Manuals / Brands / Baby / Model Vehicle / Brocade Communications Systems / Baby / Model Vehicle

Brocade Communications Systems 53-1003126-02 Advanced Device Security policy

1 104

Download 104 pages, 1.65 Mb

Policy enforcement matrix (Continued)TABLE 8

Policies Auto Port

Configuration

N_Port Grouping N_Port Trunking Advanced Device

Security

N_Port Grouping Mutually exclusive N/A Yes Yes

N_Port Trunking Yes Yes N/A Yes

Advanced Device Security Yes Yes Yes N/A

Device Load Balancing No Yes Yes Yes

Advanced Device Security policy

Advanced Device Security (ADS) is a security policy that restricts access to the fabric at the AG level

to a set of authorized devices. Unauthorized access is rejected and the system logs a RASLOG

message. You can configure the list of allowed devices for each F_Port by specifying their Port WWN

(PWWN). The ADS policy secures virtual and physical connections to the SAN.

How the ADS policy works

When you enable the ADS policy, it applies to all F_Ports on the AG-enabled module. By default, all

devices have access to the fabric on all ports. You can restrict the fabric connectivity to a particular set

of devices where AG maintains a per-port allow list for the set of devices whose PWWN you define to

log in through an F_Port. You can view the devices with active connections to an F_Port using the ag

--show command.

NOTE

The ag --show command only displays F_Ports on Core AGs, such as the AGs that are directly

connected to fabric. Use the agshow --name command on the fabric switch to display the F_Ports of

both the Core and Edge AGs.

Alternatively, the security policy can be established in the Enterprise fabric using the Device

Connection Control (DCC) policy. For information on configuring the DCC policy, refer to Enabling the

DCC policy on a trunk on page 77. The DCC policy in the Enterprise fabric takes precedence over

the ADS policy. It is generally recommended to implement the security policy in the AG module rather

than in the main fabric, especially if the Failover and Failback policies are enabled.

Enabling and disabling the ADS policy

By default, the ADS policy is disabled. When you manually disable the ADS policy, all of the allow lists

(global and per-port) are cleared. Before disabling the ADS policy, you should save the configuration

using the configUpload command in case you need this configuration again.

4The ADS policy is not supported when using device mapping.

5Device Load Balancing and Automatic Login Balancing cannot be enabled for the same port group.

