84 Enterprise Fabric Suite 2007 User Guide • September 2008
Fabric Binding
Each switch maintains its own fabric security configuration consisting of the active
security set (if one has been activated), any inactive security sets, domain IDs, world
wide names, authentication type (CHAP or None), CHAP hash protocol (MD5 or SHA-1)
and a hashing protocol secret. A switch may have more than one configured
security set, but only one security set may be active on a switch.
Fabric binding requires that both the WWN and domain ID of an ISL security group
member be verified to permit communication with other members in a security set.
Fabric binding is specific to the ISL security group type and provides an additional
level of fabric security. Essentially, this "fabric binding security" limits the fabric to
known domain IDs and switch WWNs. Fabric binding is associated with only the
ISL security group type, and not with the Port and MS security group types. Security
information configured for Port and MS security group types remains on the
originating switch, and is not propagated fabric-wide.
If the Fabric Binding Enabled option is selected in the Security Config dialog and the
Domain ID Binding field is set (1-239), then the security sets that have ISL security
group types will propagate the switch WWNs, and the domain IDs associated
with those switch WWNs, to all switches in the fabric. However, authentication
and secrets for each switch are not shared fabric-wide.
The following two conditions must be met to enforce fabric binding for ISL security
groups:
• The Fabric Binding Enabled setting on the Security Config dialog must be
  selected.
• The Binding field then becomes active on the Create Security Group Member
  dialog, and must contain the domain ID associated with the Switch WWN for
  the ISL group member.
The Fabric Binding Enabled setting on the Security Config dialog has two functions:
• If selected, it enables the Binding field on the Create Security Group Member
  dialog.
• When selected, it permits the appropriate ISL-related security information in
  the activated security set and security configuration to be propagated
  fabric-wide. Note that the security information for Port and MS security group types
  does not get propagated.
When you activate a security set that does not contain a configured ISL security
group, the security information remains local (pertains only to that switch). That is,
no security information is propagated fabric-wide. When you activate a security set
that does contain a configured ISL security group, the ISL-related security
information is propagated fabric-wide.
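The rules above can be modeled as a small audit script. This is an added example, not code from the product or the guide: it checks the two enforcement conditions for the active security set, computes which WWN-to-domain-ID pairs would be shared fabric-wide, and applies the WWN plus domain ID check to a neighbor switch. The class and function names, the sample WWNs and the secrets are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Member:
    wwn: str
    binding: Optional[int] = None   # Binding field: domain ID tied to this WWN
    secret: Optional[str] = None    # CHAP secret; stays on the local switch

@dataclass
class Group:
    name: str
    gtype: str                      # "ISL", "Port" or "MS"
    members: list = field(default_factory=list)

def bound(m):
    """True when the Binding field holds a domain ID in the allowed 1-239 range."""
    return m.binding is not None and 1 <= m.binding <= 239

def findings(binding_enabled, active_set):
    """Reasons fabric binding is not fully enforced for the active security set."""
    out = [] if binding_enabled else ["Fabric Binding Enabled is not selected"]
    for g in active_set:
        if g.gtype == "ISL":
            out += [f"{g.name}: {m.wwn} has no domain ID binding"
                    for m in g.members if not bound(m)]
    return out

def propagated(binding_enabled, active_set):
    """WWN -> domain ID pairs shared fabric-wide: ISL groups only, never secrets."""
    if not binding_enabled:
        return {}
    return {m.wwn: m.binding for g in active_set if g.gtype == "ISL"
            for m in g.members if bound(m)}

def isl_permitted(bindings, wwn, domain_id):
    """A neighbor is accepted only if both its WWN and its domain ID match."""
    return wwn in bindings and bindings[wwn] == domain_id

# Constructed sample data (WWNs, secrets and group names are made up).
ACTIVE_SET = [
    Group("isl_group", "ISL", [Member("10:00:00:00:00:00:00:01", 1, "s3cret-a"),
                               Member("10:00:00:00:00:00:00:02")]),
    Group("port_group", "Port", [Member("21:00:00:00:00:00:00:aa", None, "s3cret-b")]),
]

if __name__ == "__main__":
    print(findings(True, ACTIVE_SET))
    table = propagated(True, ACTIVE_SET)
    print(table, isl_permitted(table, "10:00:00:00:00:00:00:01", 7))
```

In this model a switch presenting a known WWN with a domain ID other than the bound one is rejected, which is the case fabric binding adds over WWN-only membership.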