Zoning

Module 3
Objectives

– Describe
– Basic Zoning
– Traffic Isolation zones
– LSAN zones
– Target Driven Peer Zones

– Understand why zoning is necessary

– Understand why merging fabrics may fail

Confidential – For Training Purposes Only 2

B-series switch zoning

– Fabric-based service that enables partitioning the network into logical groups of devices that can
communicate
– Devices not zoned with another device will not be able to communicate with each other
– Devices not included in an effective zone configuration are inaccessible to all other devices in the fabric
– Devices can be members of multiple zones

Confidential – For Training Purposes Only 3

Types of zones

– Standard zones
– Frame redirection zones
– LSAN zones
– LSAN Peer zones
– Quality of Service zones (QoS zones)
– Traffic Isolation zones (TI zones)
– Peer zones
– Target Driven Peer zones
– For example HPE 3PAR Smart SAN

Confidential – For Training Purposes Only 4

Default zoning mode

– Controls device access if zoning is not implemented or – View the current zone configuration using cfgActvShow
there is no effective zone configuration
– View the current default zone access mode
– All Access – default setting – defzone --show
– All devices with the fabric can communicate with all other
devices – Setting the default to No Access
– defzone –noaccess
– No Access
– cfgsave
– Devices in the fabric cannot access any other device in the
fabric – Setting the default zone to All Access
– All switches in a fabric must have the same setting – defzone –allaccess
– cfgsave
– Switches in large fabrics > 120 devices should set the
default zone to No Access

NOTE: C-series default zoning setting is to deny access

 
H-series default zoning setting is to allow access

Confidential – For Training Purposes Only 5

Zoning example

– The server in the red zone sees only Storage 1

– The server in the blue zone sees Server 2, Storage 2,
and RAID disks
– The server in the green zone sees Storage 1 and RAID
disks
– No server sees Storage 3

Confidential – For Training Purposes Only 6

Zoning naming conventions

– Names must start with an alphabetic character and may contain alphanumeric characters and underscore
– Names are not case-sensitive
– Zone, alias and configuration names cannot begin with
– “bfa_”, “red_”, “lsan_red_”, “d_efault_”
– Zone configuration names cannot begin with the string “r_e_d_i_r_c_fg”

– Normal zone names cannot begin with “bfa_” prefixes or end with “blun_” suffixes
– Recommended character limit of 64 characters
– Duplicate names are not allowed within a zone database

Confidential – For Training Purposes Only 7

Zone database size

– Maximum zone database size is 1 MB

– If the fabric contains only Backbone Chassis platforms the maximum database size is 2 MB
– If Virtual Fabrics is enabled the sum of the zone database sizes on all of the logical fabrics must not
exceed the size allowed for the chassis(1MB)
– Network Advisor Professional the maximum database size without alias is 32 KB
– If it does contain aliases it is less than 32 KB

– cfgsize allows you to monitor and view the size of the zoning database

Confidential – For Training Purposes Only 8

Standard Zoning

Confidential – For Training Purposes Only 9

Standard zoning

– Members
– Identified by the
– Physical port number or port index on the switch (Domain ID, Port)
– Node World Wide Name (N-WWN)
– Port World Wide Name (P-WWN)
– Alias
– Can be a member of multiple Zones

– Members are grouped together in Zones

– Zones are grouped together in configurations
– Multiple configurations can be defined

Confidential – For Training Purposes Only 10

Alias

– A zone alias is a name assigned to a logical group of ports or WWNs

– Simplifies zoning and fabric maintenance
– Created using aliCreate
alicreate “aliasname”, “member [; member…]”

– Adding members to an alias using aliadd

aliadd “aliasname”, “member [; member…]”

– Removing members from an alias using aliremove

aliremove “aliasname”, “member [; member…]”

– Deleting an alias using alidelete

alidelete “aliasname”

– Viewing an alias
– alishow

Confidential – For Training Purposes Only 11

Zones

– Created using zoneCreate

zonecreate "zonename ", "member[; member...]"

