VDX 6710, VDX 6720, VDX 6730, VDX
6740, VDX 6740T and VDX 8770
Switches
FIPS 140-2 Non-Proprietary
Security Policy
Document Version 1.0
Brocade Communications
8/11/2014
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 2 of 49
Revision History
Revision Date Revision Summary of Changes
9/12/2013 1.0 Initial Draft
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 3 of 49
© 2014 Brocade Communications Systems, Inc. All Rights Reserved.
This Brocade Communications Systems Security Policy for Brocade VDX6710, VDX6720, VDX6730, VDX6740,
VDX6740T and VDX8770 series of switches embodies Brocade Communications Systems' confidential and
proprietary intellectual property. Brocade Systems retains all title and ownership in the Security Policy,
including any revisions.
This Security Policy is supplied AS IS and may be reproduced only in its original entirety [without revision].
Brocade Communications Systems makes no warranty, either express or implied, as to the use, operation,
condition, or performance of the Security Policy, and any unintended consequence it may on the user
environment.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 4 of 49
Table of Contents
1 Module Overview....................................................................................................................................................... 7
1.1 SECURITY LEVEL DEFINITIONS ............................................................................................................................15
2 Modes of Operation................................................................................................................................................16
2.1 FIPS APPROVED MODE OF OPERATION ................................................................................................................16
2.2 NON-APPROVED MODE OF OPERATION ................................................................................................................18
3 Ports and Interfaces...............................................................................................................................................19
4 Identification and Authentication Policy.............................................................................................................23
4.1 ASSUMPTION OF ROLES ......................................................................................................................................23
5 Access Control Policy .............................................................................................................................................25
5.1 ROLES AND SERVICES ........................................................................................................................................25
5.2 UNAUTHENTICATED SERVICES .............................................................................................................................25
5.3 DEFINITION OF CRITICAL SECURITY PARAMETERS (CSPS) .....................................................................................26
5.4 DEFINITION OF PUBLIC KEYS ...............................................................................................................................26
5.5 DEFINITION OF SERVICE CATEGORIES ..................................................................................................................26
6 Operational Environment.......................................................................................................................................29
6.1 SECURITY RULES ...............................................................................................................................................30
7 Physical Security Policy .........................................................................................................................................30
7.1 PHYSICAL SECURITY MECHANISMS .....................................................................................................................30
7.2 OPERATOR REQUIRED ACTIONS ..........................................................................................................................31
8 Mitigation of Other Attacks Policy .......................................................................................................................31
9 Definitions and Acronyms .....................................................................................................................................32
Appendix A: Tamper Evident Seal Application Procedures ............................................................................................ 33
APPLYING SEALS TO THE BROCADE VDX 6710-54 ............................................................................................................33
APPLYING SEALS TO THE BROCADE VDX 6720-16 AND VDX 6720-24 .............................................................................34
APPLYING SEALS TO THE BROCADE VDX 6720-40 AND VDX 6720-60 .............................................................................35
APPLYING SEALS TO THE BROCADE VDX 6730-16, VDX 6730-24 AND VDX 6730-32-FCOE .........................................36
APPLYING SEALS TO THE BROCADE VDX 6730-40, VDX 6730-60 AND VDX 6730-72-FCOE .........................................37
APPLYING SEALS TO THE BROCADE VDX 6740 ..................................................................................................................38
APPLYING SEALS TO THE BROCADE VDX 6740T-24, VDX 6740T-48 AND VDX 6740T-64 ..............................................41
APPLYING SEALS TO THE BROCADE VDX 8770-8 ...............................................................................................................43
APPLYING SEALS TO THE BROCADE VDX 8770-4 ...............................................................................................................46
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 5 of 49
Table of Tables
Table 1 Firmware Version ..................................................................................................................................................7
Table 2 Validated VDX 6710 Configurations...................................................................................................................7
Table 3 Validated VDX 6720 Configurations...................................................................................................................7
Table 4 Validated VDX 6730 Configurations...................................................................................................................8
Table 5 Validated VDX 6740 Configurations...................................................................................................................9
Table 6 Validated VDX 6740T Configurations...............................................................................................................10
Table 7 Validated VDX 8770 Configurations.................................................................................................................11
Table 8 Components of the VDX 8770 ..........................................................................................................................11
Table 9 Module Security Level Specification.................................................................................................................15
Table 10 FIPS Approved Cryptographic Functions for the VDX 6710, VDX 6720 and VDX 6730..........................16
Table 11 FIPS Approved Cryptographic Functions for the VDX 8770........................................................................16
Table 12 FIPS Approved Cryptographic Functions for the VDX 6740 and VDX 6740T ...........................................16
Table 13 Roles and Required Identification and Authentication ...............................................................................23
Table 14 Strengths of Authentication Mechanisms.....................................................................................................24
Table 15 Service Descriptions.........................................................................................................................................24
Table 16 Services Authorized for Roles .........................................................................................................................25
Table 17 Services and Command Line Instructions (CLI) ...........................................................................................26
Table 18 CSP Access Rights within Roles & Services..................................................................................................29
Table 19 Inspection/Testing of Physical Security Mechanisms .................................................................................31
Table of Figures
Figure 1 VDX 6710-54 Switch .........................................................................................................................................12
Figure 2 VDX 6720-16 and VDX 6720-24.....................................................................................................................12
Figure 3 VDX 6720-40 and VDX 6720-60.....................................................................................................................12
Figure 4 VDX 6730-16, VDX 6730-24 and VDX 6730-32-FCOE ................................................................................13
Figure 5 VDX 6730-40, VDX 6730-60 and VDX 6730-76-FCOE ................................................................................13
Figure 6 VDX 6740-24, VDX 6740-48 and VDX 6740-64...........................................................................................13
Figure 7 VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64.....................................................................................14
Figure 8 VDX 8770-4 and VDX 8770-8..........................................................................................................................14
Figure 9 VDX 6710-54 left side seal location ...............................................................................................................33
Figure 10 VDX 6710-54 right side seal location...........................................................................................................33
Figure 11 VDX 6720-16 and VDX 6720-24 left side seal location ............................................................................34
Figure 12 VDX 6720-16 and VDX 6720-24 right side seal location..........................................................................34
Figure 13 VDX 6720-40 and VDX 6720-60 left side seal location ............................................................................35
Figure 14 VDX 6720-40 and VDX 6720-60 right side seal location..........................................................................35
Figure 15 VDX 6730-16, VDX 6730-24 and VDX 6730-32-FCOE left side seal location........................................36
Figure 16 VDX 6730-16, VDX 6730-24 and VDX 6730-32-FCOE right side seal location......................................36
Figure 17 VDX 6730-40, VDX 6730-60 and VDX 6730-72-FCOE left side seal location........................................37
Figure 18 VDX 6730-40, VDX 6730-60 and VDX 6730-72-FCOE right side seal location......................................37
Figure 19 VDX 6740-24, VDX 6740-48 and VDX 6740-64-ALLSW bottom port side seal locations.....................38
Figure 20 VDX 6740-24, VDX 6740-48 and VDX 6740-64-ALLSW bottom left side seal locations......................39
Figure 21 VDX 6740-24, VDX 6740-48 and VDX 6740-64-ALLSW bottom right side seal locations....................39
Figure 22 VDX 6740-24, VDX 6740-48 and VDX 6740-64-ALLSW top non-port side fan and power supply seal
locations .............................................................................................................................................................................40
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 6 of 49
Figure 23 VDX 6740-24, VDX 6740-48 and VDX 6740-64-ALLSW top non-port side top cover seal locations.. 40
Figure 24 VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64 bottom/front seal locations ...................................41
Figure 25 VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64 bottom left side seal locations ..............................41
Figure 26 VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64 bottom right side seal locations ............................41
Figure 27 VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64 bottom back side seal locations ...........................42
Figure 28 VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64 top back side seal locations ..................................42
Figure 29 Brocade VDX 8770-8 port side seal locations .............................................................................................43
Figure 30 Brocade VDX 8770-8 DC port side seal locations ......................................................................................44
Figure 31 Brocade VDX 8770-8 non-port side seal locations ................................................................45
Figure 32 Brocade VDX 8770-4 port side seal locations .............................................................................................46
Figure 33 Brocade VDX 8770-4 DC PSU seal locations ...............................................................................................47
Figure 34 Brocade VDX 8770-4 Non-port side seal locations .....................................................................................48
Figure 35 Brocade VDX 8770-4 Air Duct side seal locations ......................................................................................49
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 7 of 49
1 Module Overview
The VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX6740T and VDX 8770 are multiple-chip standalone
cryptographic modules, as defined by FIPS 140-2. The module(s) are available in multiple configurations that
vary based on the hardware enclosure. Each module is enclosed in a hard opaque commercial grade metal
chassis with removable cover. For the VDX 6710, VDX 6720, VDX 6730, VDX 6740, and VDX 6740T the power
supply and fan assemblies are no part of the cryptographic boundary. For VDX 8770 modules the power supply
and fan assemblies are part of the cryptographic boundary. The module is a Gigabit Ethernet routing switch
that provides secure network services and network management.
