Configuring and Troubleshooting MDS Enhanced Zoning

Sandeep Singh · ‎08-09-2012

Introduction
Fabric Login (FLogi)
Virtual SANs (VSANs)
Zones
Enabling Enhanced Zoning
Modifying Zone Database
Troubleshooting
Zoning Lock and Lock Owners
Changing back to Basic Zoning
Related Information

Introduction

Enhanced zoning enables to perform all configurations using a single configuration session. It enforces and exchanges the default zone setting throughout the fabric. Enhanced zoning uses the same techniques and tools as basic zoning, with a few added commands. The flow of enhanced zoning, however, differs from that of basic zoning.

Enhanced zoning has the following features:

VSAN wide scope, so that while VSAN X is using enhanced zoning, other VSANs can continue to use basic zoning.
Is IVR compatible.
Provides session locking, so that two SAN administrators cannot simultaneously modify a zoning database within a VSAN.
Provides implicit full zone set distribution, so that the zone set database local to each switch remains in sync when a zone set is modified.
Allows full zone set changes to be distributed without having to activate a zone set. This can be used to ready features in the daytime and activate the zone set at night.
Stages modifications until they are explicitly committed or aborted, allowing the SAN administrator to review changes before activation.
Can control how a zone merge is done. Merging can be accomplished either by performing a union of two zone sets according to the same rules as basic zoning, or by merging only identical active zone sets. The latter method prevents accidental merging.

Fabric Login (FLogi)

In a Fibre Channel network, the actual number of physical ports in the fabric is not the most critical concern when designing for large SAN fabrics. Since Fibre Channel ports consist of E/TE ports and F/FL ports, the main consideration is the number of fabric logins in the network. The number of actual physical ports in the fabric is larger than the number of end devices (server, storage, and tape ports) in the physical fabric. The Cisco MDS Family supports up to 10,000 fabric logins in a physical fabric, regardless of the number of VSANs in the network.

Virtual SANs (VSANs)

Cisco MDS switches offer VSAN technology, which is a simple and secure way to consolidate many SAN islands into a single physical fabric. Separate fabric services and separate role base management are provided for each VSAN, while providing separation of both the control plane and the data plane.

Zones

Within each VSAN, there is only one active zoneset that contains one or more zones. Each zone consists of one or more members to allow for communication between the members.Cisco MDS switches support up to 8000 zones and 20,000 zone members in a physical fabric.

Enabling Enhanced Zoning

Enhanced zoning can be turned on per VSAN as long as each switch within that VSAN is enhanced zoning capable. Enhanced zoning only needs to be enabled on one switch within the VSAN (existing SAN). At the time enhanced zoning is enabled the command will be propagated to the other switches within the VSAN automatically.

The rules for enabling enhanced zoning are:

Enhanced zoning only needs to be enabled on one switch in the VSAN of an existing converged SAN fabric. Enabling it on multiple switches within the same VSAN can result in failure to activate properly.
Enabling enhanced zoning does not perform a zone set activation.
The switch that is chosen to initiate the migration to enhanced zoning will distribute its full zone database to the other switches in the VSAN. Thereby overwriting the destination switches’ full zone set database.

Note that it is critical that zone distribution is turned on and each switch has its zoning information up to date. Failure to do so will result in deleting the full zone set database. This can be done by verifying zone distribution is turned on and a zone activation is preformed before enabling enhanced zoning.

To enable enhanced zoning via CLI follow the following procedure.

Switch# conf t

Switch(config)# zone mode enhanced vsan <vsan number>

Switch(config)# end

Switch# copy run start

To display the zoning mode status

Switch# show zone status vsan <vsan number>

Modifying Zone Database

Modifications to the zone database is done within a session. A session is created at the time of the first successful configuration command. On creation of a session, a copy of the zone database is created. Any changes done within the session are performed on this copy of the zoning database. These changes in the copy zoning database are not applied to the effective zoning database, until you commit. the changes. Once you apply the changes, the session is closed.

If the fabric is locked by another user and for some reason the lock is not cleared, you can force the operation and close the session. You must have permission (role) to clear the lock in this switch and perform the operation on the switch from where the session was originally created.

switch# config t

switch(config)# zone commit vsan <vsan number> //Applies the changes to the enhanced zone configuration and closes the session

OR

switch(config)# zone commit vsan <vsan number> force //Forcefully applies the changes to the enhanced zone and closes the session created by another user.

Troubleshooting

When troubleshooting enhanced zoning, it is important to understand the process flow when performing a zone configuration. The following operations detail the process flow:

•The first configuration command on the zoning database acquires a fabric wide lock preventing other changes on the VSAN.

