HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 71

Creating a DCC Policy, To create an Options policy

Page 71 highlights

Table 3-11 Options Policy States

Policy State | Characteristics
No policy | Node WWNs can be used for WWN-based zoning.
Policy with no entries | Node WWNs can be used for WWN-based zoning.
Policy with entries | Node WWNs cannot be used for WWN-based zoning.

To create an Options policy:

1. Log in to the primary FCS switch as admin from a sectelnet or SSH session.

2. Type secPolicyCreate "OPTIONS_POLICY", "NoNodeWWNZoning".

    primaryfcs:admin> secpolicycreate "OPTIONS_POLICY", "NoNodeWWNZoning"
    OPTIONS_POLICY has been created.

3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command. If neither of these commands is entered, the changes are lost when the session is logged out. For more information about these commands, see "Saving Changes to Secure Fabric OS Policies" on page 3-26 and "Activating Changes to Secure Fabric OS Policies" on page 3-27.

4. To apply the change to current transactions, disable the switch then re-enable it by entering the switchDisable and switchEnable commands. This stops any current traffic between devices that are zoned using node names.

Creating a DCC Policy

Note: Fabric OS v5.2.0 supports local DCC policies; however, the local DCC policies created in non-secure mode cannot be used while in secure mode. Policies created in non-secure mode are deleted when secure mode is enabled. Back up DCC policies before enabling secure mode.

Multiple DCC policies can be used to restrict which device ports can connect to which switch ports. The devices can be initiators, targets, or intermediate devices such as SCSI routers and loop hubs. By default, all device ports are allowed to connect to all switch ports; no DCC policies exist until they are created by the administrator.

Each device port can be bound to one or more switch ports; the same device ports and switch ports might be listed in multiple DCC policies. After a switch port is specified in a DCC policy, it permits connections only from designated device ports. Device ports that are not specified in any DCC policies are allowed to connect only to switch ports that are not specified in any DCC policies.

Note: Some older private-loop HBAs do not respond to port login from the switch and are not enforced by the DCC policy. However, this does not create a security problem because these HBAs cannot contact any device outside of their immediate loop.

Secure Fabric OS Administrator's Guide
Publication Number: 53-1000244-01
3-21
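The DCC connection rules described above can be checked against a planned cabling layout before a policy is activated. The following is an added example, not code from the guide or from Fabric OS: the policy names, WWNs and the slot/port labels are constructed sample values, and a device is treated as "designated" for a switch port when both appear in the same policy, which is an assumption of this model.

```python
# Added illustration: models only the DCC rules quoted in the text above.
# Policy names, WWNs and port labels are constructed sample values.

SAMPLE_POLICIES = {
    # policy name: (device port WWNs, switch ports)
    "db_hosts": ({"10:00:00:00:c9:aa:aa:01"}, {"1/3", "1/4"}),
    "backup": ({"10:00:00:00:c9:aa:aa:01",
                "10:00:00:00:c9:bb:bb:02"}, {"1/7"}),
}


def dcc_decision(policies, device_wwn, switch_port):
    """Return 'allow', 'deny' or 'unspecified' for one connection attempt."""
    device_wwn = device_wwn.lower()  # WWNs are compared case-insensitively
    port_listed = False
    device_listed = False
    for devices, ports in policies.values():
        devices = {d.lower() for d in devices}
        if device_wwn in devices:
            device_listed = True
        if switch_port in ports:
            port_listed = True
            if device_wwn in devices:
                # Assumption: sharing a policy with the port = designated.
                return "allow"
    if port_listed:
        # A switch port named in a policy accepts designated devices only.
        return "deny"
    if not device_listed:
        # Neither side is named in any policy: the default applies.
        return "allow"
    # Listed device on an unlisted switch port: the text above does not
    # state this case, so the model refuses to guess.
    return "unspecified"


if __name__ == "__main__":
    attempts = [
        ("10:00:00:00:C9:AA:AA:01", "1/3"),
        ("10:00:00:00:c9:bb:bb:02", "1/3"),
        ("10:00:00:00:c9:cc:cc:03", "1/7"),
        ("10:00:00:00:c9:cc:cc:03", "2/0"),
        ("10:00:00:00:c9:aa:aa:01", "2/0"),
    ]
    for wwn, port in attempts:
        print(wwn, port, dcc_decision(SAMPLE_POLICIES, wwn, port))
```

Any attempt reported as "deny" is a connection that would stop working once the switch port is named in an active policy, so it is worth reviewing before activation.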

