SlideShare a Scribd company logo

FCIA-FC-Zoning-Basics-Final.pdf

R
RaymondKoh23

The document provides an overview and summary of fibre channel zoning basics. It discusses what zoning is, why it is needed for access control and isolation, how zoning works through configuration and activation of zone sets and zones, and best practices for connecting switches and ensuring consistency. Key terms like zone set, zone, member, and zone alias are defined.

Technology
1 of 43
Download to read offline
Fibre Channel Zoning Basics Live Webcast June 27, 2019 10:00 am PT
Today’s Presenters Ed Mazurek Cisco John Rodrigues Brocade J Metz Cisco
About the FCIA • The Fibre Channel Industry Association (FCIA) is a mutual benefit, non-profit, international organization of manufacturers, system integrators, developers, vendors, and industry professionals, and end users – Promotes the advancement of Fibre Channel technologies and products that conform to the existing and emerging T11 standards. – Maintains resources and supports activities to ensure multi-vendor interoperability for hardware, interconnection, and protocol solutions. – Promotion and marketing of FC solutions, educational awareness campaigns, hosting public interoperability demonstrations, and fostering technology and standards conformance. 3 h"ps://fibrechannel.org/
Agenda • What is Zoning? – Why is it needed? • How does Zoning work? – Configuration, activation flow, etc. • Connecting Switches via ISLs – What happens when switches connect? • What are the best practices? • Latest advances in Zoning – The introduction of Peer Zones • Summary
INCITS/T11 • International Committee for Information Technology Standards • T11 is the INCITS standard containing Fibre Channel • Various specification exist – FC-PI – Physical Interface – FC-FS – Framing and Signaling – FC-LS – Link Services – FC-GS – Generic Services – FC-SW – Switch Fabric – Etc… • Zoning is defined in FC-GS and FC-SW standards • Material for this presentation taken from in FC-GS and FC-SW
What is Zoning? • Zoning allows specific groups of devices to communicate with each other – Kind of like a mini-VPN (Virtual Private Network) • Individual zones limit communication between the devices that “care” about each other – A “Default” zone or no zone allows every device to communicate with every other device – This may be permitted or denied • In Fibre Channel switches, the “Fabric Zone Server” controls zoning Fibre Channel Fabric Source: Erik Smith, EMC
• Zone Set – A collection of zones • Active Zone Set – The Zone Set currently enforced by the Fabric. • Zone – A “container” with members representing end devices • Member – Two contexts: – In a zoneset a member is a zone – In a zone a member represents an end device or group of end devices • Zone Alias – a name that represents one or more FC devices Terminology What is Zoning?
What is Zoning? • Default Zone – Contains all devices not a member of any zone in the active zone set – This group of devices may be permitted to communicate or denied • Basic Zoning Mode – Zoning changes done w/o fabric wide lock. – Lock obtained once changes sent to fabric – Less efficient zone data structure • Enhanced Zoning Mode – All zoning changes occur only after a fabric wide lock is obtained. Ends with a commit of changes. – More efficient zone data structure Terminology – c o n t i n u e d …
What is Zoning? • Zoning Database - A database containing all: – zonesets (active or not) – zones – FC alias – Attributes • RSCN – Registered State Change Notification – Message sent by switch to end device notifying it that a device it is zoned with has either entered or left the fabric – Only sent when end device registers • SCR – State Change Registration – Request sent from end device to switch requesting RSCNs Terminology – c o n t i n u e d …
What is Zoning? Sample Zone Set containing 3 Zones from FC-GS
Zoning Framework What is Zoning?
Zone Member Types • PWWNs (WWPN) – Port WW name • Switch/domain-id + physical port/interface • N_Port_ID (FCID) • NWWN - Node WW Name • FC Alias – Contains one or more zone member types • Other vendor specific types are allowed What is Zoning?
Why is zoning needed? • Access Control Security (only devices in a zone can communicate) • Device/Group Isolation: – Less device chatter (fewer discovery queries, PLOGIs) – Fewer RSCNs • If default-zone deny is configured (or defaulted) then devices will not be able to communicate without zoning What is Zoning?
The Different Types of Zoning Soft Zoning • The Fabric enforces the Zoning configuration through Name Server (FCNS) visibility Hard Zoning • The Fabric enforces the Zoning configuration by frame-by-frame filtering • Normally both Hard and Soft zoning are both in effect What is Zoning?
The Different Types of Zoning GPN_FT (SCSI FCP) Zone1 Member host1 Member Target1 Zone2 Member host3 Member Target1 Zone3 Member host2 Member Target2 ACC (GPN_FT) (Host1, Host3) 1 - FCNS receives GPN_FT 2 - FCNS checks FCNS DB for SCSI FCP devices 3 - FCNS filters by zone where Target1 is a member 4 - FCNS returns response Target1 Zoneset So8 Zoning FCNS only returns informaXon for zoned desXnaXons! What is Zoning?
