Home » Dell Manuals » Hubs & Switches » Dell Brocade M5424 » Manual Viewer

Dell Brocade M5424 Brocade 7.1.0 Access Gateway Administrator's Guide - Page 57

Enabling and disabling the ADS policy, Allow lists, Setting the list of devices allowed to log

Add to My Manuals
Save this manual to your list of manuals

Page 57 highlights

Advanced Device Security policy 3 Enabling and disabling the ADS policy By default, the ADS policy is disabled. When you manually disable the ADS policy, all of the allow lists (global and per-port) are cleared. Before disabling the ADS policy, you should save the configuration using the configUpload command in case you need this configuration again. 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the ag --policyenable ads command to enable the ADS policy. switch:admin> ag --policyenable ads The policy ADS is enabled 3. Enter the ag --policydisable ads command to disable the ADS policy. switch:admin> ag --policydisable ads The policy ADS is disabled NOTE Use the ag --policyshow command to determine the current status of the ADS policy. Allow lists You can determine which devices are allowed to log in on a per-F_Port basis by specifying lists of F_Ports and device WWNs in the ag --adsset command. The ADS policy must be enabled for this command to succeed. ag --adsset "F_Port [;F_Port2;...]" "WWN [;WWN2;...]" Lists must be enclosed in quotation marks. List members must be separated by semicolons. The maximum number of entries in the allowed device list is twice the per-port maximum login count. Use an asterisk (*) instead of port numbers in the F_Port list to add the specified WWNs to all the F_Ports allow lists. Use an asterisk (*) instead of WWNs to indicate access to all devices from the specified F_Port list. A blank WWN list ("") indicates no access. NOTE Use an asterisk enclosed in quotation marks ("*") to set the allow list to "all access"; use a pair of double quotation marks ("") to set the allow list to "no access". Note the following characteristics of the allow list: • The maximum device entries allowed in the allow list is twice the per-port maximum login count. • Each port can be configured to "not allow any device" or "to allow all the devices" to log in. • If the ADS policy is enabled, by default, every port is configured to allow all devices to log in. • The same allow list can be specified for more than one F_Port. Setting the list of devices allowed to log in 1. Connect to the switch and log in using an account assigned to the admin role. 2. Enter the ag --adsset command with the appropriate options to set the list of devices allowed to log in to specific ports. In the following example, ports 1, 10, and, 13 are set to "all access." switch:admin> ag --adsset "1;10;13" "*" WWN list set successfully as the Allow Lists of the F_Port[s] Access Gateway Administrator's Guide 37 53-1002743-01

