Brocade Communications Systems 53-1003126-02 Virtual Fabrics support, Device authentication support

• A Fabric OS downgrade requires FEC to be disabled.

• Specific switch platforms support this feature either in R_RDY or VC_RDY mode.

Virtual Fabrics support

Although you cannot enable AG mode on a switch enabled for Virtual Fabrics or enable Virtual Fabrics

on an AG switch, you can connect ports on an AG switch to Virtual Fabrics.

Device authentication support

Devices use authentication as a mechanism to log in into switches only after exchanging DH_CHAP

authorization keys. This prevents any unauthorized device from logging into switch and fabric by

default.

Authentication policy is supported in the following configurations for Access Gateway switches.

Regardless of the enabled policy, the AG port disables if the DH-CHAP or FCAP fails to authenticate

each other.

• Access Gateway switch N_Port connected to Brocade fabric switch F_Port. The N_Port should

enable authentication when authentication is enabled on the connected switch. This can be done by

enabling switch policy on the AG switch and device policy on the fabric switch.

• Access Gateway switch F_Port connected to an HBA. The F_Port also should enable authentication

when the connected device is sending login request with authentication enabled. This is done by

enabling device policy on the AG switch.

By default, Brocade switches use DH-CHAP or FCAP authentication protocols. For authentication

between fabric switches and AG switches, FCAP and DH-CHAP are used. If an FCAP certificate is

present on the AG switch and fabric switch, FCAP has precedence over DHCAP. For authentication

between AG switches and HBAs, DH-CHAP is used because the HBA only supports DH-CHAP.

For details on installing FCAP certificates and creating DHCAP secrets on the switch in AG or native

mode, refer to the Fabric OS Administrator’s Guide or Fabric OS Command Reference.

For general information on authentication, refer to the section on authentication policy for fabric

elements in the "Configuring Security Policies" chapter of the Fabric OS Administrator’s Guide.

The following switch and device policy modes are supported by Access Gateway:

• On - Strict authentication will be enforced on all ports. The ports on the AG connected to the switch

or device will disable if the connecting switch or device does not support authentication or the policy

mode is set to off. During AG initialization, authentication initiates on all ports automatically.

• Off - The AG switch does not support authentication and rejects any authentication negotiation

request from the connected fabric switch or HBA. A fabric switch with the policy mode set to off

should not be connected to an AG switch with policy mode set to on since the on policy is strict. This

will disable the port if any switch rejects the authentication. You must configure DH-CHAP shared

secrets or install FCAP certificates on the AG and connected fabric switch before switching from a

policy "off" mode to policy "on" mode. Off is the default mode for both switch and device policy.

• Passive - The AG does not initiate authentication when connected to a device, but participates in

authentication if the connecting device initiates authentication. The AG will not initiate authentication

on ports, but accepts incoming authentication requests. Authentication will not disable AG F_Ports if

the connecting device does not support authentication or the policy mode is set to off. Passive mode

is the safest mode to use for devices connected to an AG switch if the devices do not support

authentication.

Access Gateway Administrator's Guide 21

53-1003126-02