Fabric OS Administrator's Guide v6.4.0 (53-1001763-01, June 2010)

IP Filter policy distribution
The IP Filter policy is manually distributed by command. The distribution includes both active and
defined IP Filter policies. All policies are combined as a single entity to be distributed and cannot be
selectively distributed. However, you may choose the time at which to implement the policy for
optimization purposes. If a distribution includes an active IP Filter policy, the receiving switches
activate the same IP Filter policy automatically. When a switch receives IP Filter policies, all
uncommitted changes left in its local transaction buffer are lost, and the transaction is aborted.
The IPFilter policy can be manually distributed to the fabric by command; there is no support for
automatic distribution. To distribute the IPFilter policy, see “Distributing the local ACL policies” on
page 160 for instructions.
Switches with Fabric OS v6.2.0 or later have the ability to accept or deny IP Filter policy distribution
through the commands fddCfg --localaccept or fddCfg --localreject. See “Policy database
distribution” on page 158 for more information on distributing the IP Filter policy.
Virtual Fabric considerations: To distribute the IPFilter policy in a logical fabric, use the
chassisDistribute command.
Policy database distribution
Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or
fabric-wide basis. The local switch distribution setting and the fabric-wide consistency policy affect
the switch ACL policy database and related distribution behavior.
The ACL policy database is managed as follows:
Switch database distribution setting — Controls whether the switch accepts or rejects
databases distributed from other switches in the fabric. The distribute command sends the
database from one switch to another, overwriting the target switch database with the
distributed one. To send or receive a database the setting must be accept. For configuration
instructions, see “Database distribution settings” on page 159.
Virtual Fabric considerations: FCS, DCC, SCC, and AUTH databases can be distributed using
the -distribute command, but the PWD and IPFILTER databases are blocked from distribution.
Manually distribute an ACL policy database — Run the distribute command to push the local
database of the specified policy type to target switches. See “ACL policy distribution to other
switches” on page 160.
Fabric-wide consistency policy — Use to ensure that switches in the fabric enforce the same
policies. Set a strict or tolerant fabric-wide consistency policy for each ACL policy type to
automatically distribute that database when a policy change is activated. If a fabric-wide
consistency policy is not set, then the policies are managed on a per-switch basis. For
configuration instructions, see “Fabric-wide enforcement” on page 160.
Virtual Fabric considerations: Fabric-wide consistency policies are configured on a
per-logical-switch basis and are applied to the fabrics connected to the logical switches. Automatic
policy distribution behavior for DCC, SCC and FCS is the same as that of pre-v6.2.0 releases and is
configured on a per-logical-switch basis.
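The rules above for manual distribution can be checked before the distribute command is run. The following Python pre-flight check is an added example, not part of this guide or of Fabric OS; the switch names, the inventory layout and the preflight function are assumptions, and the per-switch settings would have to be collected from the switches beforehand.

```python
from dataclasses import dataclass, field

DB_TYPES = {"SCC", "DCC", "FCS", "AUTH", "PWD", "IPFILTER"}
# Per the guide: blocked from the distribute command under Virtual Fabrics.
VF_BLOCKED = {"PWD", "IPFILTER"}


@dataclass
class Switch:  # hypothetical inventory record, one per switch
    name: str
    accept: set = field(default_factory=set)  # databases set to "accept"
    open_transaction: bool = False             # uncommitted IP Filter edits


def preflight(source, targets, databases, virtual_fabric=False):
    """Return {target name: [findings]}; an empty list means no issue found."""
    unknown = set(databases) - DB_TYPES
    if unknown:
        raise ValueError(f"unknown database type(s): {sorted(unknown)}")
    report = {}
    for tgt in targets:
        findings = []
        for db in sorted(databases):
            if virtual_fabric and db in VF_BLOCKED:
                hint = " (use chassisDistribute)" if db == "IPFILTER" else ""
                findings.append(f"{db}: blocked from distribute in a logical fabric{hint}")
                continue
            # To send or receive a database, the setting must be accept.
            if db not in source.accept:
                findings.append(f"{db}: source {source.name} is set to reject")
            if db not in tgt.accept:
                findings.append(f"{db}: target is set to reject")
            elif db == "IPFILTER" and tgt.open_transaction:
                # Receiving IP Filter policies aborts the local transaction.
                findings.append("IPFILTER: uncommitted local changes will be lost")
        report[tgt.name] = findings
    return report


# Constructed sample inventory (not taken from a real fabric).
core = Switch("core1", accept=DB_TYPES.copy())
edge_a = Switch("edge_a", accept={"SCC", "DCC", "IPFILTER"}, open_transaction=True)
edge_b = Switch("edge_b", accept={"SCC", "DCC"})

if __name__ == "__main__":
    for name, findings in preflight(core, [edge_a, edge_b], {"SCC", "IPFILTER"}).items():
        print(name, "->", findings or "ok")
```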
Table 35 on page 159 explains how the local database distribution settings and the fabric-wide
consistency policy affect the local database when the switch is the target of a distribution
command.