Section	Page
About This Document	13
How this document is organized	13
Supported hardware and software	14
What’s new in this document	14
Document conventions	15
Text formatting	15
Command syntax conventions	15
Notes, cautions, and warnings	16
Notice to the reader	16
Key terms for Access Gateway	17
Additional information	18
Brocade resources	18
Other industry resources	18
Optional Brocade features	18
Getting technical help	18
Document feedback	19
Access Gateway Basic Concepts	21
Brocade Access Gateway overview	21
Comparing Native Fabric and Access Gateway modes	21
Fabric OS features in Access Gateway mode	23
Buffer credit recovery support	25
Forward error correction support	26
Virtual Fabrics support	26
Device authentication support	26
Access Gateway port types	29
Comparison of Access Gateway ports to standard switch ports	29
Access Gateway hardware considerations	31
Configuring Ports in Access Gateway Mode	33
Enabling and disabling Access Gateway mode	33
Port state description	34
Access Gateway mapping	35
Port mapping	36
F_Port Static Mapping	40
Device mapping	42
Considerations for Access Gateway mapping	48
N_Port configurations	50
Displaying N_Port configurations	51
Unlocking N_Ports	51
Persisting port online state	51
D_Port support	52
Limitations and considerations	52
Saving port mappings	53
Managing Policies and Features in Access Gateway Mode	55
Access Gateway policies overview	55
Displaying current policies	55
Access Gateway policy enforcement matrix	56
Advanced Device Security policy	56
How the ADS policy works	56
Enabling and disabling the ADS policy	57
Allow lists	57
ADS policy considerations	59
Upgrade and downgrade considerations for the ADS policy	59
Automatic Port Configuration policy	59
How the APC policy works	59
Enabling and disabling the APC policy	60
APC policy considerations	60
Upgrade and downgrade considerations for the APC policy	60
Port Grouping policy	61
How port groups work	61
Adding an N_Port to a port group	62
Deleting an N_Port from a port group	62
Removing a port group	62
Renaming a port group	63
Disabling the Port Grouping policy	63
Port Grouping policy modes	63
Creating a port group and enabling Automatic Login Balancing mode	64
Enabling MFNM mode	65
Disabling MFNM mode	65
Displaying the current MFNM mode timeout value	66
Setting the current MFNM mode timeout value	66
Port Grouping policy considerations	66
Upgrade and downgrade considerations for the Port Grouping policy	67
Device Load Balancing policy	67
Enabling the Device Load Balancing policy	67
Disabling the Device Load Balancing policy	67
Device Load Balancing policy considerations	68
Persistent ALPA policy	68
Enabling the Persistent ALPA policy	68
Disabling the Persistent ALPA policy	69
Persistent ALPA device data	69
Clearing ALPA values	69
Persistent ALPA policy considerations	70
Failover policy	70
Failover with port mapping	70
Failover with device mapping	73
Enabling and disabling the Failover policy on an N_Port	74
Enabling and disabling the Failover policy for a port group	74
Upgrade and downgrade considerations for the Failover policy	75
Failback policy	75
Failback policy configurations in Access Gateway	75
Enabling and disabling the Failback policy on an N_Port	76
Enabling and disabling the Failback policy for a port group	77
Upgrade and downgrade considerations for the Failback policy	77
Failback policy disabled on unreliable links (N_Port monitoring)	77
Trunking in Access Gateway mode	78
How trunking works	78
Configuring trunking on the Edge switch	78
Configuration management for trunk areas	79
Enabling trunking	81
Disabling F_Port trunking	81
Monitoring trunking	81
AG trunking considerations for the Edge switch	82
Trunking considerations for Access Gateway mode	85
Upgrade and downgrade considerations for trunking in Access Gateway mode	85
Adaptive Networking on Access Gateway	85
QoS: Ingress rate limiting	86
QoS: SID/DID traffic prioritization	86
Upgrade and downgrade considerations for Adaptive Networking in AG mode	86
Adaptive Networking on Access Gateway considerations	87
Per-Port NPIV login limit	87
Setting the login limit	87
Advanced Performance Monitoring	88
End-to-end monitors	88
Frame monitors	89
Limitations for using APM	90
Considerations for the Brocade 8000	90
Port mapping	90
Policy and feature support	90
Fabric OS command support	91
Considerations for the Brocade 6505 and 6510	92
SAN Configuration with Access Gateway	93
Connectivity of multiple devices overview	93
Considerations for connecting multiple devices	93
Direct target attachment	94
Considerations for direct target attachment	94
Target aggregation	95
Access Gateway cascading	96
Access Gateway cascading considerations	96
Fabric and Edge switch configuration	97
Verifying the switch mode	97
Enabling NPIV on M-EOS switches	98
Connectivity to Cisco fabrics	98
Enabling NPIV on a Cisco switch	98
Rejoining Fabric OS switches to a fabric	99
Reverting to a previous configuration	99
Troubleshooting	101

Match case Limit results 1 per page

Access Gateway Administrator’s Guide

53-1002743-01

Advanced Device Security policy

Enabling and disabling the ADS policy

By default, the ADS policy is disabled. When you manually disable the ADS policy, all of the allow

lists (global and per-port) are cleared. Before disabling the ADS policy, you should save the

configuration using the

configUpload

command in case you need this configuration again.

Connect to the switch and log in using an account assigned to the admin role.

Enter the

policyenable ads

command to enable the ADS policy.

switch:admin>

ag --policyenable ads

The policy ADS is enabled

Enter the

policydisable ads

command to disable the ADS policy.

switch:admin>

ag --policydisable ads

The policy ADS is disabled

NOTE

Use the

ag --policyshow

command to determine the current status of the ADS policy.

Allow lists

You can determine which devices are allowed to log in on a per-F_Port basis by specifying lists of

F_Ports and device WWNs in the

adsset

command. The ADS policy must be enabled for this

command to succeed.

ag --adsset “

F_Port [;F_Port2;...]

”

“

WWN [;WWN2;...]”

Lists must be enclosed in quotation marks. List members must be separated by semicolons. The

maximum number of entries in the allowed device list is twice the per-port maximum login count.

Use an asterisk (*) instead of port numbers in the F_Port list to add the specified WWNs to all the

F_Ports allow lists. Use an asterisk (*) instead of WWNs to indicate access to all devices from the

specified F_Port list. A blank WWN list (““) indicates no access.

NOTE

Use an asterisk enclosed in quotation marks (”*”) to set the allow list to “all access”; use a pair of

double quotation marks (“”) to set the allow list to “no access”.

Note the following characteristics of the allow list:

•

The maximum device entries allowed in the allow list is twice the per-port maximum login

count.

•

Each port can be configured to “not allow any device” or “to allow all the devices” to log in.

•

If the ADS policy is enabled, by default, every port is configured to allow all devices to log in.

•

The same allow list can be specified for more than one F_Port.

Setting the list of devices allowed to log in

Connect to the switch and log in using an account assigned to the admin role.

Enter the

adsset

command with the appropriate options to set the list of devices allowed

to log in to specific ports. In the following example, ports 1, 10, and, 13 are set to “all access.”

switch:admin> ag --adsset "1;10;13" "*"

WWN list set successfully as the Allow Lists of the F_Port[s]