The Different Types of Zoning Zone1 Member host1 Member Target1 Zone2 Member host3 Member Target1 Zone3 Member host2 Member Target2 Target1 Zoneset Hard Zoning Host1 Host2 Host3 PLOGI (target1) Frames dropped to unzoned desXnaXons! What is Zoning?
How does Zoning work? • Zoning Configuration Flow • Zoneset Activation Flow • Results of Zoning
How does Zoning work? 5 (or 6) Steps 1. Create zoneset or use existing zoneset 2. Create zone using new name 3. Add members to zone 4. Add zone to zoneset 5. Activate zoneset 6. If enhanced mode then commit changes (may be implicit) Zoning Configuration Flow
How does Zoning work? 1. ACA - Acquire Change Authorization Request – Locks the fabric – Sent to all switches in fabric 2. SFC - Stage Fabric Configuration Update Request – Zoning data is sent to all switches 3. UFC Update Fabric Configuration Request – Once all switches acknowledge SFCs, update zone info 4. RCA - Release Change Authorization Request – Unlock the fabric All SW_ILS frames sent from/to Domain Controller WKA 0xFFFCxx All SW_ILS frames are acknowledged by an ACCept Zoneset Activation Flow
Zoneset Activation Flow A c t i v a t i o n E x a m p l e – P h a s e 1 1 FC Switch 1 FC Switch 2 FC Switch 3 FC Switch 1 user initiates zoneset activation ACA Request ACA Request ACA Accept ACA Accept Lock Acquired How does Zoning work? 1. ACA - Acquire Change Authorization Request – Locks the fabric – Sent to all switches in fabric – If lock is available, switch sends an Accept. – If lock is not available, switch sends a Reject.
Zoneset Activation Flow A c t i v a t i o n E x a m p l e – P h a s e 2 2. SFC - Stage Fabric Configuration Update Request – Zoning data is sent to all switches – Switches validate that data can be committed. After validation is complete, send an Accept. – If data fails validation a Reject is sent. 2 FC Switch 1 FC Switch 2 FC Switch 3 FC Switch 1 user initiates zoneset activation SFC Request SFC Request SFC Accept SFC Accept Lock Acquired Data Validated How does Zoning work?
Zoneset Activation Flow A c t i v a t i o n E x a m p l e – P h a s e 3 3. UFC - Update Fabric Configuration Request – Switches commit the zone data and send an Accept after commit is complete. 3 FC Switch 1 FC Switch 2 FC Switch 3 FC Switch 1 user initiates zoneset activation UFC Request UFC Request UFC Accept UFC Accept Lock Acquired Data Validated Data Committed How does Zoning work?
Zoneset Activation Flow A c t i v a t i o n E x a m p l e – P h a s e 4 4. RCA - Release Change Authorization Request – Once all switches accept, the fabric is unlocked. – If the ACA or SFC requests are rejected, the RCA phase will commence. 4 FC Switch 1 FC Switch 2 FC Switch 3 FC Switch 1 user initiates zoneset activation RCA Request RCA Request FC Switch 1 zoneset activation completes RCA Accept RCA Accept Lock Acquired Data Validated Data Committed Lock Released How does Zoning work?
Zoneset Activation Flow A c t i v a t i o n F a i l u r e E x a m p l e Switch 3 rejects SFC due to a failed validation (e.g. exceeds max zone size limits) 1 2 3 FC Switch 1 FC Switch 2 FC Switch 3 FC Switch 1 user initiates zoneset activation ACA Request ACA Request SFC Request SFC Request RCA Request RCA Request ACA Accept ACA Accept SFC Accept SFC REJECT RCA Accept RCA Accept Lock Acquired Lock Released Data Validation Failed! FC Switch 1 zoneset activation Fails. How does Zoning work?
How does Zoning work? • Zone databases are updated throughout the fabric • Hard zoning Access Control Lists are updated • Registered State Change Notifications (RSCNs) are generated to end devices involved in the change – If new associations are added “online” RSCNs are sent – If associations are removed “offline” RSCNs are sent • Once device receives RSCN it sends queries to FCNS Results of Zoning
Results of Zoning Zone1 Member host1 Member Target1 Zone2 Member host3 Member Target1 Zone3 Member host2 Member Target2 Target1 Zoneset New Zone3 added Host1 Host2 Host3 RSCN online (host2) Target2 RSCN online (target2) How does Zoning work?
Connecting Switches via ISLs Inter-Switch Links (ISLs) are activated to form multi-switch fabrics • Merge request is sent to merge two zoning databases • If zone DBs are the same then ISL comes up • If zone DBs are mergeable then ISL comes up • If zone DBs are not mergeable then isolate ISL
Connecting Switches via ISLs • Consistency checks for zone settings can involve the following: – Default-zone – Permit or Deny – Merge Control - Allow or Restrict • Restrict – zone DBs must be exact for ISL to come up • Allow – If zone DBs are “mergeable” ISL comes up – Zones with the same zone name but dissimilar • Members, Definitions, Attributes • Check switch’s error logs for messages when merge fails Consistency checks
Connecting Switches via ISLs Two switches prior to ISL activation Example – Successful Merge Zoneset name myzs Zone name zone1 member pwwn1 member pwwn2 Zoneset name myzs Zone name zone2 member pwwn3 member pwwn4 Two switches Different zoneset contents Different zone names
