Cisco MDS 9000 Family Configuration Guide, Release 1.3 (from Release 1.3(1) through Release 1.3(6))
Configuring and Managing Zones
Download this chapter
Configuring and Managing ZonesConfiguring and Managing Zones
Download the complete book
Full Book PDFFull Book PDF (PDF - 9 MB)
 Feedback

Table Of Contents

Configuring and Managing Zones

Zoning Features

Zoning Example

Zone Implementation

Zone Configuration

Configuring a Zone

Alias Configuration

Configuring an Alias

Zone Set Creation

Creating a Zone Set

Active and Full Zone Set Considerations

Activating a Zone Set

Zone Enforcement

The Default Zone

Configuring the Default Zone Policy

Zone Set Distribution

Config Mode Distribution

Distributing Zone Sets

EXEC Mode Distribution

Recovering from Link Isolation

Importing Zone Sets

Zone Set Duplication

Copying Zone Sets

Zone Database Information

Clearing the Zone Server Database

About LUN Zoning

Configuring a LUN-Based Zone

Assigning LUNs to Storage Subsystems

About Read-Only Zones

Guidelines to Configure Read-Only Zones

Configuring Read-Only Zones

Displaying Zone Information

Default Settings


Configuring and Managing Zones

Zoning enables you to set up access control between storage devices or user groups. If you have administrator privileges in your fabric, you can create zones to increase network security and to prevent data loss or corruption. Zoning is enforced by examining the source-destination ID field. This chapter defines various zoning concepts and provides details on zone set and management features in the switch and includes the following sections:

Zoning Features

Zoning Example

Zone Implementation

Zone Configuration

Alias Configuration

Zone Enforcement

Zone Set Creation

The Default Zone

Recovering from Link Isolation

Zone Set Distribution

Zone Set Duplication

Zone Database Information

About LUN Zoning

About Read-Only Zones

Displaying Zone Information

Default Settings

Note Table 9-1 lists the differences between zones and VSANs.

Zoning Features

Zoning has the following features:

A zone consists of multiple zone members.

Members in a zone can access each other; members in different zones cannot access each other.

If zoning is not activated, all devices are members of the default zone.

If zoning is activated, any device that is not in an active zone (a zone that is part of an active zone set) is a member of the default zone.

Zones can vary in size.

Devices can belong to more than one zone.

A zone set consists of one or more zones.

A zone set can be activated or deactivated as a single entity across all switches in the fabric.

Only one zone set can be activated at any time.

A zone can be a member of more than one zone set.

Zoning can be administered from any switch in the fabric.

When you activate a zone (from any switch), all switches in the fabric receive the active zone set. Additionally, full zone sets are distributed to all switches in the fabric, if this feature is enabled in the source switch.

If a new switch is added to an existing fabric, zone sets are acquired by the new switch.

Zone changes can be configured nondisruptively. New zones and zone sets can be activated without interrupting traffic on unaffected ports or devices.

Zone membership criteria is based on WWNs or FC IDs.

Port world wide name (pWWN)—Specifies the pWWN of an N port attached to the switch as a member of the zone.

Fabric pWWN—Specifies the WWN of the fabric port (switch port's WWN). This membership is also referred to as port-based zoning.

FC ID—Specifies the FC ID of an N port attached to the switch as a member of the zone.

Interface and switch WWN (sWWN)—Specifies the interface of a switch identified by the sWWN. This membership is also referred to as interface-based zoning.

Interface and domain ID—Specifies the interface of a switch identified by the domain ID.

Domain ID and port number—Specifies the domain ID of an MDS domain and additionally specifies a port belonging to a non-Cisco switch.

IP address—Specifies the IP address (and optionally the subnet mask) of an attached device.

Default zone membership includes all ports or WWNs that do not have a specific membership association. Access between default zone members is controlled by the default zone policy.

Zoning Example

Figure 13-1 illustrates a zone set with two zones, zone 1 and zone 2, in a fabric. Zone 1 provides access from all three hosts (H1, H2, H3) to the data residing on storage systems S1 and S2. Zone 2 restricts the data on S3 to access only by H3. Note that H3 resides in both zones.

Figure 13-1 Fabric with Two Zones

Of course, there are other ways to partition this fabric into zones. Figure 13-2 illustrates another possibility. Assume that there is a need to isolate storage system S2 for the purpose of testing new software. To achieve this, zone 3 is configured, which contains only host H2 and storage S2. You can restrict access to just H2 and S2 in zone 3, and to H1 and S1 in zone 1.

Figure 13-2 Fabric with Three Zones

Zone Implementation

All switches in the Cisco MDS 9000 Family automatically support the following basic zone features (no additional configuration is required):

Zones are contained in a VSAN.

Hard zoning cannot be disabled.

Name server queries are soft-zoned.

Only active zone sets are distributed.

Unzoned devices cannot access each other.

A zone or zone set with the same name can exist in each VSAN.

Each VSAN has a full database and an active database.

Active zone sets cannot be changed, without activating a full zone database.

Active zone sets are preserved across switch reboots.

Changes to the full database must be explicitly saved.

Zone reactivation (a zone set is active and you activate another zone set) does not disrupt existing traffic.

If required, you can additionally configure the following zone features:

Propagate full zone sets to all switches on a per VSAN basis.

Change the default policy for unzoned members.

Interoperate with other vendors by configuring a VSAN in the interop mode. You can also configure one VSAN in the interop mode and another VSAN in the basic mode in the same switch without disrupting each other

Bring E ports out of isolation.

Zone Configuration

A zone can be configured using one of the following types to assign members:

pWWN—The WWN of the N or NL port in hex format (for example, 10:00:00:23:45:67:89:ab).

Fabric port WWN—The WWN of the fabric port name in hex format (for example, 10:00:00:23:45:67:89:ab).

FC ID—The N port ID in 0xhhhhhh format (for example, 0xce00d1).

FC alias—The alias name is in alphabetic characters (for example, Payroll) and denotes a port ID or WWN. The alias can also include multiple members.

Domain ID—The domain ID is an integer from 1 to 239. A mandatory port number of a non-Cisco switch is required to complete this membership configuration.

IP address—The IP address of an attached device in 32 bytes in dotted decimal format along with an optional subnet mask. If a mask is specified, any device within the subnet becomes a member of the specified zone.

Interface—Interface-based zoning is similar to port-based zoning because the switch interface is used to configure the zone. You can specify a switch interface as a zone member for both local and remote switches. To specify a remote switch, enter the remote switch WWN (sWWN) or the domain ID in the particular VSAN.

Configuring a Zone

To configure a zone and assign a zone name, follow these steps:

 
Command
Purpose

Step 1  

switch# config t

Enters configuration mode.

Step 2  

switch(config)# zone name Zone1 vsan 3

switch(config-zone)#

Configures a zone called Zone 1 for the VSAN called vsan3.

Step 3  

switch(config-zone)# member <type> <value>

pWWN example:

sswitch(config-zone)# member pwwn 10:00:00:23:45:67:89:ab

Fabric pWWN example:

switch(config-zone)# member fwwn 10:01:10:01:10:ab:cd:ef 

FC ID example:

switch(config-zone)# member fcid 0xce00d1 

FC alias example:

switch(config-zone)# member fcalias Payroll

Domain ID example:

switch(config-zone)# member domain-id 2 portnumber 23

FC alias example:

switch(config-zone)# member ipaddress 10.15.0.0 255.255.0.0

Local sWWN interface example:

switch(config-zone)# member interface fc 2/1

Remote sWWN interface example:

switch(config-zone)# member interface fc2/1 swwn 
20:00:00:05:30:00:4a:de 

Domain ID interface example:

switch(config-zone)# member interface fc2/1 domain-id 25

Configures a member for the specified zone (Zone1) based on the type (pWWN, fabric pWWN, FC ID, FC alias, domain ID, IP address, or interface) and value specified.

Tip Use a relevant display command (for example, show interface or show flogi database) to obtain the required value in hex format.

Note Interface-based zoning only works with Cisco MDS 9000 Family switches. Interface-based zoning does not work if interop mode is configured in that VSAN.

Tip Use the show wwn switch command to retrieve the sWWN. If you do not provide a sWWN, the software automatically uses the local sWWN.

Alias Configuration

You can assign an alias name and configure an alias member using either the FC ID, fabric port WWN (fWWN), or pWWN values.

Tip As of Cisco MDS SAN-OS Release 1.3(4), the Cisco SAN-OS software supports a maximum of 2048 aliases per VSAN.

Configuring an Alias

To create an alias using the fcalias command, follow these steps:

 
Command
Purpose

Step 1  

switch# config t

Enters configuration mode.

Step 2  

switch(config)# fcalias name AliasSample vsan 3

switch-config-fcalias#

Configures an alias name (AliasSample).

Step 3  

switch-config-fcalias# member fcid 0x222222

Configures alias members based on the specified FC ID type and value (0x222222). 

switch-config-fcalias# member pwwn 
10:00:00:23:45:67:89:ab

Configures alias members based on the specified port WWN type and value (pWWN 10:00:00:23:45:67:89:ab). 

switch-config-fcalias# member fwwn 
10:01:10:01:10:ab:cd:ef

Configures alias members based on the specified fWWN type and value (fWWN 10:01:10:01:10:ab:cd:ef).

Note Multiple members can be specified on multiple lines.

