Brocade Access Gateway Administrator's Guide Supporting Fabric OS v7.0.0 (53-1002156-01, April 2011)
Advanced Device Security policy
Enabling and disabling the ADS policy
By default, the ADS policy is disabled. When you manually disable the ADS policy, all of the allow
lists (global and per-port) are cleared. Before disabling the ADS policy, you should save the
configuration using the configUpload command in case you need this configuration again.
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ag --policyenable ads command to enable the ADS policy.
switch:admin> ag --policyenable ads
The policy ADS is enabled
3. Enter the ag --policydisable ads command to disable the ADS policy.
switch:admin> ag --policydisable ads
The policy ADS is disabled
NOTE
Use the ag --policyshow command to determine the current status of the ADS policy.
Setting the list of devices allowed to log in
You can determine which devices are allowed to log in on a per-F_Port basis by specifying lists of
F_Ports and device WWNs in the ag --adsset command. The ADS policy must be enabled for this
command to succeed.
ag --adsset "F_Port [;F_Port2;...]" "WWN [;WWN2;...]"
where,
F_Port Port numbers in the port list.
WWN Device WWN.
Lists must be enclosed in quotation marks. List members must be separated by semicolons. The
maximum number of entries in the allowed device list is twice the per-port maximum login count.
Use an asterisk (*) instead of port numbers in the F_Port list to add the specified WWNs to all the
F_Ports’ allow lists. Use an asterisk (*) instead of WWNs to indicate access to all devices from the
specified F_Port list. A blank WWN list ("") indicates no access.
NOTE
Use an asterisk enclosed in quotation marks ("*") to set the allow list to “all access”; use a pair of
double quotation marks ("") to set the allow list to “no access”.
Note the following characteristics of the allow list:
• The maximum number of device entries allowed in the allow list is twice the per-port maximum login count.
• Each port can be configured to “not allow any device” or “to allow all the devices” to log in.
• If the ADS policy is enabled, by default, every port is configured to allow all devices to log in.
• The same allow list can be specified for more than one F_Port.
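As an added example, not taken from the guide or from Fabric OS itself, the following Python model captures the ADS allow-list rules described above: quoted, semicolon-separated lists; an asterisk meaning all F_Ports or all devices; an empty WWN list meaning no access; the cap of twice the per-port maximum login count; and the default of all access on a port that has no list when ADS is enabled. The port numbers, WWNs and maximum login count used are constructed values.

```python
import re

ALL = "*"  # an asterisk in either list means "all F_Ports" / "all devices"
# Fibre Channel WWN as Fabric OS prints it: eight colon-separated hex octets
WWN_RE = re.compile(r"^([0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$")


def split_list(arg):
    """Split one quoted ag --adsset list on semicolons, dropping empty members."""
    return [m.strip() for m in arg.split(";") if m.strip()]


def adsset(allow, ports, wwns, all_ports, max_login):
    """Apply one ag --adsset "ports" "wwns" call to the per-port allow lists.

    allow     -- dict mapping F_Port number to either ALL or a set of WWNs
    ports     -- the F_Port list argument ("*" targets every F_Port)
    wwns      -- the WWN list argument ("*" = all access, "" = no access)
    all_ports -- iterable of every F_Port on the gateway (constructed value)
    max_login -- per-port maximum login count; list size is capped at 2x this
    """
    if ports.strip() == ALL:
        targets = list(all_ports)
    else:
        targets = [int(p) for p in split_list(ports)]
    if wwns.strip() == ALL:
        entry = ALL
    else:
        members = split_list(wwns)
        bad = [w for w in members if not WWN_RE.match(w)]
        if bad:
            raise ValueError("malformed WWN(s): %s" % bad)
        if len(members) > 2 * max_login:
            raise ValueError("allow list exceeds twice the per-port max login count")
        entry = {w.lower() for w in members}  # empty set == "" == no access
    for p in targets:
        allow[p] = entry  # the same list may be set on several F_Ports


def login_allowed(allow, port, wwn, ads_enabled=True):
    """Decide whether device `wwn` may log in on F_Port `port`.

    With ADS disabled nothing is filtered; with ADS enabled, a port that has
    no list set defaults to all access, as the guide states.
    """
    if not ads_enabled:
        return True
    entry = allow.get(port, ALL)
    return entry == ALL or wwn.lower() in entry
```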
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ag --adsset command with the appropriate options to set the list of devices allowed to log in to specific ports. In the following example, ports 1, 10, and 13 are set to “all access.”