Documentation Feedback

You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com. You can submit comments about Cisco documentation by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html From this site, you will find information about how to:
Report security vulnerabilities in Cisco products. Obtain assistance with security incidents that involve Cisco products. Register to receive security information from Cisco.
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL: http://www.cisco.com/go/psirt To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:
For Emergencies only security-alert@cisco.com An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
For Nonemergencies psirt@cisco.com 228-408 525-6532
In an emergency, you can also reach PSIRT by telephone:
We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x. Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html The link on this page has the current PGP key ID in use. If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers before sending any sensitive material to find other means of encrypting the data.

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly. To open a service request by telephone, use one of the following numbers: Asia-Pacific: +(Australia: 805 227) EMEA: +55 USA: 553-2447 For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1)An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation. Severity 2 (S2)Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation. Severity 3 (S3)Operational performance of the network is impaired, while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels. Severity 4 (S4)You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL: http://www.cisco.com/go/guide
Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL: http://www.cisco.com/packet iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL: http://www.cisco.com/go/iqmagazine or view the digital edition at this URL: http://ciscoiq.texterity.com/ciscoiq/sample/ Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL: http://www.cisco.com/en/US/products/index.html Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL: http://www.cisco.com/discuss/networking World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.html

Cisco MDS SAN-OS Release 2.0(1b) and later support SLPv2 for the Cisco MDS 9000 Family CIM server.

Server Profile

Once the CIM client discovers the CIM servers within the SAN, the CIM client must determine the level of support each CIM server provides. The Server profile defines the capabilities of the CIM server. This includes providing the namespace and all profiles and subprofiles supported by the CIM server. For each supported profile, the Server profile instantiates the RegisteredProfile class. Each instance of this class gives the CIM client the profile name and unique ID that is supported by the CIM server. Similarly, the CIM server lists all supported optional subprofiles, using the RegisteredSubProfile class and the SubprofileRequiresProfile association class to associate the subprofile with the profile.
Cisco MDS SAN-OS Release 2.0(1b) and later support the Server profile for the Cisco MDS 9000 Family CIM server.
For a Server profile instance diagram, refer to SMI-S at http://www.snia.org.

Switch Profile

The Switch profile models the physical and logical aspects of switches. The CIM client uses the Switch profile to identify that the CIM server is on a switch and uses classes in the Switch profile to identify and manage Fibre Channel ports on the switch. The Switch profile also supports the optional Blade subprofile (see the Blade Subprofile section on page 2-3) and the optional Access Point subprofile (see the Access Point Subprofile section on page 2-4).
For a Switch profile instance diagram, refer to the SMI-S at http://www.snia.org. Table 2-1 shows how to use the Switch profile classes and association classes to model the switch and ports.

Chapter 2

Cisco MDS 9000 Family CIM Server Support Switch Profile
Table 2-1 Using the Switch Profile
ComputerSystem PhysicalElement FCPort FCPortCapabilities FCPortStatistics
How Used Identifies the switch, with the Dedicated property set to Switch. Identifies the physical aspects of a device. Identifies logical aspects of the port link and the data layers. Defines configuration options supported by the ports. Identifies port statistics, showing real-time port traffic information for each instance of FCPort class. Defines configuration options supported by the switch. Requests configuration changes on the switch. Requests configuration changes on the ports.

Creating and deleting zones and zone sets Creating and deleting zone members (using ZoneMembershipSettingData) Adding and removing zone members to zones Adding and removing zones to zone sets Activating and deactivating a zone set
The CIM server supports all the CIM classes and association classes described by the SMI-S zoning model.
Enhanced Zoning and Enhanced Zoning Control Subprofile
The Enhanced Zoning and Enhanced Zoning Control subprofile is a subprofile of the Fabric profile and provides additional modeling of Cisco zoning information for management purposes. This includes support for the following:
Creating and deleting zone aliases Adding and removing zone members to zone aliases
This subprofile supports all CIM classes and association classes described by the SMI-S zoning model except the concept of sessions for zoning.
Using the Zoning Subprofile
In the Cisco MDS CIM implementation, zoning occurs under the VSAN, not the fabric.
For Zoning subprofile instance diagrams, refer to the SMI-S at http://www.snia.org. Table 2-5 shows how to use the classes and association classes of the Zoning subprofiles to model zoning.
Table 2-5 Using the Zoning Subprofile
ZoneMembershipSettingData
How Used Identifies zone members and indicates the member ID (defined in the CIM schema) and how the device was zoned. Identifies zone aliases. Contains zone members (ZoneMembershipSettingData class) associated by the ElementSettingData association class. Identifies zone sets. Contains zones associated by the MemberOfCollection association class. Identifies VSANs. Only contains zone sets that are associated by the HostedCollection association class. Provides operations to control zone objects, such as creating, removing, and activating both zones and zone sets. Manages the creation of zone sets, zones, zone aliases, and zone members, as well as activation of the zone set. The ZoneService class is hosted on the CISCO_Vsan class, which is a subclass of AdminDomain. Represents a link that associates two ProtocolEndpoint classes as a connection that is currently carrying traffic.

ZoneAlias

ZoneSets

AdminDomain

ZoneControl

ZoneService

Zones and zone sets that are active have the Actve pr i oper y set to Tr by the CIM server. Zones can t ue only contain the following types of objects:
Zone members (ZoneMembershipSettingData class) associated by the ElementSettingData association class. Zone aliases (ZoneAlias class; defined by SMI-S as NamedAddressCollections class) associated by the MemberOfCollection association class.

Figure 2-3 VSAN Partitioning Example
AdminDomain (Fabric) Name="Physical Fabric" NameFormat="String" OperationalStatus={2} The SAN
Contained Domain AdminDomain (VSAN 1) Name="1_2130405060708090" NameFormat="id with wwn" OperationalStatus={2} VSANs within the SAN Contained Domain AdminDomain (VSAN 2) Name="2_2230405060708090" NameFormat="id with wwn" OperationalStatus={2}

120468

TE Port Extensions
TE ports are E ports that can carry traffic for multiple VSANs. The CIM server uses the existing fabric-to-FC port association classes to model membership of TE ports in multiple VSANs. Figure 2-4 shows the physical and logical port relationship to the switch. The two illustrated physical ports are partitioned into logical ports, and the logical ports are identified as belonging to the physical ports using the HostedDependency association class. A physical TE port is partitioned into two logical ports, one for Partitioned switch 1(associated to VSAN 1 in Figure 2-2) and one for Partitioned switch 2 (associated to VSAN 2 in Figure 2-2). The physical ports are identified as components of the physical switch using the SystemDevice association class, and the partitioned ports are identified as components of the corresponding partitioned switch using the SystemDevice association class.
Figure 2-4 TE Port Partitioning Example
ComputerSystem (Physical switch w/ partition support) Name=2000000000000000

SystemDevice

FCPort (Physical TE port) DeviceID=2A00000000000000 SystemName=2000000000000000 PortType=14
FCPort (Physical TE port) HostedDependency SystemDevice DeviceID=2B00000000000000 SystemName=2000000000000000 PortType=14 HostedDependency SystemDevice FCPort (Logical E port) DeviceID=2B00000000000000 SystemName=2100000000000000 PortType=14 FCPort (Partitioned port switch 1) ComputerSystem (Partitoned switch 2) Name=2200000000000000 FCPort (Partitioned port switch 2) SystemDevice DeviceID=2A00000000000000 SystemName=2200000000000000 PortType=14 DeviceID=2A00000000000000 SystemName=2100000000000000 PortType=14 Hosted Dependency Hosted dependency
ComputerSystem (Partitoned switch 1) Name=2100000000000000

Hosted dependency

For more information about trunking, refer to the Cisco MDS 9000 Family Fabric Manager Configuration Guide or the Cisco MDS 9000 Family CLI Configuration Guide.

