Cisco MDS Zoning Steps


Again, this is a rather long post, but hopefully it will be useful as a reference point for you

Cisco MDS zoning

By Ravikiran Paladugu

Zones and zone sets are the basic form of data-path access control within a Fibre Channel fabric. A zone set is a collection of zones, each of which has its own members. Only members of the same zone can communicate with each other. A device can be a member of several zones, and devices that are not in any active zone fall into the default zone. The default-zone policy either permits devices in it to see each other or denies it; on MDS the policy is deny unless someone has changed it, and deny is the setting to keep. Zoning is a method of arranging Fibre Channel devices into logical groups layered over the physical configuration of the fabric.

Hard Zoning vs Soft Zoning:

Hard zoning is enforced in hardware: the switch drops frames between devices that are not zoned together, so a device outside a zone is physically blocked from reaching it. Soft zoning is enforced in software by filtering name-server responses, so a device only discovers the ports in its own zones. The security weakness of soft zoning is that it restricts discovery, not forwarding: a host in another zone that correctly guesses (or already knows) the target's Fibre Channel address can still send frames to it. Soft zoning uses World Wide Names to assign permissions.

Port Zoning:

Port zoning uses physical switch ports to define zones. A user's access to data is determined by which physical port he or she is connected to. With port zoning, the zone information must be updated every time a device is moved to a different switch port. In addition, port zoning does not allow zones to overlap. Port zoning is normally implemented as hard zoning, but it could also be implemented as soft zoning.

WWN Zoning:

WWN zoning uses the name server in the switches to allow or block access to particular World Wide Names (WWNs) in the fabric. A major advantage of WWN zoning is the ability to recable the fabric without having to redo the zone information. WWN zoning is susceptible to unauthorized access, because the zone can be bypassed if an attacker is able to spoof the World Wide Name of an authorized HBA.

World Wide Name (WWN):

A World Wide Name (WWN) is a 64-bit address used to uniquely identify each element in a Fibre Channel network; an HBA port carries a port WWN (pWWN), which is what zone members usually reference, and the adapter a node WWN (nWWN). Using WWNs as the sole basis for security is inherently weak, because the WWN of a device is a user-configurable parameter. For example, to change the WWN of an Emulex HBA, the user simply needs to run the `elxcfg` command. On MDS, zones with pWWN members are enforced in hardware just like zones with interface members, so the residual risk of pWWN zoning is spoofing rather than address guessing; pair it with port security (which binds a pWWN to the one interface it is allowed to log in on) and keep the default zone at deny.

VSAN overview:

A VSAN is a logical fabric. Each VSAN has all the required fabric services, independent of the other VSANs, configured on the same switch or set of switches. A VSAN provides:

- SAN island consolidation on a high-port-density physical switch
- Traffic isolation
- Increased security

VSANs can be numbered from 1 to 4094. VSAN 1 and VSAN 4094 are predefined and have very specific roles: VSAN 1 is the default VSAN, which holds all ports by default, and VSAN 4094 is the isolated VSAN, into which orphaned ports (ports whose VSAN was deleted) are assigned.

The following shows a basic zoning example on a Cisco MDS FC switch.

Assumptions:
==========
Zone a new host to vmax_3ab (an existing member)
VSAN: 10
Zone set name: zoneset1

Prerequisites:
=============
Connect the host to the switch. If it is not already connected, choose an available F port on the switch and bring it up. Run

    show interface brief

and select an interface that is in VSAN 1 with admin mode F, say fc1/1 for example:

    configure terminal
    interface fc1/1
    no shutdown
    exit

Check that the FLOGI was successful and take the port name (pWWN) from it:

    show flogi database

Sample output:

    switch# show flogi database
    INTERFACE  VSAN  FCID      PORT NAME                NODE NAME
    fc1/1      10    0x2800af  10:00:00:00:d9:81:4f:ba  20:00:00:00:d9:81:4f:ba

The FCID is assigned per VSAN, so if the interface is still in VSAN 1 at this point, expect the FCID to change after Step 1; the port name is what you zone on and it stays the same.

Step 1: Add the interface to the target VSAN

    vsan database
    vsan 10 interface fc1/1
    exit

Step 2: Create an fcalias for the host pWWN

    fcalias name host vsan 10
    member pwwn 10:00:00:00:d9:81:4f:ba
    exit

Step 3: Create the zone. We are zoning to an existing member, vmax_3ab, whose fcalias already exists:

    zone name zn_host_vmax_3ab vsan 10
    member fcalias host
    member fcalias vmax_3ab
    exit

Step 4: Add the zone to the zone set

    zoneset name zoneset1 vsan 10
    member zn_host_vmax_3ab
    exit

Step 5: Activate the zone set

    zoneset activate name zoneset1 vsan 10

Step 6: Commit

    zone commit vsan 10
    end

The commit is needed only when the VSAN is in enhanced zoning mode, where the activation is held in a pending session until committed; in basic zoning mode the activation in Step 5 takes effect immediately and `zone commit` is rejected. `show zone status vsan 10` tells you which mode the VSAN is in.

Step 7: Copy the running configuration to the startup configuration

    copy run start

Step 8: Verification

    show zone name zn_host_vmax_3ab vsan 10

Also confirm with `show zoneset active vsan 10` that the zone is part of the active zone set and that both members are shown as logged in; a zone that exists in the running configuration but not in the active zone set passes no traffic.

Done!
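As an added example (not part of the original post, and not Cisco's own tooling), the following Python script shows the checks a practitioner would run after the procedure above. It parses constructed text in the shape of `show flogi database` and `show zoneset active vsan 10` output and reports any logged-in pWWN that is not in an active zone (and therefore sits in the default zone), any pWWN that logged in on a different interface from the one a baseline records (the signature of an unplanned recable or of the WWN spoofing described earlier), and any zone wider than a single initiator and target. The sample outputs, the baseline, and the second and third devices are constructed for the example; the zone set text is simplified to one `pwwn` member per line, though the parser keys on the `pwwn` token and so also accepts the `* fcid 0x... [pwwn ...]` lines newer NX-OS prints.

```python
"""Offline audit of Cisco MDS zoning state from captured show-command output.

Added example, not code from the original post. All sample text and the
baseline below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"

# Constructed `show flogi database` output (not captured from a real switch).
FLOGI_SAMPLE = """\
--------------------------------------------------------------------------------
INTERFACE        VSAN    FCID           PORT NAME               NODE NAME
--------------------------------------------------------------------------------
fc1/1            10    0x2800af  10:00:00:00:d9:81:4f:ba 20:00:00:00:d9:81:4f:ba
fc1/2            10    0x2800b0  10:00:00:00:c9:12:34:56 20:00:00:00:c9:12:34:56
fc1/9            10    0x2800c1  50:00:09:72:08:2b:8d:1c 50:00:09:72:08:2b:8d:1c

Total number of flogi = 3.
"""

# Constructed `show zoneset active vsan 10` output, simplified to one member
# per line. Only the host from the post and the vmax_3ab target are zoned.
ZONESET_SAMPLE = """\
zoneset name zoneset1 vsan 10
  zone name zn_host_vmax_3ab vsan 10
    pwwn 10:00:00:00:d9:81:4f:ba
    pwwn 50:00:09:72:08:2b:8d:1c
"""

# Constructed baseline: the interface each pWWN was seen on when it was zoned.
# Maintaining such a record (or MDS port security) is what lets a moved or
# spoofed WWN be noticed at all.
BASELINE = {
    "10:00:00:00:d9:81:4f:ba": "fc1/1",
    "10:00:00:00:c9:12:34:56": "fc1/5",   # now logs in on fc1/2: investigate
    "50:00:09:72:08:2b:8d:1c": "fc1/9",
}


@dataclass(frozen=True)
class Login:
    interface: str
    vsan: int
    fcid: str
    pwwn: str
    nwwn: str


# One data row of `show flogi database`; header, rule and total lines do not match.
FLOGI_RE = re.compile(
    rf"^(?P<intf>\S+)\s+(?P<vsan>\d+)\s+(?P<fcid>0x[0-9a-f]{{6}})\s+"
    rf"(?P<pwwn>{WWN})\s+(?P<nwwn>{WWN})\s*$",
    re.MULTILINE,
)
ZONE_RE = re.compile(r"^\s*zone name (\S+) vsan (\d+)")
PWWN_RE = re.compile(rf"pwwn ({WWN})")


def parse_flogi(text: str) -> list[Login]:
    """Return one Login per device currently logged in to the fabric."""
    return [Login(m["intf"], int(m["vsan"]), m["fcid"], m["pwwn"], m["nwwn"])
            for m in FLOGI_RE.finditer(text)]


def parse_active_zoneset(text: str) -> dict[str, set[str]]:
    """Map each zone name in the active zone set to its pWWN members."""
    zones: dict[str, set[str]] = {}
    current = None
    for line in text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            current = m.group(1)
            zones[current] = set()
            continue
        m = PWWN_RE.search(line)
        if m and current is not None:
            zones[current].add(m.group(1))
    return zones


def audit(flogi: list[Login], zones: dict[str, set[str]],
          baseline: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: list[str] = []
    zoned = set().union(*zones.values())
    for login in flogi:
        if login.pwwn not in zoned:
            findings.append(f"UNZONED {login.pwwn} on {login.interface} "
                            f"(vsan {login.vsan}): sits in the default zone")
        expected = baseline.get(login.pwwn)
        if expected is None:
            findings.append(f"UNKNOWN {login.pwwn} on {login.interface}: not in baseline")
        elif expected != login.interface:
            findings.append(f"MOVED {login.pwwn}: baseline {expected}, now "
                            f"{login.interface} (recable or WWN spoof)")
    for name, members in zones.items():
        # Single-initiator, single-target zoning: more than two members is a smell.
        if len(members) > 2:
            findings.append(f"WIDE {name}: {len(members)} members, not single-initiator")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_flogi(FLOGI_SAMPLE),
                         parse_active_zoneset(ZONESET_SAMPLE), BASELINE):
        print(finding)
```

Run against the constructed samples, the script reports the device on fc1/2 twice: once because it is logged in but in no active zone, and once because the baseline last saw that pWWN on fc1/5. On a real switch you would feed it the two captured show outputs and a baseline exported when the zoning was last changed.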