Fibre Channel zoning
Encyclopedia
In storage networking, Fibre Channel zoning is the partitioning of a Fibre Channel fabric into smaller subsets to restrict interference, add security, and to simplify management. While a SAN
makes available several virtual disks (LUNs), each system connected to the SAN should only be allowed access to a controlled subset of the LUNs. Zoning applies only to the switched fabric
topology (FC-SW), it does not exist in simpler Fibre Channel topologies.
Zoning is sometimes confused with LUN masking
, because it serves the same goals. LUN masking, however, works on Fibre Channel level 4 (i.e. on SCSI
level), while zoning works on level 2. This allows zoning to be implemented on switches, whereas LUN masking is performed on endpoint devices - host adapter
s or disk array controller
s.
Zoning is also different from VSAN
s, in that each port can be a member of multiple zones, but only one VSAN. VSAN (similarly to VLAN) is in fact a separate network (separate sub-fabric), with its own fabric services (including its own separate zoning).
.
In contrast, hard zoning restricts actual communication across a fabric. This requires efficient hardware implementation (frame filtering) in the fabric switches, but is much more secure.
(WWN). With port zoning, even when a device is unplugged from a switch port and a different one is plugged in, the new device has access to the zone instead of the old one - i.e. the fact that a device's WWN changed is ignored. With WWN zoning, when a device is unplugged from a switch port and plugged into a different port (perhaps on a different switch) it still has access to the zone, because the switches check only a device's WWN - i.e. the specific port that a device connects to is ignored. This is more flexible, but WWNs can be easily spoofed
, reducing security. http://en.wikipedia.org/wiki/Template:Confusing
In order to bring the created zones together for ease of deployment and management a zoneset is employed (also called zoning config). A zoneset is merely a logical container for the individual zones, that are designed to work at the same time. A zoneset can contain WWN zones, port zones, or a combination of both (hybrid zones). The zoneset must be activated within the fabric (i.e. distributed through all the switches and then simultaneously enforced). Switches may contain more than one zoneset, but only one zoneset can be active in the entire fabric.
Storage area network
A storage area network is a dedicated network that provides access to consolidated, block level data storage. SANs are primarily used to make storage devices, such as disk arrays, tape libraries, and optical jukeboxes, accessible to servers so that the devices appear like locally attached devices...
makes available several virtual disks (LUNs), each system connected to the SAN should only be allowed access to a controlled subset of the LUNs. Zoning applies only to the switched fabric
Switched fabric
Switched fabric, switching fabric, or just fabric, is a network topology where network nodes connect with each other via one or more network switches . The term is popular in telecommunication, Fibre Channel storage area networks and other high-speed networks, including InfiniBand...
topology (FC-SW), it does not exist in simpler Fibre Channel topologies.
Zoning is sometimes confused with LUN masking
Logical Unit Number Masking
Logical Unit Number Masking or LUN masking is an authorization process that makes a Logical Unit Number available to some hosts and unavailable to other hosts....
, because it serves the same goals. LUN masking, however, works on Fibre Channel level 4 (i.e. on SCSI
SCSI
Small Computer System Interface is a set of standards for physically connecting and transferring data between computers and peripheral devices. The SCSI standards define commands, protocols, and electrical and optical interfaces. SCSI is most commonly used for hard disks and tape drives, but it...
level), while zoning works on level 2. This allows zoning to be implemented on switches, whereas LUN masking is performed on endpoint devices - host adapter
Host adapter
In computer hardware, a host controller, host adapter, or host bus adapter connects a host system to other network and storage devices...
s or disk array controller
Disk array controller
A disk array controller is a device which manages the physical disk drives and presents them to the computer as logical units. It almost always implements hardware RAID, thus it is sometimes referred to as RAID controller. It also often provides additional disk cache.A disk array controller name is...
s.
Zoning is also different from VSAN
VSAN
In computer networking, a virtual storage area network is a collection of ports from a set of connected Fibre Channel switches, that form a virtual fabric. Ports within a single switch can be partitioned into multiple VSANs, despite sharing hardware resources...
s, in that each port can be a member of multiple zones, but only one VSAN. VSAN (similarly to VLAN) is in fact a separate network (separate sub-fabric), with its own fabric services (including its own separate zoning).
Zoning types
There are two main methods of zoning, the two methods being hard and soft, that combine with two sets of attributes, name and port.Soft and Hard zoning
The fabric name service allows each device to query the addresses of all other devices. Soft zoning restricts only the fabric name service, to show only an allowed subset of devices. Therefore, when a server looks at the content of the fabric, it will only see the devices it is allowed to see. However, any server can still attempt to contact any device on the network by address. In this way, soft zoning is similar to the computing concept of security through obscuritySecurity through obscurity
Security through obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security...
.
In contrast, hard zoning restricts actual communication across a fabric. This requires efficient hardware implementation (frame filtering) in the fabric switches, but is much more secure.
Port and WWN zoning
Zoning can also be applied to either switch ports or end-station names. Port zoning restricts specific switch ports from seeing unauthorized ports. WWN zoning (also called name zoning) restricts access by a device's World Wide NameWorld Wide Name
A World Wide Name or World Wide Identifier is a unique identifier which identifies a particular Fibre Channel, Advanced Technology Attachment or Serial Attached SCSI target...
(WWN). With port zoning, even when a device is unplugged from a switch port and a different one is plugged in, the new device has access to the zone instead of the old one - i.e. the fact that a device's WWN changed is ignored. With WWN zoning, when a device is unplugged from a switch port and plugged into a different port (perhaps on a different switch) it still has access to the zone, because the switches check only a device's WWN - i.e. the specific port that a device connects to is ignored. This is more flexible, but WWNs can be easily spoofed
Spoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.- Spoofing and TCP/IP :...
, reducing security. http://en.wikipedia.org/wiki/Template:Confusing
Use
Currently, the combination of hard and WWN zoning is the most popular. Because port zoning is non-standard, it usually requires a homogeneous SAN (all switches from one vendor).In order to bring the created zones together for ease of deployment and management a zoneset is employed (also called zoning config). A zoneset is merely a logical container for the individual zones, that are designed to work at the same time. A zoneset can contain WWN zones, port zones, or a combination of both (hybrid zones). The zoneset must be activated within the fabric (i.e. distributed through all the switches and then simultaneously enforced). Switches may contain more than one zoneset, but only one zoneset can be active in the entire fabric.