HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 65

Note
Static host IP addresses are required to implement the Telnet policy effectively. Do not use DHCP for hosts that are in the TELNET_POLICY, because as soon as the IP addresses change, the hosts will no longer be able to access the fabric. Restricting output (such as placing a session on "hold" by use of a command or keyboard shortcut) is not recommended.

This policy pertains to sectelnet and SSH. It does not pertain to telnet access, because telnet is not available in secure mode. Use sectelnet as soon as a digital certificate is installed on the switch.

Note
An empty TELNET_POLICY blocks all telnet access. To prevent this, keep one or more members in the Telnet policy. If an empty Telnet policy is absolutely required, leave a meaningful entry in the API, HTTP, or SERIAL policies (or do not create these policies) to ensure that some form of management access is available to the switch. To restrict CLI access over the network to SSH, disable telnet as described in "Telnet" on page 1-3.

The possible Telnet policy states are shown in Table 3-4.

Table 3-4  Telnet Policy States

    Policy State             Description
    No policy                Any host can connect by sectelnet or SSH to the fabric.
    Policy with no entries   No host can connect by sectelnet or SSH to the fabric.
    Policy with entries      Only specified hosts can connect by sectelnet or SSH to the fabric.

To create a Telnet policy

1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.

2. Type secPolicyCreate "TELNET_POLICY", "member;...;member".
   member is one or more IP addresses in dot-decimal notation. "0" can be entered in an octet to indicate that any number can be matched in that octet.

3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command.
   If neither of these commands is entered, the changes are lost when the session is logged out. For more information about these commands, see "Saving Changes to Secure Fabric OS Policies" on page 3-26 and "Activating Changes to Secure Fabric OS Policies" on page 3-27.

For example, to create a Telnet policy to allow anyone on network 192.168.5.0 (where 0 can be any number) to access the fabric from a sectelnet or SSH session:

    primaryfcs:admin> secpolicycreate "TELNET_POLICY", "192.168.5.0"
    TELNET_POLICY has been created.

HTTP Policy

The HTTP policy can be used to specify which workstations can use HTTP to access the fabric. This is useful for applications that use Internet browsers, such as Brocade Web Tools.

The policy is named HTTP_POLICY and contains a list of IP addresses for devices and workstations that are allowed to establish HTTP connections to the switches in the fabric.

Secure Fabric OS Administrator's Guide    Publication Number: 53-1000244-01    3-15
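The Telnet policy rules above (the "member;...;member" syntax with a "0" wildcard octet from step 2, the three states of Table 3-4, and the empty-policy lockout described in the second Note) can be checked offline before a policy is saved or activated. The following Python is an added example written for this page; it is not Brocade or HP code and does not talk to a switch. The data model (None for "No policy", an empty list for "Policy with no entries", a non-empty list for "Policy with entries"), the function names, and the policy names API_POLICY and SERIAL_POLICY (taken from the Note's wording, not spelled out on this page) are this example's own assumptions.

```python
"""
Added example: offline model of the Secure Fabric OS Telnet policy rules
on this page. Not Brocade/HP code; the data model and names are assumed.
"""
from typing import Dict, List, Optional, Tuple

IPv4 = Tuple[int, int, int, int]
# None -> "No policy"; [] -> "Policy with no entries"; non-empty -> "Policy with entries"
Policy = Optional[List[IPv4]]

# Management-access policies named in the second Note. The TELNET_POLICY and
# HTTP_POLICY names are on the page; API_POLICY and SERIAL_POLICY are assumed.
MGMT_POLICIES = ("TELNET_POLICY", "API_POLICY", "HTTP_POLICY", "SERIAL_POLICY")


def parse_members(member_string: str) -> List[IPv4]:
    """Parse the "member;...;member" argument of secPolicyCreate.

    Each member is a dot-decimal IPv4 address. A "0" octet is kept as 0 and
    treated as a wildcard by member_matches().
    """
    members: List[IPv4] = []
    for raw in member_string.split(";"):
        raw = raw.strip()
        if not raw:                      # tolerate a stray ';' in the list
            continue
        octets = raw.split(".")
        if len(octets) != 4 or not all(o.isdigit() for o in octets):
            raise ValueError(f"not a dot-decimal IPv4 address: {raw!r}")
        addr = (int(octets[0]), int(octets[1]), int(octets[2]), int(octets[3]))
        if any(o > 255 for o in addr):
            raise ValueError(f"octet out of range: {raw!r}")
        members.append(addr)
    return members


def member_matches(member: IPv4, host: IPv4) -> bool:
    """A member matches when every octet is equal or the member octet is 0."""
    return all(m == 0 or m == h for m, h in zip(member, host))


def policy_state(policy: Policy) -> str:
    """Classify a policy into one of the three states of Table 3-4."""
    if policy is None:
        return "No policy"
    if not policy:
        return "Policy with no entries"
    return "Policy with entries"


def host_allowed(policy: Policy, host_ip: str) -> bool:
    """Apply Table 3-4: may this host connect by sectelnet or SSH?"""
    if policy is None:
        return True                      # No policy: any host can connect
    if not policy:
        return False                     # Policy with no entries: no host can connect
    host = parse_members(host_ip)[0]
    return any(member_matches(m, host) for m in policy)


def management_access_remains(policies: Dict[str, Policy]) -> bool:
    """Lockout check for the second Note, run before secPolicyActivate.

    A policy that was never created (absent, i.e. None) leaves that access
    path open; a policy with entries admits its listed hosts. Only when every
    named management policy exists and is empty is no path left.
    """
    for name in MGMT_POLICIES:
        if policy_state(policies.get(name)) != "Policy with no entries":
            return True
    return False


if __name__ == "__main__":
    # The page's own example: secpolicycreate "TELNET_POLICY", "192.168.5.0"
    telnet = parse_members("192.168.5.0")
    print(policy_state(telnet), host_allowed(telnet, "192.168.5.77"),
          host_allowed(telnet, "192.168.6.77"))
    # Empty TELNET_POLICY but no other management policy created: still reachable.
    print(management_access_remains({"TELNET_POLICY": []}))
    # Every management policy created and empty: the switch is locked out.
    print(management_access_remains({n: [] for n in MGMT_POLICIES}))
```

Because the model only knows addresses, it cannot tell whether a listed host is actually reachable or whether its address is DHCP-assigned (the concern of the first Note); it catches the structural mistakes, an empty policy with no other management path and a member list that would not admit the administrator's own workstation, before the change is made permanent.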
