Ip Filter Policy Distributions; Ip Filter Policy Restrictions; Distributing The Policy Database - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

To abort a transaction associated with IP Filter:
Log in to the switch using an account assigned to the admin role.
1.
2. Type in the following command:
ipfilter –-transabort

IP Filter policy distributions

The IP Filter policy is manually distributed, using the distribute --p "IPFILTER" command. The
distribution includes both active and defined IP Filter policies. All policies are combined as a single entity
to be distributed and cannot be selectively distributed. However, you may choose the time at which to
implement the policy for optimization purposes. If a distribution includes an active IP Filter policy, the
receiving switches will activate the same IP Filter policy automatically. When a switch receives IP Filter
policies, all uncommitted changes left in its local transaction buffer will be lost, and the transaction will be
aborted.
When firmware is upgraded for the first time from pre-5.3.0 to 5.3.0, the default IPv4 and IPv6 filter
policies are active. If non-default IP Filter policies are created, and then saved but not activated, and
firmware is downgraded to pre-5.3.0, the non-default IP Filter policies are preserved. Subsequently, if the
firmware is upgraded again to 5.3.0, the saved IP Filter policies remains present and become visible
again. If, however, the default IP Filter policy is not active, a firmware downgrade to pre-5.3.0 is blocked.
Switches with Fabric OS 5.3.0 or later will have the ability to accept or deny IP Filter policy distribution,
through the commands fddCfg --localaccept or fddcfg --localreject. However, automatic
distribution of IP Filter policy through Fabric Wide Consistent Policy is not supported in Fabric OS 6.0.0.
See "Distributing ACL policies to other
Filter policy.

IP Filter policy restrictions

In a mixed fabric with Fabric OS 5.3.0 or later and pre-5.3.0 switches, IP Filter policies cannot be
distributed from a Fabric OS 6.0.0 switch to a pre-5.3.0 switch. This means that the sending switch will fail
distribute --p "IPFILTER" operation, if the specified receiving domain list contains switches with
Fabric OS 5.2.0 and earlier. When the asterisk (*) is used as the receiving domain, the sending switch will
distribute the IP Filter policies only to switches with Fabric OS 5.3.0 or later.

Distributing the policy database

Fabric OS lets you manage and enforce the ACL policy database on either a per-switch or fabric-wide
basis. The local switch distribution setting and the fabric-wide consistency policy affect the switch ACL
policy database and related distribution behavior.
The ACL policy database is managed as follows:
Switch database distribution setting—Controls whether or not the switch accepts or rejects
•
databases distributed from other switches in the fabric. The distribute command sends the
database from one switch to another, overwriting the target switch database with the distributed one. To
send or receive a database the setting must be accept. For configuration instructions, see
the database distribution
Manually distribute an ACL policy database—Run the distribute command to push the
•
local database of the specified policy type to target switches.
switches" on page 123.
• Fabric-wide consistency policy—Use to ensure that switches in the fabric enforce the same
policies. Set a strict or tolerant fabric-wide consistency policy for each ACL policy type to automatically
distribute that database when a policy change is activated. If a fabric-wide consistency policy is not set,
then the policies are managed on per switch basis. For configuration instructions,
consistency policy
switches" on page 123 for more information on distributing the IP
settings" on page 122.
fabric-wide" on page 124.
"Distributing ACL policies to other
see"Setting the
Fabric OS 6.x administrator guide 121
"Configuring