– Adding members to an existing zone using zoneAdd

zoneadd "zonename", "member [; member...]"

– Removing members from a zone using zoneRemove

zoneremove "zonename ", "member [; member ...]"

– Replacing zone members using zoneObjectReplace

zoneobjectreplace old wwn/D,I new wwn/D,I

– Deleting a zone using zoneDelete

zonedelete "zonename"

– Viewing a zone using zoneshow

zoneshow

Confidential – For Training Purposes Only 12

Zone Configurations

– Defined Configuration
– Complete set of all zone objects defined in a fabric

– Effective Configuration
– Built when a configuration is enabled
– Only one configuration can be in effect at a time

– Saved configuration
– Copy of the defined configuration plus the name of the effective configuration which is saved in flash memory

– Disabled configuration
– The effective configuration is removed from flash memory
– Is not deleted from the zone database

Confidential – For Training Purposes Only 13

Configurations

– Created using cfgCreate – Deleting a zone configuration using cfgDelete

cfgcreate "cfgname ", "member [; member ...]" – The configuration cannot be deleted if it is in effect

– Adding zones to an existing configuration using cfgAdd cfgdelete “cfgname”

cfgadd “cfgname", "member [; member...]" – Clearing all zone configurations using cfgclear
– Removing members from a configuration using – Will clear all configurations that are defined not in effect
cfgRemove cfgclear
cfgremove “cfgname ", "member [; member ...]" – Viewing all zone configuration information using
– Enabling a configuration using cfgenable cfgShow
cfgenable “cfgname” cfgshow

– Disabling a configuration using cfgDisable

– To enable a new configuration do not disable the
configuration just enable the new configuration
cfgDisable

Confidential – For Training Purposes Only 14

Zone management commands (1 of 5)

B-series switches

Configuration Enabled
definitions configuration

Create
configurations cfgEngMkt
aliCreate ZoneEng
zoneCreate ZoneMkt
cfgCreate

SDRAM
Switch
domain 1 Flash
memory

Confidential – For Training Purposes Only 15

Zone management commands (2 of 5)
cfgEnable “cfgEngMkt”
B-series switches
Configuration Enabled
definitions configuration

cfgEngMkt cfgEngMkt
ZoneEng ZoneEng
ZoneMkt ZoneMkt

SDRAM

Switch
domain 1
Flash
memory
Confidential – For Training Purposes Only 16
Zone management commands (3 of 5)
cfgDisable
B-series switches
Configuration Enabled
definitions configuration

cfgEngMkt cfgEngMkt
ZoneEng ZoneEng
ZoneMkt ZoneMkt

SDRAM

Switch
domain 1
Flash
memory
Confidential – For Training Purposes Only 17
Zone management commands (4 of 5)
cfgclear

B-series switches
Configuration Enabled
definitions configuration

cfgEngMkt
ZoneEng
ZoneMkt

SDRAM

Switch
domain 1
Flash
memory
Confidential – For Training Purposes Only 18
Zone management commands (5 of 5)
cfgSave
B-series switches
Configuration Enabled
definitions configuration

cfgEngMkt cfgEngMkt
ZoneEng ZoneEng
ZoneMkt ZoneMkt Writes “name”
Only to
flash
SDRAM

Switch
domain 1
Flash
memory
Confidential – For Training Purposes Only 19
Creating a configuration example

aliCreate “Alias_Name”,“member”

zoneCreate “Zone_Name”,“Alias_Name_1;Alias_Name_2”

cfgCreate “cfg_Name”,”Zone_Name;Zone_Name”

cfgEnable “cfg_Name”

cfgSave “cfg_Name”

configUpload “host_IP”,“user”,“/file_name”,“password”

Confidential – For Training Purposes Only 20

Zoning enforcement

– Fabric OS uses hardware-enforced zoning

– Each frame is checked by the hardware ASIC before it is delivered to a zone member
– The frame is discarded if there is a zone mismatch
– FOS switch monitors the communications and blocks any frames that do not comply with the effective zone
configuration

