Network_layer

SAN


Brocade FC Switch

General Information

Only one scanner configuration per fabric is required. All switches that belong to the same fabric, or are reachable through any virtual fabric on one of those switches, are detected and configured within a single scanner configuration. The first switch configured in BVQ, which is used to discover the others in the fabric, must have the virtual fabrics feature enabled unless none of the switches in the fabric use this feature.

If switches or virtual fabrics are added to or removed from the fabric, the scanner configuration needs to be adjusted manually. Edit the scanner configuration and select "Discover switches" to rediscover the fabric.

Switches in access gateway mode are not part of the fabric and therefore have to be added to the configuration manually.

The Brocade REST API is supported on SAN switches running Fabric OS 8.2.1 and later; we recommend at least FOS 9. Switches running earlier versions cannot be monitored by BVQ (see Supported Brocade systems).

SAN Switch User

FOS REST API function calls are permitted or denied based on user privilege configurations determined by the role-based access control (RBAC) functionality in Fabric OS.

For switches running

  • FOS 9, the user needs at least the permissions of the default role basicswitchadmin for all virtual switches (logical fabrics) and for the chassis.

  • FOS 8.2.x, the user needs at least the permissions of the default role admin.

For all versions, the default switch role user is not sufficient: it has no permission to observe the RBAC class configure, which BVQ needs to gather information about the switch configuration.

It is recommended to have the same user credentials and access configuration (https / http and SSL certificate) on all Switches belonging to the same SAN.

Depending on the specific FOS level and the use of Virtual Fabrics (VF), the following user has to be added on every switch you want to scan:

Check for VF

fosconfig --show
FC Routing service:     disabled
Virtual Fabric:         enabled

Add BVQ user via FOS CLI (switches with VF)

FOS 9.x:

userconfig --add bvq -r basicswitchadmin -c basicswitchadmin -l 1-128 -h 128 -d "BVQ Scanner User" -p <your-secret-pw>
passwd bvq
> <final_password>

FOS 8.2.x:

userconfig --add bvq -r admin -c admin -l 1-128 -h 128 -d "BVQ Scanner User" -p <your-secret-pw>
passwd bvq
> <final_password>

The -l 1-128 option grants the user access to all logical fabrics and -h 128 sets its home logical fabric. The -p value only seeds the account; the interactive passwd bvq call then prompts for the final password, so the real secret does not have to be typed on a command line.

Add BVQ user via FOS CLI (switches without VF)

FOS 9.x:

userconfig --add bvq -r basicswitchadmin -d "BVQ Scanner User" -p <your-secret-pw>
passwd bvq
> <final_password>

FOS 8.2.x:

userconfig --add bvq -r admin -d "BVQ Scanner User" -p <your-secret-pw>
passwd bvq
> <final_password>

As above, the -p value is only an initial password that the interactive passwd bvq call replaces with the final one.

REST sessions

It is also essential to increase the number of allowed REST sessions to 10 on each switch in the fabric; without this adjustment the scanner cannot operate efficiently.

Increase the number of max REST sessions to 10 & enable HTTPS keep alive

mgmtapp --config -maxrestsession 10
mgmtapp --enable keepalive
mgmtapp --show
REST Configuration:
    Interface State: Enabled
    Effective Protocol: HTTPS only
    HTTP State: Enabled
    Session Count: 10              <<-----
HTTPS Configuration:
    KeepAlive : Enabled            <<-----
    KeepAliveTimeout : 15sec
Auth Configuration:
    AuthMode : Disabled

Gather information for BVQ Scanner configuration

BVQ scanner configurations need the following input:

  • Switch IP address or DNS name of one switch in the SAN. This does not need to be the principal but must be one that has virtual fabrics enabled if any of the switches in the SAN are using this feature.

  • Protocol - http or https (use https; over http the switch credentials and all collected data are sent in clear text)

  • Switch username and password

  • Port number (if not default)

  • SSL / HTTPS certificate handling

    Get SSL Certificate Information

    seccertmgmt show -cert https

    If you want to enable the BVQ scanner option "Check SSL certificate", the switch needs a certificate issued by a CA that the BVQ server trusts; the factory self-signed certificate does not pass this check. With the check disabled, BVQ does not verify the identity of the switch it is talking to and the connection can be intercepted, so installing a CA-signed certificate is the preferred setup.
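The three switch-side prerequisites above (a working bvq login, the REST session limit and certificate handling) can be verified from the BVQ server before the scanner is configured. The following Python script is an added example and not part of the BVQ product or of this documentation: it logs in to the FOS REST API as bvq, reads the fabric member list, and logs out so the session slot is handed back. The endpoint paths (/rest/login, /rest/logout, /rest/running/brocade-fabric/fabric-switch), the Custom_Basic token header and the Accept media type are taken from the FOS REST API reference rather than from this page; the host name, user name and CA bundle path are placeholders.

```python
"""Smoke test for the BVQ scanner user on a Brocade FOS switch (added example).

Logs in through the FOS REST API, reads the fabric switch list and logs out
again. Assumptions not stated on the BVQ page: the /rest/login and /rest/logout
endpoints with the Custom_Basic session token, the Accept media type and the
brocade-fabric/fabric-switch resource, all from the FOS REST API reference.
"""
import base64
import json
import ssl
import sys
import urllib.request


def basic_auth_header(user, password):
    """HTTP Basic credential; FOS accepts it only on the initial /rest/login call."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def session_token(headers):
    """Return the 'Custom_Basic <token>' value FOS sends back in the login response.

    Every later request (and the logout) carries this header instead of the
    password. Header names are matched case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "authorization" and value.startswith("Custom_Basic "):
            return value
    raise RuntimeError("login response carries no Custom_Basic session token")


def ssl_context(verify, ca_bundle=None):
    """Equivalent of the BVQ 'Check SSL certificate' option: with verify=True the
    switch certificate must chain to ca_bundle (or the system trust store), which
    the factory self-signed FOS certificate never does."""
    if verify:
        return ssl.create_default_context(cafile=ca_bundle)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


class FosRestSession:
    """Login/logout bracket around FOS REST calls.

    Logging out on every exit path matters: each login consumes one of the
    slots configured with 'mgmtapp --config -maxrestsession 10', and leaked
    sessions block later logins until they time out."""

    def __init__(self, base_url, user, password, verify=True, ca_bundle=None):
        self.base_url = base_url.rstrip("/")
        self.user = user
        self.password = password
        self.ctx = ssl_context(verify, ca_bundle)
        self.token = None

    def _call(self, method, path, auth_header):
        req = urllib.request.Request(self.base_url + path, method=method)
        req.add_header("Authorization", auth_header)
        req.add_header("Accept", "application/yang-data+json")
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()

    def __enter__(self):
        _, headers, _ = self._call("POST", "/rest/login",
                                   basic_auth_header(self.user, self.password))
        self.token = session_token(headers)
        return self

    def __exit__(self, *exc):
        if self.token:
            try:
                self._call("POST", "/rest/logout", self.token)
            finally:
                self.token = None
        return False  # never swallow the caller's exception

    def get(self, path):
        status, _, raw = self._call("GET", path, self.token)
        return status, (json.loads(raw) if raw else {})


def switch_names(payload):
    """Names of the fabric members in a brocade-fabric/fabric-switch answer.

    FOS wraps results in {"Response": {...}}; a single member is accepted both
    as a one-element list and as a bare object."""
    members = payload.get("Response", {}).get("fabric-switch", [])
    if isinstance(members, dict):
        members = [members]
    return [m.get("switch-user-friendly-name", "?") for m in members]


if __name__ == "__main__":
    # usage: python fos_check.py https://san-sw1.example.net bvq '<your-secret-pw>'
    base, user, password = sys.argv[1:4]
    with FosRestSession(base, user, password, verify=True) as fos:
        status, data = fos.get("/rest/running/brocade-fabric/fabric-switch")
        print(status, switch_names(data))
```

Run it once with verify=True against each switch; a certificate error at that point tells you in advance that the "Check SSL certificate" option will fail for that switch, and a login error tells you the bvq role or password is wrong before the scanner ever starts.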


Cisco MDS FC Switch

NX-API

BVQ collects topology and performance data from Cisco MDS switches using the Cisco MDS NX-API. This feature needs to be enabled on all Cisco MDS switches monitored by BVQ.

switch# show feature
Feature Name         Instance State
-------------------- -------- -----
...
nxapi                1        disabled
...
switch# conf t
switch(config)# feature nxapi
switch# show feature
Feature Name         Instance State
-------------------- -------- -----
...
nxapi                1        enabled
...

SAN Switch User

The following user has to be added on every switch you want to scan:

cisco-BVQ-1# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
cisco-BVQ-1(config)# role name bvq-role
cisco-BVQ-1(config-role)# description Monitoring role for BVQ
cisco-BVQ-1(config-role)# rule 1 permit show
cisco-BVQ-1(config-role)# exit
cisco-BVQ-1(config)# show role bvq-role
Role: bvq-role
Description: Monitoring role for BVQ
Vsan policy: permit (default)
-------------------------------------------------
Rule    Type    Command-type    Feature
-------------------------------------------------
1       permit  show            *
cisco-BVQ-1(config)# username bvq password <your-secret-pw> role bvq-role
cisco-BVQ-1(config)# exit
cisco-BVQ-1# show user-account bvq
user:bvq
        this user account has no expiry date
        roles:bvq-role

Fastpath

All configuration commands ready for copy / paste:

config terminal
feature nxapi
role name bvq-role
description Monitoring role for BVQ
rule 1 permit show
exit
username bvq password <your-secret-pw> role bvq-role
exit
copy running-config startup-config

LAN


Cisco NX-OS LAN Switch

NX-API

BVQ collects topology and performance data from Cisco NX-OS switches using the Cisco NX-API. This feature needs to be enabled on all Cisco NX-OS switches monitored by BVQ.

configure terminal
feature nxapi
show feature | grep nxapi
# nxapi                1        enabled
nxapi https port 443
show nxapi
# nxapi enabled
# NXAPI timeout 60
# HTTPS Listen on port 443
# Certificate Information:
#     Issuer:   /C=US/ST=CA/L=San Jose/O=Cisco Systems Inc./OU=dcnxos/CN=nxos
#     Expires:  Mar 26 15:49:12 2025 GMT

The certificate shown in this output is the switch's default self-signed certificate (issuer CN=nxos): a client that validates server certificates will reject it until a CA-signed certificate is installed for NX-API. If show nxapi also lists an HTTP listener, disable it with no nxapi http so that the bvq credentials are only accepted over TLS.

Enable cdp

BVQ uses the Cisco Discovery Protocol (CDP) to discover connections between switches. You need to enable it at least on all switch ports connected to other switches. Note that cdp enable in global configuration mode turns CDP on for every interface, and CDP advertises the platform, software version and management address of the switch; on ports facing untrusted hosts it can be switched off again per interface with no cdp enable.

configure terminal
cdp enable
show cdp neighbors
# Check for valid output

LAN Switch User

The following user has to be added on every switch you want to scan:

################## Create BVQ user ##################
# Read-only user with the "network-operator" role, which limits the account to show commands.
configure terminal
username bvq role network-operator password <your-secret-pw>
show user-account bvq
# user:bvq
#         this user account has no expiry date
#         roles:network-operator

Fastpath

All configuration commands ready for copy / paste:

configure terminal
feature nxapi
nxapi https port 443
cdp enable
username bvq role network-operator password <your-secret-pw>
# Check the following commands for valid output
show nxapi
show cdp neighbors
show user-account bvq
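Both the Cisco MDS and the Cisco NX-OS procedures above end with the same three checks (show nxapi, show cdp neighbors, show user-account bvq). The following Python script is an added example, not part of the BVQ product or of this documentation: it runs those checks through NX-API itself with the bvq credentials, which proves at the same time that the account can authenticate to NX-API and that it carries only the read-only role the page intends (network-operator on NX-OS, the custom bvq-role on MDS). The /ins endpoint, the JSON-RPC 2.0 batch layout and the cli_ascii method come from Cisco's NX-API documentation rather than from this page; the sample reply embedded for offline use is constructed, and the host name and credentials are placeholders.

```python
"""Read-only check of the bvq account on a Cisco NX-OS / MDS switch via NX-API.

Added example (not BVQ's or Cisco's code). Assumptions not on the page: the
NX-API endpoint https://<switch>/ins, the JSON-RPC 2.0 request/response layout
and the cli_ascii method, all from Cisco's NX-API documentation.
"""
import base64
import json
import ssl
import sys
import urllib.request

# Read-only roles from the page: network-operator (NX-OS LAN user) and the custom
# bvq-role (MDS, 'rule 1 permit show'). Anything else means the account is over-privileged.
EXPECTED_ROLES = {"network-operator", "bvq-role"}

CHECK_COMMANDS = ["show nxapi", "show cdp neighbors", "show user-account bvq"]


def jsonrpc_batch(commands):
    """JSON-RPC 2.0 batch for NX-API; cli_ascii returns the plain CLI text in result.msg.
    Ids are 1-based so replies can be matched back to their commands."""
    return [
        {"jsonrpc": "2.0", "method": "cli_ascii",
         "params": {"cmd": cmd, "version": 1}, "id": i}
        for i, cmd in enumerate(commands, start=1)
    ]


def unpack_batch(responses, commands):
    """Map each command to its text output. A single-command reply is an object,
    a batch reply is a list; any per-command 'error' member aborts the check."""
    if isinstance(responses, dict):
        responses = [responses]
    by_id = {r.get("id"): r for r in responses}
    out = {}
    for i, cmd in enumerate(commands, start=1):
        reply = by_id.get(i)
        if reply is None:
            raise RuntimeError(f"no reply for {cmd!r}")
        if "error" in reply:
            raise RuntimeError(f"{cmd!r} failed: {reply['error'].get('message')}")
        out[cmd] = reply["result"]["msg"]
    return out


def roles_from_user_account(text):
    """Parse the 'roles:' line of 'show user-account'; several roles are space-separated."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("roles:"):
            return set(line[len("roles:"):].split())
    return set()


def account_is_read_only(text, expected=EXPECTED_ROLES):
    """True only if the account holds exactly one role and it is one of the expected read-only ones."""
    roles = roles_from_user_account(text)
    return len(roles) == 1 and roles <= expected


def run_checks(host, user, password, verify=True):
    """POST the batch to https://host/ins with HTTP Basic auth, which is what NX-API accepts."""
    ctx = ssl.create_default_context()
    if not verify:  # only for switches still presenting the default self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    cred = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    body = json.dumps(jsonrpc_batch(CHECK_COMMANDS)).encode("utf-8")
    req = urllib.request.Request(f"https://{host}/ins", data=body, method="POST")
    req.add_header("Content-Type", "application/json-rpc")
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return unpack_batch(json.loads(resp.read()), CHECK_COMMANDS)


# Constructed sample reply (not captured from a real switch) in the shape NX-API
# returns for a cli_ascii batch; the user-account text mirrors the page's output.
SAMPLE_REPLY = [
    {"jsonrpc": "2.0", "result": {"msg": "nxapi enabled\nHTTPS Listen on port 443\n"}, "id": 1},
    {"jsonrpc": "2.0", "result": {"msg": "Device-ID  Local Intrfce  Hldtme  Capability  Platform  Port ID\n"}, "id": 2},
    {"jsonrpc": "2.0", "result": {"msg": "user:bvq\n        this user account has no expiry date\n        roles:network-operator\n"}, "id": 3},
]


if __name__ == "__main__":
    if len(sys.argv) == 4:  # python nxapi_check.py lan-sw1.example.net bvq '<your-secret-pw>'
        outputs = run_checks(*sys.argv[1:4])
    else:                   # offline: exercise the parsing on the constructed sample
        outputs = unpack_batch(SAMPLE_REPLY, CHECK_COMMANDS)
    for cmd, text in outputs.items():
        print(f"--- {cmd}\n{text}")
    print("bvq is read-only:", account_is_read_only(outputs["show user-account bvq"]))
```

If the switch answers the batch but account_is_read_only reports False, the account was created with an additional role and should be corrected before it is handed to the scanner; if the POST itself is rejected with a TLS error, the switch still presents the default self-signed certificate discussed above.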