Fabric OS Administrator’s Guide 311
53-1001763-02
Brocade SANtegrity implementation in mixed fabric SANs 14

Brocade SANtegrity implementation in mixed fabric SANs

SANtegrity is required only in legacy M-EOS fabrics running DCFM management software. In mixed
fabrics, FICON requires using Fabric Binding to define switches, and to verify the inter-switch link
(ISL) restrictions.
Because Fabric Binding authorizes joining switches based on both WWN and domain ID, it requires
that domain IDs be statically allocated; Insistent Domain IDs must therefore be used in conjunction
with Fabric Binding.
Each device in the mixed fabric requires authentication and must prove its identity through the
protocols FC-SP, iSCSI, FC-GS, FC-SB, and iFCP. Brocade SANtegrity uses this standards-based
authentication for both FC and IP block-based protocols, as well as for in-band management.

Fabric OS Layer 2 Fabric Binding

The Fabric OS SANtegrity binding feature locks the fabric into its intended configuration and
ensures protection against WWN spoofing for E_Ports and N_Ports. Switches must exchange and
validate their Fabric Binding Membership list when bringing up an ISL.
Enabling Fabric Binding using DCFM automatically enables Insistent Domain ID on all Fabric OS
and M-EOS switches in the fabric. Disabling Fabric Binding does not turn off Insistent Domain ID.
The firmware supports a Fabric OS switch sending the Exchange Fabric Binding Membership Data
(EFMD) command to neighbor switches during link initialization whenever it has an active security
policy, such as a Switch Connection Control (SCC) policy access control list (ACL). McDATA Fabric
mode supports EFMD, which meets FICON cascading security requirements.
When you enable Fabric Binding, only the switches that are currently in the fabric are included in
the binding list that is sent out. A Fabric Binding check is performed each time a link is initialized to
ensure that the switches can connect. If this check fails on either switch, the link segments.
You must disable Fabric Binding before downgrading to a Fabric OS version that does not support
SANtegrity; otherwise, the links segment when you attempt to initialize the switch. If this happens,
disable and then re-enable the ISL, or add a new ISL.
The DCFM software synchronizes the Fabric OS and M-EOS security policies and enables Fabric
Binding. This ensures that the security policies of both Fabric OS and M-EOS switches in a fabric
are properly configured so that Fabric Binding works properly.
Configuring Fabric Binding through other management interfaces is not recommended. In cases
where existing configured SCC policies require consistency fabric-wide, use the fddCfg command,
which works in both McDATA Open Fabric mode and McDATA Fabric mode.
Refer to Chapter 7, “Configuring Security Policies” for more information on setting fabric-wide
consistency for the SCC policy.
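The following Python model illustrates the Fabric Binding check described above: each switch holds a membership list of (WWN, domain ID) pairs, the two ends of an ISL exchange that list during link initialization (the EFMD step), each end validates the other, and the link segments if either check fails. This is an added teaching example, not Brocade firmware or DCFM code; the WWNs and domain IDs are constructed, and treating a difference between the two membership lists as a failure is a modelling assumption made here.

```python
"""Model of the Fabric OS Layer 2 Fabric Binding check (added example, not
Brocade code). It demonstrates three outcomes: a correctly bound ISL comes
up, a switch presenting a listed WWN with the wrong domain ID is rejected,
and a neighbor that no longer returns binding data (e.g. downgraded firmware
while binding is still enabled on the peer) causes the link to segment."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Member:
    wwn: str         # switch WWN (constructed sample values below)
    domain_id: int   # insistent, statically allocated domain ID


@dataclass
class Switch:
    name: str
    wwn: str
    domain_id: int
    binding_enabled: bool = True
    members: frozenset = field(default_factory=frozenset)

    def identity(self) -> Member:
        return Member(self.wwn, self.domain_id)

    def efmd_payload(self):
        """Membership data sent to a neighbor during link initialization;
        None models a switch that does not send EFMD at all."""
        return self.members if self.binding_enabled else None

    def validate_neighbor(self, neighbor_identity, neighbor_members) -> list:
        """Return the reasons the local check fails (empty list == pass)."""
        if not self.binding_enabled:
            return []                      # no active policy, nothing to enforce
        reasons = []
        if neighbor_members is None:
            reasons.append("neighbor returned no Fabric Binding membership data")
        elif neighbor_members != self.members:
            reasons.append("membership lists differ")   # assumption: must match
        if neighbor_identity not in self.members:
            reasons.append(f"{neighbor_identity} is not in the local binding list")
        return reasons


def bring_up_isl(a: Switch, b: Switch) -> dict:
    """Both ends check each other; the link segments if either check fails."""
    a_reasons = a.validate_neighbor(b.identity(), b.efmd_payload())
    b_reasons = b.validate_neighbor(a.identity(), a.efmd_payload())
    state = "segmented" if (a_reasons or b_reasons) else "active"
    return {"state": state, a.name: a_reasons, b.name: b_reasons}


def demo() -> dict:
    """Run the three scenarios and return the resulting link states."""
    # Constructed sample WWNs and domain IDs, not from any real fabric.
    members = frozenset({Member("10:00:00:05:1e:00:00:01", 1),
                         Member("10:00:00:05:1e:00:00:02", 2)})
    sw1 = Switch("sw1", "10:00:00:05:1e:00:00:01", 1, members=members)
    sw2 = Switch("sw2", "10:00:00:05:1e:00:00:02", 2, members=members)
    # Listed WWN but a different (non-insistent) domain ID: WWN alone is not enough.
    wrong_domain = Switch("sw2x", "10:00:00:05:1e:00:00:02", 7, members=members)
    # Legitimate switch that no longer sends binding data (binding disabled/downgraded).
    sw2_down = Switch("sw2", "10:00:00:05:1e:00:00:02", 2, binding_enabled=False)
    return {"good": bring_up_isl(sw1, sw2)["state"],
            "wrong_domain": bring_up_isl(sw1, wrong_domain)["state"],
            "no_efmd": bring_up_isl(sw1, sw2_down)["state"]}


if __name__ == "__main__":
    for scenario, state in demo().items():
        print(f"{scenario}: {state}")
```

The asymmetric case is the one worth noticing: sw2_down passes its own (empty) check, but sw1 still rejects the link because it received no membership data, which is why the text says to disable Fabric Binding before downgrading rather than after.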

E_Port authentication between Fabric OS and M-EOS switches

E_Port Authentication allows switches to authenticate connections to other switches. You can use
E_Port Authentication in both McDATA Open Fabric mode and McDATA Fabric mode. Using this
feature requires that the proper license keys are activated on both the Fabric OS and the M-EOS
switches. For information on setting the license keys, see Chapter 16, “Administering Licensing”.
Switch secrets must be set correctly; otherwise, authentication will fail.