Home » Dell Manuals » Hubs & Switches » Dell Brocade M5424 » Manual Viewer

Dell Brocade M5424 Brocade 7.1.0 Access Gateway Administrator's Guide - Page 56

Access Gateway policy enforcement matrix, Advanced Device Security policy, How the ADS policy works

Add to My Manuals
Save this manual to your list of manuals

Page 56 highlights

3 Advanced Device Security policy Access Gateway policy enforcement matrix Table 8 shows which policies can be enabled at the same time. For example, in the Auto Port Configuration policy row, only N_Port Trunking and Advanced Device Security can be enabled with this policy. TABLE 8 Policy enforcement matrix Policies Auto Port Configuration N_Port Grouping N_Port Trunking Advanced Device Security Auto Port Configuration N/A No Yes Yes N_Port Grouping Mutually exclusive N/A Yes Yes N_Port Trunking Yes Yes N/A Yes Advanced Device Yes Security1 Device Load Balancing2 No Yes Yes N/A Yes Yes Yes 1. The ADS policy is not supported when using device mapping. 2. Device Load Balancing and Automatic Login Balancing cannot be enabled for the same port group. Advanced Device Security policy Advanced Device Security (ADS) is a security policy that restricts access to the fabric at the AG level to a set of authorized devices. Unauthorized access is rejected and the system logs a RASLOG message. You can configure the list of allowed devices for each F_Port by specifying their Port WWN (PWWN). The ADS policy secures virtual and physical connections to the SAN. How the ADS policy works When you enable the ADS policy, it applies to all F_Ports on the AG-enabled module. By default, all devices have access to the fabric on all ports. You can restrict the fabric connectivity to a particular set of devices where AG maintains a per-port allow list for the set of devices whose PWWN you define to log in through an F_Port. You can view the devices with active connections to an F_Port using the ag --show command. NOTE The ag --show command only displays F_Ports on Core AGs, such as the AGs that are directly connected to fabric. Use the agshow --name command on the fabric switch to display the F_Ports of both the Core and Edge AGs. Alternatively, the security policy can be established in the Enterprise fabric using the Device Connection Control (DCC) policy. For information on configuring the DCC policy, see "Enabling the DCC policy on a trunk" on page 60. The DCC policy in the Enterprise fabric takes precedence over the ADS policy. It is generally recommended to implement the security policy in the AG module rather than in the main fabric, especially if the Failover and Failback policies are enabled. 36 Access Gateway Administrator's Guide 53-1002743-01

