Home » HP Manuals » Storage Devices » HP 8/40 » Manual Viewer

HP 8/40 Brocade Access Gateway Administrator's Guide v6.3.0 (53-1001345-01, Ju - Page 38

Access Gateway policy enforcement matrix, Advanced Device Security policy, How the ADS policy works

Add to My Manuals
Save this manual to your list of manuals

Page 38 highlights

3 Advanced Device Security policy Access Gateway policy enforcement matrix The following table shows which combinations of policies can co-exist with each other. TABLE 6 Policy enforcement matrix Policies Auto Port Configuration Port Grouping N_Port Trunking ADS Policy Auto Port Configuration N/A Cannot co-exist Can co-exist Can co-exist N_Port Grouping Mutually exclusive N/A Can co-exist Can co-exist N_Port Trunking Can co-exist Can co-exist N/A Can co-exist ADS Policy Can co-exist Can co-exist Can co-exist N/A Advanced Device Security policy The Advanced Device Security (ADS) is disabled by default for Access Gateway. ADS is a security policy that restricts access to the fabric at the AG level to a set of authorized devices. Unauthorized access is rejected and the system logs a RASLOG message. You can configure the list of allowed devices for each F_Port by specifying their Port WWN (PWWN). The ADS policy secures virtual and physical connections to the SAN. How the ADS policy works When you enable this policy, it applies to all F_ports on the AG-enabled module. By default, all devices have access to the fabric on all ports. You can restrict the fabric connectivity to a particular set of devices where AG maintains a per-port allow list for the set of devices whose PWWN you define to log in through an F_Port. You can view the devices with active connections to an F_Port using the ag --show command. NOTE The ag --show command only displays the Core AGs, such as the AGs that are directly connected to fabric. The agshow --name name command displays the F_Ports of both the Core and Edge AGs. Alternatively, the security policy can be established in the Enterprise fabric using the DCC policy. For information on configuring the DCC policy, see "Enabling the DCC policy on trunk" on page 40. The DCC policy in the Enterprise fabric takes precedence over the ADS policy. It is generally recommended to implement the security policy in the AG module rather than in the main fabric, especially if Failover and Failback policies are enabled. 18 Access Gateway Administrator's Guide 53-1001345-01

