Deployment Guide

Example of deleting stale DCC policies
switch:admin> secpolicydelete ALL_STALE_DCC_POLICY
About to clear all STALE DCC policies
ARE YOU SURE (yes, y, no, n): [no] y
DCC policy behavior with Fabric-Assigned PWWNs
A DCC policy check is always performed for the physical port WWN of a device when the HBA has
established that the device is attempting a normal FLOGI and has both a fabric-assigned port WWN
(FA-PWWN) and a physical port WWN.
DCC policies created with FA-PWWNs will result in the disabling of FA-PWWN assigned ports on
subsequent FLOGI. It is therefore recommended to create policies with the physical PWWN.
DCC policies created with the lock down feature result in DCC policies with FA-PWWNs. It is therefore
recommended to avoid using the lock down feature in fabrics that are using FA-PWWNs.
A DCC policy created with a device WWN for a specific port allows the device to log in only on the same
port. The same device will not be allowed to log in on a different port. For devices that log in across an
AG, the policy should be created with all the NPIV ports, so even if failover occurs the device will be
allowed to log in on a different NPIV port.
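
The two recommendations above can be checked before a policy is activated. The following Python example is added here and is not from this guide or from Fabric OS. It audits a simplified model of DCC policies (member WWNs plus allowed ports) for a policy that lists only a device's FA-PWWN and for a policy that omits a port the device may log in through. The data layout, the function names and all WWN and port values are constructed assumptions.

```python
# Added example: audits a simplified model of DCC policies. The data layout,
# names and all WWN/port values are constructed; nothing here is Fabric OS output.

def norm(wwn):
    """Normalize a WWN string for comparison."""
    return wwn.strip().lower()

def audit_dcc(policies, devices):
    """Return sorted (policy, device, finding) tuples.

    policies: {name: {"wwns": [...], "ports": [...]}}
    devices:  [{"name", "physical_pwwn", "fa_pwwn" or None, "login_ports"}]
    """
    findings = []
    for pname, pol in policies.items():
        members = {norm(w) for w in pol["wwns"]}
        allowed = set(pol["ports"])
        for dev in devices:
            phys = norm(dev["physical_pwwn"])
            fa = norm(dev["fa_pwwn"]) if dev.get("fa_pwwn") else None
            # The DCC check uses the physical PWWN, so a policy listing only
            # the FA-PWWN leads to the port being disabled on a later FLOGI.
            if fa in members and phys not in members:
                findings.append((pname, dev["name"], "FA_PWWN_ONLY"))
            # A device may log in only on ports in its policy; behind an AG,
            # every NPIV port it can fail over to must be listed.
            if phys in members:
                missing = set(dev["login_ports"]) - allowed
                if missing:
                    findings.append((pname, dev["name"],
                                     "MISSING_PORTS:" + ",".join(sorted(missing))))
    return sorted(findings)

# Constructed sample data (hypothetical policy names, WWNs and port labels).
POLICIES = {
    "DCC_POLICY_lockdown": {"wwns": ["50:00:AA:00:00:00:00:01"], "ports": ["1(4)"]},
    "DCC_POLICY_manual": {"wwns": ["10:00:aa:00:00:00:00:02"], "ports": ["1(8)"]},
}
DEVICES = [
    {"name": "hostA", "physical_pwwn": "10:00:aa:00:00:00:00:01",
     "fa_pwwn": "50:00:aa:00:00:00:00:01", "login_ports": ["1(4)"]},
    {"name": "hostB", "physical_pwwn": "10:00:aa:00:00:00:00:02",
     "fa_pwwn": None, "login_ports": ["1(8)", "1(9)"]},
]

if __name__ == "__main__":
    for finding in audit_dcc(POLICIES, DEVICES):
        print(finding)
```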
Table 44 lists the behavior of the DCC policy with FA-PWWNs in the fabric when the DCC policy is
created using lockdown support.
TABLE 44 DCC policy behavior with FA-PWWN when created using lockdown support

| Configuration | WWN seen on DCC policy list | Behavior when DCC policy activates | Behavior on portDisable and portEnable |
|---|---|---|---|
| FA-PWWN has logged into the switch; DCC policy creation with lock down (uses FA-PWWN); DCC policy activation. | FA-PWWN | Traffic will not be disrupted. (6) | Ports will be disabled for security violation. (7) |
| DCC policy creation with lockdown (uses physical PWWN); FA-PWWN has logged into the switch; DCC policy activation. | Physical PWWN | Traffic will not be disrupted. | Ports will come up without security issues. |
| DCC policy creation with lockdown (uses physical PWWN); DCC policy activation; FA-PWWN has logged into the switch. | Physical PWWN | Traffic will not be disrupted. | Ports will come up without any security issues. |

Table 45 shows the behavior of a DCC policy created manually with the physical PWWN of a device.
The configurations shown in this table are the recommended configurations when an FA-PWWN is
logged into the switch.
6 Indicates a security concern, because devices that are logged in with FA-PWWNs will not be disabled after activation of DCC policies
that are created with FA-PWWNs. This is done to avoid disturbing any existing management.
7 Any disruption in the port will disable the port for a security violation. As the traffic is already disrupted for this port, you must enforce
the DCC policy for a physical device WWN; otherwise, the device will not be allowed to log in again.
Fabric OS Administrators Guide 219
53-1003130-01