SAN Zoning Explained


In a storage area network (SAN), zoning is an FC switch function that logically segments the node ports in the fabric into groups, so that ports communicate only with the other members of their group.
Zoning also provides access control, along with other access control mechanisms, such as LUN masking. Zoning provides control by allowing only the members in the same zone to establish communication with each other.
Depending on how it is done, zoning can offer a number of benefits:

  • Enhances SAN network security
  • Helps prevent data loss or corruption
  • Reduces performance issues
  • Reduces the number of targets and LUNs presented to a host.
  • Controls and isolates paths in a fabric.

 Zoning can be categorized into three types:
WWN zoning, Port zoning & Mixed zoning
WWN zoning: WWN zoning uses name servers in the switches to either allow or block access to particular World Wide Names (WWNs) in the fabric.
A major advantage of WWN zoning is the ability to recable the fabric without having to redo the zone information.
WWN zoning is susceptible to unauthorized access, as the zone can be bypassed if an attacker is able to spoof the World Wide Name of an authorized HBA.
Port zoning: It uses the switch port ID to define zones. In port zoning, access to a node is determined by the physical switch port to which the node is connected. The zone members are the port identifiers (switch domain ID and port number) to which the FC HBA and its targets (storage systems) are connected. If a node is moved to another switch port in the fabric, port zoning must be modified to allow the node, in its new port, to participate in its original zone. However, if an FC HBA or storage system port fails, an administrator just has to replace the failed device without changing the zoning configuration.
Mixed zoning: It combines the qualities of both WWN zoning and port zoning. Using mixed zoning enables a specific node port to be tied to the WWN of another node.
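
The trade-offs between the three zoning types can be checked with a small model. This is an added example, not part of the original article: the `Fabric` class, the domain/port numbers and the replacement WWPN are constructed for illustration, and the model ignores how a real fabric handles a duplicate WWPN login.

```python
from dataclasses import dataclass, field

# WWPNs reused from the article's alias examples; ports and NEW_HBA are constructed.
HBA, STORAGE = "50:06:0b:00:00:24:d0:c0", "50:06:04:84:52:a6:64:16"
NEW_HBA = "10:00:00:00:c9:00:00:01"

@dataclass
class Fabric:
    zones: dict                                   # zone name -> set of members
    logins: dict = field(default_factory=dict)    # (domain, port) -> logged-in WWPN

    def plug(self, loc, wwpn):
        self.logins[loc] = wwpn

    def zones_of(self, loc):
        """Zones a node belongs to, matched by its WWPN or by its switch port."""
        wwpn = self.logins[loc]
        return {z for z, m in self.zones.items() if wwpn in m or loc in m}

    def can_talk(self, a, b):
        """Nodes communicate only if both are logged in and share a zone."""
        if a not in self.logins or b not in self.logins:
            return False
        return bool(self.zones_of(a) & self.zones_of(b))

def evaluate(members):
    """Can the node reach storage on (1, 5) after each event, for one zone?"""
    def fabric():
        f = Fabric(zones={"z1": set(members)})
        f.plug((1, 0), HBA)
        f.plug((1, 5), STORAGE)
        return f
    out = {}
    f = fabric()
    out["baseline"] = f.can_talk((1, 0), (1, 5))
    f = fabric(); del f.logins[(1, 0)]; f.plug((1, 9), HBA)   # HBA recabled to port 9
    out["recabled"] = f.can_talk((1, 9), (1, 5))
    f = fabric(); f.plug((1, 0), NEW_HBA)                     # failed HBA replaced
    out["hba_replaced"] = f.can_talk((1, 0), (1, 5))
    f = fabric(); f.plug((1, 12), HBA)                        # other port presents HBA's WWPN
    out["same_wwn_other_port"] = f.can_talk((1, 12), (1, 5))
    return out

WWN_ZONE = {HBA, STORAGE}            # members are WWPNs
PORT_ZONE = {(1, 0), (1, 5)}         # members are (domain ID, port number)
MIXED_ZONE = {(1, 0), STORAGE}       # a switch port tied to another node's WWN

if __name__ == "__main__":
    for name, zone in [("wwn", WWN_ZONE), ("port", PORT_ZONE), ("mixed", MIXED_ZONE)]:
        print(name, evaluate(zone))
```

The `same_wwn_other_port` row is the access-control difference: only the WWN zone admits a device on an unlisted port that presents an authorized WWPN.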


                WWN/Soft Zoning Steps (Brocade FOS)
1. Telnet/SSH to Brocade SAN Switch
2. It is always recommended to back up the SAN configuration before and after zoning.
Example of configUpload on a logical switch configuration
SANFCW1:admin> configupload
 Server Name or IP Address [host]: 10.1.1.4
 User Name [user]: administrator
 File Name [config.txt]: switch1_config.txt
 Protocol (RSHD or FTP) [rshd]: ftp
 Password:
 upload complete
Example of configUpload on a switch with Virtual Fabrics
SANFCW1:admin> configupload -vf
Protocol (scp, ftp, sftp, local) [ftp]:
Server Name or IP Address [host]: 10.1.1.4
User Name [user]: administrator
Path/Filename [<home dir>/config.txt]: switch1_config_vf.txt
configUpload complete: VF config parameters are uploaded
2017/07/20-09:13:40, [LOG-1000], 225, SLOT 7 | CHASSIS, INFO, BrocadeDCX, Previous message repeated 7 time(s)
2017/07/20-10:27:14, [CONF-1001], 226, SLOT 7 | FID 128, INFO, DCX_80, configUpload completed successfully for VF config parameters.

3. Validate host/storage connectivity on the SAN switch using the host/storage WWPN.
SANFCW1:admin> nodefind 50:06:0b:00:00:24:d0:c0
4. Create an alias for the HBAs on the switch.
SANFCW1:admin> alicreate "Servername_HBA1","50:06:0b:00:00:24:d0:c0"
Identify the storage port for zoning. If no alias exists for the storage port yet, create one.
SANFCW1:admin> alicreate "StorageID_port","50:06:04:84:52:a6:64:16"
5. Display created alias information.
SANFCW1:admin> alishow Servername_HBA1
 alias: Servername_HBA1
                50:06:0b:00:00:24:d0:c0
SANFCW1:admin> alishow StorageID_port
 alias: StorageID_port
                50:06:04:84:52:a6:64:16
6. Create zone using aliases.
SANFCW1:admin> zonecreate "Z_Servername_HBA1_StorageID_port", "Servername_HBA1; StorageID_port"
7. Display zone created configuration.
SANFCW1:admin> zoneshow Z_Servername_HBA1_StorageID_port
 zone:  Z_Servername_HBA1_StorageID_port
                Servername_HBA1; StorageID_port
8. Identify currently effective zoneset
SANFCW1:admin> cfgactvshow
9. Add the zone to effective zoneset.
SANFCW1:admin> cfgadd "SANFCW1","Z_Servername_HBA1_StorageID_port"
10. Save zoning configuration.
SANFCW1:admin> cfgsave
You are about to save the Defined zoning configuration.
This action will only save the changes on Defined configuration.
Any changes made on the Effective configuration will not take effect until it is re-enabled.
Do you want to save Defined zoning configuration only?  (yes, y, no, n): [no] yes
Updating flash .
11. Enable zoneset configuration.
DELSANSW01:admin> cfgenable SANFCW1
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the current configuration selected.
Do you want to enable 'SANFCW1' configuration  (yes, y, no, n): [no] yes
zone config "SANFCW1" is in effect
Updating flash ...
12. Back up the SAN switch configuration again with configupload, using the same procedure as in step 2.

                WWN/Soft Zoning Steps (CISCO)
1. Telnet/SSH to CISCO SAN Switch
2. Display existing VSAN
SANFCW1# show vsan
vsan 1 information
 name:VSAN0001 state:active
 interoperability mode:default
 loadbalancing:src-id/dst-id/oxid
 operational state:up
vsan 10 information
 name:VSAN10 state:active
 interoperability mode:default
 loadbalancing:src-id/dst-id/oxid
 operational state:up
vsan 20 information
 name:VSAN20 state:active
 interoperability mode:default
 loadbalancing:src-id/dst-id/oxid
 operational state:up
vsan 4094:isolated_vsan
3. Create new VSAN if needed
Example :
You can use the below commands to create the new VSAN and add the FC interfaces
to the VSANs.
SANFCW1# config t
SANFCW1(config)# vsan database
SANFCW1(config-vsan-db)# vsan 30  (Creates the new VSAN with VSAN ID 30)
SANFCW1(config-vsan-db)# vsan 30 name VSAN30
updated vsan 30
SANFCW1(config-vsan-db)# end
SANFCW1# config t
SANFCW1(config)# vsan database
SANFCW1(config-vsan-db)# vsan 30 interface fc1/40  (add fc interfaces to VSAN30)
SANFCW1(config-vsan-db)# end
4. Show FCS Commands
Below is the list of show commands available to display the port and FCS database
information and to find the interfaces statistics on the switch.
SANFCW1(config)# show fcs ?
  database       Show local database of FCS
  ie             Show Interconnect Element Objects Information
  inter          Show FCS internals
  platform       Show Platform Objects Information
  port           Show Port Objects Information
  statistics     Show statistics for FCS packets.
  vsan           Show list of all the VSANs and plat-check-mode for each
5. Check the currently active zoneset
SANFCW1# show zoneset active
zoneset name Test_zoneset vsan 10
6. Backup current zoneset (assuming current zoneset is Test_zoneset)
SANFCW1# zoneset clone Test_zoneset Test_zoneset_Backup.<Date&time> vsan 10

7. Create FC Alias
SANFCW1(config)# fcalias name server_hba1 vsan 10   *Creates alias
SANFCW1(config-alias)# member pwwn <HBA_WWPN>       *Add HBA WWPN to alias
SANFCW1(config-alias)# exit
fcalias has been created with name server_hba1  
You can check fcalias by using below command
SANFCW1# show fcalias vsan 10
8. Create zone
SANFCW1(config)# zone name z_server_hba1_storage_port vsan 10  * Creates zone
SANFCW1(config-zone)# member fcalias Storage_Port        *Add storage port fcalias
SANFCW1(config-zone)# member fcalias server_hba1         *Add server’s HBA fcalias
SANFCW1(config-zone)# exit
*zone has been created with server and storage fcalias.
9. Add zone to zoneset
Check the currently active zoneset
SANFCW1# show zoneset active
zoneset name Test_zoneset vsan 10
"Test_zoneset" is the active zoneset, so add the new zone to it
SANFCW1# config t
SANFCW1(config)# zoneset name Test_zoneset vsan 10
SANFCW1(config-zoneset)# member z_server_hba1_storage_port   * Add new zone to zoneset

10. Activate the zoneset
SANFCW1(config)# zoneset activate name Test_zoneset vsan 10

11. Verify zone activation status
SANFCW1# show zone status vsan 10
12. Ensure that the new zone is part of the active zoneset
SANFCW1# show zone name z_server_hba1_storage_port active vsan 10
13. Copy the running config to the startup config
SANFCW1# copy run start
14. Backup current zoneset (assuming current zoneset is Test_zoneset)
SANFCW1# zoneset clone Test_zoneset Test_zoneset_Backup.<Date&time>  vsan 10
15. Repeat the above steps on Fabric B
