Zone Enforcement – Cisco CCNP and CCIE

Zoning can be enforced in two ways: soft and hard. Each end device (N port) discovers other devices in the fabric by querying the name server. When a device logs in to the name server, the name server returns the list of other devices that can be accessed by the querying device. If an N port does not know about the FCIDs of other devices outside its zone, it cannot access those devices.

In soft zoning, zoning restrictions are applied only during interaction between the name server and the end device. If an end device somehow knows the FCID of a device outside its zone, it can access that device.

In this mode, only control plane traffic is policed by the switch supervisor/CPU services. In particular, the Fibre Channel Name Server (FCNS) will limit the list of permitted devices in an FCNS reply to only those that are in the zone configuration. However, the end device data plane traffic is unpoliced. This means a rogue end device may connect to other devices it is not zoned with.

Hard zoning is enforced by the hardware on each frame sent by an N port. As frames enter the switch, source-destination IDs are compared with permitted combinations to allow the frame at wire speed. Hard zoning is applied to all forms of zoning. Hard zoning enforces zoning restrictions on every frame and prevents unauthorized access.

In this mode, both control plane and data plane traffic are policed. Control plane traffic is policed by the switch supervisor/CPU, and data plane traffic is policed on each ingress port with hardware assistance. The policing rules are set by the zone set that is programmed into each linecard/port ASIC. The destination of each frame is checked by hardware and, if it is not permitted by zoning, it is dropped. In this mode, any device can communicate only with end devices it is authorized to.

Cisco SAN switches support both hard and soft zoning. By default, both types of zoning are enabled, with hard zoning used in priority over soft zoning. If the system is unable to use hard zoning because of hardware resource exhaustion, hard zoning is disabled and the system falls back to soft zoning.
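The difference between the two enforcement points can be seen in a small model of a fabric. This is an added example, not Cisco code: the FCIDs, the active zone set and the ROGUE device are all constructed, and hard_zoning=False stands in for the fallback to soft zoning described above.

```python
"""Model of soft vs hard zone enforcement in a Fibre Channel fabric."""
from dataclasses import dataclass

# Constructed sample FCIDs (24-bit domain/area/port values); not from any real fabric.
HOST_A, HOST_B, STORAGE, ROGUE = 0x010100, 0x010200, 0x020100, 0x010300

# Constructed active zone set: each zone is a set of member FCIDs.
ACTIVE_ZONE_SET = {
    "zone_host_a": {HOST_A, STORAGE},
    "zone_host_b": {HOST_B, STORAGE},
}


@dataclass
class Fabric:
    zones: dict
    hard_zoning: bool = True  # False models the fallback to soft zoning

    def permitted(self, sid: int, did: int) -> bool:
        """A source/destination pair is permitted if both FCIDs share a zone."""
        return any(sid in members and did in members for members in self.zones.values())

    def name_server_query(self, requester: int) -> list:
        """Soft zoning: the FCNS reply lists only devices zoned with the requester."""
        visible = {fcid for members in self.zones.values() if requester in members for fcid in members}
        return sorted(visible - {requester})

    def forward_frame(self, sid: int, did: int) -> str:
        """Ingress-port check. Under soft zoning the data plane is not inspected at all."""
        if self.hard_zoning and not self.permitted(sid, did):
            return "dropped"
        return "forwarded"


def rogue_outcome(hard_zoning: bool) -> dict:
    """ROGUE is in no zone, so the name server tells it nothing; it then sends a
    frame to STORAGE using an FCID it learned some other way."""
    fabric = Fabric(ACTIVE_ZONE_SET, hard_zoning=hard_zoning)
    return {
        "fcns_reply": fabric.name_server_query(ROGUE),
        "frame_to_storage": fabric.forward_frame(ROGUE, STORAGE),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hard zoning" if mode else "soft zoning", rogue_outcome(mode))
```

Under soft zoning the FCNS reply is empty but the frame is still forwarded; under hard zoning the same frame is dropped at the ingress port.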

Full and Active Zone Set

Zones provide a method for specifying access control, while zone sets are a grouping of zones to enforce access control in the fabric. Zone sets are configured with the names of the member zones and the VSAN (if the zone set is in a configured VSAN). You can make a copy of a zone set and then edit it without altering the original zone set. You can copy an active zone set from the bootflash: directory, volatile: directory, or slot0, to one of the following areas:

To the full zone set

To a remote location (using FTP, SCP, SFTP, or TFTP)

The active zone set is not part of the full zone set. You cannot make changes to an existing zone set and activate it if the full zone set is lost or is not propagated.

Before configuring a zone set, consider these specifics:
