Brocade BCFP 4.0 Zoning Guide

© 2006 Brocade Communications Systems, Incorporated.Revision CFP264 ILT 0806

Page 6-1

1

Brocade Education Services

Brocade®

Product Training

© 2006 Brocade Communications Systems, Incorporated.CFP264 ILT 0806

CFP264Brocade 4 Gbit/sec Accelerated BCFP

Instructor-Led Module 6Brocade SilkWorm Zoning


Page 6-2

2© 2006 Brocade Communications Systems, Incorporated.CFP264 ILT 0806

Following this module and associated lab, an attendee should be able to:Understand the basic concepts associated with ZoningIimplement a Zoning scheme using the command line syntaxActivate or deactivate a Default ZoneDdifferentiate between Hardware and Session enforcementAdd a new switch to an existing fabric with Zoning enabledState the best practices that should be considered when implementing Zoning

Objectives


Page 6-3


Server in the Red zone sees the disks in Loop 1Server in the Blue zone sees the two disk ArraysServer in the Green zone sees the disks in Loop 1 and one disk ArrayServer 4 sees no diskNo server sees the disks in Loop 2

Server 4

Zoning Overview

A zone is a specified group of fabric-connected devices, also called zone members. Any device, or zone member, connected to the fabric can be included in one or more zones. Devices can communicate only with devices that are in the same zone. After zoning has been enabled, if a device is not explicitly defined in a zone that device is considered not to exist. In the example above both Server 4 and Loop 2 are not defined. When Server 4 queries the fabric to discover what devices it can see, Zoning rejects the request because it is not defined in any zone. Likewise, when the Servers in the Red, Blue and Green zones query the fabric, none of them will see the disk in Loop 2 because it is not defined in any zone. The device will be isolated and will be inaccessible by other devices in the fabric. Devices that attach to the fabric need to be added to a new or existing zone before their ability to communicate is enabled.After the zone members are grouped into zones, zones are grouped into a zone configuration and the zone configuration can then be enabled. When enabled, the zone configuration is distributed to all switches in the fabric and an RSCN is delivered by each switch to its local nodes that are effected by changes in the enabled zone configuration. The Fabric OS Administrator’s Guide describes zoning concepts in more detail.


Page 6-4


Prepare – Create a detailed diagram of the fabric– All switches require a Zoning licenseDefine– Establish a naming convention– Identify members by port or WWN – Create aliases, zones, zone configuration– Exclude E_PortsAnalyze zone configuration– Can be done with CLI, Web Tools, Fabric Manager or

SAN HealthEnable the zone configurationVerify there is accessibility between zone members

Process to Implement Zoning

Create a detailed switch diagram of the fabric showing ISL connectivity. This will help account for every switch in the fabric and the E_Ports that are in use. Expand each switch diagram to show every port (F_Port, FL_Port). Switch ports that are not in use should remain disabled with a portcfgpersistentdisable command.

Define a naming convention to help identify and reference devices in the fabric. Naming conventions can also be used when creating zones and zone configurations.

The zoning syntax when creating a zoning set ultimately defines what zoning scheme will be enforced as the frame is delivered to the destination port. More information on this will follow.

Analyze the zones to ensure that all nodes are members of the correct zone(s). When the aliases have been added to zones and the zones are added to the zone configuration, enable the zone configuration and test from the host that each target can be accessed. For fabrics with multiple zones enabled, it is generally best to configure one zone at a time and then test it with the Zone Analyzer available in Web Tools. If you create all the zones without testing each zone as it is created, it is difficult to debug. After the first zone is setup in the fabric, the user may plug in devices and then test the connections to confirm that everything is functioning properly.


Page 6-5


Hierarchy of Objects

Members or Aliases

Config

Zones

Member:Alias is given a name, e.g. “Server_1”, “Disk_Array_2”.Physical Fabric port number or area number.Node World Wide Name - Obtained using nsshow or switchshow.Port World Wide Name – Obtained using nsshow or portloginshow.64 characters maximum: A-Z, a-z, 0-9 and the “_” are allowed.

Zone:Is given a name, e.g. “Red_Zone”.Contains two or more members and uses a “;” as a separator.The same member can be in multiple zones.Zone definition is persistent; it remains until deleted or changed by an administrator.

Configuration:Is given a name, e.g. “Production_Cfg”.Is one or more zones.Configuration may be disabled or one configuration may be in effect from any switch in the fabric.An administrator selects which configuration is currently enabled.A configuration is saved when enabled and then distributed to the remaining switches in the fabric where it is enabled and saved.


Page 6-6


Zone ManagementZoning can be managed using:– Command Line Interface (CLI)– Web Tools– Fabric Manager

Use the zonehelp command to display help information

Create Delete Add Remove Show

Alias alicreate alidelete aliadd aliremove alishow

Zone zonecreate zonedelete zoneadd zoneremove zoneshow

Zone Config

cfgcreate cfgdelete cfgadd cfgremove cfgshow

Fabric OS Zone Management Commands

The following commands are used to create/modify the defined zone configuration:*create – Creates a new alias, zone or configuration*delete – Deletes the entire alias, zone or configuration*add – Adds a member to an existing alias, zone or configuration*remove – Removes one or more members from an existing alias, zone or configuration*show – Displays alias, zone and/or configuration information

Web Tools and Fabric Manager provide a GUI that makes the administration of zoning easier.


