Specifications
DATA CENTER BEST PRACTICES
SAN Design and Best Practices
Use the SCC policy in environments where there is a need for strict control of fabric members. Since the SCC
policy can prevent switches from participating in a fabric, it is important to regularly review and properly maintain
the SCC ACL.
DCC Policy
The DCC policy restricts the devices that can attach to a single FC port. The policy specifies the FC port and
one or more WWNs allowed to connect to the port. The DCC policy set comprises all of the DCC policies
defined for individual FC ports. (Note that not every FC port has to have a DCC policy, and only ports with a
DCC policy in the active policy set enforce access controls.) A port that is present in the active DCC policy
set will allow only WWNs in its respective DCC policy to connect and join the fabric. All other devices will fail
authentication when attempting to connect to the fabric, resulting in the respective F_Ports being disabled due
to the security violation.
Use the DCC policy in environments where there is a need for strict control of fabric members. Since the DCC
policy can prevent devices from participating in a fabric, it is important to regularly review and properly maintain
the DCC policy set.
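The periodic review recommended above can be done offline by comparing the DCC policy set with the WWNs actually seen on each port. The following Python sketch is an added example, not Brocade code or FOS output: the port labels, WWNs, and the two dictionaries are constructed sample data, and it assumes the policy set and the observed logins have already been exported from the fabric.

```python
"""Offline review of a DCC policy set against observed port logins.
All port labels and WWNs below are constructed sample data."""
import re

def norm_wwn(wwn: str) -> str:
    """Normalize a WWN to lowercase colon-separated form; reject malformed input."""
    digits = re.sub(r"[:\-\s]", "", wwn).lower()
    if not re.fullmatch(r"[0-9a-f]{16}", digits):
        raise ValueError(f"malformed WWN: {wwn!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 16, 2))

def admit(policy_set, port, wwn):
    """Rule from the text: a port with a DCC policy admits only listed
    WWNs; a port with no policy is not access-controlled."""
    if port not in policy_set:
        return True
    return norm_wwn(wwn) in {norm_wwn(w) for w in policy_set[port]}

def review(policy_set, observed):
    """Return findings for a periodic review of the DCC policy set."""
    findings = {"unenforced_ports": [], "rejected": [], "stale_entries": []}
    for port in sorted(set(policy_set) | set(observed)):
        seen = {norm_wwn(w) for w in observed.get(port, [])}
        if port not in policy_set:
            # No DCC policy: any device may attach to this port.
            findings["unenforced_ports"].append(port)
            continue
        allowed = {norm_wwn(w) for w in policy_set[port]}
        # Seen but not allowed: the login fails and the F_Port is disabled.
        findings["rejected"] += [(port, w) for w in sorted(seen - allowed)]
        # Allowed but never seen: candidate for removal from the policy.
        findings["stale_entries"] += [(port, w) for w in sorted(allowed - seen)]
    return findings

# Constructed sample data (hypothetical port labels and WWNs).
POLICY_SET = {
    "port1": ["10:00:00:00:C9:AA:BB:01"],
    "port2": ["10:00:00:00:c9:aa:bb:02", "10:00:00:00:c9:aa:bb:03"],
}
OBSERVED = {
    "port1": ["1000-0000-c9aa-bb01"],
    "port2": ["10:00:00:00:c9:aa:bb:02", "10:00:00:00:c9:aa:bb:99"],
    "port3": ["10:00:00:00:c9:aa:bb:04"],
}

if __name__ == "__main__":
    for kind, items in review(POLICY_SET, OBSERVED).items():
        print(kind, items)
```

Stale entries matter as much as rejections: an allowed WWN that no longer logs in is standing permission for whatever device next presents that WWN on the port.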
FCS Policy
Use the FCS policy to restrict the source of fabric-wide settings to one FC switch. The policy contains the
WWN of one or more switches, and the first WWN (that is online) in the list is the primary FCS. If the FCS
policy is active, then only the primary FCS is allowed to make and/or propagate fabric-wide parameters. These
parameters include zoning, security (ACL) policy databases, and other settings.
Use the FCS policy in environments where there is a need for strict control of fabric settings. As with other ACL
policies, it is important to regularly review and properly maintain the FCS policy.
IP Filter
The IP Filter policy is used to restrict access through the Ethernet management ports of a switch. Only the
IP addresses listed in the IP Filter policy are permitted to perform the specified type of activity via the
management ports.
The IP Filter policy should be used in environments where there is a need for strict control of fabric access. As
with other ACL policies, it is important to regularly review and properly maintain the IP Filter policy.
Authentication Protocols
Brocade FOS supports both Fibre Channel Authentication Protocols (FCAPs) and Diffie-Hellman Challenge
Handshake Authentication Protocols (DH-CHAPs) on E_Ports and F_Ports. Authentication protocols provide
additional security during link initialization by assuring that only the desired device/device type is connecting to
a given port.
Policy Database Distribution
Security Policy Database Distribution provides a mechanism for controlling the distribution of each policy on a
per-switch basis. Switches can individually configure policies to either accept or reject a policy distribution from
another switch in the fabric. In addition, a fabric-wide distribution policy can be defined for the SCC and DCC
policies with support for strict, tolerant, and absent modes. This can be used to enforce whether or not the SCC
and/or DCC policy needs to be consistent throughout the fabric.
• Strict mode: All updated and new policies of the type specified (SCC, DCC, or both) must be distributed to all
switches in the fabric, and all switches must accept the policy distribution.
• Tolerant mode: All updated and new policies of the type specified (SCC, DCC, or both) are distributed to all
switches (Brocade FOS v6.2.0 or later) in the fabric, but the policy does not need to be accepted.
• Absent mode: Updated and new policies of the type specified (SCC, DCC, or both) are not automatically
distributed to other switches in the fabric; policies can still be manually distributed.