For each module to operate in a FIPS approved mode of operation, the tamper evident seals supplied in
Brocade XBR-000195 must be installed, as defined in Appendix A.
The security officer is responsible for storing and controlling the inventory of any unused seals. The unused
seals shall be stored in plastic bags in a cool, dry environment between 60° and 70° F (15° to 20° C) and
less than 50% relative humidity. Rolls should be stored flat on a slit edge or suspended by the core.
The security officer shall maintain a serial number inventory of all used and unused tamper evident seals. The
security officer shall periodically monitor the state of all applied seals for evidence of tampering. A seal serial
number mismatch, a seal placement change, a checkerboard destruct pattern that appears in peeled film and
adhesive residue on the substrate are evidence of tampering. The security officer shall periodically view each
applied seal under a UV light to verify the presence of a UV wallpaper pattern. The lack of a wallpaper pattern is
evidence of tampering. The security officer is responsible for returning a module to a FIPS approved state after
any intentional or unintentional reconfiguration of the physical security measures.
Table 1 Firmware Version
Firmware Part Number
Network OS (NOS) v4.0.0 63-1001271-01
Table 2 Validated VDX 6710 Configurations
SKU/MFG Part Number Product Description Firmware FIPS KIT
SKU: BR-VDX6710-54-F
P/N: 80-1004843-04
VDX 6710,48P GBE,6P
SFP+,AC, NON-PORT SIDE
EXHAUST1
NOS v4.0.0 XBR-000195
SKU: BR-VDX6710-54-R
P/N: 80-1004702-04
VDX 6710,48P GBE,6P
SFP+,AC, PORT SIDE
EXHAUST1
NOS v4.0.0 XBR-000195
Table 2 Notes:
1. Port side and non-port side exhaust indicates whether the external fan direction causes air to be
draw into the non-port side air vents and exhausted from the port side air vents or vice versa.
Table 3 Validated VDX 6720 Configurations
SKU/MFG Part Number Product Description Firmware FIPS KIT
SKU: BR-VDX6720-16-F3
P/N: 80-1004566-071,
80-1006701-022
VDX 6720,16P,SFP+,AC,NON-
PORT SIDE EXHAUST4
NOS v4.0.0 XBR-000195
SKU: BR-VDX6720-16-R3
P/N: 80-1004567-071,
80-1006702-022
VDX 6720,16P,SFP+,AC, PORT
SIDEEXHAUST4
NOS v4.0.0 XBR-000195
SKU: BR-VDX6720-24-F3
P/N: 80-1004564-071,
80-1006699-022
VDX 6720,24P,SFP+,AC,NON-
PORT SIDE EXHAUST
NOS v4.0.0 XBR-000195
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 8 of 49
SKU/MFG Part Number Product Description Firmware FIPS KIT
SKU: BR-VDX6720-24-R3
P/N: 80-1004565-071,
80-1006700-022
VDX 6720,24P,SFP+,AC, PORT
SIDE EXHAUST
NOS v4.0.0 XBR-000195
SKU: BR-VDX6720-40-F3
P/N: 80-1004570-071,
80-1006305-022
VDX 6720,40P,SFP+,AC,NON-
PORT SIDE EXHAUST
NOS v4.0.0 XBR-000195
SKU: BR-VDX6720-40-R3
P/N: 80-1004571-071,
80-1006306-022
VDX 6720,40P,SFP+,AC, PORT
SIDE EXHAUST
NOS v4.0.0 XBR-000195
SKU: BR-VDX6720-60-F3
P/N: 80-1004568-071,
80-1006303-022
VDX 6720,60P,SFP+,AC,NON-
PORT SIDE EXHAUST
NOS v4.0.0 XBR-000195
SKU: BR-VDX6720-60-R3
P/N: 80-1004569-071,
80-1006304-022
VDX 6720,60P SFP+,AC, PORT
SIDE EXHAUST
NOS v4.0.0 XBR-000195
Table 3 Notes:
1. Serviceable assembly
2. Production assembly.
3. Serviceable and production assemblies are functionally equivalent. The part number assigned to
each production assembly was created to support the release of updated logos and marks on the
agency label.
4. Port side and non-port side exhaust indicates whether the external fan direction causes air to be
draw into the non-port side air vents and exhausted from the port side air vents or vice versa.
Table 4 Validated VDX 6730 Configurations
SKU/MFG Part Number Product Description Firmware FIPS KIT
SKU: BR-VDX6730-16-F3
P/N: 80-1005649-031,
80-1006709-022
VDX 6730,16P,SFP+,AC,NON-
PORT SIDE EXHAUST4
NOS v4.0.0 XBR-000195
SKU: BR-VDX6730-16-R3
P/N: 80-1005651-031,
80-1006711-022
VDX 6730,16P,SFP+,AC, PORT
SIDEEXHAUST4
NOS v4.0.0 XBR-000195
SKU: BR-VDX6730-24-F3
P/N: 80-1005648-031,
80-1006708-022
VDX 6730,24P,SFP+,AC, NON-
PORT SIDE EXHAUST, SW-VDX-
6730-24POD-01LIC
NOS v4.0.0 XBR-000195
SKU: BR-VDX6730-24-R3
P/N: 80-1005650-031,
80-1006710-022
VDX 6730,24P,SFP+,AC, PORT
SIDE EXHAUST, SW-VDX-6730-
24POD-01 LIC
NOS v4.0.0 XBR-000195
SKU: BR-VDX6730-32-FCOE-F
P/N:BR-VDX6730-24-Fwith
BR-VDX6730-24VCS-01 and BR-
VDX6730-24FCOE-01 License
VDX 6730, BUNDLE, 24P SFP+, 8
8G FC, VCS LIC, FCOE LIC, AC,
NON-PORT SIDE EXHAUST
NOS v4.0.0 XBR-000195
SKU: BR-VDX6730-32-FCOE-R
P/N:BR-VDX6730-24-Rwith
BR-VDX6730-24VCS-01 and BR-
VDX6730-24FCOE-01 License
VDX 6730, BUNDLE, 24P SFP+, 8
8G FC, VCS LIC, FCOE LIC, AC,
PORT SIDE EXHAUST
NOS v4.0.0 XBR-000195
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 9 of 49
SKU/MFG Part Number Product Description Firmware FIPS KIT
SKU: BR-VDX6730-40-F3
P/N: 80-1005680-031,
80-1006719-022
VDX 6730,40P,SFP+,AC,NON-
PORT SIDE EXHAUST
NOS v4.0.0 XBR-000195
SKU: BR-VDX6730-40-R3
P/N: 80-1005681-031,
80-1006720-022
VDX 6730,40P,SFP+,AC, PORT
SIDE EXHAUST
NOS v4.0.0 XBR-000195
SKU: BR-VDX6730-60-F3
P/N: 80-1005679-031,
80-1006718-022
VDX 6730,60P,SFP+,AC, NON-
PORT SIDE EXHAUST, SW-VDX-
6730-60POD-01 LIC, SWVDX-
6730-60POD2-01LIC
NOS v4.0.0 XBR-000195
SKU: BR-VDX6730-60-R3
P/N: 80-1005678-031,
80-1006717-022
VDX 6730,60P,SFP+,AC, PORT
SIDE EXHAUST, SW-VDX-6730-
60POD-01 LIC, SWVDX-6730-
60POD2-01LIC
NOS v4.0.0 XBR-000195
SKU: BR-VDX6730-76-FCOE-F
P/N:BR-VDX6730-60-Fwith
BR-VDX6730-60VCS-01 and BR-
VDX6730-60FCOE-01 License
VDX 6730, BUNDLE, 60P SFP+,
16 8G FC, VCS LIC, FCOE LIC, AC,
NON-PORT SIDE EXHAUST
NOS v4.0.0 XBR-000195
SKU: BR-VDX6730-76-FCOE-R
P/N:BR-VDX6730-60-Rwith
BR-VDX6730-60VCS-01 and BR-
VDX6730-60FCOE-01 License
VDX 6730, BUNDLE, 60P SFP+,
16 8G FC, VCS LIC, FCOE LIC, AC,
PORT SIDE EXHAUST
NOS v4.0.0 XBR-000195
Table 4 Notes:
1. Serviceableassembly
2. Productionassembly.
3. Serviceable and production assemblies are functionally equivalent. The part number assigned to
each production assembly was created to support the release of updated logos and marks on the
agency label.
