Home » HP Manuals » Storage Devices » HP StorageWorks 2/16V » Manual Viewer

HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 63

Creating an SNMP Policy, Table 3-3, RSNMP Policy, Read Result, Write Result

View all HP StorageWorks 2/16V manuals

Add to My Manuals
Save this manual to your list of manuals

Page 63 highlights

3 The individual MAC policies and how to create them are described in the following sections. By default, all MAC access is allowed; no MAC policies exist until they are created. Note An empty MAC policy blocks all access through that management channel. When creating policies, ensure that all desired members are added to each policy. Providing fabric access to proxy servers is strongly discouraged. When a proxy server is included in a MAC policy for IP-based management, such as the HTTP_POLICY, all IP packets leaving the proxy server appear to originate from the proxy server. This could result in allowing any hosts that have access to the proxy server to access the fabric. Serial, Telnet, and API violations that occur on the standby CP of a chassis-based platform do not display on the active CP. Also, during an HA failover, security violation counters and events are not propagated from the former active CP to the current active CP. Creating an SNMP Policy Read and write SNMP policies can be used to specify which SNMP hosts are allowed read and write access to the fabric: • RSNMP_POLICY (read access) Only the specified SNMP hosts can perform read operations to the fabric. • WSNMP_POLICY (write access) Only the specified SNMP hosts can perform write operations to the fabric. The SNMP hosts must be identified by IP address. Any host granted write permission by the WSNMP policy is automatically granted read permission by the RSNMP policy. See "To create an SNMP policy" on page 3-14. Table 3-3 lists the expected read and write behaviors resulting from combinations of the RSNMP and WSNMP policies. Table 3-3 Read and Write Behaviors of SNMP Policies RSNMP Policy WSNMP Policy Read Result Write Result Nonexistent Nonexistent Nonexistent Empty Empty Nonexistent Empty Host B in policy Nonexistent Empty Any host can read Any host can write Any host can read No host can write Any host can read Only B can write This combination is not supported. If the WSNMP policy is not defined, the RSNMP policy cannot be created. No host can read No host can write Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 3-13

