Preparation for Scanning Brocade FC Switch
StorageGuard collects configuration data from Brocade FC switches by running read-only FOS commands over a secure SSH session.
The following table lists the requirements for scanning Brocade FC switches:
| # | Description |
| 1 | Provide the network name or IP address of a Brocade SAN director. StorageGuard will automatically discover the names and IP addresses of the Brocade switches in the network through scanning this director. |
| 2 | Provide a user account (and password) for each Brocade SAN director and switch. |
| 3 | The user account should be assigned with an unlimited read-only role, capable of running all “show” and other read-only FOS commands. In a Virtual Fabric environment, chassis permission is also required. Examples of read-only FOS commands used:
|
| 4 | Verify that IP connectivity through SSH (default is port 22) is available between the StorageGuard server and each Brocade director and switch. |
Creating a User Account for Scanning Brocade FC Switch
The following suggested method can be used to create a user account with appropriate privileges:
roleconfig --add sguardrole
roleconfig --change sguardrole -class ADSelect -perm O
roleconfig --change sguardrole -class AG -perm O
roleconfig --change sguardrole -class APM -perm O
roleconfig --change sguardrole -class AdminDomains -perm O
roleconfig --change sguardrole -class Audit -perm O
roleconfig --change sguardrole -class Authentication -perm O
roleconfig --change sguardrole -class Blade -perm O
roleconfig --change sguardrole -class ChassisConfiguration -perm O
roleconfig --change sguardrole -class ChassisManagement -perm O
roleconfig --change sguardrole -class ConfigManagement -perm O
roleconfig --change sguardrole -class Configure -perm O
roleconfig --change sguardrole -class DCE -perm O
roleconfig --change sguardrole -class DMM -perm O
roleconfig --change sguardrole -class Debug -perm O
roleconfig --change sguardrole -class Diagnostics -perm O
roleconfig --change sguardrole -class EncryptionConfiguration -perm O
roleconfig --change sguardrole -class EncryptionManagement -perm O
roleconfig --change sguardrole -class EthernetConfig -perm O
roleconfig --change sguardrole -class FCoE -perm O
roleconfig --change sguardrole -class FICON -perm O
roleconfig --change sguardrole -class FIPSBootprom -perm O
roleconfig --change sguardrole -class FIPSCfg -perm O
roleconfig --change sguardrole -class FRUManagement -perm O
roleconfig --change sguardrole -class Fabric -perm O
roleconfig --change sguardrole -class FabricDistribution -perm O
roleconfig --change sguardrole -class FabricRouting -perm O
roleconfig --change sguardrole -class FabricWatch -perm O
roleconfig --change sguardrole -class Factory -perm O
roleconfig --change sguardrole -class FirmwareKeyManagement -perm O
roleconfig --change sguardrole -class FirmwareManagement -perm O
roleconfig --change sguardrole -class HA -perm O
roleconfig --change sguardrole -class IPSec -perm O
roleconfig --change sguardrole -class IPfilter -perm O
roleconfig --change sguardrole -class ISCSI -perm O
roleconfig --change sguardrole -class LayerTwo -perm O
roleconfig --change sguardrole -class License -perm O
roleconfig --change sguardrole -class LocalUserEnvironment -perm O
roleconfig --change sguardrole -class LogSupportsave -perm O
roleconfig --change sguardrole -class Logging -perm O
roleconfig --change sguardrole -class MAPS -perm O
roleconfig --change sguardrole -class ManagementAccessConfiguration -perm O
roleconfig --change sguardrole -class ManagementServer -perm O
roleconfig --change sguardrole -class NameServer -perm O
roleconfig --change sguardrole -class Nocheck -perm O
roleconfig --change sguardrole -class NxPortManagement -perm O
roleconfig --change sguardrole -class PKI -perm O
roleconfig --change sguardrole -class PhysicalComputerSystem -perm O
roleconfig --change sguardrole -class PortMirror -perm O
roleconfig --change sguardrole -class RADIUS -perm O
roleconfig --change sguardrole -class Reboot -perm O
roleconfig --change sguardrole -class Restricted -perm O
roleconfig --change sguardrole -class RoleConfig -perm O
roleconfig --change sguardrole -class RoutingAdvanced -perm O
roleconfig --change sguardrole -class RoutingBasic -perm O
roleconfig --change sguardrole -class SNMP -perm O
roleconfig --change sguardrole -class SRM -perm O
roleconfig --change sguardrole -class Security -perm O
roleconfig --change sguardrole -class Service -perm O
roleconfig --change sguardrole -class SessionManagement -perm O
roleconfig --change sguardrole -class Statistics -perm O
roleconfig --change sguardrole -class StatisticsDevice -perm O
roleconfig --change sguardrole -class StatisticsPort -perm O
roleconfig --change sguardrole -class SwitchConfiguration -perm O
roleconfig --change sguardrole -class SwitchManagement -perm O
roleconfig --change sguardrole -class SwitchManagementIPConfiguration -perm O
roleconfig --change sguardrole -class SwitchPortConfiguration -perm O
roleconfig --change sguardrole -class SwitchPortManagement -perm O
roleconfig --change sguardrole -class SwitchPortSecurityConfiguration -perm O
roleconfig --change sguardrole -class Topology -perm O
roleconfig --change sguardrole -class USBManagement -perm O
roleconfig --change sguardrole -class UserManagement -perm O
roleconfig --change sguardrole -class WWNCard -perm O
roleconfig --change sguardrole -class WWNCardZoning -perm O
roleconfig --change sguardrole -class Zoning -perm O
userconfig --add sguarduser -r sguardrole -c sguardrole -p <password> -l <all LF Ids, example: 1-128>
NOTES:
- Certain roleconfig --change commands may fail due to FOS version-specific support — these failures are expected and can be ignored. For example, RBAC classes such as SwitchPortSecurityConfiguration, SRM, MAPS, LayerTwo, IPSec, Factory, FabricWatch, FIPSBootprom, Debug and APM may not exist on certain FOS versions.
- In Virtual Fabric Environments, it’s recommended to also grant permission to run the fosexec command with read-only show commands.
Preparation for Scanning Brocade SANnav
StorageGuard collects configuration data from SANnav by running read-only API calls over a secure HTTPS session.
The following table lists the requirements for scanning SANnav:
| # | Description |
| 1 | Provide each SANnav server name or IP address. |
| 2 | Provide a read-only user name and password for each SANnav server. |
| 3 | Make sure that IP connectivity through HTTPS (port 443) is available between the StorageGuard server and each SANnav server. |
Creating a User Account for Scanning Brocade SANnav
The following suggested method can be used to create a user account with appropriate privileges:
- Click SANnav in the navigation bar, and then select Security > SANnav User Management.
- Click Users, and then click the + button in the subnavigation bar.
- Enter the username and password.
- In the Roles section, select AllPrivileges_ReadOnly.
- In the AORs section, select All Fabrics.
- Click Save.
Comments
0 comments
Please sign in to leave a comment.