Configuring advanced security features
This chapter provides information and procedures for configuring advanced Fabric OS security features
such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP's Fibre Channel
Run all commands, with the suggested role, in this chapter by logging in to Administrative Domain
(AD) 255 or, if Administrative Domains have not been implemented, log in to AD 0.
About access control list (ACL) policies
Fabric OS provides the following policies:
Fabric Configuration Server (FCS) policy—Used to restrict which switches can change the
configuration of the fabric.
Device Connection Control (DCC) policies—Used to restrict which Fibre Channel device ports can
connect to which Fibre Channel switch ports.
Switch Connection Control (SCC) policy—Used to restrict which switches can join with a switch.
IP Filter Policy (IPFilter) policy—Used to filter traffic based on IP addresses.
Each supported policy is identified by a specific name, and only one policy of each type can exist (except
for DCC policies). Policy names are case-sensitive and must be entered in all uppercase.
How the ACL policies are stored
The policies are stored in a local database. The database contains the ACL policies types of FCS, DCC,
SCC, and IPFilter. The number of policies that may be defined is limited by the size of the database. FCS,
SCC and DCC policies are all stored in the same database.
When a Fabric OS 6.0 switch joins the fabric containing only pre-6.0 switches, the policy database size
limit is restricted to the Fabric OS version's lowest database size.
and its associated database size restriction. Distribution of any of the given policies to pre-6.0 switches
would fail if the size of the database being distributed is greater than the lowest database size in the
fabric. In a fabric with only Fabric OS 6.0 switches present, the limit for security policy database size
would be set to 1Mb. In this case, the pre-6.0 switches cannot join the fabric if the fabric security database
size is greater than their Fabric OS database size.
Security database size restrictions
Fabric OS version
The policies are grouped by state and type. A policy can be in either of the following states:
Active—The policy is being enforced by the switch.
Defined—The policy has been set up but is not enforced.
A group of policies is called a Policy Set. Each switch has the following two sets:
Active policy set—Contains ACL policies being enforced by the switch.
Defined policy set—Contains a copy of all ACL policies on the switch.
When a policy is activated, the defined policy either replaces the policy with the same name in the active
set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the
policy was saved but has not been activated. If a policy with the same name appears in both the defined
Security database size
shows the Fabric OS version
Fabric OS 6.x administrator guide