Secpolicycreate – Dell POWEREDGE M1000E User Manual


Fabric OS Command Reference, 53-1002746-01, Chapter 2, page 916

secPolicyCreate

Creates a new security policy.

SYNOPSIS

secpolicycreate "name" [, "member[;member...]"] [-legacy]

DESCRIPTION

Use this command to create a new policy and to edit Switch Connection Control (SCC), Device
Connection Control (DCC), and Fabric Configuration Server (FCS) policies on the local switch. Each
policy can be created only once, except for DCC_POLICY_nnn policies, of which several may exist; each
DCC_POLICY_nnn must have a unique name. For SCC and DCC policies that are not intended to be
fabric-wide, this command can be issued on every switch in the current fabric.

Adding members while creating a policy is optional. You can add members to a policy later, using the
secPolicyAdd command.

Each policy corresponds to a management method. The list of members of a policy acts as an access
control list for that management method. Before a policy is created, there is no enforcement for that
management method; that is, all access is granted. After a policy is created and a member is added to
the policy, that policy is closed to all access except to the included members. If all members are then
deleted from the policy, all access to that management method is denied.

All newly created policies are saved on the local switch only, unless the switch has a fabric-wide
consistency policy for that policy.

In a Virtual Fabric environment, when you create a DCC lockdown policy on a logical switch, the DCC
policy is created for each port in the chassis, even for ports that are not currently present in the local
logical switch. This is done to provision the DCC policy for ports that may be moved into the logical
switch later. If a policy seems stale at any point, use the secPolicyDelete command to remove all stale
DCC policies.

Fabric-wide consistency policies can be configured on a logical switch basis, which applies the FCS
policy to the corresponding fabric connected to the logical switch. Automatic policy distribution behavior
for DCC, SCC, and FCS remains unchanged in Fabric OS v6.2.0 or later and can be configured on a
logical switch basis.

On switches running Fabric OS v7.1.0 or later, all DCC and SCC security policy members are sorted
by their world wide names (WWNs) to avoid port segmentation. This is not the case for switches running
earlier firmware versions; on these switches, security policy member lists are unsorted. When a switch
with an unsorted security policy member list tries to join a switch that runs Fabric OS v7.1.0 or later and
is configured with an ordered security policy list, port segmentation occurs because the two security
policy lists do not match. To prevent this, use the -legacy option to create security policy members in an
order that matches the order of security policy members in Fabric OS v7.1.0 and later.
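The access-control semantics described above (no policy means no enforcement, a policy with members admits only those members, an empty policy denies everyone) and the member-ordering mismatch that causes segmentation are easy to misread from prose alone. The following Python model is an added example and is not Fabric OS code; it assumes SCC-style members given as colon-separated WWNs, a DCC_POLICY_nnn name with a numeric suffix, and plain lexicographic WWN ordering as a stand-in for the switch's actual sort, none of which the page specifies.

```python
"""Added model of the secPolicyCreate access-control semantics (not Fabric OS code).
All WWNs used here are constructed sample values."""
import re
from dataclasses import dataclass, field

# Assumption: members are WWNs in the usual xx:xx:xx:xx:xx:xx:xx:xx form.
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")


@dataclass
class Policy:
    name: str
    members: list = field(default_factory=list)


def parse_members(member_str):
    """Split the "member[;member...]" operand into a validated, lower-cased list."""
    if not member_str:
        return []
    members = [m.strip().lower() for m in member_str.split(";") if m.strip()]
    for m in members:
        if not WWN_RE.match(m):
            raise ValueError(f"not a WWN: {m}")
    return members


def create_policy(policies, name, member_str="", sort_members=True):
    """Model of secpolicycreate on one switch.

    - SCC_POLICY and FCS_POLICY may exist once; DCC_POLICY_nnn may exist many
      times, each under a unique name (numeric suffix is an assumption).
    - sort_members=True models Fabric OS v7.1.0+ (members ordered by WWN);
      sort_members=False models an older switch that keeps the given order.
    """
    if name in policies:
        raise ValueError(f"policy {name} already exists")
    if not (name in ("SCC_POLICY", "FCS_POLICY") or re.fullmatch(r"DCC_POLICY_\d+", name)):
        raise ValueError(f"invalid policy name: {name}")
    members = parse_members(member_str)
    if sort_members:
        members = sorted(members)  # stand-in for the switch's WWN ordering
    policies[name] = Policy(name, members)
    return policies[name]


def is_allowed(policies, name, wwn):
    """Access decision for the management method guarded by policy `name`."""
    policy = policies.get(name)
    if policy is None:
        return True  # no policy yet: no enforcement, all access granted
    # A policy that exists but has no members denies everyone.
    return wwn.lower() in policy.members


def lists_match(a, b):
    """Order-sensitive comparison: a mismatch between a joining switch's list
    and the fabric's list is what produces port segmentation."""
    return a.members == b.members


def demo():
    """Walk through the states described in the manual and return the results."""
    new_switch, old_switch = {}, {}
    members = "10:00:00:05:1e:ff:00:01;10:00:00:05:1e:aa:bb:cc"
    before = is_allowed(new_switch, "SCC_POLICY", "10:00:00:05:1e:aa:bb:cc")
    create_policy(new_switch, "SCC_POLICY", members)              # v7.1.0+: sorted
    create_policy(old_switch, "SCC_POLICY", members, sort_members=False)
    create_policy(new_switch, "DCC_POLICY_001")                   # exists, empty
    return {
        "before_policy": before,
        "member_allowed": is_allowed(new_switch, "SCC_POLICY", "10:00:00:05:1e:aa:bb:cc"),
        "stranger_allowed": is_allowed(new_switch, "SCC_POLICY", "10:00:00:05:1e:00:00:00"),
        "empty_policy_allows": is_allowed(new_switch, "DCC_POLICY_001", "10:00:00:05:1e:aa:bb:cc"),
        "lists_match": lists_match(new_switch["SCC_POLICY"], old_switch["SCC_POLICY"]),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the three enforcement states in order and, in the last field, that the same two members entered on a sorting and a non-sorting switch produce lists that do not compare equal, which is the condition the -legacy option exists to avoid.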

NOTES

When an FCS policy is enabled, this command can be issued only from the Primary FCS switch.

The execution of this command is subject to Virtual Fabric or Admin Domain restrictions that may be in
place. Refer to Chapter 1, "Using Fabric OS Commands" and Appendix A, "Command Availability" for
details.

OPERANDS

This command has the following operands:

"name"

Specify the name of the policy you want to create. Valid values for this operand
include the following:

DCC_POLICY_nnn

SCC_POLICY

FCS_POLICY
