Cisco MDS 9000 Family Cookbook, Release 1.x
Zoning



Zones and zone sets are the basic form of data path security within a Fibre Channel environment. A zone set is a collection of zones, each of which contains individual members. Only members of the same zone can communicate with each other. A device can be a member of multiple zones, and devices that are not in any zone are in the default zone. The default zone policy can either permit its devices to see each other or deny them from seeing each other.

This chapter focuses on the creation of zones, zone sets, and ways to manipulate them. It includes the following sections:

Zones

Zone Sets

Zones

In order for two devices to communicate, they must be in the same zone. Valid members of a zone can be:

Port WWN (pWWN)

Fibre Channel alias

FC ID

FWWN (WWN of a Fibre Channel interface)

Switch interface (Fibre Channel X/Y)

Symbolic node name

The three most common types of zone members are pWWN, FC alias, and the switch interface.


Tip We recommend that pWWN (or a Fibre Channel Alias representing a pWWN) be used for zoning as it provides the most security and ties a zone member to a specific HBA rather than to the switch port.


The name that you choose for the zone is very important. Naming formats differ between environments, but every format should provide relevant information about the zone's contents. Names like Zone1 or TapeZone do not provide sufficient information about their contents.

A zone should contain two members, and the zone name should contain identifiers related to the two devices, such as Z_testhost_fcaw0_symm13FA3aa. The name may be longer than Z_testhost_hba0, but should provide enough detailed information about the contents that consulting further documentation is not necessary.

Creating a Zone and Adding It to a Zone Set (Standalone Method)

This procedure demonstrates how to create a single zone with a Solaris host and a disk storage port in it, and then add it to the zone set ZS_Engr_primary. The procedure uses the standalone method, which does not automatically add the zone to the zone set upon creation of the zone. You can also use this procedure to determine how to add an existing zone to a zone set.

This example uses pWWNs as the zone members, which can be obtained either from the device itself or from the show flogi database vsan 804 command. (See Figure 7-1.)

Resources:

Zone set: ZS_Engr_primary

Solaris host1, hba instance fcaw0: 22:35:00:0c:85:e9:d2:c2

Symmetrix 78, FA port 03ab: 10:00:00:00:c9:32:8b:a8

Figure 7-1 Standalone Zoning Topology

To create a single zone and add it to a zone set using the standalone method, follow these steps:


Step 1 Create the zone, building a zone name that reflects the names of the members.

ca-9506# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ca-9506(config)# zone name Z_host1_fcaw0_symm78FA03ab vsan 804
ca-9506(config-zone)# member pwwn 22:35:00:0c:85:e9:d2:c2
ca-9506(config-zone)# member pwwn 10:00:00:00:c9:32:8b:a8

Step 2 Add the zone to the zone set.

ca-9506(config)# zoneset name ZS_Engr_primary vsan 804
ca-9506(config-zoneset)# member Z_host1_fcaw0_symm78FA03ab

Step 3 Display the zone set.

ca-9506# show zoneset name ZS_Engr_primary vsan 804
zoneset name ZS_Engr_primary vsan 804
  zone name Z_host1_fcaw0_symm78FA03ab vsan 804
    pwwn 22:35:00:0c:85:e9:d2:c2
    pwwn 10:00:00:00:c9:32:8b:a8

Step 4 Finally, to put the zone set into production, activate it using the zoneset activate name ZS_Engr_primary vsan 804 command. This command activates all the zones in the zone set, not just the one just added.


Creating a Zone and Adding It to a Zone Set (Inline Method)

This procedure demonstrates how to create a single zone with a Solaris host and a disk storage port in it, and add it to the zone set ZS_Engr_primary. The procedure uses the inline method, which automatically adds the zone to the zone set upon creation of the zone.

This example uses pWWNs as the zone members, which can be obtained either from the device itself or from the show flogi database vsan 804 command. (See Figure 7-2.)

Resources:

Zone set: ZS_Engr_primary

Solaris host1, hba instance fcaw0: 22:35:00:0c:85:e9:d2:c2

Symmetrix 78, FA port 03ab: 10:00:00:00:c9:32:8b:a8

Figure 7-2 Inline Zoning Topology

To create a single zone and add it to a zone set using the inline method, follow these steps:


Step 1 Enter the submode of the zone set.

ca-9506# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ca-9506(config)# zoneset name ZS_Engr_primary vsan 804

Step 2 Create the zone.

ca-9506(config-zoneset)# zone name Z_host1_fcaw0_symm78FA03ab

Step 3 Add the members.

ca-9506(config-zoneset-zone)# member pwwn 22:35:00:0c:85:e9:d2:c2
ca-9506(config-zoneset-zone)# member pwwn 10:00:00:00:c9:32:8b:a8

Step 4 Display the zone set.

ca-9506# show zoneset name ZS_Engr_primary vsan 804
zoneset name ZS_Engr_primary vsan 804
  zone name Z_host1_fcaw0_symm78FA03ab vsan 804
    pwwn 22:35:00:0c:85:e9:d2:c2
    pwwn 10:00:00:00:c9:32:8b:a8

Step 5 Finally, to put the zone set into production, activate it using the zoneset activate name ZS_Engr_primary vsan 804 command. This command activates all the zones in the zone set, not just the one just added.


Creating a Fibre Channel Alias Based Zone

Fibre Channel aliases allow the administrator to assign a plain text, human readable name to a pWWN, FC ID, interface, IP address, nWWN or symbolic node name. Fibre Channel aliases are restricted to the VSAN in which they were created. The most common and recommended Fibre Channel alias is the pWWN, which is the basis for this procedure. (See Figure 7-3.)


Tip Aliases are distributed with the full zone set database. Therefore, if zoning is going to be edited on multiple switches, full zone set distribution should be enabled.

An alias can be mapped to more than one device; however, we recommend that a one-to-one mapping be used.


Resources:

Zone set: ZS_Engr_primary

Solaris host1, hba instance fcaw0: 22:35:00:0c:85:e9:d2:c2

Symmetrix 78, FA port 03ab: 10:00:00:00:c9:32:8b:a8

Figure 7-3 Alias Zoning Topology

To create a Fibre Channel alias based zone, follow these steps:


Step 1 Create the Fibre Channel alias to pWWN mappings.

ca-9506# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ca-9506(config)# fcalias name host1_fcaw0 vsan 804
ca-9506(config-fcalias)# member pwwn 22:35:00:0c:85:e9:d2:c2
ca-9506(config-fcalias)# exit
ca-9506(config)# fcalias name symm78_fa03ab vsan 804
ca-9506(config-fcalias)# member pwwn 10:00:00:00:c9:32:8b:a8
ca-9506(config-fcalias)# end

Step 2 Display the newly created Fibre Channel aliases.

ca-9506# show fcalias vsan 804
fcalias name host1_fcaw0 vsan 804
  pwwn 22:35:00:0c:85:e9:d2:c2

fcalias name symm78_fa03ab vsan 804
  pwwn 10:00:00:00:c9:32:8b:a8

Step 3 Create the zone using the Fibre Channel aliases.

ca-9506# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ca-9506(config)# zoneset name ZS_Engr_primary vsan 804
ca-9506(config-zoneset)# zone name Z_host1_fcaw0_symm78FA03ab
ca-9506(config-zoneset-zone)# member fcalias host1_fcaw0
ca-9506(config-zoneset-zone)# member fcalias symm78_fa03ab

Step 4 Optionally, display the zone set.

ca-9506# show zoneset vsan 804
zoneset name ZS_Engr_primary vsan 804
  zone name Z_host1_fcaw0_symm78FA03ab vsan 804
    fcalias name host1_fcaw0 vsan 804
      pwwn 22:35:00:0c:85:e9:d2:c2

    fcalias name symm78_fa03ab vsan 804
      pwwn 10:00:00:00:c9:32:8b:a8

Step 5 Activate the zone set.

ca-9506# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ca-9506(config)# zoneset activate name ZS_Engr_primary vsan 804
Zoneset activation initiated. check zone status


Creating an Interface Based Zone

This procedure describes how to create a zone based upon the physical interface (fc X/Y) of the switch. (See Figure 7-4.)


Tip Use interface based zoning when you need to create a zone prior to connecting the HBA to the fabric. After connecting the HBA to the fabric, convert the zone member to a pWWN based member.


Figure 7-4 Interface Zoning Topology

To create a zone based on the physical interface of the switch, follow these steps:


Step 1 Create the zone using the interfaces.

ca-9506# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
ca-9506(config)# zoneset name ZS_Engr_primary vsan 804
ca-9506(config-zoneset)# zone name Z_host1_fcaw0_symm78FA03ab
ca-9506(config-zoneset-zone)# member interface fc1/1
ca-9506(config-zoneset-zone)# member interface fc1/2

Step 2 Optionally, display the zone set.

ca-9506# show zoneset vsan 804
zoneset name ZS_Engr_primary vsan 804
  zone name Z_host1_fcaw0_symm78FA03ab vsan 804
    interface fc1/1 swwn 20:00:00:0c:85:e9:d2:c0
    interface fc1/2 swwn 20:00:00:0c:85:e9:d2:c0


Note The sWWN is the switch's WWN, as displayed by the show wwn switch command:
ca-9506# show wwn switch
Switch WWN is 20:00:00:0c:85:e9:d2:c0


Step 3 Activate the zone set.

ca-9506# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ca-9506(config)# zoneset activate name ZS_Engr_primary vsan 804
Zoneset activation initiated. check zone status
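
The following is an added example, not part of the Cisco cookbook: a Python audit of saved show zoneset output against this chapter's recommendations. It flags zones that do not have two members, zone names that do not follow the pattern of the examples, and members that are not a single pWWN (directly or through a one-to-one Fibre Channel alias). The sample text is constructed, and the four-field name check is an assumption drawn from the example names on this page.

```python
import re
# Constructed sample in the "show zoneset vsan 804" layout shown on this page.
SAMPLE = """\
zoneset name ZS_Engr_primary vsan 804
  zone name Z_host1_fcaw0_symm78FA03ab vsan 804
    fcalias name host1_fcaw0 vsan 804
      pwwn 22:35:00:0c:85:e9:d2:c2

    pwwn 10:00:00:00:c9:32:8b:a8
  zone name TapeZone vsan 804
    interface fc1/1 swwn 20:00:00:0c:85:e9:d2:c0
"""
PWWN = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.I)

def parse_zoneset(text):
    """Return {zone: [[type, value, entries_behind_alias], ...]}."""
    zones, zone, alias_indent = {}, None, None
    for raw in text.splitlines():
        words, indent = raw.split(), len(raw) - len(raw.lstrip())
        if words[:2] == ["zone", "name"]:
            zone, alias_indent = zones.setdefault(words[2], []), None
        elif len(words) < 2 or zone is None or words[0] == "zoneset":
            continue
        elif alias_indent is not None and indent > alias_indent:
            zone[-1][2].append((words[0], words[1]))  # entry behind the alias
        else:
            is_alias = words[0] == "fcalias"
            alias_indent = indent if is_alias else None
            zone.append([words[0], words[2] if is_alias else words[1], []])
    return zones

def audit(zones):
    """Check each zone against the page's recommendations; return findings."""
    findings = []
    for name, members in zones.items():
        if len(members) != 2:
            findings.append((name, f"member count {len(members)}, expected 2"))
        if not name.startswith("Z_") or len(name.split("_")) < 4:  # assumed format
            findings.append((name, "name does not identify both devices"))
        for kind, value, resolved in members:
            # An alias passes only if it maps one-to-one onto a pWWN.
            target = resolved if kind == "fcalias" else [(kind, value)]
            if [t == "pwwn" and bool(PWWN.match(v)) for t, v in target] != [True]:
                findings.append((name, f"{kind} {value} is not a single pWWN"))
    return findings

if __name__ == "__main__":
    for zone, problem in audit(parse_zoneset(SAMPLE)):
        print(f"{zone}: {problem}")
```
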


Zone Sets

Zone sets are containers of zones. There are two zone set types on the Cisco MDS 9000 platform:

Active Zone set—The active zone set provides the rules by which the Cisco MDS 9000 platform enforces its zoning security policy. The active zone set cannot be modified and is distributed to all switches in the VSAN. When two switches are connected by an ISL, specific rules set by the Fibre Channel standards govern how their active zone sets are merged.

Local Zone set—The local zone sets are contained in the full zone set database on the switch. The zone sets can be edited directly and then activated to become the active zone set. They can optionally be distributed to other switches, either manually or when a zone set is activated.

Zone Set Distribution

There are two distribution methods for zone sets: automatic and manual.

Automatic Zone Set Distribution

To enable the switch to distribute the local zone set to all other switches in the VSAN when a zone set is activated, use the zoneset distribute full vsan 804 command:

ca-9506# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ca-9506(config)# zoneset distribute full vsan 804

Tip You can enable the automatic distribution feature on all switches in the fabric by specifying it in the initial setup script.


Manual Zone Set Distribution

To distribute the full zone set database to other switches without activating a zone set, use the zoneset distribute vsan 804 command. This method can be effective when a new switch is brought into the fabric and the zone set with its zones and Fibre Channel aliases needs to be distributed. This command will overwrite the existing zone set database on the target switch.

ca-9506# zoneset distribute vsan 804
Zoneset distribution initiated. check zone status