HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

108 Configuring advanced security features
When a policy is activated, the defined policy either replaces the policy with the same name in the active
set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the
policy was saved but has not been activated. If a policy with the same name appears in both the defined
and active sets but they have different values, the policy has been modified but the changes have not been
activated.
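The defined/active comparison described above, written out as an added example (not code from the HP guide). It assumes the two policy sets have already been read from secPolicyShow output into dictionaries; the dictionary layout, the state labels, the policy name DCC_POLICY_example and all WWNs are constructed for illustration.

```python
# Added example: classify each ACL policy by comparing the defined and active sets.
# Assumption: member order is treated as significant when comparing values.

def normalize(members):
    """Lower-case and trim members so formatting differences are not reported as changes."""
    return tuple(m.strip().lower() for m in members)

def classify_policies(defined, active):
    """Return {policy_name: state} following the rules in the paragraph above."""
    states = {}
    for name in sorted(set(defined) | set(active)):
        if name in defined and name not in active:
            states[name] = "saved-not-activated"      # defined only
        elif name in active and name not in defined:
            states[name] = "active-only"              # case not covered by the paragraph
        elif normalize(defined[name]) != normalize(active[name]):
            states[name] = "modified-not-activated"   # same name, different values
        else:
            states[name] = "in-sync"
    return states

def pending(states):
    """Names of policies whose defined and active copies do not match."""
    return sorted(n for n, s in states.items() if s != "in-sync")

# Constructed sample data (not real switch output).
DEFINED = {
    "FCS_POLICY": ["10:00:00:00:00:00:00:01", "10:00:00:00:00:00:00:02"],
    "SCC_POLICY": ["10:00:00:00:00:00:00:01", "10:00:00:00:00:00:00:0a"],
    "DCC_POLICY_example": ["20:00:00:00:00:00:00:0b"],
}
ACTIVE = {
    "FCS_POLICY": ["10:00:00:00:00:00:00:01"],
    "SCC_POLICY": ["10:00:00:00:00:00:00:01", "10:00:00:00:00:00:00:0A"],
}

if __name__ == "__main__":
    result = classify_policies(DEFINED, ACTIVE)
    for name, state in result.items():
        print(f"{name:22} {state}")
    print("not yet activated:", ", ".join(pending(result)))
```

A policy reported as anything other than in-sync means the switch is not enforcing what the defined set says, which is worth checking before a configuration upload is taken as the record of the policy.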
Admin Domain considerations: ACL management can be done on AD255 and in AD0 only if there are no
other user-defined Admin Domains. Both AD0 (when no other user-defined Admin Domains exist) and
AD255 provide an unfiltered view of the fabric.
Identifying policy members
Specify the FCS, DCC and SCC policy members by device port WWN, switch WWN, Domain IDs, or
switch names, depending on the policy. The valid methods for specifying policy members are listed in
Table 24.
ACL policy management
All policy modifications are held in volatile memory until those changes are saved or activated. You can
create multiple sessions to the switch from one or more hosts. It is recommended to make changes from one
switch only, to prevent multiple transactions from occurring.
The FCS, SCC and DCC policies in Secure Fabric OS are not interchangeable with Fabric OS FCS, SCC
and DCC policies. Uploading and saving a copy of the Fabric OS configuration after creating policies is
recommended. For more information on configuration uploads, see “Maintaining the Switch
Configuration File” on page 139.
Use the secPolicyShow command to display the active and defined policy sets. You can view the active
and defined policy sets at any time.
NOTE: Policies created in the current login session also appear in the defined policy set, but these
policies are automatically deleted if you log out without saving.
NOTE: All changes, including the creation of new policies, are saved and activated on the local switch
only—unless the switch is in a fabric that has a strict or tolerant fabric-wide consistency policy for the ACL
policy type for SCC or DCC. See “Distributing the policy database” on page 129 for more information on
the database settings and fabric-wide consistency policy.
Use the instructions in the following sections to manage common settings between two or more of the DCC,
FCS, and SCC policies. For instructions relating to a specific policy, see the appropriate section:
• “Displaying ACL policies” on page 109
  Displays a list of all active and defined ACL policies on the switch.
• “ACL policy modifications” on page 116
  Save changes to memory without actually implementing the changes within the fabric or to the switch.
  This saved but inactive information is known as the defined policy set.
  Simultaneously save and implement all the policy changes made since the last time changes were
  activated. The activated policies are known as the active policy set.
  Delete an entire policy; deleting a policy opens up that aspect of the fabric to all access.
Table 24 Valid methods for specifying policy members
Policy name       Device port WWN   Switch WWN   Domain ID   Switch name
FCS_POLICY        No                Yes          Yes         Yes
DCC_POLICY_nnn    Yes               Yes          Yes         Yes
SCC_POLICY        No                Yes          Yes         Yes