Connecting Switches via ISLs Two switches after to ISL activation Example – Successful Merge Zoneset name myzs Zone name zone1 member pwwn1 member pwwn2 Zone name zone2 member pwwn3 member pwwn4 Two switches Same(merged) zoneset contents Zoneset name myzs Zone name zone1 member pwwn1 member pwwn2 Zone name zone2 member pwwn3 member pwwn4 ISL - AcXvated
Connecting Switches via ISLs Two switches prior to ISL activation Example – Failed Merge Zoneset name myzs Zone name zone1 member pwwn1 member pwwn2 Zoneset name myzs Zone name zone1 member pwwn3 member pwwn4 Two switches Different zoneset contents Same zone name different members
Connecting Switches via ISLs Two switches after to ISL activation and isolation Example – Failed Merge Zoneset name myzs Zone name zone1 member pwwn1 member pwwn2 Zoneset name myzs Zone name zone1 member pwwn3 member pwwn4 Two switches Different zoneset contents ISL - Isolated
Zoning best practices When zones contain more than 2 members all members are allowed to communicate with each other zone name myzone member alias init1 … member alias init12 member alias target1 member alias target2 Above allows all members to communicate with each other! This can increase cross talk Single Initiator / Single Target zones 12 x I 2 x T I I T T I I I I I I I I I I
Zoning best practices • ACL entries for hard zoning result in n*(n-1) entries per zone • Each pair consumes two ACL entries in hardware – Result: n*(n-1) entries per zone • Greatly increased Name Server queries • Zones should contain 2 members: – Initiator – PWWN or Alias – Target – PWWN or Alias – “Single initiator / Single target scheme” 0 2,000 4,000 6,000 8,000 10,000 0 10 20 30 40 50 60 70 80 90 100 Number of ACL Entries Number of Members Number of ACLs Single Initiator / Single Target zones
Single Initiator / Single Target Zones • A zoning best practice • Limits each zone to two members – Initiator – PWWN or Alias – Target – PWWN or Alias • Isolates access control and reduces communication – Only the devices that “care” about each other H1 H2 H3 H4 H5 H6 H7 H8 T1 FC Fabric
Zoning best practices • Aliases are alternative names for zone members • User Friendly – Administrators can assign a descriptive name to a member or group of members • Simpler Zone Creation – Adding devices to multiple zones can be done with one alias instead of manually adding individual WWNs repetitively • Device Replacement – If a device needs to be replaced, a single alias can be changed instead of changing numerous zones H1 H2 H3 H4 T1 FC Fabric “Fourth_Floor_HR_Servers” Example: The alias “Fourth_Floor_HR_Servers” contains the members Host1_WWN; Host2_WWN Zone Alias
Zoning best practices • Be consistent with zone types (try to use WWPN, alias) • Use default zone deny mode – FICON may need to use default zone permit • Back up your zone set periodically • Keep zone object names as concise as possible • Remove zones that are no longer needed • Allow time for zone changes to propagate through the fabric – Do each fabric separately, verify function prior to next fabric Continued…
Advances in Zoning • Peer Zoning – Allows a Principal device to communicate with peer devices in the zone. – Peer devices cannot communicate with each other. – Benefits over Single Initiator zoning scheme: • Fewer zones to be created compared to Single Initiator zoning. • Uses less zone database space since one zone can take the place of multiple Single Initiator zones. • No communication between Peer-to-Peer or Principal-to- Principal members. • Optimal hardware resource utilization – Same as single initiator scheme – New in FC-GS-7
Peer Zones • Peer Zones are formalized “single initiator / single target” zones • Zones with Principal and Peer members – Connectivity Rules: • Principal member(s) can communicate with all Peer members in the zone. Principal-to- Principal communication is not allowed. • Peer-to-Peer communication is not allowed. – Advantages: • Easier to configure and manage due to requiring fewer zones to be created compared to Single Initiator zoning. • Smaller memory footprint (zone database and hardware) compared to Single Initiator zoning. • More efficient ACL entry usage compared to similar 1-to-Many zoning scheme. • Less RSCN-related traffic compared to similar 1-to-Many zoning scheme. H1 H2 H3 H4 H5 H6 H7 H8 T1 FC Fabric
Summary • Zoning provides a secure method of ensuring only certain devices communicate with each other • Zoning database will be uniform throughout fabric switches • Use Single Initiator / Single Target zones whenever possible • Follow other best practices
Q & A If you have questions… …We have answers!
Fibre Channel and Security August 27, 2019 10:00 am PT/1:00 pm ET Register at: https://www.brighttalk.com/webcast/14967/363593 Our Next FCIA Webcast: 42
• Please rate this event – we value your feedback • We will post a Q&A blog at http://fibrechannel.org/ with answers to the questions we received today • Follow us on Twitter @FCIAnews for updates on future FCIA webcasts • Visit our library of FCIA on-demand webcasts at http://fibrechannel.org/webcasts/ to learn about: – Fibre Channel Fundamentals – FC-NVMe – Long Distance Fibre Channel – Fibre Channel Speedmap – FCIP (Extension): Data Protection and Business Continuity – Fibre Channel Performance – FICON – Fibre Channel Cabling – 64GFC After this Webcast 43