•The first configuration command on the zoning creates a local copy of that VSAN’s zoning database.

•Changes done to the zoning database are done on the copy.

•Commit has to be issued to apply the changes.

•Commit destroys the copy of the zoning database after activation.

•Commit also releases the fabric wide lock

•If the changes are to be discarded prior to the commit, issue “no zone commit” command, which releases the lock and throws away the changes.

Zoning Lock and Lock Owners

The zoning lock is issued to a single user on a single switch. Only one user is allowed to hold the lock. If for some reason the lock is held by another user, and the lock has to be cleared forcefully, issue “no commit” with the force flag.

switch (config)# no zone commit vsan 1 force

switch# clear zone lock vsan <vsan_id>

Identifying the Lock Owner

If you’re locked out, follow these steps.

Determine which switch (domain) has the lock
Determine which user has the lock on that switch
Clear the lock for that user on that switch.

Determining Switch holding lock

If there is a lock, Zone configuration attempt displays error or Zone database locked due to update in progress

switch-1(config)# zoneset name azone vsan 10

Zoning database update in progress, command rejected

Show zone status command displays what switch has the lock

switch-1# show zone status vsan 10

VSAN: 10 default-zone: deny distribute: active only Interop: default

mode: enhanced merge-control: allow

session: remote [dom: 100][ip: 10.87.100.22] // this switch is having the lock

hard-zoning: enabled broadcast: enabled

Default zone:

qos: none broadcast: disabled ronly: disabled

---snip---

Confirm remote (Adj) switch and domain ID for vsan 10

switch-1# show fcs ie vsan 10

IE List for VSAN: 10

--------------------------------------------------------------------

IE-WWN IE Mgmt-Id Mgmt-Addr (Switch-name)

--------------------------------------------------------------------

20:0a:00:05:30:01:b1:b3 S(Loc) 0xfffc67 10.87.100.23 (switch-1)

20:0a:00:0b:fd:a7:72:41 S(Adj) 0xfffc64 10.87.100.22 (switch-2)

20:0a:00:0d:ec:19:43:c1 S(Adj) 0xfffc66 10.87.100.16 (switch-3)

[Total 3 IEs in Fabric]

Telnet to remote switch holding the lock (10.87.100.22) and confirm local (Loc) switch has domain ID 100 (0x64)

switch-2# show fcs ie vsan 10

IE List for VSAN: 10

-------------------------------------------------------------------

IE-WWN IE Mgmt-Id Mgmt-Addr (Switch-name)

-------------------------------------------------------------------

20:0a:00:05:30:01:b1:b3 S(Adj) 0xfffc67 10.87.100.23 (switch-1)

20:0a:00:0b:fd:a7:72:41 S(Loc) 0xfffc64 10.87.100.22 (switch-2)

20:0a:00:0d:ec:19:43:c1 S(Rem) 0xfffc66 10.87.100.16 (switch-3)

[Total 3 IEs in Fabric]

switch-2# show fcdomain domain-list vsan 10

Number of domains: 3

Domain ID WWN

--------- -----------------------

0x67(103) 20:0a:00:05:30:01:b1:b3 [Principal]

0x64(100) 20:0a:00:0b:fd:a7:72:41 [Local]

0x66(102) 20:0a:00:0d:ec:19:43:c1

Determining User Holding Lock

Show zone status command displays user who has the lock

switch-2# show zone status vsan 10

VSAN: 10 default-zone: deny distribute: active only Interop: default

mode: enhanced merge-control: allow

session: cli [admin] // user "admin" is holding the lock.

hard-zoning: enabled broadcast: enabled

Default zone:

qos: none broadcast: disabled ronly: disabled

---snip---

Clear the Lock

Contact admin to determine if this is an active session. If not active, clear the lock.

switch-2# clear zone lock vsan 10

Confirm that lock has been cleared

switch-2# show zone status vsan 10

VSAN: 10 default-zone: deny distribute: active only Interop: default

mode: enhanced merge-control: allow

session: none // Session field shows none

hard-zoning: enabled broadcast: enabled

Default zone:

qos: none broadcast: disabled ronly: disabled

---snip---

Changing back to Basic Zoning

If for some reason you need to change back to basic zoning follow these steps:

1) Check that the active and full zone set do not contain any configuration that is specific to the enhanced zoning mode. If there is any such config, remove it and then cross check the SAN working.

2) Change the operation mode to basic zoning. Doing this will grant you a fabric wide lock and distribute zoning information.

3) Apply the configuration changes and release the lock from all switches in the fabric.