Home » Cisco Manuals » Hubs & Switches » Cisco DS-C9216I-K9 » Manual Viewer

Cisco DS-C9216I-K9 Switch Guide - Page 51

Fabric Management, Security Management, Switch Access Security, Port Security

Add to My Manuals
Save this manual to your list of manuals

Page 51 highlights

Chapter 1 Product Overview Software Features When a switch powers up and two supervisor modules are present, the module in slot 5 enters the active mode, while the second module in slot 6 enters the standby mode. All storage management functions occur on the active supervisor module. The standby module constantly monitors the active module. If the active module fails, the standby module takes over without any impact to user traffic. See the Cisco MDS 9500 Series Hardware Installation Guide for additional information. Fabric Management Switches in the Cisco MDS 9000 Family offer fabric management and control through the command-line interface (CLI) by using Telnet, SSH, or a serial console and through the Cisco MDS 9000 Fabric Manager tool by using the Simple Network Management Protocol (SNMP) services: • SNMP versions 1, 2, and 3 are supported. • Remote Monitoring (RMON) allows you to specify thresholds and monitor alarms on SNMP variables. Extended RMON alarms are available for supported Management Information Base (MIB) objects. See the Cisco MDS 9000 Family MIB Reference Guide for additional information. • System error message logs (syslogs) are viewed through a console or Telnet session for asynchronous events such as an interface transition. Syslogs are directed to an internal log and optionally to an external server. See the Cisco MDS 9000 Family System Messages Guide for additional information. Security Management The Cisco MDS 9000 Family of switches offer strict and secure switch management options through switch access security, port security, user authentication, and role-based access. Switch Access Security Each switch can be accessed through the CLI or SNMP. • Secure switch access-Available when you explicitly enable Secure Shell (SSH) access to the switch. SSH access provides additional controlled security by encrypting data, user IDs, and passwords. By default, Telnet access is enabled on each switch. • SNMP access-SNMPv3 provides built-in security for secure user authentication and data encryption. • IP Access control lists (IP-ACLs)-Provide basic network security to all switches in the Cisco MDS 9000 Family. IP-ACLs restricts IP-related inband and out-of-band management traffic based on IP addresses (layer 3 and layer 4 information). You can use IP-ACLs to control transmissions on an interface. Port Security Port security features prevent unauthorized access to a switch port in the Cisco MDS 9000 Family. • Login requests from unauthorized Fibre Channel devices (Nx ports) and switches (xE ports) are rejected. • All intrusion attempts are reported to the SAN administrator through syslog messages. OL-7753-01 Cisco MDS 9000 Fabric Manager Switch Configuration Guide 1-9

