Ip Filter Policy Distribution; Policy Database Distribution - Brocade Communications Systems 53-1001763-02 Administrator's Manual


IP Filter policy distribution

The IP Filter policy is manually distributed by command. The distribution includes both active and
defined IP Filter policies. All policies are combined as a single entity to be distributed and cannot be
selectively distributed. However, you may choose the time at which to implement the policy for
optimization purposes. If a distribution includes an active IP Filter policy, the receiving switches
activate the same IP Filter policy automatically. When a switch receives IP Filter policies, all
uncommitted changes left in its local transaction buffer are lost, and the transaction is aborted.

The IPFilter policy can be manually distributed to the fabric by command; there is no support for
automatic distribution. To distribute the IPFilter policy, see "Distributing the local ACL policies"
on page 160 for instructions.

Switches with Fabric OS v6.2.0 or later have the ability to accept or deny IP Filter policy distribution,
through the commands fddCfg --localaccept or fddCfg --localreject. See "Policy database
distribution" on page 158 for more information on distributing the IP Filter policy.

Virtual Fabric considerations: To distribute the IPFilter policy in a logical fabric, use the
chassisDistribute command.

Policy database distribution

Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or
fabric-wide basis. The local switch distribution setting and the fabric-wide consistency policy affect
the switch ACL policy database and related distribution behavior.

The ACL policy database is managed as follows:

• Switch database distribution setting — Controls whether or not the switch accepts or rejects
  databases distributed from other switches in the fabric. The distribute command sends the
  database from one switch to another, overwriting the target switch database with the
  distributed one. To send or receive a database the setting must be accept. For configuration
  instructions, see "Database distribution settings" on page 159.

  Virtual Fabric considerations: FCS, DCC, SCC, and AUTH databases can be distributed using
  the -distribute command, but the PWD and IPFILTER databases are blocked from distribution.

• Manually distribute an ACL policy database — Run the distribute command to push the local
  database of the specified policy type to target switches. See "ACL policy distribution to other
  switches" on page 160.

• Fabric-wide consistency policy — Use to ensure that switches in the fabric enforce the same
  policies. Set a strict or tolerant fabric-wide consistency policy for each ACL policy type to
  automatically distribute that database when a policy change is activated. If a fabric-wide
  consistency policy is not set, then the policies are managed on a per-switch basis. For
  configuration instructions, see "Fabric-wide enforcement" on page 160.

  Virtual Fabric considerations: Fabric-wide consistency policies are configured on a per-logical-switch
  basis and are applied to the fabrics connected to the logical switches. Automatic policy
  distribution behavior for DCC, SCC and FCS is the same as that of pre-v6.2.0 releases and is
  configured on a per-logical-switch basis.

Table 35 on page 159 explains how the local database distribution settings and the fabric-wide
consistency policy affect the local database when the switch is the target of a distribution
command.
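The distribution rules stated in this section can be checked before a change window. The following is an added example, not Brocade code and not part of the guide: a small Python model that predicts, for a planned distribution, which targets reject it, which are overwritten, and which lose uncommitted IP Filter changes. It does not talk to a switch; the `Switch` class, the `preflight` function and the sample fabric are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass, field

# Per the text: in a Virtual Fabric the distribute command does not carry these.
VF_BLOCKED = {"PWD", "IPFILTER"}

@dataclass
class Switch:
    name: str
    accept: set                                   # databases set to accept
    open_txn: set = field(default_factory=set)    # databases with uncommitted edits

def preflight(db, sender, targets, virtual_fabric=False):
    """Predict the effect of distributing `db` from `sender` to `targets`.

    Returns (abort_reason or None, {target name: outcome string}).
    """
    if virtual_fabric and db in VF_BLOCKED:
        hint = "; use chassisDistribute" if db == "IPFILTER" else ""
        return f"{db} is blocked from distribute in a Virtual Fabric{hint}", {}
    # "To send or receive a database the setting must be accept."
    if db not in sender.accept:
        return f"{sender.name} must be set to accept {db} before it can send", {}
    outcome = {}
    for sw in targets:
        if db not in sw.accept:
            outcome[sw.name] = "rejected: local setting is reject"
        elif db == "IPFILTER" and db in sw.open_txn:
            # Receiving IP Filter policies discards the local transaction buffer.
            outcome[sw.name] = "overwritten: uncommitted changes lost, transaction aborted"
        else:
            outcome[sw.name] = "overwritten"
    return None, outcome

# Constructed fabric state for illustration.
core = Switch("core1", {"SCC", "DCC", "IPFILTER"})
edge_a = Switch("edge_a", {"SCC", "IPFILTER"}, open_txn={"IPFILTER"})
edge_b = Switch("edge_b", {"SCC"})

if __name__ == "__main__":
    for db, vf in [("IPFILTER", False), ("IPFILTER", True), ("SCC", True)]:
        print(db, "VF" if vf else "no VF", preflight(db, core, [edge_a, edge_b], vf))
```
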
Fabric OS Administrator's Guide, 53-1001763-02
