on this switch. Otherwise, there may be traffic disruption in the fabric.

iSLB Configuration Prerequisites


Perform the following prerequisite actions prior to configuring iSLB:
Enable iSCSI (see the Enabling iSCSI section on page 50-4).
Configure the Gigabit Ethernet interfaces (see the Configuring Gigabit Ethernet Interfaces for IPv4 section on page 52-4 or the Configuring Basic Connectivity for IPv6, page 54-11).
Configure the VRRP groups (see the Configuring Load Balancing Using VRRP section on page 50-45).
Configure and activate a zone set (see Chapter 30, Configuring and Managing Zones).
Enable CFS distribution for iSLB (see the Enabling iSLB Configuration Distribution section on page 50-47).

About iSLB Initiators


iSLB initiators provide the following features in addition to those supported by iSCSI initiators:
An iSLB initiator also supports iSLB virtual targets. These targets are very similar to iSCSI virtual targets with the exception that they do not include the advertise interface option and as a result are distributable using CFS.
Initiator targets: These targets are configured for a particular initiator.
Load balancing using iSCSI login redirect and VRRP: If load balancing is enabled, the IPS Manager redirects incoming sessions to the best interface based on the calculated load for each interface.
Configuration distribution to other switches using CFS.

Configuring iSLB Using Device Manager


To configure iSLB using Device Manager, follow these steps:

Step 1 Choose IP > iSCSI iSLB.


You see the iSCSI iSLB dialog box shown in Figure 50-30.

Figure 50-30 iSCSI iSLB Dialog Box

Step 2 Click Create to create a new iSCSI iSLB initiator.


You see the Create iSCSI iSLB Initiators dialog box shown in Figure 50-31.

Figure 50-31 Create iSCSI iSLB Initiators Dialog Box

Step 3 Set the Name or IP Address field to the iSLB name or IP address.
Step 4 Set the VSAN Membership field to the VSAN that you want the iSLB initiator in.
Also see the Assigning VSAN Membership for iSLB Initiators section on page 50-40.
Step 5 Check the Persistent check box to convert a dynamic nWWN to static for the iSLB initiator.
Also see the Making the Dynamic iSLB Initiator WWN Mapping Static section on page 50-40.
Step 6 (Optional) Check the SystemAssigned check box to have the switch assign the nWWN.
Step 7 (Optional) Set the Static WWN field to manually assign the static nWWN. You must ensure uniqueness
for this nWWN.
Step 8 (Optional) Check the Port WWN Mapping Persistent check box to convert dynamic pWWNs to static
for the iSLB initiator.
See the Making the Dynamic iSLB Initiator WWN Mapping Static section on page 50-40.
Step 9 (Optional) Check the SystemAssigned check box and set the number of pWWNs that you want the
switch to assign.
Step 10 (Optional) Set the Static WWN(s) field to manually assign the static pWWNs.
You must ensure uniqueness for these pWWNs.

Step 11 (Optional) Set the AuthUser field to the username that you want to restrict the iSLB initiator to for iSLB
authentication.
Also see the Restricting iSLB Initiator Authentication section on page 50-43.
Step 12 Fill in the Username and Password fields to configure iSLB initiator target CHAP authentication.
Also see the Configuring iSLB Session Authentication section on page 50-43.
Step 13 In the Initiator Specific Target section, set the pWWN to configure an iSLB initiator target.
Step 14 (Optional) Set the Name field to a globally unique identifier (IQN).
Step 15 (Optional) Check the NoAutoZoneCreation check box to disable auto-zoning.
Also see the Configuring and Activating Zones for iSLB Initiators and Initiator Targets section on
page 50-42.
Step 16 Optionally, check the TresspassMode check box.
Also see the LUN Trespass for Storage Port Failover section on page 50-53.
Step 17 Optionally, check the RevertToPrimary check box to revert back to the primary port after an HA
failover when the primary port comes back up.
Step 18 Set the PrimaryVsan to the VSAN for the iSLB initiator target.
Step 19 Click Create to create this iSLB initiator.
Step 20 If CFS is enabled, select commit from the CFS drop-down menu.

Configuring iSLB Initiators


This section includes the following topics:
Assigning WWNs to iSLB Initiators
Making the Dynamic iSLB Initiator WWN Mapping Static
Assigning VSAN Membership for iSLB Initiators
Configuring Metric for Load Balancing
About Load Balancing Using VRRP
Configuring and Activating Zones for iSLB Initiators and Initiator Targets
Configuring iSLB Session Authentication

Assigning WWNs to iSLB Initiators


An iSLB host is mapped to an N port's WWNs by one of the following mechanisms:
Dynamic mapping (default)
Static mapping

Note Assigning WWNs for iSLB initiators is the same as for iSCSI initiators. For information on dynamic and
static mapping, see the WWN Assignment for iSCSI Initiators section on page 50-17.

Tip We recommend using the SystemAssign option. If you manually assign a WWN, you must ensure its
uniqueness (see the World Wide Names section on page 37-5). You should not use any previously
assigned WWNs.

See the Configuring iSLB Using Device Manager procedure on page 50-37.

Making the Dynamic iSLB Initiator WWN Mapping Static


After a dynamic iSLB initiator has logged in, you may decide to permanently keep the automatically
assigned nWWN/pWWN mapping to allow this initiator to use the same mapping the next time it logs
in (see the Dynamic Mapping section on page 50-8).
You can convert a dynamic iSLB initiator to a static iSLB initiator and make its WWNs persistent.

Note Making the dynamic mapping for iSLB initiators static is the same as for iSCSI. See the Making the
Dynamic iSLB Initiator WWN Mapping Static section on page 50-40.

Note Only statically mapped iSLB initiator configuration is distributed throughout the fabric using CFS.
Dynamically and statically configured iSCSI initiator configurations are not distributed.

See the Configuring iSLB Using Device Manager procedure on page 50-37.

Assigning VSAN Membership for iSLB Initiators


Individual iSLB hosts can be configured to be in a specific VSAN (similar to the DPVM feature for Fibre
Channel; see Chapter 2, Starting a Switch in the Cisco MDS 9000 Family). The specified VSAN
overrides the iSCSI interface VSAN membership.

Note Specifying the iSLB initiator VSAN is the same as for an iSCSI initiator. See the VSAN Membership
for iSCSI section on page 50-22.

Note When an iSLB initiator is configured in any other VSAN (other than VSAN 1, the default VSAN), for
example VSAN 2, the initiator is automatically removed from VSAN 1. If you also want it to be present
in VSAN 1, you must explicitly configure the initiator in VSAN 1.

See the Configuring iSLB Using Device Manager procedure on page 50-37.

Configuring Metric for Load Balancing


You can assign a load metric to each initiator for weighted load balancing. The load calculated is based
on the number of initiators on a given iSCSI interface. This feature accommodates initiators with
different bandwidth requirements. For example, you could assign a higher load metric to a database
server than to a web server. Weighted load balancing also accommodates initiators with different link
speeds.

For more information on load balancing, see the About Load Balancing Using VRRP section on
page 50-43.
Choose IP > iSCSI iSLB in Device Manager and set the LoadMetric field to change the load balancing
metric for an iSLB initiator.
See the Configuring iSLB Using Device Manager procedure on page 50-37.

Configuring iSLB Initiator Targets


You can configure initiator targets using the device alias or the pWWN. You can also specify
one or more of the following optional parameters:
Secondary pWWN
Secondary device alias
LUN mapping
IQN
VSAN identifier

Note The VSAN identifier is optional if the target is online. If the target is not online, the VSAN
identifier is required.

In addition, you can disable auto-zoning.


If you configure an IQN for an initiator target, then that name is used to identify the initiator target.
Otherwise, a unique IQN is generated for the initiator target.
To configure additional iSLB initiator targets using Device Manager, follow these steps:

Step 1 Choose IP > iSCSI iSLB.


You see the iSCSI iSLB dialog box (see Figure 50-30).
Step 2 Click on the initiator you want to add targets to and click Edit Initiator Specific Targets.
You see the Initiator Specific Target dialog box.
Step 3 Click Create to create a new initiator target.
You see the Create Initiator Specific Target dialog box shown in Figure 50-32.

Figure 50-32 Create Initiator Specific Target Dialog Box

Step 4 Fill in the pWWN field with the initiator target pWWN.
Step 5 (Optional) Set the Name field to a globally unique identifier (IQN).
Step 6 (Optional) Check the NoAutoZoneCreation check box to disable auto-zoning (see Figure 50-31). See
the Configuring and Activating Zones for iSLB Initiators and Initiator Targets section on page 50-42.
Step 7 (Optional) Check the TresspassMode check box. See the LUN Trespass for Storage Port Failover
section on page 50-53.
Step 8 (Optional) Check the RevertToPrimary check box to revert back to the primary port after an HA
failover when the primary port comes back up.
Step 9 Set the PrimaryVsan to the VSAN for the iSLB initiator target.
Step 10 Click Create to create this iSLB initiator target.
Step 11 If CFS is enabled, select commit from the CFS drop-down menu.

Configuring and Activating Zones for iSLB Initiators and Initiator Targets
You can configure a zone name where the iSLB initiators and initiator targets are added. If you do not
specify a zone name, the IPS manager creates one dynamically. iSLB zone sets have the following
considerations:
Auto-zoning of the initiator with the initiator targets is enabled by default.
A zone set must be active in a VSAN for auto-zones to be created in that VSAN.
iSLB zone set activation might fail if another zone set activation is in process or if the zoning database is locked. Retry the iSLB zone set activation if a failure occurs. To avoid this problem, perform only one zoning-related operation (normal zones, IVR zones, or iSLB zones) at a time.
Auto-zones are created when the zone set is activated and there has been at least one change in the zoneset. The activation has no effect if only the auto-zones have changed.

Caution If IVR and iSLB are enabled in the same fabric, at least one switch in the fabric must have both features
enabled. Any zoning related configuration or activation operation (for normal zones, IVR zones, or iSLB
zones) must be performed on this switch. Otherwise, traffic might be disrupted in the fabric.


Choose IP > iSCSI iSLB in Device Manager and set the autoZoneName field to change the auto zone
name for an iSLB initiator.
See the Configuring iSLB Using Device Manager procedure on page 50-37.

Configuring iSLB Session Authentication


The IPS module and MPS-14/2 module support the iSLB authentication mechanism to authenticate iSLB
hosts that request access to storage. By default, the IPS module and MPS-14/2 module allow CHAP or
None authentication of iSCSI initiators. If authentication must always be used, you must configure the
switch to allow only CHAP authentication.
For CHAP user name or secret validation you can use any method supported and allowed by the Cisco
MDS AAA infrastructure (see Chapter 41, Configuring RADIUS and TACACS+). AAA
authentication supports RADIUS, TACACS+, or a local authentication device.

Note Specifying the iSLB session authentication is the same as for iSCSI. See the iSCSI Session
Authentication section on page 50-28.

Restricting iSLB Initiator Authentication

By default, the iSLB initiator can use any user name in the RADIUS or local AAA database in
authenticating itself to the IPS module or MPS-14/2 module (the CHAP user name is independent of the
iSLB initiator name). The IPS module or MPS-14/2 module allows the initiator to log in as long as it
provides a correct response to the CHAP challenge sent by the switch. This can be a problem if one
CHAP user name and password have been compromised, because any initiator can then log in with them.
Choose IP > iSCSI iSLB in Device Manager and set the AuthName field to restrict an initiator to use a
specific user name for CHAP authentication.
See the Configuring iSLB Using Device Manager procedure on page 50-37.

Mutual CHAP Authentication

In addition to the IPS module and MPS-14/2 module authentication of the iSLB initiator, the IPS module
and MPS-14/2 module also support a mechanism for the iSLB initiator to authenticate the Cisco MDS
switch's initiator target during the iSCSI login phase. This authentication requires the user to configure
a user name and password for the switch to present to the iSLB initiator. The provided password is used
to calculate a CHAP response to a CHAP challenge sent to the IPS port by the initiator.
Choose IP > iSCSI iSLB in Device Manager and set the Target Username and Target Password fields to
configure a per-initiator user name and password used by the switch to authenticate itself to an initiator.
See the Configuring iSLB Using Device Manager procedure on page 50-37.
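
The two checks described above (restricting an initiator to one CHAP user name, and the switch answering the initiator's challenge for mutual CHAP) are modelled in the following added Python example; it is not Cisco code. The user names, secrets, IQNs and the INITIATORS table are constructed for illustration, and the response formula is standard CHAP with MD5 (RFC 1994).

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


# Constructed sample data: local AAA database (CHAP user name -> secret).
LOCAL_USERS = {
    "host1-chap": b"host1-secret-000001",
    "shared-chap": b"shared-secret-00002",
}

HOST1 = "iqn.2009-03.com.example:host1"   # hypothetical initiator names
HOST2 = "iqn.2009-03.com.example:host2"

# Constructed per-initiator settings modelling the AuthName, Target Username
# and Target Password fields. No auth_name means the default behaviour.
INITIATORS = {
    HOST1: {
        "auth_name": "host1-chap",
        "target_user": "mds-target",
        "target_password": b"switch-secret-0003",
    },
    HOST2: {},
}


def switch_verify_initiator(initiator, chap_name, ident, challenge, response):
    """Switch side: return (accepted, reason) for an initiator's CHAP answer."""
    required = INITIATORS.get(initiator, {}).get("auth_name")
    if required is not None and chap_name != required:
        # AuthName restriction: valid credentials of another user are refused.
        return False, "CHAP user name not permitted for this initiator"
    secret = LOCAL_USERS.get(chap_name)
    if secret is None:
        return False, "unknown CHAP user name"
    expected = chap_response(ident, secret, challenge)
    if not hmac.compare_digest(expected, response):
        return False, "wrong CHAP response"
    return True, "accepted"


def switch_answer_initiator(initiator, ident, challenge):
    """Mutual CHAP: the switch answers the challenge sent by the initiator."""
    cfg = INITIATORS[initiator]
    return cfg["target_user"], chap_response(ident, cfg["target_password"], challenge)


def initiator_verify_switch(user, password, name, ident, challenge, response):
    """Initiator side: check the name and response presented by the switch."""
    expected = chap_response(ident, password, challenge)
    return name == user and hmac.compare_digest(expected, response)


def demo():
    """Run the four login cases and the mutual check on a random challenge."""
    ident, challenge = 7, os.urandom(16)
    own = chap_response(ident, LOCAL_USERS["host1-chap"], challenge)
    shared = chap_response(ident, LOCAL_USERS["shared-chap"], challenge)
    name, answer = switch_answer_initiator(HOST1, 9, challenge)
    return {
        "host1, own user": switch_verify_initiator(HOST1, "host1-chap", ident, challenge, own),
        "host1, shared user": switch_verify_initiator(HOST1, "shared-chap", ident, challenge, shared),
        "host2, shared user": switch_verify_initiator(HOST2, "shared-chap", ident, challenge, shared),
        "host1, wrong response": switch_verify_initiator(HOST1, "host1-chap", ident, challenge, shared),
        "switch proves itself": initiator_verify_switch(
            "mds-target", b"switch-secret-0003", name, 9, challenge, answer),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With AuthName set for host1, a correct response computed from the shared-chap secret is still refused, while host2 (no AuthName) accepts it, which is the default behaviour the section describes.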

About Load Balancing Using VRRP


You can configure Virtual Router Redundancy Protocol (VRRP) load balancing for iSLB. Figure 50-33
shows an example of load balancing using iSLB.


Figure 50-33 iSLB Initiator Load Balancing Example

[Figure not reproduced: targets T1 through T4 reached over Fibre Channel from IPS ports acting as VRRP master and backups; hosts on the IP network hold sessions to T1; T1; T2, T3; and T3, T4.]

The host is configured with a VRRP address as the portal address. When the VRRP master port receives
the first iSCSI session from an initiator, it assigns a backup port to serve that particular host. This
information is synchronized to all switches through CFS so that it is available for recovery if a master
port fails. The initiator gets a temporary redirect iSCSI login response. The host then logs in to the
backup port at its physical IP address. If the backup port goes down, the host will revert to the master
port. The master port knows through CFS that the backup port has gone down and redirects the host to
another backup port.

Note If an Ethernet PortChannel is configured between the IPS module and an Ethernet switch, the load
balancing policy on the Ethernet switch must be based on source/destination IP address only, not port
numbers, for load balancing with VRRP to operate correctly.

Note An initiator can also be redirected to the physical IP address of the master interface.

Tip iSLB VRRP load balancing is based on the number of iSLB initiators and not number of sessions. Any
iSLB initiator that has more targets configured than the other iSLB initiators (resulting in more sessions)
should be configured with a higher load metric. For example, you can increase the load metric of the
iSLB initiator with more targets to 3000 from the default value of 1000.


Caution A Gigabit Ethernet interface configured for iSLB can only be in one VRRP group because redirected
sessions do not carry information about the VRRP IP address or group. This restriction allows the slave
port to uniquely identify the VRRP group to which it belongs.

Changing iSCSI Interface Parameters and the Impact on Load Balancing


All iSCSI interfaces in a VRRP group that has load balancing enabled must have the same interface
VSAN, authentication, proxy initiator mode, and forwarding mode. When you need to change any of
these parameters for the iSCSI interfaces in a VRRP group, you must do so one interface at a time.
During the transition time when the parameter is changed on some interfaces in the VRRP group and not
the others, the master port does not redirect new initiators and instead handles them locally.

Caution Changing the VSAN, proxy initiator, authentication, and forwarding mode for iSCSI interfaces in a
VRRP group can cause sessions to go down multiple times.

VRRP Load Balancing Algorithm For Selecting Gigabit Ethernet Interfaces


When the VRRP master receives an iSCSI session request from an initiator, it first checks for an existing
mapping to one of the interfaces in that VRRP group. If such a mapping exists, the VRRP master
redirects the initiator to that interface. If no such mapping exists, the VRRP master selects the least
loaded interface and updates the selected interface's load with the initiator's iSLB metric (weight).

Note The VRRP master interface is treated specially and it takes lower load compared to the other interfaces.
This is to account for the redirection work performed by the master interface for every session. A new
initiator is assigned to the master interface only if the following is true for every other interface:

VRRP backup interface load > [2 * VRRP master interface load + 1]
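
The selection rule above, as an added Python model that is not Cisco code. It assumes that when the master condition does not hold the least-loaded backup is chosen, that ties are broken by interface name, and that a failed backup's mappings are simply forgotten; the interface and host names are constructed.

```python
DEFAULT_METRIC = 1000  # default iSLB load metric, per the Tip in this section


class VrrpGroup:
    """One VRRP group with iSLB load balancing enabled (illustrative model)."""

    def __init__(self, master, backups):
        self.master = master
        self.load = {name: 0 for name in [master, *backups]}
        self.mapping = {}  # initiator name -> interface it was redirected to

    def backups(self):
        return [name for name in self.load if name != self.master]

    def select(self, initiator, metric=DEFAULT_METRIC):
        """Return the interface the master redirects this initiator to."""
        if initiator in self.mapping:
            # An existing mapping always wins and does not change any load.
            return self.mapping[initiator]
        threshold = 2 * self.load[self.master] + 1
        backups = self.backups()
        if all(self.load[b] > threshold for b in backups):
            # Every backup carries more than 2 * master load + 1.
            chosen = self.master
        else:
            # Assumption: least-loaded backup, ties broken by interface name.
            chosen = min(backups, key=lambda b: (self.load[b], b))
        self.load[chosen] += metric  # weight by the initiator's metric
        self.mapping[initiator] = chosen
        return chosen

    def backup_down(self, name):
        """Drop a failed backup; its initiators are placed again on re-login."""
        del self.load[name]
        moved = sorted(i for i, iface in self.mapping.items() if iface == name)
        for initiator in moved:
            del self.mapping[initiator]
        return moved


def place(group, initiators):
    """Place (name, metric) pairs in order and return the chosen interfaces."""
    return [group.select(name, metric) for name, metric in initiators]


if __name__ == "__main__":
    # Constructed example: one master, two backups, eight default-weight hosts.
    group = VrrpGroup("gige1/1", ["gige2/1", "gige2/2"])
    hosts = [(f"host{i}", DEFAULT_METRIC) for i in range(1, 9)]
    for (name, _), iface in zip(hosts, place(group, hosts)):
        print(name, "->", iface)
    print(group.load)
```

In this model the master ends up with roughly half the load of each backup, which matches the Note's statement that the master takes a lower load.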

Configuring Load Balancing Using VRRP


You must first configure VRRP on the Gigabit Ethernet interfaces on the switch that connect to the IP
network before configuring VRRP for iSLB. For information on how to configure VRRP on a Gigabit
Ethernet interface, see the Virtual Router Redundancy Protocol section on page 51-8.
To configure VRRP load balancing using Device Manager, follow these steps:

Step 1 Choose IP > iSCSI iSLB.


You see the iSCSI iSLB dialog box (see Figure 50-30).
Step 2 Click the VRRP tab.
Step 3 Click Create to configure VRRP load balancing for iSLB initiators.
You see the Create iSCSI iSLB VRRP dialog box shown in Figure 50-34.


Figure 50-34 Create iSCSI iSLB VRRP Dialog Box

Step 4 Set the Vrld to the VRRP group number.


Step 5 Select either ipv4 or ipv6 and check the LoadBalance check box.
Step 6 Click Create to enable load balancing.
Step 7 If CFS is enabled, select commit from the CFS drop-down menu.

About iSLB Configuration Distribution Using CFS


Configuration for iSLB initiators and initiator targets on an MDS switch can be distributed using the
Cisco Fabric Services (CFS). This feature allows you to synchronize the iSLB configuration across the
fabric from the console of a single MDS switch. The iSCSI initiator idle timeout, iSCSI dynamic initiator
mode, and global authentication parameters are also distributed. CFS distribution is disabled by default
(see Chapter 5, Using the CFS Infrastructure).
After enabling the distribution, the first configuration starts an implicit session. All server configuration
changes entered thereafter are stored in a temporary database and applied to all switches in the fabric
(including the originating one) when you explicitly commit the database.
When CFS is enabled for iSLB, the first iSLB configuration operation starts a CFS session and locks the
iSLB configuration in the fabric. The configuration changes are applied to the pending configuration
database. When you make the changes to the fabric, the pending configuration is distributed to all the
switches in the fabric. Each switch then validates the configuration. This check ensures the following:
The VSANs assigned to the iSLB initiators are configured on all the switches.
The static WWNs configured for the iSLB initiators are unique and available on all the switches.
The iSLB initiator node names do not conflict with the iSCSI initiators on all the switches.
After the check completes successfully, all the switches commit the pending configuration to the running
configuration. If any check fails, the entire commit fails.

Note iSLB is only fully supported when CFS is enabled. Using iSLB auto-zoning without enabling CFS mode
may cause traffic disruption when any zone set is activated.

Note CFS does not distribute non-iSLB initiator configurations or import Fibre Channel target settings.

Non-iSLB virtual targets will continue to support the advertised interfaces option.

Tip The pending changes are only available in the volatile directory and are discarded if the switch is
restarted.

Distributing the iSLB Configuration Using CFS


This section contains the following:
Enabling iSLB Configuration Distribution, page 50-47
Locking the Fabric, page 50-48
Committing Changes to the Fabric, page 50-48
Discarding Pending Changes, page 50-48
Clearing a Fabric Lock, page 50-49
CFS Merge Process, page 50-49
iSLB CFS Merge Status Conflicts, page 50-49

Enabling iSLB Configuration Distribution


To enable CFS distribution of the iSLB configuration using Device Manager, follow these steps:

Step 1 Choose Admin > CFS.


You see the CFS dialog box shown in Figure 50-35.

Figure 50-35 Enabling CFS in Device Manager

Step 2 Set the Command field to enable for the iSLB feature.


Step 3 Click Apply to save this change.

Locking the Fabric


The first action that modifies the existing configuration creates the pending configuration and locks the
feature in the fabric. Once you lock the fabric, the following conditions apply:
No other user can make any configuration changes to this feature.
A pending configuration is created by copying the active configuration. Modifications from this
point on are made to the pending configuration and remain there until you commit the changes to
the active configuration (and other switches in the fabric) or discard them.

Note iSCSI configuration changes are not allowed when an iSLB CFS session is active.

Committing Changes to the Fabric


To apply the pending iSLB configuration changes to the active configuration and to other MDS switches
in the fabric, you must commit the changes. The pending configuration changes are distributed and, on
a successful commit, the configuration changes are applied to the active configuration in the MDS
switches throughout the fabric, the automatic zones are activated, and the fabric lock is released.
To commit iSLB configuration changes to other MDS switches in the fabric, activate iSLB automatic
zones, and release the fabric lock using Device Manager, follow these steps:

Step 1 Choose Admin > CFS.


You see the CFS Configuration dialog box (see Figure 50-35).
Step 2 Set the Command field to commit for the iSLB feature.
Step 3 Click Apply to save this change.

Discarding Pending Changes


At any time, you can discard the pending changes to the iSLB configuration and release the fabric lock.
This action has no effect on the active configuration on any switch in the fabric.
To discard the pending iSLB configuration changes and release the fabric lock using Device Manager,
follow these steps:

Step 1 Choose Admin > CFS.


You see the CFS Configuration dialog box (see Figure 50-35).
Step 2 Set the Command field to abort for the iSLB feature.
Step 3 Click Apply to save this change.


Clearing a Fabric Lock


If you have performed an iSLB configuration task and have not released the lock by either committing
or discarding the changes, an administrator can release the lock from any switch in the fabric. If the
administrator performs this task, your pending changes are discarded and the fabric lock is released.

Tip The pending changes are only available in the volatile directory and are discarded if the switch is
restarted.

To release a fabric lock using Device Manager, follow these steps:

Step 1 Choose Admin > CFS.


You see the CFS Configuration dialog box (see Figure 50-35).
Step 2 Set the Command field to clear for the iSLB feature.
Step 3 Click Apply to save this change.

CFS Merge Process


When two fabrics merge, CFS attempts to merge the iSLB configuration from both the fabrics. A
designated switch (called the dominant switch) in one fabric sends its iSLB configuration to a designated
switch (called the subordinate switch) in the other fabric. The subordinate switch compares its running
configuration to the received configuration for any conflicts. If no conflicts are detected, it merges the
two configurations and sends it to all the switches in both the fabrics. Each switch then validates the
configuration. This check ensures the following:
VSANs assigned to the iSLB initiators are configured on all the switches.
The static WWNs configured for the iSLB initiators are unique and available on all the switches.
The iSLB initiator node names have no conflicts with iSCSI initiators on all the switches.
If this check completes successfully, the subordinate switch directs all the switches to commit the
merged configuration to running configuration. If any check fails, the merge fails.

iSLB CFS Merge Status Conflicts


Merge conflicts may occur. User intervention is required for the following merge conflicts:
The iSCSI global authentication or iSCSI initiator idle timeout parameters are not configured the
same in the two fabrics.
The same iSLB initiator is configured differently in the two fabrics.
An iSLB initiator in one fabric has the same name as an iSCSI initiator in the other fabric.
Duplicate pWWN/nWWN configuration is detected in the two fabrics. For example, a
pWWN/nWWN configured for an iSLB initiator on one fabric is configured for an iSCSI initiator
or a different iSLB initiator in the other fabric.
A VSAN configured for an iSLB initiator in one fabric does not exist in the other fabric.


Tip Check the syslog for details on merge conflicts.

User intervention is not required when the same iSLB initiator has a different set of non-conflicting
initiator targets. The merged configuration is the union of all the initiator targets.
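
The merge conflicts listed above, and the union of non-conflicting initiator targets, checked in an added Python model that is not Cisco code. The dictionary layout, field names, initiator names, WWNs and values are all constructed; "configured differently" is assumed to mean differing VSANs or WWNs, and a conflicting initiator target is assumed to be the same target pWWN with different settings.

```python
def merge_islb(a, b):
    """Return (merged iSLB initiators, or None on conflict, list of conflicts)."""
    conflicts = []
    # Global authentication and idle timeout must match in both fabrics.
    for key in ("auth_method", "idle_timeout"):
        if a["globals"][key] != b["globals"][key]:
            conflicts.append(f"global {key} differs")

    for here, there in ((a, b), (b, a)):
        # WWNs in use in the other fabric, mapped to their (kind, name) owners.
        in_use = {}
        for kind in ("iscsi", "islb"):
            for name, ini in there[kind].items():
                for wwn in ini.get("wwns", ()):
                    in_use.setdefault(wwn, []).append((kind, name))
        for name, ini in here["islb"].items():
            if name in there["iscsi"]:
                conflicts.append(
                    f"{here['name']}: iSLB initiator {name} is an iSCSI initiator in {there['name']}")
            for wwn in ini["wwns"]:
                for kind, owner in in_use.get(wwn, []):
                    if (kind, owner) != ("islb", name):
                        conflicts.append(
                            f"{here['name']}: WWN {wwn} of {name} is used by {kind} initiator {owner}")
            for vsan in sorted(ini["vsans"] - there["vsans"]):
                conflicts.append(
                    f"{here['name']}: VSAN {vsan} of {name} does not exist in {there['name']}")

    merged = {}
    for name in sorted(set(a["islb"]) | set(b["islb"])):
        x, y = a["islb"].get(name), b["islb"].get(name)
        if x is None or y is None:
            merged[name] = dict(x or y)
            continue
        if x["vsans"] != y["vsans"] or x["wwns"] != y["wwns"]:
            conflicts.append(f"iSLB initiator {name} is configured differently")
            continue
        # Same initiator on both sides: merged targets are the union.
        targets = dict(x["targets"])
        for pwwn, settings in y["targets"].items():
            if targets.setdefault(pwwn, settings) != settings:
                conflicts.append(f"initiator target {pwwn} of {name} differs")
        merged[name] = {**x, "targets": targets}
    return (None if conflicts else merged), conflicts


# Constructed sample fabrics; every name, WWN and value is illustrative.
H1 = "iqn.2009-03.com.example:h1"
H1_WWN = "21:00:00:00:00:00:00:01"
FABRIC_A = {
    "name": "fabric-A",
    "globals": {"auth_method": "chap", "idle_timeout": 300},
    "vsans": {1, 10},
    "iscsi": {},
    "islb": {H1: {"vsans": {10}, "wwns": (H1_WWN,),
                  "targets": {"26:00:01:02:03:04:05:06": {"primary_vsan": 10}}}},
}
FABRIC_B = {
    "name": "fabric-B",
    "globals": {"auth_method": "chap", "idle_timeout": 300},
    "vsans": {1, 10},
    "iscsi": {},
    "islb": {H1: {"vsans": {10}, "wwns": (H1_WWN,),
                  "targets": {"26:00:01:02:03:10:11:12": {"primary_vsan": 10}}}},
}

if __name__ == "__main__":
    merged, conflicts = merge_islb(FABRIC_A, FABRIC_B)
    print("conflicts:", conflicts)
    print("merged targets:", sorted(merged[H1]["targets"]))
```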

iSCSI High Availability


The following high availability features are available for iSCSI configurations:
Transparent Target Failover, page 50-50
Multiple IPS Ports Connected to the Same IP Network, page 50-53
VRRP-Based High Availability, page 50-54
Ethernet PortChannel-Based High Availability, page 50-55

Transparent Target Failover


The following high availability configurations are available:
iSCSI high availability with host running multi-path software
iSCSI high availability with host not having multi-path software

iSCSI High Availability with Host Running Multi-Path Software


Figure 50-36 shows the physical and logical topology for an iSCSI HA solution for hosts running
multi-path software. In this scenario, the host has four iSCSI sessions. There are two iSCSI sessions from
each host NIC to the two IPS ports.


Figure 50-36 Host Running Multi-Path Software

[Figure not reproduced: physical view of the host, IP network, Ethernet switch, MDS 1 iSCSI switch, and storage ports P1 and P2; logical view of sessions 1 through 4 from the host to the iSCSI targets iqn.com.cisco.mds-1.1-1.P1 and iqn.com.cisco.mds-1.1-1.P2.]

Each IPS port exports the same two Fibre Channel target ports of the storage, but as different iSCSI
target names (if you use dynamic iSCSI targets). So the two IPS ports are exporting a total of four iSCSI
target devices. These four iSCSI targets map the same two ports of the Fibre Channel target.
The iSCSI host uses NIC-1 to connect to IPS port 1 and NIC-2 to connect to IPS port 2. Each IPS port
exports two iSCSI targets, so the iSCSI host creates four iSCSI sessions.
If the iSCSI host NIC-1 fails (see Figure 50-36 for the physical view), then sessions 1 and 2 fail but we
still have sessions 3 and 4.
If the IPS port 1 fails, the iSCSI host cannot connect to the IPS port, and sessions 1 and 2 fail. But
sessions 3 and 4 are still available.
If the storage port 1 fails, then the IPS ports will terminate sessions 1 and 3 (put iSCSI virtual target
iqn.com.cisco.mds-5.1-2.p1 and iqn-com.cisco.mds-5.1-1.p1 in offline state). But sessions 2 and 4 are
still available.
In this topology, you have recovery from failure of any of the components. The host multi-path software
takes care of load-balancing or failover across the different paths to access the storage.

iSCSI HA with Host Not Having Any Multi-Path Software


The above topology will not work if the host does not have multi-path software because the host has
multiple sessions to the same storage. Without multi-path software the host does not have knowledge of
the multiple paths to the same storage.


IP storage has two additional features that provide an HA solution in this scenario.
IPS ports support the VRRP feature (see the Configuring VRRP for Gigabit Ethernet Interfaces
section on page 52-9) to provide failover for IPS ports.
IPS has transparent Fibre Channel target failover for iSCSI static virtual targets.
Statically imported iSCSI targets have an additional option to provide a secondary pWWN for the Fibre
Channel target. This can be used when the physical Fibre Channel target is configured to have an LU
visible across redundant ports. When the active port fails, the secondary port becomes active and the
iSCSI session switches to use the new active port (see Figure 50-37).

Figure 50-37 Static Target Importing Through Two Fibre Channel Ports

[Figure not reproduced: an iSCSI host reaches Switch 1 over the IP network; Switch 1 connects over Fibre Channel to storage ports pWWN 1 and pWWN 2, with the pWWN values 26:00:01:02:03:04:05:06 and 26:00:01:02:03:10:11:12 shown. Primary access = pWWN 1; secondary access = pWWN 2.]

In Figure 50-37, you can create an iSCSI virtual target that is mapped to both pWWN1 and pWWN2 to
provide redundant access to the Fibre Channel targets.
The failover to a secondary port is done transparently by the IPS port without impacting the iSCSI
session from the host. All outstanding I/Os are terminated with a check condition status when the
primary port fails. New I/Os received during the failover are not completed and receive a busy status.

Tip If you use LUN mapping, you can define a different secondary Fibre Channel LUN if the LU number is
different.

Enable the optional revert-primary-port option to direct the IPS port to switch back to the primary port
when the primary port is up again. If this option is disabled (default) and the primary port is up again
after a switchover, the old sessions will remain with the secondary port and do not switch back to the
primary port. However, any new session will use the primary port. This is the only situation when both
the primary and secondary ports are used at the same time.
To create a static iSCSI virtual target for the entire Fibre Channel target port using Device Manager,
follow these steps:

Step 1 Click IP > iSCSI.


You see the iSCSI configuration (see Figure 50-10).
Step 2 Click the Targets tab to display a list of existing iSCSI targets (see Figure 50-11).
Step 3 Click Create to create an iSCSI target.
You see the Create iSCSI Targets dialog box (see Figure 50-13).
Step 4 Set the iSCSI target node name in the iSCSI Name field, in IQN format.
Step 5 Set the Port WWN field for the Fibre Channel target port you are mapping.


Step 6 Click the Select from List radio button and set the iSCSI initiator node names or IP addresses that you
want this virtual iSCSI target to access, or choose the All radio button to let the iSCSI target access all
iSCSI initiators. See the iSCSI Access Control section on page 50-24.
Step 7 Click the Select from List radio button and check each interface you want to advertise the iSCSI targets
on or choose the All radio button to advertise all interfaces.
Step 8 Click Apply to save this change.

LUN Trespass for Storage Port Failover


In addition to the high availability of statically imported iSCSI targets, the trespass feature is available
to enable the move of LUs, on an active port failure, from the active to the passive port of a statically
imported iSCSI target.
In physical Fibre Channel targets that are configured to have LUs visible over two Fibre Channel N
ports, when the active port fails, the passive port takes over. Some physical Fibre Channel targets require
that the trespass feature be used to move the LUs from the active port to the passive port. For a physical
Fibre Channel target with redundant ports, a statically imported iSCSI target's secondary pWWN option
and an additional option of enabling the trespass feature are available. When the active port fails,
the passive port becomes active, and if the trespass feature is enabled, the Cisco MDS switch sends a
request to the target to move the LUs to the new active port. The iSCSI session switches to use the new
active port and the moved LUs are accessed over the new active port (see Figure 50-38).

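Figure 50-38 Virtual Target with an Active Primary Port

[Figure not reproduced: initiator iqn.initiator.abc (IP address 10.1.1.1) reaches virtual target iqn.virtual-target.abc (IP address 10.1.1.2) over the IP network; the Fibre Channel ports shown are pWWN a1:94:cc (fcid 0x550002) and pWWN a1:97:ac (fcid 0610003), labelled Primary and Secondary.]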

In Device Manager, choose IP > iSCSI, select the Targets tab, and check the Trespass Mode check box
to enable the trespass feature for a static iSCSI virtual target.

Multiple IPS Ports Connected to the Same IP Network


Figure 50-39 provides an example of a configuration with multiple Gigabit Ethernet interfaces in the
same IP network.


Figure 50-39 Multiple Gigabit Ethernet Interfaces in the Same IP Network

[Figure not reproduced: physical and logical views of host iqn.host-1 reaching pWWN-P1 through two Gigabit Ethernet interfaces, network portals 10.1.10.100 and 10.1.1.1, which present the targets iqn.com.cisco.mds.5-3.gw.p1 and iqn.com.cisco.mds.2-1.gw.p1.]

In Figure 50-39, each iSCSI host discovers two iSCSI targets for every physical Fibre Channel target
(with different names). The multi-pathing software on the host provides load-balancing over both paths.
If one Gigabit Ethernet interface fails, the host multi-pathing software is not affected because it can use
the second path.

VRRP-Based High Availability


Figure 50-40 provides an example of a VRRP-based high availability iSCSI configuration.


Figure 50-40 VRRP-Based iSCSI High Availability

[Figure not reproduced: physical and logical views of host iqn.host-1 reaching pWWN-P1 through two ports running VRRP with virtual IP 10.1.1.1 (network portal 10.1.1.1); both ports present the target iqn.com.cisco.mds.vr1.gw.p1.]

In Figure 50-40, each iSCSI host discovers one iSCSI target for every physical Fibre Channel target.
When the Gigabit Ethernet interface of the VRRP master fails, the iSCSI session is terminated. The host
then reconnects to the target and the session comes up because the second Gigabit Ethernet interface has
taken over the virtual IP address as the new master.

Ethernet PortChannel-Based High Availability

Note All iSCSI data traffic for one iSCSI link is carried on one TCP connection. Consequently, the aggregated
bandwidth is 1 Gbps for that iSCSI link.

Figure 50-41 provides a sample Ethernet PortChannel-based high availability iSCSI configuration.


Figure 50-41 Ethernet PortChannel-Based iSCSI High Availability

[Figure not reproduced: hosts iqn.host-1 and iqn.host-2 reach pWWN-P1 and pWWN-P2 across the IP network through an Ethernet PortChannel to the IPS port at IP 10.1.1.1.]

In Figure 50-41, each iSCSI host discovers one iSCSI target for every physical Fibre Channel target. The
iSCSI session from the iSCSI host to the iSCSI virtual target (on the IPS port) uses one of the two
physical interfaces (because an iSCSI session uses one TCP connection). When the Gigabit Ethernet
interface fails, the IPS module and the Ethernet switch transparently forward all the frames on to the
second Gigabit Ethernet interface.

Note If an Ethernet PortChannel is configured between the IPS module and an Ethernet switch, the load
balancing policy on the Ethernet switch must be based on source/destination IP address only, not port
numbers, for load balancing with VRRP to operate correctly.

iSCSI Authentication Setup Guidelines and Scenarios


This section provides guidelines on iSCSI authentication possibilities, setup requirements, and sample
scenarios. It includes the following authentication setup guidelines:
No Authentication, page 50-56
CHAP with Local Password Database, page 50-57
CHAP with External RADIUS Server, page 50-57
iSCSI Transparent Mode Initiator, page 50-58
Target Storage Device Requiring LUN Mapping, page 50-62

Caution Changing the authentication of an iSCSI interface that is part of an iSLB VRRP group impacts load
balancing on the interface. See the Changing iSCSI Interface Parameters and the Impact on Load
Balancing section on page 50-45.

No Authentication
Set the iSCSI authentication method to none to configure a network with no authentication.
In Fabric Manager, choose End Devices > iSCSI in the Physical Attributes pane. Then select the
Globals tab and set the AuthMethod drop-down menu to none and click Apply Changes.


CHAP with Local Password Database


To configure authentication using the CHAP option with the local password database, follow these steps:

Step 1 Set the AAA authentication to use the local password database for the iSCSI protocol:
a. In Fabric Manager, choose Switches > Security > AAA in the Physical Attributes pane.
b. Click the Applications tab in the Information pane.
c. Check the Local check box for the iSCSI row and click Apply Changes.
Step 2 Set the iSCSI authentication method to require CHAP for all iSCSI clients:
a. In Fabric Manager, choose End Devices > iSCSI in the Physical Attributes pane.
b. Click the Globals tab in the Information pane.
c. Set the AuthMethod drop-down menu to chap and click Apply Changes.
Step 3 Configure the user names and passwords for iSCSI users:
a. In Device Manager, choose Security > iSCSI.
b. Set the Username, Password and Confirm Password fields.
c. Click Create to save these changes.
Step 4 Verify the global iSCSI authentication setup:
a. In Fabric Manager, choose End Devices > iSCSI in the Physical Attributes pane.
b. Click the Globals tab in the Information pane.

CHAP with External RADIUS Server


To configure authentication using the CHAP option with an external RADIUS server, follow these steps:

Step 1 Configure the password for the Cisco MDS switch as RADIUS client to the RADIUS server:
a. In Fabric Manager, choose Switches > Security > AAA > RADIUS in the Physical Attributes pane.
b. Click the Default tab in the Information pane.
c. Set the AuthKey field to the default password and click the Apply Changes icon.
Step 2 Configure the RADIUS server IP address:
a. In Fabric Manager, choose Switches > Security > AAA > RADIUS in the Physical Attributes pane.
b. Click the Server tab in the Information pane and click Create Row.
c. Set the Index field to a unique number.
d. Set the IP Type radio button to ipv4 or ipv6.
e. Set the Name or IP Address field to the IP address of the RADIUS server and click Create.
Step 3 Create a RADIUS server group and add the RADIUS server to the group:
a. In Fabric Manager, choose Switches > Security > AAA in the Physical Attributes pane.
b. Select the Server Groups tab in the Information pane and click Create Row.


c. Set the Index field to a unique number.


d. Set the Protocol radio button to radius.
e. Set the Name field to the server group name.
f. Set the ServerIDList to the index value of the RADIUS server (as created in Step 2 c.) and click
Create.
Step 4 Set up the authentication verification for the iSCSI protocol to go to the RADIUS server.
a. In Fabric Manager, choose Switches > Security > AAA in the Physical Attributes pane.
b. Click the Applications tab in the Information pane.
c. Right-click on the iSCSI row in the Type, SubType, Function column.
d. Set the ServerGroup IDList to the index value of the Server Group (as created in Step 3 c) and click
Create.
Step 5 Set up the iSCSI authentication method to require CHAP for all iSCSI clients.
a. In Fabric Manager, choose End Devices > iSCSI in the Physical Attributes pane.
b. Select chap from the AuthMethod drop-down menu.
c. Click the Apply Changes icon.
Step 6 In Fabric Manager, choose End Devices > iSCSI in the Physical Attributes pane.
Step 7 Click the Globals tab in the Information pane to verify that the global iSCSI authentication setup is for
CHAP.
Step 8 In Fabric Manager, choose Switches > Security > AAA in the Physical Attributes pane.
Step 9 Click the Applications tab in the Information pane to verify the AAA authentication information for
iSCSI.

To configure an iSCSI RADIUS server, follow these steps:

Step 1 Configure the RADIUS server to allow access from the Cisco MDS switch's management Ethernet IP
address.
Step 2 Configure the shared secret for the RADIUS server to authenticate the Cisco MDS switch.
Step 3 Configure the iSCSI users and passwords on the RADIUS server.

iSCSI Transparent Mode Initiator


This scenario assumes the following configuration (see Figure 50-42):
No LUN mapping or LUN masking or any other access control for hosts on the target device
No iSCSI login authentication (that is, login authentication set to none)
The topology is as follows:
iSCSI interface 7/1 is configured to identify initiators by IP address.
iSCSI interface 7/5 is configured to identify initiators by node name.


The iSCSI initiator host 1 with IPv4 address 10.11.1.10 and name
iqn.1987-05.com.cisco:01.255891611111 connects to IPS port 7/1 and is identified using its IPv4
address (host 1 = 10.11.1.10).
The iSCSI initiator host 2 with IPv4 address 10.15.1.10 and node name
iqn.1987-05.com.cisco:01.25589167f74c connects to IPS port 7/5.

Figure 50-42 iSCSI Scenario 1

[Figure: Host 1 (10.11.1.10) connects to iSCSI port 7/1 and Host 2 (10.15.1.10) to iSCSI port 7/5 on Switch 1. Fibre Channel targets: interface fc 2/1, 21:00:00:20:37:6f:fd:97; interface fc 2/5, 21:00:00:20:37:6f:fe:54; interface fc 2/9, 21:00:00:20:37:a6:a6:5d. Zones: iSCSI-zone-1 and iSCSI-zone-2.]

To configure scenario 1 (see Figure 50-42), follow these steps:

Step 1 Configure null authentication for all iSCSI hosts in Cisco MDS switches.
a. In Fabric Manager, choose End Devices > iSCSI in the Physical Attributes pane.
b. Select none from the AuthMethod drop-down menu in the Information pane.
c. Click the Apply Changes icon.
Step 2 Configure iSCSI to dynamically import all Fibre Channel targets into the iSCSI SAN using
auto-generated iSCSI target names.
a. In Device Manager, click IP > iSCSI.
b. Click the Targets tab.
c. Check the Dynamically Import FC Targets check box.
d. Click Apply.
Step 3 Configure the Gigabit Ethernet interface in slot 7 port 1 with an IPv4 address and enable the interface.
a. In Fabric Manager, choose Switches > Interfaces > Gigabit Ethernet in the Physical Attributes
pane.
b. Select the IP Address tab in the Information pane and click Create Row.
c. Set the IP address and subnet mask for the Gigabit Ethernet interface in slot 7 port 1.
d. Click Create.


e. Select the General tab and select up from the Admin drop-down menu for the Gigabit Ethernet
interface in slot 7 port 1.
f. Click the Apply Changes icon.

Note Host 2 is connected to this port.

Step 4 Configure the iSCSI interface in slot 7 port 1 to identify all dynamic iSCSI initiators by their IP address,
and enable the interface.
a. In Fabric Manager, choose Switches > Interfaces > FC Logical in the Physical Attributes pane.
b. Click the iSCSI tab in the Information pane.
c. Select ipaddress from the Initiator ID Mode drop-down menu and click the Apply Changes icon.
d. In Device Manager, choose Interfaces > Ethernet and iSCSI.
e. Click the iSCSI tab.
f. Select up from the Admin drop-down menu for the iSCSI interface in slot 7 port 1.
g. Click Apply.
Step 5 Configure the Gigabit Ethernet interface in slot 7 port 5 with an IPv4 address and enable the interface.
a. In Fabric Manager, choose Switches > Interfaces > Gigabit Ethernet in the Physical Attributes
pane.
b. Click the IP Address tab in the Information pane and click Create Row.
c. Set the IP address and subnet mask for the Gigabit Ethernet interface in slot 7 port 5.
d. Click Create.
e. Select the General tab and select up from the Admin drop-down menu for the Gigabit Ethernet
interface in slot 7 port 5.
f. Click the Apply Changes icon.
Step 6 Configure the iSCSI interface in slot 7 port 5 to identify all dynamic iSCSI initiators by node name and
enable the interface.
a. In Fabric Manager, choose Switches > Interfaces > FC Logical in the Physical Attributes pane.
b. Click the iSCSI tab in the Information pane.
c. Select name from the Initiator ID Mode drop-down menu and click the Apply Changes icon.
d. In Device Manager, choose Interfaces > Ethernet and iSCSI.
e. Click the iSCSI tab.
f. Select up from the Admin drop-down menu for the iSCSI interface in slot 7 port 5.
g. Click Apply.

Note Host 1 is connected to this port.

Step 7 Verify the available Fibre Channel targets.


a. In Device Manager, choose FC > Name Server.
b. Click the General tab.
Step 8 Create a zone named iscsi-zone-1 with host 1 and one Fibre Channel target in it.


Note Use the IP address of the host in zone membership configuration because the iSCSI interface is
configured to identify all hosts based on IP address.

a. In Fabric Manager, choose Zones > Edit Local Full Zone Database.
b. Select VSAN 1 from the VSAN drop-down menu in the Edit Local Full Zone Database dialog box.
c. Select the Zones folder in the left navigation pane and click Insert.
d. Set the Zone Name field to iscsi-zone-1 and click OK.
e. Select the iscsi-zone-1 folder in the left navigation pane and click Insert.
f. Set the ZoneBy radio button to WWN.
g. Set the Port WWN to the pWWN for the Fibre Channel target (that is, 21:00:00:20:37:6f:fd:97) and
click Add.
h. Set the ZoneBy radio button to iSCSI IP Address/Subnet.
i. Set the IP Address/Mask field to the IP Address for Host 1 iSCSI initiator (10.11.1.10) and click
Add.
Step 9 Create a zone named iscsi-zone-2 with host 2 and two Fibre Channel targets in it.

Note Use the symbolic node name of the iSCSI host in zone membership configuration because the
iSCSI interface is configured to identify all hosts based on node name.

a. In Fabric Manager, choose Zones > Edit Local Full Zone Database from the main menu.
b. Select VSAN 2 from the VSAN drop-down menu in the Edit Local Full Zone Database dialog box.
c. Select the Zones folder in the left navigation pane and click Insert.
d. Set the Zone Name field to iscsi-zone-2 and click OK.
e. Select the iscsi-zone-2 folder in the left navigation pane and click Insert.
f. Set the ZoneBy radio button to WWN.
g. Set the Port WWN to the pWWN for one of the Fibre Channel targets (for example,
21:00:00:20:37:6f:fe:5) and click Add.
h. Set the Port WWN to the pWWN for another of the Fibre Channel targets (for example,
21:00:00:20:37:a6:a6:5d) and click Add.
i. Set the ZoneBy radio button to iSCSI name.
j. Set the Port Name field to the symbolic name for host 2 (iqn.1987-05.com.cisco:01.25589167f74c)
and click Add.
Step 10 Create a zone set, add the two zones as members, and activate the zone set.

Note iSCSI interface is configured to identify all hosts based on node name.

a. In Fabric Manager, choose Zones > Edit Local Full Zone Database.
b. Select VSAN 1 from the VSAN drop-down menu in the Edit Local Full Zone Database dialog box.
c. Select the Zoneset folder in the left navigation pane and click Insert.
d. Set the Zoneset Name to zonset-iscsi and click OK.


e. Click on the zoneset-iscsi folder and click Insert.


f. Set the Zone Name field to iscsi-zone-1 and click OK.
g. Set the Zone Name field to iscsi-zone-2 and click OK.
h. Click Activate to activate the new zone set.
i. Click Continue Activation to finish the activation.
Step 11 Bring up the iSCSI hosts (host 1 and host 2).
Step 12 Show all the iSCSI sessions.
a. In Device Manager, choose Interfaces > Monitor > Ethernet.
b. Click the iSCSI connections tab to show all the iSCSI sessions.
c. In Device Manager, choose IP > iSCSI and select the Session Initiators tab.
d. Click Details.
Step 13 In Fabric Manager, choose End Devices > iSCSI in the Physical Attributes pane to verify the details of
the two iSCSI initiators.
Step 14 In Fabric Manager, choose Zones > Edit Local Full Zone Database to view the active zone set. The
iSCSI initiators' FC IDs are resolved.

Step 15 In Device Manager, choose FC > Name Server. The Fibre Channel name server shows the virtual N
ports created for the iSCSI hosts.
Step 16 In Device Manager, choose FC > Name Server.
Step 17 Click the Advanced tab. Verify the detailed output of the iSCSI initiator nodes in the Fibre Channel
name server.
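
The matching rule stated in the notes for Steps 8 and 9 (a zone member must use the identifier that the iSCSI interface is configured to use), modelled as an added example that is not part of the Cisco guide. The class and function names are hypothetical, the pWWNs are those shown in Figure 50-42, and the /32 mask is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Initiator:
    label: str
    ip: str
    node_name: str
    ips_port: str  # IPS port the host connects to


# Initiator ID Mode configured on each iSCSI interface (Steps 4 and 6).
ID_MODE = {"7/1": "ipaddress", "7/5": "name"}

HOST1 = Initiator("host 1", "10.11.1.10",
                  "iqn.1987-05.com.cisco:01.255891611111", "7/1")
HOST2 = Initiator("host 2", "10.15.1.10",
                  "iqn.1987-05.com.cisco:01.25589167f74c", "7/5")

# Zone members as (type, value). The /32 mask is an assumption; the guide
# only says to put the host IP address in the IP Address/Mask field.
ZONES = {
    "iscsi-zone-1": [("pwwn", "21:00:00:20:37:6f:fd:97"),
                     ("ip", "10.11.1.10/32")],
    "iscsi-zone-2": [("pwwn", "21:00:00:20:37:6f:fe:54"),
                     ("pwwn", "21:00:00:20:37:a6:a6:5d"),
                     ("iscsi-name", HOST2.node_name)],
}


def identity(init, id_mode=ID_MODE):
    """Return the (type, value) the switch uses to identify this initiator."""
    mode = id_mode[init.ips_port]
    if mode == "ipaddress":
        return ("ip", init.ip)
    if mode == "name":
        return ("iscsi-name", init.node_name)
    raise ValueError(f"unknown Initiator ID Mode: {mode}")


def member_matches(member, ident):
    """True when a zone member refers to the given initiator identity."""
    mtype, mvalue = member
    itype, ivalue = ident
    if mtype != itype:
        return False
    if mtype == "ip":
        network = ipaddress.ip_network(mvalue, strict=False)
        return ipaddress.ip_address(ivalue) in network
    return mvalue.lower() == ivalue.lower()


def accessible_targets(init, zones=ZONES, id_mode=ID_MODE):
    """pWWNs of the targets that share a zone with the initiator's identity."""
    ident = identity(init, id_mode)
    targets = set()
    for members in zones.values():
        if any(member_matches(m, ident) for m in members):
            targets.update(v for t, v in members if t == "pwwn")
    return sorted(targets)


def audit(initiators, zones=ZONES, id_mode=ID_MODE):
    """Flag zone members that name a host by the identifier its interface
    does not use; such a member never matches, so the host gets no access."""
    findings = []
    for zone, members in zones.items():
        for member in members:
            for init in initiators:
                used = identity(init, id_mode)
                if used[0] == "ip":
                    unused = ("iscsi-name", init.node_name)
                else:
                    unused = ("ip", init.ip)
                if member_matches(member, unused):
                    findings.append((zone, init.label, member[0], used[0]))
    return findings
```

Each finding is a tuple of zone name, host, the member type found in the zone, and the identifier type the interface actually uses.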

Target Storage Device Requiring LUN Mapping


Sample scenario 2 assumes the following configuration (see Figure 50-43):
Access control is based on Fibre Channel zoning.
There is target-based LUN mapping or LUN masking.
There is no iSCSI authentication (none).
The iSCSI initiator is assigned to different VSANs.


Figure 50-43 iSCSI Scenario 2

[Figure: Host 1 and Host 2 connect over iSCSI to Switch 1. Fibre Channel targets: interface fc 2/1, 21:00:00:20:37:6f:fd:97; interface fc 2/5, 21:00:00:20:37:6f:fe:54; interface fc 2/9, 21:00:00:20:37:a6:a6:5d. VSANs: VSAN 1 and VSAN 2.]

To configure scenario 2 (see Figure 50-43), follow these steps:

Step 1 Configure null authentication for all iSCSI hosts.


a. In Fabric Manager, choose End Devices > iSCSI in the Physical Attributes pane.
b. Select none from the AuthMethod drop-down menu in the Information pane.
c. Click the Apply Changes icon.
Step 2 Configure iSCSI to dynamically import all Fibre Channel targets into the iSCSI SAN using
auto-generated iSCSI target names.
a. In Device Manager, click IP > iSCSI.
b. Click the Targets tab.
c. Check the Dynamically Import FC Targets check box.
d. Click Apply.
Step 3 Configure the Gigabit Ethernet interface in slot 7 port 1 with an IPv4 address and enable the interface.
a. In Fabric Manager, choose Switches > Interfaces > Gigabit Ethernet in the Physical Attributes
pane.
b. Select the IP Address tab in the Information pane and click Create Row.
c. Set the IP address and subnet mask for the Gigabit Ethernet interface in slot 7 port 1.
d. Click Create.
e. Click the General tab and select up from the Admin drop-down menu for the Gigabit Ethernet
interface in slot 7 port 1.
f. Click the Apply Changes icon.
Step 4 Configure the iSCSI interface in slot 7 port 1 to identify all dynamic iSCSI initiators by their IP address
and enable the interface.
a. In Fabric Manager, choose Switches > Interfaces > FC Logical in the Physical Attributes pane.
b. Select the iSCSI tab in the Information pane.


c. Select ipaddress from the Initiator ID Mode drop-down menu and click the Apply Changes icon.
d. In Device Manager, choose Interfaces > Ethernet and iSCSI.
e. Click the iSCSI tab.
f. Select up from the Admin drop-down menu for the iSCSI interface in slot 7 port 1.
g. Click Apply.
Step 5 Configure the Gigabit Ethernet interface in slot 7 port 5 with the IPv4 address and enable the interface.
a. In Fabric Manager, choose Switches > Interfaces > Gigabit Ethernet in the Physical Attributes
pane.
b. Click the IP Address tab in the Information pane and click Create Row.
c. Set the IP address and subnet mask for the Gigabit Ethernet interface in slot 7 port 5.
d. Click Create.
e. Select the General tab and select up from the Admin drop-down menu for the Gigabit Ethernet
interface in slot 7 port 5.
f. Click the Apply Changes icon.
Step 6 Configure the iSCSI interface in slot 7 port 5 to identify all dynamic iSCSI initiators by IP address and
enable the interface.
a. In Fabric Manager, choose Switches > Interfaces > FC Logical in the Physical Attributes pane.
b. Click the iSCSI tab in the Information pane.
c. Select ipaddress from the Initiator ID Mode drop-down menu and click the Apply Changes icon.
d. In Device Manager, choose Interfaces > Ethernet and iSCSI.
e. Click the iSCSI tab.
f. Select up from the Admin drop-down menu for the iSCSI interface in slot 7 port 5.
g. Click Apply.
Step 7 Configure a static pWWN and nWWN for host 1.
a. In Device Manager, choose IP > iSCSI.
b. Click the Initiators tab.
c. Check the Node Address Persistent and Node Address System-assigned check boxes for the Host 1
iSCSI initiator.
d. Click Apply.
Step 8 Configure a static pWWN for Host 2.
a. In Device Manager, choose IP > iSCSI.
b. Click the Initiators tab.
c. Right-click on the Host 2 iSCSI initiator and click Edit pWWN.
d. Select 1 from the System-assigned Num field and click Apply.
Step 9 View the configured WWNs.

Note The WWNs are assigned by the system. The initiators are members of different VSANs.

a. In Fabric Manager, choose End Devices > iSCSI in the Physical Attributes pane.


b. Click the Initiators tab.


Step 10 Create a zone for Host 1 and the iSCSI target in VSAN 1.

Note Use the IP address of the host in zone membership configuration because the iSCSI interface is
configured to identify all hosts based on IP address.

a. In Fabric Manager, choose Zones > Edit Local Full Zone Database.
b. Select VSAN 1 from the VSAN drop-down menu in the Edit Local Full Zone Database dialog box.
c. Select the Zones folder in the left navigation pane and click Insert.
d. Set the Zone Name field to iscsi-zone-1 and click OK.
e. Select the iscsi-zone-1 folder in the left navigation pane and click Insert.
f. Set the ZoneBy radio button to WWN.
g. Set the Port WWN to the pWWN for the Fibre Channel target (that is, 21:00:00:20:37:6f:fd:97) and
click Add.
h. Set the ZoneBy radio button to iSCSI IP Address/Subnet.
i. Set the IP Address/Mask field to the IP Address for Host 1 iSCSI initiator (10.11.1.10) and click
Add.

Note For zone membership of the iSCSI initiator with Fibre Channel storage, either the iSCSI symbolic
node name or the pWWN can be used. In this case, the pWWN is persistent.

Step 11 Create a zone set in VSAN 1 and activate it.


a. In Fabric Manager, choose Zones > Edit Local Full Zone Database.
b. Select VSAN 1 from the VSAN drop-down menu in the Edit Local Full Zone Database dialog box.
c. Select the Zoneset folder in the left navigation pane and click Insert.
d. Set the Zoneset Name to zonset-iscsi-1 and click OK.
e. Click on the zoneset-iscsi-1 folder and click Insert.
f. Set the Zone Name field to iscsi-zone-1 and click OK.
g. Click Activate to activate the new zone set.
h. Click Continue Activation to finish the activation.
Step 12 Create a zone with host 2 and two Fibre Channel targets.

Note If the host is in VSAN 2, the Fibre Channel targets and zone must also be in VSAN 2.

Note iSCSI interface is configured to identify all hosts based on node name.

a. In Fabric Manager, choose Zones > Edit Local Full Zone Database.
b. Select VSAN 2 from the VSAN drop-down menu in the Edit Local Full Zone Database dialog box.
c. Select the Zones folder in the left navigation pane and click Insert.


d. Set the Zone Name field to iscsi-zone-2 and click OK.


e. Select the iscsi-zone-2 folder in the left navigation pane and click Insert.
f. Set the ZoneBy radio button to WWN.
g. Set the Port WWN to the pWWN for one of the Fibre Channel targets (for example,
21:00:00:20:37:6f:fe:5) and click Add.
h. Set the Port WWN to the pWWN for another of the Fibre Channel targets (for example,
21:00:00:20:37:a6:a6:5d) and click Add.
i. Set the ZoneBy radio button to iSCSI IP Address/Subnet.
j. Set the IP Address/Mask field to the IP Address for Host 2 iSCSI initiator (10.15.1.11) and click
Add.
Step 13 Create a zone set in VSAN 2 and activate it.
a. In Fabric Manager, choose Zones > Edit Local Full Zone Database.
b. Select VSAN 2 from the VSAN drop-down menu in the Edit Local Full Zone Database dialog box.
c. Select the Zoneset folder in the left navigation pane and click Insert.
d. Set the Zoneset Name to zonset-iscsi-2 and click OK.
e. Click on the zoneset-iscsi-2 folder and click Insert.
f. Set the Zone Name field to iscsi-zone-2 and click OK.
g. Click Activate to activate the new zone set.
h. Click Continue Activation to finish the activation.
Step 14 Start the iSCSI clients on both hosts.
Step 15 Show all the iSCSI sessions.
a. In Device Manager, choose Interface > Monitor > Ethernet and select the iSCSI connections tab
to show all the iSCSI sessions.
b. In Device Manager, choose IP > iSCSI and select the Session Initiators tab.
c. Click Details.
Step 16 In Fabric Manager, choose End Devices > iSCSI in the Physical Attributes pane to verify the details of
the two iSCSI initiators.
Step 17 In Fabric Manager, choose Zones > Edit Local Full Zone Database to view the active zone set. The
iSCSI initiators' FC IDs are resolved.

Step 18 In Device Manager, choose FC > Name Server. The Fibre Channel name server shows the virtual N
ports created for the iSCSI hosts.
Step 19 In Device Manager, choose FC > Name Server.
Step 20 Click the Advanced tab. Verify the detailed output of the iSCSI initiator nodes in the Fibre Channel
name server.


iSNS
Internet Storage Name Service (iSNS) allows your existing TCP/IP network to function more effectively
as a SAN by automating the discovery, management, and configuration of iSCSI devices. To facilitate
these functions, the iSNS server and client function as follows:
The iSNS client registers iSCSI portals and all iSCSI devices accessible through them with an iSNS
server.
The iSNS server provides the following services for the iSNS client:
Device registration
State change notification
Remote domain discovery services
All iSCSI devices (both initiator and target) acting as iSNS clients, can register with an iSNS server.
iSCSI initiators can then query the iSNS server for a list of targets. The iSNS server will respond with a
list of targets that the querying client can access based on configured access control parameters.
A Cisco MDS 9000 Family switch can act as an iSNS client and register all available iSCSI targets with
an external iSNS server. All switches in the Cisco MDS 9000 Family with IPS modules or MPS-14/2
modules installed support iSNS server functionality. This allows external iSNS clients, such as an iSCSI
initiator, to register with the switch and discover all available iSCSI targets in the SAN.
This section includes the following topics:
About iSNS Client Functionality
Creating an iSNS Client Profile
About iSNS Server Functionality
Configuring iSNS Servers

About iSNS Client Functionality


The iSNS client functionality on each IPS interface (Gigabit Ethernet interface or subinterface or
PortChannel) registers information with an iSNS server. You must specify an iSNS server's IP address
by creating an iSNS profile, adding the server's IP address to it, and then assigning (or tagging) the
profile to the interface. An iSNS profile can be tagged to one or more interfaces.
Once a profile is tagged to an interface, the switch opens a TCP connection to the iSNS server IP address
(using the well-known iSNS port number 3205) in the profile and registers network entity and portal
objects; a unique entity is associated with each IPS interface. The switch then searches the Fibre Channel
name server (FCNS) database and switch configuration to find storage nodes to register with the iSNS
server.
Statically mapped virtual targets are registered if the associated Fibre Channel pWWN is present in the
FCNS database and no access control configuration prevents it. A dynamically mapped target is
registered if dynamic target importing is enabled. See the "Presenting Fibre Channel Targets as iSCSI
Targets" section for more details on how iSCSI imports Fibre Channel targets.
A storage node is deregistered from the iSNS server when it becomes unavailable, either because a
configuration changes (such as access control change or dynamic import disabling) or because the Fibre
Channel storage port goes offline. It is registered again when the node comes back online.


When the iSNS client is unable to register or deregister objects with the iSNS server (for example, the
client is unable to make a TCP connection to the iSNS server), it retries every minute to reregister all
iSNS objects for the affected interfaces with the iSNS server. The iSNS client uses a registration interval
value of 15 minutes. If the client fails to refresh the registration during this interval, the server will
deregister the entries.
Untagging a profile also causes the network entity and portal to be deregistered from that interface.

Note The iSNS client is not supported on a VRRP interface.

Creating an iSNS Client Profile


To create an iSNS profile using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSCSI in the Physical Attributes pane.
You see the iSCSI configuration in the Information pane (see Figure 50-10).
Step 2 Select the iSNS tab.
Step 3 You see the iSNS profiles configured (see Figure 50-44).

Figure 50-44 iSNS Profiles in Fabric Manager

Step 4 Click the Create Row icon.


You see the Create iSNS Profiles dialog box.
Step 5 Set the ProfileName field to the iSNS profile name that you want to create.
Step 6 Set the ProfileAddr field to the IP address of the iSNS server.
Step 7 Click Create to save these changes.

To delete an iSNS profile using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSCSI from the Physical Attributes pane.
You see the iSCSI configuration in the Information pane (see Figure 50-10).
Step 2 Select the iSNS tab.
You see the iSNS profiles configured (see Figure 50-44).
Step 3 Right-click on the profile that you want to delete and click the Delete Row icon.


To tag a profile to an interface using Fabric Manager, follow these steps:

Step 1 Choose Switches > Interfaces > Gigabit Ethernet in the Physical Attributes pane.
You see the Gigabit Ethernet configuration in the Information pane.
Step 2 Click the iSNS tab.
You see the iSNS profiles configured for these interfaces (see Figure 50-45).

Figure 50-45 iSNS Profiles in Fabric Manager

Step 3 Set the iSNS ProfileName field to the iSNS profile name that you want to add to this interface.
Step 4 Click the Apply Changes icon to save these changes.

To untag a profile from an interface using Fabric Manager, follow these steps:

Step 1 Choose Switches > Interfaces > Gigabit Ethernet in the Physical Attributes pane.
You see the Gigabit Ethernet Configuration in the Information pane.
Step 2 Select the iSNS tab.
You see the iSNS profiles configured for these interfaces (see Figure 50-45).
Step 3 Right-click the iSNS ProfileName field that you want to untag and delete the text in that field.
Step 4 Click the Apply Changes icon to save these changes.

About iSNS Server Functionality


When enabled, the iSNS server on the Cisco MDS 9000 Family switch tracks all registered iSCSI
devices. As a result, iSNS clients can locate other iSNS clients by querying the iSNS server. The iSNS
server also provides the following functions:
Allows iSNS clients to register, deregister, and query other iSNS clients registered with the iSNS
server.
Provides centralized management for enforcing access control to provide or deny access to targets
from specific initiators.
Provides a notification mechanism for registered iSNS clients to receive change notifications on the
status change of other iSNS clients.
Provides a single access control configuration for both Fibre Channel and iSCSI devices.
Discovers iSCSI targets that do not have direct IP connectivity to the iSCSI initiators.


Example Scenario
The iSNS server provides uniform access control across Fibre Channel and iSCSI devices by utilizing
both Fibre Channel zoning information and iSCSI access control information and configuration. An
iSCSI initiator acting as an iSNS client only discovers devices it is allowed to access based on both sets
of access control information. Figure 50-46 provides an example of this scenario.

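Figure 50-46 Using iSNS Servers in the Cisco MDS Environment

[Figure: iSCSI initiators iqn.host1 and iqn.host2 (iSCSI TOE) connect through IP Network-1 to Gigabitethernet 2/1 on SW-1 and Gigabitethernet 3/1 on SW-2. Fibre Channel target P1 (Zone 1) attaches to SW-1 and target P2 (Zone 2) attaches to SW-2.]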

In Figure 50-46, iqn.host1 and iqn.host2 are iSCSI initiators. P1 and P2 are Fibre Channel targets. The
two initiators are in different zones: Zone 1 consists of iqn.host1 and target P1, and Zone 2 consists of
iqn.host2 and target P2. iSNS server functionality is enabled on both switches, SW-1 and SW-2. The
registration process proceeds as follows:
1. Initiator iqn.host1 registers with SW-1, port Gigabitethernet2/1.
2. Initiator iqn.host2 registers with SW-2, port Gigabitethernet3/1.
3. Initiator iqn.host1 issues an iSNS query to SW-1 to determine all accessible targets.
4. The iSNS server in turn queries the Fibre Channel name server (FCNS) to obtain a list of devices
that are accessible (that is, in the same zone) by the query originator. This query yields only P1.
5. The iSNS server then queries its own database to convert the Fibre Channel devices to the
corresponding iSCSI targets. This is based on the iSCSI configuration, such as virtual-target and its
access control setting or whether the dynamic Fibre Channel target import feature is enabled or
disabled.
6. The iSNS server sends a response back to the query initiator. This response contains a list of all iSCSI
portals known to the iSNS server. This means iqn.host1 can choose to log in to target P1 through
either SW-1 (at Gigabitethernet 2/1) or SW-2 (at Gigabitethernet 3/1).
7. If the initiator chooses to log in to SW-1 and later that port becomes inaccessible (for example,
Gigabitethernet 2/1 goes down), the initiator has the choice to move to connect to target P1 through
port Gigabitethernet 3/1 on SW-2 instead.
8. If the target either goes down or is removed from the zone, the iSNS server sends out an iSNS State
Change Notification (SCN) message to the initiator so that the initiator can remove the session.
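
The query path in steps 4 to 6 and the notification in step 8, modelled as an added example that is not part of the Cisco guide. The class names, the `permit` list, the rule that a static virtual target takes precedence over dynamic import, and the `iqn.example:dynamic.*` target names are assumptions made for the model.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VirtualTarget:
    iscsi_name: str      # statically configured iSCSI target name
    fc_target: str       # Fibre Channel target it maps to
    permit: frozenset    # initiators allowed by iSCSI access control


@dataclass
class IsnsServer:
    zones: dict          # zone name -> set of member names
    fc_targets: set      # which zone members are Fibre Channel targets
    portals: list        # every iSCSI portal known to the server
    virtual_targets: list = field(default_factory=list)
    dynamic_import: bool = False
    registered: set = field(default_factory=set)

    def register(self, initiator):
        """Steps 1 and 2: an initiator registers as an iSNS client."""
        self.registered.add(initiator)

    def zoned_fc_targets(self, initiator):
        """Step 4: FCNS lookup, FC devices in the same zone as the initiator."""
        found = set()
        for members in self.zones.values():
            if initiator in members:
                found |= members & self.fc_targets
        return found

    def to_iscsi_targets(self, initiator, fc_targets):
        """Step 5: convert FC devices to iSCSI targets using iSCSI config."""
        names = {}
        for fc in sorted(fc_targets):
            static = [v for v in self.virtual_targets if v.fc_target == fc]
            for vt in static:
                if initiator in vt.permit:
                    names[vt.iscsi_name] = fc
            # Assumption: dynamic import applies only without a static mapping.
            if not static and self.dynamic_import:
                names[f"iqn.example:dynamic.{fc.lower()}"] = fc
        return names

    def query(self, initiator):
        """Steps 4-6: accessible targets, each offered on all known portals."""
        fc = self.zoned_fc_targets(initiator)
        targets = self.to_iscsi_targets(initiator, fc)
        return {name: list(self.portals) for name in sorted(targets)}

    def remove_from_zone(self, zone, fc_target):
        """Step 8: remove a target from a zone; return the SCNs to send."""
        before = {i: set(self.query(i)) for i in self.registered}
        self.zones[zone].discard(fc_target)
        scns = []
        for init in sorted(self.registered):
            for lost in sorted(before[init] - set(self.query(init))):
                scns.append((init, "SCN", lost))
        return scns


def build_example(dynamic_import=True, virtual_targets=()):
    """Constructed data matching Figure 50-46."""
    server = IsnsServer(
        zones={"Zone 1": {"iqn.host1", "P1"}, "Zone 2": {"iqn.host2", "P2"}},
        fc_targets={"P1", "P2"},
        portals=["SW-1 Gigabitethernet 2/1", "SW-2 Gigabitethernet 3/1"],
        virtual_targets=list(virtual_targets),
        dynamic_import=dynamic_import,
    )
    server.register("iqn.host1")
    server.register("iqn.host2")
    return server
```

A target appears in a query result only when both the zone and the iSCSI access control admit the initiator, which is the "both sets of access control information" condition described above.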


Configuring iSNS Servers


This section describes how to configure an iSNS server on a Cisco MDS 9000 Family switch.
This section includes the following topics:
Enabling the iSNS Server
iSNS Configuration Distribution
Configuring the ESI Retry Count
Configuring the Registration Period
iSNS Client Registration and Deregistration
Target Discovery

Enabling the iSNS Server


Before the iSNS server feature can be enabled, iSCSI must be enabled (see the "Enabling iSCSI" section).
When you disable iSCSI, iSNS is automatically disabled. When the iSNS server is
enabled on a switch, every IPS port whose corresponding iSCSI interface is up is capable of servicing
iSNS registration and query requests from external iSNS clients.
To enable the iSNS server using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSNS.


You see the iSNS configuration in the Information pane.
Step 2 Click the Control tab and select enable from the Command drop-down menu for the iSNS server feature.
Step 3 Click the Apply Changes icon to save this change.

Note If you are using VRRP IPv4 addresses for discovering targets from iSNS clients, ensure that the IP
address is created using the secondary option (.

iSNS Configuration Distribution


You can use the CFS infrastructure to distribute the iSCSI initiator configuration to iSNS servers across
the fabric. This allows the iSNS server running on any switch to provide a querying iSNS client a list of
iSCSI devices available anywhere on the fabric. For information on CFS, see Chapter 13, Using the
CFS Infrastructure.
To enable iSNS configuration distribution using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSNS.
You see the iSNS configuration in the Information pane.
Step 2 Click the CFS tab and select enable from the Admin drop-down menu for iSNS.
Step 3 Select enable from the Global drop-down menu for iSNS.
Step 4 Click the Apply Changes icon to save this change.

Configuring the ESI Retry Count


The iSNS client registers information with its configured iSNS server using an iSNS profile. At
registration, the client can indicate an entity status inquiry (ESI) interval of 60 seconds or more. If the
client registers with an ESI interval set to zero (0), then the server does not monitor the client using ESI.
In such cases, the client's registrations remain valid until explicitly deregistered or the iSNS server
feature is disabled.
The ESI retry count is the number of times the iSNS server queries iSNS clients for their entity status.
The default ESI retry count is 3. The client sends the server a response to indicate that it is still alive. If
the client fails to respond after the configured number of retries, the client is deregistered from the server.

Configuring the Registration Period


The iSNS client specifies the registration period with the iSNS Server. The iSNS Server keeps the
registration active until the end of this period. If there are no commands from the iSNS client during this
period, then the iSNS server removes the client registration from its database.
If the iSNS client does not specify a registration period, the iSNS server assumes a default value of 0,
which keeps the registration active indefinitely. You can also manually configure the registration period
on the MDS iSNS Server.
To configure the registration period on an iSNS Server using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSNS.
You see the iSNS configuration in the Information pane.
Step 2 Click the Servers tab.
You see the configured iSNS servers.
Step 3 Set the ESI NonResponse Threshold field to the ESI retry count value.
Step 4 Click the Apply Changes icon to save this change.

iSNS Client Registration and Deregistration


An iSNS client cannot query the iSNS server until it has registered.
iSNS client deregistration can occur either explicitly or when the iSNS server detects that it can no
longer reach the client (through ESI monitoring).
iSNS client registration and deregistration result in status change notifications (SCNs) being generated
to all interested iSNS clients.

Target Discovery
iSCSI initiators discover targets by issuing queries to the iSNS server. The server supports DevGetNext
requests to search the list of targets and DevAttrQuery to determine target and portal details, such as the
IP address or port number to which to connect.


On receiving a query request from the iSCSI client, the iSNS server queries the Fibre Channel Name
Server (FCNS) to obtain a list of Fibre Channel targets that are accessible by the querying initiator. The
result of this query depends on the currently active zoning configuration and the current configuration(s)
of the initiator. The iSNS server will subsequently use the iSCSI target configuration(s) (virtual target and
dynamic import configuration) to translate the Fibre Channel target to an equivalent iSCSI target. At this
stage it also applies any access control configured for the virtual target. A response message with the
target details is then sent back to the query initiator.
The iSNS server sends a consolidated response containing all possible targets and portals to the querying
initiator. For example, if a Fibre Channel target is exported as different iSCSI targets on different IPS
interfaces, the iSNS server will respond with a list of all possible iSCSI targets and portals.
In order to keep the list of targets updated, the iSNS server sends state change notifications (SCN) to the
client whenever an iSCSI target becomes reachable or unreachable. The client is then expected to
rediscover its list of accessible targets by initiating another iSNS query. Reachability of iSCSI targets
changes when any one of the following occurs:
• Target goes up or down.
• Dynamic import of FC target configuration changes.
• Zone set changes.
• Default zone access control changes.
• IPS interface state changes.
• Initiator configuration change makes the target accessible or inaccessible.

iSNS Cloud Discovery


You can configure iSNS cloud discovery to automate the process of discovering iSNS servers in the IP
network.
This section includes the following topics:
• About Cloud Discovery
• Configuring iSNS Cloud Discovery

About Cloud Discovery

Note iSNS Cloud Discovery is not supported on the Cisco Fabric Switch for IBM BladeCenter and Cisco
Fabric Switch for HP c-Class BladeSystem.

When an iSNS server receives a query request, it responds with a list of available targets and the portals
through which the initiator can reach the target. The IP network configuration outside the MDS switch
may result in only a subset of Gigabit Ethernet interfaces being reachable from the initiator. To ensure
that the set of portals returned to the initiator is reachable, the iSNS server needs to know the set of
Gigabit Ethernet interfaces that are reachable from a given initiator.


The iSNS cloud discovery feature provides information to the iSNS server on the various interfaces
reachable from an initiator by partitioning the interfaces on a switch into disjoint IP clouds. This
discovery is achieved by sending messages to all other known IPS ports that are currently up and,
depending on the response (or the lack of it), determining whether the remote IPS port is in the same
IP network or in a different IP network.
Cloud discovery is initiated when the following events occur:
• Manual requests from the CLI initiate cloud discovery. This action causes the
destruction of existing memberships and makes new ones.
• Auto-discovery of the interface results in an interface being assigned to its correct cloud. All other
cloud members are not affected. The membership of each cloud is built incrementally and is initiated
by the following events:
  – A Gigabit Ethernet interface comes up. This can be a local or remote Gigabit Ethernet interface.
  – The IP address of a Gigabit Ethernet interface changes.
  – The VRRP configuration on a port changes.
The iSNS server distributes cloud and membership information across all the switches using CFS.
Therefore, the cloud membership view is the same on all the switches in the fabric.

Note For CFS distribution to operate correctly for iSNS cloud discovery, all switches in the fabric must be
running Cisco SAN-OS Release 3.0(1) or NX-OS 4.1(1b) and later.
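
The partitioning described above can be modelled in a few lines. The following Python sketch is an added example, not Cisco code: the port names, addresses, probe results, and the assumption that an initiator belongs to the cloud of the IPS port on which its query arrived are all constructed for illustration. It shows a full rebuild (manual discovery), incremental placement of one interface (auto-discovery), and filtering of the portal list returned to an initiator.

```python
def find(parent, port):
    """Return the representative of the cloud that contains port (path halving)."""
    while parent[port] != port:
        parent[port] = parent[parent[port]]
        port = parent[port]
    return port


def manual_discovery(ports_up, answered):
    """Discard all memberships and rebuild every cloud, as a manual request does.

    ports_up: IPS ports that are currently up.
    answered: (prober, target) pairs for probes that received a response.
    """
    parent = {p: p for p in ports_up}
    for a, b in answered:
        if a in parent and b in parent:          # ignore results for ports that are down
            parent[find(parent, a)] = find(parent, b)
    clouds = {}
    for p in parent:
        clouds.setdefault(find(parent, p), set()).add(p)
    return [frozenset(members) for members in clouds.values()]


def auto_discovery(clouds, new_port, responders):
    """Place one interface that came up or changed; other members are not moved."""
    updated = [set(c) - {new_port} for c in clouds]   # drop a stale membership, if any
    updated = [c for c in updated if c]
    for cloud in updated:
        if cloud & set(responders):
            cloud.add(new_port)                  # joins the first cloud that answered
            break
    else:
        updated.append({new_port})               # nobody answered: a cloud of its own
    return [frozenset(c) for c in updated]


def reachable_portals(clouds, ingress_port, portals):
    """Keep only portals whose interface shares a cloud with the ingress port."""
    for cloud in clouds:
        if ingress_port in cloud:
            return {port: addr for port, addr in portals.items() if port in cloud}
    return {}


# Constructed sample data: four IPS ports in two separate IP networks.
PORTS_UP = ["sw1-ge2/1", "sw2-ge3/1", "sw3-ge1/1", "sw3-ge1/2"]
ANSWERED = [("sw1-ge2/1", "sw2-ge3/1"), ("sw3-ge1/1", "sw3-ge1/2")]
PORTALS = {
    "sw1-ge2/1": "192.0.2.11",
    "sw2-ge3/1": "192.0.2.12",
    "sw3-ge1/1": "198.51.100.21",
    "sw3-ge1/2": "198.51.100.22",
}

if __name__ == "__main__":
    clouds = manual_discovery(PORTS_UP, ANSWERED)
    for cloud in clouds:
        print(sorted(cloud))
    print(reachable_portals(clouds, "sw1-ge2/1", PORTALS))
```
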

Configuring iSNS Cloud Discovery


This section describes how to configure iSNS cloud discovery and includes the following topics:
• Enabling iSNS Cloud Discovery
• Initiating On-Demand iSNS Cloud Discovery
• Configuring Automatic iSNS Cloud Discovery

Enabling iSNS Cloud Discovery


To enable iSNS cloud discovery using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSNS.
You see the iSNS configuration in the Information pane.
Step 2 Click the Control tab and select enable from the Command drop-down menu for the cloud discovery
feature.
Step 3 Click the Apply Changes icon to save this change.

Initiating On-Demand iSNS Cloud Discovery


To initiate on-demand iSNS cloud discovery using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSNS.
You see the iSNS configuration in the Information pane.
Step 2 Click the Cloud Discovery tab and check the Manual Discovery check box.
Step 3 Click the Apply Changes icon to save this change.

Configuring Automatic iSNS Cloud Discovery


To configure automatic iSNS cloud discovery using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSNS.
You see the iSNS configuration in the Information pane.
Step 2 Click the Cloud Discovery tab and check the AutoDiscovery check box.
Step 3 Click the Apply Changes icon to save this change.

Configuring iSNS Cloud Discovery Distribution


To configure iSNS cloud discovery CFS distribution using Fabric Manager, follow these steps:

Step 1 Choose End Devices > iSNS.
You see the iSNS configuration in the Information pane.
Step 2 Click the CFS tab and select enable from the Admin drop-down menu for the cloud discovery feature.
Step 3 Select enable from the Global drop-down menu for the cloud discovery feature.
Step 4 Click the Apply Changes icon to save this change.

Default Settings
Table 50-2 lists the default settings for iSCSI parameters.

Table 50-2 Default iSCSI Parameters

Parameters                                          Default
Number of TCP connections                           One per iSCSI session.
minimum-retransmit-time                             300 msec.
keepalive-timeout                                   60 seconds.
max-retransmissions                                 4 retransmissions.
PMTU discovery                                      Enabled.
pmtu-enable reset-timeout                           3600 sec.
SACK                                                Enabled.
max-bandwidth                                       1 Gbps.
min-available-bandwidth                             70 Mbps.
round-trip-time                                     1 msec.
Buffer size                                         4096 KB.
Control TCP and data connection                     No packets are transmitted.
TCP congestion window monitoring                    Enabled.
Burst size                                          50 KB.
Jitter                                              500 microseconds.
TCP connection mode                                 Active mode is enabled.
Fibre Channel targets to iSCSI                      Not imported.
Advertising iSCSI target                            Advertised on all Gigabit Ethernet interfaces, subinterfaces, PortChannel interfaces, and PortChannel subinterfaces.
iSCSI hosts mapping to virtual Fibre Channel hosts  Dynamic mapping.
Dynamic iSCSI initiators                            Members of the VSAN 1.
Identifying initiators                              iSCSI node names.
Advertising static virtual targets                  No initiators are allowed to access a virtual target (unless explicitly configured).
iSCSI login authentication                          CHAP or none authentication mechanism.
revert-primary-port                                 Disabled.
Header and data digest                              Enabled automatically when iSCSI initiators send requests. This feature cannot be configured and is not available in store-and-forward mode.
iSNS registration interval                          60 sec (not configurable).
iSNS registration interval retries                  3.
Fabric distribution                                 Disabled.

Table 50-3 lists the default settings for iSLB parameters.

Table 50-3 Default iSLB Parameters

Parameters                                          Default
Fabric distribution                                 Disabled.
Load balancing metric                               1000.

CHAPTER 51
Configuring IP Services

Cisco MDS 9000 Family switches can route IP traffic between Ethernet and Fibre Channel interfaces.
The IP static routing feature is used to route traffic between VSANs. To do so, each VSAN must be in a
different IP subnetwork. Each Cisco MDS 9000 Family switch provides the following services for
network management systems (NMSs):
• IP forwarding on the out-of-band Ethernet interface (mgmt0) on the front panel of the supervisor
modules.
• IP forwarding on the in-band Fibre Channel interface using the IP over Fibre Channel (IPFC)
function: IPFC specifies how IP frames can be transported over Fibre Channel using encapsulation
techniques. IP frames are encapsulated into Fibre Channel frames so NMS information can cross the
Fibre Channel network without using an overlay Ethernet network.
• IP routing (default routing and static routing): If your configuration does not need an external
router, you can configure a default route using static routing.
Switches are compliant with RFC 2338 standards for Virtual Router Redundancy Protocol (VRRP)
features. VRRP is a restartable application that provides a redundant, alternate path to the gateway
switch.

Note For information about configuring IPv6, see Chapter 54, Configuring IPv6 for Gigabit Ethernet
Interfaces.

This chapter includes the following sections:
• Traffic Management Services
• Management Interface Configuration
• Default Gateway
• IPv4 Default Network Configuration
• IPFC
• IPv4 Static Routes
• Overlay VSANs
• Multiple VSAN Configuration
• Virtual Router Redundancy Protocol
• DNS Server Configuration
• Default Settings


Traffic Management Services


In-band options are compliant with and use the RFC 2625 standards. An NMS host running the IP
protocol over an FC interface can access the switch using the IPFC functionality. If the NMS does not
have a Fibre Channel HBA, in-band management can still be performed using one of the switches as an
access point to the fabric (see Figure 51-1).

Figure 51-1 Management Access to Switches
[Diagram not reproduced. Labels: Router; IP address 172.16.1.1; IP network; Out of band management subnetwork; Console connection; Telnet or SSH; CLI; GUI; SNMP; DNS server; Switch 2; mgmt 0 (IP address: 172.16.1.2); Management LAN (Ethernet connection).]

Management Interface Configuration


The management interface on the switch allows multiple simultaneous Telnet or SNMP sessions. You
can remotely configure the switch through the management interface, but first you must configure IP
version 4 (IPv4) parameters (IP address, subnet mask) or an IP version 6 (IPv6) address and prefix length
so that the switch is reachable. For information on configuring IPv6 addresses, see Chapter 54,
Configuring IPv6 for Gigabit Ethernet Interfaces.
On director class switches, a single IP address is used to manage the switch. The active supervisor
module's management (mgmt0) interface uses this IP address. The mgmt0 interface on the standby
supervisor module remains in an inactive state and cannot be accessed until a switchover happens. After
a switchover, the mgmt0 interface on the standby supervisor module becomes active and assumes the
same IP address as the previously active supervisor module.

Note The port on the Ethernet switch to which the MDS management interface is connected should be
configured as a host port (also known as access port) instead of a switch port. Spanning tree
configuration for that port (on the Ethernet switch) should be disabled. This helps avoid the delay in the
MDS management port coming up due to delay from Ethernet spanning tree processing that the Ethernet
switch would run if enabled. For Cisco Ethernet switches, use either the switchport host command in
IOS or the set port host command in Catalyst OS. Refer to the configuration guide for your Ethernet switch.


Note Before you begin to configure the management interface manually, obtain the switch's IP address and IP
subnet mask. Also make sure the console cable is connected to the console port.

To configure the mgmt0 Ethernet interface using Device Manager for IPv6, follow these steps:

Step 1 Select Interface > Mgmt > Mgmt0.
Step 2 Enter the description.
Step 3 Select the administrative state of the interface.
Step 4 Check the CDP check box to enable CDP.
Step 5 Enter the IP address mask.
Step 6 Click Apply to apply the changes.

Default Gateway
You can configure a default gateway IPv4 address on your Cisco MDS 9000 Family switch.
This section includes the following topics:
• About the Default Gateway
• Configuring the Default Gateway

About the Default Gateway


The default gateway IPv4 address should be configured along with the IPv4 static routing attributes (IP
default network, destination prefix, destination mask, and next hop address).

Tip If you configure the static route IP forwarding and the default-network details, these IPv4 addresses will
be used regardless of the default-gateway being enabled or disabled. If these IP addresses are configured
but not available, the switch will fall back to using the default gateway IP address, if you have configured
it. Be sure to configure IP addresses for all entries in the switch.

See the Initial Setup Routine section on page 2-2 for more information on configuring the IP addresses
for all entries in the switch.

Configuring the Default Gateway


To configure an IP route or identify the default gateway using Device Manager, follow these steps:

Step 1 Choose IP > Routes.
You see the IP Routes window.
Step 2 Create a new IP route or identify the default gateway on a switch by clicking Create.
You see the Create IP Routes window.
Step 3 Complete the fields in this window. Configure a static route by entering the destination network ID and
subnet mask in the Dest and Mask fields. Configure a default gateway by entering the IP address of the
seed switch in the Gateway field.
Step 4 Click Create to add the IP route.

IPv4 Default Network Configuration


If you assign the IPv4 default network address, the switch considers routes to that network as the last
resort. If the IPv4 default network address is not available, the switch uses the IPv4 default gateway
address. For every network configured with the IPv4 default network address, the switch flags that route
as a candidate default route, if the route is available.

Tip If you configure the static route IP forwarding and the default network details, these IPv4 addresses will
be used regardless of the default gateway being enabled or disabled. If these IPv4 addresses are
configured and not available, the switch will fall back to using the default gateway IPv4 address, if you
have configured it. Be sure to configure IPv4 addresses for all entries in the switch if you are using IPv4.

See the Initial Setup Routine section on page 2-2 for more information on configuring the IP addresses
for all entries in the switch.
When the Ethernet interface is configured, the switch should point to the gateway router for the IP
network. The host accesses the gateway using a gateway switch. This gateway switch is configured as
the default gateway. The other switches in the fabric that are connected to the same VSAN as the gateway
switch can also be connected through the gateway switch. Every interface connected to this VSAN
should be configured with the VSAN IPv4 address of the gateway switch (see Figure 51-2).

Figure 51-2 Overlay VSAN Functionality
[Diagram not reproduced. Labels: NMS 1.1.1.10; Ethernet connection; VSAN 1; Switch A 1.12.11.1; Switch B 1.12.11.2; Switch C 1.12.11.3; Switch D 1.12.11.4.]

In Figure 51-2, switch A has the IPv4 address 1.12.11.1, switch B has the IPv4 address 1.12.11.2, switch
C has the IPv4 address 1.12.11.3, and switch D has the IPv4 address 1.12.11.4. Switch A is the gateway
switch with the Ethernet connection. The NMS uses the IPv4 address 1.1.1.10 to connect to the gateway
switch. Frames forwarded to any switch in the overlaid VSAN 1 are routed through the gateway switch.
Configuring the gateway switch's IPv4 address (1.12.11.1) in the other switches enables the gateway
switch to forward the frame to the intended destination. Similarly, if a non-gateway switch in the VSAN
forwards a frame to the Ethernet world, the frame is routed through the gateway switch.
When forwarding is disabled (default), IP frames are not sent from one interface to another. In these
cases, the software performs local IP routing between two switches using the in-band option for Fibre
Channel traffic and the mgmt0 option for Ethernet traffic.
When a VSAN is created, a VSAN interface is not created automatically. You need to specifically create
the interface (see the VSAN Interfaces section on page 20-30).

IPFC
IPFC provides IP forwarding or in-band switch management over a Fibre Channel interface (rather than
out-of-band using the Gigabit Ethernet mgmt 0 interface). You can use IPFC to specify that IP frames
can be transported over Fibre Channel using encapsulation techniques. IP frames are encapsulated into
Fibre Channel frames so NMS information can cross the Fibre Channel network without using an overlay
Ethernet network.
Once the VSAN interface is created, you can specify the IP address for that VSAN. You can assign an
IPv4 address or an IPv6 address.

Note See Chapter 54, Configuring IPv6 for Gigabit Ethernet Interfaces, for information about
configuring IPv6 on the Cisco MDS 9000 Family switches.

IPFC Configuration Guidelines


Follow these guidelines to configure IPFC:
1. Create the VSAN to use for in-band management, if necessary.
2. Configure an IPv4 address and subnet mask for the VSAN interface.
3. Enable IPv4 routing.
4. Verify connectivity.

IPv4 Static Routes


If your network configuration does not need an external router, you can configure IPv4 static routing on
your MDS switch.

Note For information about IPv6 static routing, see the Configuring IPv6 for Gigabit Ethernet Interfaces
section on page 54-1.

Static routing is a mechanism to configure IPv4 routes on the switch. You can configure more than one
static route.


If a VSAN has multiple exit points, configure static routes to direct traffic to the appropriate gateway
switch. IPv4 routing is disabled by default on any gateway switch between the out-of-band management
interface and the default VSAN, or between directly connected VSANs.

Overlay VSANs
This section describes overlay VSANs and how to configure them.
This section includes the following topics:
• About Overlay VSANs
• Configuring Overlay VSANs

About Overlay VSANs


VSANs enable deployment of larger SANs by overlaying multiple logical SANs, each running its own
instance of fabric services, on a single large physical network. This partitioning of fabric services
reduces network instability by containing fabric reconfiguration and error conditions within an
individual VSAN. VSANs also provide the same isolation between individual VSANs as physically
separated SANs. Traffic cannot cross VSAN boundaries and devices may not reside in more than one
VSAN. Because each VSAN runs separate instances of fabric services, each VSAN has its own zone
server and can be zoned in exactly the same way as SANs without VSAN capability.

Configuring Overlay VSANs


To configure an overlay VSAN, follow these steps:

Step 1 Add the VSAN to the VSAN database on all switches in the fabric.
Step 2 Create a VSAN interface for the VSAN on all switches in the fabric. Any VSAN interface belonging to
the VSAN has an IP address in the same subnet. Create a route to the IPFC cloud on the IP side.
Step 3 Configure a default route on every switch in the Fibre Channel fabric pointing to the switch that provides
NMS access.
Step 4 Configure the default gateway (route) and the IPv4 address on switches that point to the NMS (see
Figure 51-3).


Figure 51-3 Overlay VSAN Configuration Example
[Diagram not reproduced. Labels: Physical Fibre Channel Fabric; VSAN HR; VSAN ENG; VSAN 10; Int vsan10 - 10.10.10.88; Int vsan10 - 10.10.10.124; Int vsan10 - 10.10.10.35; Int vsan10 - 10.10.10.34; IP default gateway 10.10.10.34; mgmt 0 172.23.84.74; NMS 172.23.84.86; IP cloud. Route shown on the IP cloud: ip route 10.10.10.0 255.255.255.0 172.23.93.74]

Multiple VSAN Configuration


More than one VSAN can be used to segment the management network in multiple subnets. An active
interface must be present on the switch for the VSAN interface to be enabled.
To configure multiple VSANs, follow these steps:

Step 1 Add the VSAN to the VSAN database on any switch in the fabric.
Step 2 Create a VSAN interface for the appropriate VSAN on any switch in the fabric.
Step 3 Assign an IP address on every VSAN interface on the same subnet as the corresponding VSAN.
Step 4 Define the multiple static routes on the Fibre Channel switches and the IP cloud (see Figure 51-4).


Figure 51-4 Multiple VSAN Configuration Example
[Diagram not reproduced. Labels: Physical Fibre Channel Fabric; VSAN 10; VSAN 11; VSAN 10 default gateway; VSAN 11 default gateway; If vsan10 - 10.10.10.88; If vsan10 - 10.10.10.124; If vsan10 - 10.10.10.35; If vsan10 - 11.11.11.35; If vsan11 - 11.11.11.34; If vsan11 - 11.11.11.72; 172.23.84.74; NMS 172.23.84.86; IP cloud. Routes shown in the fabric: route 0.0.0.0 0.0.0.0 next_hop 10.10.10.35; route 10.10.10.10.0 255.255.255.0 next_hop 11.11.11.35; IP default-gateway 10.10.10.35 next_hop 11.12.12.34. Routes shown on the IP cloud: ip route 10.10.10.0 255.255.255.0 172.23.84.74; ip route 11.11.11.0 255.255.255.0 172.23.84.74]

Virtual Router Redundancy Protocol


Cisco MDS 9000 Family switches are compliant with RFC 2338 standards for Virtual Router
Redundancy Protocol (VRRP) features. This section provides details on the VRRP feature.
This section includes the following topics:
• About VRRP
• Configuring VRRP


About VRRP
VRRP provides a redundant alternative path to the gateway switch, which has connectivity to the NMS.
VRRP has the following characteristics and advantages:
• VRRP is a restartable application.
• When a VRRP master fails, the VRRP backup takes over within three times the advertisement time.
• VRRP over Ethernet, VRRP over VSAN, and Fibre Channel functions are implemented as defined
in RFC 2338 and the draft-ietf-vrrp-ipv6 specification.
• A virtual router is mapped to each VSAN and Ethernet interface with its unique virtual router IP,
virtual router MAC, and VR ID.
• Interface Mgmt 0 supports only one VRRP group. Each of the other interfaces supports up to 7 virtual
router groups, including both IPv4 and IPv6 combined.
• VR IDs can be reused in multiple VSANs with different virtual router IP mapping.
• Both IPv4 and IPv6 are supported.
• The management interface (mgmt 0) supports only one virtual router group. All other interfaces
each support up to seven virtual router groups, including both IPv4 and IPv6 combined. Up to 255
virtual router groups can be assigned in each VSAN.
• VRRP security provides three options: no authentication, simple text authentication, and
MD5 authentication.

Note If you are using IPv6, you must either configure an IPv6 address on the interface or enable IPv6
on the interface. For more information about IPv6, see Chapter 54, Configuring IPv6 for
Gigabit Ethernet Interfaces.

In Figure 51-5, switch A is the VRRP master and switch B is the VRRP backup switch. Both switches
have an IP address to VRRP mapping configured. The other switches set switch A as the default gateway.
If switch A fails, the other switches do not have to change the routing configurations as switch B
automatically becomes the master and takes over the function of a gateway.

Figure 51-5 VRRP Functionality
[Diagram not reproduced. Labels: NMS 1.1.1.10; NMS 1.1.30; Ethernet connection; VRRP; VSAN 1; Switch A 1.2.11.1; Switch B 1.2.11.2; Switch C 1.2.11.3; Switch D 1.2.11.4.]


In Figure 51-6, the fabric example has two virtual router groups (VR 1 and VR 2) because a virtual router
cannot span across different types of interfaces. In both switch 1 and switch 2, the Ethernet interface is
in VR 1 and the FC interface is in VR 2. Each virtual router is uniquely identified by the VSAN interface
and the VR ID.

Figure 51-6 Redundant Gateway
[Diagram not reproduced. Labels: Management appliance; Link 5; IP network; FC Fabric; Switch 1; Switch 2; Switch 3; Switch 4; Switch 5; VR1; VR2; Redundant Gateway. Legend: IP links; FC links; Virtual Router with unique VR IP and VR MAC.]

Configuring VRRP
This section describes how to configure VRRP and includes the following topics:
• Adding and Deleting Virtual Router
• Virtual Router Initiation
• Adding Virtual Router IP Addresses
• Setting the Priority for the Virtual Router
• Setting the time Interval for Advertisement Packets
• Configuring or Enabling Priority Preemption
• Setting Virtual Router Authentication
• Tracking the Interface Priority

Adding and Deleting Virtual Router


All VRRP configurations should be replicated across switches in a fabric that runs VRRP.

Note The total number of VRRP groups that you can configure on a Gigabit Ethernet port, including main
interfaces and subinterfaces, cannot exceed seven. This limitation applies to both IPv4 and IPv6 groups.


Virtual Router Initiation


By default, a virtual router is always disabled. VRRP can be configured only if this state is enabled. Be
sure to configure at least one IP address, either IPv4 or IPv6, before attempting to enable a VR.

Adding Virtual Router IP Addresses


One virtual router IP address can be configured for a virtual router. If the configured IP address is the
same as the interface IP address, this switch automatically owns the IP address. You can configure either
an IPv4 address or an IPv6 address.
According to the VRRP specification, the master VRRP router drops the packets addressed to the virtual
router's IP address because the virtual router is only intended as a next-hop router to forward packets. In
MDS switches, however, some applications require that packets addressed to the virtual router's IP address
be accepted and delivered to them. By using the secondary option to the virtual router IPv4 address, the
VRRP router will accept these packets when it is the master.
To manage IP addresses for virtual routers from Device Manager, follow these steps:

Step 1 Choose IP > VRRP. You see the Operations tab of the VRRP dialog box.
Step 2 Click the IP Addresses tab on the VRRP dialog box.
Step 3 To create a new VRRP entry, click Create. You see the Create VRRP IP Addresses window.
Step 4 Complete the fields in this window to create a new VRRP IP Address, and click OK or Apply.

Setting the Priority for the Virtual Router


The valid range to assign a virtual router priority is 1 to 254 with 1 being the lowest priority and 254
being the highest priority. The default value is 100 for switches with secondary IP addresses and 255 for
switches with the primary IP address.

Setting the Time Interval for Advertisement Packets


The valid time range for an advertisement packet on an interface using IPv4 is between 1 and 255
seconds. The default value is 1 (one) second. If the switch has the primary IP address, this time must be
specified.

Configuring or Enabling Priority Preemption


You can enable a higher priority backup virtual router to preempt the lower priority master virtual router.

Note If the virtual IP address is also the IP address for the interface, then preemption is implicitly applied.

Note The VRRP preemption is not supported on IP storage Gigabit Ethernet interfaces.


Setting Virtual Router Authentication


VRRP security provides three options: simple text authentication, MD5 authentication, and no
authentication.
- Simple text authentication uses a unique, 1 to 8 character password that is used by all switches
  participating in the same virtual router. This password should be different from other security
  passwords.
- MD5 authentication uses a unique, 16 character secret key that is shared by all switches
  participating in the same virtual router.
- No authentication is the default option.
You can configure the key using the authentication option in the VRRP submode and distribute it using
the configuration file. The security parameter index (SPI) settings assigned in this option should be
unique for each VSAN.

Note All VRRP configurations must be duplicated.

Note VRRP router authentication does not apply to IPv6.

Tracking the Interface Priority


Interface state tracking changes the priority of the virtual router based on the state of another interface
in the switch. When the tracked interface is down, the priority reverts to the priority value for the virtual
router (see the Priority for the Virtual Router section on page 44-21). When the tracked interface is up,
the priority of the virtual router is restored to the interface state tracking value. You can track the state
of either a specified VSAN interface or the management interface (mgmt 0). The interface state tracking
feature is disabled by default.

Note For interface state tracking to function, you must enable preemption on the interface. See the
Configuring or Enabling Priority Preemption section on page 51-11.
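
The VRRP rules in this section can be checked mechanically before a configuration is pushed. The following is an added example, not part of the Cisco guide: it checks the priority, advertisement interval and authentication limits, the seven-group limit per Gigabit Ethernet port, and that settings match on every switch in a virtual router. The record layout, field names, interface naming and sample values are assumptions constructed for illustration, and all records are assumed to belong to one VSAN or Ethernet segment.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

MAX_GROUPS_PER_GIGE_PORT = 7


@dataclass
class VrrpGroup:
    """One virtual router as configured on one switch (illustrative layout)."""
    switch: str
    interface: str                 # e.g. "gigabitethernet2/1.100" or "vsan1"
    vr_id: int
    interface_ip: str
    virtual_ip: Optional[str] = None
    priority: int = 100
    adv_interval: int = 1          # seconds, IPv4 only
    auth: str = "none"             # "none", "text" or "md5"
    key: str = ""
    preempt: bool = False
    track: Optional[str] = None    # tracked interface, e.g. "mgmt0"
    enabled: bool = False


def lint(groups):
    """Return a sorted list of findings for a list of VrrpGroup records."""
    findings = []

    def flag(g, msg):
        findings.append(f"{g.switch} {g.interface} vr{g.vr_id}: {msg}")

    for g in groups:
        gige = g.interface.startswith("gigabitethernet")
        owner = g.virtual_ip is not None and g.virtual_ip == g.interface_ip
        is_v6 = g.virtual_ip is not None and ip_address(g.virtual_ip).version == 6
        if g.enabled and g.virtual_ip is None:
            flag(g, "enabled without a virtual router IP address")
        if not (1 <= g.priority <= 254 or (owner and g.priority == 255)):
            flag(g, "priority must be 1-254 (255 only for the address owner)")
        if not is_v6 and not 1 <= g.adv_interval <= 255:
            flag(g, "IPv4 advertisement interval must be 1-255 seconds")
        if g.auth == "text" and not 1 <= len(g.key) <= 8:
            flag(g, "simple text password must be 1-8 characters")
        if g.auth == "md5" and len(g.key) != 16:
            flag(g, "MD5 key must be 16 characters")
        if is_v6 and g.auth != "none":
            flag(g, "authentication does not apply to IPv6")
        if g.preempt and gige and not owner:
            flag(g, "preemption is not supported on IP storage Gigabit Ethernet")
        if g.track and not (g.preempt or owner):
            flag(g, "interface tracking needs preemption enabled")

    # Count groups per physical Gigabit Ethernet port, subinterfaces included.
    per_port = Counter(
        (g.switch, g.interface.split(".")[0])
        for g in groups if g.interface.startswith("gigabitethernet")
    )
    for (switch, port), count in per_port.items():
        if count > MAX_GROUPS_PER_GIGE_PORT:
            findings.append(f"{switch} {port}: {count} VRRP groups, "
                            f"limit is {MAX_GROUPS_PER_GIGE_PORT}")

    # Settings that must be replicated on every switch in the virtual router.
    # Key values are compared but never written into a finding.
    members = defaultdict(list)
    for g in groups:
        members[g.vr_id].append(g)
    for vr_id, peers in members.items():
        for attr in ("virtual_ip", "adv_interval", "auth", "key"):
            if len({getattr(p, attr) for p in peers}) > 1:
                names = ", ".join(sorted(p.switch for p in peers))
                findings.append(f"vr{vr_id}: {attr} differs between {names}")
    return sorted(findings)


# Constructed sample: two switches backing virtual IP 10.1.1.100.
SAMPLE = [
    VrrpGroup("sw1", "gigabitethernet2/1", 10, "10.1.1.10", "10.1.1.100",
              auth="md5", key="0123456789abcdef", enabled=True),
    VrrpGroup("sw2", "gigabitethernet2/1", 10, "10.1.1.30", "10.1.1.100",
              auth="text", key="storage01", track="mgmt0", enabled=True),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
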

DNS Server Configuration


The DNS client on the switch communicates with the DNS server to perform the correspondence between
IP addresses and names.
The DNS server may be dropped after two attempts because of one of the following reasons:
- The IP address or the switch name is wrongly configured.
- The DNS server is not reachable because of external reasons (reasons beyond our control).

Note When accessing a Telnet host, if the DNS server is not reachable (for any reason) the switch login prompt
may take a longer time to appear. If so, verify that the DNS server is accurately configured and reachable.


Default Settings
Table 51-1 lists the default settings for DNS features.

Table 51-1 Default DNS Settings

Parameters                Default
Domain lookup             Disabled.
Domain name               Disabled.
Domains                   None.
Domain server             None.
Maximum domain servers    6.

Table 51-2 lists the default settings for VRRP features.

Table 51-2 Default VRRP Settings

Parameters                                  Default
Virtual router state                        Disabled.
Maximum groups per VSAN                     255.
Maximum groups per Gigabit Ethernet port    7.
Priority preemption                         Disabled.
Virtual router priority                     100 for switch with secondary IP addresses.
                                            255 for switches with the primary IP address.
Priority interface state tracking           Disabled.
Advertisement interval                      1 second for IPv4.
                                            100 centiseconds for IPv6.


CHAPTER 52
Configuring IP Storage

Cisco MDS 9000 Family IP storage (IPS) services extend the reach of Fibre Channel SANs by using
open-standard, IP-based technology. The switch connects separated SAN islands using Fibre Channel
over IP (FCIP), and it allows IP hosts to access Fibre Channel storage using the iSCSI protocol.

Note FCIP and iSCSI features are specific to the IPS module and are available in Cisco MDS 9200 Switches
or Cisco MDS 9500 Directors.

The Cisco MDS 9216I switch and the 14/2 Multiprotocol Services (MPS-14/2) module also allow you
to use Fibre Channel, FCIP, and iSCSI features. The MPS-14/2 module is available for use in any switch
in the Cisco MDS 9200 Series or Cisco MDS 9500 Series.

This chapter includes the following sections:


- Services Modules
- Supported Hardware
- Configuring Gigabit Ethernet Interfaces for IPv4
- Configuring Gigabit Ethernet High Availability
- Configuring CDP
- Default Settings

Services Modules
The IP Storage services module (IPS module) and the MPS-14/2 module allow you to use FCIP and
iSCSI features. Both modules integrate seamlessly into the Cisco MDS 9000 Family, and support the full
range of features available on other switching modules, including VSANs, security, and traffic
management. The following types of storage services modules are currently available for use in any
switch in the Cisco MDS 9200 Series or in the Cisco MDS 9500 Series:
- The 4-port, hot-swappable IPS module (IPS-4) has four Gigabit Ethernet ports.
- The 8-port, hot-swappable IPS module (IPS-8) has eight Gigabit Ethernet ports.
- The MPS-14/2 module has 14 Fibre Channel ports (numbered 1 through 14) and two Gigabit
  Ethernet ports (numbered 1 and 2).
Gigabit Ethernet ports in these modules can be configured to support the FCIP protocol, the iSCSI
protocol, or both protocols simultaneously:

- FCIP: FCIP transports Fibre Channel frames transparently over an IP network between two Cisco
  MDS 9000 Family switches or other FCIP standards-compliant devices. Figure 52-1 shows how the
  IPS module is used in different FCIP scenarios.

Figure 52-1 FCIP Scenarios

[Figure not reproduced. Labels: FC fabrics connected across an IP network, "Control" TCP connection, "Data" TCP connection.]

- iSCSI: The IPS module provides IP hosts access to Fibre Channel storage devices. The IP host
  sends SCSI commands encapsulated in iSCSI protocol data units (PDUs) to a Cisco MDS 9000
  Family switch IPS port over a TCP/IP connection. At this point, the commands are routed from an
  IP network into a Fibre Channel network and forwarded to the intended target. Figure 52-2 depicts
  the iSCSI scenarios in which the IPS module is used.

Figure 52-2 iSCSI Scenarios

[Figure not reproduced. Labels: iSCSI hosts iqn.host-1 and iqn.host-2, IP network, IP-10.1.1.1, Fibre Channel fabric, pWWW - P1, pWWW - P2, pWWW - P3.]

Module Status Verification


To verify the status of the module using Fabric Manager, follow these steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Open the Switches folder and select Hardware in the Physical Attributes pane.
You see the status for all modules in the switch in the Information pane.

IPS Module Upgrade

Caution A software upgrade is only disruptive for the IPS module. The NX-OS software continues to support
nondisruptive software upgrades for Fibre Channel modules in the switch and for the switch itself.

IPS modules use a rolling upgrade install mechanism where each module in a given switch can only be
upgraded in sequence. To guarantee a stable state, each IPS module in a switch requires a 5-minute delay
before the next IPS module is upgraded.

MPS-14/2 Module Upgrade

Caution A software upgrade is only partially disruptive for the MPS-14/2 module. The NX-OS software
continues to support nondisruptive software upgrades for Fibre Channel modules in the switch and for
the switch itself.

The MPS-14/2 modules have 14 Fibre Channel ports (nondisruptive upgrade) and 2 Gigabit Ethernet
ports (disruptive upgrade). MPS-14/2 modules use a rolling upgrade install mechanism for the two
Gigabit Ethernet ports where each module in a given switch can only be upgraded in sequence. To
guarantee a stable state, each MPS-14/2 module in a switch requires a 5-minute delay before the next
module is upgraded.

Supported Hardware
You can configure the FCIP and iSCSI features using one or more of the following hardware:
- IPS-4 and IPS-8 modules (refer to the Cisco MDS 9200 Series Hardware Installation Guide or the
  Cisco MDS 9500 Series Hardware Installation Guide for more information).
- MPS-14/2 module (refer to the Cisco MDS 9200 Series Hardware Installation Guide or the Cisco
  MDS 9500 Series Hardware Installation Guide for more information).

  Note In both the MPS-14/2 module and the Cisco MDS 9216i integrated supervisor module, the port
  numbering differs for the Fibre Channel ports and the Gigabit Ethernet ports. The Fibre Channel
  ports are numbered from 1 through 14 and the Gigabit Ethernet ports are numbered 1 and 2.

- Cisco MDS 9216i Switch (refer to the Cisco MDS 9200 Series Hardware Installation Guide).


Configuring Gigabit Ethernet Interfaces for IPv4


Both FCIP and iSCSI rely on TCP/IP for network connectivity. On each IPS module or MPS-14/2
module, connectivity is provided in the form of Gigabit Ethernet interfaces that are appropriately
configured. This section covers the steps required to configure IP for subsequent use by FCIP and iSCSI.

Note For information about configuring FCIP, see Chapter 5, Fabric Manager Client. For information about
configuring iSCSI, see Chapter 50, Configuring iSCSI.

A new port mode, called IPS, is defined for Gigabit Ethernet ports on each IPS module or MPS-14/2
module. IP storage ports are implicitly set to IPS mode, so they can only be used to perform iSCSI and FCIP
storage functions. IP storage ports do not bridge Ethernet frames or route other IP packets.
Each IPS port represents a single virtual Fibre Channel host in the Fibre Channel SAN. All the iSCSI
hosts connected to this IPS port are merged and multiplexed through the single Fibre Channel host.
In large scale iSCSI deployments where the Fibre Channel storage subsystems require explicit LUN
access control for every host device, use of proxy-initiator mode simplifies the configuration.

Note The Gigabit Ethernet interfaces on the MPS-14/2 module do not support EtherChannel.

Note To configure IPv6 on a Gigabit Ethernet interface, see the Gigabit Ethernet IPv6-ACL Guidelines
section on page 54-14.

Tip Gigabit Ethernet ports on any IPS module or MPS-14/2 module should not be configured in the same
Ethernet broadcast domain as the management Ethernet port. They should be configured in a different
broadcast domain, either by using separate standalone hubs or switches or by using separate VLANs.

Basic Gigabit Ethernet Configuration


Figure 52-3 shows an example of a basic Gigabit Ethernet IP version 4 (IPv4) configuration.

Figure 52-3 Gigabit Ethernet IPv4 Configuration Example

[Figure not reproduced. Labels: Switch 1, IP router, IP host. Addresses shown: 10.1.1.100/24, 10.1.1.1/24, 10.100.1.1/24, 10.100.1.25/24.]

Note The port on the Ethernet switch to which the MDS Gigabit Ethernet interface is connected should be
configured as a host port (also known as access port) instead of a switch port. Spanning tree
configuration for that port (on the Ethernet switch) should be disabled. This helps avoid the delay in the
management port coming up due to delay from Ethernet spanning tree processing that the Ethernet
switch would run if enabled. For Cisco Ethernet switches, use either the switchport host command in
Cisco IOS or the set port host command in Catalyst OS. Refer to the configuration guide for your Ethernet
switch.

To configure the Gigabit Ethernet interface for the scenario in Figure 52-3, follow these steps:

Step 1 From Fabric Manager, choose Switches > Interfaces > Gigabit Ethernet in the Physical Attributes
pane. You see the Gigabit Ethernet configuration in the Information pane.
From Device Manager, right-click the Gigabit Ethernet port that you want to configure and choose
Configure.... You see the Gigabit Ethernet configuration dialog box.
Step 2 Click the General tab in Fabric Manager, or click the GigE tab in Device Manager to display the general
configuration options for the interface.
Step 3 Set the description and MTU value for the interface. The valid value for the MTU field can be a number
in the range from 576 to 9000.
Step 4 Set Admin up or down and check the CDP check box if you want this interface to participate in CDP.
Step 5 Set IpAddress/Mask with the IP address and subnet mask for this interface.
Step 6 From Fabric Manager, click the Apply Changes icon to save these changes, or click the Undo Changes
icon to discard changes.
From Device Manager, click Apply to save these changes, or click Close to discard changes and close
the Gigabit Ethernet configuration dialog box.

Configuring Interface Descriptions


See the About Interface Modes section on page 20-3 for details on configuring the switch port
description for any interface.

Configuring Beacon Mode


See the About Beacon Mode section on page 20-20 for details on configuring the beacon mode for any
interface.

Configuring Autonegotiation
By default, autonegotiation is enabled on all Gigabit Ethernet interfaces. You can enable or disable
autonegotiation for a specified Gigabit Ethernet interface. When autonegotiation is enabled, the port
automatically detects the speed or pause method, and duplex of incoming signals based on the link
partner. You can also detect link up conditions using the autonegotiation feature.

Configuring the MTU Frame Size


You can configure the interfaces on a switch to transfer large (or jumbo) frames on a port. The default
IP maximum transmission unit (MTU) frame size is 1500 bytes for all Ethernet ports. By configuring
jumbo frames on a port, the MTU size can be increased up to 9000 bytes.


Note The minimum MTU size is 576 bytes.

Tip MTU changes are disruptive: all FCIP links and iSCSI sessions flap when the software detects a change
in the MTU size.

Configuring Promiscuous Mode


You can enable or disable promiscuous mode on a specific Gigabit Ethernet interface. By enabling the
promiscuous mode, the Gigabit Ethernet interface receives all the packets and the software then filters
and discards the packets that are not destined for that Gigabit Ethernet interface.

About VLANs for Gigabit Ethernet


Virtual LANs (VLANs) create multiple virtual Layer 2 networks over a physical LAN network. VLANs
provide traffic isolation, security, and broadcast control.
Gigabit Ethernet ports automatically recognize Ethernet frames with IEEE 802.1Q VLAN
encapsulation. If you need to have traffic from multiple VLANs terminated on one Gigabit Ethernet port,
configure subinterfaces, one for each VLAN.
If the IPS module or MPS-14/2 module is connected to a Cisco Ethernet switch, and you need to have
traffic from multiple VLANs coming to one IPS port, verify the following requirements on the Ethernet
switch:
- The Ethernet switch port connected to the IPS module or MPS-14/2 module is configured as a
  trunking port.
- The encapsulation is set to 802.1Q and not ISL, which is the default.
Use the VLAN ID as a suffix to the Gigabit Ethernet interface name to create the subinterface
name (<slot-number>/<port-number>.<VLAN-ID>).

Interface Subnet Requirements


Gigabit Ethernet interfaces (major), subinterfaces (VLAN ID), and management interfaces (mgmt 0) can
be configured in the same or different subnet depending on the configuration (see Table 52-1).

Table 52-1 Subnet Requirements for Interfaces

Interface 1               Interface 2               Same Subnet Allowed  Notes
Gigabit Ethernet 1/1      Gigabit Ethernet 1/2      Yes                  Two major interfaces can be configured in the same or different subnets.
Gigabit Ethernet 1/1.100  Gigabit Ethernet 1/2.100  Yes                  Two subinterfaces with the same VLAN ID can be configured in the same or different subnets.
Gigabit Ethernet 1/1.100  Gigabit Ethernet 1/2.200  No                   Two subinterfaces with different VLAN IDs cannot be configured in the same subnet.
Gigabit Ethernet 1/1      Gigabit Ethernet 1/1.100  No                   A subinterface cannot be configured on the same subnet as the major interface.
mgmt0                     Gigabit Ethernet 1/1.100  No                   The mgmt0 interface cannot be configured in the same subnet as the Gigabit Ethernet interfaces or subinterfaces.
mgmt0                     Gigabit Ethernet 1/1      No                   The mgmt0 interface cannot be configured in the same subnet as the Gigabit Ethernet interfaces or subinterfaces.

Note The configuration requirements in Table 52-1 also apply to Ethernet PortChannels.
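
The rows of Table 52-1 can be applied to an address plan before it is configured, which also catches a storage port placed in the management subnet. The following is an added example, not part of the Cisco guide: the function names and the sample address plan are constructed for illustration, "same subnet" is taken to mean overlapping networks, and combinations the table does not list (and Ethernet PortChannel names) are not evaluated.

```python
import re
from ipaddress import ip_interface
from itertools import combinations

_GIGE = re.compile(r"^gigabitethernet(\d+)/(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def classify(name):
    """Return (kind, port, vlan) where kind is 'mgmt', 'major' or 'sub'."""
    compact = name.replace(" ", "")
    if compact.lower() == "mgmt0":
        return ("mgmt", None, None)
    m = _GIGE.match(compact)
    if not m:
        raise ValueError(f"unrecognised interface name: {name!r}")
    port = f"{m.group(1)}/{m.group(2)}"
    vlan = m.group(3)
    return ("sub", port, int(vlan)) if vlan else ("major", port, None)


def pair_violation(a, b):
    """Return the Table 52-1 reason a same-subnet pair is disallowed, else None."""
    (kind_a, port_a, vlan_a), (kind_b, port_b, vlan_b) = classify(a), classify(b)
    kinds = {kind_a, kind_b}
    if kinds in ({"mgmt", "major"}, {"mgmt", "sub"}):
        return ("mgmt0 cannot share a subnet with Gigabit Ethernet "
                "interfaces or subinterfaces")
    if kinds == {"sub"} and vlan_a != vlan_b:
        return "subinterfaces with different VLAN IDs cannot share a subnet"
    if kinds == {"major", "sub"} and port_a == port_b:
        return "a subinterface cannot share a subnet with its major interface"
    return None  # two major interfaces, or two subinterfaces with the same VLAN ID


def check_subnets(addresses):
    """addresses maps interface name to 'address/prefix' for one switch.

    Returns a list of (interface_a, interface_b, reason) tuples.
    """
    nets = {name: ip_interface(cidr).network for name, cidr in addresses.items()}
    findings = []
    for a, b in combinations(sorted(nets), 2):
        # overlaps() raises TypeError across IP versions, so compare like with like.
        if nets[a].version == nets[b].version and nets[a].overlaps(nets[b]):
            reason = pair_violation(a, b)
            if reason:
                findings.append((a, b, reason))
    return findings


# Constructed address plan for one switch.
SAMPLE = {
    "mgmt0": "10.1.1.5/24",
    "GigabitEthernet1/1": "10.1.1.100/24",
    "GigabitEthernet1/2": "10.1.1.101/24",
    "GigabitEthernet1/1.100": "10.2.0.1/24",
    "GigabitEthernet1/2.100": "10.2.0.2/24",
    "GigabitEthernet1/2.200": "10.2.0.130/25",
}

if __name__ == "__main__":
    for a, b, reason in check_subnets(SAMPLE):
        print(f"{a} and {b}: {reason}")
```
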

Verifying Gigabit Ethernet Connectivity


Once the Gigabit Ethernet interfaces are connected with valid IP addresses, verify the interface
connectivity on each switch. Ping the IP host using the IP address of the host to verify that the static IP
route is configured correctly.

Note If the connection fails, verify the following, and ping the IP host again:
- The IP address for the destination (IP host) is correctly configured.
- The host is active (powered on).
- The IP route is configured correctly.
- The IP host has a route to get to the Gigabit Ethernet interface subnet.
- The Gigabit Ethernet interface is in the up state.

Gigabit Ethernet IPv4-ACL Guidelines

Tip If IPv4-ACLs are already configured in a Gigabit Ethernet interface, you cannot add this interface to an
Ethernet PortChannel group.

Follow these guidelines when configuring IPv4-ACLs for Gigabit Ethernet interfaces:
- Only use Transmission Control Protocol (TCP) or Internet Control Message Protocol (ICMP).

  Note Other protocols such as User Datagram Protocol (UDP) and HTTP are not supported in
  Gigabit Ethernet interfaces. Applying an ACL that contains rules for these protocols to a
  Gigabit Ethernet interface is allowed but those rules have no effect.

- Apply IPv4-ACLs to the interface before you enable an interface. This ensures that the filters are in
  place before traffic starts flowing.
- Be aware of the following conditions:
  - If you use the log-deny option, a maximum of 50 messages are logged per second.
  - The established, precedence, and fragments options are ignored when you apply IPv4-ACLs
    (containing these options) to Gigabit Ethernet interfaces.
  - If an IPv4-ACL rule applies to a preexisting TCP connection, that rule is ignored. For example,
    if there is an existing TCP connection between A and B, and an IPv4-ACL that specifies dropping
    all packets whose source is A and destination is B is subsequently applied, it will have no effect.
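
Because rules with unsupported protocols are accepted silently and some options are ignored, an ACL can filter differently from how it reads. The following is an added example, not part of the Cisco guide: it computes the rules that actually take effect on a Gigabit Ethernet interface under the guidelines above. The one-line rule notation is a simplified form constructed for this example (it is not NX-OS command syntax), as are the function names and sample rules.

```python
from dataclasses import dataclass, field

SUPPORTED_PROTOCOLS = {"tcp", "icmp"}
IGNORED_OPTIONS = {"established", "precedence", "fragments"}


@dataclass
class Rule:
    action: str
    protocol: str
    src: str
    dst: str
    options: list = field(default_factory=list)


def parse_rule(line):
    """Parse '<permit|deny> <protocol> <src> <dst> [option [value] ...]'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"cannot parse rule: {line!r}")
    return Rule(tokens[0], tokens[1].lower(), tokens[2], tokens[3], tokens[4:])


def strip_ignored(options):
    """Split options into (kept, dropped) as a Gigabit Ethernet interface sees them."""
    kept, dropped = [], []
    it = iter(options)
    for opt in it:
        if opt == "precedence":
            dropped.append(opt)
            next(it, None)          # precedence carries a value; discard it too
        elif opt in IGNORED_OPTIONS:
            dropped.append(opt)
        else:
            kept.append(opt)
    return kept, dropped


def audit(lines, interface_enabled=False):
    """Return (effective_rules, findings) for an ACL on a Gigabit Ethernet interface."""
    effective, findings = [], []
    for number, line in enumerate(lines, 1):
        rule = parse_rule(line)
        if rule.protocol not in SUPPORTED_PROTOCOLS:
            findings.append(f"rule {number}: protocol {rule.protocol} is not "
                            "supported; rule has no effect")
            continue
        kept, dropped = strip_ignored(rule.options)
        base = f"{rule.action} {rule.protocol} {rule.src} {rule.dst}"
        if dropped:
            findings.append(f"rule {number}: {', '.join(dropped)} ignored; "
                            f"rule matches as '{base}'")
        if "log-deny" in kept:
            findings.append(f"rule {number}: log-deny records at most "
                            "50 messages per second")
        effective.append(" ".join([base, *kept]))
    if interface_enabled:
        findings.append("interface already enabled: rules do not affect "
                        "preexisting TCP connections")
    return effective, findings


# Constructed sample ACL. Rule 1 reads as "return traffic only" but, with
# 'established' ignored, permits every TCP packet to 10.1.1.100.
SAMPLE_ACL = [
    "permit tcp any 10.1.1.100 established",
    "deny udp any any",
    "permit icmp 10.1.1.0/24 any",
    "deny tcp any any log-deny",
]

if __name__ == "__main__":
    rules, notes = audit(SAMPLE_ACL, interface_enabled=True)
    print("\n".join(rules + notes))
```
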

Configuring Gigabit Ethernet High Availability


Virtual Router Redundancy Protocol (VRRP) and Ethernet PortChannels are two Gigabit Ethernet
features that provide high availability for iSCSI and FCIP services.

VRRP for iSCSI and FCIP Services


VRRP provides a redundant alternate path to the Gigabit Ethernet port for iSCSI and FCIP services.
VRRP provides IP address failover protection to an alternate Gigabit Ethernet interface so the IP address
is always available (see Figure 52-4).

Figure 52-4 VRRP Scenario

[Figure not reproduced. Labels: Switch 1 IPS module (10.1.1.10, VRRP master), Switch 2 IPS module (10.1.1.30, VRRP backup), VRRP group virtual IP 10.1.1.100, L2 switch, IP network, connect to 10.1.1.100.]

In Figure 52-4, all members of the VRRP group must be IP storage Gigabit Ethernet ports. VRRP group
members can be one or more of the following interfaces:
- One or more interfaces in the same IPS module or MPS-14/2 module
- Interfaces across IPS modules or MPS-14/2 modules in one switch
- Interfaces across IPS modules or MPS-14/2 modules in different switches
- Gigabit Ethernet subinterfaces
- Ethernet PortChannels and PortChannel subinterfaces
See the Virtual Router Redundancy Protocol section on page 51-8.


Configuring VRRP for Gigabit Ethernet Interfaces

Note The VRRP preempt option is not supported on IPS Gigabit Ethernet interfaces. However, if the virtual
IPv4 address is also the IPv4 address for the interface, then preemption is implicitly applied.

Note If you configure secondary VRRP IPv6 addresses on an IPFC VSAN interface, before downgrading to
a release prior to Cisco Release 3.0(1), you must remove the secondary VRRP IPv6 addresses. This is
required only when you configure IPv6 addresses.

About Ethernet PortChannel Aggregation


Ethernet PortChannels refer to the aggregation of multiple physical Gigabit Ethernet interfaces into one
logical Ethernet interface to provide link redundancy and, in some cases, higher aggregated bandwidth and
load balancing.
An Ethernet switch connecting to the MDS switch Gigabit Ethernet port can implement load balancing
based on the IP address, IP address and UDP/TCP port number, or MAC address. Due to the load
balancing scheme, the data traffic from one TCP connection is always sent out on the same physical
Gigabit Ethernet port of an Ethernet PortChannel. For the traffic coming to the MDS, an Ethernet switch
can implement load balancing based on its IP address, its source-destination MAC address, or its IP
address and port. The data traffic from one TCP connection always travels on the same physical links.
To make use of both ports for the outgoing direction, multiple TCP connections are required.
All FCIP data traffic for one FCIP link is carried on one TCP connection. Consequently, the aggregated
bandwidth is 1 Gbps for that FCIP link.

Note The Cisco Ethernet switch's PortChannel should be configured as a static PortChannel, and not the
default 802.3ad protocol.

Ethernet PortChannels can only aggregate two physical interfaces that are adjacent to each other on a
given IPS module (see Figure 52-5).

Note PortChannel members must be one of these combinations: ports 1-2, ports 3-4, ports 5-6, or ports 7-8.


Figure 52-5 Ethernet PortChannel Scenario

[Figure not reproduced. Labels: Switch 1, IPS module, Ethernet PortChannel aggregation, L2 switch.]

In Figure 52-5, Gigabit Ethernet ports 3 and 4 in slot 9 are aggregated into an Ethernet PortChannel.
Ethernet PortChannels are not supported on MPS-14/2 modules and 9216i IPS modules.

Note PortChannel interfaces provide configuration options for both Gigabit Ethernet and Fibre Channel.
However, based on the PortChannel membership, only Gigabit Ethernet parameters or Fibre Channel
parameters are applicable.

Configuring Ethernet PortChannels


The PortChannel configuration specified in Chapter 23, Configuring PortChannels also applies to
Ethernet PortChannel configurations.

Note Gigabit Ethernet interfaces cannot be added to a PortChannel if one of the following cases applies:
- The interface already has an IP address assigned.
- The subinterfaces are configured on that interface.
- The interface already has an associated IPv4-ACL rule and the PortChannel does not.

Configuring CDP
The Cisco Discovery Protocol (CDP) is supported on the management Ethernet interface on the
supervisor module and the Gigabit Ethernet interfaces on the IPS module or MPS-14/2 module.
See the Configuring CDP section on page 12-12.

Default Settings
Table 52-2 lists the default settings for IP storage services parameters.


Table 52-2 Default Gigabit Ethernet Parameters

Parameters Default
IPS core size Partial


CHAPTER 53
Configuring IPv4 for Gigabit Ethernet Interfaces

Cisco MDS 9000 Family supports IP version 4 (IPv4) on Gigabit Ethernet interfaces. This chapter
describes how to configure IPv4 addresses and other IPv4 features.
This chapter includes the following topics:
- About IPv4
- Basic Gigabit Ethernet Configuration for IPv4
- VLANs
- IPv4-ACLs
- Default Settings

About IPv4
Both FCIP and iSCSI rely on TCP/IP for network connectivity. On each IPS module or MPS-14/2
module, connectivity is provided in the form of Gigabit Ethernet interfaces that are appropriately
configured. This section covers the steps required to configure IP for subsequent use by FCIP and iSCSI.

Note For information about configuring FCIP, see Chapter 48, Configuring FCIP. For information about
configuring iSCSI, see Chapter 50, Configuring iSCSI.

A new port mode, called IPS, is defined for Gigabit Ethernet ports on each IPS module or MPS-14/2
module. IP storage ports are implicitly set to IPS mode, so they can only be used to perform iSCSI and FCIP
storage functions. IP storage ports do not bridge Ethernet frames or route other IP packets.
Each IPS port represents a single virtual Fibre Channel host in the Fibre Channel SAN. All the iSCSI
hosts connected to this IPS port are merged and multiplexed through the single Fibre Channel host.
In large scale iSCSI deployments where the Fibre Channel storage subsystems require explicit LUN
access control for every host device, use of proxy-initiator mode simplifies the configuration.

Note The Gigabit Ethernet interfaces on the MPS-14/2 module do not support EtherChannel.

Note To configure IPv6 on a Gigabit Ethernet interface, see the Configuring IPv6 Addressing and Enabling
IPv6 Routing section on page 54-11.


Tip Gigabit Ethernet ports on any IPS module or MPS-14/2 module should not be configured in the same
Ethernet broadcast domain as the management Ethernet port. They should be configured in a different
broadcast domain, either by using separate standalone hubs or switches or by using separate VLANs.

Basic Gigabit Ethernet Configuration for IPv4


Figure 53-1 shows an example of a basic Gigabit Ethernet IP version 4 (IPv4) configuration.

Figure 53-1 Gigabit Ethernet IPv4 Configuration Example

[Figure not reproduced. Labels: Switch 1, IP router, IP host. Addresses shown: 10.1.1.100/24, 10.1.1.1/24, 10.100.1.1/24, 10.100.1.25/24.]

Note The port on the Ethernet switch to which the MDS Gigabit Ethernet interface is connected should be
configured as a host port (also known as access port) instead of a switch port. Spanning tree
configuration for that port (on the Ethernet switch) should be disabled. This helps avoid the delay in the
management port coming up due to delay from Ethernet spanning tree processing that the Ethernet
switch would run if enabled. For Cisco Ethernet switches, use either the switchport host command in
Cisco IOS or the set port host command in Catalyst OS. Refer to the configuration guide for your Ethernet
switch.

To configure the Gigabit Ethernet interface using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces > Ethernet > IPS.
You see the Gigabit Ethernet Configuration in the Information pane.
Step 2 Click the IP Addresses tab.
Step 3 Click Create Row.
You see the Create Gigabit Ethernet Interface dialog box.
Step 4 Select the switch on which you want to create the Gigabit Ethernet interface.
Step 5 Enter the interface, for example, 2/2 for slot 2, port 2.
Step 6 Enter the IPv4 address (10.1.1.100) and subnet mask (255.255.255.0).
Step 7 Click Create to save these changes or click Close to discard any unsaved changes.

This section includes the following topics:
- Configuring Interface Descriptions
- Configuring Beacon Mode
- Configuring Autonegotiation
- Configuring the MTU Frame Size
- Configuring Promiscuous Mode

Configuring Interface Descriptions


See the About Interface Descriptions section on page 20-18 for details on configuring the switch port
description for any interface.

Configuring Beacon Mode


See the About Beacon Mode section on page 20-20 for details on configuring the beacon mode for any
interface.

Configuring Autonegotiation
By default, autonegotiation is enabled on all Gigabit Ethernet interfaces. You can enable or disable
autonegotiation for a specified Gigabit Ethernet interface. When autonegotiation is enabled, the port
automatically detects the speed or pause method, and duplex of incoming signals based on the link
partner. You can also detect link up conditions using the autonegotiation feature.
To configure autonegotiation using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces > Ethernet > IPS.
You see the Gigabit Ethernet Configuration in the Information pane.
Step 2 In the General tab, you can enable or disable the Auto Negotiate option for a specific switch.
Step 3 Click Apply Changes.

Configuring the MTU Frame Size


You can configure the interfaces on a switch to transfer large (or jumbo) frames on a port. The default
IP maximum transmission unit (MTU) frame size is 1500 bytes for all Ethernet ports. By configuring
jumbo frames on a port, the MTU size can be increased up to 9000 bytes.

Note The minimum MTU size is 576 bytes.

Tip MTU changes are disruptive: all FCIP links and iSCSI sessions flap when the software detects a change
in the MTU size.

To configure the MTU frame size using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces > Ethernet > IPS.
You see the Gigabit Ethernet Configuration in the Information pane.
Step 2 In the General tab, in the Mtu column, you can enter a new value to configure the MTU Frame Size for
a specific switch, for example, 3000 bytes. The default is 1500 bytes.
Step 3 Click Apply Changes.

Configuring Promiscuous Mode


You can enable or disable promiscuous mode on a specific Gigabit Ethernet interface. By enabling the
promiscuous mode, the Gigabit Ethernet interface receives all the packets and the software then filters
and discards the packets that are not destined for that Gigabit Ethernet interface.
To configure the promiscuous mode using Fabric Manager, follow these steps:

Step 1 Expand Switches > Interfaces > Ethernet > IPS.
You see the Gigabit Ethernet Configuration in the Information pane.
Step 2 In the General tab, you can enable or disable the Promiscuous Mode option for a specific switch.
Step 3 Click Apply Changes.

VLANs
This section describes virtual LAN (VLAN) support in Cisco MDS NX-OS and includes the following
topics:
- About VLANs for Gigabit Ethernet
- Configuring the VLAN Subinterface
- Interface Subnet Requirements

About VLANs for Gigabit Ethernet


Virtual LANs (VLANs) create multiple virtual Layer 2 networks over a physical LAN network. VLANs
provide traffic isolation, security, and broadcast control.
Gigabit Ethernet ports automatically recognize Ethernet frames with IEEE 802.1Q VLAN
encapsulation. If you need to have traffic from multiple VLANs terminated on one Gigabit Ethernet port,
configure subinterfaces, one for each VLAN.

Note If the IPS module or MPS-14/2 module is connected to a Cisco Ethernet switch, and you need to have
traffic from multiple VLANs coming to one IPS port, verify the following requirements on the Ethernet
switch:
- The Ethernet switch port connected to the IPS module or MPS-14/2 module is configured as a trunking
port.
- The encapsulation is set to 802.1Q and not ISL, which is the default.

Append the VLAN ID to the Gigabit Ethernet interface name to create the subinterface
name (<slot-number>/<port-number>.<VLAN-ID>).

Configuring the VLAN Subinterface


To configure a VLAN subinterface (VLAN ID) using Device Manager, follow these steps:

Step 1 Select Interface > Ethernet and iSCSI.
Step 2 Click the Sub Interfaces tab.
Step 3 Select the Gigabit Ethernet subinterface on which 802.1Q should be used.
Step 4 Click the Edit IP Address button.
Step 5 Enter the IPv4 address and subnet mask for the Gigabit Ethernet interface.
Step 6 Click Create to save the changes, or click Close.

Interface Subnet Requirements


Gigabit Ethernet interfaces (major), subinterfaces (VLAN ID), and management interfaces (mgmt 0) can
be configured in the same or different subnet depending on the configuration (see Table 53-1).

Table 53-1 Subnet Requirements for Interfaces

Interface 1               Interface 2               Same Subnet Allowed  Notes
Gigabit Ethernet 1/1      Gigabit Ethernet 1/2      Yes                  Two major interfaces can be configured in the same or different subnets.
Gigabit Ethernet 1/1.100  Gigabit Ethernet 1/2.100  Yes                  Two subinterfaces with the same VLAN ID can be configured in the same or different subnets.
Gigabit Ethernet 1/1.100  Gigabit Ethernet 1/2.200  No                   Two subinterfaces with different VLAN IDs cannot be configured in the same subnet.
Gigabit Ethernet 1/1      Gigabit Ethernet 1/1.100  No                   A subinterface cannot be configured on the same subnet as the major interface.
mgmt0                     Gigabit Ethernet 1/1.100  No                   The mgmt0 interface cannot be configured in the same subnet as the Gigabit Ethernet interfaces or subinterfaces.
mgmt0                     Gigabit Ethernet 1/1      No                   The mgmt0 interface cannot be configured in the same subnet as the Gigabit Ethernet interfaces or subinterfaces.

Note The configuration requirements in Table 53-1 also apply to Ethernet PortChannels.
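
The following Python example, added to this guide as an illustration (it is not Cisco code), checks a planned IPv4 address assignment against Table 53-1 before it is entered in Fabric Manager. The function names and the sample plan are constructed for this example; "same subnet" is taken to mean overlapping networks, and the major-interface/subinterface rule is applied across ports as an assumption.

```python
import ipaddress
import re
from itertools import combinations

# Names follow Table 53-1: "mgmt0", "Gigabit Ethernet 1/1" (major interface),
# "Gigabit Ethernet 1/1.100" (subinterface for VLAN 100).
_GE_NAME = re.compile(r"^(?:gigabit\s*ethernet\s*)?(\d+)/(\d+)(?:\.(\d+))?$", re.I)


def classify(name):
    """Return (kind, vlan) where kind is 'mgmt', 'major' or 'sub'."""
    compact = name.strip()
    if compact.replace(" ", "").lower() == "mgmt0":
        return ("mgmt", None)
    match = _GE_NAME.match(compact)
    if not match:
        raise ValueError(f"unrecognised interface name: {name!r}")
    vlan = match.group(3)
    return ("sub", int(vlan)) if vlan is not None else ("major", None)


def same_subnet_allowed(name_a, name_b):
    """Apply Table 53-1 to one pair of interfaces; return (allowed, reason)."""
    (kind_a, vlan_a), (kind_b, vlan_b) = classify(name_a), classify(name_b)
    kinds = {kind_a, kind_b}
    if "mgmt" in kinds:
        return (False, "mgmt0 cannot share a subnet with Gigabit Ethernet "
                       "interfaces or subinterfaces")
    if kinds == {"major"}:
        return (True, "two major interfaces may share a subnet")
    if kinds == {"sub"}:
        if vlan_a == vlan_b:
            return (True, "subinterfaces with the same VLAN ID may share a subnet")
        return (False, "subinterfaces with different VLAN IDs cannot share a subnet")
    # One major interface and one subinterface. Table 53-1 shows this row for
    # the same port (1/1 and 1/1.100); treating other ports the same way is an
    # assumption of this example.
    return (False, "a subinterface cannot share a subnet with a major interface")


def find_conflicts(addresses):
    """addresses maps interface name -> 'address/prefix-length' (IPv4).

    Two interfaces are treated as being in the same subnet when their
    networks overlap. Returns a list of (name_a, name_b, reason) tuples.
    """
    networks = {name: ipaddress.ip_interface(cidr).network
                for name, cidr in addresses.items()}
    conflicts = []
    for name_a, name_b in combinations(sorted(networks), 2):
        if not networks[name_a].overlaps(networks[name_b]):
            continue
        allowed, reason = same_subnet_allowed(name_a, name_b)
        if not allowed:
            conflicts.append((name_a, name_b, reason))
    return conflicts


# Constructed sample plan (not taken from a real switch).
SAMPLE_PLAN = {
    "mgmt0": "10.1.1.5/24",
    "Gigabit Ethernet 1/1": "10.1.1.100/24",
    "Gigabit Ethernet 1/2": "10.1.1.101/24",
    "Gigabit Ethernet 1/1.100": "10.2.0.1/24",
    "Gigabit Ethernet 1/2.100": "10.2.0.2/24",
    "Gigabit Ethernet 1/2.200": "10.2.0.3/24",
}

if __name__ == "__main__":
    for a, b, why in find_conflicts(SAMPLE_PLAN):
        print(f"{a} / {b}: {why}")
```

In the sample plan, the two mgmt0 findings also show the management port sharing a subnet with the Gigabit Ethernet ports, which the Tip earlier in this chapter advises against.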

IPv4-ACLs
This section describes the guidelines for IPv4 access control lists (IPv4-ACLs) and how to apply them
to Gigabit Ethernet interfaces.

Note For information on creating IPv4-ACLs, see Chapter 42, Configuring IPv4 and IPv6 Access Control
Lists.

Gigabit Ethernet IPv4-ACL Guidelines


Follow these guidelines when configuring IPv4-ACLs for Gigabit Ethernet interfaces:
- Only use Transmission Control Protocol (TCP) or Internet Control Message Protocol (ICMP).

  Note Other protocols such as User Datagram Protocol (UDP) and HTTP are not supported in
  Gigabit Ethernet interfaces. Applying an ACL that contains rules for these protocols to a
  Gigabit Ethernet interface is allowed but those rules have no effect.

- Apply IPv4-ACLs to the interface before you enable an interface. This ensures that the filters are in
  place before traffic starts flowing.
- Be aware of the following conditions:
  - If you use the log-deny option, a maximum of 50 messages are logged per second.
  - The established option is ignored when you apply IPv4-ACLs containing this option to Gigabit
    Ethernet interfaces.
  - If an IPv4-ACL rule applies to a pre-existing TCP connection, that rule is ignored. For example,
    if there is an existing TCP connection between A and B and an IPv4-ACL which specifies
    dropping all packets whose source is A and destination is B is subsequently applied, it will have
    no effect.

Tip If IPv4-ACLs are already configured in a Gigabit Ethernet interface, you cannot add this interface to an
Ethernet PortChannel group. See Configuring IPv4 for Gigabit Ethernet Interfaces, page 53-1 for
information on configuring IPv4-ACLs.

Default Settings
Table 53-2 lists the default settings for IPv4 parameters.

Table 53-2 Default IPv4 Parameters

Parameters Default
IPv4 MTU frame size 1500 bytes for all Ethernet ports.
Autonegotiation Enabled.
Promiscuous mode Disabled.

CHAPTER 54
Configuring IPv6 for Gigabit Ethernet Interfaces

IP version 6 (IPv6) provides extended addressing capability beyond that provided in IP version 4 (IPv4)
in Cisco MDS NX-OS. The architecture of IPv6 has been designed to allow existing IPv4 users to
transition easily to IPv6 while providing services such as end-to-end security, quality of service (QoS),
and globally unique addresses.
This chapter includes the following sections:
- About IPv6
- Configuring Basic Connectivity for IPv6
- Configuring IPv6 Static Routes
- Gigabit Ethernet IPv6-ACL Guidelines
- Transitioning from IPv4 to IPv6
- Default Settings

Note For Cisco NX-OS features that use IP addressing, refer to the chapters in this guide that describe those
features for information on IPv6 addressing support.

Note To configure IP version 4 (IPv4) on a Gigabit Ethernet interface, see Chapter 53, Configuring IPv4 for
Gigabit Ethernet Interfaces.

About IPv6
IPv6 provides the following enhancements over IPv4:
- Allows networks to scale and provide global reachability.
- Reduces the need for private addresses and network address translation (NAT).
- Provides simpler autoconfiguration of addresses.
This section describes the IPv6 features supported by Cisco MDS NX-OS and includes the following
topics:
- Extended IPv6 Address Space for Unique Addresses
- IPv6 Address Formats
- IPv6 Address Prefix Format
- IPv6 Address Type: Unicast
- IPv6 Address Type: Multicast
- ICMP for IPv6
- Path MTU Discovery for IPv6
- IPv6 Neighbor Discovery
- Router Discovery
- IPv6 Stateless Autoconfiguration
- Dual IPv4 and IPv6 Protocol Stacks

Extended IPv6 Address Space for Unique Addresses


IPv6 extends the address space by quadrupling the number of network address bits from 32 bits (in IPv4)
to 128 bits, which provides many more globally unique IP addresses. By being globally unique, IPv6
addresses enable global reachability and end-to-end security for networked devices, functionality that is
crucial to the applications and services that are driving the demand for more addresses.

IPv6 Address Formats


IPv6 addresses are represented as a series of 16-bit hexadecimal fields separated by colons (:) in the
format x:x:x:x:x:x:x:x. The following are examples of IPv6 addresses:
2001:0DB8:7654:3210:FEDC:BA98:7654:3210
2001:0DB8:0:0:8:800:200C:417A
It is common for IPv6 addresses to contain successive hexadecimal fields of zeros. To make IPv6
addresses easier to use, two colons (::) may be used to compress successive hexadecimal fields of zeros
at the beginning, middle, or end of an IPv6 address (the colons represent successive hexadecimal fields
of zeros). Table 54-1 lists compressed IPv6 address formats.

Note Two colons (::) can be used only once in an IPv6 address to represent the longest successive hexadecimal
fields of zeros.

Note The hexadecimal letters in IPv6 addresses are not case-sensitive.

Table 54-1 Compressed IPv6 Address Formats

IPv6 Address Type  Uncompressed Format             Compressed Format
Unicast            2001:0DB8:800:200C:0:0:0:417A   2001:0DB8:800:200C::417A
Multicast          FF01:0:0:0:0:0:0:101            FF01::101

IPv6 Address Prefix Format


An IPv6 address prefix, in the format ipv6-prefix/prefix-length, can be used to represent bit-wise
contiguous blocks of the entire address space. The ipv6-prefix is specified in hexadecimal using 16-bit
values between the colons. The prefix-length is a decimal value that indicates how many of the
high-order contiguous bits of the address comprise the prefix (the network portion of the address). For
example, 2001:0DB8:8086:6502::/32 is a valid IPv6 prefix.

IPv6 Address Type: Unicast


An IPv6 unicast address is an identifier for a single interface on a single node. A packet that is sent to a
unicast address is delivered to the interface identified by that address. The Cisco MDS NX-OS supports
the following IPv6 unicast address types:
- Global addresses
- Link-local addresses

Global Addresses
Global IPv6 addresses are defined by a global routing prefix, a subnet ID, and an interface ID.
Figure 54-1 shows the structure of a global address.

Figure 54-1 Global Address Format

[Figure: 3 bits (001) and a 45-bit global routing prefix (Provider), a 16-bit SLA (Site), and a 64-bit interface ID (Host)]

Addresses with a prefix of 2000::/3 (001) through E000::/3 (111) are required to have 64-bit interface
identifiers in the extended universal identifier (EUI)-64 format. The Internet Assigned Numbers
Authority (IANA) allocates the IPv6 address space in the range of 2000::/16 to regional registries.
The aggregatable global address typically consists of a 48-bit global routing prefix and a 16-bit subnet
ID or Site-Level Aggregator (SLA). In the IPv6 aggregatable global unicast address format document
(RFC 2374), the global routing prefix included two other hierarchically structured fields named
Top-Level Aggregator (TLA) and Next-Level Aggregator (NLA). The IETF decided to remove the TLA
and NLA fields from the RFCs because these fields are policy-based. Some existing IPv6 networks
deployed before the change might still be using networks based on the older architecture.
A 16-bit subnet field called the subnet ID could be used by individual organizations to create their own
local addressing hierarchy and to identify subnets. A subnet ID is similar to a subnet in IPv4, except that
an organization with an IPv6 subnet ID can support up to 65,535 individual subnets.
An interface ID is used to identify interfaces on a link. The interface ID must be unique to the link. It
may also be unique over a broader scope. In many cases, an interface ID will be the same as, or based
on, the link-layer address of an interface, which results in a globally unique interface ID. Interface IDs
used in aggregatable global unicast and other IPv6 address types must be 64 bits long and constructed
in the modified EUI-64 format.

Cisco MDS NX-OS supports IEEE 802 interface types (for example, Gigabit Ethernet interfaces). The
first three octets (24 bits) are taken from the Organizationally Unique Identifier (OUI) of the 48-bit
link-layer address (MAC address) of the interface, the fourth and fifth octets (16 bits) are a fixed
hexadecimal value of FFFE, and the last three octets (24 bits) are taken from the last three octets of the
MAC address. The construction of the interface ID is completed by setting the Universal/Local (U/L)
bit (the seventh bit of the first octet) to a value of 0 or 1. A value of 0 indicates a locally administered
identifier; a value of 1 indicates a globally unique IPv6 interface identifier (see Figure 54-2).

Figure 54-2 Interface Identifier Format

[Figure: the MAC address 00 90 27 17 FC 0F is split and FF FE is inserted, giving 00 90 27 FF FE 17 FC 0F. The first octet has the form 000000U0, where U is 0 (not unique) or 1 (unique). With U=1 the result is 02 90 27 FF FE 17 FC 0F.]

Link-Local Address
A link-local address is an IPv6 unicast address that is automatically configured on an interface using the
link-local prefix FE80::/10 and the interface identifier in the modified EUI-64 format. Link-local
addresses are used in the neighbor discovery protocol and the stateless autoconfiguration process. Nodes
on a local link can use link-local addresses to communicate. Figure 54-3 shows the structure of a
link-local address.

Figure 54-3 Link-Local Address Format

[Figure: 128-bit address made up of the 10-bit prefix 1111 1110 10 (FE80::/10), then 0, then the interface ID]

IPv6 Address Type: Multicast


An IPv6 multicast address is an IPv6 address that has a prefix of FF00::/8 (1111 1111). An IPv6
multicast address is an identifier for a set of interfaces that typically belong to different nodes. A packet
sent to a multicast address is delivered to all interfaces identified by the multicast address. The second
octet following the prefix defines the lifetime and scope of the multicast address. A permanent multicast
address has a lifetime parameter equal to 0; a temporary multicast address has a lifetime parameter equal
to 1. A multicast address that has the scope of a node, link, site, or organization, or a global scope, has a scope
parameter of 1, 2, 5, 8, or E, respectively. For example, a multicast address with the prefix FF02::/16 is
a permanent multicast address with a link scope. Figure 54-4 shows the format of the IPv6 multicast
address.

Figure 54-4 IPv6 Multicast Address Format

[Figure: 128-bit address made up of 8 bits 1111 1111 (FF), a 4-bit Lifetime field (0 if permanent, 1 if temporary), a 4-bit Scope field (1 = node, 2 = link, 5 = site, 8 = organization, E = global), then 0 and the interface ID]

IPv6 hosts are required to join (receive packets destined for) the following multicast groups:
- All-node multicast group FF02::1.
- Solicited-node multicast group FF02:0:0:0:0:1:FF00:0000/104 concatenated with the low-order 24
  bits of the unicast address.

The solicited-node multicast address is a multicast group that corresponds to an IPv6 unicast
address. An IPv6 node must join the associated solicited-node multicast group for every unicast
address that is assigned to it. The IPv6 solicited-node multicast address has the prefix
FF02:0:0:0:0:1:FF00:0000/104 concatenated with the 24 low-order bits of a corresponding IPv6
unicast address. (See Figure 54-5.) For example, the solicited-node multicast address corresponding
to the IPv6 address 2037::01:800:200E:8C6C is FF02::1:FF0E:8C6C. Solicited-node addresses are
used in neighbor solicitation messages.

Figure 54-5 IPv6 Solicited-Node Multicast Address Format

[Figure: an IPv6 unicast or anycast address (prefix and interface ID) whose lower 24 bits are carried into the 128-bit solicited-node multicast address: FF02, 0, 1, FF, lower 24 bits]

Note There are no broadcast addresses in IPv6. IPv6 multicast addresses are used instead of broadcast
addresses.

ICMP for IPv6


Internet Control Message Protocol (ICMP) in IPv6 functions the same as ICMP in IPv4. ICMP
generates error messages such as ICMP destination unreachable messages, and informational messages
such as ICMP echo request and reply messages. Additionally, ICMP packets in IPv6 are used in the IPv6
neighbor discovery process, path MTU discovery, and the Multicast Listener Discovery (MLD) protocol
for IPv6. MLD is based on version 2 of the Internet Group Management Protocol (IGMP) for IPv4.
A value of 58 in the Next Header field of the basic IPv6 packet header identifies an IPv6 ICMP packet.
ICMP packets in IPv6 resemble a transport-layer packet in the sense that the ICMP packet follows all
the extension headers and is the last piece of information in the IPv6 packet. Within IPv6 ICMP packets,
the ICMPv6 Type and ICMPv6 Code fields identify IPv6 ICMP packet specifics, such as the ICMP
message type. The value in the Checksum field is derived (computed by the sender and checked by the
receiver) from the fields in the IPv6 ICMP packet and the IPv6 pseudoheader. The ICMPv6 Data field
contains error or diagnostic information relevant to IP packet processing. Figure 54-6 shows the IPv6
ICMP packet header format.

Figure 54-6 IPv6 ICMP Packet Header Format

[Figure: an IPv6 basic header with Next header = 58, followed by the ICMPv6 packet: ICMPv6 type, ICMPv6 code, Checksum, and ICMPv6 data]

Path MTU Discovery for IPv6


As in IPv4, path MTU discovery in IPv6 allows a host to dynamically discover and adjust to differences
in the MTU size of every link along a given data path. In IPv6, however, fragmentation is handled by the
source of a packet when the path MTU of one link along a given data path is not large enough to
accommodate the size of the packets. Having IPv6 hosts handle packet fragmentation saves IPv6 router
processing resources and helps IPv6 networks run more efficiently.

Note In IPv4, the minimum link MTU is 68 octets, which means that the MTU size of every link along a given
data path must support an MTU size of at least 68 octets.

In IPv6, the minimum link MTU is 1280 octets. We recommend using a maximum transmission unit
(MTU) value of 1500 octets for IPv6 links.

IPv6 Neighbor Discovery


The IPv6 neighbor discovery process uses ICMP messages and solicited-node multicast addresses to
determine the link-layer address of a neighbor on the same network (local link), verify the reachability
of a neighbor, and keep track of neighboring routers.

IPv6 Neighbor Solicitation and Advertisement Messages


A value of 135 in the Type field of the ICMP packet header identifies a neighbor solicitation message.
Neighbor solicitation messages are sent on the local link when a node wants to determine the link-layer
address of another node on the same local link. (See Figure 54-7.) When a node wants to determine the
link-layer address of another node, the source address in a neighbor solicitation message is the IPv6
address of the node sending the neighbor solicitation message. The destination address in the neighbor
solicitation message is the solicited-node multicast address that corresponds to the IPv6 address of the
destination node. The neighbor solicitation message also includes the link-layer address of the source
node.

Figure 54-7 IPv6 Neighbor Discovery: Neighbor Solicitation Message

[Figure: node A sends ICMPv6 type = 135 with Src = A, Dst = solicited-node multicast of B, Data = link-layer address of A, Query = what is your link address? Node B replies with ICMPv6 type = 136 with Src = B, Dst = A, Data = link-layer address of B. A and B can now exchange packets on this link.]

After receiving the neighbor solicitation message, the destination node replies by sending a neighbor
advertisement message, which has a value of 136 in the Type field of the ICMP packet header, on the
local link. The source address in the neighbor advertisement message is the IPv6 address of the node
(more specifically, the IPv6 address of the node interface) sending the neighbor advertisement message.
The destination address in the neighbor advertisement message is the IPv6 address of the node that sent
the neighbor solicitation message. The data portion of the neighbor advertisement message includes the
link-layer address of the node sending the neighbor advertisement message.
After the source node receives the neighbor advertisement, the source node and destination node can
communicate.
Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer
address of a neighbor is identified. When a node wants to verify the reachability of a neighbor, the
destination address in a neighbor solicitation message is the unicast address of the neighbor.
Neighbor advertisement messages are also sent when there is a change in the link-layer address of a node
on a local link. When there is such a change, the destination address for the neighbor advertisement is
the all-node multicast address.
Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer
address of a neighbor is identified. Neighbor unreachability detection identifies the failure of a neighbor
or the failure of the forward path to the neighbor, and is used for all paths between hosts and neighboring
nodes (hosts or routers). Neighbor unreachability detection is performed for neighbors to which only
unicast packets are being sent and is not performed for neighbors to which multicast packets are being
sent.
A neighbor is considered reachable when the neighbor returns a positive acknowledgment indicating that
it has received and processed packets previously sent to it. A positive acknowledgment could be from an
upper-layer protocol such as TCP indicating that a connection is making forward progress (reaching its
destination) or the receipt of a neighbor advertisement message in response to a neighbor solicitation
message. If packets are reaching the peer, they are also reaching the next-hop neighbor of the source.
Therefore, forward progress is also a confirmation that the next-hop neighbor is reachable.
For destinations that are not on the local link, forward progress implies that the first-hop router is
reachable. When acknowledgments from an upper-layer protocol are not available, a node probes the
neighbor using unicast neighbor solicitation messages to verify that the forward path is still working.
The return of a solicited neighbor advertisement message from the neighbor is a positive
acknowledgment that the forward path is still working (neighbor advertisement messages that have the
solicited flag set to a value of 1 are sent only in response to a neighbor solicitation message). Unsolicited
messages confirm only the one-way path from the source to the destination node; solicited neighbor
advertisement messages indicate that a path is working in both directions.

Note A neighbor advertisement message that has the solicited flag set to a value of 0 must not be considered
as a positive acknowledgment that the forward path is still working.

Neighbor solicitation messages are also used in the stateless autoconfiguration process to verify the
uniqueness of unicast IPv6 addresses before the addresses are assigned to an interface. Duplicate address
detection is performed first on a new, link-local IPv6 address before the address is assigned to an
interface (the new address remains in a tentative state while duplicate address detection is performed).
Specifically, a node sends a neighbor solicitation message with an unspecified source address and a
tentative link-local address in the body of the message. If another node is already using that address, the
node returns a neighbor advertisement message that contains the tentative link-local address. If another
node is simultaneously verifying the uniqueness of the same address, that node also returns a neighbor
solicitation message. If no neighbor advertisement messages are received in response to the neighbor
solicitation message and no neighbor solicitation messages are received from other nodes that are
attempting to verify the same tentative address, the node that sent the original neighbor solicitation
message considers the tentative link-local address to be unique and assigns the address to the interface.
Every IPv6 unicast address (global or link-local) must be checked for uniqueness on the link; however,
until the uniqueness of the link-local address is verified, duplicate address detection is not performed on
any other IPv6 addresses associated with the link-local address.
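
The exchange in Figure 54-7, the checksum over the IPv6 pseudoheader, and the rule that only a solicited advertisement confirms reachability are shown below as an added Python example (not Cisco code). The message layout follows RFC 4861; the function names and node A's address are constructed, and node B uses the 2037::01:800:200E:8C6C example address from this chapter.

```python
import ipaddress
import struct

NEXT_HEADER_ICMPV6 = 58          # Next Header value that identifies ICMPv6
NEIGHBOR_SOLICITATION = 135
NEIGHBOR_ADVERTISEMENT = 136
SOLICITED_FLAG = 0x40000000      # S bit in the 32-bit flags field of an advertisement


def icmpv6_checksum(src, dst, message):
    """Internet checksum over the IPv6 pseudoheader plus the ICMPv6 message."""
    data = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", len(message), NEXT_HEADER_ICMPV6) + message)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_nd(msg_type, src, dst, target, lladdr=None, solicited=False):
    """Build a neighbor solicitation (135) or advertisement (136) message."""
    flags = SOLICITED_FLAG if (msg_type == NEIGHBOR_ADVERTISEMENT and solicited) else 0
    body = struct.pack("!I", flags) + ipaddress.IPv6Address(target).packed
    if lladdr is not None:
        # Option type 1 = source link-layer address, 2 = target link-layer
        # address; the length field counts units of 8 octets.
        option_type = 1 if msg_type == NEIGHBOR_SOLICITATION else 2
        body += bytes([option_type, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    checksum = icmpv6_checksum(src, dst, struct.pack("!BBH", msg_type, 0, 0) + body)
    return struct.pack("!BBH", msg_type, 0, checksum) + body


def parse_nd(src, dst, message):
    """Validate and classify a neighbor solicitation or advertisement."""
    if len(message) < 24:
        raise ValueError("too short for a neighbor discovery message")
    msg_type = message[0]
    if msg_type not in (NEIGHBOR_SOLICITATION, NEIGHBOR_ADVERTISEMENT):
        raise ValueError(f"ICMPv6 type {msg_type} is not handled here")
    # A valid message sums to zero when its own checksum field is included.
    if icmpv6_checksum(src, dst, message) != 0:
        raise ValueError("ICMPv6 checksum mismatch")
    (flags,) = struct.unpack("!I", message[4:8])
    lladdr, options = None, message[24:]
    while len(options) >= 8 and options[1] > 0:
        if options[0] in (1, 2) and options[1] == 1:
            lladdr = ":".join(f"{b:02x}" for b in options[2:8])
        options = options[options[1] * 8:]
    confirms = False
    if msg_type == NEIGHBOR_SOLICITATION:
        if ipaddress.IPv6Address(src).is_unspecified:
            purpose = "duplicate address detection"
        elif ipaddress.IPv6Address(dst).is_multicast:
            purpose = "address resolution"
        else:
            purpose = "reachability probe"
    else:
        confirms = bool(flags & SOLICITED_FLAG)
        purpose = "solicited advertisement" if confirms else "unsolicited advertisement"
    return {"type": msg_type, "target": str(ipaddress.IPv6Address(message[8:24])),
            "lladdr": lladdr, "purpose": purpose, "confirms_reachability": confirms}


if __name__ == "__main__":
    # Constructed sample nodes: A solicits B, B answers.
    a, mac_a = "2001:db8::a", "00:90:27:17:fc:0f"
    b, mac_b = "2037::1:800:200e:8c6c", "00:2c:04:00:ff:56"
    solicited_node_b = "ff02::1:ff0e:8c6c"
    ns = build_nd(NEIGHBOR_SOLICITATION, a, solicited_node_b, b, lladdr=mac_a)
    na = build_nd(NEIGHBOR_ADVERTISEMENT, b, a, b, lladdr=mac_b, solicited=True)
    print(parse_nd(a, solicited_node_b, ns))
    print(parse_nd(b, a, na))
```

A monitoring tool can use the same classification to separate solicited replies from unsolicited advertisements, which this section says must not be treated as confirmation of the forward path.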

Router Discovery
Router discovery performs both router solicitation and router advertisement. Router solicitations are sent
by hosts to all-routers multicast addresses. Router advertisements are sent by routers in response to
solicitations or unsolicited and contain default router information as well as additional parameters such
as the MTU and hop limit.

IPv6 Stateless Autoconfiguration


All interfaces on IPv6 nodes must have a link-local address, which is automatically configured from the
identifier for an interface and the link-local prefix FE80::/10. A link-local address enables a node to
communicate with other nodes on the link and can be used to further configure the node.
Nodes can connect to a network and automatically generate site-local and global IPv6 addresses without
the need for manual configuration or help of a server, such as a DHCP server. With IPv6, a router on the
link advertises in router advertisement (RA) messages any site-local and global prefixes, and its
willingness to function as a default router for the link. RA messages are sent periodically and in response
to router solicitation messages, which are sent by hosts at system startup. (See Figure 54-8.)

Figure 54-8 IPv6 Stateless Autoconfiguration
[Figure: the router sends network-type information (prefix, default route, and so on). The host, with MAC
address 00:2c:04:00:FF:56, autoconfigures its address as the prefix received plus its interface ID.]

A node on the link can automatically configure site-local and global IPv6 addresses by appending its
interface identifier (64 bits) to the prefixes (64 bits) included in the RA messages. The resulting 128-bit
IPv6 addresses configured by the node are then subjected to duplicate address detection to ensure their
uniqueness on the link. If the prefixes advertised in the RA messages are globally unique, then the IPv6
addresses configured by the node are also guaranteed to be globally unique. Router solicitation
messages, which have a value of 133 in the Type field of the ICMP packet header, are sent by hosts at
system startup so that the host can immediately autoconfigure without needing to wait for the next
scheduled RA message.

Dual IPv4 and IPv6 Protocol Stacks


The dual IPv4 and IPv6 protocol stack technique is one technique for a transition to IPv6. It enables
gradual, one-by-one upgrades to applications running on nodes. Applications running on nodes are
upgraded to make use of the IPv6 protocol stack. Applications that are not upgraded (they support only
the IPv4 protocol stack) can coexist with upgraded applications on the same node. New and upgraded
applications simply make use of both the IPv4 and IPv6 protocol stacks. (See Figure 54-9.)

Figure 54-9 Dual IPv4 and IPv6 Protocol Stack Technique
[Figure: an existing application and an upgraded application, each layered over TCP and UDP, then IPv4 and
IPv6, then the data link (Ethernet). The frame protocol ID is 0x0800 for IPv4 and 0x86dd for IPv6.]

A new API has been defined to support both IPv4 and IPv6 addresses and DNS requests. An application
can be upgraded to the new API and still use only the IPv4 protocol stack. The Cisco MDS NX-OS
supports the dual IPv4 and IPv6 protocol stack technique. When an interface is configured with both an
IPv4 and an IPv6 address, the interface will accept and process both IPv4 and IPv6 traffic.

In Figure 54-10, an application that supports dual IPv4 and IPv6 protocol stacks requests all available
addresses for the destination host name www.a.com from a DNS server. The DNS server replies with all
available addresses (both IPv4 and IPv6 addresses) for www.a.com. The application chooses an
address (in most cases, IPv6 addresses are the default choice) and connects the source node to the
destination using the IPv6 protocol stack.

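Figure 54-10 Dual IPv4 and IPv6 Protocol Stack Applications
[Figure: a dual-stack application asks the DNS server for www.example.com and receives both 3ffe:yyyy::1
and 10.1.1.1. It can reach the destination over IPv6 at 3ffe:yyyy::1 or over IPv4 at 10.1.1.1.]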

Configuring Basic Connectivity for IPv6


The tasks in this section explain how to implement IPv6 basic connectivity. Each task in the list is
identified as either required or optional. This section includes the following topics:
Configuring IPv6 Addressing and Enabling IPv6 Routing
Configuring IPv4 and IPv6 Protocol Addresses

Configuring IPv6 Addressing and Enabling IPv6 Routing


This task explains how to assign IPv6 addresses to individual router interfaces and enable the processing
of IPv6 traffic. By default, IPv6 addresses are not configured and IPv6 processing is disabled.
You can configure IPv6 addresses on the following interface types:
Gigabit Ethernet
Management
VLAN (Gigabit Ethernet subinterface)
VSAN

Note The IPv6 address must be in the form documented in RFC 2373, where the address is specified in
hexadecimal using 16-bit values between colons.

The IPv6 prefix must be in the form documented in RFC 2373, where the address is specified in
hexadecimal using 16-bit values between colons.

The IPv6 prefix length is a decimal value that indicates how many of the high-order contiguous bits of
the address comprise the prefix (the network portion of the address). A slash mark must precede the
decimal value.

Configuring a global IPv6 address on an interface automatically configures a link-local address and
activates IPv6 for that interface. Additionally, the configured interface automatically joins the following
required multicast groups for that link:
Solicited-node multicast group FF02:0:0:0:0:1:FF00::/104 for each unicast address assigned to the interface
All-node link-local multicast group FF02::1

Note The solicited-node multicast address is used in the neighbor discovery process.

Note The maximum number of IPv6 addresses (static and autoconfigured) allowed on an interface is eight,
except on the management (mgmt 0) interface where only one static IPv6 address can be configured.
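
The address formation described under IPv6 Stateless Autoconfiguration and the multicast groups listed above can be traced in code. This is an added example, not Cisco code: it assumes the interface identifier is the modified EUI-64 form of the MAC address (RFC 4291), uses the MAC address from Figure 54-8 with a constructed RA prefix, and all function names are illustrative.

```python
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
# Base of FF02:0:0:0:0:1:FF00::/104; the low 24 bits come from the unicast address.
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def interface_id_from_mac(mac: str) -> int:
    """64-bit interface identifier in modified EUI-64 form (an assumption here).

    The 48-bit MAC is split in half, FF:FE is inserted in the middle and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def autoconfigured_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Append the 64-bit interface ID to a 64-bit prefix (link-local or from an RA)."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError(f"{prefix}: autoconfiguration needs a 64-bit prefix")
    return ipaddress.IPv6Address(
        int(network.network_address) | interface_id_from_mac(mac)
    )


def solicited_node_group(address) -> ipaddress.IPv6Address:
    """Solicited-node multicast group for one unicast address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def groups_joined(unicast_addresses):
    """Multicast groups the interface joins for the given unicast addresses."""
    groups = {ALL_NODES}
    groups.update(solicited_node_group(a) for a in unicast_addresses)
    return sorted(groups)


if __name__ == "__main__":
    mac = "00:2c:04:00:FF:56"              # MAC address shown in Figure 54-8
    ra_prefix = "2001:db8:800:200c::/64"   # constructed prefix, as if taken from an RA
    # Link-local prefix FE80::/10 followed by 54 zero bits, then the interface ID.
    link_local = autoconfigured_address("fe80::/64", mac)
    global_address = autoconfigured_address(ra_prefix, mac)
    print("link-local:", link_local)
    print("global:    ", global_address)
    for group in groups_joined([link_local, global_address]):
        print("joins:     ", group)
```

Both autoconfigured addresses end in the same 24 bits, so they map to a single solicited-node group; an address seen on the link can also be tied back to the adapter's MAC address when this form of interface identifier is used.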

To configure an IPv6 address on an interface using Device Manager, follow these steps:

Step 1 Choose Interfaces > Gigabit Ethernet and iSCSI.
You see the Gigabit Ethernet Configuration dialog box (see Figure 54-11).

Figure 54-11 Gigabit Ethernet Configuration in Device Manager

Step 2 Click the IP Address that you want to configure and click Edit IP Address.
You see the IP Address dialog box.
Step 3 Click Create and set the IP Address/Mask field, using the IPv6 format (for example,
2001:0DB8:800:200C::417A/64).
Step 4 Click Create to save these changes or click Close to discard any unsaved changes.

To enable IPv6 routing using Device Manager, follow these steps:

Step 1 Choose IP > Routing.
You see the IP Routing Configuration dialog box (see Figure 54-11).

Figure 54-12 IP Routing Configuration in Device Manager

Step 2 Check the Routing Enabled check box.
Step 3 Click Apply to save these changes or click Close to discard any unsaved changes.

Configuring IPv4 and IPv6 Protocol Addresses


When an interface in a Cisco networking device is configured with both an IPv4 and an IPv6 address,
the interface can send and receive data on both IPv4 and IPv6 networks.
To configure an interface in a Cisco networking device to support both the IPv4 and IPv6 protocol stacks
using Device Manager, follow these steps:

Step 1 Click Interfaces > Gigabit Ethernet and iSCSI.
You see the Gigabit Ethernet Configuration dialog box.
Step 2 Click the IP Address field that you want to configure and click Edit IP Address.
You see the IP Address dialog box.
Step 3 Click Create and set the IP Address/Mask field, using the IPv4 or IPv6 format.
Step 4 Click Create to save these changes or click Close to discard any unsaved changes.

Configuring IPv6 Static Routes


Cisco MDS NX-OS supports static routes for IPv6. This section includes the following topics:
Configuring an IPv6 Static Route

Configuring an IPv6 Static Route


You must manually configure IPv6 static routes and define an explicit path between two networking
devices. IPv6 static routes are not automatically updated and must be manually reconfigured if the
network topology changes.

To configure an IPv6 static route using Device Manager, follow these steps:

Step 1 Choose IP > Routing.
You see the IP Routing Configuration dialog box.
Step 2 Click Create.
You see the Create IP Route dialog box.
Step 3 Set the Dest field to the IPv6 destination address.
Step 4 Set the Mask field to the IPv6 subnet mask.
Step 5 Set the Gateway field to the IPv6 default gateway.
Step 6 Optionally, set the Metric field to the desired route metric.
Step 7 Select the interface from the Interface drop-down menu.
Step 8 Click Create to save these changes or click Close to discard any unsaved changes.

Gigabit Ethernet IPv6-ACL Guidelines

Tip If IPv6-ACLs are already configured in a Gigabit Ethernet interface, you cannot add this interface to an
Ethernet PortChannel group. See Chapter 42, "Configuring IPv4 and IPv6 Access Control Lists," for
information on configuring IPv6-ACLs.

Follow these guidelines when configuring IPv6-ACLs for Gigabit Ethernet interfaces:
Only use Transmission Control Protocol (TCP) or Internet Control Message Protocol (ICMP).

Note Other protocols such as User Datagram Protocol (UDP) and HTTP are not supported in
Gigabit Ethernet interfaces. Applying an ACL that contains rules for these protocols to a
Gigabit Ethernet interface is allowed but those rules have no effect.

Apply IPv6-ACLs to the interface before you enable an interface. This ensures that the filters are in
place before traffic starts flowing.
Be aware of the following conditions:
    If you use the log-deny option, a maximum of 50 messages are logged per second.
    The established option is ignored when you apply IPv6-ACLs containing this option to Gigabit
        Ethernet interfaces.
    If an IPv6-ACL rule applies to a preexisting TCP connection, that rule is ignored. For example,
        if there is an existing TCP connection between A and B and an IPv6-ACL that specifies
        dropping all packets whose source is A and destination is B is subsequently applied, it will have
        no effect.
See Chapter 42, "Configuring IPv4 and IPv6 Access Control Lists," for information on applying
IPv6-ACLs to an interface.
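
The guidelines above mean an ACL can be accepted on a Gigabit Ethernet interface and still filter less than it appears to. The following added example (not Cisco code) reviews an ACL against them; the Rule structure, the finding names and the sample addresses are constructed for illustration and are not NX-OS syntax.

```python
import ipaddress
from dataclasses import dataclass

SUPPORTED_PROTOCOLS = {"tcp", "icmp"}   # the only protocols the guidelines allow


@dataclass
class Rule:
    """Hypothetical in-memory form of one IPv6-ACL entry."""
    action: str                 # "permit" or "deny"
    protocol: str               # "tcp", "icmp", "udp", ...
    src: str                    # "any" or an IPv6 prefix
    dst: str                    # "any" or an IPv6 prefix
    established: bool = False
    log_deny: bool = False


def _covers(spec: str, address: str) -> bool:
    """True when the rule's address spec matches the given endpoint."""
    if spec == "any":
        return True
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(spec)


def review_gige_acl(rules, interface_enabled, open_tcp_connections=()):
    """Return (rule_number, finding) pairs; rule number 0 means the ACL as a whole."""
    findings = []
    if interface_enabled:
        # Filters should be in place before traffic starts flowing.
        findings.append((0, "applied-after-enable"))
    for number, rule in enumerate(rules, start=1):
        protocol = rule.protocol.lower()
        if protocol not in SUPPORTED_PROTOCOLS:
            # The rule is accepted but never matches anything.
            findings.append((number, "protocol-has-no-effect"))
            continue
        if rule.established:
            # With the option ignored, the rule matches more than its author intended.
            findings.append((number, "established-ignored"))
        if rule.log_deny:
            findings.append((number, "log-deny-capped-at-50-per-second"))
        # The page says any rule is ignored for a preexisting connection; only
        # deny rules are reported here because that is where filtering is lost.
        if protocol == "tcp" and rule.action == "deny":
            for src, dst in open_tcp_connections:
                if _covers(rule.src, src) and _covers(rule.dst, dst):
                    findings.append((number, "preexisting-connection-not-filtered"))
                    break
    return findings


# Constructed sample ACL and connection table.
SAMPLE_ACL = [
    Rule("permit", "tcp", "any", "2001:db8:1::/64", established=True),
    Rule("deny", "udp", "any", "any"),
    Rule("deny", "tcp", "2001:db8:a::10/128", "2001:db8:b::20/128", log_deny=True),
    Rule("permit", "icmp", "any", "any"),
]
SAMPLE_CONNECTIONS = [("2001:db8:a::10", "2001:db8:b::20")]

if __name__ == "__main__":
    for number, finding in review_gige_acl(SAMPLE_ACL, True, SAMPLE_CONNECTIONS):
        print(f"rule {number}: {finding}")
```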

Transitioning from IPv4 to IPv6


Cisco MDS NX-OS does not support any transitioning mechanisms from IPv4 to IPv6. However, you
can use the transitioning schemes in the Cisco router products for this purpose. For information on
configuring Cisco routers to transition your network, refer to the Implementing Tunneling for IPv6
chapter in the Cisco IOS IPv6 Configuration Guide.

Default Settings
Table 54-2 lists the default settings for IPv6 parameters.

Table 54-2 Default IPv6 Parameters

Parameters                              Default
IPv6 processing                         Disabled.
Duplicate address detection attempts    0 (neighbor discovery disabled).
Reachability time                       1000 milliseconds.
Retransmission time                     30000 milliseconds.
IPv6-ACLs                               None.

PART 7

Intelligent Storage Services


CHAPTER 55
Configuring SCSI Flow Services and Statistics

Intelligent Storage Services are features supported on the Storage Services Module (SSM). The Storage
Services Module (SSM) supports SCSI flow services and SCSI flow statistics. Intelligent Storage
Services supported in Cisco MDS SAN-OS Release 2.0(2b) or Cisco NX-OS 4.1(1b) and later include
the following topics:
SCSI Flow Services
SCSI Flow Statistics
Default Settings

SCSI Flow Services


A SCSI initiator/target combination is a SCSI flow. SCSI flow services provide enhanced features for
SCSI flows, such as write acceleration and flow monitoring for statistics gathering on an SSM.
This section includes the following topics:
About SCSI Flow Services
Configuring SCSI Flow Services
Enabling Intelligent Storage Services
Disabling Intelligent Storage Services

About SCSI Flow Services


A SCSI initiator/target combination is a SCSI flow. SCSI flow services provide enhanced features for
SCSI flows, such as write acceleration and flow monitoring for statistics gathering on an SSM.
The SCSI flow services functional architecture consists of the following components:
SCSI flow manager (SFM) on the supervisor
SCSI flow configuration CLI on the supervisor
SCSI flow configuration client on the Control Path Processor (CPP) of an SSM
SCSI flow feature set support on the Data Path Processor (DPP) of an SSM
Figure 55-1 shows an example of the SCSI flow services functional architecture.

Figure 55-1 SCSI Flow Services Functional Architecture
[Figure: two switches, one on the initiator side and one on the target side. On each switch the supervisor
runs the SCSI flow CLI and the SCSI flow manager, and the SSM contains the CPP with the SCSI flow client,
the DPPs, and the ports. The two SCSI flow managers communicate through CFS.]

Note The SCSI target and initiator must be connected to different SSMs on different switches.

Note For statistics monitoring, the target device is not required to be connected to an SSM.

SCSI Flow Manager


The SCSI flow manager (SFM) resides on a supervisor module and handles the configuration of SCSI
flows, validating them and relaying configuration information to the appropriate SSM. It also handles
any dynamic changes to the status of the SCSI flow due to external events. The SFM registers events
resulting from operations, such as port up or down, VSAN suspension, and zoning that affects the SCSI
flow status, and updates the flow status and configuration accordingly.
The SFM on the initiator communicates to its peer on the target side using Cisco Fabric Services (CFS).
Peer communication allows the initiator SFM to validate target parameters and program information on
the target side.

SCSI Flow Configuration Client


A SCSI flow configuration client (SFCC) resides on the CPP of the SSM. It receives flow configuration
requests from the SFM, programs the DPP corresponding to the initiator and target port interfaces, and
responds to the SFM with the status of the configuration request.

SCSI Flow Data Path Support


The DPP on the SSM examines all the messages between the initiator and target and provides SCSI flow
features such as Fibre Channel write acceleration and statistics monitoring.

Configuring SCSI Flow Services


A SCSI flow specification consists of the following attributes:
SCSI flow identifier
VSAN identifier
SCSI initiator port WWN
SCSI target port WWN
Flow feature set consisting of Fibre Channel write acceleration and statistics monitoring.
The SCSI flow specification is a distributed configuration because the SCSI initiator and the target might
be physically connected to SSMs on two different switches located across the fabric. The configuration
does not require information to identify either the switch name or the SSM slot location for either the
initiator or the target. The manual SCSI flow configuration is performed only at the initiator side. This
simplifies the configuration process. The initiator switch sends the configuration to the SFM on the
target switch using CFS. No SCSI flow configuration is necessary on the target switch.

Enabling Intelligent Storage Services


You can enable SCSI flow services either on the entire SSM or on groups of four interfaces.
Enabling SCSI flow services on interfaces has the following restrictions:
The fewest number of interfaces that you can enable is four. You can specify fc1 through fc4 but not fc1 through fc2.
The first interface in the group must be 1, 5, 9, 13, 17, 21, 25, or 29. You can specify fc5 through fc8 but not fc7 through fc10.
The groups of four interfaces do not need to be consecutive. You can specify fc1 through fc8 and fc17 through fc20.

Note Fibre Channel write acceleration can only be provisioned on the entire SSM, not a group of interfaces
on the SSM.
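
The interface-group restrictions above can be checked before a provisioning change is submitted. This is an added example, not Cisco code: the "fc5-8" range notation, the function names, and the upper bound of 32 (derived from the last permitted first interface, 29, plus three) are assumptions made for illustration.

```python
import re

# First interface of each four-port group, as listed in the restrictions above.
GROUP_FIRST_PORTS = (1, 5, 9, 13, 17, 21, 25, 29)
LAST_PORT = GROUP_FIRST_PORTS[-1] + 3            # 32, derived from the list above
_RANGE = re.compile(r"^fc(\d+)-(?:fc)?(\d+)$")   # hypothetical "fc5-8" notation


def provisioning_groups(ranges):
    """Expand interface ranges into four-port groups, or raise ValueError.

    Returns a sorted list of (first, last) tuples, one per group of four.
    """
    groups = set()
    for spec in ranges:
        match = _RANGE.match(spec.replace(" ", "").lower())
        if match is None:
            raise ValueError(f"{spec!r}: expected a range such as fc1-4")
        first, last = int(match.group(1)), int(match.group(2))
        if first not in GROUP_FIRST_PORTS:
            raise ValueError(
                f"{spec!r}: first interface must be one of {GROUP_FIRST_PORTS}"
            )
        count = last - first + 1
        if count < 4 or count % 4 != 0 or last > LAST_PORT:
            raise ValueError(f"{spec!r}: interfaces are enabled in whole groups of four")
        for start in range(first, last + 1, 4):
            group = (start, start + 3)
            if group in groups:
                raise ValueError(f"{spec!r}: fc{start}-{start + 3} is listed twice")
            groups.add(group)
    return sorted(groups)


def check(ranges):
    """Return (True, groups) or (False, reason) without raising."""
    try:
        return True, provisioning_groups(ranges)
    except ValueError as error:
        return False, str(error)


if __name__ == "__main__":
    # The accepted and rejected ranges named in the restrictions above.
    for candidate in (["fc1-4"], ["fc1-2"], ["fc5-8"], ["fc7-10"], ["fc1-8", "fc17-20"]):
        print(candidate, "->", check(candidate))
```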

To enable Intelligent Storage Services for an SSM and provision all ports or a group of ports to use these
services using Fabric Manager, follow these steps:

Step 1 Expand End Devices and then select SSM Features in the Physical Attributes pane.
You see the Intelligent Storage Services configuration in the Information pane.
Step 2 Click the SSM tab.
You see the set of configured services in the Information pane shown in Figure 55-2.

Figure 55-2 SSM Tab

Step 3 Click Create Row to enable a new service on an SSM.
You see the Create SSM dialog box shown in Figure 55-3.

Figure 55-3 Create SSM Dialog Box

Step 4 Select the switch and SSM card you want to configure.
Step 5 (Optional) Uncheck the Use All Ports on Module check box if you want to provision a subset of the
ports on the card to use this service.
Step 6 Select the port range you want to provision for using this service (starting port and ending port).

Note The port range must be a multiple of four (for example fc4/1 through fc4-12).

Step 7 Select the feature you want to enable on these ports from the drop-down list of services.
Step 8 Set the PartnerImageURI field if you are enabling a third-party application that requires an image loaded
onto the SSM.
Step 9 Click Create to create this row and enable this service.

To configure Fibre Channel write acceleration using Fabric Manager, follow these steps:

Step 1 Expand End Devices and then select SSM Features in the Physical Attributes pane.
You see the Intelligent Storage Services configuration, showing the FCWA tab in the Information pane
shown in Figure 55-4.

Figure 55-4 FCWA Tab

Step 2 Click Create Row in the Information pane to create a SCSI flow or click a row in the FCWA table to
modify an existing SCSI flow.
You see the FC Write Acceleration dialog box shown in Figure 55-5.

Figure 55-5 FC Write Acceleration Dialog Box

Step 3 Select the initiator and target WWNs and VSAN IDs and check the WriteAcc check box to enable Fibre
Channel write acceleration on this SCSI flow.
Step 4 (Optional) Enable SCSI flow statistics on this SCSI flow by checking the Enable Statistics check box.
Step 5 (Optional) Change the BufCount value to set the number of 2K buffers used by the SCSI target.
Step 6 Click Create to create this SCSI flow.

Disabling Intelligent Storage Services


To disable Intelligent Storage Services in Fabric Manager for an SSM and free up a group of ports that
used these services, follow these steps:

Step 1 Expand End Devices and then select SSM Features in the Physical Attributes pane.
You see the Intelligent Storage Services configuration in the Information pane.
Step 2 Click the SSM tab.
You see the set of configured services in the Information pane shown in Figure 55-2.
Step 3 Select the row in the table that you want to disable.
Step 4 (Optional) Check the Reboot Module on Delete check box if you want to force the card to reboot after
disabling the service. This is equivalent to the CLI force option.
Step 5 Click Delete Row. The ports that were provisioned for this service become available for provisioning in
another service.

Note If Reboot Module on Delete was checked, then the SSM module reboots.

SCSI Flow Statistics


This section includes the following topics:
About SCSI Flow Statistics
Configuring SCSI Flow Statistics

About SCSI Flow Statistics


The statistics that can be collected for SCSI flows include the following:
SCSI reads
    Number of I/Os
    Number of I/O blocks
    Maximum I/O blocks
    Minimum I/O response time
    Maximum I/O response time
SCSI writes
    Number of I/Os
    Number of I/O blocks
    Maximum I/O blocks
    Minimum I/O response time
    Maximum I/O response time
Other SCSI commands (not read or write)
    Test unit ready
    Report LUN
    Inquiry
    Read capacity
    Mode sense
    Request sense
Errors
    Number of timeouts
    Number of I/O failures
    Number of various SCSI status events
    Number of various SCSI sense key errors or events
To take advantage of this feature, only the initiator must be directly attached to an SSM.

Note The SCSI flow statistics feature requires the Enterprise Package license installed only on the initiator
switches.

Note For SCSI flow statistics, the initiator must connect to an SSM on a Cisco MDS switch while the target
can connect to any other switch in the fabric. The SCSI flow initiator and target cannot connect to the
same switch.

Configuring SCSI Flow Statistics


This section includes the following topics:
Enabling SCSI Flow Statistics
Clearing SCSI Flow Statistics

Enabling SCSI Flow Statistics


To enable SCSI flow statistics monitoring using Fabric Manager, follow these steps:

Step 1 Expand End Devices and then select SSM Features in the Physical Attributes pane.
You see the FCWA tab in the Information pane.
Step 2 Click Create Row in the Information pane to create a SCSI flow or click a row in the FCWA table to
modify an existing SCSI flow.
You see the FC Write Acceleration dialog box shown in Figure 55-5.
Step 3 Select the initiator and target WWNs and VSAN IDs and check the Enable Statistics check box to
enable SCSI flow statistics on this SCSI flow.

Step 4 (Optional) Enable Fibre Channel write acceleration on this SCSI flow at this time by checking the
WriteAcc check box.
Step 5 Click Create to create this SCSI flow.

Clearing SCSI Flow Statistics


To clear SCSI flow statistics using Fabric Manager, follow these steps:

Step 1 Expand End Devices and then select SSM Features.
Step 2 Check the Stats Clear check box to clear SCSI flow statistics.
Step 3 Click the Apply Changes icon to clear the SCSI flow statistics.

Default Settings
Table 55-1 lists the default settings for SCSI flow services and SCSI flow statistics parameters.

Table 55-1 Default Intelligent Storage Services Parameters

Parameters                         Default
SCSI flow services                 Disabled.
SCSI flow services distribution    Enabled.
SCSI flow statistics               Disabled.

CHAPTER 56
Configuring Fibre Channel Write Acceleration

The Storage Services Module (SSM) supports Fibre Channel write acceleration on Cisco MDS 9000
Family switches running Cisco MDS SAN-OS Release 2.0(2b) and later or Cisco NX-OS 4.1(3a).
This chapter includes the following sections:
Fibre Channel Write Acceleration
Default Settings

Fibre Channel Write Acceleration


Fibre Channel write acceleration minimizes application latency or reduces transactions per second over
long distances. For synchronous data replication, Fibre Channel write acceleration increases the distance
of replication or reduces effective latency to improve performance. To take advantage of this feature,
both the initiator and target devices must be directly attached to an SSM.
This section includes the following topics:
About Fibre Channel Write Acceleration
Enabling Fibre Channel Write Acceleration

About Fibre Channel Write Acceleration


The Fibre Channel write acceleration feature also allows the configuration of the buffer count. You can
change the number of 2-KB buffers reserved on the target side DPP for a SCSI flow.
You can estimate the number of buffers to configure using the following formula:
(Number of concurrent SCSI writes * size of SCSI writes in bytes) / FCP data frame size in bytes
For example, HDS TrueCopy between HDS 9970s uses 1-KB FCP data frames. An initial sync for a
16-LUN TrueCopy group with 15 tracks, or 768 KB per LUN, requires approximately
16*(768*1024)/1024 or 12248 write buffers.

Note The Fibre Channel write acceleration feature requires the Enterprise Package license installed on both
the initiator and target switches.

Note The initiator and target cannot connect to the same Cisco MDS switch. Fibre Channel write acceleration
requires that the initiator and target must each connect to an SSM module installed on different Cisco
MDS switches.

Enabling Fibre Channel Write Acceleration


To enable Fibre Channel write acceleration, and optionally modify the number of write acceleration
buffers with Fabric Manager, follow these steps:

Step 1 Expand End Devices and then select SSM Features from the Physical Attributes pane.
You see the Intelligent Storage Services configuration, showing the FCWA tab in the Information pane
(see Figure 56-1).

Figure 56-1 FCWA Tab

Step 2 Click Create Row in the Information pane to create a SCSI flow or click a row in the FCWA table to
modify an existing SCSI flow.
You see the FC Write Acceleration dialog box shown in Figure 56-2.

Figure 56-2 FC Write Acceleration Dialog Box

Step 3 Select the initiator and target WWNs and VSAN IDs and check the WriteAcc check box to enable Fibre
Channel write acceleration on this SCSI flow.
Step 4 (Optional) Enable SCSI flow statistics on this SCSI flow at this time by checking the Enable Statistics
check box.
Step 5 (Optional) Set the BufCount value to the number of 2K buffers used by the SCSI target.
Step 6 Click Create to create this SCSI flow with Fibre Channel write acceleration.

Default Settings
Table 56-1 lists the default settings for Fibre Channel write acceleration parameters.

Table 56-1 Default Fibre Channel Write Acceleration Parameters

Parameters                                  Default
Fibre Channel write acceleration            Disabled.
Fibre Channel write acceleration buffers    1024.

PART 8

Network and Switch Monitoring


CHAPTER 57
Network Monitoring

The primary purpose of Fabric Manager is to manage the network. In particular, SAN discovery and
network monitoring are two of its key network management capabilities.
This chapter contains the following sections:
SAN Discovery and Topology Mapping
Health and Event Monitoring

SAN Discovery and Topology Mapping


Fabric Manager provides extensive SAN discovery, topology mapping, and information viewing
capabilities. Fabric Manager collects information on the fabric topology through SNMP queries to the
switches connected to it. Fabric Manager recreates a fabric topology, presents it in a customizable map,
and provides inventory and configuration information in multiple viewing options.

Device Discovery
Once Fabric Manager is invoked, a SAN discovery process begins. Using information polled from a seed
Cisco MDS 9000 Family switch, including Name Server registrations, Fibre Channel Generic Services
(FC-GS), Fabric Shortest Path First (FSPF), and SCSI-3, Fabric Manager automatically discovers all
devices and interconnects on one or more fabrics. All available switches, host bus adapters (HBAs), and
storage devices are discovered. The Cisco MDS 9000 Family switches use Fabric-Device Management
Interface (FDMI) to retrieve HBA model, serial number and firmware version, and host operating-system
type and version discovery without host agents. Fabric Manager gathers this information through SNMP
queries to each switch. The device information discovered includes device names, software revision
levels, vendor, ISLs, PortChannels, and VSANs.
For a VSAN change involving a third-party switch, Fabric Manager will need a second discovery to show
the correct topology due to the discovery dependency when there is any change in a mixed VSAN. The
first discovery finds the third-party switch and the subsequent discovery will show the information on
which VSAN it is going to join and can discover the end devices connected to it. You can wait for the
subsequent discovery or trigger a manual discovery.

Topology Mapping
Fabric Manager is built upon a topology representation of the fabric. Fabric Manager provides an
accurate view of multiple fabrics in a single window by displaying topology maps based on device
discovery information. You can modify the topology map icon layout with an easy-to-use, drag-and-drop
interface. The topology map visualizes device interconnections and highlights configuration information
such as zones, VSANs, and ISLs that exceed utilization thresholds. The topology map also provides a
visual context for launching command-line interface (CLI) sessions, configuring PortChannels, and
opening device managers.

Using the Topology Map


The Fabric Manager topology map can be customized to provide a view into the fabric that varies from
showing all switches, end devices, and links, to showing only the core switches with single bold lines
for any multiple links between switches. Use the icons along the left side of the topology map to control
these views or right-click anywhere in the topology map to access the map controls.
You can zoom in or out on the topology map to see an overview of the SAN or focus on an area of
importance. You can also open an overview window that shows the entire fabric. From this window, you
can right-click and draw a box around the area you want to view in the main topology map view.
Another way to limit the scope of the topology display is to select a fabric or VSAN from the Logical
Domains pane. The topology map displays only that fabric or VSAN.
Moving the mouse pointer over a link or switch provides a simple summary of that SAN component,
along with a status indication. Right-clicking on the component brings up a pop-up menu. You can view
the component in detail or access configuration or test features for that component.
Double-click a link to bring link status and configuration information to the information pane.
Double-click a switch to bring up Device Manager for that switch.

Saving a Customized Topology Map Layout


Changes made to the topology map can be saved so that the customized view is available any time you
open the Fabric Manager Client for that fabric.
To save the customized layout using Fabric Manager, follow these steps:

Step 1 Click File > Preferences to open the Fabric Manager preferences dialog box.
Step 2 Click the Map tab and check the Automatically Save Layout check box to save any changes to the
topology map (see Figure 57-1).

Figure 57-1 Fabric Manager Preferences

Step 3 Click Apply, then OK to save this change.

Using Enclosures with Fabric Manager Topology Maps


Because not all devices are capable of responding to FC-GS-3 requests, different ports of a single server
or storage subsystem may be displayed as individual end devices on the topology map. See the
Modifying the Device Grouping section on page 5-32 to group these ports into a single enclosure for
Fabric Manager.
Clicking Alias -> Enclosure displays hosts and storage elements in the Information pane. This is a
shortcut to naming enclosures. To use this shortcut, highlight each row in the host or storage table that
you want grouped in an enclosure, then click Alias -> Enclosure. This automatically sets the enclosure
name of each selected row to the first token of the alias.

Mapping Multiple Fabrics


To log into multiple fabrics, the same username and password must be used. The information for both
fabrics is displayed, with no need to select a seed switch. To see details of a fabric, click the tab for that
fabric at the bottom of the Fabric pane, or double-click the fabric's cloud icon.
To continuously manage a fabric using Fabric Manager, follow the instructions in the Managing a
Fabric Manager Server Fabric section on page 3-3.

Inventory Management
The Information pane in Fabric Manager shows inventory, configuration, and status information for all
switches, links, and hosts in the fabric. Inventory management includes vendor name and model, and
software or firmware versions. Select a fabric or VSAN from the Logical Domains pane, and then select
the Summary tab in the Information pane to get a count of the number of VSANs, switches, hosts, and
storage elements in the fabric. See the Fabric Manager Client Quick Tour: Server Admin Perspective
section on page 5-7 for more information on the Fabric Manager user interface.

Using the Inventory Tab from Fabric Manager Web Server


If you have configured Fabric Manager Web Server, you can launch this application and access the
Inventory tab to see a summary of the fabrics managed by the Fabric Manager Server. The Inventory tab
shows an inventory of the selected SAN, fabric, or switch.
See Chapter 7, Fabric Manager Web Client for more information on how to configure and use Fabric
Manager Web Server.
To view system messages remotely using Fabric Manager Web Server, follow these steps:

Step 1 Point your browser at the Fabric Manager Web Server. See the Launching Fabric Manager Web Client
section on page 7-7.
Step 2 Click the Events tab and then Details to view the system messages. The columns in the events table are
sortable. In addition, you can use the Filter button to limit the scope of messages within the table.

Viewing Logs from Device Manager


You can view system messages from Device Manager if Device Manager is running from the same
workstation as the Fabric Manager Server. Choose Logs > Events > current to view the system
messages on Device Manager. The columns in the events table are sortable. In addition, you can use the
Find button to locate text within the table.
You can view switch-resident logs even if you have not set up your local syslog server or your local PC
is not in the switch's syslog server list. Due to memory constraints, these logs will wrap when they reach
a certain size. The switch syslog has two logs: an NVRAM log that holds a limited number of critical
and greater messages and a nonpersistent log that contains notice or greater severity messages. Hardware
messages are part of these logs.

Note To view syslog local logs, you need to configure the IP address of the Fabric Manager Server in the
syslog host.

Health and Event Monitoring


Fabric Manager works with the Cisco MDS 9000 Family switches to show the health and status of the
fabric and switches. Information about the fabric and its components is gathered from multiple sources,
including Online System Health Management, Call Home, system messages, and SNMP notifications.
This information is then made available from multiple menus on Fabric Manager or Device Manager.

Fabric Manager Events Tab


The Fabric Manager Events tab, available from the topology window, displays the events Fabric Manager
received from sources within the fabric. These sources include SNMP events, RMON events, system
messages, and system health messages. The Events tab shows a table of events, including the event name,
the source and time of the event, a severity level, and a description of the event. The table is sortable by
any of these column headings.

Event Information in Fabric Manager Web Server Reports


The Fabric Manager web server client displays collections of information gathered by the Performance
Manager. This information includes events sent to the Fabric Manager Server from the fabric. To open
these reports, choose Performance Manager > Reports. This opens the web client in a web browser
and displays a summary of all fabrics monitored by the Fabric Manager Server. Choose a fabric and then
click the Events tab to see a summary or detailed report of the events that have occurred in the selected
fabric. The summary view shows how many switches, ISLs, hosts, or storage elements are down on the
fabric and how many warnings have been logged for that SAN entity. The detailed view shows a list of
all events that have been logged from the fabric and can be filtered by severity, time period, or type.

Events in Device Manager


Device Manager displays the events when you choose Logs > Events. Device Manager can display the
current list of events or an older list of events that has been stored on the Fabric Manager host. The event
table shows details on each event, including time, source, severity, and a brief description of the event.

CHAPTER 58
Performance Monitoring

Cisco Fabric Manager and Device Manager provide multiple tools for monitoring the performance of the
overall fabric, SAN elements, and SAN links. These tools provide real-time statistics as well as historical
performance monitoring.
This chapter contains the following sections:
Real-Time Performance Monitoring
Historical Performance Monitoring

Real-Time Performance Monitoring


Real-time performance statistics are a useful tool in dynamic troubleshooting and fault isolation within
the fabric. Real-time statistics gather data on parts of the fabric in user-configurable intervals and display
these results in Fabric Manager and Device Manager.

Device Manager Real-Time Performance Monitoring


Device Manager provides an easy tool for monitoring ports on the Cisco MDS 9000 Family switches.
This tool gathers statistics at a configurable interval and displays the results in tables or charts. These
statistics show the performance of the selected port in real-time and can be used for performance
monitoring and troubleshooting. For a selected port, you can monitor any of a number of statistics
including traffic in and out, errors, class 2 traffic, and FICON data. You can set the polling interval from
ten seconds to one hour, and display the results based on a number of selectable options including
absolute value, value per second, and minimum or maximum value per second.
Device Manager checks for oversubscription on the host-optimized four-port groups on relevant
modules. Right-click the port group on a module and choose Check Oversubscription from the pop-up
menu.
Device Manager provides two performance views: the Summary View tab and the configurable monitor
option per port.
To configure the summary view in Device Manager, follow these steps:

Step 1 Click the Summary tab on the main display.
You see all of the active ports on the switch, as well as the configuration options available from the
Summary view shown in Figure 58-1.

Figure 58-1 Device Manager Summary Tab

Step 2 Select a value from the Poll Interval drop-down list.
Step 3 Decide how you want your data to be interpreted by looking at the Show Rx/Tx drop-down menu. The
table updates each polling interval to show an overview of the receive and transmit data for each active
port on the switch.
Step 4 Select a value from the Show Rx/Tx drop-down list. If you select Util%, you need to also select values
from the two Show Rx/Tx > %Util/sec drop-down lists. The first value is the warning level and the
second value is the critical threshold level for event reporting.
Note that you can also display percent utilization for a single port by selecting the port and clicking the
Monitor Selected Interface Traffic Util % icon.
Step 5 Click the Save Configuration icon.

The configurable monitor per port option gives statistics for in and out traffic on that port, errors, class
2 traffic and other data that can be graphed over a period of time to give a real-time view into the
performance of the port.
To configure per port monitoring using Device Manager, follow these steps:

Step 1 Click the Device tab.
Step 2 Right-click the port you are interested in and choose Monitor from the drop-down menu.
You see the port real-time monitor dialog box shown in Figure 58-2.

Figure 58-2 Device Manager Monitor Dialog Box

Step 3 Select a value from the Interval drop-down list to determine how often data is updated in the table shown
here.
Step 4 Click a statistical value in the table then click one of the graphing icons to display a running graph of
that statistic over time. You see a graph window that contains options to change the graph type.

Tip You can open multiple graphs for statistics on any of the active ports on the switch.

Fabric Manager Real-Time ISL Statistics


You can configure Fabric Manager to gather ISL statistics in real time. These ISL statistics include
receive and transmit utilization, bytes per second, as well as errors and discards per ISL.
To configure ISL statistics using Fabric Manager, follow these steps:

Step 1 Choose Performance > ISLs in Real-Time.
You see any ISL statistics in the Information pane (see Figure 58-3).

Figure 58-3 ISL Performance in Real Time

Step 2 Select a value from the Poll Interval drop-down list.
Step 3 Select two values from the Bandwidth utilization thresholds drop-down lists, one value for the minor
threshold and one value for the major threshold.
The table shown updates each polling interval to show the statistics for all configured ISLs in the fabric.
Step 4 Select a row in the table to highlight that ISL in blue in the Topology map.

Historical Performance Monitoring


Performance Manager gathers network device statistics historically and provides this information
graphically using a web browser. It presents recent statistics in detail and older statistics in summary.
Performance Manager also integrates with external tools such as Cisco Traffic Analyzer.
See the Performance Manager Architecture section on page 8-1 for an overview of Performance
Manager.

Creating a Flow with Performance Manager


Performance Manager has a Flow Configuration Wizard that steps you through the process of creating
host-to-storage, storage-to-host, or bidirectional flows. See the Flow Statistics Configuration section
on page 8-6 for information on creating flows.

Creating a Collection with Performance Manager


The Performance Manager Configuration Wizard steps you through the process of creating collections
using configuration files. Collections are defined for one or all VSANs in the fabric. Collections can
include statistics from the SAN element types described in Table 58-1.

Table 58-1 Performance Manager Collection Types

Collection Type    Description
ISLs               Collects link statistics for ISLs.
Host               Collects link statistics for SAN hosts.
Storage            Collects link statistics for storage elements.
Flows              Collects flow statistics defined by the Flow Configuration Wizard.

Using Performance Thresholds


The Performance Manager Configuration Wizard allows you to set up two thresholds that trigger events
when the monitored traffic exceeds the percent utilization configured. These event triggers can be set as
either Critical or Warning events that are reported on the Fabric Manager web client Events browser
page.
You must choose either absolute value thresholds or baseline thresholds that apply to all transmit or
receive traffic defined in the collection. Click the Use absolute values radio button on the last screen of
the Performance Manager Configuration Wizard to configure thresholds that apply directly to the
statistics gathered. These statistics, as a percent of the total link capacity, are compared to the percent
utilization configured for the threshold type. If the statistics exceed either configured threshold, an event
is shown on the Fabric Manager web client Events tab.
As an example, the collection has absolute value thresholds set for 60% utilization (for warning) and
80% utilization (for critical). If Performance Manager detects that the traffic on a 1-Gigabit link in its
collection exceeds 600 Mbps, a warning event is triggered. If the traffic exceeds 800 Mbps, a critical
event is triggered.

Baseline thresholds are defined for a configured time of day or week (1 day, 1 week, or 2 weeks). The
baseline is created by calculating the average of the statistical results for the configured time each day,
week, or every 2 weeks. Table 58-2 shows an example of the statistics used to create the baseline value
for a collection defined at 4 pm on a Wednesday.

Table 58-2 Baseline Time Periods for a Collection Started on Wednesday at 4 pm

Baseline Time Window    Statistics Used in Average Calculation
1 day                   Every prior day at 4 pm
1 week                  Every prior Wednesday at 4 pm
2 weeks                 Every other prior Wednesday at 4 pm

Baseline thresholds create a threshold that adapts to the typical traffic pattern for each link for the same
time window each day, week, or every 2 weeks. Baseline thresholds are set as a percent of the average
(110% to 500%), where 100% equals the calculated average.
As an example, a collection is created at 4 pm on Wednesday, with baseline thresholds set for 1 week,
at 150% of the average (warning) and 200% of the average (critical). Performance Manager recalculates
the average for each link at 4 pm every Wednesday by taking the statistics gathered at that time each
Wednesday since the collection started. Using this as the new average, Performance Manager compares
each received traffic statistic against this value and sends a warning or critical event if the traffic on a
link exceeds 150% or 200% of this average, respectively.
Table 58-3 shows two examples of 1-Gigabit links with different averages in our example collection and
at what traffic measurements the Warning and Critical events are sent.

Table 58-3 Example of Events Generated for 1-Gigabit Links

Average     Warning Event Sent at 150%    Critical Event Sent at 200%
400 Mbps    600 Mbps                      800 Mbps
200 Mbps    300 Mbps                      400 Mbps

Set these thresholds on the last screen of the Collections Configuration Wizard by checking the Send
events if traffic exceeds threshold check box.
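
The absolute and baseline threshold rules described above, worked through in Python as an added example (this is not Cisco or Performance Manager code). The function names, the Mbps units, and the three weeks of sample readings are constructed for illustration, and skipping a missing sample instead of counting it as zero is an assumption.

```python
from datetime import datetime, timedelta

# Baseline windows named on the page, as the spacing between the samples
# that feed the average.
BASELINE_STEP = {
    "1 day": timedelta(days=1),
    "1 week": timedelta(weeks=1),
    "2 weeks": timedelta(weeks=2),
}


def classify(value, warning_level, critical_level):
    """Return 'critical', 'warning' or None. An event fires only when the
    value exceeds a level, so a value equal to the level is not an event."""
    if value > critical_level:
        return "critical"
    if value > warning_level:
        return "warning"
    return None


def absolute_event(traffic_mbps, link_mbps, warn_pct, crit_pct):
    """Absolute thresholds: traffic as a percent of total link capacity."""
    utilization_pct = 100.0 * traffic_mbps / link_mbps
    return classify(utilization_pct, warn_pct, crit_pct)


def baseline_average(history, now, window):
    """Average the samples taken at the same time on every prior day, week
    or second week before `now`. `history` maps datetime -> Mbps.

    Assumption: a slot with no sample (missed poll) is skipped rather than
    counted as zero, so one gap does not drag the baseline down.
    """
    if not history:
        return None
    step = BASELINE_STEP[window]
    first = min(history)
    samples = []
    slot = now - step
    while slot >= first:
        if slot in history:
            samples.append(history[slot])
        slot -= step
    return sum(samples) / len(samples) if samples else None


def baseline_event(history, now, traffic_mbps, window, warn_pct, crit_pct):
    """Baseline thresholds: traffic as a percent of the calculated average."""
    for pct in (warn_pct, crit_pct):
        if not 110 <= pct <= 500:
            raise ValueError("baseline thresholds range from 110% to 500%")
    average = baseline_average(history, now, window)
    if average is None:
        return None  # no prior sample yet, so nothing to compare against
    return classify(traffic_mbps,
                    average * warn_pct / 100.0,
                    average * crit_pct / 100.0)


def constructed_history():
    """Constructed sample data: one reading per day at 4 pm for three weeks,
    starting Wednesday 2009-03-04. Wednesdays carry a weekly peak."""
    start = datetime(2009, 3, 4, 16, 0)
    wednesday_mbps = {0: 380, 7: 410, 14: 410}
    return {start + timedelta(days=d): wednesday_mbps.get(d, 190)
            for d in range(21)}


if __name__ == "__main__":
    history = constructed_history()
    now = datetime(2009, 3, 25, 16, 0)  # the fourth Wednesday, 4 pm
    for window in BASELINE_STEP:
        print(window, baseline_average(history, now, window))
    # 650 Mbps on a 1-Gigabit link: 60%/80% absolute vs 150%/200% baseline
    print(absolute_event(650, 1000, 60, 80))
    print(baseline_event(history, now, 650, "1 week", 150, 200))
```

With this data, a 350 Mbps reading stays below the 60% absolute threshold on a 1-Gigabit link but raises a warning against the 1-day baseline, which is the case baseline thresholds exist to catch.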

Using the Performance Manager Configuration Wizard


See the Creating Performance Collections section on page 7-56.

Viewing Performance Manager Reports


You can view Performance Manager statistical data using preconfigured reports that are built on demand
and displayed in a web browser. These reports provide summary information as well as detailed statistics
that can be viewed for daily, weekly, monthly, or yearly results.
Choose Performance > Reports to access Performance Manager reports from Fabric Manager. This
opens a web browser window showing the default Fabric Manager web client event summary report.
Click the Performance tab to view the Performance Manager reports. Performance Manager begins
reporting data ten minutes after the collection is started.

Note Fabric Manager Web Server must be running for this to work. See the Launching Fabric
Manager Web Client section on page 7-7.

Performance Summary
The Performance Summary page presents a dashboard display of the throughput and link utilization for
hosts, ISLs, storage, and flows for the last 24-hour period. The summary provides a quick overview of
the fabric's bandwidth consumption and highlights any hotspots.
The report includes network throughput pie charts and link utilization pie charts. Use the navigation tree
on the left to show summary reports for monitored fabrics or VSANs. The summary displays charts for
all hosts, storage elements, ISLs, and flows. Each pie chart shows the percent of entities (links, hosts,
storage, ISLs, or flows) that measure throughput or link utilization on each of six predefined ranges.
Move the mouse over a pie chart section to see how many entities exhibit that range of statistics.
Double-click any pie chart to bring up a table of statistics for those hosts, storage elements, ISLs, or
flows.

Performance Tables and Details Graphs


Click Host, Storage, ISL, or Flow to view traffic over the past day for all hosts, storage, ISLs, or flows
respectively. A table lists all of the selected entities, showing transmit and receive traffic and errors and
discards, if appropriate. The table can be sorted by any column heading. The table can also be filtered
by day, week, month, or year. Tables for each category of statistics display average and peak throughput
values and provide hot-links to more detailed information.
Clicking a link in any of the tables opens a details page that shows graphs for traffic by day, week, month,
and year. If flows exist for that port, you can see which storage ports sent data. The details page also
displays graphs for errors and discards if they are part of the statistics gathered and are not zero.
If you double-click a graph on a Detail report, it will launch the Cisco Traffic Analyzer for Fibre
Channel, if configured. The aliases associated with hosts, storage devices, and VSANs in the fabric are
passed to the Cisco Traffic Analyzer to provide consistent, easy identification.

Viewing Performance of Host-Optimized Port Groups


You can monitor the performance of host-optimized port groups by clicking Performance > End
Devices and selecting Port Groups from the Type drop-down list.

Viewing Performance Manager Events


Performance Manager events are viewed through Fabric Manager Web Server. To view problems and
events in Fabric Manager Web Server, choose a fabric and then click the Events tab to see a summary
or detailed report of the problems and events that have occurred in the selected fabric.

Generating Top10 Reports in Performance Manager


You can generate historical Top10 reports that can be saved for later review. These reports list the entities
from the data collection, with the most active entities appearing first. This is a static, one-time only
report that generates averages and graphs of the data collection as a snapshot at the time the report is
generated.

Tip Name the reports with a timestamp so that you can easily find the report for a given day or week.

These Top10 reports differ from the other monitoring tables and graphs in Performance Manager in that
the other data is continuously monitored and is sortable on any table column. The Top10 reports are a
snapshot view at the time the report was generated.

Note Top10 reports require analyzing the existing data over an extended period of time and can take hours or
more to generate on large fabrics.

See the Creating a Custom Report Template section on page 7-37 for information on creating a Top10
report.

Generating Top10 Reports Using Scripts


You can generate Top10 reports manually by issuing the following commands:
On UNIX, run the script:
/<user_directory>/.cisco_mds9000/bin/pm.sh display pm/pm.xml <output_directory>

On Windows, run the script:
"c:\Program Files\Cisco Systems\MDS 9000\bin\pm.bat" display pm\pm.xml <output_directory>

On UNIX, you can automate the generation of the Top10 reports on your Fabric Manager Server host by
adding the following cron entry to generate the reports once an hour:
0 * * * * /<user_directory>/.cisco_mds9000/bin/pm.sh display pm/pm.xml <output_directory>

If your crontab does not run automatically or Java complains about an exception similar to
Example 58-1, you need to add -Djava.awt.headless=true to the JVMARGS command in
/<user_directory>/.cisco_mds9000/bin/pm.sh.

Example 58-1 Example Java Exception

in thread main java.lang.InternalError Can't connect to X11 window server using '0.0' as
the value of the DISPLAY variable.

Exporting Data Collections to XML Files


The RRD files used by Performance Manager can be exported to a freeware tool called rrdtool. The RRD
files are located in pm/db on the Fabric Manager Server. To export the collection to an XML file, enter
the following command at the operating system command-line prompt:
/bin/pm.bat xport xxx yyy

In this command, xxx is the RRD file and yyy is the XML file that is generated. This XML file is in a
format that rrdtool is capable of reading with the command:
rrdtool restore filename.xml filename.rrd

You can import an XML file with the command:
bin/pm.bat pm restore <xmlFile> <rrdFile>

This reads the XML export format that rrdtool is capable of writing with the command:
rrdtool xport filename.xml filename.rrd.

The pm xport and pm restore commands can be found on your Fabric Manager Server at bin\PM.bat
for Windows platforms or bin/PM.sh on UNIX platforms. For more information on rrdtool, refer to
the following website: http://www.rrdtool.org.

Exporting Data Collections in Readable Format


Cisco MDS SAN-OS Release 2.1(1a) introduces the ability to export data collections in
comma-separated format (CSV). This format can be imported to various tools, including Microsoft
Excel. You can export these readable data collections either from the Fabric Manager Web Server menus
or in batch mode from the command line on Windows or UNIX. Using Fabric Manager Web Server, you
can export one file. Using batch mode, you can export all collections in the pm.xml file.

Note Fabric Manager Web Server must be running for this to work. See the Launching Fabric
Manager Web Client section on page 7-7.

To export data collections to Microsoft Excel using Fabric Manager Web Server, follow these steps:

Step 1 Click the Performance tab on the main page.
You see the overview table.
Step 2 Click the Flows sub-tab.
Step 3 Right-click the name of the entity you want to export and select Export to Microsoft Excel.
You see the Excel chart for that entity in a pop-up window.

To export data collections using command-line batch mode, follow these steps:

Step 1 Go to the installation directory on your workstation and then go to the bin directory.
Step 2 On Windows, enter .\pm.bat export "C:\Program Files\Cisco Systems\MDS 9000\pm\pm.xml" <export
directory>. This creates the CSV file (export.csv) in the export directory on your workstation.
Step 3 On UNIX, enter ./pm.sh export /usr/local/cisco_mds9000/pm/pm.xml <export directory>. This
creates the CSV file (export.csv) in the export directory on your workstation.

When you open this exported file in Microsoft Excel, the following information displays:
Title of the entity you exported and the address of the switch the information came from.
The maximum speed seen on the link to or from this entity.
The VSAN ID and maximum speed.
The timestamp, followed by the receive and transmit data rates in bytes per second.

Configuring Performance Manager for Use with Cisco Traffic Analyzer


Performance Manager works in conjunction with the Cisco Traffic Analyzer to allow you to monitor and
manage the traffic on your fabric. Using Cisco Traffic Analyzer with Performance Manager requires the
following components:
A configured Fibre Channel Switched Port Analyzer (SPAN) destination (SD) port to forward Fibre
Channel traffic.
A Port Analyzer Adapter 2 (PAA-2) to convert the Fibre Channel traffic to Ethernet traffic.
Cisco Traffic Analyzer software to analyze the traffic from the PAA-2.
To configure Performance Manager to work with the Cisco Traffic Analyzer, follow these steps:

Step 1 Set up the Cisco Traffic Analyzer according to the instructions in the Cisco MDS 9000 Family Port
Analyzer Adapter 2 Installation and Configuration Note.
Step 2 Get the following three items of information:
The IP address of the management workstation on which you are running Performance Manager and
Cisco Traffic Analyzer.
The path to the directory where Cisco Traffic Analyzer is installed.
The port that is used by Cisco Traffic Analyzer (the default is 3000).
Step 3 Start the Cisco Traffic Analyzer.
a. Choose Performance > Traffic Analyzer > Open.
b. Enter the URL for the Cisco Traffic Analyzer, in the format:
http://<ip address>:<port number>

ip address is the address of the management workstation on which you have installed the Cisco
Traffic Analyzer, and
:port number is the port that is used by Cisco Traffic Analyzer (the default is :3000).
c. Click OK.
d. Choose Performance > Traffic Analyzer > Start.
e. Enter the location of the Cisco Traffic Analyzer, in the format:
D:\<directory>\ntop.bat

where:
D: is the drive letter for the disk drive where the Cisco Traffic Analyzer is installed.
directory is the directory containing the ntop.bat file.
f. Click OK.
Step 4 Create the flows you want Performance Manager to monitor, using the Flow Configuration Wizard. See
the Creating a Flow with Performance Manager section on page 58-4.

Step 5 Define the data collection you want Performance Manager to gather, using the Performance Manager
Configuration Wizard. See the Creating a Collection with Performance Manager section on page 58-4.
a. Choose the VSAN you want to collect information for or choose All VSANs.
b. Check the types of items you want to collect information for (Hosts, ISLs, Storage Devices, and
Flows).
c. Enter the URL for the Cisco Traffic Analyzer in the format:
http://<ip address>/<directory>

where:
ip address is the address of the management workstation on which you have installed the Cisco
Traffic Analyzer, and directory is the path to the directory where the Cisco Traffic Analyzer is
installed.
d. Click Next.
e. Review the data collection on this and the next section to make sure this is the data you want to
collect.
f. Click Finish to begin collecting data.

Note Data is not collected for JBOD or for virtual ports. If you change the data collection
configuration parameters during a data collection, you must stop and restart the collection
process for your changes to take effect.

Step 6 Choose Performance > Reports to generate a report. Performance Manager Web Server must be
running. See the "Launching Fabric Manager Web Client" section on page 7-7. You see Web Services;
click Custom, then select a report template.

Note It takes at least five minutes to start collecting data for a report. Do not attempt to generate a
report in Performance Manager during the first five minutes of collection.

Step 7 Click the Cisco Traffic Analyzer at the top of the Host or Storage detail pages to view the Cisco Traffic
Analyzer information, or choose Performance > Traffic Analyzer > Open. The Cisco Traffic Analyzer
page will not open unless ntop has been started already.

Note For information on capturing a SPAN session and starting a Cisco Traffic Analyzer session to
view it, refer to the Cisco MDS 9000 Family Port Analyzer Adapter 2 Installation and
Configuration Note.

Note For information on viewing and interpreting your Performance Manager data, see the "Historical
Performance Monitoring" section on page 58-4.

For information on viewing and interpreting your Cisco Traffic Analyzer data, refer to the Cisco
MDS 9000 Family Port Analyzer Adapter 2 Installation and Configuration Note.

For performance drill-down, Fabric Manager Server can launch the Cisco Traffic Analyzer in-context
from the Performance Manager graphs. The aliases associated with hosts, storage devices, and VSANs
are passed to the Cisco Traffic Analyzer to provide consistent, easy identification.

CHAPTER 59
Configuring RMON

RMON is an Internet Engineering Task Force (IETF) standard monitoring specification that allows
various network agents and console systems to exchange network monitoring data. You can use the
RMON alarms and events to monitor Cisco MDS 9000 Family switches running the Cisco SAN-OS
Release 2.0(1b) or later or Cisco NX-OS 4.1(3a) software.
This chapter includes the following sections:
About RMON
Configuring RMON Using Threshold Manager
Default Settings

About RMON
All switches in the Cisco MDS 9000 Family support the following RMON functions (defined in RFC
2819):
Alarm: Each alarm monitors a specific management information base (MIB) object for a specified
interval. When the MIB object value exceeds a specified value (rising threshold), the alarm
condition is set and only one event is triggered regardless of how long the condition exists. When
the MIB object value falls below a certain value (falling threshold), the alarm condition is cleared.
This allows the alarm to trigger again when the rising threshold is crossed again.
Event: Determines the action to take when an event is triggered by an alarm. The action can be to
generate a log entry, an SNMP trap, or both.
For agent and management information, see the Cisco MDS 9000 Family MIB Quick Reference.
For SNMP security-related CLI configurations, see the "About SNMP Security" section on page 40-1.

Configuring RMON Using Threshold Manager


RMON is disabled by default and no events or alarms are configured in the switch. You can configure
your RMON alarms and events by using the CLI or by using Threshold Manager in Device Manager.
The Threshold Monitor allows you to trigger an SNMP event or log a message when the selected statistic
goes over a configured threshold value. RMON calls this a rising alarm threshold. The configurable
settings are as follows:
Variable: The statistic you want to set the threshold value on.

Value: The value of the variable that you want the alarm to trigger at. This value is the difference
(delta) between two consecutive polls of the variable by Device Manager.
Sample: The sample period (in seconds) between two consecutive polls of the variable. Select your
sample period such that the variable does not cross the threshold value you set under normal
operating conditions.
Warning: The warning level used by Device Manager to indicate the severity of the triggered alarm.
This is a Fabric Manager and Device Manager enhancement to RMON.

Note To configure any type of RMON alarm (absolute or delta, rising or falling threshold) click More on the
Threshold Manager dialog box. You should be familiar with how RMON defines these concepts before
configuring these advanced alarm types. Refer to the RMON-MIB (RFC 2819) for information on how
to configure RMON alarms.

Note You must also configure SNMP on the switch to access RMON MIB objects.

RMON Alarm Configuration


Threshold Manager provides a list of common MIB objects to set an RMON threshold and alarm on. You
can also set an alarm on any MIB object. The specified MIB must be an existing SNMP MIB object in
standard dot notation (1.3.6.1.2.1.2.2.1.14.16 for ifInOctets.16).
Use one of the following options to specify the interval to monitor the MIB variable (ranges from 1 to
4294967295 seconds):
Use the delta option to test the change between samples of a MIB variable.
Use the absolute option to test each MIB variable directly.
Use the delta option to test any MIB objects that are counters.
The range for the rising threshold and falling threshold values is -2147483647 to 2147483647.

Caution The falling threshold must be less than the rising threshold.

You can optionally specify the following parameters:


The event-number to trigger if the rising or falling threshold exceeds the specified limit.
The owner of the alarm.
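
The rising/falling hysteresis and the delta and absolute sample options described above can be traced offline. The following is an added example, not Cisco code: RmonAlarm, events and the counter readings are constructed for illustration, the alarm is assumed to start in the cleared state, and deltas are taken modulo 2^32 on the assumption that the object is a Counter32.

```python
"""RMON alarm sampling and hysteresis, simulated offline on constructed counter values."""
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD_MIN, THRESHOLD_MAX = -2147483647, 2147483647  # threshold range from this chapter
INTERVAL_MIN, INTERVAL_MAX = 1, 4294967295              # sample interval range, in seconds
COUNTER32_MOD = 2 ** 32                                 # a Counter32 wraps to 0 after 2^32 - 1


@dataclass
class RmonAlarm:
    variable: str       # MIB object in dot notation
    interval: int       # seconds between polls
    sample_type: str    # "delta" or "absolute"
    rising: int
    falling: int
    _prev: Optional[int] = field(default=None, init=False, repr=False)
    _condition_set: bool = field(default=False, init=False, repr=False)

    def __post_init__(self):
        if self.sample_type not in ("delta", "absolute"):
            raise ValueError("sample_type must be 'delta' or 'absolute'")
        if not INTERVAL_MIN <= self.interval <= INTERVAL_MAX:
            raise ValueError("interval out of range")
        for name in ("rising", "falling"):
            if not THRESHOLD_MIN <= getattr(self, name) <= THRESHOLD_MAX:
                raise ValueError(f"{name} threshold out of range")
        if self.falling >= self.rising:
            raise ValueError("falling threshold must be less than rising threshold")

    def poll(self, raw: int) -> Optional[str]:
        """Feed one polled value; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self._prev is None:          # a delta needs two polls
                self._prev = raw
                return None
            value = (raw - self._prev) % COUNTER32_MOD   # stays correct across a wrap
            self._prev = raw
        else:
            value = raw
        # RFC 2819 compares with >= and <=; one event per crossing, then re-arm.
        if not self._condition_set and value >= self.rising:
            self._condition_set = True
            return "rising"
        if self._condition_set and value <= self.falling:
            self._condition_set = False
            return "falling"
        return None


def events(alarm, polls):
    """Return [(poll index, event)] for the polls that produced an event."""
    out = []
    for i, raw in enumerate(polls):
        ev = alarm.poll(raw)
        if ev:
            out.append((i, ev))
    return out


OID = "1.3.6.1.2.1.2.2.1.14.16"   # dot-notation object used as the example in this chapter
# Constructed Counter32 readings, one per 60-second poll; the counter wraps between polls 2 and 3.
CONSTRUCTED_POLLS = [4294967000, 4294967100, 4294967250, 300, 900, 1500, 1510, 2510, 2515]

if __name__ == "__main__":
    delta = RmonAlarm(OID, 60, "delta", rising=200, falling=20)
    absolute = RmonAlarm(OID, 60, "absolute", rising=200, falling=20)
    print("delta   :", events(delta, CONSTRUCTED_POLLS))
    print("absolute:", events(absolute, CONSTRUCTED_POLLS))
```

With the absolute option the counter crosses the rising threshold once and never returns to the falling threshold, so the alarm fires a single time and does not re-arm. The delta option fires once per burst, including the burst that spans the counter wrap.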

Enabling RMON Alarms by Port


To configure an RMON alarm for one or more ports using Device Manager, follow these steps:

Step 1 Choose Admin > Events > Threshold Manager and click the FC Interfaces tab.
You see the Threshold Manager dialog box as shown in Figure 59-1.

Figure 59-1 Threshold Manager Dialog Box

Step 2 Choose the Select radio button to select individual ports for this threshold alarm.
a. Click the ... button to the right of the Selected field to display all ports.
b. Select the ports you want to monitor.
c. Click OK to accept the selection.
Alternatively, click the appropriate radio button to choose ports by type: All ports, xE ports, or Fx ports.
Step 3 Check the check box for each variable to be monitored.
Step 4 Enter the threshold value in the Value column.
Step 5 Enter the sampling period in seconds. This is the time between each snapshot of the variable.
Step 6 Choose one of the following severity levels to assign to the alarm: Fatal, Warning, Critical, Error,
Information.

Step 7 Click Create.


Step 8 Confirm the operation to define an alarm and a log event when the system prompts you to define a
severity event. If you do not confirm the operation, the system only defines a log event.
Step 9 Click More then click the Alarms tab from the Threshold Manager dialog box to verify the alarm you
created.
Step 10 Close both dialog box pop-ups.

Enabling 32-Bit and 64-Bit Alarms


To configure an RMON alarm for one or more ports using Device Manager, follow these steps:

Step 1 Choose Admin > Events > Threshold Manager and click the FC Interfaces > Create tab.
You see the create 32-bit and 64-bit alarm dialog box shown in Figure 59-2.

Figure 59-2 Create 32 and 64-Bit Dialog Box

Step 2 Click the Select radio button to select individual ports for this threshold alarm.
a. Click the ... button to the right of the Selected field to display all ports.
b. Select the ports you want to monitor.
c. Click OK to accept the selection.
Alternatively, click the appropriate radio button to choose ports by type: All ports, xE ports, or Fx ports.
Step 3 Check the check box for each variable to be monitored.
Step 4 Enter the threshold value in the Value column.
Step 5 Enter the sampling period in seconds. This is the time between each snapshot of the variable.
Step 6 Choose one of the following severity levels to assign to the alarm: Fatal, Warning, Critical, Error,
Information.
Step 7 Click Create.
Step 8 Confirm the operation to define an alarm and a log event when the system prompts you to define a
severity event. If you do not confirm the operation, the system only defines a log event.
Step 9 Click More and then click the Alarms tab from the Threshold Manager dialog box to verify the alarm
you created. The 32-bit and 64-bit alarms show seconds as the unit in the Interval column.

Figure 59-3 RMON Threshold Dialog Box

Step 10 Close both dialog box pop-ups.

Create RMON Alarms in Fabric Manager


To create 64-bit RMON alarms using Fabric Manager, follow these steps:

Step 1 Choose Physical Attributes > Events > RMON tab.


You see the 64-bit alarm dialog box as shown in Figure 59-4.

Figure 59-4 64-Bit Alarm Dialog Box

Step 2 Click the 64-bit alarms tab.


Step 3 Click the Create Row tab.

Figure 59-5 64-Bit Alarm Create Row Tab

Step 4 Click the drop-down menu in the Variable field.


Step 5 Choose from the list of MIB Variables provided by the Threshold Manager.

Figure 59-6 MIB Variable Field Dialog Box for 64-Bit Alarms

Note You need to supply the interface details along with variables selected from the drop-down list to
complete the Variable field, for example, ifHCInOctets.

Step 6 Click the 32-bit alarms tab.


Step 7 Click the Create Row tab.
Step 8 Click the drop-down menu in the Variable field.
Step 9 Choose from the list of MIB Variables provided by the Threshold Manager.

Figure 59-7 MIB Variable Field Dialog Box for 32-Bit Alarms

Step 10 Click the radio button to choose the RMON alarm to be created (32-bit or 64-bit HC Alarm).

Enabling 32-bit RMON Alarms for VSANs


To enable an RMON alarm for one or more VSANs using Device Manager, follow these steps:

Step 1 Choose Admin > Events > Threshold Manager and click the Services tab.
You see the Threshold Manager dialog box.
Step 2 Click the Services tab.
You see the Threshold Manager dialog box with the Services tab for 32-bit alarm selected as shown in
Figure 59-8.

Figure 59-8 Services Tab for 32-Bit Alarm Dialog Box

Step 3 Click on the 32-bit radio button.


Step 4 Enter one or more VSANs (multiple VSANs separated by commas) to monitor in the VSAN ID(s) field.
Use the down arrow to see a list of available VSANs to choose from.
Step 5 Check the check box in the Select column for each variable to monitor.
Step 6 Enter the threshold value in the Value column.
Step 7 Enter the sampling period in seconds.
Step 8 Choose a severity level to assign to the alarm: Fatal, Critical, Error, Warning, Information.
Step 9 Click Create.
Step 10 Confirm the operation to define an alarm and a log event when the system prompts you to define a
severity event.
If you do not confirm the operation, the system only defines a log event.
Step 11 Click More, then click the Alarms tab in the Threshold Manager dialog box to verify the alarm you
created.

Enabling 32-Bit and 64-Bit RMON Alarms for Physical Components


To configure an RMON alarm for a physical component for a 64-bit alarm using Device Manager, follow
these steps:

Step 1 Choose Admin > Events > Threshold Manager and click the Physical tab.
You see the Threshold Manager dialog box with the Physical tab for the 64-bit alarm selected as shown
in Figure 59-9.

Figure 59-9 Physical Tab for the 64-Bit Alarm

Step 2 Check the check box in the Select column for each variable to monitor.
Step 3 Enter the threshold value in the Value column.
Step 4 Enter the sampling period in seconds.
Step 5 Choose one of the following severity levels to assign to the alarm: Fatal(1), Warning(2), Critical(3),
Error(4), Information(5).
Step 6 Click Create.
Step 7 Confirm the operation to define an alarm and a log event when the system prompts you to define a
severity event.
If you do not confirm the operation, the system only defines a log event.
Step 8 Click More, then click the 64-bit Alarms tab in the Threshold Manager dialog box to verify the alarm
you created (see Figure 59-10).

Figure 59-10 64-Bit Alarm Tab

Note The MaxAlarm option is noneditable because of backend support. The max RMON alarms cannot be set
using the CLI.

Creating a New RMON from Device Manager Threshold Manager


RMON does not check the RMON alarm configuration before configuring the switch.
To configure an RMON alarm from Device Manager Threshold Manager, follow these steps:

Step 1 Choose Physical Attributes > Events > RMON and click the Control tab.
You see the create RMON alarm Threshold Manager dialog box as shown in Figure 59-11.

Figure 59-11 Create RMON Alarm Threshold Manager

An error message is displayed if adding the new alarm exceeds the maximum number of alarms.

Note This feature is applicable when managing switches Release 4.1(1b) and later. Device Manager can only
treat the existing alarm number as 0 for the checking.

Figure 59-12 RMON Control Threshold Tab

Figure 59-13 Device Manager Error Tab

Enabling RMON Alarms for VSANs


To enable an RMON alarm for one or more VSANs using Device Manager, follow these steps:

Step 1 Choose Admin > Events > Threshold Manager and click the Services tab.
You see the Threshold Manager dialog box.
Step 2 Click the Services tab.
You see the Threshold Manager dialog box with the Services tab selected as shown in Figure 59-14.

Figure 59-14 Threshold Manager Services Tab

Step 3 Enter one or more VSANs (multiple VSANs separated by commas) to monitor in the VSAN ID(s) field.
Use the down arrow to see a list of available VSANs to choose from.
Step 4 Check the check box in the Select column for each variable to monitor.
Step 5 Enter the threshold value in the Value column.
Step 6 Enter the sampling period in seconds.
Step 7 Choose a severity level to assign to the alarm (Fatal, Critical, Error, Warning, or Information).
Step 8 Click Create.
Step 9 Confirm the operation to define an alarm and a log event when the system prompts you to define a
severity event.
If you do not confirm the operation, the system only defines a log event.
Step 10 Click More, then click the Alarms tab in the Threshold Manager dialog box to verify the alarm you
created (see Figure 59-15).

Figure 59-15 List of Threshold Alarms

Step 11 Close both pop-up windows.

Managing RMON Events


To define customized RMON events using Device Manager, follow these steps:

Step 1 Choose Admin > Events > Threshold Manager and click More in the Threshold Manager dialog box.
Step 2 Click the Events tab in the RMON Thresholds dialog box.
You see the RMON Thresholds Events tab as shown in Figure 59-16.

Figure 59-16 RMON Thresholds Events Tab

Step 3 Click Create to create an event entry.


You see the Create RMON Thresholds Events dialog box as shown in Figure 59-17.

Figure 59-17 Create RMON Thresholds Events Dialog Box

Step 4 Configure the RMON threshold event attributes by choosing the type of event (log, snmptrap, or
logandtrap).
Step 5 Increment the index. If you try to create an event with the existing index, you see a duplicate entry error
message.
Step 6 (Optional) Provide a description and a community.
Step 7 Click Create, then close this dialog box.
Step 8 Verify that your event is listed in the remaining RMON Thresholds dialog box.
Step 9 Click Close to close the RMON Thresholds dialog box.

Managing RMON Alarms


To view the alarms that have already been enabled using Device Manager, follow these steps:

Step 1 Choose Admin > Events > Threshold Manager and click More in the Threshold Manager dialog box.
Step 2 Click the Alarms tab.
You see the RMON Thresholds dialog box as shown in Figure 59-18.

Figure 59-18 RMON Thresholds Dialog Box

Step 3 Delete any alarm by selecting it, then click Delete.

Viewing the RMON Log


To view the RMON log using Device Manager, follow these steps:

Step 1 Choose Admin > Events > Threshold Manager and click More on the Threshold Manager dialog box.
Step 2 Click the Log tab in the RMON Thresholds dialog box.
You see the RMON Thresholds Log tab (see Figure 59-19). This is the log of RMON events that have
been triggered by the Threshold Manager.

Figure 59-19 RMON Thresholds Log Tab

Default Settings
Table 59-1 lists the default settings for all RMON features in any switch.

Table 59-1 Default RMON Settings

Parameters Default
RMON alarms Disabled.
RMON events Disabled.

CHAPTER 60
Monitoring Network Traffic Using SPAN

This chapter describes the Switched Port Analyzer (SPAN) features provided in switches in the Cisco
MDS 9000 Family. It includes the following sections:
About SPAN
SPAN Sources
SPAN Sessions
Specifying Filters
SD Port Characteristics
Configuring SPAN
Monitoring Traffic Using Fibre Channel Analyzers
Default SPAN Settings

About SPAN
The SPAN feature is specific to switches in the Cisco MDS 9000 Family. It monitors network traffic
through a Fibre Channel interface. Traffic through any Fibre Channel interface can be replicated to a
special port called the SPAN destination port (SD port). Any Fibre Channel port in a switch can be
configured as an SD port. Once an interface is in SD port mode, it cannot be used for normal data traffic.
You can attach a Fibre Channel Analyzer to the SD port to monitor SPAN traffic (see the "Configuring
the Cisco Fabric Analyzer" section on page 66-19).
SD ports do not receive frames; they only transmit a copy of the SPAN source traffic. The SPAN feature
is non-intrusive and does not affect switching of network traffic for any SPAN source ports (see
Figure 60-1).

Figure 60-1 SPAN Transmission
[Diagram labels: SPAN source port, Fibre Channel traffic, fc1/2, fc3/1, Cisco MDS 9000 switch, fc9/1, SD port, Fibre Channel analyzer]

SPAN Sources
SPAN sources refer to the interfaces from which traffic can be monitored. You can also specify VSAN
as a SPAN source, in which case, all supported interfaces in the specified VSAN are included as SPAN
sources. You can choose the SPAN traffic in the ingress direction, the egress direction, or both directions
for any source interface:
Ingress source (Rx): Traffic entering the switch fabric through this source interface is spanned or
copied to the SD port (see Figure 60-2).

Figure 60-2 SPAN Traffic from the Ingress Direction
[Diagram labels: Ingress source port, Fibre Channel traffic, fc1/2, fc3/1, Cisco MDS 9000 switch, fc9/1, SD port, Fibre Channel analyzer]

Egress source (Tx): Traffic exiting the switch fabric through this source interface is spanned or
copied to the SD port (see Figure 60-3).

Figure 60-3 SPAN Traffic from Egress Direction
[Diagram labels: Egress source port, Fibre Channel traffic, fc1/2, fc3/1, Cisco MDS 9000 switch, fc9/1, SD port, Fibre Channel analyzer]

IPS Source Ports


SPAN capabilities are available on the IP Storage Services (IPS) module. The SPAN feature is only
implemented on the FCIP and iSCSI virtual Fibre Channel port interfaces, not the physical Gigabit
Ethernet ports. You can configure SPAN for ingress traffic, egress traffic, or traffic in both directions for
all eight iSCSI and 24 FCIP interfaces that are available in the IPS module.

Note You can configure SPAN for Ethernet traffic using Cisco switches or routers connected to the Cisco MDS
9000 Family IPS modules.

Allowed Source Interface Types


The SPAN feature is available for the following interface types:
Physical ports such as F ports, FL ports, TE ports, E ports, and TL ports.
Interface sup-fc0 (traffic to and from the supervisor):
The Fibre Channel traffic from the supervisor module to the switch fabric through the sup-fc0
interface is called ingress traffic. It is spanned when sup-fc0 is chosen as an ingress source port.
The Fibre Channel traffic from the switch fabric to the supervisor module through the sup-fc0
interface is called egress traffic. It is spanned when sup-fc0 is chosen as an egress source port.
PortChannels
All ports in the PortChannel are included and spanned as sources.
You cannot specify individual ports in a PortChannel as SPAN sources. Previously configured
SPAN-specific interface information is discarded.
IPS module specific Fibre Channel interfaces:
iSCSI interfaces
FCIP interfaces

VSAN as a Source
When a VSAN is specified as a source, all physical ports and PortChannels in that VSAN are
included as SPAN sources. A TE port is included only when the port VSAN of the TE port matches the
source VSAN. A TE port is excluded when its port VSAN is different, even if its configured allowed
VSAN list includes the source VSAN.
You cannot configure source interfaces (physical interfaces, PortChannels, or sup-fc interfaces) and
source VSANs in the same SPAN session.

Guidelines to Configure VSANs as a Source


The following guidelines apply when configuring VSANs as a source:
Traffic on all interfaces included in a source VSAN is spanned only in the ingress direction.
If a VSAN is specified as a source, you cannot perform interface-level SPAN configuration on the
interfaces that are included in the VSAN. Previously configured SPAN-specific interface
information is discarded.
If an interface in a VSAN is configured as a source, you cannot configure that VSAN as a source.
You must first remove the existing SPAN configurations on such interfaces before configuring
VSAN as a source.
Interfaces are only included as sources when the port VSAN matches the source VSAN. Figure 60-4
displays a configuration using VSAN 2 as a source:
All ports in the switch are in VSAN 1 except fc1/1.
Interface fc1/1 is the TE port with port VSAN 2. VSANs 1, 2, and 3 are configured in the
allowed list.
VSAN 1 and VSAN 2 are configured as SPAN sources.

Figure 60-4 VSAN as a Source
[Diagram labels: TE port, Allowed list = VSAN 1, VSAN 2 and VSAN 3, Fibre Channel traffic, VSAN 1, VSAN 3, VSAN 2 as source, fc2/1, VSAN 1, VSAN 2, fc1/1, Cisco MDS 9000 switch, fc9/1, SD port]

For this configuration, the following apply:


VSAN 2 as a source includes only the TE port fc1/1 that has port VSAN 2.
VSAN 1 as a source does not include the TE port fc1/1 because the port VSAN does not match
VSAN 1.
See the "Configuring an Allowed-Active List of VSANs" section on page 24-11 or the "About
Port VSAN Membership" section on page 26-8.

SPAN Sessions
Each SPAN session represents an association of one destination with a set of source(s) along with
various other parameters that you specify to monitor the network traffic. One destination can be used by
one or more SPAN sessions. You can configure up to 16 SPAN sessions in a switch. Each session can
have several source ports and one destination port.
To activate any SPAN session, at least one source and the SD port must be up and functioning. Otherwise,
traffic is not directed to the SD port.

Tip A source can be shared by two sessions; however, each session must be in a different direction: one
ingress and one egress.

You can temporarily deactivate (suspend) any SPAN session. The traffic monitoring is stopped during
this time.

Specifying Filters
You can perform VSAN-based filtering to selectively monitor network traffic on specified VSANs. You
can apply this VSAN filter to all sources in a session (see Figure 60-4). Only VSANs present in the filter
are spanned.
You can specify session VSAN filters that are applied to all sources in the specified session. These filters
are bidirectional and apply to all sources configured in the session.

Guidelines to Specifying Filters


The following guidelines apply to SPAN filters:
PortChannel configurations are applied to all ports in the PortChannel.
If no filters are specified, the traffic from all active VSANs for that interface is spanned by default.
While you can specify arbitrary VSAN filters in a session, traffic can only be monitored on the port
VSAN or on allowed-active VSANs in that interface.

SD Port Characteristics
An SD port has the following characteristics:
Ignores BB_credits.
Allows data traffic only in the egress (Tx) direction.
Does not require a device or an analyzer to be physically connected.
Supports only 1 Gbps or 2 Gbps speeds. The auto speed option is not allowed.
Multiple sessions can share the same destination ports.
If the SD port is shut down, all shared sessions stop generating SPAN traffic.
The outgoing frames can be encapsulated in Extended Inter-Switch Link (EISL) format.

The SD port does not have a port VSAN.


SD ports cannot be configured using Storage Services Modules (SSMs).
The port mode cannot be changed if it is being used for a SPAN session.

Note If you need to change an SD port mode to another port mode, first remove the SD port from all sessions
and then change the port mode.

Guidelines to Configure SPAN


The following guidelines apply for SPAN configurations:
You can configure up to 16 SPAN sessions with multiple ingress (Rx) sources.
You can configure a maximum of three SPAN sessions with one egress (Tx) port.
In a 32-port switching module, you must configure the same session in all four ports in one port
group (unit). If you wish, you can also configure only two or three ports in this unit (see the
"Generation 1 Interfaces Configuration Guidelines" section on page 20-2).
SPAN frames are dropped if the sum of the bandwidth of the sources exceeds the speed of the
destination port.
Frames dropped by a source port are not spanned.
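
The source, session and SD port rules in this chapter can be checked against a planned layout before it is applied. The following is an added example, not Cisco code: Port, Session, resolve_sources and check are hypothetical names, the topology is constructed after Figure 60-4 with assumed port speeds, and the bandwidth sum assumes every spanned direction runs at line rate.

```python
"""Checks a proposed SPAN layout against the source, session and SD port rules in this chapter."""
from dataclasses import dataclass, field

MAX_SESSIONS = 16          # SPAN sessions per switch
SD_SPEEDS_GBPS = (1, 2)    # SD ports support only 1 Gbps or 2 Gbps


@dataclass(frozen=True)
class Port:
    name: str
    port_vsan: int
    speed_gbps: int
    allowed_vsans: tuple = ()   # TE allowed list; it does not decide SPAN inclusion


@dataclass
class Session:
    sid: int
    sd_speed_gbps: int
    interfaces: dict = field(default_factory=dict)   # port name -> "rx", "tx" or "both"
    vsans: tuple = ()                                 # source VSANs


def resolve_sources(session, ports):
    """Expand a session to {port name: direction}.

    A VSAN source includes only ports whose port VSAN matches, ingress only.
    """
    if session.vsans:
        return {p.name: "rx" for p in ports if p.port_vsan in session.vsans}
    return dict(session.interfaces)


def check(sessions, ports):
    """Return the sorted list of rule violations; an empty list means none were found."""
    speed = {p.name: p.speed_gbps for p in ports}
    iface_sources = {n for s in sessions if not s.vsans for n in s.interfaces}
    findings, used = [], {}
    if len(sessions) > MAX_SESSIONS:
        findings.append(f"switch: {len(sessions)} sessions, limit is {MAX_SESSIONS}")
    for s in sessions:
        if s.vsans and s.interfaces:
            findings.append(f"session {s.sid}: interface and VSAN sources in one session")
        if s.sd_speed_gbps not in SD_SPEEDS_GBPS:
            findings.append(f"session {s.sid}: SD port speed must be 1 or 2 Gbps")
        sources = resolve_sources(s, ports)
        clash = sorted(n for n in sources if s.vsans and n in iface_sources)
        if clash:
            findings.append(f"session {s.sid}: VSAN source overlaps interface sources {clash}")
        # Assumption: worst case, every spanned direction runs at line rate.
        load = sum(speed.get(n, 0) * (2 if d == "both" else 1) for n, d in sources.items())
        if load > s.sd_speed_gbps:
            findings.append(f"session {s.sid}: {load} Gbps of sources into a "
                            f"{s.sd_speed_gbps} Gbps SD port, SPAN frames are dropped")
        for n, d in sources.items():
            used.setdefault(n, []).append((s.sid, d))
    for name, uses in sorted(used.items()):
        if len(uses) > 1 and sorted(d for _, d in uses) != ["rx", "tx"]:
            findings.append(f"{name}: shared by sessions {[sid for sid, _ in uses]}, "
                            "which must be one ingress and one egress")
    return sorted(findings)


# Constructed topology after Figure 60-4: fc1/1 is a TE port with port VSAN 2 and
# allowed list 1, 2, 3; every other port is in VSAN 1. Speeds are assumed values.
CONSTRUCTED_PORTS = [
    Port("fc1/1", port_vsan=2, speed_gbps=2, allowed_vsans=(1, 2, 3)),
    Port("fc2/1", port_vsan=1, speed_gbps=2),
    Port("fc3/1", port_vsan=1, speed_gbps=1),
]
CONSTRUCTED_SESSIONS = [
    Session(1, sd_speed_gbps=2, vsans=(2,)),
    Session(2, sd_speed_gbps=2, vsans=(1,)),
    Session(3, sd_speed_gbps=4, interfaces={"fc2/1": "rx"}),
]

if __name__ == "__main__":
    for s in CONSTRUCTED_SESSIONS:
        print(s.sid, resolve_sources(s, CONSTRUCTED_PORTS))
    for finding in check(CONSTRUCTED_SESSIONS, CONSTRUCTED_PORTS):
        print(finding)
```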

Configuring SPAN
To monitor network traffic using SD ports, follow these steps:

Step 1 Configure the SD port.


Step 2 Attach the SD port to a specific SPAN session.
Step 3 Monitor network traffic by adding source interfaces to the session.

Configuring SPAN
To configure an SD port for SPAN monitoring using Device Manager, follow these steps:

Step 1 Right-click the port you want to configure and select Configure.
You see the general port configuration dialog.
Step 2 Under Mode, choose SD.
Step 3 Click Apply to accept the change.
Step 4 Close the dialog box.


Configuring SPAN max-queued-packets


When a SPAN destination port is oversubscribed, that is, when it receives more source traffic than its
speed allows, the throughput of the source ports in the SPAN session is reduced. The impact is
proportional to the amount of source traffic flowing in. Lowering the max-queued-packets value from
the default value of 15 to 1 prevents the impact on the source ports. Reconsider the default value for
this setting, because it may affect the source interface throughput.
By default, SPAN frames are dropped if the sum of the bandwidth of the source interfaces exceeds the
bandwidth of the destination port. With a higher value, the SPAN traffic is more likely to reach the
SPAN destination port instead of being dropped, at the expense of data traffic throughput.

Note The span max-queued-packets can be changed only if no span sessions are currently active on the switch.

Note If you are spanning the traffic going through an FCIP interface, span copies may be dropped even if the
SD interface has more bandwidth than the amount of traffic being replicated. To avoid span drops, set
the max-queued-packets to a higher value; for example, 100.

Creating SPAN Sessions


To create SPAN sessions using Device Manager, follow these steps:

Step 1 Choose Interface > SPAN. You see the SPAN dialog box.
Step 2 Click the Sessions tab.
Step 3 Click Create.
You see the Create SPAN Sessions dialog box shown in Figure 60-5.

Figure 60-5 Create SPAN Sessions Dialog Box

Step 4 Choose the session ID (from 1-16) using the up or down arrows and click Create.
Step 5 Repeat Step 4 for each session you want to create.
Step 6 Enter the destination interface in the Dest Interface field for the appropriate session.
Step 7 Enter the filter VSAN list in the Filter VSAN List field for the appropriate session.
Step 8 Choose active or inactive admin status in the Admin drop-down list.
Step 9 Click Apply to save your changes.


Step 10 Close the two dialog boxes.

Editing SPAN Sources


To edit a SPAN source using Device Manager, follow these steps:

Step 1 Choose Interface > SPAN.


You see the SPAN dialog box.
Step 2 Click the Sources tab.
You see the dialog box shown in Figure 60-6.

Figure 60-6 SPAN Sources Tab

Step 3 Enter the VSAN list name in the VSAN List field.
Step 4 Click Edit Interface List.
You see the Source Interfaces dialog box.
Step 5 Click Create.
You see the Source Interfaces Interface Sources dialog box shown in Figure 60-7.

Figure 60-7 Source Interfaces Interface Sources Dialog Box

Step 6 Click the browse button to display the list of available FC ports.
Step 7 Choose a port and click OK.
Step 8 Click the direction (receive or transmit) you want.
Step 9 Click Create to create the FC interface source.


Step 10 Click Close in each of the three open dialog boxes.

Deleting SPAN Sessions


To delete a SPAN session using Device Manager, follow these steps:

Step 1 Choose Interface > SPAN.


You see the SPAN dialog box.
Step 2 Click the Sessions tab.
Step 3 Click the SPAN session you want to delete.
Step 4 Click Delete.
The SPAN session is deleted.
Step 5 Close the dialog box.

SPAN Conversion Behavior


SPAN features (configured in any prior release) are converted as follows:
1. If source interfaces and source VSANs are configured in a given session, then all the source VSANs
are removed from that session.
For example, before Cisco MDS SAN-OS Release 1.0(4):
Session 1 (active)
Destination is fc1/9
No session filters configured
Ingress (rx) sources are
vsans 10-11
fc1/3,
Egress (tx) sources are
fc1/3,

Once upgraded to Cisco MDS SAN-OS Release 1.1(1):


Session 1 (active)
Destination is fc1/9
No session filters configured
Ingress (rx) sources are
fc1/3,
Egress (tx) sources are
fc1/3,

Session 1 had both source interfaces and source VSANs before the upgrade. After the upgrade, the
source VSANs were removed (rule 1).
2. If interface level VSAN filters are configured in source interfaces, then the source interfaces are also
removed from the session. If this interface is configured in both directions, it is removed from both
directions.
For example, before Cisco MDS SAN-OS Release 1.0(4):


Session 2 (active)
Destination is fc1/9
No session filters configured
Ingress (rx) sources are
vsans 12
fc1/6 (vsan 1-20),
Egress (tx) sources are
fc1/6 (vsan 1-20),

Once upgraded to Cisco MDS SAN-OS Release 1.1(1):


Session 2 (inactive as no active sources)
Destination is fc1/9
No session filters configured
No ingress (rx) sources
No egress (tx) sources

Note The deprecated configurations are removed from persistent memory once a switchover or a new
startup configuration is implemented.

Session 2 had a source VSAN 12 and a source interface fc1/6 with VSAN filters specified in Cisco
MDS SAN-OS Release 1.0(4). When upgraded to Cisco MDS SAN-OS Release 1.1(1) the following
changes are made:
The source VSAN (VSAN 12) is removed (rule 1).
The source interface fc1/6 had VSAN filters specified, so it is also removed (rule 2).
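
The two conversion rules, modelled as an added Python example (not Cisco code) that reproduces Session 1 and Session 2 and reports which sessions are left without sources after the upgrade. The SpanSession and InterfaceSource structures and the function names are assumptions made for illustration; removing a filtered interface from every direction is this example's reading of rule 2.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class InterfaceSource:
    """One source interface entry (hypothetical model, not a switch API)."""
    name: str                          # for example "fc1/3"
    direction: str                     # "rx" or "tx"
    vsan_filter: Optional[str] = None  # interface-level VSAN filter, e.g. "1-20"


@dataclass(frozen=True)
class SpanSession:
    """A pre-upgrade SPAN session as shown in the session listings."""
    session_id: int
    destination: str
    source_vsans: Tuple[str, ...] = ()
    interfaces: Tuple[InterfaceSource, ...] = ()

    @property
    def has_sources(self) -> bool:
        # A session with no sources is reported as inactive.
        return bool(self.source_vsans or self.interfaces)


def convert(session: SpanSession) -> Tuple[SpanSession, List[str]]:
    """Apply both conversion rules; return the new session and what was removed."""
    removed: List[str] = []
    vsans = session.source_vsans
    interfaces = session.interfaces

    # Rule 1: source interfaces and source VSANs in the same session
    # means every source VSAN is removed.
    if interfaces and vsans:
        removed.extend(f"source VSAN {v} (rule 1)" for v in vsans)
        vsans = ()

    # Rule 2: an interface that carries an interface-level VSAN filter is
    # removed, in every direction in which it was configured.
    filtered = {i.name for i in interfaces if i.vsan_filter is not None}
    kept = []
    for entry in interfaces:
        if entry.name in filtered:
            removed.append(f"{entry.name} {entry.direction} (rule 2)")
        else:
            kept.append(entry)

    converted = replace(session, source_vsans=vsans, interfaces=tuple(kept))
    return converted, removed


def sessions_losing_coverage(sessions: List[SpanSession]) -> List[int]:
    """IDs of sessions that had sources before the upgrade and none after it."""
    return [s.session_id for s in sessions
            if s.has_sources and not convert(s)[0].has_sources]


# Session 1 and Session 2 exactly as listed in the text.
SESSION_1 = SpanSession(1, "fc1/9", ("10-11",), (
    InterfaceSource("fc1/3", "rx"),
    InterfaceSource("fc1/3", "tx"),
))
SESSION_2 = SpanSession(2, "fc1/9", ("12",), (
    InterfaceSource("fc1/6", "rx", "1-20"),
    InterfaceSource("fc1/6", "tx", "1-20"),
))

if __name__ == "__main__":
    for session in (SESSION_1, SESSION_2):
        converted, removed = convert(session)
        state = "active" if converted.has_sources else "inactive as no active sources"
        print(f"Session {converted.session_id} ({state}); removed: {removed}")
    print("Sessions that stop monitoring:",
          sessions_losing_coverage([SESSION_1, SESSION_2]))
```

A session that ends up in the second list captures nothing after the upgrade until sources are added again.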

Monitoring Traffic Using Fibre Channel Analyzers


You can use SPAN to monitor traffic on an interface without any traffic disruption. This feature is
especially useful in troubleshooting scenarios where traffic disruption changes the problem environment
and makes it difficult to reproduce the problem.

Without SPAN
You can monitor traffic using interface fc1/1 in a Cisco MDS 9000 Family switch that is connected to
another switch or host. You need to physically connect a Fibre Channel analyzer between the switch and
the storage device to analyze the traffic through interface fc1/1 as shown in Figure 60-8.


Figure 60-8 Fibre Channel Analyzer Usage Without SPAN
[Figure: FC analyzer usage without SPAN. A Cisco MDS 9000 switch is connected to a storage device through interface fc1/1; in the second panel the FC analyzer is inserted on that link, with analyzer ports 1 and 2 each having a Tx and an Rx link.]

This type of connection has the following limitations:
It requires you to physically insert the FC analyzer between the two network devices.
It disrupts traffic when the Fibre Channel analyzer is physically connected.
The analyzer captures data only on the Rx links in both port 1 and port 2. Port 1 captures traffic
exiting interface fc1/1 and port 2 captures ingress traffic into interface fc1/1.

With SPAN
Using SPAN you can capture the same traffic scenario shown in Figure 60-8 without any traffic
disruption. The Fibre Channel analyzer uses the ingress (Rx) link at port 1 to capture all the frames going
out of the interface fc1/1. It uses the ingress link at port 2 to capture all the ingress traffic on interface
fc1/1.
Using SPAN you can monitor ingress traffic on fc1/1 at SD port fc2/2 and egress traffic on SD port fc2/1.
This traffic is seamlessly captured by the FC analyzer as shown in Figure 60-9.


Figure 60-9 Fibre Channel Analyzer Using SPAN
[Figure: interface fc1/1 on the Cisco MDS 9000 switch connects to the storage device. Rx source in session 1 - SD port fc2/1. Tx source in session 2 - SD port fc2/2. The SD ports connect to ports 1 and 2 of the FC analyzer. The egress (Tx) traffic coming out from the analyzer ports will be dropped.]

Configuring Fibre Channel Analyzers Using SPAN


To configure Fibre Channel Analyzers using SPAN for the example in Figure 60-9, follow these steps:

Step 1 Configure SPAN on interface fc1/1 in the ingress (Rx) direction to send traffic on SD port fc2/1 using
session 1.
Step 2 Configure SPAN on interface fc1/1 in the egress (Tx) direction to send traffic on SD port fc2/2 using
session 2.
Step 3 Physically connect fc2/1 to port 1 on the Fibre Channel analyzer.
Step 4 Physically connect fc2/2 to port 2 on the Fibre Channel analyzer.

Single SD Port to Monitor Traffic


You do not need to use two SD ports to monitor bidirectional traffic on any interface as shown in
Figure 60-9. You can use one SD port and one FC analyzer port by monitoring traffic on the interface at
the same SD port fc2/1.
Figure 60-10 shows a SPAN setup where one session with destination port fc2/1 and source interface
fc1/1 is used to capture traffic in both ingress and egress directions. This setup is more advantageous and
cost effective than the setup shown in Figure 60-9; it uses one SD port and one port on the analyzer,
instead of using a full, two-port analyzer.


Figure 60-10 Fibre Channel Analyzer Using a Single SD Port
[Figure: bidirectional source in session 1 - SD port fc2/1. Interface fc1/1 on the Cisco MDS 9000 switch connects to the storage device, and SD port fc2/1 connects to port 1 of the FC analyzer. The egress (Tx) traffic coming out from the analyzer ports will be dropped.]

To use this setup, the analyzer should have the capability of distinguishing ingress and egress traffic for
all captured frames.

Default SPAN Settings


Table 60-1 lists the default settings for SPAN parameters.

Table 60-1 Default SPAN Configuration Parameters

| Parameters | Default |
|---|---|
| SPAN session | Active. |
| If filters are not specified | SPAN traffic includes traffic through a specific interface from all active VSANs. |
| Encapsulation | Disabled. |
| SD port | Output frame format is Fibre Channel. |


CHAPTER 61
Configuring System Message Logging

This chapter describes how to configure system message logging on Cisco MDS 9000 Family switches.
It includes the following sections:
About System Message Logging
System Message Logging Configuration
Default Settings

About System Message Logging


You can monitor system messages by clicking the Events tab on Fabric Manager or by choosing Logs >
Events > Current on Device Manager. You can also monitor system messages remotely by accessing
the switch through Telnet, SSH, or the console port, or by viewing the logs on a system message logging
server.

Note When the switch first initializes, the network is not connected until initialization completes. Therefore,
messages are not redirected to a system message logging server for a few seconds.

Log messages are not saved across system reboots. However, a maximum of 100 log messages with a
severity level of critical and below (levels 0, 1, and 2) are saved in NVRAM.
Table 61-1 describes some samples of the facilities supported by the system message logs.

Table 61-1 Internal Logging Facilities

| Facility Keyword | Description | Standard or Cisco MDS Specific |
|---|---|---|
| acl | ACL manager | Cisco MDS 9000 Family specific |
| all | All facilities | Cisco MDS 9000 Family specific |
| auth | Authorization system | Standard |
| authpriv | Authorization (private) system | Standard |
| bootvar | Bootvar | Cisco MDS 9000 Family specific |
| callhome | Call Home | Cisco MDS 9000 Family specific |
| cron | Cron or at facility | Standard |
| daemon | System daemons | Standard |
| fcc | FCC | Cisco MDS 9000 Family specific |
| fcdomain | fcdomain | Cisco MDS 9000 Family specific |
| fcns | Name server | Cisco MDS 9000 Family specific |
| fcs | FCS | Cisco MDS 9000 Family specific |
| flogi | FLOGI | Cisco MDS 9000 Family specific |
| fspf | FSPF | Cisco MDS 9000 Family specific |
| ftp | File Transfer Protocol | Standard |
| ipconf | IP configuration | Cisco MDS 9000 Family specific |
| ipfc | IPFC | Cisco MDS 9000 Family specific |
| kernel | Kernel | Standard |
| local0 to local7 | Locally defined messages | Standard |
| lpr | Line printer system | Standard |
| mail | Mail system | Standard |
| mcast | Multicast | Cisco MDS 9000 Family specific |
| module | Switching module | Cisco MDS 9000 Family specific |
| news | USENET news | Standard |
| ntp | NTP | Cisco MDS 9000 Family specific |
| platform | Platform manager | Cisco MDS 9000 Family specific |
| port | Port | Cisco MDS 9000 Family specific |
| port-channel | PortChannel | Cisco MDS 9000 Family specific |
| qos | QoS | Cisco MDS 9000 Family specific |
| rdl | RDL | Cisco MDS 9000 Family specific |
| rib | RIB | Cisco MDS 9000 Family specific |
| rscn | RSCN | Cisco MDS 9000 Family specific |
| securityd | Security | Cisco MDS 9000 Family specific |
| syslog | Internal system messages | Standard |
| sysmgr | System manager | Cisco MDS 9000 Family specific |
| tlport | TL port | Cisco MDS 9000 Family specific |
| user | User process | Standard |
| uucp | UNIX-to-UNIX Copy Program | Standard |
| vhbad | Virtual host base adapter daemon | Cisco MDS 9000 Family specific |
| vni | Virtual network interface | Cisco MDS 9000 Family specific |
| vrrp_cfg | VRRP configuration | Cisco MDS 9000 Family specific |
| vrrp_eng | VRRP engine | Cisco MDS 9000 Family specific |
| vsan | VSAN system messages | Cisco MDS 9000 Family specific |
| vshd | vshd | Cisco MDS 9000 Family specific |
| wwn | WWN manager | Cisco MDS 9000 Family specific |
| xbar | Xbar system messages | Cisco MDS 9000 Family specific |
| zone | Zone server | Cisco MDS 9000 Family specific |

Table 61-2 describes the severity levels supported by the system message logs.

Table 61-2 Error Message Severity Levels

| Level Keyword | Level | Description | System Message Definition |
|---|---|---|---|
| emergencies | 0 | System unusable | LOG_EMERG |
| alerts | 1 | Immediate action needed | LOG_ALERT |
| critical | 2 | Critical conditions | LOG_CRIT |
| errors | 3 | Error conditions | LOG_ERR |
| warnings | 4 | Warning conditions | LOG_WARNING |
| notifications | 5 | Normal but significant condition | LOG_NOTICE |
| informational | 6 | Informational messages only | LOG_INFO |
| debugging | 7 | Debugging messages | LOG_DEBUG |

Note Refer to the Cisco MDS 9000 Family System Messages Reference for details on the error log message
format.

System Message Logging Configuration


System logging messages are sent to the console based on the default (or configured) logging facility
and severity values.
This section includes the following topics:
Message Logging Initiation
Console Severity Level
Module Logging
Log Files
System Message Logging Servers
Verifying Syslog Servers from Fabric Manager Web Server
Viewing Logs from Fabric Manager Web Server

Message Logging Initiation


You can disable logging to the console or enable logging to a given Telnet or SSH session.


When you disable or enable logging to a console session, that state is applied to all future console
sessions. If you exit and log in again to a new session, the state is preserved.
When you enable or disable logging to a Telnet or SSH session, that state is applied only to that
session. If you exit and log in again to a new session, the state is not preserved.
To enable or disable the logging state for a Telnet or SSH session using Fabric Manager, follow these
steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Expand Switches, expand Events and select SysLog in the Physical Attributes pane.
You see the SysLog information in the Information pane.
Step 3 Click the Switch Logging tab.
You see the switch information shown in Figure 61-1.

Figure 61-1 Switch Logging Tab in Fabric Manager

Step 4 Select a switch in the Information pane.


Step 5 Check (enable) or uncheck (disable) the Console Enable check box.
Step 6 Click the Apply Changes icon.

Console Severity Level


When logging is enabled for a console session (default), you can configure the severity levels of
messages that appear on the console. The default severity for console logging is 2 (critical).

Tip The current critical (default) logging level is maintained if the console baud speed is 9600 baud (default).
All attempts to change the console logging level generate an error message. To increase the logging
level (above critical), you must change the console baud speed to 38400 baud.

To configure the severity level for a logging facility using Fabric Manager, follow these steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Expand Switches, expand Events and select SysLog in the Physical Attributes pane.
You see the SysLog information in the Information pane.
Step 3 Click the Switch Logging tab.
You see the switch information shown in Figure 61-2.


Figure 61-2 Switch Logging Tab in Fabric Manager

Step 4 Select a switch in the Information pane.


Step 5 Select a severity level from the Console Severity drop-down list in the row for that switch.
Step 6 Click the Apply Changes icon.

Module Logging
By default, logging is enabled at level 7 for all modules. You can enable or disable logging for each
module at a specified level.
To configure the severity level for a logging facility, follow these steps:

Step 1 In Fabric Manager, expand Switches, expand Events and select SysLog in the Physical Attributes pane.
In Device Manager, choose Logs > Syslog > Setup and click the Switch Logging tab in the Syslog
dialog box.
You see the switch information shown in Figure 61-3 or Figure 61-4.

Figure 61-3 Switch Logging Tab in Fabric Manager


Figure 61-4 Switch Logging Tab in Device Manager

Step 2 Check the check boxes where you want message logging to occur (ConsoleEnable, TerminalEnable,
LineCardEnable).
Step 3 Choose the message severity threshold from the Console Severity drop-down box for each switch in
Fabric Manager (see Figure 61-3) or click the appropriate message severity level radio button in Device
Manager (see Figure 61-4).
Step 4 Click the Apply Changes icon in Fabric Manager, or click Apply in Device Manager to save and apply
your changes.

Log Files
Logging messages can be saved to a log file. You can configure the name of this file and restrict its size
as required. The default log file name is messages. The file name can have up to 80 characters and the
file size ranges from 4096 bytes to 4194304 bytes.
To send log messages to a file using Fabric Manager, follow these steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Expand Switches, expand Events and select SysLog in the Physical Attributes pane.
You see the SysLog information in the Information pane.
Step 3 Select a switch in the Information pane.
Step 4 Click the Switch Logging tab.
You see the information in Figure 61-5.


Figure 61-5 Switch Logging Tab in Fabric Manager

Step 5 Enter the name of the log file in the LogFile Name column in the row for that switch.
Step 6 Click the Apply Changes icon.

Note The configured log file is saved in the /var/log/external directory. The location of the log file cannot be
changed.

System Message Logging Servers


You can configure a maximum of three system message logging servers.
To send log messages to a UNIX system message logging server, you must configure the system message
logging daemon on a UNIX server. Log in as root, and follow these steps:

Step 1 Add the following line to the /etc/syslog.conf file.


local1.debug /var/log/myfile.log

Note Be sure to add five tab characters between local1.debug and /var/log/myfile.log. Refer to entries
in the /etc/syslog.conf file for further examples.

The switch sends messages according to the specified facility types and severity levels. The local1
keyword specifies the UNIX logging facility used. The messages from the switch are generated by user
processes. The debug keyword specifies the severity level of the condition being logged. You can set
UNIX systems to receive all messages from the switch.
Step 2 Create the log file by entering these commands at the UNIX shell prompt:
$ touch /var/log/myfile.log
$ chmod 666 /var/log/myfile.log

Step 3 Make sure the system message logging daemon reads the new changes by entering this command:
$ kill -HUP `cat /etc/syslog.pid`


Note Most tabs in the Information pane for features using CFS are dimmed until you click the CFS tab. The
CFS tab shows which switches have CFS enabled and shows the master switch for this feature. Once the
CFS tab is clicked, the other tabs in the Information pane that use CFS are activated.

You can configure a maximum of three syslog servers. One of these syslog servers should be Fabric
Manager if you want to view system messages from the Event tab in Fabric Manager.
To configure system message logging servers, follow these steps:

Step 1 In Fabric Manager, expand Switches, expand Events and select SysLog in the Physical Attributes pane,
then click the Servers tab in the Information pane.

Figure 61-6 Servers Tab in Fabric Manager Syslog

In Device Manager, choose Logs > Syslog > Setup and click the Servers tab in the Syslog dialog box.

Figure 61-7 Servers Tab in Device Manager Syslog

Step 2 Click the Create Row icon in Fabric Manager, or click Create in Device Manager (see Figure 61-7) to
add a new syslog server.
Step 3 Enter the name or IP address in dotted decimal notation (for example, 192.168.2.12) of the syslog server
in the Name or IP Address field.
Step 4 Set the message severity threshold by clicking the MsgSeverity radio button and set the facility by
clicking the Facility radio button.
Step 5 Click the Apply Changes icon in Fabric Manager, or click Create in Device Manager to save and apply
your changes.


Device Manager allows you to view event logs on your local PC as well as those on the switch. For a
permanent record of all events that occur on the switch, you should store these messages off the switch.
To do this the MDS switch must be configured to send syslog messages to your local PC and a syslog
server must be running on that PC to receive those messages. These messages can be categorized into
four classes:
Hardware: Line card or power supply problems
Link Incidents: FICON port condition changes
Accounting: User change events
Events: All other events

Note You should avoid using PCs that have IP addresses randomly assigned to them by DHCP. The switch
continues to use the old IP address unless you manually change it; however the Device Manager prompts
you if it does detect this situation. UNIX workstations have a built-in syslog server. You must have root
access (or run the Cisco syslog server as setuid to root) to stop the built-in syslog daemon and start the
Cisco syslog server.


Verifying Syslog Servers from Fabric Manager Web Server


To verify the syslog servers remotely using Fabric Manager Web Server, follow these steps:

Step 1 Point your browser at the Fabric Manager Web Server. See the Launching Fabric Manager Web Client
section on page 7-7.
Step 2 Choose Events > Syslog to view the syslog server information for each switch. The columns in the table
are sortable.

Outgoing System Message Logging Server Facilities


All system messages have a logging facility and a level. The logging facility can be thought of as "where"
and the level can be thought of as "what."
The single system message logging daemon (syslogd) sends the information based on the configured
facility option. If no facility is specified, local7 is the default outgoing facility.
The internal facilities are listed in Table 61-1 and the outgoing logging facilities are listed in Table 61-3.

Table 61-3 Outgoing Logging Facilities

| Facility Keyword | Description | Standard or Cisco MDS Specific |
|---|---|---|
| auth | Authorization system | Standard |
| authpriv | Authorization (private) system | Standard |
| cron | Cron or at facility | Standard |
| daemon | System daemons | Standard |
| ftp | File Transfer Protocol | Standard |
| kernel | Kernel | Standard |
| local0 to local7 | Locally defined messages | Standard (local7 is the default) |
| lpr | Line printer system | Standard |
| mail | Mail system | Standard |
| news | USENET news | Standard |
| syslog | Internal system messages | Standard |
| user | User process | Standard |
| uucp | UNIX-to-UNIX Copy Program | Standard |
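
As an added illustration (not part of the Cisco guide), the Python example below decodes the <PRI> prefix that a syslog receiver sees into the facility keywords of Table 61-3 and the severity keywords of Table 61-2, then checks whether a syslog.conf selector such as local1.debug from the UNIX server procedure would store the message. The function names and the sample datagrams are constructed for this example; the selector check follows classic BSD syslogd semantics (the named level and anything more severe).

```python
import re
from typing import List, Tuple

# Severity keywords from Table 61-2; the list index is the numeric level.
CISCO_SEVERITY = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# The same eight levels as they are spelled in syslog.conf selectors.
SYSLOGD_LEVEL = ["emerg", "alert", "crit", "err",
                 "warning", "notice", "info", "debug"]

# Outgoing facilities from Table 61-3 with their standard syslog codes.
FACILITY_CODE = {"kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
                 "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
                 "authpriv": 10, "ftp": 11}
FACILITY_CODE.update({f"local{n}": 16 + n for n in range(8)})
CODE_FACILITY = {code: name for name, code in FACILITY_CODE.items()}

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram: bytes) -> Tuple[str, int, str]:
    """Return (facility keyword, numeric severity, Table 61-2 keyword)."""
    match = PRI_RE.match(datagram)
    if match is None:
        raise ValueError("datagram does not start with <PRI>")
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid value
        raise ValueError(f"PRI {pri} is out of range")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    name = CODE_FACILITY.get(facility, f"facility{facility}")
    return name, severity, CISCO_SEVERITY[severity]


def selector_matches(selector: str, facility: str, severity: int) -> bool:
    """True if a 'facility.level' selector would store this message."""
    sel_facility, dot, sel_level = selector.partition(".")
    if sel_facility == "kern":  # syslog.conf spells the kernel facility "kern"
        sel_facility = "kernel"
    if not dot or sel_level not in SYSLOGD_LEVEL:
        raise ValueError(f"unsupported selector: {selector!r}")
    if sel_facility != "*" and sel_facility not in FACILITY_CODE:
        raise ValueError(f"unknown facility in selector: {selector!r}")
    facility_ok = sel_facility in ("*", facility)
    # A lower number is more severe, so "debug" (7) accepts every level.
    return facility_ok and severity <= SYSLOGD_LEVEL.index(sel_level)


def triage(datagrams: List[bytes], selector: str) -> List[Tuple[str, str, bool]]:
    """For each datagram: (facility, severity keyword, stored by selector?)."""
    results = []
    for datagram in datagrams:
        facility, severity, keyword = decode_pri(datagram)
        stored = selector_matches(selector, facility, severity)
        results.append((facility, keyword, stored))
    return results


# Constructed sample datagrams; only the <PRI> prefix matters here.
SAMPLE_DATAGRAMS = [
    b"<189>constructed sample sent with the default outgoing facility",  # local7, level 5
    b"<143>constructed sample sent with facility local1",                # local1, level 7
    b"<138>constructed sample sent with facility local1",                # local1, level 2
]

if __name__ == "__main__":
    for selector in ("local1.debug", "*.crit"):
        print(selector)
        for facility, keyword, stored in triage(SAMPLE_DATAGRAMS, selector):
            print(f"  {facility:<8} {keyword:<14} stored={stored}")
```

The first sample shows why the server facility configured on the switch has to agree with the selector on the UNIX server: a message sent with the default local7 facility is not written by a local1.debug entry.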


Viewing Logs from Fabric Manager Web Server


To view system messages remotely using Fabric Manager Web Server, follow these steps:

Step 1 Point your browser at the Fabric Manager Web Server. See the Launching Fabric Manager Web Client
section on page 7-7.
Step 2 Click the Events tab followed by the Details to view the system messages. The columns in the events
table are sortable. In addition, you can use the Filter button to limit the scope of messages within the
table.

Viewing Logs from Device Manager


You can view system messages from Device Manager if Device Manager is running from the same
workstation as the Fabric Manager Server. Choose Logs > Events > current to view the system
messages on Device Manager. The columns in the events table are sortable. In addition, you can use the
Find button to locate text within the table.
You can view switch-resident logs even if you have not set up your local syslog server or your local PC
is not in the switch's syslog server list. Due to memory constraints, these logs will wrap when they reach
a certain size. The switch syslog has two logs: an NVRAM log that holds a limited number of critical
and greater messages and a nonpersistent log that contains notice or greater severity messages. Hardware
messages are part of these logs.

Note When using the show logging command, output is displayed only when the configured logging levels
for the switch are different from the default levels.

Default Settings
Table 61-4 lists the default settings for system message logging.

Table 61-4 Default System Message Log Settings

| Parameters | Default |
|---|---|
| System message logging to the console | Enabled for messages at the critical severity level. |
| System message logging to Telnet sessions | Disabled. |
| Logging file size | 4194304. |
| Log file name | Message (change to a name with up to 200 characters). |
| Logging server | Disabled. |
| Syslog server IP address | Not configured. |
| Number of servers | Three servers. |
| Server facility | Local 7. |


CHAPTER 62
Configuring Call Home

Call Home provides e-mail-based notification of critical system events. A versatile range of message
formats is available for optimal compatibility with pager services, standard e-mail, or XML-based
automated parsing applications. Common uses of this feature may include direct paging of a network
support engineer, e-mail notification to a Network Operations Center, and utilization of Cisco Smart Call
Home services for direct case generation with the Technical Assistance Center.

Note Cisco Autonotify is upgraded to a new capability called Smart Call Home. Smart Call Home has
significant functionality improvement over Autonotify and is available across the Cisco product range.
For detailed information on Smart Call Home, see the Smart Call Home page at this location:
http://www.cisco.com/go/smartcall/

The Call Home feature provides message throttling capabilities. Periodic inventory messages, port
syslog messages, and RMON alert messages are added to the list of deliverable Call Home messages. If
required, you can also use the Cisco Fabric Services application to distribute the Call Home configuration
to all other switches in the fabric.
This chapter includes the following sections:
• Call Home Features
• About Smart Call Home
• Obtaining Smart Call Home
• Configuring Call Home
• Configuring Contact Information
• Destination Profiles
• Alert Groups
• Customized Alert Group Messages
• Call Home Message Level Feature
• Syslog-Based Alerts
• RMON-Based Alerts
• E-Mail Options
• HTTPS Support
• Periodic Inventory Notification
• Duplicate Message Throttle
• Call Home Enable Function
• Call Home Configuration Distribution
• Call Home Communications Test
• Clearing Call Home Name Server Database
• Configuring EMC E-mail Home Delayed Traps
• Event Triggers
• Call Home Message Levels
• Message Contents

Call Home Features


The Call Home functionality is available directly through the Cisco MDS 9000 Family. It provides
multiple Call Home profiles (also referred to as Call Home destination profiles), each with separate
potential destinations. You can define your own destination profiles in addition to predefined profiles.
The Call Home function can even leverage support from Cisco Systems or another support partner.
Flexible message delivery and format options make it easy to integrate specific support requirements.
The Call Home feature offers the following advantages:
• Fixed set of predefined alerts and trigger events on the switch.
• Automatic execution and attachment of relevant command output.
• Multiple message format options:
  - Short Text: Suitable for pagers or printed reports.
  - Plain Text: Full formatted message information suitable for human reading.
  - XML: Matching readable format using Extensible Markup Language (XML) and document
    type definitions (DTDs) named Messaging Markup Language (MML). The MML DTD is
    published on the Cisco.com website at http://www.cisco.com/. The XML format enables
    communication with the Cisco Systems Technical Assistance Center.
• Multiple concurrent message destinations. You can configure up to 50 e-mail destination addresses
  for each destination profile.
• Multiple message categories including system, environment, switching module hardware,
  supervisor module, hardware, inventory, syslog, RMON, and test.

About Smart Call Home


Smart Call Home is a component of Cisco SMARTnet Service that offers proactive diagnostics, real-time
alerts, and personalized web-based reports on select Cisco devices.
Smart Call Home provides fast resolution of system problems by analyzing Call Home messages sent
from your devices and providing a direct notification path to Cisco customer support.
Smart Call Home offers the following features:
• Continuous device health monitoring and real-time diagnostics alerts.
• Analysis of Call Home messages from your device and, where appropriate, automatic service request
  generation, routed to the appropriate TAC team, including detailed diagnostic information to speed
  problem resolution.
• Secure message transport through a downloadable Transport Gateway (TG) aggregation point. You
  can use a TG aggregation point in cases requiring support for multiple devices or in cases where
  security requirements mandate that your devices not be connected directly to the Internet.
• Web-based access to Call Home messages and recommendations, inventory and configuration
  information for all Call Home devices. Provides access to associated Field Notices, Security
  Advisories and End-of-Life Information.

Table 62-1 lists the benefits of Smart Call Home.

Table 62-1 Benefits of Smart Call Home Compared to Autonotify

Feature: Low touch registration
  Smart Call Home: The registration process is considerably streamlined. Customers no longer need to
    know their device serial number or contract information. They can register devices without
    manual intervention from Cisco by sending a message from those devices. The procedures are
    outlined at www.cisco.com/go/smartcall
  Autonotify: Requires the customer to request Cisco to add each specific serial number to the
    database.

Feature: Recommendations
  Smart Call Home: Smart Call Home provides recommendations for known issues including those for
    which SRs are raised and for which SRs are not appropriate but for which customers might want
    to still take action on.
  Autonotify: Autonotify raises SRs for a set of failure scenarios but no recommendations are
    provided for these.

Feature: Device report
  Smart Call Home: Device report includes full inventory and configuration details. Once available,
    the information in these reports will be mapped to field notices, PSIRTs, EoX notices,
    configuration best practices and bugs.
  Autonotify: No.

Feature: History report
  Smart Call Home: The history report is available to look up any message and its contents,
    including show commands, message processing, analysis results, recommendations and service
    request numbers for all messages sent over the past three months.
  Autonotify: A basic version is available that does not include contents of message.

Feature: Network summary report
  Smart Call Home: A report that provides a summary of the make-up of devices and modules in the
    customer network (for those devices registered with Smart Call Home)
  Autonotify: No.

Feature: Cisco device support
  Smart Call Home: Device Support will be extended across the Cisco product range. See the
    supported products table at www.cisco.com/go/smartcall
  Autonotify: Will be deprecated in favor of Smart Call Home in October 2008.

Obtaining Smart Call Home


If you have a service contract directly with Cisco Systems, you can receive automatic case generation
from the Technical Assistance Center by registering with the Smart Call Home service.
You need the following items to register:
• The SMARTnet contract number for your switch.
• Your e-mail address
• Your Cisco.com ID
For detailed information on Smart Call Home, including quick start configuration and registration steps,
see the Smart Call Home page at this location: http://www.cisco.com/go/smartcall/

Configuring Call Home


How you configure the Call Home process depends on how you intend to use the feature. Some points
to consider include:
• An e-mail server and at least one destination profile (predefined or user-defined) must be
  configured. The destination profile(s) used depends on whether the receiving entity is a pager,
  e-mail, or automated service such as Cisco Smart Call Home.
• Switches can forward events (SNMP traps/informs) to up to 10 destinations.
• The contact name (SNMP server contact), phone, and street address information must be configured
  before Call Home is enabled. This configuration is required to determine the origin of messages
  received.
• The Cisco MDS 9000 switch must have IP connectivity to an e-mail server.
• If Cisco Smart Call Home is used, an active service contract must cover the device being configured.
To configure Call Home, follow these steps:

Step 1 Assign contact information.
Step 2 Configure destination profiles.
Step 3 Associate one or more alert groups to each profile as required by your network. Customize the alert
groups, if desired.
Step 4 Configure e-mail options.
Step 5 Enable or disable Call Home.
Step 6 Test Call Home messages.

Configuring Contact Information


Each switch must include e-mail, phone, and street address information. You can optionally include the
contract ID, customer ID, site ID, and switch priority information.

Note Switch priority is specific to each switch in the fabric. This priority is used by the operations personnel
or TAC support personnel to decide which Call Home message they should respond to first. You can
prioritize Call Home alerts of the same severity from each switch.

To assign the contact information using Fabric Manager, follow these steps:

Step 1 In the Fabric Manager Physical Attributes pane, expand Switches, expand Events, and select Call
Home.
You see the Call Home tabs in the Information pane (see Figure 62-1).

Figure 62-1 Call Home in Fabric Manager

Step 2 In Device Manager, click Admin > Events > Call Home. See Figure 62-2.

Figure 62-2 Call Home in Device Manager

Step 3 Click the General tab, then assign contact information and enable the Call Home feature. Call Home is
not enabled by default. You must enter an e-mail address that identifies the source of Call Home
notifications.
Step 4 Click the Destination(s) tab to configure the destination e-mail addresses for Call Home notifications.
You can identify one or more e-mail addresses that will receive Call Home notifications.

Note Switches can forward events (SNMP traps/informs) to up to 10 destinations.

Step 5 Click the e-mail Setup tab to identify the SMTP server. Identify a message server to which your switch
has access. This message server will forward the Call Home notifications to the destinations.
Step 6 In Fabric Manager, click the Apply Changes icon. In Device Manager, click Apply.

Destination Profiles
A destination profile contains the required delivery information for an alert notification. Destination
profiles are typically configured by the network administrator. At least one destination profile is
required. You can configure multiple destination profiles of one or more types.
You can use one of the predefined destination profiles or define a desired profile. If you define a new
profile, you must assign a profile name.

Note If you use the Cisco Smart Call Home service, the XML destination profile is required (see
http://www.cisco.com/en/US/partner/products/hw/ps4159/ps4358/products_configuration_example09186a0080108e72.shtml).

You can configure the following attributes for a destination profile:

• Profile name: A string that uniquely identifies each user-defined destination profile and is limited
  to 32 alphanumeric characters. The format options for a user-defined destination profile are full-txt,
  short-txt, or XML (default).
• Destination address: The actual address, pertinent to the transport mechanism, to which the alert
  should be sent.
• Message formatting: The message format used for sending the alert (full text, short text, or XML).
To configure predefined destination profile messaging options using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
Step 2 Click the Profiles tab in the Information pane.
You see the Call Home profiles for multiple switches shown in Figure 62-3.

Figure 62-3 Call Home Profiles for Multiple Switches

Step 3 Set the profile name, message format, message size, and severity level.
Step 4 Click in the Alert Groups column and select or remove an alert group.
Step 5 Click the Apply Changes icon to create this profile on the selected switches.

To configure a new destination-profile (and related parameters) using Fabric Manager, follow these
steps:

Step 1 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
Step 2 Click the Profiles tab in the Information pane.
You see Call Home profiles for multiple switches.

Figure 62-4 Call Home Profiles for Multiple Switches

Step 3 Click the Create Row icon to add a new profile.


Step 4 Set the profile name, message format, size, and severity level.
Step 5 Click an alert group and select each group from the drop-down list that you want sent in this profile.

Step 6 Click the Apply Changes icon to create this profile on the selected switches.

Alert Groups
An alert group is a predefined subset of Call Home alerts supported in all switches in the Cisco MDS
9000 Family. Different types of Call Home alerts are grouped into different alert groups depending on
their type. You can associate one or more alert groups to each profile as required by your network.
The alert group feature allows you to select the set of Call Home alerts to be received by a destination
profile (either predefined or user-defined). You can associate multiple alert groups with a destination
profile.

Note A Call Home alert is sent to e-mail destinations in a destination profile only if that Call Home alert
belongs to one of the alert groups associated with that destination profile.

To associate an alert group with a destination profile using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
Step 2 Click the Profiles tab in the Information pane.
You see the Call Home profiles for multiple switches shown in Figure 62-5.

Figure 62-5 Call Home Profiles for Multiple Switches

Step 3 Click the Alert Groups column in the row for the profile you want to associate.
You see the alert groups drop-down menu shown in Figure 62-6.

Figure 62-6 Alert Groups Drop-down Menu

Step 4 Click an alert group to select it for association.


Step 5 You see a check next to that alert group. To deselect it and remove the check, click it again.
Step 6 Click the Apply Changes icon.

Customized Alert Group Messages


The predefined Call Home alert groups generate notification messages when certain events occur on the
switch. You can customize predefined alert groups to execute additional valid show commands when
specific events occur. The output from these additional show commands is included in the notification
message along with the output of the predefined show commands.

Note You can assign a maximum of five user-defined show commands to an alert group. Only show commands
can be assigned to an alert group.

Note Customized show commands are only supported for full text and XML alert groups. Short text alert
groups (short-txt-destination) do not support customized show commands because they only allow 128
bytes of text.

To assign show commands to be executed when an alert is sent, you must associate the commands with
the alert group. When an alert is sent, Call Home associates the alert group with an alert type and attaches
the output of the show commands to the alert message.

Note Make sure the destination profiles for a non-Cisco-TAC alert group, with a predefined show command,
and the Cisco-TAC alert group are not the same.

Customizing Alert Group Messages Using Fabric Manager


To customize Call Home alert group messages using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
Step 2 Click the User Defined Command tab in the Information pane.
You see the User Defined Command information shown in Figure 62-7.

Figure 62-7 User Defined Command Dialog Box

Step 3 Click the Create Row icon.


Step 4 Check the check boxes in front of the switches from which you want to receive alerts.
Step 5 Select the alert group type from the Alert Group Type drop-down list.
Step 6 Select the ID (1-5) of the CLI command. The ID is used to keep track of the messages.
Step 7 Enter the CLI show command in the CLI Command field.
Step 8 Click Create.
Step 9 Repeat Steps 3 through 7 for each command you want to associate with the profile.
Step 10 Click Close to close the dialog box.

Call Home Message Level Feature


The Call Home message level feature allows you to filter messages based on their level of urgency. Each
destination profile (predefined and user-defined) is associated with a Call Home message level threshold.
Any message with a value lower than the urgency threshold is not sent. The urgency level ranges from 0
(lowest level of urgency) to 9 (highest level of urgency), and the default is 0 (all messages are sent).

Note Call Home severity levels are not the same as system message logging severity levels.

Setting the Call Home Message Levels Using Fabric Manager


To set the message level for each destination profile for Call Home using Fabric Manager, follow these
steps:

Step 1 In Fabric Manager, expand the Switches folder in the Physical Attributes pane, expand Events and then
select Call Home.
You see the Call Home information in the Information pane.

In Device Manager, choose Admin > Events > Call Home.


Step 2 Click the Profiles tab in the Information Pane.
You see the Call Home profiles shown in Figure 62-8.

Figure 62-8 Call Home Profiles

Step 3 Set a message level for each switch using the drop-down menu in the MsgLevel column.
Step 4 Click the Apply Changes icon to save your changes.

Syslog-Based Alerts
You can configure the switch to send certain syslog messages as Call Home messages. The
syslog-group-port alert group selects syslog messages for the port facility. The Call Home application
maps the syslog severity level to the corresponding Call Home severity level (see the "Call Home
Message Levels" section on page 62-32). For example, if you select level 5 for the Call Home message
level, syslog messages at levels 0, 1, and 2 are included in the Call Home log.
Whenever a syslog message is generated, the Call Home application sends a Call Home message
depending on the mapping between the destination profile and the alert group and on the
severity level of the generated syslog message. To receive a syslog-based Call Home alert, you must
associate a destination profile with the syslog alert groups (currently there is only one syslog alert
group, syslog-group-port) and configure the appropriate message level (see the "Call Home Message
Level Feature" section on page 62-11).

Note Call Home does not change the syslog message level in the message text. The syslog message texts in
the Call Home log appear as they are described in the Cisco MDS 9000 Family System Messages Guide.

Configuring Syslog-Based Alerts Using Fabric Manager


To configure the syslog-group-port alert group using Fabric Manager, follow these steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
You see the Call Home information in the Information pane.
Step 3 Click the Profiles tab.
You see the Call Home profiles shown in Figure 62-9.

Figure 62-9 Call Home Profiles

Step 4 Click the Create Row icon.


You see the Create Call Home Profile dialog box.
Step 5 Select the switches for which you want to send alerts.
Step 6 Enter the name of the profile in the Name field.
Step 7 Choose the message format, message size, and message severity level.
Step 8 Check the syslogGroupPort check box in the AlertGroups section.
Step 9 Click Create to create the profile for the syslog-based alerts.
Step 10 Close the dialog box.

RMON-Based Alerts
You can configure the switch to send Call Home notifications corresponding to RMON alert triggers. All
RMON-based Call Home messages have their message level set to NOTIFY (2). The RMON alert group
is defined for all RMON-based Call Home alerts. To receive an RMON-based Call Home alert, you must
associate a destination profile with the RMON alert group.
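
The alert group, message level, syslog and RMON rules described above combine into one delivery decision per destination profile. The following is an added example, not Cisco code: a small Python model of that decision that also reports which syslog severities no profile would deliver. The profile names, e-mail addresses and the severity mapping (Call Home level = 7 minus syslog severity, which matches the level 5 example above) are assumptions; check the mapping against the "Call Home Message Levels" section.

```python
from dataclasses import dataclass, field

# Assumption: syslog severity -> Call Home message level (7 - severity).
# It agrees with the text's example (threshold 5 keeps syslog 0, 1 and 2);
# confirm it against the table in the "Call Home Message Levels" section.
SYSLOG_TO_CALLHOME = {sev: 7 - sev for sev in range(8)}
RMON_LEVEL = 2  # all RMON-based Call Home messages are sent at NOTIFY (2)


@dataclass
class Profile:
    name: str
    alert_groups: frozenset
    msg_level: int = 0                      # default 0: all messages are sent
    emails: list = field(default_factory=list)

    def __post_init__(self):
        if not 0 <= self.msg_level <= 9:
            raise ValueError(f"{self.name}: message level must be 0..9")
        if len(self.emails) > 50:
            raise ValueError(f"{self.name}: at most 50 e-mail destinations")


def message_level(alert_group, syslog_severity=None, level=None):
    """Call Home level of an alert, derived the way the text describes."""
    if alert_group == "RMON":
        return RMON_LEVEL
    if alert_group == "syslog-group-port":
        if syslog_severity not in SYSLOG_TO_CALLHOME:
            raise ValueError("syslog severity must be 0..7")
        return SYSLOG_TO_CALLHOME[syslog_severity]
    if level is None or not 0 <= level <= 9:
        raise ValueError("other alert groups need an explicit level 0..9")
    return level


def receiving_profiles(profiles, alert_group, level):
    """Profiles that send the alert: group must match, level must not be below threshold."""
    return [p.name for p in profiles
            if alert_group in p.alert_groups and level >= p.msg_level]


def syslog_severities_sent(profile):
    """Syslog severities a profile forwards; empty without the syslog alert group."""
    if "syslog-group-port" not in profile.alert_groups:
        return []
    return [sev for sev, lvl in sorted(SYSLOG_TO_CALLHOME.items())
            if lvl >= profile.msg_level]


def coverage_gaps(profiles):
    """Syslog severities that no configured profile would deliver."""
    covered = set()
    for p in profiles:
        covered.update(syslog_severities_sent(p))
    return sorted(set(SYSLOG_TO_CALLHOME) - covered)


# Constructed sample configuration (names and addresses are hypothetical).
PROFILES = [
    Profile("noc-full-txt", frozenset({"syslog-group-port", "RMON"}), 5,
            ["noc@example.com"]),
    Profile("rmon-watch", frozenset({"RMON"}), 2, ["storage@example.com"]),
]

if __name__ == "__main__":
    lvl = message_level("syslog-group-port", syslog_severity=3)
    print("syslog severity 3 ->", receiving_profiles(PROFILES, "syslog-group-port", lvl))
    print("RMON ->", receiving_profiles(PROFILES, "RMON", message_level("RMON")))
    print("syslog severities nobody receives:", coverage_gaps(PROFILES))
```

With a threshold of 5 on the only syslog profile, port syslog messages at severities 3 through 7 never leave the switch as Call Home alerts, which is worth knowing before relying on Call Home as the sole notification path.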

Configuring RMON Alerts Using Fabric Manager


To configure RMON alert groups using Fabric Manager, follow these steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
You see the Call Home information in the Information pane.
Step 3 Click the Profiles tab.
You see the Call Home profiles shown in Figure 62-10.

Figure 62-10 Call Home Profiles

Step 4 Select the Create Row icon.


You see the Create Call Home Profile dialog box.
Step 5 Select switches to send alerts.
Step 6 Enter the name of the profile.
Step 7 Select the message format, message size, and message severity level.
Step 8 Check the RMON check box in the AlertGroups section.
Step 9 Click Create to create the profile for the RMON-based alerts.
Step 10 Close the dialog box.

E-Mail Options
You can configure the from, reply-to, and return-receipt e-mail addresses. While most e-mail address
configurations are optional, you must configure the SMTP server address for the Call Home
functionality to work.

Configuring General E-Mail Options Using Fabric Manager


To configure general e-mail options using Fabric Manager, follow these steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
You see the Call Home information in the Information pane.
Step 3 Click the e-mail Setup tab.

Figure 62-11 Call Home e-mail Setup Tab

Step 4 Select a switch in the Information pane.


Step 5 Enter the general e-mail information.
Step 6 Enter the SMTP server IP address type, IP address or name, and port.
Step 7 Click the Apply Changes icon to update the e-mail options.

Configuring HTTPS Support


Any predefined or user-defined destination profile can be configured to enable or disable a particular
transport method. The transport methods are HTTP and email.
To enable or disable a transport method for a destination profile, follow these steps:

Step 1 switch# config t
       Enters configuration mode.
Step 2 switch(config)# callhome
       switch(config-callhome)#
       Enters Call Home configuration submode.
Step 3 switch(config-callhome)# destination-profile CiscoTAC-1 transport-method http
       Optional. Enables predefined destination profile CiscoTAC-1 for http transport-method.
       Note For user-defined destination profiles, e-mail is the default. You can enable either or both
       transport mechanisms. If you disable both methods, e-mail will be enabled.
Step 4 switch(config-callhome)# no destination-profile CiscoTAC-1 transport-method email
       Optional. Disables predefined destination profile CiscoTAC-1 for email transport-method.
Step 5 switch(config-callhome)# destination-profile full-txt transport-method http
       Optional. Enables predefined full-txt-destination profile for HTTP transport method.

Periodic Inventory Notification


You can configure the switch to periodically send a message with an inventory of all the software
services currently enabled and running on the switch along with hardware inventory information. The
inventory is modified each time the switch is restarted nondisruptively.
By default, this feature is disabled in all switches in the Cisco MDS 9000 Family. When you enable this
feature without configuring an interval value, the Call Home message is sent every 7 days. This value
ranges from 1 to 30 days.

Enabling Periodic Inventory Notifications Using Fabric Manager


To enable periodic inventory notification in a Cisco MDS 9000 Family switch using Fabric Manager,
follow these steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
You see the Call Home information in the Information pane.
Step 3 Click the Periodic Inventory tab.
You see the Call Home periodic inventory information shown in Figure 62-12.

Figure 62-12 Call Home Periodic Inventory Tab

Step 4 Select a switch in the Information pane.


Step 5 Check the Enable check box.
Step 6 Enter the number of days for which you want the inventory checked.
Step 7 Click the Apply Changes icon.

Duplicate Message Throttle


You can configure a throttling mechanism to limit the number of Call Home messages received for the
same event. If the same message is sent multiple times from the switch within a short period of time, you
may be swamped with a large number of duplicate messages.
By default, this feature is enabled in all switches in the Cisco MDS 9000 Family. When enabled, if the
number of messages sent exceeds the maximum limit of 30 messages within the 2-hour time frame, then
further messages for that alert type are discarded within that time frame. You cannot modify the time
frame or the message counter limit.
If 2 hours have elapsed since the first such message was sent and a new message has to be sent, then the
new message is sent and the time frame is reset to the time when the new message was sent and the count
is reset to 1.
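
The throttle described above behaves as a fixed-window counter kept per alert type. The following is an added example, not Cisco code: a Python model of that behaviour that replays a constructed event stream and counts how many messages are sent and how many are discarded. Reading "exceeds the maximum limit of 30" as "30 are sent, the 31st is discarded", and treating exactly 2 hours as elapsed, are assumptions; the alert type names are hypothetical.

```python
LIMIT = 30                  # messages per time frame (fixed, per the text)
WINDOW_SECONDS = 2 * 3600   # 2-hour time frame (fixed, per the text)


class DuplicateThrottle:
    """Per-alert-type fixed window: start time of the window and messages sent in it."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._state = {}    # alert type -> [window_start, sent_in_window]

    def allow(self, alert_type, now):
        """Return True if a message of this type at time `now` (seconds) is sent."""
        state = self._state.get(alert_type)
        # First message of this type, or 2 hours since the first message of
        # the current window: send it, restart the window here, count = 1.
        if state is None or now - state[0] >= self.window:
            self._state[alert_type] = [now, 1]
            return True
        if state[1] < self.limit:
            state[1] += 1
            return True
        return False        # over the limit inside the window: discarded


def replay(events, throttle=None):
    """events: (seconds, alert_type) pairs in time order.

    Returns {alert_type: (sent, discarded)}.
    """
    if throttle is None:
        throttle = DuplicateThrottle()
    totals = {}
    for now, alert_type in events:
        sent, discarded = totals.get(alert_type, (0, 0))
        if throttle.allow(alert_type, now):
            sent += 1
        else:
            discarded += 1
        totals[alert_type] = (sent, discarded)
    return totals


# Constructed sample: one alert type firing every minute for 3 hours, and a
# second, quiet alert type firing every 30 minutes.
SAMPLE_EVENTS = sorted(
    [(minute * 60, "port-flap") for minute in range(180)]
    + [(n * 1800, "fan") for n in range(5)]
)

if __name__ == "__main__":
    for alert_type, (sent, discarded) in sorted(replay(SAMPLE_EVENTS).items()):
        print(f"{alert_type}: sent={sent} discarded={discarded}")
```

In the sample, two thirds of the noisy alert type's messages are discarded rather than queued, while the quiet alert type is unaffected because the count is kept per alert type.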

Enabling Message Throttling Using Fabric Manager


To enable message throttling in a Cisco MDS 9000 Family switch using Fabric Manager, follow these
steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
You see the Call Home information in the Information pane.
Step 3 Click the Control tab.
You see the information shown in Figure 62-13.

Figure 62-13 Call Home Control Tab

Step 4 Select a switch in the Information pane.


Step 5 Check the Duplicate Message Throttle check box.
Step 6 Click the Apply Changes icon.

Call Home Enable Function


Once you have configured the contact information, you must enable the Call Home function.

Enabling Call Home Using Fabric Manager


To enable the Call Home function using Fabric Manager, follow these steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
You see the Call Home information in the Information pane.
Step 3 Click the Control tab.
You see the information shown in Figure 62-14.

Figure 62-14 Call Home Control Tab

Step 4 Select a switch in the Information pane.


Step 5 Check the Enable check box.
Step 6 Click the Apply Changes icon.

Call Home Configuration Distribution


You can enable fabric distribution for all Cisco MDS switches in the fabric. When you perform Call
Home configurations, and distribution is enabled, that configuration is distributed to all the switches in
the fabric.
You automatically acquire a fabric-wide lock when you perform the first configuration operation after
you enable distribution in a switch. The Call Home application uses the effective and pending database
model to store or commit the configuration changes. When you commit the configuration changes, the
effective database is overwritten by the configuration changes in the pending database and all the
switches in the fabric receive the same configuration. After making the configuration changes, you can
choose to discard the changes by aborting the changes instead of committing them. In either case, the
lock is released. See Chapter 13, "Using the CFS Infrastructure," for more information on the CFS
application.

Note The switch priority and the Syscontact name are not distributed.

Enabling Call Home Fabric Distribution Using Fabric Manager


To enable Call Home fabric distribution using Fabric Manager, follow these steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
You see the Call Home information in the Information pane.
Step 3 Click the CFS tab.
You see the CFS information for Call Home shown in Figure 62-15.

Figure 62-15 Call Home CFS Tab

Step 4 Select a switch in the Information pane.


Step 5 Select Enable from the drop-down list in the Admin column in the row for that switch.
Step 6 Click the Apply Changes icon to commit the changes.

Fabric Lock Override


If you have performed a Call Home task and have forgotten to release the lock by either committing or
discarding the changes, an administrator can release the lock from any switch in the fabric. If the
administrator performs this task, your changes to the pending database are discarded and the fabric lock
is released.

Tip The changes are only available in the volatile directory and are subject to being discarded if the switch
is restarted.

Database Merge Guidelines


See the CFS Merge Support section on page 13-9 for detailed concepts.
When merging two Call Home databases, follow these guidelines:
- Be aware that the merged database contains the following information:
  - A superset of all the destination profiles from the dominant and subordinate switches that take
    part in the merge protocol.
  - The e-mail addresses and alert groups for the destination profiles.
  - Other configuration information (for example, message throttling and periodic inventory) that
    existed on the dominant switch before the merge.
- Verify that two destination profiles do not have the same name (even if they have different
  configuration information) on the subordinate and dominant switches. If they do have the same
  name, the merge operation will fail. You must then modify or delete the conflicting destination
  profile on the required switch.

Call Home Communications Test


You can test Call Home communications by sending a test message to the configured destination(s) or
sending a test inventory message to the configured destination(s).

Testing Call Home Using Fabric Manager


To test the Call Home function and simulate a message generation using Fabric Manager, follow these
steps:

Step 1 Select a switch in the Fabric pane.


Step 2 Expand Switches, expand Events, and select Call Home in the Physical Attributes pane.
You see the Call Home information in the Information pane.
Step 3 Click the Test tab.
You see the configured tests for the switch and the status of the last testing.
Step 4 Select a switch in the Information pane.
Step 5 Select test or testWithInventory from the TestAction drop-down list in the row for that switch.

Step 6 Click the Apply Changes icon to run the test.

Clearing Call Home Name Server Database


When the Call Home name server database is full, a new entry cannot be added. The device is not allowed
to come online.
To clear the name server database, increase the database size or perform a cleanup by removing unused
devices. A total of 20,000 name server entries are supported.

Configuring EMC E-mail Home Delayed Traps


Fabric Manager can be configured to generate EMC E-mail Home XML e-mail messages. In SAN-OS Release
3.x or earlier, Fabric Manager listens to interface traps and generates EMC E-mail Home e-mail messages.
Link traps are generated when an interface goes from up to down or vice versa. For example, if there is a
scheduled server reboot, the link goes down and Fabric Manager generates an e-mail notification.
Cisco NX-OS Release 4.1(3) provides the ability to generate a delayed trap so that the number of
generated e-mail messages is reduced. This method filters server reboots and avoids generating
unnecessary EMC E-mail Home e-mail messages. In NX-OS Release 4.1(3), you can select either the
existing behavior or the new delayed trap feature.

Configuring Delayed Traps Using Cisco Fabric Manager


The server.callhome.delayedtrap.enable property is added to section 9 Call Home in the server.properties
configuration file. This property enables the Fabric Manager server to use delayed traps instead
of regular linkDown traps for EMC E-mail Home messages. To enable this feature, you need to turn on
delayed traps at the switch level, and then set the server.callhome.delayedtrap.enable property in the
server.properties configuration file to true. By default, the server.callhome.delayedtrap.enable option is
disabled and regular linkDown traps are used.
To enable delayed traps on switches running NX-OS Release 4.1(3) and later using Fabric Manager,
follow these steps:

Step 1 In the Physical Attributes pane, expand Switches > Events, and select SNMP Traps.
In the table above the map layout in Fabric Manager, click the Delayed Traps tab.

Figure 62-16 Delayed Trap Dialog Box

Step 2 Check the Enable check box for the switches on which you want to enable delayed traps.
Step 3 Enter the timer value in the Delay column.
Step 4 Click Apply to save your changes.

Note If no value is entered, the default value of 4 minutes is used.

To disable delayed traps, follow these steps:

Step 1 Uncheck the Enable check box.

Figure 62-17 Delayed Trap Dialog Box

Step 2 Click Apply.

Enabling Delayed Traps Using Cisco Device Manager


To enable the delayed traps using Device Manager, follow these steps:

Step 1 In Device Manager, choose Admin > Events > Filters > Delayed Traps.
You can see the Events Filters information in the Information pane.
Step 2 Click the Delayed Traps tab.

Figure 62-18 Delayed Traps Dialog Box

Step 3 Check the Enable check box to enable delayed traps.


The delay interval is available only when the feature is enabled.

Step 4 To disable Delayed Traps, uncheck the Enable check box and click Apply.

Figure 62-19 Disable Traps Dialog Box

Sample Syslog Alert Notification in Full-txt Format


source:MDS9000
Switch Priority:7
Device Id:DS-C9506@C@FG@07120011
Customer Id:basu
Contract Id:123
Site Id:San Jose
Server Id:DS-C9506@C@FG@07120011
Time of Event:2004-10-08T11:10:44
Message Name:SYSLOG_ALERT
Message Type:Syslog
Severity Level:2
System Name:10.76.100.177
Contact Name:Basavaraj B
Contact e-mail:[email protected]
Contact Phone:+91-80-310-1718
Street Address:#71 , Miller's Road
Event Description:2004 Oct 8 11:10:44 10.76.100.177 %PORT-5-IF_TRUNK_UP: %$VSAN 1%$
Interface fc2/5, vsan 1 is up

syslog_facility:PORT
start chassis information:
Affected Chassis:DS-C9506
Affected Chassis Serial Number:FG@07120011
Affected Chassis Hardware Version:0.104
Affected Chassis Software Version:3.1(1)
Affected Chassis Part No:73-8607-01
end chassis information:

Sample Syslog Alert Notification in XML Format


<?xml version="1.0" encoding="UTF-8" ?>
<soap-env:Envelope xmlns:soap-env="http://www.w3.org/2003/05/soap-envelope">
<soap-env:Header>
<aml-session:Session xmlns:aml-session="http://www.cisco.com/2004/01/aml-session"
soap-env:mustUnderstand="true"
soap-env:role="http://www.w3.org/2003/05/soap-envelope/role/next">
<aml-session:To>http://tools.cisco.com/neddce/services/DDCEService</aml-session:To>
<aml-session:Path>
<aml-session:Via>http://www.cisco.com/appliance/uri</aml-session:Via>
</aml-session:Path>
<aml-session:From>http://www.cisco.com/appliance/uri</aml-session:From>
<aml-session:MessageId>1004:FOX090306QT:3E55A81A</aml-session:MessageId>
</aml-session:Session>
</soap-env:Header>
<soap-env:Body>
<aml-block:Block xmlns:aml-block="http://www.cisco.com/2004/01/aml-block">
<aml-block:Header>
<aml-block:Type>http://www.cisco.com/2005/05/callhome/syslog</aml-block:Type>
<aml-block:CreationDate>2003-02-21 04:16:18 GMT+00:00</aml-block:CreationDate>
<aml-block:Builder>
<aml-block:Name>MDS</aml-block:Name>
<aml-block:Version>4.1</aml-block:Version>
</aml-block:Builder>
<aml-block:BlockGroup>
<aml-block:GroupId>1005:FOX090306QT:3E55A81A</aml-block:GroupId>
<aml-block:Number>0</aml-block:Number>
<aml-block:IsLast>true</aml-block:IsLast>
<aml-block:IsPrimary>true</aml-block:IsPrimary>
<aml-block:WaitForPrimary>false</aml-block:WaitForPrimary>
</aml-block:BlockGroup>
<aml-block:Severity>6</aml-block:Severity>
</aml-block:Header>
<aml-block:Content>
<ch:CallHome xmlns:ch="http://www.cisco.com/2005/05/callhome" version="1.0">
<ch:EventTime>2003-02-21 04:16:18 GMT+00:00</ch:EventTime>
<ch:MessageDescription>LICENSE_VIOLATION 2003 Feb 21 04:16:18 switch %$
%DAEMON-3-SYSTEM_MSG: &lt;&lt;%LICMGR-3-LOG_LICAPP_NO_LIC&gt;&gt; License file is missing
for feature SAN_EXTN_OVER_IP</ch:MessageDescription>
<ch:Event>
<ch:Type>syslog</ch:Type>
<ch:SubType>LICENSE_VIOLATION</ch:SubType>
<ch:Brand>Cisco</ch:Brand>
<ch:Series>MDS9000</ch:Series>
</ch:Event>
<ch:CustomerData>
<ch:UserData>
<ch:e-mail>[email protected]</ch:e-mail>
</ch:UserData>
<ch:ContractData>
<ch:CustomerId>eeranna</ch:CustomerId>
<ch:SiteId>Bangalore</ch:SiteId>
<ch:ContractId>123</ch:ContractId>
<ch:DeviceId>DS-C9216I-K9@C@FOX090306QT</ch:DeviceId>
</ch:ContractData>
<ch:SystemInfo>
<ch:Name>switch</ch:Name>
<ch:Contact>Eeranna</ch:Contact>
<ch:Contacte-mail>[email protected]</ch:Contacte-mail>
<ch:ContactPhoneNumber>+91-80-310-1718</ch:ContactPhoneNumber>
<ch:StreetAddress>#71, Miller&apos;s Road</ch:StreetAddress>
</ch:SystemInfo>
</ch:CustomerData>
<ch:Device>
<rme:Chassis xmlns:rme="http://www.cisco.com/rme/4.0">
<rme:Model>DS-C9216I-K9</rme:Model>
<rme:HardwareVersion>1.0</rme:HardwareVersion>
<rme:SerialNumber>FOX090306QT</rme:SerialNumber>
</rme:Chassis>
</ch:Device>
</ch:CallHome>
</aml-block:Content>
<aml-block:Attachments>
<aml-block:Attachment type="inline">
<aml-block:Name>show logging logfile | tail -n 200</aml-block:Name>
<aml-block:Data encoding="plain">
<![CDATA[syslog_show:: command: 1055 param_count: 0

2003 Feb 21 04:11:48 %KERN-2-SYSTEM_MSG: Starting kernel... - kernel


2003 Feb 21 04:11:48 %KERN-3-SYSTEM_MSG: CMOS: Module initialized - kernel
2003 Feb 21 04:11:48 %KERN-2-SYSTEM_MSG: CARD TYPE: KING BB Index = 2344 - kernel
2003 Feb 21 04:12:04 %MODULE-5-ACTIVE_SUP_OK: Supervisor 1 is active (serial:
JAB100700MC)
2003 Feb 21 04:12:04 %PLATFORM-5-MOD_STATUS: Module 1 current-status is
MOD_STATUS_ONLINE/OK
2003 Feb 21 04:12:06 %IMAGE_DNLD-SLOT1-5-ADDON_IMG_DNLD_COMPLETE: Addon module image
download process completed. Addon Image download completed, installing image please wait..
2003 Feb 21 04:12:07 %IMAGE_DNLD-SLOT1-5-ADDON_IMG_DNLD_SUCCESSFUL: Addon module image
download and install process successful. Addon image installed.
2003 Feb 21 04:12:08 %KERN-3-SYSTEM_MSG: klm_af_xipc: Unknown parameter `start&apos; -
kernel
2003 Feb 21 04:12:08 %KERN-3-SYSTEM_MSG: klm_ips_portcfg: Unknown parameter `start&apos;
- kernel
2003 Feb 21 04:12:08 %KERN-3-SYSTEM_MSG: klm_flamingo: Unknown parameter `start&apos; -
kernel
2003 Feb 21 04:12:10 %PORT-5-IF_UP: Interface mgmt0 is up
2003 Feb 21 04:12:21 switch %LICMGR-3-LOG_LIC_FILE_MISSING: License file(s) missing for
feature ENTERPRISE_PKG.
2003 Feb 21 04:12:21 switch %LICMGR-3-LOG_LIC_FILE_MISSING: License file(s) missing for
feature SAN_EXTN_OVER_IP.
2003 Feb 21 04:12:21 switch %LICMGR-3-LOG_LIC_FILE_MISSING: License file(s) missing for
feature ENTERPRISE_PKG.
2003 Feb 21 04:12:21 switch %LICMGR-3-LOG_LIC_FILE_MISSING: License file(s) missing for
feature SAN_EXTN_OVER_IP.
2003 Feb 21 04:12:23 switch %PLATFORM-5-MOD_STATUS: Module 1 current-status is
MOD_STATUS_ONLINE/OK
2003 Feb 21 04:12:23 switch %MODULE-5-MOD_OK: Module 1 is online (serial: JAB100700MC)
2003 Feb 21 04:12:25 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/1 is down
(Administratively down)
2003 Feb 21 04:12:25 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/2 is down
(Administratively down)
2003 Feb 21 04:12:25 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/3 is down
(Administratively down)
2003 Feb 21 04:12:25 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/4 is down
(Administratively down)
2003 Feb 21 04:12:26 switch %PLATFORM-5-PS_STATUS: PowerSupply 1 current-status is PS_FAIL
2003 Feb 21 04:12:26 switch %PLATFORM-2-PS_FAIL: Power supply 1 failed or shut down
(Serial number QCS1007109F)
2003 Feb 21 04:12:26 switch %PLATFORM-5-PS_FOUND: Power supply 2 found (Serial number
QCS1007109R)
2003 Feb 21 04:12:26 switch %PLATFORM-2-PS_OK: Power supply 2 ok (Serial number
QCS1007109R)
2003 Feb 21 04:12:26 switch %PLATFORM-5-PS_STATUS: PowerSupply 2 current-status is PS_OK
2003 Feb 21 04:12:26 switch %PLATFORM-2-PS_FANOK: Fan in Power supply 2 ok
2003 Feb 21 04:12:26 switch %PLATFORM-5-FAN_DETECT: Fan module 1 (Serial number
NWG0901031X) ChassisFan1 detected
2003 Feb 21 04:12:26 switch %PLATFORM-2-FAN_OK: Fan module ok
2003 Feb 21 04:12:26 switch %PLATFORM-2-CHASSIS_CLKMODOK: Chassis clock module A ok
2003 Feb 21 04:12:26 switch %PLATFORM-2-CHASSIS_CLKSRC: Current chassis clock source is
clock-A
2003 Feb 21 04:12:26 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/5 is down
(Administratively down)
2003 Feb 21 04:12:26 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/6 is down
(Administratively down)
2003 Feb 21 04:12:26 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/7 is down
(Administratively down)
2003 Feb 21 04:12:26 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/8 is down
(Administratively down)
2003 Feb 21 04:12:26 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/9 is down
(Administratively down)
2003 Feb 21 04:12:26 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/10 is
down (Administratively down)

2003 Feb 21 04:12:27 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/11 is


down (Administratively down)
2003 Feb 21 04:12:27 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/12 is
down (Administratively down)
2003 Feb 21 04:12:27 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/13 is
down (Administratively down)
2003 Feb 21 04:12:27 switch %PORT-5-IF_DOWN_ADMIN_DOWN: %$VSAN 1%$ Interface fc1/14 is
down (Administratively down)
2003 Feb 21 04:12:30 switch %PLATFORM-2-MOD_DETECT: Module 2 detected (Serial number
JAB0923016X) Module-Type IP Storage Services Module Model DS-X9304-SMIP
2003 Feb 21 04:12:30 switch %MODULE-2-MOD_UNKNOWN: Module type [25] in slot 2 is not
supported
2003 Feb 21 04:12:45 switch %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by root on
console0
2003 Feb 21 04:14:06 switch %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on
console0
2003 Feb 21 04:15:12 switch %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on
console0
2003 Feb 21 04:15:52 switch %SYSMGR-3-BASIC_TRACE: core_copy: PID 1643 with message Core
not generated by system for licmgr(0). WCOREDUMP(9) returned zero .
2003 Feb 21 04:15:52 switch %SYSMGR-2-SERVICE_CRASHED: Service \"licmgr\" (PID 2272)
hasn&apos;t caught signal 9 (no core).
2003 Feb 21 04:16:18 switch %LICMGR-3-LOG_LIC_FILE_MISSING: License file(s) missing for
feature ENTERPRISE_PKG.
2003 Feb 21 04:16:18 switch %LICMGR-3-LOG_LIC_FILE_MISSING: License file(s) missing for
feature SAN_EXTN_OVER_IP.
2003 Feb 21 04:16:18 switch %LICMGR-3-LOG_LIC_FILE_MISSING: License file(s) missing for
feature ENTERPRISE_PKG.
2003 Feb 21 04:16:18 switch %LICMGR-3-LOG_LIC_FILE_MISSING: License file(s) missing for
feature SAN_EXTN_OVER_IP.
2003 Feb 21 04:16:18 switch %CALLHOME-2-EVENT: LICENSE_VIOLATION
2003 Feb 21 04:16:18 switch %CALLHOME-2-EVENT: LICENSE_VIOLATION
2003 Feb 21 04:16:18 switch %CALLHOME-2-EVENT: LICENSE_VIOLATION
2003 Feb 21 04:16:18 switch %CALLHOME-2-EVENT: LICENSE_VIOLATION ]]>
</aml-block:Data>
</aml-block:Attachment>
<aml-block:Attachment type="inline">
<aml-block:Name>show license usage</aml-block:Name>
<aml-block:Data encoding="plain">
<![CDATA[Feature Ins Lic Status Expiry Date Comments
Count
--------------------------------------------------------------------------------
DMM_184_PKG No 0 Unused Grace expired
FM_SERVER_PKG No - Unused Grace expired
MAINFRAME_PKG No - Unused Grace expired
ENTERPRISE_PKG Yes - Unused never license missing
DMM_FOR_SSM_PKG No 0 Unused Grace expired
SAN_EXTN_OVER_IP Yes 8 Unused never 8 license(s) missing
PORT_ACTIVATION_PKG No 0 Unused -
SME_FOR_IPS_184_PKG No 0 Unused Grace expired
STORAGE_SERVICES_184 No 0 Unused Grace expired
SAN_EXTN_OVER_IP_18_4 No 0 Unused Grace expired
SAN_EXTN_OVER_IP_IPS2 No 0 Unused Grace expired
SAN_EXTN_OVER_IP_IPS4 No 0 Unused Grace expired
STORAGE_SERVICES_SSN16 No 0 Unused Grace expired
10G_PORT_ACTIVATION_PKG No 0 Unused -
STORAGE_SERVICES_ENABLER_PKG No 0 Unused Grace expired
--------------------------------------------------------------------------------
**** WARNING: License file(s) missing. **** ]]>
</aml-block:Data>
</aml-block:Attachment>
</aml-block:Attachments>
</aml-block:Block>
</soap-env:Body>
</soap-env:Envelope>

Sample RMON Notification in XML Format


<?xml version="1.0" encoding="UTF-8" ?>
<soap-env:Envelope xmlns:soap-env="http://www.w3.org/2003/05/soap-envelope">
<soap-env:Header>
<aml-session:Session xmlns:aml-session="http://www.cisco.com/2004/01/aml-session"
soap-env:mustUnderstand="true"
soap-env:role="http://www.w3.org/2003/05/soap-envelope/role/next">
<aml-session:To>http://tools.cisco.com/neddce/services/DDCEService</aml-session:To>
<aml-session:Path>
<aml-session:Via>http://www.cisco.com/appliance/uri</aml-session:Via>
</aml-session:Path>
<aml-session:From>http://www.cisco.com/appliance/uri</aml-session:From>
<aml-session:MessageId>1086:FHH0927006V:48BA26BD</aml-session:MessageId>
</aml-session:Session>
</soap-env:Header>
<soap-env:Body>
<aml-block:Block xmlns:aml-block="http://www.cisco.com/2004/01/aml-block">
<aml-block:Header>
<aml-block:Type>http://www.cisco.com/2005/05/callhome/diagnostic</aml-block:Type>
<aml-block:CreationDate>2008-08-31 05:06:05 GMT+00:00</aml-block:CreationDate>
<aml-block:Builder>
<aml-block:Name>MDS</aml-block:Name>
<aml-block:Version>4.1</aml-block:Version>
</aml-block:Builder>
<aml-block:BlockGroup>
<aml-block:GroupId>1087:FHH0927006V:48BA26BD</aml-block:GroupId>
<aml-block:Number>0</aml-block:Number>
<aml-block:IsLast>true</aml-block:IsLast>
<aml-block:IsPrimary>true</aml-block:IsPrimary>
<aml-block:WaitForPrimary>false</aml-block:WaitForPrimary>
</aml-block:BlockGroup>
<aml-block:Severity>2</aml-block:Severity>
</aml-block:Header>
<aml-block:Content>
<ch:CallHome xmlns:ch="http://www.cisco.com/2005/05/callhome" version="1.0">
<ch:EventTime>2008-08-31 05:06:05 GMT+00:00</ch:EventTime>
<ch:MessageDescription>RMON_ALERT WARNING(4) Falling:iso.3.6.1.4.1.9.9.305.1.1.1.0=1 &lt;=
89:1, 4</ch:MessageDescription>
<ch:Event>
<ch:Type>diagnostic</ch:Type>
<ch:SubType>GOLD-major</ch:SubType>
<ch:Brand>Cisco</ch:Brand>
<ch:Series>MDS9000</ch:Series>
</ch:Event>
<ch:CustomerData>
<ch:UserData>
<ch:e-mail>[email protected]</ch:e-mail>
</ch:UserData>
<ch:ContractData>
<ch:CustomerId>12ss</ch:CustomerId>
<ch:SiteId>2233</ch:SiteId>
<ch:ContractId>rrr55</ch:ContractId>
<ch:DeviceId>DS-C9513@C@FHH0927006V</ch:DeviceId>
</ch:ContractData>
<ch:SystemInfo>
<ch:Name>sw172-22-46-174</ch:Name>
<ch:Contact>Mani</ch:Contact>
<ch:Contacte-mail>[email protected]</ch:Contacte-mail>
<ch:ContactPhoneNumber>+1-800-304-1234</ch:ContactPhoneNumber>
<ch:StreetAddress>1234 wwee</ch:StreetAddress>
</ch:SystemInfo>
</ch:CustomerData>

<ch:Device>
<rme:Chassis xmlns:rme="http://www.cisco.com/rme/4.0">
<rme:Model>DS-C9513</rme:Model>
<rme:HardwareVersion>0.205</rme:HardwareVersion>
<rme:SerialNumber>FHH0927006V</rme:SerialNumber>
</rme:Chassis>
</ch:Device>
</ch:CallHome>
</aml-block:Content>
</aml-block:Block>
</soap-env:Body>
</soap-env:Envelope>

Event Triggers
This section discusses Call Home trigger events. Trigger events are divided into categories, with each
category assigned CLI commands to execute when the event occurs. The command output is included in
the transmitted message. Table 62-2 lists the trigger events.
Table 62-2 Event Triggers

Event | Alert Group | Event Name | Description | Call Home Message Level
Call Home | System and CISCO_TAC | SW_CRASH | A software process has crashed with a stateless restart, indicating an interruption of a service. | 5
Call Home | System and CISCO_TAC | SW_SYSTEM_INCONSISTENT | Inconsistency detected in software or file system. | 5
Call Home | Environmental and CISCO_TAC | TEMPERATURE_ALARM | Thermal sensor indicates temperature reached operating threshold. | 6
Call Home | Environmental and CISCO_TAC | POWER_SUPPLY_FAILURE | Power supply failed. | 6
Call Home | Environmental and CISCO_TAC | FAN_FAILURE | Cooling fan has failed. | 5
Call Home | Line Card Hardware and CISCO_TAC | LINECARD_FAILURE | Line card hardware operation failed. | 7
Call Home | Line Card Hardware and CISCO_TAC | POWER_UP_DIAGNOSTICS_FAILURE | Line card hardware failed power-up diagnostics. | 7
Call Home | Line Card Hardware and CISCO_TAC | PORT_FAILURE | Hardware failure of interface port(s). | 6
Call Home | Line Card Hardware, Supervisor Hardware, and CISCO_TAC | BOOTFLASH_FAILURE | Failure of boot compact Flash card. | 6
Call Home | Supervisor Hardware and CISCO_TAC | NVRAM_FAILURE | Hardware failure of NVRAM on Supervisor hardware. | 6
Call Home | Supervisor Hardware and CISCO_TAC | FREEDISK_FAILURE | Free disk space is below a threshold on Supervisor hardware. | 6
Call Home | Supervisor Hardware and CISCO_TAC | SUP_FAILURE | Supervisor hardware operation failed. | 7
Call Home | Supervisor Hardware and CISCO_TAC | POWER_UP_DIAGNOSTICS_FAILURE | Supervisor hardware failed power-up diagnostics. | 7
Call Home | Supervisor Hardware and CISCO_TAC | INBAND_FAILURE | Failure of in-band communications path. | 7
Call Home | Supervisor Hardware and CISCO_TAC | EOBC_FAILURE | Ethernet out-of-band channel communications failure. | 6
Call Home | Supervisor Hardware and CISCO_TAC | MGMT_PORT_FAILURE | Hardware failure of management Ethernet port. | 5
Call Home | License | LICENSE_VIOLATION | Feature in use is not licensed and is turned off after grace period expiration. | 6
Inventory | Inventory and CISCO_TAC | COLD_BOOT | Switch is powered up and reset to a cold boot sequence. | 2
Inventory | Inventory and CISCO_TAC | HARDWARE_INSERTION | New piece of hardware inserted into the chassis. | 2
Inventory | Inventory and CISCO_TAC | HARDWARE_REMOVAL | Hardware removed from the chassis. | 2
Test | Test and CISCO_TAC | TEST | User generated test. | 2
Port syslog | Syslog-group-port | SYSLOG_ALERT | Syslog messages corresponding to the port facility. | 5
RMON | RMON | RMON_ALERT | RMON alert trigger messages. | 2

Table 62-3 lists event categories and command outputs.

Table 62-3 Event Categories and Executed Commands

Event Category: System
Description: Events generated by failure of a software system that is critical to unit operation.
Executed Commands:
  show tech-support
  show system redundancy status
  show module
  show version
  show tech-support platform
  show tech-support sysmgr
  show hardware
  show sprom all

Event Category: Environmental
Description: Events related to power, fan, and environment sensing elements such as temperature alarms.
Executed Commands:
  show module
  show environment
  show module
  show version
  show environment
  show logging logfile | tail -n 200

Event Category: Line Card Hardware
Description: Events related to standard or intelligent line card hardware.
Executed Commands:
  show tech-support
  show module
  show version
  show tech-support platform
  show tech-support sysmgr
  show hardware
  show sprom all

Event Category: Supervisor Hardware
Description: Events related to supervisor modules.
Executed Commands:
  show tech-support
  show module
  show version
  show tech-support platform
  show tech-support sysmgr
  show hardware
  show sprom all

Event Category: Inventory
Description: Inventory status is provided whenever a unit is cold booted, or when FRUs are inserted or removed. This is considered a noncritical event, and the information is used for status and entitlement.
Executed Commands:
  show version
  show module
  show version
  show hardware
  show inventory
  show system uptime
  show sprom all
  show license usage

Event Category: Test
Description: User generated test message.
Executed Commands:
  show version
  show module
  show version

Call Home Message Levels


Call Home messages (sent for syslog alert groups) have the syslog severity level mapped to the Call
Home message level (see the Syslog-Based Alerts section on page 62-12).
This section discusses the severity levels for a Call Home message when using one or more switches in
the Cisco MDS 9000 Family. Call Home message levels are preassigned per event type.

Severity levels range from 0 to 9, with 9 having the highest urgency. Each Call Home severity level has a
keyword and a corresponding syslog level, as listed in Table 62-4.

Note Call Home does not change the syslog message level in the message text. The syslog message texts in
the Call Home log appear as they are described in the Cisco MDS 9000 Family System Messages Guide.

Note Call Home severity levels are not the same as system message logging severity levels (see Chapter 61,
Configuring System Message Logging and the Cisco MDS 9000 Family System Messages Guide).

Table 62-4 Severity and Syslog Level Mapping

Call Home Level | Keyword Used | Syslog Level | Description
Catastrophic (9) | Catastrophic | N/A | Network wide catastrophic failure.
Disaster (8) | Disaster | N/A | Significant network impact.
Fatal (7) | Fatal | Emergency (0) | System is unusable.
Critical (6) | Critical | Alert (1) | Critical conditions, immediate attention needed.
Major (5) | Major | Critical (2) | Major conditions.
Minor (4) | Minor | Error (3) | Minor conditions.
Warning (3) | Warning | Warning (4) | Warning conditions.
Notify (2) | Notification | Notice (5) | Basic notification and informational messages. Possibly independently insignificant.
Normal (1) | Normal | Information (6) | Normal event signifying return to normal state.
Debug (0) | Debugging | Debug (7) | Debugging messages.
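
The XML samples above and the level keywords in Table 62-4, combined in an added example that is not part of the Cisco guide: a Python parser that extracts the ch: and aml-block: fields from one Call Home message, maps aml-block:Severity to its keyword and syslog level, and checks the Device ID (type@Sid@serial) against the rme:Chassis data. The function names, the trimmed sample message, and the DOCTYPE rejection are assumptions of this example; namespace URIs are written in plain http:// form.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the XML samples; the short prefixes are local to this script.
NS = {
    "env": "http://www.w3.org/2003/05/soap-envelope",
    "ses": "http://www.cisco.com/2004/01/aml-session",
    "blk": "http://www.cisco.com/2004/01/aml-block",
    "ch": "http://www.cisco.com/2005/05/callhome",
    "rme": "http://www.cisco.com/rme/4.0",
}

# Table 62-4: Call Home level -> (keyword, syslog level; None where the table says N/A).
LEVELS = {
    9: ("Catastrophic", None), 8: ("Disaster", None), 7: ("Fatal", 0),
    6: ("Critical", 1), 5: ("Major", 2), 4: ("Minor", 3), 3: ("Warning", 4),
    2: ("Notification", 5), 1: ("Normal", 6), 0: ("Debugging", 7),
}

# Constructed sample, trimmed from the RMON notification shown on this page.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" ?>
<soap-env:Envelope xmlns:soap-env="http://www.w3.org/2003/05/soap-envelope">
<soap-env:Header>
<aml-session:Session xmlns:aml-session="http://www.cisco.com/2004/01/aml-session">
<aml-session:MessageId>1086:FHH0927006V:48BA26BD</aml-session:MessageId>
</aml-session:Session>
</soap-env:Header>
<soap-env:Body>
<aml-block:Block xmlns:aml-block="http://www.cisco.com/2004/01/aml-block">
<aml-block:Header>
<aml-block:Severity>2</aml-block:Severity>
</aml-block:Header>
<aml-block:Content>
<ch:CallHome xmlns:ch="http://www.cisco.com/2005/05/callhome" version="1.0">
<ch:EventTime>2008-08-31 05:06:05 GMT+00:00</ch:EventTime>
<ch:MessageDescription>RMON_ALERT WARNING(4) Falling:iso.3.6.1.4.1.9.9.305.1.1.1.0=1 &lt;= 89:1, 4</ch:MessageDescription>
<ch:Event><ch:Type>diagnostic</ch:Type><ch:SubType>GOLD-major</ch:SubType></ch:Event>
<ch:CustomerData>
<ch:ContractData><ch:DeviceId>DS-C9513@C@FHH0927006V</ch:DeviceId></ch:ContractData>
<ch:SystemInfo><ch:Name>sw172-22-46-174</ch:Name></ch:SystemInfo>
</ch:CustomerData>
<ch:Device>
<rme:Chassis xmlns:rme="http://www.cisco.com/rme/4.0">
<rme:Model>DS-C9513</rme:Model>
<rme:SerialNumber>FHH0927006V</rme:SerialNumber>
</rme:Chassis>
</ch:Device>
</ch:CallHome>
</aml-block:Content>
</aml-block:Block>
</soap-env:Body>
</soap-env:Envelope>"""


def _text(node, path):
    """Return the stripped text of the first element matching path, or ''."""
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else ""


def parse_device_id(udi):
    """Split a Device ID of the form type@Sid@serial (Table 62-6); Sid must be C."""
    parts = udi.split("@")
    if len(parts) != 3 or parts[1] != "C" or not parts[0] or not parts[2]:
        raise ValueError(f"malformed Device ID: {udi!r}")
    return {"model": parts[0], "sid": parts[1], "serial": parts[2]}


def parse_call_home(xml_text):
    """Parse one Call Home XML message into a flat dict, rejecting malformed input."""
    # The message comes from the network (for example by e-mail), so treat it as
    # untrusted: refuse any DTD before the parser can expand entities from it.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in Call Home message")
    root = ET.fromstring(xml_text)
    block = root.find("env:Body/blk:Block", NS)
    call_home = None if block is None else block.find("blk:Content/ch:CallHome", NS)
    if call_home is None:
        raise ValueError("no ch:CallHome content in message")

    sev_text = _text(block, "blk:Header/blk:Severity")
    if not sev_text.isdigit() or int(sev_text) not in LEVELS:
        raise ValueError(f"unexpected severity: {sev_text!r}")
    level = int(sev_text)
    keyword, syslog_level = LEVELS[level]

    device = parse_device_id(_text(call_home, "ch:CustomerData/ch:ContractData/ch:DeviceId"))
    chassis = "ch:Device/rme:Chassis/"
    return {
        "message_id": _text(root, "env:Header/ses:Session/ses:MessageId"),
        "event_time": _text(call_home, "ch:EventTime"),
        "type": _text(call_home, "ch:Event/ch:Type"),
        "subtype": _text(call_home, "ch:Event/ch:SubType"),
        "description": " ".join(_text(call_home, "ch:MessageDescription").split()),
        "level": level,
        "keyword": keyword,
        "syslog_level": syslog_level,
        "system_name": _text(call_home, "ch:CustomerData/ch:SystemInfo/ch:Name"),
        "device": device,
        # A Device ID that disagrees with the chassis block deserves a second look.
        "chassis_consistent": (
            device["model"] == _text(call_home, chassis + "rme:Model")
            and device["serial"] == _text(call_home, chassis + "rme:SerialNumber")
        ),
    }


if __name__ == "__main__":
    for key, value in parse_call_home(SAMPLE).items():
        print(f"{key}: {value}")
```

A literal "<!DOCTYPE" inside an attachment's CDATA also triggers the rejection, which is the conservative choice for a receiver of untrusted mail.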

Message Contents
The following contact information can be configured on the switch:
- Name of the contact person
- Phone number of the contact person
- E-mail address of the contact person
- Mailing address to which replacement parts must be shipped, if required
- Site ID of the network where the site is deployed
- Contract ID to identify the service contract of the customer with the service provider
Table 62-5 describes the short text formatting option for all message types.

Table 62-5 Short Text Messages

Data Item | Description
Device identification | Configured device name
Date/time stamp | Time stamp of the triggering event
Error isolation message | Plain English description of triggering event
Alarm urgency level | Error level such as that applied to system message

Table 62-6, Table 62-7, and Table 62-8 display the information contained in plain text and XML
messages.

Table 62-6 Reactive Event Message Format

| Data Item (Plain text and XML) | Description (Plain text and XML) | XML Tag (XML only) |
|---|---|---|
| Time stamp | Date and time stamp of event in ISO time notation: YYYY-MM-DDTHH:MM:SS. Note: The time zone or daylight savings time (DST) offset from UTC has already been added or subtracted. T is the hardcoded limiter for the time. | /mml/header/time - ch:EventTime |
| Message name | Name of message. Specific event names are listed in the Event Triggers section on page 62-30. | /mml/header/name |
| Message type | Specifically Call Home. | /mml/header/type - ch:Type |
| Message group | Specifically reactive. | /mml/header/group |
| Severity level | Severity level of message (see Table 62-4). | /mml/header/level - aml-block:Severity |
| Source ID | Product type for routing. | /mml/header/source - ch:Series |
| Device ID | Unique device identifier (UDI) for end device generating message. This field should be empty if the message is non-specific to a fabric switch. Format: type@Sid@serial, where type is the product model number from backplane SEEPROM; @ is a separator character; Sid is C, identifying the serial ID as a chassis serial number; serial is the number identified by the Sid field. Example: DS-C9509@C@12345678 | /mml/header/deviceId |
| Customer ID | Optional user-configurable field used for contract info or other ID by any support service. | /mml/header/customerID - ch:CustomerId |
| Contract ID | Optional user-configurable field used for contract info or other ID by any support service. | /mml/header/contractId - ch:ContractId |
| Site ID | Optional user-configurable field used for Cisco-supplied site ID or other data meaningful to alternate support service. | /mml/header/siterId - ch:SiteId |
| Server ID | If the message is generated from the fabric switch, it is the unique device identifier (UDI) of the switch. Format: type@Sid@serial, where type is the product model number from backplane SEEPROM; @ is a separator character; Sid is C, identifying the serial ID as a chassis serial number; serial is the number identified by the Sid field. Example: DS-C9509@C@12345678 | /mml/header/serverId - -blank- |
| Message description | Short text describing the error. | /mml/body/msgDesc - ch:MessageDescription |
| Device name | Node that experienced the event. This is the host name of the device. | /mml/body/sysName - ch:SystemInfo/Name |
| Contact name | Name of person to contact for issues associated with the node experiencing the event. | /mml/body/sysContact - ch:SystemInfo/Contact |
| Contact e-mail | E-mail address of person identified as contact for this unit. | /mml/body/sysContacte-mail - ch:SystemInfo/Contacte-mail |
| Contact phone number | Phone number of the person identified as the contact for this unit. | /mml/body/sysContactPhoneNumber - ch:SystemInfo/ContactPhoneNumber |
| Street address | Optional field containing street address for RMA part shipments associated with this unit. | /mml/body/sysStreetAddress - ch:SystemInfo/StreetAddress |
| Model name | Model name of the switch. This is the specific model as part of a product family name. | /mml/body/chassis/name - rme:Chassis/Model |
| Serial number | Chassis serial number of the unit. | /mml/body/chassis/serialNo - rme:Chassis/SerialNumber |
| Chassis part number | Top assembly number of the chassis. | /mml/body/fru/partNo - rme:chassis/Card/PartNumber |
| Chassis hardware version | Hardware version of chassis. | /mml/body/chassis/hwVersion - rme:Chassis/HardwareVersion |
| Supervisor module software version | Top level software version. | /mml/body/fru/swVersion - rme:chassis/Card/SoftwareIdentity |
| Affected FRU name | Name of the affected FRU generating the event message. | /mml/body/fru/name - rme:chassis/Card/Model |
| Affected FRU serial number | Serial number of affected FRU. | /mml/body/fru/serialNo - rme:chassis/Card/SerialNumber |
| Affected FRU part number | Part number of affected FRU. | /mml/body/fru/partNo - rme:chassis/Card/PartNumber |
| FRU slot | Slot number of FRU generating the event message. | /mml/body/fru/slot - rme:chassis/Card/LocationWithinContainer |
| FRU hardware version | Hardware version of affected FRU. | /mml/body/fru/hwVersion - rme:chassis/Card/SoftwareIdentity |
| FRU software version | Software version(s) running on affected FRU. | /mml/body/fru/swVersion - rme:chassis/Card/SoftwareIdentity |
| Command output name | The exact name of the issued command. | /mml/attachments/attachment/name - aml-block:Attachment/Name |
| Attachment type | Specifically command output. | /mml/attachments/attachment/type - aml-block:Attachment type |
| MIME type | Normally text or plain or encoding type. | /mml/attachments/attachment/mime - aml-block:Attachment/Data encoding |
| Command output text | Output of command automatically executed (see Table 62-3). | /mml/attachments/attachment/atdata - aml-block:Attachment/Data |

Table 62-7 Inventory Event Message Format

| Data Item (Plain text and XML) | Description (Plain text and XML) | XML Tag (XML only) |
|---|---|---|
| Time stamp | Date and time stamp of event in ISO time notation: YYYY-MM-DDTHH:MM:SS. Note: The time zone or daylight savings time (DST) offset from UTC has already been added or subtracted. T is the hardcoded limiter for the time. | /mml/header/time - ch:EventTime |
| Message name | Name of message. Specifically Inventory Update. Specific event names are listed in the Event Triggers section on page 62-30. | /mml/header/name |
| Message type | Specifically Inventory Update. | /mml/header/type - ch-inv:Type |
| Message group | Specifically proactive. | /mml/header/group |
| Severity level | Severity level of inventory event is level 2 (see Table 62-4). | /mml/header/level - aml-block:Severity |
| Source ID | Product type for routing at Cisco. Specifically MDS 9000. | /mml/header/source - ch-inv:Series |
| Device ID | Unique device identifier (UDI) for end device generating message. This field should be empty if the message is non-specific to a fabric switch. Format: type@Sid@serial, where type is the product model number from backplane SEEPROM; @ is a separator character; Sid is C, identifying the serial ID as a chassis serial number; serial is the number identified by the Sid field. Example: DS-C9509@C@12345678 | /mml/header/deviceId |
| Customer ID | Optional user-configurable field used for contact info or other ID by any support service. | /mml/header/customerID - ch-inv:CustomerId |
| Contract ID | Optional user-configurable field used for contact info or other ID by any support service. | /mml/header/contractId - ch-inv:ContractId |
| Site ID | Optional user-configurable field, can be used for Cisco-supplied site ID or other data meaningful to alternate support service. | /mml/header/siterId - ch-inv:SiteId |
| Server ID | If the message is generated from the fabric switch, it is the unique device identifier (UDI) of the switch. Format: type@Sid@serial, where type is the product model number from backplane SEEPROM; @ is a separator character; Sid is C, identifying the serial ID as a chassis serial number; serial is the number identified by the Sid field. Example: DS-C9509@C@12345678 | /mml/header/serverId - -blank- |
| Message description | Short text describing the error. | /mml/body/msgDesc - ch-inv:MessageDescription |
| Device name | Node that experienced the event. | /mml/body/sysName - ch-inv:SystemInfo/Name |
| Contact name | Name of person to contact for issues associated with the node experiencing the event. | /mml/body/sysContact - ch-inv:SystemInfo/Contact |
| Contact e-mail | E-mail address of person identified as contact for this unit. | /mml/body/sysContacte-mail - ch-inv:SystemInfo/Contacte-mail |
| Contact phone number | Phone number of the person identified as the contact for this unit. | /mml/body/sysContactPhoneNumber - ch-inv:SystemInfo/ContactPhoneNumber |
| Street address | Optional field containing street address for RMA part shipments associated with this unit. | /mml/body/sysStreetAddress - ch-inv:SystemInfo/StreetAddress |
| Model name | Model name of the unit. This is the specific model as part of a product family name. | /mml/body/chassis/name - rme:Chassis/Model |
| Serial number | Chassis serial number of the unit. | /mml/body/chassis/serialNo - rme:Chassis/SerialNumber |
| Chassis part number | Top assembly number of the chassis. | /mml/body/fru/partNo - rme:chassis/Card/PartNumber |
| Chassis hardware version | Hardware version of chassis. | /mml/body/fru/hwVersion - rme:chassis/Card/SoftwareIdentity |
| Supervisor module software version | Top level software version. | /mml/body/fru/swVersion - rme:chassis/Card/SoftwareIdentity |
| FRU name | Name of the affected FRU generating the event message. | /mml/body/fru/name - rme:chassis/Card/Model |
| FRU s/n | Serial number of FRU. | /mml/body/fru/serialNo - rme:chassis/Card/SerialNumber |
| FRU part number | Part number of FRU. | /mml/body/fru/partNo - rme:chassis/Card/PartNumber |
| FRU slot | Slot number of FRU. | /mml/body/fru/slot - rme:chassis/Card/LocationWithinContainer |
| FRU hardware version | Hardware version of FRU. | /mml/body/fru/hwVersion - rme:chassis/Card/SoftwareIdentity |
| FRU software version | Software version(s) running on FRU. | /mml/body/fru/swVersion - rme:chassis/Card/SoftwareIdentity |
| Command output name | The exact name of the issued command. | /mml/attachments/attachment/name - aml-block:Attachment/Name |
| Attachment type | Specifically command output. | /mml/attachments/attachment/type - aml-block:Attachment type |
| MIME type | Normally text or plain or encoding type. | /mml/attachments/attachment/mime - aml-block:Attachment/Data encoding |
| Command output text | Output of command automatically executed after event categories (see Event Triggers section on page 62-30). | /mml/attachments/attachment/atdata - aml-block:Attachment/Data |


Table 62-8 User-Generated Test Message Format

| Data Item (Plain text and XML) | Description (Plain text and XML) | XML Tag (XML only) |
|---|---|---|
| Time stamp | Date and time stamp of event in ISO time notation: YYYY-MM-DDTHH:MM:SS. Note: The time zone or daylight savings time (DST) offset from UTC has already been added or subtracted. T is the hardcoded limiter for the time. | /mml/header/time - ch:EventTime |
| Message name | Name of message. Specifically test message for test type message. Specific event names are listed in the Event Triggers section on page 62-30. | /mml/header/name |
| Message type | Specifically Test Call Home. | /mml/header/type - ch:Type |
| Message group | This field should be ignored by the receiving Call Home processing application, but may be populated with either proactive or reactive. | /mml/header/group |
| Severity level | Severity level of message, test Call Home message (see Table 62-4). | /mml/header/level - aml-block:Severity |
| Source ID | Product type for routing. | /mml/header/source - ch:Series |
| Device ID | Unique device identifier (UDI) for end device generating message. This field should be empty if the message is non-specific to a fabric switch. Format: type@Sid@serial, where type is the product model number from backplane SEEPROM; @ is a separator character; Sid is C, identifying the serial ID as a chassis serial number; serial is the number identified by the Sid field. Example: DS-C9509@C@12345678 | /mml/header/deviceId |
| Customer ID | Optional user-configurable field used for contract info or other ID by any support service. | /mml/header/customerID - ch:CustomerId |
| Contract ID | Optional user-configurable field used for contract info or other ID by any support service. | /mml/header/contractId - ch:ContractId |
| Site ID | Optional user-configurable field used for Cisco-supplied site ID or other data meaningful to alternate support service. | /mml/header/siterId - ch:SiteId |
| Server ID | If the message is generated from the fabric switch, it is the unique device identifier (UDI) of the switch. Format: type@Sid@serial, where type is the product model number from backplane SEEPROM; @ is a separator character; Sid is C, identifying the serial ID as a chassis serial number; serial is the number identified by the Sid field. Example: DS-C9509@C@12345678 | /mml/header/serverId - -blank- |
| Message description | Short text describing the error. | /mml/body/msgDesc - ch:MessageDescription |
| Device name | Switch that experienced the event. | /mml/body/sysName - ch:SystemInfo/Name |
| Contact name | Name of person to contact for issues associated with the node experiencing the event. | /mml/body/sysContact - ch:SystemInfo/Contact |
| Contact e-mail | E-mail address of person identified as contact for this unit. | /mml/body/sysContacte-mail - ch:SystemInfo/Contacte-mail |
| Contact phone number | Phone number of the person identified as the contact for this unit. | /mml/body/sysContactPhoneNumber - ch:SystemInfo/ContactPhoneNumber |
| Street address | Optional field containing street address for RMA part shipments associated with this unit. | /mml/body/sysStreetAddress - ch:SystemInfo/StreetAddress |
| Model name | Model name of the switch. This is the specific model as part of a product family name. | /mml/body/chassis/name - rme:Chassis/Model |
| Serial number | Chassis serial number of the unit. | /mml/body/chassis/serialNo - rme:Chassis/SerialNumber |
| Chassis part number | Top assembly number of the chassis. For example, 800-xxx-xxxx. | /mml/body/fru/partNo - rme:chassis/Card/PartNumber |
| Command output text | Output of command automatically executed after event categories listed in Table 62-3. | /mml/attachments/attachment/atdata - aml-block:Attachment/Data |
| MIME type | Normally text or plain or encoding type. | /mml/attachments/attachment/mime - aml-block:Attachment/Data encoding |
| Attachment type | Specifically command output. | /mml/attachments/attachment/type - aml-block:Attachment type |
| Command output name | The exact name of the issued command. | /mml/attachments/attachment/name - aml-block:Attachment/Name |

Default Settings
Table 62-9 lists the default Call Home settings.


Table 62-9 Default Call Home Settings

| Parameters | Default |
|---|---|
| Destination message size for a message sent in full text format. | 500,000 |
| Destination message size for a message sent in XML format. | 500,000 |
| Destination message size for a message sent in short text format. | 4000 |
| DNS or IP address of the SMTP server to reach the server if no port is specified. | 25 |
| Alert group association with profile. | All |
| Format type. | XML |
| Call Home message level. | 0 (zero) |
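
A receiving-side check built from Tables 62-6 through 62-9, as an added example that is not Cisco code: it validates one XML Call Home message against the documented time stamp, message group and type@Sid@serial formats and the 500,000 default size, and keeps the contact fields out of log output. The element layout is assumed to follow the /mml/... paths in the XML Tag column; the literal type string, the refusal of DTDs and the sample message are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

MAX_XML_BYTES = 500_000        # Table 62-9 default size for XML-format messages
GROUPS = {"reactive", "proactive"}
TEST_TYPE = "Test Call Home"   # assumed literal; Table 62-8 only names the type
UDI_RE = re.compile(r"^([^@\s]+)@C@([^@\s]+)$")   # type@Sid@serial, Sid is C
# Body fields that identify a person or a shipping address (Tables 62-6 to 62-8).
CONTACT_FIELDS = ("sysContact", "sysContacte-mail",
                  "sysContactPhoneNumber", "sysStreetAddress")


class CallHomeError(ValueError):
    """Raised when an inbound message does not match the documented format."""


def parse_udi(value):
    """Return (model, serial) for a type@Sid@serial UDI, or None if empty."""
    value = (value or "").strip()
    if not value:
        return None            # the tables allow an empty Device ID
    match = UDI_RE.match(value)
    if match is None:
        raise CallHomeError(f"malformed UDI: {value!r}")
    return match.group(1), match.group(2)


def parse_call_home(raw):
    """Validate one XML Call Home message (bytes) and return its fields."""
    if len(raw) > MAX_XML_BYTES:
        raise CallHomeError("message larger than the XML size limit")
    # Assumption: Call Home needs no DTD, so a message that declares one
    # is refused before it reaches the XML parser.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise CallHomeError("DTD or entity declaration present")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise CallHomeError(f"not well-formed XML: {exc}") from exc
    if root.tag != "mml":
        raise CallHomeError(f"unexpected root element {root.tag!r}")

    def text(path):
        node = root.find(path)
        return (node.text or "").strip() if node is not None else ""

    try:
        when = datetime.strptime(text("header/time"), "%Y-%m-%dT%H:%M:%S")
    except ValueError as exc:
        raise CallHomeError("time stamp is not YYYY-MM-DDTHH:MM:SS") from exc

    msg_type, group = text("header/type"), text("header/group")
    # Table 62-8: the group of a test message is ignored by the receiver.
    if msg_type != TEST_TYPE and group not in GROUPS:
        raise CallHomeError(f"unexpected message group {group!r}")

    return {
        "time": when,
        "name": text("header/name"),
        "type": msg_type,
        "group": group,
        "device": parse_udi(text("header/deviceId")),
        "server": parse_udi(text("header/serverId")),
        "description": text("body/msgDesc"),
        "contact": {f: text(f"body/{f}") for f in CONTACT_FIELDS},
        # Command output is untrusted data: record name, type and size only.
        "attachments": [
            {"name": (a.findtext("name") or "").strip(),
             "mime": (a.findtext("mime") or "").strip(),
             "size": len(a.findtext("atdata") or "")}
            for a in root.findall("attachments/attachment")
        ],
    }


def loggable(message):
    """Copy of a parsed message with the contact fields removed for logging."""
    return {k: v for k, v in message.items() if k != "contact"}


# Constructed sample message; only the UDI is taken from the tables' example.
SAMPLE = b"""<mml>
  <header>
    <time>2009-03-14T10:15:30</time>
    <name>constructed-event</name>
    <type>Call Home</type>
    <group>reactive</group>
    <deviceId>DS-C9509@C@12345678</deviceId>
    <serverId>DS-C9509@C@12345678</serverId>
  </header>
  <body>
    <msgDesc>constructed sample description</msgDesc>
    <sysContact>Example Admin</sysContact>
    <sysContacte-mail>admin@example.com</sysContacte-mail>
  </body>
  <attachments><attachment><name>show version</name>
    <mime>text/plain</mime><atdata>constructed output</atdata>
  </attachment></attachments>
</mml>"""

if __name__ == "__main__":
    print(loggable(parse_call_home(SAMPLE)))
```
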


CHAPTER 63
Configuring Fabric Configuration Servers

This chapter describes the Fabric Configuration Server (FCS) feature provided in the Cisco MDS 9000
Family of directors and switches. It includes the following sections:
• About FCS
• Displaying FCS Discovery
• Displaying FCS Elements
• Creating an FCS Platform
• Displaying FCS Fabric Ports
• Default Settings

About FCS
The Fabric Configuration Server (FCS) provides discovery of topology attributes and maintains a
repository of configuration information of fabric elements. A management application is usually
connected to the FCS on the switch through an N port. The FCS views the entire fabric based on the
following objects:
• Interconnect element (IE) object: Each switch in the fabric corresponds to an IE object. One or more IE objects form a fabric.
• Port object: Each physical port in an IE corresponds to a port object. This includes the switch ports (xE, Fx, and TL ports) and their attached Nx ports.
• Platform object: A set of nodes may be defined as a platform object to make it a single manageable entity. These nodes are end-devices (host systems, storage subsystems) attached to the fabric. Platform objects reside at the edge switches of the fabric.
Each object has its own set of attributes and values. A null value may also be defined for some attributes.
In the Cisco MDS 9000 Family switch environment, multiple VSANs constitute a fabric, where one
instance of the FCS is present per VSAN.
As of Cisco NX-OS Release 4.1(1), FCS supports the discovery of virtual devices. The fcs
virtual-device-add command, issued in FCS configuration submode, allows you to discover virtual
devices in a particular VSAN or in all VSANs. The devices that are zoned for IVR must be discovered
with this command and have request domain_ID (RDI) enabled, before activating the IVR zone set.


If you have attached a management application to a switch, all the frames directed towards the FCS in
the switch are part of the port VSAN in the switch port (Fx port). Your view of the management
application is limited only to this VSAN. However, information about other VSANs that this switch is
part of can be obtained through either SNMP or the CLI.
In Figure 63-1, Management Application 1 (M1) is connected through an F port with port VSAN ID 1,
and Management Application 2 (M2) is connected through an F port with port VSAN ID 2. M1 can query
the FCS information of switches S1 and S3, and M2 can query switches S3 and S4. Switch S2
information is not known to either of them. FCS operations can be done only on those switches that are
visible in the VSAN. Note that M2 can send FCS requests only for VSAN 2 even though S3 is also a part
of VSAN 1.

Figure 63-1 FCSs in a VSAN Environment
[Diagram not reproduced. Labels: Management Application 1 (F port, port VSAN=1); Management Application 2 (F port, port VSAN=2); N port; Switch 1 (dFCS1), Switch 2 (dFCS2), Switch 3 (dFCS3), Switch 4 (dFCS4); ISL1, ISL2, ISL3; VSAN 1, VSAN 2, VSAN 3.]

Significance of FCS
This section lists the significance of FCSs.
• FCSs support network management including the following:
  - An N port management application can query and obtain information about fabric elements.
  - An SNMP manager can use the FCS management information base (MIB) to start discovery and obtain information about the fabric topology.
• FCSs support TE and TL ports in addition to the standard F and E ports.
• FCS can maintain a group of nodes with a logical name and management address when a platform registers with it. FCSs maintain a backup of all registrations in secondary storage and update it with every change. When a restart or switchover happens, FCSs retrieve the secondary storage information and rebuild their database.
• An SNMP manager can query FCSs for all IEs, ports, and platforms in the fabric.


Displaying FCS Discovery


To display FCS discovery information using Device Manager, follow these steps:

Step 1 Choose FC > Advanced > Fabric Config Server.


You see the Fabric Config Server dialog box shown in Figure 63-2.

Figure 63-2 Fabric Config Server Dialog Box

Step 2 Click the Discovery tab.
Step 3 Click Discover to rediscover the fabric, or click Refresh to update the display.

Displaying FCS Elements


To display FCS interconnect element information using Device Manager, follow these steps:

Step 1 Choose FC > Advanced > Fabric Config Server.


You see the Fabric Config Server dialog box.
Step 2 Click the Interconnect Elements tab.
You see the dialog box shown in Figure 63-3.


Figure 63-3 FCS Interconnect Elements Tab

Step 3 Click Close to close the dialog box.

Creating an FCS Platform


To create an FCS platform using Device Manager, follow these steps:

Step 1 Choose FC > Advanced > Fabric Config Server.


You see the Fabric Config Server dialog box.
Step 2 Click the Platforms (Enclosures) tab.
Step 3 Click Create.
You see the Create Fabric Config Server dialog box shown in Figure 63-4.

Figure 63-4 Create Fabric Config Server Dialog Box


Step 4 Enter the VSAN ID, or select the ID from the drop-down list of available VSAN IDs.
Step 5 Enter the Fabric Configuration Server name in the Name field.
Step 6 Choose the type of server (Gateway, Host, Storage).
Step 7 Enter the WWNs for the server.
Step 8 Enter the management addresses for the server.
Step 9 Click Create to create the server, or click Close to discard your changes and return to the Fabric Config
Server dialog box.

Displaying FCS Fabric Ports


To display FCS fabric port information using Device Manager, follow these steps:

Step 1 Choose FC > Advanced > Fabric Config Server.


You see the Fabric Config Server dialog box.
Step 2 Click the Fabric Ports tab.
You see a list of fabric ports (see Figure 63-5).


Figure 63-5 FCS Fabric Ports

Step 3 Click Refresh to update the display.

Default Settings
Table 63-1 lists the default FCS settings.

Table 63-1 Default FCS Settings

| Parameters | Default |
|---|---|
| Global checking of the platform name | Disabled. |
| Platform node type | Unknown. |


PART 9

Traffic Management

CHAPTER 64
Configuring Fabric Congestion Control and QoS

Fibre Channel Congestion Control (FCC) is a Cisco proprietary flow control mechanism that alleviates
congestion on Fibre Channel networks.
Quality of service (QoS) offers the following advantages:
• Provides relative bandwidth guarantee to application traffic.
• Controls latency experienced by application traffic.
• Prioritizes one application over another (for example, prioritizing transactional traffic over bulk traffic) through bandwidth and latency differentiation.
This chapter provides details on the QoS and FCC features provided in all switches. It includes the
following sections:
• FCC
• QoS
• Example Configuration
• Ingress Port Rate Limiting
• Default Settings

FCC
FCC reduces the congestion in the fabric without interfering with the standard Fibre Channel protocols.
This section contains the following topics:
• About FCC
• FCC Process
• Enabling FCC
• Assigning FCC Priority

About FCC
The FCC protocol increases the granularity and the scale of congestion control applied to any class of
traffic (see Figure 64-1).


Figure 64-1 FCC Mechanisms
[Diagram not reproduced. Labels: Switch 1 sends regular traffic to Switch 2; Switch 2 sends congested traffic to Switch 3; Switch 3 sends congestion control message to Switch 1 to slow down the traffic control.]

Edge quench congestion control provides feedback to the source about the rate at which frames should
be injected into the network (frame intervals).

Note FCC is not supported on the Cisco Fabric Switch for HP c-Class BladeSystem and Cisco Fabric Switch
for IBM BladeCenter.

FCC Process
When a node in the network detects congestion for an output port, it generates an edge quench message.
These frames are identified by the Fibre Channel destination ID (DID) and the source ID. A switch from
other vendors simply forwards these frames.
Any receiving switch in the Cisco MDS 9000 Family handles frames in one of these ways:
• It forwards the frame.
• It limits the rate of the frame flow in the congested port.
The behavior of the flow control mechanism differs based on the Fibre Channel DID:
• If the Fibre Channel DID is directly connected to one of the switch ports, the input rate limit is applied to that port.
• If the destination of the edge quench frame is a Cisco domain or the next hop is a Cisco MDS 9000 Family switch, the frame is forwarded.
• If neither of these conditions is true, then the frame is processed in the port going towards the FC DID.
All switches (including the edge switch) along the congested path process path quench frames. However,
only the edge switch processes edge quench frames.

Enabling FCC
By default, the FCC protocol is disabled. FCC can only be enabled for the entire switch.

Tip If you enable FCC, be sure to enable it in all switches in the fabric.

To enable or disable the FCC feature using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand FC Services and then select FCC in the Physical Attributes pane.


The FCC information is displayed in the Information pane. The General tab is the default.
Step 2 Select the switch on which you want to enable FCC.
Step 3 Check the Enable check box.
Step 4 Click Apply Changes to save your changes.

Assigning FCC Priority


To assign FCC priority using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand FC Services and then select FCC in the Physical Attributes pane.
The FCC information is displayed in the Information pane. The General tab is the default.
Step 2 Select the switch for which you want to assign the FCC priority.
Step 3 Enter the priority in the Priority column.
Step 4 Click Apply Changes to save your changes.

QoS
QoS implementation in the Cisco MDS 9000 Family follows the differentiated services (DiffServ)
model. The DiffServ standard is defined in RFCs 2474 and 2475.
All switches support the following types of traffic:
• About Control Traffic
• Enabling or Disabling Control Traffic
• About Data Traffic
• VSAN Versus Zone-Based QoS
• Configuring Data Traffic
• About Class Map Creation
• Creating a Class Map
• About Service Policy Definition
• About Service Policy Enforcement
• About the DWRR Traffic Scheduler Queue
• Changing the Weight in a DWRR Queue

About Control Traffic


The Cisco MDS 9000 Family supports QoS for internally and externally generated control traffic. Within
a switch, control traffic is sourced to the supervisor module and is treated as a high priority frame. A
high priority status provides absolute priority over all other traffic and is assigned in the following cases:


• Internally generated time-critical control traffic (mostly Class F frames).
• Externally generated time-critical control traffic entering a switch in the Cisco MDS 9000 Family from another vendor's switch. High priority frames originating from other vendor switches are marked as high priority as they enter a switch in the Cisco MDS 9000 Family.

Enabling or Disabling Control Traffic


By default, the QoS feature for certain critical control traffic is enabled. These critical control frames
are assigned the highest (absolute) priority.

Tip We do not recommend disabling this feature as all critical control traffic is automatically assigned the
lowest priority once you issue this command.

To enable or disable the high priority assignment for control traffic using Fabric Manager, follow these
steps:

Step 1 Expand Switches, expand FC Services and then select QoS in the Physical Attributes pane.
The QoS control traffic information is displayed in the Information pane. The Control tab is the default.
Step 2 Select the switch on which you want to enable or disable control traffic.
Step 3 In the Command column, click the drop-down menu and select enable or disable.
Step 4 Click Apply Changes to save your changes.

About Data Traffic


Online transaction processing (OLTP), which is a low volume, latency sensitive application, requires
quick access to requested information. Backup processing applications require high bandwidth but are
not sensitive to latency. In a network that does not support service differentiation, all traffic is treated
identically: every flow experiences similar latency and is allocated similar bandwidth. The QoS feature in
the Cisco MDS 9000 Family switches provides the latency and bandwidth guarantees these applications require.
Data traffic can be prioritized in distinct levels of service differentiation: low, medium, or high priority.
You can apply QoS to ensure that Fibre Channel data traffic for your latency-sensitive applications
receives higher priority than throughput-intensive applications such as data warehousing (see
Figure 64-2).


Figure 64-2 Prioritizing Data Traffic
[Diagram not reproduced. Labels: OLTP server; Backup server; Disk; FC; Congestion; Switch 1 and Switch 2, each with VOQ(s) holding Absolute, High, Medium and Low queues.]

In Figure 64-2, the OLTP traffic arriving at Switch 1 is marked with a high priority level through
classification (class map) and marking (policy map). Similarly, the backup traffic is marked with a low
priority level. The traffic is sent to the corresponding priority queue within a virtual output queue (VOQ).
A deficit weighted round robin (DWRR) scheduler configured in the first switch ensures that high
priority traffic is treated better than low priority traffic. For example, DWRR weights of 70:20:10 imply
that the high priority queue is serviced at 7 times the rate of the low priority queue. This guarantees lower
delays and higher bandwidths to high priority traffic if congestion sets in. A similar configuration in the
second switch ensures the same traffic treatment in the other direction.
If the ISL is congested when the OLTP server sends a request, the request is queued in the high priority
queue and is serviced almost immediately since the high priority queue is not congested. The scheduler
gives it priority over the backup traffic in the low priority queue.

Note: When the high priority queue does not have traffic flowing through, the low priority queue uses all the
bandwidth and is not restricted to the configured value.

A similar occurrence in Switch 2 sends a response to the transaction request. The round trip delay
experienced by the OLTP server is independent of the volume of low priority traffic or the ISL
congestion. The backup traffic uses the available ISL bandwidth when it is not used by the OLTP traffic.

Tip: To achieve this traffic differentiation, be sure to enable FCC (see the "Enabling FCC" section on
page 64-2).

VSAN Versus Zone-Based QoS


While you can configure both zone-based QoS and VSAN-based QoS configurations in the same switch,
both configurations have significant differences. Table 64-1 highlights the differences between
configuring QoS priorities based on VSANs versus zones.


Table 64-1 QoS Configuration Differences

VSAN-Based QoS | Zone-Based QoS
If you configure the active zone set on a given VSAN and also configure QoS parameters in any of the member zones, you cannot associate the policy map with the VSAN. | You cannot activate a zone set on a VSAN that already has a policy map associated.
If the same flow is present in two class maps associated to a policy map, the QoS value of the class map attached first takes effect. | If the same flow is present in two zones in a given zone set with different QoS values, the higher QoS value is considered.
- | During a zone merge, if the Cisco NX-OS software detects a mismatch for the QoS parameter, the link is isolated.
Takes effect only when QoS is enabled. | Takes effect only when QoS is enabled.

See the "About Zone-Based Traffic Priority" section on page 30-36 for details on configuring a
zone-based QoS policy.

Configuring Data Traffic


To configure QoS using Fabric Manager, follow these steps:

Step 1 Enable the QoS feature.


Step 2 Create and define class maps.
Step 3 Define service policies.
Step 4 Apply the configuration.

Tip: QoS is supported in interoperability mode. For more information, refer to the Cisco MDS 9000 Family
Switch-to-Switch Interoperability Configuration Guide.

About Class Map Creation


Use the class map feature to create and define a traffic class with match criteria to identify traffic
belonging to that class. The class map name is restricted to 63 alphanumeric characters and defaults to
the match-all option. Flow-based traffic uses one of the following values:
WWN: The source WWN or the destination WWN.
Fibre Channel ID (FC ID): The source ID (SID) or the destination ID (DID). The possible values
for mask are FFFFFF (the entire FC ID is used; this is the default), FFFF00 (only domain and area
FC ID is used), or FF0000 (only domain FC ID is used).

Note: An SID or DID of 0x000000 is not allowed.


Source interface: The ingress interface.

Tip: The order of entries to be matched within a class map is not significant.

Creating a Class Map


To create a class map using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand FC Services and then select QoS in the Physical Attributes pane.
The QoS information is displayed in the Information pane shown in Figure 64-3. The Control tab is the
default.

Figure 64-3 Quality of Service Control Tab

Step 2 In the Class Maps tab, click Create Row to create a new class map.
You see the Create Class Maps dialog box shown in Figure 64-4.

Figure 64-4 Create Class Maps Dialog Box

Step 3 Select the switches for the class map.


Step 4 Enter the source ID or the destination ID in the field.
Step 5 Enter a name for the class map.
Step 6 Select a Match mode. You can match either any or all criteria with one match statement from the class
map configuration mode.
Step 7 Click Create to proceed with creating the class map.


About Service Policy Definition


Service policies are specified using policy maps. Policy maps provide an ordered mapping of class maps
to service levels. You can specify multiple class maps within a policy map, and map a class map to a
high, medium, or low service level. The default priority is low. The policy map name is restricted to 63
alphanumeric characters.
As an alternative, you can map a class map to a differentiated services code point (DSCP). The DSCP is
an indicator of the service level for a specified frame. The DSCP value ranges from 0 to 63, and the
default is 0. A DSCP value of 46 is disallowed.
The order of the class maps within a policy map is important to determine the order in which the frame
is compared to class maps. The first matching class map has the corresponding priority marked in the
frame.

Note: Refer to
http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a00800949f2.shtml for
further information on implementing QoS DSCP values.

Note: Class maps are processed in the order in which they are configured in each policy map.
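
The class map and policy map rules described above (FC ID masks, match-all versus match-any, first-match ordering, the DSCP restriction), as an added Python model that is not Cisco code or part of the original guide. The class and function names, FC IDs, and interface names are constructed for illustration; the WWNs appear in Figure 64-7, and their assignment to the OLTP server, backup server, and disk is an assumption read from the figure labels.

```python
from dataclasses import dataclass

ALLOWED_MASKS = (0xFFFFFF, 0xFFFF00, 0xFF0000)  # entire FC ID, domain+area, domain only
PRIORITIES = ("high", "medium", "low")


@dataclass(frozen=True)
class Frame:
    sid: int        # source FC ID
    did: int        # destination FC ID
    src_wwn: str
    dst_wwn: str
    ingress: str    # source (ingress) interface


def match_fcid(attr, fcid, mask=0xFFFFFF):
    """Criterion on the SID ('sid') or DID ('did'), compared under a mask."""
    if fcid == 0x000000:
        raise ValueError("an SID or DID of 0x000000 is not allowed")
    if mask not in ALLOWED_MASKS:
        raise ValueError(f"mask must be FFFFFF, FFFF00 or FF0000, not {mask:06X}")
    return lambda frame: (getattr(frame, attr) & mask) == (fcid & mask)


def match_exact(attr, value):
    """Criterion on a WWN ('src_wwn', 'dst_wwn') or on the ingress interface."""
    return lambda frame: getattr(frame, attr).lower() == value.lower()


def check_name(name):
    # The guide restricts class map and policy map names to 63 alphanumeric characters.
    if not (name.isalnum() and len(name) <= 63):
        raise ValueError("name must be at most 63 alphanumeric characters")
    return name


class ClassMap:
    def __init__(self, name, criteria, match_all=True):  # match-all is the default
        if not criteria:
            raise ValueError("a class map needs at least one match criterion")
        self.name, self.criteria, self.match_all = check_name(name), list(criteria), match_all

    def matches(self, frame):
        # The order of the criteria inside one class map does not matter.
        hits = [criterion(frame) for criterion in self.criteria]
        return all(hits) if self.match_all else any(hits)


class PolicyMap:
    def __init__(self, name):
        self.name = check_name(name)
        self.entries = []  # the order of insertion is the order of comparison

    def add(self, class_map, priority="low", dscp=None):  # the default priority is low
        if priority not in PRIORITIES:
            raise ValueError("priority must be high, medium or low")
        if dscp is not None and (not 0 <= dscp <= 63 or dscp == 46):
            raise ValueError("DSCP must be in 0-63, and 46 is disallowed")
        marking = ("dscp", dscp) if dscp is not None else ("priority", priority)
        self.entries.append((class_map, marking))
        return self

    def classify(self, frame):
        """Return (class map name, marking) of the first matching class map, else None."""
        for class_map, marking in self.entries:
            if class_map.matches(frame):
                return class_map.name, marking
        return None  # no class map matched; queuing of such frames is outside this model


# WWNs from Figure 64-7 (device assignment assumed); FC IDs and interfaces are constructed.
OLTP_WWN, BACKUP_WWN = "21:00:00:0c:50:02:ca:b5", "21:00:00:0c:50:02:c7:ff"
DISK_WWN = "22:00:00:04:cf:22:eb:dc"
OLTP_FRAME = Frame(0x0A0100, 0x140200, OLTP_WWN, DISK_WWN, "fc1/1")
BACKUP_FRAME = Frame(0x0A0300, 0x140200, BACKUP_WWN, DISK_WWN, "fc1/2")


def build_policy(domain_class_first=False):
    """Build the example policy; optionally put the broad domain-wide class first."""
    oltp = ClassMap("OltpToDisk", [match_exact("src_wwn", OLTP_WWN),
                                   match_exact("dst_wwn", DISK_WWN)])
    backup = ClassMap("BackupToDisk", [match_exact("src_wwn", BACKUP_WWN),
                                       match_exact("dst_wwn", DISK_WWN)])
    by_domain = ClassMap("FromDomain0A", [match_fcid("sid", 0x0A0000, mask=0xFF0000)])
    policy = PolicyMap("DiskPolicy")
    if domain_class_first:
        policy.add(by_domain, "medium")
    policy.add(oltp, "high").add(backup)  # backup keeps the default priority, low
    if not domain_class_first:
        policy.add(by_domain, "medium")
    return policy


if __name__ == "__main__":
    print(build_policy().classify(OLTP_FRAME))
    print(build_policy(domain_class_first=True).classify(OLTP_FRAME))
```

Placing the broad FF0000-masked class map ahead of the WWN-specific one causes the OLTP flow to be marked medium instead of high, which is why the order of class maps in a policy map deserves review whenever a wide mask is used.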

About Service Policy Enforcement


When you have configured a QoS data traffic policy, you must enforce the data traffic configuration by
applying that policy to the required VSAN(s). If you do not apply the policy to a VSAN, the data traffic
configuration is not enforced. You can only apply one policy map to a VSAN.

Note: You can apply the same policy to a range of VSANs.

About the DWRR Traffic Scheduler Queue


The Cisco NX-OS software supports four scheduling queues:
Strict priority queues are queues that are serviced in preference to other queues. A strict priority queue
is always serviced if there is a frame queued in it, regardless of the state of the other queues.
QoS assigns all other traffic to the DWRR scheduling high, medium, and low priority traffic queues.
The DWRR scheduler services the queues in the ratio of the configured weights. Higher weights translate
to proportionally higher bandwidth and lower latency. The default weights are 50 for the high queue, 30
for the medium queue, and 20 for the low queue. Decreasing order of queue weights is mandated to
ensure the higher priority queues have a higher service level, though the ratio of the configured weights
can vary (for example, one can configure 70:30:5 or 60:50:10 but not 50:70:10).
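
The DWRR behavior described here and in the 70:20:10 example under About Data Traffic, as an added Python simulation that is not Cisco code or part of the original guide. The quantum size, frame sizes, and function names are assumptions chosen for illustration; the strict priority queue is not modeled.

```python
from collections import deque

QUEUES = ("high", "medium", "low")
DEFAULT_WEIGHTS = {"high": 50, "medium": 30, "low": 20}  # defaults given in this guide
QUANTUM_UNIT = 100  # bytes of credit per weight point per round (assumption)


def validate_weights(weights):
    """Reject weight sets that are not in decreasing order high, medium, low.

    The guide allows 70:30:5 or 60:50:10 but not 50:70:10. Whether equal
    weights are accepted is not stated; this sketch accepts them.
    """
    high, medium, low = (weights[q] for q in QUEUES)
    if min(high, medium, low) <= 0:
        raise ValueError("weights must be positive")
    if not (high >= medium >= low):
        raise ValueError(f"weights {high}:{medium}:{low} are not in decreasing order")
    return weights


def dwrr_serve(backlog, weights, link_budget):
    """Serve frames until link_budget bytes are sent or every queue is empty.

    backlog maps a queue name to a list of frame sizes in bytes.
    Returns the number of bytes sent from each queue.
    """
    validate_weights(weights)
    queues = {q: deque(backlog.get(q, ())) for q in QUEUES}
    deficit = dict.fromkeys(QUEUES, 0)
    sent = dict.fromkeys(QUEUES, 0)
    total = 0
    while total < link_budget and any(queues.values()):
        for q in QUEUES:
            if not queues[q]:
                deficit[q] = 0  # an idle queue accumulates no credit
                continue
            deficit[q] += weights[q] * QUANTUM_UNIT
            # Send head-of-line frames while the queue has enough credit.
            while queues[q] and queues[q][0] <= deficit[q] and total < link_budget:
                size = queues[q].popleft()
                deficit[q] -= size
                sent[q] += size
                total += size
    return sent


def shares(sent):
    """Convert bytes sent per queue into percentages of the total."""
    total = sum(sent.values())
    return {q: (round(100 * sent[q] / total, 1) if total else 0.0) for q in QUEUES}


if __name__ == "__main__":
    weights = {"high": 70, "medium": 20, "low": 10}
    # Constructed load: every queue is backlogged with 2000-byte frames (congestion).
    congested = {q: [2000] * 200 for q in QUEUES}
    print("congested:", shares(dwrr_serve(congested, weights, link_budget=200_000)))
    # Constructed load: only backup (low priority) traffic is present.
    backup_only = {"low": [2000] * 50}
    print("backup only:", shares(dwrr_serve(backup_only, weights, link_budget=10**9)))
```

Under congestion the shares follow the configured 70:20:10 ratio, and with no high or medium traffic queued the low queue takes the whole link, matching the Note under About Data Traffic.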
Table 64-2 describes the QoS behavior for Generation 1, Generation 2, and Generation 3 switching
modules.


Table 64-2 QoS Behavior for Generation 1 and Generation 2 Switching Modules

Source Module Type | Destination Module Type | QoS Behavior Description
Generation 1 | Generation 1 | QoS behavior reflects the DWRR configuration for traffic coming in through a given port and queued to the same egress port. All the other traffic share equal bandwidth.
Generation 1 | Generation 2 or Generation 3 | QoS behavior reflects the DWRR configuration for traffic coming in through a given port and queued to the same egress port. All the other streams share equal bandwidth.
Generation 2 or Generation 3 | Generation 1 | Bandwidth partitioning is equal for all the traffic.
Generation 2 or Generation 3 | Generation 2 or Generation 3 | QoS behavior reflects the DWRR weights configuration for all possible streams.

Changing the Weight in a DWRR Queue


To change the weight in a DWRR queue using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand FC Services and then select QoS in the Physical Attributes pane.
The QoS control traffic information is displayed in the Information pane shown in Figure 64-5. The
default is the Control tab.

Figure 64-5 Quality of Service Control Tab

Step 2 Click the DWRR tab.


You see the queue status and weight (see Figure 64-6).

Figure 64-6 QoS Queue Status and Weight


Step 3 Select a switch and change the weight.


Step 4 Click the Apply Changes icon to save your changes.

Example Configuration
This section describes a configuration example for the application illustrated in Figure 64-7.

Figure 64-7 Example Application for Traffic Prioritization
(Diagram labels: OLTP server, 21:00:00:0c:50:02:ca:b5; Disk, 22:00:00:04:cf:22:eb:dc; Backup server, 21:00:00:0c:50:02:c7:ff; Switch 1, Switch 2, Congestion; each switch shows VOQ(s) with Absolute, High, Medium, and Low queues.)

Both the OLTP server and the backup server are accessing the disk. The backup server is writing large
amounts of data to the disk. This data does not require specific service guarantees. The volumes of data
generated by the OLTP server to the disk are comparatively much lower but this traffic requires faster
response because transaction processing is a low latency application.
The point of congestion is the link between Switch 2 and the disk, for traffic from the switch to the disk.
The return path is largely uncongested as there is little backup traffic on this path.
Service differentiation is needed at Switch 2 to prioritize the OLTP-server-to-disk traffic higher than the
backup-server-to-disk traffic.
To configure traffic prioritization for the example application, follow these steps:

Step 1 Create the class maps.


Step 2 Create the policy map.
Step 3 Assign the service policy.
Step 4 Assign the weights for the DWRR queues.
Step 5 Repeat Step 1 through Step 4 on Switch 1 to address forward path congestion at both switches.


Congestion could occur anywhere in the example configuration. To address congestion of the return path
at both switches, you need to create two more class maps and include them in the policy map as follows:

Step 1 Create two more class maps.


Step 2 Assign the class maps to the policy map.
Step 3 Repeat Step 1 through Step 2 on Switch 1 to address return path congestion at both switches.

Ingress Port Rate Limiting


A port rate limiting feature helps control the bandwidth for individual Fibre Channel ports. Port rate
limiting is also referred to as ingress rate limiting because it controls ingress traffic into a Fibre Channel
port. The feature controls traffic flow by limiting the number of frames that are transmitted out of the
exit point on the MAC. Port rate limiting works on all Fibre Channel ports. The rate limit ranges from 1
to 100% and the default is 100%.

Note: Port rate limiting can only be configured on Cisco MDS 9100 Series switches, Cisco MDS 9216i
switches, and MPS-14/2 modules.

This feature can only be configured if the QoS feature is enabled and if this configuration is performed
on a Cisco MDS 9100 series switch, Cisco MDS 9216i switch, or MPS-14/2 module.
To configure the port rate limiting value using Fabric Manager, follow these steps:

Step 1 Expand Switches, expand FC Services and then select QoS in the Physical Attributes pane.
The QoS control traffic information is displayed in the Information pane shown in Figure 64-8. The
default is the Control tab.

Figure 64-8 Quality of Service Control Tab

Step 2 Click the Rate Limit tab.


You see the information shown in Figure 64-9.


Figure 64-9 Rate Limits for Switch Interfaces

Step 3 Select the switch whose port rate limit you want to change.
Step 4 Enter the desired port rate limit in the Percent column.
Step 5 Click the Apply Changes icon to save your changes.

Default Settings
Table 64-3 lists the default settings for FCC, QoS, and rate limiting features.

Table 64-3 Default FCC, QoS, and Rate Limiting Settings

Parameters | Default
FCC protocol | Disabled.
QoS control traffic | Enabled.
QoS data traffic | Disabled.
Zone-based QoS priority | Low.
Rate limit | 100%


CHAPTER 65
Configuring Port Tracking

The port tracking feature is unique to the Cisco MDS 9000 Family of switches. This feature uses
information about the operational state of the link to initiate a failure in the link that connects the edge
device. This process of converting the indirect failure to a direct failure triggers a faster recovery process
towards redundant links. When enabled, the port tracking feature brings down the configured links based
on the failed link and forces the traffic to be redirected to another redundant link.
This chapter includes the following sections:
About Port Tracking
Port Tracking
Default Port Tracking Settings

About Port Tracking


Generally, hosts can instantly recover from a link failure on a link that is immediately (direct link)
connected to a switch. However, recovering from an indirect link failure between switches in a WAN or
MAN fabric with a keep-alive mechanism is dependent on several factors such as the time out values
(TOVs) and on registered state change notification (RSCN) information (see the "Common Information
Model" section on page 37-1 and the "About RSCN Information" section on page 34-5).
In Figure 65-1, when the direct link 1 to the host fails, recovery can be immediate. However, when the
ISL 2 fails between the two switches, recovery depends on TOVs, RSCNs, and other factors.

Figure 65-1 Traffic Recovery Using Port Tracking
(Diagram labels: Direct link 1, ISL2, FC, WAN or MAN; failure points marked X.)


The port tracking feature monitors and detects failures that cause topology changes and brings down the
links connecting the attached devices. When you enable this feature and explicitly configure the linked
and tracked ports, the Cisco NX-OS software monitors the tracked ports and alters the operational state
of the linked ports on detecting a link state change.
The following terms are used in this chapter:
Tracked ports: A port whose operational state is continuously monitored. The operational state of
the tracked port is used to alter the operational state of one or more ports. Fibre Channel, VSAN,
PortChannel, FCIP, or a Gigabit Ethernet port can be tracked. Generally, ports in E and TE port
modes can also be Fx ports.
Linked ports: A port whose operational state is altered based on the operational state of the tracked
ports. Only a Fibre Channel port can be linked.

Port Tracking
Before configuring port tracking, consider the following guidelines:
Verify that the tracked ports and the linked ports are on the same Cisco MDS switch.
Be aware that the linked port is automatically brought down when the tracked port goes down.
Do not track a linked port back to itself (for example, Port fc1/2 to Port fc2/5 and back to Port fc1/2)
to avoid recursive dependency.
This section includes the following topics:
About Port Tracking
Enabling Port Tracking
About Configuring Linked Ports
Operationally Binding a Tracked Port
About Tracking Multiple Ports
Tracking Multiple Ports
About Monitoring Ports in a VSAN
Monitoring Ports in a VSAN
About Forceful Shutdown
Forcefully Shutting Down a Tracked Port

About Port Tracking


Port tracking has the following features:
The application brings the linked port down when the tracked port goes down. When the tracked port
recovers from the failure and comes back up again, the linked port is also brought up automatically
(unless otherwise configured).
You can forcefully continue to keep the linked port down, even though the tracked port comes back
up. In this case, you must explicitly bring the port up when required.


Enabling Port Tracking


The port tracking feature is disabled by default in all switches in the Cisco 9000 Family. When you
enable this feature, port tracking is globally enabled for the entire switch.
To configure port tracking, enable the port tracking feature and configure the linked port(s) for the
tracked port.
To enable port tracking with Fabric Manager, follow these steps:

Step 1 Expand Switches, expand Interfaces, and then select Port Tracking in the Physical Attributes pane.
The port tracking information is displayed in the Information pane shown in Figure 65-2. The default is
the Controls tab.

Figure 65-2 Port Tracking

Step 2 Click in the Command column to enable or disable port tracking.


Depending on your selection the corresponding entry in the Status column changes.
Step 3 Click the Apply Changes icon to save your changes.
The entry in the Result column changes to success.

About Configuring Linked Ports


You can link ports using one of two methods:
Operationally binding the linked port(s) to the tracked port (default).
Continuing to keep the linked port down forcefully, even if the tracked port has recovered from the
link failure.

Operationally Binding a Tracked Port


When you configure the first tracked port, operational binding is automatically in effect. When you use
this method, you have the option to monitor multiple ports or monitor ports in one VSAN.
To operationally bind a tracked port, follow these steps:

Step 1 Expand Switches, expand Interfaces, and then select Port Tracking in the Physical Attributes pane.
The port tracking information is displayed in the Information pane. The default is the Controls tab.


Figure 65-3 Port Tracking Controls Tab

Step 2 Click the Dependencies tab.


Step 3 Click Create Row.
You see the Create Port Tracking Dependencies dialog box shown in Figure 65-4.

Figure 65-4 Create Port Tracking Dependencies Dialog Box

Step 4 Select the switch whose ports you want to track by selecting a switch from the drop-down list.
Step 5 Select the linked port(s) that should be bound to the tracked port(s) by clicking the browse button and
selecting from the list.
Step 6 Click the Single VSAN radio button if you want to track these ports only in one VSAN or click the All
VSANs radio button if you want to track these ports in all the available VSANs.
See the "About Monitoring Ports in a VSAN" section on page 65-6 for details.
Step 7 If you chose Single VSAN in the previous step, enter the ID of the VSAN where these ports will be
monitored.
Step 8 Check the Forceshut check box if you want to forcefully shut down the tracked port.
See the "About Forceful Shutdown" section on page 65-6 for details.
Step 9 Click Create to proceed with creating this dependency.
If tracking is established, you see Success in the lower left corner of the dialog box (see Figure 65-5).


Figure 65-5 Successful Port Tracking Established

Step 10 Click Close to close the dialog box.

About Tracking Multiple Ports


You can control the operational state of the linked port based on the operational states of multiple tracked
ports. When more than one tracked port is associated with a linked port, the operational state of the
linked port will be set to down only if all the associated tracked ports are down. Even if one tracked port
is up, the linked port will stay up.
In Figure 65-6, direct link 1 is brought down only if both ISLs 2 and 3 fail. Direct link 1 is
not brought down if either 2 or 3 is still functioning as desired.

Figure 65-6 Traffic Recovery Using Port Tracking
(Diagram labels: links 1, 2, and 3; fc 8/6, Port Channel, FCIP, FC, WAN or MAN; failure points marked X.)

Tracking Multiple Ports


To track multiple ports, see the "Operationally Binding a Tracked Port" section on page 65-3.


About Monitoring Ports in a VSAN


You can optionally configure one VSAN from the set of all operational VSANs on the tracked port with
the linked port by specifying the required VSAN. This level of flexibility provides higher granularity in
tracked ports. In some cases, when a tracked port is a TE port, the set of operational VSANs on the port
can change dynamically without bringing down the operational state of the port. In such cases, the port
VSAN of the linked port can be monitored on the set of operational VSANs on the tracked port.
If you configure this feature, the linked port is up only when the VSAN is up on the tracked port.

Tip: The specified VSAN does not have to be the same as the port VSAN of the linked port.

Monitoring Ports in a VSAN


To monitor a tracked port in a specific VSAN, see the "Operationally Binding a Tracked Port" section on
page 65-3.

About Forceful Shutdown


If a tracked port flaps frequently, then tracking ports using the operational binding feature may cause
frequent topology change. In this case, you may choose to keep the port in the down state until you are
able to resolve the reason for these frequent flaps. Keeping the flapping port in the down state forces the
traffic to flow through the redundant path until the primary tracked port problems are resolved. When
the problems are resolved and the tracked port is back up, you can explicitly enable the interface.

Tip: If you configure this feature, the linked port continues to remain in the shutdown state even after the
tracked port comes back up. You must explicitly remove the forced shut state (by administratively
bringing up this interface) of the linked port once the tracked port is up and stable.
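
The port tracking rules from this chapter (a linked port goes down only when all of its tracked ports are down, optional single-VSAN monitoring, forced shutdown, and the ban on recursive dependencies), as an added Python model that is not Cisco code or part of the original guide. The class, method, and non-Fibre-Channel port names are constructed for illustration.

```python
import re

FC_PORT = re.compile(r"^fc\d+/\d+$")  # e.g. fc1/2; only a Fibre Channel port can be linked


class PortTracking:
    def __init__(self):
        self.tracked = {}          # linked port -> list of (tracked port, VSAN id or None)
        self.force_shut = {}       # linked port -> Forceshut setting
        self.latched_down = set()  # linked ports held down by a forced shutdown

    def _depends_on(self, port, target, seen=None):
        """True if `port` is linked, directly or through a chain, to `target`."""
        seen = set() if seen is None else seen
        for tracked, _vsan in self.tracked.get(port, ()):
            if tracked == target:
                return True
            if tracked not in seen:
                seen.add(tracked)
                if self._depends_on(tracked, target, seen):
                    return True
        return False

    def add_dependency(self, linked, tracked, vsan=None, force_shut=False):
        if not FC_PORT.match(linked):
            raise ValueError(f"{linked}: only a Fibre Channel port can be linked")
        # Refuse fc1/2 -> fc2/5 -> fc1/2 style loops before they are stored.
        if linked == tracked or self._depends_on(tracked, linked):
            raise ValueError(f"{linked} -> {tracked}: recursive dependency")
        self.tracked.setdefault(linked, []).append((tracked, vsan))
        self.force_shut[linked] = self.force_shut.get(linked, False) or force_shut

    @staticmethod
    def _dependency_up(dependency, oper_up, vsans_up):
        port, vsan = dependency
        if not oper_up.get(port, False):
            return False
        # With single-VSAN monitoring, the VSAN must be operational on the tracked port.
        return vsan is None or vsan in vsans_up.get(port, set())

    def evaluate(self, oper_up, vsans_up=None):
        """Return linked port -> 'up' or 'down'.

        oper_up:  tracked port -> bool (operational state)
        vsans_up: tracked port -> set of VSAN ids currently operational on it
        """
        vsans_up = vsans_up or {}
        result = {}
        for linked, dependencies in self.tracked.items():
            any_up = any(self._dependency_up(d, oper_up, vsans_up) for d in dependencies)
            if not any_up and self.force_shut[linked]:
                self.latched_down.add(linked)  # stays down until admin_up()
            held = linked in self.latched_down
            result[linked] = "up" if any_up and not held else "down"
        return result

    def admin_up(self, linked):
        """Administratively bring the interface up, clearing the forced shut state."""
        self.latched_down.discard(linked)


if __name__ == "__main__":
    # Constructed scenario: one linked port tracking a PortChannel and an FCIP link.
    pt = PortTracking()
    pt.add_dependency("fc8/6", "port-channel2")
    pt.add_dependency("fc8/6", "fcip3")
    print(pt.evaluate({"port-channel2": False, "fcip3": True}))   # one path left: up
    print(pt.evaluate({"port-channel2": False, "fcip3": False}))  # both failed: down
```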

Forcefully Shutting Down a Tracked Port


To forcefully shut down a tracked port, see the "Operationally Binding a Tracked Port" section on page 65-3.

Default Port Tracking Settings


Table 65-1 lists the default settings for port tracking parameters.

Table 65-1 Default Port Tracking Parameters

Parameters | Default
Port tracking | Disabled.
Operational binding | Enabled along with port tracking.


PART 10

Troubleshooting

CHAPTER 66
Troubleshooting Your Fabric

This chapter describes basic troubleshooting methods used to resolve issues with switches. This chapter
contains the following sections:
Troubleshooting Tools and Techniques
Analyzing Switch Device Health
Analyzing Switch Fabric Configuration
Analyzing End-to-End Connectivity
Using the Ping Tool (fcping)
Using Traceroute (fctrace) and Other Troubleshooting Tools
Analyzing the Results of Merging Zones
Using the Show Tech Support Command
Running CLI Commands
Locating Other Switches
Getting Oversubscription Information in Device Manager
Fibre Channel Time Out Values
Configuring a Fabric Analyzer
Configuring World Wide Names
Configuring a Secondary MAC Address
FC ID Allocation for HBAs

Troubleshooting Tools and Techniques


Multiple techniques and tools are available to monitor and troubleshoot the Cisco MDS 9000 Family of
switches. These tools provide a complete, integrated, multi-level analysis solution.
Fabric Manager Server: The Cisco Fabric Manager Server provides a long-term, high level view of
storage network performance. Fabric wide performance trends can be analyzed using Performance
Manager. It provides the starting point for deeper analysis to resolve network hot-spots.
Device Manager: If a performance problem is detected with the Fabric Manager Server, use Cisco
Device Manager to view port level statistics in real-time. Details on protocols, errors, discards, byte and
frame counts are available. Samples can be taken as frequently as every 2 seconds, and values can be
viewed in text form or graphically as pie, bar, area and line changes.


Traffic Analyzer: Another option is to launch the Cisco Traffic Analyzer for Fibre Channel from the
Fabric Manager Server to analyze the traffic in greater depth. The Cisco Traffic Analyzer allows you to
break down traffic by VSANs and protocols and to examine SCSI traffic at a logical unit number (LUN)
level.
Protocol Analyzer: If even deeper investigation is needed, the Cisco Protocol Analyzer for Fibre
Channel can be launched in-context from the Cisco Traffic Analyzer. The Cisco Protocol Analyzer
enables you to examine actual sequences of Fibre Channel frames easily using the Fibre Channel and
SCSI decoders Cisco developed for Ethereal.
Port Analyzer Adapter: Fabric Manager Server and Device Manager use SNMP to gather statistics.
They fully utilize the built in MDS statistics counters. Even so, there are limits to what the counters can
collect.
Integration with the Cisco Traffic Analyzer and Cisco Protocol Analyzer extends the MDS analysis
capabilities by analyzing the Fibre Channel traffic itself. The Cisco MDS 9000 Family Switched Port
Analyzer (SPAN) enables these solutions via a flexible, non-intrusive technique to mirror traffic
selectively from one or more ports to another MDS port within a fabric.
The Cisco Port Analyzer Adapter (PAA) encapsulates SPAN traffic in an Ethernet header for transport
to a PC or workstation for analysis. Both Fibre Channel control and data plane traffic are available using
SPAN. The PAA broadcasts the Ethernet packets, so they cannot be routed across IP networks. Hubs and
switches can be used, provided they are in the same Ethernet subnet. Direct connections between a PAA
and the PC are also supported. The PAA can reduce Ethernet traffic by truncating Fibre Channel data.
Both the Cisco Traffic Analyzer and Cisco Protocol Analyzer require the PAA to transport MDS SPAN
traffic to a PC or workstation.

Note: The Cisco Traffic Analyzer works best with the Cisco Port Analyzer Adapter 2, because it provides a
length value for truncated data, enabling accurate byte count reporting.

Cisco Traffic Analyzer


The Cisco Traffic Analyzer for Fibre Channel provides real-time analysis of SPAN traffic or traffic
captured previously using the Cisco Protocol Analyzer. The Fibre Channel traffic from multiple Cisco
Port Analyzer Adapters (PAA) can be aggregated and analyzed by the Cisco Traffic Analyzer.
There are limits to how many SPAN sources can be sent to a single SPAN destination port on an MDS.
Aggregation extends the amount of information that can be analyzed in a unified set of reports by the
Cisco Traffic Analyzer.

Note: The aggregation capabilities are restricted to the information collected by Ethernet connections to a single
PC. Aggregation across multiple PCs is NOT available.

The Cisco Traffic Analyzer presents its reports through a Web server, so you can view them locally or
remotely. The traffic analysis functions are provided by ntop open-source software, which was
enhanced by Cisco to add Fibre Channel and SCSI analysis and MDS enhanced inter-switch link (ISL)
header support for SPAN. ntop is available on the Cisco.com software download center, under the Cisco
Port Analyzer Adapter. ntop is also available on the Internet at http://www.ntop.org/ntop.html. The Cisco
enhanced ntop runs under Microsoft Windows and Linux operating systems.


The Cisco Traffic Analyzer for Fibre Channel presents reports with network wide statistics. The
Summary Traffic report shows what percentage of traffic was within different ranges of frame sizes. A
breakdown of the percentage of traffic for each protocol, such as SCSI and ELS, is provided. The average and
peak throughput for the SPAN traffic being analyzed are also provided.
Fibre Channel traffic can be analyzed on a per VSAN basis with the Cisco Traffic Analyzer. The Domain
Traffic Distribution graphs indicate how much traffic (bytes) was transmitted or received by a switch
for a particular VSAN. FC Traffic Matrix graphs show how much traffic is transmitted and received
between Fibre Channel sources and destinations. The total byte and frame counts for each VSAN are
also provided.
Statistics can be analyzed for individual host and storage ports. You can see the percentage of SCSI read
versus write traffic, SCSI vs. other traffic, and percentage of transmitted versus received bytes and
frames. The peak and average throughput values are available for data transmitted and received by each
port.

Cisco Protocol Analyzer


The Cisco Protocol Analyzer for Fibre Channel enables you to view Fibre Channel traffic frames in
real-time or from a capture file. Fibre Channel and SCSI decoders enable you to view and analyze traffic
at the frame level. It matches each response with its request for complete decoding, which greatly simplifies
navigation. The response time between response and status is presented.
The Cisco Protocol Analyzer is VSAN aware, so VSANs can be used as criteria for capture and display
filters, and to colorize the display. VSAN numbers can also be displayed in a column. Summary statistics
are available for protocol distribution percentages and total bytes/frames transferred between specific
Fibre Channel source/destination pairs. File capture and filtering controls are available. Captured files
can be analyzed by either the Cisco Protocol Analyzer or the Cisco Traffic Analyzer.
Numerous features have been included for ease-of-use. You can find frames that meet particular criteria
and mark them. Entries in the frame (packet) list can be colorized to highlight items of interest, and
columns can be added/removed as desired.
The protocol analysis functions are provided by Ethereal open-source software, which was enhanced by
Cisco to decode Fibre Channel and SCSI protocols and support MDS enhanced inter-switch link (ISL)
headers for SPAN. Ethereal is available on the Cisco.com software download center, under the Cisco Port
Analyzer Adapter. Ethereal is also available on the Internet at http://www.ethereal.com. Ethereal runs
under Microsoft Windows, Solaris, and Linux operating systems.

Analyzing Switch Device Health


The Switch Health option lets you determine the status of the components of a specific switch.
To use the Switch Health option in Fabric Manager to determine the status of the components of a
specific switch, follow these steps:

Step 1 Choose Tools > Health > Switch Health.


You see the Switch Health Analysis window.
Step 2 Click Start to identify problems currently affecting the selected switch.
You see any problems listed in the switch health analysis window shown in Figure 66-1.


Figure 66-1 Results of a Switch Health Analysis

Step 3 Click Clear to remove the contents of the Switch Health Analysis window.
Step 4 Click Close to close the window.

Analyzing Switch Fabric Configuration


The Fabric Configuration option lets you analyze the configuration of a switch by comparing the current
configuration to a specific switch or to a policy file. You can save a switch configuration to a file and
then compare all switches against the configuration in the file.
To use the Fabric Configuration option in Fabric Manager to analyze the configuration of a switch,
follow these steps:

Step 1 Choose Tools > Health > Fabric Configuration.


You see the Fabric Configuration Analysis dialog box.
Step 2 Decide whether you want to compare the selected switch to another switch, or to a policy file.
If you are making a switch comparison, select Policy Switch and then click the drop-down arrow to
see a list of switches.
If you are making a policy comparison, select Policy File. Then click the ... button to the right of
this option to browse your file system and select a policy file (*.XML).
Step 3 Click Rules to set the rules to apply when running the Fabric Configuration Analysis tool.
You see the Rules window.
Step 4 Change the rules as needed and click OK.
Step 5 Click Compare.
The system analyzes the configuration and displays issues that arise as a result of the comparison as
shown in Figure 66-2.


Figure 66-2 Results of a Fabric Configuration Analysis

Step 6 Check the check boxes in the Resolve column for the issues you want to resolve.
Step 7 To resolve, click Resolve Issues.
Step 8 Click Clear to remove the contents of the window.
Step 9 Click Close to close the window.

Analyzing End-to-End Connectivity


You can use the End to End Connectivity option to determine connectivity and routes among devices
with the switch fabric. The connectivity tool checks to see that every pair of end devices can talk to each
other, using a Ping test and by determining if they are in the same VSAN or in the same active zone. This
option uses versions of the ping and traceroute commands modified for Fibre Channel networks.
The ping and redundancy tests are now mutually exclusive; you cannot run both at the same time.
To use the End to End Connectivity option in Fabric Manager to determine connectivity and routes,
follow these steps:

Step 1 Choose Tools > Connectivity > End to End Connectivity.


You see the End to End Connectivity Analysis dialog box.
Step 2 Select the VSAN whose connectivity will be verified from the VSAN drop-down list.
Step 3 Select whether to perform the analysis for all active zones or for the default zone.
Step 4 Click Ensure that members can communicate to perform a Fibre Channel ping between the selected
endpoints.
Step 5 Identify the number of packets, the size of each packet, and the time out in milliseconds.
Step 6 Analyze the redundant paths between endpoints by checking the Ensure that redundant paths exist
between members check box.


Step 7 Check the Report errors for check box to see a report of zone and device errors.
Step 8 Click Analyze.
The End to End Connectivity Analysis window displays the selected endpoints including the switch to
which each is attached, and the source and target ports used to connect it, as shown in Figure 66-3.

Figure 66-3 Results of an End-to-End Connectivity Analysis

The output shows all the requests that have failed. The possible descriptions are:
Ignoring empty zone: No requests are issued for this zone.
Ignoring zone with single member: No requests are issued for this zone.
Source/Target are unknown: No name server entries exist for the ports or we have not discovered
the port during discovery.
Both devices are on the same switch.
No paths exist between the two devices.
VSAN does not have an active zone set and the default zone is denied.
Average time micro secs: The latency value was more than the threshold supplied.
Step 9 Click Clear to remove the contents of the window.


Step 10 Click Close to close the window.

Using the Ping Tool (fcping)


You can use the Ping tool to determine connectivity from another switch to a port on your switch.
To use the Ping tool in Fabric Manager to determine connectivity, follow these steps:

Step 1 Choose Tools > Connectivity > Ping. You can also select it from the right-click context menus for hosts
and storage devices in the Fabric pane.
You see the Ping dialog box.
Step 2 Select the source switch from the Source Switch drop-down list.
Step 3 Select the VSAN in which you want to verify connectivity from the VSAN drop-down list.
Step 4 Select the target end port for which to verify connectivity from the Target Endport drop-down list.
Step 5 Click Start to perform the ping between your switch and the selected port.
You see the results in the dialog box shown in Figure 66-4.

Figure 66-4 Ping Results

Step 6 Click Clear to clear the contents of the window and perform another ping, or click Close to close the
window.

Using Traceroute (fctrace) and Other Troubleshooting Tools


You can use the following options on the Fabric Manager Tools menu to verify connectivity to a selected
object or to open other management tools:
Traceroute: Verify connectivity between two end devices that are currently selected on the Fabric
pane.
Device Manager: Launch the Device Manager for the switch selected on the Fabric pane.
Command Line Interface: Open a Telnet or SSH session for the switch selected on the Fabric pane.
To use the Traceroute option in Fabric Manager to verify connectivity, follow these steps:

Step 1 Choose Tools > Connectivity > Trace Route.


You see the Trace Route dialog box.
Step 2 Select the source switch from the Source Switch drop-down list.


Step 3 Select the VSAN for which to verify connectivity from the VSAN drop-down list.
Step 4 Select the target end port for which to verify connectivity from the Target Endport drop-down list.
Step 5 Click Start to perform the traceroute between your switch and the selected port.
You see the results at the bottom of the dialog box as shown in Figure 66-5.

Figure 66-5 Successful Trace Route Results

Step 6 Click Clear to clear the contents of the window and perform another traceroute, or click Close to close
the window.

Analyzing the Results of Merging Zones


You can use the Zone Merge option on the Zone menu to determine if two connected switches have
compatible zone configurations.
To use the Zone Merge option in Fabric Manager to determine zone configuration compatibility, follow
these steps:

Step 1 Choose Zone > Merge Analysis.


You see the Zone Merge Analysis dialog box.
Step 2 Select a switch from each drop-down list.
Step 3 Select the VSAN for which you want to perform the zone merge analysis.
Step 4 Repeat Step 3 as needed.
Step 5 Click Analyze.
The Zone Merge Analysis window displays any inconsistencies between the zone configuration of the
two selected switches as shown in Figure 66-6.


Figure 66-6 Results of Zone Merge Analysis

Step 6 Click Clear to remove the contents of the window.


Step 7 Click Close to close the window.

Using the Show Tech Support Command


The show tech support command is useful when collecting a large amount of information about your
switch for troubleshooting purposes. The output can be provided to technical support representatives
when reporting a problem.
You can issue a show tech support command from Fabric Manager for one or more switches in a fabric.
The results of each command are written to a text file, one file per switch, in a directory you specify. You
can then view these files using Fabric Manager.
You can also save the Fabric Manager map as a JPG file. The file is saved with the name of the seed
switch (for example, 172.22.94.250.jpg).
You can zip up all the files (the show tech support output and the map file image) and send the resulting
zipped file to technical support.
To use the show tech support command using Fabric Manager, follow these steps:

Step 1 Choose Tools > Health > Show Tech Support.


You see the Show Tech Support dialog box.
Step 2 Select the switches for which to view tech support information by checking the check boxes for each
switch.
Step 3 Set the time-out value.


The default is 30 seconds.


Step 4 Select the folder where you want the text files (containing the tech support information) to be written.
Step 5 Check the Save Map check box if you want to save a screenshot of your map as a JPG file.
Step 6 Check the Compress all files as check box to compress the files into a zip file.
Step 7 Click OK to start issuing the show tech support command to the switches you specified, or click Close
to close the Show Tech Support dialog box without issuing the show tech support command (see
Figure 66-7).
In the Status column next to each switch, you see a highlighted status. A yellow highlight indicates that
the show tech support command is currently running on that switch. A red highlight indicates an error.
A green highlight like the one shown in Figure 66-7 indicates that the show tech support command has
completed successfully.

Figure 66-7 Successful Results of the Show Tech Support Command

Step 8 If prompted, enter your user name and password in the appropriate fields for the switch in question.

Note In order for Fabric Manager to successfully issue the show tech support command on a switch,
that switch must have this user name and password. Fabric Manager is unable to log into a switch
that does not have a user name and password and an error is returned for that switch.

Note If you would like to view output files of the show tech support command without using Fabric
Manager, open them with any text editor. Each file is named with the switch's IP address and has
a .TXT extension (for example, 111.22.33.444.txt).

Running CLI Commands


As of Cisco MDS NX-OS Release 4.1(1), you can use the Run CLI Commands feature to run a CLI
command on multiple switches.
To run CLI commands using Fabric Manager, follow these steps:


Step 1 Choose Tools > Run CLI Commands.


You see the Run CLI Commands dialog box with all switches selected as shown in Figure 66-8.

Figure 66-8 Run CLI Commands Dialog Box

Step 2 Deselect the check box for the switch(es) for which you do not want to run CLI commands.
Step 3 Specify where you want the file to be saved.

Note A separate report is issued for each switch. Check the reports to verify whether a CLI command
failed.

Step 4 Enter the command(s) in the Command(s) text box. If the commands are configuration mode commands,
you must also enter the exit command.

Note For the commands to execute, you cannot be in configuration mode.

Step 5 Click OK to run the CLI command(s).


You see the Run CLI Commands dialog box showing the status of each switch as shown in Figure 66-9.


Figure 66-9 Run CLI Commands Status

Step 6 Click Close to close the dialog box.

Adjusting for Daylight Savings Time

Note Starting in 2007, daylight savings time in the United States starts on the second Sunday in March and
ends on the first Sunday in November.

You can use the Run CLI Commands feature in Fabric Manager to adjust the time change configuration
in your switches. Enter the following commands in the Command(s) text box.

config t
no clock summer-time
clock summer-time daylight_timezone_name 2 Sunday March 02:00 1 Sunday November 02:00 60
exit

Locating Other Switches


The Locate Switches option uses SNMPv2 and discovers devices responding to SNMP requests with the
read-only community string public. You can use this feature if:
You have third-party switches that do not implement the FC-GS3 FCS standard that provides
management IP addresses.
You want to locate other Cisco MDS 9000 switches in the subnet but are not physically connected
to the fabric (and therefore cannot be found via neighbors).


To locate switches that are not included in the currently discovered fabric using Fabric Manager, follow
these steps:

Step 1 Choose File > Locate Switches and Devices.


You see the Locate Switches dialog box.
Step 2 In the Comma Separated Subnets field, enter a range of specific addresses belonging to a specific subnet
to limit the search for the switches. To look for a Cisco MDS 9000 switch belonging to subnet
192.168.199.0, use the following string:
192.168.100.[1-254]
Multiple ranges can be specified, separated by commas. For example, to look for all the devices in the
two subnets 192.168.199.0 and 192.169.100.0, use the following string:
192.168.100.[1-254], 192.169.100.[1-254]
Step 3 Enter the appropriate read community string in the Read Community field.
The default value for this string is public.
Step 4 Click Display Cisco MDS 9000 Only to display only the Cisco MDS 9000 Family switches in your
network fabric.
Step 5 Click Search to discover switches and devices in your network fabric.
You see the results of the discovery in the Locate Switches window. (See Figure 66-10.)

Figure 66-10 Search Results for Switches and Devices

Note The number in the lower left corner of the screen increments as the device locator attempts to
discover the devices in your network fabric. When the discovery process is complete, the number
indicates the number of rows displayed.


Step 6 Click Close to close this dialog box.
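
The following is an added example, not part of the Cisco guide. It parses the Comma Separated Subnets syntax shown in Step 2 and, before a discovery is run, checks that every address falls inside an approved management subnet and that the read community is not still the default. The approved subnet, the 1024-address cap, and support for a bracketed range in any octet are assumptions made for this example.

```python
import ipaddress
import itertools
import math
import re

# One octet is a literal ("192") or a bracketed range ("[1-254]").
_OCTET = re.compile(r"^(?:(\d{1,3})|\[(\d{1,3})-(\d{1,3})\])$")


def parse_range(expr):
    """Turn one range expression into four (low, high) octet bounds."""
    octets = expr.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {expr!r}")
    bounds = []
    for octet in octets:
        match = _OCTET.match(octet)
        if match is None:
            raise ValueError(f"bad octet {octet!r} in {expr!r}")
        literal, low, high = match.groups()
        if literal is not None:
            low = high = literal
        low, high = int(low), int(high)
        if not 0 <= low <= high <= 255:
            raise ValueError(f"octet {octet!r} out of range in {expr!r}")
        bounds.append((low, high))
    return bounds


def addresses(bounds):
    """Yield every IPv4 address covered by the four octet bounds."""
    spans = (range(low, high + 1) for low, high in bounds)
    for quad in itertools.product(*spans):
        yield ipaddress.IPv4Address(".".join(map(str, quad)))


def audit_discovery(subnets_field, community, approved, max_hosts=1024):
    """Return findings for a planned Locate Switches search (empty = clean)."""
    findings = []
    if community == "public":
        findings.append("read community is the default 'public'")
    networks = [ipaddress.ip_network(net) for net in approved]
    for expr in subnets_field.split(","):
        expr = expr.strip()
        bounds = parse_range(expr)
        count = math.prod(high - low + 1 for low, high in bounds)
        if count > max_hosts:
            findings.append(f"{expr}: {count} addresses exceeds cap of {max_hosts}")
            continue
        outside = sum(
            1 for addr in addresses(bounds)
            if not any(addr in net for net in networks)
        )
        if outside:
            findings.append(
                f"{expr}: {outside} of {count} addresses outside approved subnets"
            )
    return findings


# Constructed input: the two-range string from Step 2, checked against a
# hypothetical approved management subnet (an assumption for this example).
SAMPLE_FINDINGS = audit_discovery(
    "192.168.100.[1-254], 192.169.100.[1-254]",
    "public",
    ["192.168.100.0/24"],
)

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print(finding)
```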

Getting Oversubscription Information in Device Manager


To determine oversubscription for a module using Device Manager, follow these steps:

Step 1 Right-click the module you want to check for oversubscription and select Check Oversubscription
from the pop-up menu.
You see the Check Oversubscription dialog box shown in Figure 66-11.

Figure 66-11 Check Oversubscription Dialog Box

Step 2 Click Close to close the dialog box.

Note The module must be capable of oversubscription in order for you to see this menu item.

Fibre Channel Time Out Values


You can modify Fibre Channel protocol related timer values for the switch by configuring the following
time out values (TOVs):
Distributed services TOV (D_S_TOV): The valid range is from 5,000 to 10,000 milliseconds. The
default is 5,000 milliseconds.
Error detect TOV (E_D_TOV): The valid range is from 1,000 to 10,000 milliseconds. The default
is 2,000 milliseconds. This value is matched with the other end during port initialization.
Resource allocation TOV (R_A_TOV): The valid range is from 5,000 to 10,000 milliseconds. The
default is 10,000 milliseconds. This value is matched with the other end during port initialization.


Note The fabric stability TOV (F_S_TOV) constant cannot be configured.

Timer Configuration Across All VSANs


You can modify Fibre Channel protocol related timer values for the switch.

Caution The D_S_TOV, E_D_TOV, and R_A_TOV values cannot be globally changed unless all VSANs in the
switch are suspended.

To configure timeouts using Fabric Manager, follow these steps:

Step 1 Select SAN in the Logical Domains pane to include all VSANs.
Step 2 Expand Switches, expand FC Services and select Timers & Policies in the Physical Attributes pane.
You see the timers for switches in the Information pane.
Step 3 Click Change Timeouts to configure the time-out values.
You see the Change Timeouts dialog box shown in Figure 66-12.

Figure 66-12 Change Timeouts Dialog Box

Step 4 Indicate values for R_A_TOV (Resource Allocation Time Out Value), D_S_TOV (Distributed Services
Time Out Value), and E_D_TOV (Error Detect Time Out Value).
Step 5 Click Apply.
Step 6 Click Close to close the dialog box.

To configure timer policies in Device Manager, follow these steps:

Step 1 Choose FC > Advanced > Timers/Policies.


You see timer policies for a single switch in the dialog box shown in Figure 66-13.


Figure 66-13 Configure Timer Policies in Device Manager

Step 2 Select a network from the drop-down list and specify a switch.
Step 3 Check the check boxes for InOrderDeliver and/or Trunk Protocol.
Step 4 Click Apply.
Step 5 Click Close to close the dialog box.

Timer Configuration Per-VSAN


You can also issue an fctimer for a specified VSAN to configure different TOV values for VSANs with
special links like FC or IP tunnels. You can configure different E_D_TOV, R_A_TOV, and D_S_TOV
values for individual VSANs. Active VSANs are suspended and activated when their timer values are
changed.

Caution You cannot perform a nondisruptive downgrade to any earlier version that does not support per-VSAN
FC timers.

Note This configuration must be propagated to all switches in the fabric. Be sure to configure the same value
in all switches in the fabric.

If a switch is downgraded to Cisco MDS SAN-OS Release 1.2 or 1.1 after the timer is configured for a
VSAN, an error message is issued to warn against strict incompatibilities.
To configure per-VSAN FC timers using Fabric Manager, follow these steps:

Step 1 Choose the VSAN for timer configuration from the Logical Domains pane. If a VSAN is not specified
when you change the policies, the changed value is applied to all VSANs in the switch.
Step 2 Expand Switches, expand FC Services and select Timers & Policies in the Physical Attributes tree.
You see timeouts for only switches in the selected VSAN shown in the Information pane.
Step 3 Click Change Timeouts to configure the time-out values.
You see the dialog box shown in Figure 66-14.


Figure 66-14 Change Timeouts per VSAN in Fabric Manager

Step 4 Change the timeout values shown in Figure 66-14.


Step 5 Indicate values for R_A_TOV (Resource Allocation Time Out Value), D_S_TOV (Distributed Services
Time Out Value), and E_D_TOV (Error Detect Time Out Value).
Step 6 Click Apply.
Step 7 Click Close to close the dialog box.
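
The following is an added example, not part of the Cisco guide. It audits a planned set of timer values against the ranges and defaults listed under Fibre Channel Time Out Values and against the per-VSAN requirement that every switch in the fabric carries the same value. The switch names, VSAN numbers, and the dictionary layout are constructed for this example.

```python
# (min_ms, max_ms, default_ms) for each configurable TOV, as listed under
# "Fibre Channel Time Out Values". F_S_TOV is absent: it cannot be configured.
TOV_LIMITS = {
    "D_S_TOV": (5000, 10000, 5000),
    "E_D_TOV": (1000, 10000, 2000),
    "R_A_TOV": (5000, 10000, 10000),
}


def audit_fabric(fabric):
    """Audit {switch: {vsan: {tov_name: ms}}}; unset timers take the default.

    Returns a list of (switch, vsan, tov_name, problem) tuples, where problem
    is "not-configurable", "out-of-range" or "mismatch".
    """
    findings = []
    seen = {}  # (vsan, tov_name) -> {switch: effective value}
    for switch in sorted(fabric):
        for vsan in sorted(fabric[switch]):
            timers = fabric[switch][vsan]
            # Anything outside the three configurable TOVs (for example
            # F_S_TOV) is a planning error.
            for name in sorted(set(timers) - set(TOV_LIMITS)):
                findings.append((switch, vsan, name, "not-configurable"))
            for name, (low, high, default) in TOV_LIMITS.items():
                value = timers.get(name, default)
                if not low <= value <= high:
                    findings.append((switch, vsan, name, "out-of-range"))
                seen.setdefault((vsan, name), {})[switch] = value
    # The same VSAN must carry the same value on every switch that has it.
    for (vsan, name), values in sorted(seen.items()):
        if len(set(values.values())) > 1:
            findings.append(("fabric", vsan, name, "mismatch"))
    return findings


# Constructed plan: VSAN 10 has different E_D_TOV values on the two switches,
# and VSAN 20 on sw-b has a D_S_TOV below the valid range plus an attempt to
# set the non-configurable F_S_TOV.
SAMPLE_PLAN = {
    "sw-a": {1: {}, 10: {"E_D_TOV": 4000, "R_A_TOV": 10000}},
    "sw-b": {1: {}, 10: {"E_D_TOV": 2000},
             20: {"D_S_TOV": 4000, "F_S_TOV": 5000}},
}

if __name__ == "__main__":
    for switch, vsan, name, problem in audit_fabric(SAMPLE_PLAN):
        print(f"{switch} VSAN {vsan} {name}: {problem}")
```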

Configuring a Fabric Analyzer


Fibre Channel protocol analyzers capture, decode, and analyze frames and ordered sets on a link.
Existing Fibre Channel analyzers can capture traffic at wire rate speed. They are expensive and support
limited frame decoding. Also, to snoop traffic, the existing analyzers disrupt the traffic on the link while
the analyzer is inserted into the link.
Cisco has brought protocol analysis within a storage network to a new level with the Cisco Fabric
Analyzer. You can capture Fibre Channel control traffic from a switch and decode it without having to
disrupt any connectivity, and without having to be local to the point of analysis.
The Cisco Fibre Channel protocol analyzer is based on two popular public-domain software
applications:
libpcap: See http://www.tcpdump.org.
Ethereal: See http://www.ethereal.com.

Note The Cisco Fabric Analyzer is useful in capturing and decoding control traffic, not data traffic. It is
suitable for control path captures, and is not intended for high-speed data path captures.

About the Cisco Fabric Analyzer


The Cisco Fabric Analyzer consists of two separate components (see Figure 66-15):
Software that runs on the Cisco MDS 9000 Family switch and supports two modes of capture:
A text-based analyzer that supports local capture and decodes captured frames
A daemon that supports remote capture
GUI-based client that runs on a host that supports libpcap such as Windows or Linux and
communicates with the remote capture daemon in a Cisco MDS 9000 Family switch.


Figure 66-15 Cisco Fabric Analyzer Use

[Figure: remote mode (GUI output) and local mode (textual output). Diagram labels: FC analyzer, IP network, RS-232 (serial console), 10/100 Ethernet (OOB Mgmt), Fibre Channel fabric.]

Local Text-Based Capture


This component is a command-line driven text-based interface that captures traffic to and from the
supervisor module in a Cisco MDS 9000 Family switch. It is a fully functional decoder that is useful for
quick debug purposes or for use when the remote capture daemon is not enabled. Additionally, because
this tool is accessed from within the Cisco MDS 9000 Family switch, it is protected by the roles-based
policy that limits access in each switch.

Remote Capture Daemon


This daemon is the server end of the remote capture component. The Ethereal analyzer running on a host
is the client end. They communicate with each other using the Remote Capture Protocol (RPCAP).
RPCAP uses two endpoints: a TCP-based control connection and a data connection that runs over
TCP (default) or UDP. The control connection is used to remotely control the captures (start or
stop the capture, or specify capture filters). Remote capture can only be performed to explicitly
configured hosts. This technique prevents an unauthorized machine in the network from snooping on the
control traffic in the network.
RPCAP supports two setup connection modes based on firewall restrictions.
Passive mode (default): The configured host initiates connection to the switch. Multiple hosts can
be configured to be in passive mode and multiple hosts can be connected and receive remote captures
at the same time.
Active mode: The switch initiates the connection to a configured host, one host at a time.


Using capture filters, you can limit the amount of traffic that is actually sent to the client. Capture filters
are specified at the client end (on Ethereal), not on the switch.

GUI-Based Client
The Ethereal software runs on a host, such as a PC or workstation, and communicates with the remote
capture daemon. This software is available in the public domain from http://www.ethereal.com. The
Ethereal GUI front-end supports a rich interface such as a colorized display, graphical assists in defining
filters, and specific frame searches. These features are documented on Ethereal's website.
While remote capture through Ethereal supports capturing and decoding Fibre Channel frames from a
Cisco MDS 9000 Family switch, the host running Ethereal does not require a Fibre Channel connection
to the switch. The remote capture daemon running on the switch sends the captured frames over the
out-of-band Ethernet management port. This capability allows you to capture and decode Fibre Channel
frames from your desktop or laptop.

Configuring the Cisco Fabric Analyzer


You can configure the Cisco Fabric Analyzer to perform one of two captures.
Local capture: A local capture cannot be saved to persistent storage or synchronized to standby.
It launches the textual version of the fabric analyzer directly on the console screen. The capture can
also be saved on the local file system.
Remote capture: A remote capture can be saved to persistent storage. It can be synchronized to the
standby supervisor module and a stateless restart can be issued, if required.
To use the Cisco Fabric Analyzer feature, traffic should be flowing to or from the supervisor module.


Sending Captures to Remote IP Addresses

Caution You must use the eth2 interface to capture control traffic on a supervisor module.

To capture remote traffic, use one of the following options:


The capture interface can be specified in Ethereal as the remote device:
rpcap://<ipaddress or switch hostname>/eth2

For example:
rpcap://cp-16/eth2
rpcap://17.2.1.1/eth2

The capture interface can be specified either in the capture dialog box or by using the -i option at
the command line when invoking Ethereal.
ethereal -i rpcap://<ipaddress|hostname>[:<port>]/<interface>

For example:
ethereal -i rpcap://172.22.1.1/eth2

or
ethereal -i rpcap://customer-switch.customer.com/eth2

Note For example, in a Windows 2000 setup, click Start on your desktop and select Run. In the
resulting Run window, type the required command line option in the Open field.
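
The following is an added example, not part of the Cisco guide. It parses capture interface strings of the form rpcap://<ipaddress|hostname>[:<port>]/<interface> and reports any that do not name the eth2 interface required by the Caution above or that point at a host outside a known switch inventory. The inventory contents and the rejected sample URLs are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# The Caution above requires eth2 for control traffic on a supervisor module.
CAPTURE_INTERFACE = "eth2"


@dataclass(frozen=True)
class RpcapTarget:
    host: str
    port: Optional[int]
    interface: str


def parse_rpcap_url(url):
    """Parse rpcap://<ipaddress|hostname>[:<port>]/<interface>."""
    parts = urlsplit(url.strip())
    if parts.scheme != "rpcap":
        raise ValueError("scheme is not rpcap")
    if parts.username is not None or parts.password is not None:
        raise ValueError("user information is not part of the documented form")
    if not parts.hostname:
        raise ValueError("missing switch address or hostname")
    if parts.query or parts.fragment:
        raise ValueError("unexpected query or fragment")
    port = parts.port  # raises ValueError for a non-numeric or oversized port
    interface = parts.path.strip("/")
    if not interface or "/" in interface:
        raise ValueError("expected exactly one interface name after the host")
    return RpcapTarget(parts.hostname, port, interface)


def check_targets(urls, known_switches):
    """Return (url, problem) pairs for capture strings that should not be used."""
    known = {name.lower() for name in known_switches}
    problems = []
    for url in urls:
        try:
            target = parse_rpcap_url(url)
        except ValueError as exc:
            problems.append((url, str(exc)))
            continue
        if target.interface != CAPTURE_INTERFACE:
            problems.append(
                (url, f"interface {target.interface} is not {CAPTURE_INTERFACE}"))
        if target.host not in known:
            problems.append(
                (url, f"host {target.host} is not in the switch inventory"))
    return problems


# The first two strings are the examples from this section; the remaining
# three and the inventory are constructed for this example.
SAMPLE_URLS = [
    "rpcap://cp-16/eth2",
    "rpcap://172.22.1.1/eth2",
    "rpcap://172.22.1.1/eth0",
    "rpcap://198.51.100.7/eth2",
    "http://172.22.1.1/eth2",
]
SAMPLE_INVENTORY = {"cp-16", "172.22.1.1"}

if __name__ == "__main__":
    for url, problem in check_targets(SAMPLE_URLS, SAMPLE_INVENTORY):
        print(f"{url}: {problem}")
```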

Displaying Captured Frames


You can selectively view captured frames by using the display filters feature. For example, instead of
viewing all the frames from a capture, you may only want to view Exchange Link Protocol (ELP) request
frames. This feature only limits the captured view; it does not affect the captured or the saved frames.
Procedures to specify, use, and save display filters are already documented on the Ethereal website
(http://www.ethereal.com). Some examples of how you can use this feature are as follows:
To view all packets in a specified VSAN, use this expression:
mdshdr.vsan == 2

To view all SW_ILS frames, use this expression:


fcswils

To view class F frames, use this expression:


mdshdr.sof == SOFf

To view all FSPF frames, use this expression:


swils.opcode == HLO || swils.opcode == LSU || swils.opcode == LSA

To view all FLOGI frames, use this expression:


fcels.opcode == FLOGI


To view all FLOGI frames in VSAN 1, use this expression:


fcels.opcode == FLOGI && mdshdr.vsan == 1

To view all name server frames, use this expression:


dNS

Defining Display Filters


Display filters limit the frames that can be displayed, but not what is captured (similar to any view
command). The filters to be displayed can be defined in multiple ways in the GUI application:
Auto-definition
Manual definition
Assisted manual definition
Only manual definition in local capture
No assists
Regardless of the definition, each filter must be saved and identified with a name.

Note: This GUI-assisted feature is part of Ethereal and you can obtain more information from
http://www.ethereal.com.

Capture Filters
You can limit what frames are captured by using the capture filters feature in a remote capture. This
feature limits the frames that are captured and sent from the remote switch to the host. For example, you
can capture only class F frames. Capture filters are useful in restricting the amount of bandwidth
consumed by the remote capture.
Unlike display filters, capture filters restrict a capture to the specified frames. No other frames are visible
until you specify a completely new capture.
The syntax for capture filters is different from the syntax for display filters. Capture filters use the
Berkeley Packet Filter (BPF) library that is used in conjunction with the libpcap freeware. The list of all
valid Fibre Channel capture filter fields is provided later in this section.
Procedures to configure capture filters are already documented on the Ethereal website
(http://www.ethereal.com). Some examples of how you can use this feature are as follows:

• To capture frames only on a specified VSAN, use this expression:
  vsan = 1

• To capture only class F frames, use this expression:
  class_f

• To capture only Fibre Channel ELS frames, use this expression:
  els

• To capture only name server frames, use this expression:
  dns

• To capture only SCSI command frames, use this expression:
  fcp_cmd

Note: This feature is part of libpcap and you can obtain more information from http://www.tcpdump.org.

Permitted Capture Filters


This section lists the permitted capture filters.
• vsan
• src_port_idx
• dst_port_idx
• sof
• r_ctl
• d_id
• s_id
• type
• seq_id
• seq_cnt
• ox_id
• rx_id
• els
• swils
• fcp_cmd (FCP Command frames only)
• fcp_data (FCP data frames only)
• fcp_rsp (FCP response frames only)
• class_f
• bad_fc
• els_cmd
• swils_cmd
• fcp_lun
• fcp_task_mgmt
• fcp_scsi_cmd
• fcp_status
• gs_type (Generic Services type)
• gs_subtype (Generic Services subtype)
• gs_cmd
• gs_reason
• gs_reason_expl
• dns (name server)
• udns (unzoned name server)
• fcs (fabric configuration server)
• zs (zone server)
• fc (use as fc[x:y] where x is offset and y is length to compare)
• els (use as els[x:y] similar to fc)
• swils (use as swils[x:y] similar to fc)
• fcp (use as fcp[x:y] similar to fc)
• fcct (use as fcct[x:y] similar to fc)
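
Because capture filters and display filters use different syntax, a display-filter expression pasted into the capture filter field is an easy mistake to make. The following Python pre-check is an added example, not part of the Cisco guide or of Ethereal/libpcap: it only compares the names in an expression against the permitted list above and does not parse the full BPF grammar. It assumes the standard libpcap boolean keywords (and, or, not) are accepted and that field names are lowercase as listed; the sample expressions are constructed.

```python
import re

# Field names copied from the "Permitted Capture Filters" list above.
PERMITTED_FIELDS = {
    "vsan", "src_port_idx", "dst_port_idx", "sof", "r_ctl", "d_id", "s_id",
    "type", "seq_id", "seq_cnt", "ox_id", "rx_id", "els", "swils", "fcp_cmd",
    "fcp_data", "fcp_rsp", "class_f", "bad_fc", "els_cmd", "swils_cmd",
    "fcp_lun", "fcp_task_mgmt", "fcp_scsi_cmd", "fcp_status", "gs_type",
    "gs_subtype", "gs_cmd", "gs_reason", "gs_reason_expl", "dns", "udns",
    "fcs", "zs", "fc", "fcp", "fcct",
}

# Assumption: the standard libpcap boolean keywords are accepted by the switch.
BOOLEAN_WORDS = {"and", "or", "not"}

# Numbers (hex or decimal) are matched first so "0x22" is not read as a name.
_TOKEN = re.compile(r"0[xX][0-9a-fA-F]+|\d+|[A-Za-z_][A-Za-z0-9_.]*")


def check_capture_filter(expression):
    """Return (token, problem) pairs; an empty list means no name was rejected."""
    problems = []
    for token in _TOKEN.findall(expression):
        if token[0].isdigit() or token in BOOLEAN_WORDS or token in PERMITTED_FIELDS:
            continue
        if "." in token:
            # Dotted names such as mdshdr.vsan belong to display filters.
            problems.append((token, "display-filter field name, not a capture filter field"))
        elif token.lower() in PERMITTED_FIELDS:
            problems.append((token, "capture filter fields are lowercase: " + token.lower()))
        else:
            problems.append((token, "not in the permitted capture filter list"))
    return problems


if __name__ == "__main__":
    # Constructed sample expressions: the first two are capture filters,
    # the last two are display filters used in the wrong place.
    samples = [
        "vsan = 1",
        "vsan = 1 and fc[0:1] = 0x22",
        "fcels.opcode == FLOGI && mdshdr.vsan == 2",
        "dNS",
    ]
    for expr in samples:
        result = check_capture_filter(expr)
        print(expr, "->", "ok" if not result else result)
```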

Configuring World Wide Names


The world wide name (WWN) in the switch is equivalent to the Ethernet MAC address. As with the MAC
address, you must uniquely associate the WWN to a single device. The principal switch selection and
the allocation of domain IDs rely on the WWN. The WWN manager, a process-level manager residing
on the switch's supervisor module, assigns WWNs to each switch.
Cisco MDS 9000 Family switches support three network address authority (NAA) address formats (see
Table 66-1).

Table 66-1 Standardized NAA WWN Formats

NAA Address          NAA Type        WWN Format
IEEE 48-bit address  Type 1 = 0001b  000 0000 0000b            48-bit MAC address
IEEE extended        Type 2 = 0010b  Locally assigned          48-bit MAC address
IEEE registered      Type 5 = 0101b  IEEE company ID: 24 bits  VSID: 36 bits

Caution: Changes to the world-wide names should be made by an administrator or individual who is completely
familiar with switch operations.

Link Initialization WWN Usage


Exchange Link Protocol (ELP) and Exchange Fabric Protocol (EFP) use WWNs during link
initialization. The usage details differ based on the Cisco SAN-OS or Cisco NX-OS software release:
Both ELPs and EFPs use the VSAN WWN by default during link initialization. However, the ELP usage
changes based on the peer switch's usage:
• If the peer switch ELP uses the switch WWN, then the local switch also uses the switch WWN.
• If the peer switch ELP uses the VSAN WWN, then the local switch also uses the VSAN WWN.

Note: As of Cisco NX-OS Release 4.1(1), the ELP is enhanced to be compliant with FC-SW-3.

Configuring a Secondary MAC Address


To allocate a secondary MAC address, follow these steps:

Step 1 Select a SAN (or a VSAN) from the Logical Domains pane.
You see a list of switches in the Information pane.
Step 2 Expand Switches, expand FC Services and select WWN Manager in the Physical Attributes pane.
Step 3 In the Information pane, scroll until you see the switch on which you want to configure a secondary MAC
address (see Figure 66-16).

Figure 66-16 Setting Secondary MAC Addresses

Step 4 Enter the secondary MAC address in the Secondary Mac Base field.
Step 5 Enter the range for the secondary MAC address in the Secondary Mac Range field.
Step 6 Click the Apply Changes icon.

Displaying WWN Information


To display the status of the WWN configuration, follow these steps:

Step 1 Select a SAN (or a VSAN) from the Logical Domains pane.
You see a list of switches in the Information pane.
Step 2 Choose Switches > FC Services > WWN Manager from the Physical Attributes pane.
You see the WWN information for each switch in the SAN or VSAN.

FC ID Allocation for HBAs


Fibre Channel standards require a unique FC ID to be allocated to an N port attached to an Fx port in any
switch. To conserve the number of FC IDs used, Cisco MDS 9000 Family switches use a special
allocation scheme.
Some HBAs do not discover targets that have FC IDs with the same domain and area. Prior to Cisco
SAN-OS Release 2.0(1b), the Cisco SAN-OS software maintained a list of tested company IDs which
do not exhibit this behavior. These HBAs were allocated with single FC IDs, and for others a full area
was allocated.
The FC ID allocation scheme available in Release 1.3 and earlier allocates a full area to these HBAs.
This allocation isolates them to that area, and they are listed with their pWWN during a fabric login. The
allocated FC IDs are cached persistently and are still available in Cisco SAN-OS Release 2.0(1b) and
later releases (see the "FC ID Allocation for HBAs" section).
As of Cisco SAN-OS Release 2.0(1b) and Cisco NX-OS Release 4.1(1), to allow further scalability for
switches with numerous ports, the Cisco SAN-OS and NX-OS software maintains a list of HBAs
exhibiting this behavior. Each HBA is identified by its company ID (also known as Organizational Unit
Identifier, or OUI) used in the pWWN during a fabric login. Hence a full area is allocated to the N ports
with company IDs that are listed, and for the others, a single FC ID is allocated. Irrespective of the kind
(whole area or single) of FC ID allocated, the FC ID entries remain persistent.
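
The following Python sketch is an added example, not part of the Cisco guide or of Cisco software. It decodes the three NAA formats of Table 66-1, applies the company-ID rule described above for Cisco SAN-OS Release 2.0(1b) and later, and reports any WWN that an inventory associates with more than one device. The company-ID list, device names, and sample WWNs are constructed for illustration; the switch's actual list is not given in this guide.

```python
import re

# NAA types from Table 66-1.
NAA_FORMATS = {1: "IEEE 48-bit address", 2: "IEEE extended", 5: "IEEE registered"}

# Constructed company-ID list for the demo (assumption, not the switch's list).
FULL_AREA_COMPANY_IDS = {0x0000C9}

_WWN_RE = re.compile(r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}")


def parse_wwn(text):
    """Decode a 64-bit WWN written as eight colon-separated hex bytes."""
    wwn = text.strip().lower()
    if not _WWN_RE.fullmatch(wwn):
        raise ValueError(f"not an 8-byte colon-separated WWN: {text!r}")
    value = int(wwn.replace(":", ""), 16)
    naa = value >> 60  # top 4 bits select the format
    if naa not in NAA_FORMATS:
        raise ValueError(f"NAA type {naa} is not one of the formats in Table 66-1")
    info = {"wwn": wwn, "naa": naa, "format": NAA_FORMATS[naa]}
    if naa == 5:
        # Type 5: 24-bit IEEE company ID followed by a 36-bit VSID.
        info["company_id"] = (value >> 36) & 0xFFFFFF
        info["vsid"] = value & 0xFFFFFFFFF
    else:
        # Types 1 and 2: 12 bits (zero or locally assigned), then a 48-bit MAC.
        local = (value >> 48) & 0xFFF
        if naa == 1 and local != 0:
            raise ValueError("Type 1 requires the 12 bits after the NAA to be zero")
        info["locally_assigned"] = local
        info["mac"] = value & 0xFFFFFFFFFFFF
        info["company_id"] = info["mac"] >> 24  # OUI is the top 24 bits of the MAC
    return info


def fcid_allocation(pwwn, full_area_ids=FULL_AREA_COMPANY_IDS):
    """Listed company IDs get a full area; all others get a single FC ID."""
    listed = parse_wwn(pwwn)["company_id"] in full_area_ids
    return "full area" if listed else "single FC ID"


def duplicate_wwns(inventory):
    """Map each WWN claimed by more than one device to the sorted device names."""
    owners = {}
    for device, wwn in inventory:
        owners.setdefault(parse_wwn(wwn)["wwn"], set()).add(device)
    return {wwn: sorted(devs) for wwn, devs in owners.items() if len(devs) > 1}


if __name__ == "__main__":
    # Constructed inventory: host-b repeats host-a's WWN in a different case.
    inventory = [
        ("host-a", "10:00:00:00:C9:2B:5B:DC"),
        ("host-b", "10:00:00:00:c9:2b:5b:dc"),
        ("switch-1", "20:01:00:05:30:00:12:34"),
        ("array-1", "50:06:01:60:3b:a0:11:22"),
    ]
    for device, wwn in inventory:
        info = parse_wwn(wwn)
        print(device, info["format"], f"company ID {info['company_id']:06x}",
              fcid_allocation(wwn))
    print("duplicates:", duplicate_wwns(inventory))
```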

Default Settings
Table 66-2 lists the default settings for the features included in this chapter.

Table 66-2 Default Settings for Advanced Features

Parameters                                   Default
CIM server                                   Disabled
CIM server security protocol                 HTTP
D_S_TOV                                      5,000 milliseconds
E_D_TOV                                      2,000 milliseconds
R_A_TOV                                      10,000 milliseconds
Time-out period to invoke fctrace            5 seconds
Number of frames sent by the fcping feature  5 frames
Remote capture connection protocol           TCP
Remote capture connection mode               Passive
Local capture frame limits                   10 frames
FC ID allocation mode                        Auto mode
Loop monitoring                              Disabled

CHAPTER 67
Management Software FAQ

This chapter answers some of the most frequently asked questions about Cisco Fabric Manager and
Device Manager. This chapter contains the following topics:
• Installation Issues
  - When installing Fabric Manager from Windows, why does clicking install fail?
  - Why do I have trouble launching Fabric Manager on Solaris?
  - What do I do if my browser prompts to save JNLP files?
  - What do I do if I see a "Java Web Start not detected" error?
  - What do I do if my desktop shortcuts are not visible?
  - How do I upgrade to a newer version of Fabric Manager or Device Manager?
  - How do I downgrade Fabric Manager or Device Manager?
  - What do I do if an upgrade is not working?
  - What do I do if Java Web Start hangs on the download dialog?
  - How do I manually configure a browser for Java Web Start?
  - How do I run Java Web Start from the command line?
  - How do I clear the Java Web Start cache?
  - What do I do if my login does not work in Fabric Manager or Device Manager?
  - What do I do if I cannot install Fabric Manager or Device Manager, or run Java, when pcAnyWhere is running?
  - What do I do if the Fabric Manager or Performance Manager service shows up as disabled in the Services menu?
  - What do I do if I am unable to install Fabric Manager or Device Manager, or run Java, when McAfee Internet Suite 6.0 Professional is running?
• General
  - What do I do if I see errors while monitoring Area chart graphing?
  - What do I do if I see "gen error" messages?
  - What do I do if disk images in the Device Manager Summary View are not visible?
  - What do I do if I am unable to set both the D_S_TOV and E_D_TOV timers in Device Manager?
  - What do I do if columns in Device Manager tables are too small?

  - What do I do if fabric changes are not propagated onto the map (for example, links don't disappear)?
  - What do I do if the PortChannel creation dialog becomes too small after several uses?
  - What do I do if I see errors after IPFC configuration?
  - What do I do if Fabric Manager or Device Manager is using the wrong network interface?
  - What do I do if I see display anomalies in Fabric Manager or Device Manager?
  - Why is the active zone set in edit zone always shown in bold (even after successful activation)?
  - Can I create a zone with prefix IVRZ or a zone set with name nozonset?
  - What do I do when One-Click License Install fails, and I cannot connect to the Cisco website?
  - What do I do when Fabric Manager client and Device Manager cannot connect to the switch?
  - How do I increase the log window size in Fabric Manager Client?
  - What do I do when the FM Server Database fails to start or has a file locking error?
• Windows Issues
  - What do I do when text fields show up too small, and I cannot enter any data?
  - What do I do when printing causes an application crash?
  - What do I do when Windows XP hangs (or I see a blue screen)?
  - What do I do when Fabric Manager and Device Manager Icons Disappear?
  - What do I do when Device Manager or Fabric Manager window content disappears in Windows XP?
  - What do I do when SCP/SFTP fails when a file is copied from local machine to the switch?
• UNIX Issues
  - What do I do when the parent Menus Disappear?
  - What do I do when the web browser cannot find web server even though it is running?
  - How do I fix a "too many open files" error?
• Other
  - How do I set the map layout so it stays after Fabric Manager is restarted?
  - What do I do when two switches show on the map, but there is only one switch?
  - What does a red/orange/dotted line through the switch mean?
  - How do I upgrade without losing map settings?
  - How do I preserve historical data when moving Fabric Manager server to new host?
  - Are there restrictions when using Fabric Manager across FCIP?
  - How do I fix a "Please insure that FM server is running on localhost" message?
  - How do I run Cisco Fabric Manager with multiple interfaces?
  - How do I configure an HTTP proxy server?

  - How do I clear the topology map?
  - How can I use Fabric Manager in a mixed software environment?
  - How do I fix a "corrupted jar file" error when Launching Fabric Manager?
  - How do I search for Devices in a Fabric?
  - How does Fabric Manager Server licensing work?
  - How do I manage Multiple Fabrics?
  - How can I clear an Orange X Through a Switch caused by license expiration?

Installation Issues

When installing Fabric Manager from Windows, why does clicking install fail?
To make sure that Java Web Start is installed properly, follow these steps:

Step 1 Go to the Programs menu and see if Java Web Start is there.
Step 2 Start the Java Web Start program to make sure there is no problem with the Java Runtime installation.
Step 3 Click the Preferences tab, and make sure the proxy settings are correct for Web Start.
Step 4 Check that your browser is set up to handle JNLP settings properly (see the "How do I manually
configure a browser for Java Web Start?" section).

If you had older versions of the application and you see an error pop-up window saying "cannot open the
JNLP file" (in the error details), this could be because the Java Web Start cache is corrupted. To work
around this, clear the cache and retry. To clear the cache, see the "How do I clear the Java Web Start
cache?" section.

Why do I have trouble launching Fabric Manager on Solaris?


If you are using Solaris 2.8 and are logged in as root and are using Netscape Navigator 6, you will not
be able to register the mime-type. Regular users can register the mime-type with Netscape Navigator 6
by manually adding it. Netscape 4.x works fine for all users.

What do I do if my browser prompts to save JNLP files?


Your browser may not be set up to launch Java Web Start for JNLP mime types. Java Web Start is
probably not installed or configured properly (see the "How do I manually configure a browser for Java
Web Start?" section).

What do I do if I see a "Java Web Start not detected" error?


If you installed Java Web Start but still see an error message (in red) saying "Java Web Start not
detected..." on the switch home page, it could be a simple JavaScript error. We try to detect a Java Web
Start installation by running some JavaScript code tested for Internet Explorer and Mozilla (newer
versions). On some browsers (for example, Netscape 6.0, Opera) this code does not work properly
although the links still work.
• First, try clicking on the install links.
• If that does not work, check to see if the browser helper applications settings are correct (for
  example, for Netscape 6.0 Edit > Preferences > Navigator > Helper Applications). See the "How
  do I manually configure a browser for Java Web Start?" section.

What do I do if my desktop shortcuts are not visible?


For Windows 2000 and Windows NT, we create Program Menu entries (under a new Cisco MDS 9000
program menu) and desktop shortcuts for Fabric Manager and Device Manager. The desktop shortcuts
and start menu entries for Fabric Manager and Device Manager are called FabricManager and
DeviceManager respectively. In other versions of Windows, including XP, we just create batch files on
the desktop called FabricManager.bat and DeviceManager.bat. For UNIX, we create shell scripts called
FabricManager.sh and DeviceManager.sh under the $HOME/.cisco_mds9000/bin directory. Note that on
Windows, when installations are run under Mozilla variants of browsers, the desktop shortcuts do not get
created. The workaround is to manually create desktop shortcuts.

How do I upgrade to a newer version of Fabric Manager or Device Manager?


To upgrade to a newer version of Fabric Manager or Device Manager, follow these steps:

Step 1 Close all running instances of Fabric Manager or Device Manager.
Step 2 Point your browser at the switch running the new version and click the appropriate install link. Fabric
Manager or Device Manager prompts you to upgrade if the switch is running a newer version.
The installer checks your local copies and updates any newer versions of the software.

How do I downgrade Fabric Manager or Device Manager?


As of Cisco MDS NX-OS Release 4.x, downgrades are not supported through the installer. To downgrade
Fabric Manager or Device Manager to an earlier release, you need to manually uninstall first and then
install the previous version of Fabric Manager or Device Manager.

What do I do if an upgrade is not working?


If you are trying to upgrade because Fabric Manager or Device Manager prompted you saying that the
switch version is higher, and the upgrade failed, it might be because your default browser settings are
incorrect. Some error must have occurred during your last browser upgrade/install. To work around this,
launch the browser independently and click on install.

On rare occasions, we have seen the upgrade happen but the version does not change. This is because of
HTTP caching in the network. During the upgrade, HTTP requests for files on the switch get cached in
the local machine. Even though the switch is in a higher version, the management software installed is
at the old version. The workaround for this is to uninstall the Fabric/Device Manager, clear the Java Web
Start cache, and then do a clean install.

What do I do if Java Web Start hangs on the download dialog?


To make sure Java Web Start is set up to access the switch in the same way your browser is set up, follow
these steps:

Step 1 Start Java Web Start (javaws.exe or javaws). You see the Java Web Start Application Manager.
Step 2 Choose File > Preferences > General and make sure your proxy settings are correct. For example, if
you are using an HTTP proxy, set it up here.
Step 3 Choose Use Browser.
Step 4 Click OK.

How do I manually configure a browser for Java Web Start?


For browsers like Opera, certain versions of Mozilla, or Konqueror, you must manually register Java Web
Start as the helper application for the JNLP files. To do this, the data you need is:
Description=Java Web Start
File Extension=jnlp
Mime Type=application/x-java-jnlp-file
Application=path-to-javaws (e.g. /usr/local/javaws/javaws)
After setting this up, you may need to restart the browser. If you see "Java Web Start not detected"
warnings, you can ignore them. These warnings are based on JavaScript, and not all browsers behave
well with JavaScript. Click on the install links to install Fabric Manager or Device Manager.

Note: For Windows users: To set up Java Web Start on *.jnlp files, select Windows Explorer > Tools > Folder
Options > File Types. Either change the existing setting for JNLP or add one so that *.jnlp files are
opened by javaws.exe. This executable is under Program Files\Java Web Start.

How do I run Java Web Start from the command line?


If you cannot get your browser to run Java Web Start, you can still run Java Web Start from the command
line (javaws.exe or javaws) giving it the URL of the Fabric Manager or Device Manager on the switch
as an argument. For example, if your switch IP address is 10.0.0.1, you would use these commands to
start Fabric Manager and Device Manager:
javaws http://10.0.0.1/cgi-bin/fabric-manager.jnlp
javaws http://10.0.0.1/cgi-bin/element-manager.jnlp

How do I clear the Java Web Start cache?


To clear the Java Web Start cache, follow these steps:

Step 1 Start the Java Web Start Application Manager (javaws.exe or javaws).
Step 2 Go to File > Preferences > Advanced and clear the applications folder or cache. You can manually
delete the .javaws or cache directory. On Windows this is under Documents and Settings, and on UNIX
this is under $HOME.

What do I do if during a Fabric Manager upgrade, the installer doesn't display a prompt to create a shortcut?
Clear the Java Web Start cache as described in "How do I clear the Java Web Start cache?" in this chapter.

What do I do if my login does not work in Fabric Manager or Device Manager?


Make sure you have done the Initial Setup Routine on the switch. Refer to the Cisco MDS 9000 Family
Configuration Guide. Quick checks:
• Make sure that the management interface on the switch is up (show interface mgmt0).
• Check whether you can connect to the management interface (ping).
• Verify the username is valid (show snmp user). You can also add/edit the users through the CLI.
• If you have multiple network interfaces, see the "What do I do if Fabric Manager or Device Manager
  is using the wrong network interface?" section.

What do I do if I cannot install Fabric Manager or Device Manager, or run Java, when pcAnyWhere is running?
You can either stop the pcAnyWhere service and install Fabric Manager or Device Manager, or
install/update DirectX. For more information, refer to the website at http://java.sun.com/

What do I do if the Fabric Manager or Performance Manager service shows up as disabled in the Services menu?
This could happen if:
• The service menu for Fabric Manager or Performance Manager was open during an
  uninstall/upgrade.
• The Fabric Manager client or Device Manager was running while doing an uninstall/upgrade.
This error happens when Windows is unable to delete a service completely. A reboot of the host should
fix the problem.

What do I do if I am unable to install Fabric Manager or Device Manager, or run Java, when McAfee Internet Suite 6.0 Professional is running?
The McAfee internet suite comes with a virus scanner, firewall, antispam, and privacy management. The
privacy management can interfere with the Fabric Manager server-client interactions. To work around
this, you must shut down the privacy service.

General

What do I do if I see errors while monitoring Area chart graphing?


When doing the area chart graphing from the monitor window, if you move the mouse over the Area chart
before the first data comes back, you see a java.lang.ArrayIndexOutOfBoundsException error on the
message log from JChart getX(). This is because JChart tries to locate a value that does not exist yet.
This might be fixed in a future version of JChart.

What do I do if I see "gen error" messages?


Usually a "gen error" means that the SNMP agent on the switch had an unexpected error in the process
of serving an SNMP request. However, when you are accessing the switch through a VPN connection or
any sort of NAT scheme, all errors are reported as "gen error". This is a known problem and will be fixed
in a future release. You can verify whether this was the reason behind your "gen error" by trying to
reproduce this error in an environment where there is no network address translation (where you are on
the same network as the switch).

What do I do if disk images in the Device Manager Summary View are not visible?
On some occasions the Summary View table in the Device Manager does not show the icons for disks
attached to an Fx port. This is because the FC4 features are empty for this port. A LUN discovery must
be issued to discover information about these hosts/disks that do not register their FC4 types. You can
do this in the Device Manager by clicking FC > Advanced > LUNs.

What do I do if I am unable to set both the D_S_TOV and E_D_TOV timers in Device Manager?
If you modify both E_D_TOV and D_S_TOV at the same time, and the new D_S_TOV value is larger
than the old E_D_TOV value, you will get a WrongValue error. To work around this, you must change
the values separately.

What do I do if columns in Device Manager tables are too small?


If Device Manager is trying to display a large table and your switch is running slowly, the table will come
up with the tabs being hidden. To work around this, you must resize the window to see the data.

What do I do if fabric changes are not propagated onto the map (for example, links don't disappear)?
Fabric Manager shows that a device or port is down by displaying a red cross on that port or device.
However, Fabric Manager does not remove any information that's already discovered. You must
rediscover to correctly update the map.

What do I do if the PortChannel creation dialog becomes too small after several uses?
After several uses, the MemberList TextBox (in the PortChannel Create Window) does not display as it
should. It changes from a long TextBox with a ComboBox for choosing ports, to a small square TextBox
that is too small to choose ports. This is a known problem and will be fixed in a future release. To work
around this problem, stop and restart Fabric Manager or Device Manager.

What do I do if I see errors after IPFC configuration?


When IPFC and out of band management are configured, the Device Manager might not work using
SNMPv3 if you use the IPFC address. The workaround is either to use the management interface
(mgmt0) address, or to use SNMPv1/v2c over IPFC.

What do I do if Fabric Manager or Device Manager is using the wrong network interface?
The problem happens because the underlying Java library picks a local interface arbitrarily. To work
around this, supply a command line argument before starting the Fabric/Device Manager. In the desktop
shortcut or shell script or batch file, add the following parameter: "-Dmds.nmsAddress="

For example, in Windows the line looks like ".javaw.exe -Dmds.nmsAddress=X.X.X.X -cp
.".

In desktop shortcuts, this length could exceed the maximum characters allowed. If this happens, delete
the "-Dsun.java2d.ddoffscreen=false" portion to make more space. Newer versions of Fabric Manager
(Release 1.2 and later) allow you to pick a preferred network interface.

What do I do if I see display anomalies in Fabric Manager or Device Manager?


If you see Fabric Manager or Device Manager submenus detached from menus, the mouse pointer in
Fabric Manager Map is slow to react to mouse movement, or a wrong tooltip is displayed, these are
display anomalies, not problems with Fabric Manager or Device Manager.

Some older video cards exhibit these display anomalies. To fix this, first try updating the video drivers.
If this doesn't solve the problem, replace the video card.

What do I do if most of my Physical Attributes categories disappear?


You have somehow turned off advanced features. Look for the check box Advanced Features in the upper
right of the Fabric Manager screen. Check the box.

What do I do if I can't see the Information pane?


The information pane should be in the upper half of the screen above the map in Fabric Manager. The
map may be covering it. Drag the edge of the map window down or use the black triangles to reorganize
the display.

Why is the active zone set in edit zone always shown in bold (even after successful activation)?
A member of this VSAN must be participating in IVR zoning. Because the IVR zones get added to active
zones, the active zone set configuration is always different from the local zone set configuration with the
same name. The zone set name is always bold.

Can I create a zone with prefix IVRZ or a zone set with name nozonset?
Do not use these special names. These names are used by the system for identifying IVR zones.

What do I do when One-Click License Install fails, and I cannot connect to the Cisco website?
The one-click license install tries to open an HTTP connection to the Cisco website. If you do your
browsing using an HTTP proxy, then the following command-line variables need to be added to your
Fabric Manager client scripts:
-Dhttps.proxyHost and -Dhttps.proxyPort.

In case your one-click install URL starts with "http://" (and not "https://"), the variables are:
-Dhttp.proxyHost and -Dhttp.proxyPort.

For example, in Windows, edit the MDS 9000\bin\FabricManager.bat file and add to the JVMARGS
"-Dhttps.proxyHost=HOSTADDRESS -Dhttps.proxyPort=HOSTPORT".

What do I do when Fabric Manager client and Device Manager cannot connect to the switch?
Fabric Manager or Device Manager using SNMPv3 at Cisco MDS SAN-OS Release 1.3(3) or earlier
can't manage a switch running Release 1.3(4) or later. This might affect a software upgrade using Fabric
Manager from Release 1.3(3) to Release 1.3(4).

How do I increase the log window size in Fabric Manager Client?


To limit the memory usage by FM Client, the log window is limited to 500 lines by default. If you want
to increase this, edit sm.properties in the <install directory>/db/<user> directory and change
LogBufferSize.

What do I do when the FM Server Database fails to start or has a file locking error?
In the database log (FMPersist.log) you will see an error message "The database is already in use by
another process". The HsqlDB 1.7.1 version has this problem. The file lock problem seems to happen
occasionally, and can be resolved by shutting down and restarting the database server. On Windows this can be done
by stopping and starting the FMPersist service, and on UNIX by running the FMPersist.sh script with the
argument restart.

How do I re-synchronize Fabric Manager Client with Fabric Manager Server?


On some occasions, when the Fabric Manager Client is not in sync with the Fabric Manager Server, you
may need to re-synchronize the client and server. To re-synchronize Fabric Manager Client with Fabric
Manager Server, click Resync All Open Fabrics from the File menu.

How do I rediscover the current fabric?


When the Fabric Manager Server is not in sync with the switches in the fabric, you may need to initiate
an on-demand discovery to update the Fabric Manager Client with the most recent changes from the
switches in the fabric. To rediscover the fabric switches, click Rediscover from the File menu.

How do I rediscover SCSI Targets?


When the Fabric Manager Server is not in sync with the SCSI Target switches in the fabric, you may
need to initiate an on-demand discovery to update the Fabric Manager Client with the most recent
changes from the SCSI Target switches in the fabric. To rediscover the fabric switches, click Rediscover
SCSI Targets from the File menu.

Windows Issues

What do I do when text fields show up too small, and I cannot enter any data?
When Reflection X is running, certain text fields in the Fabric Manager and Device Manager are not
rendered to the full width of the field. Resize the dialog box to see the text fields properly.

What do I do when printing causes an application crash?


On Windows NT there is a known Sun JVM bug - the printservice crashes the VM. The solution
suggested by Sun is to update NT with SP 6. For more details refer to:
http://developer.java.sun.com/developer/bugParade/bugs/4530428.html.

What do I do when Windows XP hangs (or I see a blue screen)?


Windows XP with the ATI Radeon AGP graphics cards has been known to freeze (hang) when a Java
application exits. The newer drivers from ATI seem to have fixed this problem. The other workaround is
to run the application with "-Dsun.java2d.noddraw=true". We do this today in the shortcut and shell
scripts we create. For more details refer to:
http://developer.java.sun.com/developer/bugParade/bugs/4713003.html.

What do I do when Fabric Manager and Device Manager icons disappear?


On certain versions of Windows, certain images disappear. This is a Java bug. We have a workaround
that is already in place (disable DirectDraw acceleration) - but there are still cases where this problem
might arise. For more details refer to:
http://developer.java.sun.com/developer/bugParade/bugs/4664818.html.

What do I do when Device Manager or Fabric Manager window content
disappears in Windows XP?
Device Manager or Fabric Manager main window content disappears in Windows XP due to a Java bug.
Refer to the following website:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4919780.
Minimize or maximize the window and restore to the normal size to restore the window content.
Disabling DirectDraw may also prevent this from happening. To do so, add "-Dsun.java2d.noddraw=true"
to JVMARGS in <FM-install-dir>/bin/FabricManager.bat and DeviceManager.bat.

What do I do when SCP/SFTP fails when a file is copied from local machine to
the switch?
If there are embedded spaces in the file path, then Windows scp/sftp might fail. You will get a
copyDeviceBusy error from the switch. In tools such as the License Wizard, either make sure tftp copy
can be done or pick filenames with no spaces.

UNIX Issues

What do I do when the parent menus disappear?


Displaying a submenu may occasionally cause the parent menu to disappear. For more details on this
bug, refer to: http://developer.java.sun.com/developer/bugParade/bugs/4470374.html.

What do I do when the web browser cannot find the web server even though it is running?
This can happen when the web browser uses a proxy server. To check this in Internet Explorer, choose Tools
in the menu, choose Internet Options, choose the Connections subpanel, and then click LAN Settings. In the
dialog box that comes up, verify the proxy setting.

How do I fix a "too many open files" error?


If you are running the JVM (Java Virtual Machine) on Linux and the drive where Java is installed or your
home directory is NFS mounted, there is an open bug against the Sun JDK about errors acquiring file
locks. The symptoms for the Fabric Manager are that launching a Device Manager or saving/opening
files will fail, giving a "too many open files" I/O or socket exception. The JVM keeps trying to open a
file on the NFS mounted drives, fails, and keeps trying to do it until it hits the 1024 file descriptors limit.
Workarounds (assuming /tmp is a local disk - replace it with your tmp area):
System Preferences
Make sure the system level preferences are stored on a local disk. The system preferences are stored
in $JAVA_HOME/.systemPrefs where JAVA_HOME is where you have installed the JDK. If this
directory is NFS mounted, then just do the following:
$ rm -rf "$JAVA_HOME/.systemPrefs"
$ mkdir /tmp/.systemPrefs
$ ln -s /tmp/.systemPrefs "$JAVA_HOME/.systemPrefs"

The problem with this workaround is that you have to make sure /tmp/.systemPrefs exists on every
box where you are using $JAVA_HOME. We recommend installing the JVM as root and on a local
disk.
User Preferences
If your home directory is NFS mounted and you are getting this problem, do the following:
$ rm -rf "$HOME/.java"
$ mkdir "/tmp/.java.$USER"
$ ln -s "/tmp/.java.$USER" "$HOME/.java"

For further details, see the following URLs:


http://developer.java.sun.com/developer/bugParade/bugs/4673298.html
http://developer.java.sun.com/developer/bugParade/bugs/4635353.html
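
The two workarounds above create a predictably named directory under /tmp and link to it. On a multi-user host, mkdir fails if that path already exists, while ln -s still links to whatever is there. The following is an added example (not part of the Cisco guide) that wraps the same steps in a function that checks the target first; the function name relocate_prefs and its two arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): move a Java preferences directory
# off an NFS mount onto local disk, as in the workarounds above, but refuse to
# link to a target path that this user does not own.
#
# Usage: relocate_prefs PREFS_PATH LOCAL_TARGET
#   PREFS_PATH    e.g. "$HOME/.java" or "$JAVA_HOME/.systemPrefs"
#   LOCAL_TARGET  e.g. "/tmp/.java.$USER" (must be on a local disk)
relocate_prefs() {
    rp_prefs=$1
    rp_target=$2

    if [ -z "$rp_prefs" ] || [ -z "$rp_target" ]; then
        echo "usage: relocate_prefs PREFS_PATH LOCAL_TARGET" >&2
        return 2
    fi

    if [ -L "$rp_target" ]; then
        # A symlink planted at the target would redirect the preferences
        # to a location the user did not choose.
        echo "refusing: $rp_target is a symbolic link" >&2
        return 1
    elif [ -e "$rp_target" ]; then
        # Reuse an existing target only if it is a directory we own.
        if [ ! -d "$rp_target" ] || [ ! -O "$rp_target" ]; then
            echo "refusing: $rp_target exists and is not a directory owned by this user" >&2
            return 1
        fi
    else
        # mkdir without -p fails if the path appears in the meantime, and the
        # subshell umask makes the directory private from the moment it exists.
        (umask 077 && mkdir "$rp_target") || return 1
    fi
    chmod 700 "$rp_target" || return 1

    # Remove the old NFS-backed preferences (or a stale link) and link to the
    # local directory, as the original workaround does.
    if [ -L "$rp_prefs" ]; then
        rm -f "$rp_prefs" || return 1
    elif [ -e "$rp_prefs" ]; then
        rm -rf "$rp_prefs" || return 1
    fi
    ln -s "$rp_target" "$rp_prefs"
}
```

If /tmp is cleared on reboot, re-running the function recreates the local directory and relinks it.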

Other

How do I set the map layout so it stays after Fabric Manager is restarted?
If you have arranged the map to your liking and would like to freeze the map so that the objects stay
as they are even after you stop Fabric Manager and restart it again, follow these steps:

Step 1 Right-click in a blank space in the map. You see a menu.


Step 2 Select Layout > Fix All Nodes from the menu.

What do I do when two switches show on the map, but there is only one
switch?
If two switches show on your map, but you only have one switch, it may be that you have two switches
in a non-contiguous VSAN that have the same Domain ID. Fabric Manager uses <vsanId><domainId>
to look up a switch, and this can cause the fabric discovery to assign links incorrectly between these
errant switches.
The workaround is to verify that all switches use unique domain IDs within the same VSAN in a
physically connected fabric. (The fabric configuration checker will do this task.)

What does a red/orange/dotted line through the switch mean?


If a red line shows through your switch, this means Fabric Manager sees something wrong with the
switch. Choose Switches in the Physical Attributes pane to see a status report in the information pane.
A module, fan, or power supply has failed or is offline and plugged in.
If a dotted orange line shows through your switch, this indicates a minor status warning for that switch.
Usually it means an issue with one of the modules. The tooltip should say exactly what is wrong. Hold
the mouse over the switch to see the tooltip.
Below are tables of color settings and tooltip definitions for Fabric Manager and Device Manager.

Table 67-1 Fabric Manager and Device Manager Color Definitions

Fabric Manager Color | Definition
Red Slash | Cannot communicate with a switch via SNMP.
Red X | Cannot communicate with or see a switch in the Domain Manager/Fabric Configuration Server list of fabric switches.
Device Manager Color | Definition
Green Square with Mode (e.g., F, T, TE, U/I for FICON) | Port up.
Orange Square with Mode | Trunk incomplete.
Orange Cross | OLS or NOS received.
Brown Square | Port is administratively down.
Light Gray Square | Port is not manageable.
Red Cross | HardwareFailure/LoopbackDiagFailure/LinkFailure
Red Square | Any other kind of configuration failure.
No Square or Black Square | Port not yet configured.

Table 67-2 Device Manager Tooltip Definitions

Tooltip | Definition
adminDown | The port is administratively down.
bitErrRTThresExceeded | Bit error rate too high.
bundleMisCfg | Misconfiguration in PortChannel membership detected.
channelAdminDown | This port is a member of a PortChannel and that PortChannel is administratively down.
channelConfigurationInProgress | This port is undergoing a PortChannel configuration.
channelOperSuspended | This port is a member of a PortChannel and its operational parameters are incompatible with the PortChannel parameters.
deniedDueToPortBinding | Suspended due to port binding.
domainAddrAssignFailureIsolation | The elected principal switch is not capable of performing domain address manager functions so no Nx_port traffic can be forwarded across switches, hence all Interconnect_Ports in the switch are isolated.
domainInvalidRCFReceived | Invalid RCF received.
domainManagerDisabled | Domain manager is disabled.
domainMaxReTxFailure | Domain manager failure after maximum retries.
domainOtherSideEportIsolation | The peer E port is isolated.
domainOverlapIsolation | There is an overlap in domains while attempting to connect two existing fabrics.
elpFailureClassFParamErr | Isolated for ELP failure due to class F parameter error.
elpFailureClassNParamErr | Isolated for ELP failure due to class N parameter error.
elpFailureInvalidFlowCTLParam | Isolated for ELP failure due to invalid flow control parameter.
elpFailureInvalidPayloadSize | Isolated for ELP failure due to invalid payload size.
elpFailureInvalidPortName | Isolated for ELP failure due to invalid port name.
elpFailureInvalidSwitchName | Isolated for ELP failure due to invalid switch name.
elpFailureInvalidTxBBCredit | Isolated for ELP failure due to invalid transmit B2B credit.
elpFailureIsolation | During a port initialization the prospective Interconnect_Ports find incompatible link parameters.
elpFailureLoopbackDetected | Isolated for ELP failure due to loopback detected.
elpFailureRatovEdtovMismatch | Isolated for ELP failure due to R_A_TOV or E_D_TOV mismatch.
elpFailureRevMismatch | Isolated for ELP failure due to revision mismatch.
elpFailureUnknownFlowCTLCode | Isolated for ELP failure due to invalid flow control code.
ePortProhibited | Port down because FICON prohibit mask in place for E/TE port.
eppFailure | Trunk negotiation protocol failure after maximum retries.
errorDisabled | The port is not operational due to some error conditions that require administrative attention.
escFailureIsolation | During a port initialization the prospective Interconnect_Ports are unable to proceed with initialization as a result of Exchange Switch Capabilities (ESC).
fabricBindingDBMismatch | Fabric binding active database mismatch with peer.
fabricBindingDomainInvalid | Peer domain ID is invalid in fabric binding active database.
fabricBindingNoRspFromPeer | Fabric binding no response from peer.
fabricBindingSWWNNotFound | Peer switch WWN not found in fabric binding active database.
fcipPortAdminCfgChange | FCIP port went down due to configuration change.
fcipPortKeepAliveTimerExpire | FCIP port went down due to TCP keep alive timer expired.
fcipPortMaxReTx | FCIP port went down due to max TCP retransmissions reached the configured limit.
fcipPortPersistTimerExpire | FCIP port went down due to TCP persist timer expired.
fcipPortSrcAdminDown | FCIP port went down because the source Ethernet link was administratively shut down.
fcipPortSrcLinkDown | FCIP port went down due to Ethernet link down.
fcipSrcModuleNotOnline | FCIP port went down due to source module not online.
fcipSrcPortRemoved | FCIP port went down due to source port removal.
fcotChksumErr | SFP SPROM checksum error.
fcotNotPresent | SFP (GBIC) not present.
fcotVendorNotSupported | SFP (GBIC) vendor is not supported.
fcspAuthenfailure | Fibre Channel security protocol authorization failed.
ficonBeingEnabled | FICON is being enabled.
ficonNoPortnumber | No FICON port number.
ficonNotEnabled | FICON not enabled.
ficonVsanDown | FICON VSAN is down.
firstPortNotUp | In an oversubscribed line card, first port cannot be brought up in E mode when the other ports in the group are up.
firstPortUpAsEport | In an oversubscribed line card, when the first port in a group is up in E mode, other ports in that group cannot be brought up.
hwFailure | Hardware failure.
incomAdminRxBBCreditPerBuf | Disabled due to incompatible admin port rxbbcredit, performance buffers.
incompatibleAdminMode | Port admin mode is incompatible with port capabilities.
incompatibleAdminRxBBCredit | Receive BB credit is incompatible.
incompatibleAdminRxBufferSize | Receive buffer size is incompatible.
incompatibleadminSpeed | Port speed is incompatible with port capabilities.
initializing | The port is being initialized.
interfaceRemoved | Interface is being removed.
invalidAttachment | Invalid attachment.
invalidConfig | This port has a misconfiguration with respect to port channels.
invalidFabricBindExh | Invalid fabric binding exchange.
linkFailCreditLoss | Link failure due to excessive credit loss indications.
linkFailCreditLossB2B | Link failure when link reset (LR) operation fails due to queue not empty.
linkFailDebounceTimeout | Link failure due to re-negotiation failed.
linkFailLineCardPortShutdown | Link failure due to port shutdown.
linkFailLinkReset | Link failure due to link reset.
linkFailLIPF8Rcvd | Link failure due to F8 LIP received.
linkFailLIPRcvdB2B | Link failure when loop initialization (LIP) operation fails due to non-empty receive queue.
linkFailLossOfSignal | Link failure due to loss of signal.
linkFailLossOfSync | Link failure due to loss of sync.
linkFailLRRcvdB2B | Link failure when link reset (LR) operation fails due to non-empty receive queue.
linkFailNOSRcvd | Link failure due to non-operational sequences received.
linkFailOLSRcvd | Link failure due to offline sequences received.
linkFailOPNyRETB2B | Link failure due to open primitive signal returned while receive queue not empty.
linkFailOPNyTMOB2B | Link failure due to open primitive signal timeout while receive queue not empty.
linkFailPortInitFail | Link failure due to port initialization failure.
linkFailPortUnusable | Link failure due to port unusable.
linkFailRxQOverFlow | Link failure due to receive queue overflow.
linkFailTooManyINTR | Link failure due to excessive port interrupts.
linkFailure | Physical link failure.
loopbackDiagFailure | Loopback diagnostics failure.
loopbackIsolation | Port is connected to another port in the same switch.
noCommonVsanIsolation | Trunk is isolated because there are no common VSANs with peer.
none | No failure.
nonParticipating | During loop initialization, the port is not allowed to participate in loop operations.
offline | Physical link is in offline state as defined in the FC-FS standards.
ohmsExtLBTest | Link suspended due to external loopback diagnostics failure.
other | Undefined reason.
parentDown | The physical port to which this interface is bound is down.
peerFCIPPortClosedConnection | Port went down because peer FCIP port closed TCP connection.
peerFCIPPortResetConnection | Port went down because the TCP connection was reset by the peer FCIP port.
portBindFailure | Port got isolated due to port bind failure.
portBlocked | Port blocked due to FICON.
portChannelMembersDown | No operational members.
portFabricBindFailure | Port isolated due to fabric bind failure.
portGracefulShutdown | Port shutdown gracefully.
portVsanMismatchIsolation | An attempt is made to connect two switches using non-trunking ports having different port VSANs.
rcfInProgres | An isolated xE_port is transmitting a reconfigure fabric, requesting a disruptive reconfiguration in an attempt to build a single, non-isolated fabric. Only the Interconnect_Ports can become isolated.
srcPortNotBound | No source port is specified for this interface.
suspendedByMode | Port that belongs to a port channel is suspended due to incompatible operational mode.
suspendedBySpeed | Port that belongs to a port channel is suspended due to incompatible operational speed.
suspendedByWWN | Port that belongs to a port channel is suspended due to incompatible remote switch WWN.
swFailure | Software failure.
tooManyInvalidFLOGIs | Suspended due to too many invalid FLOGIs.
tovMismatch | Link isolation due to TOV mismatch.
trunkNotFullyActive | Some of the VSANs which are common with the peer are not up.
upgradeInProgress | Line card upgrade in progress.
vsanInactive | Port VSAN is inactive. The port becomes operational again when the port VSAN is active.
vsanMismatchIsolation | This VSAN is not configured on both sides of a trunk port.
zoneMergeFailureIsolation | The two Interconnect_Ports cannot merge zoning configuration after having exchanged merging request for zoning.
zoneRemoteNoRespIsolation | Isolation due to remote zone server not responding.

How do I upgrade without losing map settings?


When you upgrade from one version of Fabric Manager to another, there is a way to prevent the loss of
map settings (enclosure names, placement on the map, etc.).
The MDS 9000/db directory contains subfolders for each user (and one for fmserver). In these subfolders
are files for all discovered fabrics (*.dat) and maps (*.map). These are upgradable between versions. If
you need to clear the fabric cache, you should first export the enclosures to a file to avoid losing them.
Everything else aside from enclosures and map coordinates is stored on the switch. The preferences,
last opened, and site_ouis.txt format doesn't change from release to release.

How do I preserve historical data when moving Fabric Manager Server to a new
host?
To preserve your data when moving Fabric Manager Server to a new host, follow these steps:

Step 1 Export the enclosures to a file.


Step 2 Reinstall Fabric Manager (if you are installing on a new host, install Fabric Manager).
Step 3 After the installation is complete, stop Fabric Manager Server.
Step 4 Copy the RRD files from the old host to the new host. Place them in the MDS 9000 directory (on a Windows
PC, the default installation location for this directory is C:\Program Files\Cisco Systems\DCM).
Step 5 On the new host, run PMUpgrade.bat from the MDS 9000\bin folder. This creates files and a new
directory structure. There is a directory for each switch for which you have collected data.
Step 6 Continue to collect data on a specific switch by copying the db subfolder from that switch's folder to the
pm folder.
Step 7 On the new host, restart the Performance Manager Service (Windows) or Daemon (UNIX). You can use
the bin/PM.bat file to do this, or you can choose Performance > Collector > Restart from the Fabric
Manager menu.
Step 8 Re-import the enclosures on the new host.
Step 9 Be sure to turn off the original service on the old host.

Are there restrictions when using Fabric Manager across FCIP?


Fabric Manager will work with no restriction across an FCIP tunnel, as long as the tunnel is up. However,
Fabric Manager cannot automatically discover a Cisco SN5428 mgmt IP address in the fabric. For that
switch, it will display a red slash through an FCIP device because of a timeout error. It will still see all
targets, initiators, and ISLs attached to a Cisco SN5428 (or any other switch) as long as they appear in
the name server or FSPF.
To work around this, you can manually enter the IP address in the Switches table, and click Apply. If the
community string is correct, the red slash will go away. Even if the community string is incorrect,
double-clicking on the Cisco SN5428 will launch the web tool.

How do I fix a "Please insure that FM server is running on localhost" message?


You may see this error message if you cannot connect to the fabric and your PC has multiple network
interface cards. The problem may be that Fabric Manager is trying to communicate through the wrong
interface (you can verify this by checking the FMServer.log file).
Generally it is best to let Fabric Manager choose the interface on startup. If you are getting the above
error, something may have gone wrong.
To reset Fabric Manager so that it chooses the interface next time it starts, follow these steps:

Step 1 Open the server.properties file in the Fabric Manager installation directory. On a Windows platform, this
file is in C:\Program Files\Cisco Systems\MDS 9000 by default.
Step 2 Comment out the line: snmp.localaddress.
Step 3 Save and exit the file.
Step 4 Restart Fabric Manager.

Note There are some cases where you would not want to do this, and should manually select the interface that
Fabric Manager uses. For more information, see the "How do I run Cisco Fabric Manager with multiple
interfaces?" section.

How do I run Cisco Fabric Manager with multiple interfaces?


If your PC has multiple interfaces (NICs), the four Cisco Fabric Manager applications detect these
interfaces automatically (ignoring loopback interfaces). Fabric Manager Client and Device Manager
detect all interfaces on your PC each time you launch them, and allow you to select one. Fabric Manager
Server and Performance Manager detect interfaces on initial install, and allow you to select one. You are not
prompted again to choose an interface with these two applications.
There may be circumstances where you will want to change the interface you are using. For example:
- If you add an interface after you have installed Fabric Manager Server and/or Performance Manager
- If you decide to use a different interface than the one you initially selected
- If for any reason one of the Cisco Fabric Manager applications did not detect multiple interfaces
Refer to the following sections, depending on which application you want to recognize the interface:
- Manually specifying an interface for Fabric Manager Server
- Manually specifying an interface for Fabric Manager Client or Device Manager

Manually specifying an interface for Fabric Manager Server


To specify an interface for Fabric Manager Server (including Performance Manager and Fabric Manager
Web Services), follow these steps:

Step 1 Go to the MDS 9000 folder. On a Windows platform, this folder is at C:\Program Files\Cisco
Systems\MDS 9000 by default.

Step 2 Edit the server.properties file with a text editor.


Step 3 Scroll until you find the line: snmp.localaddress.
Step 4 If the line is commented, remove the comment character.
Step 5 Set the local address value to the IP address or interface name of the NIC you want to use.
Step 6 Save the file.
Step 7 Stop and restart Fabric Manager Server.

Manually specifying an interface for Fabric Manager Client or Device Manager


To specify an interface for the Fabric Manager Client or Device Manager, follow these steps:

Step 1 Go to the MDS 9000/bin folder. On a Windows platform, this folder is at C:\Program Files\Cisco
Systems\MDS 9000 by default.
Step 2 Edit the DeviceManager.bat file or the FabricManager.bat file.
Step 3 Scroll to the line that begins with set JVMARGS=
Step 4 Add the parameter -Dmds.nmsaddress=ADDRESS, where ADDRESS is the IP address or
interface name of the NIC you want to use.
Step 5 Save the file and relaunch Fabric Manager Client or Device Manager.

How do I configure an HTTP proxy server?


If your network uses a proxy server for HTTP requests, make sure the Java Web Start Application
Manager is properly configured with the IP address of your proxy server.
To configure a proxy server in the Java Web Start Application Manager, follow these steps:

Step 1 Launch the Java Web Start application.


Step 2 Choose File > Preferences from the Java Web Start Application Manager.
Step 3 Choose the Manual radio button and enter the IP address of the proxy server in the HTTP Proxy field.
Step 4 Enter the HTTP port number used by your proxy service in the HTTP Port field.
Step 5 Click OK.

How do I clear the topology map?


If you have a switch that you have removed from the fabric, there will be a red X through the switch's
icon. You can clear this information from the Fabric Manager client, or from the Fabric Manager server
(which will clear the information for all clients) without having to reboot the switch.
To clear information from topology maps using Fabric Manager, follow these steps:

Step 1 Click the Refresh Map icon in the Fabric pane.


This clears the information from the client.
Step 2 Click Purge Down Elements in the Server menu.
This clears the information from the server.

Caution Any devices not currently accessible (may be offline) are purged.

How can I use Fabric Manager in a mixed software environment?


You can use Fabric Manager version 2.0(x) to manage a mixed fabric of Cisco MDS 9000 switches.
Certain 2.0 feature tabs will be empty for any switches running a software version that does not support
those features.

How do I fix a "corrupted jar file" error when launching Fabric Manager?
If you get the following error:
An error occurred while launching the application Fabric Manager.

download error:corrupted jar file at <ipaddress>\dmboot.jar

(Where <ipaddress> is that of the switch)

This error message indicates that the Java Web Start cache is corrupted. Try clearing your Java Web
Start cache first. To clear the cache, either run Java Web Start (from the Programs menu) and select
clear cache under the preferences, or do it manually by first making sure all Fabric Manager or Device
Manager instances are closed and then deleting .javaws/cache. In the newer JREs this directory is created
under Documents and Settings\USERNAME, and in the older ones it used to be under
Program Files\Java Web Start.
You can also browse beneath the cache folder and delete the offending IPAddress folder (for example,
cache/http/D10.0.0.1).
Also, check that the host is not running a virus checker or Java blocker.
You can also run the uninstall program, delete the .cisco_mds directory, and then reinstall Fabric
Manager.

How do I search for devices in a fabric?


In Fabric Manager, you can search for one or more devices by different attributes, including pWWN.
To perform a search in Fabric Manager, follow these steps:

Step 1 Right-click the map and choose Find Elements from the drop-down menu.

You see the Find Fabric dialog box as shown in Figure 67-1.
Step 2 Choose End Device from the left drop-down list.
Step 3 Choose Port WWN from the right drop-down list.
You can also enter only part of the WWN and use a wildcard (*) character (for example, you can enter
*fb*f8).

Figure 67-1 Find Fabric Dialog Box with End Device and Port WWN Selected

Step 4 Click Find in Map.


To search for devices in a zone, click Find in Zones. You see the device highlighted in the Fabric pane.
Right-click any device to see the attributes for that device. You can also select a link leading to a device
to see the attributes for the link.

How do I search in a table?


In Fabric Manager, you can search for devices having one or more attributes. You can enter a search
string in the Find dialog box and then use Next and Previous buttons to navigate through the results.
To perform a search inside a table in Fabric Manager, follow these steps:

Step 1 Click the Find icon from the tool bar.


You see the Find dialog box as shown in Figure 67-2.

Figure 67-2 Find Dialog Box

Step 2 Enter the search string in the Find text box.


Step 3 Click Selection to search in selected row(s).
Step 4 Check Ignore Case to ignore case sensitivity.
Step 5 Check Exact Match to search for the data value exactly matching the search string.
Step 6 Click Next to search.
Step 7 Click Cancel to close the dialog box.

How does Fabric Manager Server licensing work?


You must install a Cisco MDS 9000 Family Cisco Fabric Manager Server package on at least one switch
in each fabric where you intend to manage switches, if you intend to use the enhanced management
capabilities the license package provides. You must also license all switches you plan to monitor with
the Performance Manager (historical performance monitoring) feature. Failure to license all switches
can prevent effective use of the Flow performance monitoring, so it is recommended to license all
switches in each fabric managed by Cisco Fabric Manager Server.
You are free to try Cisco Fabric Manager Server capabilities prior to installing a license, but those
extended functions will stop working after the 120-day grace period expires. Standard Cisco Fabric
Manager configuration and management capabilities will continue to be accessible without any licensed
switches after the grace period expires.

How do I manage multiple fabrics?


To monitor and manage multiple fabrics, you must persist one or more fabrics. Do this by checking the
Persist checkbox on the Server>Admin dialog Fabric tab. You must also use switches running SAN-OS
Release 1.3.x or later in both fabrics, and you must use the same user/password on both fabrics. The two
fabrics must not be physically connected to each other.

How can I clear an orange X through a switch caused by license expiration?


If you are using a licensed feature and that license is allowed to expire, Fabric Manager shows a license
violation, and an orange X is placed through the switch on the Fabric Manager map.

To clear the license violation message and the orange X, stop the Cisco Fabric Manager service on the
host, and restart it again.

CHAPTER 68
Monitoring System Processes and Logs

This chapter provides details on monitoring the health of the switch. It includes the following sections:
Displaying System Processes
Displaying System Status
Core and Log Files
Online System Health Management
Default Settings

Displaying System Processes


To obtain general information about all processes using Device Manager, follow these steps:

Step 1 Choose Admin > Running Processes.


You see the Running Processes dialog box shown in Figure 68-1.

Figure 68-1 Running Processes Dialog Box

Where:
ProcessId = Process ID
Name = Name of the process
MemAllocated = Sum of all the dynamically allocated memory that this process has received from
the system, including memory that may have been returned
CPU Time (ms) = CPU time the process has used, in microseconds
Step 2 Click Close to close the dialog box.

Displaying System Status


To display system status from Device Manager, follow these steps:

Step 1 Choose Physical > System.


You see the System dialog box shown in Figure 68-2.

Figure 68-2 System Dialog Box

Step 2 Click Close to close the dialog box.

Core and Log Files


This section contains the following topics:
Displaying Core Status
Clearing the Core Directory
For information on copying core and log files, refer to the Cisco MDS 9000 Family CLI Configuration
Guide.

Displaying Core Status

Note Be sure SSH2 is enabled on this switch.

To display cores on a switch using Device Manager, follow these steps:

Step 1 Choose Admin > Show Cores.


You see the Show Cores dialog box shown in Figure 68-3.

Figure 68-3 Show Cores Dialog Box

Module-num shows the slot number on which the core was generated. In this example, the fspf core was
generated on the active supervisor module (slot 5), fcc was generated on the standby supervisor module
(slot 6), and acltcam and fib were generated on the switching module (slot 8).
Step 2 Click Close to close the dialog box.

Clearing the Core Directory

Note Be sure SSH2 is enabled on this switch.

To clear the cores on a switch using Device Manager, follow these steps:

Step 1 Click Clear to clear the cores.


The software keeps the last few cores per service and per slot and clears all other cores present on the
active supervisor module.
Step 2 Click Close to close the dialog box.

First and Last Core


The first and last core feature works within limited system resources by retaining the most important core
files. Generally, the first core and the most recently generated core contain the information needed for
debugging, so the feature tries to retain the first and the last core.
If the core files are generated from the active supervisor module, the number of core files for the service is
defined in the service.conf file. There is no upper limit on the total number of core files in the active
supervisor module.

To display the core files saved in the system, use the show cores command:

First and Last Core Verification


You can view specific information about the saved core files. Example 68-1 provides further details on
saved core files.

Example 68-1 Regular Service on vdc 2 on Active Supervisor Module

For example, there are five radius core files from vdc2 on the active supervisor module. The second and
third oldest files get deleted to comply with the number of core files defined in the service.conf file.
switch# show cores vdc vdc2

VDC No Module-num Process-name PID  Core-create-time
------ ---------- ------------ ---  ----------------
2      5          radius       6100 Jan 29 01:47
2      5          radius       6101 Jan 29 01:55
2      5          radius       6102 Jan 29 01:55
2      5          radius       6103 Jan 29 01:55
2      5          radius       6104 Jan 29 01:57

switch# show cores vdc vdc2

VDC No Module-num Process-name PID  Core-create-time
------ ---------- ------------ ---  ----------------
2      5          radius       6100 Jan 29 01:47
2      5          radius       6103 Jan 29 01:55
2      5          radius       6104 Jan 29 01:57
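
The retention shown in Example 68-1 can be modeled as follows. This is an added example, not Cisco code: it parses the first listing and keeps the oldest core plus the newest ones for each VDC, module and service. The limit of 3 and the "oldest plus newest" rule are assumptions inferred from the two listings (the real limit comes from service.conf), and the function names are hypothetical.

```python
"""Added example: model of first-and-last core retention using Example 68-1."""
import re
from collections import defaultdict

# Constructed input: the "before" listing from Example 68-1 on this page.
SHOW_CORES_BEFORE = """\
VDC No Module-num Process-name PID  Core-create-time
------ ---------- ------------ ---  ----------------
2      5          radius       6100 Jan 29 01:47
2      5          radius       6101 Jan 29 01:55
2      5          radius       6102 Jan 29 01:55
2      5          radius       6103 Jan 29 01:55
2      5          radius       6104 Jan 29 01:57
"""

MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# One data row: VDC, module, process name, PID, then "Mon DD HH:MM".
ROW = re.compile(
    r"^\s*(?P<vdc>\d+)\s+(?P<module>\d+)\s+(?P<process>\S+)\s+(?P<pid>\d+)\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hh>\d{2}):(?P<mm>\d{2})\s*$")


def parse_show_cores(text):
    """Return one dict per core row; header and separator lines are skipped."""
    cores = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match is None or match["mon"] not in MONTHS:
            continue
        cores.append({
            "vdc": int(match["vdc"]),
            "module": int(match["module"]),
            "process": match["process"],
            "pid": int(match["pid"]),
            # The listing carries no year, so ordering is only valid within a year.
            "created": (MONTHS[match["mon"]], int(match["day"]),
                        int(match["hh"]), int(match["mm"])),
            # Listing position breaks ties between cores created in the same minute.
            "order": len(cores),
        })
    return cores


def first_last_retention(cores, limit):
    """Split cores into (kept, deleted) per (vdc, module, process).

    Assumed rule: keep the oldest core and the newest (limit - 1) cores.
    """
    if limit < 2:
        raise ValueError("limit must be at least 2 to keep a first and a last core")
    groups = defaultdict(list)
    for core in cores:
        groups[(core["vdc"], core["module"], core["process"])].append(core)
    kept, deleted = [], []
    for items in groups.values():
        items.sort(key=lambda core: (core["created"], core["order"]))
        if len(items) <= limit:
            kept.extend(items)
            continue
        cut = len(items) - (limit - 1)
        kept.append(items[0])          # first core
        deleted.extend(items[1:cut])   # middle cores are the ones removed
        kept.extend(items[cut:])       # most recent cores
    return kept, deleted


if __name__ == "__main__":
    kept, deleted = first_last_retention(parse_show_cores(SHOW_CORES_BEFORE), limit=3)
    print("kept   :", [core["pid"] for core in kept])
    print("deleted:", [core["pid"] for core in deleted])
```

When triaging a crash, this is why the surviving cores for a service are not a contiguous run: the middle cores are the ones that go missing.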

Online System Health Management


The Online Health Management System (system health) is a hardware fault detection and recovery
feature. It ensures the general health of switching, services, and supervisor modules in any switch in the
Cisco MDS 9000 Family.

Note For information on most Online Health Management System procedures, refer to the Cisco MDS 9000
Family CLI Configuration Guide.

This section includes the following topics:


About Online System Health Management
Performing Internal Loopback Tests
Performing External Loopback Tests

About Online System Health Management


The Online Health Management System (OHMS) is a hardware fault detection and recovery feature. It
runs on all Cisco MDS switching, services, and supervisor modules and ensures the general health of
any switch in the Cisco MDS 9000 Family. The OHMS monitors system hardware in the following ways:
The OHMS component running on the active supervisor maintains control over all other OHMS
components running on the other modules in the switch.
The system health application running in the standby supervisor module only monitors the standby
supervisor module, if that module is available in the HA standby mode. See the HA Switchover
Characteristics section on page 17-2.
The OHMS application launches a daemon process in all modules and runs multiple tests on each module
to test individual module components. The tests run at preconfigured intervals, cover all major fault
points, and isolate any failing component in the MDS switch. The OHMS running on the active
supervisor maintains control over all other OHMS components running on all other modules in the
switch.
On detecting a fault, the system health application attempts the following recovery actions:
Performs additional testing to isolate the faulty component
Attempts to reconfigure the component by retrieving its configuration information from persistent
storage.
If unable to recover, sends Call Home notifications, system messages and exception logs; and shuts
down and discontinues testing the failed module or component (such as an interface)
Sends Call Home and system messages and exception logs as soon as it detects a failure.
Shuts down the failing module or component (such as an interface).
Isolates failed ports from further testing.
Reports the failure to the appropriate software component.
Switches to the standby supervisor module, if an error is detected on the active supervisor module
and a standby supervisor module exists in the Cisco MDS switch. After the switchover, the new
active supervisor module restarts the active supervisor tests.
Reloads the switch if a standby supervisor module does not exist in the switch.
Provides CLI support to view, test, and obtain test run statistics or change the system health test
configuration on the switch.
Performs tests to focus on the problem area.
Each module is configured to run the test relevant to that module. You can change the default parameters
of the test in each module as required.

Performing Internal Loopback Tests


You can run manual loopback tests to identify hardware errors in the data path in the switching or
services modules, and the control path in the supervisor modules. Internal loopback tests send and
receive FC2 frames to/from the same ports and provide the round trip time taken in microseconds. These
tests are available for Fibre Channel, IPS, and iSCSI interfaces.
Choose Interface > Diagnostics > Internal to perform an internal loopback test from Device Manager.

Performing External Loopback Tests


You can run manual loopback tests to identify hardware errors in the data path in the switching or
services modules, and the control path in the supervisor modules. External loopback tests send and
receive FC2 frames to/from the same port or between two ports.
You need to connect a cable (or a plug) to loop the Rx port to the Tx port before running the test. If you
are testing to/from the same port, you need a special loop cable. If you are testing to/from different ports,
you can use a regular cable. This test is only available for Fibre Channel interfaces.
Choose Interface > Diagnostics > External to perform an external loopback test from Device Manager.

Default Settings
Table 68-1 lists the default system health and log settings.

Table 68-1 Default System Health and Log Settings

Parameters               Default
Kernel core generation   One module.
System health            Enabled.
Loopback frequency       5 seconds.
Failure action           Enabled.

CHAPTER 69
Fabric Manager Web Services

This chapter describes the Fabric Manager Web Services (FMWS) application program interface (API).
This chapter includes the following sections:
About Fabric Manager Web Services
Web Services Specifications
Logon Service
San Service
Service Endpoint Interface (SEI)
Methods
Error Codes

About Fabric Manager Web Services


The Cisco Fabric Manager Web Services (FMWS) enables third-party vendors to access Fabric Manager
core software functionalities as remote procedure calls. Web Services extend the World Wide Web
infrastructure to provide a method for software to connect to other software applications. Applications
access Web Services using many protocols and data formats such as HTTP, HTTPS, XML, and SOAP.
Web Services combine the best aspects of component-based development and the web. Web Services
make Fabric Manager an enterprise class application, allowing it to be interoperable with other software
platforms.
This chapter defines the APIs exposed by the Fabric Manager Web Services feature.

Web Services Specifications


Web Services specifications combine to provide interoperable protocols for security,
communication, and syntax for representing data.

XML
XML is the data format that defines the structure of the message. XML Web Services architecture allows
programs written in different languages on different platforms to communicate with each other in a
standards-based way. XML Web Services expose useful functionality to Web users through a standard
Web protocol (SOAP).

SOAP
Simple Object Access Protocol (SOAP) is the communications protocol for Web Services. SOAP is a
specification that defines the XML format for messages. The advantage of SOAP is that it has been
implemented on many different hardware and software platforms.

HTTP/HTTPS
HTTP/HTTPS is the transport layer of the service. HTTP/HTTPS allows data to traverse the network
easily and is widely accepted. It is also considered platform neutral. Every Fabric Manager Web
Services operation is performed over HTTP/HTTPS.

WSDL
A WSDL definition is an XML document with a root definitions element from the
http://schemas.xmlsoap.org/wsdl/ namespace. Fabric Manager Web Services uses the WSDL document
to publish which operations of Fabric Manager are available. The definitions element may contain
several other elements including types, message, portType, binding, and service, all of which come from
the namespace. WSDL is published on FMServer at http://localhost/LogonWSService/LogonWS?wsdl

Logon Service
LogonWS makes IdentityManager's operations available as Web Service calls. LogonWS allows the
following operations:

requestToken
This method returns a token string that must be passed in as the header of the SOAP message. Once the
username and password are authenticated using Fabric Manager's SecurityManager, the token is
generated and is kept valid for the number of milliseconds specified in the expiration argument.

Parameters
username - Name of the user.
password - Password of the user.
expiration - Time (in milliseconds).

Return Value
Session token.

Error
Error code: 201 Invalid argument in Web Service exception.

validateToken
This method returns true or false depending on the validity of the token. If the token has expired, it
returns false, or else it returns true.

Parameters
token - Session token.

Return Value
Boolean value True if the Fabric Manager accepts the token.

Error
Error code: 201 Invalid argument in Web Service exception.

Authentication or Token
To interact with Fabric Manager Web Services, the user must obtain a token through LogonWS and
attach this token to the header message of every SOAP request. Fabric Manager Web Services verifies
user credentials using a unique token string that is administered by LogonWS. HTTPS should be
deployed at all times to secure the communication channel. The following example displays the
format of the header message:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
    <m:Token xmlns:m="http://www.w3schools.com/transaction/">
      token string is put here
    </m:Token>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <getFabrics xmlns="http://ep.jaxws.dcbu.cisco.com/"/>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
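
A client-side sketch of the header format above, as an added example that is not part of the Cisco guide or the FMWS code. It builds the envelope for a no-argument SanWS operation with the token escaped by the XML serializer, refuses non-HTTPS endpoints, tracks token lifetime against the expiration passed to requestToken, and maps the error codes listed in this chapter. The function names, the "fm" prefix, the 5-second margin and the host name are assumptions.

```python
"""Added example: FMWS request envelope with the session token in the SOAP header."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces exactly as they appear in the header example on this page.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
TOKEN_NS = "http://www.w3schools.com/transaction/"
SAN_NS = "http://ep.jaxws.dcbu.cisco.com/"

# Prefixes only affect serialization. "fm" is an assumption: the page uses a
# default namespace on the operation element, which is equivalent XML.
ET.register_namespace("SOAP-ENV", SOAP_ENV)
ET.register_namespace("m", TOKEN_NS)
ET.register_namespace("fm", SAN_NS)

# Codes from the Error Codes table, plus 302 from the method listings.
ERROR_CODES = {
    100: "Authentication failure",
    101: "Invalid credential",
    102: "Invalid privilege",
    103: "Invalid token",
    200: "Web Service error",
    201: "Invalid argument in Web Service function",
    202: "Unreachable Web Service server",
    300: "SAN service error",
    301: "Invalid query key in SAN service",
    302: "SAN did not find objects by query key",
}
FAMILIES = {1: "authentication", 2: "web-service", 3: "san-service"}

_OPERATION = re.compile(r"[A-Za-z][A-Za-z0-9]*\Z")


def require_https(endpoint):
    """Reject endpoints that would carry the token or credentials in clear text."""
    parts = urlsplit(endpoint)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("FMWS endpoint must be an https:// URL: %r" % endpoint)
    return endpoint


def build_request(token, operation):
    """Return the SOAP envelope (bytes) for a no-argument SanWS operation."""
    if not token or not token.strip():
        raise ValueError("a session token from requestToken is required")
    if not _OPERATION.match(operation):
        raise ValueError("operation must be a plain method name")
    envelope = ET.Element("{%s}Envelope" % SOAP_ENV)
    header = ET.SubElement(envelope, "{%s}Header" % SOAP_ENV)
    # Setting .text lets the serializer escape <, > and &, so a token value
    # cannot close the Token element or add elements to the header.
    ET.SubElement(header, "{%s}Token" % TOKEN_NS).text = token
    body = ET.SubElement(envelope, "{%s}Body" % SOAP_ENV)
    ET.SubElement(body, "{%s}%s" % (SAN_NS, operation))
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def token_usable(issued_at_s, expiration_ms, now_s, margin_ms=5000):
    """True while the token is inside its lifetime, less a safety margin.

    expiration_ms is the value passed to requestToken; the margin is an
    assumption so that a request is not sent with a token about to expire.
    """
    age_ms = (now_s - issued_at_s) * 1000.0
    return 0 <= age_ms < expiration_ms - margin_ms


def describe_error(code):
    """Map a numeric FMWS error code to (family, description)."""
    return FAMILIES.get(code // 100, "unknown"), ERROR_CODES.get(code, "unlisted error code")


def read_token(envelope_bytes):
    """Parse an envelope built here and return the header token."""
    root = ET.fromstring(envelope_bytes)
    node = root.find("{%s}Header/{%s}Token" % (SOAP_ENV, TOKEN_NS))
    return None if node is None else node.text


if __name__ == "__main__":
    # Constructed values: placeholder host and token.
    require_https("https://fms.example.invalid/LogonWSService/LogonWS")
    print(build_request("constructed-token-value", "getFabrics").decode("utf-8"))
    print(describe_error(103))
```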

IdentityManager
IdentityManager provides identity services and manages the user credentials that are required by Web
Services. It is the token provider that administers and maintains tokens. It authenticates the user,
generates tokens, and validates or expires tokens by periodically checking and clearing the cache.

San Service
San Service is an Enterprise Java Beans (EJB) component that manages SAN-related service requests
and executes queries on Fabric Manager for information. SanWS checks with IdentityManager for
authentication before performing the request. A valid token string tells San Service that the user is a
Fabric Manager user and it must honor and execute the request. After retrieving the required information
it sends the result back to the user. SanWS logs errors in fms_ws.log.

Service Endpoint Interface (SEI)


Service endpoint interface (SEI) of SanWS defines the operations of the service. These methods are
published to the end users.

Methods

getFabrics
Returns the list of all open fabrics.

Return Value
An array of open fabrics.

Error
Error Code: 300 General SAN Service exception.

getFabricByIP
Returns the list of fabrics associated with the IP address of a given switch.

Parameters
ipAddress - IP address of the switch.

Return Value
List of all fabrics associated with the specific IP address.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getFabricByKey
Returns the list of fabrics associated with the specified key.

Parameters
key - Key of the fabric.

Return Value
List of all fabrics associated with the specified key.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getFabricBySwitchKey
Returns the list of fabrics associated with the specified seed switch key (WWN).

Parameters
swkey - Seed switch key of the fabric.

Return Value
List of all fabrics associated with the specified seed switch key.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getSwitchesByFabric
Returns the list of switches associated with the specified fabric key.

Parameters
key - Key of the fabric.

Return Value
List of all fabrics associated with the specified fabric key.

Error
Error Code: 300 General SAN Service exception.

getSwitch
Returns the list of switches on all the fabrics.

Parameters
key - Key of the fabric.

Return Value
List of all fabrics associated with the specified fabric key.

Error
Error Code: 300 General SAN Service exception.

getSwitchByKey
Returns the switch associated with the specified switch key object.

Parameters
key - Key of the fabric.

Return Value
Switch associated with the specified switch key.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getSwitchIPByName
Returns the IP address associated with the specified system name or switch name.

Parameters
sysname - Name of the system or switch.

Return Value
IP address associated with the specified system name.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getSwitchIPByKey
Returns the IP address of the switch associated with the specified WwnKey object.

Parameters
key - WWN Key object.

Return Value
IP address associated with the specified WwnKey object.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getNeighborSwitches
Returns the list of neighboring switches associated with the specified WwnKey.

Parameters
key - Wwn Key object.

Return Value
List of neighboring switches associated with the specified WwnKey.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.
Error code: 302 SAN does not find objects by query key exception.

getVsans
Returns the list of VSANs in the fabric associated with the specified fabric key.

Parameters
key - Fabric key object.

Return Value
List of VSANs in the fabric associated with the specified fabric key.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getVsan
Returns the VSAN in the fabric associated with the specified VSAN key object.

Parameters
key - VSAN key object.

Return Value
VSANs in the fabric associated with the specified VSAN key object.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getIsls
Returns the list of ISLs in the VSAN associated with the specified VSAN key.

Parameters
key - VSAN key.

Return Value
Array of ISL objects in the VSAN associated with the specified VSAN key.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

discoverFabric
This API will open the fabric. This function requires the IP address of the seed switch and SNMP
credentials.

Parameters
seed - IP address of the seed switch.
user - SNMP Credential.

Return Value
Boolean value is True, if the discovery was successful.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.
Error Code: 100 Authentication failure exception.
Error code: 101 Invalid credentials exception.

manageFabric
Returns true or false depending on the manageability of the fabric.

Parameters
key - Fabric key.

Return Value
Returns true if the fabric can be identified or managed. Returns false if the fabric cannot be identified or
managed.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

unManageFabric
This function is used to unmanage a fabric.

Parameters
key - Fabric key.

Return Value
None.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

closeFabric
This function is used to unmanage and close a fabric.

Parameters
key - Fabric key.

Return Value
None.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

purgeFabric
This function is used to purge the specified fabric data from both the Fabric Manager cache and the database.

Parameters
key - Fabric key.

Return Value
None.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.
Error code: 302 SAN does not find objects by query key exception.

getEndports
Returns the list of all the end ports known to the Fabric Manager.

Return Value
An array of all the end ports.

Error
Error Code: 300 General SAN Service exception.

getEnclosures
Returns the list of all the enclosures known to the Fabric Manager.

Return Value
An array of enclosure objects.

Error
Error Code: 300 General SAN Service exception.

getEndPortByFWwn
Returns the end port based on FPort WWN.

Parameters
wwn - WWN of the FPort.

Return Value
Returns an array of end ports based on FPort WWN. Returns null if there are no end ports associated with
the FPort.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getEndPortByKey
Returns the end port based on Switch WWN.

Parameters
key - WWN of the node.

Return Value
Returns the end port based on Switch WWN. Returns null if there are no end ports associated with the
Switch.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getEndPortAttachedToSw
Returns the end ports that are associated with a switch.

Parameters
key - IP address of the switch.

Return Value
Returns the end ports based on switch.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getEnclosureByName
Returns the enclosure based on the name.

Parameters
name - Name of the enclosure object.

Return Value
Returns the enclosure object.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getEnclosureByKey
Returns the enclosure based on the name.

Parameters
name - Name of the enclosure object.

Return Value
Returns the enclosure object.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getEnclosureByPWwn
Returns the enclosure that is associated with a physical WWN.

Parameters
wwn - Physical WWN of the switch.

Return Value
Returns the enclosure based on physical WWN.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

updateEnclosure
Updates the enclosure with the value that is passed as a parameter.

Parameters
value - Value to update the enclosure.

Return Value
None.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

updateEndportEnclosure
Updates the end port enclosure with the value that is passed as a parameter.

Parameters
endportKey - Value for the endportKey.
enclosureKey - Value for the enclosureKey.

Return Value
None.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getHosts
Returns the list of all the host enclosures known to Fabric Manager.

Return Value
Returns the list of all the host enclosures known to Fabric Manager.

Error
Error Code: 300 General SAN Service exception.

getHost
Returns the name of hosts in a VSAN.

Parameters
key - Name of the VSAN.

Return Value
Returns the name of the hosts in the specified VSAN.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getHostByFabric
Returns the name of hosts in a fabric.
ValidationException is thrown if any of the following situation occurs:
If the argument passed is null.
If the argument does not contain a valid key.

Parameters
key - Name of the fabric.

Return Value
Returns the name of the hosts in the specified VSAN.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getStorages
Returns the list of all the storage device enclosures known to Fabric Manager.

Return Value
An array of all the storage device enclosures known to Fabric Manager.

Error
Error Code: 300 General SAN Service exception.

getStorageByFabric
Returns the name of storage device enclosures in a fabric.

Parameters
key - Name of the fabric.

Return Value
Returns the name of the storages in the specified fabric.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

getHostPorts
Returns the list of all the host end ports in a fabric.

Parameters
key - Name of the fabric.

Return Value
An array of all the host ports in a fabric.

Error
Error Code: 300 General SAN Service exception.
Error code: 201 Invalid argument in Web Service exception.

Error Codes

| Error Code | Description |
|---|---|
| 100 | Authentication failure. |
| 101 | Invalid credential. |
| 102 | Invalid privilege. |
| 103 | Invalid token. |
| 200 | Web Service error. |
| 201 | Invalid argument in Web Service function. |
| 202 | Unreachable Web Service server. |
| 300 | SAN service error. |
| 301 | Invalid query key in SAN service. |
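
A client-side triage of the error codes above, as an added example that is not part of the Cisco guide: it groups codes by their hundreds digit as the table does (1xx authentication, 2xx Web Service, 3xx SAN service) and flags clients that produce a burst of 1xx failures. The record format, the function names, the threshold and window values, and the sample records are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime

# Codes and descriptions as listed in the Error Codes table of the guide.
ERROR_CODES = {
    100: "Authentication failure.",
    101: "Invalid credential.",
    102: "Invalid privilege.",
    103: "Invalid token.",
    200: "Web Service error.",
    201: "Invalid argument in Web Service function.",
    202: "Unreachable Web Service server.",
    300: "SAN service error.",
    301: "Invalid query key in SAN service.",
}

# The table groups codes by their hundreds digit.
CODE_CLASSES = {1: "authentication", 2: "web-service", 3: "san-service"}

# Constructed sample records (not real logs). Assumed format, one per line:
# "<ISO-8601 time> <client address> <method> <error code>"
SAMPLE_RECORDS = """\
2009-03-01T10:00:00 192.0.2.5 getStorages 103
2009-03-01T10:00:10 192.0.2.5 getStorages 103
2009-03-01T10:00:20 192.0.2.7 getHostByFabric 201
2009-03-01T10:00:25 192.0.2.5 getHostPorts 101
this line is malformed and is skipped
2009-03-01T10:05:00 192.0.2.9 getHost 100
2009-03-01T10:07:00 192.0.2.9 getHost 100
2009-03-01T10:09:00 192.0.2.9 getHost 100
2009-03-01T10:09:30 192.0.2.7 getStorageByFabric 300
2009-03-01T10:10:00 192.0.2.7 getStorages 999
"""


def classify(code):
    """Map an error code to its class; codes absent from the table are 'unknown'."""
    if code not in ERROR_CODES:
        return "unknown"
    return CODE_CLASSES[code // 100]


def parse_records(text):
    """Yield (time, client, method, code) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            yield (datetime.fromisoformat(fields[0]), fields[1],
                   fields[2], int(fields[3]))
        except ValueError:
            continue


def class_counts(text):
    """Count records per error class, so the three failure classes can be routed separately."""
    return Counter(classify(code) for _, _, _, code in parse_records(text))


def auth_failure_bursts(text, threshold=3, window_seconds=60):
    """Return {client: time the threshold was first reached} for 1xx bursts.

    A client is flagged when it produces `threshold` authentication-class
    errors within `window_seconds`. Records are assumed to be in time order.
    """
    recent = defaultdict(deque)   # client -> times of recent 1xx errors
    flagged = {}
    for when, client, _method, code in parse_records(text):
        if classify(code) != "authentication":
            continue
        times = recent[client]
        times.append(when)
        # Drop failures that have aged out of the sliding window.
        while (when - times[0]).total_seconds() > window_seconds:
            times.popleft()
        if len(times) >= threshold and client not in flagged:
            flagged[client] = when
    return flagged


if __name__ == "__main__":
    print(dict(class_counts(SAMPLE_RECORDS)))
    for client, when in auth_failure_bursts(SAMPLE_RECORDS).items():
        print(f"burst of authentication failures from {client} at {when.isoformat()}")
```

Codes 201 and 301 usually point at a caller bug rather than a credential problem, which is why only the 1xx class feeds the burst check.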

APPENDIX A
Launching Fabric Manager in Cisco SAN-OS Releases Prior to 3.2(1)

This appendix provides instructions for launching Fabric Manager Client in Cisco SAN-OS releases
prior to 3.2(1).
This appendix contains the following sections:
• Setting the Seed Switch in Cisco SAN-OS Releases 3.1(1) to 3.2(1)
• Setting the Seed Switch in Releases Prior to Cisco SAN-OS Release 3.1(1)

Setting the Seed Switch in Cisco SAN-OS Releases 3.1(1) to 3.2(1)

Note: As of Cisco SAN-OS Release 3.1(1), the Fabric Manager login procedure changed. If you are running a
version of Cisco SAN-OS that is earlier than Cisco SAN-OS 3.1(1), follow the login instructions in the
"Setting the Seed Switch in Releases Prior to Cisco SAN-OS Release 3.1(1)" section on page A-3.

From Cisco SAN-OS Release 3.1(1) to Release 3.2(1), you must log in to Fabric Manager Server before
you discover or open fabrics, and these fabrics can have different user credentials. You can specify
different SNMP communities per switch on the Web Server.

Note: The default user name is admin and the default password is password for your initial login. This
information is stored in the database. Both the Fabric Manager Server and the Web Server share the same
user credential database.

To log in to Fabric Manager Server and to open a fabric, follow these steps:

Step 1 Double-click the Fabric Manager Client icon on your workstation.
You see the Fabric Manager Server Login dialog box shown in Figure A-1.

Figure A-1 Fabric Manager Server Login Dialog Box

Step 2 Set FM Server to the IP address where you installed Fabric Manager Server, or set it to localhost if you
installed Fabric Manager Server on your local workstation.
If you forget your password, you can run one of the following scripts:
• bin\webUserAdd.bat admin password adds a user name and password to the Fabric Manager
Server database.
• bin\DBReset.bat resets the database back to the initial state and removes any discovered
fabrics.
Both of these scripts are available as UNIX .sh files.
Step 3 Enter the Fabric Manager Server user name and password.
Step 4 Check the Use SNMP Proxy check box if you want Fabric Manager Client to communicate with Fabric
Manager Server through a TCP-based proxy server.
Step 5 Click Login. After you successfully log in to Fabric Manager Server, you can set the seed switch and
open the fabrics that you are entitled to access.
You see the Discover New Fabric dialog box shown in Figure A-2.

Figure A-2 Discover New Fabric Dialog Box

Step 6 Set the fabric seed switch to the Cisco MDS 9000 Family switch that you want Fabric Manager to use.
Step 7 Enter the user name and password for the switch.
Step 8 Choose the Auth-Privacy option MD5-DES (default) when you log in.

Note: The Accelerate Discovery check box should remain checked for normal operation. Uncheck this
only if you have changed switch IP addresses. You may experience problems with SAN IDs in
Fabric Manager if you uncheck this check box.

Step 9 Click Discover.
You see the Open Fabric dialog box shown in Figure A-3.

Figure A-3 Open Fabric Dialog Box

Step 10 Check the check box(es) next to the fabric(s) you want to open in the Select column, or click the
Discover button to add a new fabric.

Note: As of Cisco SAN-OS Release 3.1(1), opening multiple fabrics is a licensed feature. You
will get a message if any of the discovered fabrics does not have a license.

Note: As of Cisco SAN-OS Release 3.1(2b), the license status can be a permanent license, an evaluation
license, or no license (all evaluation licenses have expired).

Step 11 Click Open to open the fabric.

Setting the Seed Switch in Releases Prior to Cisco SAN-OS Release 3.1(1)

Note: As of Cisco SAN-OS Release 3.1(1), the Fabric Manager login procedure changed. If you are running
Cisco SAN-OS Releases 3.1(1) to 3.2(1), then follow the login instructions in the "Setting the Seed
Switch in Cisco SAN-OS Releases 3.1(1) to 3.2(1)" section on page A-1.

When you run Fabric Manager, you must select a switch for Fabric Manager to use to discover the fabric.
For releases earlier than Cisco SAN-OS Release 3.1(1), use the same user name and password on each
of the multiple fabrics that you open, then log in directly to the MDS 9000 Family switch that you want
Fabric Manager to use.
To set the seed switch if you are running a version of Cisco SAN-OS that is earlier than Cisco SAN-OS
Release 3.1(1), follow these steps:

Step 1 Double-click the Fabric Manager Client icon on your workstation.
You see the Fabric Manager Login dialog box shown in Figure A-4.

Figure A-4 Open Fabric Dialog Box

Step 2 Click the Options button if necessary to expand the optional settings in this dialog box.
Step 3 Set FM Server to the IP address where you installed Fabric Manager Server, or set it to localhost if you
installed Fabric Manager Server on your local workstation.
Step 4 Set the fabric seed switch to the MDS 9000 Family switch that you want Fabric Manager to use.
Step 5 Enter the user name and password for the switch.
Step 6 Check the Use SNMP Proxy check box if you want Fabric Manager Client to communicate with Fabric
Manager Server through a TCP-based proxy server.

Note: The Accelerate Discovery check box should remain checked for normal operation. Uncheck this
only if you have changed switch IP addresses. You may experience problems with out-of-sync
SAN IDs in Fabric Manager if you uncheck this check box.

Step 7 Click Open to open the fabric.

APPENDIX B
Cisco Fabric Manager Unsupported Feature List

This appendix contains a list of features and functions not supported by Cisco Fabric Manager or Device
Manager. This list is organized according to the chapter in which the feature would be described if it
were supported. (See Table B-1.) For documentation about these features, refer to the Cisco MDS 9000
Family CLI Configuration Guide.

Table B-1 Features Not Supported by Cisco Fabric Manager or Device Manager

| Part | Chapter/Category | Procedure |
|---|---|---|
| 2 Cisco MDS NX-OS Installation and Switch Management | Obtaining and Installing Licenses | Backing Up License Files |
| | | Moving Licenses Between Switches |
| | Initial Configuration | Starting a Switch (Initial Setup) |
| | | Configuring Console Settings |
| | | Configuring COM1 and Modem Settings |
| | | Adjusting for Daylight Savings Time |
| | | Configuring the Initialization String |
| | | Basic Switch Configuration |
| | | Terminal Settings |
| | | File System Commands |
| | | Displaying File Contents |
| | Software Images | Manual Upgrade on a Dual Supervisor Switch |
| | | Corrupted Bootflash Recovery |
| | Working with Configuration Files | Formatting External CompactFlash |
| | | Compressing and Uncompressing Files |
| | | Displaying the Last Lines in a File |
| | | Executing Commands Specified in a Script |
| | | Setting the Delay Time |
| | | Displaying Configuration Files |
| | | Unlocking the Startup Configuration File |
| | | Accessing Remote File Systems |
| | Configuring High Availability | Copying Images to the Standby Supervisor |
| | Managing System Hardware | Clock Modules |
| | Managing Modules | Connecting to a Module |
| | | Preserving Module Configuration |
| | | Purging Module Configuration |
| | | EPLD Configuration |
| | | Configuring SSI Boot Image |
| | | Managing SSMs |
| 3 Switch Configuration | Configuring Interfaces | Displaying the ALPA Cache Contents |
| | | Clearing the ALPA Cache |
| | | N-Port Identifier Virtualization (NPIV) |
| | Scheduling Tasks | Schedule Configuration |
| 4 Fabric Configuration | Inter-VSAN Routing Configuration | Inter-VSAN Routing (IVR) FICON Support |
| | | IVR Service Groups |
| 6 IP Services | Configuring FCIP | Displaying and Clearing ARP Caches |
| | Configuring the SAN Extension Tuner | Tuning Configuration |
| | Configuring IP Storage | IPS Module Core Dumps |
| 8 Network and Switch Monitoring | Monitoring Network Traffic Using SPAN | Remote SPAN |
| 10 Troubleshooting | Troubleshooting Your Fabric | Loop Monitoring |
| | | Configuring CIM |
| | | CFS for FC Timers |
| | | Local Text Based Capture |
| | | Capturing FC Analyzer Frames Locally |
| | | Sending Captured FC Analyzer Frames to a Remote IP Address |
| | | Clearing Configured FC Analyzer Information |
| | | Displaying a List of Hosts Configured for Remote Capture |
| | | Using Fabric Analyzer Display Filters |
| | Monitoring System Processes and Logs | Saving the Last Core to Flash |
| | | Kernel Core Dumps |
| | | System Health Initiation |
| | | Loopback Test Configuration Frequency |
| | | Hardware Failure Action |
| | | Tests for a Specified Module |
| | | Clearing Previous Error Reports |
| | | Online Health Management System |
| | | Enabling and Disabling the OHMS |
| | | Enabling and Disabling Hardware Failure Action |
| | | Configuring Onboard Failure Logging |
| | | Clearing Previous Error Reports |
| | | Performing Tests for a Specified Module |
| | | Configuring Automatic Loopback Tests |
| | | Performing SERDES Loopback Tests |

APPENDIX C
Interface Nonoperational Reason Codes

If the administrative state for an interface is up and the operational state is down, the reason code
identifies why the interface is nonoperational, as described in Table C-1.

Table C-1 Reason Codes for Nonoperational States

| Reason Code | Description | Applicable Modes |
|---|---|---|
| Link failure or not connected | Physical layer link is not operational. | All |
| SFP not present | The small form-factor pluggable (SFP) hardware is not plugged in. | All |
| Initializing | The physical layer link is operational and the protocol initialization is in progress. | All |
| Reconfigure fabric in progress | The fabric is currently being reconfigured. | All |
| Offline | Cisco MDS SAN-OS waits for the specified R_A_TOV time before retrying initialization. | All |
| Inactive | The interface VSAN is deleted or is in a suspended state. To make the interface operational, assign that port to a configured and active VSAN. | All |
| Hardware failure | A hardware failure is detected. | All |
| Error disabled | Error conditions require administrative attention. Interfaces may be error-disabled for various reasons. For example: configuration failure; incompatible buffer-to-buffer credit configuration. To make the interface operational, you must first fix the error conditions causing this state; and next, administratively shut down or enable the interface. | All |
| Isolation due to ELP failure | Port negotiation failed. | Only E ports and TE ports |
| Isolation due to ESC failure | Port negotiation failed. | Only E ports and TE ports |
| Isolation due to domain overlap | The Fibre Channel domains (fcdomain) overlap. | Only E ports and TE ports |
| Isolation due to domain ID assignment failure | The assigned domain ID is not valid. | Only E ports and TE ports |
| Isolation due to other side E port isolated | The E port at the other end of the link is isolated. | Only E ports and TE ports |
| Isolation due to invalid fabric reconfiguration | The port is isolated due to fabric reconfiguration. | Only E ports and TE ports |
| Isolation due to domain manager disabled | The fcdomain feature is disabled. | Only E ports and TE ports |
| Isolation due to zone merge failure | The zone merge operation failed. | Only E ports and TE ports |
| Isolation due to VSAN mismatch | The VSANs at both ends of an ISL are different. | Only E ports and TE ports |
| Nonparticipating | FL ports cannot participate in loop operations. It may happen if more than one FL port exists in the same loop, in which case all but one FL port in that loop automatically enters nonparticipating mode. | Only FL ports and TL ports |
| PortChannel administratively down | The interfaces belonging to the PortChannel are down. | Only PortChannel interfaces |
| Suspended due to incompatible speed | The interfaces belonging to the PortChannel have incompatible speeds. | Only PortChannel interfaces |
| Suspended due to incompatible mode | The interfaces belonging to the PortChannel have incompatible modes. | Only PortChannel interfaces |
| Suspended due to incompatible remote switch WWN | An improper connection is detected. All interfaces in a PortChannel must be connected to the same pair of switches. | Only PortChannel interfaces |

APPENDIX D
Managing Cisco FabricWare

The Cisco FabricWare software running on the MDS 9020 Switch offers Fibre Channel switching
services that realize maximum performance. Cisco FabricWare provides networking features such as
zoning, advanced security, nondisruptive software upgrades, diagnostics, a CLI with syntax resembling
Cisco IOS, and standard interfaces for management applications.
This appendix contains the following sections:
• Fibre Channel Support
• Zone Configuration
• Security
• Events
• Managing Cisco FabricWare with Fabric Manager

Fibre Channel Support


Cisco FabricWare supports autoconfigured Fibre Channel ports capable of up to 4-Gbps bandwidth.
Cisco FabricWare supports the following port types:
• E
• F
• FL
• Fx
• Auto
See the "About Interface Modes" section on page 20-3.
Cisco FabricWare supports Fabric Shortest Path First (FSPF) as the standard path selection protocol used
by Fibre Channel fabrics. The FSPF feature is enabled by default on all Fibre Channel switches. Except
in configurations that require special consideration, you do not need to configure any FSPF services.
FSPF automatically calculates the best path between any two switches in a fabric.


Zone Configuration
Zoning enables you to set up access control between storage devices or user groups. If you have
administrator privileges in your fabric, you can create zones to increase network security and to prevent
data loss or corruption. Zoning is enforced by examining the source-destination ID field. Cisco
FabricWare does not support QoS, broadcast, LUN, or read-only zones.
You can use the Fabric Manager zone configuration tool to manage zone sets, zones, and zone
membership for switches running Cisco FabricWare. Cisco FabricWare supports zone membership by
pWWN. See the Configuring a Zone Using the Zone Configuration Tool section on page 30-12.

Security
Cisco FabricWare supports the following security features:
• RADIUS
• SSH
• User-based roles
• IP access control lists
Cisco FabricWare can use the RADIUS protocol to communicate with remote AAA servers. RADIUS is
a distributed client/server protocol that secures networks against unauthorized access. In the Cisco
implementation, RADIUS clients run on Cisco MDS 9000 Family switches and send authentication
requests to a central RADIUS server that contains all user authentication and network service access
information.
You can access the CLI using the console (serial connection), Telnet, or Secure Shell (SSH). For each
management path (console or Telnet and SSH), you can configure one or more of the following security
control options: local, remote (RADIUS), or none.
Using these access methods, you can configure the roles that each authenticated user receives when they
access the switch. Cisco FabricWare supports two fixed roles: network administrator and network
operator.
IP access lists (IP-ACLs) control management traffic over IP by regulating the traffic types that are
allowed or denied to the switch. IP-ACLs can only be configured for the mgmt0 port.
Fabric Manager Server uses SNMPv1 and SNMPv2 to communicate with Cisco FabricWare.

Events
You can monitor fabric and switch status for Cisco FabricWare switches through either a syslog server
or an SNMP trap receiver.
The syslog, or system message logging software, saves messages in a log file or directs the messages to
other devices. This feature provides you with the following capabilities:
• Provides logging information for monitoring and troubleshooting
• Allows you to select the types of captured logging information
• Allows you to select the destination server to forward the captured logging information

By default, the switch logs normal but significant system messages to a log file and sends these messages
to the system console. You can specify which system messages should be saved based on the type of
facility and the severity level. You can access logged system messages using the CLI or by saving them
to a properly configured system message logging server.
You can configure the Cisco MDS 9020 Switch using the CLI to send notifications to SNMP managers
when particular events occur. You can send these notifications as traps.

Managing Cisco FabricWare with Fabric Manager


Fabric Manager supports switches running Cisco FabricWare.
Table D-1 shows the supported features and where to find more information on that feature.

Table D-1 FabricWare Features in Fabric Manager

| Feature | FabricWare Capabilities | Section |
|---|---|---|
| Zones | Zone configuration; Zone membership by pWWN; No Cisco FabricWare support for QoS, broadcast, LUN, or read-only zones | "Configuring a Zone Using the Zone Configuration Tool" section on page 30-12; "Adding Zone Members" section on page 30-14; "About Zoning" section on page 30-1 |
| Interfaces | 1/2/4 Fibre Channel autonegotiating ports | "Fibre Channel Interfaces" section on page 20-2 |
| SNMP | SNMPv1 and SNMPv2c | "SNMP Version 1 and Version 2c" section on page 40-2 |
| Software images | Automated upgrades; Manual upgrades | "Using the Software Install Wizard" section on page 15-8; "Software Upgrade Methods" section on page 15-5 |
| FLOGI, name server, FDMI, and RSCN | Displaying FLOGI details; Registering name server proxies; Displaying FDMI; RSCN statistics | Refer to the Cisco MDS 9020 Switch Configuration Guide and Command Reference. |
| Security | Configuring RADIUS; Configuring server groups; Configuring role-based authorization; Configuring user accounts; Configuring SSH services | "Configuring a RADIUS Server" section on page 41-10; "Creating and Modifying Users" section on page 40-4; "Role-Based Authorization" section on page 39-1; "Configuring Users" section on page 39-12; "Enabling SSH or Telnet Service" section on page 39-18 |
| Fibre Channel routing | FSPF global configuration; FSPF interface configuration | Refer to the Cisco MDS 9020 Switch Configuration Guide and Command Reference. |
| IP services | IP access control lists on mgmt0 | "Creating IPv4-ACLs or IPv6-ACLs in Device Manager" section on page 42-6 |
| System messages | System message logging configuration | "Viewing Logs from Device Manager" section on page 57-4 |
| Advanced configuration | FC timer | "Fibre Channel Time Out Values" section on page 37-2 |

INDEX

3DES encryption
Symbols
IKE 44-7
* (asterisk) IPsec 44-6
autolearned entries 46-20 4/44-port 8-Gbps switching modules
port security wildcard 46-15 default settings 22-43
port security wildcards 46-15 example configurations 22-16
48-port 4-Gbps switching modules
bandwidth fairness 22-37
Numerics
configuration guidelines 22-30
12-port 4-Gbps switching modules default settings 22-43
BB_credit buffers 22-20 example configurations 22-17
configuration guidelines 22-31 oversubscription 22-34
default settings 22-43 shared resources 22-10
See also switching modules See also switching modules
16-port switching modules 48-port 8-Gbps switching modules
configuring BB_credits 20-26 default settings 22-43
LEDs 20-19 example configurations 22-14
See also switching modules See also switching modules
24-port 4-Gbps switching modules 4-port 10-Gbps switching modules
bandwidth fairness 22-37 BB_credit buffers 22-21
configuration guidelines 22-30 configuration guidelines 22-31
default settings 22-43 default settings 22-43
example configurations 22-19 See also switching modules
oversubscription 22-34
shared resources 22-10
A
See also switching modules
24-port 8-Gbps switching modules AAA
default settings 22-43 authentication process 41-6
example configurations 22-15 authorization process 41-6
32-port switching modules configuring information 7-53
configuring BB_credits 20-26 default settings 41-30
SPAN guidelines 60-6 description 41-1
See also switching modules DHCHAP authentication 45-10

Cisco MDS 9000 Family Fabric Manager Configuration Guide


OL-17256-03, Cisco MDS NX-OS Release 4.x IN-1
Index

Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m

distributing with CFS (procedure) 41-24 recovering 39-20


enabling server distribution 41-22 Admin tab
local services 41-26 description 7-44
remote services 41-4 Advanced Encrypted Standard encryption. See AES
encryption
service configuration options 41-4
advertised interfaces 50-12
setting authentication 41-26
advertisement packets
starting a distribution session 41-22
setting time intervals 51-11
AAA authentication
AES encryption
configuring 50-28, 50-29
description 40-4
AAA servers
IKE 44-7
groups 41-4
IPsec 44-6
monitoring 41-5
remote authentication 41-4
SNMP support 40-4

access control AES-XCBC-MAC

enforcingiSCSI IPsec 44-6

enforcing access control 50-27


AFIDs

iSCSI 50-26
configuring 29-11, 29-12

Access Control Lists. See IPv4-ACLs; IPv6-ACLs configuring default 29-12

access controlzoning based access controliSCSI description 29-4, 29-7, 29-15

zoning based access control 50-27


aliases

accounting switching between global device aliases and FC


aliases 31-8
viewing lists 7-10
switching between global device aliases and
ACL based access control fcaliases 3-7
configuring for iSCSI 50-26 using as enclosure names 5-33
ACLs using with Fabric Manager 3-7
configuring for iSCSI 50-26 ALPA caches
active zone sets clearing B-2
considerations 30-4 description 20-25
enabling distribution 30-26 displaying contents B-2
adapters ANSI T11 FC-GS-3
Fibre Channel-to-Ethernet 9-2 support 2-16
adminDown tooltip 67-14 applications
administrative speeds management 2-17
configuring 20-12 ARP caches
administrative states clearing B-2
description 20-7 displaying B-2
setting 20-11 authentication
administrator passwords CHAP option 50-57
default 2-5 configuring local with Device Manager 50-30

Cisco MDS 9000 Family Fabric Manager Configuration Guide


IN-2 OL-17256-03, Cisco MDS NX-OS Release 4.x
Index

Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m

Fabric Manager Web Services 4-4 disabling 22-39


fabric security 45-1 enabling 22-38
guidelines 41-4 Generation 2 switching modules 22-37
iSCSI setup 50-56 BB_credit buffers
local 41-3, 50-30 12-port 4-Gbps switching module allocations 22-20
MD5 51-12 12-port 4-Gbps switching module
considerations 22-20
mechanism 50-29
24-port 4-Gbps switching module allocations 22-18
mutual CHAPmutual CHAP authentication 50-30
24-port 4-Gbps switching module
remote 41-3, 41-4
considerations 22-19, 22-20
restricting iSLB initiatorinitiator authentication
24-port 8-Gbps switching module
restrictingiSLB considerations 22-15
restricting iSLB initiators 50-43 4/44-port 8-Gbps switching module
simple text 51-12 considerations 22-16
user IDs 41-3 48-port 4-Gbps switching module
considerations 22-17
See also MD5 authentication
48-port 8-Gbps switching module
See also simple text authentication
considerations 22-14
authentication, authorization, and accounting. See AAA
4-port 10-Gbps switching module allocations 22-21
autogenerated iSCSI targetiSCSI
4-port 10-Gbps switching module
autogenerated target 50-28 considerations 22-21, 22-22
auto-negotiation allocation defaults (table) 22-14, 22-15, 22-16, 22-17
configuring Gigabit Ethernet interfaces 52-5, 53-3 BB_credits
autonomous fabric ID configuring 20-26
See AFIDs description 20-25
autonomous fabric identifiers. See AFIDs FICON port swapping 36-32
AutoNotify reason codes 20-9, C-1
description 62-5 beacon modes
auto port mode configuring 20-20
description 20-7 description 20-20
interface configuration 20-3 identifying LEDs 20-19
autosensing speed Berkeley Packet Filter library. See BPF library
Generation 2 switching modules 20-13 bit errors
auto-topology reasons 20-20
configuration guidelines 29-10 bit error thresholds
IVR 29-6 configuring 20-20
modifying (procedure) 29-11 description 20-20
bitErrRTThresExceeded tooltip 67-14
bootflash:
B
description 16-2
bandwidth fairness file system 15-2

Cisco MDS 9000 Family Fabric Manager Configuration Guide


OL-17256-03, Cisco MDS NX-OS Release 4.x IN-3
Index

Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m

recovering from corruption B-1 configuration distribution 62-18


space requirements 15-3 configuring 62-5 to 62-19
boot variables configuring e-mail options 62-14
synchronizing 17-3 contact information 62-6
border switches database merge guidelines 62-19
description 29-4 default settings 62-40
IVR configuration guidelines 29-14 description 62-1
BPF library destination profiles 62-7 to 62-9
description 66-21 duplicate message throttle 62-16
See also libpcap freeware enabling 62-17
B port mode features 62-2
description 20-7 inventory notifications 62-15
interface modes 20-7 message format options 62-2
B ports RMON-based alerts 62-13
configuring 48-27 syslog-based alerts 62-12
interoperability mode 48-25 testing communications 62-19
SAN extenders 48-26 Call Home alert groups
bridge port mode. See B port mode configuring 62-9
bridge ports. See B ports customizing messages 62-10
broadcast description 62-9
in-band addresses default 19-13 Call Home destination profiles
routing 32-14 attributes 62-7
Brocade description 62-7
native interop mode 37-9 Call Home messages
buffer pools configuring levels 62-11
Generation 2 switching modules 22-10 format options 62-2
buffer sizes Call Home notifications
configuring in FCIP profiles 48-21 full-txt format for syslog 62-24
buffer-to-buffer credits. See BB_credits XML format for RMON 62-28
build fabric frames XML format for syslog 62-24
description 25-3 CAs
bundleMisCfg tooltip 67-14 authenticating 43-10
certificate download example 43-19
configuring 43-6 to 43-17
C
creating a trust point 43-8
Call Home default settings 43-37
alert groups 62-9 to 62-11 deleting digital certificates 43-16
AutoNotify feature 62-5 description 43-1 to 43-5, 69-1 to ??
CFS support 13-2 enrollment using cut-and-paste 43-4

Cisco MDS 9000 Family Fabric Manager Configuration Guide


IN-4 OL-17256-03, Cisco MDS NX-OS Release 4.x
Index

Se n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a ck - d o c @ c i s c o . c o m

example configuration 43-17 to 43-36 saving configurations 13-8


Fabric Manager Web Services 7-5 CFS applications
identity 43-2 clearing session locks 13-8
maintaining 43-14 committing changes 13-7
maximum limits 43-36 discarding changes 13-8
monitoring 43-14 enabling 13-5
multiple 43-4 enabling (procedure) 13-6
multiple trust points 43-3 fabric locking 13-6
peer certificates 43-5 CFS over IP
purpose 43-2 configuring static IP peers 13-11
CDP default settings 13-23
configuring 12-12 to 12-13 description 13-10
configuring hold times 12-13 CFS regions
configuring refresh time interval globally 12-12 assigning features 13-17
disabling globally 12-12 creating 13-17
disabling on interfaces 12-12 deleting 13-19
packet transmission interval 12-12 description 13-16
certificate authorities. See CAs moving a feature 13-18
certificate revocation lists. See CRLs removing a feature 13-19
CFS usisng Fabric Manager 13-17
application requirements 13-5 channelAdminDown tooltip 67-14
configuring for NTP 12-8 channelConfigurationInProgress tooltip 67-14
default settings 13-23 channelOperSuspended tooltip 67-14
description 13-1 to 13-4 CHAP authentication 50-28, 50-43, 50-57
disabling on a switch 13-4 CHAP challenge 50-30
displaying configuration information 13-9 CHAP response 50-30
distribution modes 13-4 CHAP user name 50-30
distribution over IP 13-10 CIM
distribution scopes 13-3 configuring 37-1, B-3
enabling on a switch 13-4 description 37-1
example configuration using Device Manager 13-23 support 2-16
example configuration using Fabric Manager 13-20 CIM servers
example using Fabric Manager 12-8 default settings 66-25
feature description 13-2 Cisco Access Control Server. See Cisco ACS
iSLB config distribution 50-46 Cisco ACS
merge support 13-9 configuring for RADIUS 41-26 to 41-30
merge support (procedure) 13-22 configuring for TACACS+ 41-26 to 41-30
protocol description 13-3 cisco-av-pair
SAN-OS features supported 13-2 specifying for SNMPv3 41-13


Cisco Discovery Protocol. See CDP description 1-2


Cisco Fabric Service. See CFS supervisor modules 19-1
Cisco MDS 9000 Family Cisco MDS SAN-OS
connecting a terminal 12-11 software images 15-1
description 1-1 Cisco SAN-OS features
initial setup 2-2 to 2-12 changed (table) 1-lvii
starting a switch 2-1 new (table) 1-lvii
Cisco MDS 9100 Series Cisco Traffic Analyzer
Cisco MDS 9120 switches 1-4 configuring with Performance Manager 58-9
Cisco MDS 9124 switches 1-4 description 9-3
Cisco MDS 9140 switches 1-4 installing (procedure) 9-3
description 1-4 statistics reports 66-3
high availability 17-1 troubleshooting tools 66-2
overview 1-4 using for troubleshooting 66-2
Cisco MDS 9200 Series using with Fabric Manager 9-2
Cisco MDS 9216A switches 1-3 Cisco Transport Controller. See CTC
Cisco MDS 9216i switches 1-3 Cisco vendor ID
connecting a terminal 12-11 description 41-13
description 1-3 class maps
high availability 17-1 configuring for data traffic 64-6
Cisco MDS 9216 creating 64-7
supervisor modules 19-2 CLI
Cisco MDS 9216A switches accessing D-2
description 1-3 description 1-5
Cisco MDS 9216i switches Fabric Manager alternative 1-6
configuring extended BB_credits 20-27 firewall 4-2
description 1-3 clients
Cisco MDS 9500 Series disconnecting 7-50
Cisco MDS 9506 Directors 1-2 viewing 7-50
Cisco MDS 9509 Directors 1-2 clock modules
Cisco MDS 9513 Directors 1-2 managing B-2
description 1-2 cloud discovery. See iSNS cloud discovery
high availability 17-1 code pages
Cisco MDS 9506 Directors FICON text string formatting 36-19
description 1-2 COM1 ports
Cisco MDS 9509 Directors configuring B-1
description 1-2 command-line interface. See CLI
supervisor modules 19-1 command schedulers
Cisco MDS 9513 Directors configuring B-2


command scripts console sessions


executing B-2 message logging severity levels 61-4
Common Information Model. See CIM console settings
common roles configuring B-1
deleting (procedure) 39-3 Contiguous Domain ID Assignments
communities About 25-15
adding 7-51 contract IDs
removing 7-52 description 62-33
CompactFlash control traffic
devices 16-2 disabling QoS 64-4
slot0: 15-2 enabling for QoS 64-4
company IDs Control Unit Port. See CUP in-band management
FC ID allocations 37-7, 66-24 core dumps
configuration IPS modules B-2
overview 1-6 to 1-8 core files
saving automatically for FICON 36-23 clearing directory 68-4
saving to NVRAM 16-8 displaying information 68-3
software tools 1-5 saving to CompactFlash B-3
configuration files CRLs
backing up 16-9 configuring 43-15
copying (procedure) 16-8 configuring revocation checking methods 43-12
displaying B-2 description 43-5
downloading 16-7 downloading example 43-34
FICON 36-29 generation example 43-33
saving (procedures) 16-8 importing example 43-36, ?? to 43-36
saving across the fabric 16-9 crossbars
configurations compatibility with Generation 1 modules 18-10
changing initial 2-12 description 18-8
configuring NPV 21-7 management 18-7
congestion control methods. See FCC; edge quench removal considerations 18-9
congestion control
crypto IPv4-ACLs
congestion window monitoring. See CWM
any keyword 44-25
connectivity
configuration guidelines 44-22
troubleshooting tool 5-35
creating 44-25
verifying 66-7
mirror images 44-24
console logging crypto map entries
configuring 61-4
global lifetime values 44-37
console ports setting SA lifetimes 44-31
parameters 2-2
crypto maps


auto-peer option 44-32 class maps 64-6


configuration guidelines 44-29 comparing VSANs and QoS 64-5
configuring perfect forward secrecy 44-35 defining service policies 64-8
entries for IPv4-ACLs 44-28 DWRR queues 64-8
perfect forward secrecy 44-34 enforcing service policies 64-8
SA lifetime negotiations 44-30 example configuration 64-10
SAs between peers 44-28 dates
crypto map sets configuring 12-3
applying to interfaces 44-36 daylight saving time
CTC adjusting for B-1
description 48-17 dead time intervals
launching 48-17 configuring for FSPF 32-8
CUP in-band management description 32-8
blocking restriction 36-25 dedicated rate mode
description 36-37 description 22-6
current VSANs migrating from shared rate mode 22-29, 22-30
description 29-3 migrating to shared rate mode 22-29, 22-30
custom reports default gateways. See IPv4 default gateways
creating a template 7-37 default networks
modifying a template 7-41 configuring 2-6, 2-10
Custom tab default networks. See IPv4 default networks
description 7-37 default users
Cut-through routing mode 50-33 description 2-3
cut-thru routing mode 50-34 default VSANs
CWM description 26-8
configuring in FCIP profiles 48-20 default zones
configuring 30-21
configuring policies 30-38
D
configuring QoS priorities 30-37
D_S_TOV description 30-20
default setting 66-25 interoperability 37-9
errors when setting 67-7 policies 30-20
modifying 66-15 deficit weighted round robin schedulers. See DWRR
schedulers
data
deniedDueToPortBinding tooltip 67-14
management 2-17
DES encryption
database files
IKE 44-7
resolving lock errors 7-45
IPsec 44-6
Data Encryption Standard encryption. See DES encryption
desktops
data traffic


shortcuts not visible 67-4 preferences 6-8


destination IDs setting preferences 6-8
exchange based 23-5 tabs 6-5
flow based 23-4 troubleshooting tools 66-1
in-order delivery 32-15 trunking 6-7
path selection 26-11 upgrade failures 67-4
device alias database upgrading 67-4
committing changes 31-6 using interface (figure) 6-3
discarding changes 31-7 viewing license information 10-16
distribution to fabric 31-4 viewing port status 6-5
merging 31-8 viewing supervisor modules 6-7
device aliases viewing switch modules 6-7
CFS support 13-2 viewing system messages 61-11
clearing statistics 31-8 devices
comparison with zones (table) 31-4 discovery 57-1
default settings 31-9 management 2-17
description 31-1 modifying groupings (procedure) 5-32
features 31-3 searching in Fabric Manager 67-22
modifying the database 31-4 DH
requirements 31-3 IKE 44-6
zone alias conversion 31-7 DHCHAP
device IDs AAA authentication 45-10
Call Home format 62-34 authentication modes 45-5
Device Manager compatibility with other SAN-OS features 45-3
color definitions 6-5 configuring 45-2 to 45-10
connection failures 67-10 configuring AAA authentication 45-10
context menus 6-7 default settings 45-10
description 1-5, 2-15, 6-1 description 45-2
disk images not visible 67-7 enabling 45-4
downgrading 67-4 group settings 45-7
FAQs 67-1 hash algorithms 45-6
icons 6-4 licensing 45-2
installation failures 67-6, 67-7 passwords for local switches 45-7
label definitions 6-5 passwords for remote devices 45-8
launching (procedure) 6-2 timeout values 45-9
login failure recovery 67-6 See also FC-SP
managing ports 6-7 differentiated services code point. See DSCP
performance monitoring 58-1 Diffie-Hellman Challenge Handshake Authentication
PortChannels 6-7
Protocol. See DHCHAP


Diffie-Hellman protocol. See DH configuring CFS distribution 25-12 to 25-15


digital certificates configuring fcalias members 30-21
configuration example 43-17 to 43-19 contiguous assignments 25-15
configuring 43-6 to 43-17 description 25-8
default settings 43-37 distributing 25-2
deleting from CAs 43-16 duplicates causing errors 67-13
description 43-1 to 43-5, 69-1 to ?? enabling contiguous assignments 25-15
exporting 43-5, 43-14 failures C-2
generating requests for identity certificates 43-12 interoperability 37-9
importing 43-5, 43-14 IVR configuration guidelines 29-13
installing identity certificates 43-13 non-unique and IVR NAT 29-5
IPsec 44-7 to 44-10 preferred 25-10
maintaining 43-14 static 25-10
maximum limits 43-36 unique 29-13
monitoring 43-14 domainInvalidRCFReceived tooltip 67-14
peers 43-5 domain manager
purpose 43-2 isolation 20-10
requesting identity certificate example 43-24 domainManagerDisabled tooltip 67-14
revocation example 43-30 domainMaxReTxFailure tooltip 67-14
digital signature algorithm. See DSA key pairs domain names
DirectX configuring 2-6
installing 67-6 domainOtherSideEportIsolation tooltip 67-14
Distributed Services Time Out Value. See D_S_TOV domainOverlapIsolation tooltip 67-14
DNS domains
configuring 2-6, 2-10 overlap isolations C-2
configuring IP addresses 2-7 DPVM
default settings 51-13 CFS support 13-2
DNS servers default settings 28-15
configuring 51-12 description 28-1
documentation enabling 28-2
additional publications i-lxvii requirements 28-2
related documents i-lxvii using DPVM Setup Wizard (procedure) 28-2
domainAddrAssignFailureIsolation tooltip 67-14 wizard 5-34
domain ID DPVM databases
CFS support 13-2 autolearned entries 28-8
domain IDs clearing 28-9
allowed lists 25-11 comparing differences 28-14
assignment failures 20-10 configuring CFS distribution 28-10 to 28-13
configuring allowed lists 25-11 copying 28-14


description 28-5 edge switches


enabling autolearning 28-9 description 29-4
merging guidelines 28-13 edge VSANs
drill down reports description 29-3
description 7-1 EFMD
drivers fabric binding 47-1
iSCSI 50-2 EISLs
drop latency time PortChannel links 23-2
configuring 32-18 ELP
dsa key pairs verifying using Device Manager (procedure) 48-16
generating 39-16 elpFailureClassFParamErr tooltip 67-14
DSCP elpFailureClassNParamErr tooltip 67-15
configuring 48-28 elpFailureInvalidFlowCTLParam tooltip 67-15
DWRR queues elpFailureInvalidPayloadSize tooltip 67-15
changing weights 64-9 elpFailureInvalidPortName tooltip 67-15
DWRR schedulers elpFailureInvalidTxBBCredit tooltip 67-15
description 64-5 elpFailureIsolation tooltip 67-15
dynamic bandwidth management elpFailureLoopbackDetected tooltip 67-15
description 22-9 elpFailureRatovEdtovMismatch tooltip 67-15
dynamic iSCSI initiator elpFailureRevMismatch tooltip 67-15
converting 50-40 ELP failures
convert to staticiSCSI reason codes C-2
convert dynamic initiator to static 50-19 elpFailureUnknownFlowCTLCode tooltip 67-15
dynamic mapping 50-8, 50-39 e-mail addresses
dynamic mappingiSCSI assigning for Call Home 62-7
dynamic mappingiSCSI e-mail notifications
static mappingstatic mapping 50-7 Call Home 62-1
Dynamic Port VSAN Membership. See DPVM enclosure names
aliases 5-33
end devices
E
viewing storage port traffic and errors 7-16
E_D_TOV end-to-end connectivity
default setting 66-25 troubleshooting 66-5
errors when setting 67-7 enhanced ISLs. See EISLs
modifying 66-15 enhanced zones
EBCDIC advantages over basic zones 30-43
FICON string format 36-19 changing from basic zones 30-44
edge quench congestion control creating attribute groups 30-45
description 64-2 default settings 30-48


description 30-43 Ethernet


enabling 30-45 reducing traffic 66-2
merging databases 30-45 Ethernet PortChannels
enterprise package licenses adding Gigabit Ethernet interfaces 52-10
description 10-4 configuring 52-10
entity status inquiry. See ESI description 52-9
EPLD images iSCSI 50-55
configuring B-2 redundancy 48-6
E port mode evaluation
classes of service 20-4 stop in Device Manager 10-17
description 20-4 events
ePortProhibited tooltip 67-15 displaying using Device Manager 57-5
E ports displaying using Fabric Manager 57-5
32-port guidelines 20-3 displaying using Fabric Manager Web Services 57-5
32-port switching module configuration viewing 7-10
guidelines 23-8
Exchange Fabric Membership Data. See EFMD 47-1
configuring 20-12, 48-28
exchange IDs
fabric binding checking 47-2
in-order delivery 32-15
FCS support 63-1
path selection 26-11
FSPF topologies 32-2
exchange link parameter. See ELP
isolation 20-10, C-2
exchange link parameter failures. See ELP failures
recovering from link isolations 30-28
expansion port mode. See E port mode
SPAN sources 60-3
expiry alerts
eppFailure tooltip 67-15
licenses 10-15
Error Detect Time Out Value. See E_D_TOV explicit fabric logout 50-16
errorDisabled tooltip 67-15
extended BB_credits
error messages configuring 20-28
gen error messages 67-7
description 20-27
error reports
Generation 2 switching modules 22-23
clearing previous B-3
licensing 22-23
escFailureIsolation tooltip 67-15
Extended Binary-Coded Decimal Interchange Code. See
ESC failures EBCDIC 36-19
reason codes C-2 Extended Link Protocol. See ELP
ESI external CompactFlash
non-resp threshold 50-72 formatting B-2
ESI retry count 50-72 external loopback tests
Ethereal freeware description 68-7
analyzer 66-18 performing 68-7
URL 66-17 external RADIUS server


CHAP 50-57 fabric login. See FLOGI


external RADIUS servers fabric loop port mode. See FL port mode
CHAP 50-57 Fabric Manager
authentication 4-1 to ??
browser support 2-19
F
Cisco Traffic Analyzer 9-2
fabric connection failures 67-10
editing monitoring 7-47 corrupted jar file errors 67-22
Fabric Analyzer description 1-5, 2-13
configuring 66-19 detachable tables 5-24
description 66-17 downgrading 67-4
Ethereal freeware 66-17 downloading software 2-18
libpcap freeware 66-17 error recovery 67-7
using display filters B-3 FAQs 67-1
fabric binding FCIP 67-19
activation 47-4 installation failures 67-6, 67-7
checking for Ex ports 47-2 installing 2-18
clearing statistics 47-6 integrating with other tools 2-40
compatibility with DHCHAP 45-3 ISL statistics 58-3
configuration 47-3 to 47-6 Java support 2-19
default settings 47-9 launching troubleshooting 67-3
deleting database 47-6 login failure recovery 67-6
description 47-1 to 47-2 missing Information pane 67-9
EFMD 47-1 mixed software environments 67-22
enforcement 47-2 network discovery 5-32
forceful activation 47-5 preinstallation tasks 2-18
licensing requirements 47-1 problems with map changes 67-8
port security comparison 47-1 running behind firewalls 2-40
saving configurations 47-5 running with multiple NICs 67-20
verifying configuration 47-6 to 47-9 searching for devices 67-22
fabricBindingDBMismatch tooltip 67-15 setting preferences 5-30
fabricBindingDomainInvalid tooltip 67-15 shows as disabled service 67-6
fabricBindingNoRspFromPeer tooltip 67-15 support operating systems 2-19
fabricBindingSWWNNotFound tooltip 67-15 uninstalling 2-43
Fabric Configuration Server. See FCS upgrade failures 67-4
Fabric Configuration Servers. See FCSs upgrading 2-38, 67-4
Fabric-Device Management Interface. See FDMI viewing license information 10-16
fabric lock Fabric Manager authentication
releasing 50-49 description 4-1


discovery best practices 4-3 properties files 3-4


Web Server support 4-4 Red Hat Linux support 3-1
Fabric Manager Clients Solaris support 3-1
advanced mode 5-2 troubleshooting tools 66-1
description 2-14, 5-1 user names 3-7
displaying physical attributes 5-20 viewing logs 7-62
Fabric pane 5-24 Windows support 3-1
filtering 5-20 Fabric Manager Server package license
Information pane 5-23 description 10-6
launching 5-2 Fabric Manager Web Server
main menu 5-13 authentication 4-4
setting preferences 5-30 configuring RADIUS authentication 4-4
status bar 5-30 configuring TACACS+ authentication 4-5
toolbar icons (table) 5-17 description 2-15
troubleshooting tools 5-35 viewing system messages 61-11
using interface (figure) 5-12 Fabric Manager Web Services
wizards 5-34 configuring communities 7-51
Fabric Manager features configuring users 7-53
changed (table) 1-lvii description 7-1
new (table) 1-lvii exporting performance data 7-3
Fabric Manager Server initial screen 7-9
authentication 4-2 installing 7-3
configuring preferences 7-51 launching 7-7
continuously monitoring fabrics 3-3 navigating 7-2
database failed to start 67-10 printing 7-3
description 2-14, 3-1 recovering passwords 7-45
disk space requirements 3-1 TCP ports 7-4, 7-5
fabric discovery 4-3 using with SSL 7-5
features 3-1 fabric port mode. See F port mode
full fabric rediscovery 3-7 fabric pWWNs
installation overview 3-2 zone membership 30-2
installing 3-2 fabric reconfiguration
licensing 3-3, 10-17 fcdomain phase 25-2
local host error messages 67-20 fabrics
modifying settings 3-5 discovery 5-32
passwords 3-7 management 2-17
performing administrative tasks 7-44 monitoring 3-3
performing configuration tasks 7-44 See also build fabric frames
polling periods 3-7 fabrics. See RCFs; build fabric frames


fabric security frame handling 64-2


authentication 45-1 logging facility 61-2
default settings 45-10 process 64-2
Fabric Shortest Path First. See FSPF fcdomains
FabricWare autoreconfigured merged fabrics 25-7
events D-2 configuring CFS distribution 25-12 to 25-15
Fabric Manager support (table) D-3 default settings 25-22
Fibre Channel support D-1 description 25-2
installing Fabric Manager Web Services 7-3 disabling 25-6
roles D-2 domain IDs 25-8
security D-2 displaying statistics 25-22
SNMP traps D-2 enabling 25-6
syslog traps D-2 enabling autoreconfiguration 25-8
zoning support D-2 incoming RCFs 25-6
fabric WWNs. See fWWNs initiation 25-5
fan module LEDs overlap isolation 20-10
failure status 18-12 restarts 25-3
fan modules switch priorities 25-5
description 18-12 FC-GS-3 requests
displaying status 18-12 device grouping support 5-32
failures 18-12 FC ID allocation
FAQs FICON implementation 36-14
Device Manager 67-1 FC IDs
Fabric Manager 67-1 allocating 25-2, 37-7, 66-24
fault tolerant fabrics allocating company IDs 66-24
example (figure) 32-2 allocating default company ID lists 37-8
fcaliases allocating for FICON 36-14
adding members 30-22 allocation for HBAs 37-7
cloning 30-35 configuring fcalias members 30-21
configuring for zones 30-21 description 25-16
creating 30-22 persistent 25-17 to ??
renaming 30-34 FCIP 50-1
using with Fabric Manager 3-7 advanced features 48-29
FCC checking trunk status (procedure) 48-17
assigning priority 64-3 compatibility with DHCHAP 45-3
benefits 64-1 compression 48-37
default settings 64-12 configuring 48-7 to ??
description 64-1 configuring using FCIP Wizard 48-8 to 48-15
enabling 64-2 default parameters 48-38


discarding packets 48-25 initiating IP connections 48-25


enabling 48-8 TCP connections 48-3
FICON support 36-5 FCIP peers
Gigabit Ethernet ports 52-4, 53-1 configuring IP addresses 48-22
high availability 48-4 to 48-7 enabling special frames 48-24
IPS modules 48-2 fcipPortAdminCfgChange tooltip 67-15
IP storage services support 52-1 fcipPortKeepAliveTimerExpire tooltip 67-15
link failures 48-5 fcipPortMaxReTx tooltip 67-16
MPS-14/2 module 48-2 fcipPortPersistTimerExpire tooltip 67-16
reserving ports for FICON 36-13 fcipPortSrcAdminDown tooltip 67-16
restrictions 67-19 fcipPortSrcLinkDown tooltip 67-16
specifying number of TCP connections 48-25 FCIP profiles
tape acceleration 48-32 to ?? configuring TCP parameters 48-19 to ??
time stamps 48-25 creating 48-15
VE ports 48-2 description 48-4
verifying ELP (procedure) 48-16 fcipSrcModuleNotOnline tooltip 67-16
verifying interfaces (procedure) 48-16 fcipSrcPortRemoved tooltip 67-16
virtual ISLs 48-2 FCIP tape acceleration
VRRP 48-6 configuring 48-36
write acceleration 48-29 description 48-32 to 48-36
FCIP compression FCIP TCP parameters
configuring (procedure) 48-12 configuring buffer size 48-21
description 48-37 configuring CWM 48-20
FCIP interfaces configuring keepalive timeouts 48-19
configuring advanced features 48-21 to 48-28 configuring maximum jitter 48-21
configuring peers 48-22 configuring maximum retransmissions 48-19
configuring QoS 48-28 configuring minimum retransmit timeouts 48-19
configuring special frames 48-24 configuring PMTUs 48-20
creating 48-22 configuring SACKs 48-20
parameters 48-4 configuring window management 48-20
SPAN sources 60-3 FCIP write acceleration
FCIP links configuring 48-31
B port interoperability mode 48-25 configuring (procedure) 48-12
configuring 48-15 description 48-29
configuring peers 48-22 FC Logical Interface Tables 50-21
configuring QoS 48-28 fcotChksumErr tooltip 67-16
creating 48-16 fcotNotPresent tooltip 67-16
description 48-3 fcotVendorNotSupported tooltip 67-16
endpoints 48-3 FCP


intermixing protocols 36-5 Fibre Channel Congestion Control. See FCC


routing requests 50-3 Fibre Channel domains. See fcdomains
fcping. See Ping Tool Fibre Channel interface
FCS default settings 20-31
description 63-1 Fibre Channel interfaces
logging facility 61-2 administrative states 20-7
significance 63-2 BB_credits 20-25
FC-SP characteristics 20-2 to 20-11
authentication 45-1 configuring beacon modes 20-20
enabling 45-4 configuring bit error thresholds 20-20
enabling on ISLs 45-10 configuring frame encapsulation 20-18
See also DHCHAP configuring port modes 20-12
fcspAuthenfailure tooltip 67-16 configuring receive data field sizes 20-18
FCSs configuring speeds 20-12
default settings 63-6 deleting from PortChannels 23-20
description 63-1 disabling 20-11
displaying information 63-3 to ?? enabling 20-11
fctimers extended BB_credits 20-27
CFS support 13-2 graceful shutdown 20-11
configuring CFS B-3 modes 20-3 to 20-7
distribution 37-4 operational states 20-8
fctrace. See traceroute performance buffers 20-26
FDMI reason codes 20-8
description 34-4 states 20-7
displaying database information 34-4 taking out of service on Generation 2 switching
modules 22-40
Federal Information Processing Standards. See FIPS
Fibre Channel 50-1
troubleshooting operational states 20-9
See also interfaces 20-7
configuring time out values 66-15
Fibre Channel over IP. See FCIP
iSCSI targets 50-7 to 50-13
Fibre Channel Protocol. See FCP
sWWNs for fabric binding 47-4
Fibre Channel Security Protocol. See FC-SP
time out values 37-2 to 37-5
Fibre Channel targets
TOVs 37-3
dynamic importing 50-9
Fibre Channel Analyzers
dynamic mapping 50-9
configuring using SPAN 60-12
Fibre Channel analyzers Fibre Channel traffic

capturing frames locally B-3


analyzing 66-2

clearing configured information B-3


SPAN sources 60-3

monitoring without SPAN 60-10


statistics 66-3

sending frames to remote IP addresses B-3


Fibre Channel write acceleration


default settings 56-3 text string formatting codes 36-19


description 56-1 unimplemented port 36-11
enabling 56-2 VSAN offline state 36-19
estimating number of write buffers 56-1 ficonBeingEnabled tooltip 67-16
licensing 56-1 FICON configuration files
modifying number of write buffers 56-2 applying to running configuration 36-29
Fibre Channel zoning-based access control 50-27 copying 36-31
Fibre Connection. See FICON description 36-29
FICON displaying 36-30
advantages on MDS switches 36-3 to 36-7 editing 36-30
automatic configuration save 36-23 view latest information 36-30
basic configuration 36-16 ficonNoPortnumber tooltip 67-16
calculating flow load balance (procedure) 36-39 ficonNotEnabled tooltip 67-16
cascading 36-7 FICON port numbers
configuration files 36-28 to 36-31 assigning to slots 36-13
configuring 36-15 to 36-24 default numbering scheme 36-8
configuring ports 36-24 to 36-28 FCIP interfaces 36-13
CUP in-band management 36-37 implemented addresses 36-11
default settings 36-42 installed ports 36-12
description 36-1 to 36-7 logical interfaces 36-13
displaying information 36-40 to 36-42 numbering guidelines 36-12
fabric binding requirements 47-3 PortChannel interfaces 36-13
Fabric Manager Client support 5-2 port swapping 36-11
FC4 protocols 36-2 reserved numbering scheme 36-11
FC ID allocations 36-14 unimplemented addresses 36-11
FCIP support 36-5 uninstalled ports 36-12
host timestamp control 36-22 FICON ports
implemented ports 36-11 assigning address names using Device Manager 36-27
installed ports 36-12 blocking 36-25
manually enabling 36-18 displaying address information 36-41
MDS-supported features 36-5 prohibiting 36-26
PortChannel support 36-5 swapping configurations 36-33
port numbering 36-8 to 36-14 FICON port swapping
port swapping 36-31 to 36-33 configuring (procedure) 36-33
RLIRs 36-27 to 36-28 guidelines 36-32
saving configuration changes 36-23 FICON tape acceleration
suspending a VSAN 36-19 configuration considerations 36-35
sWWNs for fabric binding 47-4 configuring 36-35
tape acceleration 36-33 to 36-37 description 36-33


ficonVsanDown tooltip 67-16 viewing performance information 7-22


FCIP flow statistics
wizard 5-34 description 8-6
field replaceable units. See FRUs FL port mode
files classes of service 20-5
compressing B-2 description 20-5
displaying contents B-1 FL ports
displaying last lines B-2 configuring 20-12
uncompressing B-2 description 20-5
file systems DPVM support 28-8
formatting 16-2 nonparticipating code 20-10
volatile: 16-2 nonparticipating codes C-2
File Transfer Protocol. See FTP persistent FC IDs 25-17
filtering SPAN sources 60-3
end port groups 5-28 See also Fx ports
switch groups 5-28 F port mode
filters classes of service 20-5
capture 66-21 description 20-5
defining displays 66-21 F ports
permitted 66-22 configuring 20-12
selective viewing 66-20 description 20-5
FIPS DPVM support 28-8
configuration guidelines 38-1 SPAN sources 60-3
self-tests 38-3 See also Fx ports
firewalls FSPF
configuring 2-14 load balancing (example) 48-5
running with Fabric Manager 2-40 frame encapsulation
firstPortNotUp tooltip 67-16 configuring 20-18
firstPortUpAsEport tooltip 67-16 frames
Flash devices configuring MTU size 52-5, 53-3
bootflash: 16-2 viewing 66-20
formatting 16-2 frequently asked questions. See FAQs
overview 16-1 FSPF
FLOGI computing link cost 32-7
description 34-1 configuring globally 32-4 to 32-6
displaying details 34-1 configuring Hello time intervals 32-7
logging facility 61-2 configuring link cost 32-6
flows configuring on interfaces 32-6 to 32-10
performance statistics 8-1 dead time intervals 32-8


default settings 32-19 FCS support 63-1


description 32-2 interface modes 20-7
disabling on interfaces 32-9 VSAN membership 26-4
disabling routing protocols 32-6 See also F ports; FL ports 20-7
displaying databases 32-10
fail-over with PortChannels 32-3
G
fault tolerant fabrics 32-2
flow statistics 8-6 to 32-19 Generation 1 switching modules
in-order delivery 32-15 to 32-19 combining with Generation 2 switching
interoperability 37-10 modules ?? to 22-28

link state record defaults 32-4 extended BB_credits 20-27

multicast root switches 32-14 port index allocations 22-24

path selection protocol D-1 QoS behavior 64-8

reconvergence times 32-2 Generation 2 switching modules

redundant links 32-3 buffer groups 22-10 to 22-22

retransmitting intervals 32-8 combining with Generation 1 switching


modules ?? to 22-28
routing services 32-1
configuring 22-28 to ??
support 2-16
configuring port speeds 22-32
topology examples 32-2 to 32-4
configuring rate modes 22-33
FSPF multicast roots
default settings 22-43
configuring switches 32-14
description 22-1 to ??
FSPF routes
dynamic bandwidth management 22-9
configuring 32-12
extended BB_credits 20-28, 22-23
description 32-12
installing in Generation 1 chassis 15-16
FSPF routing
out-of-service interfaces 22-10
multicast 32-14
port groups 22-3
FTP
port index allocations 22-24
logging facility 61-2
port rate modes 22-4
support 2-16
QoS behavior 64-8
full zone sets
recovering from powered-down state 22-25
considerations 30-4
releasing shared resources 22-41
enabling distribution 30-26
taking interfaces out of service 22-40
fWWNs
Generation 3 switching modules
configuring fcalias members 30-21
default settings 22-43
Fx ports
Gigabit Ethernet
32-port default 20-3
IPv4 example configuration 52-4
configuring 20-12
Gigabit Ethernet interface example 50-53
description 20-7
Gigabit Ethernet interfaces
FCS 63-1


configuring 52-4 to 52-10 description 7-9


configuring auto-negotiation 52-5, 53-3 Hello time intervals
configuring CDP 12-12 configuring for FSPF 32-8
configuring high availability 52-8 to 52-10 description 32-7
configuring IPv4 53-2 high availability
configuring IPv6 addresses 54-12 automatic synchronization 17-4
configuring MTU frame sizes 52-5, 53-3 compatibility with DHCHAP 45-3
configuring promiscuous mode 52-6, 53-4 description 17-1
configuring VRRP 52-9 Ethernet PortChannel 50-55
default parameters 53-6 Ethernet PortChannels 48-6
IPv4-ACL guidelines 53-6 Fibre Channel PortChannels 48-7
subinterfaces 52-6, 53-5 licensing 10-8
subnet requirements 52-6, 53-5 process restartability 17-3
viewing performance information 7-23 protection against link failures 17-1
Gigabit Ethernet subinterfaces software upgrades 15-5
configuring VLANs 53-5 supervisor module switchover mechanism 17-2
global keys switchover characteristics 17-2
assigning for RADIUS 41-8 synchronizing supervisor modules 17-3
VRRP 48-6, 50-54
VRRPVRRP-based high availability 50-54
H
historical data
hardware preserving 67-19
default settings 18-13 host control
displaying inventory 18-1 FICON 36-21
displaying temperatures 18-11 host names
overview 1-1 configuring for digital certificates 43-6
viewing list 7-10 hosts
hardware failures performance statistics 8-1
configuring actions B-3 HTTP
hard zoning port used 2-41
description 30-26 support 2-16
HA solution example 50-52 HTTP proxy servers
HBA port 50-15, 50-20 configuring 67-21
HBA ports HTTPS
configuring area FCIDs 25-19 support 2-16
HBAs hwFailure tooltip 67-16
device aliases 31-1
FC ID allocations 37-7, 66-24
Health tab


description 44-13
I
images
IBM PPRC See kickstart images; software images; system images
FICON support 36-5 Software Installation Wizard 15-8
ICMP images. See kickstart images; software images; system
IPv6 54-6 images

ICMP packets in-band access

IPv6 header format, figure 54-6 configuring 2-9

type value 42-4 IPFC 2-12

icons in-band management

Device Manager 6-4 configuring 2-9, 2-10

IDs CUP 36-37

Cisco vendor ID 41-13 Ethernet connection 2-17

contract IDs 62-33 IPFC 51-5

login IDs 2-5 IPFC connection 2-17

serial IDs 62-34, 62-35, 62-37, 62-39 logical interface 2-9

server IDs 62-35 incomAdminRxBBCreditPerBuf tooltip 67-16

site IDs 62-33 incompatibleAdminMode tooltip 67-16

IKE incompatibleAdminRxBBCredit tooltip 67-16

algorithms for authentication 44-6 incompatibleAdminRxBufferSize tooltip 67-16

default settings 43-37, 44-39 incompatibleadminSpeed tooltip 67-16

description 44-3 indirect link failures

initializing 44-13 recovering 65-1

refreshing SAs 44-20 initialization string

terminology 44-5 configuring B-1

transforms for encryption 44-6 initializing tooltip 67-16

viewing configuration (procedure) 44-11 initiators

IKE domains statically mapped iSCSI 50-35

clearing 44-20 in-order delivery

description 44-13 configuring drop latency time 32-18

IKE initiators enabling for VSANs 32-18

configuring version 44-18 enabling globally 32-18

IKE peers guidelines 32-17

configuring keepalive times 44-17 reordering network frames 32-15

IKE policies reordering PortChannel frames 32-16

configuring negotiation parameters 44-15 install all command

negotiation 44-14 failure cases 15-7

IKE tunnels Intelligent Storage Services

clearing 44-20 disabling (procedure) 55-6


disabling with force option 55-6 configuring mode 1 37-11


enabling (procedure) 55-3 default settings 37-13
Fibre Channel write acceleration 56-1 to 56-3 description 37-9
SCSI flow services 55-1 to 55-8 Inter-VSAN Routing. See IVR
SCSI flow statistics 55-1 to 55-8 Inter-VSAN Routing zones. See IVR zones
interfaceRemoved tooltip 67-16 Inter-VSAN Routing zone sets. See IVR zone sets
interfaces invalidAttachment tooltip 67-16
adding to PortChannels 23-17, 23-18 invalidConfig tooltip 67-16
assigning to VSANs 26-8 invalidFabricBindExh tooltip 67-16
configuring data field size 20-18 inventories
configuring fcalias members 30-21 managing 57-3
default settings 20-31 viewing details for switches 7-30
deleting from PortChannels 23-20 viewing details for VSANs 7-29
forced addition to PortChannels 23-19 viewing information 7-28
isolated states 23-18 viewing ISL information 7-34
nonoperational reason codes C-1 viewing module details 7-32
reason codes C-1 viewing zone information 7-36
SFP types 20-22 Inventory tab
suspended states 23-18 description 7-28
VSAN membership 26-7 IOD. See in-order delivery
interface statistics IP-ACLs
description 20-22 wizard 5-34
gathering 20-22 See also IPv4-ACLs; IPv6-ACLs
internal bootflash: IP addresses
Flash devices 16-2
internal loopback tests IP connections
description 68-6 active mode 48-25
performing 68-6 initiating 48-25
Internet Control Message Protocol. See ICMP passive mode 48-25
Internet Explorer IP domain names
Fabric Manager support 2-19 configuring for digital certificates 43-6
Internet Key Exchange. See IKE IPFC
Internet Storage Name Service. See iSNS configuration guidelines 51-5
interoperability description 51-5
configuring interop mode 1 37-11 errors caused by configuration 67-8
description 37-8 in-band access 2-12
verifying status 37-12 in-band management 2-17
VSANs 26-12 logging facility 61-2
interop modes IP filters


contents 42-2 IP storage services


restricting IP traffic 42-1 default parameters 52-10
using IP-ACL Wizard (procedure) 42-5 IP Storage services modules. See IPS modules
IP routing IPv4
enabling 2-6, 2-10 configuring Gigabit Ethernet interfaces 53-2
IPsec default settings 53-6
algorithms for authentication 44-6 description 53-1
configuring with FCIP Wizard (procedure) 48-9 transitioning to IPv6 54-15
crypto IPv4-ACLs 44-21 to 44-25 IPv4-ACLs
default settings 44-39 adding entries 42-7
description 44-2 applying to interfaces 42-10, 42-11
digital certificate support 44-7 to 44-10 configuration guidelines 42-2
enabling with FCIP Wizard (procedure) 44-10 creating complex IPv4-ACLs (procedure) 42-6
fabric setup requirements 44-4 creating with IP-ACL Wizard (procedure) 42-5
global lifetime values 44-37 crypto 44-21 to 44-25
hardware compatibility 44-4 crypto map entries 44-28
licensing requirements 44-3 example configuration 42-12
maintenance 44-37 FabricWare support D-2
prerequisites 44-3 guidelines for Gigabit Ethernet interfaces 53-6
RFC implementations 44-1 reading dump logs 42-9
terminology 44-5 removing entries 42-8
transform sets 44-25 IPv4 addresses
transforms for encryption 44-6 configuring fcalias members 30-21
unsupported features 44-4 configuring IPv4 and IPv6 protocol stacks 54-13
viewing configuration (procedure) 44-11 IPv6 protocol stacks 54-10
IP security. See IPsec IPv4 default gateways
IPS modules configuring 2-10, 12-10, 51-3
CDP support 52-10 configuring mgmt0 interfaces 20-29
core dumps B-2 description 51-3
FCIP 48-2 static routes (tip) 51-4
port modes 52-4, 53-1 IPv4 default networks
software upgrades 52-3 description 51-4
supported features 52-1 IPv6
IPS port mode address types 54-3
description 52-4 configuring addressing 54-11
IPS ports 50-8 configuring IPv4 and IPv6 addresses 54-13
modes 53-1 configuring management interfaces 51-3
multiple connections 50-53 default settings 54-15
SPAN sources 60-3 description 54-1 to 54-11


dual IPv4 and IPv6 protocol stack applications, formats 50-8


figure 54-11
ISCSI
dual IPv4 and IPv6 protocol stacks 54-10
enforcing access control 50-27
dual IPv4 and IPv6 protocol stack technique,
iSCSI
figure 54-10
access control 50-24 to 50-28
enabling routing 54-11
add initiator to zone database 50-25
enhancements over IPv4 54-1
advanced VSAN membershipadvanced VSAN
ICMP 54-6
membership 50-24
IPv6-ACL guidelines 54-14
checking for WWN conflicts 50-19
neighbor discovery 54-7
compatible drivers 50-2
path MTU discovery 54-7
configuring 50-1, 50-1 to ??, 50-4, ?? to 50-56
router advertisement messages 54-9
configuring AAA authentication 50-28, 50-29
router discovery 54-9
configuring ACLs 50-26
stateless autoconfiguration 54-9
configuring VRRP 50-54
static routes 54-13
creating virtual targets 50-10
transitioning from IPv4 54-15
default parameters 50-75
IPv6-ACLs
discovery phase 50-27
guidelines for IPv6 54-14
drivers 50-2
IPv6 addresses
enabling 50-4
configuring 54-11
error 50-15
configuring fcalias members 30-2, 30-21
Fabric Manager Client support 5-2
configuring IPv4 and IPv6 protocol stacks 54-13
Fibre Channel targets 50-7 to 50-13
formats 54-2
Gigabit Ethernet ports 52-4, 53-1
link-local type 54-4
GW flagiSCSI
multicast type 54-5
gateway device 50-16
prefix format 54-3
HA with host without multi-path software 50-51
unicast type 54-3
initiator idle timeout
IPv6 neighbor discovery
advertisement messages 54-7
configuring with Fabric Manager 50-16
description 54-7 initiator name 50-30
neighbor solicitation message, figure 54-8 initiator targets 50-7
solicitation messages 54-7 IPS module support 52-2
IPv6 routing IQNs 50-14
enabling 54-11 login redirect 50-37
IPv6 static routes LUN mapping for targets 50-62 to ??
configuring 54-13 MPS-14/2 module support 52-2
IQN multiple IPS ports 50-53
formats 50-8 PortChannel-based high availability 50-55
IQNs


PortChannel-based high availabilityEthernet VSAN membership 50-22


PortChannel-based high availability 50-55
iSCSI hosts
protocol 50-2
initiator identification 50-14
requests and responses 50-3
initiator presentation modes 50-14
restrict an initiator to a specific user name for CHAP
initiator presentation modesinitiator presentation
authentication 50-30
modes 50-14
routing 50-2
iSCSI initiators
routing modes chartrouting modes chart for
configuring static IP address mapping 50-18
iSCSI 50-34
dynamic mapping 50-17
session creation 50-27
idle timeout 50-16
session limits 50-15
making dynamic WWN mapping static 50-19
statically mapped initiators 50-35
proxy mode 50-20
tables in Fabric Manager 50-19
statically mapped (procedure) 50-18
targets in Device Manager 50-9
static mapping 50-17
transparent initiator mode 50-15
transparent mode 50-15
transparent mode initiator 50-58 to ??
WWN assignments 50-17
users with local authentication 50-30
iSCSI interfaces
using iSCSI Wizard (procedure) 50-5 to 50-7
configuring 50-14, 50-14 to ??
VSAN membership 50-22
configuring listener ports 50-32
VSAN membership example 50-23
configuring listener portsiSCSI
VSAN membership for iSCSI interfaces 50-22, 50-23
listener port 50-32
wizard 5-34
configuring QoS 50-32
zone name 50-7
configuring routing mode 50-33 to ??
iSCSI authentication
configuring routing modesiSCS
configuring 50-28, 50-43
configuring routing modesrouting modes 50-33
configuring RADIUS (procedure) 50-31
configuring TCP tuning parameters 50-32
external RADIUS servers 50-57
creating 50-5
global override 50-29
creatingiSCSI
local authentication 50-30
creating interfaces 50-5
mechanisms 50-29
SPAN sources 60-3
restricting on initiators 50-30
VSAN membership 50-23
scenarios 50-56
iSCSI LUs 50-8
setup guidelines 50-56
iSCSI protocol 50-1
iSCSI-based access control 50-26
iSCSI server load balancing 50-35
iSCSI devices
iSCSI Server Load Balancing. See iSLB
example membership in VSANs 50-23
iSCSI sessions
iscsi-gw 50-20
authenticationiSCSI
iSCSI high availability
session authenticationauthentication
configuring 50-50 to 50-56
ISCSI hosts
iSCSI session 50-28


iSCSI targets iSLB initiators 50-37


advertising 50-12 activating zones 50-42
dynamic importing 50-8 assigning WWNs 50-39
dynamic mapping 50-8 configuring 50-39 to 50-43
examples 50-12 configuring load balancing metrics 50-40
secondary access 50-52 configuring zones 50-42
static importing 50-10 dynamic initiator mapping 50-40
VSAN membership 50-40
static mapping 50-10 iSLB initiator targets
transparent failover 50-50 activating zones 50-42
iSLB configuring zones 50-42
activating zones 50-41, 50-42 description 50-41
auto-zoning 50-46 iSLB sessions
CFS support 13-2 authentication 50-43
committing configuration changescommitting authenticationiSLB
configuration changes
sessions authentication 50-43
iSLB 50-48
maximum per IPS portiSLB
configuration distribution 50-46 to ??, 50-47
maximum sessions per IPS port 50-36
configuration limits 50-36
iSLB with CFS distribution 50-36
configuration prerequisites 50-36
ISLs
configuring 50-35
graph past 24 hours performance 7-26
configuring initiators and targets 50-41
performance statistics 8-1
configuring VRRP 50-45
PortChannel links 23-2
configuring with Device Manager 50-37
statistics 58-3
configuring zones 50-41, 50-42
viewing detailed inventory information 7-34
default settings 50-76
viewing performance information 7-17
distributing configuration using CF 50-46
iSNS servers
dynamic initiator mapping 50-40
enabling 50-71
enabling configuration distribution 50-47
iSNS
initiator WWN assignment 50-35
CFS support 13-2
load balancing algorithm 50-45 to ??
client registration 50-72
maximum initiators 50-36
cloud discovery 50-73
static initiator configurationinitiator configuration
configuring 50-73
static iSLB 50-35
configuring servers 50-71 to 50-73
VSAN membership 50-40
description 50-67
zone set activation failed 50-42
ESI 50-72
iSlb iSNS cloud discovery
default settings 50-76
automatic 50-75
iSLB auto-zone feature 50-36
CFS distribution 50-75


description 50-73 interoperability 29-7


enabling 50-74 logging 29-20
initiating on-demand 50-74 modifying 29-9
iSNS profiles native VSANs 29-3
creating 50-68 paths 29-3
iSNS servers persistent FC IDs 29-19
configuration distribution 50-71 read-only zoning 29-31
configuring ESI retry count 50-72 SDV limitations 27-9
enabling 50-71 service groups B-2
example scenario 50-70 sharing resources 29-2
isolated VSANs terminology 29-3
description 26-8 transit VSAN configuration guidelines 29-14
displaying membership 26-9 transit VSANs 29-3
IVR virtual domains 29-18
activating topologies 29-16 VSAN topologies 29-6
AF IDs 29-15 wizard 5-34
auto-topology 29-6 zone communication 29-22
border switch 29-4 zones 29-3, 29-22 to ??
border switch, guidelines 29-14 zone sets 29-3
border switch configuration guidelines 29-14 Zone Wizard 29-7
border switches 29-4 IVR databases
configuring (procedure) 29-14 merge guidelines 29-31
configuring logging levels 29-20 IVR logging
configuring without auto topology 29-13 configuring levels 29-20
configuring without IVR NAT 29-13 IVR NAT
current VSANs 29-3 auto-topology 29-6
database merge guidelines 29-31 border switch, guidelines 29-10
default settings 29-34 configuration guidelines 29-10
default zone policy 29-22 description 29-5
description 29-2 load balancing 29-5
domain ID configuration guidelines 29-13 modifying (procedure) 29-11
domain ID guidelines 29-13 transit VSANs, guidelines 29-10
edge switch 29-4 IVR persistent FC IDs
edge switches 29-4 configuring 29-19
edge VSANs 29-3 persistent 29-19
Fabric Manager Client support 5-2 IVR topologies
features 29-3 CFS support 13-2
Fibre Channel header modifications 29-4 clearing manual entries 29-17
FICON support B-2 creating manually 29-15


manually activating 29-16 Java Web Start


migrating from automatic mode to user-configured checking installation 67-3
mode 29-17
clearing the cache 67-6
recovering 29-29
Fabric Manager support 2-19
IVR virtual domains
hangs on the download dialog 67-5
configuring 29-18
not detected 67-4
description 29-18
running from command line 67-5
IVR zones
setting up on *.jnlp files 67-5
activating with force option 29-26
jitter
automatic creation 29-22
configuring estimated maximum in FCIP
clearing database 29-31 profiles 48-21
configuring 29-23 to ?? JNLP
configuring LUNs 29-30 verifying settings 67-3
configuring QoS attributes 29-30 JRE
configuring with IVR Zone Wizard 29-7 Fabric Manager requirements 7-4
description 29-3, 29-21, 29-22 jumbo frames. See MTUs
differences with zones (table) 29-22
downgrading considerations 29-31
K
LUN zoning 29-30
maximum number of members 29-4 keepalive timeouts
maximum number of zones 29-4 configuring in FCIP profiles 48-19
recovering the full database 29-28 kernel core dumps
renaming 29-30 configuring B-3
IVR zone sets kickstart images
configuring 29-23 to ?? description 15-2
description 29-3, 29-21 KICKSTART variable 15-1
downgrading considerations 29-31 selecting for supervisor modules 15-2
maximum number 29-4 Konqueror
renaming 29-30 configuring for Java Web Start 67-5

J L
Java latency
execution failures 67-6 forwarding 50-33
java.lang.ArrayIndexOutOfBoundsException LEDs
errorArrayIndexOutOfBoundsException error 67-7
beacon mode states 20-19
Java RMI
speed 20-19
ports used 2-41
license key files
Java Runtime Environment. See JRE
description 10-2


installing 10-10 unsupported features B-1


obtaining 10-9 updating 10-14
updating 10-9 viewing in Device Manager 10-16
licenses viewing in Fabric Manager 10-16
backing up files B-1 viewing in Fabric Manager Web Services 10-17
claim certificate 10-2 viewing switch information 7-31
description 10-1 viewing with Fabric Manager Web Server
(procedure) 10-17
displaying information 10-16
wizard 5-34
enterprise package 10-4
line cards. See switching modules; services modules
expiry alerts 10-15
link costs
extended BB_credits 20-27, 22-23
configuring for FSPF 32-7
Fabric Manager 67-24
Fabric Manager Server 10-17
description 32-6

Fabric Manager Server package 10-6


linkFailCreditLossB2B tooltip 67-17

factory-installed 10-9
linkFailCreditLoss tooltip 67-17

feature-based 10-3
linkFailDebounceTimeout tooltip 67-17

features supported (table) 10-4


linkFailLineCardPortShutdown tooltip 67-17

grace period alerts 10-15


linkFailLinkReset tooltip 67-17

grace period expiration 10-15


linkFailLIPF8Rcvd tooltip 67-17

high availability 10-8


linkFailLIPRcvdB2B tooltip 67-17

identifying features in use 10-13


linkFailLossOfSignal tooltip 67-17

installation options 10-8


linkFailLossOfSync tooltip 67-17

installing manually 10-9


linkFailLRRcvdB2B tooltip 67-17

installing using Device Manager 10-12


linkFailNOSRcvd tooltip 67-17

installing using License Wizard 10-11


linkFailOLSRcvd tooltip 67-17

installing with License Wizard 10-11


linkFailOPNyRETB2B tooltip 67-17

key files 10-9 to 10-13


linkFailOPNyTMOB2B tooltip 67-17
linkFailPortInitFail tooltip 67-17
mainframe package 10-6
linkFailPortUnusable tooltip 67-17
module-based 10-3
linkFailRxQOverFlow tooltip 67-17
moving between switches B-1
linkFailTooManyINTR tooltip 67-17
obtaining 10-9
link failures
on-demand port activation 11-1
protection against 17-1
One-Click License Install failed 67-9
reason codes C-1
PAK 10-2
SAN extension package 10-5
recovering 65-1

Storage Services Enabler package 10-7


linkFailure tooltip 67-17

terminology 10-1
Link Incident Records. See LIRs

transferring between switches 10-16


link-local addresses

uninstalling 10-14
description 54-4


format, figure 54-4 viewing information 7-62


link redundancy viewing using Device Manager 57-4
Ethernet PortChannel aggregation 52-9 viewing using Fabric Manager Web Server 57-4
Linux 2-34 loopbackDiagFailure tooltip 67-17
Fabric Manager support 2-19 loopbackIsolation tooltip 67-17
installing Fabric Manager Web Services 7-4 loopback tests
install scripts 2-34 configuring frequency B-3
LIRs external 68-6, 68-7
description 36-27 loops
load balancing 50-35, 50-37 monitoring B-3
attributes 26-11 LUN 50-8
attributes for VSANs 26-5 trespass for storage port failover 50-53
configuring 26-11 LUN mapping 50-52
description 23-4, 26-11 iSCSI 50-62 to ??
FSPF (example) 48-5 LUNs
PortChannels 23-2 explicit access control 50-20
PortChannels (example) 48-5 IVR zoning 29-30
weighted 50-40 mapping and assignment 50-20
load metric 50-40 LUN zoning
lock the fabric 50-48 configuring 30-40
log files description 30-40
configuring 61-6 LUs 50-8
default names 61-6
description 68-3
M
sizes 61-6
logging MAC addresses
default settings 61-11 configuring secondary 37-6, 66-23
disabling 61-3 mainframe package licenses
enabling 61-3 description 10-6
message severity levels 61-3 mainframes
logical unit numbers. See LUNs FICON parameters 36-22
logins VSAN clock 36-22
failure recovery 67-6 management
SSH 41-4 role-based 5-34
Telnet 41-4 management access
logs configuring in-band 2-9 to 2-12
increasing log window size 67-10 configuring out-of-band 2-4 to 2-9
RMON 59-16 description 2-12
SNMP events 40-12 in-band 2-3


out-of-band 2-3 no squares 67-14


management interfaces orange crosses 67-14
configuring 20-29, 51-3 orange squares with mode 67-14
configuring for IPv6 51-3 purging down elements 5-27
default settings 20-31 red crosses 67-14
features 20-29 red line through switches 67-13
IP addresses 2-2 red squares 67-14
See also mgmt0 interfaces refreshing 5-27
management protocols saving 5-26
supported (table) 2-15 shows two switches when only one 67-13
map preferences tab descriptions 5-25
Automatically Save Layout default 5-32 upgrade software without losing map settings 67-19
Detach Overview Window default 5-32 viewing large 5-26
Display End Device Labels default 5-31 Visio diagrams 5-27
Display End Devices default 5-31 maps module failuresmaps
Display Unselected VSAN Members default 5-31 fan failuresmaps
Expand Loops default 5-31 power supply failures 67-13
Expand Multiple Links default 5-31 maximum retransmissions
Layout New Devices Automatically default 5-31 configuring in FCIP profiles 48-19
Open New Device Manager Each Time default 5-31 McAfee Internet Suite 6.0 Professional
Override Preferences for Non-default Layout Device Manager installation failures 67-7
default 5-31
Fabric Manager installation failures 67-7
Select Switch or Link from Table default 5-31
McData
Use Quick Layout when Switch has >=30 End Devices native interop mode 37-9
default 5-31
MD5 authentication
maps
IKE 44-7
black squares 67-14
IPsec 44-6
brown squares 67-14
VRRP 51-12
clearing license orange X 67-24
merged fabrics
clearing topologies 67-21
autoreconfigured 25-7
color definitions 67-13
merge status conflictsiSLB
default preferences 5-31
merge status conflictsCFS
freezing the layout look 67-13
merge status conflicts 50-49
green squares with mode 67-14
Message Authentication Code using AES. See
grouping end devices 5-32
AES-XCBC-MAC
highlighting 5-26
Message Digest 5. See MD5 authentication
icon descriptions 5-24
messages
light gray squares 67-14
selecting severity level 7-50
module warnings 67-13
mgmt0


out-of-band management 2-17 software upgrades 52-3


mgmt0 interfaces supported features 52-1
configuring 12-10, 20-29 MSCHAP
configuring out-of-band access 2-6 description 41-25
default settings 20-31 MTU frame sizes
features 20-29 configuring Gigabit Ethernet interfaces 52-5
local IPv4 routing 51-5 MTUs
out-of-band access 2-12 configuring frame sizes 53-3
Microsoft Challenge Handshake Authentication Protocol. configuring size
See MSCHAP
path discovery for IPv6 54-7
minimum retransmit timeouts
multicast addresses
configuring in FCIP profiles 48-19
IPv6 alternative to broadcast addresses 54-6
modems IPv6 format, figure 54-5
configuring settings B-1
IPv6 solicited-node format, figure 54-6
module configurations multicast root switches
preserving B-2
configuring 32-14
purging B-2
description 32-14
saving to NVRAM 19-7
multi-path software example 50-51
modules multiple fabrics 57-3
configuring message logging 61-5
managing 67-24
connecting to B-2
multiple VSANs
displaying temperatures 18-11
configuring 51-7
preserving the configuration 19-7
Multiprotocol Services modules. See MPS-14/2 modules
replacing 15-17
mutual CHAP authentication
resetting 19-5
configuring for iSCSI 50-30
state descriptions 19-4
configuring for iSLB 50-43
temperature monitoring 18-11
configuring for iSLBI 50-43
verifying status 12-2, 19-3
module tests
configuring B-3 N
monitoring traffic
name servers
SPAN 60-6
displaying database entries 34-3
Mozilla
interoperability 37-10
configuring for Java Web Start 67-5
LUN information 35-1
MPS-14/2 modules 50-1, 50-2, 50-3, 50-5, 50-20, 50-27
proxy feature 34-2
CDP support 52-10
registering proxies 34-2
configuring extended BB_credits 20-27
rejecting duplicate pWWNs 34-3
FCIP 48-2
NAT. See IVR NAT
port modes 52-4, 53-1
native VSANs


description 29-3 N-Port identifier virtualization. See NPIV


Network Address Translation. See IVR NAT N ports
network administrator roles hard zoning 30-26
FabricWare D-2 zone enforcement 30-26
network administrators zone membership 30-2
additional roles 41-3 See also Nx ports
permissions 41-3 NL ports
network monitoring See also Nx ports
device discovery 57-1 NP-ports 21-3
mapping topologies 57-2 NPV
network operator roles wizard 5-34
FabricWare D-2 NPV, configuring 21-7
network operators NPV mode 21-3
permissions 41-3 ntop freeware
Network Time Protocol. See NTP batch files 9-5
NICs modifying launch scripts 9-5
manually specifying for Device Manager 67-21 NTP
manually specifying for Fabric Manager Client 67-21 CFS support 13-2
manually specifying for Fabric Manager Server 67-20 configuration guidelines 12-5
NL ports configuring 12-4 to 12-10
hard zoning 30-26 configuring CFS distribution 12-8
interface modes 20-7 configuring with CFS 12-8
zone enforcement 30-26 logging facility 61-2
node world wide names. See nWWNs time-stamp option 48-25
nondisruptive upgrades NTP peers
methods 15-5 deleting 12-7
None authentication 50-28 editing 12-6
nonparticipating codes NTP servers
description 20-10 configuring 2-7
nonParticipating tooltip 67-17 deleting 12-7
nonvolatile storage editing 12-6
bootflash: 16-2 nWWNs
notifications DPVM 28-1
adding forwards 7-49 Nx ports
conditions for sending 7-59 FCS support 63-1
removing forwards 7-50 See also N ports; NL ports
NPIV
configuring B-2
NP links 21-3


Generation 2 switching modules 22-34


O
ratios 22-34
offline tooltip 67-17
OHMS
configuring B-3
P
description 68-6 PAA
ohmsExtLBTest tooltip 67-17 description 66-2
On-Demand Port activation license troubleshooting tools 66-2
acquiring for ports 11-6 PAA-2s
checking status of licenses 11-4 Cisco Traffic Analyzer 9-3
configuring 11-4 to ?? description 9-2
description 11-1 PAAs
making ports eligible 11-5 compared with PAA-2s 9-3
port licensing 11-2 packets
port naming conventions 11-2 discarding in FCIP 48-25
Online Certificate Status Protocol. See OCSP parentDown tooltip 67-18
Online Health Management System. See OHMS pass-thru routing mode 50-33, 50-34
Opera passwords
configuring for Java Web Start 67-5 administrator 2-2
operational states assigning using Fabric Manager 5-34
configuring on Fibre Channel interfaces 20-12 DHCHAP 45-7, 45-8
description 20-8 recovering 7-45
OCSP setting administrator default 2-9
support 43-5 path MTUs. See PMTUs
other tooltip 67-17 pcAnyWhere
out-of-band access replacing with DirectX 67-6
mgmt0 interfaces 2-12 stopping 67-6
out-of-band management PDU 50-33
configuring 2-4, 2-10 peerFCIPPortClosedConnection tooltip 67-18
Ethernet connection 2-17 peerFCIPPortResetConnection tooltip 67-18
out-of-service interfaces performance
description 22-10 configuring collections 7-56
overlay VSANs customizing reports 7-37
configuring 51-6 custom monitoring 7-26
description 51-6 data 8-3
oversubscription event triggers 8-2
diagnosing with Device Manager 66-14 graphs 58-6
disabling restrictions 22-35 historical monitoring 58-4
enabling restrictions 22-37 host-optimized port groups 58-6


ISL statistics (procedure) 58-3 viewing graphs 58-6


monitoring 8-1 viewing host-optimized port group performance 58-6
monitoring in Device Manager (procedure) 58-1 viewing summary reports 58-6
per-port monitoring (procedure) 58-2 viewing tables 58-6
real-time monitoring 58-1 Performance tab
summary reports 58-6 description 7-13
tables 58-6 persistent domain ID
using thresholds 8-2, 58-4 FICON VSANs 47-3
viewing future predictions 7-25 persistent FC IDs
viewing summaries 7-14 configuring 25-17
performance buffers description 25-17, 29-19
configuring 20-27 enabling 25-17
description 20-26 purging 25-21
performance collections Ping Tool
adding 7-56 troubleshooting tools 66-7
configuring thresholds 7-59 PKI
removing 7-57 enrollment support 43-4
Performance Manager PLOGI
architecture 8-1 name server 34-3
authentication 4-4 PMTUs
configuring data collection 8-3 configuring in FCIP profiles 48-20
configuring flows 8-3 polling periods
configuring with Traffic Analyzer 58-9 changing 3-7
creating collections 58-4 port addresses
creating flows 58-4 FICON 36-11
data collection 8-2 Port Analyzer Adapters. See PAAs
data interpolation 8-2 Port Analyzer Adapters 2. See PAA-2s
description 2-15 portBindFailure tooltip 67-18
shows as disabled service 67-6 portBlocked tooltip 67-18
thresholds 58-4 PortChannel
using thresholds 8-2 interfaces 50-12
verifying collections 3-3 subinterfaces 50-12
viewing reports 58-5 portChannelMembersDown tooltip 67-18
wizard for configuring 58-5 PortChannel modes
Performance Manager reports description 23-6
exporting as CSV 58-8 PortChannel Protocol
exporting as XML 58-7 autocreation 23-22
generating top 10 58-7 configuring autocreation 23-23
viewing events 58-6


converting autocreated groups to manually member combinations 52-9


configured 23-23
misconfiguration error detection 23-11
creating channel group 23-21
redundancy 48-7
description 23-20
reserving ports for FICON 36-13
enabling autocreation 23-23
SPAN sources 60-3
PortChannels
verifying configurations 23-24
adding interfaces 23-17, 23-18
wizard 5-34
administratively down 20-10
portFabricBindFailure tooltip 67-18
comparison with trunking 23-3
portGracefulShutdown tooltip 67-18
compatibility checks 23-17
port groups
compatibility with DHCHAP 45-3
assigning extended BB_credits 20-27
configuration guidelines 23-10
description 22-3
configuring 23-9 to ??
Generation 2 Fibre Channel switching modules 22-3
configuring for FCIP high availability 48-5
Generation 3 Fibre Channel switching modules 22-7
configuring using Device Manager 6-7
host-optimized performance 58-6
creating 23-16
port indexes
creation dialog box too small 67-8
description 22-24
default settings 23-25
port modes
deleting 23-16
auto 20-7
deleting interfaces 23-20
description 20-3 to 20-7
description 23-1
IPS 52-4, 53-1
down states C-2
port rate limiting
examples 23-2
configuring 64-11
FICON support 36-5
default 64-12
forcing interface additions 23-19
description 64-11
Generation 2 switching module interfaces 22-26
hardware restrictions 64-11
high availability 17-1
port rate modes
incompatible modes C-2
configuring 22-33
incompatible remote switch C-2
dedicated 22-6
incompatible speeds C-2
description 22-4
in-order guarantee 32-16
oversubscribed 22-7
interface states 23-18
shared 22-7
interoperability 37-10
See also rate modes
IQN formats 50-8
ports
link changes 32-16
aggregation 17-1
link failures 32-3
disabling using Device Manager 6-7
load balancing 23-4
enabling using Device Manager 6-7
load balancing (example) 48-5
on-demand port activation licensing 11-1
logging facility 61-2
virtual E 48-2


VSAN membership 26-7 copying active to config (procedure) 46-11


Port Security deleting 46-22
wizard 5-34 interactions 46-20
port security manual configuration guidelines 46-4
activating 46-9 merge guidelines 46-20
activation 46-3 reactivating 46-11
activation rejection 46-10 scenarios 46-21
auto-learning 46-2 port speeds
CFS support 13-2 configuring 20-12
cleaning up databases 46-23 configuring on Generation 2 switching module
interfaces 22-32
compatibility with DHCHAP 45-3
port swapping. See FICON port swapping
configuration guidelines 46-3
configuring CFS distribution 46-17 to 46-20
port tracking
deactivating 46-9
default settings 65-6
default settings 46-23
description 65-1
deleting entries from database (procedure) 46-17
enabling 65-3
disabling 46-8
guidelines 65-2
displaying settings (procedure) 46-12
monitoring ports in a VSAN 65-6
displaying statistics (procedure) 46-12
multiple ports 65-5
enabling 46-8
shutting down ports forcefully 65-6
enforcement mechanisms 46-2
portVsanMismatchIsolation tooltip 67-18
fabric binding comparison 47-1
port world wide names. See pWWNs
forcing activation 46-10
power cycling
license requirement 46-2
modules 19-6
manual configuration guidelines 46-4
powering off
preventing unauthorized accesses 46-1
switching modules 19-8
unauthorized accesses prevented 46-1
power supplies
configuration guidelines 18-5 to 18-7
WWN identification 46-16
configuring modes 18-4
port security auto-learning
configuring power attributes 18-5
description 46-2
default state 18-13
device authorization 46-14
displaying configuration 18-5
disabling 46-13
power usage
distributing configuration 46-19
displaying 18-3
enabling 46-13
guidelines for configuring with CFS 46-3
preferences
Confirm Deletion default 5-31
port security databases default 5-30
cleaning up 46-23
Device Manager 6-8
copying 46-22
Export Tables with Format default 5-31


Fabric Manager Clients 5-30 Public Key Infrastructure. See PKI


Show CFS Warnings default 5-31 pWWNs
Show Device Name by default 5-30 configuring fcalias members 30-21
Show End Device Using default 5-30 converting dynamic to static 50-19
Show Shortened iSCSI Names default 5-30 DPVM 28-1
Show Timestamps as Date/Time default 5-30 rejecting duplicates 34-3
Show WorldWideName (WWN) Vendor default 5-30 zone membership 30-2
Telnet Path default 5-30
Use Secure Shell instead of Telnet default 5-31
Q
preshared keys
RADIUS 41-8 QoS
TACACS+ 41-15 class maps 64-6
principal switches comparison with VSANs 64-5
assigning domain ID 25-10 control traffic support 64-3
processes creating class maps 64-7
nondisruptive restarts 17-1 data traffic support 64-4 to 64-10
restartability 17-3 default settings 64-12
product IDs description 64-1
displaying 18-1 DSCP value 48-28
promiscuous mode DWRR queues 64-8
configuring Gigabit Ethernet interfaces 52-6, 53-4 enabling control traffic 64-3
protocol 50-1 example data traffic configuration 64-10
Protocol Analyzer logging facilities 61-2
description 66-2 port rate limiting 64-11
troubleshooting tools 66-2 service policies 64-8
using for troubleshooting 66-3 wizard 5-34
protocols QoS values
analyzing 66-17 configuring 50-32
VRRP 50-8
proxies
registering for name servers 34-2
R
proxy initiator R_A_TOV
configuringiSCSI default setting 66-25
configuring proxy initiator 50-21 modifying 66-15
proxy initiator mode 50-14, 50-25 RADIUS 50-57
configuring 50-20 AAA authentication 50-28, 50-43
zoning 50-22 AAA protocols 41-1
proxy initiator modeiSCSI CFS merge guidelines 41-24
proxy initiator mode 50-20


CFS support 13-2 recovering passwords 39-20


clearing configuration distribution sessions 41-24 recovery
configuring an iSCSI RADIUS serveriSCSI from powered-down state 22-25
configuring a RADIUS server 50-31 passwords 7-45
configuring Cisco ACS 41-26 to 41-30 Red Hat Linux
configuring test idle timer 41-11 Fabric Manager Server 3-1
configuring test user name 41-11 redundancy
default settings 41-31 Ethernet PortChannels 48-6, 48-7
description 41-7 Fibre Channel PortChannels 48-7
discarding configuration distribution changes 41-23 VRRP 48-6
enabling configuration distribution 41-22 VSANs 26-4
FabricWare support D-2 redundancy states
setting preshared keys 41-8 value descriptions 17-4
specifying server at user login 41-12 redundant physical links
specifying time-out 41-9 example (figure) 32-3
starting a distribution session 41-22 Registered Link Incident Reports. See RLIRs
rate limiting Registered State Change Notifications. See RSCNs
default settings 64-12 reloading
rate modes switches 19-6
configuring on Generation 2 switching module remote AAA server
interfaces 22-33
delayed authentication 4-2
See also port rate modes Remote Capture Protocol. See RPCAP
rcfInProgres tooltip 67-18
remote file systems
RCFs accessing B-2
description 25-3
remote SPAN
incoming 25-6
configuring B-2
rejecting incoming 25-7
Resource Allocation Time Out Value. See R_A_TOV
read-only zones
Resource Manager Essentials. See RME
configuration guidelines 30-41
resources
configuring 30-42
management 2-17
default settings 30-48
retransmitting intervals
description 30-41
configuring for FSPF 32-9
reason codes
description 32-8
description 20-8
RLIRs
description (table) C-1
description 36-27
receive buffer groups. See buffer groups displaying information (procedure) 36-27
receive data field sizes RME
configuring 20-18
support 1-6
reconfigure fabric frames. See RCFs RMON


alarms 59-1 description 43-2


configuring using Threshold Manager 59-1 exporting 43-5, 43-14
default settings 59-16 generating 43-6
defining an event (procedure) 59-14 importing 43-5, 43-14
description 59-1 multiple 43-4
enabling alarms 59-2 rsa key pairs
enabling alarms (procedure) 59-9, 59-13 generating 39-16
events 59-1 RSCNs 50-16
setting alarms (procedure) 59-3, 59-4, 59-6 clearing statistics 34-7
viewing alarms (procedure) 59-15 default settings 34-8
viewing logs (procedure) 59-16 description 34-5
role-based management displaying information 34-5
controlling access 5-34 logging facility 61-2
roles multiple port IDs 34-6
adding web services roles 7-54 RSCN timers
CFS support 13-2 CFS support 13-2
default permissions 41-3 RSPAN
deleting (procedure) 39-3 configuring B-2
privileges 5-34 running configuration files
removing web services roles 7-55 saving to startup configuration file 16-8
user profiles 41-3 runtime checks
round-trip response time static routes 32-12
monitoring 9-3
route costs
S
computing 32-6
router discovery SACKs
IPv6 54-9 configuring in FCIP profiles 48-20
routing SAN extension package licenses
multicast 32-14 description 10-5
See also broadcast routing SAN extension tuner
See also IP routing configuring 49-2, B-2
RPCAP data patterns 49-3
Ethereal communication 66-18 default settings 49-7
RRD description 49-1
configuring database 7-60 license requirements 49-3
rsa1 key pairs tuning guidelines 49-2
generating 39-16 SAN operating system. See Cisco MDS SAN-OS
RSA key-pairs SAs
deleting 43-16 establishing between IPsec peers 44-28


lifetime negotiations 44-30 SCSI LUNs


refreshing 44-20 customized discovery 35-2
setting lifetime 44-31 discovering targets 35-1
scalability displaying information 35-3
VSANs 26-4 starting discoveries 35-2
schedulers. See command schedulers SCSI sessions
SCP monitoring status 9-3
support 2-16 SCSI traffic
scripts analysis 66-2
FMServer.sh 2-34 analyzing at LUN level 66-2
SCSI SD port mode
displaying LUN discovery results 35-3 description 20-6
monitoring frame counts 9-3 interface modes 20-6
monitoring I/Os per second 9-3 SD ports
monitoring read throughput 9-3 bidirectional traffic 60-12
monitoring traffic throughput 9-3 characteristics 60-5
routing requests 50-2 Cisco Traffic Analyzer 9-4
traffic reports 66-3 configuring 20-12
SCSI flow configuration clients configuring for SPAN monitoring 60-6
description 55-3 monitoring bidirectional traffic 60-12
SCSI flow data path support SDV
description 55-3 IVR limitations 27-9
SCSI flow managers secondary MAC addresses
description 55-2 configuring 37-6
SCSI flow services Secure Hash Algorithm. See SHA-1
CFS support 13-2 Secure Shell Protocol
configuring 55-3 to ??, 55-3 to 55-6 See SSH
configuring (procedure) 55-4 Secure Shell Protocol. See SSH
default settings 55-8 security
description 55-1 accounting 41-3
functional architecture (figure) 55-2 managing on the switch 41-1
SCSI flow configuration clients 55-3 security associations. See SAs
SCSI flow data path support 55-3 security control
SCSI flow managers 55-2 local 41-2
SCSI flow statistics remote 41-2, 41-14
clearing (procedure) 55-8 remote AAA servers 41-7
default settings 55-8 security parameter index. See SPI
description 55-6 selective acknowledgments. See SACKs
enabling 55-7 sensors


temperature monitoring 18-11 oversubscription 22-34


serial console ports shell scripts
accessing switches 2-12 $HOME/.cisco_mds9000/bin directory 67-4
serial IDs DeviceManager.sh 67-4
description 62-34 FabricManager.sh 67-4
serial numbers for uninstalling Fabric Manager 2-44
displaying 18-1, 18-3 shortcuts
server groups not visible on desktops 67-4
configuring 41-20 site IDs
service policies description 62-33
defining 64-8 small computer system interface. See SCSI
enforcement 64-8 SMTP
services assigning contact names 62-7
restarting 7-45 server address 62-14
starting 7-45 SNMP
stopping 7-45 access control 40-2
services modules access groups 40-3
description 19-3 adding communities 40-7
managing 19-1 assigning contact 40-2
power cycling 19-6 assigning location 40-2
replacing 15-17 configuring event security 40-11
resetting 19-5 configuring event security (procedure) 40-11
state descriptions 19-4 configuring notification target users 40-11
verifying status 19-3 creating users 40-4
setup command default settings 40-12
using 2-12 deleting communities 40-7
SFPs deleting community strings (procedure) 40-7
displaying transmitter types 20-22 enabling access 2-7
not present reason codes C-1 enabling SNMP notifications 40-9
transmitter types 20-21 encryption-based privacy 40-4
SFTP FICON control 36-22
support 2-16 group-based access 40-3
SHA-1 modifying users 40-4
IKE 44-7 port used 2-41
IPsec 44-6 proxy services 2-14
shared rate mode read-only access 40-7
description 22-7 read-write access 40-7
migrating from dedicated rate mode 22-29, 22-30 security features 41-2
migrating to dedicated rate mode 22-29, 22-30 server contact name 62-5


users with multiple roles (procedure) 40-6 restricting switch access 40-3
user synchronization with CLI 40-3 security features 40-2
Version 3 security features 40-1, 40-2 specifying cisco-av-pair 41-13
versions supported 40-1 support 2-16
viewing event log 40-12 See also SNMP 40-2
See also SNMPv1; SNMPv2c; SNMPv3 software configuration
SNMP_TRAP overview 1-6 to 1-8
port used 2-41 software images
SNMP community strings default settings 15-17
configuring 2-10 selecting for supervisor modules 15-2
SNMP manager space requirements 15-4
FCS 63-2 synchronizing 17-4
SNMP preferences upgrade prerequisites 15-3 to 15-5
Enable Audible Alert when Event Received upgrading SAN-OS images 15-1
default 5-31
variables 15-1
Retry request 1 time(s) after 5 sec timeout software installation
default 5-31
Software Installation Wizard 15-8
Trace SNMP packets in Log default 5-31
software upgrades
SNMPv1
disruptive 15-5
community strings 40-2
mechanisms 15-5
description 40-2
nondisruptive 17-1
FabricWare support D-2
Software Installation Wizard 15-8
support 2-16
soft zoning
See also SNMP
description 30-26
SNMPv2
See also zoning
community strings 40-2
Solaris 2-34
FabricWare support D-2
Fabric Manager Server 3-1
SNMPv2c
installing Fabric Manager Web Services 7-4
configuring notifications 40-8
install scripts 2-34
description 40-2
source IDs
support 2-16
Call Home event format 62-34
See also SNMP
exchange based 23-5
SNMPv3
flow based 23-4
assigning multiple roles 40-6
in-order delivery 32-15
CLI user managementSNMPv3
path selection 26-11
AAA integration 40-2
SPAN
configuring notifications 40-9
configuration guidelines 60-6
description 40-2
configuring 60-6 to 60-10
enforcing message encryption 40-5
configuring Fibre Channel analyzers 60-11


configuring on switch ports 9-4 srcPortNotBound tooltip 67-18


conversion behavior 60-9 SSH
default settings 60-13 default service 39-18
description 60-1 enabling 2-7, 2-10
egress sources 60-2 FabricWare support D-2
Fibre Channel analyzers 60-10 host key pair 39-16
filters 60-5 logins 41-4
monitoring traffic 9-1, 60-1 port used 2-41
SD ports 60-5 support 2-16
sessions 60-5 SSH key pair
sources 60-4 overwriting 39-18
sources for monitoring 60-2 SSH sessions
VSAN sources 60-4 message logging 61-3
SPAN destination port mode. See SD port mode SSI boot images
SPAN filters configuring B-2
description 60-5 SSL certificates
guidelines 60-5 using with Fabric Manager Web Services 7-5
SPAN ports SSMs
viewing detailed traffic information 7-24 default settings 19-13
SPAN sessions disabling Intelligent Storage Services
(procedure) 55-6
deleting using Device Manager 60-9
description 60-5
enabling Intelligent Storage Services
(procedure) 55-3
VSAN filters 60-5
Fibre Channel write acceleration 56-1 to 56-3
SPAN sources
managing 19-13, B-2
editing with Device Manager 60-8
provisioning Intelligent Storage Services
egress 60-2 (procedure) 55-3
ingress 60-2 replacing considerations 19-13
interface types 60-3 SCSI flow services 55-1 to 55-8
IPS ports 60-3 SCSI flow statistics 55-1 to 55-8
VSANs configuration guidelines 60-4 standby supervisor modules
SPAN traffic boot alert 15-16
real-time analysis 66-2 boot variable version 15-15
SPAN tunnel port mode. See ST port mode copying image to B-2
special frames managing bootflash: 15-16
enabling for FCIP 48-24 monitoring 17-2
SPF synchronizing 17-4
computational hold times 32-4 startup configuration files
SPI saving running configuration file 16-8
configuring virtual routers 51-12 unlocking B-2


statically imported iSCSI targets 50-52 Fabric Manager support 2-19


static iSLB initiator Supervisor-1 modules
converting 50-40 migrating from Supervisor-2 modules (note) 15-15
static mapped iSCSI targetiSCSI selecting software images 15-2
static mapped target 50-27 Supervisor-2 modules
static mapping 50-39 description 1-2
static routes Generation 1 chassis 15-16
configuring 2-6 migrating from Supervisor-1 modules 15-15 to ??
runtime checks 32-12 select software images 15-2
static WWN mapping 50-25 USB ports 1-2
statistics supervisor modules
SCSI I/O 9-3 active state 19-5
supervisor modules 19-4 capturing local traffic 66-18
storage devices default settings 19-13
access control 30-1 description 1-2, 19-1
performance statistics 8-1 high availability 17-1
permanent 16-2 managing standby bootflash: 15-16
temporary 16-2 manual switchovers 17-2
Storage Services Enabler package licenses migrating to Supervisor-2 modules 15-15 to ??
description 10-7 redundancy 17-1
storage traffic replacing 15-15, 15-17
viewing performance information 7-22 replacing considerations 19-13
store-and-forward routing mode 50-33, 50-34 resetting 19-5
ST port mode standby boot alert 15-16
description 20-6 standby state 17-4, 19-5
interface modes 20-6 standby supervisor boot variable version 15-15
limitations 20-6 state descriptions 17-4, 19-4
ST ports statistics 19-4
interface modes 20-6 switchover mechanisms 17-2
subnet masks switchovers after failures 17-1
configuring mgmt0 interfaces 20-29 synchronizing 17-3
configuring switches 2-2 upgrading a dual supervisor switch B-1
default setting 19-13 verifying status 19-3
initial configuration 2-6, 2-10 viewing using Device Manager 6-7
subnets See also Supervisor 1 modules; Supervisor 2 modules
requirements 52-6, 53-5 suspendedByMode tooltip 67-18
summary reports suspendedBySpeed tooltip 67-18
description 7-1 suspendedByWWN tooltip 67-18
Sun JRE swFailure tooltip 67-18


Switched Port Analyzer. See SPAN switch port interfaces


switches configuring default 2-11
accessing 2-12 switch ports
comparing configurations 66-4 configuring attribute default values 20-21
displaying power usage 18-3 configuring trunk modes 2-11
displaying serial numbers 18-3 switch priorities
initial setup 2-2 configuring 25-5
internal states 17-4 default 25-5
reloading 19-6 description 25-5
starting 2-1 switch security
starting up B-1 default settings 39-24, 41-30
status of device health 66-3 sWWNs
upgrading with dual supervisors B-1 configuring for fabric binding 47-3
viewing license information 7-31 syslog
switching modules CFS support 13-2
description 19-3 port used 2-41
managing 19-1 viewing information 7-11
power cycling 19-6 viewing registration information 7-48
powering off 19-8 viewing with Events tab 7-9
preserving configuration 19-8 syslog servers
replacing 15-17 verifying using Fabric Manager Web Services 61-10
resetting 19-5 system health
state descriptions 19-4 default settings 68-7
verifying status 19-3 initiating B-3
viewing using Device Manager 6-7 system images
switch management description 15-2
architecture 2-16 selecting for supervisor modules 15-2
in-band 2-17, 51-5 SYSTEM variable 15-1
out-of-band 2-17 system messages
switch names configuring log files 61-6
assigning 12-1 configuring logging 61-3
switchover mechanism configuring logging servers 61-7
warm state 19-5 default settings 61-11
switchovers monitoring 61-1
characteristics 17-2 severity levels 61-3
guidelines 17-3 viewing 7-11
initiating manually 17-2 viewing from Device Manager 61-11
supervisor modules 17-1 viewing from Fabric Manager Web Server 61-11
VRRP 48-6 viewing using Device Manager 57-4


viewing using Fabric Manager Web Server 57-4 IPv4-ACLs 42-3


viewing with Events tab 7-9 TCP tuning parameters 50-32
system processes Telnet
displaying 68-1 default service 39-15
enabling 2-7, 2-10
logins 41-4
T
port used 2-41
tables support 2-16
filtering 7-3 Telnet server connections
navigating 7-3 description 12-11
searching for information 7-3 disabling 12-11
TACACS+ Telnet sessions
AAA authentication 50-43 message logging 61-3
AAA protocols 41-1 temperatures
CFS merge guidelines 41-24 displaying 18-11
CFS support 13-2 major thresholds 18-11
clearing configuration distribution sessions 41-24 minor thresholds 18-11
configuring Cisco ACS 41-26 to 41-30 monitoring hardware 18-11
default settings 41-31 templates
description 41-14 creating for custom reports 7-37
discarding configuration distribution changes 41-23 modifying custom report templates 7-41
displaying server statistics 41-18 TE port mode
enabling configuration distribution 41-22 classes of service 20-6
global keys 41-15 description 20-6
setting default server encryption 41-15 TE ports
setting default server timeout 41-15 fabric binding checking 47-2
setting preshared key 41-15 FCS support 63-1, 63-2
specifying server at login 41-18 FSPF topologies 32-2
starting a distribution session 41-22 interoperability 37-10
validating 41-17 recovering from link isolations 30-28
tape acceleration SPAN sources 60-3
FICON 36-33 to 36-37 trunking restrictions 24-3
target discovery 50-72 terminals
TCP connections configuring settings B-1
FCIP profiles 48-4 TF port mode
specifying number 48-25 classes of service 20-6
TCP parameters description 20-6
configuring in FCIP profiles 48-19 to ?? TFTP
TCP ports port used 2-41


support 2-16 topology maps


Threshold Manager custom 57-2
configuring RMON 59-1 description 57-2
thresholds enclosures 57-3
baselines for performance 8-2 saving custom layouts (procedure) 57-2
time tovMismatch tooltip 67-18
configuring 12-3 TOVs
time delays configuring across all VSANs 37-2
setting B-2 configuring for a VSAN 37-3
timeouts default settings 37-13, 66-25
configuring with Fabric Manager 66-15 interoperability 37-9
time out values. See TOVs ranges 37-2, 66-14
timers traceroute
configuring 66-15 description 66-7
timer values troubleshooting connectivity 66-7
modifying 66-14 tracked ports
timestamps binding operationally 65-3
FICON host control 36-22 traffic
time zones local captures 66-19
configuring 12-3 managing using Cisco Traffic Analyzer 9-2
TL port mode monitoring using Cisco Traffic Analyzer 9-2
classes of service 20-5 remote captures 66-18, 66-19
description 20-5 text-based captures 66-18
TL ports viewing captured frames 66-20
ALPA caches 20-25 Traffic Analyzer. See Cisco Traffic Analyzer
configuring 20-12, 20-24 traffic isolation
description 20-23 VSANs 26-4
FCS 63-1, 63-2 transform sets
FCS support 63-1, 63-2 description 44-25
logging facility 61-2 transient failure 50-16
SPAN sources 60-3 transit VSANs
tools configuration guidelines 29-10
software configuration 1-5 description 29-3, 29-16
tooManyInvalidFLOGIs tooltip 67-18 IVR configuration guidelines 29-14
topologies translative loop port mode. See TL port mode
clearing maps 67-21 transparent initiator mode 50-14
mapping 57-2 transparent initiator modeiSCSI
topology map transparent initiator mode 50-20
mapping multiple fabrics 57-3 traps


viewing registration information 7-48 default settings 24-11, 24-12


Triple DES. See 3DES encryption default state 24-6
troubleshooting description 24-6
analyzing switch health 66-3 detecting port isolation 24-4
analyzing zone merges 66-8 disabling 24-7
CTC 48-17 enabling 24-7
Fabric Manager tools 5-35 trunk mode
locating other switches 66-13 configuring 24-7, 24-8
monitoring oversubscription 66-14 default settings 24-11
show tech command 66-9 status 24-7
testing end-to-end connectivity 66-5 trunkNotFullyActive tooltip 67-18
tools 66-1 trust points
using Fabric Configuration tool (procedure) 66-4 creating 43-8
using Ping Tool 66-7 description 43-2
using traceroute (procedure) 66-7 multiple 43-3
with Cisco Traffic Analyzer 66-2 saving configuration across reboots 43-14
with Protocol Analyzer 66-3
troubleshooting reports
U
Cisco Traffic Analyzer 66-2
trunk-allowed VSAN lists UDP ports
description 24-9 to 24-11 IPv4-ACLs 42-3
trunking UDP traffic
comparison with PortChannels 23-3 blocking 2-14
configuration guidelines 24-4 unique area FC IDs
configuring modes 24-7 configuring 25-19
configuring using Device Manager 6-7 description 25-19
default settings 24-11 UNIX
description 24-1 install scripts 2-34
interoperability 37-9 launching Fabric Manager Web Services 7-7
link state 24-7 UNIX issues
merging traffic 24-4 parent menus disappear 67-12
restrictions 24-3 too many open files error 67-12
trunking E port mode. See TE port mode web browser cannot find web server 67-12
trunking F port mode. See TF port mode upgradeInProgress tooltip 67-18
trunking mode upgrades. See disruptive upgrades; nondisruptive
FCIP interface 48-4 upgrades; software upgrades

trunking ports upgrading

associated with VSANs 26-8 switches B-1

trunking protocol user accounts


creating additional at setup 2-5 virtual SANs. See VSANs


User-based roles Visio diagrams
FabricWare support D-2 saving maps as 5-27
user IDs VLANs
authentication 41-3 configuring on Gigabit Ethernet subinterfaces 53-5
user profiles description 52-6, 53-4
role information 41-3 volatile:
users description 16-2
adding 7-53 VR IDs
CFS support 13-2 description 51-9
default 2-3 mapping 51-9
deleting (procedure) 39-15 VRRP 50-35
removing 7-54 algorithm for selecting Gigabit Ethernet
interfaces 50-45 to ??
SNMP support 40-4
backup switches 51-9
configuring advertisement time intervals 51-11
V configuring for Gigabit Ethernet interfaces 52-9
configuring for iSLB 50-45
vendor-specific attributes. See VSAs
configuring virtual routers 51-10
VE ports
default settings 51-13
description 48-2
description 51-9, 52-8
FCIP 48-2
group members 52-8
virtual E ports. See VE ports
initiating virtual routers 51-11
virtual Fibre Channel host 50-3
IQN formats 50-8
virtual ISLs
iSCSI parameter change impact 50-45
description 48-2
iSLB 50-43 to ??
Virtual LANs. See VLANs
logging facility 61-2
virtual LANs. See VLANs
master switches 51-9
virtual router IDs. See VR IDs
MD5 authentication 51-12
Virtual Router Redundancy Protocol. See VRRP
primary IP address 51-11
Virtual Router Redundancy Protocolprotocols
priority preemption 51-11
Virtual Router Redundancy 50-35
security authentication 51-12
virtual routers
setting priorities 51-11
adding 51-10
setting priority 51-11
adding primary IP addresses 51-11
simple text authentication 51-12
authentication 51-12
VRRP group 50-23
default settings 51-13
VRRPI f iSCSI login redirect 50-37
deleting 51-10
VSAN IDs
initiating 51-11
allowed list 24-11
setting priorities 51-11


description 26-5 features 26-1


multiplexing traffic 20-6 FICON-enabled 26-12
range 26-4 flow statistics 8-6
VSAN membership 26-4 FSPF connectivity 32-2
vsanInactive tooltip 67-18 gateway switches 51-4
VSAN interfaces interop mode 37-10
configuring 20-30 IP routing 42-1
creating 20-30 IPv4 static routing 51-6
description 20-30 iSLB 50-40
VSAN membership iSLB initiators 50-40
iSCSI hosts 50-22 isolated 26-8
iSCSI hostsiSCSI load balancing 26-11
VSAN membership for hosts 50-22 load balancing attributes 26-5
iSCSI interfaces 50-23 mismatches 20-10, C-2
vsanMismatchIsolation tooltip 67-18 multiple zones 30-4
VSANs names 26-5
advantages 26-3 name server 34-2
allowed-active 24-4 operational states 26-9
allowed list 60-4 overlaid routes 51-6
broadcast addresses 32-14 port membership 26-7
clocks 36-22 port tracking 65-6
comparison with QoS 64-5 Rules and features 39-4
comparison with zones (table) 26-4 SPAN filters 60-5
compatibility with DHCHAP 45-3 SPAN source 60-4
configuring 26-6 to ?? SPAN sources 60-4
configuring allowed-active lists 24-11 states 26-5
configuring FSPF 32-4 suspending for FICON 36-19
configuring multiple IPv4 subnets 51-7 TE port mode 20-6
configuring trunk-allowed lists 24-9 to 24-11 TF port mode 20-6
default settings 26-12 timer configuration 37-3
default VSANs 26-8 traffic isolation 26-3
deleting 26-9 traffic routing between 51-1
description 26-1 to 26-4 transit 29-16
domain ID automatic reconfiguration 25-8 trunk-allowed 24-4
example membership for iSCSI devices 50-23 trunking ports 26-8
fabric optimization for FICON 36-3 VRRP 51-9
FC IDs 26-1 wizard 5-34
FCS 63-1 VSAN trunking. See trunking
FCS support 63-1 VSAs


communicating attributes 41-13 configuring 37-5, 66-23


protocol options 41-13 displaying configurations 66-24
displaying information 37-6
link initialization 37-6
W
port security 46-16
window management secondary MAC addresses 37-6
configuring in FCIP profiles 48-20 static binding 50-20
Windows suspended connection C-2
Fabric Manager Server 3-1 suspended connections 20-10
Fabric Manager support 2-19
installing Fabric Manager Web Services 7-4
X
Windows issues
blue screen 67-11 XML
Device Manager window content disappears 67-11 support 2-16
Fabric Manager window content disappears 67-11 XRC
icons disappear from desktop 67-11 FICON support 36-5
printing causes an application crash 67-11
SCP/SFTP failures 67-12
Z
text fields are too small 67-11
Windows XP hangs 67-11 zone aliases
Windows workstations conversion to device aliases 31-7
modifying 2-14 zone attribute groups
wizards cloning 30-35
DPVM Wizard 5-34 zone configurations
FCIP Wizard 5-34 test for compatibility 66-8
IP ACL Wizard 5-34 zone databases
iSCSI Wizard 5-34 migrating a non-MDS database 30-35
IVR Zone Wizard 5-34 zone members
License Install Wizard 5-34 adding to zones 30-14
NPV Wizard 5-34 converting to pWWN members 30-24
PortChannel Wizard 5-34 displaying information 30-20
Port Security Wizard 5-34 zoneMergeFailureIsolation tooltip 67-18
QoS Wizard 5-34 zone policies
Quick Config Wizard 30-7 configuring 2-11
Software Install Wizard 5-35 zoneRemoteNoRespIsolation tooltip 67-18
VSAN Wizard 5-34 zones
Zone Edit Tool Wizard 5-34 access control 30-16
world wide names. See WWNs adding zone members 30-14
WWNs


analyzing merges 66-8 See also read-only zones


assigning LUNs to storage subsystems 30-41 See also zoning; zone sets
backing up (procedure) 30-30 zone server databases
changing from enhanced zones 30-44 clearing 30-36
cloning 30-35 zone sets
compacting for downgrading 30-47 activating 30-17
comparison with device aliases (table) 31-4 cloning 30-35
comparison with VSANs (table) 26-4 configuring 30-15 to 30-21
configuring 30-10 to 30-25 considerations 30-4
configuring aliases 30-21 copying 30-29
configuring and activating for iSLB 50-41 creating 30-16
configuring broadcasting 30-38 default settings 30-48
configuring fcaliases 30-21 distributing configuration 30-26
default policies 30-2 enabling distribution 30-26
default settings 30-48 exporting 30-28
differences with IVR zones (table) 29-22 exporting databases 30-28
displayed as bold 67-9 features 30-1
editing full zone databases 30-11 importing 30-28
enforcing restrictions 30-26 importing databases 30-28
exporting databases 30-28 one-time distribution 30-27
features 30-1, 30-3 recovering from link isolations 30-28
importing databases 30-28 renaming 30-34
iSLB 50-41, 50-42 viewing information 30-42
IVR communication 29-22 See also active zone sets
logging facility 61-3 See also active zone sets; full zone sets
LUN-based 30-40 See also zones; zoning
membership using pWWNs 26-4 zone traffic priorities
merge failures 20-10 description 30-36
read-only for IVR 29-31 zoning
renaming 30-34 configuring broadcasting 30-38
restoring (procedure) 30-30 description 30-1
troubleshooting tools 5-35 example 30-2
viewing information 30-42 FabricWare support D-2
viewing inventory information 7-36 implementation 30-3
wizard 5-34 Quick Config Wizard 30-7 to 30-10
See also default zones See also LUN zoning
See also enhanced zones See also zones; zone sets
See also hard zoning; soft zoning zoning based access control
See also LUN zoning configuring for iSCSI 50-25


configuring for iSCSIiSCSI


configuring zoning based access control 50-25
