Reasons:
- The FLOGI server is not responding correctly.
show flogi internal event interface fc x/y
- The persistent FCID limit is exceeded (255 entries, all with area-unique FCIDs because of QLogic HBAs).
MDS9513-83-SJ# show run | include "vsan Z" | include fcid | count
where Z is the VSAN number.
- There is a conflict in persistent FCIDs (the MDS can't assign the FCID allocated to the WWN).
- More than 255 devices are present when QLogic HBAs, or other devices that need an area-unique FCID, are allocated.
- A supervisor failure or module issue keeps the FLOGI command from reaching the supervisor or the flogi process.
show fc2 internal even errors
These are a few causes.
Tuesday, April 29, 2008
Flex Attach in MDS!
The MDS assigns a virtual pWWN that is used for zoning and LUN masking, so when a host
connected to a port dies, you can either connect a new host to the same port or reconfigure
the FlexAttach config on the port where a spare host is connected. This is a security concern,
because anyone can attach another host to the port and get all the access to the LUNs.
In a similar way, someone can replace or remove an HBA and connect it to a different server.
This risk can be reduced by using port-security.
http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_3_x/command/reference/CR03_f.html#wp1393061
MDS callhome for bootflash errors!
When a bootflash fails and callhome is configured correctly, we would expect the
XML destination to send the callhome. It does not happen, even if the Cisco_TAC alert group
is added, because of bug CSCso71302.
The workaround is defined in that Cisco MDS bug.
Symptom:
BOOTFLASH failure does not generate callhome to default XML destination profile.
Workaround:
The default XML destination profile is configured to receive alerts from the Cisco-Tac alert group by default. You need to add the linecard-hardware and supervisor-hardware alert groups to that destination profile to get callhome messages such as BOOTFLASH failure.
For example:
callhome
destination-profile xml message-level 2
destination-profile xml email-addr auto-notify@cisco.com
destination-profile xml alert-group linecard-hardware
destination-profile xml alert-group supervisor-hardware
destination-profile xml alert syslog-group-port
Friday, April 25, 2008
NPIV sample config
Sample config:
9513(NPIV enable)--fc2/2---- ---fc1/1(NP port)---9134---(fc1/10 host)
All the ports are in vsan 30
NPV switch 9134 config:
Make sure you have the switch password and console access before you run npv enable.
Run npv enable and set the port to NP mode.
MDS9134-SJ# show run int fc1/1
version 3.2(1a)
interface fc1/1
port-license acquire
switchport mode NP
no shutdown
This port is the upstream port to the NPIV-enabled switch, and
fc1/10 is where the host is connected.
MDS9134-SJ# show run int fc1/10
version 3.2(1a)
interface fc1/10
port-license acquire
switchport mode F
no shutdown
They both have to be in the same VSAN, otherwise the
"NPIV upstream not available" error might appear.
sh npv internal errors
192) Event:E_DEBUG, length:186, at 683624 usecs after Fri Apr 25 16:17:04 2008
[102] npivp_mts_hdlr_fwd_internal_flogi_update(1165): Unable to match the fw
d response for internal FLOGI with any of the outstanding responses, ignoring th
e resp, error: fu unknown error
193) Event:E_DEBUG, length:136, at 652218 usecs after Fri Apr 25 16:17:04 2008
[112] E(1,fc1/1) Upstream Port VSAN(30) for this interface is different from
the local port VSAN(1)Failing this external interface: fc1/1
MDS9134-SJ# show npv flogi-table
--------------------------------------------------------------------------------
SERVER EXTERNAL
INTERFACE VSAN FCID PORT NAME NODE NAME INTERFAC
E
--------------------------------------------------------------------------------
fc1/10 1 0x0a0400 21:00:00:e0:8b:0b:38:0e 20:00:00:e0:8b:0b:38:0e fc1/1
Total number of flogi = 1.
MDS9134-SJ# show npv status
npiv is enabled
External Interfaces:
====================
Interface: fc1/1, VSAN: 1, FCID: 0x0a000d, State: Up
Number of External Interfaces: 1
Server Interfaces:
==================
Interface: fc1/2, State: Pre-Initialized
Interface: fc1/10, VSAN: 1, State: Up
Number of Server Interfaces: 2
Earlier Error
MDS9134-SJ(config-if)# do show int fc1/10
fc1/10 is down (NPV upstream port not available)
Hardware is Fibre Channel, SFP is short wave laser w/o OFC (SN)
Port WWN is 20:0a:00:0d:ec:51:05:40
Admin port mode is F
snmp link state traps are enabled
Port vsan is 30
Because upstream port fc1/1 is in VSAN 1 and fc1/10 is in VSAN 30?
What if the upstream port is in VSAN 30 but the remote switch with NPIV does
not have VSAN 30?
MDS9134-SJ# show npv sta
npiv is enabled
External Interfaces:
====================
Interface: fc1/1, State: Failed(Mismatch in VSAN for this upstream port)
Number of External Interfaces: 1
Server Interfaces:
==================
Interface: fc1/2, State: Waiting for External Interface
Interface: fc1/10, State: Waiting for External Interface
Number of Server Interfaces: 2
Created vsan 30 on 9513
then
MDS9134-SJ# show npv sta
npiv is enabled
External Interfaces:
====================
Interface: fc1/1, VSAN: 30, FCID: 0xa00000, State: Up
Number of External Interfaces: 1
Server Interfaces:
==================
Interface: fc1/2, State: Waiting for External Interface
Interface: fc1/10, VSAN: 30, State: Up
Number of Server Interfaces: 2
No flogi commands are there...
Commands
MDS9134-SJ# show npv internal event- flogi-fsm interface fc1/10
7) FSM: Transition at 922358 usecs after Fri Apr
25 16:50:55 2008
Previous state: [NPIVP_FLOGI_ST_WAIT_ON_FCID_ADD]
Triggered event: [NPIVP_FLOGI_EV_FCID_UPDATE_SUCCESS_RESP]
Next state: [NPIVP_FLOGI_ST_STEADY_STATE]
8) FSM: Transition at 922717 usecs after Fri Apr
25 16:50:55 2008
Previous state: [NPIVP_FLOGI_ST_STEADY_STATE]
Triggered event: [NPIVP_FLOGI_EV_SEND_FLOGI_ACC]
Next state: [FSM_ST_NO_CHANGE]
MDS9134-SJ# show npv internal event- ext-if-fsm int fc1/1\
497) FSM: Transition at 106900 usecs after Fri Apr 25 16:50:55
2008
Previous state: [NPIVP_EXT_IF_ST_WAITING_NS_REGISTRATION]
Triggered event: [NPIVP_EXT_IF_EV_NS_RSNN_RESPONSE_SUCCESSFUL]
Next state: [FSM_ST_NO_CHANGE]
498) FSM: Transition at 110396 usecs after Fri Apr 25 16:50:55
2008
Previous state: [NPIVP_EXT_IF_ST_WAITING_NS_REGISTRATION]
Triggered event: [NPIVP_EXT_IF_EV_NS_RSPN_RESPONSE]
Next state: [FSM_ST_NO_CHANGE]
499) FSM: Transition at 110406 usecs after Fri Apr 25 16:50:55
2008
Previous state: [NPIVP_EXT_IF_ST_WAITING_NS_REGISTRATION]
Triggered event: [NPIVP_EXT_IF_EV_NS_RSPN_RESPONSE_SUCCESSFUL]
Next state: [FSM_ST_NO_CHANGE]
500) FSM: Transition at 110412 usecs after Fri Apr 25 16:50:55
2008
Previous state: [NPIVP_EXT_IF_ST_WAITING_NS_REGISTRATION]
Triggered event: [NPIVP_EXT_IF_EV_VALIDATE_INT_FLOGI_ACC_SUCCESS]
Next state: [NPIVP_EXT_IF_ST_UP]
Curr state: [NPIVP_EXT_IF_ST_UP]
NPIV switch config and commands:
MDS9513-83-SJ(config)# do show run int fc2/2
version 3.2(2c)
interface fc2/2
no shutdown
switchport mode F
MDS9513-83-SJ(config)# do show int fc2/2
fc2/2 is up
Hardware is Fibre Channel, SFP is short wave laser w/o OFC (SN)
Port WWN is 20:42:00:0d:ec:2c:54:c0
Admin port mode is F
snmp link state traps are enabled
Port mode is F, FCID is 0xa00000
Port vsan is 30
Speed is 4 Gbps
Rate mode is dedicated
Transmit B2B Credit is 16
Receive B2B Credit is 16
Receive data field Size is 2112
Beacon is turned off
5 minutes input rate 128 bits/sec, 16 bytes/sec, 0 frames/sec
5 minutes output rate 104 bits/sec, 13 bytes/sec, 0 frames/sec
231 frames input, 22980 bytes
0 discards, 0 errors
0 CRC, 0 unknown class
0 too long, 0 too short
257 frames output, 19556 bytes
0 discards, 0 errors
5 input OLS, 5 LRR, 5 NOS, 0 loop inits
MDS9513-83-SJ(config)# do show flogi database interface fc2/2
---------------------------------------------------------------------------
INTERFACE VSAN FCID PORT NAME NODE NAME
---------------------------------------------------------------------------
fc2/2 30 0xa00000 20:01:00:0d:ec:51:05:40 20:1e:00:0d:ec:51:05:41
fc2/2 30 0xa00100 21:00:00:e0:8b:0b:38:0e 20:00:00:e0:8b:0b:38:0e
[Win_HBA0]
MDS9513-83-SJ# show fcns database npv NOde_wwn 20:1e:00:0d:ec:51:05:41
VSAN 30:
--------------------------------------------------------------------------
FCID TYPE PWWN (VENDOR) FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0xa00100 N 21:00:00:e0:8b:0b:38:0e (Qlogic) scsi-fcp:init
[Win_HBA0]
Total number of entries = 1
MDS9513-83-SJ# show flogi database details
---------------------------------------------------------------------------------------
INTERFACE VSAN FCID PORT NAME NODE NAME FLAGS
---------------------------------------------------------------------------------------
fc2/1 5 0xbd0000 21:00:00:e0:8b:08:dd:22 20:00:00:e0:8b:08:dd:22 ADOP
fc2/2 30 0xa00000 20:01:00:0d:ec:51:05:40 20:1e:00:0d:ec:51:05:41
fc2/2 30 0xa00100 21:00:00:e0:8b:0b:38:0e 20:00:00:e0:8b:0b:38:0e AVDO
[Win_HBA0]
fc2/8 1 0x0a000c 50:06:01:68:88:02:90:ce 50:06:01:60:11:02:90:ce
fc2/10 777 0x490300 21:00:00:d0:b2:00:82:c0 20:00:00:d0:b2:00:82:c0 ADOP
fc2/11 777 0x490200 21:02:00:d0:b2:00:82:c0 20:02:00:d0:b2:00:82:c0 ADOP
fv4/1/1 1 0x0a0000 26:02:00:0d:ec:2c:54:c2 26:0b:00:0d:ec:2c:54:c2 P
fv4/1/2 1 0x0a0001 26:03:00:0d:ec:2c:54:c2 26:0c:00:0d:ec:2c:54:c2 P
fv4/2/1 1 0x0a0002 26:04:00:0d:ec:2c:54:c2 26:0d:00:0d:ec:2c:54:c2 P
fv4/2/2 1 0x0a0009 25:02:00:0d:ec:2c:54:c2 25:03:00:0d:ec:2c:54:c2 P
fv4/3/1 1 0x0a0003 26:05:00:0d:ec:2c:54:c2 26:0e:00:0d:ec:2c:54:c2 P
fv4/4/1 1 0x0a0004 26:06:00:0d:ec:2c:54:c2 26:0f:00:0d:ec:2c:54:c2 P
fv4/5/1 1 0x0a0005 26:07:00:0d:ec:2c:54:c2 26:10:00:0d:ec:2c:54:c2 P
fv4/6/1 1 0x0a0006 26:08:00:0d:ec:2c:54:c2 26:11:00:0d:ec:2c:54:c2 P
fv4/7/1 1 0x0a0007 26:09:00:0d:ec:2c:54:c2 26:12:00:0d:ec:2c:54:c2 P
fv4/8/1 1 0x0a0008 26:0a:00:0d:ec:2c:54:c2 26:13:00:0d:ec:2c:54:c2 P
Total number of flogi = 16.
FLAGS:
A area FCID allocation
L loop device
V FDISC
D the wwn matches the default OUI list
O the wwn matches the configured OUI list
P allocation was done based on the persistency table
--------------
MDS9513-83-SJ# show run | include npi
npiv enable
MDS9513-83-SJ# show fcns database npv
VSAN 30:
-------------------------------------------------------------------------------
NPV NODE-NAME NPV IP_ADDR NPV IF CORE SWITCH WWN CORE IF
-------------------------------------------------------------------------------
20:1e:00:0d:ec:51:05:41 172.16.33.23 fc1/1 20:00:00:0d:ec:2c:54:c0 fc2/2
172.16.33.23 is the 9134 switch,
which has NPV enabled.
MDS9513-83-SJ# show fcns database npv de
------------------------------------------------------------
VSAN:30 NPV Node Name: 20:1e:00:0d:ec:51:05:41
------------------------------------------------------------
NPV Fabric Port-WWN :20:01:00:0d:ec:51:05:40
class :2,3
NPV IP Address :172.16.33.23
ipa :ff ff ff ff ff ff ff ff
fc4-types:fc4_features :npv
NPV Switch Name:Interface :MDS9134-SJ:fc1/1
port-type :NP
Core Switch fabric-port-wwn :20:42:00:0d:ec:2c:54:c0
permanent-port-wwn (vendor) :20:01:00:0d:ec:51:05:40 (Cisco)
Total number of entries = 1
======================================================================
Saturday, April 12, 2008
NPIV
Cisco SAN-OS release 3.0(1) supports the industry-standard N-port
identifier virtualization (NPIV), which allows a single Fibre Channel
HBA port to be assigned multiple Fibre Channel IDs. Under virtual
operating environments such as VMware, NPIV enables access control,
zoning, and port security to be configured for each virtual machine.
N Port virtualization (NPV) reduces the number of Fibre Channel domain IDs in SANs. Switches operating in the NPV mode do not join a fabric; rather, they pass traffic between NPV core switch links and end devices, which eliminates the domain IDs for these edge switches.

While NPV is similar to N port identifier virtualization (NPIV), it does not offer exactly the same functionality. NPIV provides a means to assign multiple FC IDs to a single N port, and allows multiple applications on the N port to use different identifiers. NPIV also allows access control, zoning, and port security to be implemented at the application level. NPV makes use of NPIV to get multiple FCIDs allocated from the core switch on the NP port.

NP Ports
An NP port (proxy N port) is a port on a device that is in NPV mode and connected to the NPV core switch using an F port. NP ports behave like N ports except that in addition to providing N port behavior, they also function as proxies for multiple, physical N ports.
NP Links
An NP link is basically an NPIV uplink to a specific end device. NP links are established when the uplink to the NPV core switch comes up; the links are terminated when the uplink goes down. Once the uplink is established, the NPV switch performs an internal FLOGI to the NPV core switch, and then (if the FLOGI is successful) registers itself with the NPV core switch's name server.
When an NP port comes up, the NPV device first logs itself in to the NPV core switch and sends a FLOGI request that includes the following parameters:
•The fWWN (fabric port WWN) of the NP port used as the pWWN in the internal login.
•The VSAN-based sWWN (switch WWN) of the NPV device used as nWWN (node WWN) in the internal FLOGI.
After completing its FLOGI request, the NPV device registers itself with the fabric name server using the following additional parameters:
•Switch name and interface name (for example, fc1/4) of the NP port is embedded in the symbolic port name in the name server registration of the NPV device itself.
•The IP address of the NPV device is registered as the IP address in the name server registration of the NPV device.
Note The BB_SCN of internal FLOGIs on NP ports is always set to zero. The BB_SCN is supported at the F-port of the NPV device.
Although fWWN-based zoning is supported for NPV devices, it is not recommended because:
•Zoning is not enforced at the NPV device (rather, it is enforced on the NPV core switch).
•Multiple devices behind an NPV device log in via the same F port on the core (hence, they use same fWWN and cannot be separated into different zones).
•The same device might log in using different fWWNs on the core switch (depending on the NPV link it uses) and may need to be zoned using different fWWNs.
When you enable NPV, your system configuration is erased and the system is rebooted with NPV mode enabled.
On the 91x4 platform, before you upgrade to 3.2(2b) or downgrade from 3.2(2b), shut the F-ports connected to NPIV capable hosts, and then disable the NPIV feature. After the upgrade or downgrade is complete, enable the NPIV feature and up the F-ports.
switch(config)# npiv enable
switch(config)# interface fc2/1
switch(config-if)# switchport mode F
switch(config-if)# no shutdown
Configure the NPIV core switch port as an F port.
Changes Admin status to bring up the interfaces
switch(config)# npv enable
Enables NPV mode on a NPV device (module, Cisco MDS 9124 or Cisco MDS 9134 Fabric Switch). The module or switch is rebooted, and when it comes back up, is in NPV mode.
Note A write-erase is performed during the reboot.
switch(config)# interface fc1/1
switch(config-if)# switchport mode NP
switch(config-if)# no shutdown
On the NPV device, select the interfaces that will be connected to the aggregator switch and configure them as NP ports.
By grouping devices into different NPV sessions based on VSANs, it is possible to support multiple VSANs at the NPV-enabled switch. The correct uplink must be selected based on the VSAN(s) that the uplink can carry.
Issues I have seen with NPIV
- HP Virtual Connect does not load balance between the ports; frames
might get lost if there are multiple connections.
- A few bugs on the Cisco side:
CSCsk96105
Symptom: If you upgrade to Cisco SAN-OS Release 3.2(2c) from a lower version, or downgrade from Cisco SAN-OS Release 3.2(2c) to a lower version on an MDS 9124 switch, MDS 9134 switch, Cisco Fabric Switch for HP c-Class BladeSystem, or a Cisco Fabric Switch for IBM BladeCenter, zoning may not work as configured for the F ports connected to NPIV-capable hosts.
Workaround: This issue is resolved.
CSCsk00953
Symptom: HP Blade Servers that are connected through an HP Virtual Connect (VC) FC module to a Cisco Fabric Switch for HP c-Class BladeSystem using NPIV lose access to LUNs when load balancing on the VC module is switched from 16:1 to 8:1. When the load balancing ratio is 16:1, all servers connect through interface ext1. When the ratio is 8:1, servers 1 and 3 connect through ext1, servers 2 and 4 connect through ext2, and so on. Servers on ext2 are not affected by the switchover. In addition, packets might get dropped when the switchover occurs.
When more than 255 hosts log in to that VSAN, there may be an issue if all the ports are QLogic ports.
As guessed, each pWWN (of a QLogic HBA) belongs to the auto-area-oui list and consumes an entire area. After 255 hosts are brought up in VSAN 2, all 255 areas of domain 0x35 in VSAN 2 are used, so the FCID allocation fails.
From fcdomain P2.log.txt:
grep "ENTIRE AREA" tt | grep " 2 " | wc -l
254
Workaround as suggested in Jerome's case:
MDS9216I-86-SJ# show fcid company-id-from-wwn 50:06:0b:00:00:c2:62:10
Extracted oui: 0x0060B0
MDS9216I-86-SJ# config t
MDS9216I-86-SJ(config)# no fcid-allocation area company-id 0x0060B0
Shut all the hosts, or the hosts one by one, to clear that area ID.
purge fcdomain fcid vsan 2
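An added example (not from the original post or from Cisco): a Python sketch that parses output laid out like `show flogi database details`, counts the areas consumed per VSAN and domain by entire-area logins (flag A), and groups them by the OUI that `show fcid company-id-from-wwn` reports, so the company ID to take out of area allocation is visible before the 255-area limit is reached. It also lists F ports carrying several logins, the case where fWWN-based zoning cannot separate devices. The sample rows, the 80% warning threshold and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `show flogi database details`.
# Interfaces, FCIDs, WWNs and the alias are made up for this example.
SAMPLE = """\
INTERFACE  VSAN    FCID            PORT NAME               NODE NAME          FLAGS
fc1/1      2      0x350000  21:00:00:e0:8b:00:00:01  20:00:00:e0:8b:00:00:01  ADOP
fc1/2      2      0x350100  21:00:00:e0:8b:00:00:02  20:00:00:e0:8b:00:00:02  ADOP
fc1/3      2      0x350200  50:06:0b:00:00:c2:62:10  50:06:0b:00:00:c2:62:11  AO
fc1/4      2      0x350301  10:00:00:00:c9:00:00:04  20:00:00:00:c9:00:00:04
fc1/4      2      0x350302  10:00:00:00:c9:00:00:05  20:00:00:00:c9:00:00:05  V
                            [constructed_alias]
fc2/2      30     0xa00000  20:01:00:0d:ec:51:05:40  20:1e:00:0d:ec:51:05:41
Total number of flogi = 6.
"""

AREA_LIMIT = 255  # areas per domain, the figure used in the post

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
ROW = re.compile(
    rf"^(?P<intf>\S+)\s+(?P<vsan>\d+)\s+(?P<fcid>0x[0-9a-f]{{6}})\s+"
    rf"(?P<pwwn>{WWN})\s+(?P<nwwn>{WWN})(?:\s+(?P<flags>[A-Z]+))?\s*$",
    re.IGNORECASE,
)


def parse_flogi(text):
    """Return one dict per login row; headers, rules and alias lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["vsan"] = int(row["vsan"])
        row["fcid"] = int(row["fcid"], 16)
        row["flags"] = row["flags"] or ""  # the FLAGS column may be empty
        rows.append(row)
    return rows


def oui_from_wwn(wwn):
    """Company ID (OUI) carried inside a 64-bit WWN."""
    value = int(wwn.replace(":", ""), 16)
    naa = value >> 60
    if naa in (1, 2):   # IEEE / IEEE extended: OUI is bytes 2-4
        return (value >> 24) & 0xFFFFFF
    if naa == 5:        # IEEE registered: OUI follows the NAA nibble
        return (value >> 36) & 0xFFFFFF
    raise ValueError(f"unsupported NAA {naa} in {wwn}")


def area_usage(rows):
    """Per (vsan, domain): areas held by flag-A logins and login counts per OUI."""
    usage = defaultdict(lambda: {"areas": set(), "by_oui": defaultdict(int)})
    for r in rows:
        if "A" not in r["flags"]:
            continue  # port-level allocation, does not consume a whole area
        domain, area = r["fcid"] >> 16, (r["fcid"] >> 8) & 0xFF
        entry = usage[(r["vsan"], domain)]
        entry["areas"].add(area)
        entry["by_oui"][oui_from_wwn(r["pwwn"])] += 1
    return usage


def report(rows, warn_at=0.8):
    """One line per VSAN/domain; WARN once warn_at of the area limit is used."""
    lines = []
    for (vsan, domain), e in sorted(area_usage(rows).items()):
        used = len(e["areas"])
        state = "WARN" if used >= warn_at * AREA_LIMIT else "ok"
        ouis = ", ".join(f"0x{o:06X} x{n}" for o, n in sorted(e["by_oui"].items()))
        lines.append(
            f"vsan {vsan} domain 0x{domain:02x}: {used}/{AREA_LIMIT} areas [{state}] {ouis}"
        )
    return lines


def shared_f_ports(rows):
    """F ports with more than one login; all of them share one fWWN on the core."""
    per_port = defaultdict(list)
    for r in rows:
        per_port[(r["intf"], r["vsan"])].append(r["pwwn"])
    return {port: wwns for port, wwns in per_port.items() if len(wwns) > 1}


if __name__ == "__main__":
    parsed = parse_flogi(SAMPLE)
    print("\n".join(report(parsed)))
    for (intf, vsan), wwns in shared_f_ports(parsed).items():
        print(f"{intf} vsan {vsan}: {len(wwns)} logins behind one F port")
```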
identifier virtualization (NPIV), which allows a single Fibre Channel
HBA port to be assigned multiple Fibre Channel IDs. Under virtual
operating environments such as VMware, NPIV enables access control,
zoning, and port security to be configured for each virtual machine.
N Port virtualization (NPV) reduces the number of Fibre Channel domain IDs in SANs. Switches operating in the NPV mode do not join a fabric; rather, they pass traffic between NPV core switch links and end devices, which eliminates the domain IDs for these edge switches.

While NPV is similar to N port identifier virtualization (NPIV), it does not offer exactly the same functionality. NPIV provides a means to assign multiple FC IDs to a single N port, and allows multiple applications on the N port to use different identifiers. NPIV also allows access control, zoning, and port security to be implemented at the application level. NPV makes use of NPIV to get multiple FCIDs allocated from the core switch on the NP port.

NP Ports
An NP port (proxy N port) is a port on a device that is in NPV mode and connected to the NPV core switch using an F port. NP ports behave like N ports except that in addition to providing N port behavior, they also function as proxies for multiple, physical N ports.
NP Links
An NP link is basically an NPIV uplink to a specific end device. NP links are established when the uplink to the NPV core switch comes up; the links are terminated when the uplink goes down. Once the uplink is established, the NPV switch performs an internal FLOGI to the NPV core switch, and then (if the FLOGI is successful) registers itself with the NPV core switch's name server.
When an NP port comes up, the NPV device first logs itself in to the NPV core switch and sends a FLOGI request that includes the following parameters:
•The fWWN (fabric port WWN) of the NP port used as the pWWN in the internal login.
•The VSAN-based sWWN (switch WWN) of the NPV device used as nWWN (node WWN) in the internal FLOGI.
After completing its FLOGI request, the NPV device registers itself with the fabric name server using the following additional parameters:
•Switch name and interface name (for example, fc1/4) of the NP port is embedded in the symbolic port name in the name server registration of the NPV device itself.
•The IP address of the NPV device is registered as the IP address in the name server registration of the NPV device.
Note The BB_SCN of internal FLOGIs on NP ports is always set to zero. The BB_SCN is supported at the F-port of the NPV device.
lthough fWWN-based zoning is supported for NPV devices, it is not recommended because:
•Zoning is not enforced at the NPV device (rather, it is enforced on the NPV core switch).
•Multiple devices behind an NPV device log in via the same F port on the core (hence, they use same fWWN and cannot be separated into different zones).
•The same device might log in using different fWWNs on the core switch (depending on the NPV link it uses) and may need to be zoned using different fWWNs.
When you enable NPV, your system configuration is erased and the system is rebooted with NPV mode enabled
On the 91x4 platform, before you upgrade to 3.2(2b) or downgrade from 3.2(2b), shut the F-ports connected to NPIV capable hosts, and then disable the NPIV feature. After the upgrade or downgrade is complete, enable the NPIV feature and up the F-ports.
switch(config)# npiv enable
switch(config)# interface fc2/1
switch(config-if)# switchport mode F
switch(config-if)# no shutdown
Configure the NPIV core switch port as an F port.
Changes Admin status to bring up the interfaces
switch(config)# npv enable
Enables NPV mode on a NPV device (module, Cisco MDS 9124 or Cisco MDS 9134 Fabric Switch). The module or switch is rebooted, and when it comes back up, is in NPV mode.
Note A write-erase is performed during the reboot.
switch(config)# interface fc1/1
switch(config-if)# switchport mode NP
switch(config-if)# no shutdown
On the NPV device, select the interfaces that will be connected to the aggregator switch and configure them as NP ports.
By grouping devices into different NPV sessions based on VSANs, it is possible to support multiple VSANs at the NPV-enabled switch. The correct uplink must be selected based on the VSAN(s) that the uplink can carry.
Issues I have seen with NPIV
- HP Virtual Connect does not load balance between the ports, the frames
might get lost, if there are multiple connections.
- Few Bugs on Cisco side,
CSCsk96105
Symptom: If you upgrade to Cisco SAN-OS Release 3.2(2c) from a lower version, or downgrade from Cisco SAN-OS Release 3.2(2c) to a lower version on an MDS 9124 switch, MDS 9134 switch, Cisco Fabric Switch for HP c-Class BladeSystem, or a Cisco Fabric Switch for IBM BladeCenter, zoning may not work as configured for the F ports connected to NPIV-capable hosts.
Workaround: This issue is resolved.
CSCsk00953
Symptom: HP Blade Servers that are connected through an HP Virtual Connect (VC) FC module to a Cisco Fabric Switch for HP c-Class BladeSystem using NPIV lose access to LUNs when load balancing on the VC module is switched from 16:1 to 8:1. When the load balancing ratio is 16:1, all servers connect through interface ext1. When the ratio is 8:1, servers 1 and 3 connect through ext1, servers 2 and 4 connect through ext2, and so on. Servers on ext2 are not affected by the switchover. In addition, packets might get dropped when the switchover occurs.
When more than 255 hosts are logged into that VSAN, there may be an issue if all the ports are QLogic ports.
As guessed, each pwwn (of a QLogic HBA) belongs to the auto-area-oui list and consumes an entire area. After 255 hosts are brought up in vsan 2, all 255 areas of domain 0x35 in vsan 2 are used, so the fcid allocation fails.
From fcdomain P2.log.txt:
grep "ENTIRE AREA" tt | grep " 2 " | wc -l
254
Workaround as suggested in Jerome's case:
MDS9216I-86-SJ# show fcid company-id-from-wwn 50:06:0b:00:00:c2:62:10
Extracted oui: 0x0060B0
MDS9216I-86-SJ# config t
MDS9216I-86-SJ(config)# no fcid-allocation area company-id 0x0060B0
Shut all the hosts, or shut the hosts one by one, to clear that area id.
purge fcdomain fcid vsan 2
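The company-id lookup and the area arithmetic above can be reproduced offline. This is an added example, not part of the original notes or of any Cisco tool: oui_from_wwn mirrors what "show fcid company-id-from-wwn" printed for the WWN above, and area_usage counts how many logged-in pWWNs would each take an entire area. The 255-area limit is the figure from these notes; the second and third sample pWWNs are constructed.

```python
from collections import Counter

AREA_LIMIT = 255  # areas per domain, the figure used in the notes above

def oui_from_wwn(wwn):
    """Return the 24-bit company id (OUI) embedded in an 8-byte WWN."""
    raw = bytes.fromhex(wwn.replace(":", ""))
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}: {wwn}")
    naa = raw[0] >> 4          # top nibble selects the WWN layout
    if naa in (1, 2):          # IEEE / IEEE extended: OUI is bytes 2..4
        return int.from_bytes(raw[2:5], "big")
    if naa == 5:               # IEEE registered: OUI follows the NAA nibble
        return (int.from_bytes(raw[:4], "big") >> 4) & 0xFFFFFF
    raise ValueError(f"unsupported NAA {naa} in {wwn}")

def area_usage(pwwns, area_ouis, limit=AREA_LIMIT):
    """Count hosts per area-allocated OUI and the areas left in the domain.

    Only hosts whose OUI is in area_ouis are counted, one whole area each;
    hosts that share areas are ignored (simplification of this example).
    """
    per_oui = Counter(o for o in map(oui_from_wwn, pwwns) if o in area_ouis)
    return per_oui, limit - sum(per_oui.values())

SAMPLE_PWWNS = [
    "50:06:0b:00:00:c2:62:10",  # WWN from the notes above
    "50:06:0b:00:00:c2:62:12",  # constructed
    "10:00:00:00:c9:12:34:56",  # constructed
]

if __name__ == "__main__":
    usage, left = area_usage(SAMPLE_PWWNS, {0x0060B0})
    for oui, hosts in usage.items():
        print(f"oui 0x{oui:06X}: {hosts} entire areas")
    print(f"areas left in domain: {left}")
```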
Pending topics to add
Case notes:
NPIV
SME
Port stuck in initializing mode
hardware issues - PLOGI getting Lost
IVR and interop
Install /upgrade issues.
Zone Activation issues, Zone merge issues.
Fabric manager and Performance Manager
Ficon Configs.
Mismatch of Interop and IVR virtual domain add
SSM issues.
IVR Service Groups
Best Practices for Zone.
IPSEC
Basic FCIP setup:
(14+2 card)
interface GigabitEthernet9/2
no shutdown
ip address 10.10.10.2 255.255.255.0
fcip profile 1
ip address 10.10.10.2
interface fcip1
no shutdown
no channel-group auto
use-profile 1
peer-info ipaddr 10.10.10.1
On 9216i:
interface fcip1
no shutdown
use-profile 1
peer-info ipaddr 10.10.10.2
fcip profile 1
ip address 10.10.10.1
interface GigabitEthernet1/16 (1/2 in newer code)
ip address 10.10.10.1 255.255.255.0
no shutdown
Zone merge failed
Looked at the zone on vsan 1 in 9509A:
MDS9509-B1# show zoneset active v 1
zoneset name zs1 vsan 1
zone name zone1 vsan 1
attribute qos priority high
pwwn 10:10:10:10:10:10:10:10
zone name test2 vsan 1
interface fc1/3 swwn 20:00:00:05:30:00:24:1e
zone name chip vsan 1
interface fc1/2 swwn 20:00:00:05:30:00:24:1e
interface fc1/5 swwn 20:00:00:05:30:00:24:1e
So enable qos on the 9216i, then shut/no shut fcip1, and the
zones merged fine.
---------
Step II security:
9509B:
MDS9509-B1(config)# crypto ike enable
MDS9509-B1(config)# crypto ike domain ipsec
MDS9509-B1(config-ike-ipsec)# initiator version 1 address 10.0.0.1
MDS9509-B1(config-ike-ipsec)# key cisco address 10.0.0.1
MDS9509-B1(config)# crypto ike domain ipsec
MDS9509-B1(config)# crypto ipsec enable
MDS9509-B1(config)# ip access-list acl1 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
MDS9509-B1(config)# crypto transform-set domain ipsec aes-xcbc esp-aes 128 esp-aes-xcbc-mac
MDS9509-B1(config)# crypto transform-set domain ipsec 3des-md5 esp-3des esp-md5-hmac
MDS9509-B1(config)# crypto map domain ipsec cm1 1
MDS9509-B1(config-(crypto-map-ip))# set peer 10.10.10.1
MDS9509-B1(config-(crypto-map-ip))# match address acl1
MDS9509-B1(config-(crypto-map-ip))# set transform-set aes-xcbc 3des-md5
MDS9509-B1(config-(crypto-map-ip))# exit
MDS9509-B1(config)# interface gigabitethernet 9/2
MDS9509-B1(config-if)# crypto map domain ipsec cm1
Did the same on the 9216i, except that the peer is 10.10.10.2 and the crypto map is applied to interface gi 1/16 (newer
SAN-OS code treats the same interface as gige 1/2).
-------------------------------
show commands:
MDS9216i# show crypto sad domain ipsec
interface: GigabitEthernet1/16
Crypto map tag: cm1, local addr. 10.10.10.1
protected network:
local ident (addr/mask): (10.10.10.0/255.255.255.0)
remote ident (addr/mask): (10.10.10.0/255.255.255.0)
current_peer: 10.10.10.2
local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
mode: tunnel, crypto algo: esp-aes-128-cbc, auth algo: esp-aes-xcbc-mac
current outbound spi: 0x4827c082 (1210564738), index: 16
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000
current inbound spi: 0x90c7011 (151810065), index: 16
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000
MDS9509-B1# show crypto sad domain ipsec interface gigabitethernet 9/2
interface: GigabitEthernet9/2
Crypto map tag: cm1, local addr. 10.10.10.2
protected network:
local ident (addr/mask): (10.10.10.0/255.255.255.0)
remote ident (addr/mask): (10.10.10.0/255.255.255.0)
current_peer: 10.10.10.1
local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.10.10.1
mode: tunnel, crypto algo: esp-aes 128, auth algo: esp-aes-xcbc-mac
current outbound spi: 0x90c7011 (151810065), index: 128
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000
current inbound spi: 0x4827c082 (1210564738), index: 129
lifetimes in seconds:: 3600
lifetimes in bytes:: 4718592000
---------
MDS9216i(config-ike-ipsec)# key cisco address ?
Peer IP address
MDS9216i(config-ike-ipsec)# key cisco address 10.10.10.2
MDS9216i(config-ike-ipsec)# policy 10
MDS9216i(config-ike-ipsec-policy)# exit
-------
MDS9509-B1(config)# crypto ike domain ipsec
MDS9509-B1(config-ike-ipsec)# key cisco address 10.10.10.1
MDS9509-B1(config-ike-ipsec)# policy 10
MDS9509-B1(config-ike-ipsec-policy)# exit
MDS9216i# show crypto ike domain ipsec initiator
initiator address 10.10.10.2 mode 0
MDS9509-B1# show crypto ike domain ipsec initiator
initiator version 1 address 10.0.0.1
initiator version 1 address 10.10.10.1
MDS9216i# show crypto ike domain ipsec sa
Tunn Local Addr Remote Addr Encr Hash Auth Method Lifetime
-------------------------------------------------------------------------------
41 10.10.10.1[500] 10.10.10.2[500] 3des sha preshared key 3600
Tunn Local Addr Remote Addr Encr Hash Auth Method Lifetime
-------------------------------------------------------------------------------
9 10.10.10.2[500] 10.10.10.1[500] 3des sha1 preshared key 3600
MDS9509-B1#
MDS9509-B1# crypto ike domain ipsec rekey sa 9
CMI request failed (Rekeying not supported for an IKEv1 tunnel)
MDS9216i# crypto ike domain ipsec rekey sa 41
CMI request failed (not supported)
----------
Compression/WA/TA
MDS9509-B1(config)# interface fcip 1
MDS9509-B1(config-if)# write-accelerator
MDS9509-B1(config-if)# write-accelerator tape-accelerator
MDS9509-B1(config-if)# ip-compression ?
mode1 Fast compression for high bandwidth links
mode2 Moderate compression for medium bandwidth links
mode3 High compression for low bandwidth links
MDS9509-B1(config-if)# ip-compression mode1
MDS9509-B1(config-if)# shut
MDS9509-B1(config-if)# no shut
MDS9509-B1(config-if)# exit
MDS9509-B1# show int fcip1
fcip1 is down (Link failure or not-connected)
Write acceleration mode is on
Tape acceleration mode is on
Tape Accelerator flow control buffer size is automatic
IP Compression is enabled and set for mode1
And other switch:
show interface fcip1
fcip1 is down (Link failure or not-connected)
Hardware is GigabitEthernet
Port WWN is 20:14:00:0d:ec:0c:a9:00
Admin port mode is auto, trunk mode is on
-----------
So disable write acceleration, tape acceleration and IP compression:
MDS9509-B1# show interface fcip1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 22:15:00:05:30:00:24:5e
Peer port WWN is 20:14:00:0d:ec:0c:a9:00
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1,20,100-102,105,200,500)
Trunk vsans (operational) (1)
Trunk vsans (up) ()
Trunk vsans (isolated) (20,100-102,105,200,500)
Trunk vsans (initializing) (1)
Using Profile id 1 (interface GigabitEthernet9/2)
Peer Information
Peer Internet address is 10.10.10.1 and port is 3225
FCIP tunnel is protected by IPSec
----------------
vsan is 1
Using Profile id 1 (interface GigabitEthernet1/16)
Peer Information
Peer Internet address is 10.10.10.2 and port is 3225
Write acceleration mode is on
Tape acceleration mode is on
Tape Accelerator flow control buffer is 256 KBytes
IP Compression is enabled and set for higher through put
IP Compression is enabled and set for higher compression ratio
The 9216i runs an older version of code that does not have mode1/mode2:
MDS9216i(config-if)# ip-compression ?
high-comp-ratio Higher ratio slower compression
high-throughput Lower ratio faster compression
------
Upgrading to the same version
--
After the upgrade, the 9216i GigE interface became GigabitEthernet 1/2 instead
of gig 1/16. Even though 10.10.10.1 was not in the running config, when I tried to
give gig 1/2 the address 10.10.10.1, it failed saying that the config was already given.
So I did a write erase and recopied the config to the running config. copy r s.
Then applied crypto and ip to gig 1/2.
------
interface GigabitEthernet1/2
no shutdown
ip address 10.10.10.1 255.255.255.0
crypto map domain ipsec cm1
-----
MDS9216i# show int fcip 1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 20:14:00:0d:ec:0c:a9:00
Peer port WWN is 22:15:00:05:30:00:24:5e
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1)
Trunk vsans (operational) (1)
Trunk vsans (up) (1)
Trunk vsans (isolated) ()
Trunk vsans (initializing) ()
Using Profile id 1 (interface GigabitEthernet1/2)
Peer Information
Peer Internet address is 10.10.10.2 and port is 3225
FCIP tunnel is protected by IPSec
Write acceleration mode is off
Tape acceleration mode is off
Tape Accelerator flow control buffer size is automatic
IP Compression is disabled
Special Frame is disabled
Maximum number of TCP connections is 2
kickstart: version 2.0(1) [build 2.0(0.200)]
system: version 2.0(1) [build 2.0(0.200)]
----
MDS9509-B1# show int fcip 1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 22:15:00:05:30:00:24:5e
Peer port WWN is 20:14:00:0d:ec:0c:a9:00
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1,20,100-102,105,200,500)
Trunk vsans (operational) (1)
Trunk vsans (up) (1)
Trunk vsans (isolated) (20,100-102,105,200,500)
Trunk vsans (initializing) ()
Using Profile id 1 (interface GigabitEthernet9/2)
Peer Information
Peer Internet address is 10.10.10.1 and port is 3225
FCIP tunnel is protected by IPSec
Write acceleration mode is off
Tape acceleration mode is off
Tape Accelerator flow control buffer size is automatic
IP Compression is disabled
Special Frame is disabled
Maximum number of TCP connections is 2
------------
Look at the line "FCIP tunnel is protected by IPSec" in the output above.
-----
MDS9509-B1(config)# interface fcip 1
MDS9509-B1(config-if)# ip-compression mode1
MDS9216i# show int fcip 1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 20:14:00:0d:ec:0c:a9:00
Peer port WWN is 22:15:00:05:30:00:24:5e
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1)
Trunk vsans (operational) (1)
Trunk vsans (up) ()
Trunk vsans (isolated) ()
Trunk vsans (initializing) (1)
Using Profile id 1 (interface GigabitEthernet1/2)
Peer Information
Peer Internet address is 10.10.10.2 and port is 3225
FCIP tunnel is protected by IPSec
Write acceleration mode is off
Tape acceleration mode is off
Tape Accelerator flow control buffer size is automatic
IP Compression is enabled and set for mode1
MDS9509-B1# show interface fcip 1
fcip1 is trunking
Hardware is GigabitEthernet
Port WWN is 22:15:00:05:30:00:24:5e
Peer port WWN is 20:14:00:0d:ec:0c:a9:00
Admin port mode is auto, trunk mode is on
Port mode is TE
vsan is 1
Trunk vsans (allowed active) (1,20,100-102,105,200,500)
Trunk vsans (operational) (1)
Trunk vsans (up) (1)
Trunk vsans (isolated) (20,100-102,105,200,500)
Trunk vsans (initializing) ()
Using Profile id 1 (interface GigabitEthernet9/2)
Peer Information
Peer Internet address is 10.10.10.1 and port is 3225
FCIP tunnel is protected by IPSec
Write acceleration mode is off
Tape acceleration mode is off
Tape Accelerator flow control buffer size is automatic
IP Compression is enabled and set for mode1
----------------------
FCIP secure and compression on:
9216i:
ip access-list acl1 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
fcip enable
crypto ike enable
crypto ike domain ipsec
policy 10
key cisco address 10.10.10.2
fcip profile 1
ip address 10.10.10.1
crypto ipsec enable
crypto transform-set domain ipsec 3des-md5 esp-3des esp-md5-hmac
crypto transform-set domain ipsec aes-xcbc esp-aes 128 esp-aes-xcbc-mac
crypto map domain ipsec cm1 1
set peer 10.10.10.2
match address acl1
set transform-set aes-xcbc 3des-md5
interface fcip1
no shutdown
use-profile 1
peer-info ipaddr 10.10.10.2
ip-compression 1
interface GigabitEthernet1/2
no shutdown
ip address 10.10.10.1 255.255.255.0
crypto map domain ipsec cm1
------------
9509A:
ip access-list acl1 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
fcip enable
crypto ike enable
crypto ike domain ipsec
policy 1
policy 10
key cisco address 10.0.0.1
key cisco address 10.10.10.1
initiator version 1 address 10.0.0.1
initiator version 1 address 10.10.10.1
fcip profile 1
ip address 10.10.10.2
crypto ipsec enable
crypto transform-set domain ipsec 3des-md5 esp-3des esp-md5-hmac
crypto transform-set domain ipsec aes-xcbc esp-aes 128 esp-aes-xcbc-mac
crypto map domain ipsec cm1 1
set peer 10.10.10.1
match address acl1
set transform-set aes-xcbc 3des-md5
interface fcip1
no shutdown
no channel-group auto
use-profile 1
peer-info ipaddr 10.10.10.1
ip-compression 1
interface GigabitEthernet9/2
no shutdown
ip address 10.10.10.2 255.255.255.0
crypto map domain ipsec cm1
==================================
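As an added example (not part of the original notes and not Cisco tooling), the Python below cross-checks the two "show crypto sad domain ipsec" captures above, confirming that the endpoints mirror each other and that each side's outbound SPI is the peer's inbound SPI, and then lists crypto maps that still offer a weak transform set as a fallback. Treating esp-3des and esp-md5-hmac as weak, and treating "esp-aes 128" and "esp-aes-128-cbc" as two spellings of one cipher, are assumptions of this example.

```python
import re

# "show crypto sad domain ipsec" output from this page, trimmed to the parsed lines.
SAD_9216I = """\
local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
mode: tunnel, crypto algo: esp-aes-128-cbc, auth algo: esp-aes-xcbc-mac
current outbound spi: 0x4827c082 (1210564738), index: 16
current inbound spi: 0x90c7011 (151810065), index: 16
"""
SAD_9509 = """\
local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.10.10.1
mode: tunnel, crypto algo: esp-aes 128, auth algo: esp-aes-xcbc-mac
current outbound spi: 0x90c7011 (151810065), index: 128
current inbound spi: 0x4827c082 (1210564738), index: 129
"""
# Crypto lines from the 9216i configuration on this page.
CONFIG_9216I = """\
crypto transform-set domain ipsec 3des-md5 esp-3des esp-md5-hmac
crypto transform-set domain ipsec aes-xcbc esp-aes 128 esp-aes-xcbc-mac
crypto map domain ipsec cm1 1
set peer 10.10.10.2
match address acl1
set transform-set aes-xcbc 3des-md5
"""
FIELDS = {
    "local": r"local crypto endpt\.:\s*(\S+?),",
    "remote": r"remote crypto endpt\.:\s*(\S+)",
    "mode": r"mode:\s*(\w+)",
    "encr": r"crypto algo:\s*([^,]+),",
    "auth": r"auth algo:\s*(\S+)",
    "out_spi": r"current outbound spi:\s*(0x[0-9a-fA-F]+)",
    "in_spi": r"current inbound spi:\s*(0x[0-9a-fA-F]+)",
}
WEAK = {"esp-3des", "esp-md5-hmac"}  # assumption of this example: treat as weak

def parse_sad(text):
    """Extract endpoints, algorithms and SPIs from one SAD entry."""
    sa = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"missing field {name!r} in SAD output")
        sa[name] = m.group(1).strip()
    sa["out_spi"], sa["in_spi"] = int(sa["out_spi"], 16), int(sa["in_spi"], 16)
    return sa

def norm_cipher(name):
    """Fold 'esp-aes 128' and 'esp-aes-128-cbc' into one spelling (assumption)."""
    name = re.sub(r"[\s-]+", "-", name.strip().lower())
    return name[:-4] if name.endswith("-cbc") else name

def check_pair(a, b):
    """Return a list of mismatches between the two peers' SAD entries."""
    findings = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("endpoints do not mirror each other")
    if (a["out_spi"], a["in_spi"]) != (b["in_spi"], b["out_spi"]):
        findings.append("SPIs do not pair up")
    findings += [f"{s['local']}: mode {s['mode']}" for s in (a, b) if s["mode"] != "tunnel"]
    if norm_cipher(a["encr"]) != norm_cipher(b["encr"]) or a["auth"] != b["auth"]:
        findings.append("negotiated algorithms differ")
    return findings

def weak_offers(config):
    """Return {crypto map: [weak transform sets it still offers]}."""
    lines = [l.split() for l in config.splitlines()]
    sets = {w[4]: set(w[5:]) for w in lines
            if w[:4] == ["crypto", "transform-set", "domain", "ipsec"] and len(w) > 4}
    offers, current = {}, None
    for w in lines:
        if w[:4] == ["crypto", "map", "domain", "ipsec"] and len(w) > 4:
            current = w[4]
        elif w[:2] == ["set", "transform-set"] and current:
            weak = [n for n in w[2:] if sets.get(n, set()) & WEAK]
            if weak:
                offers.setdefault(current, []).extend(weak)
    return offers

if __name__ == "__main__":
    print(check_pair(parse_sad(SAD_9216I), parse_sad(SAD_9509)) or "SA pair consistent")
    print("weak fallback offers:", weak_offers(CONFIG_9216I))
```

The SA pair on this page negotiated AES, but crypto map cm1 still lists 3des-md5 after aes-xcbc, which is what weak_offers reports.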