10-21-2010 02:27 AM
Is there any way to restrict edge switches from zone creation? My aim is to give authority to a few selected switches for creating zones and restrict the use of edge switches for creating zones. Can we disable "zonecreate"?
10-22-2010 12:28 AM
My suggestion is to NOT muck around with disabling or retrofitting at this level. What you should (or can) do is have different users on each of those switches and restrict on a privilege level. You can even create separate admin domains to restrict which switches/ports they are able to use.
10-24-2010 03:03 AM
You have another option which is more restrictive. Create an FCS_POLICY with secpolicycreate.
FCS_POLICY means Fabric Configuration Server. This is quite simple to introduce.
This means fabric-wide changes are only allowed on the FCS switch. Zoning changes can be done only on the primary switch. Show commands are possible on all switches.
In addition create a SCC_POLICY (Switch Connection Control Policy) to avoid an unwanted fabric merge.
Both together will make your security officer happy ;-)
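The FCS_POLICY and SCC_POLICY steps from the reply above, written out as a small POSIX shell helper that emits the Fabric OS CLI sequence to be run on the switch that will become the primary FCS. This is an added example, not code from the thread or from Brocade; the WWNs used are constructed placeholders, and the helper assumes the standard secpolicycreate / secpolicyactivate / secpolicyshow commands, where members of a policy are separated by semicolons and the first FCS_POLICY member is the primary FCS.

```shell
#!/bin/sh
# Added example: generate the Fabric OS commands that lock zoning changes to a
# primary FCS switch and lock fabric membership with an SCC policy.
# WWNs passed in are placeholders chosen by the caller; nothing here talks to
# a switch by itself.

# is_wwn STRING: true if STRING looks like a Fibre Channel WWN
# (eight colon-separated hex octets).
is_wwn() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$'
}

# fcs_policy_commands PRIMARY_WWN [BACKUP_WWN ...]
# Prints the command sequence for the primary FCS switch:
#   1. FCS_POLICY with the given switches; the first listed is the primary,
#      and once the policy is active only it may change zoning.
#   2. SCC_POLICY "*", which admits only the switches present in the fabric
#      at creation time, so a foreign switch cannot merge in later.
#   3. secpolicyactivate to push the defined set into the active set
#      (use secpolicysave instead to stage without activating).
#   4. secpolicyshow so the operator can verify what is now active.
fcs_policy_commands() {
    if [ "$#" -lt 1 ]; then
        echo "need at least the primary FCS WWN" >&2
        return 1
    fi
    members=""
    for wwn in "$@"; do
        if ! is_wwn "$wwn"; then
            echo "not a WWN: $wwn" >&2
            return 1
        fi
        if [ -z "$members" ]; then
            members="$wwn"
        else
            members="$members;$wwn"
        fi
    done
    printf 'secpolicycreate "FCS_POLICY", "%s"\n' "$members"
    printf 'secpolicycreate "SCC_POLICY", "*"\n'
    printf 'secpolicyactivate\n'
    printf 'secpolicyshow\n'
}
```

Review the printed lines before pasting them into the switch CLI (or piping them over ssh to the switch's admin account); after activation, check with secpolicyshow from an edge switch that zone commands are refused there while show commands still work. Because SCC_POLICY "*" freezes the member list at creation time, a switch added to the fabric later has to be admitted with secpolicyadd, otherwise its merge will be rejected.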
10-25-2010 06:14 AM
In order to make your security officer happy you could also turn on FIPS to lock down your entire fabric. This will also disable http, telnet and other non-secure communications to the switch.
It all depends how far you want to go.