Matching Fabric-Wide Consistency Policies; Merging Fabrics With Matching Fabric-Wide Consistency Policies - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

Under both conflicting conditions, secPolicyActivate is blocked in the merged fabric.Use fddcfg
–fabwideset command to resolve the fabric-wide consistency policy conflicts. Use the distribute
command to explicitly resolve conflicting ACL policies.
When a switch is joined to a fabric with a strict SCC or DCC fabric-wide consistency policy, the joining
switch must have a matching fabric-wide consistency policy. If the strict SCC or DCC fabric-wide
consistency policies do not match, the switch cannot join the fabric and the neighboring E_Ports will be
disabled. If the strict SCC and DCC fabric-wide consistency policies match, the corresponding SCC and
DCC ACL policies are compared.
The enforcement of fabric-wide consistency policy involves comparison of only the Active policy set. If the
ACL polices match, the switch joins the fabric successfully. If the ACL policies are absent either on the
switch or on the fabric, the switch joins the fabric successfully, and the ACL policies are copied
automatically from where they are present to where they are absent. The Active policy set where it is
present overwrites the Active and Defined policy set where it is absent. If the ACL policies do not match, the
switch cannot join the fabric and the neighboring E_Ports are disabled.
Use the fddcfg
or DCC fabric-wide consistency policy. Use ACL policy commands to delete the conflicting ACL policy from
one side to resolve ACL policy conflict. If neither the fabric nor the joining switch is configured with a
fabric-wide consistency policy, there are no ACL merge checks required.
The descriptions above also apply to joining two fabrics. In this context, the joining switch becomes a
joining fabric.

Matching fabric-wide consistency policies

This section describe the interaction between the databases with active SCC and DCC policies and
combinations of fabric-wide consistency policy settings when fabrics are merged.
For example: Fabric A with SCC:S;DCC (strict SCC and tolerant DCC) joins Fabric B with SCC:S;DCC
(strict SCC and tolerant DCC), the fabrics can merge as long as the SCC policies match (both are strict).
Table 37 describes the impact of merging fabrics with the same fabric-wide consistency policy that have
SCC, DCC, or both policies.
Table 37

Merging fabrics with matching fabric-wide consistency policies

Fabric-wide
consistency policy
None
Tolerant
Strict
1. To resolve the policy conflict, manually distribute the database you want to use to the switch with the mismatched
database. Until the conflict is resolved commands such as fddcfg --fabwideset and secpolicy activate are blocked.
126 Configuring advanced security features
fabwideset command on either this switch or the fabric to set a matching strict SCC
–
Fabric A Fabric B
ACL policies ACL policies
None None
None SCC/DCC
None None
None SCC/DCC
SCC/DCC SCC/DCC
None None
None SCC/DCC
Matching Matching
SCC/DCC SCC/DCC
Different Different
SCC/DCC SCC/DCC
policies policies
Merge Database copied
results
Succeeds No ACL policies copied.
Succeeds No ACL policies copied.
Succeeds No ACL policies copied.
Succeeds ACL policies are copied from
B to A.
Succeeds If A and B policies do not
match, a warning displays
and policy commands are
1
disabled .
Succeeds No ACL policies copied.
Succeeds ACL policies are copied from
B to A.
Succeeds No ACL policies copied.
Fails Ports are disabled.