Home » HP Manuals » Storage Devices » HP 8/40 » Manual Viewer

HP 8/40 Access Gateway Administrator's Guide (53-1001760-01, June 2010) - Page 49

Enabling and disabling the Advanced Device Security policy

Add to My Manuals
Save this manual to your list of manuals

Page 49 highlights

Advanced Device Security policy 3 Enabling and disabling the Advanced Device Security policy By default, the ADS policy is disabled. When you manually disable the ADS policy, all of the allow lists (global and per-port) are cleared. Before disabling the ADS policy, you should save the configuration using the configupload command in case you need this configuration again. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the ag --policyenable ads command to enable the ADS policy. switch:admin> ag --policyenable ads The policy ADS is enabled 3. Enter the ag --policydisable ads command to disable the ADS policy. switch:admin> ag --policydisable ads The policy ADS is disabled NOTE Use the ag --policyshow command to determine the current status of the ADS policy. Setting the list of devices allowed to log in You can determine which devices are allowed to log in on a per F_Port basis by specifying the device's port WWN (PWWN). Lists must be enclosed in double quotation marks. List members must be separated by semicolons. The maximum number of entries in the allowed device list is twice the per port maximum log in count. Replace the WWN list with an asterisk (*) to indicate all access on the specified F_Port list. Replace the F_Port list with an asterisk (*) to add the specified WWNs to all the F_Ports' allow lists. A blank WWN list ("") indicates no access. The ADS policy must be enabled for this command to succeed. NOTE Use an asterisk enclosed in quotation marks,"*", to set the Allow list to "All Access" to all F_Ports; use a pair of double quotation marks ("") to set the Allow list to "No Access". Note the following characteristics of the Allow List: • The maximum device entries allowed in the Allow List is twice the per port max login count. • Each port can be configured to "not allow any device" or "to allow all the devices" to log in. • If the ADS policy is enabled, by default, every port is configured to allow all devices to log in. • The same Allow List can be specified for more than one F_Port. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the ag --adsset command with the appropriate operands to set the list of devices allowed to log into specific ports. In the following example, ports 1, 10, and, 13 are set to "all access." switch:admin> ag --adsset "1;10;13" "*" WWN list set successfully as the Allow Lists of the F_Port[s] Access Gateway Administrator's Guide 29 53-1001760-01