4. Port side and non-port side exhaust indicates whether the external fan direction causes air to be
draw into the non-port side air vents and exhausted from the port side air vents or vice versa.
Table 5 Validated VDX 6740 Configurations
SKU/MFG Part Number Product Description Firmware FIPS KIT
SKU: BR-VDX6740-24-F
P/N: 80-1007295-01
VDX6740,24-Port, AC, Non-
port side exhaust1
NOS v4.0.0 XBR-000195
SKU: BR-VDX6740-24-R
P/N: 80-1007294-01
VDX6740, 24-Port, AC, Port
side exhaust1
NOS v4.0.0 XBR-000195
SKU: BR-VDX6740-48-F
P/N: 80-1007483-01
VDX6740,24-Port, AC, SW-
VDX-24POD10G LIC, Non-port
side exhaust
NOS v4.0.0 XBR-000195
SKU: BR-VDX6740-48-R
P/N: 80-1007481-01
VDX6740, 48-Port, AC, SW-
VDX-24POD10G LIC, Port side
Exhaust
NOS v4.0.0 XBR-000195
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 10 of 49
SKU/MFG Part Number Product Description Firmware FIPS KIT
SKU: BR-VDX6740-64-ALLSW-F
P/N: 80-1007484-01
VDX6740,64-Port, FCOE, AC,
SW-FCOE-NOS-01, SW-
VCSNOS-01,SWVDX-
24POD10G and SW-VDX-
4POD40G LIC, Non-port side
Exhaust
NOS v4.0.0 XBR-000195
SKU: BR-VDX6740-64-ALLSW-R
P/N: 80-1007482-01
VDX6740,64-Port, FCOE, AC,
SW-FCOE-NOS-01, SW-
VCSNOS-01,SWVDX-
24POD10G and SW-VDX-
4POD40G LIC, Port side
Exhaust
NOS v4.0.0 XBR-000195
Table 5 Notes:
1. Port side and non-port side exhaust indicates whether the external fan direction causes air to be
draw into the non-port side air vents and exhausted from the port side air vents or vice versa.
Table 6 Validated VDX 6740T Configurations
SKU/MFG Part Number Product Description Firmware FIPS KIT
SKU: BR-VDX6740T-24-F
P/N: 80-1007273-01
VDX 6740T, 24-Port, 10GB-T,
AC, Non-port side exhaust1
NOS v4.0.0 XBR-000195
SKU: BR-VDX6740T-24-R
P/N: 80-1007274-01
VDX 6740T, 24-Port, 10GB-T,
AC, Port side exhaust1 NOS v4.0.0 XBR-000195
SKU: BR-VDX6740T-48-F
P/N: 80-1007485-01
VDX 6740T, 48-Port, 10GB-T,
AC, SW-VDX-24POD10G LIC,
Non-port side exhaust
NOS v4.0.0 XBR-000195
SKU: BR-VDX6740T-48-R
P/N: 80-1007487-01
VDX 6740T, 48-Port, 10GB-T,
AC, SW-VDX-24POD10G LIC
Port side exhaust
NOS v4.0.0 XBR-000195
SKU: BR-VDX6740T-64-ALLSW-F
P/N: 80-1007486-01
VDX6740T,64-Port, 10GB-T,
FCOE, AC, SW-FCOE-NOS-01,
SW-VCSNOS-01, SWVDX-
24POD10G and SW-VDX-
4POD40G LIC, Non-port side
exhaust
NOS v4.0.0 XBR-000195
SKU: BR-VDX6740T-64-ALLSW-R
P/N: 80-1007488-01
VDX6740T,64-Port, 10GB-T,
FCOE,AC, SW-FCOE-NOS-01,
SW-VCSNOS-01, SWVDX-
24POD10G and SW-VDX-
4POD40G LIC, Port side
exhaust
NOS v4.0.0 XBR-000195
Table 6 Notes:
1. Port side and non-port side exhaust indicates whether the external fan direction causes air to be
draw into the non-port side air vents and exhausted from the port side air vents or vice versa.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 11 of 49
Table 7 Validated VDX 8770 Configurations
SKU/MFG Part Number Product Description Firmware FIPS KIT
SKU: BR-VDX8770-4-BND-AC
P/N: 80-1005850-02
VDX 8770 4 I/O Slot chassis
with three Switch Fabric
Modules, one Management
Module, two exhaust Fans
and two 3000W AC PSU
NOS v4.0.0 XBR-000195
SKU: BR-VDX8770-4-BND-DC
P/N: 80-1006532-03
VDX 8770 4 I/O Slot chassis
with three Switch Fabric
Modules, one Management
Module, two exhaust Fans
and two 3000W DC PSU
NOS v4.0.0 XBR-000195
SKU: BR-VDX8770-8-BND-AC
P/N: 80-1005905-02
VDX 8770 8 I/O Slot chassis
with six Switch Fabric
Modules, one Management
Module, 4 exhaust Fans and
three 3000W AC PSU
NOS v4.0.0 XBR-000195
SKU: BR-VDX8770-8-BND-DC
P/N: 80-1006533-03
VDX 8770 8 I/O Slot chassis
with six Switch Fabric
Modules, one Management
Module, 4 exhaust Fans and
three 3000W DC PSU
NOS v4.0.0 XBR-000195
Furthermore, the following Field Replaceable Units (FRU) [i.e. power Supply Module, Filler Panel for Power Supply Slot, Fan
Module, Switch Fabric Module, Management Module, Line Card Unit, Filler Panel for Line Card Slot, Half-Slot Filler Panel for
Switch Fabric Module Slot or Management Module Slot] may be used within validated Brocade VDX 8770-4 and VDX
8770-8 configurations:
Table 8 Components of the VDX 8770
Component of the cryptographic boundary SKU/MGF Part Number
Field Replaceable Unit* – Power Supply Module
AC
SKU: XBR-ACPWR-3000
P/N: 80-1006540-01
DC
SKU: XBR-DCPWR-3000
P/N: 80-1006539-02
Field Replaceable Unit* – Filler Panel for Power Supply Slot
SKU: XBR-BLNK-PSU
P/N: 80-1006430-01
Field Replaceable Unit* – Fan Module
SKU: XBR-FAN-FRU
P/N: 80-1006080-01
Field Replaceable Unit* – Switch Fabric Module
SKU: BR-VDX8770-SFM-1
P/N: 80-1006295-01
Field Replaceable Unit* – Management Module
SKU: BR-VDX8770-MM-1
P/N: 80-1006294-02
Field Replaceable Unit* – Line Card Unit 48X1G Line Card
SKU: BR-VDX8770-48X1G-SFP-1
P/N: 80-1006049-02
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 12 of 49
Component of the cryptographic boundary SKU/MGF Part Number
12X40GE Line Card
SKU BR-VDX8770-12X40G-QSFP-1
P/N80-1006293-02
48X10G Line Card
SKU BR-VDX8770-48X10G-SFPP-1
P/N80-1006048-02
Field Replaceable Unit* – Filler Panel for Line Card Slot
SKUXBR-BLNK-FULL
P/N80-1006431-01
Field Replaceable Unit* – Half-Slot Filler Panel for Switch Fabric
Module Slot or Management Module Slot
SKUXBR-BLNK-HALF
P/N80-1006429-01
*ATTENTION: Please see notice in Appendix A regarding “Field Replaceable” Units.
Figure 1 through Figure 8 illustrate the cryptographic module configurations. With the exception of VDX 8770-
4 and VDX 8770-8 shown below, power supplies and fan assemblies are not within cryptographic boundary.
Figure 1 VDX 6710-54 Switch
Table 2 lists the validated configurations for the VDX 6710-54.
Figure 2 VDX 6720-16 and VDX 6720-24
Table 3 lists the validated configurations for the VDX 6720-16 and VDX 6720-241.
Figure 3 VDX 6720-40 and VDX 6720-60
Table 3 lists the validated configurations for the VDX 6720-40 and VDX 6720-602.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 13 of 49
1 SW-VDX-6720-24POD-01 license enables additional ports
2 SW-VDX-6720-60POD-01 and SWVDX-6720-60POD2-01 licenses enable additional ports.
Figure 4 VDX 6730-16, VDX 6730-24 and VDX 6730-32-FCOE
Table 4 lists the validated configurations for the VDX 6730-16, VDX 6730-243 and VDX 6730-32-FCOE4.
Figure 5 VDX 6730-40, VDX 6730-60 and VDX 6730-76-FCOE
Table 4 lists the validated configurations for the VDX 6730-40, VDX 6730-605 and VDX 6730-76-FCOE6.
Figure 6 VDX 6740-24, VDX 6740-48 and VDX 6740-64
Table 5 lists the validated configurations for the VDX 6740-24, VDX 6740-487 and VDX 6740-648.
