Port Types-replication Types and Symacls


This document gives information regarding port types, replication types and symacls.


Port | Full Name | Port Function
---- | --------- | -------------
N-port | network port or node port | Node port used to connect a node to a Fibre Channel switch
F-port | fabric port | Switch port used to connect the Fibre Channel fabric to a node
L-port | loop port | Node port used to connect a node to a Fibre Channel loop
NL-port | network + loop port | Node port which connects to both loops and switches
FL-port | fabric + loop port | Switch port which connects to both loops and switches
E-port | extender port | Used to cascade Fibre Channel switches together
G-port | general port | General purpose port which can be configured to emulate other port types
EX_port | external port | Connection between a Fibre Channel router and a Fibre Channel switch; on the switch side, it looks like a normal E_port, but on the router side, it is an EX_port
TE_port | trunking E-port | Provides standard E_port functions and allows for routing of multiple virtual SANs by modifying the standard Fibre Channel frame upon ingress/egress of the VSAN environment

EMC Symmetrix Access Control symacl

by sanaswati on 05/09/2013 in EMC

With Enginuity 5875 and SE 7.2.0, new array based licensing has been introduced. This means any host attached to the array with SE installed will have unrestricted access to the array and can make configuration changes. This has necessitated the implementation of host based Symmetrix Access Control on the arrays. The purpose is to prevent servers from making config changes on the arrays, and to restrict their access to a certain set of snaps/clones and corresponding source devices.

The overall process involves readying the array for access control, and then configuring the accesses as per the requirements.

Initial configuration on the array will be carried out by EMC CE. Steps involve:

* Enable Symmetrix Access Control (symacl)
* Create administrator accgroup
* Add management hosts to the group to carry out ACL administration
* Add service processor to the group for EMC remote support
* Create symacl pin or password which will be required to carry out ACL administration. Environment variable SYMCLI_ACCESS_PIN can be set so as to avoid the prompt for the PIN every time the symacl command is run to change the configuration.

Initial set up can be verified as below.

    MgmtHostA# symacl -sid 1234 show accgroup AdminGrp

    Access Group: AdminGrp
    Symmetrix ID: 000294901234

    Access ID Name
    --------------
    gmthostA  - Management Host (ECC)
    gmthostB  - Management Host (SE, SPA, SMC)
    aclpin123 - PIN used for ACL manipulation
    SP1234    - Service Processor

    MgmtHostA# symacl -sid 1234 list -acl

    Symmetrix ID: 000294901234

    Group Name                         Pool Name                         Access Type
    ---------------------------------- --------------------------------- -----------
    AdminGrp                           ALL_DEVS                          ADMIN
    AdminGrp                           ALL_DEVS                          ALL
    UnknwGrp                           ALL_DEVS                          BASE
    UnknwGrp                           !INPOOLS                          ALL

    MgmtHostA #
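The verification listing above can be checked mechanically instead of by eye. The following is an added example, not part of the original document: it parses `symacl list -acl` output, assumed to be three whitespace-separated columns as shown above, and reports rows that differ from an expected baseline or that grant ADMIN outside the administrator group. The sample listing is constructed, and its last row is a deliberate deviation.

```python
import re

# Constructed sample of `symacl -sid 1234 list -acl` output, modelled on the
# listing above; the last row is an injected deviation for the demonstration.
SAMPLE_LISTING = """\
Symmetrix ID: 000294901234

Group Name     Pool Name      Access Type
-------------  -------------  -----------
AdminGrp       ALL_DEVS       ADMIN
AdminGrp       ALL_DEVS       ALL
UnknwGrp       ALL_DEVS       BASE
UnknwGrp       !INPOOLS       ALL
servA_grp      ALL_DEVS       ADMIN
"""

# Baseline: the four entries shown after the initial setup.
BASELINE = {
    ("AdminGrp", "ALL_DEVS", "ADMIN"),
    ("AdminGrp", "ALL_DEVS", "ALL"),
    ("UnknwGrp", "ALL_DEVS", "BASE"),
    ("UnknwGrp", "!INPOOLS", "ALL"),
}

ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)$")

def parse_acl_listing(text):
    """Return the set of (group, pool, access) rows found below the ruler line."""
    rows, in_table = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):      # ruler under the column headers
            in_table = True
            continue
        m = ROW.match(line) if in_table else None
        if m:
            rows.add(m.groups())
    return rows

def audit(text, baseline=BASELINE, admin_group="AdminGrp"):
    """Compare a listing with the baseline and flag ADMIN held by other groups."""
    rows = parse_acl_listing(text)
    return {
        "unexpected": sorted(rows - baseline),
        "missing": sorted(baseline - rows),
        "admin_outside_admin_group": sorted(
            r for r in rows if r[2] == "ADMIN" and r[0] != admin_group),
    }
```

Once a host's access group has been added on purpose, its rows belong in the baseline passed to `audit`.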

Now that the initial set up is complete, let's proceed to the configurations on arrays for servers accessing its storage. The steps listed below illustrate the commands to run when you have a hostname, snap or clone devices, and their corresponding source devices (could be replicated or non-replicated).

Setting ACL for non-replicated devices

Summary of steps:

* Create an access group containing the hostname
* Create an access pool containing the devices
* Associate access group and access pool by granting desired permissions

Steps in detail with commands:

* Generate unique acl id for a given host (to be run on given host)

    servA# symacl -unique
    The unique id for this host is: 2F5800AD-55448DCE-9D3D758B
    servA#

* Prepare a file containing related commands on management host

    MgmtServ# cat servA_acl
    # Create an access group with appropriate naming convention
    create accgroup servA_grp;

    # Add the host to access group using its unique id
    # There is a limitation of 8 characters on the name that you can assign
    add host accid 2F5800AD-55448DCE-9D3D758B name servA to accgroup servA_grp;

    # Create an access pool with appropriate naming convention
    create accpool servA_pool;

    # Add source and target devices to access pool
    add dev 1000:100F to accpool servA_pool; # these are standard devices which are either snapped or cloned
    add dev 2000:200F to accpool servA_pool; # these are either snaps or clones

    # Bring access group, access pool, and level of access together
    grant access=BASE to accgroup servA_grp for ALL devs;
    grant access=BCV to accgroup servA_grp for accpool servA_pool; # To grant BCV access for clones
    #grant access=SNAP to accgroup servA_grp for accpool servA_pool; # To grant SNAP access for snaps

    MgmtServ#

* Preview/Prepare/Commit ACL changes

    MgmtServ # symacl -sid 1234 -file servA_acl
    Enter Access PIN:   # This is symacl pin generated by CE. It won't be prompted
                        # if SYMCLI_ACCESS_PIN has been set.
    Command file: (servA_acl)

    PREVIEW............................................................Started.
    PREVIEW............................................................Done.
    PREPARE............................................................Started.
        Creating group servA_grp........................................Done.
        Adding Host access id servA to group servA_grp..................Done.
        ... ... ... ...
    PREPARE............................................................Done.
    Starting COMMIT....................................................Done.

    MgmtServ #

* Verify the changes

    MgmtServ# symacl -sid 1234 list -acl

    Symmetrix ID: 000294901234

    Group Name                         Pool Name                         Access Type
    ---------------------------------- --------------------------------- -----------
    AdminGrp                           ALL_DEVS                          ADMIN
    AdminGrp                           ALL_DEVS                          ALL
    UnknwGrp                           ALL_DEVS                          BASE
    UnknwGrp                           !INPOOLS                          ALL
    servA_grp                          servA_pool                        BCV
    servA_grp                          ALL_DEVS                          BASE

    MgmtServ# symacl -sid 1234 list -accpool

    Symmetrix ID: 000294901234

                                      Number of Number of
    Pool Name                         Devices   ACLs
    --------------------------------- --------- ---------
    servA_pool                        16        1

    MgmtServ# symacl -sid 1234 list -accgroup

    Symmetrix ID: 000294901234

                                     Number of   Number of
    Group Name                       Access IDs  ACLs
    -------------------------------- ----------- ---------
    AdminGrp                         2           1
    UnknwGrp                         1           1
    servA_pool                       1           1

    MgmtServ# symacl -sid 1234 show accgroup servA_grp -acl

    Symmetrix ID: 000294901234

    Group Name                       Pool Name                        Access Type
    -------------------------------- -------------------------------- -----------
    servA_grp                        servA_pool                       BCV
    servA_grp                        ALL_DEVS                         BASE

    MgmtServ# symacl -sid 1234 show accpool servA_pool -acl

    Access Pool: servA_pool
    Symmetrix ID: 000294901274

    Number of Access Control Entries: 1
    Number of Member Devices: 16

    Access Control Entries (1):
      {
      --------------------------------------
      Group                      Type
      --------------------------------------
      servA_grp                  BCV
      }

    Member Devices (16):
      {
      Device Name                  Device
      ---------------------------- --------------------------------------
                                                                     Cap
      Sym  Physical                Config  Attribute  Sts            (MB)
      ---------------------------- --------------------------------------
      1000 Not Visible             TDEV    N/Grp'd    RW             23200
      ...............
      }

    MgmtServ#

Setting ACL for replicated devices

When the devices involved are either R1 or R2 and are being snapped/cloned on the same server as the R1 or R2, the configuration changes, as it needs to cover both the arrays.

Summary of steps:

* Create same named access group on both the arrays, and add unique host id for both the hosts to the access group. Name of access group must be same on both the arrays.
* Create access pools on each array which include local R1 or R2 devices, and corresponding snap/clone devices
* Grant BASE, RDF, SNAP/BCV permission to the access pool. Assignment of BASE permission is a must.

Steps in detail with commands

* Generate unique acl id for both the hosts

    servR1# symacl -unique
    The unique id for this host is: 2F5800AD-55448DCE-9D3D758B
    servR1#

    servR2# symacl -unique
    The unique id for this host is: 2F5800AD-55448DCE-AE4E869C
    servR2#

* Prepare a file containing related commands on management hosts per site

Command file for primary node servR1

    MgmtServA# cat servR1_acl
    # Create an access group with appropriate naming convention
    create accgroup servR1_R2_grp;

    # Add both the hosts to access group using their unique id (beware of 8 char limitation on host name)
    add host accid 2F5800AD-55448DCE-9D3D758B name servR1 to accgroup servR1_R2_grp;
    add host accid 2F5800AD-55448DCE-AE4E869C name servR2 to accgroup servR1_R2_grp;

    # Create an access pool with appropriate naming convention
    create accpool servR1_pool;

    # Add source and target devices to access pool
    add dev 1000:100F to accpool servR1_pool; # these are R1 devices which are either snapped or cloned
    add dev 2000:200F to accpool servR1_pool; # these are either snaps or clones

    # Bring access group, access pool, and level of access together
    grant access=BASE to accgroup servR1_R2_grp for ALL devs;
    grant access=RDF to accgroup servR1_R2_grp for accpool servR1_pool; # To grant RDF access for R1 devices
    grant access=BCV to accgroup servR1_R2_grp for accpool servR1_pool; # To grant BCV access for clones
    #grant access=SNAP to accgroup servR1_R2_grp for accpool servR1_pool; # To grant SNAP access for snaps

Command file for secondary node servR2

    MgmtServB# cat servR2_acl
    # Create an access group with appropriate naming convention
    create accgroup servR1_R2_grp;

    # Add both the hosts to access group using their unique id (beware of 8 char limitation on host name)
    add host accid 2F5800AD-55448DCE-9D3D758B name servR1 to accgroup servR1_R2_grp;
    add host accid 2F5800AD-55448DCE-AE4E869C name servR2 to accgroup servR1_R2_grp;

    # Create an access pool with appropriate naming convention
    create accpool servR2_pool;

    # Add source and target devices to access pool
    add dev 3000:300F to accpool servR2_pool; # these are R2 devices which are either snapped or cloned
    add dev 4000:400F to accpool servR2_pool; # these are either snaps or clones

    # Bring access group, access pool, and level of access together
    grant access=BASE to accgroup servR1_R2_grp for ALL devs;
    grant access=RDF to accgroup servR1_R2_grp for accpool servR2_pool; # To grant RDF access for R2 devices
    grant access=BCV to accgroup servR1_R2_grp for accpool servR2_pool; # To grant BCV access for clones
    #grant access=SNAP to accgroup servR1_R2_grp for accpool servR2_pool; # To grant SNAP access for snaps

* Preview/Prepare/Commit ACL changes on both the arrays and run the commands to verify

SYMACL commands cheatsheet

* To list ACLs defined on given array

    # symacl -sid 1234 list -acl -v

* To list access groups defined on given array

    # symacl -sid 1234 list -accgroup -v

* To list access pools defined on given array

    # symacl -sid 1234 list -accpool -v

* To show details of given accgroup on given array

    # symacl -sid 1234 show accgroup -acl

* To show details of given accpool on given array

    # symacl -sid 1234 show accpool -acl

* To make configuration changes on given array

    # symacl -sid 1234 -file preview|prepare|commit

* accgroup related commands in configuration file

    create accgroup ;                       # to create an accgroup
    add host accid name to accgroup ;       # to add the host to accgroup
    remove accid name from accgroup ;       # to remove a host from accgroup
    move accid name to accgroup ;           # to move a host from existing to new accgroup
    delete accgroup [remove_aces=true];     # to delete an accgroup

* accpool related commands in configuration file

    create accpool ;                        # to create an accpool
    add dev to accpool ;                    # to add a single device to accpool
    add dev to accpool ;                    # to add a range of devices to accpool
    remove dev from accpool ;               # to remove devices from the accpool
    delete accpool [remove_aces=true];      # to delete an accpool

* commands in configuration file related to granting the permission

    grant access= to accgroup for accpool | ;
    remove access= from accgroup for accpool | ;

Different levels of permissions

For host based symacl, the permissions allowed are listed below along with their description.

* ADMIN: Administrative rights allowing ACL configuration changes. Lets you run symacl
* ALL: All types of access granted except ADMIN and ADMINRD. Must be used only with devices (ALL devs)
* BASE: Allows the host to discover the devices, and to obtain further information about directors and devices from the array
* BCV: Allows the host to run TF/Clone related commands
* SNAP: Allows the host to run TF/Snapshot related commands
* RDF: Allows the host to run SRDF related commands
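The 8 character name limit, the mandatory BASE grant and the permission levels above can be checked before a command file is previewed and committed. The following is an added example, not code from the original document or from EMC: a small linter for the command-file statements used in the steps above. The sample file and its mistakes are constructed, and accepting comma-separated access lists is an assumption.

```python
import re

ACCESS_TYPES = {"ADMIN", "ALL", "BASE", "BCV", "SNAP", "RDF"}  # levels listed above

# Constructed command file with deliberate mistakes (not from the page).
SAMPLE = """\
create accgroup servA_grp;
add host accid 2F5800AD-55448DCE-9D3D758B name servA-prod1 to accgroup servA_grp;
create accpool servA_pool;
add dev 1000:100F to accpool servA_pool;  # source devices
grant access=BCV to accgroup servA_grp for accpool servB_pool;
#grant access=BASE to accgroup servA_grp for ALL devs;
"""

def statements(text):
    """Drop '#' comments, then split into ';'-terminated statements."""
    body = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    return [" ".join(s.split()) for s in body.split(";") if s.strip()]

def lint(text, known_groups=(), known_pools=()):
    """Return findings for a symacl command file before it is committed."""
    groups, pools = set(known_groups), set(known_pools)
    granted, findings = {}, []
    for st in statements(text):
        if m := re.fullmatch(r"create acc(group|pool) (\S+)", st):
            (groups if m[1] == "group" else pools).add(m[2])
        elif m := re.fullmatch(r"add host accid \S+ name (\S+) to accgroup (\S+)", st):
            if len(m[1]) > 8:
                findings.append(f"host name '{m[1]}' is longer than 8 characters")
            if m[2] not in groups:
                findings.append(f"accgroup '{m[2]}' is never created")
        elif m := re.fullmatch(r"add dev \S+ to accpool (\S+)", st):
            if m[1] not in pools:
                findings.append(f"accpool '{m[1]}' is never created")
        elif m := re.fullmatch(
                r"grant access=(\S+) to accgroup (\S+) for (?:ALL devs|accpool (\S+))", st):
            types = set(m[1].split(","))  # comma lists tolerated (assumption)
            granted.setdefault(m[2], set()).update(types)
            findings += [f"unknown access type '{t}'" for t in sorted(types - ACCESS_TYPES)]
            if "ADMIN" in types:  # ADMIN lets the host change the ACLs themselves
                findings.append(f"ADMIN granted to '{m[2]}'")
            if m[2] not in groups:
                findings.append(f"accgroup '{m[2]}' is never created")
            if m[3] and m[3] not in pools:
                findings.append(f"accpool '{m[3]}' is never created")
    findings += [f"accgroup '{g}' has no BASE grant"
                 for g, t in sorted(granted.items()) if "BASE" not in t]
    return findings
```

Groups and pools that already exist on the array can be passed through `known_groups` and `known_pools` so that incremental command files do not raise false findings.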

HP | Continuous Access XP
Compaq | DRM
HDS | Truecopy
EMC | SRDF
IBM | PPRC