HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.2 administrator guide (5697-0 - Page 119

4 Configuring advanced security features This chapter provides information and procedures for configuring advanced Fabric OS security features such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP's Fibre Channel switches. ACL policies overview Each supported Access Control List (ACL) policy listed below is identified by a specific name. Only one policy of each type can exist, except for DCC policies. Policy names are case-sensitive and must be entered in all uppercase. Fabric OS provides the following policies: • Fabric configuration server (FCS) policy - Used to restrict which switches can change the configuration of the fabric. • Device connection control (DCC) policies - Used to restrict which Fibre Channel device ports can connect to which Fibre Channel switch ports. • Switch connection control (SCC) policy - Used to restrict which switches can join with another switch. • IP filter policy (IPFilter) policy - Used to filter traffic based on IP addresses. NOTE: Run all commands in this chapter by logging in to Administrative Domain (AD) 255 with the suggested role. If Administrative Domains have not been implemented, log in to AD0. How the ACL policies are stored The ACL policies are stored in a local database. The database contains the ACL policy types FCS, DCC, SCC, and IPFilter. The number of policies that may be defined is limited by the size of the database. FCS, SCC, and DCC policies are all stored in the same database. When a Fabric OS 6.2.0 switch joins the fabric containing only pre-6.0.0 switches, the policy database size limit is restricted to the Fabric OS version's smallest database size. Table 24 shows the Fabric OS version and its associated database size restriction. Distribution of any of the given policies to pre-6.0.0 switches would fail if the size of the database being distributed is greater than the smallest database size in the fabric. In a fabric with Fabric OS 6.0.0 and later switches present, the limit for security policy database size is set to 1Mb. In this case, the pre-6.0.0 switches cannot join the fabric if the fabric security database size is greater than their Fabric OS database size. Table 24 Security database size restrictions Fabric OS version Security database size 4.4.0 5.1.0/5.2.0/5.3.0 6.0.0/6.1.0/6.1.1 6.2.0 256K 256K 1Mb 1Mb per switch and Logical Switch The policies are grouped by state and type. A policy can be in either of the following states: • Active, which means the policy is being enforced by the switch. • Defined, which means the policy has been set up but is not enforced. A group of policies is called a Policy Set. Each switch has the following two sets: • Active policy set, which contains ACL policies being enforced by the switch. • Defined policy set, which contains a copy of all ACL policies on the switch. Fabric OS 6.2 administrator guide 117