– There are two methods of hardware enforcement

– Frame-based hardware enforcement
– All frames are checked by the hardware
– Session-based hardware enforcement
– The only frames check by the hardware are the ELS frames used to establish a session

– The enforcement method is determined by how the zones are configured

– To identify the enforced zone type use portZoneShow

Confidential – For Training Purposes Only 21

Enforcement

– Zones can contain all WWN members or all Domain ID/Port members or a combination
– Frame-based hardware enforcement is in effect if all members of a zone are identified the same way
– Session-based hardware enforcement is in effect if the zone has a mix of WWN and Domain ID/Port
members
– If a port is in multiple zones and is defined by WWN in one zone and Domain/ID in another then session-
based hardware enforcement is in effect.

Confidential – For Training Purposes Only 22

Best Practices

– When zoning a fabric with different releases of FOS zoning tasks should be performed from the latest FOS
– Zone using the core switch is preferred to using an edge switch
– When adding a switch to a fabric the defzone policy should be configured prior to connecting the new
switch.

Confidential – For Training Purposes Only 23

Fabric merging scenarios

Confidential – For Training Purposes Only 24

Merging criteria

– Before the new fabric can successfully merge:

– Defaultzone
– One fabric is all access the other fabric is no access the merge will complete but no access will be in effect
– If both fabrics have the same setting a clean merge will complete
– If one fabric is zoned and the other is not the effective configuration will propagate to the unzoned fabric
– If one fabric is not zoned and set to no access and the other fabric is zoned they will segment
– If one fabric is zoned and the other is not zoned the fabrics will merge and the zone configuration is propagated
– If both fabrics are zoned and are identical they will merge
– If both fabrics are zoned and are not identical they will segment

Confidential – For Training Purposes Only 25

Zone merging scenarios
Defined and Effective Configuration
Description Switch A Switch B Expected results
Switch A has a defined defined:cfg1: zone1: ali1; ali2 defined: none effective: none Configuration from Switch A to
configuration. effective: none propagate throughout the fabric
Switch B does not have a in an inactive state, because the
defined configuration configuration is not enabled.
Switch A has a defined and defined: cfg1zone1: ali1; ali2 defined: cfg1zone1: ali1; ali2 Configuration from Switch A to
effective configuration. Switch B effective: cfg1 effective: none propagate throughout the fabric.
has a defined configuration but The configuration is enabled
no effective configuration. after the merge in the fabric.
Switch A and Switch B have the defined: cfg1zone1: ali1; ali2 defined: cfg1zone1: ali1; ali2 No change (clean merge).
same defined configuration. effective: none effective: none
Neither have an effective
configuration.
Switch A and Switch B have the defined: cfg1zone1: ali1; ali2 defined: cfg1zone1: ali1; ali2 No change (clean merge).
same defined and effective effective: cfg1: effective: cfg1:
configuration.

Confidential – For Training Purposes Only 26

Zone merging scenarios - segmentation

Description Switch A Switch B Expected results

Effective configuration defined: cfg1 zone1: ali1; defined: cfg2 zone2: ali3; Fabric segments due to:
mismatch. ali2 effective: cfg1 ali4 effective: cfg2 Zone Conflict cfg
zone1: ali1; ali2 zone2: ali3; ali4 mismatch
Configuration content defined: cfg1 zone1: ali1; defined: cfg1 zone1: ali3; Fabric segments due to:
mismatch. ali2 effective: irrelevant ali4 effective: irrelevant Zone Conflict content
mismatch
Same name, different effective: zone1: effective: cfg1: Fabric segments due to:
types. MARKETING MARKETING Zone Conflict type
mismatch

Confidential – For Training Purposes Only 27

Traffic Isolation zones

Confidential – For Training Purposes Only 28

Traffic Isolation Zoning

– Allows the administrator to control the flow of the interswitch traffic by creating a dedicated path for traffic
flowing from a specific set of source ports
– Use case:
– Dedicate an ISL to high priority, host to target traffic
– Force high volume, low priority traffic onto a given ISL to limit the effect on the fabric of this high traffic patter
– To ensure that requests and response of FCIP-based applications such as tape pipelining use the same VE_port
tunnel across a metaSAN

