SAN Zoning

This page is mainly based on Brocade zoning standards.

SAN zoning is used to logically group hosts and storage devices together in a physical SAN, so that authorised devices can only communicate with each other if they are in the same SAN zone. A typical SAN setup will have several zones and a device in a SAN can belong to more than one zone. It might seem intuitively wrong to design a SAN to allow inter-device communication and then restrict that communication, but zoning servers two purposes

  • It restricts access so that hosts can only see the data that they are authorized to see.
  • It helps prevent RSCN traffic floods.

When a change is made to a SAN fabric, or an event occurs like a switch going offline, the Fabric Name Server sends out Registered State Change Notification (RSCN) signals so that all the nodes in the fabric know about the change. As nodes are usually zoned together in small groups, zoning means that an RSCN will only be sent to devices in the correct zone, so the SAN is not flooded by fabric-wide RSCN traffic. However while zoning will help prevent RSCN floods, to be honest they are much less of a problem these days anyway with modern HBAs.

While this is not about LUN masking, you need to complement SAN zoning with LUN Masking.

A LUN is a single drive, a drive partition or a set of RAID devices that is presented to a host as a single disk. However a Fibre Channel port can service more than one LUN. You use zoning to restrict access to a port but an authorised server will see all LUNs presented to that port. If you need to restrict access to a subset of LUNs on a port then you need to use LUN masking.

Which type of SAN zoning is best?

Zoning used to be described as 'hard' or 'soft', but these terms mean nothing with modern switches as all zoning is implemented in hardware. Application Specific Integrated Circuits (ASICs) do the hardware enforcement by filtering out all unauthorised traffic, so only that which is intended for a specific zone can pass through. Now there are only two zoning methods, pWWN or D,P.

  • Domain, Port or D,P zoning uses switch domain ids and port index numbers to build zones.
  • Port World Wide Name or pWWN zoning uses port World Wide Names to build zones. Every port on an HBA has a unique pWWN. (This should not be confused with the HBA node identifier or nWWN. A dual port HBA will have 1 nWWN and 2 pWWNs).

You should consider a few factors when choosing between pWWN and D,P zoning -

   

Accelerate DB2 Write with zHyperWrite and "EADM™ by Improving DB2 Logs Volumes Response Time:

Ease of Maintenance

If you use D,P zoning and a device moves to a different port, then the zoning configuration must be changed. However a zone change is not required when you swap an HBA.
If you use pWWN and you swap out an HBA card then the WWNs will change so you will need to change the zoning, but you do not need to change the zoning if you move a node to a different port.
The switch domain ID does not have to be unique between two fabrics, so the D,P zoning method is not globally unique, unlike pWWN which is unique. However you can make use of this duplication feature for D,P zoning if you have a dual fabric SAN, as you can make the zoning identical on both sides of the fabric, which makes maintenance easier.

Special Requirements

The type of zoning you will use is restricted to some extent by what you are configuring. If you are installing FICON channels then you need D,P zones.

Virtualisation and Futures

Most sites use some kind of server virtualisation these days and this requires pWWN zoning. It actually adds a whole new level of complexity to your SAN and the virtual hosts are zoned on physical hypervisors, which makes it that much harder to track down problems.
Fibre Channel Routing (FCR) lets nodes in two different fabrics communicate without requiring the fabrics to merge. This needs pWWN as all the zones names must be unique and D,P cannot guarantee this between fabrics.
N_PORT ID Virtualisation (NPIV) allows several fiber channel port IDs to share single physical n-port, so saving on hardware. This means that there is more than one device on a port so they need pWWN to identify them. Think about it, if you have several servers sharing one port, then how could you zone them independently with D,P zoning?
So the conclusion seems to be that pWWN zoning is the future way to go.

Security

pWWN is more secure than D,P as it is harder to spoof access by adding a device to a port. OK, to do this, you need an unused port in the correct zone, but it could be done. For this reason, unused ports should be disabled and E-port functionality disabled for N-ports . You can add a duplicate device into a zone as duplicate logins are allowed. Device Connection Control (DCC) Policies or port ACLs can be used to prevent this as they map a PWWN to a specific port.

