114 Configuring advanced security
The following example shows a fabric-wide consistency policy that is not defined.

switch:admin> fddcfg --showall
Local Switch Configuration for all Databases:-
DATABASE - Accept/Reject
-------------------------
SCC - accept
DCC - accept
PWD - accept
Fabric Wide Consistency Policy:- ""

To set the fabric-wide consistency policy
1. Connect to the switch and log in.
2. Enter the following command:

fddCfg --fabwideset "<policy_ID>"

Where policy_ID is a semicolon-separated list of database settings (database_setting;database_setting), each equal to one of the following:

null - Exclude the database ID from the list to set the policy to absent.
database_id - Sets a tolerant policy for a database. The database ID is either SCC or DCC.
database_id:S - Sets the policy to strict. The database ID is either SCC or DCC.

The following examples show how to set a strict SCC and tolerant DCC fabric-wide consistency policy.

switch:admin> fddcfg --fabwideset "SCC:S;DCC"
switch:admin> fddcfg --showall
Local Switch Configuration for all Databases:-
DATABASE - Accept/Reject
-------------------------
SCC - accept
DCC - accept
PWD - accept
Fabric Wide Consistency Policy:- "SCC:S;DCC"

Notes on joining a switch to the fabric

When a switch is joined to a fabric with a tolerant SCC or DCC fabric-wide consistency policy, the joining switch must have a matching tolerant SCC or DCC fabric-wide consistency policy. If the tolerant SCC or DCC fabric-wide consistency policies do not match, the switch can join the fabric, but an error message flags the mismatch. If the tolerant SCC and DCC fabric-wide consistency policies match, the corresponding SCC and DCC ACL policies are compared.

The enforcement of fabric-wide consistency policy involves comparison of only the Active policy set. If the ACL policies match, the switch joins the fabric successfully. If the ACL policies are absent on the switch or on the fabric, the switch joins the fabric successfully, and the ACL policies are copied automatically from the side where they are present to the side where they are absent. The Active policy set from the side where the policies are present overwrites the Active and Defined policy sets on the side where they are absent. If the ACL policies do not match, the switch can join the fabric, but an error message flags the mismatch.

Under both conflicting conditions, secPolicyActivate is blocked in the merged fabric. Use the fddcfg --fabwideset command to resolve the fabric-wide consistency policy conflicts. Use the distribute command to explicitly resolve conflicting ACL policies.

When a switch is joined to a fabric with a strict SCC or DCC fabric-wide consistency policy, the joining switch must have a matching fabric-wide consistency policy. If the strict SCC or DCC fabric-wide consistency policies do not match, the switch cannot join the fabric and the neighboring E_ports will be
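
The join rules in "Notes on joining a switch to the fabric", sketched as an added Python example (not Brocade's code and not part of the original manual): it parses the Fabric Wide Consistency Policy line of fddcfg --showall output and predicts the join outcome per database before a switch is connected. The function names, sample outputs and WWN are constructed; a mismatch involving a strict side is treated as a strict mismatch, and the matching-strict case is reported as unknown because the text above does not cover it.

```python
import re

def parse_fabwide(showall_text):
    """Map SCC/DCC to 'strict', 'tolerant' or 'absent' from fddcfg --showall output."""
    m = re.search(r'Fabric Wide Consistency Policy:-\s*["“]([^"”]*)["”]', showall_text)
    if not m:
        raise ValueError("no Fabric Wide Consistency Policy line found")
    policy = {"SCC": "absent", "DCC": "absent"}  # a database left out of the list is absent
    for setting in filter(None, (s.strip() for s in m.group(1).split(";"))):
        db, _, flag = setting.partition(":")
        if db not in policy or flag not in ("", "S"):
            raise ValueError(f"unexpected database setting: {setting!r}")
        policy[db] = "strict" if flag == "S" else "tolerant"
    return policy

def predict_join(fabric, switch, fabric_acl, switch_acl):
    """Return {db: (outcome, detail)}; *_acl maps db -> Active ACL member set, None if absent."""
    report = {}
    for db in ("SCC", "DCC"):
        f, s = fabric[db], switch[db]
        fa, sa = fabric_acl.get(db), switch_acl.get(db)
        if f != s and "strict" in (f, s):
            # Assumption of this example: any mismatch with a strict side is a strict mismatch.
            report[db] = ("cannot-join", "strict fabric-wide policy mismatch")
        elif f != s:
            report[db] = ("join-with-error", "policy mismatch; resolve with fddcfg --fabwideset")
        elif f == "absent":
            report[db] = ("join", "no fabric-wide policy for this database")
        elif f == "strict":
            report[db] = ("unknown", "strict policies match; ACL rules not covered by the text")
        elif fa is None or sa is None or fa == sa:
            copied = fa != sa  # present on exactly one side: Active set is copied across
            detail = "Active ACL copied to the side lacking it" if copied else "ACLs match"
            report[db] = ("join", detail)
        else:
            report[db] = ("join-with-error", "ACL mismatch; resolve with distribute")
    return report

# Constructed sample output, trimmed to the one line the parser needs.
FABRIC = 'Fabric Wide Consistency Policy:- "SCC:S;DCC"'
JOINER = 'Fabric Wide Consistency Policy:- "SCC;DCC"'
# Constructed Active ACL member sets (placeholder WWN); None means the policy is absent.
FABRIC_ACL = {"DCC": {"10:00:00:00:00:00:00:01"}}
JOINER_ACL = {"DCC": None}

if __name__ == "__main__":
    result = predict_join(parse_fabwide(FABRIC), parse_fabwide(JOINER), FABRIC_ACL, JOINER_ACL)
    for db, (outcome, detail) in result.items():
        print(f"{db}: {outcome} ({detail})")
```

Either join-with-error outcome corresponds to the conflicting conditions under which secPolicyActivate is blocked in the merged fabric.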