Advanced Device Security policy

52 Access Gateway Administrator's Guide

53-1003126-02

Contents

Main Page Contents Page Page Page Preface Document conventions Text formatting conventions Command syntax conventions Notes, cautions, and warnings Notes, cautions, and warnings Brocade resources Contacting Brocade Technical Support Brocade customers Brocade OEM customers Brocade resources Document feedback Document feedback About This Document Supported hardware and software Whats new in this document Changes made for Fabric OS 7.3.0a Key terms for Access Gateway Key terms for Access Gateway About This Document Page Access Gateway Basic Concepts Brocade Access Gateway overview Comparing Native Fabric and Access Gateway modes Page Fabric OS features in Access Gateway mode Fabric OS features in Access Gateway mode Page Fabric OS components supported on Access Gateway (Continued)TABLE 1 Buffer credit recovery support Forward error correction support Buffer credit recovery support Virtual Fabrics support Device authentication support Supported policy modes Virtual Fabrics support Supported Fabric OS commands Supported Fabric OS commands Limitations and considerations AG mode without all POD licenses Password distribution support Limitations and considerations FDMI support Access Gateway port types Comparison of Access Gateway ports to standard switch ports FDMI support Page Access Gateway hardware considerations Access Gateway hardware considerations Configuring Ports in Access Gateway Mode Enabling and disabling Access Gateway mode Port state description Port state description Access Gateway mapping Port mapping Access Gateway mapping Default port mapping Default port mapping Page Page Page Page Considerations for initiator and target ports Adding F_Ports to an N_Port Considerations for initiator and target ports Removing F_Ports from an N_Port F_Port Static Mapping Removing F_Ports from an N_Port Considerations for using F_Port Static Mapping with other AG features and policies Upgrade and downgrade considerations Device mapping Considerations for using F_Port Static Mapping with other AG features and policies Page Page Page Device mapping to port groups (recommended) Device mapping to port groups (recommended) Device mapping to N_Ports Disabling device mapping Device mapping to N_Ports Enabling device mapping Displaying device mapping information Pre-provisioning Enabling device mapping VMware configuration considerations Considerations for Access Gateway mapping VMware configuration considerations Mapping priority Device mapping considerations Mapping priority N_Port configurations N_Port configurations Displaying N_Port configurations Unlocking N_Ports Persisting port online state Displaying N_Port configurations D_Port support Limitations and considerations D_Port support Saving port mappings Saving port mappings Page Managing Policies and Features in Access Gateway Mode Access Gateway policies overview Displaying current policies Access Gateway policy enforcement matrix Advanced Device Security policy How the ADS policy works Enabling and disabling the ADS policy Advanced Device Security policy Allow lists Setting the list of devices allowed to log in Allow lists Setting the list of devices not allowed to log in Removing devices from the list of allowed devices Adding new devices to the list of allowed devices Setting the list of devices not allowed to log in Displaying the list of allowed devices on the switch Automatic Port Configuration policy How the APC policy works Enabling and disabling the APC policy Enabling the APC policy Displaying the list of allowed devices on the switch Port Grouping policy Disabling the APC policy How port groups work How port groups work Adding an N_Port to a port group Deleting an N_Port from a port group Removing a port group Adding an N_Port to a port group Renaming a port group Disabling the Port Grouping policy Port Grouping policy modes Automatic Login Balancing mode Managed Fabric Name Monitoring mode Creating a port group and enabling Automatic Login Balancing mode Rebalancing F_Ports Considerations when disabling Automatic Login Balancing mode Creating a port group and enabling Automatic Login Balancing mode Enabling MFNM mode Disabling MFNM mode Displaying the current MFNM mode timeout value Setting the current MFNM mode timeout value Port Grouping policy considerations Device Load Balancing policy Enabling the Device Load Balancing policy Upgrade and downgrade considerations for the Port Grouping policy Disabling the Device Load Balancing policy Device Load Balancing policy considerations Persistent ALPA policy Disabling the Device Load Balancing policy Enabling the Persistent ALPA policy Disabling the Persistent ALPA policy Persistent ALPA device data Removing device data from the database Enabling the Persistent ALPA policy Failover policy Displaying device data Failover with port mapping Failover configurations in Access Gateway Failover example Failover with port mapping Page Page Adding a preferred secondary N_Port (optional) Deleting F_Ports from a preferred secondary N_Port Failover with device mapping Adding a preferred secondary N_Port (optional) Adding a preferred secondary N_Port for device mapping (optional) Deleting a preferred secondary N_Port for device mapping (optional) Enabling and disabling the Failover policy on an N_Port Adding a preferred secondary N_Port for device mapping (optional) Enabling and disabling the Failover policy for a port group Upgrade and downgrade considerations for the Failover policy Failback policy Enabling and disabling the Failover policy for a port group Failback policy configurations in Access Gateway Failback example Failback policy configurations in Access Gateway Enabling and disabling the Failback policy on an N_Port Enabling and disabling the Failback policy on an N_Port Enabling and disabling the Failback policy for a port group Upgrade and downgrade considerations for the Failback policy Failback policy disabled on unreliable links (N_Port monitoring) Considerations for Failback policy disabled on unreliable links Enabling and disabling the Failback policy for a port group Trunking in Access Gateway mode How trunking works Configuring trunking on the Edge switch Trunking in Access Gateway mode Trunk group creation Configuration management for trunk areas Trunk area assignment example Assigning a trunk area Trunk group creation Enabling the DCC policy on a trunk Enabling trunking Enabling the DCC policy on a trunk Disabling F_Port trunking Monitoring trunking AG trunking considerations for the Edge switch Disabling F_Port trunking Access Gateway trunking considerations for the Edge switch (Continued)TABLE 10 Managing Policies and Features in Access Gateway Mode Access Gateway trunking considerations for the Edge switch (Continued)TABLE 10 Trunking considerations for Access Gateway mode Upgrade and downgrade considerations for trunking in Access Gateway mode Trunking considerations for Access Gateway mode Adaptive Networking on Access Gateway QoS: Ingress rate limiting QoS: SID/DID traffic prioritization Adaptive Networking on Access Gateway Upgrade and downgrade considerations for Adaptive Networking in AG mode Adaptive Networking on Access Gateway considerations Upgrade and downgrade considerations for Adaptive Networking in AG mode Per-Port NPIV login limit Setting the login limit Duplicate PWWN handling during device login Per-Port NPIV login limit Performance Monitoring Flow Monitor Performance Monitoring Legacy performance monitoring features End-to-end monitors Frame monitors Legacy performance monitoring features Limitations for using legacy APM features Limitations for using legacy APM features Page SAN Configuration with Access Gateway Connectivity of multiple devices overview Considerations for connecting multiple devices Direct target attachment Considerations for direct target attachment Considerations for direct target attachment Target aggregation Target aggregation Access Gateway cascading Access Gateway cascading considerations Access Gateway cascading Fabric and Edge switch configuration Verifying the switch mode Fabric and Edge switch configuration Enabling NPIV on M-EOS switches Connectivity to Cisco fabrics Enabling NPIV on a Cisco switch Enabling NPIV on M-EOS switches Rejoining Fabric OS switches to a fabric Reverting to a previous configuration Rejoining Fabric OS switches to a fabric Page Troubleshooting Troubleshooting (Continued)TABLE 12 Troubleshooting Index A B C D E F H I J L M N Q R S T U