Zone Set Creation

In Figure 13-3, two separate sets are created, each with its own membership hierarchy and zone members.

Figure 13-3 Hierarchy of Zone Sets, Zones, and Zone Members

Zones provide a mechanism for specifying access control, while zone sets are a grouping of zones to enforce access control in the fabric. Either zone set A or zone set B can be activated (but not together).

Creating a Zone Set

Tip Zone sets are configured with the names of the member zones. If the zone set is in a configured VSAN, you must also specify the VSAN.

To create a zone set to include several zones, follow these steps:

 
Command
Purpose

Step 1  

switch# config t

Enters configuration mode.

Step 2  

switch(config)# zoneset name Zoneset1 vsan 3

switch-config-zoneset#

Configures a zone set called Zoneset1.

Tip To activate a zone set, you must first create the zone and a zone set.

Step 3  

switch-config-zoneset# member Zone1

Adds Zone1 as a member of the specified zone set (Zoneset1).

Tip If the specified zone name was not previously configured, this command will return the Zone not present error message.

Step 4  

switch-config-zoneset# zone name InlineZone1 

switch-config-zoneset-zone#

Adds a zone (InlineZone1) to the specified zone set (Zoneset1).

Tip Execute this step only if you need to create a zone from a zone set prompt.

Step 5  

switch-config-zoneset-zone# member fcid 
0x111112

switch-config-zoneset-zone#

Adds a new member (FC ID 0x111112) to the newly created zone (InlineZone1).

Tip Execute this step only if you need to add a member to a zone from a zone set prompt.

Active and Full Zone Set Considerations

Before configuring a zone set, consider the following guidelines:

Each VSAN can have multiple zone sets but only one zone set can be active at any given time.

When you create a zone set, that zone set becomes a part of the full zone set.

When you activate a zone set, a copy of the zone set from the full zone set is used to enforce zoning, and is called the active zone set.An active zone set cannot be modified. A zone that is part of an active zone set is called an active zone.

The administrator can modify the full zone set even if a zone set with the same name is active. However, the modification will be enforced only upon reactivation.

When the activation is done, the active zone set is automatically stored in persistent configuration. This enables the switch to preserve the active zone set information across switch resets.

All other switches in the fabric receive the active zone set so they can enforce zoning in their respective switches.

Hard and soft zoning are implemented using the active zone set. Modifications take effect during zone set activation.

An FC ID or Nx port that is not part of the active zone set belongs to the default zone and the default zone information is not distributed to other switches.

Note If one zone set is active and you activate another zone set, the currently active zone set is automatically deactivated. You do not need to explicitly deactivate the currently active zone set before activating a new zone set.

Figure 13-4 shows a zone being added to an activated zone set.

Figure 13-4 Active and Full Zone Sets

Activating a Zone Set

You can activate a zone set using the zoneset activate name command. The changes to a full zone set do not take effect until the zone set is activated with the zoneset activate name command.

Tip You do not have to issue the copy running-config startup-config command to store the active zone set. However, you need to issue the copy running-config startup-config command to explicitly store full zone sets. It is not available across switch resets.

To activate a zone set, follow these steps:

 
Command
Purpose

Step 1  

switch# config t

switch(config)#

Enters configuration mode.

Step 2  

switch(config)# zoneset activate name Zoneset1 vsan 3

Activates the specified zone set. 

switch(config)# no zoneset activate name Zoneset1 vsan 3

Deactivates the specified zone set

Zone Enforcement

Zoning can be enforced in two ways: soft and hard. Each end device (N port or NL port) discovers other devices in the fabric by querying the name server. When a device logs in to the name server, the name server returns the list of other devices that can be accessed by the querying device. If an Nx port does not know about the FC IDs of other devices outside its zone, it cannot access those devices.

In soft zoning, zoning restrictions are applied only during interaction between the name server and the end device. If an end device somehow knows the FC ID of a device outside its zone, it can access that device.

Hard zoning is enforced by the hardware on each frame sent by an Nx port. As frames enter the switch, source-destination IDs are compared with permitted combinations to allow the frame at wirespeed. Hard zoning is applied to all forms of zoning.

Note Hard zoning enforces zoning restrictions on every frame, and prevents unauthorized access.

Switches in the Cisco MDS 9000 Family support both hard and soft zoning.

The Default Zone

Each member of a fabric (in effect a device attached to an Nx port) can belong to any zone. If a member is not part of any active zone, it is considered to be part of the default zone. Therefore, if no zone set is active in the fabric, all devices are considered to be in the default zone. Even though a member can belong to multiple zones, a member that is part of the default zone cannot be part of any other zone. The switch determines whether a port is a member of the default zone when the attached port comes up.

Note Unlike configured zones, default zone information is not distributed to the other switches in the fabric.