Section	Page
Contents	3
Preface	27
Audience	27
Organization	27
Conventions	30
Obtaining Documentation	31
Cisco.com	31
Documentation DVD	31
Ordering Documentation	31
Documentation Feedback	32
Cisco Product Security Overview	32
Reporting Security Problems in Cisco Products	32
Obtaining Technical Assistance	33
Cisco Technical Support Website	33
Submitting a Service Request	33
Definitions of Service Request Severity	34
Obtaining Additional Publications and Information	34
New and Changed Information	37
Product Overview	43
Hardware Overview	43
Cisco MDS 9216 Fabric Switch	44
Cisco MDS 9500 Modular Directors	44
Cisco MDS 9100 Series Fixed Configuration Fabric Switches	45
Software Features	46
Licensing	46
High Availability	46
Switch Reliability	46
Virtual SANs	47
Intelligent Zoning	47
Inter-VSAN Routing	47
Trunking	48
PortChannels	48
IP Services	48
IP Storage	49
Call Home	49
QoS and Congestion Control	49
SPAN and RSPAN	50
Switch Management Features	50
Redundant Supervisor Module Management	50
Fabric Management	51
Security Management	51
Tools for Software Configuration	52
CLI	52
Cisco MDS 9000 Fabric Manager	53
Getting Started with Cisco Fabric Manager	55
Managing Cisco MDS 9000 Switches	56
Storage Management Solutions Architecture	57
In-Band Management and Out-of-Band Management	58
MGMT0	58
IPFC	58
Installing the Applications	59
Launching the Applications	60
Using the Management Services Wizard	61
A Note on Ports	61
Overview of Fabric Manager	63
Launching Cisco Fabric Manager	63
Using Fabric Manager	64
Menu Bar, Toolbars, and Status Bar	65
Logical/Physical Pane	65
Information Pane	66
Map Pane	66
Discovering and Viewing the Network Fabric	69
Controlling Administrator Access with Users and Roles	69
Modifying Device Grouping	69
Setting Fabric Manager Preferences	70
Viewing Reports in Fabric Manager	71
Using Device Manager	72
Launching Device Manager from Fabric Manager	72
Using Summary View	73
Comparing Device Manager to Fabric Manager	74
Performing Device Management	75
Managing Ports	75
Setting Device Manager Preferences	76
Using Performance Manager	76
Performance Manager Architecture	76
Creating a PM Configuration File	76
Collecting the Data	77
Presenting the Collected Data	77
Exporting and Importing Data	78
Integration with Cisco Traffic Analyzer	78
Configuring PM for Use with Cisco Traffic Analyzer	78
Stopping Data Collection	81
Exporting Data Collection to XML Files	81
Removing Data Collection Files from the List	81
Before You Begin	83
About Flash Devices	83
Internal bootflash:	84
External CompactFlash (Slot0)	84
Switch Roles	84
Using Valid Formats and Ranges	84
Obtaining and Installing Licenses	89
License Terminology	89
Licensing Model	90
Licensing High Availability	92
Options to Install a License	92
Obtaining a Factory-Installed License	92
Performing a Manual Installation	93
Obtaining License Key Files	93
Installing Licenses	94
Installing Licenses Using Fabric Manager License Wizard	94
Installing Licenses Using Device Manager	96
Viewing License Information in Fabric Manager	96
Viewing License Information in Device Manager	97
Removing Licenses	97
Updating Licenses	98
License Expiry Alerts	98
Moving Licenses Between Switches	99
Initial Configuration	101
NTP Configuration	101
NTP Configuration Guidelines	102
Display General NTP Statistics for a Switch	103
Create an NTP Server or Peer	103
Edit an NTP Server or Peer Configuration	104
Delete an NTP Server or Peer	104
Configuring High Availability	105
About High Availability	105
Switchover Mechanisms	106
HA Switchover	106
Process Restartability	106
Synchronizing Supervisor Modules	106
HA Redundancy States	106
Software Images	109
About Software Images	109
Essential Upgrade Prerequisites	110
Using the Software Install Wizard	111
Maintaining Supervisor Modules	112
Standby Supervisor Boot Variable Version	112
Standby Supervisor Boot Alert	113
Replacing Modules	113
Recovering a Corrupted Bootflash	113
Default Factory Settings	113
Managing Modules	115
About Modules	115
Supervisor Modules	115
Switching Modules	116
Viewing the State of a Module	116
Identifying Module LEDs	117
Configuring EPLDs	119
Default Supervisor Module Settings	120
Managing System Hardware	121
Configuring Power Supplies	121
Guidelines for Power Supplies with Different Capacities	121
Guidelines for Power Supplies with Different Capacities	123
Managing Power Supplies	124
Displaying Module Temperature	125
Monitoring Fan Modules	126
Monitoring Clock Modules	126
Viewing System Attributes	126
Viewing Running Processes	126
Viewing Flash File Information	127
Managing Inventory Information	127
Managing Module Attributes	127
Configuring and Managing VSANs	129
How VSANs Work	130
VSANs Versus Zones	132
Default and Isolated VSANs	133
Default VSANs	133
Isolated VSANs	133
VSAN Membership	134
VSAN Attributes	134
Operational State of a VSAN	134
Adding and Configuring VSANs	135
Deleting VSANs	135
Default Settings	136
Configuring Interfaces	137
Configuring Fibre Channel Interfaces	137
About Interface Modes	138
E Port	138
F Port	138
FL Port	139
TL Port	139
TE Port	139
SD Port	139
ST Port	140
Fx Port	140
B Port	140
Auto Mode	140
About Interface States	140
Administrative States	140
