Policy Members; Acl Policy Management; Valid Methods For Specifying Policy Members - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)

When a policy is activated, the defined policy either replaces the policy with the same name in the active
set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the
policy was saved but has not been activated. If a policy with the same name appears in both the defined
and active sets but the two versions have different values, the policy has been modified but the changes
have not been activated.
Admin Domain considerations: ACL management can be done on AD255 and AD0 only if there are no
user-defined Admin Domains. Both AD0 (when no other user-defined Admin Domains exist) and AD255
provide an unfiltered view of the fabric.
Virtual Fabric considerations: ACL policies such as DCC, SCC, and FCS can be configured on each Logical
Switch.
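
The defined-versus-active comparison described above can be expressed as a small audit routine. This is an added example, not code from the guide or from Fabric OS: the dict-of-sets input layout, the state labels, and every WWN and domain ID below are constructed, and it does not parse real switch output.

```python
# Added example: classify ACL policies by comparing the defined and active sets.
# The input layout and all sample values are constructed for illustration.

def normalize(members):
    """Assumption: members compare case-insensitively (WWNs are hex strings)."""
    return {m.strip().lower() for m in members}

def policy_states(defined, active):
    """Return {policy_name: (state, pending_adds, pending_removes)}."""
    report = {}
    for name in sorted(set(defined) | set(active)):
        d = normalize(defined[name]) if name in defined else None
        a = normalize(active[name]) if name in active else None
        if a is None:
            # In the defined set only: saved but not activated.
            report[name] = ("saved, not activated", sorted(d), [])
        elif d is None:
            # Assumption (not stated in the guide): an active policy missing
            # from the defined set is a deletion that has not been activated.
            report[name] = ("deletion pending activation", [], sorted(a))
        elif d != a:
            # Same name, different values: modified but changes not activated.
            report[name] = ("modified, not activated",
                            sorted(d - a), sorted(a - d))
        else:
            report[name] = ("in sync", [], [])
    return report

# Constructed sample data (WWNs and domain IDs are made up).
DEFINED = {
    "SCC_POLICY": {"10:00:00:00:AA:00:00:01", "10:00:00:00:aa:00:00:02", "3"},
    "DCC_POLICY_eng": {"20:00:00:00:bb:00:00:10"},
    "FCS_POLICY": {"10:00:00:00:aa:00:00:01"},
}
ACTIVE = {
    "SCC_POLICY": {"10:00:00:00:aa:00:00:01", "3"},
    "FCS_POLICY": {"10:00:00:00:AA:00:00:01"},
}

if __name__ == "__main__":
    for name, (state, adds, removes) in policy_states(DEFINED, ACTIVE).items():
        print(f"{name}: {state}; pending adds {adds}, pending removes {removes}")
```

Any policy not reported as "in sync" means the switch is still enforcing something other than what was last saved.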

Policy members

The FCS, DCC, and SCC policy members are specified by device port WWN, switch WWN, domain IDs,
or switch names, depending on the policy. The valid methods for specifying policy members are listed in
Table 25.

Table 25 Valid methods for specifying policy members

| Policy name | Device port WWN | Switch WWN | Domain ID | Switch name |
|---|---|---|---|---|
| FCS_POLICY | No | Yes | Yes | Yes |
| DCC_POLICY_nnn | Yes | Yes | Yes | Yes |
| SCC_POLICY | No | Yes | Yes | Yes |

ACL policy management

All policy modifications are temporarily stored in volatile memory until those changes are saved or
activated. You can create multiple sessions to the switch from one or more hosts. HP recommends that you
make changes only from one switch to prevent multiple transactions from occurring. Each Logical Switch
will have its own access control list.
The FCS, SCC and DCC policies in Secure Fabric OS are not interchangeable with Fabric OS FCS, SCC,
and DCC policies. HP recommends uploading and saving a copy of the Fabric OS configuration after
creating policies. For more information on configuration uploads, see Chapter 5, "Maintaining the
switch configuration file" on page 163.
You can view the active and defined policy sets at any time. Additionally, in a defined policy set, policies
created in the same login session also appear, but these policies are automatically deleted if you log
out without saving them.
NOTE:
All changes, including the creation of new policies, are saved and activated on the local switch
only—unless the switch is in a fabric that has a strict or tolerant fabric-wide consistency policy for the ACL
policy type for SCC or DCC. See "Policy database distribution" on page 139 for more information on the
database settings and fabric-wide consistency policy.
Use the instructions in the following sections to manage common settings between two or more of the DCC,
FCS, and SCC policies. For instructions relating to a specific policy, see the appropriate section.
• "Displaying ACL policies" on page 119 displays a list of all active and defined ACL policies on the
switch.
• "ACL policy modifications" on page 126 discusses the changes to memory without actually
implementing the changes within the fabric or to the switch. This saved, but inactive, information is
known as the "defined policy set." Simultaneously save and implement all the policy changes made
since the last time changes were activated; the activated policies are known as the active policy set. If
you delete the entire policy, that aspect of the fabric is open to all access.
• "Member modification to existing policies" on page 127 discusses the addition of one or more
members to a policy. The aspect of the fabric covered by each policy is closed to access by all devices
118 Configuring advanced security features
