HP StorageWorks Fabric OS 6.x administrator guide (5697-7344, March 2008)

126 Configuring advanced security features
Under both conflicting conditions, secPolicyActivate is blocked in the merged fabric. Use the
fddcfg --fabwideset command to resolve the fabric-wide consistency policy conflicts. Use the distribute
command to explicitly resolve conflicting ACL policies.
When a switch is joined to a fabric with a strict SCC or DCC fabric-wide consistency policy, the joining
switch must have a matching fabric-wide consistency policy. If the strict SCC or DCC fabric-wide
consistency policies do not match, the switch cannot join the fabric and the neighboring E_Ports will be
disabled. If the strict SCC and DCC fabric-wide consistency policies match, the corresponding SCC and
DCC ACL policies are compared.
The enforcement of fabric-wide consistency policy involves comparison of only the Active policy set. If the
ACL policies match, the switch joins the fabric successfully. If the ACL policies are absent either on the
switch or on the fabric, the switch joins the fabric successfully, and the ACL policies are copied
automatically from where they are present to where they are absent. The Active policy set where it is
present overwrites the Active and Defined policy set where it is absent. If the ACL policies do not match, the
switch cannot join the fabric and the neighboring E_Ports are disabled.
Use the fddcfg --fabwideset command on either this switch or the fabric to set a matching strict SCC
or DCC fabric-wide consistency policy. Use ACL policy commands to delete the conflicting ACL policy from
one side to resolve ACL policy conflict. If neither the fabric nor the joining switch is configured with a
fabric-wide consistency policy, there are no ACL merge checks required.
The descriptions above also apply to joining two fabrics. In this context, the joining switch becomes a
joining fabric.
Matching fabric-wide consistency policies
This section describes the interaction between the databases with active SCC and DCC policies and
combinations of fabric-wide consistency policy settings when fabrics are merged.
For example, if Fabric A with SCC:S;DCC (strict SCC and tolerant DCC) joins Fabric B with SCC:S;DCC
(strict SCC and tolerant DCC), the fabrics can merge as long as the SCC policies match (both are strict).
Table 37 describes the impact of merging fabrics with the same fabric-wide consistency policy that have
SCC, DCC, or both policies.
Table 37 Merging fabrics with matching fabric-wide consistency policies

| Fabric-wide consistency policy | Fabric A ACL policies | Fabric B ACL policies | Merge results | Database copied |
|---|---|---|---|---|
| None | None | None | Succeeds | No ACL policies copied. |
| None | None | SCC/DCC | Succeeds | No ACL policies copied. |
| Tolerant | None | None | Succeeds | No ACL policies copied. |
| Tolerant | None | SCC/DCC | Succeeds | ACL policies are copied from B to A. |
| Tolerant | SCC/DCC | SCC/DCC | Succeeds | If A and B policies do not match, a warning displays and policy commands are disabled (1). |
| Strict | None | None | Succeeds | No ACL policies copied. |
| Strict | None | SCC/DCC | Succeeds | ACL policies are copied from B to A. |
| Strict | Matching SCC/DCC | Matching SCC/DCC | Succeeds | No ACL policies copied. |
| Strict | Different SCC/DCC policies | Different SCC/DCC policies | Fails | Ports are disabled. |

1. To resolve the policy conflict, manually distribute the database you want to use to the switch with the mismatched
database. Until the conflict is resolved, commands such as fddcfg --fabwideset and secpolicy activate are blocked.
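
The merge rules in Table 37, written out as a decision function for planning a merge before cabling the fabrics together (an added example, not code from this guide or from Fabric OS). It assumes each side's Active SCC or DCC policy can be modelled as a set of member strings, with None for an absent policy; the function name, result fields and WWNs are hypothetical.

```python
# Added example: models Table 37 (both fabrics share the same consistency policy).
# Not Fabric OS code; a policy "matches" here when the two member sets are equal.
from typing import FrozenSet, NamedTuple, Optional

Acl = Optional[FrozenSet[str]]  # None means the policy is absent on that side


class MergeResult(NamedTuple):
    merges: bool             # does the fabric merge succeed?
    copied: Optional[str]    # "A->B", "B->A" or None
    commands_blocked: bool   # policy commands blocked until conflict is resolved
    note: str


def merge_outcome(level: str, active_a: Acl, active_b: Acl) -> MergeResult:
    """Predict the merge of fabrics A and B for one policy type (SCC or DCC).

    level is the fabric-wide consistency policy both fabrics share:
    "none", "tolerant" or "strict". Only the Active policy sets are compared.
    """
    if level not in ("none", "tolerant", "strict"):
        raise ValueError(f"unknown consistency policy: {level!r}")
    if level == "none":
        return MergeResult(True, None, False, "No ACL policies copied.")
    if active_a is None and active_b is None:
        return MergeResult(True, None, False, "No ACL policies copied.")
    if active_a is None:  # present side overwrites the absent side
        return MergeResult(True, "B->A", False, "ACL policies are copied from B to A.")
    if active_b is None:
        return MergeResult(True, "A->B", False, "ACL policies are copied from A to B.")
    if active_a == active_b:
        return MergeResult(True, None, False, "No ACL policies copied.")
    if level == "tolerant":
        # Merge succeeds, but commands stay blocked until a manual distribute.
        return MergeResult(True, None, True, "Warning; distribute the database manually.")
    return MergeResult(False, None, False, "Ports are disabled.")


# Constructed sample data: these WWNs are made up for illustration.
SCC_A = frozenset({"10:00:00:00:00:00:00:01", "10:00:00:00:00:00:00:02"})
SCC_B = frozenset({"10:00:00:00:00:00:00:01", "10:00:00:00:00:00:00:03"})

if __name__ == "__main__":
    for level in ("none", "tolerant", "strict"):
        for a, b in ((None, None), (None, SCC_B), (SCC_A, SCC_A), (SCC_A, SCC_B)):
            print(level, a is not None, b is not None, merge_outcome(level, a, b))
```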