Fabric OS Administrator’s Guide
53-1002920-02

Device Connection Control policies
Each device port can be bound to one or more switch ports; the same device ports and switch
ports may be listed in multiple DCC policies. After a switch port is specified in a DCC policy, it
permits connections only from designated device ports. Device ports that are not specified in any
DCC policies are allowed to connect only to switch ports that are not specified in any DCC policies.
When a DCC violation occurs, the related port is automatically disabled and must be re-enabled
using the portEnable command.
Table 40 shows the possible DCC policy states.
Virtual Fabrics considerations
The DCC policies that have entries for the ports that are being moved from one logical switch to
another will be considered stale and will not be enforced. You can choose to keep stale policies in
the current logical switch or delete the stale policies after the port movements. Use the
secPolicyDelete command to delete stale DCC policies.

DCC policy restrictions
The following restrictions apply when using DCC policies:
• Some older private-loop host bus adaptors (HBAs) do not respond to port login from the switch
  and are not enforced by the DCC policy. This does not create a security problem because these
  HBAs cannot contact any device outside of their immediate loop.
• DCC policies cannot manage or restrict iSCSI connections, that is, an FC Initiator connection
  from an iSCSI gateway.
• You cannot manage proxy devices with DCC policies. Proxy devices are always granted full
  access, even if the DCC policy has an entry that restricts or limits access of a proxy device.

Creating a DCC policy
DCC policies must follow the naming convention “DCC_POLICY_nnn,” where nnn represents a
unique string. The maximum length is 30 characters, including the prefix DCC_POLICY_.
Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN,
domain ID, or switch name followed by the port or area number. To specify an allowed connection,
enter the device port WWN, a semicolon, and the switch port identification.

TABLE 40   DCC policy states

Policy state             Characteristics
No policy                Any device can connect to any switch port in the fabric.
Policy with no entries   Any device can connect to any switch port in the fabric. An empty
                         policy is the same as no policy.
Policy with entries      • If a device WWN or Fabric port WWN is specified in a DCC policy, that
                           device is only allowed access to the switch if connected by a switch
                           port listed in the same policy.
                         • If a switch port is specified in a DCC policy, it only permits
                           connections from devices that are listed in the policy.
                         • Devices with WWNs that are not specified in a DCC policy are allowed
                           to connect to the switch at any switch ports that are not specified
                           in a DCC policy.
                         • Switch ports and device WWNs may exist in multiple DCC policies.
                         • Proxy devices are always granted full access and can connect to any
                           switch port in the fabric.
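
The following added example (not part of the guide or of Fabric OS) models the Table 40 states and the DCC_POLICY_ naming rule in Python, so that a planned set of policies can be checked before a mismatch disables a port. It assumes a simplified policy model (a set of device port WWNs plus a set of switch ports); the names DccPolicy, make_policy, connection_allowed and is_proxy, the WWNs, and the switch port labels are constructed for illustration and are not Fabric OS syntax.

```python
from collections import namedtuple

PREFIX = "DCC_POLICY_"
MAX_NAME_LEN = 30  # total length, prefix included (from the guide)

# Simplified model (assumption): a policy is a set of device port WWNs plus
# a set of switch ports. Switch ports are opaque labels here, not FOS syntax.
DccPolicy = namedtuple("DccPolicy", "name device_wwns switch_ports")

def valid_name(name):
    """DCC_POLICY_ prefix, non-empty suffix, at most 30 characters in total."""
    return name.startswith(PREFIX) and len(PREFIX) < len(name) <= MAX_NAME_LEN

def make_policy(name, device_wwns=(), switch_ports=()):
    if not valid_name(name):
        raise ValueError(f"bad DCC policy name: {name!r}")
    wwns = frozenset(w.strip().lower() for w in device_wwns)
    return DccPolicy(name, wwns, frozenset(switch_ports))

def connection_allowed(policies, device_wwn, switch_port, is_proxy=False):
    """Return (allowed, reason) for one device login, per the Table 40 states."""
    if is_proxy:  # hypothetical flag: the caller knows the device is a proxy
        return True, "proxy devices are always granted full access"
    wwn = device_wwn.strip().lower()
    # A policy with no entries is the same as no policy.
    active = [p for p in policies if p.device_wwns or p.switch_ports]
    for p in active:
        if wwn in p.device_wwns and switch_port in p.switch_ports:
            return True, f"device and port are both listed in {p.name}"
    if any(switch_port in p.switch_ports for p in active):
        return False, "switch port is listed in a DCC policy without this device"
    if any(wwn in p.device_wwns for p in active):
        return False, "device is listed in a DCC policy without this switch port"
    return True, "neither device nor switch port is in any DCC policy"

# Constructed sample data: the WWNs and port labels are made up.
POLICIES = [
    make_policy("DCC_POLICY_hba1", ["10:00:00:00:C9:AA:BB:01"], ["1/3", "1/4"]),
    make_policy("DCC_POLICY_hba2", ["10:00:00:00:c9:aa:bb:02"], ["1/4"]),
    make_policy("DCC_POLICY_empty"),
]

if __name__ == "__main__":
    for wwn, port in [("10:00:00:00:c9:aa:bb:01", "1/3"),
                      ("10:00:00:00:c9:aa:bb:02", "1/3"),
                      ("10:00:00:00:c9:aa:bb:99", "1/4"),
                      ("10:00:00:00:c9:aa:bb:99", "2/0")]:
        print(wwn, port, connection_allowed(POLICIES, wwn, port))
```

A denied result here corresponds to a DCC violation on the switch, after which the port stays disabled until it is re-enabled with portEnable.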