FOS REST API function calls are permitted or denied based on user privilege configurations determined by the role-based access control (RBAC) functionality in Fabric OS.
Implementing the following changes on your Brocade switches does not interrupt switch operation or affect performance; they can be applied safely on a running production system.
The Brocade REST API is supported on SAN switches running Fabric OS 8.2.1 and later; we recommend FOS 9 or higher. Switches running earlier versions cannot be monitored by BVQ (see Supported Brocade systems).
Brocade SAN Switch User
For switches running FOS 9, the user needs at least the permissions of the default role basicswitchadmin.
For switches running FOS 8.2.x, the user needs at least the permissions of the default role admin.
For all versions, the default switch role user is not sufficient: it has no permission on the RBAC class configure, which BVQ needs in order to read the switch configuration.
Depending on the FOS level, and on whether Virtual Fabrics are enabled, add the following user on each and every switch you want to scan. The -p option only sets an initial password; set the final password interactively with passwd afterwards.

Switches with Virtual Fabrics enabled (the -l and -h options grant access to logical fabrics 1-128 with home logical fabric 128):

FOS 9.x:
userconfig --add bvq -r basicswitchadmin -c basicswitchadmin -l 1-128 -h 128 -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq
> <final_password>

FOS 8.2.x:
userconfig --add bvq -r admin -c admin -l 1-128 -h 128 -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq
> <final_password>

Switches without Virtual Fabrics:

FOS 9.x:
userconfig --add bvq -r basicswitchadmin -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq
> <final_password>

FOS 8.2.x:
userconfig --add bvq -r admin -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq
> <final_password>
Increase REST sessions
It is also essential to raise the number of allowed REST sessions to 10 on each switch in the fabric; without this, the scanner can run out of sessions. Configure and verify the setting with:
mgmtapp --config -maxrestsession 10
mgmtapp --show
REST Configuration:
        Interface State: Enabled
        Effective Protocol: HTTPS only
        HTTP State: Enabled
        Session Count: 10
        Throttling Configurations:
                Sample Requests : 120
                Sample Time (in sec) : 30
                Idle Time (in sec) : 3
Gather information for BVQ Scanner configuration
Unlike BVQ versions prior to 2023.H1, where a Brocade scanner configuration had to be created for each virtual fabric, only one scanner configuration per SAN is now required. All switches that belong to the same fabric, or that are reachable through any virtual fabric on one of those switches, are detected and configured in a single scanner configuration. The switch IP used to discover the SAN must belong to a switch with the Virtual Fabrics feature enabled, unless none of the switches in the fabric support or use this feature.
Switches in access gateway mode are not part of the fabric, and hence, have to be added to the configuration manually.
BVQ scanner configurations need the following input:
- IP address or DNS name of one switch in the SAN. This does not need to be the principal switch, but it must be one with Virtual Fabrics enabled if any switch in the SAN uses this feature.
- Protocol - http or https
- Switch username and password
- Port number (if not default)
SSL / HTTPS certificate handling
If you want to enable the option "Check SSL certificate" for a switch in the BVQ scanner configuration, the switch must present an HTTPS certificate that is not self-signed. Display the certificate currently installed on the switch with:
seccertmgmt show -cert https
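As an added example, not code from BVQ or Brocade, the following Python client exercises the two settings above from the client side: it performs the FOS REST API login, runs one fabric query and always logs out, so that a scanner never leaves one of the 10 REST sessions occupied on the switch, and it makes the TLS decision explicit, keeping certificate verification on unless the switch still presents a self-signed certificate. The paths /rest/login, /rest/logout and /rest/running/brocade-fabric/fabric-switch, the Custom_Basic token header and the application/yang-data+json media type are the documented FOS REST API behaviour; the host name, the credentials and every response of FakeSwitch are constructed for the offline run.

```python
# Added example (not BVQ's or Brocade's code): a minimal FOS REST API client showing the
# login -> requests -> logout handshake that makes the REST session limit matter, and the
# TLS choice a self-signed switch certificate forces. The transport is injectable, so the
# flow runs offline against the constructed FakeSwitch at the bottom.
import base64, json, ssl, urllib.parse, urllib.request

LOGIN_PATH, LOGOUT_PATH = "/rest/login", "/rest/logout"        # documented FOS REST paths
FABRIC_SWITCH_PATH = "/rest/running/brocade-fabric/fabric-switch"

def tls_context(verify_cert):
    """verify_cert=False is only needed while the switch presents a self-signed cert."""
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx

def urllib_transport(verify_cert):
    """Real transport: (method, url, headers, body) -> (status, headers, body bytes)."""
    ctx = tls_context(verify_cert)
    def send(method, url, headers, body=None):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    return send

class FosRestSession:
    """Each login occupies one REST session on the switch until logout or until the switch
    expires it, so logout always runs in __exit__, even when the caller's code raised."""
    def __init__(self, host, user, password, verify_cert=True, transport=None):
        self.base, self.user, self.password = "https://" + host, user, password
        self.token = None
        self.send = transport or urllib_transport(verify_cert)
    def login(self):
        creds = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
        status, headers, _ = self.send("POST", self.base + LOGIN_PATH,
                                       {"Authorization": "Basic " + creds})
        if status != 200:
            raise PermissionError(f"login failed with HTTP {status}")
        auth = headers.get("Authorization", "")       # FOS returns "Custom_Basic <token>"
        if not auth.startswith("Custom_Basic "):
            raise ValueError("no Custom_Basic token in login response")
        self.token = auth
        return auth
    def _headers(self):
        return {"Authorization": self.token, "Accept": "application/yang-data+json"}
    def get(self, path):
        status, _, body = self.send("GET", self.base + path, self._headers())
        if status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {status}")
        return json.loads(body)
    def logout(self):
        if self.token is not None:
            try:
                self.send("POST", self.base + LOGOUT_PATH, self._headers())
            finally:
                self.token = None                  # never reuse a token after logout
    def __enter__(self):
        self.login()
        return self
    def __exit__(self, *exc):
        self.logout()                              # frees the session slot on the switch

def fabric_switch_names(session):
    """A scanner-style query: user-friendly names of all switches in the fabric."""
    entries = session.get(FABRIC_SWITCH_PATH)["Response"]["fabric-switch"]
    return [e["switch-user-friendly-name"] for e in entries]

class FakeSwitch:
    """Constructed offline stand-in for a switch; every response below is test data."""
    TOKEN = "Custom_Basic t0k3n"
    def __init__(self):
        self.calls, self.open_sessions = [], 0
    def __call__(self, method, url, headers, body=None):
        path, auth = urllib.parse.urlsplit(url).path, headers.get("Authorization", "")
        self.calls.append(path)
        if path == LOGIN_PATH:
            if auth != "Basic " + base64.b64encode(b"bvq:secret").decode():
                return 401, {}, b""
            self.open_sessions += 1
            return 200, {"Authorization": self.TOKEN}, b""
        if auth != self.TOKEN:
            return 403, {}, b""
        if path == LOGOUT_PATH:
            self.open_sessions -= 1
            return 204, {}, b""
        data = {"Response": {"fabric-switch": [{"switch-user-friendly-name": "sw-a"},
                                               {"switch-user-friendly-name": "sw-b"}]}}
        return 200, {}, json.dumps(data).encode()

def demo():
    """Full flow against FakeSwitch plus one rejected login; returns what the test checks."""
    fake = FakeSwitch()
    with FosRestSession("switch.example", "bvq", "secret", transport=fake) as s:
        names = fabric_switch_names(s)
    try:
        FosRestSession("switch.example", "bvq", "wrong", transport=fake).login()
        rejected = False
    except PermissionError:
        rejected = True
    return {"names": names, "open_sessions": fake.open_sessions,
            "calls": fake.calls, "bad_password_rejected": rejected}
```

Against a real switch, instantiate FosRestSession with the switch address and the bvq user's password and no transport argument; pass verify_cert=False only for a switch that still has a self-signed certificate, and switch back to the verifying default once a CA-issued certificate is installed.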
Note:
If switches or virtual fabrics are added to or removed from the SAN, the scanner configuration needs to be adjusted manually. Edit the scanner configuration and select "Discover switches" to rediscover the SAN.
Cisco MDS switches (BVQ 2022.H2.1 and higher)
BVQ collects topology and performance data from Cisco MDS switches using the Cisco MDS NX-API. This feature needs to be enabled on all Cisco MDS switches that should be monitored by BVQ.
switch# show feature
Feature Name          Instance  State
--------------------  --------  -----
...
nxapi                 1         disabled
...
switch# conf t
switch(config)# feature nxapi
switch(config)# end
switch# show feature
Feature Name          Instance  State
--------------------  --------  -----
...
nxapi                 1         enabled
...
Cisco SAN Switch User
The following role and user have to be added on each and every switch you want to scan (replace P@ssw0rd with a password of your own). The role permits only show commands, which is all BVQ needs:
cisco-BVQ-1# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
cisco-BVQ-1(config)# role name bvq-role
cisco-BVQ-1(config-role)# description Monitoring role for BVQ
cisco-BVQ-1(config-role)# rule 1 permit show
cisco-BVQ-1(config-role)# exit
cisco-BVQ-1(config)# show role
Role: bvq-role
  Description: Monitoring role for BVQ
  Vsan policy: permit (default)
  -------------------------------------------------
  Rule    Type    Command-type    Feature
  -------------------------------------------------
  1       permit  show            *
cisco-BVQ-1(config)# username bvq-user password P@ssw0rd role bvq-role
cisco-BVQ-1(config)# exit
cisco-BVQ-1# show user-account
user:bvq-user
        this user account has no expiry date
        roles:bvq-role

The same commands without prompts, for copy and paste:
config terminal
role name bvq-role
description Monitoring role for BVQ
rule 1 permit show
exit
username bvq-user password P@ssw0rd role bvq-role
exit
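As an added example, not code from BVQ or Cisco, the following Python client shows what the bvq-user account set up above is used for: NX-API carries CLI commands as JSON-RPC 2.0 over HTTPS to the /ins endpoint and authenticates every request with HTTP Basic auth, so there is no session to release as there is with the FOS REST API. The client only accepts show commands, the same command class bvq-role permits, so a misconfigured scanner fails locally instead of being denied by the switch. The endpoint, the cli method and the params/result shapes are NX-API's documented JSON-RPC interface; the host name, the FakeMds replies and the command outputs in them are constructed for the offline run.

```python
# Added example (not BVQ's or Cisco's code): minimal NX-API CLI client for a Cisco MDS switch.
# NX-API carries CLI commands as JSON-RPC 2.0 over HTTPS to /ins and authenticates every
# request with HTTP Basic auth. Only show commands are sent, mirroring "rule 1 permit show"
# of bvq-role; the transport is injectable so the flow runs offline against FakeMds.
import base64, json, urllib.request

NXAPI_PATH = "/ins"                          # documented NX-API endpoint

def build_jsonrpc(commands):
    """One JSON-RPC 'cli' call per command, batched into a single POST body."""
    for cmd in commands:
        if cmd.split()[:1] != ["show"]:      # bvq-role permits only the show command class
            raise ValueError(f"refusing non-show command: {cmd!r}")
    return [{"jsonrpc": "2.0", "method": "cli", "params": {"cmd": cmd, "version": 1}, "id": i}
            for i, cmd in enumerate(commands, start=1)]

def parse_jsonrpc(raw, commands):
    """Map each command to its structured result body; raise on a JSON-RPC error reply."""
    replies = json.loads(raw)
    replies = replies if isinstance(replies, list) else [replies]
    out = {}
    for reply in replies:
        cmd = commands[reply["id"] - 1]      # ids were assigned 1..n in build_jsonrpc
        if "error" in reply:
            raise RuntimeError(f"{cmd!r} failed: {reply['error'].get('message')}")
        out[cmd] = reply["result"]["body"]
    return out

def urllib_send(url, headers, body):
    """Real transport with the default, verifying TLS context: -> (status, body bytes)."""
    req = urllib.request.Request(url, data=body, method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()

def run_show(host, user, password, commands, transport=urllib_send):
    """POST the batch of show commands to the switch and return {command: result body}."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + creds, "Content-Type": "application/json-rpc"}
    status, raw = transport("https://" + host + NXAPI_PATH, headers,
                            json.dumps(build_jsonrpc(commands)).encode())
    if status == 401:
        raise PermissionError("NX-API rejected the credentials")
    if status != 200:
        raise RuntimeError(f"NX-API returned HTTP {status}")
    return parse_jsonrpc(raw, commands)

class FakeMds:
    """Constructed offline stand-in; its replies are test data, not real MDS output."""
    def __init__(self, user="bvq-user", password="P@ssw0rd"):
        self.expected = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.received = []
    def __call__(self, url, headers, body):
        if headers.get("Authorization") != self.expected:
            return 401, b""
        replies = []
        for call in json.loads(body):
            cmd = call["params"]["cmd"]
            self.received.append(cmd)
            if cmd == "show feature":
                body_out = {"feature": [{"name": "nxapi", "state": "enabled"}]}
            else:
                body_out = {"echo": cmd}
            replies.append({"jsonrpc": "2.0", "id": call["id"], "result": {"body": body_out}})
        return 200, json.dumps(replies).encode()

def demo():
    """Run two show commands through FakeMds and confirm a config command is refused."""
    fake = FakeMds()
    results = run_show("mds.example", "bvq-user", "P@ssw0rd",
                       ["show feature", "show version"], fake)
    try:
        build_jsonrpc(["configure terminal"])
        refused = False
    except ValueError:
        refused = True
    return results, fake.received, refused
```

Against a real switch, call run_show with the switch address and the bvq-user credentials and omit the transport argument; a non-show command is refused before anything is sent, and a wrong password surfaces as PermissionError from the HTTP 401.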