Recommended

Parameters for drive test
Parameters for drive testParameters for drive test
Parameters for drive test
Jakoba Fetindrainibe
 
Predstavitev osnov klasičnih pomnilniških sistemov - disk
Predstavitev osnov klasičnih pomnilniških sistemov - diskPredstavitev osnov klasičnih pomnilniških sistemov - disk
Predstavitev osnov klasičnih pomnilniških sistemov - disk
Klemen Bacak
 
Drive Test Nemo
Drive Test NemoDrive Test Nemo
Drive Test Nemo
toha ardi nugraha
 
2.7 wlan ieee 802.11
2.7 wlan ieee 802.112.7 wlan ieee 802.11
2.7 wlan ieee 802.11
JAIGANESH SEKAR
 
WiFi - IEEE 802.11
WiFi - IEEE 802.11WiFi - IEEE 802.11
WiFi - IEEE 802.11
Damien Magoni
 
Sonet fall2011
Sonet fall2011Sonet fall2011
Sonet fall2011
kongara
 
Inter-controller Traffic in ONOS Clusters for SDN Networks
Inter-controller Traffic in ONOS Clusters for SDN Networks Inter-controller Traffic in ONOS Clusters for SDN Networks
Inter-controller Traffic in ONOS Clusters for SDN Networks
Paolo Giaccone
 
CCNA BASIC SWITCHING AND SWITCH CONFIGURATION
CCNA BASIC SWITCHING AND SWITCH CONFIGURATIONCCNA BASIC SWITCHING AND SWITCH CONFIGURATION
CCNA BASIC SWITCHING AND SWITCH CONFIGURATION
Aswini Badatya
 

Recommended

Parameters for drive test
Parameters for drive testParameters for drive test
Parameters for drive test
Jakoba Fetindrainibe
 
Predstavitev osnov klasičnih pomnilniških sistemov - disk
Predstavitev osnov klasičnih pomnilniških sistemov - diskPredstavitev osnov klasičnih pomnilniških sistemov - disk
Predstavitev osnov klasičnih pomnilniških sistemov - disk
Klemen Bacak
 
Drive Test Nemo
Drive Test NemoDrive Test Nemo
Drive Test Nemo
toha ardi nugraha
 
2.7 wlan ieee 802.11
2.7 wlan ieee 802.112.7 wlan ieee 802.11
2.7 wlan ieee 802.11
JAIGANESH SEKAR
 
WiFi - IEEE 802.11
WiFi - IEEE 802.11WiFi - IEEE 802.11
WiFi - IEEE 802.11
Damien Magoni
 
Sonet fall2011
Sonet fall2011Sonet fall2011
Sonet fall2011
kongara
 
Inter-controller Traffic in ONOS Clusters for SDN Networks
Inter-controller Traffic in ONOS Clusters for SDN Networks Inter-controller Traffic in ONOS Clusters for SDN Networks
Inter-controller Traffic in ONOS Clusters for SDN Networks
Paolo Giaccone
 
CCNA BASIC SWITCHING AND SWITCH CONFIGURATION
CCNA BASIC SWITCHING AND SWITCH CONFIGURATIONCCNA BASIC SWITCHING AND SWITCH CONFIGURATION
CCNA BASIC SWITCHING AND SWITCH CONFIGURATION
Aswini Badatya
 
CCNA SWITCHING AND CONFIGURATION
CCNA SWITCHING AND CONFIGURATIONCCNA SWITCHING AND CONFIGURATION
CCNA SWITCHING AND CONFIGURATION
Shankar Ghorpade
 
F14_Class1.pptx
F14_Class1.pptxF14_Class1.pptx
F14_Class1.pptx
Sameer Ali
 
Unit 2 new
Unit 2 newUnit 2 new
Unit 2 new
PRABU M
 
Wireless Sensor Network
Wireless Sensor Network Wireless Sensor Network
Wireless Sensor Network
Dr Praveen Jain
 
Basic switch and switch configuration.pptx
Basic switch and switch configuration.pptxBasic switch and switch configuration.pptx
Basic switch and switch configuration.pptx
itwkd
 
NETWORKERS HOME Cisco UCS PPT .
NETWORKERS HOME Cisco UCS PPT .NETWORKERS HOME Cisco UCS PPT .
NETWORKERS HOME Cisco UCS PPT .
networkershome
 
1 networking devices 2014
1 networking devices 20141 networking devices 2014
1 networking devices 2014
Zuhaib Zaroon
 
M4 san features-4.3.1
M4 san features-4.3.1M4 san features-4.3.1
M4 san features-4.3.1
MrudulaJoshi10
 
ieee 802.4
ieee 802.4ieee 802.4
ieee 802.4
LautaroRondan
 
2.8 bluetooth ieee 802.15
2.8 bluetooth ieee 802.152.8 bluetooth ieee 802.15
2.8 bluetooth ieee 802.15
JAIGANESH SEKAR
 
Ieee 802.11.n
Ieee 802.11.nIeee 802.11.n
Ieee 802.11.nHari Krishnan
 
Ccna 9
Ccna 9Ccna 9
Ccna 9
Simanto Basher
 
Mr201304 open flow_security_eng
Mr201304 open flow_security_engMr201304 open flow_security_eng
Mr201304 open flow_security_engFFRI, Inc.
 
Using buffer mechanisms in FIBRE CHANNEL technology
Using buffer mechanisms in FIBRE CHANNEL technologyUsing buffer mechanisms in FIBRE CHANNEL technology
Using buffer mechanisms in FIBRE CHANNEL technologyPavel Bankov
 
Computer networks unit ii
Computer networks unit iiComputer networks unit ii
Computer networks unit ii
JAIGANESH SEKAR
 
CCNP Switching Chapter 1
CCNP Switching Chapter 1CCNP Switching Chapter 1
CCNP Switching Chapter 1
Chaing Ravuth
 
CCNA- part 8 switch
CCNA- part 8 switchCCNA- part 8 switch
CCNA- part 8 switch
Sandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
Chapter07
Chapter07Chapter07
Chapter07
Muhammad Ahad
 
Brkmpl 1261
Brkmpl 1261Brkmpl 1261
Brkmpl 1261
Arrive Technologies, Inc.
 