Operational States	141
Reason Codes	141
Configuring TL Port ALPA Caches	144
Configuring Buffer-to-Buffer Credits	144
Configuring Performance Buffers	144
Configuring the Beacon Mode	145
Identifying the Beacon LEDs	145
Configuring Switch Port Defaults	146
Default Settings	146
Configuring VSAN Interfaces	146
Configuring Gigabit Ethernet Interfaces	147
Enabling or Disabling Ports	147
Managing Interface Attributes for Ports	147
Configuring Trunking	149
About Trunking	149
About Trunking Protocol	150
Configuring Trunk Modes	150
Configuring Trunk-Allowed VSAN List	150
Trunking Configuration Guidelines	152
Default Settings	153
Configuring PortChannels	155
PortChannel Examples	155
Configuring 32-port Switching Modules and Host-Optimized Ports	156
Managing Physical Attributes for a Port	156
Viewing Port Capability Attributes	157
About PortChanneling and Trunking	157
Managing PortChannel General Attributes	158
Managing PortChannel Interface Attributes	158
Quiescing/Disabling Port Channel Members	158
About Load Balancing	159
Considerations for PortChannel Configurations	160
Error Detection	160
Default Settings	161
Configuring and Managing Zones	163
Zoning Features	164
Zoning Example	165
Configuring a Zone	166
Creating Zones	166
Creating Additional Zones	166
Cloning Zones	167
Adding Zone Members	167
Displaying Port Membership Information	168
Viewing Zone Statistics	168
Deleting Zones and Members	168
Configuring Aliases	168
Creating Zones with Aliases	169
Viewing Aliases	169
Zone Sets	169
Active and Full Zone Set Considerations	170
Distributing Zone Sets	172
Copying Zone Sets	172
Creating Zone Sets	172
Creating Additional Zone Sets	172
Cloning Zone Sets	173
Adding Zones to a Zone Set	173
Activating or Enforcing Zone Sets	173
Deactivating Zone Sets	174
Importing Active Zone Sets	174
Exporting Active Zone Sets	174
Deleting Zone Sets or Members	174
Clearing the Zone Database	175
Recovering a Full Zone Database	175
Performing Zone Merge Analysis	175
Zone Enforcement	176
The Default Zone	176
Setting Default Zone Policy	177
Changing the Default Zone Policy	177
Recovering from Link Isolation	177
LUN Zoning	178
Assigning LUNs to Storage Subsystems	179
Read-Only Zoning	179
Guidelines to Configure Read-Only Zones	179
Default Settings	180
Migrating a Non-MDS Database	180
Using the Zone Wizard	180
Configuring Inter-VSAN Routing	181
About IVR	181
IVR Features	182
IVR Terminology	182
IVR Guidelines	183
Domain ID Guidelines	183
Transit VSANs Guidelines	183
Border Switch Guidelines	183
Configuring IVR	184
Unique Domain ID Configuration Options	184
Enabling IVR	184
Configuring an IVR Topology	184
Creating an IVR Topology	184
Creating IVR Zones and Zone Sets	185
Creating Additional IVR Zones and Zone Sets	185
Activating IVR Zone Sets	186
Deactivating IVR Zone Sets	186
Recovering an IVR Full Zone Database	186
Recovering an IVR Full Topology	187
IVR Interoperability	187
IVR Using LUN Zoning or Read-Only Zoning	187
Creating IVZs and IVZSs	187
Zones versus IVZs	188
Automatic IVZ Creation	188
Configuring and Activating IVZs and IVZSs	189
Using the force Option	189
Clearing the IVZ Database	189
Using the Zone Wizard	190
Managing FLOGI, Name Server, FDMI, and RSCN Databases	191
Displaying FLOGI Details	191
Configuring the Name Server Proxy Feature	192
Displaying Name Server Database Entries	192
Displaying FDMI	192
Displaying RSCN Information	192
Sending RSCNs	193
Viewing General Attributes for the Name Server	193
Viewing Advanced Attributes for the Name Server	193
Proxy Ports for the Name Server	193
Viewing Name Server Statistics	194
Viewing RSCN Nx Registrations	194
Viewing RSCN Statistics	194
Viewing FLOGI Attributes	194
Viewing Port ELP Attributes	195
Viewing Trunk Configuration	195
Configuring Switch Security	197
Switch Management Security	198
SNMP Security	198
CLI Security	198
Switch AAA Functionalities	198
Authentication	199
Authorization	199
Accounting	199
Remote Authentication by AAA Servers	199
Remote Authentication Guidelines	199
Server Groups	200
AAA Service Configuration Options	200
Configuring RADIUS	200
About RADIUS	201
Configuring RADIUS Authentication	201
Configuring RADIUS Servers	201
Setting the RADIUS Server Address	201
Setting the RADIUS Preshared Key	202
Setting Iterations of the RADIUS Server	202
Defining Vendor-Specific Attributes	202
VSA Format	202
Configuring TACACS+	203
About TACACS+	203
Advantages of TACACS+	203
Enabling TACACS+	204
Setting the TACACS+ Server Address	204
Setting the Secret Key	204
Setting the Timeout Value	204
Defining Custom Attributes for Roles	204
Configuring Server Groups	205
Local AAA	205
Authentication and Authorization Process	205
Configuring Role-Based CLI Authorization	207
Configuring Rules and Features for Each Role	207
Configuring the VSAN Policy	208
Recovering Administrator Password	208
Configuring SSH Services	208
Enabling SSH Service	209
Generating an SSH Host Key Pair	209
Using the force Option	209
About SNMP Security	209
SNMP Version 1 and Version 2c	210
Adding a Community String	210
Deleting a Community String	210
SNMP Version 3	210
Adding SNMP Users	211
Deleting SNMP Users	211
Configuring and Creating SNMP User Roles	211