Table 5 Notes:
1. Port side and non-port side exhaust indicates whether the external fan direction causes air to be
draw into the non-port side air vents and exhausted from the port side air vents or vice versa.
3 SW-VDX-6730-24POD-01 license enables additional ports.
4 SW-VDX-6730-24POD-01,BR-VDX6730-24VCS-01andBR-VDX6730-24FCOE-01licensesenableadditional
ports and features.
5 SW-VDX-6730-60POD-01 and SWVDX-6730-60POD2-01 licenses enable additional ports.
6 SW-VDX-6730-60POD-01 and SWVDX-6730-60POD2-01, BR-VDX6730-60VCS-01 and BR-VDX6730-60FCOE-
01 licenses enable additional ports and features.
7 The SW-VDX-24POD10G license enables additional ports
8 SW-FCOE-NOS-01, SW-VCSNOS-01, SWVDX-24POD10G and SW-VDX-4POD40G licenses enable additional
ports and features
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 14 of 49
Figure 7 VDX 6740T-24, VDX 6740T-489 and VDX 6740T-6410
Table 6 lists the validated configurations for the VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64.
Figure 8 VDX 8770-4 and VDX 8770-811
9 The SW-VDX-24POD10G license enables ports 25 to 48
10 SW-FCOE-NOS-01, SW-VCSNOS-01, SWVDX-24POD10G and SW-VDX-4POD40G LIC enable ports 25 to 64
11 Each removable module in the chassis (except the fans) has a matching filler panel that must be in place if no module is installed in a
slot. The two modules shown in this picture are fully populated with management modules, switch fabric modules, line cards, and power
supplies per Table 8 Components of the VDX 8770. There are no filler panels for the fans since all fans must be installed on the chassis.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 15 of 49
Table 7 Validated VDX 8770 Configurations
Lists the hardware configurations for the VDX 8770-4 (Left) and VDX 8770-8 (Right). See Table 8 Components
of the VDX 8770 for a list of installable VDX 8770 components.
1.1 Security Level Definitions
The cryptographic module meets the overall requirements applicable to Level 2 security of FIPS 140-2.
Table 9 Module Security Level Specification
Security Requirements Section Level
CryptographicModuleSpecification 2
Module Ports and Interfaces 2
Roles, Services and Authentication 2
Finite State Model 2
PhysicalSecurity 2
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 16 of 49
Security Requirements Section Level
Operational Environment N/A
Cryptographic Key Management 2
EMI/EMC 2
Self-Tests 2
DesignAssurance 2
Mitigation of Other Attacks N/A
2 Modes of Operation
2.1 FIPS Approved mode of operation
The cryptographic module supports the following Approved algorithms in firmware
Table 10* FIPS Approved Cryptographic Functions for the VDX 6710, VDX 6720 and VDX 6730
Label Cryptographic Function
VDX 6710
VDX 6720
VDX 6730
RSA Rivest Shamir Adleman Signature Algorithm 1174, 1280
SHS Secure Hash Standard 1965
Table 11* FIPS Approved Cryptographic Functions for the VDX 8770
Label Cryptographic Function VDX 8770
RSA Rivest Shamir Adleman Signature Algorithm 1175, 1282
SHS Secure Hash Standard 1966
Table 12* FIPS Approved Cryptographic Functions for the VDX 6740 and VDX 6740T
Label Cryptographic Function VDX 6740 VDX 6740T
RSA Rivest Shamir Adleman Signature Algorithm 1175, 1282 1175, 1282
SHS Secure Hash Standard 1966 1966
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 17 of 49
*NOTICE: Users should reference the transition tables that will be available at
the CMVP Web site (http://csrc.nist.gov/groups/STM/cmvp/). The data in the
tables will inform users of the risks associated with using a particular
algorithm and a given key length.
This cryptographic module is impacted by SP800-131A transition rules
effective January 1, 2014. Therefore, the only features that provide 112 bits
of equivalent encryption strength are as follows:
 Firmware load test using RSA 2048 SHA-256 (via the Firmware
Management service)
The following non-Approved algorithms and protocols are only available in non-Approved mode of operation:
 RSA (key wrapping; key establishment methodology provides 80 bits of encryption strength; non-compliant)
 Diffie-Hellman (key agreement; key establishment methodology provides 80 bits of encryption
strength; non-compliant)
 SNMPv3 KDF(Cryptographic functionality does not meet FIPS requirements and is considered
plaintext)
 HMAC-MD5 to support RADIUS authentication
 TLS v1.0 KDF (non-compliant)
 SSHv2 KDF (non-compliant)
 MD5 (used for password hash, considered as plaintext)
 RADIUS PEAP MS-CHAP V2 (non-compliant)
 Non-deterministic random number generator for seeding ANSI X9.31 DRNG (non-compliant)
 OSPF is considered as plaintext interface (No protection is claimed for protocol data exchange).
 SHA-512 (non-compliant)
 TDES (non-compliant)
 AES (non-compliant)
 HMAC (non-compliant)
 RNG (non-compliant)
 RSA Digital signature generation (non-compliant)
The cryptographic module may be configured for FIPS 140-2 mode by an authorized human (Crypto
Officer) physically present at the cryptographic boundary directly connected to the module via execution of the
following procedure; failure to adhere to such guidance is an explicit violation of the Security Policy
and as such deems the cryptographic module fully non-compliant and unfit for service in an Approved
mode of operation.
 Install removable front cover (as applicable) and apply tamper labels
 Login as authorized user with admin role.
 Do not configure the system in standalone or fabric cluster mode.
 Disable Boot PROM Access.
 Do not enable LDAP.
 Do not enable RADIUS
 Do not enable secure syslog.
 Do not use SSH
 If TACACS+ is configured, then remove the configuration.
 If dot1x is configured, disable it.
 If vCenter is configured, then remove the configuration.
 If FC-SP authentication is configured, disable it.
 If autoupload is enabled, disable it.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 18 of 49
 Disable root access.
 Enable FIPS 140-2 Self tests i.e. Execute ‘fips selftests’
 Execute 'fips zeroize' (automatically reboot(s) the system).
 After reboot, Http, HTTPS, Telnet and some ports of Brocade internal servers must be blocked in FIPS
140-2 mode. Once the switch is in the fips compliant mode, HTTP (80), HTTPS (443), Telnet (23) and
Brocade internal server ports (TCP: 2301, 2401, 3016, 3516, 4516, 5016, 7013, 7110, 7710, 9013,
9110, 9710, 9910-10110. UDP: 33351, 36851, 37731, and 50690) must be blocked, and
passwords of the default accounts (admin and user) should be changed after every zeroization
operation to maintain FIPS 140-2 compliance.
 Note, when in FIPS Approved mode of operation, the following are not allowed:
o Do not use SSH.
o Do not enable remote access (SCP and LDAP are not allowed)..
o Do not enable secure syslog
o Do not use FTP for the following operations:
- Config Upload
- Config Download
- Support Save
NOTES:
1. Firmware packages are always signed at build time and validated during the firmwaredownload
operation.
2. USB interface: Authorized operator is required to maintain the physical possession (at all times) of the
USB token and shall not provide to unauthorized individuals/entities.
The operator can determine if the cryptographic module is running in FIPS 140-2 vs. non-Approved mode by
following the procedure mentioned above.
2.2 Non-Approved Mode of Operation
In non-Approved mode, an operator will have no access to CSPs used within the FIPS Approved mode. When
switching from FIPS Approved mode to a non-Approved mode of operation, the operator is required to zeroize
the module’s plaintext CSPs, by calling “fips zeroize”.