Globecom 2015: Adaptive Raptor Carousel for 802.11
Globecom 2015: Adaptive Raptor Carousel for 802.11Globecom 2015: Adaptive Raptor Carousel for 802.11
Globecom 2015: Adaptive Raptor Carousel for 802.11
Andrew Nix
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 

More Related Content

Similar to FCIA-FC-Zoning-Basics-Final.pdf

CCNA SWITCHING AND CONFIGURATION
CCNA SWITCHING AND CONFIGURATIONCCNA SWITCHING AND CONFIGURATION
CCNA SWITCHING AND CONFIGURATION
Shankar Ghorpade
 
F14_Class1.pptx
F14_Class1.pptxF14_Class1.pptx
F14_Class1.pptx
Sameer Ali
 
Unit 2 new
Unit 2 newUnit 2 new
Unit 2 new
PRABU M
 
Wireless Sensor Network
Wireless Sensor Network Wireless Sensor Network
Wireless Sensor Network
Dr Praveen Jain
 
Basic switch and switch configuration.pptx
Basic switch and switch configuration.pptxBasic switch and switch configuration.pptx
Basic switch and switch configuration.pptx
itwkd
 
NETWORKERS HOME Cisco UCS PPT .
NETWORKERS HOME Cisco UCS PPT .NETWORKERS HOME Cisco UCS PPT .
NETWORKERS HOME Cisco UCS PPT .
networkershome
 
1 networking devices 2014
1 networking devices 20141 networking devices 2014
1 networking devices 2014
Zuhaib Zaroon
 
M4 san features-4.3.1
M4 san features-4.3.1M4 san features-4.3.1
M4 san features-4.3.1
MrudulaJoshi10
 
ieee 802.4
ieee 802.4ieee 802.4
ieee 802.4
LautaroRondan
 
2.8 bluetooth ieee 802.15
2.8 bluetooth ieee 802.152.8 bluetooth ieee 802.15
2.8 bluetooth ieee 802.15
JAIGANESH SEKAR
 
Mr201304 open flow_security_eng
Mr201304 open flow_security_engMr201304 open flow_security_eng
Mr201304 open flow_security_engFFRI, Inc.
 
Using buffer mechanisms in FIBRE CHANNEL technology
Using buffer mechanisms in FIBRE CHANNEL technologyUsing buffer mechanisms in FIBRE CHANNEL technology
Using buffer mechanisms in FIBRE CHANNEL technologyPavel Bankov
 
Computer networks unit ii
Computer networks unit iiComputer networks unit ii
Computer networks unit ii
JAIGANESH SEKAR
 
CCNP Switching Chapter 1
CCNP Switching Chapter 1CCNP Switching Chapter 1
CCNP Switching Chapter 1
Chaing Ravuth
 
Chapter07
Chapter07Chapter07
Chapter07
Muhammad Ahad
 
Brkmpl 1261
Brkmpl 1261Brkmpl 1261
Brkmpl 1261
Arrive Technologies, Inc.
 
Globecom 2015: Adaptive Raptor Carousel for 802.11
Globecom 2015: Adaptive Raptor Carousel for 802.11Globecom 2015: Adaptive Raptor Carousel for 802.11
Globecom 2015: Adaptive Raptor Carousel for 802.11
Andrew Nix
 

Similar to FCIA-FC-Zoning-Basics-Final.pdf (20)

CCNA SWITCHING AND CONFIGURATION
CCNA SWITCHING AND CONFIGURATIONCCNA SWITCHING AND CONFIGURATION
CCNA SWITCHING AND CONFIGURATION
 
F14_Class1.pptx
F14_Class1.pptxF14_Class1.pptx
F14_Class1.pptx
 
Unit 2 new
Unit 2 newUnit 2 new
Unit 2 new
 
Wireless Sensor Network
Wireless Sensor Network Wireless Sensor Network
Wireless Sensor Network
 
Basic switch and switch configuration.pptx
Basic switch and switch configuration.pptxBasic switch and switch configuration.pptx
Basic switch and switch configuration.pptx
 
NETWORKERS HOME Cisco UCS PPT .
NETWORKERS HOME Cisco UCS PPT .NETWORKERS HOME Cisco UCS PPT .
NETWORKERS HOME Cisco UCS PPT .
 
1 networking devices 2014
1 networking devices 20141 networking devices 2014
1 networking devices 2014
 
M4 san features-4.3.1
M4 san features-4.3.1M4 san features-4.3.1
M4 san features-4.3.1
 
ieee 802.4
ieee 802.4ieee 802.4
ieee 802.4
 
2.8 bluetooth ieee 802.15
2.8 bluetooth ieee 802.152.8 bluetooth ieee 802.15
2.8 bluetooth ieee 802.15
 
Ieee 802.11.n
Ieee 802.11.nIeee 802.11.n
Ieee 802.11.n
 
Ccna 9
Ccna 9Ccna 9
Ccna 9
 
Mr201304 open flow_security_eng
Mr201304 open flow_security_engMr201304 open flow_security_eng
Mr201304 open flow_security_eng
 
Using buffer mechanisms in FIBRE CHANNEL technology
Using buffer mechanisms in FIBRE CHANNEL technologyUsing buffer mechanisms in FIBRE CHANNEL technology
Using buffer mechanisms in FIBRE CHANNEL technology
 
Computer networks unit ii
Computer networks unit iiComputer networks unit ii
Computer networks unit ii
 
CCNP Switching Chapter 1
CCNP Switching Chapter 1CCNP Switching Chapter 1
CCNP Switching Chapter 1
 
CCNA- part 8 switch
CCNA- part 8 switchCCNA- part 8 switch
CCNA- part 8 switch
 
Chapter07
Chapter07Chapter07
Chapter07
 
Brkmpl 1261
Brkmpl 1261Brkmpl 1261
Brkmpl 1261
 
Globecom 2015: Adaptive Raptor Carousel for 802.11
Globecom 2015: Adaptive Raptor Carousel for 802.11Globecom 2015: Adaptive Raptor Carousel for 802.11
Globecom 2015: Adaptive Raptor Carousel for 802.11
 

