
Brocade Zoning

Date post: 03-Dec-2014
Upload: denverosborn
Introduction to SANs Brocade Zoning 1 Rev. 4.21

Security Comparisons

Data access can be implemented at several different levels within the SAN environment. Each of these has advantages and disadvantages. The level is chosen to suit the particular needs of the customer’s SAN environment.

Host level security offers a single point of management for a large data center. Hosts with many different operating systems can be managed by Open View Storage Area Manager, as clients. However, a host that lacks the software may be unaware of the disk allocations and may access and corrupt storage in the SAN.

Switch level security may be more secure than host security, but can be constrained by the topology. Port zoning is very limiting for topologies that have many devices connected through hubs. Switch level zoning cannot separate LUN access for a given device.

Device level security is highly secure, but may require time-consuming administration to implement. Not all devices have this function. Firmware changes on these devices may alter the security function, and can impact the availability of the device.


Overview – Brocade Zoning Product

Microsoft Windows and HP-UX do not interact well on the same fabric. If the HBAs of the two operating systems see each other, data corruption can occur.

Another reason to create zones is to secure devices from each other, for example payroll, engineering data and corporate finance.

You cannot zone down to the LUN level. This is accomplished using Secure Manager or Selective Storage Presentation.


Zoning Example

Zones may be configured dynamically. The number of zones and zone members are effectively unlimited. Zones vary in size and shape, depending on the number of Fabric connected devices and device locations.

Devices may be members of more than one zone. This is called “over-lapping zones”.

In addition, multiple configurations can be created, as an example, for enterprise backup and for normal work access. Zone members see only members in their zones and, therefore, access only one another.

A device not included in a zone is not able to access any devices.


Zone Enforcement

Soft zoning

Soft zoning is software enforced Brocade zoning. The zoning enforcement is implemented in the firmware, using the entries of the Simple Name Server to determine if the transaction is allowed. The members of the zones must be “good citizens”. A “good citizen” is a member that uses the Name Server, supports RSCN (Remote State Change Notification) and does not circumvent the Name Server for access to other ports.

A “bad citizen” is a node that probes the switch, either because of malfunction or malice, to access a device that it should not access. What this means is if there is a server/HBA/Driver that will probe the ports on the switch, that server/HBA/Driver would be able to talk to any device it found because it did not use the Name Server and behave properly.

In the Brocade 2x00 Silkworm switches, WWN zoning is software enforced. The term “soft zoning” became used to mean the same thing as World-wide Name zoning. In the Brocade 3x00 Silkworm switches, WWN zoning can be hardware enforced. It is important to separate the enforcement from the format for zoning.

Hard zoning

Hard zoning is hardware enforced zoning. Zoning is enforced by the ASIC. It is not vulnerable to probing by a “bad citizen” node. In the Brocade 2x00 Silkworm switches, port zoning is enforced in the hardware. The term “hard zoning” came to mean the same thing as “port zoning”. With the 3x00 Silkworm switches, WWN zoning is also hard zoning. This terminology is no longer valid.


Brocade 2x00 zoning

Zoning is enabled differently on the 2x00 family and the 3x00 family.

On the 2x00 Silkworm switches, WWN zoning is enforced with software, relying on Simple Name Server entries for validation. WWN zoning has been called “soft zoning” because of this implementation.

Port zoning is enforced in the ASIC hardware. Port zoning has been called “hard zoning” because of this implementation. However, this naming is no longer correct because of the changes in the 3x00 Silkworm switches. The references to hard and soft zoning must be differentiated from those to port and WWN zoning.

Hardware enforced zoning is inherently more secure than software enforced zoning. A node, through malice or malfunction, may succeed in accessing a port outside its zone if it bypasses the Simple Name Server and probes directly for WWNs.


2x00 Silkworm Zoning Examples

Hard Zoning

In the 2x00 Silkworm switch, hard zoning is used to enforce Port zoning.

In the examples shown, the alias for port zoning defines the device associated with the alias name using the domain and port. The alias can then be used as a member when defining a zone (pZone1). However, aliases are not required. A zone can be defined using the domain and port reference (pZone2).

Soft Zoning

In the 2x00 Silkworm switch, soft zoning is used to enforce World-wide Name zoning.

In the examples shown, the alias for WWN zoning defines the device associated with the alias name using the world-wide name. The alias is then used as a member when defining the zone (pZone3). A fourth zone is shown where the world-wide name is directly entered in the zone definition (pZone4).

Mixed Configurations

Where both port and WWN references are used in the configuration definitions, the enforcement will default to software zoning.


3x00 Silkworm Zoning

The 3rd Generation ASIC on the 3x00 Silkworm switches can enforce both Port and WWN zoning. Therefore, both Port and WWN zoning are “hard zones”. The term “hard zoning” can no longer refer to port zoning.


Soft porting

In the example shown, the device identified as “Host1a” is defined using port zoning in Zone1, and defined using its WWN in Zone3. Either definition alone would result in Hard zoning. However, when the device is defined in each zoning type within a single configuration, the switch will not be able to enforce zoning within the ASIC. Soft zoning will be used, instead.


Error / Warning Codes

Some common error codes are shown here. They point to configuration conditions which should be corrected for proper zoning function.

HARDSOFTMIX (warning) – Overlapping SOFT/FA and HARD zones. A device is defined in a soft zone or in a loop (using AL-PA) and in a hard zone. Soft zoning will be used to enforce the zoning for all zones.

WWNINPORT – Overlapping hard WWN and PORT zones. A device is configured in a 3x00 Silkworm switch. It is configured using WWN in a WWN zone and using the domain/port in a Port zone. Soft zoning will be used to implement the zoning.

FAQLMIX – Overlapping hard WWN or PORT zones with QL or FA zones. A device has been configured in a Fabric Assist or QuickLoop zone using the AL-PA. The same device is defined in another zone using either the WWN or the port.

DRIVERERR – port-level detected unknown error

NOMORECAM – port-level depleted hardware resource

CHECKBADWWN – WWN probing detected


Port Zoning

Port zoning is defined within the Brocade switch by specifying the switch Domain and physical Port. In the example there are two zones defined: the Orange Zone and the Green Zone. Access is allowed only through the specified port. If the cable to a port is moved to another port, the device will be unavailable. If the port is down or disabled, there will be no device access on that path. This example shows alternate paths in the zones.

Port zoning logic is consistent with the HP-UX address and device file structure. Port zoning cannot separate or individually identify zone members of a looplet. All devices on the loop are defined in the zone by the port. Port zoning can be a disadvantage for consolidated storage devices, like the XP family. All the LUNs accessed through the port belong to the zone.


World-wide Name Zoning

WWN zoning is defined within the Brocade switch by specifying the node World-Wide Name. In the example there are two zones defined: the Orange Zone and the Green Zone. The 2x00 Silkworm switch uses the Simple Name Server to identify the host and target devices. The 3x00 Silkworm switch uses the ASIC to identify the hosts and targets.

WWN zoning has been called “soft zoning” because it is enforced through software on the 2x00 Silkworm switches. This reference is no longer valid for 3x00 Silkworm switches which use hard zoning for WWN and port zones.

Access is not limited to a specified port. If the cable to a port is moved to another port, the device will still be available. However, on HP-UX, the target device now has a new device file name.

This example shows alternate paths in the zones.

WWN zoning can separate or individually identify zone members of a looplet. All devices on the loop are defined in the zone by the individual node WWNs. Usually the port WWN is specified.

On 3x00 Silkworm switches, there is some performance degradation while WWN zoning is initiated. Performance will increase to normal after initialization.


Enters configuration information into SDRAM only.


Flash memory gets updated on a cfgenable.


Cfgdisable only disables the effective configuration.


Cfgclear does not clear the effective (active) configuration.


If you have issued a cfgclear and then a cfgsave, the switch saves the cleared SDRAM into flash and everything in the switch will be cleared.


Creating a Configuration Example

The following sequence of commands creates and enables a configuration called Day_Time, which is made up of two zones, Red_Zone and Blue_Zone:

aliCreate "Red_Server", "10:00:00:00:c9:20:29:22"
aliCreate "Blue_Server", "1,6"
aliCreate "Blue_Storage", "50:00:0b:00:00:07:d0:c8"
aliCreate "Red_Storage", "1,5"
zoneCreate "Red_Zone", "Red_Server; Red_Storage"
zoneCreate "Blue_Zone", "Blue_Server; Blue_Storage"
cfgCreate "Day_Time", "Red_Zone; Blue_Zone"
cfgEnable "Day_Time"
configUpload …

Alternate forms of the commands:

zoneCreate "Red_Zone", "10:00:00:00:c9:20:29:22; 50:00:0b:00:00:07:d0:c8"
zoneCreate "Blue_Zone", "1,6;1,5"
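Added example (not part of the original course material): a Python check that parses the aliCreate/zoneCreate/cfgCreate commands above and reports whether a configuration ends up hardware or software enforced under the rules this document gives for the 2x00 and 3x00 families. Treating any configuration that mixes port and WWN members as software enforced on both families is a conservative assumption drawn from the “Mixed Configurations” note; the function names are this example's own.

```python
import re

WWN = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.I)
PORT = re.compile(r"^\d+\s*,\s*\d+$")  # "domain,port"
CMD = re.compile(r'^(aliCreate|zoneCreate|cfgCreate)\s*"([^"]+)"\s*,\s*"([^"]+)"', re.I)

def parse(script):
    """Return {command: {name: [members]}}; curly quotes are treated as straight."""
    db = {"alicreate": {}, "zonecreate": {}, "cfgcreate": {}}
    for line in script.splitlines():
        m = CMD.match(line.strip().translate({0x201C: '"', 0x201D: '"'}))
        if m:
            kind, name, members = m.groups()
            db[kind.lower()][name] = [x.strip() for x in members.split(";") if x.strip()]
    return db

def members_of(db, cfg):
    """Expand a configuration through its zones and aliases to raw members."""
    raw = set()
    for zone in db["cfgcreate"][cfg]:
        for member in db["zonecreate"][zone]:
            raw.update(db["alicreate"].get(member, [member]))
    return raw

def enforcement(db, cfg, family):
    """family is '2x00' or '3x00'; returns 'hardware' or 'software' for the cfg."""
    members = members_of(db, cfg)
    wwns = {m for m in members if WWN.match(m)}
    ports = {m for m in members if PORT.match(m)}
    if members - wwns - ports:
        raise ValueError(f"unresolved members: {sorted(members - wwns - ports)}")
    if wwns and ports:
        return "software"  # mixed port and WWN references (assumed for both families)
    if wwns and family == "2x00":
        return "software"  # 2x00 validates WWNs through the Simple Name Server
    return "hardware"      # port-only on either family, or WWN-only on 3x00

# The Day_Time commands from the example above (straight quotes).
SCRIPT = '''
aliCreate "Red_Server", "10:00:00:00:c9:20:29:22"
aliCreate "Blue_Server", "1,6"
aliCreate "Blue_Storage", "50:00:0b:00:00:07:d0:c8"
aliCreate "Red_Storage", "1,5"
zoneCreate "Red_Zone", "Red_Server; Red_Storage"
zoneCreate "Blue_Zone", "Blue_Server; Blue_Storage"
cfgCreate "Day_Time", "Red_Zone; Blue_Zone"
'''
if __name__ == "__main__":
    print({f: enforcement(parse(SCRIPT), "Day_Time", f) for f in ("2x00", "3x00")})
```

Day_Time mixes WWN and domain,port members, so the check reports it as software enforced on both families; a port-only or (on 3x00) WWN-only configuration is reported as hardware enforced.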


Changes to the Fabric

Adding a new Switch/Fabric:

A new switch is a switch that has not previously been connected to a Fabric with zoning configured, or that has been cleared using the cfgClear command before it is connected to the Fabric. The same applies when adding a Fabric that has not previously had zoning configured.

When a new switch or Fabric is connected to a zoned Fabric, all zone configuration data is immediately copied from the zoned Fabric into the new switch/Fabric. If a zone configuration is enabled in the Fabric, then the same configuration becomes enabled in the new switch. After this operation, the cfgShow command displays the same output on all switches in the Fabric, including the new switch.


Learning Check

1. What is the difference between hard and soft zoning?

………………………………………………………………………………………….

………………………………………………………………………………………….

2. Describe the relationship between zone members, zones, and zoning configurations.

………………………………………………………………………………………….

………………………………………………………………………………………….

3. What is the process for merging two separate fabrics together as it pertains to zoning?

………………………………………………………………………………………….

………………………………………………………………………………………….