120471

Figure 2-5 shows the full UML diagram for VSAN fabric and port partitioning in a SAN switch.
Figure 2-5 UML Diagram for VSAN Partitioning
FCPort (Physical TE port) AdminDomain (Fabric) Name="Physical Fabric" NameFormat="String" OperationalStatus={2} Hosted=false SystemDevice FCPort (Physical TE port) DeviceID=2B00000000000000 SystemName=2000000000000000 PortType=14 HostedDependency FCPort (Logical E port) HostedDependency DeviceID=2B00000000000000 SystemName=2100000000000000 PortType=14 SystemDevice Component Component Contained domain AdminDomain (VSAN 2) Name="2_2230405060708090" NameFormat="id with wwn" OperationalStatus={2} Hosted=true ComputerSystem (Partitoned switch 2) Component Name=2200000000000000 Component SystemDevice DeviceSAP Implementation ProtoclEndPoint DeviceID=2A00000000000000 SystemName=2200000000000000 FCPort (Partitioned Port switch 2) DeviceID=2A00000000000000 SystemName=2200000000000000 PortType=14 ComputerSystem (Partitoned switch 1) Name=2100000000000000 SystemDevice Hosted Dependency DeviceSAP Implementation ProtoclEndPoint DeviceID=2B00000000000000 SystemName=2100000000000000 FCPort (Partitioned port switch 1) DeviceID=2A00000000000000 SystemName=2100000000000000 PortType=14 DeviceSAP Implementation ProtoclEndPoint DeviceID=2A00000000000000 SystemName=2100000000000000 Hosted Dependency DeviceID=2A00000000000000 SystemName=2000000000000000 PortType=14

AdminDomain (VSAN 1) Name="1_2130405060708090" NameFormat="id with wwn" OperationalStatus={2} Hosted=true

Active connection

ProtoclEndPoint Active DeviceID=2c00000000000000 Connection SystemName=1000000000000000 DeviceSAP Implementation FCPort (Physical Port) SystemDevice DeviceID=2c00000000000000 SystemName=1000000000000000 PortType=14

120187

ComputerSystem (Physical Switch/Storage/ Host Not part of the partitioning system) Name=10000000000000

PortChannel Extensions

A PortChannel is the aggregation of multiple physical Fibre Channel ports into one logical port to provide aggregated bandwidth, load balancing, and link redundancy. The CIM server supports a PortChannel port type in the Cisco_FCPort class. The Component association class can be used to associate individual ports with a PortChannel. PortChannels are supported by the CIM server only for the local switch on which the CIM server is running. The CIM server also exports active connections for remote PortChannels, with two limitations:
The remote PortChannel WWN is not available; the remote switch WWN and port index are provided. The Component and LogicalIdentity association classes of the remote PortChannel are not available.
For more information about PortChannels, refer to the Cisco MDS 9000 Family Fabric Manager Configuration Guide or the Cisco MDS 9000 Family CLI Configuration Guide. Figure 2-6 shows the relationships among ports and PortChannels on the switch that is running the CIM server. In this example:
The PortChannels and ports are identified as belonging to the physical switch using the SystemDevice association class. The individual ports are identified as belonging to the PortChannels using the Component association class.

Figure 2-6

UML Instance Diagram of the Relationships Among Ports Using FCIP PortChannels, and Ethernet Ports ,
FC Port (E Port) SystemDevice AdminDomain (Fabric) Name="Physical Fabric" NameFormat="String" OperationalStatus={2} Hosted=false Contained domain AdminDomain (VSAN 1) Name="1_2130405060708090" NameFormat="id with wwn" OperationalStatus={2} Hosted=true Contained domain Component AdminDomain (VSAN 2) Component Component Component Name=2000000000000000 SystemDevice SystemDevice PortChannel DeviceID=2D00000000000000 SystemName=2000000000000000 PortType=21 Physical switch (with VSAN support) DeviceID=2A00000000000000 SystemName=2000000000000000 PortType=14 Component

FDMI Subprofile Extensions
In addition to the standard FDMI subprofile, the following classes and association classes that are specific to the Cisco MDS 9000 Family are supported:
PortControllerRealizes PlatformPackage PortControllerSoftwareIdentity HBASoftwareInstalledOnPlatform NodeFCPortControlledByPortController ProductPhysicalHBA PlatformInFabric NodePortInPlatform NodeInPlatform PortControllerInPlatform PortControllerInFabric
See the Cisco FDMI MOF section on page A-5 for the full definition of the Cisco FDMI extensions.

CIM Indications

SMI-S provides asynchronous indications for changes in the CIM server or the managed elements controlled by the CIM server. These indications can inform a CIM client that:
The SAN configuration has changed. The SAN switch health has degraded. The SAN fabric performance has degraded. Nameserver Database has changed. VSAN added/deleted/modified. Fan status has changed. Temperature status has changed. Power Supply status has changed.
Cisco MDS 9000 Family CIM Server Support CIM Indications
FRU inserted/ removed/changed.
Indications can also be used when a CIM class method is invoked that will take a long time to finish. Rather than tie up the CIM server (block) until the operation completes, the CIM server responds that the operation started, and the CIM server continues handling other requests (non-blocking). When the original, long operation completes, the CIM server sends a CIM indication asynchronously to the CIM client, showing the result of the operation. A CIM client must subscribe to indications it wants to receive from the CIM server. The Cisco MDS 9000 Family CIM server supports the following Cisco-specific indications:
CISCO_LinkStateChange CISCO_LinkUp CISCO_Linkdown CISCO_MediaFRUInserted CISCO_MediaFRURemoved CISCO_VSANChanged CISCO_ZoneSetAlert CISCO_EnvironmentalAlert CISCO_FanAlert CISCO_PowerAlert CISCO_TempAlert CISCO_NameServerDatabaseChanged
See the Cisco Indications MOF section on page A-15 for the Cisco Indications MOF file.
This chapter provides the steps to configure the CIM server in Cisco MDS 9000 Family products and gives some sample scenarios for using CIM objects to manage your SAN. This chapter includes the following sections:
Configuring the CIM Server, page 3-1 Performing Discovery and Performance Monitoring, page 3-3 Modeling a Module Using the Blade Subprofile, page 3-4 Configuring Zoning, page 3-4

