HP AE370A HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 20 - Page 120
ACL policy management
UPC - 882780362611
When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the policy was saved but has not been activated. If a policy with the same name appears in both the defined and active sets but the two versions have different values, the policy has been modified but the changes have not been activated.

Admin Domain considerations: ACL management can be done on AD255 and AD0 only if there are no user-defined Admin Domains. Both AD0 (when no other user-defined Admin Domains exist) and AD255 provide an unfiltered view of the fabric.

Virtual Fabric considerations: ACL policies such as DCC, SCC, and FCS can be configured on each Logical Switch.

Policy members

The FCS, DCC, and SCC policy members are specified by device port WWN, switch WWN, domain IDs, or switch names, depending on the policy. The valid methods for specifying policy members are listed in Table 25.

Table 25 Valid methods for specifying policy members

Policy name      Device port WWN   Switch WWN   Domain ID   Switch name
FCS_POLICY       No                Yes          Yes         Yes
DCC_POLICY_nnn   Yes               Yes          Yes         Yes
SCC_POLICY       No                Yes          Yes         Yes

ACL policy management

All policy modifications are temporarily stored in volatile memory until those changes are saved or activated. You can create multiple sessions to the switch from one or more hosts. HP recommends that you make changes only from one switch to prevent multiple transactions from occurring.

Each Logical Switch will have its own access control list.

The FCS, SCC and DCC policies in Secure Fabric OS are not interchangeable with Fabric OS FCS, SCC, and DCC policies. HP recommends uploading and saving a copy of the Fabric OS configuration after creating policies. For more information on configuration uploads, see Chapter 5, "Maintaining the switch configuration file" on page 163.

You can view the active and defined policy sets at any time.
Additionally, in a defined policy set, policies created in the same login session also appear, but these policies are automatically deleted if you log out without saving them.

NOTE: All changes, including the creation of new policies, are saved and activated on the local switch only, unless the switch is in a fabric that has a strict or tolerant fabric-wide consistency policy for the ACL policy type for SCC or DCC. See "Policy database distribution" on page 139 for more information on the database settings and fabric-wide consistency policy.

Use the instructions in the following sections to manage common settings between two or more of the DCC, FCS, and SCC policies. For instructions relating to a specific policy, see the appropriate section.

• "Displaying ACL policies" on page 119 displays a list of all active and defined ACL policies on the switch.
• "ACL policy modifications" on page 126 discusses saving changes to memory without actually implementing the changes within the fabric or to the switch. This saved, but inactive, information is known as the "defined policy set." It also discusses simultaneously saving and implementing all the policy changes made since the last time changes were activated; the activated policies are known as the "active policy set." If you delete the entire policy, that aspect of the fabric is open to all access.
• "Member modification to existing policies" on page 127 discusses the addition of one or more members to a policy. The aspect of the fabric covered by each policy is closed to access by all devices

118 Configuring advanced security features
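The defined/active rules and Table 25 above can be turned into a small audit check. The following is an added example, not code from the HP guide or from Fabric OS: the (kind, value) member layout, the function names, and all sample policies and WWNs are constructed for illustration, and the "active only" state is an assumption for a case the text does not describe.

```python
# Added example: classify ACL policies by comparing the defined and active sets.
# Data layout and sample values are constructed; they are not Fabric OS output.

# Table 25: member kinds each policy accepts (DCC policies are named DCC_POLICY_nnn).
ALLOWED = {
    "FCS_POLICY": {"switch_wwn", "domain_id", "switch_name"},
    "SCC_POLICY": {"switch_wwn", "domain_id", "switch_name"},
    "DCC_POLICY": {"port_wwn", "switch_wwn", "domain_id", "switch_name"},
}

def policy_family(name):
    """Map DCC_POLICY_nnn to its Table 25 row; other names map to themselves."""
    return "DCC_POLICY" if name.startswith("DCC_POLICY") else name

def invalid_members(name, members):
    """Return the members whose kind Table 25 does not allow for this policy."""
    allowed = ALLOWED.get(policy_family(name), set())
    return sorted(m for m in members if m[0] not in allowed)

def audit(defined, active):
    """Return {policy: state} using the defined/active rules from the text."""
    report = {}
    for name in sorted(set(defined) | set(active)):
        if name not in active:
            report[name] = "saved, not activated"
        elif name not in defined:
            report[name] = "active only"  # assumption: case not covered by the text
        elif set(defined[name]) != set(active[name]):
            report[name] = "modified, changes not activated"
        else:
            report[name] = "in sync"
    return report

# Constructed sample policy sets (hypothetical switch names and WWNs).
DEFINED = {
    "SCC_POLICY": [("switch_wwn", "10:00:00:05:1e:00:00:01"), ("domain_id", "3")],
    "DCC_POLICY_eng": [("port_wwn", "20:00:00:05:1e:00:00:aa")],
    "FCS_POLICY": [("switch_name", "core_sw1")],
}
ACTIVE = {
    "SCC_POLICY": [("switch_wwn", "10:00:00:05:1e:00:00:01")],
    "FCS_POLICY": [("switch_name", "core_sw1")],
}

if __name__ == "__main__":
    for name, state in audit(DEFINED, ACTIVE).items():
        bad = invalid_members(name, DEFINED.get(name, []))
        print(f"{name}: {state}; members not allowed by Table 25: {bad}")
```

Any policy reported as anything other than "in sync" marks a gap between what was configured and what the switch is enforcing.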