Traffic can either be permitted or denied among members of the default zone. This information is not distributed to all switches; it must be configured in each switch.

Note When the switch is initialized for the first time, no zones are configured and all members are considered to be part of the default zone. Members are not permitted to talk to each other.

Configure the default zone policy on each switch in the fabric. If you change the default zone policy on one switch in a fabric, be sure to change it on all the other switches in the fabric.

Note The default settings for default zone configurations can be changed.

Configuring the Default Zone Policy

The default zone members are explicitly listed when the default policy is configured as permit or when a zone set is active. When the default policy is configured as deny, the members of this zone are not explicitly enumerated when you issue the show zoneset active command.

To permit or deny traffic in the default zone, follow these steps:

 
Command
Purpose

Step 1  

switch# config t

Enters configuration mode.

Step 2  

switch(config)# zone default-zone permit vsan 1

Permits traffic flow to default zone members. 

switch(config)# no zone default-zone permit vsan 1

Denies traffic flow to default zone members and reverts to factory default.

Zone Set Distribution

You can distribute full zone sets using one of two methods: at the EXEC mode level or at the configuration mode level. Both methods are explained in this section and the differences are illustrated in Table 13-1.

Table 13-1 Command Differences 

The zoneset distribute vsan Command
The zoneset distribute full vsan Command

EXEC mode

Configuration mode

Distributes the full zone set immediately.

Does not distribute the full zone set immediately.

Does not propagate the full zone set information along with the active zone set during activation, deactivation, or merge process.

Remembers to propagate the full zone set information along with the active zone set during activation, deactivation, and merge processes.


Config Mode Distribution

All switches in the Cisco MDS 9000 Family distribute active zone sets when new E port links come up or when a new zone set is activated in a VSAN. The zone set distribution takes effect while sending merge requests to the adjacent switch or while activating a zone set.

Distributing Zone Sets

The zoneset distribute full vsan command distributes the full zone set along with the active zone set.

To propagate full zone sets to all switches on a per VSAN basis, follow these steps:

 
Command
Purpose

Step 1  

switch# config t

Enters configuration mode.

Step 2  

switch(config)# zoneset distribute full vsan 33

Enables sending a full zone set along with an active zone set.

EXEC Mode Distribution

As of Cisco MDS SAN-OS Release1.3(4), you can configure the Cisco MDS switch to perform a one-time distribution of inactive, unmodified zone sets throughout the fabric. Use the zoneset distribute vsan vsan-id command in EXEC mode to perform this distribution. 

switch# zoneset distribute vsan 2

Zoneset distribution initiated. check zone status

This command only distributes the full zone set information—it does not save the information to the startup config. You must explicitly issue the copy running start command to save the full zone set information to the startup configuration.

Note The zoneset distribute vsan vsan-id command is supported in interop 2 and interop 3 modes—not in interop 1 mode.

Use the show zone status vsan vsan-id command to check the status of the zoneset distribute vsan vsan-id command. 

switch# show zone status vsan 2

VSAN: 3 default-zone: permit distribute: active only Interop: 100

Full Zoning Database :

    Zonesets:0  Zones:0 Aliases: 0

Active Zoning Database :

    Name: nozoneset  Zonesets:1  Zones:2

Status: Zoneset distribution completed at 04:01:06 Aug 28 1980

Recovering from Link Isolation

When two switches in a fabric are merged using a TE or E port, these TE and E ports may become isolated when the active zone set databases are different between the two switches or fabrics. When a TE port or an E port become isolated, you can recover that port from its isolated state using one of three options:

Import the neighboring switch's active zone set database and replace the current active zone set (see Figure 13-5).

Export the current database to the neighboring switch (see Figure 13-5).

Manually resolve the conflict by editing the full zone set, activating the corrected zone set, and then bringing up the link.

Figure 13-5 Importing and Exporting the Database

Importing Zone Sets

Note Issue the import and export commands from a single switch. Importing from one switch and exporting from another switch can lead to isolation again.

Tip You can also issue the zoneset import and the zoneset export commands for a range of VSANs.

To import the zone set from an adjacent switch, follow these steps:

 
Command
Purpose

Step 1  

switch# zoneset import interface fc1/3 vsan 2

Imports the zone set from the adjacent switch connected through the VSAN 2 interface. 

switch# zoneset export vsan 5

Exports the zone set to the adjacent switch connected through VSAN 5.

Zone Set Duplication

You can make a copy and then edit it without altering the existing active zone set. You can copy an active zone set from the bootflash: directory, volatile: directory, or slot0, to one of the following areas:

To the full zone set

To a remote location (using FTP, SCP, SFTP, or TFTP).

The active zone set is not part of the full zone set. You cannot make changes to an existing zone set and activate it, if the full zone set is lost or is not propagated.

