Fibre Channel Zoning – Cisco Describing VSANs and Fibre Channel Zoning

Fibre Channel Zoning

The concept of using zones and zoning is the basic security mechanism in the Fibre Channel Protocol standard. With the many different types of servers and storage devices on the network, the need for security is crucial. For example, if a host were to access a disk that another host is using, potentially with a different operating system, then the data on the disk could become corrupted. Zoning provides security within a single fabric, whether physical or logical, by restricting and controlling the access between initiators and targets. Zoning is very similar to the access control list (ACL) mechanism used throughout IT, as the zones are sets of explicit rules that specify which initiator is allowed to access the resources of which target. Think of an environment with an explicit deny for all communication, in which these rules are then used to allow only very specific communication. In the previous section we discussed VSANs, but here it is important to note that zoning is per switched fabric, and because VSANs are logical switched fabrics, zoning is created and enforced on a per-VSAN basis. This also means that the zoning configuration in one VSAN has nothing to do with the zoning configuration in another VSAN. Here, you can see that the Cisco implementation of the Fibre Channel Protocol actually allows for using two layers to virtualize the physical SAN and to control the communication in more detail. These layers are the VSANs and the zoning.

The goals and benefits of the zoning can be summarized as follows:

  • Zoning provides a means of restricting visibility and connectivity among devices that share the same SAN fabric.
  • The primary goal is to prevent certain devices from accessing other fabric devices.
  • Zoning provides basic device security.

Understanding zoning correctly is important for creating and deploying stable switched fabrics. Oftentimes the “limitations” of the zoning are discussed, with the idea that it is supposed to provide other functions such as load balancing (bandwidth allocation) or redundancy.

Zoning was designed to be a simple and effective security mechanism only! It prevents devices from communicating with other unauthorized devices. That’s it—nothing more, nothing less.

Because of that, I do not like to discuss the “limitations” of the zoning mechanism. Instead, I focus on what it is and how it can be used. When one understands what zoning is, how it is implemented and operates, what its options are, and how to configure and manage it, then the switched fabric is stable and secure.

The specific rules of engagement for the zones are as follows (see Figure 12-4):


Figure 12-4 Fibre Channel Zones

  • The zoning is mandatory in a Fibre Channel switched fabric. It is not optional.
  • Until an initiator and a target belong to a zone, they cannot see each other.
  • The zone is a mapping between initiators and targets.
  • A zone can have one member, no members at all, or multiple members.
  • Zones can be overlapping, which means that an initiator or a target can be a member of multiple different zones.
  • The zoning configuration is per VSAN.

The zoning access control is enforced in two ways:

  • Hard zoning
    • Enforced as access control lists (ACLs) in the hardware of the Fibre Channel port.
    • The ACL rules are applied to the whole data path, which means that these limitations are applied in the hardware of every switch port on the path.
    • The initiator cannot communicate with a wrong target.
    • This is the default mode of operation on Cisco Fibre Channel switches. There is no need to change it to soft zoning.
  • Soft zoning
    • Software-based limitations enforced by the name server.
    • The name server responds to discovery queries only with the devices that are in the zones of the requester.
    • The initiator can still access a target outside its zones if it knows the target's FCID.
    • Soft zoning is not recommended.

Soft zoning relies on the information the name server returns to the end devices when they log in to the fabric and try to discover it. The FCNS returns a list of the devices that the end device is allowed to access, that is, the devices configured to be in the same zones as the end device that sent the query. In other words, the end device knows only of the devices that the name server told it about, and it can communicate with them because it learned their addresses from the FCNS response. This also means that if the FCID of a different target becomes known to this end device, regardless of whether that FCID was in the name server's response, communication will be possible, because nothing else on the path applies the limitations in the zoning configuration.

This is the major reason why soft zoning is not recommended.

With hard zoning, the control is total, as the limitations in the zoning configuration are applied to each of the ports on the communication path between an initiator and a target. They are applied in the silicon of the ports and are enforced on each frame of the communication.
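The rules of engagement above (default deny, per-VSAN zone sets, overlapping and single-member zones) and the difference between hard and soft enforcement can be modelled in a few lines. This is an added illustration, not Cisco code or configuration; the device labels, FCIDs and zone names are constructed, and real zones would list pWWNs rather than labels.

```python
from dataclasses import dataclass, field

@dataclass
class Vsan:
    """One VSAN, i.e. one logical switched fabric with its own zone set."""
    vsan_id: int
    fcids: dict = field(default_factory=dict)   # device label -> FCID assigned at fabric login
    zones: dict = field(default_factory=dict)   # zone name -> set of member labels (pWWNs in practice)

    def same_zone(self, a: str, b: str) -> bool:
        # Default deny: two devices may talk only if at least one zone contains both.
        # Zones may overlap, so a device can appear in several zones.
        return a != b and any(a in members and b in members for members in self.zones.values())

    def name_server_query(self, requester: str) -> dict:
        """Soft zoning: the FCNS answers a discovery query only with devices zoned with the requester."""
        return {dev: fcid for dev, fcid in self.fcids.items() if self.same_zone(requester, dev)}

    def forward_frame(self, src: str, dst_fcid: int, hard_zoning: bool = True) -> bool:
        """True if a frame from src to dst_fcid is delivered.
        Hard zoning: every port on the path checks the (src, dst) pair against the zone ACL per frame.
        Soft zoning: nothing on the data path checks, so any frame to a known FCID gets through."""
        dst = next((dev for dev, fcid in self.fcids.items() if fcid == dst_fcid), None)
        if dst is None:
            return False            # no such FCID in this VSAN
        if not hard_zoning:
            return True             # soft zoning filtered discovery only, not the data path
        return self.same_zone(src, dst)

def demo() -> dict:
    """Constructed VSAN 10: labels, FCIDs and zone names are made up for illustration."""
    v10 = Vsan(vsan_id=10)
    v10.fcids = {"host-A": 0x010001, "host-B": 0x010002, "array-1": 0x020001, "array-2": 0x020002}
    v10.zones = {
        "z_hostA_array1": {"host-A", "array-1"},   # array-1 overlaps: member of two zones
        "z_hostB_array1": {"host-B", "array-1"},
        "z_array2_alone": {"array-2"},             # a one-member zone grants nobody access
    }
    return {
        "A_discovers": sorted(v10.name_server_query("host-A")),
        "A_to_array1_hard": v10.forward_frame("host-A", 0x020001, hard_zoning=True),
        "A_to_array2_hard": v10.forward_frame("host-A", 0x020002, hard_zoning=True),
        # With soft zoning, host-A never learned array-2's FCID from the FCNS, but a frame
        # to that FCID still passes because no port on the path applies the zone rules.
        "A_to_array2_soft": v10.forward_frame("host-A", 0x020002, hard_zoning=False),
    }

if __name__ == "__main__":
    print(demo())
```

A second `Vsan` object with its own `zones` would model another VSAN; nothing in it affects the result for VSAN 10, which is the per-VSAN rule from the list above.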