HP StorageWorks 8/80 Brocade Access Gateway Administrator's Guide v6.2.0 (53-1 - Page 28




10
Access Gateway Administrator’s Guide
53-1001189-01
Advanced Device Security policy
The Advanced Device Security (ADS) policy is supported on AG F_Ports. Fabric OS v6.2.0 extends the Device Connection Control (DCC) policy to switches in AG mode to provide an additional level of security: the DCC policy is applied to the physical F_Ports and to the NPIV logins on those F_Ports. As more physical servers are virtualized, virtual servers can become vulnerable, and security becomes an integral part of server I/O virtualization. The ADS policy restricts fabric connectivity to a set of devices that you specify as allowed to log in to the fabric through a switch in AG mode. By default, the ADS policy is not enabled. After you set a switch in AG mode, you can enable the ADS policy and then specify which devices are allowed to log in, on a per-F_Port basis. Security enforcement can also be done in the Enterprise fabric; a DCC policy in the Enterprise fabric takes precedence over the ADS policy. When you enable the ADS policy, it applies to all the ports on the switch, and by default all devices have access to the fabric on all ports, so enabling the policy by itself restricts nothing until you set an allow list on a port.
Enabling the Advanced Device Security policy
1. Connect to the switch and log in as admin.
2. Enter the ag --policyenable ads command.
switch:admin> ag --policyenable ads
The policy ADS is enabled
Disabling the Advanced Device Security policy
1. Connect to the switch and log in as admin.
2. Enter the ag --policydisable ads command.
switch:admin> ag --policydisable ads
The policy ADS is disabled
Setting which devices can log in if ADS policy is enabled
You specify which devices are allowed to log in on a per-F_Port basis by listing each device's port WWN (PWWN). Use the ag --adsset command to set which devices are allowed to log in through a specified set of F_Ports. Lists must be enclosed in double quotation marks, and list members must be separated by semicolons. The maximum number of entries in the allowed device list is twice the per-port maximum login count. Replace the WWN list with an asterisk (*) to allow all access on the specified F_Port list. Replace the F_Port list with an asterisk (*) to add the specified WWNs to the allow lists of all F_Ports. An empty WWN list ("") indicates no access. The ADS policy must be enabled for this command to succeed.
NOTE
Use an asterisk enclosed in quotation marks ("*") as the WWN list to set the Allow list to "All Access" on the specified F_Ports; use a pair of double quotation marks ("") to set it to "No Access".
Note the following characteristics of the Allow List:
• The maximum number of device entries allowed in the Allow List is twice the per-port maximum login count.
• Each port can be configured to allow no devices or to allow all devices to log in.
• If the ADS policy is enabled, every port is by default configured to allow all devices to log in.
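As an added example (not from the guide or from Brocade): a small POSIX shell pre-flight script that checks an F_Port list and a PWWN list against the quoting and separator rules above and prints the ag --adsset command line to paste into the switch CLI; it never connects to the switch. It assumes the argument order ag --adsset "<F_Port list>" "<PWWN list>" from the Fabric OS command reference (not shown on this page), numeric F_Port indexes, PWWNs written as eight colon-separated hex octets, and an optional ADS_MAX_ENTRIES variable holding the switch-specific limit of twice the per-port maximum login count. The PWWNs in the usage comments are constructed.

```shell
#!/bin/sh
# Added example, not from the HP/Brocade guide: offline pre-flight builder for
# "ag --adsset" allow-list commands. Validates the two lists and prints the exact
# command to paste into the AG switch CLI. Nothing here talks to the switch.
#
# Assumptions not stated on this page:
#   - argument order is  ag --adsset "<F_Port list>" "<PWWN list>"  (Fabric OS
#     command reference); confirm against your Fabric OS release before use
#   - F_Ports are given as numeric port indexes
#   - a PWWN is eight colon-separated hex octets, e.g. 10:00:00:05:1e:11:22:33
#   - ADS_MAX_ENTRIES, if set, is twice the per-port maximum login count of
#     the switch (the limit the guide states; the value is switch-specific)

is_port() { printf '%s' "$1" | grep -Eq '^[0-9]+$'; }
is_pwwn() { printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){7}[0-9a-f]{2}$'; }

# validate_list <port|wwn> <list>
# <list> is semicolon-separated, "*" (all ports / all access) or, for wwn only,
# "" (no access). On success prints the number of explicit members (0 for "*"
# and ""); on the first bad member prints an error to stderr and returns 1.
validate_list() {
    kind=$1; rest=$2; n=0
    case $rest in
        '*') echo 0; return 0 ;;
        '')  if [ "$kind" = wwn ]; then echo 0; return 0; fi
             echo "error: F_Port list must not be empty" >&2; return 1 ;;
    esac
    # Split on ';' by hand so behaviour is identical in sh, dash and bash;
    # a trailing ';' is tolerated, an empty member such as "1;;2" is not.
    while [ -n "$rest" ]; do
        m=${rest%%;*}
        case $rest in *\;*) rest=${rest#*;} ;; *) rest='' ;; esac
        if [ "$kind" = port ]; then
            is_port "$m" || { echo "error: bad F_Port index '$m'" >&2; return 1; }
        else
            is_pwwn "$m" || { echo "error: bad PWWN '$m'" >&2; return 1; }
        fi
        n=$((n + 1))
    done
    echo "$n"
}

# ads_set <F_Port list> <PWWN list>
# Prints the ag --adsset command line, or returns 1 without printing it if
# either list is malformed or the allow list exceeds ADS_MAX_ENTRIES.
ads_set() {
    validate_list port "$1" >/dev/null || return 1
    n=$(validate_list wwn "$2") || return 1
    if [ -n "${ADS_MAX_ENTRIES:-}" ] && [ "$n" -gt "$ADS_MAX_ENTRIES" ]; then
        echo "error: $n PWWNs exceeds ADS_MAX_ENTRIES=$ADS_MAX_ENTRIES" >&2
        return 1
    fi
    printf 'ag --adsset "%s" "%s"\n' "$1" "$2"
}

# Usage, with constructed PWWNs:
#   ads_set "1;2" "10:00:00:05:1e:11:22:33;10:00:00:05:1e:44:55:66"  # two HBAs on ports 1 and 2
#   ads_set "*"   "10:00:00:05:1e:11:22:33"                          # one PWWN added on every F_Port
#   ads_set "7"   ""                                                 # port 7: no access
#   ads_set "7"   "*"                                                # port 7: back to all access
```

The script rejects an empty member such as "1;;2" and an incomplete PWWN before anything reaches the switch, and for a no-access list it prints the pair of empty quotation marks rather than dropping the argument, which is the case that is easiest to get wrong when the command is generated by a script.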