The Cisco Fabric MOF for Cisco SAN-OS Release 3.0(1) or later provides extensions to the Fabric profile to manage VSANs, PortChannels, and other Cisco-specific entities within the fabric. See the section on page 2-7.
[Version ("1.0.0"), Description ( "cisco fabric and switch profile classes")] class CISCO_ActiveConnection : CIM_ActiveConnection {}; class CISCO_AdminDomain : CIM_AdminDomain {}; [Version ( "2.7.1"), Description ( "Capabilities and management of a Fibre Channel Port Device.") ] class CISCO_FCPort : CIM_FCPort {
Appendix A Cisco MOF Files for Cisco SAN-OS Release 3.0(1) or Later
[Override ( "PortType"), Description ( "The specific mode currently enabled for the Port. The " "values: \"N\" = Node Port, \"NL\" = Node Port supporting FC " "arbitrated loop, \"E\" = Expansion Port connecting fabric " "elements (for example, FC switches), \"F\" = Fabric " "(element) Port, \"FL\" = Fabric (element) Port supporting " "FC arbitrated loop, \"B\" = Bridge and \"G\" = Generic " "Port. PortTypes are defined in the ANSI X3 standards. " "When set to 1 (\"Other\"), the related property " "OtherPortType contains a string description of the port's " "type."), ValueMap { "0", "1", "10", "11", "12", "13", "14", "15", "16", "17", "18", "16004", "16010", "16011", "16012", "16000.65535"}, Values { "Unknown", "Other", "N", "NL", "F/NL", "Nx", "E", "F", "FL", "B", "G", "PortChannel", "FCIP", "ISCSI-F", "ISCSI-N", "Vendor Reserved"} ] uint16 PortType; uint16 PortAvailability = 2; }; class CISCO_Vsan : CIM_AdminDomain { }; class CISCO_Component : CIM_Component {}; class CISCO_ComputerSystem : CIM_ComputerSystem {}; class CISCO_ConnectivityCollection : CIM_ConnectivityCollection {}; class CISCO_ConnectivityMemberOfCollection : CIM_MemberOfCollection {}; class CISCO_ContainedDomain : CIM_ContainedDomain {}; class CISCO_DeviceSAPImplementation : CIM_DeviceSAPImplementation {}; class CISCO_FCPortStatistics : CIM_FCPortStatistics {}; class CISCO_HostedAccessPoint : CIM_HostedAccessPoint {}; class CISCO_HostedCollection : CIM_HostedCollection {}; class CISCO_ProtocolEndPoint : CIM_ProtocolEndPoint {}; class CISCO_PhysicalPackage : CIM_PhysicalPackage {}; class CISCO_PhysicalElement : CIM_PhysicalElement {}; class CISCO_Product : CIM_Product {}; class CISCO_Realizes : CIM_Realizes {};

Appendix A

Managed Object Format Files Cisco MOF Files for Cisco SAN-OS Release 3.0(1) or Later
class CISCO_SystemDevice : CIM_SystemDevice {}; class CISCO_ComputerSystemPackage : CIM_ComputerSystemPackage {}; class CISCO_ProductPhysicalComponent : CIM_ProductPhysicalComponent {}; class CISCO_ElementStatisticalData : CIM_ElementStatisticalData {}; class CISCO_LogicalPortGroup : CIM_LogicalPortGroup {}; class CISCO_LogicalModule : CIM_LogicalModule {}; class CISCO_ModulePort : CIM_ModulePort {}; class CISCO_EthernetPort : CIM_EthernetPort {}; class CISCO_HostedDependency : CIM_HostedDependency {}; class CISCO_LogicalIdentity : CIM_LogicalIdentity {}; class CISCO_PhysicalComputerSystem : CISCO_ComputerSystem {}; class CISCO_LogicalComputerSystem : CISCO_ComputerSystem {}; class CISCO_FCNodeMemberOfCollection : CIM_MemberOfCollection {}; class CISCO_FabricHostedService : CIM_HostedService {}; class CISCO_ObjectManagerHost : CIM_System {}; class CISCO_FCPortCapabilities : CIM_FCPortCapabilities {}; class CISCO_FCSwitchCapabilities : CIM_FCSwitchCapabilities {}; class CISCO_FCPortSettings : CIM_FCPortSettings {}; class CISCO_FCSwitchSettings : CIM_FCSwitchSettings {}; class CISCO_ElementCapabilities : CIM_ElementCapabilities {}; class CISCO_ElementSettingDataSys : CIM_ElementSettingData {}; class CISCO_SoftwareIdentity : CIM_SoftwareIdentity
{}; class CISCO_ElementSoftwareIdentity : CIM_ElementSoftwareIdentity {}; class CISCO_SAPAvailableForElement : CIM_SAPAvailableForElement {}; class CISCO_RemoteServiceAccessPoint : CIM_RemoteServiceAccessPoint {};

Cisco Zone MOF

The Cisco Zone MOF for Cisco SAN-OS Release 3.0(1) or later provides extensions to the zoning subprofiles. See the section on page 2-7.
[Version ("1.0.0"), Description ( "cisco zoneset class")] class CISCO_ZoneSet : CIM_ZoneSet {}; class CISCO_Zone : CIM_Zone {}; class CISCO_ZoneAlias : CIM_NamedAddressCollection {}; class CISCO_ZoneMemberSettingData : CIM_ZoneMembershipSettingData{ [Override ( "ConnectivityMemberType" ), Description ( "ConnectivityMemberType specifies the type of identification " "used in the ConnectivityMemberID field. For Fibre Channel, " "several of the enumerated values require additional " "explanation: \n" "* A ConnectivityMemberType equal to 2 (Permanent Address) " "indicates that an NxPort WWN (pWWN)value should be specified in " "the related ConnectivityMemberID property. \n" "* A ConnectivityMemberType of 3 (FCID) indicates " "that an NxPort Address ID(FCID) value should be specified in the " "related ConnectivityMemberID property. \n" "* A ConnectivityMemberType of 4 (Switch Port ID) indicates " "that a Domain or Port Number(DomainID) value should be specified in " "the related ConnectivityMemberID property.(eg. 06:40) \n" "* A ConnectivityMemberType of 5 (fcalias) " "indicates that alias name which denotes a port ID or WWN shoud be " "specified in the related ConnectivityMemberID property." "* A ConnectivityMemberType of 6 (Interface) " "indicates that a interface of local switch. The fc interface should" "be specified in the related ConnectivityMemberID property(eg. fc1/9)" "* A ConnectivityMemberType of 7 (fWWN) " "indicates that Fabric port WWN.The WWN of the fabric " "port value should be specified in the " "related ConnectivityMemberID property." "* A ConnectivityMemberType of 8 (Network Address IpV4) " "indicates that IPv4 address of an attached device in 32 bits" "in dotted decimal format should be specified in the " "related ConnectivityMemberID property." "* A ConnectivityMemberType of 9 (Network Address IpV6) " "indicates that IPv6 addressThe IPv6 address of an attached device " "in 128 bits in colon(:)-separated hexadecimal format should be specified" " in related ConnectivityMemberID property."

"* A ConnectivityMemberType of 10 (Interface with Remote SWWN) " "indicates that a interface of remote switch. The fc interface should" "be specified along with Switch WWN in the related ConnectivityMemberID" "property(eg. fc1/9:20000005300084DF)" "* A ConnectivityMemberType of 11 (Interface with DomainID) " "indicates that a interface of local switch. The fc interface should" "be specified along with the Domain Id in the related " "ConnectivityMemberID property(eg.fc1/9:25)" )] "* A ConnectivityMemberType of 12 (Symbolic-node name) " "indicates that a symbolic-node name" "should be specified in the " "related ConnectivityMemberID property." uint16 ConnectivityMemberType; }; class CISCO_ZoneService : CIM_ZoneService {}; class CISCO_SystemSpecificCollection : CIM_SystemSpecificCollection {}; class CISCO_ZoneMemberOfCollection : CIM_MemberOfCollection {}; class CISCO_ElementSettingData : CIM_ElementSettingData {}; class CISCO_HostedService : CIM_HostedService {}; class CISCO_ZoneHostedCollection : CIM_HostedCollection {}; class CISCO_ZoneCapabilities : CIM_ZoneCapabilities {};

