Tag Archives: brocade

Brocade Distinguished Architect

Since I’ve been working in the IT business for quite some time, and especially have been focusing on the storage side of the fence, I thought I’d put my knowledge to the test and try to get some personal satisfaction (if I succeeded, that is). I’ve never been a huge fan of vendor certifications, to be honest, but that is most likely due to the fact that some vendor certifications used to be overrated. I can recall the Microsoft Certified System Engineer track which, back then in the late 90’s and early 2000, was a certificate that was on the “to-have” list of every engineer simply because you almost certainly got short-listed on every job application out there, but certainly not due to the level of knowledge you needed to have to pass these tests. I had quite a few of these guys who spent 2 weeks on a crash-course boot-camp and passed the MCSE exam who really fell off a cliff as soon as I let them administer a 500 server and 2000 client Windows NT/2000/2003 environment (back then this was a fairly beefy environment; nowadays it’s pretty common to have this in SMB environments as well). The MCSE “New Style” has completely replaced the old certification path and you need some deep knowledge and a fair couple of years with your feet on the data-centre floor before you’ll be able to pass the tests.

Let me make one thing very clear:

If you haven’t worked in an environment with the equipment, software, procedures and policies you are trying to obtain a certificate for, your accreditation is useless.

Upgrade FOS leads to fabric segmentation.

I ran into this in my lab when upgrading a switch which caused a fabric-segmentation and obviously the release notes of a previous version show:

Other Important Notes and Recommendations
Management Server Platform Capability support changes in FOS v6.4
FOS v6.4 no longer automatically enables the Management Server (MS) Platform capability when a switch attempts to join a fabric that has these services enabled. This prevents a FOS v6.4 switch from joining such a fabric, and ISL will be disabled with a RAS log message. To allow a FOS v6.4 switch to join such fabrics msPlMgmtActivate command should be used to enable the Management Server platform services explicitly.

Management Security in Brocade FOS

If you’re in my business of looking at logfiles to determine what’s going on or what has happened, one of the most annoying, and frightening, things to see is a sheer amount of failed login attempts. In most cases these are simply genuine mistakes where a lingering management application or forgotten script is still trying to log in to obtain one piece of information or another out of the switch/fabric. The SAN switches are often well inside the datacentre management firewalls, so attacks from outside the company are less likely to occur. However, when looking at security statistics over the last decade or so, it turns out that threats are more likely to originate from inside the company boundaries: employees mucking around with tools like nmap, MITM software like Cain & Abel, or even an entire Kali Linux distro hooked up to the network “just to see what it does because a mate of mine recommended it”. In 99.999% of all install bases I looked at, the normal embedded username/password mechanism is used for authentication and authorisation. This also means that if security management is not configured on these switches, a not-so-good Samaritan is able to use significant brute-force tactics to try and obtain access to these switches without anyone knowing. When using an external authentication mechanism like LDAP or TACACS+, chances are there are some monitoring procedures in place which monitor and alert on these kinds of symptoms. However, the main issue is that the attack has already occurred and there is no mechanism to prevent these sorts of attacks on a level that really protects the switch. It is fairly simple to overload a switch with authentication attempts by firing off thousands of SSH, telnet and HTTP(S) sessions (which is easily done from any reasonably priced laptop these days with a Linux distro like Kali installed), thereby crippling the poor e500 CPU on the CP. This can have significant ramifications for overall fabric services in that switch, which can bring down a storage network. Now, obviously there is a mechanism to try and prevent this via iptables, however there are a number of drawbacks.

FabricWatch FW-1050 alerts on SFP power failures

Whenever you see FabricWatch throw a lot of FW-1050 warning messages around, indicating an out-of-boundary power value on SFPs, it is most likely that these ports have never been polled by the CPs.

2014/10/08-04:04:27, [FW-1050], 94159, SLOT 5 | FID 128, WARNING, xxxxxx, Sfp Supply Voltage for port 7/13, is below low boundary(High=3630, Low=2970). Current value is 0 mV.
2014/10/08-04:04:27, [FW-1050], 94160, SLOT 5 | FID 128, WARNING, xxxxxx, Sfp Supply Voltage for port 7/15, is below low boundary(High=3630, Low=2970). Current value is 0 mV.
2014/10/08-04:04:27, [FW-1050], 94161, SLOT 5 | FID 128, WARNING, xxxxxx, Sfp Supply Voltage for port 7/20, is below low boundary(High=3630, Low=2970). Current value is 0 mV.
2014/10/08-04:04:27, [FW-1050], 94162, SLOT 5 | FID 128, WARNING, xxxxxx, Sfp Supply Voltage for port 7/22, is below low boundary(High=3630, Low=2970). Current value is 0 mV.
2014/10/08-04:04:27, [FW-1050], 94163, SLOT 5 | FID 128, WARNING, xxxxxx, Sfp Supply Voltage for port 7/28, is below low boundary(High=3630, Low=2970). Current value is 0 mV.
2014/10/08-04:04:27, [FW-1050], 94164, SLOT 5 | FID 128, WARNING, xxxxxx, Sfp Supply Voltage for port 7/30, is below low boundary(High=3630, Low=2970). Current value is 0 mV.

On a normally operational port FOS will poll the SFPs every now and then to check on various things. This includes the usual SFP inventory like serial number, vendor ID, SFP capabilities etc. Additional things that are checked are the TX and RX power levels, voltage and current being used on that particular SFP.

8 – Quality of Service

Historically the need to segregate Fibre Channel traffic and have the option to prioritize frames and flows has not been high on the design agenda of most of the companies I had under my eyes. Most often, if the need is there to differentiate between different levels of importance between the various business applications, you’ll see that additional equipment is purchased and the topologies are adjusted as needed. This obviously works well; however, when the ratio of capex vs opex is out of balance but the business still retains the need for your applications to be separated in order of criticality, you need to consider other options. As in the IP networking world, Fibre Channel has a similar functionality which has been in the FC standards for a long time but has only recently been introduced by some vendors.

7 – Fabric Security

This topic is hardly ever touched when fabric designs are developed and discussed among storage engineers, but for me this always sits on my TODO list before hooking up any HBA or array port. It is as important in the storage world as it has been in the IP networking sector for decades. Historically the reasoning for not paying attention to this topic was that the SAN was always deeply embedded in tightly controlled data-centres with strict access policies. Additionally, the use of fibre-optics and architectures that are relatively complex to the storage uninitiated devalued, unfairly, the necessity of implementing security policies even more.

Let me make one thing clear: being able to gain access to a storage infrastructure is like finding the holy grail for archaeologists. If no storage infrastructure security is implemented it will allow you to obtain ALL data for good or bad purposes, but even worse, it also allows the uninvited guest to corrupt and destroy it. In this chapter I will outline some of the procedures I consider a MUST and some which you REALLY should take a good look at and, if possible, implement.

RFE for Brocade FOS

There is already a fair chunk of functionality in FOS but, being a support engineer, you always come up with features and functions that will improve storage fabrics.

Being on a FICON course last week and meeting some Brocade friends, I asked them to add the following to the (most likely) long RFE (Request for Enhancement) list.