106 Configuring advanced security
DCC policy restrictions
The following restrictions apply when using DCC policies:
•
Fabric OS 5.2.x supports DCC policies. You cannot directly transfer DCC policies created in Secure
Fabric OS to policies to be used in Fabric OS.
Policies created in Secure Fabric OS are deleted when Secure Fabric OS is disabled; policies created in
Fabric OS are deleted when Secure Fabric OS is enabled. Therefore, back up DCC policies before
enabling or disabling Secure Fabric OS.
•
Some older private-loop HBAs do not respond to port login from the switch and are not enforced by the
DCC policy. This does not create a security problem because these HBAs cannot contact any device
outside of their immediate loop.
•
DCC policies cannot manage or restrict iSCSI connections, that is an FC Initiator connection from an
iSCSI gateway.
•
You cannot manage proxy devices with DCC policies. Proxy devices are always granted full access,
even if the DCC policy has an entry that restricts or limits access of a proxy device.
Creating a DCC policy
DCC policies must follow the naming convention “DCC_POLICY_
nnn,
” where
nnn
represents a unique
string. To save memory and improve performance, one DCC policy per switch or group of switches is
recommended.
Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN,
domain ID, or switch name followed by the port or area number. To specify an allowed connection, enter
the device port WWN, a semicolon, and the switch port identification.
Following are the possible methods of specifying an allowed connection:
•
deviceportWWN
;
switchWWN
(port or area number)
•
deviceportWWN
;
domainID
(port or area number)
•
deviceportWWN
;
switchname
(port or area number)
To create a DCC policy
1.
Connect to the switch and log in.
2.
Type
secPolicyCreate “
DCC_POLICY_nnn
”, “
member
;
...
;
member
”
.
DCC_POLICY_nnn
is the name of the DCC policy;
nnn
is a string consisting of up to 19 alphanumeric
or underscore characters to differentiate it from any other DCC policies.
Policy with no entries
Any device can connect to any switch port in the fabric. An empty policy is the
same as no policy.
Policy with entries
If a device WWN is specified in a DCC policy, that device is only allowed
access to the switch if connected by a switch port listed in the same policy.
If a switch port is specified in a DCC policy, it only permits connections from
devices that are listed in the policy.
Devices with WWNs that are not specified in a DCC policy are allowed to
connect to the switch at any switch ports that are not specified in a DCC policy.
Switch ports and device WWNs may exist in multiple DCC policies.
Proxy devices are always granted full access and can connect to any switch port
in the fabric.
Table 25
DCC policy states
Policy state
Characteristics
Содержание AE370A - Brocade 4Gb SAN Switch 4/12
Страница 1: ...HP StorageWorks Fabric OS 5 2 x administrator guide Part number 5697 0014 Fifth edition May 2009 ...
Страница 18: ...18 ...
Страница 82: ...82 Managing user accounts ...
Страница 102: ...102 Configuring standard security features ...
Страница 126: ...126 Maintaining configurations ...
Страница 198: ...198 Routing traffic ...
Страница 238: ...238 Using the FC FC routing service ...
Страница 260: ...260 Administering FICON fabrics ...
Страница 280: ...280 Working with diagnostic features ...
Страница 332: ...332 Administering Extended Fabrics ...
Страница 414: ...398 Configuring the PID format ...
Страница 420: ...404 Configuring interoperability mode ...
Страница 426: ...410 Understanding legacy password behaviour ...
Страница 442: ...426 ...
Страница 444: ......
Страница 447: ......