Cisco FDMI MOF

The Cisco FDMI MOF for Cisco SAN-OS Release 3.0(1) or later provides extensions to the Fabric profile to manage VSANs, PortChannels, and other Cisco-specific entities within the fabric. See the section on page 2-7.
[Provider("FDMI_Provider"),Description ( "This class represents FDMI enabled physical HBA card attached " "to a switch" )] class CISCO_PhysicalHBA: CIM_PhysicalPackage { [Override("Tag"), Key, MaxLen (256), Description ( "A unique physical identifier that serves as the key for " "the HBA. The HBA serial number could be used as a tag.\n" )] string Tag; [Override("CreationClassName"), Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance.")] string CreationClassName= "CISCO_PhysicalHBA"; [Override("Manufacturer"), MaxLen (256), Description ( "The name of the organization responsible for "
"manufacturing the HBA.")] string Manufacturer; [Override("Model"), MaxLen (64), Description ( "The name by which the HBA is generally known.")] string Model; [Description ( "The detailed description of the model of the HBA. The " "value might provide a more detailed identification of the " "HBA than the Model property does."), MaxLen (256)] string ModelDescription; [Override("SerialNumber"), MaxLen (64), Description ( "A manufacturer-allocated number used to identify the HBA. " "This value SHOULD match a serial number engraved or " "printed in the HBA.")] string SerialNumber; [Override("Version"), MaxLen (64), Description ( "A string indicating the version of the HBA card.")] string Version; } ; /// CISCO_HBAProduct [Provider("FDMIProvider"), Description ("This class represents product information of FDMI enabled physical HBA card attached to a switch." )] class CISCO_HBAProduct: CIM_Product { [Override("Name"),Key, Description ( "Commonly used Product name."), MaxLen ( 256 )] string Name; [Override("IdentifyingNumber"),Key, Description ( "A manufacturer-allocated number used to identify the HBA. " "This value SHOULD match a serial number engraved or " "printed in the HBA."), MaxLen ( 64 )] string IdentifyingNumber; [Override("Vendor"),Key, Description ( "The name of the Product's supplier, or entity selling the " "Product (the manufacturer, reseller, OEM, etc.). " "Corresponds to the Vendor property in the Product object in " "the DMTF Solution Exchange Standard."), MaxLen ( 256 ) ] string Vendor; [Override("Version"),Key, Description ( "A string indicating the version of the HBA card."), MaxLen ( 64 )] string Version; [Override("ElementName"), Description( "The detailed description of the model of the HBA. The " "value might provide a more detailed identification of the " "HBA than the Model property does ")] string ElementName;

}; // CISCO_Platform [Provider("FDMIProvider"), Description ( "CISCO_Platform represents a fabric-connected entity, " "containing one or more Node objects, that has registered " "with a fabric's Management Server service.")] class CISCO_Platform: CIM_ComputerSystem { [Override ("CreationClassName"), Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance.")] string CreationClassName= "CISCO_Platform"; [Override ("Name"), Key, MaxLen (256), Description ( "The inherited Name serves as key of the platform in an " "enterprise environment. This value has the following " "format:\n" "\"WWN\":\"Platform Name\".")] string Name; [Override ("ElementName"), Required, Description ( "A user-friendly name for the object. This property allows " "each instance to define a user-friendly name IN ADDITION TO " "its key properties/identity data, and description " "information.")] string ElementName; [Override ( "NameFormat" ),Required, Description ( "The ComputerSystem object and its derivatives are Top Level " "Objects of CIM. They provide the scope for numerous " "components. Having unique System keys is required. The " "NameFormat property identifies how the ComputerSystem Name " "is generated. The NameFormat ValueMap qualifier defines the " "various mechanisms for assigning the name. Note that " "another name can be assigned and used for the " "ComputerSystem that better suit a business, using the " "inherited ElementName property."), ValueMap { "Other", "IP", "Dial", "HID", "NWA", "HWA", "X25", "ISDN", "IPX", "DCC", "ICD", "E.164", "SNA", "OID/OSI", "WWN", "NAA" }] string NameFormat = "Other"; [Write, Override ("Dedicated"), Description( "Platform type. Although this is represented as an array, " "only one type is specified at any given time (array size is " "always 1). When writing this property, users should " "specify only a single type in an array size of exactly 1. " "Specifying more or less than 1 type results in an exception " "with an invalid argument error code."), Values{"Unknown", "Others", "Gateway", "dummy3", "dummy4", "Converter", "HBA", "Swproxy", "StorageDev", "Host", "Storsubsys", "Module", "Driver", "StorAccess"}, ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13"}] uint16 Dedicated[]; [Override ("OtherIdentifyingInfo"), Description( "Platform name: for example, host name.")] string OtherIdentifyingInfo[];

Managed Object Format Files Cisco Indications MOF

Cisco Indications MOF

The Cisco Indications MOF provides extensions to the SMI-S standard indications to provide indications of link state changes. This MOF supports Cisco SAN-OS Release 2.0(1a) or later. See the FDMI Subprofile Extensions section on page 2-16.
[Version ("2.2.0")] class CISCO_LinkStateChange : CISCO_AlertIndication { [Description ( "The desired state of the interface. The testing (3) state" "indicates that no operational packets can be passed. When a" "managed system initializes, all interfaces start with" "ifAdminStatus in the down(2) state. As a result of either" "explicit management action or per configuration information" "retained by the managed system, ifAdminStatus is then" "changed to either the up(1) or testing(3) states (or remains" "in the down(2) state)."), ValueMap {"1", "2", "3"}, Values { "up", "down", "testing"}] uint32 ifAdminStatus; [Description ( "The current operational state of the interface. "), ValueMap {"1", "2", "3", "4", "5", "6", "7"}, Values { "up", "down", "testing", "unknown", "dormant", "notPresent", "lowerLayerDown"}] uint32 ifOperStatus; uint32 ifIndex; }; class CISCO_LinkUp : CISCO_LinkStateChange {}; class CISCO_LinkDown : CISCO_LinkStateChange {}; class CISCO_MediaFRU : CISCO_AlertIndication { uint32 PhysicalIndex; string PhysicalDescr; uint32 PhysicalVendorType_len; uint32 PhysicalContainedIn; [ Description ("Entity Physical Class Type "), ValueMap {"1", "2", "3","4" , "5", "6", "7", "8", "9","10", "11" } , Values {"ENT_OTHER","UNKNOWN_ENTITY", "CHASSIS", "BACKPLANE","CONTAINER", "POWERSUPPLY", "FAN", "SENSOR", "MODULE", "PORT", "STACK"} ] uint32 PhysicalClass; uint32 PhysicalParRelPos; string PhysicalName; string PhysicalHardwareRev; string PhysicalFirmwareRev; string PhysicalSoftwareRev; string PhysicalSerialNum; string PhysicalMfgName; string PhysicalModelName; string PhysicalAlias; string PhysicalAssetID; boolean PhysicalIsFRU;
Appendix A Cisco Indications MOF
boolean Valid; [ Description ( "Module Admin Status Status"), ValueMap {"1", "2", "3","4"}, Values {"CEFC_PHYS_STATUS_OTHER ","CEFC_PHYS_STATUS_SUPPORTED", "CEFC_PHYS_STATUS_UNSUPPORTED", "CEFC_PHYS_STATUS_INCOMPATIBLE"} ] uint16 PhysicalStatus; string string string string string uint16 string }; class CISCO_MediaFRUInserted : CISCO_MediaFRU {}; class CISCO_MediaFRURemoved : CISCO_MediaFRU {}; class CISCO_MediaFRUChanged: CISCO_AlertIndication { uint32 PhysicalIndex; [Description ( "Module Operational Status"), ValueMap {"1", "2","4","5","6","7","8","9","10","11","12", "13","14","15","16","17","18","19","20","21"}, Values { "MOD_OPER_UNKNOWN","MOD_OPER_OK","MOD_OPER_DISABLED","MOD_OPER_OKBUTDIAGFAILED", "MOD_OPER_BOOT","MOD_OPER_SELFTEST", " MOD_OPER_FAILED", "MOD_OPER_MISSING", "MOD_OPER_MISMATCHWITHPARENT", "MOD_OPER_MISMATCHCONFIG", "MOD_OPER_DIAGFAILED", "MOD_OPER_DORMANT" , " MOD_OPER_OUTOFSERVICEADMIN", "MOD_OPER_OUTOFSERVICEENVTEMP", "MOD_OPER_POWEREDDOWN", "MOD_OPER_POWEREDUP", " MOD_OPER_POWERDENIED", "MOD_OPER_POWERCYCLED", "MD_OPER_OKBUTPOWEROVERWARNING"," MOD_OPER_OKBUTPOWEROVERCRITICAL", "MOD_OPER_SYNCINPROGRESS" } ] uint16 ModuleOperStatus; [Description ( "Module Admin Status Status"), ValueMap {"1", "2", "3","4"}, Values {"Admin Enabled","Admin Disabled", "Admin Reset", "Admin Out of Service"} ] uint16 ModuleAdminStatus; [Description ( "Module Admin Status Status"), ValueMap {"1", "2", "3","4","5"}, Values {"UNKNOWN_RESET ","POWERUP", "PARITYERROR", "CLEARCONFIGRESET","MANUALRESET"} ] uint16 ModuleResetReason; string ModuleResetReasonDescription; uint32 numPorts; uint32 boot_mode; uint8 isValid; PhySecondSerialNum; PhyProductNumber; PhyPartRevision; PhyMfgDate; PhysicalCLEICode; PhySramSize; PhysicalNameofSlot;

