HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.1.x administrator guide (5697 - Page 105
4 Configuring advanced security features

This chapter provides information and procedures for configuring advanced Fabric OS security features such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP's Fibre Channel switches.

NOTE: Run all commands in this chapter, with the suggested role, by logging in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, by logging in to AD 0.

About access control list (ACL) policies

Fabric OS provides the following policies:

• Fabric Configuration Server (FCS) policy: Used to restrict which switches can change the configuration of the fabric.
• Device Connection Control (DCC) policies: Used to restrict which Fibre Channel device ports can connect to which Fibre Channel switch ports.
• Switch Connection Control (SCC) policy: Used to restrict which switches can join with a switch.
• IP Filter Policy (IPFilter) policy: Used to filter traffic based on IP addresses.

Each supported policy is identified by a specific name, and only one policy of each type can exist (except for DCC policies). Policy names are case-sensitive and must be entered in all uppercase.

How the ACL policies are stored

The policies are stored in a local database. The database contains the ACL policy types FCS, DCC, SCC, and IPFilter. The number of policies that may be defined is limited by the size of the database. FCS, SCC, and DCC policies are all stored in the same database.

When a Fabric OS 6.1.x switch joins a fabric containing only pre-6.0 switches, the policy database size limit is restricted to the lowest database size of the Fabric OS versions present. Table 23 shows each Fabric OS version and its associated database size restriction. Distribution of any of the given policies to pre-6.0 switches fails if the size of the database being distributed is greater than the lowest database size in the fabric.

In a fabric with only Fabric OS 6.0 switches present, the limit for the security policy database size is set to 1Mb. In this case, pre-6.0 switches cannot join the fabric if the fabric security database size is greater than their Fabric OS database size.

Table 23 Security database size restrictions

Fabric OS version    Security database size
4.4                  256K
5.1/5.2/5.3          256K
6.0/6.1.x            1Mb

The policies are grouped by state and type. A policy can be in either of the following states:

• Active: The policy is being enforced by the switch.
• Defined: The policy has been set up but is not enforced.

A group of policies is called a Policy Set. Each switch has the following two sets:

• Active policy set: Contains the ACL policies being enforced by the switch.
• Defined policy set: Contains a copy of all ACL policies on the switch.

When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the policy was saved but has not been activated. If a policy with the same name appears in both the defined
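The two rules above (the fabric is held to the lowest database limit of any member, and a defined policy only takes effect once activated) can be checked before a policy is pushed to a mixed-version fabric. The following model is an added example written for this page, not code from the guide or from Fabric OS; the version table is Table 23, and the policy database class, its method names, and the sample WWNs are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Table 23 of the guide: security database size limit per Fabric OS version.
# Keyed by the major.minor prefix ("6.1.x" -> "6.1"); sizes in bytes.
DB_LIMIT_BY_VERSION = {
    "4.4": 256 * 1024, "5.1": 256 * 1024, "5.2": 256 * 1024,
    "5.3": 256 * 1024, "6.0": 1024 * 1024, "6.1": 1024 * 1024,
}

def version_limit(version):
    """Database size limit for one switch, e.g. '6.1.0c' -> 1 MB."""
    return DB_LIMIT_BY_VERSION[".".join(version.split(".")[:2])]

def fabric_limit(versions):
    """The fabric is restricted to the lowest limit among its member switches."""
    return min(version_limit(v) for v in versions)

def can_distribute(db_size, versions):
    """Distribution fails if the database exceeds the fabric's lowest limit."""
    return db_size <= fabric_limit(versions)

def can_join(switch_version, fabric_db_size):
    """A switch cannot join if the fabric's database exceeds its own limit."""
    return fabric_db_size <= version_limit(switch_version)

@dataclass
class PolicyDatabase:
    """Defined and active policy sets of one switch (hypothetical model)."""
    defined: dict = field(default_factory=dict)   # name -> (type, members)
    active: dict = field(default_factory=dict)

    def define(self, name, ptype, members):
        # Names are case-sensitive and must be all uppercase.
        if name != name.upper():
            raise ValueError("policy names must be entered in all uppercase")
        # Only one policy per type may exist, except for DCC policies.
        if ptype != "DCC":
            other = [n for n, (t, _) in self.defined.items() if t == ptype and n != name]
            if other:
                raise ValueError(f"only one {ptype} policy may exist (have {other[0]})")
        self.defined[name] = (ptype, list(members))

    def activate(self, name):
        """Copy a defined policy into the active set, replacing any same-name policy."""
        self.active[name] = self.defined[name]

    def state(self, name):
        """'Active' if enforced, 'Defined' if saved but not activated, else None."""
        return "Active" if name in self.active else "Defined" if name in self.defined else None
```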