Brocade Fabric OS Administrator's Guide Supporting Fabric OS v6.3.0 (53-1001336-02, November 2009)

Fabric OS Layer 2 Fabric Binding
The Fabric OS SANtegrity binding feature locks the fabric into its intended configuration and
ensures protection against WWN spoofing for E_Ports and N_Ports. Switches must exchange and
validate their Fabric Binding Membership list when bringing up an ISL.

Enabling Fabric Binding using DCFM automatically enables Insistent Domain ID on all Fabric OS
and M-EOS switches in the fabric. Disabling Fabric Binding does not turn off Insistent Domain ID.

The firmware supports a Fabric OS switch sending the Exchange Fabric Binding Membership Data
(EFMD) command to neighbor switches during link initialization whenever it has an active security
policy, such as the Switch Connection Control (SCC) policy Access Control List (ACL). McDATA Fabric
mode supports the EFMD, which supports FICON cascading security requirements.

When you enable Fabric Binding, only the switches that are currently in the fabric are included in
the binding list that is sent out. A Fabric Binding check is performed each time a link is initialized to
ensure that the switches can connect. If this check fails on either switch, the link segments.

You must disable Fabric Binding to downgrade to a Fabric OS version that does not support
SANtegrity; otherwise, the links will segment when you attempt to initialize the switch. In this case,
you should disable, and then re-enable or add a new ISL.

The DCFM software synchronizes the Fabric OS and M-EOS security policies and enables Fabric
Binding. This ensures that the security policies of both Fabric OS and M-EOS switches in a fabric
are configured so that Fabric Binding works properly.

Configurations through other management interfaces are not recommended. In cases where
existing configured SCC policies require consistency fabric-wide, use the fddCfg command, which
works in both McDATA Open Fabric mode and McDATA Fabric mode.

Refer to Chapter 7, “Configuring Advanced Security Features” for more information on setting
the fabric-wide consistency for the SCC policy.
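
The link-initialization check described above can be modelled as a pre-flight comparison of the membership lists held by the two switches on an ISL. This is an added example, not Brocade code: the `domain_id wwn` input format, the WWNs, and the pass rule (each switch listed by the other, identical lists, matching domain IDs) are assumptions made for illustration.

```python
import re

WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")

def parse_membership(text):
    """Parse 'domain_id wwn' lines (assumed export format) into {wwn: domain_id}."""
    members = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        domain, wwn = line.split()
        wwn = wwn.lower()                     # WWNs compare case-insensitively
        if not WWN_RE.match(wwn):
            raise ValueError(f"malformed WWN: {wwn!r}")
        if wwn in members:
            raise ValueError(f"duplicate WWN: {wwn}")
        members[wwn] = int(domain)
    return members

def binding_check(a_wwn, a_list, b_wwn, b_list):
    """Return the reasons the link would segment; an empty list means the check passes.
    Assumed rule: the check must succeed from both switches' point of view."""
    reasons = []
    if b_wwn not in a_list:
        reasons.append(f"{b_wwn} is not in the list held by {a_wwn}")
    if a_wwn not in b_list:
        reasons.append(f"{a_wwn} is not in the list held by {b_wwn}")
    for wwn in sorted(set(a_list) ^ set(b_list)):
        reasons.append(f"{wwn} is listed on only one switch")
    for wwn in sorted(set(a_list) & set(b_list)):
        if a_list[wwn] != b_list[wwn]:        # Insistent Domain ID makes this matter
            reasons.append(f"{wwn} has domain {a_list[wwn]} vs {b_list[wwn]}")
    return reasons

# Constructed sample data: one Fabric OS switch, one M-EOS switch with a stale list.
FOS_WWN = "10:00:00:05:1e:00:00:01"
MEOS_WWN = "10:00:08:00:88:00:00:02"
FOS_LIST = parse_membership("""
1 10:00:00:05:1E:00:00:01   # Fabric OS switch
2 10:00:08:00:88:00:00:02   # M-EOS switch
""")
MEOS_STALE = parse_membership("""
1 10:00:00:05:1e:00:00:01
3 10:00:08:00:88:00:00:02   # domain ID differs from the Fabric OS view
4 10:00:08:00:88:00:00:09   # switch no longer in the fabric
""")
if __name__ == "__main__":
    for reason in binding_check(FOS_WWN, FOS_LIST, MEOS_WWN, MEOS_STALE):
        print("would segment:", reason)
```
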
E_Port authentication between Fabric OS and M-EOS switches
E_Port Authentication allows switches to authenticate connections to other switches. You can use
E_Port Authentication in both McDATA Open Fabric mode and McDATA Fabric mode. Using this
feature requires that the proper license keys are activated on both the Fabric OS and the M-EOS
switches. For information on setting the license keys, see Chapter 16, “Administering Licensing”.
Switch secrets must be set correctly; otherwise, authentication will fail.

Because M-EOS supports only DH-CHAP authentication, not all Fabric OS authentication
configurations work when connected to an M-EOS switch. With DH-CHAP authentication, you must
configure the shared secrets on both switches. For details on procedures to configure shared
secrets, see “Configuring Advanced Security Features” on page 123.

Table 54 describes the Fabric OS authentication types.
TABLE 54 Fabric OS switch authentication types

Fabric OS authentication types | M-EOS support | M-EOS switch explanation
FCAP, DH-CHAP                  | Yes           | M-EOS switch selects the supported DH-CHAP protocol.