HP A7533A HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, Dece - Page 110

Table 25 FCS policy states (continued) Policy state Characteristics Active policy with one entry Active policy with multiple entries A primary FCS switch is designated (local switch), but there are no backup FCS switches. If the primary FCS switch becomes unavailable for any reason, the fabric is left without an FCS switch. A primary FCS switch and one or more backup FCS switches are designated. If the primary FCS switch becomes unavailable, the next switch in the list becomes the primary FCS switch. The FCS policy is designed to accommodate mixed fabric environments that contain switches with pre-5.3.0 and later versions of Fabric OS. By setting the configuration parameters to accept fabric distribution, Fabric OS 6.0.0 and later switches may enforce FCS policy and perform database distribution among 5.3.0 and 6.0.0 and later switches while still allowing pre-5.3.0 switches to join the fabric. The following items describe distribution behavior for pre-Fabric OS 5.3.0: • Distribution to pre-5.3.0 switches with specific Domain IDs When specific Domain IDs are given for the distribution, all domains must be on a switch with Fabric OS 5.3.0 or later. If one of the domains is pre-5.3.0 the distribution operation will fail. • Distribution to pre-5.3.0 switches using the wild card (*) character When the wild card character is specified, distribution succeeds even if the fabric contains pre-5.3.0 switches. However, the FCS database will be sent only to switches with a Fabric OS of 5.2.0 or later in the fabric and not to pre-5.2.0 switches. Fabric OS 5.2.0 switches receive the distribution and will ignore the FCS database. FCS policy restrictions The backup FCS switches normally cannot modify the policy. However, if the primary FCS switch in the policy list is not reachable, a back-up FCS switch will be allowed to modify the policy. Once an FCS policy is configured and distributed across the fabric, only the primary FCS switch can perform certain operations. Operations which affect fabric-widefabric-wide configuration are allowed only from the primary FCS switch. Backup and non-FCS switches cannot perform security, zoning and AD operations that affect the fabric configuration. The following error message is returned if a backup or non-FCS switch tries to perform these operations: Can only execute this command on the primary FCS switch. Operations that do not affect the fabric configuration, such as show or local switch commands, would be allowed on back-up and non-FCS switches. FCS enforcement applies only for user-initiated fabric-widefabric-wide operations. Internal fabric data propagation because of a fabric merge is not blocked. Consequently, a new switch which joins the FCS enabled fabric could still propagate the AD and zone database. Table 26 shows the commands for switch operations for a Primary FCS enforcement. Table 26 Switch operations Allowed on FCS switches Allowed on all switches secPolicyAdd (Allowed on all switches for secPolicyShow SCC/DCC policies as long as it is not fabric-wide) secPolicyCreate (Allowed on all switches for fddcfg -localaccept/localreject SCC/DCC policies as long as it is not fabric-wide) secPolicyDelete (Allowed on all switches for SCC/DCC policies as long as its not fabric-wide) userconfig, Passwd, Passwdcfg (Fabric-wide distribution is not allowed from a backup or non-FCS switch.) secPolicyRemove (Allowed on all switches for secPolicyActivate SCC/DCC policies as long as its not fabric-wide) fddcfg --fabwideset secPolicySave 110 Configuring advanced security features