beautypg.com

Secpolicyadd – Dell POWEREDGE M1000E User Manual

Page 941

background image

Fabric OS Command Reference

913

53-1002746-01

secPolicyAdd

2

secPolicyAdd

Adds members to an existing security policy.

SYNOPSIS

secpolicyadd "name","member[;member...]" [-legacy]

DESCRIPTION

Use this command to add one or more members to an existing access policy.

Each policy corresponds to a management method. The list of members of a policy acts as an access
control list for that management method. Before a policy is created, there is no enforcement for that
management method; all access is granted. After a policy has been created and a member has been
added to the policy, that policy becomes closed to all access except from included members. If all
members are then deleted from the policy, all access is denied for that management method (the
DCC_POLICY is an exception).

Attempting to add a member to a policy that already is a member causes this command to fail.

In a Virtual Fabric Environment, when you create a DCC lockdown policy on a logical switch, the DCC
policy is created for each port in the chassis, even though the ports are not currently present in the local
logical switch. This is done to provision the DCC policy for the ports that may be moved later. If a policy
seems stale at any point, use secPolicyDelete to remove all stale DCC policies.

Fabric-wide consistency policies can be configured on per logical switch basis, which applies the FCS
policy to the corresponding fabric connecting to the logical switch. Automatic policy distribution for DCC,
SCC and FCS remains unchanged in Fabric OS v6.2.0 and can be configured on a per logical switch
basis.

On switches running Fabric OS v7.1.0 or later, all DCC and SCC security policy members are sorted
based on their world wide names (WWNs) in order to avoid a segmentation of ports. This is not the case
for switches running earlier firmware versions; on these switches, security member lists are unsorted.
When a switch with an unsorted security policy member list tries to join a switch that runs Fabric OS
v7.1.0 or later and is configured with an ordered security policy list, port segmentation occurs because of
mismatching security policy lists. To prevent this from happening, use the -legacy option to add security
policy members in a manner that matches the order of security policy members in Fabric OS v7.1.0 and
later.

NOTES

When an FCS policy is enabled, this command can be issued only from the Primary FCS switch. The
secpolicyadd command can be issued on all switches for SCC and DCC policies as long as fabric-wide
consistency policy is not set for the particular policy.

Do not add the WWNs of front or translate (xlate) domains to the FCS policy if the edge fabric is
connected to an FC Router.

Backup FCS switches typically cannot modify the policy. However, if the Primary FCS switch in the policy
list is not reachable, then a backup FCS switch is allowed to modify the policy. If all the reachable backup
FCS switches are running pre-v5.3.0 versions of Fabric OS, a non-FCS v5.3.0 switch is allowed to
modify the policy so that a new switch can be added to the policy.

The execution of this command is subject to Virtual Fabric or Admin Domain restrictions that may be in
place. Refer to Chapter 1, "Using Fabric OS Commands" and Appendix A, "Command Availability" for
details.