Section	Page
About This Document	13
How this document is organized	13
Supported hardware and software	13
What’s new in this document	14
Document conventions	15
Text formatting	15
Command syntax conventions	15
Notes, cautions, and warnings	15
Notice to the reader	16
Key terms	16
Additional information	17
Brocade resources	17
Other industry resources	17
Optional Brocade features	18
Getting technical help	18
Document feedback	19
Access Gateway Basic Concepts	21
In this chapter	21
Brocade Access Gateway overview	21
Comparing Native Fabric and Access Gateway modes	21
Fabric OS features in Access Gateway mode	23
Access Gateway port types	24
Comparison of Access Gateway ports to standard switch ports	24
Access Gateway hardware considerations	25
Configuring Ports in Access Gateway mode	27
In this chapter	27
Enabling and disabling Access Gateway mode	27
Port state description	29
Access Gateway mapping	30
Port-based mapping	30
Device-based mapping	35
Considerations for Access Gateway mapping	42
N_Port configurations	44
Displaying N_Port configurations	45
Unlocking N_Ports	45
Managing Policies and Features in Access Gateway Mode	47
In this chapter	47
Access Gateway policies overview	47
Displaying current policies	47
Access Gateway policy enforcement matrix	48
Advanced Device Security policy	48
How the ADS policy works	48
Enabling and disabling the Advanced Device Security policy	49
Setting the list of devices allowed to log in	49
Setting the list of devices not allowed to log in	50
Removing devices from the list of allowed devices	50
Adding new devices to the list of allowed devices	50
Displaying the list of allowed devices on the switch	51
ADS policy considerations	51
Upgrade and downgrade considerations for the ADS policy	51
Automatic Port Configuration policy	51
How the APC policy works	51
Enabling and disabling the APC policy	52
Automatic Port Configuration policy considerations	52
Upgrade and downgrade considerations for the APC policy	53
Port Grouping policy	53
How port groups work	53
Adding an N_Port to a port group	54
Deleting an N_Port from a port group	55
Removing a port group	55
Renaming a port group	55
Disabling the Port Grouping policy	55
Port Grouping policy modes	56
Creating a port group and enabling Automatic Login Balancing mode	56
Rebalancing F_Ports	57
Enabling Managed Fabric Name Monitoring mode	58
Disabling Managed Fabric Name Monitoring mode	58
Displaying the current fabric name monitoring timeout value	58
Setting the current fabric name monitoring timeout value	59
Port Grouping policy considerations	59
Upgrade and downgrade considerations for the Port Grouping policy	60
Device Load Balancing Policy	60
Enabling WWN Load Balancing	60
Disabling Device Load Balancing	60
Device Load Balancing considerations	61
Persistent ALPA Policy	61
Enabling Persistent ALPA	62
Disabling Persistent ALPA	62
Persistent ALPA device data	62
Removing device data from the database	62
Displaying device data	63
Clearing ALPA values	63
Persistent ALPA policy considerations	63
Upgrade and downgrade considerations for Persistent ALPA	63
Failover	64
Failover with port-based mapping	64
Failover with device-based mapping	66
Enabling and disabling Failover on a N_Port	67
Enabling and disabling Failover for a port group	67
Upgrade and downgrade considerations for Failover	68
Failback	68
Failback configurations in Access Gateway	68
Enabling and disabling Failback on an N_Port	69
Enabling and disabling Failback for a port group	70
Upgrade and downgrade considerations for Failback	70
Trunking in Access Gateway mode	70
How Trunking works	70
Configuring Trunking on the Edge switch	71
Configuration management for trunk areas	72
Enabling trunking	73
Disabling F_Port trunking	74
Trunking monitoring	74
Trunking considerations for the Edge switch	74
Trunking considerations for Access Gateway module	77
Upgrade and downgrade considerations for Trunking in Access Gateway mode	77
Adaptive Networking on Access Gateway	78
Upgrade and downgrade considerations with Adaptive Networking in AG mode enabled	79
Adaptive Networking on Access Gateway considerations	79
Per Port NPIV login limit	80
Setting the login limit	80
Considerations for the Brocade 8000	80
SAN Configuration with Access Gateway	83
In this chapter	83
Connectivity of multiple devices overview	83
Direct target attachment	83
Considerations	83
Target aggregation	84
Access Gateway cascading	84
Fabric and Edge switch configuration	85
Verifying the switch mode	85
Enabling NPIV on M-EOS switches	86
Connectivity to Cisco Fabrics	87
Enabling NPIV on a Cisco switch	87
Rejoining Fabric OS switches to a fabric	87
Reverting to a previous configuration	87
Troubleshooting	89

Match case Limit results 1 per page

Access Gateway Administrator’s Guide

53-1001760-01

Advanced Device Security policy

Enabling and disabling the Advanced Device Security policy

By default, the ADS policy is disabled. When you manually disable the ADS policy, all of the allow

lists (global and per-port) are cleared. Before disabling the ADS policy, you should save the

configuration using the

configupload

command in case you need this configuration again.

Connect to the switch and log in using an account assigned to the admin role.

Enter the

policyenable ads

command to enable the ADS policy.

switch:admin>

ag --policyenable ads

The policy ADS is enabled

Enter the

policydisable ads

command to disable the ADS policy.

switch:admin>

ag --policydisable ads

The policy ADS is disabled

NOTE

Use the

ag --policyshow

command to determine the current status of the ADS policy.

Setting the list of devices allowed to log in

You can determine which devices are allowed to log in on a per F_Port basis by specifying the

device’s port WWN (PWWN). Lists must be enclosed in double quotation marks. List members must

be separated by semicolons. The maximum number of entries in the allowed device list is twice the

per port maximum log in count. Replace the WWN list with an asterisk (*) to indicate all access on

the specified F_Port list. Replace the F_Port list with an asterisk (*) to add the specified WWNs to

all the F_Ports' allow lists. A blank WWN list (““) indicates no access. The ADS policy must be

enabled for this command to succeed.

NOTE

Use an asterisk enclosed in quotation marks,“*”, to set the Allow list to “All Access” to all F_Ports;

use a pair of double quotation marks (“”) to set the Allow list to “No Access”.

Note the following characteristics of the Allow List:

•

The maximum device entries allowed in the Allow List is twice the per port max login count.

•

Each port can be configured to “not allow any device” or “to allow all the devices” to log in.

•

If the ADS policy is enabled, by default, every port is configured to allow all devices to log

in.

•

The same Allow List can be specified for more than one F_Port.

Connect to the switch and log in using an account assigned to the admin role.

Enter the

adsset

command with the appropriate operands to set the list of devices

allowed to log into specific ports. In the following example, ports 1, 10, and, 13 are set to “all

access.”

switch:admin> ag --adsset "1;10;13" "*"

WWN list set successfully as the Allow Lists of the F_Port[s]