Chapter 4 Managing Fabric Security 85
The propagated ISL-related security information is then combined with the active
security set on each switch and is automatically renamed the "Learned" security set.
The Learned security set now consists of the most current active security set on that
switch with new propagated domain ID and WWN information. The active security
set is not renamed on the originating switch.
To activate a security set on a switch, open the Security menu and select Activate
Security Set to open the Activate Security Set dialog. In the Activate Security Set
dialog, select a security set from the drop-down list. Click the Activate button to
activate that security set and turn on fabric binding on all switches in the fabric.
When a security set is deactivated on a switch that has fabric binding enabled, the
active security set is deactivated and the Fabric Binding Enabled setting is disabled
on all switches in the fabric, except on the originating switch.
Before joining a switch to a fabric in which all switches have the Fabric Binding
Enabled setting enabled, the Fabric Binding Enabled setting must be enabled on that
switch. If not, an error will result and the switch will isolate.
Device Security
Device security provides for the authorization and authentication of devices that you
attach to a switch. You can configure a switch with a group of devices against which
the switch authorizes new attachments by devices, other switches, or devices issuing
management server commands. Device security is configured through the use of
security sets and groups. A group is a list of device world wide names that are
authorized to attach to a switch. There are three types of groups: one for other
switches (ISL), another for devices (port), and a third for devices issuing
management server commands (MS). A security set is a set of up to three groups
with no more than one of each group type. Each switch maintains its own security
configuration consisting of the active security set (if one has been activated), inactive
security sets, domain IDs, world wide names, authentication type (CHAP or None),
CHAP hash protocol (MD5 or SHA-1), and a hashing protocol secret.
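The following model of a switch's device-security configuration is an added example, not code from the switch or its management software. It encodes the rules stated above (three group types, a security set of at most one group per type, WWN allow-lists) and adds a CHAP response check against the hashing-protocol secret using MD5 or SHA-1. The WWN values are constructed samples; the CHAP formula (hash over identifier, secret and challenge) follows the RFC 1994 convention and is an assumption about this product's wire format; treating an absent group as "nothing of that type authorized" is likewise an assumption, chosen because it fails closed.

```python
"""Device-security model: WWN groups, a security set of up to three groups
(at most one of each type), and a CHAP-style response check.

Added illustration, not the switch's own code. Group types (ISL, port, MS)
and the one-group-per-type rule come from the manual; the CHAP formula is
the RFC 1994 convention and the fail-closed handling of a missing group is
an assumption.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# other switches, attached devices, devices issuing management server commands
GROUP_TYPES = ("ISL", "port", "MS")

# Fibre Channel WWN: eight colon-separated hex octets
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")


def normalize_wwn(wwn: str) -> str:
    """Canonicalise a WWN to lower-case colon-separated form; reject malformed input."""
    w = wwn.strip().lower()
    if not WWN_RE.match(w):
        raise ValueError(f"malformed WWN: {wwn!r}")
    return w


@dataclass
class Group:
    name: str
    gtype: str
    members: set = field(default_factory=set)

    def __post_init__(self):
        if self.gtype not in GROUP_TYPES:
            raise ValueError(f"unknown group type {self.gtype!r}")
        self.members = {normalize_wwn(w) for w in self.members}


@dataclass
class SecuritySet:
    name: str
    groups: dict = field(default_factory=dict)  # gtype -> Group

    def add_group(self, group: Group) -> None:
        # At most three groups, and no more than one of each type.
        if group.gtype in self.groups:
            raise ValueError(f"security set {self.name!r} already has a {group.gtype} group")
        self.groups[group.gtype] = group

    def authorizes(self, gtype: str, wwn: str) -> bool:
        """True if the WWN is listed in this set's group of the given type.

        Assumption: with no group of that type present, nothing of that
        type is authorized (explicit allow-list, fail closed).
        """
        group = self.groups.get(gtype)
        return group is not None and normalize_wwn(wwn) in group.members


def chap_response(hash_name: str, identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994-style response: H(identifier || secret || challenge).

    The switch offers MD5 or SHA-1 as the CHAP hash protocol, so only those
    two are accepted here.
    """
    if hash_name not in ("md5", "sha1"):
        raise ValueError("CHAP hash protocol must be md5 or sha1")
    h = hashlib.new(hash_name)
    h.update(bytes([identifier & 0xFF]))
    h.update(secret)
    h.update(challenge)
    return h.digest()


def verify_chap(hash_name: str, identifier: int, secret: bytes,
                challenge: bytes, response: bytes) -> bool:
    """Constant-time comparison of the peer's response with the expected digest."""
    expected = chap_response(hash_name, identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def build_sample_set() -> SecuritySet:
    """Constructed sample configuration (WWNs are made up for this example)."""
    s = SecuritySet("prod-set")
    s.add_group(Group("isl-peers", "ISL", {"10:00:00:c0:dd:01:02:03"}))
    s.add_group(Group("hosts", "port",
                      {"10:00:00:00:c9:2a:3b:4c", "21:00:00:e0:8b:05:06:07"}))
    s.add_group(Group("mgmt", "MS", {"10:00:00:00:c9:aa:bb:cc"}))
    return s


if __name__ == "__main__":
    cfg = build_sample_set()
    print(cfg.authorizes("port", "10:00:00:00:C9:2A:3B:4C"))   # listed host, case-insensitive
    print(cfg.authorizes("MS", "10:00:00:00:c9:2a:3b:4c"))     # host WWN is not in the MS group
    secret, challenge = b"switch-secret", bytes(range(16))
    resp = chap_response("sha1", 7, secret, challenge)
    print(verify_chap("sha1", 7, secret, challenge, resp))      # True
    print(verify_chap("sha1", 7, b"wrong", challenge, resp))    # False
```

The authorization check keys on both the WWN and the role it claims (ISL, port or MS), which is what keeps a host WWN from being accepted as a management-server client just because it is an authorized port device.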
Note – The Security dialogs are available only on a secure (SSL) fabric and on the
entry switch (out of band switch). Open the Switch menu and select Services to
enable the SSL option for that switch. You must then close the fabric and re-establish
a connection to secure the fabric using SSL.
In addition to authorization, the switch can be configured to require authentication
to validate the identity of the connecting switch, device, or host. Authentication can
be performed locally using the switch security database, or remotely using a Remote
Authentication Dial-In User Service (RADIUS) server. With a RADIUS server, the