Brocade Secure Fabric OS Administrator's Guide - Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, 5.2.0, and 5.3.0 (53-1000244-02, June 2007)

To create an SNMP policy
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type secPolicyCreate "WSNMP_POLICY", "member;...;member".
member is one or more IP addresses in dot-decimal notation, separated by semicolons. A "0" can be entered in an octet to indicate that any value matches in that octet.
For example, to create a WSNMP and an RSNMP policy that allow read and write access to the fabric only from IP addresses matching 192.168.5.0:
primaryfcs:admin> secpolicycreate "WSNMP_POLICY", "192.168.5.0"
WSNMP_POLICY has been created.
primaryfcs:admin> secpolicycreate "RSNMP_POLICY", "192.168.5.0"
RSNMP_POLICY has been created.
3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command.
If neither of these commands is entered, the changes are lost when the session is logged out. For more information about these commands, see "Saving Changes to Secure Fabric OS Policies" on page 56 and "Activating Changes to Secure Fabric OS Policies" on page 56.
Telnet Policy
The Telnet policy can be used to specify which workstations can use sectelnet or SSH to connect to the fabric. The policy is named TELNET_POLICY and contains a list of the IP addresses of the trusted workstations (workstations that are in a physically secure area).
When a Brocade 24000 or 48000 director is in secure mode, sectelnet or SSH sessions cannot be opened to the active CP. This prevents a potential violation of the Telnet policy, since the active CP can be used to access either of the logical switches on a two-domain Brocade 24000. However, sectelnet or SSH sessions can be established to the IP addresses of the logical switches and to the standby CP, if allowed by the Telnet policy. If the active CP fails over, any sectelnet or SSH sessions to the standby CP are automatically terminated when the standby CP becomes the active CP.
CAUTION
Static host IP addresses are required to implement the Telnet policy effectively. Do not use DHCP for hosts that are in the TELNET_POLICY, because as soon as their IP addresses change, the hosts will no longer be able to access the fabric. Restricting output (such as placing a session on "hold" by use of a command or keyboard shortcut) is not recommended.
This policy pertains to sectelnet and SSH. It does not pertain to telnet access, because telnet is not available in secure mode. Use sectelnet as soon as a digital certificate is installed on the switch.
NOTE
An empty TELNET_POLICY blocks all telnet access. To prevent this, keep one or more members in the Telnet policy. If an empty Telnet policy is absolutely required, leave a meaningful entry in the API, HTTP, or SERIAL policies (or do not create these policies) to ensure that some form of management access is available to the switch. To restrict CLI access over the network to SSH, disable telnet as described in "Telnet" on page 3.
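The following is an added example, not code from the guide or from Fabric OS, that models the member-list semantics described in the SNMP policy procedure above ("member;...;member", with a 0 octet matching any value) together with the empty-policy rule from the NOTE (an empty policy blocks all access). It assumes the same per-octet matching applies to any IP-based policy and is meant as a pre-flight check, run off the switch, of which administrator workstations would keep access before secPolicySave or secPolicyActivate is issued.

```python
import ipaddress
from typing import Iterable


def parse_members(member_list: str) -> list[list[int]]:
    """Parse a 'member;...;member' string (the secPolicyCreate format) into octet lists.

    Each member is an IPv4 address in dot-decimal notation; an octet of 0 is a
    wildcard, as the guide describes for the SNMP policies.
    """
    members = []
    for raw in member_list.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        octets = raw.split(".")
        if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
            raise ValueError(f"invalid policy member: {raw!r}")
        members.append([int(o) for o in octets])
    return members


def member_matches(member: list[int], host: str) -> bool:
    """True if host matches member; a 0 octet in the member matches any host octet."""
    host_octets = [int(o) for o in str(ipaddress.IPv4Address(host)).split(".")]
    return all(m == 0 or m == h for m, h in zip(member, host_octets))


def host_allowed(policy_members: str, host: str) -> bool:
    """Empty policy blocks everything (per the NOTE); otherwise any one member must match."""
    members = parse_members(policy_members)
    if not members:
        return False
    return any(member_matches(m, host) for m in members)


def check_management_hosts(policy_members: str, hosts: Iterable[str]) -> dict[str, bool]:
    """Report which of the given administrator hosts would keep access under the policy."""
    return {h: host_allowed(policy_members, h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample: the page's WSNMP_POLICY member plus one hypothetical wildcard member.
    policy = "192.168.5.0;10.20.0.0"
    for host, ok in check_management_hosts(policy, ["192.168.5.17", "192.168.6.17", "10.20.33.44"]).items():
        print(f"{host}: {'allowed' if ok else 'blocked'}")
```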