Brocade Communications Systems 53-1002745-02 Marine Radio User Manual


 
Fabric OS Administrator’s Guide 203
Device Connection Control policies

Multiple Device Connection Control (DCC) policies can be used to restrict which device ports can
connect to which switch ports. The devices can be initiators, targets, or intermediate devices such
as SCSI routers and loop hubs. By default, all device ports are allowed to connect to all switch
ports; no DCC policies exist until they are created. For information regarding DCC policies and
F_Port trunking, refer to the Access Gateway Administrator’s Guide.

Each device port can be bound to one or more switch ports; the same device ports and switch
ports may be listed in multiple DCC policies. After a switch port is specified in a DCC policy, it
permits connections only from designated device ports. Device ports that are not specified in any
DCC policies are allowed to connect only to switch ports that are not specified in any DCC policies.

When a DCC violation occurs, the related port is automatically disabled and must be re-enabled
using the portEnable command.

Table 32 on page 203 shows the possible DCC policy states.

Virtual Fabrics considerations

The DCC policies that have entries for the ports that are being moved from one logical switch to
another will be considered stale and will not be enforced. You can choose to keep stale policies in
the current logical switch or delete the stale policies after the port movements. Use the
secPolicyDelete command to delete stale DCC policies.

DCC policy restrictions

The following restrictions apply when using DCC policies:
• Some older private-loop host bus adaptors (HBAs) do not respond to port login from the switch
  and are not enforced by the DCC policy. This does not create a security problem because these
  HBAs cannot contact any device outside of their immediate loop.
• DCC policies cannot manage or restrict iSCSI connections, that is, an FC Initiator connection
  from an iSCSI gateway.
• You cannot manage proxy devices with DCC policies. Proxy devices are always granted full
  access, even if the DCC policy has an entry that restricts or limits access of a proxy device.
• DCC policies are not supported on the CEE ports of the Brocade 8000.

TABLE 32 DCC policy states

| Policy state | Characteristics |
|---|---|
| No policy | Any device can connect to any switch port in the fabric. |
| Policy with no entries | Any device can connect to any switch port in the fabric. An empty policy is the same as no policy. |
| Policy with entries | If a device WWN or Fabric port WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy. |
| | If a switch port is specified in a DCC policy, it only permits connections from devices that are listed in the policy. |
| | Devices with WWNs that are not specified in a DCC policy are allowed to connect to the switch at any switch ports that are not specified in a DCC policy. |
| | Switch ports and device WWNs may exist in multiple DCC policies. |
| | Proxy devices are always granted full access and can connect to any switch port in the fabric. |
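
The rules in Table 32 can be checked against a planned cabling map before a policy is activated, so that no port is disabled by an unexpected DCC violation. The following Python model is an added example, not Brocade code; the DccPolicy class, the function names, the policy names, the WWNs and the "switch/port" notation are constructed for illustration, and it does not model the private-loop HBA or iSCSI exceptions listed under DCC policy restrictions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DccPolicy:
    """One DCC policy: device port WWNs bound to switch ports (hypothetical model)."""
    name: str
    device_wwns: frozenset = frozenset()
    switch_ports: frozenset = frozenset()  # "switch/port" strings, constructed notation


def dcc_allows(policies, device_wwn, switch_port, is_proxy=False):
    """Return True if the connection is permitted under the Table 32 rules."""
    if is_proxy:
        return True  # proxy devices are always granted full access
    device_listed = any(device_wwn in p.device_wwns for p in policies)
    port_listed = any(switch_port in p.switch_ports for p in policies)
    if not device_listed and not port_listed:
        # No policy, an empty policy, or both sides outside every policy.
        return True
    # A listed device or a listed port needs one policy that names both.
    return any(device_wwn in p.device_wwns and switch_port in p.switch_ports
               for p in policies)


def violations(policies, cabling):
    """Return the (wwn, port) pairs of a planned cabling map that would be
    DCC violations, i.e. ports that would be disabled until portEnable is run."""
    return [(wwn, port) for wwn, port in cabling
            if not dcc_allows(policies, wwn, port)]


# Constructed sample data: two hosts, one array, three policies (one empty).
HOST_A = "10:00:00:00:c9:00:00:01"
HOST_B = "10:00:00:00:c9:00:00:02"
ARRAY = "50:00:00:00:aa:00:00:10"
POLICIES = [
    DccPolicy("hosts", frozenset({HOST_A}), frozenset({"sw1/1", "sw1/2"})),
    DccPolicy("array", frozenset({ARRAY}), frozenset({"sw1/8"})),
    DccPolicy("empty"),
]
PLANNED = [(HOST_A, "sw1/1"), (HOST_B, "sw1/8"), (ARRAY, "sw1/8"),
           (HOST_A, "sw1/5"), (HOST_B, "sw1/5")]

if __name__ == "__main__":
    for wwn, port in violations(POLICIES, PLANNED):
        print(f"DCC violation: {wwn} on {port}")
```
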