Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

Brocade SAN Switch preparation

FOS REST API function calls are permitted or denied based on user privilege configurations determined by the role-based access control (RBAC) functionality in Fabric OS.
Implementing the following changes to your Brocade switches will not interrupt system operation or compromise performance.
Rest assured, these adjustments can be safely applied even on your running productive system.

Brocade REST API is supported on SAN switches running Fabric OS 8.2.1 and later but we recommend to use FOS 9 and higher. All switches running earlier versions cannot be monitored by BVQ! (see Supported Brocade systems).

Brocade SAN Switch User

For switches running FOS 9, the user needs at least the permissions of the default role basicswitchadmin.
For switches running FOS 8.2.x, the user needs at least the permissions of the default role admin.
For all versions, there is no support for default switch role user, because it has no permission to observe the RBAC class configure, that BVQ needs to gather information about the switch configuration.

Depending on the specific FOS level, the following user has to be added on each and every switch you want to scan:

Add BVQ user via FOS CLI (switches with VF)
FOS 9.x:
userconfig --add bvq -r basicswitchadmin -c basicswitchadmin -l 1-128 -h 128 -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq
> <final_password>

FOS 8.2.x:
userconfig --add bvq -r admin -c admin -l 1-128 -h 128 -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq 
> <final_password>
Add BVQ user via FOS CLI (switches without VF)
FOS 9.x:
userconfig --add bvq -r basicswitchadmin -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq
> <final_password>

FOS 8.2.x:
userconfig --add bvq -r admin -d "BVQ Scanner User" -p ChangeMeP@ssw0rd 
passwd bvq 
> <final_password>

Increase Rest sessions

It is also an essential requirement to increase the number of allowed REST sessions to 10 on each switch in the fabric. This adjustment is a necessary step to ensure efficient operation.

Increase the number of allowed Rest sessions to 10
mgmtapp --config -maxrestsession 10

mgmtapp --show
REST Configuration:
Interface State: Enabled
Effective Protocol: HTTPS only
HTTP State: Enabled
Session Count: 10
Throttling Configurations:
Sample Requests : 120
Sample Time (in sec) : 30
Idle Time (in sec) : 3

Gather information for BVQ Scanner configuration

Unlike BVQ versions prior to 2023.H1 where Brocade scanner configurations had to be configured for each virtual fabric, now only one scanner configuration per SAN is required. All switches that belong to the same fabric or are reachable by any virtual fabric on one of those switches will be detected and configured in a single scanner configuration. The switch IP used to discover the SAN must be one that has virtual fabrics feature in enabled - unless none of the switches in the fabric support this feature or have it enabled.

Switches in access gateway mode are not part of the fabric, and hence, have to be added to the configuration manually.

BVQ scanner configurations need the following input:

  • Switch IP address or DNS name of one switch in the SAN. This does not need to be the principal but must be one that has virtual fabrics enabled if any of the switches in the SAN are using this feature.
  • Protocol - http or https
  • Switch username and password
  • Port number (if not default)
  • SSL / HTTPS certificate handling

    Add BVQ user via FOS CLI (switches without VF)
    seccertmgmt show -cert https

    If you want to enable the BVQ Scanner Switch Check SSL certificate, you need to install a non-self-signed certificate on the switch.

Note:

If switches or virtual fabrics are added to or removed from the SAN, the scanner configuration needs to be adjusted manually. Edit the scanner configuration and select "Discover switches" to rediscover the SAN.




Cisco SAN preparation

BVQ 2022.H2.1 and higher

BVQ collects topology and performance data from Cisco MDS switches using the Cisco MDS NX-API. This feature needs to be enabled on all Cisco MDS switches that should be monitored by BVQ.

Enable nxapi
switch# show feature
Feature Name         Instance State
-------------------- -------- -----
...
nxapi                1        disabled
...

switch# conf t
switch(config)# feature nxapi

switch# show feature
Feature Name         Instance State
-------------------- -------- -----
...
nxapi                1        enabled
...

Cisco SAN Switch User

The following user has to be added on each and every switch you want to scan:

Add BVQ User via CLI
cisco-BVQ-1# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
cisco-BVQ-1(config)# role name bvq-role
cisco-BVQ-1(config-role)# description Monitoring role for BVQ
cisco-BVQ-1(config-role)# rule 1 permit show
cisco-BVQ-1(config-role)# exit
cisco-BVQ-1(config)# role show
cisco-BVQ-1(config)# show role
Role: bvq-role
  Description: Monitoring role for BVQ
  Vsan policy: permit (default)
  -------------------------------------------------
  Rule    Type    Command-type    Feature
  -------------------------------------------------
  1       permit  show            *

cisco-BVQ-1(config)# username bvq-user password P@ssw0rd role bvq-role
cisco-BVQ-1(config)# exit
cisco-BVQ-1# show user-account
user:bvq-user
        this user account has no expiry date
        roles:bvq-role


copy and paste following commands
config terminal
role name bvq-role
description Monitoring role for BVQ
rule 1 permit show
exit
username bvq-user password P@ssw0rd role bvq-role
exit






  • No labels