Brocade Zoning
Module 8
-
Objectives
This module prepares students to:
  Describe zoning concept advantages and limitations
  Define the different types of zoning for Brocade switches
  Configure a multiple zone fabric
  Perform merging of two fabrics with zoning configurations
-
Security Comparisons
Comparisons of different security models

Host Level (OV-SAM Allocater)
  Advantages:
    Mixed heterogeneous devices.
    Independent of target devices.
    Eases the management of a storage pool.
  Disadvantages:
    Management software is host/HBA specific and must be present on all hosts in the SAN to be effective.
    Someone can plug a host into the SAN that can see and corrupt data. The SAN is particularly vulnerable to this in a multiple campus situation.

Infrastructure Level (Switch zoning)
  Advantages:
    Independent of hosts and target devices.
    Safeguards the SAN against interruption by unauthorized hosts.
  Disadvantages:
    Granularity is at port and node level or WWN level (not LUN level).
    When connecting switches from different vendors, zoning choices may be limited.
    Most switch vendors use WWN zoning when flexibility is required (i.e. separating devices on a loop into different zones).

Device Level (Secure Manager XP/VA, Selective Storage Presentation, EVA/MA)
  Advantages:
    Best granularity: LUN level.
    Best safeguarded from anywhere.
  Disadvantages:
    Device dependent: a low-end array or JBOD may not support this function.
    Administration may become cumbersome for large node counts (e.g. 200 NT servers sharing a LUN for a mail database).
    Firmware changes can disturb settings (Secure Manager only).
-
Overview
Brocade zoning product
  Licensed product, part of the standard HP bundle
  Allows a finer segmentation of Storage Area Networks
  Used to set up barriers between different operating environments
    to deploy logical Fabric subsets by creating defined user groups
    to create test or maintenance areas that are separate within the Fabric
  Allows the flexibility to manage a SAN to meet different closed user groups objectives
-
Zoning Example
The server in the red zone sees one loop of disks and one tape.
The server in the blue zone sees two storage arrays.
The server in the green zone sees one loop, one array, and one tape.
No server sees loop 2.
-
A Hierarchical Structure
Zoning Components
  Fabric may have more than one Cfg
  Only one Cfg can be active
  Cfg is a container for zones
  Zones may overlap
  Zone is a container for members
  Members may be defined with Aliases
  Member can be:
    A fabric physical port number
    A node or port WWN
    An AL_PA
    An Alias
[Diagram: Fabric containing Cfg_I through Cfg_N; a Cfg containing Zone_ABC and Zone_XYZ; a zone containing Member#1, Member#2, ... Member#n]
-
Zoning enforcement mechanisms
Soft Zoning: Name-Server assisted
  Name Server restricts visibility
  Always available when zoning enabled
  Relies on "good citizens" for security (No WWN probing)
  No reduction in performance
Hard Zoning: Hardware enforced
  Available when certain rule conditions are met through hardware logic checking
  Provides additional security in addition to Soft zoning
  Inhibits illegal access from "bad citizens"
-
2x00 zoning
Mechanisms
  Soft Zoning for WWNs
  Hardware Zoning for Domain, Port
  Enforced at fabric-level
  QuickLoop Soft Zoning for AL-PAs
Granularity
  (domain, port), WWNs, AL-PA (QuickLoop)
Security
  Hardware enforcement is very secure
  Probing possible when soft zoning
-
2x00 zoning examples
Hardware Zoning (2x00 Silkworm)
Port Zoning (Domain, Port) is enforced in hardware.
Hardware enforced zoning possible only when no WWN exists in Effective Configuration.
Example:
aliCreate Hosta , ,
aliCreate toragea , ,
zoneCreate p)oe , Hosta; toragea
zoneCreate p)oe , ,; ,

Software Zoning (2x00 Silkworm)
Software enforced zoning when WWN exists in Effective Configuration.
Example:
aliCreate Host , :::::f:
aliCreate torage , :::::f:
zoneCreate p)oe , Host; torage
zoneCreate p)oe , :::::f:; :::::f:

Mixed configurations are enforced in Soft zoning, as with the following command:
zoneCreate )oe ,; WWN
-
3x00 zoning
Mechanism
  Port-level zoning is Hardware Enforced
  WWN zoning is Hardware Enforced
  Mixed zones, Fabric Assist zones and Quick Loop zones remain enforced through Name Server (Soft zoning)
Granularity
  Same as in v2.x
Security
  Hardware enforced zoning is very secure
  Probing is still possible for ports with no hardware enforcement
-
3x00 zoning examples
The Effective Configuration can contain both hard and soft zones.

Hardware Zoning (3x00 Silkworm)
Port Zoning (Domain, Port) or WWN zoning is enforced in hardware.
Example:
aliCreate Hosta , ,
aliCreate toragea , ,
zoneCreate p)oe , Hosta; toragea
zoneCreate p)oe , ,; ,
aliCreate Host , :::::f:
aliCreate torage , :::::f:
zoneCreate p)oe , Host; torage
zoneCreate p)oe , :::::f:; :::::f:

Software Zoning (3x00 Silkworm)
Mixed configurations are enforced in Soft zoning, as with the following command:
zoneCreate )oe ,; WWN
-
Soft Porting
If a device is defined by port (D,P) in one zone and by WWN in another, the hardware enforcement at the port will be turned OFF and the zoning control will be controlled by Name Server. This is called "soft porting".
Example:
aliCreate Hosta , ,
aliCreate toragea , ,
zoneCreate p)oe , Hosta; toragea
zoneCreate p)oe , ,; ,
aliCreate Hosta , :::::f:
aliCreate torage , :::::f:
zoneCreate p)oe , Host; torage
zoneCreate p)oe , :::::f:; :::::f:
Host1a is defined by port zoning in pZone1 and by WWN zoning in pZone3.
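
Added example (not part of the original module and not Brocade code): a Python audit of the 2x00/3x00 enforcement rules above that labels each zone hard or soft and lists soft-ported ports. The port numbers, WWNs, the zone mZone, the alias names other than Host1a and the WWN-to-port table are constructed for illustration.

```python
import re

PORT = re.compile(r"^\d+,\d+$")                        # "domain,port"
WWN = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")  # 8-byte WWN

def kind(member):
    if PORT.match(member):
        return "port"
    if WWN.match(member):
        return "wwn"
    raise ValueError(f"unrecognised zone member: {member!r}")

def expand(members, aliases):
    """Replace alias names by their members; normalise spacing and case."""
    flat = [m for name in members for m in aliases.get(name, [name])]
    return [m.replace(" ", "").lower() for m in flat]

def audit(zones, aliases, attached, model="3x00"):
    """Return ({zone: 'hard'|'soft'}, [soft-ported 'D,P' ports]).

    attached maps a WWN to the 'D,P' it is logged in on (assumed input,
    e.g. taken from the name server). Ports in the second list have lost
    hardware enforcement even if their zones are labelled 'hard'.
    """
    flat = {z: expand(ms, aliases) for z, ms in zones.items()}
    kinds = {z: {kind(m) for m in ms} for z, ms in flat.items()}
    wwn_present = any("wwn" in k for k in kinds.values())
    enforcement = {}
    for z, k in kinds.items():
        if len(k) > 1:                         # mixed port + WWN zone
            enforcement[z] = "soft"
        elif model == "2x00" and wwn_present:  # any WWN disables hard zoning
            enforcement[z] = "soft"
        else:
            enforcement[z] = "hard"
    if model == "2x00":
        return enforcement, []
    members = [m for ms in flat.values() for m in ms]
    by_port = {m for m in members if kind(m) == "port"}
    by_wwn = {attached[m] for m in members if m in attached}
    return enforcement, sorted(by_port & by_wwn)

# Constructed sample: Host1a is zoned by port in pZone1 and by WWN in pZone3.
ALIASES = {"Host1a": ["1,1"], "Storage1a": ["1,8"],
           "Host1": ["10:00:00:00:c9:00:00:01"],
           "Storage1": ["50:06:0b:00:00:00:00:02"]}
ZONES = {"pZone1": ["Host1a", "Storage1a"], "pZone3": ["Host1", "Storage1"],
         "mZone": ["2,4", "10:00:00:00:C9:00:00:03"]}
ATTACHED = {"10:00:00:00:c9:00:00:01": "1,1", "50:06:0b:00:00:00:00:02": "1,9"}

if __name__ == "__main__":
    print(audit(ZONES, ALIASES, ATTACHED))
    print(audit(ZONES, ALIASES, ATTACHED, model="2x00"))
```
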
-
Zoning Rules (3x00)
ERROR/WARNING CODES
  HARDSOFTMIX (warning) - Overlapping SOFT/FA and HARD zones.
  WWNINPORT - Overlapping hard WWN and PORT zones.
  FAQLMIX - Overlapping hard WWN or PORT zones with QL or FA zones.
  DRIVERERR - port-level detected unknown error.
  NOMORECAM - port-level depleted hardware resource.
  CHECKBADWWN - WWN probing detected.
-
Port Zoning
Orange Zone: 1,1; 2,11; 1,8; 1,5; 2,15; 1,4; 2,14
Green Zone: 2,1; 1,11; 2,8; 2,5; 1,15; 2,4; 1,14
[Diagram: Host O and Host G, Switch 1 and Switch 2, HSG, XP, Bridge and DLT devices, with each connection labelled by its domain,port]
-
World-Wide Name Zoning
Orange Zone: O-L0/6; O-L0/7; O-DLTS; O-XP1; O-XP2; O-FC1; O-FC2
Green Zone: G-L0/6; G-L0/7; G-DLTS; G-XP1; G-XP2; G-FC1; G-FC2
[Diagram: Host O and Host G, Switch 1 and Switch 2, HSG, XP, Bridge and DLT devices, with each connection labelled by a WWN alias: B-L0/6, B-L0/7, B-XP1, B-XP2, B-FC1, B-FC2, B-DLTS, G-L0/6, G-L0/7, G-XP1, G-XP2, G-FC1, G-FC2, G-DLTS]
B-L0/6: 50:06:0b:00:00:e6:e8
-
Zoning commands (1 of 4)
Zoning commands are issued from any switch in a fabric (you must be logged in to the admin account) to manage zones, zone aliases, and zone configurations.
This is also true when working from the zoning GUI.
All add, create, delete, and remove commands modify the defined configuration only.
Very important: This has no effect on the effective configuration until you execute a cfgEnable command.
-
Zoning commands (2 of 4)
Configuration commands allow you to manipulate fabric configurations:
  cfgAdd      Adds a zone to a configuration.
  cfgCreate   Creates a zone configuration.
  cfgDelete   Deletes a zone configuration.
  cfgRemove   Removes a zone from a configuration.
  cfgShow     Shows the zone configurations (defined and effective).
Alias commands allow you to manipulate zone aliases:
  aliAdd      Adds a member to a zone alias.
  aliCreate   Creates a zone alias.
  aliDelete   Deletes a zone alias.
  aliRemove   Removes a member from a zone alias.
  aliShow     Shows all defined aliases.
-
Zoning commands (3 of 4)
Zone commands allow you to manipulate zones.
  zoneAdd     Adds a member to a zone.
  zoneCreate  Creates a zone.
  zoneDelete  Deletes a zone.
  zoneRemove  Removes a member from a zone.
  zoneShow    Shows all defined zones.
-
Zoning commands (4 of 4)
Management commands allow you to manipulate preexisting configurations.
  cfgEnable   Enables a zone configuration.
  cfgDisable  Disables a zone configuration (caution).
              Note: You should disable the effective configuration by enabling another configuration (for example, cfgEnable new_configuration).
  cfgSave     Saves all zoning information into flash memory (to all switches in the fabric).
  cfgShow     Shows all zoning information.
  cfgClear    Clears all zone configurations.
              Must be followed by a cfgSave.
              If it is your intention to get rid of all zoning fabric-wide, with switch FW v2.6.0c, this command must be preceded by a cfgDisable command.
-
Zone Management Commands (1 of 5)
Create Configurations: aliCreate, zoneCreate, cfgCreate
[Diagram: Brocade SilkWorm, Switch Domain 1, with Flash Memory and SDRAM areas for Configuration Definitions and Enabled Configuration; labels: cfgEngMkt, ZoneEng, ZoneMkt]
-
Zone Management Commands (2 of 5)
Command: cfgEnable cfgEngMkt
[Diagram: Brocade SilkWorm, Switch Domain 1, with Flash Memory and SDRAM areas for Configuration Definitions and Enabled Configuration; cfgEngMkt, ZoneEng, ZoneMkt shown twice]
-
Zone Management Commands (3 of 5)
Command: cfgDisable
[Diagram: Brocade SilkWorm, Switch Domain 1, with Flash Memory and SDRAM areas for Configuration Definitions and Enabled Configuration; cfgEngMkt, ZoneEng, ZoneMkt shown twice]
-
Zone Management Commands (4 of 5)
Command: cfgclear
[Diagram: Brocade SilkWorm, Switch Domain 1, with Flash Memory and SDRAM areas for Configuration Definitions and Enabled Configuration; labels: cfgEngMkt, ZoneEng, ZoneMkt]
-
Zone Management Commands (5 of 5)
Command: cfgSave
Writes name Only to flash
[Diagram: Brocade SilkWorm, Switch Domain 1, with Flash Memory and SDRAM areas for Configuration Definitions and Enabled Configuration; cfgEngMkt, ZoneEng, ZoneMkt shown twice]
-
Creating a Configuration Example
=> aliCreate Alias_Name,member;member;member
=> zoneCreate Zone_Name,Alias_Name;1,2; WWN
=> cfgCreate cfg_Name,Zone_Name;Zone_Name
=> cfgEnable cfg_Name
=> cfgSave cfg_Name
=> configUpload host_IP,user,/file_name,password
-
Changes to the Fabric
Adding a new switch/fabric
  The new switch/fabric has not previously had zoning, or the cfgClear command has been run.
  When added, all zone configuration data is copied from the zoned fabric into the new switch/fabric.
Merging two switches/fabrics
  If both fabrics have identical zone configuration data and the same configuration is enabled, the fabrics join to form one larger fabric.
  If the fabrics have different zone configuration data, the ISL is segmented. One switch configuration may become disabled.
Splitting a fabric
  If an ISL goes down, causing a fabric to split into two separate fabrics, then each new fabric retains the same zone configuration.
  The fabric will re-merge when the ISL is back up and no zone changes have been made.
-
Zoning Example #1
[Diagram: Host A (HBA paths 0/2/0/0, 0/4/0/0), Switch 6, Host B (HBA paths 0/2/0/0, 0/4/0/0), Switch 7, FC10, DLT and XP devices; port labels 0, 3, 7, 8, 9, 15]
ZoneG: 6,0; 6,3
ZoneG is enabled.
Which devices can Host A see? Which devices can Host B see?
-
Zoning Example #2a
[Diagram: Host A, Switch 6, Host B, Switch 7, FC10, DLT and XP devices; port labels 0, 3, 7, 8, 9, 15]
ZoneB: 6,0; 6,3; 6,7; 6,15
No ISL: ZoneB on Domain6. No Zone on Domain7.
Which devices can Host A see? Which devices can Host B see?
-
Zoning Example #2b
[Diagram: Host A, Switch 6, Host B, Switch 7, FC10, DLT and XP devices; port labels 0, 3, 7, 8, 9, 15]
ZoneB: 6,0; 6,3; 6,7; 6,15
After connecting the ISL, which devices can Host A see? Which devices can Host B see?
-
Zoning Example #3a
[Diagram: Host A, Switch 6, Host B, Switch 7, FC10, DLT and XP devices; port labels 0, 3, 7, 8, 9, 15]
ZoneB: 6,0; 6,3
ZoneG: 7,0; 7,3
No ISL: ZoneB on Domain6. ZoneG on Domain7.
Which devices can Host A see? Which devices can Host B see?
-
Zoning Example #3b
[Diagram: Host A, Switch 6, Host B, Switch 7, FC10, DLT and XP devices; port labels 0, 3, 7, 8, 9, 15]
ZoneB: 6,0; 6,3
ZoneG: 7,0; 7,3
After connecting the ISL, which devices can Host A see? Which devices can Host B see?