Page 6-7


Zone AliasesThe use of aliases is optional but aids in the understanding of the zoning structure and contentNaming– May be up to 64 characters– Are case sensitive

Members– <domain, port> or <domain, area>– Node World Wide Name - from nsshow– Port World Wide Name - from nsshow or portloginshow

Sample naming conventions– SRV for Server SRV_SunHost1– STO for Storage STO_Entprise– TPE for Tape TPE_Drive1– VRA for Virtual Appliance VRA_Prod2

Zone objects identified by “port number” or “area number” are specified as a pair of decimal numbers “d,area”, where “d” is the Domain ID of the switch and “area” is the area number on that switch. If the switch is replaced that is referenced by <domain, port> or <domain, area>, the new switch should be configured with the predecessor’s Domain ID. If a Domain ID is changed to a new value, all zonesthat referenced the predecessor’s domain number will need to be updated with the successor’s value.

Worldwide Names are specified as a 16 digit hexadecimal number separated by colons, for example “10:00:00:90:69:00:00:8a”. When node name is used to specify a zone object, all ports on that device are in the zone. When port name is used to specify a zone object, only that single port is in the zone.

Zone aliases simplify repetitive entry of “zone objects” such as port numbers or NWWN. For example, the name “Eng” could be used as an alias for “10:00:00:80:33:3f:aa:11”. An alias is a name assigned to a device or group of devices. By creating an alias you can assign a familiar name to a device, or you can group multiple devices into a single name. This can simplify cumbersome entries and it allows an intuitive naming structure such as using NT_Storage to define all NT storage ports in the fabric.

When a zoned host is returned the list of network targets (referenced by <domain,port> or PWWN or NWWN) by the Name Server, the host will send a PLOGI request to the destination addresses. If the PLOGI frame is allowed to pass at the egress port and the target at the destination address replies an accept to the PLOGI request, the Brocade switch and Zoning has completed its responsibility of networking the source and destination. Limiting the amount of LUNs and target IDs that the host can access when the SCSI inquiry command is sent, is the responsibility by the storage provisioning software located at the storage device.


Page 6-8


Domain 1

Zoning Example1. Plan for your zoning scheme to meet objectives

Eng HostMkt Host

S1S2

S3

S4

S5

2. Create Aliases>alicreate “Eng_Host”,“1,0”

>alicreate “Eng_Stor”,“s1wwn; s2wwn”

>alicreate “Mkt_Host”,“1,16”

>alicreate “Mkt_Stor”,“s3wwn; s4wwn; s5wwn”

3. Create Zones>zonecreate “Zone_Eng”,“Eng_Host; Eng_Stor”

>zonecreate “Zone_Mkt”,“Mkt_Host; Mkt_Stor”

4. Create Configuration>cfgcreate “Cfg_EngMkt”,“Zone_Eng; Zone_Mkt”

This example should not be viewed as a “best practice” but rather an example that shows how a domain, port and WWN would be coded. The CLI is used to illustrate the zoning structure. Once this is understood, the Web Tools GUI would be a better tool to use.

Zoning has a very systematic yet simple approach to implementing:

Zoning requires prior planning. What are your goals? How will you achieve them? Create members using aliases. Create zones using alias members.Create a configuration using zones.Enable the zone configuration throughout the fabric.

Note: A cfgenable also saves the defined configuration and the name of the effective configuration to flash memory.


Page 6-9


Domain 1

Zoning Example (cont.)

sw4100:admin> cfgshow

Defined configuration:

cfg: Cfg_EngMkt

Zone_Eng; Zone_Mkt

zone: Zone_Eng Eng_Host; Eng_Stor

zone: Zone_Mkt Mkt_Host; Mkt_Stor

alias: Eng_Stor 21:00:00:20:37:87:48:e7; 21:00:00:20:37:87:23:e2

alias: Eng_Host 1,0

alias: Mkt_Stor 21:00:00:20:37:87:49:29; 21:00:00:20:37:87:e5:20;21:00:00:20:37:87:20:c5

alias: Mkt_Host 1,16

Effective configuration:

no configuration in effect

Eng HostMkt Host

S1S2

S3

S4

S5

A cfgshow displays the defined configuration and since zoning has not been enabled, there is no effective configuration. Zoning is fabric-wide, thus any switch can be used to display the current zoning configurations.

The defined configuration is the Zoning Database and contains all zone objects that have been created. It is possible to have several zone configurations but only one can be enabled.


Page 6-10


Domain 1

Zoning Example (cont.)

Eng HostMkt Host

S1S2

S3

S4

S5

5. Enable Configuration>cfgenable “Cfg_EngMkt”

Note: A cfgenable also saves the defined configuration and the name of the effective configuration to flash memory.


