Brocade Zoning Module 8

Upload: as-kumar

Post on 06-Nov-2015


  • Brocade Zoning

    Module 8

  • Objectives

    This module prepares students to:

    - Describe zoning concept advantages and limitations
    - Define the different types of zoning for Brocade switches
    - Configure a multiple zone fabric
    - Perform merging of two fabrics with zoning configurations

  • Security Comparisons

    Comparison of different security models:

    Host level (OV-SAM Allocater)
      Advantages:
      - Supports mixed heterogeneous devices
      - Independent of target devices
      - Eases the management of a storage pool
      Disadvantages:
      - Management software is host/HBA specific and must be present on all hosts in the SAN to be effective.
      - Someone can plug a host into the SAN that can see and corrupt data. This is particularly vulnerable in a multiple campus situation.

    Infrastructure level (switch zoning)
      Advantages:
      - Independent of hosts and target devices
      - Safeguards the SAN against interruption by unauthorized hosts
      Disadvantages:
      - Granularity is at port and node level or WWN level (not LUN level).
      - When connecting switches from different vendors, zoning choices may be limited.
      - Most switch vendors use WWN zoning when flexibility is required (i.e. separating devices on a loop into different zones).

    Device level (Secure Manager XP/VA, Selective Storage Presentation, EVA/MA)
      Advantages:
      - Best granularity (LUN level)
      - Best safeguarded from anywhere
      Disadvantages:
      - Device dependent: a low-end array or JBOD may not support this function.
      - Administration may become cumbersome for large node counts (e.g. 200 NT servers sharing a LUN for a mail database).
      - Firmware changes can disturb settings (Secure Manager only).

  • Overview

    Brocade zoning product:

    - Licensed product, part of the standard HP bundle
    - Allows a finer segmentation of Storage Area Networks
    - Used to set up barriers between different operating environments:
        - to deploy logical Fabric subsets by creating defined user groups
        - to create test or maintenance areas that are separate within the Fabric
    - Allows the flexibility to manage a SAN to meet different closed user groups' objectives

  • Zoning Example

    - The server in the red zone sees one loop of disks and one tape
    - The server in the blue zone sees two storage arrays
    - The server in the green zone sees one loop, one array, and one tape
    - No server sees loop 2

  • A Hierarchical Structure Zoning Components

    - Fabric may have more than one Cfg
    - Only one Cfg can be active
    - Cfg is a container for zones
    - Zones may overlap
    - Zone is a container for members
    - Members may be defined with aliases
    - A member can be:
        - A fabric physical port number
        - A node or port WWN
        - An AL_PA
        - An alias

    [Diagram: Fabric containing Cfg_I ... Cfg_N; a Cfg containing Zone_ABC and Zone_XYZ; Zone_ABC containing Member#1, Member#2, ... Member#n]

  • Zoning enforcement mechanisms

    Soft Zoning: Name-Server assisted

    - Name Server restricts visibility
    - Always available when zoning enabled
    - Relies on "good citizens" for security (no WWN probing)
    - No reduction in performance

    Hard Zoning: Hardware enforced

    - Available when certain rule conditions are met through hardware logic checking
    - Provides additional security in addition to Soft zoning
    - Inhibits illegal access from "bad citizens"

  • 2x00 zoning

    Mechanisms

    - Soft Zoning for WWNs
    - Hardware Zoning for Domain, Port
    - Enforced at fabric-level
    - QuickLoop Soft Zoning for AL-PAs

    Granularity

    - (domain, port), WWNs, AL-PA (QuickLoop)

    Security

    - Hardware enforcement is very secure
    - Probing possible when soft zoning

  • 2x00 zoning examples

    Hardware Zoning (2x00 SilkWorm)

    Port Zoning (Domain, Port) is enforced in hardware. Hardware enforced zoning is possible only when no WWN exists in the Effective Configuration.

    Example:

      aliCreate Hosta , ,
      aliCreate Storagea , ,
      zoneCreate pZone , Hosta; Storagea
      zoneCreate pZone , ,; ,

    Software Zoning (2x00 SilkWorm)

    Software enforced zoning when a WWN exists in the Effective Configuration.

    Example:

      aliCreate Host , :::::f:
      aliCreate Storage , :::::f:
      zoneCreate pZone , Host; Storage
      zoneCreate pZone , :::::f:; :::::f:

    Mixed configurations are enforced in Soft zoning, as with the following command:

      zoneCreate Zone ,; WWN

  • 3x00 zoning

    Mechanism

    - Port-level zoning is Hardware Enforced
    - WWN zoning is Hardware Enforced
    - Mixed zones, Fabric Assist zones and Quick Loop zones remain enforced through Name Server (Soft zoning)

    Granularity

    - Same as in v2.x

    Security

    - Hardware enforced zoning is very secure
    - Probing is still possible for ports with no hardware enforcement

  • 3x00 zoning examples

    The Effective Configuration can contain both hard and soft zones.

    Hardware Zoning (3x00 SilkWorm)

    Port Zoning (Domain, Port) or WWN zoning is enforced in hardware.

    Example:

      aliCreate Hosta , ,
      aliCreate Storagea , ,
      zoneCreate pZone , Hosta; Storagea
      zoneCreate pZone , ,; ,
      aliCreate Host , :::::f:
      aliCreate Storage , :::::f:
      zoneCreate pZone , Host; Storage
      zoneCreate pZone , :::::f:; :::::f:

    Software Zoning (3x00 SilkWorm)

    Mixed configurations are enforced in Soft zoning, as with the following command:

      zoneCreate Zone ,; WWN

  • Soft Porting

    If a device is defined by port (D,P) in one zone and by WWN in another, the hardware enforcement at the port will be turned OFF and zoning will be controlled by the Name Server. This is called "soft porting".

    Example:

      aliCreate Hosta , ,
      aliCreate Storagea , ,
      zoneCreate pZone , Hosta; Storagea
      zoneCreate pZone , ,; ,
      aliCreate Hosta , :::::f:
      aliCreate Storage , :::::f:
      zoneCreate pZone , Host; Storage
      zoneCreate pZone , :::::f:; :::::f:

    Host1a is defined by port zoning in pZone1 and by WWN zoning in pZone3.

  • Zoning Rules(3x00)

    ERROR/WARNING CODES

    - HARDSOFTMIX (warning): Overlapping SOFT/FA and HARD zones
    - WWNINPORT: Overlapping hard WWN and PORT zones
    - FAQLMIX: Overlapping hard WWN or PORT zones with QL or FA zones
    - DRIVERERR: port-level detected unknown error
    - NOMORECAM: port-level depleted hardware resource
    - CHECKBADWWN: WWN probing detected
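
The 3x00 rules above (port-only and WWN-only zones are hard, mixed zones are soft, and a device zoned by port in one zone and by WWN in another loses hardware enforcement at its port) can be checked against a defined configuration before it is enabled. The following Python is an added example, not part of the original slides or of any Brocade tool; the WWNs, the names `Storage1a` and `mZone`, the `attached` port-to-WWN table, and the pairing of HARDSOFTMIX and WWNINPORT with these two overlaps are assumptions drawn from the slide text.

```python
import re

PORT = re.compile(r"^\d+,\d+$")                        # "domain,port"
WWN = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")  # 8-byte WWN, lower case

def expand(members, aliases):
    """Replace alias names with their members; return a flat list."""
    out = []
    for m in members:
        if m in aliases:
            out.extend(expand(aliases[m], aliases))
        else:
            out.append(m.replace(" ", "").lower())
    return out

def zone_type(members):
    """'port' and 'wwn' zones are hard on 3x00; 'mixed' zones are soft."""
    kinds = {"port" if PORT.match(m) else "wwn" if WWN.match(m) else None
             for m in members}
    if None in kinds:
        raise ValueError(f"unrecognised member in {members!r}")
    return kinds.pop() if len(kinds) == 1 else "mixed"

def audit(zones, aliases, attached):
    """Return {port: (enforcement, warning or None)}; attached is {"D,P": wwn}."""
    flat = {name: expand(ms, aliases) for name, ms in zones.items()}
    report = {}
    for port, wwn in attached.items():
        types = {zone_type(ms) for ms in flat.values()
                 if port in ms or wwn.lower() in ms}
        if "mixed" in types:                           # Name Server enforced
            report[port] = ("soft", "HARDSOFTMIX" if len(types) > 1 else None)
        elif types == {"port", "wwn"}:                 # soft porting
            report[port] = ("soft", "WWNINPORT")
        elif types:                                    # hard zones of one kind only
            report[port] = ("hard", None)
    return report

# Constructed sample fabric: the WWNs, Storage1a and mZone are made up.
ALIASES = {"Host1a": ["1,1"], "Storage1a": ["1,2"]}
ZONES = {
    "pZone1": ["Host1a", "Storage1a"],                                  # port zone
    "pZone3": ["10:00:00:00:00:00:00:01", "50:00:00:00:00:00:00:03"],  # WWN zone
    "mZone": ["1,2", "50:00:00:00:00:00:00:05"],                        # mixed zone
}
ATTACHED = {"1,1": "10:00:00:00:00:00:00:01", "1,2": "50:00:00:00:00:00:00:02",
            "1,3": "50:00:00:00:00:00:00:03", "1,5": "50:00:00:00:00:00:00:05",
            "1,6": "50:00:00:00:00:00:00:06"}
print(sorted(audit(ZONES, ALIASES, ATTACHED).items()))
```

Ports reported as soft are the ones where, per the slides, probing is still possible, so they are the ones to re-zone consistently by port or by WWN.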

  • Port Zoning

    Orange Zone: 1,1; 2,11; 1,8; 1,5; 2,15; 1,4; 2,14

    Green Zone: 2,1; 1,11; 2,8; 2,5; 1,15; 2,4; 1,14

    [Diagram: Host O, Host G, Switch 1, Switch 2, HSG, XP, Bridge and DLT devices, with connections labelled by domain,port]

  • World-Wide Name Zoning

    Orange Zone: O-L0/6; O-L0/7; O-DLTS; O-XP1; O-XP2; O-FC1; O-FC2

    Green Zone: G-L0/6; G-L0/7; G-DLTS; G-XP1; G-XP2; G-FC1; G-FC2

    B-L0/6: 50:06:0b:00:00:e6:e8

    [Diagram: Host O, Host G, Switch 1, Switch 2, HSG, XP, Bridge and DLT devices, with connections labelled by alias (B-XP1, B-XP2, B-FC1, B-FC2, B-DLTS, B-L0/6, B-L0/7, G-XP1, G-XP2, G-FC1, G-FC2, G-DLTS, G-L0/6, G-L0/7)]

  • Zoning commands (1 of 4)

    Zoning commands are issued from any switch in a fabric (you must be logged in to the admin account) to manage zones, zone aliases, and zone configurations. This is also true when working from the zoning GUI.

    All add, create, delete, and remove commands modify the defined configuration only.

    Very important: This has no effect on the effective configuration until you execute a cfgEnable command.

  • Zoning commands (2 of 4)

    Configuration commands allow you to manipulate fabric configurations:

    - cfgAdd: Adds a zone to a configuration.
    - cfgCreate: Creates a zone configuration.
    - cfgDelete: Deletes a zone configuration.
    - cfgRemove: Removes a zone from a configuration.
    - cfgShow: Shows the zone configurations (defined and effective).

    Alias commands allow you to manipulate zone aliases:

    - aliAdd: Adds a member to a zone alias.
    - aliCreate: Creates a zone alias.
    - aliDelete: Deletes a zone alias.
    - aliRemove: Removes a member from a zone alias.
    - aliShow: Shows all defined aliases.

  • Zoning commands (3 of 4)

    Zone commands allow you to manipulate zones:

    - zoneAdd: Adds a member to a zone.
    - zoneCreate: Creates a zone.
    - zoneDelete: Deletes a zone.
    - zoneRemove: Removes a member from a zone.
    - zoneShow: Shows all defined zones.

  • Zoning commands (4 of 4)

    Management commands allow you to manipulate preexisting configurations:

    - cfgEnable: Enables a zone configuration.
    - cfgDisable: Disables a zone configuration (caution). Note: You should disable the effective configuration by enabling another configuration (for example, cfgEnable new_configuration).
    - cfgSave: Saves all zoning information into flash memory (to all switches in the fabric).
    - cfgShow: Shows all zoning information.
    - cfgClear: Clears all zone configurations. Must be followed by a cfgSave. If it is your intention to get rid of all zoning fabric-wide, with switch FW v2.6.0c, this command must be preceded by a cfgDisable command.

  • Zone Management Commands (1 of 5)

    Create Configurations: aliCreate, zoneCreate, cfgCreate

    [Diagram labels: Brocade SilkWorm; Switch Domain 1; SDRAM; Flash Memory; Configuration Definitions; Enabled Configuration; cfgEngMkt (ZoneEng, ZoneMkt)]

  • Zone Management Commands (2 of 5)

    Command: cfgEnable cfgEngMkt

    [Diagram labels: Brocade SilkWorm; Switch Domain 1; SDRAM; Flash Memory; Configuration Definitions; Enabled Configuration; cfgEngMkt (ZoneEng, ZoneMkt), shown twice]

  • Zone Management Commands (3 of 5)

    Command: cfgDisable

    [Diagram labels: Brocade SilkWorm; Switch Domain 1; SDRAM; Flash Memory; Configuration Definitions; Enabled Configuration; cfgEngMkt (ZoneEng, ZoneMkt), shown twice]

  • Zone Management Commands (4 of 5)

    Command: cfgclear

    [Diagram labels: Brocade SilkWorm; Switch Domain 1; SDRAM; Flash Memory; Configuration Definitions; Enabled Configuration; cfgEngMkt (ZoneEng, ZoneMkt)]

  • Zone Management Commands (5 of 5)

    Command: cfgSave

    Writes name only to flash

    [Diagram labels: Brocade SilkWorm; Switch Domain 1; SDRAM; Flash Memory; Configuration Definitions; Enabled Configuration; cfgEngMkt (ZoneEng, ZoneMkt), shown twice]

  • Creating a Configuration Example

    => aliCreate Alias_Name,member;member;member
    => zoneCreate Zone_Name,Alias_Name;1,2; WWN
    => cfgCreate cfg_Name,Zone_Name;Zone_Name
    => cfgEnable cfg_Name
    => cfgSave cfg_Name
    => configUpload host_IP,user,/file_name,password

  • Changes to the Fabric

    Adding a new switch/fabric

    - Applies when the new switch/fabric has not previously had zoning, or the cfgClear command has been run
    - When added, all zone configuration data is copied from the zoned fabric into the new switch/fabric

    Merging two switches/fabrics

    - If both fabrics have identical zone configuration data and the same configuration is enabled, the fabrics join to form one larger fabric
    - If the fabrics have different zone configuration data, the ISL is segmented. One switch configuration may become disabled.

    Splitting a fabric

    - If an ISL goes down, causing a fabric to split into two separate fabrics, then each new fabric retains the same zone configuration
    - The fabric will re-merge when the ISL is back up and no zone changes have been made

  • Zoning Example #1

    ZoneG: 6,0; 6,3

    ZoneG is enabled. Which devices can Host A see? Which devices can Host B see?

    [Diagram labels: Host A, Switch 6, Host B, Switch 7, FC10, DLT, XP; hardware paths 0/2/0/0 and 0/4/0/0; port numbers 0, 3, 7, 8, 9, 15]

  • Zoning Example #2a

    ZoneB: 6,0; 6,3; 6,7; 6,15

    1) No ISL: ZoneB on Domain6. No Zone on Domain7. Which devices can Host A see? Which devices can Host B see?

    [Diagram labels: Host A, Switch 6, Host B, Switch 7, FC10, DLT, XP; port numbers 0, 3, 7, 8, 9, 15]

  • Zoning Example #2b

    ZoneB: 6,0; 6,3; 6,7; 6,15

    After connecting the ISL, which devices can Host A see? Which devices can Host B see?

    [Diagram labels: Host A, Switch 6, Host B, Switch 7, FC10, DLT, XP; port numbers 0, 3, 7, 8, 9, 15]

  • Zoning Example #3a

    ZoneB: 6,0; 6,3

    ZoneG: 7,0; 7,3

    No ISL: ZoneB on Domain6. ZoneG on Domain7. Which devices can Host A see? Which devices can Host B see?

    [Diagram labels: Host A, Switch 6, Host B, Switch 7, FC10, DLT, XP; port numbers 0, 3, 7, 8, 9, 15]

  • Zoning Example #3b

    ZoneB: 6,0; 6,3

    ZoneG: 7,0; 7,3

    After connecting the ISL, which devices can Host A see? Which devices can Host B see?

    [Diagram labels: Host A, Switch 6, Host B, Switch 7, FC10, DLT, XP; port numbers 0, 3, 7, 8, 9, 15]

  • Learning check

  • Lab #

    Lab title