
| Port    | Full Name                 | Port Function |
|---------|---------------------------|---------------|
| N-port  | network port or node port | Node port used to connect a node to a Fibre Channel switch |
| F-port  | fabric port               | Switch port used to connect the Fibre Channel fabric to a node |
| L-port  | loop port                 | Node port used to connect a node to a Fibre Channel loop |
| NL-port | network + loop port       | Node port which connects to both loops and switches |
| FL-port | fabric + loop port        | Switch port which connects to both loops and switches |
| E-port  | extender port             | Used to cascade Fibre Channel switches together |
| G-port  | general port              | General purpose port which can be configured to emulate other port types |
| EX_port | external port             | Connection between a fibre channel router and a fibre channel switch; on the switch side, it looks like a normal E_port -- but on the router side, it is an EX_port |
| TE_port | trunking E-port           | Provides standard E_port functions and allows for routing of multiple virtual SANs by modifying the standard Fibre Channel frame upon ingress/egress of the VSAN environment |

EMC Symmetrix Access Control symacl


by sanaswati on 05/09/2013 in EMC

With Enginuity 5875 and SE 7.2.0, new array based licensing has been introduced. This means any host attached to the
array with SE installed will have unrestricted access to the array and can make configuration changes. This has necessitated
the implementation of Host based Symmetrix Access Control on the arrays. The purpose is to prevent servers from making
config changes on the arrays, and to restrict their access to a certain set of snaps/clones and their corresponding source devices.
The overall process involves readying the array for access control, and then configuring the accesses as per the requirements.

Initial configuration on the array will be carried out by EMC CE. Steps involve:
* Enable Symmetrix Access Control (symacl)
* Create administrator accgroup
* Add management hosts to the group to carry out ACL administration
* Add service processor to the group for EMC remote support
* Create symacl pin or password which will be required to carry out ACL administration. Environment variable
SYMCLI_ACCESS_PIN can be set so as to avoid prompt for PIN every time symacl command is run to change the
configuration.
Initial set up can be verified as below.

MgmtHostA# symacl -sid 1234 show accgroup AdminGrp

Access Group: AdminGrp
Symmetrix ID: 000294901234

Access ID Name
-------------
gmthostA   - Management Host (ECC)
gmthostB   - Management Host (SE, SPA, SMC)
aclpin123  - PIN used for ACL manipulation
SP1234     - Service Processor

MgmtHostA# symacl -sid 1234 list -acl

Symmetrix ID: 000294901234

Group Name                 Pool Name                  Access Type
-------------------------- -------------------------- -----------
AdminGrp                   ALL_DEVS                   ADMIN
AdminGrp                   ALL_DEVS                   ALL
UnknwGrp                   ALL_DEVS                   BASE
UnknwGrp                   !INPOOLS                   ALL

MgmtHostA #

Now that the initial set up is complete, let's proceed to the configurations on the arrays for the servers accessing their storage. The steps
listed below illustrate the commands to run when you have a hostname, snap or clone devices, and their corresponding
source devices (which could be replicated or non-replicated).

Setting ACL for non-replicated devices

Summary of steps:
* Create an access group containing the hostname
* Create an access pool containing the devices
* Associate access group and access pool by granting desired permissions

Steps in detail with commands:
* Generate unique acl id for a given host (to be run on given host)
servA# symacl -unique
The unique id for this host is: 2F5800AD-55448DCE-9D3D758B
servA#
* Prepare a file containing related commands on management host
MgmtServ# cat servA_acl
# Create an access group with appropriate naming convention
create accgroup servA_grp;

# Add the host to access group using its unique id
# There is a limitation of 8 characters on the name that you can assign
add host accid 2F5800AD-55448DCE-9D3D758B name servA to accgroup servA_grp;

# Create an access pool with appropriate naming convention
create accpool servA_pool;

# Add source and target devices to access pool
add dev 1000:100F to accpool servA_pool; # these are standard devices which are either snapped or cloned
add dev 2000:200F to accpool servA_pool; # these are either snaps or clones

# Bring access group, access pool, and level of access together
grant access=BASE to accgroup servA_grp for ALL devs;
grant access=BCV to accgroup servA_grp for accpool servA_pool; # To grant BCV access for clones
#grant access=SNAP to accgroup servA_grp for accpool servA_pool; # To grant SNAP access for snaps

MgmtServ#
* Preview/Prepare/Commit ACL changes

MgmtServ # symacl -sid 1234 -file servA_acl <preview|prepare|commit>


Enter Access PIN: <aclpin123> # This is symacl pin generated by CE. It won't be prompted
# if SYMCLI_ACCESS_PIN has been set.
Command file: (servA_acl)
PREVIEW............................................................Started.
PREVIEW............................................................Done.
PREPARE............................................................Started.
Creating group servA_grp........................................Done.
Adding Host access id servA to group servA_grp..................Done.
...
...
...
...
PREPARE............................................................Done.
Starting COMMIT....................................................Done.
MgmtServ #
* Verify the changes
MgmtServ# symacl -sid 1234 list -acl

Symmetrix ID: 000294901234

Group Name                 Pool Name                  Access Type
-------------------------- -------------------------- -----------
AdminGrp                   ALL_DEVS                   ADMIN
AdminGrp                   ALL_DEVS                   ALL
UnknwGrp                   ALL_DEVS                   BASE
UnknwGrp                   !INPOOLS                   ALL
servA_grp                  servA_pool                 BCV
servA_grp                  ALL_DEVS                   BASE

MgmtServ# symacl -sid 1234 list -accpool

Symmetrix ID: 000294901234

                                  Number of  Number of
Pool Name                         Devices    ACLs
--------------------------------- ---------  ---------
servA_pool                        16

MgmtServ# symacl -sid 1234 list -accgroup

Symmetrix ID: 000294901234

                                 Number of   Number of
Group Name                       Access IDs  ACLs
-------------------------------- ----------- ---------
AdminGrp
UnknwGrp
servA_pool

MgmtServ# symacl -sid 1234 show accgroup servA_grp -acl

Symmetrix ID: 000294901234

Group Name                       Pool Name                        Access Type
-------------------------------- -------------------------------- -----------
servA_grp                        servA_pool                       BCV
servA_grp                        ALL_DEVS                         BASE

MgmtServ# symacl -sid 1234 show accpool servA_pool -acl

Access Pool: servA_pool
Symmetrix ID                    : 000294901274
Number of Access Control Entries: 1
Number of Member Devices        : 16

Access Control Entries (1):
{
    -------------------------------------
    Group                            Type
    -------------------------------------
    servA_grp                        BCV
}
Member Devices (16):
{
    Device Name                   Device
    ----------------------------  -------------------------------------
    Sym   Physical                Config   Attribute   Sts   Cap (MB)
    ----------------------------  -------------------------------------
    1000  Not Visible             TDEV     N/Grp'd     RW    23200
    .....
    .....
    .....
}
MgmtServ#

Setting ACL for replicated devices

When the devices involved are either R1 or R2 devices and are being snapped/cloned on the same servers that access the R1 or R2,
the configuration changes, as it needs to cover both arrays.
Summary of steps:
* Create same named access group on both the arrays, and add unique host id for both the hosts to the access group. Name
of access group must be same on both the arrays.
* Create access pools on each array which includes local R1 or R2 devices, and corresponding snap/clone devices
* Grant BASE, RDF, SNAP/BCV permission to the access pool. Assignment of BASE permission is a must.
Steps in detail with commands
* Generate unique acl id for both the hosts
servR1# symacl -unique
The unique id for this host is: 2F5800AD-55448DCE-9D3D758B
servR1#

servR2# symacl -unique


The unique id for this host is: 2F5800AD-55448DCE-AE4E869C
servR2#
* Prepare a file containing related commands on management hosts per site
Command file for primary node servR1
MgmtServA# cat servR1_acl
# Create an access group with appropriate naming convention
create accgroup servR1_R2_grp;

# Add both the hosts to access group using their unique id (beware of 8 char limitation on host name)
add host accid 2F5800AD-55448DCE-9D3D758B name servR1 to accgroup servR1_R2_grp;
add host accid 2F5800AD-55448DCE-AE4E869C name servR2 to accgroup servR1_R2_grp;

# Create an access pool with appropriate naming convention
create accpool servR1_pool;

# Add source and target devices to access pool
add dev 1000:100F to accpool servR1_pool; # these are R1 devices which are either snapped or cloned
add dev 2000:200F to accpool servR1_pool; # these are either snaps or clones

# Bring access group, access pool, and level of access together
grant access=BASE to accgroup servR1_R2_grp for ALL devs;
grant access=RDF to accgroup servR1_R2_grp for accpool servR1_pool; # To grant RDF access for R1 devices
grant access=BCV to accgroup servR1_R2_grp for accpool servR1_pool; # To grant BCV access for clones
#grant access=SNAP to accgroup servR1_R2_grp for accpool servR1_pool; # To grant SNAP access for snaps

Command file for secondary node servR2

MgmtServB# cat servR2_acl
# Create an access group with appropriate naming convention
create accgroup servR1_R2_grp;

# Add both the hosts to access group using their unique id (beware of 8 char limitation on host name)
add host accid 2F5800AD-55448DCE-9D3D758B name servR1 to accgroup servR1_R2_grp;
add host accid 2F5800AD-55448DCE-AE4E869C name servR2 to accgroup servR1_R2_grp;

# Create an access pool with appropriate naming convention
create accpool servR2_pool;

# Add source and target devices to access pool
add dev 3000:300F to accpool servR2_pool; # these are R2 devices which are either snapped or cloned
add dev 4000:400F to accpool servR2_pool; # these are either snaps or clones

# Bring access group, access pool, and level of access together
grant access=BASE to accgroup servR1_R2_grp for ALL devs;
grant access=RDF to accgroup servR1_R2_grp for accpool servR2_pool; # To grant RDF access for R2 devices
grant access=BCV to accgroup servR1_R2_grp for accpool servR2_pool; # To grant BCV access for clones
#grant access=SNAP to accgroup servR1_R2_grp for accpool servR2_pool; # To grant SNAP access for snaps
* Preview/Prepare/Commit ACL changes on both the arrays and run the commands to verify
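The two procedures above (non-replicated and replicated hosts) build the same kind of command file by hand. The following is an added example, not code from the post or from EMC: a small Python helper that generates such a command file while enforcing the rules the post states (8-character host identifier, the `symacl -unique` id format, BASE on ALL devs always present, and no ALL/ADMIN/ADMINRD for a server group), plus a check that parses `symacl list -acl` output and reports groups holding privileged access outside an explicit admin allowlist. The function names, the constructed listing and the uniform three-column whitespace layout it assumes are the example's own.

```python
import re

ACCESS_TYPES = {"BASE", "BCV", "SNAP", "RDF", "ALL", "ADMIN", "ADMINRD"}
PRIVILEGED = {"ALL", "ADMIN", "ADMINRD"}          # never granted to a server group
ACCID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{8}-[0-9A-F]{8}$")  # `symacl -unique` format

def build_acl_file(group, pool, hosts, dev_ranges, grants):
    """Return symacl command-file text: hosts maps host identifier -> access id,
    grants are pool-level types (BCV/SNAP/RDF); BASE on ALL devs is always emitted."""
    lines = [f"create accgroup {group};"]
    for name, accid in hosts.items():
        if len(name) > 8:          # 8-character limit on the host identifier
            raise ValueError(f"host identifier {name!r} exceeds 8 characters")
        if not ACCID_RE.match(accid):
            raise ValueError(f"malformed access id {accid!r}")
        lines.append(f"add host accid {accid} name {name} to accgroup {group};")
    lines.append(f"create accpool {pool};")
    for rng in dev_ranges:
        lines.append(f"add dev {rng} to accpool {pool};")
    lines.append(f"grant access=BASE to accgroup {group} for ALL devs;")
    for access in grants:
        if access not in ACCESS_TYPES or access in PRIVILEGED:
            raise ValueError(f"refusing to grant {access} to server group {group}")
        lines.append(f"grant access={access} to accgroup {group} for accpool {pool};")
    return "\n".join(lines) + "\n"

def audit_acl_listing(text, allowed_admin_groups):
    """Return (group, pool, access) rows of `symacl list -acl` output that hold
    ALL/ADMIN/ADMINRD outside allowed_admin_groups (the default UnknwGrp row included)."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in ACCESS_TYPES:   # skips headers and dashes
            group, pool, access = parts
            if access in PRIVILEGED and group not in allowed_admin_groups:
                findings.append((group, pool, access))
    return findings

# Constructed listing modelled on the post's `list -acl` output, plus one
# bad row that grants ALL to the server group.
SAMPLE_LISTING = """\
Group Name   Pool Name   Access Type
------------ ----------- -----------
AdminGrp     ALL_DEVS    ADMIN
AdminGrp     ALL_DEVS    ALL
UnknwGrp     ALL_DEVS    BASE
UnknwGrp     !INPOOLS    ALL
servA_grp    ALL_DEVS    BASE
servA_grp    ALL_DEVS    ALL
"""
```

Whether the default UnknwGrp/!INPOOLS entry is acceptable is an operator decision; the audit reports it so it is reviewed rather than overlooked.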

SYMACL commands cheatsheet

* To list ACLs defined on given array
# symacl -sid 1234 list -acl -v
* To list access groups defined on given array
# symacl -sid 1234 list -accgroup -v
* To list access pools defined on given array
# symacl -sid 1234 list -accpool -v
* To show details of given accgroup on given array
# symacl -sid 1234 show accgroup <groupname> -acl
* To show details of given accpool on given array
# symacl -sid 1234 show accpool <poolname> -acl
* To make configuration changes on given array
# symacl -sid 1234 -file <filename> preview|prepare|commit
* accgroup related commands in configuration file
create accgroup <groupname>; # to create an accgroup
add host accid <acl id> name <host_identifier> to accgroup <groupname>; # to add the host to accgroup
remove accid name <host_identifier> from accgroup <groupname>; # to remove a host from accgroup
move accid name <host_identifier> to accgroup <new_groupname>; # to move a host from existing to new accgroup
delete accgroup <groupname> [remove_aces=true]; # to delete an accgroup
* accpool related commands in configuration file
create accpool <poolname>; # to create an accpool
add dev <devid> to accpool <poolname>; # to add a single device to accpool
add dev <firstdev:lastdevid> to accpool <poolname>; # to add a range of devices to accpool
remove dev <firstdev:lastdev> from accpool <poolname>; # to remove devices from the accpool
delete accpool <poolname> [remove_aces=true]; # to delete an accpool
* commands in configuration file related to granting the permission
grant access=<accesstype> to accgroup <groupname> for accpool <poolname> | <all|non-pooled devs>;
remove access=<accesstype> from accgroup <groupname> for accpool <poolname> | <all|non-pooled devs>;

Different levels of permissions

For host based symacl, the permissions allowed are listed below along with their description.
* ADMIN : Administrative rights allowing ACL configuration changes. Lets you run symacl
* ALL   : All types of access granted except ADMIN and ADMINRD. Must be used only with devices (ALL devs)
* BASE  : Allows the host to discover the devices, and to obtain further information about directors and devices from the array
* BCV   : Allows the host to run TF/Clone related commands
* SNAP  : Allows the host to run TF/Snapshot related commands
* RDF   : Allows the host to run SRDF related commands

| Vendor | Replication product  |
|--------|----------------------|
| HP     | Continuous Access XP |
| Compaq | DRM                  |
| HDS    | Truecopy             |
| EMC    | SRDF                 |
| IBM    | PPRC                 |