Preface

This preface describes the audience, organization, and conventions of the Cisco MDS 9000 Family Secure Erase Configuration Guide. It also provides information on how to obtain related documentation.
This guide is intended for experienced network administrators who are responsible for planning, installing, configuring, and maintaining Cisco MDS 9000 Secure Erase.
This document is organized as follows: Chapter Chapter 1 Chapter 2 Appendix A Title Product Overview Configuring Secure Erase Secure Erase CLI Command Reference Description Provides an overview of Cisco MDS Secure Erase. Describes the installation, provisioning, and configuration tasks. Syntax and usage guidelines for Cisco MDS Secure Erase CLI commands.
Command descriptions use these conventions: boldface font italic font [ ] [x|y|z] Commands and keywords are in boldface. Arguments for which you supply values are in italics. Elements in square brackets are optional. Optional alternative keywords are grouped in brackets and separated by vertical bars.
Screen examples use these conventions:
screen font boldface screen font italic screen font < > [ ] !, #
Terminal sessions and information the switch displays are in screen font. Information you must enter is in boldface screen font. Arguments for which you supply values are in italic screen font. Nonprinting characters, such as passwords, are in angle brackets. Default responses to system prompts are in square brackets. An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
This document uses the following conventions:
Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Caution

Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Documentation

The documentation set for the Cisco MDS 9000 Family includes the following documents. To find a document online, use the Cisco MDS SAN-OS Documentation Locator at: http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/roadmaps/doclocater.htm

Release Notes

Cisco MDS 9000 Family Release Notes for Cisco MDS SAN-OS Releases Cisco MDS 9000 Family Release Notes for Storage Services Interface Images Cisco MDS 9000 Family Release Notes for Cisco MDS 9000 EPLD Images
Compatibility Information
Cisco MDS 9000 SAN-OS Hardware and Software Compatibility Information Cisco MDS 9000 Family Interoperability Support Matrix Cisco MDS Storage Services Module Interoperability Support Matrix Cisco MDS SAN-OS Release Compatibility Matrix for Storage Service Interface Images
Regulatory Compliance and Safety Information
Regulatory Compliance and Safety Information for the Cisco MDS 9000 Family

Hardware Installation

Cisco MDS 9124 Multilayer Fabric Switch Quick Start Guide Cisco MDS 9500 Series Hardware Installation Guide Cisco MDS 9200 Series Hardware Installation Guide Cisco MDS 9100 Series Hardware Installation Guide

Cisco Fabric Manager

Cisco MDS 9000 Family Fabric Manager Quick Configuration Guide Cisco MDS 9000 Family Fabric Manager Configuration Guide Cisco MDS 9000 Family Fabric Manager Database Schema

Command-Line Interface

Cisco MDS 9000 Family Software Upgrade and Downgrade Guide Cisco MDS 9000 Family Storage Services Module Software Installation and Upgrade Guide Cisco MDS 9000 Family CLI Quick Configuration Guide Cisco MDS 9000 Family CLI Configuration Guide Cisco MDS 9000 Family Command Reference
Intelligent Storage Networking Services Configuration Guides
Cisco MDS 9000 Family Data Mobility Manager Configuration Guide Cisco MDS 9000 Family Storage Media Encryption Configuration Guide
Troubleshooting and Reference
Cisco MDS 9000 Family Troubleshooting Guide Cisco MDS 9000 Family MIB Quick Reference Cisco MDS 9000 Family SMI-S Programming Reference Cisco MDS 9000 Family System Messages Reference
Installation and Configuration Notes
Cisco MDS 9000 Family SSM Configuration Note Cisco MDS 9000 Family Port Analyzer Adapter Installation and Configuration Note Cisco 10-Gigabit X2 Transceiver Module Installation Note Cisco MDS 9000 Family CWDM SFP Installation Note Cisco MDS 9000 Family CWDM Passive Optical System Installation Note
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly Whats New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the Whats New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

CH A P T E R

Product Overview
Cisco Secure Erase is a SAN-based product that erases existing data on a specific Logical Unit Number (LUN) on a storage array. The data erased using Secure Erase cannot be reconstructed. Cisco Secure Erase runs on the Cisco MDS 9000 18/4-Port Multiservice Module (MSM-18/4 module) and MDS 9222i switch. The MSM-18/4 module and 9222i switch are together called as the Secure Erase node. The MSM-18/4 module must be installed on the Cisco MDS switch on which you want to run Cisco Secure Erase. This chapter includes the following sections:

Concepts and Terminology

Cisco Secure Erase uses the following concepts and terminologies:

Secure Erase

Cisco Secure Erase is a SAN-based feature that erases existing data on a specific target. The data erased through Secure Erase cannot be reconstructed.
Secure Erase job is an enclosure where multiple target ports and VIs that belong to different VSANs can be added.
Secure Erase session is a unit of Secure Erase operation that contains the target and algorithms to be used.