Enforcement

One top of this, you have two methods of zoning enforcement, Frame based enforcement and Session based enforcement. If you define zones where all the members are pWWN or all the members are D,P then the enforcement will be Frame based, whereas if the zoning is mixed or overlapping the enforcement will be Session based

Configuration and configuration databases

A 'configuration' is a set of SAN zones.

The 'Defined Configuration' is the complete set of all the zone objects that have been defined in the Zone Configuration database. This database will be replicated over all the switches in the fabric when the cfgsave command is issued. You can use the cfgshow command to display its contents. The config database is used to store alias relationships and it has a limited size, so it's best to keep alias lengths reasonably small to prevent the database running out of space. You can use the cfgsize command to see you big your database is.

The 'Effective Configuration' is the configuration that is currently active, and includes any changes made to the configuration that have not been 'hardened' or saved.

The 'Saved Configuration' is the configuration that was stored in flash memory last time the cfgsave command was run. This configuration will be loaded on power up, or when the cfgenable command is run, and any unsaved changes in the effective configuration will be lost

SAN Zoning design

When you design a SAN you need to take 4 things into consideration

  • Stability
  • Scalability
  • Future proofing
  • Ease of maintenance

In all probability, you will not be designing a SAN from scratch, but working out how to upgrade or extend an existing SAN. You can do this yourself, but I'd recommend that you involve your switch vendor, as they know the parameters and limitations of their equipment. If you are going to use switches from more than one vendor then vendor support can be an issue.

Before making any changes to a SAN fabric, or if you need to design a new SAN architecture, I suggest you start by drawing pictures. Many switch management applications will do this for you. Another method that works well is to use an Excel spreadsheet with a worksheet for each switch.

Start with an overview diagram that shows the ISL links between all the switches and includes details of all the E-ports. Then draw a series of diagrams for each switch, that details every port on the switch, what type it is, and what it is connected to. An Excel spreadsheet with colour coding can be very effective. You should show all the unused ports, and indicate if they are reserved or free. Next you need to detail each zone, but if you have a large fabric that uses SIZ, then that will need too many diagrams. A simple table is more than adequate. Remember that while you can include E-Ports in a D,P zone , they will not be locked down as any user can use any E-Port. Also E-Ports do not have a WWN, so they cannot be specified in pWWN zoning schemes.

Next, you need to decide on the basic type of zoning for each zone, pWWN or D,P, based on any special requirements.

Use Aliases, especially for pWWN zoning, and work out a good alias naming scheme to make the configuration easy to understand, and so easier to maintain. You need to keep the right balance on your alias name length. Make them long enough the be meaningful and to cope for future expansion, but not so long that the fill up the configuration database.

Don't forget your physical SAN security strategy, which should include physical access to the switches, password access and access to the IP addresses.

How should you decide how to group objects into zones? Methods can be based on application, host, storage array or machine hall, but these all have disadvantages with RSCN flooding, scalability and the possibility of affecting a large part of your enterprise if things go wrong. The suggested good practice is to define a zone for every HBA. If an HBA can serve both tape and disk devices, then give that HBA two zones, one for disk and one for tape. This is known as Single Initiator Zoning (SIZ). The reason it is preferred is because it limits problems to a single HBA, and separates disk and tape as tape systems are worst affected by RSCN storms.

You should also define a default zone that has a -noaccess setting. While you are enabling a new configuration, the zoning drops to a default setting for a very short time. The normal default setting is that all nodes can access all other nodes.

Conclusion

  • Use Single Initiator zoning for stability, and possibly even Single Initiator / Single Target
  • Keep disk and tape devices in separate zones
  • Use pWWN zoning where possible, and just use D,P zoning where it is a requirement
  • Do not mix pWWN and D,P in the same zone
  • Set up a default -noaccess zone
  • Define a good set of naming standards
  • Keep your switch vendor involved in design

back to top