Access gateway policy enforcement matrix, Advanced device security policy, How the ads policy works – Dell POWEREDGE M1000E User Manual

Page 48: Table 6


Access Gateway Administrator’s Guide

53-1001760-01


Access Gateway policy enforcement matrix

The following table shows which combinations of policies can co-exist with each other.

Advanced Device Security policy

ADS is a security policy that restricts access to the fabric at the AG level to a set of authorized
devices. Unauthorized access is rejected and the system logs a RASLOG message. You can
configure the list of allowed devices for each F_Port by specifying their Port WWN (PWWN). The ADS
policy secures virtual and physical connections to the SAN.

How the ADS policy works

When you enable this policy, it applies to all F_Ports on the AG-enabled module. By default, all
devices have access to the fabric on all ports. You can restrict fabric connectivity to a particular
set of devices: AG maintains a per-port allow list of the devices whose PWWNs you define as
permitted to log in through an F_Port. You can view the devices with active connections to an
F_Port using the ag --show command.

NOTE

The ag --show command only displays the Core AGs, such as the AGs that are directly connected to
fabric. The agshow --name name command displays the F_Ports of both the Core and Edge AGs.

Alternatively, the security policy can be established in the Enterprise fabric using the DCC policy.
For information on configuring the DCC policy, see “Enabling the DCC policy on trunk” on page 53.

The DCC policy in the Enterprise fabric takes precedence over the ADS policy. It is generally
recommended to implement the security policy in the AG module rather than in the main fabric,
especially if Failover and Failback policies are enabled.
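
The per-port allow-list behavior described under "How the ADS policy works", as an added Python model that is not part of the guide and is not AG code: it shows the admission decision and a dry run that lists which current logins would be rejected once the policy is enabled. The class and function names, the port numbers and the PWWNs are constructed for illustration.

```python
import re

# Colon-separated 8-byte Fibre Channel WWN, e.g. 10:00:00:00:c9:aa:bb:01
_WWN_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){7}")

def normalize_pwwn(text):
    """Lower-case and validate a PWWN so allow-list comparisons are exact."""
    wwn = text.strip().lower()
    if not _WWN_RE.fullmatch(wwn):
        raise ValueError(f"not a valid PWWN: {text!r}")
    return wwn

class AdsModel:
    """Model of the per-F_Port allow list (hypothetical names, not AG code)."""

    def __init__(self, enabled=False):
        self.enabled = enabled
        self.allow = {}       # F_Port number -> set of permitted PWWNs
        self.rejections = []  # stand-in for the RASLOG message on a reject

    def restrict(self, port, pwwns):
        self.allow[port] = {normalize_pwwn(w) for w in pwwns}

    def login(self, port, pwwn):
        """Return True if the device may log in through this F_Port."""
        wwn = normalize_pwwn(pwwn)
        # Policy disabled, or no list defined for the port: all devices pass.
        if not self.enabled or port not in self.allow:
            return True
        if wwn in self.allow[port]:
            return True
        self.rejections.append((port, wwn))
        return False

def dry_run(allow, observed):
    """Before enabling ADS, report which current logins would be rejected
    and which in-use ports have no allow list defined."""
    model = AdsModel(enabled=True)
    for port, pwwns in allow.items():
        model.restrict(port, pwwns)
    for port, pwwn in observed:
        model.login(port, pwwn)
    open_ports = sorted({p for p, _ in observed if p not in model.allow})
    return model.rejections, open_ports

# Constructed sample data: intended allow lists and currently logged-in devices.
ALLOW = {1: ["10:00:00:00:C9:AA:BB:01"],
         2: ["10:00:00:00:c9:aa:bb:02", "10:00:00:00:c9:aa:bb:03"]}
OBSERVED = [(1, "10:00:00:00:c9:aa:bb:01"), (2, "10:00:00:00:c9:aa:bb:09"),
            (3, "10:00:00:00:c9:aa:bb:04")]
```

Running the dry run against the devices currently logged in shows which hosts would lose fabric access and which ports would stay open to any device after the policy is enabled.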

TABLE 6   Policy enforcement matrix

Policies                   Auto Port Configuration   Port Grouping     N_Port Trunking   ADS Policy
-------------------------  ------------------------  ----------------  ----------------  ------------
Auto Port Configuration    N/A                       Cannot co-exist   Can co-exist      Can co-exist
N_Port Grouping            Mutually exclusive        N/A               Can co-exist      Can co-exist
N_Port Trunking            Can co-exist              Can co-exist      N/A               Can co-exist
ADS Policy [1]             Can co-exist              Can co-exist      Can co-exist      N/A
Device Load Balancing [2]  Cannot co-exist           Can co-exist      Can co-exist      Can co-exist

1. The ADS policy is not supported when using Device mapping.
2. Device Load Balancing and Automatic Login Balancing cannot be enabled for the same port group.