Section	Page
About This Document	13
How this document is organized	13
Supported hardware and software	13
What’s new in this document	14
Document conventions	15
Text formatting	15
Command syntax conventions	15
Notes, cautions, and warnings	15
Notice to the reader	16
Key terms	16
Additional information	17
Brocade resources	17
Other industry resources	17
Optional Brocade features	18
Getting technical help	18
Document feedback	19
Access Gateway Basic Concepts	21
In this chapter	21
Brocade Access Gateway overview	21
Comparing Native Fabric and Access Gateway modes	21
Fabric OS features in Access Gateway mode	23
Access Gateway port types	24
Comparison of Access Gateway ports to standard switch ports	24
Access Gateway limitations	25
Configuring Ports in Access Gateway mode	27
In this chapter	27
Enabling and disabling Access Gateway mode	27
Port state description	29
Access Gateway mapping	30
Default port mapping	31
Adding F_Ports to an N_Port	33
Removing F_Ports from N_Ports	34
N_Port configurations	35
Displaying N_Port configurations	36
Unlocking N_Ports	36
Managing Policies and Features in Access Gateway Mode	37
In this chapter	37
Access Gateway policies overview	37
Displaying current policies	37
Access Gateway policy enforcement matrix	38
Advanced Device Security policy	38
How the ADS policy works	38
Enabling and disabling the Advanced Device Security policy	39
Setting the list of devices allowed to log in	39
Setting the list of devices not allowed to log in	40
Removing devices from the list of allowed devices	40
Adding new devices to the list of allowed devices	40
Displaying the list of allowed devices on the switch	41
ADS policy considerations	41
Upgrade and downgrade considerations for the ADS policy	41
Automatic Port Configuration policy	41
How the APC policy works	42
Enabling and disabling the APC policy	42
Automatic Port Configuration policy considerations	43
Upgrade and downgrade considerations for the APC policy	43
Port Grouping policy	43
How port groups work	43
Adding an N_Port to a port group	44
Deleting an N_Port from a port group	45
Removing a port group	45
Renaming a port group	45
Disabling the Port Grouping policy	45
Port Grouping policy modes	46
Creating a port group and enabling login balancing mode	46
Rebalancing F_Ports	47
Enabling Managed Fabric Name Monitoring mode	48
Disabling Managed Fabric Name Monitoring mode	48
Displaying the current fabric name monitoring timeout value	48
Setting the current fabric name monitoring timeout value	48
Port Grouping policy considerations	48
Upgrade and downgrade considerations for the Port Grouping policy	49
Persistent ALPA Policy	49
Enabling Persistent ALPA	50
Disabling Persistent ALPA	50
Persistent ALPA device data	50
Removing device data from the database	50
Displaying device data	51
Clearing ALPA values	51
Persistent ALPA policy considerations	51
Upgrade and downgrade considerations for Persistent ALPA	51
Failover	52
Failover configurations in Access Gateway	52
Enabling and disabling Failover on a N_Port	53
Enabling and disabling Failover for a port group	54
Upgrade and downgrade considerations for Failover	54
Adding a preferred secondary N_Port	54
Deleting F_Ports from a preferred secondary N_Port	54
Failback	55
Failback configurations in Access Gateway	55
Enabling and disabling Failback on an N_Port	56
Enabling and disabling Failback for a port group	57
Upgrade and downgrade considerations for Failback	57
Trunking in Access Gateway mode	57
How Trunking works	57
Trunking on the Edge switch in Access Gateway mode	58
Configuration management for trunk areas	59
Enabling Access Gateway trunking	60
Disabling F_Port trunking	62
F_Port Trunking monitoring	62
Trunking considerations for the Edge switch	62
Trunking considerations for Access Gateway mode	66
Upgrade and downgrade considerations for Trunking in Access Gateway mode	66
Adaptive Networking on Access Gateway	66
Upgrade and downgrade considerations with Adaptive Networking in AG mode enabled	67
Adaptive Networking on Access Gateway considerations	67
SAN Configuration with Access Gateway	69
In this chapter	69
Connectivity of multiple devices overview	69
Access Gateway cascading	69
Fabric and Edge switch configuration	70
Verifying the switch mode	71
Enabling NPIV on M-EOS switches	72
Connectivity to Cisco Fabrics	72
Enabling NPIV on a Cisco switch	73
Workaround for certain 4 Gbps QLogic-based devices	73
Editing Company ID List if no FC target devices on switch	73
Adding or deleting an OUI from the Company ID List	74
Enabling Flat FCID mode if no FC target devices on switch	74
Editing Company ID list if target devices on switch	75
Rejoining Fabric OS switches to a fabric	75
Reverting to a previous configuration	76
Troubleshooting	77

Match case Limit results 1 per page

Access Gateway Administrator’s Guide

53-1001345-01

Advanced Device Security policy

Access Gateway policy enforcement matrix

The following table shows which combinations of policies can co-exist with each other.

Advanced Device Security policy

The Advanced Device Security (ADS) is disabled by default for Access Gateway. ADS is a security

policy that restricts access to the fabric at the AG level to a set of authorized devices. Unauthorized

access is rejected and the system logs a RASLOG message. You can configure the list of allowed

devices for each F_Port by specifying their Port WWN (PWWN). The ADS policy secures virtual and

physical connections to the SAN.

How the ADS policy works

When you enable this policy, it applies to all F_ports on the AG-enabled module. By default, all

devices have access to the fabric on all ports. You can restrict the fabric connectivity to a particular

set of devices where AG maintains a per-port allow list for the set of devices whose PWWN you

define to log in through an F_Port. You can view the devices with active connections to an F_Port

using the

ag --show

command.

NOTE

The

show

command only displays the Core AGs, such as the AGs that are directly connected to

fabric. The

agshow

name

command displays the F_Ports of both the Core and Edge AGs.

Alternatively, the security policy can be established in the Enterprise fabric using the DCC policy.

For information on configuring the DCC policy, see

“Enabling the DCC policy on trunk”

on page 40.

The DCC policy in the Enterprise fabric takes precedence over the ADS policy. It is generally

recommended to implement the security policy in the AG module rather than in the main fabric,

especially if Failover and Failback policies are enabled.

TABLE 6

Policy enforcement matrix

Policies

Auto Port Configuration

Port Grouping

N_Port Trunking

ADS Policy

Auto Port Configuration

N/A

Cannot co-exist

Can co-exist

N_Port Grouping

Mutually exclusive

N/A

Can co-exist

N_Port Trunking

Can co-exist

N/A

Can co-exist

ADS Policy

Can co-exist

N/A