Recently uploaded

Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
UiPath New York Community Day in-person event
UiPath New York Community Day in-person eventUiPath New York Community Day in-person event
UiPath New York Community Day in-person event
DianaGray10
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
Ransomware Mallox [EN].pdf
Ransomware Mallox [EN].pdfRansomware Mallox [EN].pdf
Ransomware Mallox [EN].pdf
Overkill Security
 

Recently uploaded (20)

Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
UiPath New York Community Day in-person event
UiPath New York Community Day in-person eventUiPath New York Community Day in-person event
UiPath New York Community Day in-person event
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Ransomware Mallox [EN].pdf
Ransomware Mallox [EN].pdfRansomware Mallox [EN].pdf
Ransomware Mallox [EN].pdf
 

FCIA-FC-Zoning-Basics-Final.pdf

  • 1. Fibre Channel Zoning Basics Live Webcast June 27, 2019 10:00 am PT
  • 2. Today’s Presenters Ed Mazurek Cisco John Rodrigues Brocade J Metz Cisco
  • 3. About the FCIA • The Fibre Channel Industry Association (FCIA) is a mutual benefit, non-profit, international organization of manufacturers, system integrators, developers, vendors, and industry professionals, and end users – Promotes the advancement of Fibre Channel technologies and products that conform to the existing and emerging T11 standards. – Maintains resources and supports activities to ensure multi-vendor interoperability for hardware, interconnection, and protocol solutions. – Promotion and marketing of FC solutions, educational awareness campaigns, hosting public interoperability demonstrations, and fostering technology and standards conformance. 3 h"ps://fibrechannel.org/
  • 4. Agenda • What is Zoning? – Why is it needed? • How does Zoning work? – Configuration, activation flow, etc. • Connecting Switches via ISLs – What happens when switches connect? • What are the best practices? • Latest advances in Zoning – The introduction of Peer Zones • Summary
  • 5. INCITS/T11 • International Committee for Information Technology Standards • T11 is the INCITS standard containing Fibre Channel • Various specification exist – FC-PI – Physical Interface – FC-FS – Framing and Signaling – FC-LS – Link Services – FC-GS – Generic Services – FC-SW – Switch Fabric – Etc… • Zoning is defined in FC-GS and FC-SW standards • Material for this presentation taken from in FC-GS and FC-SW
  • 6. What is Zoning? • Zoning allows specific groups of devices to communicate with each other – Kind of like a mini-VPN (Virtual Private Network) • Individual zones limit communication between the devices that “care” about each other – A “Default” zone or no zone allows every device to communicate with every other device – This may be permitted or denied • In Fibre Channel switches, the “Fabric Zone Server” controls zoning Fibre Channel Fabric Source: Erik Smith, EMC
  • 7. • Zone Set – A collection of zones • Active Zone Set – The Zone Set currently enforced by the Fabric. • Zone – A “container” with members representing end devices • Member – Two contexts: – In a zoneset a member is a zone – In a zone a member represents an end device or group of end devices • Zone Alias – a name that represents one or more FC devices Terminology What is Zoning?
  • 8. What is Zoning? • Default Zone – Contains all devices not a member of any zone in the active zone set – This group of devices may be permitted to communicate or denied • Basic Zoning Mode – Zoning changes done w/o fabric wide lock. – Lock obtained once changes sent to fabric – Less efficient zone data structure • Enhanced Zoning Mode – All zoning changes occur only after a fabric wide lock is obtained. Ends with a commit of changes. – More efficient zone data structure Terminology – c o n t i n u e d …
  • 9. What is Zoning? • Zoning Database - A database containing all: – zonesets (active or not) – zones – FC alias – Attributes • RSCN – Registered State Change Notification – Message sent by switch to end device notifying it that a device it is zoned with has either entered or left the fabric – Only sent when end device registers • SCR – State Change Registration – Request sent from end device to switch requesting RSCNs Terminology – c o n t i n u e d …
  • 10. What is Zoning? Sample Zone Set containing 3 Zones from FC-GS
  • 12. Zone Member Types • PWWNs (WWPN) – Port WW name • Switch/domain-id + physical port/interface • N_Port_ID (FCID) • NWWN - Node WW Name • FC Alias – Contains one or more zone member types • Other vendor specific types are allowed What is Zoning?
  • 13. Why is zoning needed? • Access Control Security (only devices in a zone can communicate) • Device/Group Isolation: – Less device chatter (fewer discovery queries, PLOGIs) – Fewer RSCNs • If default-zone deny is configured (or defaulted) then devices will not be able to communicate without zoning What is Zoning?
  • 14. The Different Types of Zoning Soft Zoning • The Fabric enforces the Zoning configuration through Name Server (FCNS) visibility Hard Zoning • The Fabric enforces the Zoning configuration by frame-by-frame filtering • Normally both Hard and Soft zoning are both in effect What is Zoning?