The following cipher suites are allowed in non-Approved mode for configuring SSL and TLS:
aes-128-cbc,aes-128-ecb,aes-192-cbc,aes-192-ecb,aes-256-cbc,aes-256-ecb,bf,bf-cbc,bf-cfb,bf-ecb,bf-
ofb,cast,cast-cbc,cast5-cbc,cast5-cfb,cast5-ecb,cast5-ofb,des,des-cbc,des-cfb,des-ecb,des-ede,des-ede-
cbc,des-ede-cfb,des-ede-ofb,des-ede3,des-ede3-cbc,des-ede3-cfb,des-ede3-ofb,des-ofb,des3,desx,rc2,rc2- 40-
cbc,rc2-64-cbc,rc2-cbc,rc2-cfb,rc2-ecb,rc2-ofb,rc4,rc4-40
The following message digests functions are allowed in non-Approved mode:
md2, md4, md5, rmd160
The following message authentication algorithms and ciphers are allowed in non-Approved mode for configuring
SSH:
Ciphers: aes-128-ctr,aes-192-ctr,aes-256-ctr,arcfour256,arcfour128,aes-128-cbc,3des-cbc,blowfish-
cbc,cast128-cbc,aes-192-cbc,aes-256-cbc,arcfour
Macs:hmac-md5, hmac-sha-1, umac-64,hmac-ripemd160, hmac-sha-1-96, hmac-md5-96
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 19 of 49
3 Ports and Interfaces
The list of all cryptographic modules along with physical ports and logical interfaces are captured below:
1. VDX 6710-54-F and VDX 6710-54-R
a. 10 GbE (Qty. 6) Data Input, Data Output, Control Input, Status Output
b. 1 GbE (Qty. 48): Data Input, Data Output, Control Input, Status Output
c. Management Ethernet Ports (Qty. 1): Control Input, Status Output
d. Serial port (Qty. 1): Control Input, Status Output
e. USB (Qty. 1): Data Input, Data Output, Status Output
 Brocade USB flash device, XBR-DCX-0131
f. Power Supply and Fan Assembly (Qty. 2)
 Assembly Connectors (Qty. 2): Power Input, Control Input
 Assembly Status LED (Qty. 2): Status Output
g. Switch Status LEDs (Qty. 2): Status Output
 System Status (Qty. 1)
 System Power (Qty. 1)
2. VDX 6720-16-F, VDX 6720-16-R, VDX 6720-24-F and VDX 6720-24-R
a. The VDX 6720-16 and VDX 6720-24 utilize the same hardware platform. Licensing is used to
enable more than the base sixteen 10 GbE ports.
b. Data Ports (Qty. 24) : Data Input, Data Output, Control Input, Status Output
 GbE SFP+ (Qty. 24)
c. Management Ethernet Ports (Qty. 1): Control Input, Status Output
d. RLO Management Ethernet Ports (Qty. 1): (Inactive)
e. Serial port (Qty. 1): Control Input, Status Output
f. USB (Qty. 1): Data Input, Data Output, Status Output
 Brocade USB flash device, XBR-DCX-0131
g. Power Supply and Fan Assembly (Qty. 2)
 Assembly Connectors (Qty. 2): Power Input, Control Input
 Assembly Status LED (Qty. 2): Status Output
h. Switch Status LEDs (Qty. 2): Status Output
 System Status (Qty. 1)
 System Power (Qty. 1)
3. VDX 6720-40-F, VDX 6720-40-R, VDX 6720-60-F and VDX 6720-60-R
a. The VDX 6720-40 and VDX 6720-60 utilize the same hardware platform. Licensing is used to
enable more than the base forty 10 GbE ports.
b. Data Ports (Qty. 60): Data Input, Data Output, Control Input, Status Output
 GbE SFP+ (Qty. 60)
c. Management Ethernet Ports (Qty. 1): Control Input, Status Output
d. RLO Management Ethernet Ports (Qty. 1): (Inactive)
e. Serial port (Qty. 1): Control Input, Status Output
f. USB (Qty. 1): Data Input, Data Output, Status Output
 Brocade USB flash device, XBR-DCX-0131
g. Power Supply (Qty. 2)
 Power Supply Connectors (Qty. 2): Power Input, Control Input
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 20 of 49
 Power Supply Status LED (Qty. 2): Status Output
h. Fan Assembly (Qty. 3)
 Fan Tray Connectors (Qty. 3): Control Input
 Fan Status LED (Qty. 3): Status Output
i. Switch Status LEDs (Qty. 2): Status Output
 System Status (Qty. 1)
 System Power (Qty. 1)
4. VDX 6730-16-F, VDX 6730-16-R, VDX 6730-24-F, VDX 6730-24-R, VDX 6730-32-FCOE-F, VDX 6730-32-
FCOE-R
a. The VDX 6730-16, VDX 6730-24 and VDX 6730-32-FCOE utilize the same hardware platform.
Licensing is used to enable more than the base sixteen 10 GbE ports.
b. Data Ports (Qty. 32): Data Input, Data Output, Control Input, Status Output
 GbE SFP+ (Qty. 24)
 8G Fibre Channel (Qty. 8)
c. Management Ethernet Ports (Qty. 1): Control Input, Status Output
d. RLO Management Ethernet Ports (Qty. 1): (Inactive)
e. Serial port (Qty. 1): Control Input, Status Output
f. USB (Qty. 1): Data Input, Data Output, Status Output
 Brocade USB flash device, XBR-DCX-0131
g. Power Supply and Fan Assembly (Qty. 2)
 Assembly Connectors (Qty. 2): Power Input, Control Input
 Assembly Status LED (Qty. 2): Status Output
h. Switch Status LEDs (Qty. 2): Status Output
 System Status (Qty. 1)
 System Power (Qty. 1)
5. VDX 6730-40-F, VDX 6730-40-R, VDX 6730-60-F, VDX 6730-60-R, VDX 6730-76-FCOE-F, VDX 6730-
76-FCOE-R
a. The VDX 6730-40, VDX 6730-60 and VDX 6730-76-FCOE utilize the same hardware platform.
Licensing is used to enable more than the base forty 10 GbE ports.
b. Data Ports (Qty. 72): Data Input, Data Output, Control Input, Status Output
 GbE SFP+ (Qty. 60)
 8G Fibre Channel (Qty. 16)
c. Management Ethernet Ports (Qty. 1): Control Input, Status Output
d. RLO Management Ethernet Ports (Qty. 1): (Inactive)
e. Serial port (Qty. 1): Control Input, Status Output
f. USB (Qty. 1): Data Input, Data Output, Status Output
 Brocade USB flash device, XBR-DCX-0131
g. Power Supply (Qty. 2)
 Power Supply Connectors (Qty. 2): Power Input, Control Input
 Power Supply Status LED (Qty. 2): Status Output
h. Fan Assembly (Qty. 3)
 Fan Tray Connectors (Qty. 3): Control Input
 Fan Status LED (Qty. 3): Status Output
i. Switch Status LEDs (Qty. 2): Status Output
 System Status (Qty. 1)
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 21 of 49
 System Power (Qty. 1)
6. VDX 6740-24-F, VDX 6740-24-R, VDX 6740-48-F, VDX 6740-48-R, VDX 6740-64-ALLSW-F, VDX 6740-
64-ALLSW-R
a. Data Port (Qty. 64): Data Input, Data Output, Control Input, Status Output
 1G/10G SFP+ ports (Qty. 48) supporting both 1G and 10G data rates
o Thirty-two of the forty-eight ports are 10G universal ports which can be
configured as Ethernet ports (1G/10G ) or Fiber Channel ports (8G/16G)
 QSFP ports (Qty. 4)
o 40G QSFP ports can be used as a native 40G Ethernet port or as four 16G Fiber
Channel ports
b. Management Ethernet Ports (Qty. 1): Control Input, Status Output
c. Serial port (Qty. 1): Control Input, Status Output
d. USB (Qty. 1): Data Input, Data Output, Status Output
 Brocade USB flash device, XBR-DCX-0131
e. Power Supply and Fan Assembly (Qty. 2)
 Assembly Connectors (Qty. 2): Power Input, Control Input
 Assembly Status LED (Qty. 2): Status Output
f. LEDs: Status Output
 System Power LED (Qty. 1)
 System Status LED (Qty. 1)
 Power Supply and Fan Status LED (Qty. 2)
7. VDX 6740T-24-F, VDX 6740T-24-R, VDX 6740T-48-F, VDX 6740T-48-R, VDX 6740T-64-ALLSW-F, VDX
6740T-64-ALLSW-R
a. Data Port (Qty. 64): Data Input, Data Output, Control Input, Status Output
 1G/10G SFP+ ports (Qty. 48) supporting both 1G and 10G data rates
o Thirty-two of the forty-eight ports are 10G universal ports which can be
configured as Ethernet ports (1G/10G) or Fiber Channel ports (8G/16G)
 QSFP ports (Qty. 4)
o 40G QSFP ports can be used as a native 40G Ethernet port or as four 16G Fiber
Channel ports
b. Management Ethernet Ports (Qty. 1): Control Input, Status Output
c. Serial port (Qty. 1): Control Input, Status Output
d. USB (Qty. 1): Data Input, Data Output, Status Output
 Brocade USB flash device, XBR-DCX-0131
e. Power Supply and Fan Assembly (Qty. 2)
 Assembly Connectors (Qty. 2): Power Input, Control Input
 Assembly Status LED (Qty. 2): Status Output
f. LEDs
 System Power LED (Qty. 1)
 System Status LED (Qty. 1)
• Power Supply and Fan Status LED (Qty. 2)
8. VDX 8770-4 and VDX 8770-8
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 22 of 49
a. Line card:
 BR-VDX8770-48X10G-SFPP-1 (48x10G):
o GbE port (Qty. 48): Data Input, Data Output
o LEDs: Status Output
i. Status LED (Qty. 1)
ii. Power LED (Qty. 1)
iii. Status Port LED (Qty. 48)
 BR-VDX8770-12X40G-QSFP-1 (12x40G):
o 40 GbE port (Qty. 12): Data Input, Data Output
o LEDs: Status Output
i. Status LED (Qty. 1)
ii. Power LED (Qty. 1)
 Status Port LED (Qty. 12)
 BR-VDX8770-48X1G-SFP-1:
o 1 GbE port (Qty. 48): Data Input, Data Output
o LEDs: Status Output
i. Status LED (Qty. 1)
ii. Power LED (Qty. 1)
iii. Status Port LED (Qty. 48)
b. Management Module (MM) (half-slot) :
o USB port (Qty. 1): Data Input, Data Output
o Console Port (RJ45 - serial) (Qty. 1):Control Input, Status Output
o Ethernet port (Mgmt IP) (RJ45) (Qty. 1): Control Input, Status Output
o Ethernet port (Service IP) (Qty. 1): Control Input, Status Output
o LEDs: Status Output
o Status LED (Qty. 1)
o Power LED (Qty. 1)
o Active LED (Qty. 1)
o Ethernet management link (upper left) (Qty. 1)
o Ethernet management link activity (upper right) (Qty. 1)
c. Switch Fabric Module (SFM)
o LEDs: Status Output
o Status LED (Qty. 1)
o Power LED (Qty. 1)
d. Power Supply
o AC Inlet (quantity 1): Power
o LEDs: Status Output
o AC power input LED (AC OK) (Qty. 1)
o DC power output LED (DC OK) (Qty. 1)
o Alarm LED (ALM) (Qty. 1)
e. Fan Assembly
o LEDs: Status Output
o Power LED (Qty. 1)
o Fault LED (Qty. 1)
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 23 of 49
NOTE: LEDs display power status and port activity status.
