Home » HP Manuals » Storage Devices » HP StorageWorks 2/16V » Manual Viewer

HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 72

Table 3-12, Policy State, Characteristics, portEnable

View all HP StorageWorks 2/16V manuals

Add to My Manuals
Save this manual to your list of manuals

Page 72 highlights

3 DCC policies must follow the naming convention "DCC_POLICY_nnn," where nnn represents a unique string. To save memory and improve performance, one DCC policy per switch or group of switches is recommended. Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN, domain ID, or switch name followed by the port or area number. To specify an allowed connection, enter the device port WWN, a semicolon, and the switch port identification. Following are the possible methods of specifying an allowed connection: • deviceportWWN;switchWWN (port or area number) • deviceportWWN;domainID (port or area number) • deviceportWWN;switchname (port or area number) How to create a DCC policy is described after Table 3-12, which shows the possible DCC policy states. Table 3-12 DCC Policy States Policy State Characteristics No policy Any device can connect to any switch port in the fabric. Policy with no entries Any device can connect to any switch port in the fabric. An empty policy is the same as no policy. Policy with entries If a device WWN is specified in a DCC policy, that device is only allowed access to the fabric if connected to a switch port listed in the same policy. If a switch port is specified in a DCC policy, it only permits connections from devices that are listed in the policy. Devices with WWNs that are not specified in a DCC policy are allowed to connect to the fabric at any switch ports that are not specified in a DCC policy. Switch ports and device WWNs may exist in multiple DCC policies. Proxy devices are always granted full access and can connect to any switch port in the fabric. Note When a DCC violation occurs, the related port is automatically disabled and must be re-enabled using the portEnable command. Proxy device access cannot be managed using a DCC policy in a secure fabric. Proxy devices are always granted full access, even if the DCC policy has an entry that restricts or limits access of a proxy device. 3-22 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01

Section	Page
About This Document	5
Chapter 1 Introducing Secure Fabric OS	5
Chapter 2 Preparing the Fabric for Secure Fabric OS	5
Chapter 3 Enabling Secure Fabric OS and Creating Policies	6
Chapter 4 Managing Secure Fabric OS	7
Appendix A Removing Secure Fabric OS Capability	7
Appendix B Secure Fabric OS Commands and Secure Mode Restrictions	7
Index	7
About This Document	9
How This Document Is Organized	9
Supported Hardware and Software	10
What’s New in This Document	10
Document Conventions	11
Text Formatting	11
Notes, Cautions, and Warnings	11
Key Terms	12
Additional Information	12
Brocade Resources	12
Other Industry Resources	14
Getting Technical Help	15
Document Feedback	16
Introducing Secure Fabric OS	17
Management Channel Security	18
Switch-to-Switch Authentication	19
Using PKI	19
Using DH-CHAP	20
Fabric Configuration Server Switches	20
Fabric Management Policy Set	21
Preparing the Fabric for Secure Fabric OS	23
Prerequisites for a Secure Fabric Environment	23
Verifying Compatible Fabric OS Version	24
Verifying or Activating Secure Fabric OS and Advanced Zoning Licenses	25
Verifying the Digital Certificate	26
Displaying the Digital Certificate Status	26
Creating PKI Objects	27
Removing PKI Objects	28
Obtaining the Digital Certificate File	29
Configuring Switch-to-Switch Authentication	44
Selecting Authentication Protocols	45
Managing Shared Secrets	46
Preparing SilkWorm 24000 for Secure Fabric OS	48
Installing a Supported CLI Client on a Workstation	50
Enabling Secure Fabric OS and Creating Policies	51
Prerequisites to Enabling Secure Mode	51
Default Fabric and Switch Accessibility	52
Enabling Secure Mode	52
Modifying the FCS Policy	58
Changing the Position of a Switch Within the FCS Policy	59
Failing Over the Primary FCS Switch	60
Creating Secure Fabric OS Policies Other Than the FCS Policy	61
Creating a MAC Policy	62
Creating an Options Policy	70
Creating a DCC Policy	71
Creating an SCC Policy	74
Managing Secure Fabric OS Policies	75
Saving Changes to Secure Fabric OS Policies	76
Activating Changes to Secure Fabric OS Policies	77
Adding a Member to an Existing Policy	77
Removing a Member from a Policy	78
Deleting a Policy	78
Aborting All Uncommitted Changes	79
Aborting a Secure Fabric OS Transaction	79
Managing Secure Fabric OS	81
Viewing Secure Fabric OS Information	81
Displaying General Secure Fabric OS Information	82
Viewing the Secure Fabric OS Policy Database	82
Displaying Individual Secure Fabric OS Policies	83
Displaying Status of Secure Mode	84
Displaying and Resetting Secure Fabric OS Statistics	85
Displaying Secure Fabric OS Statistics	86
Resetting Secure Fabric OS Statistics	87
Managing Passwords	88
Modifying Passwords in Secure Mode	90
Using Temporary Passwords	91
Resetting the Version Number and Time Stamp	92
Adding Switches and Merging Fabrics with Secure Mode Enabled	93
Preventing a LUN Connection	97
Troubleshooting	97
Removing Secure Fabric OS Capability	103
Preparing the Fabric for Removal of Secure Fabric OS Policies	103
Disabling Secure Mode	104
Deactivating the Secure Fabric OS License on Each Switch	105
Uninstalling Related Items from the Host	105
Secure Fabric OS Commands and Secure Mode Restrictions	107
Secure Fabric OS Commands	107
Command Restrictions in Secure Mode	112
Zoning Commands	112
Miscellaneous Commands	113
Index	115
A	115
C	115
D	116
E	116
F	116
H	116
I	116
J	116
L	116
M	116
N	116
O	117
P	117
R	117
S	117
T	118
U	118
V	118
W	118

Match case Limit results 1 per page

3-22

Secure Fabric OS Administrator’s Guide

Publication Number: 53-1000244-01

DCC policies must follow the naming convention “DCC_POLICY_

nnn,

” where

nnn

represents a

unique string. To save memory and improve performance, one DCC policy per switch or group of

switches is recommended.

Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN,

domain ID, or switch name followed by the port or area number. To specify an allowed connection,

enter the device port WWN, a semicolon, and the switch port identification. Following are the possible

methods of specifying an allowed connection:

•

deviceportWWN

;

switchWWN

(port or area number)

•

deviceportWWN

;

domainID

(port or area number)

•

deviceportWWN

;

switchname

(port or area number)

How to create a DCC policy is described after

Table 3-12

, which shows the possible DCC policy states.

Table 3-12

DCC Policy States

Policy State

Characteristics

No policy

Any device can connect to any switch port in the fabric.

Policy with no entries

Any device can connect to any switch port in the fabric. An empty

policy is the same as no policy.

Policy with entries

If a device WWN is specified in a DCC policy, that device is only

allowed access to the fabric if connected to a switch port listed in the

same policy.

If a switch port is specified in a DCC policy, it only permits connections

from devices that are listed in the policy.

Devices with WWNs that are not specified in a DCC policy are allowed

to connect to the fabric at any switch ports that are not specified in a

DCC policy.

Switch ports and device WWNs may exist in multiple DCC policies.

Proxy devices are always granted full access and can connect to any

switch port in the fabric.

Note

When a DCC violation occurs, the related port is automatically disabled and must be re-enabled using

the

portEnable

command.

Proxy device access cannot be managed using a DCC policy in a secure fabric. Proxy devices are always

granted full access, even if the DCC policy has an entry that restricts or limits access of a proxy device.