Query: Best practice SAN switch (network) access control rules?

Dear SAN experts,
Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative may require knowledge of the server IP and port number of the hosted service that is being DoS protected.
So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
Regards,
Will.

Hi William,
That's a pretty wide net you're casting there, but I'll do my best to give you some insight in the matter.
Speaking pure fibre channel, your only real way of controlling which nodes can access which other nodes is Zones.
For zones there are a few best practices:
* Default Zone: Don't use it unless you're running FICON.
* Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other, which at best will give you a performance hit, at worst will bring down your systems.
* Don't mix zoning types: You can zone on WWN, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN zoning. Don't use different types of these in one zone.
* Device alias zoning is definitely recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing HBAs a heck of a lot less painful in your fabric.
* LUN zoning is being deprecated, so avoid it. You can achieve the same effect on any modern array by doing LUN masking.
* Read-Only exists, but again any modern array should be able to make a LUN read-only.
* QoS on Zoning: Isn't really an ACL method, more of a congestion control.
VSANs are a way to separate your physical fabric into several logical fabrics. There's one big distinction from VLANs here: as a rule of thumb, you should put things that you want to talk to each other in the same VSAN. There's no such concept as a broadcast domain in FC the way it exists in Ethernet, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions; use VSANs for logical units of hosts and storage that belong to each other. A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between the DCs, and use IVR to give management hosts in-band access to all arrays.
When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
Traditional IP ACLs (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. The same goes for Fibre Channel over IP links (that connect to Ethernet interfaces in your storage switch).
They are quite logical to use and work just the same on an MDS as on a traditional Ethernet switch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
To protect your SAN from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
That's a very brief summary of the most important access-control-related Best Practices that come to mind. If any of this isn't clear to you or you require more detail, let me know. HTH!
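As an added illustration of how the zoning rules in the answer above can be checked mechanically (this is example code written for this page, not code from the thread or from Cisco), the Python script below parses a constructed excerpt in NX-OS `show running-config zone` syntax and flags three of the listed practices: a default zone left permitted, more than one initiator in a zone, and mixed member types in a zone. The config text, the alias names, the WWNs and the NODE_ROLES inventory are all constructed for the example; a real audit would take the running config from the switch and the initiator/target roles from HBA and array documentation.

```python
"""Audit a Cisco MDS / NX-OS style zoning configuration against three of the
zoning rules in the answer above: the default zone must not be permitted,
a zone must hold at most one initiator, and a zone must not mix member types.

Everything below (config excerpt, alias names, WWNs, role inventory) is
constructed for this example and does not describe any real fabric.
"""
import re

# Constructed inventory of node roles. A real audit would build this from
# HBA/array documentation or the fabric's FLOGI/FCNS data.
NODE_ROLES = {
    "esx01_hba0": "initiator",
    "esx02_hba0": "initiator",
    "array_spa0": "target",
    "array_spb0": "target",
    "50:06:01:60:ab:cd:ef:02": "target",  # a target zoned by raw pWWN
}

# Constructed excerpt in 'show running-config zone' syntax.
SAMPLE_CONFIG = """\
zone default-zone permit vsan 20
zone name z_esx01_hba0 vsan 10
  member device-alias esx01_hba0
  member device-alias array_spa0
zone name z_esx_cluster vsan 10
  member device-alias esx01_hba0
  member device-alias esx02_hba0
  member device-alias array_spb0
zone name z_esx02_mixed vsan 10
  member device-alias esx02_hba0
  member pwwn 50:06:01:60:ab:cd:ef:02
"""

ZONE_RE = re.compile(r"^zone name (\S+) vsan (\d+)\s*$")
MEMBER_RE = re.compile(r"^\s+member (device-alias|pwwn|fcid|interface) (\S+)")
DEFAULT_PERMIT_RE = re.compile(r"^zone default-zone permit vsan (\d+)\s*$")


def parse_zones(config):
    """Parse zone definitions and default-zone permits out of config text.

    Returns (zones, permitted_default_vsans) where zones maps
    (zone_name, vsan_id) -> [(member_type, member_value), ...].
    """
    zones = {}
    permitted_default_vsans = []
    current = None
    for line in config.splitlines():
        m = DEFAULT_PERMIT_RE.match(line)
        if m:
            permitted_default_vsans.append(int(m.group(1)))
            continue
        m = ZONE_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            zones[current] = []
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            zones[current].append((m.group(1), m.group(2)))
    return zones, permitted_default_vsans


def audit(config, roles):
    """Return a list of (scope, finding) tuples, one per violated rule.

    scope is 'vsan <id>' for fabric-wide findings and the zone name for
    per-zone findings; the list is empty when the config is clean.
    """
    zones, permitted_default_vsans = parse_zones(config)
    findings = []
    for vsan in permitted_default_vsans:
        findings.append((f"vsan {vsan}",
                         "default zone permits traffic; apply "
                         f"'no zone default-zone permit vsan {vsan}'"))
    for (name, _vsan), members in zones.items():
        member_types = {mtype for mtype, _ in members}
        if len(member_types) > 1:
            findings.append((name,
                             f"mixed member types {sorted(member_types)}; "
                             "zone on one type only (device-alias preferred)"))
        initiators = [val for _, val in members if roles.get(val) == "initiator"]
        if len(initiators) > 1:
            findings.append((name,
                             f"{len(initiators)} initiators in one zone {initiators}; "
                             "split into single-initiator zones"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG, NODE_ROLES):
        print(f"{scope}: {finding}")
```

The initiator check is only as good as the role inventory: a member whose role is unknown (for example an `interface` or `fcid` member) is not counted, so an incomplete inventory under-reports rather than raising false alarms. Members zoned by raw pWWN are caught only when they are mixed with another member type, which is exactly the case the answer warns about.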

Similar Messages

  • What is the best practice for using the Calendar control with the Dispatcher?

    It seems as if the Dispatcher is restricting access to the Query Builder (/bin/querybuilder.json) as a best practice regarding security. However, the Calendar relies on this endpoint to build the events for the calendar. On Author / Publish this works fine but once we place the Dispatcher in front, the Calendar no longer works. We've noticed the same behavior on the Geometrixx site.
    What is the best practice for using the Calendar control with Dispatcher?
    Thanks in advance.
    Scott

    Not sure what exactly you are asking but Muse handles the different orientations nicely without having to do anything.
    Example: http://www.cariboowoodshop.com/wood-shop.html

  • Best Practice to Assign Network

    Hi Experts,
    I have a question - What is best practice to Assign networks. Is it Header assignment or Activity Assignment.
    I have a requirement which asks for a WBS Level Cost and Revenue posting while settlement. I followed the standard design of having a 1st level WBS and assigned a Network to that. Also have 2nd level WBSs linked to 1st level WBS, which have the activities. Does this suffice the settlement requirement?
    Thanks
    Rajesh

    Hi,
    The asked question needs more clarifications.
    Header-assigned Network is used in Assembly processing, i.e. from a sales order when the project is generated automatically. In that case each sales order line item will have one network assigned to it, or there is an activity-assigned network which acts as an intermediary between WBS and activity.
    Regarding project profile, if you want to assign the network to the Project definition then only 1 network will be there in the project structure, or if to the WBS element then each WBS will have one network.
    Further, you have also mentioned settlement, which needs more elaboration.
    regards
    sameer

  • Access Control Rules Queries

    Howdy,
    I have a couple of queries about Access Control Rules that I am hoping someone can answer for me.
    We are running GW 8.0.2 with a single GWIA for our external (SMTP) mail. The access control is set up as follows:
    Default Class of Service (allow SMTP in and out, IMAP and POP3) assigned to Everyone.
    Allow Internet Email (allow SMTP in and out, allow IMAP, deny POP3) assigned to a distribution list.
    Deny Internet Email (deny SMTP in (with some source exceptions for internal systems), deny SMTP out, deny IMAP and POP3) assigned to a distribution list. We add every user to this dist list by default.
    The net effect of these rules is that unless a user is added to the distribution list that the Allow Internet Email rule is assigned to, they cannot send or receive SMTP mail. This is what we are after. These rules were set up some time ago by another administrator who is no longer around.
    My first query relates to the order of the rules. Are they evaluated in any particular order? If so, what determines the precedence?
    My second query is can we dispense with the specific Deny Internet Email rule we have in place by changing the Default Class of Service to DENY SMTP in and out, or does this Class of Service need to be Allow for some reason? I note that I cannot delete the Default Class of Service or change its membership. I can, however, edit it.
    Finally, I would like to set things up so that we can allow only a small group of people to send mail to a particular domain. These people are already members of the distribution list that allows SMTP out. What I am planning to do is:
    Create a distribution list and add the people who need this access to it.
    Modify the Allow Internet Email Class of service so that the SMTP out has an exception added for the domain we want to control.
    Create a new Class of Service that allows SMTP out without any exceptions and assign the membership of this to the distribution list created above.
    Will this stop everyone who is allowed to send SMTP mail from sending to the nominated domain except for those people in the new distribution list?
    Thanks for any help or suggestions.
    Cheers
    Stuart

    Hi.
    On 11.07.2011 01:36, Big Stu wrote:
    > My first query relates to the order of the rules. Are they
    > evaluated in any particular order? If so what determines the
    > precedence?
    >
    > My second query is can we dispense with the specific Deny Internet
    > Email rule we have in place by changing the Default Class of Service to
    > DENY SMTP in and out or does this Class of Service need to be Allow for
    > some reason. I note that I cannot delete the Default Class of Service or
    > change its membership. I can, however, edit it.
    To answer both questions, no, you can't deny the default class of
    service, cause you can only *remove* access with other classes, but
    never *expand* from the default.
    > Finally, I would like to set things up so that we can allow only a
    > small group of people to send mail to a particular domain. These people
    > are already members of the distribution list that allows SMTP out. What
    > I am planning to do is:
    >
    > Create a distribution list and add the people who need this access to
    > it.
    > Modify the Allow Internet Email Class of service so that the SMTP out
    > has an exception added for the domain we want to control.
    > Create a new Class of Service that allows SMTP out without any
    > exceptions and assign the membership of this to the distribution list
    > created above.
    >
    > Will this stop everyone who is allowed to send SMTP mail from sending
    > to the nominated domain except for those people in the new distribution
    > list?
    Yes, that should work.
    CU,
    Massimo Rosen
    Novell Knowledge Partner
    No emails please!
    http://www.cfc-it.de

  • Cannot display Access Control Rules page --- BUG REPORT

    iWS 4.1sp9 on Linux Admin GUI cannot display Access Control Rules page for Netscape browsers 4.7 and 6.2 or for IE 4.
    It does work for IE 5.5 (running this in VMware).
    I'm reporting this bug here as I can't see anywhere else to put it.

    It could be a firmware bug, or it could be something else bugging out. If the router hasn't been factory reset and it's been through a few firmware upgrades, try resetting it to factory defaults. Take note of any custom settings you have, so you can go in and manually re-configure the router. I would avoid importing a backed up config file in case the config turns out to be the problem, but it doesn't hurt to download a copy of your config now.
    Give that a try. Others might have some more ideas.
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!

  • Template(best practice) for Switch ports

    Hi,
    Looking for best practice advice on switchport config for client facing ports.
    We recently had an incident where an access port turned into a trunk (trunk mode desirable), which we obviously do not want to happen again!
    For Access Ports (the first two should stop DTP, I'm hoping?):
    switchport mode access
    switchport nonegotiate
    storm-control broadcast level 20.00
    storm-control action trap
    no cdp enable
    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree guard root
    switchport port-security maximum 10
    switchport port-security
    switchport port-security aging time 10
    And for trunk ports to clients:
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk allowed vlan xxx,xxx
    switchport nonegotiate
    storm-control broadcast level 20.00
    storm-control action trap
    no cdp enable
    spanning-tree bpdufilter enable
    spanning-tree guard root
    Thanks in advance.

    Look here: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html#wp68930
    That's Cisco's branch design doc from Design Zone.
    For those that want a fast answer:
    For VoIP phones and PC:
    interface GigabitEthernet1/0/6 - interface GigabitEthernet1/0/23
    description phone with PC connected to phone
    switchport access vlan 102
    switchport mode access
    switchport voice vlan 101
    switchport port-security maximum 2
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 100
    load-interval 30
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    mls qos trust device cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 100
    For data only:
    interface GigabitEthernet1/0/24- interface GigabitEthernet1/0/28
    description DATA only ports
    switchport access vlan 102
    switchport mode access
    switchport port-security maximum 3
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    ip arp inspection limit rate 100
    load-interval 30
    srr-queue bandwidth share 1 70 25 5
    srr-queue bandwidth shape 3 0 0 0
    priority-queue out
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip verify source
    ip dhcp snooping limit rate 100
    That's Cisco's recommendation.
    And just my opinion is that I'd much rather shut a port down that receives a BPDU than just filter it. The reason is that you can't trust users not to do something stupid, like hook two switch ports to the same switch they're using at their desk in an effort to "make the network faster". Second, if someone malicious plugs a switch into your environment, shut the port down... that makes it hard for them to do anything malicious.

  • Looking for some best practice regarding Content Administrator access

    Hi. I am looking for some best practice or rule of thumb from SAP or from different companies on how they address Portal Content Administrator access in a Production environment. Basically, our company is implementing a portal to work with SAP BW. We are on SP 9. I am trying to determine if we should have 1-2 Portal Content Administrators in Production with 24/7 access or whether we should limit them from having this. Can you share with me some ideas of what is right and what is not?
    Should we have access in Production? Or should we have this access but limited? By the way, our users are allowed to publish BI reports/queries into Production.

    Hello Michael,
    Refer to this guide about managing initial content in portal.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/00bfbf7c-7aa1-2910-6b9e-94f4b1d320e1
    Regards
    Deb
    [Reward Points for helpful answers]

  • Query Best Practice for Reports

    I am new to Apex and I am wondering what is the best practice for storing your SQL queries for reports. I am a believer in storing all SQL behind package functions or procedures. And it looks like the only options for report pages are to use a direct SQL query, or a function that returns a query as a string. Yes, the function method counts as putting the code in Oracle, but not really. It is still getting compiled and parsed on the Apex side. It would be nice if Apex could handle a cursor but I have read that it doesn't directly. You have to have a function that returns a cursor and then create a pipelined function that calls the cursor function. That is kind of silly. Is there some other way to do this?
    Apex 4.2
    Oracle 11.2.0.2
    Thanks for any input.
    Jeff

    Hi Jeff,
    I'm not necessarily a believer in packaging queries. I'm a little more pragmatic in that I believe it may make sense in environments where you have a client environment that just expects a result set that is then manipulated by the client for the purposes of presentation, pagination etc. Apex has a different architecture in that the client is purely an HTML presentation layer (browser) and the presentation, pagination etc is formulated in the database along with the data using the Oracle web toolkit, which is a set of internal packages that produce HTML. Note that handling and manipulating ref cursors inside PL/SQL is not a joy, they were mainly designed to be passed out to external clients. (Often to shield programmers who don't or won't even try to understand relational concepts)
    This means that when you create a report based on a query, the Apex engine will manipulate that base query, depending on the display requirements and pagination requirements of your report, before it submits that query to the database for execution. To get an idea of how this manipulation occurs, you can run your report in debug mode and check the actual query that is submitted to the database. If the query is presented as an already executed ref cursor, then the Apex engine can't execute in the way that it does. As you have already found out, the only way of using packaged queries returning ref cursors is by the use of a pipelined function, so that the Apex engine can treat the result as a normal query.
    This is the architecture of Apex, and I suspect that re-engineering the Apex engine to handle ref cursors natively, as opposed to using a pipelining trick, would be a considerable change. I hope this at least helps to explain why ref cursors and Apex don't mix. I personally don't see the purpose of having an abstraction layer of packaged queries below an abstraction layer of an API such as Apex. SQL is a perfectly good API.
    Regards
    Andre

  • Best practice for limiting network management to few devices

    Hello ,
    I have set up a very basic security implementation that is no way realistic, but I just want to experiment and learn...
    In my 1801 router that answers DHCP requests on separate wired and wireless vlans, I have bound static IP addresses to the MAC addresses of my laptop wireless and wired interfaces.
    Then I set up an ACL to permit inbound traffic from these IPs only for the vty lines.
    Obviously this is easily defeated by statically assigning these same IPs to any device on the network, so I was thinking about a better way to limit management of the router to a few devices.
    What is the best practice in professional environments?
    Thanks.

    Obviously this is easily defeated by statically assigning these same IPs to any device on the network, so I was thinking about a better way to limit management of the router to a few devices.
    TACACS or RADIUS with a robust password policy and a regular interval to change the passwords (30 to 45 days).
    Read this and go to the "Composing hard-to-guess passwords" section.

  • Best practice for how to access a set of wsdl and xsd files

    I've recently been poking around with the Oracle ESB, which requires a bunch of wsdl and xsd files from HOME/bpel/system/xmllib. What is the best practice for including these files in a BPEL project? It seems like a bad idea to copy all these files into every project that uses the ESB, especially if there are quite a few consumers of the bus. Is there a way I can reference this directory from the project so that the files can just stay in a common place for all the projects that use them?
    Bret

    Hi,
    I created a project (JDeveloper) with local xsd-files and tried to delete and recreate them in the structure pane with references to a version on the application server. After reopening the project I deployed it successfully to the bpel server. The process is working fine, but in the structure pane there is no information about any of the xsds anymore and the payload in the variables there is an exception (problem building schema).
    How does bpel know where to look for the xsd-files and how does the mapping still work?
    This cannot be the way to do it correctly. Do I have a chance to rework an existing project or do I have to rebuild it from scratch in order to have all the references right?
    Thanks for any clue.
    Bette

  • ACS 5.3 cannot create default network access authorization rule

    Hi, when I click 'Create...' under Access Policies > Default Network Access > Authorization, and then press the 'OK' button, it says 'Please configure at least 1 condition.' However I have no way to configure conditions as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used... anyone have an idea? Thank you!

    Looks like you are using Chrome and it's not a supported browser.
    Supported Web Client/Browsers
    You can access ACS 5.3 administrative user interface using the following Web Client/Browsers:
    • Windows 7 32 bit
    • Windows XP Professional (Service Pack 2 and 3)
    • Windows Vista
    • Internet Explorer version 7.x
    • Internet Explorer version 8.x
    • Internet Explorer version 9.x
    • Mozilla Firefox version 3.x
    • Mozilla Firefox version 4.x
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp222016
    Jatin Katyal
    - Do rate helpful posts -

  • Access Control Rule Set deletion in GRC 10

    Greetings,
    Has anyone tried deleting rulesets or experienced any issues while deleting rule sets in GRC 10? I have tried to delete them from SPRO as well as from the Setup tab in Access Control, however it's not working for me. Even in SPRO, after choosing the physical system and logical system information, it stays on that screen forever and nothing happens.
    Any help or guidance here will be much appreciated.
    Thanks everyone for your valuable time.
    Vikas

    Hey ,
    There are no tricks or tips.  It was something stupid on my part.
    I just had a look at the system again and found a function left in the system which was mapped to this ruleset, so that was the only reason I was not able to delete the ruleset. As soon as I deleted that function, it worked.
    So I was able to delete the entire rule set after deleting all the risks and functions mapped to this rule set.
    Have a great day ahead ...
    Vikas

  • Best practice for switching from Windows vCenter to vCenter Appliance?

    CrimsonKidA wrote:
    > Mike Bailey wrote:
    > > What are the limitations?
    > > Also I was considering this for 6.0 migration, anything in 6 to be concerned about? Or is sticking with the Windows version still the best path?
    > Our license is for 5.5 so moving to 6.0 vCenter Appliance isn't an option for us. :/
    Do you not have a support contract? Something I would recommend for a production environment.

    Does anyone have documentation on this? I cannot seem to find anything online, or it's deprecated. I'm switching from vCenter hosted on Windows Server 2012 R2 to the vCenter virtual appliance (both are version 5.5). I have already deployed the OVA but have yet to configure anything beyond basic networking. Can I export the config from our Windows vCenter, then import it into the vCenter appliance? Help appreciated....
    This topic first appeared in the Spiceworks Community

  • Best practice for code structure to control multiple devices in a 2 stage-sequence

    I have a question about code architecture and getting multiple devices controlled and synchronized for one experiment. This is an "architecture"-type inquiry, so I am hoping for some suggestions on how to proceed.
    I run an experiment in which I control 2 NI PCI-6733. I am soon to add a Tektronix AFG 3022B, and have long been putting off an opportunity to rewrite my LabVIEW code from the ground up. I inherited it from an earlier researcher, and while functional, I would like to make it easier to modify and break up into subVIs and such. The link to the current program (LabVIEW 8.6.1) is here if you would like to see the code that is currently used, and the subVIs are in a zip file. The current version of the experiment consists of just one stage; all the writing of the data to the PCI cards is saved for the end. I need to change this in my new setup though.
    The new experiment consists of 2 stages. The first will run (looping an output array to the PCI cards) until it hears a "true" from another computer (connected via TCP). At that point, it should switch to stage 2 and run a sequence (usually 10^5 timeunits in length, where the time unit is 0.1 ms) that outputs to the two PCI cards, the AFG 3022B, and with the flexibility to add more devices in the future.
    Most appreciated would be structural advice. How to arrange the VIs, if it's good to use a "master" VI that would control the two subVi's of stage 1 and 2, etc...  Feel free to ask for more details if it would help clarify my question. Thanks!

    Programs of this type usually use a state machine of some sort. You can find many tutorials on LabVIEW state machines in these forums or the LAVA forums. If you are doing a rewrite, I would also recommend you consider LabVIEW classes. They help modularize your code and make the subparts more reusable. You may end up with less to maintain as a result.
    <shamelessPlug>You may also want to consider TestStand.  It was designed to run sequences of tests, so may make your life easier.  It could also be gross overkill.</shamelessPlug>
    Let us know if you run into issues with state machines or classes.
    This account is no longer active. Contact ShadesOfGray for current posts and information.

  • Best practice for having an access point giving out only a specific range

    Hey All,
    I have an access point which is currently set to relay all dhcp request to the server DC-01, However the range that has been setup is becoming low on available IP addresses so I have been asked if it is possible to setup another range for the AP only.
    Is there a way to set the DHCP up with a new range and say anything from that access point will then be given a 192.168.2 subnet address as opposed to the standard 192.168.1 subnet?
    Or would it be easier / better to create a superscope and slowly migrate the users to a new subnet with a larger range?
    Any help or suggestions would be appreciated.
    thanks
    Anthony

    Hi,
    Maybe we could configure a DHCP superscope to achieve your target.
    For details, please refer to the following articles.
    Configuring a DHCP Superscope
    http://technet.microsoft.com/en-us/library/dd759168.aspx
    Create a superscope to solve the problem of dwindling IP addresses
    http://www.techrepublic.com/article/create-a-superscope-to-solve-the-problem-of-dwindling-ip-addresses/
    Best Regards,
    Andy Qi
    TechNet Community Support