Caution Copying an active zone set to a full zone set may overwrite a zone with the same name, if it already exists in the full zone set database.

Copying Zone Sets

You can copy an active zone set using the zone copy active-zoneset command. This command does not distribute zone sets. Because you cannot edit an active zone set, this command is helpful in copying an active zone set.

To copy zone sets, follow this step:

 
Command
Purpose

Step 1  

switch# zone copy active-zoneset full-zoneset 
vsan 2

Please enter yes to proceed.(y/n) [n]? y

Makes a copy of the active zone set in VSAN 2 to the full zone set. 

switch# zone copy vsan 3 active-zoneset 
scp://guest@myserver/tmp/active_zoneset.txt

Copies the active zone in VSAN 3 to a remote location using SCP.

Zone Database Information

If required, you can clear configured information stored in the zone server database.

Note Clearing a zone set only erases the full zone database, not the active zone database.

Clearing the Zone Server Database

To clear the zone server database, use the clear zone database command. 

switch# clear zone database vsan 2

This command clears all configured information in the zone server for the specified VSAN.

Note After issuing a clear zone database command, you need to explicitly issue the copy running-config startup-config to ensure that the running configuration is used when you next start the switch.

About LUN Zoning

Logical unit number (LUN) zoning is a feature specific to switches in the Cisco MDS 9000 Family.

Caution LUN zoning can only be implemented in Cisco MDS 9000 Family switches. If LUN zoning is implemented in a switch, you cannot configure the interop mode in that switch.

Note LUN zoning can be implemented in Cisco MDS 9000 Family switches running Cisco MDS SAN-OS Release 1.2 or earlier.

A storage device can have multiple LUNs behind it. If the device port is part of a zone, a member of the zone can access any LUN in the device. With LUN zoning, you can restrict access to specific LUNs associated with a device.

Note When LUN 0 is not included within a zone, then, as per standards requirements, control traffic to LUN 0 (for example, REPORT_LUNS, INQUIRY) is supported, but data traffic to LUN 0 (for example, READ, WRITE) is denied.

Host H1 can access LUN 2 in S1 and LUN 0 in S2. It cannot access any other LUNs in S1 or S2.

Host H2 can access LUNs 1 and 3 in S1 and only LUN 1 in S2. It cannot access any other LUNs in S1 or S2.

Note Unzoned LUNs automatically become members of the default zone.

Figure 13-6 shows a LUN-based zone example.

Figure 13-6 LUN Zoning Access

Configuring a LUN-Based Zone

To configure a LUN-based zone, follow these steps:

 
Command
Purpose

Step 1  

switch# config t

switch(config)#

Enters configuration mode.

Step 2  

switch(config)# zone name LunSample vsan 2

switch(config-zone)#

Configures a zone called LunSample for the specified VSAN (vsan 2).

Step 3  

switch(config-zone)# member pwwn 
10:00:00:23:45:67:89:ab lun 64

Configures a zone member based on the specified pWWN and LUN value.

Note LUN x64 in hex format corresponds to 100 in decimal format. 

switch(config-zone)# member fcid 0x12465 
lun 64

Configures a zone member based on the FC ID and LUN value.

Assigning LUNs to Storage Subsystems

LUN masking and mapping restricts server access to specific LUNs. If LUN masking is enabled on a storage subsystem and if you want to perform additional LUN zoning in a Cisco MDS 9000 Family switch, obtain the LUN number for each Host Bus Adapter (HBA) from the storage subsystem and then configure the LUN-based zone procedure provided earlier.

Note Refer to the relevant user manuals to obtain the LUN number for each HBA.

Caution If you make any errors when configuring this scenario, you are prone to loose data.

About Read-Only Zones

Note Read-only zoning can be implemented in Cisco MDS 9000 Family switches running Cisco MDS SAN-OS Release 1.2 or later.

By default, an initiator has both read and write access to the target's media when they are members of the same Fibre Channel zone. The read-only zone feature allows members to have only read access to the media within a read-only Fibre Channel zone.

You can also configure LUN zones as read-only zones.

Guidelines to Configure Read-Only Zones

Any zone can be identified as a read-only zone. By default all zones have read-write permission unless explicitly configured as a read-only zone.

Follow these guidelines when configuring read-only zones:

If read-only zones are implemented, the switch prevents write access to user data within the zone.

If two members belong to a read-only zone and to a read-write zone, read-only zone has priority and write access is denied.

LUN zoning can only be implemented in Cisco MDS 9000 Family switches. If LUN zoning is implemented in a switch, you cannot configure interop mode in that switch.