4 Identification and Authentication Policy
4.1 Assumption of roles
The cryptographic module supports three operator roles. The cryptographic module shall enforce the
separation of roles using role-based operator authentication. An operator must enter a username and its
password to log in. The username is an alphanumeric string of maximum forty (40) characters. The password is
an alphanumeric string of eight (8) to forty (40) characters randomly chosen from the ninety-six (96) printable
and human-readable characters. Upon correct authentication, the role is selected based on the username of
the operator and the context of the module. At the end of a session, the operator must log-out.
Forty-eight (48) concurrent operators are allowed on the switch.
Table 13 Roles and Required Identification and Authentication
Role Type of Authentication Authentication Data
Admin (Crypto-Officer): Admin
role has the permission to
access and execute all the
availableservices.
Role-basedoperatorauthentication Username and Password
User (User role): User role has
the permission to display
general configuration.
Role-basedoperatorauthentication Username and Password
Maximum Permissions (for a
custom role): A custom role can
be created and assigned the
custompermissions.
Role -based operator authentication Username and Password
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 24 of 49
Table 14 Strengths of Authentication Mechanisms
Authentication
Mechanism
Strength of Mechanism
Password The probability that a random attempt will succeed or a false acceptance
will occur is 1/96^8 which is less than 1/1,000,000.
The module can be configured to restrict the number of consecutive failed
authentication attempts. If the module is not configured to restrict failed
authentication attempts, then the maximum possible within one minute is
20. The probability of successfully authenticating to the module within
one minute is 20/96^8 which is less than 1/100,000.
Table 15 Service Descriptions
Service Name Description
UserManagement User and password management.
Login Session Management Controls the user session management
Firmware Man Control firmware management.
FIPS Control FIPS mode operation and related functions
Zeroize Zeroize all CSPs
Firmware Management Control firmwaremanagement.
ClockManagement Clock and Time zone Management
Debug & Diagnostics Debug & Diagnostics tools.
CLIManagement CLI Management tools
Platform Platform tools
Display Display configuration and operational commands
Terminal Configuration Terminalconfiguration operations
Ethernet Ethernet Management
License LicenseManagement
VCS® Cluster services
vCenter VMware-ESXhosts Management
SNMP SNMP
System Monitor Status configuration & monitoring
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 25 of 49
5 Access Control Policy
5.1 Roles and Services
Table 16 Services Authorized for Roles
5.2 Unauthenticated Services:
The cryptographic module supports the following unauthenticated services:
o Self-tests: This service executes the suite of self-tests required by FIPS 140-2. Self-tests may be
initiated by power-cycling the module.
o Show Status: This service is met through the various status outputs provided by the services provided
above, as well as the LED interfaces.
SERVICE ROLE
U
s
e
r
Ad
m
i
n
M
a
x
i
m
u
m
Pe
r
m
i
s
s
i
o
n
s
UserManagement X X
Login Session Management X X
Firmware Management X X X
FIPS X X
Zeroize X X
ClockManagement X X
Debug & Diagnostics X X
CLIManagement X X
Platform X X
Display X X
Terminal Configuration X X
Ethernet X X
License X X
VCS X X
vCenter X X
SNMP X X
System Monitor X X
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 26 of 49
5.3 Definition of Critical Security Parameters (CSPs)
The following is a CSP contained in the module:
o Passwords
5.4 Definition of Public Keys:
The following is the public key contained in the module:
o FW Download Key (RSA 1024 SHA-1 / RSA 2048 SHA-256)
5.5 Definition of Service Categories:
Table 17 Services and Command Line Instructions (CLI)
Services CLIs
UserManagement
Username
role
password-attributes
rule
unlock
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 27 of 49
Services CLIs
Login Session Management
logout
banner
telnet
Firmware Management
Firmware
Fips
fips selftests
prom-access
Zeroize
fips zeroize
ClockManagement
Clock
Ntp
Debug & Diagnostics
Debug
diag
ping
l2traceroute
traceroute
top
undebug
CLI Management
no
delete
configure
dir
exit
help
history
quit
rename
abort
do
pwd
unhide
unhide fips
prompt1
prompt2
rbridge-id
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 28 of 49
Services CLIs
Platform
reload
chassis
clear
copy
fastboot
usb
logging
service
switch-attributes
support
auditlog
autoupload
beacon
cidrecov
df
ha
oscmd
power-off
power-on
linecard
Display
Show
Terminal Configuration
send
terminal
end
line
Ethernet
dot1x
cee-map
interface
ip
ipv6
lacp
mac
mac-address-table
port-profile
protocol
qos
rmon
sflow
vlan
monitor
arp
class-map
mac-rebalance
police-priority-map
policy-map
resequence
reserved-vlan
route-map
router
system-max
fabric
fcoe
bp-rate-limit
zoning
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 29 of 49
Services CLIs
License
License
Dpod
System Monitor
system-monitor system-monitor-
mail threshold-monitor
Table 18 CSP Access Rights within Roles & Services (RW-Read/Write, N-
No Access, Z-Zeroize)
P
a
s
s
w
o
r
d
s
FW
Download
Key
(RSA
1024
SHA
-1
/
RSA
2048
SHA-256)
User Management RW N
Login Session Management RW N
Firmware Management N N
Fips N/A N/A
Zeroize Z N
Clock Management N/A N/A
Debug & Diagnostics N/A N/A
CLI Management N/A N/A
Platform N/A N/A
Display N/A N/A
Terminal Configuration N/A N/A
Ethernet N/A N/A
License N/A N/A
System Monitor N/A N/A
6 OperationalEnvironment
The FIPS 140-2 Area 6 Operational Environment requirements are not applicable because the device supports
a limited operational environment; only trusted, validated code signed by RSA 1024 with SHA1 and RSA 2048
with SHA-256 digest may be executed.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 30 of 49
6.1 Security Rules
The cryptographic modules’ design corresponds to the cryptographic module’s security rules. This section
documents the security rules enforced by the cryptographic module to implement the security requirements of
this FIPS 140-2 Level 2 module.
1. The cryptographic module shall provide threedistinct operator roles.
2. The cryptographic module shall provide role-based authentication.
3. When the module has not been placed in a valid role, the operator shall not have access to any
cryptographic services.
4. The cryptographic module shall perform the following tests:
a. Power up Self-Tests:
i. Cryptographic algorithm tests:
(1) RSA 1024 SHA-1 Verify KAT
(2) RSA 2048 SHA 256 Sign/Verify KAT
ii. Firmware Integrity Test (128-bit EDC)
iii. Critical Functions Tests:
(1) RSA 2048 Encrypt/Decrypt KAT
b. Conditional Self Tests:
i. Continuous Random Number Generator (RNG) test -N/A
ii. Pair wise Consistency Test – N/A
iii. Firmware Load Test (RSA 1024 SHA-1 and RSA 2048 SHA-256 Signature Verification)
iv. Bypass Test: N/A
v. Manual Key Entry Test: N/A
5. At any time the cryptographic module is in an idle state, the operator shall be capable of commanding
the module to perform the power-up self-test by rebooting the module.