Secure Erase Algorithm

Secure Erase is based on erase algorithms recommended by the United States Department of Defense, the Royal Canadian Police and NIST-800-88 algorithm recommended by the National Institute of Standards and Technology, agency of US Department of Commerce. Secure Erase algorithms specify a sequence of patterns to be written on physical media with the objective of erasing the data and overcoming the problem of data remanence.
An MSM-18/4 module is an MDS switch module that provides intelligent services. The Secure Erase feature is executed on the MSM-18/4 module.
A VI is a Virtual Initiator residing on the MSM-18/4 module.
A Logical Unit Number (LUN) is a unit of storage that you can specify for Secure Erase. The LUN is only a unique number in the content of a storage port.
A FUA is a Force Unit Access bit. Secure Erase turns the bit on in all the writes.
Chapter 1 Features and Capabilities
Features and Capabilities
Cisco Secure Erase has the following features and capabilities:

Configuration Using CLI

Secure Erase provides a set of CLI commands. The CLI runs on the supervisor and the requests are directly sent to the Secure Erase process running on the Secure Erase node.

Support Function

Secure Erase supports multiple storage ports and multiple storage arrays.

Data Erase

Secure Erase supports data erase using different algorithms.

Secure Erase Algorithms

Secure Erase provides algorithms recommended by the United States Department of Defense, the Royal Canadian Police, and the NIST-800-88 algorithm recommended by the National Institute of Standards and Technology, an agency of the US Department of Commerce. There is a provision to create and use your own proprietary algorithms. You can choose from the following algorithms:
Gutmann (http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/) RCMP DoD 522022M DoD 522022M-S NIST-800-88 All zeroes

Synchronize Cache

Synchronize cache is a SCSI command to request the storage controller to synchronize the data present in the cache to the physical media. This command can specify an LBA range for which the cache needs to be synchronized. Secure Erase executes this command at every step of the algorithm to instruct the storage controller to write each pattern to the physical media before next pattern is written. Please check with the array vendor to find out whether synchronize cache is supported.

Product Overview Requirements and Prerequisites
Requirements and Prerequisites
The prerequisites described in the following sections are required to set up Secure Erase.

Software Requirements

Cisco Secure Erase has the following software requirements:
MDS switches hosting the MSM-18/4 module and 9222i switch must be running SAN-OS Release 3.3(1a) or later. The Fabric Manager server version must be SAN-OS Release 3.3(1a) or later.

Hardware Requirements

Cisco Secure Erase has the following hardware requirements:
MSM-18/4 module and 9222i switch All MDS 9200 family switches All MDS 9500 family switches
The following switches support the MS-18/4 module:

Software Licenses

Cisco Secure Erase uses the Storage Services Enabler (SSE) Package for the licensing. The SSE license package is not included with the.
Chapter 1 Requirements and Prerequisites

Configuring Secure Erase

This chapter describes how to configure Cisco MDS Secure Erase, and has the following sections:
Configuration Overview, page 2-1 Configuration Process, page 2-1
Secure Erase is included in the SSI image.
Cisco Secure Erase runs on the MSM-18/4 module and 9222i switch installed in an MDS 9500 or 9200 series switch. The Secure Erase software package is included in the SSI image, which is delivered as part of NX-OS. The Secure Erase feature must be provisioned on the MSM-18/4 module.

Configuration Process

The following sections provide an overview of a typical Secure Erase process:
Obtaining Information, page 2-2 Setting Up Cisco Secure Erase, page 2-3 Job Configuration, page 2-4 Recovering Secure Erase Configuration, page 2-5
Chapter 2 Configuration Process
Figure 2-1 Secure Erase Workflow Diagram
Step 1: Obtain Information Collect information about Storage Enclosures
Step 2: Setup Creating Virtual Initiators, Zoning and Storage Array Configuration

Obtaining Information

You need to collect the following information about the target enclosure:
Information about the target enclosure or storage array on which you would like to perform Secure Erase. The storage array is also called as Secure Erase storage array. Information about WWNs of the target ports you would like to use to access the target enclosure. The target ports are called Secure Erase target ports and the VSANs where the Secure Erase target ports reside are called Secure Erase VSANs. Information about one or more LUNs on the Secure Erase storage array on which you would like to perform Secure Erase. These LUNs are also called as Secure Erase LUNs.

187141

Step 3: Job Configuration Create Secure Erase Jobs and Sessions

Chapter 2

Configuring Secure Erase Configuration Process
Setting Up Cisco Secure Erase
You need to create the VIs, setup zone, and storage array configuration to preconfigure Secure Erase. The CLI configuration is preserved across reboots or switch reloads. It is preferred to have one job per storage enclosure. A storage enclosure can have multiple storage ports spanning multiple VSANs and storage LUNs. To set up Secure Erase, follow these procedures:. Command

Step 1 Step 2 Step 3

switch# config t switch# MSM-18/4 enable feature se module module-id switch# secure-erase module module-id create-vi vsan secure-erase VSAN
Purpose Enters configuration mode. Provisions the Secure Erase feature on the specific module. Creates VIs in a Secure Erase VSAN.
This command must be performed for each Secure Erase VSAN. Once created, VIs are available for all Secure Erase jobs. Also, WWNs of the VIs are persistent across reload of the switch or MSM-18/4.

Step 4

switch# show secure-erase module module-id vsan secure-erase VSAN
Displays the WWNs of Secure Erase VIs created in the previous step.
Complete the additional following tasks:
Set up the zone. Decide on one or more Secure Erase VIs and zone target ports that you would like to use to perform Secure Erase.
Program the storage array. The Secure Erase storage array must be programmed to enable Secure Erase VIs to access the Secure Erase LUNs. Secure Erase requires write commands to go directly to the physical media. Secure Erase sends all write commands with Force Unit Access (FUA) bit on. When the bit is set, the SCSI device is instructed to bypass the cache and perform the command directly on the physical media.
Check with the storage array vendor to confirm that FUA bit is supported in SCSI writes.
Figure 2-2 Interaction of SUP and MSM-18/4
Secure Erase Command Parser SUPERVISOR Command Response

Secure Erase Daemon

187037

Secure Erase node

All Secure Erase CLIs are performed on the Supervisor. The Secure Erase configuration is stored in persistent memory on the supervisor engine.

Job Configuration

You can configure Cisco Secure Erase jobs and sessions using the CLI. For information about the CLI, refer to the Secure Erase CLI Command Reference, page A-1. To create a Secure Erase job and session, follow these steps: Command

Step 1 Step 2

secure-erase module module-id create job job-id secure-erase module module-id job job-id add-vi vsan secure-erase VSAN all | pwwn secure-erase VI pwwn add-tgt vsan secure-erase VSAN pwwn secure-erase target port pwwn
Purpose Creates a Secure Erase job. Adds Secure Erase VIs and Secure Erase target ports to a Secure Erase job.
You can use the CLI commands several times to include all the Secure Erase VIs and Secure Erase target ports in all the Secure Erase VSANs.