– Implemented using a special zone called a Traffic Isolation zone (TI zone)
– TI zone failover
– Can be enabled or disabled
– Disabled guarantees the TI zone traffic uses only the dedicated path
– Enabled allows alternate routes if the dedicated path cannot be used and if you want other traffic to be able to use the
dedicated path if the non-dedicated paths cannot be used

Confidential – For Training Purposes Only 29

General rules for TI zones

– TI zone must include E_Ports and N_Ports that for a complete end to end route from initiator to target
– When an E_Port is a member of a TI zone that E_Port cannot have its index swapped with another port
– An E_Port used in a TI zone should not be a member of more than one TI zone
– If multiple E_Ports are configured on the lowest cost route to a domain, the various source ports for that zone are
load-balanced

– TI zones reside only in the defined configuration, not the effective configuration and must be enabled to
become active
– TI zones only provide traffic isolation and is not a regular zone
– FSPF supports a maximum of 16 paths to a given domain and includes paths in a TI zone
– For any trunk group, all members of the group need to belong to the TI zone

Confidential – For Training Purposes Only 30

TI Zoning Example

– In the example the TI zone consists of the following:

– N_Ports: “1,7”, “1,8:, “4,5”, and “4,6”
– E_Ports: “1,1”, 3,9”, “3,12” and “4,7”
– The dotted line indicates the dedicated path between the
initiator in Domain 1 to the target in Domain 4

– In this illustration, all traffic entering Domain 1 from

N_Ports 7 and 8 is routed through E_Port 1. Similarly,
traffic entering Domain 3 from E_Port 9 is routed to
E_Port 12, and traffic entering Domain 4 from E_Port 7
is routed to the devices through N_Ports 5 and 6. Traffic
coming from other ports in Domain 1 would not use
E_Port 1, but would use E_Port 2 instead

Confidential – For Training Purposes Only 31

Rules for creating Fabric-level TI zones

– Include all EX-Ports connected to the two edge fabrics

– Include E_Ports for the path between the backbone switches
– Do not include E_Ports from the edge fabrics
– Do not include device PWWNs
– Ensure that failover is enabled

Confidential – For Training Purposes Only 32

Fabric-level traffic isolation

– Uses the zone command

– Example: to create a single TI zone for all paths
switch:admin> zone --create -t ti TI_Zone_ALL -p "20,3; 20,4; 20,5; 20,6; 30,7; 30,8; 30,9 30,10“

‒ To activate the TI zone use cfgactvshow then cfgenable “current effective configuration”

Confidential – For Training Purposes Only 33

Creating a separate TI zone for each path

‒ Example: to create a separate TI zone for each path

switch:admin> zone --create -t ti TI_Zone_Red -p "20,5; 20,3; 30,7; 30,9"
switch:admin> zone --create -t ti TI_Zone_Blue -p "20,6; 20,4; 30,8; 30,10"

‒ To activate the TI zone use cfgactvshow then cfgenable “current effective configuration”

Confidential – For Training Purposes Only 34

Example, enabling a TI zone

switch:admin> cfgactvshow zone config "name" is in effect

Effective configuration: Updating flash ...

cfg: <current effective configuration> switch:admin>

... Switch:admin> zone --show

switch:admin> cfgenable <current effective Defined TI zone configuration:

configuration>
TI Zone Name: TI_Zone_ALL
You are about to enable a new zoning
configuration. Port List: 20,3; 20,4; 20,5; 20,6; 30,7; 30,8;
30,9; 30,10
This action will replace the old zoning
configuration with the current configuration Configured Status: Activated / Failover-Enabled
selected. If the update includes changes to one
Enabled Status: Activated / Failover-Enabled
or more traffic isolation zones, the update may
result in localized disruption to traffic on
ports associated with the traffic isolation zone
changes Do you want to enable ’TI_Config’
configuration (yes, y, no, n): [no] y

