HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 52

Default Fabric and Switch Accessibility, Enabling Secure Mode



3-2 Secure Fabric OS Administrator’s Guide, Publication Number: 53-1000244-01

Default Fabric and Switch Accessibility

Following is the default fabric and switch access when secure mode is enabled but no additional Secure Fabric OS policies have been created:

• Switches:
  - Only the primary FCS switch can be used to make Secure Fabric OS changes.
  - Any SilkWorm switch can join the fabric, provided it is connected to the fabric, is a SilkWorm 2000-series switch or later, and meets the minimum Secure Fabric OS requirements (such as Secure Fabric OS and Advanced Zoning licenses and digital certificates).
  - All switches in the fabric can be accessed through a serial port.
  - All switches in the fabric that have front panels (SilkWorm 2000-series switches) can be accessed through the front panel.
• Computer hosts and workstations:
  - Any host can access the fabric by using SNMP.
  - Any host can access any switch in the fabric by using the CLI (such as by sectelnet or SSH).
  - Any host can establish an HTTP connection to any switch in the fabric.
  - Any host can establish an API connection to any switch in the fabric.
• Devices:
  - All device ports can access SES.
  - All devices can access the management server.
  - Any device can connect to any Fibre Channel port in the fabric.
• Zoning: node WWNs can be used for WWN-based zoning.

Enabling Secure Mode

Secure mode is enabled and disabled on a fabric-wide basis. Secure mode can be enabled and disabled as often as desired; however, all Secure Fabric OS policies, including the FCS policy, are deleted each time secure mode is disabled, and they must be re-created the next time it is enabled. The Secure Fabric OS database can be backed up using the configUpload command. For more information about this command, see the Fabric OS Command Reference.

Secure mode is enabled using the secModeEnable command. This command must be entered through a sectelnet, SSH, or serial connection to the switch designated as the primary FCS switch. The command fails if any switch in the fabric is not capable of enforcing Secure Fabric OS policies. If the primary FCS switch fails to participate in the fabric, the role of the primary FCS switch moves to the next available switch listed in the FCS policy. See the Fabric OS Command Reference for more information.

Note: Proxy device access cannot be managed using a DCC policy in a secure fabric. Proxy devices are always granted full access, even if the DCC policy has an entry that restricts the proxy device’s access.
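
A pre-flight check for the "Enabling Secure Mode" procedure, as an added example that is not part of the guide or of Fabric OS: it models the stated failure condition for secModeEnable and the primary FCS failover order. The inventory, switch names and field names are constructed assumptions, and the three requirements checked are the ones the guide gives as examples of the minimum set.

```python
# Added example: offline pre-flight model for secModeEnable.
# Inventory and field names are hypothetical, not Fabric OS output.
from dataclasses import dataclass


@dataclass
class Switch:
    name: str
    secure_fos_license: bool
    zoning_license: bool
    certificate: bool
    in_fabric: bool = True  # currently participating in the fabric

    def missing(self):
        """Requirements this switch lacks (the guide's example minimum set)."""
        checks = {
            "Secure Fabric OS license": self.secure_fos_license,
            "Advanced Zoning license": self.zoning_license,
            "digital certificate": self.certificate,
        }
        return [item for item, ok in checks.items() if not ok]


def preflight(fabric):
    """Map switch name -> missing items; an empty dict means no blocker found."""
    return {s.name: s.missing() for s in fabric if s.in_fabric and s.missing()}


def primary_fcs(fcs_policy, fabric):
    """First switch in FCS policy order that is participating in the fabric."""
    present = {s.name for s in fabric if s.in_fabric}
    return next((name for name in fcs_policy if name in present), None)


# Constructed sample fabric and FCS policy order.
FABRIC = [
    Switch("sw-core-1", True, True, True),
    Switch("sw-core-2", True, True, True),
    Switch("sw-edge-7", True, False, True),  # would block secModeEnable
]
FCS_POLICY = ["sw-core-1", "sw-core-2"]

if __name__ == "__main__":
    for name, items in preflight(FABRIC).items():
        print(f"{name}: missing {', '.join(items)}")
    print("primary FCS:", primary_fcs(FCS_POLICY, FABRIC))
    FABRIC[0].in_fabric = False  # primary stops participating
    print("after failover:", primary_fcs(FCS_POLICY, FABRIC))
```

Any switch reported by preflight should be remediated before secModeEnable is run on the primary FCS switch, and a single-entry FCS policy leaves primary_fcs with nothing to fall back to.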