  • 15. The Different Types of Zoning GPN_FT (SCSI FCP) Zone1 Member host1 Member Target1 Zone2 Member host3 Member Target1 Zone3 Member host2 Member Target2 ACC (GPN_FT) (Host1, Host3) 1 - FCNS receives GPN_FT 2 - FCNS checks FCNS DB for SCSI FCP devices 3 - FCNS filters by zone where Target1 is a member 4 - FCNS returns response Target1 Zoneset So8 Zoning FCNS only returns informaXon for zoned desXnaXons! What is Zoning?
  • 16. The Different Types of Zoning Zone1 Member host1 Member Target1 Zone2 Member host3 Member Target1 Zone3 Member host2 Member Target2 Target1 Zoneset Hard Zoning Host1 Host2 Host3 PLOGI (target1) Frames dropped to unzoned desXnaXons! What is Zoning?
  • 17. How does Zoning work? • Zoning Configuration Flow • Zoneset Activation Flow • Results of Zoning
  • 18. How does Zoning work? 5 (or 6) Steps 1. Create zoneset or use existing zoneset 2. Create zone using new name 3. Add members to zone 4. Add zone to zoneset 5. Activate zoneset 6. If enhanced mode then commit changes (may be implicit) Zoning Configuration Flow
  • 19. How does Zoning work? 1. ACA - Acquire Change Authorization Request – Locks the fabric – Sent to all switches in fabric 2. SFC - Stage Fabric Configuration Update Request – Zoning data is sent to all switches 3. UFC Update Fabric Configuration Request – Once all switches acknowledge SFCs, update zone info 4. RCA - Release Change Authorization Request – Unlock the fabric All SW_ILS frames sent from/to Domain Controller WKA 0xFFFCxx All SW_ILS frames are acknowledged by an ACCept Zoneset Activation Flow
  • 20. Zoneset Activation Flow A c t i v a t i o n E x a m p l e – P h a s e 1 1 FC Switch 1 FC Switch 2 FC Switch 3 FC Switch 1 user initiates zoneset activation ACA Request ACA Request ACA Accept ACA Accept Lock Acquired How does Zoning work? 1. ACA - Acquire Change Authorization Request – Locks the fabric – Sent to all switches in fabric – If lock is available, switch sends an Accept. – If lock is not available, switch sends a Reject.
  • 21. Zoneset Activation Flow A c t i v a t i o n E x a m p l e – P h a s e 2 2. SFC - Stage Fabric Configuration Update Request – Zoning data is sent to all switches – Switches validate that data can be committed. After validation is complete, send an Accept. – If data fails validation a Reject is sent. 2 FC Switch 1 FC Switch 2 FC Switch 3 FC Switch 1 user initiates zoneset activation SFC Request SFC Request SFC Accept SFC Accept Lock Acquired Data Validated How does Zoning work?
  • 22. Zoneset Activation Flow A c t i v a t i o n E x a m p l e – P h a s e 3 3. UFC - Update Fabric Configuration Request – Switches commit the zone data and send an Accept after commit is complete. 3 FC Switch 1 FC Switch 2 FC Switch 3 FC Switch 1 user initiates zoneset activation UFC Request UFC Request UFC Accept UFC Accept Lock Acquired Data Validated Data Committed How does Zoning work?
  • 23. Zoneset Activation Flow A c t i v a t i o n E x a m p l e – P h a s e 4 4. RCA - Release Change Authorization Request – Once all switches accept, the fabric is unlocked. – If the ACA or SFC requests are rejected, the RCA phase will commence. 4 FC Switch 1 FC Switch 2 FC Switch 3 FC Switch 1 user initiates zoneset activation RCA Request RCA Request FC Switch 1 zoneset activation completes RCA Accept RCA Accept Lock Acquired Data Validated Data Committed Lock Released How does Zoning work?
  • 24. Zoneset Activation Flow A c t i v a t i o n F a i l u r e E x a m p l e Switch 3 rejects SFC due to a failed validation (e.g. exceeds max zone size limits) 1 2 3 FC Switch 1 FC Switch 2 FC Switch 3 FC Switch 1 user initiates zoneset activation ACA Request ACA Request SFC Request SFC Request RCA Request RCA Request ACA Accept ACA Accept SFC Accept SFC REJECT RCA Accept RCA Accept Lock Acquired Lock Released Data Validation Failed! FC Switch 1 zoneset activation Fails. How does Zoning work?
  • 25. How does Zoning work? • Zone databases are updated throughout the fabric • Hard zoning Access Control Lists are updated • Registered State Change Notifications (RSCNs) are generated to end devices involved in the change – If new associations are added “online” RSCNs are sent – If associations are removed “offline” RSCNs are sent • Once device receives RSCN it sends queries to FCNS Results of Zoning
  • 26. Results of Zoning Zone1 Member host1 Member Target1 Zone2 Member host3 Member Target1 Zone3 Member host2 Member Target2 Target1 Zoneset New Zone3 added Host1 Host2 Host3 RSCN online (host2) Target2 RSCN online (target2) How does Zoning work?
  • 27. Connecting Switches via ISLs Inter-Switch Links (ISLs) are activated to form multi-switch fabrics • Merge request is sent to merge two zoning databases • If zone DBs are the same then ISL comes up • If zone DBs are mergeable then ISL comes up • If zone DBs are not mergeable then isolate ISL
  • 28. Connecting Switches via ISLs • Consistency checks for zone settings can involve the following: – Default-zone – Permit or Deny – Merge Control - Allow or Restrict • Restrict – zone DBs must be exact for ISL to come up • Allow – If zone DBs are “mergeable” ISL comes up – Zones with the same zone name but dissimilar • Members, Definitions, Attributes • Check switch’s error logs for messages when merge fails Consistency checks
  • 29. Connecting Switches via ISLs Two switches prior to ISL activation Example – Successful Merge Zoneset name myzs Zone name zone1 member pwwn1 member pwwn2 Zoneset name myzs Zone name zone2 member pwwn3 member pwwn4 Two switches Different zoneset contents Different zone names
