Configuring defined and active scc policy sets, Creating a defined scc policy – Brocade Network OS Administrator’s Guide v4.1.1 User Manual

fcsp auth hash md5
fcsp auth policy switch on
Configuring a Brocade VDX 6730 to access a SAN fabric
Configuring a Brocade VDX 6730 switch to access a SAN fabric connected through an FC Router
involves the following steps:
1. Configure the matching shared secret pairs on the VDX 6730 and on the FC router.
2. Configure the authentication policy on the VDX 6730 switch (the FC router configuration is fixed).
3. Activate the authentication policy.
Configuring defined and active SCC policy sets
The Switch Connection Control (SCC) policy maintains two versions, active and defined, and creating
a policy includes two distinct operations:
1. Creating the defined SCC policy set.
2. Activating the SCC policy.
The defined policy includes a list of WWN members and it is configurable. You can create the SCC
policy and its members using a single command, secpolicy defined-policy SCC_POLICY. Or you
can create the SCC policy first and add the members later. You can modify the defined policy at any
time thereafter.
When you create the SCC policy and its defined member set, it remains inactive until you explicitly
activate the policy with the secpolicy activate command. The SCC policy is enforced on the E_Ports
only after you activate the policy. When the policy is active, only the members included in the activated
policy can communicate with each other. If you add devices to the defined policy, they
remain inactive and access is blocked until you activate the defined policy again.
Follow these guidelines and restrictions when configuring SCC policy:
• During the configuration replay operation, the defined and active policies are replayed and the
E_Ports are enabled or disabled based on the SCC policy entries in the active policy list.
During a configuration replay operation, if an E_Port is already disabled due to a violation, it will not
come online even if the WWN entry is found in the active policy list. You must explicitly bring up the
E_Port to enforce the active policy.
• During execution of the copy file running-config command, only the defined policy in the switch is
updated with the config file entries; the active policy entries remain unchanged. In this case, you
must use the secpolicy activate command to activate the defined policy list.
• If an empty policy is created and activated, but not saved, all Fibre Channel (FC) E_Ports will be in
the disabled state after a reboot.
• Network OS requires that you invoke the shutdown command, followed by the no shutdown
command to bring up the E_Port. Invoking the no shutdown command alone does not enable the
port.
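The following Python sketch is an added example, not part of the Brocade guide or of Network OS. It models the defined/active split described above so that drift between the two member lists can be checked before running secpolicy activate. The function names and the WWNs are constructed for illustration, and it assumes an SCC policy is already active on the switch.

```python
import re

WWN_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){7}")

def normalize(wwns):
    """Lower-case and validate WWNs; malformed entries raise instead of being skipped."""
    out = set()
    for wwn in wwns:
        wwn = wwn.strip().lower()
        if not WWN_RE.fullmatch(wwn):
            raise ValueError(f"malformed WWN: {wwn!r}")
        out.add(wwn)
    return out

def audit_scc(defined, active):
    """Report what the next 'secpolicy activate' would change."""
    d, a = normalize(defined), normalize(active)
    report = {
        "blocked_until_activate": sorted(d - a),  # defined, but not yet permitted
        "dropped_on_activate": sorted(a - d),     # permitted now, gone after activation
        "in_sync": d == a,
        "warnings": [],
    }
    if not d:
        # Guideline above: an empty policy that is activated but not saved
        # leaves all FC E_Ports disabled after a reboot.
        report["warnings"].append("defined policy is empty")
    return report

def replay_port_state(peer_wwn, active, disabled_by_violation):
    """E_Port state after a configuration replay, following the guidelines above."""
    if disabled_by_violation:
        # Stays down even if the WWN is listed; needs shutdown, then no shutdown.
        return "disabled"
    return "enabled" if normalize([peer_wwn]) <= normalize(active) else "disabled"

# Constructed sample member lists (not taken from a real switch).
DEFINED = ["10:00:00:05:1E:00:69:00", "10:00:00:08:2f:00:79:00", "10:00:00:05:1e:00:aa:01"]
ACTIVE = ["10:00:00:05:1e:00:69:00", "10:00:00:05:1e:00:bb:02"]

if __name__ == "__main__":
    for key, value in audit_scc(DEFINED, ACTIVE).items():
        print(f"{key}: {value}")
```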
Creating a defined SCC policy
The following procedure creates a Switch Connection Control (SCC) policy, adds two members, and
verifies the configuration.
1. In privileged EXEC mode, issue the configure terminal command to enter global configuration
mode.
2. Enter the secpolicy defined-policy SCC_POLICY command.
Network OS Administrator’s Guide
53-1003225-04