HP StorageWorks Fabric OS 6.x administrator guide (5697-7344, March 2008)

To abort a transaction associated with IP Filter:
1. Log in to the switch using an account assigned to the admin role.
2. Type in the following command:
ipfilter --transabort
IP Filter policy distributions
The IP Filter policy is manually distributed, using the distribute --p "IPFILTER" command. The
distribution includes both active and defined IP Filter policies. All policies are combined as a single entity
to be distributed and cannot be selectively distributed. However, you may choose the time at which to
implement the policy for optimization purposes. If a distribution includes an active IP Filter policy, the
receiving switches will activate the same IP Filter policy automatically. When a switch receives IP Filter
policies, all uncommitted changes left in its local transaction buffer will be lost, and the transaction will be
aborted.
When firmware is upgraded for the first time from pre-5.3.0 to 5.3.0, the default IPv4 and IPv6 filter
policies are active. If non-default IP Filter policies are created, and then saved but not activated, and
firmware is downgraded to pre-5.3.0, the non-default IP Filter policies are preserved. Subsequently, if the
firmware is upgraded again to 5.3.0, the saved IP Filter policies remain present and become visible
again. If, however, the default IP Filter policy is not active, a firmware downgrade to pre-5.3.0 is blocked.
Switches with Fabric OS 5.3.0 or later can accept or deny IP Filter policy distribution
through the commands fddCfg --localaccept or fddCfg --localreject. However, automatic
distribution of IP Filter policy through Fabric Wide Consistent Policy is not supported in Fabric OS 6.0.0.
See “Distributing ACL policies to other switches” on page 123 for more information on distributing the IP
Filter policy.
IP Filter policy restrictions
In a mixed fabric with Fabric OS 5.3.0 or later and pre-5.3.0 switches, IP Filter policies cannot be
distributed from a Fabric OS 6.0.0 switch to a pre-5.3.0 switch. This means that the sending switch will fail
the distribute --p "IPFILTER" operation if the specified receiving domain list contains switches with
Fabric OS 5.2.0 and earlier. When the asterisk (*) is used as the receiving domain, the sending switch will
distribute the IP Filter policies only to switches with Fabric OS 5.3.0 or later.
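The distribution rules above can be checked against a switch inventory before the command is run. The following pre-flight check is an added example, not part of the HP guide or of Fabric OS; the inventory layout, the field names (fos, accept, open_txn) and the function names are assumptions made for illustration.

```python
import re

MIN_FOS = (5, 3, 0)  # oldest Fabric OS release that can receive IP Filter policies

def fos_version(text):
    """Parse 'v5.2.0' or '6.0.0b' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognized Fabric OS version: {text!r}")
    return tuple(int(n) for n in m.groups())

def preflight(fabric, sender, targets):
    """Predict what distributing IPFILTER from `sender` to `targets` will do.

    fabric  -- {domain_id: {"fos": str, "accept": bool, "open_txn": bool}}
    targets -- "*" or a list of domain IDs
    """
    errors, warnings = [], []
    peers = [d for d in sorted(fabric) if d != sender]
    too_old = {d for d in peers if fos_version(fabric[d]["fos"]) < MIN_FOS}
    if targets == "*":
        # Wildcard: pre-5.3.0 switches are skipped rather than failing the run.
        sent_to = [d for d in peers if d not in too_old]
        warnings += [f"domain {d}: pre-5.3.0, skipped by '*'" for d in sorted(too_old)]
    else:
        sent_to = [d for d in targets if d in fabric and d != sender]
        errors += [f"domain {d}: not in inventory" for d in targets if d not in fabric]
        # Explicit list: a single pre-5.3.0 domain fails the whole operation.
        errors += [f"domain {d}: pre-5.3.0, distribute will fail"
                   for d in sent_to if d in too_old]
    sent_to = [] if errors else sent_to  # a failed operation reaches no switch
    for d in sent_to:
        if not fabric[d]["accept"]:
            warnings.append(f"domain {d}: set to reject IPFILTER distribution")
        elif fabric[d]["open_txn"]:
            warnings.append(f"domain {d}: uncommitted IP Filter transaction will be aborted")
    return {"ok": not errors, "sent_to": sent_to, "errors": errors, "warnings": warnings}

# Constructed inventory for illustration; not taken from a real fabric.
FABRIC = {
    1: {"fos": "v6.0.0", "accept": True, "open_txn": False},   # sending switch
    2: {"fos": "v5.3.0", "accept": True, "open_txn": True},
    3: {"fos": "v5.2.0", "accept": True, "open_txn": False},
    4: {"fos": "v6.0.0b", "accept": False, "open_txn": False},
}

if __name__ == "__main__":
    for tgt in ("*", [2, 3]):
        print(tgt, preflight(FABRIC, 1, tgt))
```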
Distributing the policy database
Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or fabric-wide
basis. The local switch distribution setting and the fabric-wide consistency policy affect the switch ACL
policy database and related distribution behavior.
The ACL policy database is managed as follows:
• Switch database distribution setting: Controls whether the switch accepts or rejects
  databases distributed from other switches in the fabric. The distribute command sends the
  database from one switch to another, overwriting the target switch database with the distributed one. To
  send or receive a database the setting must be accept. For configuration instructions, see “Configuring
  the database distribution settings” on page 122.
• Manually distribute an ACL policy database: Run the distribute command to push the
  local database of the specified policy type to target switches. See “Distributing ACL policies to other
  switches” on page 123.
• Fabric-wide consistency policy: Use to ensure that switches in the fabric enforce the same
  policies. Set a strict or tolerant fabric-wide consistency policy for each ACL policy type to automatically
  distribute that database when a policy change is activated. If a fabric-wide consistency policy is not set,
  then the policies are managed on a per-switch basis. For configuration instructions, see “Setting the
  consistency policy fabric-wide” on page 124.