HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.2 administrator guide (5697-0 - Page 122
Overview of FCS policy management
fabric and not to pre-5.2.0 switches. Fabric OS 5.2.0 switches receive the distribution and will ignore the FCS database.

FCS policy restrictions

The backup FCS switches normally cannot modify the policy. However, if the Primary FCS switch in the policy list is not reachable, a backup FCS switch is allowed to modify the policy.

Once an FCS policy is configured and distributed across the fabric, only the Primary FCS switch can perform certain operations. Operations that affect fabric-wide configuration are allowed only from the Primary FCS switch. Backup and non-FCS switches cannot perform security, zoning, and AD operations that affect the fabric configuration. The following error message is returned if a backup or non-FCS switch tries to perform these operations:

Can only execute this command on the Primary FCS switch.

Operations that do not affect the fabric configuration, such as show or local switch commands, are allowed on backup and non-FCS switches.

FCS enforcement applies only for user-initiated fabric-wide operations. Internal fabric data propagation because of a fabric merge is not blocked. Consequently, a new switch that joins the FCS-enabled fabric could still propagate the AD and zone database.

Table 27 shows the commands for switch operations for Primary FCS enforcement.

Table 27 Switch operations
Allowed on FCS switches / Allowed on all switches

  secPolicyAdd (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide)
  secPolicyCreate (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide)
  secPolicyDelete (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide)
  secPolicyRemove (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide)
  secPolicyShow
  fddCfg --localaccept or fddCfg --localreject
  userconfig, Passwd, Passwdcfg (Fabric-wide distribution is not allowed from a backup or non-FCS switch.)
  secPolicyActivate
  fddCfg --fabwideset
  Any fabric-wide commands
  All zoning commands except the show commands
  All AD commands
  secPolicySave
  secPolicyAbort
  SNMP commands
  configupload
  Any local-switch commands
  Any AD command that does not affect fabric-wide configuration

FCS enforcement does not apply to pre-5.3.0 switches, and they will be able to initiate all operations.

Overview of FCS policy management

Whether your intention is to create new FCS policies or manage your current FCS policies, you must follow certain steps to ensure that the domains throughout your fabric have the same policy.

NOTE: The local-switch WWN cannot be deleted from the FCS policy.

1. Set the pre-5.3.0 switches in the fabric to accept the FCS policy using the fddCfg --localaccept or fddCfg --localreject command.
2. Create the FCS policy using the secPolicyCreate command.
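
The version boundaries stated above decide which switches an FCS policy actually constrains. The following Python script is an added example, not part of the HP guide: it audits a constructed switch inventory against those boundaries. The switch names, the status labels, and the treatment of every 5.2.x release like the 5.2.0 case described in the text are assumptions of the example.

```python
import re

# Version boundaries as stated on the page.
DISTRIBUTION_MIN = (5, 2, 0)  # pre-5.2.0 switches are not sent the FCS policy
ENFORCEMENT_MIN = (5, 3, 0)   # FCS enforcement does not apply below 5.3.0

def parse_fos_version(text):
    """Turn 'v6.2.0a' or '5.2.1' into (major, minor, patch); the letter suffix is ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[a-z_]\w*)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {text!r}")
    return tuple(int(g) for g in m.groups())

def fcs_coverage(version_text):
    """Classify a switch by how the page says its release treats the FCS policy."""
    version = parse_fos_version(version_text)
    if version < DISTRIBUTION_MIN:
        return "no-distribution"  # never receives the policy
    if version < ENFORCEMENT_MIN:
        return "ignores-fcs"      # receives it, ignores the FCS database (assumed for all 5.2.x)
    return "enforced"

def audit(inventory):
    """Return (name, version, status) for every switch not bound by FCS enforcement."""
    findings = []
    for name, version in inventory:
        try:
            status = fcs_coverage(version)
        except ValueError:
            status = "unknown-version"  # unparseable versions are findings, not assumed safe
        if status != "enforced":
            findings.append((name, version, status))
    return findings

# Constructed inventory; names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("core-sw1", "v6.2.0a"),
    ("edge-sw7", "v5.3.0"),
    ("edge-sw9", "v5.2.1b"),
    ("legacy-sw3", "v5.1.0d"),
    ("lab-sw2", "unknown"),
]

if __name__ == "__main__":
    for name, version, status in audit(SAMPLE_INVENTORY):
        print(f"{name:<12}{version:<10}{status}")
```

Per the text above, every pre-5.3.0 switch this audit returns can initiate all operations regardless of the FCS policy.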