Page 6-11


Domain 1

Zoning Example (cont.) sw4100:admin> cfgshow


cfg: Cfg_EngMkt

Zone_Eng; Zone_Mkt

zone: Zone_Eng Eng_Host; Eng_Stor

zone: Zone_Mkt Mkt_Host; Mkt_Stor

alias: Eng_Stor 21:00:00:20:37:87:48:e7; 21:00:00:20:37:87:23:e2

alias: Eng_Host 1,0

alias: Mkt_Stor 21:00:00:20:37:87:49:29; 21:00:00:20:37:87:e5:20;21:00:00:20:37:87:20:c5

alias: Mkt_Host 1,16


cfg: Cfg_EngMkt

zone: Zone_Eng 1,0; 21:00:00:20:37:87:23:e2;

21:00:00:20:37:87:48:e7

zone: Zone_Mkt 1,16; 21:00:00:20:37:87:e5:20;

21:00:00:20:37:87:49:29; 21:00:00:20:37:87:20:c5

Eng HostMkt Host

S1S2

S3

S4

S5

Since zoning is now enabled, the configuration in effect is displayed.


Page 6-12


Enabling ZoningOnly one active zone configuration for entire fabricEnabled with cfgenable

– You do not have to disable one zone configuration to enable another– Enable one configuration over another– Saves the zone configuration (no subsequent cfgsave needed)

Saved across power cycles, rebootsEffective zone configuration displayed in switchshow

sw4100:admin> switchshow

switchName: sw4100

switchType: 32.0

switchState: Online

switchMode: Native

switchRole: Principal

switchDomain: 1

switchId: fffc01

switchWwn: 10:00:00:05:1e:34:01:e6

switchBeacon: OFF

Zoning: ON (Cfg_EngMkt)

A zone configuration is a group of zones that are enforced whenever that zone configuration is enabled. A zone can be included in more than one zone configuration.

To define a zone configuration, specify the list of zones to be included and assign a zone configuration name. Zoning may be disabled at any time. When a zone configuration is in effect, all zones that are members of that configuration are in effect.

Defined configuration: The complete set of all zone objects that have been defined in the fabric.

Effective configuration: A single zone configuration that is currently in effect. The effective configuration is built when an administrator enables a specified zone configuration. This configuration is “compiled” by checking for undefined zone names, or zone alias names, or other issues.

Saved configuration: A copy of the defined configuration plus the name of the effective configuration which is saved in flash memory by the cfgsavecommand. There may be differences between the saved configuration and the defined configuration if the system administrator has modified any of the zone definitions and has not saved them.


Page 6-13


FlashMemory

DEFINEDCONFIGURATION

Cfg_EngMktZone_EngZone_Mkt

EFFECTIVECONFIGURATION

RAM

Domain1

Enabling Zoning (cont.)

sw4100:admin> cfgenable “Cfg_EngMkt”


1

23

1 Cfg_EngMkt becomeseffective configuration

2 Defined configurationis written to flash memory

3 Name of effective configurationis written to flash memory(“Cfg_EngMkt”)

Note: cfgenable performs animplicit cfgsave

Use the cfgenable command to enable a zone configuration. The specified zone configuration is built by checking for undefined zone names, zone alias names, or other inconsistencies by expanding zone aliases, removing duplicate entries, and then installing the current configuration.

If the build fails, the previous state is preserved (zoning remains disabled, or the previous configuration remains in effect). If the build succeeds, the new configuration replaces the previous configuration.


Page 6-14


FlashMemory




RAM

Domain1

Disabling Zoning

sw4100:admin> cfgdisable


2

1 Effective configurationis disabled


3 Name of effective configurationset to “none” in flash memory

1


3

Use the cfgdisable command to disable the current zone configuration. The fabric returns to non-zoning mode, in which all devices see each other.

This command ends and commits the current zoning transaction buffer to both volatile and flash memory. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message is displayed on the other switches to indicate the aborting of the transaction.


Page 6-15


FlashMemory



xxxxxxxx …


RAM

Domain1

Saving Zoning

sw4100:admin> cfgsave


1

23


3 Name of effective configurationis written to flash memory(“Cfg_EngMkt”)

1 Any changes made to the definedconfiguration before issuing cfgsave

Note: cfgsave does not do a cfgenable

Use the cfgsave command to save the current zone configuration. The defined configuration and the name of the enabled configuration are written to flash memory in all switches in the fabric. This allows changes to be made to the defined configuration without an immediate enabling of them. The saved configuration is automatically reloaded by the switch on power on and, if a configuration was in effect at the time it was saved, the same configuration is reinstalled with an automatic cfgenable command. Because the saved configuration is reloaded at power on, only valid configurations are saved. The cfgsave command verifies that the enabled configuration is valid by performing the same tests as cfgenable. If the tests fail, an error is displayed and the configuration is not saved. Tests might fail if a configuration has been modified since the last cfgenable. This command ends and commits the current transaction. If a transaction is open on a different switch in the fabric when this command is run, the transaction on the other switch is automatically aborted. A message is displayed on the other switches to indicate the aborting of the transaction.If the defined configuration is larger than the supported maximum zoning database size, the following message is issued: “Commit zone DB larger than supported -<zone db size> greater than <max zone db size>”Note: A cfgsave does not make any changes to the effective configuration. A cfgenable command is still needed to enable any changes made in the defined configuration.


Page 6-16


FlashMemory




RAM

Domain1

Clearing Zoning

sw4100:admin> cfgclear

1 Defined configuration is clearedfrom RAM


1

Note: cfgclear does not disable theeffective configuration and doesnot save anything to flash memory

Use the cfgclear command to clear all zone information in the defined configuration. All defined zone objects are deleted. If an attempt is made to clear the defined configuration while a zone configuration is enabled, you are warned to first disable the enabled zone configuration.