Chapter 3 Using the Secure Erase Pre-Configuration Wizard
To display the Secure Erase Pre-Configuration wizard, from the Fabric Manager menu, choose Tools > Secure Erase > Pre-configuration. You see the Secure Erase Pre-Configuration Wizard screen. (See Figure 3-5.)
Figure 3-4 Secure Erase Pre-Configuration
Configuring Secure Erase Using Cisco Fabric Manager Configuring MDS Modules for Secure Erase
Configuring MDS Modules for Secure Erase
To configure MDS modules for Secure Erase, follow these steps:
Select the Secure Erase capable modules that you want to configure and click Next. The Modules for Set Up screen (see Figure 3-5) displays only the switch and modules that do not have the Secure Erase feature enabled. The switch must be running Cisco NX-OS Release 5.0 or later. This wizard cannot be used to edit existing configurations.
Figure 3-5 Modules for Set Up
The Enable Secure Shell (SSH) screen (see Figure 3-6) displays a list of Secure Erase switches. The table indicates if SSH is enabled and if the key already exists.
Click Next. A SSH key is created if the key does not already exist. SSH is enabled. The SSH key is created for protocol RSA with a numbits value of 1024.
If SSH is already enabled on all switches, then the No action necessary message is displayed. Click Next to continue.
Chapter 3 Configuring MDS Modules for Secure Erase
Figure 3-6 Enable Secure Shell (SSH)
Select a switch from the drop-down list to configure the IP address and mask for the VSAN 1 interface.
Click Add (See Figure 3-7) The switch moves from the drop-down list to the table. One entry can be added for each switch. Click Next. The IP address is created and the IPv4 routing is enabled for all the switches that are selected.
The valid mask values are 8, 16, 24, or 32. If the VSAN 1 IP address is already configured for the switch, then the switch does not appear in the drop-down list. If all the switches already have the VSAN 1 IP address configured, then a message is displayed. Once you click Next, the IPv4 routing is configured. If you do not add a VSAN 1 IP address for all the switches in the list and click Next, an error message is displayed. (See Figure 3-8.)

Figure 3-7 Configure VSAN IP Connectivity

Figure 3-8

Error Message for VSAN IP Connectivity
Select a switch module from the drop-down list and specify the CPP IP address/mask. (See Figure 3-9)
Click Add to move the switch module from the drop-down list to the table. The CPP IP address must be in the same subnet as the VSAN 1 IP address or an error message is displayed. Only one entry can be added for each switch module.
Click View necessary gateways. The Necessary Default Gateways screen is displayed. (See Figure 3-10). Click Next. The IP address is created and the gateway is configured.
The Configure Module IP Connectivity screen (see Figure 3-9) sets the IP address for CPP and configures the default gateway for the CPP interface to point to the VSAN 1 IP address. All IP traffic from the CPP interface is routed to the management interface.
Figure 3-9 Configure Module IP Connectivity
The Necessary Default Gateways screen (see Figure 3-10) shows the VSAN 1 IP address that will be used to configure the default gateway for each of the switch modules. It also shows if a default gateway already exists.
Figure 3-10 Necessary Default Gateways
The valid mask values are 8, 16, 24, or 32. If the CPP IP address is already configured for the switch module, then the module does not appear in the drop-down list. The 9222i switch is not displayed in the drop-down list because it is not required to set a separate CPP IP address or default gateway for this module. If all of the switch modules already have their CPP IP addresses configured, then a message is displayed. Click Next. The necessary default gateways are configured.

Step 5

Click Create/Activate Zones. The wizard goes through the fabrics to create the zones. (See Figure 3-11) Before creating the zones, the wizard checks if the active and local zone databases of the principle switch match. If there is a mismatch, an input dialog box is displayed. You will be prompted to copy the active zone database to the local zone database. If you click Yes, the zones are created on the principal switch for the fabric. If you click No, the zone creation is skipped for the zone mismatched fabric. After the zone creation is complete, a popup dialog box is displayed that specifies if the zone creation process was successful or if it failed. If there is an error during the zone creation, the Create/Activate Zones button is enabled. Click Create/Activate Zones again to create the zones that failed previously. Only the zones that failed previously will be created to avoid any duplicate entries in the zones database. Once all the zones are created successfully on all the fabrics, the Create/Activate Zones button is disabled and the Status button is enabled. (See Figure 3-12.)

Click Next.

All DPP Virtual Initiators (VIs) for the selected module are listed.
Configuring Secure Erase Using Cisco Fabric Manager Creating a Secure Erase Job Using Fabric Manager
All of the SE-enabled modules in the VSAN that the target ports belong to are listed. The module with the least number of active jobs should be selected by default. Ensure that the number of active jobs for each module is listed correctly.
Figure 3-16 Secure Erase Enable Module
Select a DPP Virtual Initiator (VI) for Secure Erase. The first DPP VI in the list is selected by default. Verify that the pWWN, nWWN, and the job number are listed correctly for each DPP VI. (See Figure 3-17.)
Click Create/Activate Zone.
The Zone Activation Status is displayed. (See Figure 3-18.) Zones are created for each of the VSANs that the selected targets belong to and the selected DPP VI.
Click Status to view the Zone creation or activation status. Click Next.
All of the selected targets with the LUNs are listed.
Figure 3-17 DPP VI Selection
Figure 3-18 Zone Activation Status
Select the LUNs for which the sessions need to be created. (See Figure 3-19.)
Checking the Session check box at target level will check all the LUNs for that target. Unchecking the session check box for any of the LUNs will automatically uncheck the check box at the parent target level.
Select the algorithm for each LUN. (See Figure 3-19.)
Selecting an algorithm at target level will select that algorithm for all the LUNs for that target. Selecting a different algorithm for any of the LUNs will automatically mark the algorithm as Mixed at the parent target level.
Figure 3-19 Create Session
Click Finish. The Secure Erase job is created with specxified sessions. If multiple LUNs were selected and at least one session is created successfully, then the operation is considered to be successful.
Displaying Secure Erase Job Status
To verify the Secure Erase jobs and session information, follow these steps:
Expand End Devices in the Physical Attributes pane and select Secure Erase. The information pane is displayed. (See Figure 3-20.)
Figure 3-20 Secure Erase Job Status View
Select a job status for each Secure Erase job. The following opearations are allowed on each job:

To add a dynamic pattern step to a specific algorithm, use the add-step dynamic command in configuration mode. add-step dynamic [0 | 1]
(Optional) Specifies that the pattern is generated using a random number generator. (Optional) Specifies that the pattern is complimentary to the previous pattern.
Configuration Secure Erase algorithm submode
The following example shows how to add a dynamic pattern step to a specific algorithm:
switch# config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# secure-erase module 2 algorithm 0 switch(config-se-algo)# switch(config-se-algo)# add-step dynamic 0

Command add-step static

Description Adds static pattern step to a specific algorithm.
Appendix A add-step static

add-step static

To add a static pattern step to a specific algorithm, use the add-step static command in configuration mode. add-step static pattern

pattern

Specifies the static pattern step. The pattern is to write ranges from 1 to 512 bytes and can consist of only characters 0 to 9 and A to F.
The following example shows how to add a static step to a specific algorithm:
switch# config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# secure-erase module 2 algorithm 0 switch(config-se-algo)# switch(config-se-algo)# add-step static 1

Command add-step dynamic

Description Adds a dynamic pattern step to a specific algorithm.
Secure Erase CLI Command Reference add-tgt vsan

add-tgt vsan

To define target enclosure and add multiple target ports for a specific Secure Erase job, use the add-tgt vsan command in configuration mode. add-tgt vsan vsan-id pwwn target port pwwn

vsan-id

Specifies the VSAN ID of the target port added to a Secure Erase job.
pwwn target port pwwn Specifies the port world-wide name (pWWN) of the target port.
The target ports added to a specific job can be part of a different VSAN. The Secure Erase application creates VIs in a specific VSAN.
VIs and targets from different VSANs can be added to a job. A storage array may have multiple storage ports belonging to a different VSAN. You can create one job for one storage array.