Section	Page
About This Document	13
How this document is organized	13
Supported hardware and software	14
What’s new in this document	14
Document conventions	15
Text formatting	15
Command syntax conventions	15
Notes, cautions, and warnings	16
Notice to the reader	16
Key terms for Access Gateway	17
Additional information	18
Brocade resources	18
Other industry resources	18
Optional Brocade features	18
Getting technical help	18
Document feedback	19
Access Gateway Basic Concepts	21
Brocade Access Gateway overview	21
Comparing Native Fabric and Access Gateway modes	21
Fabric OS features in Access Gateway mode	23
Buffer credit recovery support	25
Forward error correction support	26
Virtual Fabrics support	26
Device authentication support	26
Access Gateway port types	29
Comparison of Access Gateway ports to standard switch ports	29
Access Gateway hardware considerations	31
Configuring Ports in Access Gateway Mode	33
Enabling and disabling Access Gateway mode	33
Port state description	34
Access Gateway mapping	35
Port mapping	36
F_Port Static Mapping	40
Device mapping	42
Considerations for Access Gateway mapping	48
N_Port configurations	50
Displaying N_Port configurations	51
Unlocking N_Ports	51
Persisting port online state	51
D_Port support	52
Limitations and considerations	52
Saving port mappings	53
Managing Policies and Features in Access Gateway Mode	55
Access Gateway policies overview	55
Displaying current policies	55
Access Gateway policy enforcement matrix	56
Advanced Device Security policy	56
How the ADS policy works	56
Enabling and disabling the ADS policy	57
Allow lists	57
ADS policy considerations	59
Upgrade and downgrade considerations for the ADS policy	59
Automatic Port Configuration policy	59
How the APC policy works	59
Enabling and disabling the APC policy	60
APC policy considerations	60
Upgrade and downgrade considerations for the APC policy	60
Port Grouping policy	61
How port groups work	61
Adding an N_Port to a port group	62
Deleting an N_Port from a port group	62
Removing a port group	62
Renaming a port group	63
Disabling the Port Grouping policy	63
Port Grouping policy modes	63
Creating a port group and enabling Automatic Login Balancing mode	64
Enabling MFNM mode	65
Disabling MFNM mode	65
Displaying the current MFNM mode timeout value	66
Setting the current MFNM mode timeout value	66
Port Grouping policy considerations	66
Upgrade and downgrade considerations for the Port Grouping policy	67
Device Load Balancing policy	67
Enabling the Device Load Balancing policy	67
Disabling the Device Load Balancing policy	67
Device Load Balancing policy considerations	68
Persistent ALPA policy	68
Enabling the Persistent ALPA policy	68
Disabling the Persistent ALPA policy	69
Persistent ALPA device data	69
Clearing ALPA values	69
Persistent ALPA policy considerations	70
Failover policy	70
Failover with port mapping	70
Failover with device mapping	73
Enabling and disabling the Failover policy on an N_Port	74
Enabling and disabling the Failover policy for a port group	74
Upgrade and downgrade considerations for the Failover policy	75
Failback policy	75
Failback policy configurations in Access Gateway	75
Enabling and disabling the Failback policy on an N_Port	76
Enabling and disabling the Failback policy for a port group	77
Upgrade and downgrade considerations for the Failback policy	77
Failback policy disabled on unreliable links (N_Port monitoring)	77
Trunking in Access Gateway mode	78
How trunking works	78
Configuring trunking on the Edge switch	78
Configuration management for trunk areas	79
Enabling trunking	81
Disabling F_Port trunking	81
Monitoring trunking	81
AG trunking considerations for the Edge switch	82
Trunking considerations for Access Gateway mode	85
Upgrade and downgrade considerations for trunking in Access Gateway mode	85
Adaptive Networking on Access Gateway	85
QoS: Ingress rate limiting	86
QoS: SID/DID traffic prioritization	86
Upgrade and downgrade considerations for Adaptive Networking in AG mode	86
Adaptive Networking on Access Gateway considerations	87
Per-Port NPIV login limit	87
Setting the login limit	87
Advanced Performance Monitoring	88
End-to-end monitors	88
Frame monitors	89
Limitations for using APM	90
Considerations for the Brocade 8000	90
Port mapping	90
Policy and feature support	90
Fabric OS command support	91
Considerations for the Brocade 6505 and 6510	92
SAN Configuration with Access Gateway	93
Connectivity of multiple devices overview	93
Considerations for connecting multiple devices	93
Direct target attachment	94
Considerations for direct target attachment	94
Target aggregation	95
Access Gateway cascading	96
Access Gateway cascading considerations	96
Fabric and Edge switch configuration	97
Verifying the switch mode	97
Enabling NPIV on M-EOS switches	98
Connectivity to Cisco fabrics	98
Enabling NPIV on a Cisco switch	98
Rejoining Fabric OS switches to a fabric	99
Reverting to a previous configuration	99
Troubleshooting	101

Match case Limit results 1 per page

Access Gateway Administrator’s Guide

53-1002743-01

Advanced Device Security policy

Access Gateway policy enforcement matrix

Table 8

shows which policies can be enabled at the same time. For example, in the Auto Port

Configuration policy row, only N_Port Trunking and Advanced Device Security can be enabled with

this policy.

Advanced Device Security policy

Advanced Device Security (ADS) is a security policy that restricts access to the fabric at the AG level

to a set of authorized devices. Unauthorized access is rejected and the system logs a RASLOG

message. You can configure the list of allowed devices for each F_Port by specifying their Port

WWN (PWWN). The ADS policy secures virtual and physical connections to the SAN.

How the ADS policy works

When you enable the ADS policy, it applies to all F_Ports on the AG-enabled module. By default, all

devices have access to the fabric on all ports. You can restrict the fabric connectivity to a particular

set of devices where AG maintains a per-port allow list for the set of devices whose PWWN you

define to log in through an F_Port. You can view the devices with active connections to an F_Port

using the

ag --show

command.

NOTE

The

show

command only displays F_Ports on Core AGs, such as the AGs that are directly

connected to fabric. Use the

agshow

name

command on the fabric switch to display the F_Ports

of both the Core and Edge AGs.

Alternatively, the security policy can be established in the Enterprise fabric using the Device

Connection Control (DCC) policy. For information on configuring the DCC policy, see

“Enabling the

DCC policy on a trunk”

on page 60. The DCC policy in the Enterprise fabric takes precedence over

the ADS policy. It is generally recommended to implement the security policy in the AG module

rather than in the main fabric, especially if the Failover and Failback policies are enabled.

TABLE 8

Policy enforcement matrix

Policies

Auto Port Configuration

N_Port Grouping

N_Port Trunking

Advanced Device

Security

Auto Port Configuration

N/A

Yes

N_Port Grouping

Mutually exclusive

N/A

Yes

N_Port Trunking

Yes

N/A

Yes

Advanced Device

Security

The ADS policy is not supported when using device mapping.

Yes

N/A

Device Load Balancing

Device Load Balancing and Automatic Login Balancing cannot be enabled for the same port group.

Yes