Read-only volumes are not supported by some operating system and file system combinations (for example, Windows NT or Windows 2000 and NTFS file system). Volumes within read-only zones are not available to such hosts. However, if these hosts are already booted when the read-only zones are activated, then read-only volumes are available to those hosts.

The read-only zone feature behaves as designed if FAT16 or FAT32 file system is used with the above-mentioned Windows operating systems.

Configuring Read-Only Zones

To configure read-only zones, follow these steps:

 
Command
Purpose

Step 1  

switch# config t 

switch(config)#

Enters configuration mode.

Step 2  

switch(config)# zone name Sample2 vsan 2

switch(config-zone)#

Configures a zone called Sample2 for the specified VSAN (vsan 2).

Step 3  

switch123(config-zone)# attribute 
read-only

Sets read-only attributes for the Sample2 zone.

Note The default is read-write for all zones. 

switch123(config-zone)# no attribute 
read-only

Reverts the Sample2 zone attributes to read-write.

To configure the read-only option for a default zone, follow these steps:

 
Command
Purpose

Step 1  

switch# config t 

switch(config)#

Enters configuration mode.

Step 2  

switch(config)# zone default-zone vsan 1

switch(config-default-zone)#

Enters the default-zone submode.

Step 3  

switch123(config-zone)# attribute 
read-only

Sets read-only attributes for the default zone. 

switch123(config-zone)# no attribute 
read-only

Reverts the default zone attributes to read-write (default).

Displaying Zone Information

You can view any zone information by using the show command. If you request information for a specific object (for example, a specific zone, zone set, VSAN, alias, or even a keyword like brief or active), only information for the specified object is displayed. If you do not request specific information, all available information is displayed. See Examples 13-1 to 13-14.

Example 13-1 Displays Zone Information for All VSANs 

switch# show zone  
zone name Zone3 vsan 1

qwwn 21:00:00:20:37:6f:db:dd

  pwwn 21:00:00:20:37:9c:48:e5


zone name Zone2 vsan 2

  fwwn 20:41:00:05:30:00:2a:1e

  fwwn 20:42:00:05:30:00:2a:1e

  fwwn 20:43:00:05:30:00:2a:1e


zone name Zone1 vsan 1

  pwwn 21:00:00:20:37:6f:db:dd

  pwwn 21:00:00:20:37:a6:be:2f

  pwwn 21:00:00:20:37:9c:48:e5

  fcalias Alias1 


zone name Techdocs vsan 3

  ip-address 10.15.0.0 255.255.255.0


zone name Zone21 vsan 5

  pwwn 21:00:00:20:37:a6:be:35

  pwwn 21:00:00:20:37:a6:be:39

  fcid 0xe000ef

  fcid 0xe000e0

  symbolic-nodename iqn.test

  fwwn 20:1f:00:05:30:00:e5:c6

  fwwn 12:12:11:12:11:12:12:10

  interface fc1/5 swwn 20:00:00:05:30:00:2a:1e

  ip-address 12.2.4.5 255.255.255.0

  fcalias name Alias1 vsan 1

    pwwn 21:00:00:20:37:a6:be:35


zone name Zone2 vsan 11

  interface fc1/5 pwwn 20:4f:00:05:30:00:2a:1e


zone name Zone22 vsan 6

  fcalias name Alias1 vsan 1

    pwwn 21:00:00:20:37:a6:be:35


zone name Zone23 vsan 61

  pwwn 21:00:00:04:cf:fb:3e:7b lun 0000

Example 13-2 Displays Zone Information for a Specific VSAN 

switch# show zone vsan 1 
zone name Zone3 vsan 1

  pwwn 21:00:00:20:37:6f:db:dd

  pwwn 21:00:00:20:37:9c:48:e5


zone name Zone2 vsan 1

	fwwn 20:4f:00:05:30:00:2a:1e

	fwwn 20:50:00:05:30:00:2a:1e

	fwwn 20:51:00:05:30:00:2a:1e

	fwwn 20:52:00:05:30:00:2a:1e

	fwwn 20:53:00:05:30:00:2a:1e


zone name Zone1 vsan 1

  pwwn 21:00:00:20:37:6f:db:dd

  pwwn 21:00:00:20:37:a6:be:2f

  pwwn 21:00:00:20:37:9c:48:e5

  fcalias Alias1

Use the show zoneset command to view the configured zone sets.

