A Fabric OS downgrade requires FEC to be disabled.
Specific switch platforms support this feature either in R_RDY or VC_RDY mode.
Virtual Fabrics support
Although you cannot enable AG mode on a switch enabled for Virtual Fabrics or enable Virtual Fabrics
on an AG switch, you can connect ports on an AG switch to Virtual Fabrics.
Device authentication support
Devices use authentication as a mechanism to log in into switches only after exchanging DH_CHAP
authorization keys. This prevents any unauthorized device from logging into switch and fabric by
default.
Authentication policy is supported in the following configurations for Access Gateway switches.
Regardless of the enabled policy, the AG port disables if the DH-CHAP or FCAP fails to authenticate
each other.
Access Gateway switch N_Port connected to Brocade fabric switch F_Port. The N_Port should
enable authentication when authentication is enabled on the connected switch. This can be done by
enabling switch policy on the AG switch and device policy on the fabric switch.
Access Gateway switch F_Port connected to an HBA. The F_Port also should enable authentication
when the connected device is sending login request with authentication enabled. This is done by
enabling device policy on the AG switch.
By default, Brocade switches use DH-CHAP or FCAP authentication protocols. For authentication
between fabric switches and AG switches, FCAP and DH-CHAP are used. If an FCAP certificate is
present on the AG switch and fabric switch, FCAP has precedence over DHCAP. For authentication
between AG switches and HBAs, DH-CHAP is used because the HBA only supports DH-CHAP.
For details on installing FCAP certificates and creating DHCAP secrets on the switch in AG or native
mode, refer to the Fabric OS Administrator’s Guide or Fabric OS Command Reference.
For general information on authentication, refer to the section on authentication policy for fabric
elements in the "Configuring Security Policies" chapter of the Fabric OS Administrator’s Guide.

Supported policy modes

The following switch and device policy modes are supported by Access Gateway:
On - Strict authentication will be enforced on all ports. The ports on the AG connected to the switch
or device will disable if the connecting switch or device does not support authentication or the policy
mode is set to off. During AG initialization, authentication initiates on all ports automatically.
Off - The AG switch does not support authentication and rejects any authentication negotiation
request from the connected fabric switch or HBA. A fabric switch with the policy mode set to off
should not be connected to an AG switch with policy mode set to on since the on policy is strict. This
will disable the port if any switch rejects the authentication. You must configure DH-CHAP shared
secrets or install FCAP certificates on the AG and connected fabric switch before switching from a
policy "off" mode to policy "on" mode. Off is the default mode for both switch and device policy.
Passive - The AG does not initiate authentication when connected to a device, but participates in
authentication if the connecting device initiates authentication. The AG will not initiate authentication
on ports, but accepts incoming authentication requests. Authentication will not disable AG F_Ports if
the connecting device does not support authentication or the policy mode is set to off. Passive mode
is the safest mode to use for devices connected to an AG switch if the devices do not support
authentication.

Virtual Fabrics support

Access Gateway Administrator's Guide 21
53-1003126-02