-to skip pagination on every show command
> skip-page-display
-to set hostname
> switchname SAN1
-to set ip address
> ipaddrset
-to set dns
> dnsconfig
-to show current date
> date
-to set ntp server
> tsclockserver 10.10.10.1
-to show current timezone
> tstimezone
Time Zone : US/Pacific
-to change timezone
> tsTimeZone –interactive
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
1) Africa
2) Americas
3) Antarctica
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) none – I want to specify the time zone using the POSIX TZ format.
Enter number or control-D to quit ?1
Please select a country.
1) Algeria 18) Gabon 35) Rwanda
2) Angola 19) Gambia 36) Sao Tome & Principe
3) Benin 20) Ghana 37) Senegal
4) Botswana 21) Guinea 38) Sierra Leone
5) Burkina Faso 22) Guinea-Bissau 39) Somalia
6) Burundi 23) Kenya 40) South Africa
7) Cameroon 24) Lesotho 41) Spain
8) Central African Rep. 25) Liberia 42) Sudan
9) Chad 26) Libya 43) Swaziland
10) Congo (Dem. Rep.) 27) Malawi 44) Tanzania
11) Congo (Rep.) 28) Mali 45) Togo
12) Cote d’Ivoire 29) Mauritania 46) Tunisia
13) Djibouti 30) Morocco 47) Uganda
14) Egypt 31) Mozambique 48) Western Sahara
15) Equatorial Guinea 32) Namibia 49) Zambia
16) Eritrea 33) Niger 50) Zimbabwe
17) Ethiopia 34) Nigeria
Enter number or control-D to quit ?1
The following information has been given:
Algeria
Therefore TZ=’Africa/Algiers’ will be used.
Local time is now: Wed Oct 28 15:01:38 CET 2015.
Universal Time is now: Wed Oct 28 14:01:38 UTC 2015
-to show domain ID
> fabricshow
Switch ID Worldwide Name Enet IP Addr FC IP Addr Name
————————————————————————-
2: fffc02 10:00:00:60:69:e0:01:46 10.3.220.1 0.0.0.0 “ras001”
-to set domain ID
1. Connect to the switch and log in on an account assigned to the admin role.
2. Enter the switchDisable command to disable the switch.
3. Enter the configure command.
4. Enter y after the Fabric parameters prompt.
Fabric parameters (yes, y, no, n): [no] y
5. Enter a unique domain ID at the Domain prompt. Use a domain ID value from 1 to 239 for normal operating mode (FCSWcompatible).
Domain: (1..239) [1] 3
6. Respond to the remaining prompts, or press Ctrl-D to accept the other settings and exit.
7. Enter the switchEnable command to re-enable the switch.
-to change hostname
> switchname SAN1
The prompt does not change to the new switch name until after you log in again
-to save config
> cfgSave
-to upload config
> configUpload
-to restore config
> configDownload
-to upgrade both secondary and primary firmware
> firmwaredownload
At a high level the upgrade process goes as follows:
The Fabric OS downloads the firmware to the secondary partition.
The system performs a high availability reboot (haReboot). After the haReboot, the former secondary partition is the primary partition.
The system replicates the firmware from the primary to the secondary partition.
-to show current firmware
> firmwareshow
-If you may want to test the firmware first and have an option to roll-back.
To accomplish that you can use -s key and disable auto-commit
> firmwaredownload -s
Switch will upload the firmware to the secondary partition, switch secondary and primary partitions after a reboot, but won’t replicate the firmware to the secondary partition.
-You can use the following command to restore firmware back to the previous version
> firmwareRestore
-Or if you’re happy with the firmware, commit it to the secondary partition:
> firmwareCommit
Important Notes
When downloading firmware for your switch, make sure to use switch’s vendor web-site. EMC Connectrix DS-300B, Brocade 300 and IBM SAN24B-4 are essentially the same switch, but firmware and supported versions for each OEM vendor may slightly vary. Here are the links where you can get FC switch firmware for some of the vendors:
-EMC: sign in to
http://support.emc.com > find your switch model under the product section and go to downloads
-to reboot
> reboot
-to shutdown
> sysshutdown
-to show CLI history
> clihistory
CLI history
Date & Time Message
Thu Sep 27 04:58:00 2012 root, 10.70.12.101, firmwareshow -v
-to Downloading a configuration from one switch to another switch of the same model
1. Configure one switch.
2. Use the configUpload command to save the configuration information. Refer to Configuration file backup on page 137 for more information.