Example 13-3 Displays Configured Zone Set Information 

switch# show zoneset vsan 1 
zoneset name ZoneSet2 vsan 1

  zone name Zone2 vsan 1

	fwwn 20:4e:00:05:30:00:2a:1e

    fwwn 20:4f:00:05:30:00:2a:1e

    fwwn 20:50:00:05:30:00:2a:1e

    fwwn 20:51:00:05:30:00:2a:1e

    fwwn 20:52:00:05:30:00:2a:1e


  zone name Zone1 vsan 1

    pwwn 21:00:00:20:37:6f:db:dd

    pwwn 21:00:00:20:37:a6:be:2f

    pwwn 21:00:00:20:37:9c:48:e5

    fcalias Alias1


zoneset name ZoneSet1 vsan 1

  zone name Zone1 vsan 1

    pwwn 21:00:00:20:37:6f:db:dd

    pwwn 21:00:00:20:37:a6:be:2f

    pwwn 21:00:00:20:37:9c:48:e5

    fcalias Alias1

Example 13-4 Displays Configured Zone Set Information for a Range of VSANs 

switch# show zoneset vsan 2-3 
zoneset name ZoneSet2 vsan 2

  zone name Zone2 vsan 2

    	fwwn 20:52:00:05:30:00:2a:1e

    fwwn 20:53:00:05:30:00:2a:1e

    fwwn 20:54:00:05:30:00:2a:1e

    fwwn 20:55:00:05:30:00:2a:1e

    fwwn 20:56:00:05:30:00:2a:1e


  zone name Zone1 vsan 2

    pwwn 21:00:00:20:37:6f:db:dd

    pwwn 21:00:00:20:37:a6:be:2f

    pwwn 21:00:00:20:37:9c:48:e5

    fcalias Alias1


zoneset name ZoneSet3 vsan 3

  zone name Zone1 vsan 1

    pwwn 21:00:00:20:37:6f:db:dd

    pwwn 21:00:00:20:37:a6:be:2f

    pwwn 21:00:00:20:37:9c:48:e5

    fcalias Alias1

Use the show zone name command to display members of a specific zone.

Example 13-5 Displays Members of a Zone 

switch# show zone name Zone1 

zone name Zone1 vsan 1

  pwwn 21:00:00:20:37:6f:db:dd

  pwwn 21:00:00:20:37:a6:be:2f

  pwwn 21:00:00:20:37:9c:48:e5

  fcalias Alias1

Use the show fcalias command to display fcalias configuration.

Example 13-6 Displays fcalias Configuration 

switch# show fcalias vsan 1 
fcalias name Alias2 vsan 1


fcalias name Alias1 vsan 1

  pwwn 21:00:00:20:37:6f:db:dd

  pwwn 21:00:00:20:37:9c:48:e5

Use the show zone member command to display all zones to which a member belongs using the FC ID.

Example 13-7 Displays Membership Status 

switch# show zone member pwwn 21:00:00:20:37:9c:48:e5

           VSAN: 1

zone Zone3

zone Zone1

fcalias Alias1

Use the show zone statistics command to display the number of control frames exchanged with other switches.

Example 13-8 Displays Zone Statistics 

switch# show zone statistics  
Statistics For VSAN: 1

**********************************

Number of Merge Requests Sent: 24

Number of Merge Requests Recvd: 25

Number of Merge Accepts Sent: 25

Number of Merge Accepts Recvd: 25

Number of Merge Rejects Sent: 0

Number of Merge Rejects Recvd: 0

Number of Change Requests Sent: 0

Number of Change Requests Recvd: 0

Number of Change Rejects Sent: 0

Number of Change Rejects Recvd: 0

Number of GS Requests Recvd: 0

Number of GS Requests Rejected: 0

Statistics For VSAN: 2

**********************************

Number of Merge Requests Sent: 4

Number of Merge Requests Recvd: 4

Number of Merge Accepts Sent: 4

Number of Merge Accepts Recvd: 4

Number of Merge Rejects Sent: 0

Number of Merge Rejects Recvd: 0

Number of Change Requests Sent: 0

Number of Change Requests Recvd: 0

Number of Change Rejects Sent: 0

Number of Change Rejects Recvd: 0

Number of GS Requests Recvd: 0

Number of GS Requests Rejected: 0

Example 13-9 Displays LUN Zone Statistics 

switch# show zone statistics lun-zoning

LUN zoning statistics for VSAN: 1

************************************************************

S-ID: 0x123456, D-ID: 0x22222, LUN: 00:00:00:00:00:00:00:00

------------------------------------------------------------

Number of Inquiry commands received:												10

Number of Inquiry data No LU sent:												 5

Number of Report LUNs commands received:												10

Number of Request Sense commands received:												 1

Number of Other commands received:												 0

Number of Illegal Request Check Condition sent:												 0


S-ID: 0x123456, D-ID: 0x22222, LUN: 00:00:00:00:00:00:00:01

------------------------------------------------------------

Number of Inquiry commands received:												 1

Number of Inquiry data No LU sent:												 1

Number of Request Sense commands received:												 1

Number of Other commands received:												 0

Number of Illegal Request Check Condition sent:  0

Example 13-10 Displays LUN Zone Statistics 

switch# show zone statistics read-only-zoning

Read-only zoning statistics for VSAN: 2

************************************************************

S-ID: 0x33333, D-ID: 0x11111, LUN: 00:00:00:00:00:00:00:64

------------------------------------------------------------

Number of Data Protect Check Condition Sent:												 12

Example 13-11 Displays Active Zone Sets 

switch# show zoneset active 

zoneset name ZoneSet1 vsan 1

  zone name zone1 vsan 1

    fcid 0x080808

    fcid 0x090909

    fcid 0x0a0a0a

  zone name zone2 vsan 1

  * fcid 0xef0000 [pwwn 21:00:00:20:37:6f:db:dd]

