Zoning is a fabric-based service in Storage Area Networks (SANs) that groups the host and storage nodes that need to communicate. Zoning is required because SAN end-devices do not respond well to a fully open and dynamic network (like Ethernet): a SAN has different requirements and needs to prevent data corruption and ownership or mounting issues. Zoning also ensures data is available only to specified hosts. A zone consists of a list of individual SAN end-devices that are allowed to intercommunicate. Zones are most commonly identified by port WWN, but switch port, FCID, alias and many other device identification types are also supported. Zoning not only prevents a host from gaining unauthorized access to storage assets, it also stops undesired host-to-host communication and fabric-wide RSCN disruptions.
Cisco SAN Zoning Modes
Cisco SAN switches have three zoning modes which dictate the behavior of zoneset distribution within the fabric. These modes are:
a) Enhanced Zoning: This is the recommended method for all Cisco native VSANs. Full zone database synchronization (full distribution) is enforced. Bulk zone information transfer is optimized so that zone merges and large activations happen more efficiently. Single-administrator change locking is enforced: before another administrator can make changes, any pending changes must first be completed and activated.
b) Basic Zoning with full zoneset distribution: This method is recommended only if Cisco Enhanced Zoning cannot be used (interop VSANs). Upon any zone activation, the full zone database, both active and inactive zone information, is pushed out and synchronized fabric-wide. Multiple administrators managing from different switches can overwrite each other’s changes (i.e. no locking).
c) Basic zoning with active-only zoneset distribution: This mode is not recommended for production Cisco SANs. An independent zone database is maintained on each switch in the fabric. The ACTIVE zones and zoneset are in sync across the merged fabric, but inactive zones and zonesets are NOT necessarily synchronized fabric-wide, which can make them difficult for SAN administrators to manage. Multiple administrators managing from different switches can overwrite each other’s changes (no locking).
Hard Zoning vs. Soft Zoning
With hard zoning, switches inspect each individual frame on ingress to the fabric to ensure the destination address is valid for devices within the zone. This is generally implemented in switch hardware. With soft zoning, individual frames are not necessarily inspected on ingress; instead, the Fibre Channel name server responds to end-device requests with a listing of only the devices zoned with the requester. Soft zoning has disadvantages: end devices can malfunction or spoof addresses, and a soft-zoning implementation may still forward such traffic unnecessarily. Soft zoning is generally implemented in software.
Cisco MDS-9000 switches enforce Hard zoning. Hard zoning on the Cisco MDS-9000 platform is implemented via special line-card memory called TCAM (Ternary Content Addressable Memory). TCAM is a memory hardware device on each line-card. While extensive, it is indeed a finite resource. Each zoned communication path between devices consumes an entry in the TCAM memory space.
Reducing TCAM Utilization
If TCAM resources are completely exhausted, zone activations and new FLOGIs may fail. A fully utilized TCAM is a critical condition that requires zone configuration changes to resolve. Take immediate action to reduce TCAM utilization when a Cisco SAN switch notifies the administrator of 80% or 90% utilization. The following practices are recommended to reduce TCAM utilization:
a) Large zones with dozens of members should be avoided where possible.
b) Multiple-Initiator zones should be avoided unless absolutely required.
c) Use 2-member zones, as these are the most compact zoning method in terms of TCAM utilization. Note that they become difficult for SAN administrators to manage as the total zone count grows.
d) In general, for all but the very largest Fibre Channel SAN environments, single-initiator, multiple-target (SIMT) zoning is the recommended best practice.
The recommended best practice is default zone deny, which is also the default zoning configuration on Cisco SAN switches. With default zone deny, no end-device communication is possible unless it is explicitly and manually zoned; end devices in the “default zone” (i.e. devices not in any particular zone) are not allowed to communicate. The alternative is default zone permit, where devices not explicitly zoned can intercommunicate. This is not recommended for production networks.
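As an added illustration of the TCAM and default-zone guidance above (example code written for this page, not a Cisco tool): it parses a constructed MDS-style zone configuration, flags default-zone permit and multi-initiator or large zones, and estimates TCAM cost under the simplified one-entry-per-device-pair model the text describes, showing how an SIMT split reduces that cost. The pWWNs, the role inventory and the 12-member "large zone" threshold are assumptions.

```python
# Constructed inventory of pWWN roles (made-up values). MDS zoning does not
# record roles, so this would come from the administrator's host/array records.
ROLES = {
    "10:00:00:00:c9:aa:00:01": "initiator",
    "10:00:00:00:c9:aa:00:02": "initiator",
    "10:00:00:00:c9:aa:00:03": "initiator",
    "50:06:01:60:3b:a0:11:01": "target",
    "50:06:01:68:3b:a0:11:01": "target",
}
# Constructed MDS-style zone configuration to audit (not from a real switch).
SAMPLE_CONFIG = """\
zone default-zone permit vsan 10
zone name ALL_HOSTS_ALL_ARRAYS vsan 10
  member pwwn 10:00:00:00:c9:aa:00:01
  member pwwn 10:00:00:00:c9:aa:00:02
  member pwwn 10:00:00:00:c9:aa:00:03
  member pwwn 50:06:01:60:3b:a0:11:01
  member pwwn 50:06:01:68:3b:a0:11:01
"""

def parse_zones(config):
    """Return ({zone: [pwwn, ...]}, default_zone_permit) from config text."""
    zones, current, permit = {}, None, False
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("zone default-zone permit"):
            permit = True
        elif line.startswith("zone name "):
            current = line.split()[2]
            zones[current] = []
        elif line.startswith("member pwwn ") and current:
            zones[current].append(line.split()[2])
    return zones, permit

def tcam_entries(zones):
    """Simplified model: one TCAM entry per device pair in a zone, N*(N-1)/2."""
    return sum(len(m) * (len(m) - 1) // 2 for m in zones.values())

def simt_split(members, roles):
    """Rewrite one zone as single-initiator, multiple-target (SIMT) zones."""
    targets = [m for m in members if roles.get(m) == "target"]
    return {f"SIMT_{i}": [i] + targets for i in members if roles.get(i) == "initiator"}

def audit(config, roles, large=12):
    """Flag the practices the page warns about; 'large' threshold is an assumption."""
    zones, permit = parse_zones(config)
    findings = ["default-zone permit: unzoned devices may communicate"] if permit else []
    for name, members in zones.items():
        inits = sum(roles.get(m) == "initiator" for m in members)
        if len(members) >= large:
            findings.append(f"{name}: large zone with {len(members)} members")
        if inits > 1:
            findings.append(f"{name}: multi-initiator zone with {inits} initiators")
    return findings
```

On the sample, the 5-member multi-initiator zone costs 10 modelled entries, the SIMT rewrite 9, and 2-member zones would cost 6, matching the ordering the text gives.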
Zone and Zoneset Backups
It is recommended to periodically back up the full zoning database to an off-switch location. Backing up the “full zone database” captures all zone and zoneset information within a fabric. The available zoneset backup methods are:
a) FMS Zone Backup tool.
b) CLI capture (MDS Scheduler, external script, etc.).
c) A backup of the switch running configuration (“running-config”), which captures all zone and zoneset information (also recommended).