After using the cfgclear command, use the cfgsave command to commit the defined and effective configuration to flash memory for all the switches in the fabric.


Page 6-17


FlashMemory


RAM

Domain1

Maximum Zoning Database Size

Determined by the amount of Flash Memory available for storing the defined configurationAmount varies by Fabric OS releaseSize displayed with cfgsizecommand in bytes– Zone DB max size– Committed size– Transaction size



Use the cfgsize command to display the size details of the zone database. The size details include the Zone DB maximum size, the committed size, and the transaction size. All sizes are in bytes.

Zone DB max size is the upper limit for the defined configuration, determined by the amount of flash memory available for storing the defined configuration.

Committed size is the size of the defined configuration currently stored in flash memory.

Transaction size is the size of the uncommitted defined configuration. This value will be nonzero if the defined configuration is being modified, otherwise it is 0.

sw4100:admin> cfgsize Zone DB max size - 127726 bytes committed - 8812 transaction - 0


Page 6-18


Maximum Zoning Database Size (cont.)

The switch with the lowest maximum determines the maximum zoning database size for the fabric

96 KB128 KB

256 KB

Zoning DatabaseMaximum Size by FOS

v2.6.xv3.1.x

v3.0.xv4.0.xv4.1.xv4.2.x

v3.2.xv4.4.xv5.0.xv5.1.x

Max DB Size?

The switch with the lowest maximum determines the maximum zoning database size for the fabric.If a switch attempts to join a fabric that has a zone database size greater than the supported maximum size of the switch, a segmentation error will occur (the request to join the fabric will be rejected) preventing the switch from joining the fabric.


Page 6-19


Zone Object Commands

You can use these commands for all zone object types: configuration, zone and alias– zoneobjectcopy

Copies a zone object to a new zone objectzoneobjectcopy “Cfg_EngMkt”, “Cfg_Test”

– zoneobjectrenameRenames a zone objectzoneobjectrename “Zone_Redd”, “Zone_Red”

– zoneobjectexpungeDeletes the zone object and removes it from the member list of all other objectszoneobjectexpunge “Mkt_Host”

sw4100:admin> cfgshow "*"

cfg: USA_cfg Red_zone; White_zone; Blue_zone

sw4100:admin> zoneobjectcopy "USA_cfg", "UK_cfg"

sw4100:admin> cfgshow "*"

cfg: UK_cfg Red_zone; White_zone; Blue_zone





zone: Blue_zone 1,0; 1,1

zone: Red_zone 1,2; 1,3

zone: White_zone 1,4; 1,5

sw4100:admin> zoneobjectexpunge “Blue_zone"



cfg: USA_cfg Red_zone; White_zone

zone: Red_zone 1,2; 1,3

zone: White_zone 1,4; 1,5


Page 6-20


Zoning Display Commandsnsaliasshow

Displays local name server information and the defined configuration aliases to which the device belongs

sw4100:admin> nsaliasshow{ Type Pid COS PortName NodeName TTL(sec) NL 0204e2; 3;21:00:00:fa:ce:00:21:1e;20:00:00:fa:ce:00:21:1e; naFC4s: FCP [STOREX RS2999FCPH3 MT09] Fabric Port Name: 20:04:00:60:69:01:44:22 Permanent Port Name: 21:00:00:fa:ce:00:21:1e Aliases: Sun_Disk1

NL 0204ef; 3;21:00:00:ad:bc:04:6f:70;20:00:00:ad:bc:04:6f:70; naFC4s: FCP [STOREX RS2999FCPH3 JB09] Fabric Port Name: 20:04:00:60:69:01:44:22 Permanent Port Name: 21:00:00:ad:bc:04:6f:70 Aliases: The Local Name Server has 2 entries }

This node has notbeen definedin any alias

This command is a duplicate of the nsshow command with the added feature of displaying the defined configuration aliases that the device belongs to.The message “There is no entry in the Local Name Server” is displayed if there is no information in this switch, but there still may be devices connected to other switches in the Fabric. The command nsallshow shows information from all switches.


Page 6-21


Displays all the name server entries matching a given WWN, PID (in hex) or alias

sw4100:admin> nodefind Disk_1Local: Type Pid COS PortName NodeName SCR NL 0314d9; 3;22:00:00:04:cf:5d:dc:2d;20:00:00:04:cf:5d:dc:2d; 0 FC4s: FCP [SEAGATE ST318452FC 0001] Fabric Port Name: 20:14:00:60:69:80:04:79 Permanent Port Name: 22:00:00:04:cf:5d:dc:2d Device type: Physical Target Aliases: Disk_1

Zoning Display Commands (cont.)nodefind

RSL1_ST07_B41:admin> nodefind 21:00:00:04:cf:bd:56:bd

Local:

Type Pid COS PortName NodeName SCR

NL 0200e2; 3;21:00:00:04:cf:bd:56:bd;20:00:00:04:cf:bd:56:bd; 0

FC4s: FCP [SEAGATE ST318452FC 0005]

Fabric Port Name: 20:00:00:05:1e:02:a6:6d

Permanent Port Name: 21:00:00:04:cf:bd:56:bd

Device type: Physical Target

Aliases:

RSL1_ST07_B41:admin> nodefind 0x0200e2

Local:

Type Pid COS PortName NodeName SCR

NL 0200e2; 3;21:00:00:04:cf:bd:56:bd;20:00:00:04:cf:bd:56:bd; 0

FC4s: FCP [SEAGATE ST318452FC 0005]

Fabric Port Name: 20:00:00:05:1e:02:a6:6d

Permanent Port Name: 21:00:00:04:cf:bd:56:bd

Device type: Physical Target

Aliases:


Page 6-22


Zoning Display Commands (cont.)nszonemember

Displays the information of all online devices which are zoned with the given device (WWN or PID)sw4100:admin> nszonemember 0x0406e22 local zoned members: Type Pid COS PortName NodeName SCRNL 0406e2; 3;22:00:00:20:37:d9:6b:b3;20:00:00:20:37:d9:6b:b3; 0 FC4s: FCP [SEAGATE ST318304FC 0005] Fabric Port Name: 20:06:00:60:69:50:06:78 Permanent Port Name: 22:00:00:20:37:d9:6b:b3 Device type: Physical Target

NL 040901; 2,3;10:00:00:00:c9:26:0e:ae;20:00:00:00:c9:26:0e:ae; 3 Fabric Port Name: 20:09:00:60:69:50:06:78 Permanent Port Name: 10:00:00:00:c9:26:0e:ae Device type: Physical Initiator

No remote zoned members

Also can use the WWN:sw4100:admin> nszonemember 22:00:00:20:37:d9:6b:b3


Page 6-23


Zoning Display Commands (cont.)nszonemember -u

Displays all unzoned devices in the entire fabricsw4100:admin> nszonemember -uPid: 0x041ea9; Aliases: stor32b_1Pid: 0x041eaa; Aliases: stor32b_2Pid: 0x041eab; Aliases: stor32b_3Pid: 0x041eac; Aliases: stor32b_4Pid: 0x041fad; Aliases: stor32a_5Pid: 0x041fae; Aliases: stor32a_6Pid: 0x041fb1; Aliases: stor32a_7Pid: 0x041fb2; Aliases: stor32a_8Pid: 0x062800; Aliases:Totally 9 unzoned devices in the fabric.

Some useful options with nszonemember:-a Displays each local device’s online zoned data, including PID and zone alias.-u Displays all unzoned devices in the entire fabric.


Page 6-24


Additional Zone Management Commandscfgtransshow– Displays the current zoning transaction information

cfgtransabort– Aborts the current zoning transaction (anything since the

last save)

cfgactvshow– Displays the zoning effective configuration

sw4100:admin> cfgtransshow

There is no outstanding zone transactions

sw4100:admin> cfgclear Do you really want to clear all configurations? (yes, y, no, n):[no] y Clearing All zoning configurations...

sw4100:admin> cfgtransshow

Current transaction token is 271010736 It is abortable

sw4100:admin> cfgtransabort

sw4100:admin> cfgactvshow


cfg: Cfg_EngMkt

zone: Zone_Eng 1,0;

21:00:00:20:37:87:23:e2;

21:00:00:20:37:87:48:e7 zone: Zone_Mkt 1,16;

21:00:00:20:37:87:e5:20;

21:00:00:20:37:87:49:29;

21:00:00:20:37:87:20:c5


Page 6-25


Default ZoningIn early versions of Fabric OS, when zoning was not implemented or a cfgdisable command was issued, all devices in the fabric could access each other

In Fabric OS v5.1.0, you can now create a default zone:– Controls what device access is allowed within a fabric when zoning

is not enabled– Enable all device access with defzone --allaccess (default)– Disable all device access with defzone --noaccess

How it works:– When a user-specified zone configuration is not enabled, defzone

is in effect– When a user-specified zone configuration is enabled, the defzone

is overridden

The new default zone feature can enable or disable device access within a fabric. Default zones are based on the FC-GS standard, but are not supported when the switch or Director is in interop mode.The defzone –allaccess is the default because it matches how zoning worked prior to Fabric OS v5.1.0.


Page 6-26


Default Zoning (cont.)defzone Command

To create a no-access default zone– defzone --noaccess

– Creates the following (hidden) zone configurationcfgcreate “d__efault__Cfg”, “d__efault__Zone”zonecreate “d__efault__Zone”,“00:00:00:00:00:00:00:01”

To create an all-access default zone– defzone --allaccess

– Does the equivalent of the following zoning commandscfgdelete “d__efault__Cfg”

zonedelete “d__efault__Zone”

Changes must be committed to the fabric– Normally a cfgsave will be used– A cfgenable or cfgdisable can be used since each includes an

implied save

Two underscorecharacters usedin all instances

The new defzone command configures a default zone configuration and displays the current configuration. The command has no optional parameters, and takes one of three required arguments:

--allaccess Create a default zone that enables all device-to-device access within the fabric. This is the default behavior in Fabric OS v5.1, and matches the default behavior in a non-zoned fabric.--noaccess Create a default zone that disables all device-to-

device access within the fabric.--show Display the current default zone.

Names beginning with d__efault__ are reserved for default zoning use (note: two underscore characters are used in each instance.)

Note: The setting of the defzone command is stored in the zoning transaction buffer. Normally, a cfgsave is used to commit the zoning transaction to the entire fabric. A cfgenable or cfgdisable will do the commit since each command does an implied cfgsave. Because the setting is stored in the zoning transaction buffer, a cfgtransabort could be used to abort the defzone command.


