108 Configuring advanced security
Fabric OS is disabled; policies created in Fabric OS are deleted when Secure Fabric OS is enabled. Back
up SCC policies before enabling or disabling Secure Fabric OS.
The SCC policy is used to restrict which switches can join the fabric. Switches are checked against the
policy each time an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY and accepts
members listed as WWNs, domain IDs, or switch names. Only one SCC policy can be created.
By default, any switch is allowed to join the fabric; the SCC policy does not exist until it is created. When
connecting a Fibre Channel router to a fabric or switch that has an active SCC policy, the front domain of
the Fibre Channel router must be included in the SCC policy.
SCC policy states are shown in
Table 26
.
To create an SCC policy
1.
Connect to the switch and log in.
2.
Type
secPolicyCreate “
SCC_POLICY
”, “
member;...;member
”
.
member
indicates a switch that is permitted to join the fabric. Specify switches by WWN, domain ID,
or switch name. Enter an asterisk (*) to indicate all the switches in the fabric.
For example, to create an SCC policy that allows switches that have domain IDs 2 and 4 to join the
fabric:
3.
To save or activate the new policy, enter either the
secPolicySave
or the
secPolicyActivate
command.
If neither of these commands is entered, the changes are lost when the session is logged out. For more
information about these commands, see ”
Saving changes to ACL policies
” on page 108 and
”
Activating changes to ACL policies
” on page 108.
Saving changes to ACL policies
You can save changes to ACL policies without activating them by entering the
secPolicySave
command. This saves the changes to the defined policy set. Until the
secPolicySave
or
secPolicyActivate
command is issued, all policy changes are in volatile memory only and are lost if
the switch reboots or the current session is logged out.
To save changes without activating the policies
1.
Connect to the switch and log in.
2.
Type the
secPolicySave
command.
Activating changes to ACL policies
Implement changes to the ACL policies using the
secPolicyActivate
command. This saves the
changes to the active policy set and activates all policy changes since the last time the command was
issued. You cannot activate policies on an individual basis; all changes to the entire policy set are
activated by the command. Until a
secPolicySave
or
secPolicyActivate
command is issued, all
policy changes are in volatile memory only and are lost upon rebooting.
Table 26
SCC policy states
Policy state
SCC policy enforcement
No active policy
All switches can connect to the switch with the specified policy.
Active policy that has no members
All neighboring switches are segmented.
Active policy that has members
The neighboring switches not specified in the SCC policy are
segmented.
switch:admin>
secpolicycreate "SCC_POLICY", “2;4”
SCC_POLICY has been created
switch:admin>
secpolicysave
Summary of Contents for AE370A - Brocade 4Gb SAN Switch 4/12
Page 18: ...18 ...
Page 82: ...82 Managing user accounts ...
Page 102: ...102 Configuring standard security features ...
Page 126: ...126 Maintaining configurations ...
Page 198: ...198 Routing traffic ...
Page 238: ...238 Using the FC FC routing service ...
Page 260: ...260 Administering FICON fabrics ...
Page 280: ...280 Working with diagnostic features ...
Page 332: ...332 Administering Extended Fabrics ...
Page 414: ...398 Configuring the PID format ...
Page 420: ...404 Configuring interoperability mode ...
Page 426: ...410 Understanding legacy password behaviour ...
Page 442: ...426 ...
Page 444: ......
Page 447: ......