Viewing SNMP Community and User Information	212
Group-Based SNMP Access	212
Configuring Common Roles	212
Creating and Modifying Users	213
Creating Common Roles	214
Editing Common Role Rules (Device Manager Only)	215
Deleting Common Roles	215
Assigning Users to Roles	215
Default Security Settings	216
Restricting Switch Access	217
Configuring Fabric Security	219
About Fabric Authentication	219
About DHCHAP	220
DHCHAP Compatibility with Existing MDS Features	220
Configuring DHCHAP Authentication	221
Enabling DHCHAP	221
Configuring DHCHAP Authentication Modes	221
Configuring the DHCHAP Hash Algorithm	222
Configuring DHCHAP Groups	222
Configuring DHCHAP Passwords	222
Configuring Passwords for Other Devices	223
Configuring the DHCHAP Timeout Value	223
Default Fabric Security Settings	223
Configuring Port Security	225
Port Security Features	225
Enforcing Port Security	225
Configuring a Port Binding	226
Copying an Active Configuration to the Running Configuration	226
Deleting a Port Binding	227
About Auto-Learn	227
Activating Port Security	227
Activating a Port Binding	227
Displaying Activated Port Bindings	228
Configuring Auto-Learning	228
Authorization Scenario	229
Turning Auto-Learning On or Off	230
Manually Configuring Port Security	231
Identifying WWNs to Configure Port Security	231
Securing Authorized Ports	231
Activating the Port Security Database	231
Forcing Port Security Activation	232
Reactivating the Database	232
Database Scenarios	232
Displaying Port Security Statistics	233
Displaying Port Security Violations	233
Default Port Security Settings	233
Configuring Fibre Channel Routing Services and Protocols	235
FSPF Features	236
FSPF Examples	236
Fault Tolerant Fabric	236
Redundant Links	237
Fail-over Scenarios for PortChannels and FSPF Links	237
Configuring FSPF Globally	238
Managing FSPF General Attributes	238
Disabling FSPF Routing Protocols	238
Link State Record Defaults	238
Viewing Link State Records	239
Viewing FSPF Links	239
Configuring FSPF for a Specific Interface	239
Configuring FSPF Interfaces	240
Computing Route Cost	240
Specifying Hello Time Intervals	240
Specifying Dead Intervals	240
Disabling FSPF for Specific Interfaces	240
Retransmitting Intervals	240
Viewing FSPF Interface Statistics	241
Configuring Fibre Channel Routes	241
Configuring Fibre Channel Route Flows	241
Broadcast Routing	242
In-Order Delivery	242
Reordering Network Frames	242
Reordering PortChannel Frames	243
Enabling In-Order Delivery	244
Configuring Flow Statistics	244
Viewing FSPF Statistics	244
Default Settings	244
Configuring IP Services	247
Traffic Management Services	248
Configuring the Ethernet Management Port	248
Configuring the Default Gateway	249
Configuring the Default Network	250
Configuring an IP Route	250
IP Access Control Lists	250
IP-ACL Configuration Guidelines	250
Creating IP-ACLs	251
Adding Entries to an Existing IP-ACL	251
Comparing Ports	251
Applying IP-ACLs	253
Configuring IPFC	254
Configuring Overlay VSANs	254
Configuring Multiple VSANs	255
Managing IPFC Connectivity with Multiple VSANs	256
Configuring VRRP	256
VRRP Features	257
VRRP Functionality	257
Creating or Removing a Virtual Router	258
Enabling a Virtual Router	258
Adding an IP Address for a Virtual Router	258
Viewing IP Address Information	258
Managing IP Addresses for VRRP	259
Setting Priority for the Virtual Router	259
Setting the Time Interval for the Advertisement Packet	259
Preempting the Master Virtual Router	259
Configuring Authentication for the Virtual Router	259
Setting the Priority Based on Interface State	260
Configuring VRRP Operations Attributes	260
Default Settings	260
Enabling or Disabling IP Forwarding	261
Viewing Information and Statistics	261
Viewing VRRP Statistics	261
Viewing TCP Information and Statistics	261
Viewing UDP Information and Statistics	261
Viewing IP Statistics	262
Viewing ICMP Statistics	262
Configuring FICON	263
About FICON	264
MDS-Specific FICON Advantages	265
Fabric-Optimization with VSANs	265
FCIP Support	266
PortChannel Support	267
VSANs for FICON and FCP Intermixing	267
MDS-Supported FICON Features	267
FICON Port Numbering	268
Port Addresses	270
Implemented and Unimplemented Port Addresses	271
Installed and Uninstalled Ports	271
FCIP Port Number	271
Port Numbering Summary	272
FCIP and PortChannel Port Numbers	272
FC ID Allocation	273
FICON Cascading	273
MDS FICON Prerequisites	273
Enabling FICON	274
Effects of Enabling FICON	274
Creating FICON VSANs (enabling FICON) Using Fabric Manager	274
Creating FICON VSANs (enabling FICON) Using Device Manager	275
Deleting FICON VSANs (Disabling FICON)	275
Viewing FICON Director History	276
Configuring Code Page	276
Configuring the FC ID Last Byte	276
Automatically Saving the Running Configuration	276
Binding Port Numbers to PortChannels	277
Binding Port Numbers to FCIP Interfaces	277
Configuring FICON Ports	277
FICON Information Refresh Note	277
Blocking Ports	277
Prohibiting Ports	278
Entering FICON Port Configuration Information	278
Viewing FICON Port Attributes	279
FICON Configuration Files	279
Accessing FICON Configuration Files	280
Editing FICON Configuration Files	280
Creating FICON Files	280
Deleting FICON Files	281

