HP StorageWorks Secure Fabric OS 5.0.0 User Guide (AA-RW1UA-TE, May 2005)
Creating Secure Fabric OS policies 68
Creating a MAC policy
Management Access Control (MAC) policies can be used to restrict the following
management access to the fabric:
• Access by hosts using SNMP, telnet/sectelnet/Secure Shell, HTTP, API
• Access by device ports using SES or management server
• Access through switch serial ports and front panels
The individual MAC policies and how to create them are described in the following sections.
By default, all MAC access is allowed; no MAC policies exist until they are created.
NOTE: An empty MAC policy blocks all access through that management channel. When
creating policies, ensure that all desired members are added to each policy.
Providing fabric access to proxy servers is strongly discouraged. When a proxy server is
included in a MAC policy for IP-based management, such as the HTTP_POLICY, all IP packets
leaving the proxy server appear to originate from the proxy server. This could result in
allowing any hosts that have access to the proxy server to access the fabric.
Serial, Telnet, and API violations that occur on the standby CP of a chassis-based platform do
not display on the active CP. Also, during an HA failover, security violation counters and
events are not propagated from the former active CP to the current active CP.
Creating an SNMP policy
Read and write SNMP policies can be used to specify which SNMP hosts are allowed read
and write access to the fabric. The SNMP hosts must be identified by IP address.
• RSNMP_POLICY (read access)
Only the specified SNMP hosts can perform read operations to the fabric.
• WSNMP_POLICY (write access)
Only the specified SNMP hosts can perform write operations to the fabric.
Any host granted write permission by the WSNMP policy is automatically granted read
permission by the RSNMP policy.
How to create SNMP policies is described in “To create an SNMP policy:” on page 69.
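Added example (not from the HP guide and not switch code): a small Python model of the access rules stated above, with a pre-activation audit that flags empty policies and proxy-server members. The dictionary layout, function names, and sample addresses are assumptions for illustration; treating a missing WSNMP_POLICY as granting no automatic read access is this model's reading of the text.

```python
from ipaddress import ip_address

def make_policies(raw):
    """{policy name: [IP strings]} -> {policy name: set of address objects}."""
    return {n: {ip_address(m) for m in ms} for n, ms in raw.items()}

def mac_allowed(policies, policy_name, source_ip):
    """Decide one request against one MAC policy."""
    members = policies.get(policy_name)
    if members is None:
        return True  # policy never created: access is allowed by default
    return ip_address(source_ip) in members  # empty policy matches nobody

def snmp_allowed(policies, operation, source_ip):
    """operation is 'read' or 'write'."""
    if operation == "write":
        return mac_allowed(policies, "WSNMP_POLICY", source_ip)
    # A host listed in WSNMP_POLICY is automatically granted read access.
    writers = policies.get("WSNMP_POLICY")
    if writers and ip_address(source_ip) in writers:
        return True
    return mac_allowed(policies, "RSNMP_POLICY", source_ip)

def audit(policies, proxies=()):
    """Return (policy, finding) pairs to review before activating policies."""
    proxy_set = {ip_address(p) for p in proxies}
    findings = []
    for name, members in sorted(policies.items()):
        if not members:
            findings.append((name, "empty: blocks all access on this channel"))
        for m in sorted(members & proxy_set):
            findings.append((name, f"proxy {m} admits every host behind it"))
    return findings

# Constructed sample: addresses are documentation ranges, not real hosts.
SAMPLE = make_policies({
    "RSNMP_POLICY": ["192.0.2.10"],
    "WSNMP_POLICY": ["192.0.2.20"],
    "HTTP_POLICY": ["192.0.2.80"],   # assumed to be a proxy server
})

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, proxies=["192.0.2.80"]):
        print(f"{name}: {finding}")
    print(snmp_allowed(SAMPLE, "read", "192.0.2.20"))
```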