6. Data output shall be inhibited during key generation, self-tests, zeroization, and error states.
7. Status information shall not contain CSPs or sensitive data that if misused could lead to a compromise
of the module.
8. FC-SP authentication is not supported in FIPS mode..
9. The serial port may only be accessed by the Crypto-Officer when the Crypto-Officer is physically present
at the cryptographic boundary, via a direct connection without any network access or other intervening
systems.
7 Physical Security Policy
7.1 Physical Security Mechanisms
The multi-chip standalone cryptographic module includes the following physical security mechanisms:
 Production-grade components and production-grade opaque enclosure with tamper evident seals.
 Tamper evident seals.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 31 of 49
7.2 Operator Required Actions
The operator must periodically inspect the tamper evident seals applied to the modules within the operator’s
scope of responsibility for evidence of tampering.
Table 19 Inspection/Testing of Physical Security Mechanisms
Physical Security
Mechanisms
Recommended Frequency
of Inspection/Test
Tamper Evident Seals 12 months
8 Mitigation of Other Attacks Policy
These modules have not been designed to mitigate any specific attacks beyond the scope of FIPS 140-2
requirements.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 32 of 49
9 Definitions and Acronyms
10 GbE 10 Gigabit Ethernet
AES Advanced Encryption Standard
Blade Blade server
CBC Cipher Block Chaining
CLI Command Line interface
CSP Critical Security Parameter
DH Diffie-Hellman
FIPS Federal Information Processing Standard
FOS Fabric Operating System
GbE GigabitEthernet
HMAC Hash Message Authentication Code
HTTP Hyper Text Transfer Protocol
KAT Known Answer Test
LED Light Emitting Diode
LDAP Lightweight Directory Access Protocol
LIC License
MAC Message Authentication Code
MM ManagementModule
NTP Network Time Protocol
NOS Network Operating System
PKI Public Key Infrastructure
PROM Programmable read-only memory
PSU Power Supply Unit
RADIUS Remote Authentication Dial In User Service
RNG Random Number Generator
RSA Rivest Shamir and Adleman method for asymmetric encryption
SCP Secure Copy Protocol
SFM Switch Fabric Module
SHA Secure Hash Algorithm
SSH Secure Shell Protocol
TDES Triple Data Encryption Standard
TLS Transport Layer Security Protocol
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 33 of 49
Appendix A: Tamper Evident Seal Application Procedures
NOTICE: After performing the tamper evident seal application procedures as defined below, the removal of
any tamper seal from the cryptographic boundary is explicitly prohibited by this Security Policy. The
cryptographic module does not support a maintenance role or a maintenance interface.
Therefore, any such removal of a tamper evident seal from the cryptographic boundary (including but not
limited to the removal of a seal from a component described in this Security Policy as “Field Replaceable”)
is an explicit violation of the Security Policy.
Removal of a tamper evident seal results in an instantaneous invalidation of the cryptographic module,
deeming said module no longer FIPS validated and incapable of being placed back into FIPS mode
thereafter in perpetuity; such a cryptographic module shall be zeroized, immediately removed from service
and immediately returned to Brocade.
Use ethyl alcohol to clean the surface area at each tamper evident seal placement location. Prior to applying
a new seal to an area, that shows seal residue, use consumer strength adhesive remove to remove the seal
residue. Then use ethyl alcohol to clean off any residual adhesive remover before applying a new seal.
Applying seals to the Brocade VDX 6710-54
Two (2) tamper evident seals are required to complete the physical security requirements for the VDX 6710-54.
See Figure 9 and Figure 10 for details on how to position each seal.
1
Figure 9 VDX 6710-54 left side seal location
2
Figure 10 VDX 6710-54 right side seal location
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 34 of 49
Applying seals to the Brocade VDX 6720-16 and VDX 6720-24
Two (2) tamper evident seals are required to complete the physical security requirements for the VDX 6720-16
and VDX 6720-24. See Figure 11 and Figure 12 for details on how to position each seal.
1
Figure 11 VDX 6720-16 and VDX 6720-24 left side seal location
2
Figure 12 VDX 6720-16 and VDX 6720-24 right side seal location
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 35 of 49
Applying seals to the Brocade VDX 6720-40 and VDX 6720-60
Two (2) tamper evident seals are required to complete the physical security requirements for the VDX 6720-40
and VDX 6720-60. See Figure 13 and Figure 14 for details on how to position each seal.
1
Figure 13 VDX 6720-40 and VDX 6720-60 left side seal location
2
Figure 14 VDX 6720-40 and VDX 6720-60 right side seal location
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 36 of 49
Applying seals to the Brocade VDX 6730-16, VDX 6730-24 and VDX 6730-32-FCOE
Two (2) tamper evident seals are required to complete the physical security requirements for the VDX 6730-16,
VDX 6730-24 and VDX 6730-32-FCOE. See Figure 15 and Figure 16 for details on how to position each seal.
1
Figure 15 VDX 6730-16, VDX 6730-24 and VDX 6730-32-FCOE left side seal location
2
Figure 16 VDX 6730-16, VDX 6730-24 and VDX 6730-32-FCOE right side seal location
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 37 of 49
Applying seals to the Brocade VDX 6730-40, VDX 6730-60 and VDX 6730-76-FCOE
Two (2) tamper evident seals are required to complete the physical security requirements for the VDX 6730-40,
VDX 6730-60 and VDX 6730-76-FCOE. See Figure 17 and Figure 18 for details on how to position each seal.
1
Figure 17 VDX 6730-40, VDX 6730-60 and VDX 6730-76-FCOE left side seal location
2
Figure 18 VDX 6730-40, VDX 6730-60 and VDX 6730-76-FCOE right side seal location
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 38 of 49
Applying seals to the Brocade VDX 6740
Twenty tamper evident seals are required to complete the physical security requirements for the –R and –F
configurations of the BR-VDX 6740-24, BR-VDX 6740-48 and BR-VDX 6740-64-ALLSW. See Figure 19 through
Figure 23 for details on how to position each seal.
1. Apply one (1) seal over the screws along the bottom port side surface of the chassis. Five (5) seals, 1
to 5, are required to complete this step. See Figure 19 for details on how to position each seal.
2. Apply three (3) seals, 6 to 8, across the seam between the left side of the top cover and the bottom
side of the chassis. Each seal must wrap across a 90 degree angle from the bottom of the chassis to
the side of the top cover. See Figure 20 on how to position each seal.
3. Apply three (3) seals, 9 to 11, across the seam between the right side of the top cover and the bottom
of the chassis. Each seal must wrap across a 90 degree angle from the bottom of the chassis to the
side of the top cover. See Figure 21 on how to position each seal.
4. Six (6) seals, 12 to 17, are required to complete this step. Seals 13, 14 and16 must wrap across a 90
degree angle from the top of the chassis to the external surface of the combination power supply and
fan module. Seals 15 and 17 must wrap across a 90 degree angle from the bottom of the chassis to
the external surface of the combination power supply and fan module. Seal 12 bridges the seam
between the chassis the combination power supply and fan module on the left side of the non-port
side of the chassis. See Figure 22 for details on how to position each seal.
5. Apply one (1) seal over the screws along the top port side surface of the chassis. Three (3) seals, 18
to 20, are required to complete this step. See Figure 23 for details on how to position each seal.
Figure 19 VDX 6740-24, VDX 6740-48 and VDX 6740-64-ALLSW bottom port side seal locations
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 39 of 49
Figure 20 VDX 6740-24, VDX 6740-48 and VDX 6740-64-ALLSW bottom left side seal locations
Figure 21 VDX 6740-24, VDX 6740-48 and VDX 6740-64-ALLSW bottom right side seal locations
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 40 of 49
Figure 22 VDX 6740-24, VDX 6740-48 and VDX 6740-64-ALLSW top non-port side fan and power
supply seal locations
Figure 23 VDX 6740-24, VDX 6740-48 and VDX 6740-64-ALLSW top non-port side top cover seal
locations
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 41 of 50
Applying seals to the Brocade VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64-ALLSW
Twenty Nine (29) tamper evident seals are required to complete the physical security requirements for the VDX
6740T-24, VDX 6740T-48 and VDX 6740T-64-ALLSW. See Figure 24 through Figure 28 for details on how to
position each seal.
