Reference Guide
Policy database distribution
Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or fabric-wide basis. The local switch distribution
setting and the fabric-wide consistency policy affect the switch ACL policy database and related distribution behavior.
The ACL policy database is managed as follows:
∙ Switch database distribution setting -- Controls whether the switch accepts or rejects databases distributed from other
switches in the fabric. The distribute command sends the database from one switch to another, overwriting the target switch
database with the distributed one. To send or receive a database, the setting must be accept. For configuration instructions, refer
to .
Virtual Fabric considerations: FCS, DCC, SCC, and AUTH databases can be distributed using the distribute command, but the PWD is
blocked from distribution. The IPFILTER databases can be distributed using the FID in a VF environment.
∙ Manually distribute an ACL policy database -- Use the distribute command to push the local database of the specified policy
type to target switches. Refer to ACL policy distribution to other switches on page 244.
∙ Fabric-wide consistency policy -- Use this policy to ensure that switches in the fabric enforce the same policies. Set a strict or
tolerant fabric-wide consistency policy for each ACL policy type to automatically distribute that database when a policy change
is activated. If a fabric-wide consistency policy is not set, then the policies are managed on a per-switch basis. For configuration
instructions, refer to Fabric-wide enforcement on page 244.
Virtual Fabric considerations: Fabric-wide consistency policies are configured on a per-logical switch basis and are applied to the fabrics
connected to the logical switches. Automatic policy distribution behavior for DCC, SCC, and FCS is the same as that of pre-v6.2.0
releases and is configured on a per-logical switch basis.
The following table explains how the local database distribution settings and the fabric-wide consistency policy affect the local database
when the switch is the target of a distribute command.
TABLE 49 Interaction between fabric-wide consistency policy and distribution settings

| Distribution setting | Fabric-wide consistency policy: Absent (default) | Fabric-wide consistency policy: Tolerant | Fabric-wide consistency policy: Strict |
|---|---|---|---|
| Reject | Database is protected, it cannot be overwritten. May not match other databases in the fabric. | Invalid configuration. [5] | Invalid configuration. [5] |
| Accept (default) | Database is not protected, the database can be overwritten. If the switch initiating a distribute command has a strict or tolerant fabric-wide consistency policy, the fabric-wide policy is also overwritten. May not match other databases in the fabric. | Database is not protected. Automatically distributes activated changes to other v6.2.0 or later switches in the fabric. If the fabric-wide consistency is set as "strict" for a particular policy, then the manual distribution is blocked. May not match other databases in the fabric. | Database is not protected. Automatically distributes activated changes to all switches in the fabric. Fabric can only contain switches running Fabric OS v6.2.0 or later. Active database is the same for all switches in the fabric. |

[5] An error is returned indicating that the distribution setting must be Accept before you can set the fabric-wide consistency policy.
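The following added example (not part of the Brocade guide) applies Table 49 to a switch inventory to flag invalid combinations, databases that a peer's distribute command can overwrite, and switches that automatic distribution does not reach. The inventory layout, switch names, and finding strings are constructed assumptions, and treating the strictest policy seen for a database as the fabric's policy is a simplification of this example.

```python
# Added example: audit a constructed switch inventory against Table 49.
# Field names and layout are assumptions for illustration, not Fabric OS output.
MIN_AUTO_DIST = (6, 2, 0)  # automatic distribution reaches v6.2.0 or later only

INVALID = "invalid: Reject combined with a fabric-wide consistency policy"
OVERWRITABLE = "unprotected: a peer's distribute can overwrite this database"
STRICT_OLD = "strict policy, but switch runs a pre-v6.2.0 release"
DRIFT = "tolerant policy: no automatic updates reach this switch, may drift"

# One entry per (switch, ACL policy type); policy is None when no fabric-wide
# consistency policy is set on that switch, else "tolerant" or "strict".
INVENTORY = [
    {"switch": "core1", "fos": (8, 0, 1), "db": "SCC", "setting": "accept", "policy": "strict"},
    {"switch": "edge1", "fos": (8, 0, 1), "db": "SCC", "setting": "reject", "policy": "strict"},
    {"switch": "old1", "fos": (6, 1, 0), "db": "SCC", "setting": "accept", "policy": None},
    {"switch": "core1", "fos": (8, 0, 1), "db": "DCC", "setting": "accept", "policy": "tolerant"},
    {"switch": "edge1", "fos": (8, 0, 1), "db": "DCC", "setting": "reject", "policy": None},
    {"switch": "old1", "fos": (6, 1, 0), "db": "DCC", "setting": "accept", "policy": None},
]


def audit(inventory):
    """Return sorted (switch, db, finding) tuples for invalid or risky cells."""
    fabric_policy = {}  # db -> strictest policy set on any switch (assumption)
    for e in inventory:
        if e["policy"] == "strict" or (e["policy"] and e["db"] not in fabric_policy):
            fabric_policy[e["db"]] = e["policy"]
    findings = set()
    for e in inventory:
        key = (e["switch"], e["db"])
        if e["setting"] == "reject" and e["policy"]:
            findings.add(key + (INVALID,))  # Reject + Tolerant/Strict
        elif e["setting"] == "accept" and e["policy"] is None:
            findings.add(key + (OVERWRITABLE,))  # Accept + Absent
        # Reject + Absent is the protected cell and yields no finding.
        if e["fos"] < MIN_AUTO_DIST and e["db"] in fabric_policy:
            strict = fabric_policy[e["db"]] == "strict"
            findings.add(key + (STRICT_OLD if strict else DRIFT,))
    return sorted(findings)


if __name__ == "__main__":
    for switch, db, finding in audit(INVENTORY):
        print(f"{switch:6} {db:4} {finding}")
```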
Configuring Security Policies
Brocade Fabric OS Administration Guide, 8.0.1
242 53-1004111-02