Brocade Secure Fabric OS Administrator's Guide - Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, 5.2.0, and 5.3.0 (53-1000244-02, June 2007)

By default, use of node WWNs is allowed; the Options policy does not exist until it is created by the
administrator. Table 12 displays the possible Options policy states.
To create an Options policy:
1. Log in to the primary FCS switch as admin from a sectelnet or SSH session.
2. Type secPolicyCreate "OPTIONS_POLICY", "NoNodeWWNZoning".
primaryfcs:admin> secpolicycreate "OPTIONS_POLICY", "NoNodeWWNZoning"
OPTIONS_POLICY has been created.
3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate
command.
If neither of these commands is entered, the changes are lost when the session is logged out.
For more information about these commands, see "Saving Changes to Secure Fabric OS
Policies" on page 56 and "Activating Changes to Secure Fabric OS Policies" on page 56.
4. To apply the change to current transactions, disable the switch then re-enable it by entering
the switchDisable and switchEnable commands. This stops any current traffic between devices
that are zoned using node names.
CREATING A DCC POLICY
CAUTION
Fabric OS v5.2.0 supports local DCC policies; however, local DCC policies created in non-secure
mode cannot be used while in secure mode. Policies created in non-secure mode are deleted when
secure mode is enabled. Back up DCC policies before enabling secure mode.
Multiple DCC policies can be used to restrict which device ports can connect to which switch ports.
The devices can be initiators, targets, or intermediate devices such as SCSI routers and loop hubs.
By default, all device ports are allowed to connect to all switch ports; no DCC policies exist until
they are created by the administrator.
Each device port can be bound to one or more switch ports; the same device ports and switch
ports might be listed in multiple DCC policies. After a switch port is specified in a DCC policy, it
permits connections only from designated device ports. Device ports that are not specified in any
DCC policies are allowed to connect only to switch ports that are not specified in any DCC policies.
NOTE
Some older private-loop HBAs do not respond to port login from the switch and are not enforced by
the DCC policy. However, this does not create a security problem because these HBAs cannot
contact any device outside of their immediate loop.
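The connection rules above (a switch port named in a policy accepts only its designated device ports; device ports named in no policy may use only switch ports named in no policy; the same device or switch port may appear in several policies) are easy to misjudge when auditing a policy set. The following model is an added example written for this page, not Brocade code: it does not talk to a switch and only evaluates the rules against a constructed policy set. The policy names, WWNs and port numbers are constructed, and the model assumes that a device port bound in any DCC policy is refused at switch ports named in no policy.

```python
"""Model of the DCC policy connection rules described above.

Added illustration for this page, not Brocade code: it does not talk to a
switch, it only evaluates whether a device port WWN may log in at a given
switch port under a set of DCC policies. Policy names and WWNs are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

SwitchPort = Tuple[int, int]  # (domain ID, port index)


@dataclass(frozen=True)
class DccPolicy:
    name: str
    switch_ports: FrozenSet[SwitchPort]
    device_wwns: FrozenSet[str]


def bound_ports(policies: Iterable[DccPolicy]) -> FrozenSet[SwitchPort]:
    """Switch ports named in at least one DCC policy."""
    return frozenset(p for pol in policies for p in pol.switch_ports)


def bound_devices(policies: Iterable[DccPolicy]) -> FrozenSet[str]:
    """Device port WWNs named in at least one DCC policy."""
    return frozenset(w for pol in policies for w in pol.device_wwns)


def connection_allowed(policies, device_wwn: str, switch_port: SwitchPort) -> bool:
    """True if device_wwn may connect at switch_port under the given policies."""
    policies = list(policies)
    if switch_port in bound_ports(policies):
        # A switch port listed in a DCC policy accepts only the device ports
        # designated for it; bindings from several policies are cumulative.
        return any(switch_port in pol.switch_ports and device_wwn in pol.device_wwns
                   for pol in policies)
    # A switch port listed in no policy accepts only device ports that are
    # listed in no policy either. Refusing a device that is bound elsewhere
    # at an unbound port is this model's assumption about binding semantics.
    return device_wwn not in bound_devices(policies)


def allowed_ports(policies, device_wwn: str, all_ports: Iterable[SwitchPort]) -> List[SwitchPort]:
    """Which of all_ports device_wwn may use; handy for auditing a policy set."""
    return sorted(p for p in all_ports if connection_allowed(policies, device_wwn, p))


# Constructed sample policy set: HBA_A is bound in two policies, HBA_B in one,
# HBA_C in none. The WWNs are made up for this example.
HBA_A = "10:00:00:00:c9:2a:1b:01"
HBA_B = "10:00:00:00:c9:2a:1b:02"
HBA_C = "10:00:00:00:c9:2a:1b:03"

SAMPLE_POLICIES = (
    DccPolicy("DCC_POLICY_hostA", frozenset({(1, 2), (1, 3)}), frozenset({HBA_A})),
    DccPolicy("DCC_POLICY_hostB", frozenset({(1, 5)}), frozenset({HBA_A, HBA_B})),
)
FABRIC_PORTS = [(1, i) for i in range(8)]  # domain 1, ports 0-7

if __name__ == "__main__":
    for wwn in (HBA_A, HBA_B, HBA_C):
        print(wwn, "->", allowed_ports(SAMPLE_POLICIES, wwn, FABRIC_PORTS))
```

Running the model shows the effect that surprises most administrators: once any DCC policy exists, HBA_C, which is named nowhere, loses access to every switch port that some other device was bound to, and HBA_A, bound in two policies, can use the union of the ports from both.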
TABLE 12 Options Policy States
Policy State             Characteristics
No policy                Node WWNs can be used for WWN-based zoning.
Policy with no entries   Node WWNs can be used for WWN-based zoning.
Policy with entries      Node WWNs cannot be used for WWN-based zoning.