Fibre Channel (SAN)

N/A
Posts: 1
Registered: ‎06-29-2009

How to restrict edge switches from zone creation.

Hello,

Is there any way to restrict edge switches from zone creation? My aim is to give authority to a few selected switches for creating zones and restrict the use of edge switches for creating zones. Can we disable "zonecreate"?

Kindly help.

Frequent Contributor
Posts: 104
Registered: ‎07-27-2009

Re: How to restrict edge switches from zone creation.

My suggestion is to NOT muck around with disabling or retrofitting at this level. What you should (or can) do is have different users on each of those switches and restrict on a privilege level. You can even create separate admin domains to restrict which switches/ports they are able to use.

Cheers

E

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: How to restrict edge switches from zone creation.

You have another option which is more restrictive. Create an FCS_POLICY with secpolicycreate.

FCS_POLICY means Fabric Configuration Server. This is quite simple to introduce.

This means fabricwide changes are only allowed on the FCS switch. Zoning changes can be done only on the primary switch. Show commands are possible on all switches.

In addition create a SCC_POLICY (Switch Connection Control Policy) to avoid an unwanted fabric merge.

Both together will make your security officer happy ;-)

Regards,

Andreas
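A sketch of the command sequence the reply above describes, added here as an illustration and not posted by any participant in the thread. The WWNs are constructed placeholders, the `switch:admin>` prompt is assumed, and lines starting with `#` are annotations, not input. Distributing the policies to the other switches depends on the Fabric OS release and is not shown.

```text
# Run on the switch that should hold zoning authority.
# The first WWN in the list becomes the primary FCS switch,
# any further WWNs are backup FCS switches.
switch:admin> secpolicycreate "FCS_POLICY", "10:00:00:00:00:00:00:01;10:00:00:00:00:00:00:02"

# SCC_POLICY lists the switches allowed to join the fabric.
# "*" adds every switch that is currently a fabric member, so confirm
# the membership list before activating.
switch:admin> secpolicycreate "SCC_POLICY", "*"

# Policies are created in the defined set. Nothing is enforced
# until they are activated.
switch:admin> secpolicyactivate

# Verify the active and defined policy sets and which switch is primary.
switch:admin> secpolicyshow
```

After activation, attempt a zoning change from an edge switch that is not in the FCS list and confirm it is rejected, while show commands still work there.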

Frequent Contributor
Posts: 104
Registered: ‎07-27-2009

Re: How to restrict edge switches from zone creation.

In order to make your security officer happy you could also turn on FIPS to lock down your entire fabric. This will also disable http, telnet and other non-secure communications to the switch.

It all depends how far you want to go.

Regards,

E
