Dell PowerEdge M420 8/4 Gbps FC SAN Module Administrator's Guide - Page 22

FC SAN Module policy enforcement matrix, Advanced Device Security policy, How the ADS policy works



Dell 8/4Gbps FC SAN Module Administrator’s Guide (53-1001345-01), page 8
3 Advanced Device Security policy

FC SAN Module policy enforcement matrix

The following table shows which combinations of policies can co-exist with each other.

TABLE 4 Policy enforcement matrix

| Policies | Auto Port Configuration | Port Grouping | ADS Policy |
|---|---|---|---|
| Auto Port Configuration | N/A | Cannot co-exist | Can co-exist |
| N_Port Grouping | Mutually exclusive | N/A | Can co-exist |
| ADS Policy | Can co-exist | Can co-exist | N/A |

Advanced Device Security policy

The Advanced Device Security (ADS) policy is disabled by default for the FC SAN Module. ADS is a security policy that restricts access to the fabric to a set of authorized devices. Unauthorized access is rejected and the system logs a RASLOG message. You can configure the list of allowed devices for each internal port (F_Port) by specifying their Port WWN (PWWN). The ADS policy secures virtual and physical connections to the SAN.

How the ADS policy works

When you enable this policy, it applies to all internal ports (F_Ports) on the FC SAN Module. By default, all devices have access to the fabric on all ports. You can restrict fabric connectivity to a particular set of devices: the FC SAN Module maintains a per-port allow list of the devices whose PWWNs you define as permitted to log in through an internal port. You can view the devices with active connections to an internal port using the ag --show command.

NOTE
The ag --show command only displays the Core FC SAN Module, such as the modules that are directly connected to the fabric. The agshow --name name command displays the internal ports of both the Core and Edge modules.

Enabling and disabling the Advanced Device Security policy

By default, the ADS policy is disabled. When you manually disable the ADS policy, all of the allow lists (global and per-port) are cleared. Before disabling the ADS policy, you should save the configuration using the configupload command in case you need this configuration again.

1. Connect to the FC SAN Module and log in using an account assigned to the admin role.

2. Enter the ag --policyenable ads command to enable the ADS policy.

    switch:admin> ag --policyenable ads
    The policy ADS is enabled

3. Enter the ag --policydisable ads command to disable the ADS policy.

    switch:admin> ag --policydisable ads
    The policy ADS is disabled
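
The per-port allow-list behaviour under "How the ADS policy works", and the clearing of allow lists on disable, modelled as an added example (not part of the Dell guide and not Fabric OS code). The class, its method names and the WWNs are constructed for illustration; the model assumes PWWNs are compared case-insensitively.

```python
import re

_WWN = re.compile(r"([0-9a-f]{2}:){7}[0-9a-f]{2}")

def norm_pwwn(pwwn):
    """Lower-case a colon-separated 8-byte WWN; reject anything malformed."""
    w = pwwn.strip().lower()
    if not _WWN.fullmatch(w):
        raise ValueError(f"malformed PWWN: {pwwn!r}")
    return w

class AdsModel:
    """Toy model of the ADS behaviour described above (hypothetical names)."""

    def __init__(self):
        self.enabled = False   # ADS is disabled by default
        self.allow = {}        # F_Port number -> set of allowed PWWNs
        self.log = []          # stands in for RASLOG messages

    def policy_enable(self):
        self.enabled = True

    def policy_disable(self):
        # Disabling clears every allow list, hence the advice to save first.
        self.enabled = False
        self.allow.clear()

    def set_allow_list(self, port, pwwns):
        self.allow[port] = {norm_pwwn(p) for p in pwwns}

    def login(self, port, pwwn):
        """Return True if the device may log in through this F_Port."""
        w = norm_pwwn(pwwn)
        # With no list defined for the port, all devices have access.
        if not self.enabled or port not in self.allow or w in self.allow[port]:
            return True
        self.log.append(f"ADS: rejected login of {w} on F_Port {port}")
        return False

def disable_reenable_demo():
    m = AdsModel()
    m.policy_enable()
    m.set_allow_list(1, ["10:00:00:00:C9:AA:BB:01"])   # constructed WWN
    unlisted = "10:00:00:00:c9:aa:bb:99"               # constructed WWN
    before = m.login(1, unlisted)    # rejected and logged
    m.policy_disable()               # allow lists are cleared here
    m.policy_enable()
    after = m.login(1, unlisted)     # allowed: port 1 is back to the default
    return before, after, len(m.log)
```

The demo shows why a disable/enable cycle without a saved configuration matters: the unlisted device is rejected before the cycle and admitted after it, because the restriction on port 1 no longer exists.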