Zoning Configuration
The configuration of the zoning on the Cisco MDS and Nexus switches is specific to Cisco’s implementation of the Fibre Channel Protocol, and even though it is based on the Fibre Channel Protocol standard, there’s still the need to have a more flexible approach that also considers features such as the VSANs—something that did not exist on other FCP-capable switches until recently.
The zone is a list of members that are allowed to communicate with each other. Because the zone is effectively an ACL made of permit statements, when members are added, the system generates as many permit rules as are needed to cover every possible pairing of the members. The formula for the number of ACL entries as a function of the number of members (n) is n*(n-1). This means that if there are eight initiators and one target, the switch has to generate 72 ACL entries. This is a large number, and it consumes a lot of the switch's resources. By comparison, if a zone has one initiator and one target as members, the same formula shows that only two ACL entries are needed. If you take the first example of eight initiators and one target and convert that zone into eight separate one-to-one zones, one per initiator, with the target belonging to all of them, you have two ACL entries per zone and eight zones, for a total of 16 entries, which is significantly fewer than 72. Also, in the zone with eight initiators and one target, most of the permit entries control communication between initiators, which is a waste of resources. That is why the recommendation is always to use multiple one-to-one zones rather than a few zones with many members each. It is also true that in data centers with a huge number of initiators and targets, this approach can be an administrator's nightmare. To help solve this challenge, Cisco has implemented a feature called Smart Zoning, but it is not covered in this book.
Here are the two main approaches to creating zones:
- Multi-initiator, single target: The addresses of multiple initiators and the address of a single target are placed in the same zone. Multiple devices (initiators) are able to access the same target. The drawback is that each such zone generates more ACLs, which results in more hardware resources being used.
- Single-initiator, single target: The address of a single initiator and the address of a single target are placed in the same zone. A single device (initiator) is able to access a single target. This results in optimal hardware resource utilization, but it’s an administrator’s nightmare in environments with a huge number of end nodes.
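The following script is an added example, not code from the book or from Cisco: it applies the n*(n-1) rule above to both zoning approaches and renders the single-initiator/single-target layout in the MDS CLI syntax used later in this chapter. The target and the first initiator WWPN are the ones from Example 12-7; the other seven initiator WWPNs and the zone and zoneset names are constructed for the example.

```python
"""
Added example, not code from the book: estimate how many ACL entries a
zone layout costs using the n*(n-1) rule, and render the
single-initiator/single-target layout in MDS CLI syntax.

Constructed data: the first initiator and the target are the WWPNs from
Example 12-7; the other seven initiator WWPNs are made up. Zone and
zoneset names are hypothetical.
"""
from typing import Dict, List

TARGET = "21:00:00:11:0d:40:af:00"
INITIATORS = ["21:00:f4:e9:d4:58:d7:88"] + [
    f"21:00:f4:e9:d4:58:d7:{n:02x}" for n in range(0x89, 0x90)  # constructed
]
VSAN = 999


def acl_entries(member_count: int) -> int:
    """Permit entries a zone with n members expands to: n*(n-1)."""
    return member_count * (member_count - 1)


def plan_zones(initiators: List[str], target: str, single_initiator: bool,
               zone_prefix: str = "Zone999") -> Dict[str, List[str]]:
    """Return {zone_name: [member pwwns]} for one of the two approaches.

    single_initiator=False puts every initiator and the target in one zone;
    single_initiator=True creates one two-member zone per initiator.
    """
    if single_initiator:
        return {f"{zone_prefix}_{i:02d}": [init, target]
                for i, init in enumerate(initiators, start=1)}
    return {zone_prefix: list(initiators) + [target]}


def total_acl_entries(zones: Dict[str, List[str]]) -> int:
    """Sum of the per-zone ACL cost, which is what the switch must program."""
    return sum(acl_entries(len(members)) for members in zones.values())


def render_cli(zones: Dict[str, List[str]], zoneset_name: str, vsan: int) -> str:
    """Emit the zone, zoneset and activation commands in the order the
    chapter uses them (global configuration mode is assumed)."""
    lines = []
    for zone_name, members in zones.items():
        lines.append(f"zone name {zone_name} vsan {vsan}")
        lines.extend(f"  member pwwn {pwwn}" for pwwn in members)
    lines.append(f"zoneset name {zoneset_name} vsan {vsan}")
    lines.extend(f"  member {zone_name}" for zone_name in zones)
    lines.append(f"zoneset activate name {zoneset_name} vsan {vsan}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, single in (("multi-initiator", False), ("single-initiator", True)):
        zones = plan_zones(INITIATORS, TARGET, single)
        print(f"{label}: {len(zones)} zone(s), {total_acl_entries(zones)} ACL entries")
    print(render_cli(plan_zones(INITIATORS, TARGET, True), "ZoneSet999", VSAN))
```

Running it reports 1 zone with 72 entries for the multi-initiator layout and 8 zones with 16 entries for the single-initiator layout, and prints the commands for the latter so they can be reviewed before being pasted into a switch.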
The members are added using one of the following identities:
- WWN address (usually the WWPN).
- FCID.
- IP address (iSCSI).
- Symbolic node name.
- Device alias or Fibre Channel alias. (The Cisco MDS switches have the option to specify an alias (an administrator-friendly name) that maps to the WWPN of the end node.)
When the needed zones are created, they are combined into a group, which is called a zoneset. On a switch there can be multiple zonesets, each containing different zones with different configuration. The group of all the zonesets that exist on a switch is called a full zoneset. Figure 12-5 illustrates the difference between a full zoneset and an active zoneset.
Figure 12-5 Fibre Channel Full and Active Zonesets
The next step is to enforce one of the zonesets. This is called “activating a zoneset.” A copy of this zoneset is created that is read-only; in other words, it cannot be modified. The copy is sent to all the switches that have ports belonging to the same VSAN. The ACL rules from the zones in this zoneset are applied to the silicon of the ports on the switches. Only one zoneset can be active per VSAN.
When there is a need to modify the active zoneset, changes are made in the original zoneset (that is, the one that was activated). As you’ll remember, the active zoneset is a copy, which means that for the changes to be enforced, a new activation is required. Then the modified zoneset will be activated, and the currently active one will be deactivated.
This also means that if one zoneset has been activated and then you activate another zoneset, the same thing will happen—the currently active zoneset will be deactivated and the new one will become active.
To configure the zoning, your first task is to create the needed zones, and for that you need to know the identities of the members you want to add to the zones. You will be working with VSAN 999, and to find the initiators and targets in it, you use the sh fcns data vsan 999 command, as shown in Example 12-7.
Example 12-7 Output from the FCNS Command for a Specific VSAN
mds-9200-a(config)# sh fcns data vsan 999
VSAN 999:
--------------------------------------------------------------------------
FCID        TYPE  PWWN                    (VENDOR)        FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0x0c0000    N     21:00:f4:e9:d4:58:d7:88                 scsi-fcp:init
0x360000    N     21:00:00:11:0d:40:af:00                 scsi-fcp:target
Total number of entries = 2
mds-9200-a(config)#
There is one initiator and one target in this VSAN.
You can check the current zoning configuration as follows:
mds-9200-a(config)# show zone vsan 999
Zone not present
mds-9200-a(config)# show zoneset vsan 999
Zoneset not present
mds-9200-a(config)#
There is no zoning-related configuration for VSAN 999. This also means that the initiator and the target cannot see each other and communicate.
Once you make sure you have the correct initiator and target, the next step is to create a zone. You will have to specify a name for the zone as well as the VSAN to which it will belong:
mds-9200-a(config)# zone name Zone999 vsan 999
mds-9200-a(config-zone)#
This will take you into the zone configuration submode. Here you can add the members. The identity options for adding members are shown in the output of Example 12-8.
Example 12-8 Different Options to Define the Member
mds-9200-a(config-zone)# member ?
device-alias Add device-alias member to zone
domain-id Add member based on domain-id,port-number
fcalias Add fcalias to zone
fcid Add FCID member to zone
fwwn Add Fabric Port WWN member to zone
interface Add member based on interface
ip-address Add IP address member to zone
pwwn Add Port WWN member to zone
symbolic-nodename Add Symbolic Node Name member to zone
Based on the output of the show fcns database vsan 999 command, the WWPNs are known for the initiator and the target. They will be added as members of this zone:
mds-9200-a(config-zone)# member pwwn 21:00:f4:e9:d4:58:d7:88
mds-9200-a(config-zone)# member pwwn 21:00:00:11:0d:40:af:00
mds-9200-a(config-zone)#
Verify that the zone is created with the show zone vsan X command:
mds-9200-a(config-zone)# show zone vsan 999
zone name Zone999 vsan 999
  pwwn 21:00:f4:e9:d4:58:d7:88
  pwwn 21:00:00:11:0d:40:af:00
mds-9200-a(config-zone)#
At this stage, a zone has been created. In order for you to work with it, it needs to become a member of a zoneset; even if there is only a single zone, it still needs to be in a zoneset. When a zoneset is created, a name and the VSAN need to be specified:
mds-9200-a(config)# zoneset name ZoneSet999 vsan 999
mds-9200-a(config-zoneset)#
Now you can add the zone as a member of the zoneset:
mds-9200-a(config-zoneset)# member Zone999
mds-9200-a(config-zoneset)#
Next, verify that the zoneset is created and the zone is a member of it:
mds-9200-a(config)# sh zoneset vsan 999
zoneset name ZoneSet999 vsan 999
  zone name Zone999 vsan 999
    pwwn 21:00:f4:e9:d4:58:d7:88
    pwwn 21:00:00:11:0d:40:af:00
mds-9200-a(config)#
So far, a zone has been created and members have been added to it. Then, this zone was added as a member of the newly created zoneset. However, is it active in the VSAN? To check, use the following command:
mds-9200-a(config)# show zoneset active vsan 999
Zoneset not present
mds-9200-a(config)#
There is no currently active zoneset for VSAN 999. To activate the zoneset you just created, use the following command:
mds-9200-a(config)# zoneset activate name ZoneSet999 vsan 999
Zoneset activation initiated. check zone status
mds-9200-a(config)#
2021 Oct 9 17:40:51 mds-9200-a %ZONE-2-ZS_ZONE_SET_ACTIVATED: %$VSAN 999%$ Zoneset ZoneSet999 activated
mds-9200-a(config)#
The switch also informs you that the zoneset was activated. Now, let’s verify it on both the switches that communicate in VSAN 999 (see Example 12-9).
Example 12-9 Zoning Verification on Both Switches
mds-9200-a(config)# sh zoneset active vsan 999
zoneset name ZoneSet999 vsan 999
zone name Zone999 vsan 999
* fcid 0x0c0000 [pwwn 21:00:f4:e9:d4:58:d7:88]
* fcid 0x360000 [pwwn 21:00:00:11:0d:40:af:00]
mds-9200-a(config)#
mds-9100-a(config)# sh zoneset active vsan 999
zoneset name ZoneSet999 vsan 999
zone name Zone999 vsan 999
* fcid 0x0c0000 [pwwn 21:00:f4:e9:d4:58:d7:88]
* fcid 0x360000 [pwwn 21:00:00:11:0d:40:af:00]
mds-9100-a(config)#
From this output, you can come to a few conclusions:
- The zoneset is active on the switch mds-9200-a.
- The zoneset was copied and then sent to and enforced on the switch mds-9100-a, even though no zoning configuration was performed on it.
- On the mds-9100-a switch, the full zoneset is empty, as no zoning configuration was performed on it. It only has a copy of the zoneset that was activated on the other switch.
mds-9100-a(config)# sh zoneset vsan 999
Zoneset not present
mds-9100-a(config)#
- An asterisk (*) appears in front of the members in the zone in the active zoneset, which means that the members are connected and online in the VSAN and the zone. They will be able to communicate with each other.
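As an added example (not the book's or Cisco's code), the script below parses the two outputs the verification relies on, show fcns database and show zoneset active, and reports for each active zone which members are offline (no asterisk), which are unknown to the name server, and whether the zone keeps to one initiator. The name-server rows and the first zone are taken from Examples 12-7 and 12-9; the second zone and its second member are constructed so that an offline member appears in the report. The regular expressions assume the output layout shown in those examples.

```python
"""
Added example, not the book's code: parse 'show fcns database' and
'show zoneset active' output and audit each active zone for members that
are offline, unknown to the name server, or break the one-initiator rule.

Constructed sample text: the name-server rows and the first zone mirror
Examples 12-7 and 12-9; the second zone and its second member (a made-up
WWPN with no name-server entry and no asterisk) exist only to show how an
offline member is reported.
"""
import re
from typing import Dict

WWPN = r"(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}"
FCNS_ROW = re.compile(rf"^\s*(0x[0-9a-fA-F]{{6}})\s+\S+\s+({WWPN})(.*)$")
ZONE_HDR = re.compile(r"^\s*zone name (\S+) vsan (\d+)")
MEMBER = re.compile(rf"^\s*(\*?)\s*(?:fcid\s+0x[0-9a-fA-F]{{6}}\s+\[)?pwwn\s+({WWPN})")

FCNS_TEXT = """\
VSAN 999:
--------------------------------------------------------------------------
FCID        TYPE  PWWN                    (VENDOR)        FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0x0c0000    N     21:00:f4:e9:d4:58:d7:88                 scsi-fcp:init
0x360000    N     21:00:00:11:0d:40:af:00                 scsi-fcp:target
Total number of entries = 2
"""

ACTIVE_TEXT = """\
zoneset name ZoneSet999 vsan 999
  zone name Zone999 vsan 999
  * fcid 0x0c0000 [pwwn 21:00:f4:e9:d4:58:d7:88]
  * fcid 0x360000 [pwwn 21:00:00:11:0d:40:af:00]
  zone name Zone999_constructed vsan 999
  * fcid 0x360000 [pwwn 21:00:00:11:0d:40:af:00]
    pwwn 21:00:f4:e9:d4:58:d7:99
"""


def parse_fcns(text: str) -> Dict[str, str]:
    """Map pwwn -> role taken from the FC4-TYPE:FEATURE column ('init', 'target', ...)."""
    roles = {}
    for line in text.splitlines():
        m = FCNS_ROW.match(line)
        if not m:
            continue
        pwwn, tail = m.group(2), m.group(3).split()
        feature = tail[-1] if tail else ""
        roles[pwwn] = feature.split(":")[-1]  # 'scsi-fcp:init' -> 'init'
    return roles


def parse_active(text: str) -> Dict[str, Dict[str, bool]]:
    """Map zone name -> {pwwn: online}; an asterisk marks an online member."""
    zones, current = {}, None
    for line in text.splitlines():
        hdr = ZONE_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            zones[current] = {}
            continue
        m = MEMBER.match(line)
        if m and current is not None:
            zones[current][m.group(2)] = m.group(1) == "*"
    return zones


def audit(fcns_text: str, active_text: str) -> Dict[str, dict]:
    """Per-zone report combining the name-server roles with the active zoneset."""
    roles = parse_fcns(fcns_text)
    report = {}
    for zone, members in parse_active(active_text).items():
        n = len(members)
        initiators = [p for p in members if roles.get(p) == "init"]
        report[zone] = {
            "members": n,
            "acl_entries": n * (n - 1),
            "initiators": len(initiators),
            "targets": sum(1 for p in members if roles.get(p) == "target"),
            "offline": sorted(p for p, online in members.items() if not online),
            "not_in_fcns": sorted(p for p in members if p not in roles),
            "single_initiator": len(initiators) <= 1,
        }
    return report


if __name__ == "__main__":
    for zone, info in audit(FCNS_TEXT, ACTIVE_TEXT).items():
        print(zone, info)
```

For Zone999 the report shows both members online and one initiator with one target; for the constructed zone it lists the made-up WWPN as both offline and absent from the name server, which is the case an administrator would want to chase before assuming the zone is working.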
This is the flow of configuring zoning on the Cisco MDS/Nexus switches. The configuration was performed in basic zone mode for VSAN 999.
To see the attributes and settings for the zoning in a VSAN, use the sh zone status vsan 999 command, as shown in Example 12-10.
Example 12-10 Verifying the Status of a Zone
mds-9200-a(config)# sh zone status vsan 999
VSAN: 999 default-zone: deny distribute: active only Interop: default
mode: basic
merge-control: allow
session: none
hard-zoning: enabled broadcast: unsupported
smart-zoning: disabled
rscn-format: fabric-address
activation overwrite control: disabled
Default zone:
qos: none broadcast: unsupported ronly: unsupported
Full Zoning Database :
DB size: 236 bytes
Zonesets: 1 Zones: 1 Aliases: 0
Active Zoning Database :
DB Size: 64 bytes
Name: ZoneSet999 Zonesets: 1 Zones: 1
Current Total Zone DB Usage: 300 / 2097152 bytes (0 % used)
Pending (Session) DB size:
Full DB Copy size: n/a
Active DB Copy size: n/a
SFC size: 300 / 2097152 bytes (0 % used)
Status: Activation completed at 17:40:51 UTC Oct 9 2021
mds-9200-a(config)#
When the zoning for a VSAN is set to basic mode, the configuration can be changed simultaneously from any switch in this VSAN, and different zonesets can be activated simultaneously from different switches. This can cause a serious misconfiguration, which can also lead to a loss of data.
To avoid such a situation and to address full zoneset database consistency across the switches, you can use enhanced zone mode. In this mode, you perform all configurations within a single configuration session. When a session begins, the switch advertises a lock to all switches in the entire fabric for the specific VSAN. The lock does not allow any zoning configuration for this VSAN to be performed on any other switch in the same VSAN. Once you have finished with the configuration and are sure it is correct, you need to perform a commit with the zone commit vsan command. The commit will write the configuration to the local full zoneset database and will synchronize it with the rest of the switches. This approach ensures consistency within the fabric.
In basic zoning, even with distribute full enabled, it is possible that the full zone database is different among switches. With enhanced zoning, it is not possible to change only the local full zoning database, as shown in Figure 12-6.
Figure 12-6 Enhanced Zone Mode
To change the zone mode, use the zone mode enhanced vsan 999 command, as shown in Example 12-11.
Example 12-11 Enabling Enhanced Zoning for a Specific VSAN
mds-9200-a(config)# zone mode enhanced vsan 999
WARNING: This command would distribute the zoning database of this switch throughout the fabric. Do you want to continue? (y/n) [n] y
Set zoning mode command initiated. Check zone status
mds-9200-a(config)# 2021 Oct 9 18:09:23 mds-9200-a %ZONE-2-ZS_ZONE_SET_ACTIVATED: %$VSAN 999%$ Zoneset ZoneSet999 activated
2021 Oct 9 18:09:23 mds-9200-a %ZONE-2-ZS_POLICY_CHANGE: %$VSAN 999%$ Default zoning policy changed to deny
You can verify this using the command shown in Example 12-12.
Example 12-12 Verify the Enhanced Zoning
mds-9200-a(config)# sh zone status vsan 999
VSAN: 999 default-zone: deny distribute: full Interop: default
mode: enhanced
merge-control: allow
session: none
hard-zoning: enabled broadcast: unsupported
smart-zoning: disabled
rscn-format: fabric-address
activation overwrite control: disabled
SFC size: 0 / 2097152 bytes (0 % used)
Status: Set zoning mode complete at 18:09:23 UTC Oct 9 2021
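The difference between Example 12-10 and Example 12-12 is easy to miss when reading the output by eye, so the following added example (not code from the book or from Cisco) parses the attribute lines of show zone status and lists every setting that differs from an expected policy. The two sample outputs are the book's Examples 12-10 and 12-12 trimmed to their attribute lines; the EXPECTED policy (enhanced mode, default-zone deny, full distribution, hard zoning enabled) is this example's own choice and the parser assumes the key: value layout shown in those examples.

```python
"""
Added example, not the book's code: parse the attribute lines of
'show zone status vsan N' and report which settings differ from a policy
the administrator expects.

The two samples are the chapter's Examples 12-10 (basic mode) and 12-12
(enhanced mode), trimmed to the attribute lines. The EXPECTED policy is
this example's own choice and is not something the book prescribes.
"""
import re
from typing import Dict, List

KEYS = ["VSAN", "default-zone", "distribute", "Interop", "mode", "merge-control",
        "session", "hard-zoning", "broadcast", "smart-zoning", "rscn-format",
        "activation overwrite control"]
_KEY_ALT = "|".join(re.escape(k) for k in KEYS)
# Several key: value pairs may share one line, and a value may contain
# spaces ("active only"), so each value runs until the next known key.
ATTR = re.compile(rf"(?<![\w-])({_KEY_ALT}):\s*(.*?)(?=\s+(?:{_KEY_ALT}):|\s*$)")

EXPECTED = {
    "mode": "enhanced",        # changes happen in a fabric-locked session and need a commit
    "default-zone": "deny",    # devices not in any active zone cannot talk
    "distribute": "full",      # full zoneset database is propagated, not only the active one
    "hard-zoning": "enabled",  # enforced in the port hardware, not only via name-server replies
}

BASIC_STATUS = """\
VSAN: 999 default-zone: deny distribute: active only Interop: default
mode: basic
merge-control: allow
session: none
hard-zoning: enabled broadcast: unsupported
smart-zoning: disabled
rscn-format: fabric-address
activation overwrite control: disabled
Default zone:
qos: none broadcast: unsupported ronly: unsupported
Status: Activation completed at 17:40:51 UTC Oct 9 2021
"""

ENHANCED_STATUS = """\
VSAN: 999 default-zone: deny distribute: full Interop: default
mode: enhanced
merge-control: allow
session: none
hard-zoning: enabled broadcast: unsupported
smart-zoning: disabled
rscn-format: fabric-address
activation overwrite control: disabled
SFC size: 0 / 2097152 bytes (0 % used)
Status: Set zoning mode complete at 18:09:23 UTC Oct 9 2021
"""


def parse_zone_status(text: str) -> Dict[str, str]:
    """Return lower-cased attribute names mapped to their values.

    Parsing stops at the 'Default zone:' block so that its own 'broadcast'
    line does not overwrite the VSAN-level value.
    """
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip().startswith("Default zone:"):
            break
        for m in ATTR.finditer(line):
            attrs.setdefault(m.group(1).lower(), m.group(2).strip())
    return attrs


def check(text: str, expected: Dict[str, str] = EXPECTED) -> Dict[str, object]:
    """Compare the parsed attributes with the expected policy."""
    attrs = parse_zone_status(text)
    findings: List[str] = [
        f"{key} is '{attrs.get(key, '<missing>')}', expected '{value}'"
        for key, value in expected.items() if attrs.get(key) != value
    ]
    if attrs.get("session") not in (None, "none"):
        findings.append(f"an uncommitted session is open: {attrs['session']}")
    return {"vsan": attrs.get("vsan"), "findings": findings, "attrs": attrs}


if __name__ == "__main__":
    for label, sample in (("basic", BASIC_STATUS), ("enhanced", ENHANCED_STATUS)):
        result = check(sample)
        print(f"VSAN {result['vsan']} ({label}): {result['findings'] or 'policy met'}")
```

Against the basic-mode output the check reports two findings (mode is basic and distribution is active only); against the enhanced-mode output it reports none. Feeding it the output of every switch in the fabric is a quick way to confirm that the mode change was applied everywhere and that no switch still has a session open.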