SAN Zoning

In a simple SAN configuration where only 1 or 2 hosts are connected, zoning is not terribly important. However, in more complex SANs, where many hosts of different types and OSes are connected along with tape libraries, zoning becomes crucial. Essentially, the goal of zoning is to isolate the connected hosts from each other for security purposes.

For example, say you have both Unix and Windows hosts connected to the SAN along with a Fibre Channel tape library. You may want your Unix NetBackup or Legato server to control the tape devices, but you discover that when the Windows box rebooted following a blue screen, it saw the tape drives, automatically loaded drivers for them and configured Windows to use them. Next, the clueless Windows admin notices this and starts doing Windows backups on top of your catalog tapes. If you're the SAN administrator, you'll probably start reading up on zoning between job interviews.

SAN Types

There are 3 types of zones:
Important

For best security, the zones should be hardware enforced and not software enforced. The two are often referred to as "Hard Zoning" and "Soft Zoning". The distinction is that with software enforced zoning, security is based on the assumption that hosts and devices logging into the switch fabric will rely only on the fabric name server for finding devices on the SAN. This is possibly a weak assumption. With hardware enforced zoning, a host that is not zoned to see another device on the SAN will be prevented at a hardware level from seeing the device. For newer Brocade SilkWorm switches, zones containing only port numbers and zones containing only WWNs are hardware enforced. Mixed zones are software enforced.

Aliases

Often zones are created from alias names of WWNs or port numbers for readability. For example, say you want your backup server, whose HBA's WWN is 20:00:00:00:c9:67:23:11, to see an LTO-2 Fibre Channel drive connected to the SAN whose WWN is 50:01:04:f0:00:6f:7c:c1. First create an alias named backup1_hba0, then add 20:00:00:00:c9:67:23:11 to the alias. Next create an alias named lto2_Drive1 and add 50:01:04:f0:00:6f:7c:c1 to the alias. Finally, create a zone named backup1_hba0_lto2_Drive1 and add the aliases backup1_hba0 and lto2_Drive1 as zone members. This kind of naming convention will make things easier for admins left to support the SAN.
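The following is an added example, not part of the original page and not Brocade code: a small Python audit that expands the aliases above and flags any zone that mixes port and WWN members, which by the rule in the Important section would be software enforced. The alias win1_port, the zone built on it, the function names and the "domain,port" notation for port members are assumptions made for the illustration.

```python
import re

# A WWN is eight colon-separated hex bytes. Port members are assumed to be
# written "domain,port" (for example "1,4").
WWN_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){7}$", re.IGNORECASE)
PORT_RE = re.compile(r"^\d+,\d+$")

# The first two aliases are the ones from the text; win1_port is constructed.
ALIASES = {
    "backup1_hba0": ["20:00:00:00:c9:67:23:11"],
    "lto2_Drive1": ["50:01:04:f0:00:6f:7c:c1"],
    "win1_port": ["1,4"],
}

# The first zone is the one from the text; the second is a constructed mixed zone.
ZONES = {
    "backup1_hba0_lto2_Drive1": ["backup1_hba0", "lto2_Drive1"],
    "win1_port_lto2_Drive1": ["win1_port", "lto2_Drive1"],
}


def member_kind(member):
    """Classify a raw zone member as 'wwn' or 'port'."""
    if WWN_RE.match(member):
        return "wwn"
    if PORT_RE.match(member):
        return "port"
    # Also catches a zone member that names an alias nobody defined.
    raise ValueError(f"unrecognised zone member: {member!r}")


def zone_enforcement(members, aliases):
    """Return 'hardware' for port-only or WWN-only zones, 'software' for mixed."""
    raw = [m for name in members for m in aliases.get(name, [name])]
    if not raw:
        raise ValueError("zone has no members")
    kinds = {member_kind(m) for m in raw}
    return "hardware" if len(kinds) == 1 else "software"


def audit(zones, aliases):
    """Map each zone name to the enforcement type its members imply."""
    return {name: zone_enforcement(m, aliases) for name, m in zones.items()}


if __name__ == "__main__":
    for zone, mode in audit(ZONES, ALIASES).items():
        print(f"{zone}: {mode} enforced")
```

Run against an exported zone configuration, a check like this shows which zones to rebuild as WWN-only or port-only before relying on them for isolation.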