2
Advanced Device Security policy
Advanced Device Security policy
The Advanced Device Security (ADS) policy is supported on AG F_Ports. Fabric OS v6.2.0 extends
the DCC policy to switches in AG mode to provide an additional level of security. It does this by
extending the DCC policy to the physical F_Ports and the NPIV logins on F_Ports. As more physical
servers become virtual, virtual servers can become vulnerable and security becomes an integral
part of server IO virtualization. This security policy is a mechanism that restricts fabric connectivity
to a set of devices that you can specify or allow to log in to the fabric connected through a switch in
AG mode. By default, the ADS policy is not enabled. After you set a switch in AG mode, you can
enable the ADS policy, and then specify which devices to allow at login on a per F_Port basis.
Security enforcement can also be done in the Enterprise fabric; the DCC policy in the Enterprise
fabric takes precedence over the ADS policy. When you enable the ADS policy, it applies to all the
ports on the switch. By default, all devices have access to the fabric on all ports.
Enabling the Advanced Device Security policy
1. Connect to the switch and log in as admin.
2. Enter the ag
Disabling the Advanced Device Security policy
1. Connect to the switch and log in as admin.
2. Enter the ag
Setting which devices can log in if ADS policy is enabled
You can determine which devices are allowed to log in on a per F_Port basis by specifying the
device's port WWN (PWWN). Use the ag --adsset command to determine which devices are
allowed to log in to a specified set of F_Ports. Lists must be enclosed in double quotation marks.
List members must be separated by semicolons. The maximum number of entries in the allowed
device list is twice the per port maximum log in count. Replace the WWN list with an asterisk (*) to
indicate all access on the specified F_Port list. Replace the F_Port list with an asterisk (*) to add
the specified WWNs to all the F_Ports' allow lists. A blank WWN list ("") indicates no access. The
ADS policy must be enabled for this command to succeed.
NOTE
Use an asterisk enclosed in quotation marks,"*", to set the Allow list to "All Access" to all F_Ports;
use a pair of double quotation marks ("") to set the Allow list to "No Access".
Note the following characteristics of the Allow List:
10
policyenable ads command.
--
switch:admin> ag --policyenable ads
The policy ADS is enabled
policydisable ads command.
--
switch:admin> ag --policydisable ads
The policy ADS is disabled
•
The maximum device entries allowed in the Allow List is twice the per port max login count
•
Each port can be configured to "not allow any device" or "to allow all the devices" to log in
•
If the ADS policy is enabled, by default, every port is configured to allow all devices to log in
Access Gateway Administrator's Guide
53-1001189-01