Confidential – For Training Purposes Only 35

Limitations and restrictions

– Maximum 255 TI zones in a fabric with Fabric OS 6.1.0 or later

– Maximum 239 TI zones in a fabric with Fabric OS 6.0.x
– Port swapping is not permitted in TI zones
– TI zones with member of a port index greater than 511 are not supported with Fabric OS versions earlier
than v6.4.0.
– Not prevented but behavior is unpredictable

– When merging switches TI zones are not automatically activated after the merge
– Ports in different TI zones cannot communicate with each other if failover is disabled
– TI zone members in multiple TI zones must have the same failover policy on each TI zone

Confidential – For Training Purposes Only 36

LSAN zones

Confidential – For Training Purposes Only 37

LSAN zoning

– Consist of zones in two or more fabrics that contain the

same devices
– Provides selective device connectivity between fabrics
without merging the fabrics
– In the metaSAN example:
– 3 FC routers in the backbone and each router connects to an
edge fabric
– LSAN zones communicate between edge fabric 1 and edge
fabric 2
– LSAN zones communicate between edge fabric 2 and edge
fabric 3
– There is no communication between edge fabric 1 and edge
fabric 3
– LSAN_21_Fab is configured on edge fabric 1 and 2
– LSAN_23fabrics is configured on edge fabric 2 and 3

Confidential – For Training Purposes Only 38

Creating a simple LSAN configuration (1 of 2)

– Fabric 1 contains a host that will be connecting to 2 – Add the LSAN to the zone configuration
target devices in Fabric 2 – cfgadd “zone_cfg”, “lsan_zone_fabric75”
– Host has WWN 10:00:00:00:c9:2b:c9:0c (connected to
Fabric1) – Enable the configuration
– Target A has WWN 50:05:07:61:00:5b:62:ed (connected to – cfgenable “zone_cfg”
Fabric2)
– Target B has WWN 50:05:07:61:00:49:20:b4 (connected to
Fabric2) – On Fabric 2

– On Fabric1 – Use zonecreate to create the LSAN zone

zonecreate "lsan_zone_fabric2",
– use zonecreate to create the LSAN zone
"10:00:00:00:c9:2b:c9:0c;
zonecreate "lsan_zone_fabric75", 50:05:07:61:00:5b:62:ed;50:05:07:61:00:49:20:b4“
“10:00:00:00:c9:2b:c9:0c;50:05:07:61:00:5b:62:ed”
switch:admin> cfgadd "zone_cfg",
"lsan_zone_fabric2“
switch:admin> cfgenable "zone_cfg"

Confidential – For Training Purposes Only 39

Creating a simple LSAN configuration (2 of 2)

– Connect to the router or switch with the EX_port or VEX_port and verify using lsanzoneshow –d
switch:admin> lsanzoneshow -d
Fabric ID: 2 Zone Name: lsan_zone_fabric2
10:00:00:00:c9:2b:c9:0c Imported from FID 75
50:05:07:61:00:5b:62:ed EXIST in FID 2
50:05:07:61:00:49:20:b4 EXIST in FID 2
Fabric ID: 75 Zone Name: lsan_zone_fabric75
10:00:00:00:c9:2b:c9:0c EXIST in FID 75
50:05:07:61:00:5b:62:ed Imported from FID 2

Confidential – For Training Purposes Only 40

Target Driven Peer Zoning

Confidential – For Training Purposes Only 41

Target driven peer zones

– Configured in a fabric through a target

– Only configured through target members attached to the fabric
– Supports only WWN member types and one principal member
– Is not configured from switch management
– Can be configured on a fabric with standard zones
– Uses a third-party management interface for managing device and switch interaction
– Target driven zoning must be enabled on the F-Port that connects the principal device to the fabric
– HPE implements this with the HPE 3PAR Smart SAN feature
– Requires 3PAR OS 3.2.2 or higher
– Requires HPE Smart SAN license on the array
– Requires a support host OS and HBA

