HP StorageWorks Fabric OS 5.3.x administrator guide (5697-0244, November 2009)

ManualsBrandsHP ManualsComputer AccessoriesHP 8/40 SAN Switch 8-port Upgrade E-LTU

121

122

123

124

125

126

127

128

129

130

Fabric OS 5.3.0 administrator guide 125

Configuring a DCC policy

Multiple DCC policies can be used to restrict which device ports can connect to which switch ports. The

devices can be initiators, targets, or intermediate devices such as SCSI routers and loop hubs. By default,

all device ports are allowed to connect to all switch ports; no DCC policies exist until they are created.

Each device port can be bound to one or more switch ports; the same device ports and switch ports may

be listed in multiple DCC policies. After a switch port is specified in a DCC policy, it permits connections

only from designated device ports. Device ports that are not specified in any DCC policies are allowed to

connect only to switch ports that are not specified in any DCC policies.

When a DCC violation occurs, the related port is automatically disabled and must be re-enabled using the

portEnable command.

The procedure used to create a DCC policy is described after Table 26, which shows the possible DCC

policy states.

DCC policy restrictions

The following restrictions apply when using DCC policies:

• Fabric OS 5.2.0 and later support DCC policies. You cannot directly transfer DCC policies created in

Secure Fabric OS to policies to be used in Fabric OS.

Policies created in Secure Fabric OS are deleted when Secure Fabric OS is disabled; policies created in

Fabric OS are deleted when Secure Fabric OS is enabled. Therefore, back up DCC policies before

enabling or disabling Secure Fabric OS.

• Some older private-loop HBAs do not respond to port login from the switch and are not enforced by the

DCC policy. This does not create a security problem because these HBAs cannot contact any device

outside of their immediate loop.

• DCC policies cannot manage or restrict iSCSI connections, that is, an FC Initiator connection from an

iSCSI gateway.

• You cannot manage proxy devices with DCC policies. Proxy devices are always granted full access,

even if the DCC policy has an entry that restricts or limits access of a proxy device.

Table 34 DCC policy states

Policy state Characteristics

No policy Any device can connect to any switch port in the fabric.

Policy with no entries Any device can connect to any switch port in the fabric. An empty policy is the same

as no policy.

Policy with entries If a device WWN is specified in a DCC policy, that device is only allowed access to

the switch if connected by a switch port listed in the same policy.

If a switch port is specified in a DCC policy, it only permits connections from devices

that are listed in the policy.

Devices with WWNs that are not specified in a DCC policy are allowed to connect

to the switch at any switch ports that are not specified in a DCC policy.

Switch ports and device WWNs may exist in multiple DCC policies.

Proxy devices are always granted full access and can connect to any switch port in

the fabric.