The following example shows how to create a Secure Erase job:
switch# config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# secure-erase module 2 create job 1

Command add-tgt job

Description Defines a target enclosure and adds multiple target ports for a specific Secure Erase job.
Appendix A secure-erase create-vi vsan
secure-erase create-vi vsan
To create a VI for a specific VSAN, use the secure-erase create-vi vsan command in configuration mode. secure-erase module module-id create-vi vsan vsan-id

module module-id vsan-id

Specifies the desired slot number of the MSM-18/4 on which Secure Erase is provisioned. Specifies the VSAN ID of the target port being added.
You do not need to provide the job ID because VIs can be used commonly across jobs.
The following example shows how to create VIs for a VSAN:
switch# config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# secure-erase module 2 create-vi vsan 1

Command create job

Description Creates a Secure Erase job.
Secure Erase CLI Command Reference secure-erase destroy algorithm
To destroy a Secure Erase algorithm, use the secure-erase destroy algorithm command in configuration mode. secure-erase module module-id destroy algorithm algorithm-id
module module-id algorithm-id
Displays the slot number of the MSM-18/4 on which Secure Erase is provisioned. Displays the algorithm ID. The range is 0 to 9.
The following example shows how to destroy an algorithm:
switch# config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# secure-erase module 2 destroy algorithm 1
Command secure-erase destroyvi vsan
Description Destroys a Secure Erase VSAN.
Appendix A secure-erase destroy job

secure-erase destroy job

To destroy a Secure Erase job, use the secure-erase destroy job command in configuration mode. secure-erase module-id destroy job job-id
This command destroys a Secure Erase job. A job can be destroyed only when there are no active sessions running.
The following example shows how to validate a Secure Erase job:
switch# config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# secure-erase module 2 destroy job 1
Command secure-erase start job secure-erase stop job
Description Starts all sessions in a job. Stops all sessions in a job.

Secure Erase CLI Command Reference secure-erase destroy-vi vsan
To destroy a VI for a specific VSAN, use the secure-erase destroy-vi vsan command in configuration mode. secure-erase module module-id destroy-vi vsan vsan-id
Displays the slot number of the MSM-18/4 on which Secure Erase is provisioned. Displays the VSAN-ID of the target.
The following example shows how to destroy a VSAN:
switch# config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# secure-erase module 2 destroy-vi vsan 1
Command secure-erase destroy algorithm
Description Destroys a Secure Erase algorithm.
Appendix A secure-erase start job

secure-erase start job

To restart all sessions in a job, use the secure-erase start job command in configuration mode. secure-erase module module-id start job job-id
Specifies the desired module number of the MSM-18/4 on which Secure Erase is provisioned. Starts a specific job ID of the target.
This command starts all sessions in a job. If the active sessions have reached the maximum limit, the remaining sessions are queued. The queued sessions start when one or more sessions are complete or aborted. A job can be started only when it has one or more sessions in the stopped state or ready state.
The following example shows how to start a session in a Secure Erase job:
switch# config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# secure-erase module 2 start job 1
Command secure-erase stop job
Description Stops all sessions in a job.
Secure Erase CLI Command Reference secure-erase stop job

secure-erase stop job

To stop all sessions in a job, use the secure-erase stop job command in configuration mode. secure-erase module-id stop job job-id
Specifies the desired module number of the MSM-18/4 on which Secure Erase is provisioned. Stops the specific job ID of the target.
This command waits for the completion of the current pattern and pauses the pattern sequence. A stopped job can be restarted. A job can be stopped only when it has one or more sessions in the running state.
The following example shows how to stop a session in a Secure Erase job:
switch# config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# secure-erase module 2 stop job 1
Command secure-erase start job

Description Restarts all sessions in a job.
Appendix A secure-erase validate job
secure-erase validate job
To validate a Secure Erase job, use the secure-erase validate job command in configuration mode. secure-erase module-id validate job job-id
switch# config terminal Enter configuration commands, one per line. End with CNTL/Z. switch(config)# secure-erase module 2 validate job 1
Description Restarts all sessions in a job. Stops all sessions in a job.
secure-erase abort job Aborts a job in a session.
Secure Erase CLI Command Reference show secure-erase algorithm
To display the list of all Secure Erase algorithms, use the show secure-erase algorithm command. show secure-erase module module-id algorithm algorithm name
module module-id algorithm name
Displays the slot number of the MSM-18/4 on which Secure Erase is provisioned. Displays the algorithm name.

Exec mode

The following example displays the list of Secure Erase algorithms:
switch# show secure-erase module 4 algorithm name 1 switch# Algorithm : 1 Step 0: faa8bd6c1e838b6b9b0818f30d48f5eecc7e7f572d9d8ac50a9a78b73bf128eb7a71ff40a7c07f55dda1d31f87 5bca26b170d6b3c0735 55e06d6229f6a5dedeaa0583f0d1ebe28fca8a7cac936d6f0a453af4174fbbcba29f711047cb48e984a3c09751 9138a628bc6e662bd3d28237d09 1f68a8df05f50effc55390a12ee2c6 Step 1: 05574293e17c749464f7e70cf2b70a11338180a8d262753af5658748c40ed714858e00bf583f80aa225e2ce078 a435d94e8f294c3f8ca aa1f929dd6095a212155fa7c0f2e141d70357583536c9290f5bac50be8b044345d608eefb834b7167b5c3f68ae 6ec759d7439199d42c2d7dc82f6 e0975720fa0af1003aac6f5ed11d39 Step 2: 678909876545671234567898765435
The following example displays all available Secure Erase algorithms on a module:
switch# show secure-erase module 4 algorithm
Appendix A show secure-erase algorithm
Related Commands Command show secure-erase job Description Displays the contents of a particular Secure Erase job.
Secure Erase CLI Command Reference show secure-erase job

show secure-erase job

To display the contents of a particular job, use the show secure-erase job command. show secure-erase module module-id job job-id
Displays the slot number of the MSM-18/4 on which Secure Erase is provisioned. Displays the unique number to identify a Secure Erase job.
The following example displays the contents of a particular Secure Erase job:
switch# show secure-erase module 4 job 2
The following example displays the contents of all Secure Erase jobs configured on a module:

switch# show secure-erase module 16 job
Command show secure-erase algorithm
Description Displays the list of Secure Erase algorithms.
Appendix A show secure-erase job detail
To display the contents of a particular job in detail, use the show secure-erase job detail command. show secure-erase module module-id job job-id detail
The following example displays the contents of a Secure Erase job in a brief form:
switch# show secure-erase module 4 job 2 detail
Command show secure-erase job
Description Displays the contents of a Secure Erase job.
Secure Erase CLI Command Reference show secure-erase vsan

show secure-erase vsan

To display a list of all VIs in the VSAN, use the show secure-erase vsan command. show secure-erase module module-id vsan vsan-id
Displays the slot number of the MSM-18/4 on which Secure Erase is provisioned. Displays the VSAN ID of the target.
The following example displays the list of all VIs in the VSAN:
switch# show secure-erase module 4 vsan 1
Command show secure-erase algorithm show secure-erase job
Description Displays the list of Secure Erase algorithms. Displays the contents of a particular Secure Erase job.
Appendix A show secure-erase vsan

Algorithm about

1-3 1-4 1-4

1-2, 1-3

data erase

recommended

1-4 1-3
Cache Synchronization Configuration commands overview process

2-1 2-4 2-2 2-5 1-4 2-1

new and changed information (table)

job configuration

Overview
obtaining information set up VI,creating Zones, set up

2-3 2-3

recovering configuration storage array, program
Requirements hardware software

1-5 1-5

Licenses, Software
documentation additional publications related documents

1-xi 1-xi

SCSI command Session about

1-2, 1-3 1-3 1-4