3. Run configDefault on each of the target switches, and then use the configDownload command to download the configuration file to each of the target switches. Refer to Configuration file restoration on page 139 for more information
-to view the changes, use cfgshow
> zonecreate sloth, “b*; 10:00:00:00:01:1e:20:20”
> cfgsave
> cfgenable
> cfgshow
Defined configuration:
zone: matt 30:06:00:07:1e:a2:10:20; 3,2
zone: sloth bawn; bolt; bond; brain; 10:00:00:00:01:1e:20:20 alias: bawn 3,5; 4,8
-to show license
> licenseshow
S9bddb9SQbTAceeCbzbzRcbcSc0c0SYRyeSzRScycazfT0G:
Integrated Routing Ports on Demand license
Capacity 128
> version
Kernel: 2.6.14.2
Made on: Mon Feb 11 20:36:38 2008
Flash: Wed Jan 7 15:33:34 2009
BootProm: 4.6.6
> diagshow
Diagnostics Status: Tue Sep 07 23:41:38 2010
Slot: 0 UPORTS
Port BPort Diag Active Speed FrTX FrRX LLI Errs Loopback
0/0 1 OK DN 4G Auto — — —
0/1 2 OK DN 4G Auto — — —
0/2 5 OK DN 4G Auto — — —
0/3 7 OK DN 4G Auto — — —
0/4 0 OK DN 4G Auto — — —
0/5 3 OK DN 4G Auto — — —
0/6 6 OK DN 4G Auto — — —
> switchshow
switchName: DS_5000B
switchType: 58.2
switchState: Online
switchMode: Native
switchRole: Principal
switchDomain: 1
switchId: fffc01
switchWwn: 10:00:00:05:1e:90:91:dc
zoning: OFF
switchBeacon: OFF
Area Port Media Speed State Proto
=====================================
0 0 — N4 No_Module
1 1 — N4 No_Module
2 2 — N4 No_Module
3 3 — N4 No_Module
4 4 — N4 No_Module
5 5 — N4 No_Module
6 6 — N4 No_Module
7 7 — N4 No_Module
> switchshow -portname
switchName: sw0
switchType: 66.1
switchState: Online
switchMode: Native
switchRole: Principal
switchDomain: 1
switchId: fffc01
switchWwn: 10:00:00:05:1e:82:3c:2a
zoning: OFF
switchBeacon: OFF
FC Router: OFF
Fabric Name: switch_test
Allow XISL Use: OFF
LS Attributes: [FID: 128, Base Switch: No, Default Switch: Yes, Address Mode 0]
Index Port PortWWN Name
==================================================
0 0 20:00:00:05:1e:82:3c:2a port0
1 1 20:01:00:05:1e:82:3c:2a port1
2 2 20:02:00:05:1e:82:3c:2a port2
3 3 20:03:00:05:1e:82:3c:2a port3
4 4 20:04:00:05:1e:82:3c:2a port4
5 5 20:05:00:05:1e:82:3c:2a port5
6 6 20:06:00:05:1e:82:3c:2a port6
7 7 20:07:00:05:1e:82:3c:2a port7
-to show the portshow output
> portshow 28
portIndex: 28
portName: sw78.E_PORT.28
portHealth: HEALTHY
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x1000090b PRESENT ACTIVE E_PORT T_PORT T_MASTER G_PORT U_PORT LOGICAL_ONLINE LOGIN
LocalSwcFlags: 0x0
portType: 18.0
POD Port: Port is licensed
portState: 1 Online
Protocol: FC
portPhys: 6 In_Sync portScn: 16 E_Port Trunk master port Flow control mode 4
port generation number: 0
state transition count: 1
-use secCryptoCfg CLI to disable TLS – example below is from FOS 7.4 but you should be able to work it out for 8.0 or 8.1, too (this is adapted from a KB article)
FOS 7.4 (admin) supports display and modification of the default //selected// cipher suite (a subset of the above //supported// list) as follows:
admin> seccryptocfg –show
HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
SSH Cipher List : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512
If you were interested only in SSL (especially with respect to TLSv1.2) as part of the HTTPS cipher list, you would be concerned with the top line, as follows, as the other ciphers are SSH related (which do not use SSL/TLS):
HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
We can query for more details about //selected// ciphers using the openssl command, but with the FOS selection string:
root> openssl ciphers -v ‘!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM’
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
We can see that FOS limits its selection of the support ciphers to these five above, which include TLSv1.2, so a client that might support many cipher suites would only successfully negotiate one of these five with the switch.
If you wish to reduce the FOS cipher selection even further you could, for example, remove the SSLv3 suites, by using the ‘!SSLv3’ added at the end of this selection string, which we are using to display a further subset of ciphers:
root> openssl ciphers -v ‘!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM:!SSLv3’
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
This gives you the selection string that you would need to supply to the folowing FOS (admin) command “seccryptocfg”, to reduce the selection to the TLSv1.2 suites from the selection already done in FOS (note that http is restarted to adapt to the change):
admin> seccryptocfg –replace -type https -cipher ‘!ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM:!SSLv3’
This command requires the daemon(s) HTTP to be restarted.
Existing sessions will be terminated.
Please confirm and provide the preferred option
Press Yes(Y,y), No(N,n) [N]:y
HTTP cipher list configured successfully.
Finally, we check the new list of FOS selected ciphers as follows:
admin> seccryptocfg –show
HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM:!SSLv3
SSH Cipher List : aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512
Nbctcp's Weblog 