Page 6-27


Default Zoning defzone Command (cont.)

Display the current default zone

sw4100:admin> defzone --showDefault Zone Access Mode

committed - No Accesstransaction - No Transaction

If Zoning is notenabled, devicesin the fabric can notaccess each other


Page 6-28


Default Zoning defzone Command (cont.)

On a Fabric OS v5.1.0 switch, the cfgactvshow and cfgshow commands do not display the default zone or zone configuration

On switches running releases earlier than Fabric OS v5.1.0, the d__efault__Cfg and d__efault__Zone can be seen, but not managed

With defzone set to noaccess, perform all zoning tasks from a switch running Fabric OS v5.1– A cfgdisable issued from a switch running an earlier

version is rejected

From a switch running earlier versions of Fabric OS, the zone* commands cannot manage the default zone, and the cfg* commands cannot manage the default zone configuration.For example, attempting to disable d__efault__Cfg on a Fabric OS v5.0.1 switch results in the following error message:RCSRCA_SFC_REJECTED

Sfc Was Rejected: Remote Switch Unable To Process.


Page 6-29


Default Zoningdefzone Command (cont.)

When the defzone is configured as noaccess and zoning is disabled, then the cfgshow output on a Fabric OS v5.1.0 switch is different from a switch with an earlier release

sw4100:admin> cfgshowDefined configuration:

Effective configuration:no configuration in effect:

(No Access)

v5.1.0v5.0.1

sw200E:admin> cfgshowDefined configuration:cfg: d__efault__Cfg

d__efault__Zonezone: d__efault__Zone

00:00:00:00:00:00:00:01 Effective configuration:cfg: d__efault__Cfgzone: d__efault__Zone

00:00:00:00:00:00:00:01

When zoning is not enabled and the default zone is set to no access, the cfgshow output for the v5.1.0 switch is different from a switch with an earlier release. See slide above.

Use the defzone --show command to determine which mode the default zone is set to (Access or No Access).

sw4100:admin> defzone --showDefault Zone Access Mode

committed - No Accesstransaction - No Transaction

sw4100:admin> switchshow

switchName: sw4100

switchType: 32.0

switchState: Online

switchMode: Native

switchRole: Subordinate

switchDomain: 2

switchId: fffc02

switchWwn: 10:00:00:05:1e:02:a6:6d

zoning: ON (No Access)

switchBeacon: OFF

<truncated output>


Page 6-30


Web Tools – Zoning Administration

Click herefor

ZoningAdmin

Location of the Zone Admin icon. A login is required before the Zone Administration screen appears.


Page 6-31


Web Tools – Zoning Administration (cont.)

This screen allows for the creation and modification of aliases, zones and configuration.


Page 6-32


Zoning Enforcement

Session Enforcement– Name Server restricts PLOGIs

Hardware Enforcement– Available through ASIC hardware logic checking – Denies illegal access from “bad citizens1”– More secure than session

Enforcement based on how members in a zone are defined

Devices that are Session enforced cause any PLOGIs to the device to be rejected.Devices that are Hardware enforced cause any frames that do not comply with the effective zone configuration to be rejected. This blocking is performed at the transmit side of the port where the destination device is located. This is the highest level of protection for a device.Footnote 1: A bad citizen is best explained by defining good citizens. Good citizens are defined as fabric devices that support RSCNs, query name server when they receive RSCNs and only communicate with devices that the name server gives them when they query. Bad citizens do not do one or more of these things.The decision for what enforcement a device receives is based on how the members in a given zone are defined. The table on the next slide describes this process.


Page 6-33


Zoning EnforcementNon-overlapping Zones

Hardware Enforcement– Frame Filter

Session Enforcement– Trap PLOGI– Issues reject to

initiator

SessionMIXED

Z3=“dom2,port3; wwn4”

HardwareAll WWNs

Z2=“wwn1; wwn2; wwn3”

HardwareAll PORTS

Z1=“dom2,port1; dom2,port2”

2 & 4 Gbit/secASICsZone Members

Hardware Enforced Zoning:

Hardware Enforced zoning is used by zones with all members defined by their <domain id, port> or all members defined by their WWN. This the strongest form of enforcement and will block all frames that compromise the zone from a device that is not a member of a zone such as a “bad citizen”. Destination ASIC checks SID on every frame against CAM table entries. Overlapping zones (zone members that appear in two or more zones) are permitted and hardware enforcement will continue as long as the overlapping zones have either all WWNs or <domain id, port> entries. Using all WWNs in a zone allows for the node to attach to any port in the fabric and have hardware enforcement. Using all <domain, port>/<domain, area> members restricts the movement of devices in the fabric until a zone update is made.

Session Enforced Zoning :

A session enforced zone is a zoning protection that guarantees that only members of the zone can complete PLOGI/ADISC/PDISC which prevents any unauthorized access by devices that are not a member of the zone. Enforcement to a zone with WWN members and <domain, port> will change from hardware to session enforcement. The ASIC will perform authentication using the name server to compare the SID/DID in the primitive commands with the current zone configuration. If the current zone configuration does not permit the devices to communicate, the switch issues a reject to the SID, effectively blocking communications.


