HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

Fabric OS 6.1.1 administrator guide 107
4 Configuring advanced security features
This chapter provides information and procedures for configuring advanced Fabric OS security features
such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP’s Fibre Channel
switches.
ACL policies overview
Each supported Access Control List (ACL) policy listed below is identified by a specific name; only one
policy of each type can exist, except for DCC policies. Policy names are case sensitive and must be entered
as all uppercase. Fabric OS provides the following policies:
• Fabric Configuration Server (FCS) policy—Used to restrict which switches can change the configuration of the fabric.
• Device Connection Control (DCC) policies—Used to restrict which Fibre Channel device ports can connect to which Fibre Channel switch ports.
• Switch Connection Control (SCC) policy—Used to restrict which switches can join with a switch.
• IP Filter Policy (IPFilter) policy—Used to filter traffic based on IP addresses.
NOTE: Run all commands in this chapter with the suggested role, logging in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, to AD0.
How the ACL policies are stored
The policies are stored in a local database. The database contains the ACL policy types of FCS, DCC,
SCC, and IPFilter. The number of policies that may be defined is limited by the size of the database. FCS,
SCC and DCC policies are all stored in the same database.
When a Fabric OS 6.1.x switch joins a fabric containing only pre-6.0 switches, the policy database size
limit is restricted to the lowest database size of any Fabric OS version present. Table 23 lists each Fabric OS
version and its associated database size restriction. Distribution of any of the given policies to pre-6.0 switches
fails if the size of the database being distributed is greater than the lowest database size in the
fabric. In a fabric with only Fabric OS 6.0 switches present, the limit for the security policy database size
is 1Mb. In this case, pre-6.0 switches cannot join the fabric if the fabric security database
size is greater than their Fabric OS database size.
The policies are grouped by state and type. A policy can be in either of the following states:
• Active—The policy is being enforced by the switch.
• Defined—The policy has been set up but is not enforced.
A group of policies is called a Policy Set. Each switch has the following two sets:
• Active policy set—Contains ACL policies being enforced by the switch.
• Defined policy set—Contains a copy of all ACL policies on the switch.
Table 23 Security database size restrictions

Fabric OS version    Security database size
4.4                  256K
5.1/5.2/5.3          256K
6.0/6.1.x            1Mb
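The rules in this section (one policy per type except DCC, uppercase names, a defined set holding every policy and an active set holding the enforced ones, and the fabric-wide size limit from Table 23) can be modelled as a small pre-check that an administrator runs before distributing a policy database into a mixed-version fabric. The following is an added illustration written for this guide, not Fabric OS code: the class and function names are invented, the per-policy byte sizes are an assumed approximation, and "1Mb" in Table 23 is taken to mean 1024 KB.

```python
"""Model of the Fabric OS ACL policy database rules described in this section.
Added illustration, not Fabric OS code; all names here are invented."""

from dataclasses import dataclass, field

# Table 23 limits in bytes, keyed by major.minor version.
# Assumption: "256K" = 256 * 1024 bytes and "1Mb" = 1024 * 1024 bytes.
DB_SIZE_LIMIT = {
    "4.4": 256 * 1024,
    "5.1": 256 * 1024,
    "5.2": 256 * 1024,
    "5.3": 256 * 1024,
    "6.0": 1024 * 1024,
    "6.1": 1024 * 1024,
}

POLICY_TYPES = ("FCS", "DCC", "SCC", "IPFILTER")
MULTI_INSTANCE = {"DCC"}   # only DCC policies may exist more than once


class PolicyError(ValueError):
    """Raised when a policy violates a rule stated in the guide."""


@dataclass
class Policy:
    name: str        # must be all uppercase, e.g. "SCC_POLICY"
    ptype: str       # one of POLICY_TYPES
    members: list    # member identifiers (constructed strings in the demo)

    def size(self) -> int:
        """Approximate stored size: name plus one line per member (assumed encoding)."""
        return len(self.name) + 1 + sum(len(m) + 1 for m in self.members)


@dataclass
class PolicyDatabase:
    defined: dict = field(default_factory=dict)   # defined set: every policy on the switch
    active: dict = field(default_factory=dict)    # active set: policies being enforced

    def create(self, policy: Policy) -> None:
        """Adds a policy to the defined set, enforcing naming and cardinality rules."""
        if policy.name != policy.name.upper():
            raise PolicyError(f"policy names must be all uppercase: {policy.name}")
        if policy.ptype not in POLICY_TYPES:
            raise PolicyError(f"unknown policy type: {policy.ptype}")
        if policy.ptype not in MULTI_INSTANCE and any(
                p.ptype == policy.ptype for p in self.defined.values()):
            raise PolicyError(f"only one {policy.ptype} policy may exist")
        self.defined[policy.name] = policy

    def activate(self, name: str) -> None:
        """Copies a defined policy into the active set; the switch now enforces it."""
        if name not in self.defined:
            raise PolicyError(f"no defined policy named {name}")
        self.active[name] = self.defined[name]

    def size(self) -> int:
        """Size of the whole defined set, which is what gets distributed."""
        return sum(p.size() for p in self.defined.values())


def major_minor(version: str) -> str:
    """'6.1.1' -> '6.1'; Table 23 is keyed by major.minor."""
    return ".".join(version.split(".")[:2])


def fabric_db_limit(versions) -> int:
    """Effective fabric limit: the smallest limit of any Fabric OS version present."""
    return min(DB_SIZE_LIMIT[major_minor(v)] for v in versions)


def can_distribute(db: PolicyDatabase, versions) -> bool:
    """True if every switch running one of `versions` can accept this database."""
    return db.size() <= fabric_db_limit(versions)


def can_join(db: PolicyDatabase, version: str) -> bool:
    """True if a switch at `version` can join a fabric whose database is `db`."""
    return db.size() <= DB_SIZE_LIMIT[major_minor(version)]


if __name__ == "__main__":
    db = PolicyDatabase()
    db.create(Policy("SCC_POLICY", "SCC", ["10:00:00:05:1e:00:00:01"]))  # constructed WWN
    db.create(Policy("DCC_POLICY_A", "DCC", ["10:00:00:05:1e:00:00:02;1"]))
    db.activate("SCC_POLICY")
    print("defined:", sorted(db.defined), "active:", sorted(db.active))
    print("distributable to 6.1.1 + 5.3 fabric:", can_distribute(db, ["6.1.1", "5.3.0"]))
```

Running the module prints the defined and active sets and a distribution verdict; the functions are kept separate from the demo so the same check can be scripted against an inventory of switch firmware versions before a policy push.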