storage:brocade_adv
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
storage:brocade_adv [2025/03/28 16:01] manu [configuring security policies] |
storage:brocade_adv [2025/05/02 16:13] (current) manu [Configuring XISL] |
||
|---|---|---|---|
| Line 114: | Line 114: | ||
| https://techdocs.broadcom.com/us/en/fibre-channel-networking/fabric-os/fabric-os-commands/9-2-x/Fabric-OS-Commands/lfCfg.html | https://techdocs.broadcom.com/us/en/fibre-channel-networking/fabric-os/fabric-os-commands/9-2-x/Fabric-OS-Commands/lfCfg.html | ||
| + | ===== Configuring QOS ===== | ||
| + | |||
| + | Quality Of Service can easily activated per zone | ||
| + | |||
| + | You can enable high or low priority traffic, based on a priority ID. | ||
| + | The id range is from 1 through 5 for high-priority traffic, which corresponds to VCs 10 through 14. For low-priority traffic, the id range is from 1 through 2, which corresponds to VCs 8 and 9. The id is optional; if it is not specified, the virtual channels are allocated through a round-robin scheme. | ||
| + | |||
| + | Example of High priority zone with ID 2 | ||
| + | QOSH2_myzone1 | ||
| + | |||
| + | For low priority 1 | ||
| + | QOSL1_myzone2 | ||
| + | |||
| + | After enabling zone, your ISL have to be configured for QOS: | ||
| + | <cli prompt='>'> | ||
| + | sw0:admin> portcfgqos --enable 3 | ||
| + | </cli> | ||
| ===== Configuring Virtual Fabric ===== | ===== Configuring Virtual Fabric ===== | ||
| Line 483: | Line 500: | ||
| 1606 buffers required for 100km at 8G and framesize of 512 bytes | 1606 buffers required for 100km at 8G and framesize of 512 bytes | ||
| </cli> | </cli> | ||
| + | |||
| + | ==== ISL settings for DWDM ==== | ||
| + | |||
| + | {{storage:isl_dwdm_parameters.png?600|}} | ||
| ===== Connect to a switch without password ===== | ===== Connect to a switch without password ===== | ||
| Line 987: | Line 1008: | ||
| ===== configuring security policies ===== | ===== configuring security policies ===== | ||
| - | + | * Fabric configuration server policy (FCS): Restricts which switches can change the configuration of the fabric. | |
| - | + | * Device connection control (DCC) policy: Restricts which Fibre Channel device ports can connect to which Fibre Channel switch ports. | |
| - | FCS Policy : The fabric configuration server policy in base Fabric OS may be performed on a local switch basis and may be performed on any switch in the fabric. | + | * Switch connection control (SCC) policy: Restricts which switches can join with a switch. |
| Displaying the Database Distribution Settings | Displaying the Database Distribution Settings | ||
| Line 1020: | Line 1041: | ||
| IPFILTER - accept | IPFILTER - accept | ||
| Fabric Wide Consistency Policy:- "SCC" | Fabric Wide Consistency Policy:- "SCC" | ||
| + | </cli> | ||
| + | |||
| + | Best way to configure SCC is to first enable all switches to join the fabric: | ||
| + | |||
| + | On each SAN switch you can list the WWN: | ||
| + | <cli prompt='>'> | ||
| + | switch:admin> wwn | ||
| + | </cli> | ||
| + | |||
| + | Do either of the following: | ||
| + | |||
| + | * Manually add the front domain switch WWN to the SCC policy, or the Domain ID, or name. | ||
| + | <cli prompt='>'> | ||
| + | switch:admin> secpolicycreate SCC_POLICY "WWA;WWB" | ||
| + | </cli> | ||
| + | * Use the command to automatically add all switches in the fabric | ||
| + | <cli prompt='>'> | ||
| + | switch:admin> secpolicycreate SCC_POLICY "*" | ||
| + | </cli> | ||
| + | |||
| + | List the policy settings | ||
| + | <cli prompt='>'> | ||
| + | switch:admin> secpolicyshow | ||
| + | |||
| + | ___________________________________________________ | ||
| + | ACTIVE POLICY | ||
| + | FCS_POLICY | ||
| + | Pos Primary WWN DId swName | ||
