Planning for Cisco switches and fabrics

IBM® Storage Insights uses NX-API to manage Cisco switches and fabrics.

Supported switches and fabrics

You must have NX-OS Release 8.4(x) or 8.5(1), or 9.2(1a), and you must enable NX-API on your Cisco MDS switches before you can add them for monitoring in IBM Storage Insights.

Monitoring limitations:
  • The following Cisco switches are not supported for monitoring at this time:
    • Nexus family switches
    • Switches with the following SAN Extension module installed: DS-X9334-K9. To view the installed modules, use the show mod command on the switch CLI.
  • You can't monitor the IP storage modules (ethernet ports) or the Fibre Channel over IP (FCIP) tunnels on Cisco switches.

For a complete list of the switches that are supported, see https://www.ibm.com/support/pages/node/6465529.

Connection credentials for monitoring Cisco switches and fabrics

To add Cisco switches and fabrics, you must provide the username and password of a user with the network-admin role or network-operator role so that IBM Storage Insights can collect and analyze the following metadata:
  • Performance metadata
  • Asset, configuration, and status metadata
Tip: To help IBM Support troubleshoot data collection, performance, and other issues, create a dedicated user account for collecting metadata from switches. When the switches are added, you can also provide location information for the switches.

Entering configuration mode

To run commands that change switch configuration settings, you must enter configuration mode on the switch. Use the terminal as the source of commands. To enter configuration mode, run the following command:

switch_name# configure terminal

After you run this command, the prompt will include "(config)" to indicate that you are in configuration mode:


switch_name(config)# 
Important: Users with the network-admin role can run the commands that are listed here, excluding the text (config), without entering configuration mode.

Configuring message severity levels for event processing

For IBM Storage Insights to process events from Cisco switches, you must configure the log message severity levels of the syslog messages for the switches.

You can configure the message severity levels for a switch by using either of the following methods:
  • Use the Device Manager, which is one of the Cisco Fabric Manager applications.
  • Use the CLI for a switch.
Using the Device Manager
To configure the message severity levels of a switch by using the Device Manager, complete the following steps:
  1. In Device Manager, click Logs > Syslog > Setup.
  2. In the Switch Logging tab, select the following options:
    • TerminalEnable
    • LineCardEnable
  3. Select the following message severity levels:
    Table 1.
    Message               Severity Level
    TerminalMsgSeverity   notice(6)
    LinecardMsgSeverity   info(7)
    LogFileMsgSeverity    info(7)
  4. Click Apply.
Using the CLI
To configure the message severity levels of a switch by using the CLI, complete the following steps:
  1. Access the CLI of the switch through SSH.
  2. Run the following command:
    switch_name# show logging
    The output of the command includes the following information:
    Logging logfile:                enabled
    logfile-name: Severity - debugging Size - ######
    Where logfile-name represents the name of the log file.
  3. Run the following commands:
    switch# configure terminal
    switch(config)# logging monitor 6
    switch(config)# logging module 7
    switch(config)# logging logfile logfile-name 7
    switch(config)# exit
    switch# copy run start
    Where logfile-name is the name of the log file from step 2.

Enabling NX-API and HTTPS

  1. To verify that the switch uses NX-OS Release 8.4(1) or later, run the following command:
    switch_name# show version
    Important: If the NX-OS release is earlier than 8.4(1), you must upgrade NX-OS to Release 8.4(1) or later to add the switch.
  2. To verify that NX-API is enabled, run the following command:
    switch_name# show feature | grep nxapi
     
    • If NX-API is enabled, the following text is displayed:

      nxapi 1 enabled
    • If NX-API is disabled, run the following command to enable it:
      switch_name# configure terminal
      switch_name(config)# feature nxapi
  3. To view the details of the NX-API configuration, including NX-API status, ports, and the HTTPS certificate, run the following command:
    switch_name# show nxapi
    The output includes the following key information:
    • NX-API: Enabled
      You can also confirm this status by running the command in step 2.
    • HTTP Port: Disabled
      HTTP is disabled by default. If you must enable HTTP due to internal requirements, run the following command:
      switch_name(config)# nxapi http port 8080
      To disable HTTP again, run the following command:
      switch_name(config)# no nxapi http
    • HTTPS Port: 8443
      When you enable NX-API, HTTPS is enabled automatically with a self-signed certificate that expires after one day. By default, HTTPS is configured to use port 8443.
      If port 8443 is not configured on the switch, run the following command:
      switch_name(config)# nxapi https port 8443
      To use a port other than 8443, substitute a different port number in the command.
      Remember: If the Cisco chassis is configured to run NX-API with HTTPS on port 443, it creates a conflict with the web server that runs on the same port. Do not use port 443. Use another unused port number.
    • SSH Certificate Information:
      The SSH certificate information includes an expiration date and the certificate content.
Important: When you enable NX-API on Cisco MDS or IBM C-Type switches that run NX-OS version 8.4(2), the command might hang and eventually fail. For information about how to troubleshoot this issue, see https://www.ibm.com/support/pages/node/6552964.
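
The checks from steps 1 to 3 can be collected into one audit over captured CLI output. The following script is an added example, not IBM or Cisco code: the sample `show nxapi` text is constructed from the three fields quoted above, and the function names are hypothetical.

```python
import re

# Constructed samples of `show nxapi` output. Only the three fields quoted in
# this page are modelled; real output carries more lines.
SAMPLE_OK = "NX-API:      Enabled\nHTTP Port:   Disabled\nHTTPS Port:  8443\n"
SAMPLE_BAD = "NX-API:      Enabled\nHTTP Port:   8080\nHTTPS Port:  443\n"
MIN_RELEASE = (8, 4, 1, "")  # page requirement: NX-OS Release 8.4(1) or later


def parse_release(text):
    """Turn a release such as '8.4(2)' or '9.2(1a)' into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\((\d+)([a-z]?)\)\s*", text)
    if not m:
        raise ValueError(f"unrecognised NX-OS release: {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def parse_show_nxapi(output):
    """Collect 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skip headings that have no value
            fields[key.strip().lower()] = value.strip()
    return fields


def audit(release, show_nxapi_output):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if parse_release(release) < MIN_RELEASE:
        findings.append("NX-OS release is older than 8.4(1)")
    f = parse_show_nxapi(show_nxapi_output)
    if f.get("nx-api", "").lower() != "enabled":
        findings.append("NX-API is not enabled")
    if f.get("http port", "disabled").lower() != "disabled":
        findings.append("cleartext HTTP listener is enabled: " + f["http port"])
    https = f.get("https port", "")
    if not https.isdigit():
        findings.append("HTTPS port is not configured")
    elif https == "443":
        findings.append("HTTPS port 443 conflicts with the switch web server")
    return findings
```

An empty result from `audit("8.4(2)", SAMPLE_OK)` means the switch matches the settings described in this section; `SAMPLE_BAD` shows the HTTP and port 443 findings.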

Security

From Cisco NX-OS Release 8.4(x), when NX-API is enabled over HTTPS, a self-signed certificate is created that expires after 24 hours. If you use an expired certificate, the browser displays a warning about security vulnerabilities. To minimize security threats, use a valid certificate from a certificate authority. For more information about how to get a valid certificate and import it on the switch, see the Configuring Certificate Authorities and Digital Certificates section in the Cisco MDS 9000 Series Security Configuration Guide, Release 8.x.

Saving NX-API configuration changes

After you make changes to the running NX-API configuration, you must save the configuration of the switch to the startup configuration so that the changes persist after the switch is rebooted. You can save the configuration from outside configuration mode.

Run the following command to save the current configuration to be used when the switch is restarted:

switch_name# copy running-config startup-config

Other useful NX-API commands

Other NX-API commands that might be useful are listed in the following table.

Table 2. Other NX-API commands
Command description and command:
  • Show whether HTTPS is enabled.
    switch_name# show nxapi | grep -i https
  • Configure the switch to use a port other than 8443 with HTTPS.
    Restriction: Don't use port 443 because this port is already used by the web UI of the switch.
    switch_name(config)# nxapi https port port_number
  • Create a user with network-operator role.
    switch_name(config)# username myoperator password user_password role network-operator
  • Disable HTTP access.
    switch_name(config)# no nxapi http