Enabling and disabling the ads policy, Allow lists, Setting the list of devices allowed to log in – Dell POWEREDGE M1000E User Manual

Access Gateway Administrator’s Guide

53-1002743-01

Advanced Device Security policy

Enabling and disabling the ADS policy

By default, the ADS policy is disabled. When you manually disable the ADS policy, all of the allow
lists (global and per-port) are cleared. Before disabling the ADS policy, you should save the
configuration using the configUpload command in case you need this configuration again.

1. Connect to the switch and log in using an account assigned to the admin role.

2. Enter the ag --policyenable ads command to enable the ADS policy.

switch:admin> ag --policyenable ads

The policy ADS is enabled

3. Enter the ag --policydisable ads command to disable the ADS policy.

switch:admin> ag --policydisable ads

The policy ADS is disabled

NOTE

Use the ag --policyshow command to determine the current status of the ADS policy.

Allow lists

You can determine which devices are allowed to log in on a per-F_Port basis by specifying lists of
F_Ports and device WWNs in the ag --adsset command. The ADS policy must be enabled for this
command to succeed.

ag --adsset "F_Port [;F_Port2;...]" "WWN [;WWN2;...]"

Lists must be enclosed in quotation marks. List members must be separated by semicolons. The
maximum number of entries in the allowed device list is twice the per-port maximum login count.

Use an asterisk (*) instead of port numbers in the F_Port list to add the specified WWNs to all the
F_Ports allow lists. Use an asterisk (*) instead of WWNs to indicate access to all devices from the
specified F_Port list. A blank WWN list ("") indicates no access.

NOTE

Use an asterisk enclosed in quotation marks ("*") to set the allow list to "all access"; use a pair of
double quotation marks ("") to set the allow list to "no access".

Note the following characteristics of the allow list:

• The maximum number of device entries allowed in the allow list is twice the per-port maximum login count.

• Each port can be configured to "not allow any device" or "to allow all the devices" to log in.

• If the ADS policy is enabled, by default, every port is configured to allow all devices to log in.

• The same allow list can be specified for more than one F_Port.

Setting the list of devices allowed to log in

1. Connect to the switch and log in using an account assigned to the admin role.

2. Enter the ag --adsset command with the appropriate options to set the list of devices allowed
to log in to specific ports. In the following example, ports 1, 10, and 13 are set to "all access."

switch:admin> ag --adsset "1;10;13" "*"

WWN list set successfully as the Allow Lists of the F_Port[s]
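The following is an added example, not part of the original manual: a Python helper that checks an allow list against the rules above (quoted, semicolon-separated lists; at most twice the per-port maximum login count) before emitting the ag --adsset command line. The function name, the WWN format check, the allow_all guard and the sample WWNs in the test are assumptions of this example; the per-port maximum login count is site-specific and must be supplied by the caller.

```python
import re

# A Fibre Channel WWN is 64 bits, written here as eight colon-separated hex bytes.
WWN_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){7}$")


def build_adsset(ports, wwns, max_logins_per_port, allow_all=False):
    """Return the 'ag --adsset' command line for one allow list (hypothetical helper).

    ports: iterable of F_Port numbers, or "*" for every F_Port.
    wwns:  iterable of WWN strings, "*" for all access, or an empty list for no access.
    max_logins_per_port: the per-port maximum login count configured on the switch.
    allow_all: must be True to emit the "*" WWN list, which admits every device.
    """
    if ports == "*":
        port_arg = "*"
    else:
        port_list = sorted({int(p) for p in ports})
        if not port_list or port_list[0] < 0:
            raise ValueError("F_Port list must contain non-negative port numbers")
        port_arg = ";".join(str(p) for p in port_list)

    if wwns == "*":
        # "All access" is also the default once ADS is enabled; require an explicit opt-in.
        if not allow_all:
            raise ValueError('refusing "*" WWN list without allow_all=True')
        wwn_arg = "*"
    else:
        normalized = []
        for wwn in wwns:
            wwn = wwn.strip().lower()
            if not WWN_RE.match(wwn):
                raise ValueError(f"malformed WWN: {wwn!r}")
            if wwn not in normalized:  # drop duplicates, keep order
                normalized.append(wwn)
        limit = 2 * max_logins_per_port  # allow-list size rule stated above
        if len(normalized) > limit:
            raise ValueError(f"{len(normalized)} WWNs exceed the allow-list limit of {limit}")
        wwn_arg = ";".join(normalized)  # an empty string means "no access"

    # Each list is enclosed in its own pair of quotation marks.
    return f'ag --adsset "{port_arg}" "{wwn_arg}"'
```

Passing an empty WWN list produces the "no access" form (""), so review the generated command before running it on a port that carries production logins.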