Page 6-34


WWN1GREENZone

BLUEZone

Dom, Port2,9

Dom, Port2,8

REDZone

Dom, Port2,0

WWN3

PURPLEZone

WWN1

WWN2

Dom, Port2,6

WWN4

0 1 2 3 4 5 6 7

8 9 10 11 12 13 14 15

Domain 2

Zoning EnforcementNon-overlapping Zones (cont.)

CondorASIC

SessionEnforced

HardwareEnforced

HardwareEnforced

SessionEnforced

Blue Zone: This zone is Hardware enforced because all devices have been specified by WWN.Green Zone: This zone is Hardware enforced because all devices have been specified by Port. Red Zone: This zone is Session enforced because a mix of port and WWN have been specified in the zone.Purple Zone: This zone is also Session enforced because of a mix of port and WWN in the same zone.

Note: The Red and Purple Zones also illustrate that the type of device (initiator vs. target) has no bearing on the type of enforcement.


Page 6-35


WWN1GREENZone

BLUEZone

Dom, Port2,9

Dom, Port2,8

REDZone

SessionEnforced

Dom, Port2,0

WWN3

PURPLEZone

WWN1

WWN2

Dom, Port2,6

WWN4

0 1 2 3 4 5 6 7

8 9 10 11 12 13 14 15

Domain 2

Zoning EnforcementOverlapping Zones (cont.)

CondorASIC

HardwareEnforced

HardwareEnforced

SessionEnforced

This shows the results of Hardware and Session enforced overlapping zones. The Blue zone is defined with all WWNs (WWN1 and WWN2) and meets the rules for Hardware enforcement. The Purple zone is defined with a mix of port and WWNs and meets the rules for Session enforcement.The target device WWN1 is defined in both zones. When a device is defined in overlapping zones, where one is hardware enforced and the other is Session enforced, the device will become Session enforced in all zones. What is important to note is the host (WWN2) is still Hardware enforced even though the target device (WWN1) is now Session enforced. Under these conditions, zoning enforcement is determined at the device level, not the zone level.


Page 6-36


Displays zoning enforcement for each online device port on the local switch This is an unsupported, undocumented commandRSL1_ST07_B200:admin> portzoneshowPORT: 0 (0) F-Port Enforcement: HARD PORT defaultHard: 0 IFID: 0x43020000PORT: 1 (1) F-Port Enforcement: HARD PORT defaultHard: 1 IFID: 0x43020001PORT: 2 (2) Offline<truncated output>

RSL1_ST07_B200:admin> portzoneshowPORT: 0 (0) F-Port Enforcement: HARD WWN defaultHard: 0 IFID: 0x43020000PORT: 1 (1) F-Port Enforcement: HARD WWN defaultHard: 0 IFID: 0x43020001PORT: 2 (2) Offline

<truncated output>

RSL1_ST07_B200:admin> portzoneshowPORT: 0 (0) F-Port Enforcement: SESSION BASED HARD defaultHard: 0 IFID: 0x43020000PORT: 1 (1) F-Port Enforcement: SESSION BASED HARD defaultHard: 0 IFID: 0x43020001PORT: 2 (2) Offline

<truncated output>

Zoning Enforcement Commandportzoneshow

Some useful options with nszonemember:-a Displays each local device’s online zoned data, including PID and zone alias.-u Displays all unzoned devices in the entire fabric.


Page 6-37


Implementation ConsiderationsDefine all members in a zone with <domain,port> or <domain,area>– Provides hardware enforcement– Allows devices to communicate that are connected to the ports defined

within the zone– Requires a zoning change if a device is moved to a port outside the

zone– No zoning change if the device’s WWN changes

Define all members in a zone with their device WWN– Provides hardware enforcement– Allows devices to communicate that have their WWN in the same zone– Requires a zoning change if the device’s WWN changes– No zoning change if a device is moved to another port in the fabric

These implementation considerations focus on creating zones to achieve Hardware enforcement and identify when zoning changes are needed.


Page 6-38


Zoning Best PracticesMake all names meaningfulCreate aliases to easily identify devicesDefine each zone with a single HBA initiator Define zone members with either all domain, area (port number) or all WWNs for hardware enforcementConsider setting default zone to noaccess to prevent any device access when zoning is not enabledMonitor zone database sizeAnalyze zones to verify correct devices are communicating– nszonemember– fcping– Web Tools zone analysis– SAN Health

Backup with a configupload

Zoning by single Host Bus Adapter (HBA) most closely recreates the original SCSI bus. Each zone created has only one HBA (initiator) in the zone and all the targets nodes are members of that zone.Defining zone members with either all port numbers or all WWNs provides Hardware enforcement.Setting the default zone to no access when the fabric is first built allows devices to connect to the fabric, do their FLOGI and Name Server update but not access any other device connected to the fabric. This permits the physical connection to be done in one phase and the enabling of a zone configuration to allow access to be done in another phase.Monitor the zone database sizing as new switches are added to the fabric. Newer switches will tend to have a larger maximum size but the fabric may not be able to take advantage of it due to an older FOS running on an existing switch with a lower maximum.With zoning enabled, check the servers to verify they have access to the desired target devices. Also, use the nszonemember command and SAN Health as tools to discover devices that are online but not defined in a zone, etc.


