CHAPTER 7
Zoning
Zones and zone sets are the basic form of data path security within a Fibre Channel environment. A zone
set is a collection of zones which in turn have individual members in them. Only those members within
the same zone can communicate with each other. A device can be a member of multiple zones and those
devices not in a zone are in the default zone. The policy for the default zone can either be to permit
devices to see each other or to deny devices in the default zone from seeing each other.
This chapter focuses on the creation of zones, zone sets, and ways to manipulate them. It includes the
following sections:
• Zones
• Zone Sets
Zones
In order for two devices to communicate, they must be in the same zone. Valid members of a zone can be:
• Port WWN (pWWN)
• Fibre Channel alias
• FC ID
• FWWN (WWN of a Fibre Channel interface)
• Switch interface (Fibre Channel X/Y)
• Symbolic node name
The three most common types of zone members are pWWN, FC alias, and the switch interface.
Tip We recommend using a pWWN (or a Fibre Channel alias representing a pWWN) for zoning, because it
provides the most security and ties a zone member to a specific HBA rather than to the switch port.
The name that you choose for the zone is very important. Environments use many different naming
schemes, but every name format should provide relevant information about the zone's contents. Names
like Zone1 or TapeZone do not provide sufficient information about their contents.
A zone should contain two members, and the zone name should contain identifiers related to the
two devices, such as Z_testhost_fcaw0_symm13FA3aa. The name may be longer than Z_testhost_hba0,
but should provide enough detailed information about the contents that consulting further documentation
is not necessary.
Send documentation comments to mdsfeedback-doc@cisco.com.
To create a single zone and add it to a zone set using the standalone method, follow these steps:
Step 1 Create the zone, building a zone name that reflects the names of the members.
ca-9506# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
ca-9506(config)# zone name Z_host1_fcaw0_symm78FA03ab vsan 804
ca-9506(config-zone)# member pwwn 22:35:00:0c:85:e9:d2:c2
ca-9506(config-zone)# member pwwn 10:00:00:00:c9:32:8b:a8
Step 4 Finally, to put the zone set into production, activate it using zoneset activate name
ZS_Engr_primary vsan 804. This command activates all the zones in the zone set, not just the one just
added.
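Because activation applies every zone in the zone set, it is worth checking the zone definitions against this chapter's guidance (two members per zone, pWWN or alias members, descriptive names) before running the activate command. The following Python check is an added example, not part of the original Cisco documentation; the name pattern Z_<host>_<hba>_<target>, the TapeZone definition, and interface fc1/1 are assumptions constructed for illustration.

```python
import re

# Member types the chapter's tip ties to a specific HBA rather than a switch port.
# An fcalias is accepted here, but what the alias maps to is not resolved.
HBA_BOUND = {"pwwn", "fcalias"}
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample: the first zone is the one built in this chapter; TapeZone,
# its truncated pWWN and interface fc1/1 are made up to produce findings.
SAMPLE_CONFIG = """\
zone name Z_host1_fcaw0_symm78FA03ab vsan 804
  member pwwn 22:35:00:0c:85:e9:d2:c2
  member pwwn 10:00:00:00:c9:32:8b:a8
zone name TapeZone vsan 804
  member pwwn 22:35:00:0c:85:e9:d2:c2
  member pwwn 10:00:00:00:c9:32:8b
  member interface fc1/1 swwn 20:00:00:0c:85:e9:d2:c0
"""

def parse_zones(config_text):
    """Return {(zone_name, vsan): [(member_type, value), ...]}."""
    zones, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[-1].strip()  # drop a CLI prompt if one is present
        header = re.match(r"zone name (\S+) vsan (\d+)$", line)
        parts = line.split()
        if header:
            current = (header.group(1), int(header.group(2)))
            zones.setdefault(current, [])
        elif current and len(parts) >= 3 and parts[0] == "member":
            zones[current].append((parts[1], " ".join(parts[2:])))
    return zones

def audit(config_text):
    """Return (zone_name, finding) tuples for zones that break the guidance."""
    findings = []
    for (name, _vsan), members in parse_zones(config_text).items():
        # Assumed convention: Z_<host>_<hba>_<target>, i.e. at least four fields.
        if not name.startswith("Z_") or len(name.split("_")) < 4:
            findings.append((name, "name does not identify both members"))
        if len(members) != 2:
            findings.append((name, f"{len(members)} members, expected 2"))
        for mtype, value in members:
            if mtype not in HBA_BOUND:
                findings.append((name, f"{mtype} member is not a pWWN or alias"))
            elif mtype == "pwwn" and not WWN_RE.match(value):
                findings.append((name, f"malformed pWWN {value}"))
    return findings

if __name__ == "__main__":
    for zone, finding in audit(SAMPLE_CONFIG):
        print(f"{zone}: {finding}")
```

The parser also accepts lines copied from a console session, since anything up to the prompt's # is discarded.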
To create a single zone and add it to a zone set using the inline method, follow these steps:
Step 5 Finally, to put the zone set into production, activate the zone set using zoneset activate name
ZS_Engr_primary vsan 804. This command activates all the zones in the zone set, not just the one just
added.
Tip • Aliases are distributed with the full zone set database. Therefore, if zoning is going to be edited on
multiple switches, full zone set distribution should be enabled.
• An alias can be mapped to more than one device; however, we recommend that a one-to-one
mapping be used.
Resources:
Zone set: ZS_Engr_primary
Solaris host1, hba instance fcaw0: 22:35:00:0c:85:e9:d2:c2
Symmetrix 78, FA port 03ab: 10:00:00:00:c9:32:8b:a8
Tip Use interface-based zoning when you need to create a zone prior to connecting the HBA to the fabric.
After connecting the HBA to the fabric, convert the zone member to a pWWN-based member.
To create a zone based on the physical interface of the switch, follow these steps:
Note The sWWN is the switch’s WWN, as displayed by the show wwn switch command:
ca-9506# show wwn switch
Switch WWN is 20:00:00:0c:85:e9:d2:c0
Zone Sets
Zone sets are containers of zones. There are two zone set types on the Cisco MDS 9000 platform:
• Active Zone set—The active zone set provides the rules by which the Cisco MDS 9000 platform
enforces its zoning security policy. The active zone set cannot be modified and is distributed to all
switches in the VSAN. There are specific rules for merging the active zone set when two switches
are connected by an ISL, as set by the Fibre Channel standards.
• Local Zone set—The local zone sets are contained in the full zone set database on the switch. The
zone sets can be edited directly and then activated to become the active zone set. They can optionally
be distributed to other switches, either manually or when a zone set is activated.
Tip You can enable the automatic distribution feature on all switches in the fabric by specifying it in the
initial setup script.