| + | __________________________________________________ | ||
| + | 1 Yes 10:00:00:60:69:30:15:5c 1 primaryfcs | ||
| + | 2 No 10:00:00:60:69:30:1e:62 4 switch | ||
| + | ____________________________________________________ | ||
| + | </cli> | ||
| + | |||
| + | Activate and distribute the SCC policy. | ||
| + | <cli prompt='>'> | ||
| + | switch:admin> secpolicysave | ||
| + | switch:admin> secpolicyactivate | ||
| + | </cli> | ||
| + | |||
| + | distribute -p <policy_list> -d <switch_list> | ||
| + | <cli prompt='>'> | ||
| + | switch:admin> distribute -p "SCC;DCC" -d "3;5" | ||
| + | </cli> | ||
| + | Or | ||
| + | <cli prompt='>'> | ||
| + | switch:admin> distribute -p "FCS;PWD" -d "*" | ||
| + | </cli> | ||
| + | |||
| + | ===== configuring crypto policies ===== | ||
| + | |||
| + | <cli prompt='>'> | ||
| + | switch:admin> setcryptocfg --show | ||
| + | SSH Crypto: | ||
| + | SSH Cipher : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc | ||
| + | SSH Kex : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 | ||
| + | SSH MAC : hmac-sha1,hmac-sha2-256,hmac-sha2-512 | ||
| + | TLS Ciphers: | ||
| + | HTTPS : ECDSA:ECDH:RSA:AES:3DES:!RSAPSK:!DHEPSK:!PSK:!DSS:!AESCCM8:!AESCCM:!ARIAGCM:!CAMELLIA:!CHACHA20:!SEED:!RC4 | ||
| + | HTTPS_TLS_v1.3 : TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 | ||
| + | RADIUS : ECDSA:ECDH:RSA:AES:3DES:!RSAPSK:!DHEPSK:!PSK:!DSS:!AESCCM8:!AESCCM:!ARIAGCM:!CAMELLIA:!CHACHA20:!SEED:!RC4 | ||
| + | LDAP : ECDSA:ECDH:RSA:AES:3DES:!RSAPSK:!DHEPSK:!PSK:!DSS:!AESCCM8:!AESCCM:!ARIAGCM:!CAMELLIA:!CHACHA20:!SEED:!RC4 | ||
| + | SYSLOG : ECDSA:ECDH:RSA:AES:3DES:!RSAPSK:!DHEPSK:!PSK:!DSS:!AESCCM8:!AESCCM:!ARIAGCM:!CAMELLIA:!CHACHA20:!SEED:!RC4 | ||
| + | RSA : ECDSA:ECDH:RSA:AES:!3DES:!RSAPSK:!DHEPSK:!PSK:!DSS:!ARIAGCM:!CAMELLIA:!CHACHA20:!SSLv3:!TLSv1:!AESCCM | ||
| + | FA : ECDSA:ECDH:RSA:AES:!3DES:!RSAPSK:!DHEPSK:!PSK:!DSS:!ARIAGCM:!CAMELLIA:!CHACHA20:!SSLv3:!TLSv1:!AESCCM | ||
| + | TLS Protocol: | ||
| + | HTTPS : Any | ||
| + | RADIUS : Any | ||
| + | LDAP : Any | ||
| + | SYSLOG : Any | ||
| + | RSA : TLSv1.2 | ||
| + | FA : TLSv1.2 | ||
| + | X509v3: | ||
| + | Validation : Basic | ||
| + | Compliance: | ||
| + | CryptoVersion : 9.2.1 | ||
| + | FIPS Inside : Disabled | ||
| + | BootUp Selftests : Disabled | ||
| + | |||
| + | switch:admin> seccryptocfg --lstemplates | ||
| + | |||
| + | List of templates: | ||
| + | default_cc | ||
| + | default_generic | ||
| + | default_strong | ||
| + | default_fips | ||
| + | |||
| + | switch:admin> seccryptocfg --show default_strong | ||
| + | [Ver] 0.2 | ||
| + | [SSH] | ||
| + | Enc:aes128-ctr,aes192-ctr,aes256-ctr | ||
| + | Kex:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,curve25519-sha256 | ||
| + | Mac:hmac-sha2-256,hmac-sha2-512 | ||
| + | [AAA] | ||
| + | RAD_Ciphers:ECDSA:ECDH:RSA:AES:!3DES:!RSAPSK:!DHEPSK:!PSK:!DSS:!ARIAGCM:!CAMELLIA:!CHACHA20:!SSLv3:!TLSv1:!AESCCM | ||
| + | LDAP_Ciphers:ECDSA:ECDH:RSA:AES:!3DES:!RSAPSK:!DHEPSK:!PSK:!DSS:!ARIAGCM:!CAMELLIA:!CHACHA20:!SSLv3:!TLSv1:!AESCCM | ||
| + | RAD_Protocol:TLSv1.2 | ||
| + | LDAP_Protocol:TLSv1.2 | ||
| + | [LOG] | ||
| + | Syslog_Ciphers:ECDSA:ECDH:RSA:AES:!3DES:!RSAPSK:!DHEPSK:!PSK:!DSS:!ARIAGCM:!CAMELLIA:!CHACHA20:!SSLv3:!TLSv1:!AESCCM | ||
| + | Syslog_Protocol:TLSv1.2 | ||
| + | [HTTPS] | ||
| + | Ciphers:ECDSA:ECDH:RSA:AES:!3DES:!RSAPSK:!DHEPSK:!PSK:!DSS:!ARIAGCM:!CAMELLIA:!CHACHA20:!SSLv3:!TLSv1:!AESCCM | ||
| + | Protocol:TLSv1.3 | ||
| + | Ciphers_tlsv1.3:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256 | ||
| + | [X509v3] | ||
| + | Validation:Basic | ||
| </cli> | </cli> | ||
storage/brocade_adv.1743174112.txt.gz · Last modified: 2025/03/28 16:01 by manu
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