Page 6-39


Adding a New Switch to a Zoned Fabric

1. Ensure new switch has no zoning– cfgshow– cfgdisable; cfgclear; cfgsave

2. Connect switch to existing fabric3. Defined and effective configurations are propagated to

new switch

A new switch is one that has not previously been connected to a fabric. Before connecting the new switch, check to see if any zoning data exists with the cfgshow command. If it exists, use the cfgdisable, cfgclear, and cfgsave commands to sanitize it.When a new switch is connected to a zoned fabric, all zone configuration data is immediately copied from the zoned fabric into the new switch. If a zone configuration is enabled in the fabric, then the same configuration becomes enabled in the new switch. After this operation, the cfgshow command displays the same output on all switches in the fabric, including the new switch.


Page 6-40


FlashMemory



RAM

Domain2

Ensure New Switch has no Zoning



no configuration defined


no configuration in effect

The cfgshow command displays the status of the defined and effective configurations on a new switch.


Page 6-41


FlashMemory

RAM

FlashMemory



RAMDomain

1Domain

2

ISL

EFECTIVECONFIGURATION


Connect New Switch to Existing Fabric





Propagate Definitions

The defined and effective configurations from the existing fabric are propagated to the new switch.


Page 6-42


Merging Two Zoned FabricsZoning Segmentation Errors

Occurs when the name and type of a zone object in one fabric is also used in the other fabric but the content or order is different.Fabric “A”: alias: Eng_Stor wwn2; wwn1Fabric “B”: alias: Eng_Stor wwn1; wwn2

Content mismatch

Occurs when the name of a zone object in one fabric is also used for a different type of zone object in the other fabric.Fabric “A”: alias: Mkt_Host 1,16Fabric “B”: zone: Mkt_Host 1,16

Type mismatch

Occurs when zoning is enabled in both fabrics and the effective configurations are different.Configuration mismatch

DescriptionSegmentation due to:

If the zoning changes are not done correctly, it is possible to have the merging of the fabrics fail due to a segmentation error.The table above shows the three possible mismatches that would cause this error.Note: View the WBT module associated with merging two zoned fabrics.


Page 6-43


Other Merge Fabric Considerations Use a Brocade router– Allows fabrics to remain autonomous– Devices can communicate between fabrics via LSAN

zonesUse Fabric Manger Fabric Merge Check– Checks each fabric for:

Duplicate Domain IdsIncompatible fabric.ops switch configuration settingsAny zoning mismatch conditions

– Check before you connect!

There are other considerations for merging two fabrics.Use a Brocade router rather than merge the fabrics. A router allows each fabric to remain autonomous but via a “backbone” fabric that contains a router, permits access between devices in the fabrics through LSAN zones.Use Fabric Manager to invoke the Fabric Merge Check. This function allows the comparing of two fabrics and their settings that could cause a fabric segmentation error. Best to check before you connect.


Page 6-44


Fabric Manager Fabric Merge Check

The Fabric Merge Check is under the Tools pull-down window.


Page 6-45


Fabric Selection

Retrieving and ComparingZoning Data

Fabric Compare Retrieving and comparing configuration Info

In preparation for the merge check, two fabrics will be selected. In the example above, fabric-sw51 and fabric-RSL1_BRCD47 have been selected for a check. Once the fabrics have been selected you can select the Check… button to extract the elements from each fabric for comparison.


Page 6-46


Merging Check Results - Successful

At the end of the process a Merge Check Results pop up window will be displayed. To validate all of the compared results you can select the up and down buttons to the right to display any identified mismatches.


Page 6-47


Other Zoning Tools

SAN Health– Creates zoning tables to quickly

compare for differences – Highlights “hanging zones”

(zones with defined devices that aren’t logged into the Name Server)

– Highlights “unzoned devices”(devices logged into the Name Server that aren’t defined in a zone)

– Quick check of zoning metrics on Summary tab to see if one is nearing the capacity of zone database

SAN Health is a very good tool for cleaning up a zoning database.


Page 6-48


SAN Health – Sample Zoning Spreadsheet


Page 6-49


Summary

Zoning logically separates the Fabric into subsetsSingle HBA zoning is a good practiceHardware enforcement denies illegal access from “bad citizen” HBAsSession enforcement restricts PLOGIsA default zone can be set to control what device access is allowed within a fabric when zoning is not enabledSanitize new switch before connecting to existing fabric


Page 6-50


Review Questions

1. Which command can delete a zone object and remove it from the member list of all other objects?

2. What happens when the effective zone configurations do not match when merging two fabrics?

3. What is the zoning enforcement for a device that is defined in one zone by its WWN and defined in another zone by its domain, area (zones are overlapped because of this device)?

4. What does the defzone command control?

5. What commands will give you a list of devices in a zone with your device?

1. zoneobjectexpunge

2. A fabric segmentation due to a configuration mismatch

3. Session

4. It controls what device access is allowed within a fabric when zoning is not enabled. (noaccess or allaccess)

5. The nszonemember, cfgshow, zoneshow, and alishowcommands


Page 6-51

51

Brocade Education Services

Brocade®

Product Training

© 2006 Brocade Communications Systems, Incorporated.CFP264 ILT 0806

CFP264Brocade 4 Gbit/sec Accelerated BCFP

End of Instructor-Led Module 6Brocade SilkWorm Zoning


Page 6-52

This page left blank for formatting

Documents

Brocade BCFP 4.0 Zoning Guide