Reference Guide
TABLE 39 FCS policy states (continued)

| Policy state | Characteristics |
|---|---|
| Active policy with multiple entries | A Primary FCS switch and one or more backup FCS switches are designated. If the Primary FCS switch becomes unavailable, the next switch in the list becomes the Primary FCS switch. |

FCS policy restrictions
The backup FCS switches normally cannot modify the policy. However, if the Primary FCS switch in the policy list is not reachable, then
a backup FCS switch is allowed to modify the policy.
Once an FCS policy is configured and distributed across the fabric, only the Primary FCS switch can perform certain operations.
Operations that affect fabric-wide configuration are allowed only from the Primary FCS switch. Backup and non-FCS switches cannot
perform security, zoning and AD operations that affect the fabric configuration. The following error message is returned if a backup or
non-FCS switch tries to perform these operations:
Can only execute this command on the Primary FCS switch.
Operations that do not affect the fabric configuration, such as show or local switch commands, are allowed on backup and non-FCS
switches.
FCS enforcement applies only for user-initiated fabric-wide operations. Internal fabric data propagation because of a fabric merge is not
blocked. Consequently, a new switch that joins the FCS-enabled fabric could still propagate the AD and zone database.
Table 40 shows the commands for switch operations for Primary FCS enforcement.
TABLE 40 FCS switch operations

| Allowed on FCS switches | Allowed on all switches |
|---|---|
| secPolicyAdd (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide) | secPolicyShow |
| secPolicyCreate (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide) | fddCfg --localaccept or fddCfg --localreject |
| secPolicyDelete (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide) | userconfig, Passwd, Passwdcfg (Fabric-wide distribution is not allowed from a backup or non-FCS switch.) |
| secPolicyRemove (Allowed on all switches for SCC and DCC policies as long as it is not fabric-wide) | secPolicyActivate |
| fddCfg --fabwideset | secPolicySave |
| Any fabric-wide commands | secPolicyAbort |
| All zoning commands except the show commands | SNMP commands |
| All AD commands | configupload |
| | Any local-switch commands |

In Fabric OS v7.1.0 and later, security policy members are sorted based on WWN to avoid segmentation of ports due to a member-list order mismatch. By default, DCC and SCC policy members are sorted based on WWN. Switches running earlier Fabric OS versions keep the member list in unsorted order. Any older-version switch with a policy already created in unsorted order will have port segmentation due to order mismatch when attempting to join any switch with Fabric OS v7.1.0 or later. To overcome the order mismatch, you can modify the member list in the switch by using the -legacy option in the secPolicyAdd and secPolicyCreate commands.
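The following is an added example, not taken from the Brocade guide: a pre-merge check for the order mismatch described above. It compares one policy's member list as recorded on two switches and separates an order-only difference from a real membership difference. It handles plain switch-WWN lists as in an SCC policy; the sample WWNs are constructed, and sorting by the numeric value of the WWN bytes is an assumption about how Fabric OS orders members.

```python
import re

_WWN_RE = re.compile(r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}")


def normalize_wwn(wwn):
    """Lower-case a colon-separated 8-byte WWN and validate its shape."""
    w = wwn.strip().lower()
    if not _WWN_RE.fullmatch(w):
        raise ValueError(f"not a WWN: {wwn!r}")
    return w


def wwn_sorted(members):
    """Sort members by the value of their 8 WWN bytes (assumed sort key)."""
    return sorted((normalize_wwn(m) for m in members),
                  key=lambda w: bytes.fromhex(w.replace(":", "")))


def compare_policy(local, remote):
    """Classify two member lists of the same policy.

    Returns (status, details) where status is 'match', 'order-mismatch'
    or 'member-mismatch'.
    """
    a = [normalize_wwn(m) for m in local]
    b = [normalize_wwn(m) for m in remote]
    if a == b:
        return "match", []
    if sorted(a) == sorted(b):
        # Same members in a different order: the case the guide says
        # leads to port segmentation between old and new switches.
        diffs = [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
        return "order-mismatch", diffs
    # Members present on only one side: a genuine policy conflict.
    return "member-mismatch", sorted(set(a) ^ set(b))


# Constructed sample data: a policy created unsorted on an older switch,
# and the same policy as a WWN-sorted switch would hold it.
LEGACY_SWITCH = ["10:00:00:00:00:00:00:0C",
                 "10:00:00:00:00:00:00:0a",
                 "10:00:00:00:00:00:00:0b"]
NEW_SWITCH = wwn_sorted(LEGACY_SWITCH)

if __name__ == "__main__":
    print(compare_policy(LEGACY_SWITCH, NEW_SWITCH))
```

An `order-mismatch` result is the situation the -legacy option is meant for; a `member-mismatch` result means the policies really differ and reordering will not reconcile them.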
Configuring Security Policies
Brocade Fabric OS Administration Guide, 8.0.1
53-1004111-02