Figure 24 VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64-ALLSW bottom/front seal locations
Figure 25 VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64-ALLSW bottom left side seal locations
Figure 26 VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64-ALLSW bottom right side seal
locations
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 42 of 50
Figure 27 VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64-ALLSW bottom back side seal locations
Figure 28 VDX 6740T-24, VDX 6740T-48 and VDX 6740T-64-ALLSW top back side seal
locations
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 43 of 50
Applying seals to the Brocade VDX 8770-8 with AC and DC Power Supply
Thirty-six (36) tamper evident seals are required to complete the physical security requirements
illustrated in Figure 29 to Figure 31.
VDX 8770-8 AC Port Side Tamper Evident Seal Application Procedure
Twenty-eight (28) tamper evident seals are required to complete steps 1 to 6 on the port side as
illustrated in Figure 29. Unused slots must be filled with the module or filler panel appropriate for
that slot to maintain adequatecooling.
1. Apply one (1) seal to each blade or filler panel installed in line card slots L1 through L8. Eight (8)
seals are required to complete this step. See Figures 29A, 29C, 29D and 29E for details on how to
position each seal.
2. Apply one (1) seal to each Switch Fabric Module (SFM) or filler panel installed in SFM slots S1,
S3 and S5. Three (3) seals are required to complete this step. See Figure 29B and 29E for
details on how to position each seal.
3. Apply one (1) seal to each Switch Fabric Module (SFM) or filler panel installed in SFM slots S2,
S4 and S6. Three (3) seals are required to complete this step. See Figure 29E and 29G for
details on how to position each seal.
4. Apply two (2) seals to each Management Module (MM) or filler panel installed in MM slots
M1 and M2. Four (4) seals are required to complete this step. See Figure 29E, 29F and
29H for details on how to position each seal.
5. For VDX 8770-8 with AC Power Supply Units (PSU) see Figures 29E and 29F for
details on how to position seals 14-17. Four (4) seals are required to complete this
step.
6. See Figure 29E and 29H for details on how to position seals 21-26. Six (6)
seals are required to complete this step.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 44 of 50
A
B
C
D
E
F
G
H
Figure 29 Brocade VDX 8770-8 AC port side seal locations
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 44 of 50
VDX 8770-8 DC Port Side Tamper Evident Seal Application Procedure
Twenty-eight (28) tamper evident seals are required to complete steps 1 to 6 on the port side as illustrated
in Figure 30. Unused slots must be filled with the module or filler panel appropriate for that slot to maintain
adequatecooling.
1. Apply one (1) seal to each blade or filler panel installed in line card slots L1 through L8. Eight (8)
seals are required to complete this step. See Figures 30A, 30C, 30D and 30E for details on how to
position each seal.
2. Apply one (1) seal to each Switch Fabric Module (SFM) or filler panel installed in SFM slots S1, S3
and S5. Three (3) seals are required to complete this step. See Figure 30B and 30E for details on
how to position each seal.
3. Apply one (1) seal to each Switch Fabric Module (SFM) or filler panel installed in SFM slots S2, S4
and S6. Three (3) seals are required to complete this step. See Figure 30E and 30H for details on
how to position each seal.
4. Apply two (2) seals to each Management Module (MM) or filler panel installed in MM slots M1
and M2. Four (4) seals are required to complete this step. See Figure 30E, 30F and 30I for
details on how to position each seal.
5. For VDX 8770-8 with DC Power Supply Units (PSU) refer to Figures 30E, 30F and 30G
for details on how to position seals 14-17. Four (4) seals are needed to complete this step.
6. See Figures 30E and 30I on how to position seals 21-26. Six (6) seals are required
to complete this step.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 45 of 50
Figure 30 Brocade VDX 8770-8 DC port side seal locations
A
B
C
D
E
F
G
H
I
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 46 of 50
VDX 8770-8 Non-Port Side Tamper Evident Seal Application Procedure for AC and DC modules
Eight (8) tamper evident seals are required to complete the physical security requirements illustrated in Figure 31
All fan slots must be filled with a FAN FRU or FAN FRU filler panel to maintain adequate cooling.
A
B
C
D
E
F
G
Figure 31 Brocade VDX 8770-8 non-port side seal locations
1. Apply two (2) seals to each FAN FRU or FAN FRU filler panel installed in the non-port side of the VDX 8770-8. Eight (8)
seals are required to complete this step. See Figure 31A-G for details on how to position each seal.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 47 of 50
Applying seals to the Brocade VDX 8770-4
Twenty-three (23) tamper evident seals are required to complete the physical security requirements illustrated
in Figure 32, Figure 33, Figure 34 and Figure 35.
VDX 8770-4 Port Side Tamper Evident Seal Application Procedure
Fifteen (15) tamper evident seals are required to complete the physical security requirements illustrated in
Figure 32 and Figure 33. Unused slots must be filled with the module or filler panel appropriate for that slot to
maintain adequate cooling.
A B
C
D
F
E
Figure 32 Brocade VDX 8770-4 port side seal locations
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 48 of 50
Figure 33 Brocade VDX 8770-4 DC PSU seal locations
1. Apply one (1) seal to each Switch Fabric Module (SFM) or filler panel installed in SFM slots S1, S2 and
S3. Three (3) seals are required to complete this step. See Figure 32A, 26A and 26C for details on
how to position each seal.
2. Apply one (1) seal to each Management Module (MM) or filler panel installed in MM slots M1 and M2.
Two (2) seals are required to complete this step. See Figure 32A, 26A and 26C for details on how to
position each seal.
3. Apply one (1) seal to each blade or filler panel installed in line card slots L1 through L4. Four (4) seals
are required to complete this step. See Figure 32C, 26D and 26E for details on how to position each
seal.
4. The VDX 8770-4 accepts both AC and DC power supply module. Depending on the type of installed
power supply module complete step 4a or 4b.
a. For a VDX 8770-4 with AC Power Supply Units (PSU) apply one (1) seal to each AC PSU or PSU
filler panel installed in PSU slots P1 through P4. For this example, an AC PSUs are installed in
slots P1 and P2. PSU filler panels are installed in slots P3 and P4. Four (4) seals are
required to complete this step. See Figure 32C and 26F for details on how to position each
seal.
b. For a VDX 8770-4 with DC Power Supply Units (PSU) apply one (1) seal to each DC PSU or PSU
filler panel installed in PSU slots P1 through P4. For this example, a DC PSUs are installed in
slot P1. A PSU filler panels are installed in slot P2. Four (4) seals are required to complete
this step. See Figure 33 for details on how to position each seal.
5. Apply one (1) seal on each FIPS bracket. The upper left FIPS bracket is shown in Figure 32A and 26C.
The lower left FIPS bracket is shown in Figure 32E and 26C. Two (2) seals are required to complete
this step. See Figure 32A, 26C and 26E for details on how to position each seal.
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 49 of 50
VDX 8770-4 Non-Port Side Tamper Evident Seal Application Procedure
Five (5) tamper evident seals are required to complete the physical security requirements illustrated in Figure
34. All fan slots must be filled with a FAN FRU or FAN FRU filler panel to maintain adequate cooling.
C
A
B
C
D E
Figure 34 Brocade VDX 8770-4 Non-port side seal locations
VDX 6710, VDX 6720, VDX 6730, VDX 6740, VDX 6740T and VDX 8770 Switches with Network OS v4.0.0 Firmware v1.0
Brocade Communications Systems, Inc. Page 50 of 50
1. Apply one (1) seals to each FAN FRU or FAN FRU filler panel installed in the non-port side of the VDX
8770-4. For the FAN FRU on the left the seal wraps from the flange on the FAN FRU or filler around
the outside corner of the chassis. For the FAN FRU on the right the seal wraps from the flange on the
FAN FRU or filler around the inside corner of the chassis. Two (2) seals are required to complete this
step. See Figure 34A-C for details on how to position each seal.
2. Apply one (1) seals that bridges the gap between the FAN FRU positions installed in the non-port side
of the VDX 8770-4. One (1) seals are required to complete this step. See Figure 34C and 28D for
details on how to position each seal.
3. Apply one (1) seal on each FIPS bracket. The upper right FIPS bracket is shown in Figure 34B and
28C. The lower right FIPS bracket is shown in Figure 34C and 28E. Two (2) seals are required to
complete this step. See Figure 34B, 28C and 28E for details on how to position each seal.
VDX 8770-4 Air Duct Tamper Evident Seal Application Procedure
Three (3) tamper evident seals are required to complete the physical security requirements illustrated in Figure
35. Relative to the port side of the VDX 8770-4 chassis the air duct is secured to the left side of the chassis.
Figure 35 Brocade VDX 8770-4 Air Duct side seal locations
1. Apply thee (3) seals to the rubber flap that touches the top of the VDX 8770-4. Position each seal
such that approximately half of each seal adheres to the rubber flap and half of each seal adheres to
the top of the chassis. Three (3) seals are required to complete this step. See Figure 35 for details on
how to position each seal.