Confidential – For Training Purposes Only 42

Example exercises

Confidential – For Training Purposes Only 43

Zoning example 1

– ConfigG is enabled with Zone1 and Zone3

Host A Host B
– Zones defined on the fabric are:
– Zone1: 6, 0; 6, 3 3 3
– Zone2: 6, 7; 6, 15 Switch ID 6 8 8 Switch ID 7
– Zone3: 7, 0; 7, 3 7 0 15 7 0 15
– Zone4; 7, 7; 7, 15

– What devices can Host A see? Nearline Nearline

Storage- 3PAR Storage- 3PAR
– What devices can Host B see? 1 XP7 2 XP7
-1 -2
-1 -2

Confidential – For Training Purposes Only 44

Zoning example 2

– ConfigG is enabled on fabric ID 6 with

Zone1 and Zone2 Host A Host B
– Zones defined on the fabric ID 6 are:
3 3
– Zone1: 6, 0; 6, 3 Switch ID 6 Switch ID 7
– Zone2: 6, 7; 6, 15 7 0 15 7 0 15
– The default zone is enabled on fabric ID 7
– What devices can Host A see? Nearline Nearline
Storage- 3PAR Storage- 3PAR
– What devices can Host B see? 1 XP7 2 XP7
-1 -2
-1 -2

Confidential – For Training Purposes Only 45

Zoning example 3

– ConfigG is enabled on fabric ID 6 with

Zone1 and Zone2 Host A Host B
– Zones defined on the fabric ID 6 are:
3 3
– Zone1: 6, 0; 6, 3 Switch ID 6 8 8 Switch ID 7
– Zone2: 6, 7; 6, 15 7 0 15 7 0 15
– The default zone is enabled on fabric ID 7
– An ISL is connected between the switches Nearline Nearline
Storage- 3PAR Storage- 3PAR
– Does the fabric merge? 1 XP7 2 XP7
-1 -2
– What devices can Host A see? -1 -2
– What devices can Host B see?

Confidential – For Training Purposes Only 46

Zoning example 4

– ConfigG is enabled on Fabric ID 6 with

Zone1, Zone2, Zone3, Zone4 Host A Host B
– Zone1: 6, 0; 6, 3
3 3
– Zone 2: 6, 3; 6, 7
Switch ID 6 Switch ID 7
– Zone3: 6, 3; 6, 15
7 0 15 7 0 15
– Zone4: 6, 7; 6, 15

– ConfigB is enabled on Fabric ID 7 with

Zone1, Zone2, Zone3 and Zone4 Nearline Nearline
Storage- 3PAR Storage- 3PAR
– Zone1: 7, 0; 7, 3 1 XP7 2 XP7
-1 -2
– Zone2: 7, 3; 7, 7 -1 -2
– Zone3: 7, 3; 7, 15
– Zone4; 7, 7; 7, 0

– Backup jobs are failing to complete on

3PAR-1 and XP7-2 Why?

Confidential – For Training Purposes Only 47

Zoning example 5
– ConfigG is enabled on Fabric ID 6 with Zone1,
Zone2, Zone3, Zone4
– Zone1: 6, 0; 6, 3
Host A Host B
– Zone 2: 6, 3; 6, 7
– Zone3: 6, 3; 6, 15 3 3
– Zone4: 6, 7; 6, 15 Switch ID 6 8 8 Switch ID 7
– ConfigB is enabled on Fabric ID 7 with Zone1, 7 0 15 7 0 15
Zone2, Zone3 and Zone4
– Zone1: 7, 0; 7, 3
– Zone2: 7, 3; 7, 7 Nearline Nearline
– Zone3: 7, 3; 7, 15
Storage- 3PAR Storage- 3PAR
1 -1 XP7 2 -2 XP7
– Zone4; 7, 7; 7, 0
-1 -2
– An ISL is connected

– Does the fabric merge?

– What devices does Host A see?

– What devices does Host B see?

Confidential – For Training Purposes Only 48

Activity

Lab 6 Zoning a fabric using Web Tool

Lab 7 Zoning a fabric using Network Advisor
Lab 8 Zoning a fabric using CLI

Confidential – For Training Purposes Only 49

Thank you
Confidential – For Training Purposes Only 50