04-13-2012 08:28 AM
I've a W2K8 system installed and using "Storage Explorer" it can see the whole fibre channel fabric, including information on all Zones and ZoneSets - which surprised me. I thought it would at least be limited to only seeing information about the systems in the zone it was in, but it appears to have everything for the entire VSAN.
From the MS information on this tool it states
Storage Explorer uses CT commands (FC-GS-4 spec) to query FC switches for fabric information. Only Fabric switches are supported.
On the network side, we disable CDP on the switch port to prevent information on the network being available to the host. Is there an equivalent for the FC storage network?
If it can't be "switched off", is there a way to limit what can be discovered?
Hoping I've just missed something obvious :-)
04-13-2012 07:44 PM
Although the description is missing information on which switch the Win2K8 host was connected to.
Assuming it was connected to a Cisco Fibre Channel switch (MDS 9000 family)?
CDP isn't any particular requirement for Fibre Channel switches and has no correlation with zones/zonesets.
A Fibre Channel switch uses cfs distribute to get config information from its peer Fibre Channel switches in a fabric.
It isn't clear how it was learned, from the switch perspective, for the Win2k8 host in question:
"it can see the whole fibre channel fabric, including information on all Zones and ZoneSets"
04-16-2012 02:25 AM
Thanks for the response, here's a little more detail.
The blade is in a UCS system which is indeed connected to a pair of MDS9124s. This blade is using an M71KR-Q mezzanine card. We also have blades with the M72KR-Q card; I've yet to test against those to see if it is any different. The service profile offers up two HBAs to the OS, one connected to each SAN fabric. FC is used for the boot LUN presentation in the UCS environment and zoning is used to keep systems separate.
Agreed, CDP has nothing to do with FC; I'm just using it as an analogy from the network world.
The output from Storage Explorer gives WWPNs, zoneset names and zone names for all those defined in the VSAN to which the HBA is connected.
04-16-2012 08:40 AM
Hi Rob,
Can you open a TAC Case for this?
Regards,
David
04-16-2012 08:50 AM
Will do.
04-16-2012 09:53 AM
Can you please post the workaround/fix for this, as Storage Explorer can circumnavigate Fabric Manager for anybody with access to a SAN attached Windows 2008 server?
I was looking at changing the permissions on "storexpl.msc" but that's using a sledgehammer to crack a nut.
Thanks
04-16-2012 10:18 AM
In fact, the only way to "prevent host/initiator from discovering fabric" is: just don't connect the HBA to the switchport. As simple as that.
As mentioned above: "work around/fix for this. As Storage Explorer can circumnavigate Fabric Manager for anybody with access to a SAN attached Windows 2008 server ... changing the permissions on storexpl.msc?"
These things are beyond the scope of the switch. If you think those can be done, good.
The straight answer to the above question is: from the "switch perspective", simply unplug it from the switchport or shut down the port where it is connected, and the device would not be able to discover the fabric.
If there are any other questions beyond this one, better to open a TAC case.
04-17-2012 01:17 AM
The device does need to be connected to the fabric, otherwise it would be a little tricky to boot it from the SAN.
The remainder of the section from the Microsoft site regarding this issue is:
2.2 – FC Switch blocking CT commands
Storage Explorer uses CT commands (FC-GS-4 spec) to query FC switches for fabric information. Only Fabric switches are supported.
Certain switches are pre-configured not to respond to CT commands and this will prevent Storage Explorer from showing any information about the FC fabric.
You can find additional information about these CT commands and a link to the latest FC-GS-4 specification at http://www.t11.org/t11/stat.nsf/upnum/1505-d
Some switches do not support any CT Passthrough commands by default, thus preventing Storage Explorer from showing any fabric or server information.
Please note that this might not affect all hardware revisions and/or models of an FC switch.
If you find that appropriate, you can reconfigure your switch by changing from the closed mode (default) to open mode (not default).
Please check with your switch vendor before making any modifications to your default configuration and validate this in a test environment first.
So it appears that some switches either by default/design block this data or at least have the ability to be configured to do so. Hopefully TAC will be able to answer whether this is possible or not for the MDS9124.