  • 30. Connecting Switches via ISLs Two switches after to ISL activation Example – Successful Merge Zoneset name myzs Zone name zone1 member pwwn1 member pwwn2 Zone name zone2 member pwwn3 member pwwn4 Two switches Same(merged) zoneset contents Zoneset name myzs Zone name zone1 member pwwn1 member pwwn2 Zone name zone2 member pwwn3 member pwwn4 ISL - AcXvated
  • 31. Connecting Switches via ISLs Two switches prior to ISL activation Example – Failed Merge Zoneset name myzs Zone name zone1 member pwwn1 member pwwn2 Zoneset name myzs Zone name zone1 member pwwn3 member pwwn4 Two switches Different zoneset contents Same zone name different members
  • 32. Connecting Switches via ISLs Two switches after to ISL activation and isolation Example – Failed Merge Zoneset name myzs Zone name zone1 member pwwn1 member pwwn2 Zoneset name myzs Zone name zone1 member pwwn3 member pwwn4 Two switches Different zoneset contents ISL - Isolated
  • 33. Zoning best practices When zones contain more than 2 members all members are allowed to communicate with each other zone name myzone member alias init1 … member alias init12 member alias target1 member alias target2 Above allows all members to communicate with each other! This can increase cross talk Single Initiator / Single Target zones 12 x I 2 x T I I T T I I I I I I I I I I
  • 34. Zoning best practices • ACL entries for hard zoning result in n*(n-1) entries per zone • Each pair consumes two ACL entries in hardware – Result: n*(n-1) entries per zone • Greatly increased Name Server queries • Zones should contain 2 members: – Initiator – PWWN or Alias – Target – PWWN or Alias – “Single initiator / Single target scheme” 0 2,000 4,000 6,000 8,000 10,000 0 10 20 30 40 50 60 70 80 90 100 Number of ACL Entries Number of Members Number of ACLs Single Initiator / Single Target zones
  • 35. Single Initiator / Single Target Zones • A zoning best practice • Limits each zone to two members – Initiator – PWWN or Alias – Target – PWWN or Alias • Isolates access control and reduces communication – Only the devices that “care” about each other H1 H2 H3 H4 H5 H6 H7 H8 T1 FC Fabric
  • 36. Zoning best practices • Aliases are alternative names for zone members • User Friendly – Administrators can assign a descriptive name to a member or group of members • Simpler Zone Creation – Adding devices to multiple zones can be done with one alias instead of manually adding individual WWNs repetitively • Device Replacement – If a device needs to be replaced, a single alias can be changed instead of changing numerous zones H1 H2 H3 H4 T1 FC Fabric “Fourth_Floor_HR_Servers” Example: The alias “Fourth_Floor_HR_Servers” contains the members Host1_WWN; Host2_WWN Zone Alias
  • 37. Zoning best practices • Be consistent with zone types (try to use WWPN, alias) • Use default zone deny mode – FICON may need to use default zone permit • Back up your zone set periodically • Keep zone object names as concise as possible • Remove zones that are no longer needed • Allow time for zone changes to propagate through the fabric – Do each fabric separately, verify function prior to next fabric Continued…
  • 38. Advances in Zoning • Peer Zoning – Allows a Principal device to communicate with peer devices in the zone. – Peer devices cannot communicate with each other. – Benefits over Single Initiator zoning scheme: • Fewer zones to be created compared to Single Initiator zoning. • Uses less zone database space since one zone can take the place of multiple Single Initiator zones. • No communication between Peer-to-Peer or Principal-to- Principal members. • Optimal hardware resource utilization – Same as single initiator scheme – New in FC-GS-7
  • 39. Peer Zones • Peer Zones are formalized “single initiator / single target” zones • Zones with Principal and Peer members – Connectivity Rules: • Principal member(s) can communicate with all Peer members in the zone. Principal-to- Principal communication is not allowed. • Peer-to-Peer communication is not allowed. – Advantages: • Easier to configure and manage due to requiring fewer zones to be created compared to Single Initiator zoning. • Smaller memory footprint (zone database and hardware) compared to Single Initiator zoning. • More efficient ACL entry usage compared to similar 1-to-Many zoning scheme. • Less RSCN-related traffic compared to similar 1-to-Many zoning scheme. H1 H2 H3 H4 H5 H6 H7 H8 T1 FC Fabric
  • 40. Summary • Zoning provides a secure method of ensuring only certain devices communicate with each other • Zoning database will be uniform throughout fabric switches • Use Single Initiator / Single Target zones whenever possible • Follow other best practices
  • 41. Q & A If you have questions… …We have answers!
  • 42. Fibre Channel and Security August 27, 2019 10:00 am PT/1:00 pm ET Register at: https://www.brighttalk.com/webcast/14967/363593 Our Next FCIA Webcast: 42
  • 43. • Please rate this event – we value your feedback • We will post a Q&A blog at http://fibrechannel.org/ with answers to the questions we received today • Follow us on Twitter @FCIAnews for updates on future FCIA webcasts • Visit our library of FCIA on-demand webcasts at http://fibrechannel.org/webcasts/ to learn about: – Fibre Channel Fundamentals – FC-NVMe – Long Distance Fibre Channel – Fibre Channel Speedmap – FCIP (Extension): Data Protection and Business Continuity – Fibre Channel Performance – FICON – Fibre Channel Cabling – 64GFC After this Webcast 43