  * fcid 0xef0100 [pwwn 21:00:00:20:37:a6:be:2f]

Example 13-12 Displays Brief Descriptions of Zone Sets 

switch# show zoneset brief

zoneset name ZoneSet1 vsan 1

  zone zone1

  zone zone2

Example 13-13 Displays Active Zones 

switch# show zone active 

zone name zone1 vsan 1

  fcid 0x080808

  fcid 0x090909

  fcid 0x0a0a0a


zone name zone2 vsan 1

* fcid 0xef0000 [pwwn 21:00:00:20:37:6f:db:dd]

* fcid 0xef0100 [pwwn 21:00:00:20:37:a6:be:2f]

Example 13-14 Displays Zone Status 

switch# show zone status

VSAN: 1 default-zone: deny distribute: full Interop: Off

Full Zoning Database :

    Zonesets:1  Zones:11  Aliases:0

Active Zoning Database :

    Name: zoneset-1  Zonesets:1  Zones:11  Aliases:0

Status: Activation completed at Thu Feb 13 10:22:34 2003


VSAN: 2 default-zone: deny distribute: full Interop: Off

Full Zoning Database :

    Zonesets:1  Zones:10  Aliases:0

Active Zoning Database :

    Name: zoneset-2  Zonesets:1  Zones:10  Aliases:0

Status: Activation completed at Thu Feb 13 10:23:12 2003


VSAN: 3 default-zone: deny distribute: full Interop: Off

Full Zoning Database :

    Zonesets:1  Zones:10  Aliases:0

Active Zoning Database :

    Name: zoneset-3  Zonesets:1  Zones:10  Aliases:0

Status: Activation completed at Thu Feb 13 10:23:50 2003

Use the show zone command to display the zone attributes for all configured zones.

Example 13-15 Displays Zone Statistics 

switch# show zone 

zone name lunSample vsan 1										<-----------------Read-write attribute 

zone name ReadOnlyZone vsan 2

	attribute read-only									<-----------------Read-only attribute

Use the show running and show zone active commands to display the configured interface-based zones (see Example 13-16 and Example 13-17).

Example 13-16 Displays the Interface-Based Zones 

switch# show running

zone name if-zone vsan 1

      member interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2

      member fwwn 20:4f:00:0c:88:00:4a:e2

      member interface fc2/1 swwn 20:00:00:05:30:00:4a:9e

      member pwwn 22:00:00:20:37:39:6b:dd

Example 13-17 Displays the fWWNs and Interfaces in an Active Zone 

switch# show zone active

zone name if-zone vsan 1

  * fcid 0x7e00b3 [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]

  * fcid 0x7e00b1 [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]

  * fcid 0x7e00ac [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]

  * fcid 0x7e00b3 [fwwn 20:4f:00:0c:88:00:4a:e2]

  * fcid 0x7e00b1 [fwwn 20:4f:00:0c:88:00:4a:e2]

  * fcid 0x7e00ac [fwwn 20:4f:00:0c:88:00:4a:e2]

    interface fc2/1 swwn 20:00:00:05:30:00:4a:9e

A similar output is also available on the remote switch (see Example 13-18).

Example 13-18 Displays the Local Interface Active Zone Details for a Remote Switch 

switch# show zone active

zone name if-zone vsan 1

  * fcid 0x7e00b3 [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]

  * fcid 0x7e00b1 [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]

  * fcid 0x7e00ac [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]

  * fcid 0x7e00b3 [fwwn 20:4f:00:0c:88:00:4a:e2]

  * fcid 0x7e00b1 [fwwn 20:4f:00:0c:88:00:4a:e2]

  * fcid 0x7e00ac [fwwn 20:4f:00:0c:88:00:4a:e2]

    interface fc2/1 swwn 20:00:00:05:30:00:4a:9e

Default Settings

Table 13-2 lists the default settings for zone parameters.

Table 13-2 Default Zone Parameters 

Parameters
Default

Default zone policy

Denied to all members.

Full zone set distribute

The full zone set(s) is not distributed.

Read-only zones

Read-write attributes for all zones.