Section	Page
About This Document	5
Chapter 1 Introducing Secure Fabric OS	5
Chapter 2 Preparing the Fabric for Secure Fabric OS	5
Chapter 3 Enabling Secure Fabric OS and Creating Policies	6
Chapter 4 Managing Secure Fabric OS	7
Appendix A Removing Secure Fabric OS Capability	7
Appendix B Secure Fabric OS Commands and Secure Mode Restrictions	7
Index	7
About This Document	9
How This Document Is Organized	9
Supported Hardware and Software	10
What’s New in This Document	10
Document Conventions	11
Text Formatting	11
Notes, Cautions, and Warnings	11
Key Terms	12
Additional Information	12
Brocade Resources	12
Other Industry Resources	14
Getting Technical Help	15
Document Feedback	16
Introducing Secure Fabric OS	17
Management Channel Security	18
Switch-to-Switch Authentication	19
Using PKI	19
Using DH-CHAP	20
Fabric Configuration Server Switches	20
Fabric Management Policy Set	21
Preparing the Fabric for Secure Fabric OS	23
Prerequisites for a Secure Fabric Environment	23
Verifying Compatible Fabric OS Version	24
Verifying or Activating Secure Fabric OS and Advanced Zoning Licenses	25
Verifying the Digital Certificate	26
Displaying the Digital Certificate Status	26
Creating PKI Objects	27
Removing PKI Objects	28
Obtaining the Digital Certificate File	29
Configuring Switch-to-Switch Authentication	44
Selecting Authentication Protocols	45
Managing Shared Secrets	46
Preparing SilkWorm 24000 for Secure Fabric OS	48
Installing a Supported CLI Client on a Workstation	50
Enabling Secure Fabric OS and Creating Policies	51
Prerequisites to Enabling Secure Mode	51
Default Fabric and Switch Accessibility	52
Enabling Secure Mode	52
Modifying the FCS Policy	58
Changing the Position of a Switch Within the FCS Policy	59
Failing Over the Primary FCS Switch	60
Creating Secure Fabric OS Policies Other Than the FCS Policy	61
Creating a MAC Policy	62
Creating an Options Policy	70
Creating a DCC Policy	71
Creating an SCC Policy	74
Managing Secure Fabric OS Policies	75
Saving Changes to Secure Fabric OS Policies	76
Activating Changes to Secure Fabric OS Policies	77
Adding a Member to an Existing Policy	77
Removing a Member from a Policy	78
Deleting a Policy	78
Aborting All Uncommitted Changes	79
Aborting a Secure Fabric OS Transaction	79
Managing Secure Fabric OS	81
Viewing Secure Fabric OS Information	81
Displaying General Secure Fabric OS Information	82
Viewing the Secure Fabric OS Policy Database	82
Displaying Individual Secure Fabric OS Policies	83
Displaying Status of Secure Mode	84
Displaying and Resetting Secure Fabric OS Statistics	85
Displaying Secure Fabric OS Statistics	86
Resetting Secure Fabric OS Statistics	87
Managing Passwords	88
Modifying Passwords in Secure Mode	90
Using Temporary Passwords	91
Resetting the Version Number and Time Stamp	92
Adding Switches and Merging Fabrics with Secure Mode Enabled	93
Preventing a LUN Connection	97
Troubleshooting	97
Removing Secure Fabric OS Capability	103
Preparing the Fabric for Removal of Secure Fabric OS Policies	103
Disabling Secure Mode	104
Deactivating the Secure Fabric OS License on Each Switch	105
Uninstalling Related Items from the Host	105
Secure Fabric OS Commands and Secure Mode Restrictions	107
Secure Fabric OS Commands	107
Command Restrictions in Secure Mode	112
Zoning Commands	112
Miscellaneous Commands	113
Index	115
A	115
C	115
D	116
E	116
F	116
H	116
I	116
J	116
L	116
M	116
N	116
O	117
P	117
R	117
S	117
T	118
U	118
V	118
W	118

Match case Limit results 1 per page

Secure Fabric OS Administrator’s Guide

3-13

Publication Number: 53-1000244-01

The individual MAC policies and how to create them are described in the following sections. By

default, all MAC access is allowed; no MAC policies exist until they are created.

Creating an SNMP Policy

Read and write SNMP policies can be used to specify which SNMP hosts are allowed read and write

access to the fabric:

•

RSNMP_POLICY (read access)

Only the specified SNMP hosts can perform read operations to the fabric.

•

WSNMP_POLICY (write access)

Only the specified SNMP hosts can perform write operations to the fabric.

The SNMP hosts must be identified by IP address.

Any host granted write permission by the WSNMP policy is automatically granted read permission by

the RSNMP policy.

See

“To create an SNMP policy”

on page 3-14.

Table 3-3

lists the expected read and write behaviors resulting from combinations of the RSNMP and

WSNMP policies.

Note

An empty MAC policy blocks all access through that management channel. When creating policies,

ensure that all desired members are added to each policy.

Providing fabric access to proxy servers is strongly discouraged. When a proxy server is included in a

MAC policy for IP-based management, such as the HTTP_POLICY, all IP packets leaving the proxy

server appear to originate from the proxy server. This could result in allowing any hosts that have access

to the proxy server to access the fabric.

Serial, Telnet, and API violations that occur on the standby CP of a chassis-based platform do not

display on the active CP. Also, during an HA failover, security violation counters and events are not

propagated from the former active CP to the current active CP.

Table 3-3

Read and Write Behaviors of SNMP Policies

RSNMP Policy

WSNMP Policy

Read Result

Write Result

Nonexistent

Any host can read

Any host can write

Nonexistent

Empty

Any host can read

No host can write

Nonexistent

Host B in policy

Any host can read

Only B can write

Empty

Nonexistent

This combination is not supported. If the WSNMP

policy is not defined, the RSNMP policy cannot be

created.

Empty

No host can read

No host can write