Match case Limit results 1 per page

1-9

Cisco MDS 9000 Fabric Manager Switch Configuration Guide

OL-7753-01

Chapter 1

Product Overview

Software Features

When a switch powers up and two supervisor modules are present, the module in slot 5 enters the active

mode, while the second module in slot 6 enters the standby mode. All storage management functions

occur on the active supervisor module. The standby module constantly monitors the active module. If

the active module fails, the standby module takes over without any impact to user traffic.

See the

Cisco MDS 9500 Series Hardware Installation Guide

for additional information.

Fabric Management

Switches in the Cisco MDS 9000 Family offer fabric management and control through the command-line

interface (CLI) by using Telnet, SSH, or a serial console and through the Cisco MDS 9000 Fabric

Manager tool by using the Simple Network Management Protocol (SNMP) services:

•

SNMP versions 1, 2, and 3 are supported.

•

Remote Monitoring (RMON) allows you to specify thresholds and monitor alarms on SNMP

variables. Extended RMON alarms are available for supported Management Information Base

(MIB) objects. See the

Cisco MDS 9000 Family MIB Reference Guide

for additional information.

•

System error message logs (syslogs) are viewed through a console or Telnet session for

asynchronous events such as an interface transition. Syslogs are directed to an internal log and

optionally to an external server. See the

Cisco MDS 9000 Family System Messages Guide

for

additional information.

Security Management

The Cisco MDS 9000 Family of switches offer strict and secure switch management options through

switch access security, port security, user authentication, and role-based access.

Switch Access Security

Each switch can be accessed through the CLI or SNMP.

•

Secure switch access—Available when you explicitly enable Secure Shell (SSH) access to the

switch. SSH access provides additional controlled security by encrypting data, user IDs, and

passwords. By default, Telnet access is enabled on each switch.

•

SNMP access—SNMPv3 provides built-in security for secure user authentication and data

encryption.

•

IP Access control lists (IP-ACLs)—Provide basic network security to all switches in the Cisco MDS

9000 Family. IP-ACLs restricts IP-related inband and out-of-band management traffic based on IP

addresses (layer 3 and layer 4 information). You can use IP-ACLs to control transmissions on an

interface.

Port Security

Port security features prevent unauthorized access to a switch port in the Cisco MDS 9000 Family.

•

rejected.

•

All intrusion attempts are reported to the SAN administrator through syslog messages.