
Cisco's idea of hard and soft zoning.

stephen2615
Level 3

As I am relatively new to Cisco switches but have used Qlogic for quite some time, I found Cisco's idea of hard and soft zoning reversed. E.g., to me a soft zone is port zoning and a hard zone is WWN zoning. But the MDS training notes have exactly the opposite.

I made a complete muckup with a couple of VSANs which I had made that used WWN zoning which appears to be the default when using Fabric Manager. Each zone had one initiator and one target port in the zone and I had eight zones in the zoneset.

During a recent large migration, the ports on the host (SunFire 6900) had to be moved to give better redundancy and as the switch was using WWN zoning, I could not move the ports on the host. It took me 30 odd minutes to make new port based zones and a zoneset to fix this and when I activated the new zoneset, the host never even wrote one message about this change. I was very impressed with that. Almost every other change I have made with the Qlogic switches would make the host write many entries that were harmless enough but alarmed the operators no end. I put it down to the Qlogic switches being LIP crazy.

So am I wrong with my idea of zoning or has Cisco written its own ideas on this?

Stephen

8 Replies

reberhar
Cisco Employee

Well it's easy, we only have hard-zoning :-))

Hard-zoning actually means that zoning is enforced in hardware instead of in software.

With soft-zoning you rely on the fibre channel name server and zone server to allow a device to only discover the devices it is allowed to talk to on the SAN (i.e. that are in the same zone).

With hard-zoning we actually enforce zoning policy on the port asics of every MDS port.

This reduces control traffic to the CPUs and enforces the zoning policy in hardware (no bypassing possible).

The hardware enforced zoning on the MDS is independent of what criteria you use for zone membership (pWWN, fwwn, IP address for iSCSI etc) and you can even use a mix of zoning criteria in the same zone.

The fact that hard-zoning and soft-zoning seem to be attached to WWN zoning and port zoning in a lot of people's minds is due to the fact that legacy switch vendors have actually very limited capacity in enforcing zoning in hardware so they restricted it to e.g. port zoning and sold port zoning as "hard-zoning".

So don't get confused, to the MDS it's all the same. We enforce in hardware and you can use whatever criteria you like to identify a device (the most popular being WWN zoning).

Ralf

Hi Ralf,

I think that this tends to be a bit confusing for most "legacy people" but I can overcome it. I put most of this confusion down to the Cisco marketing approach where the MDS series are not sold directly by Cisco (at least not where I am). So, most vendors don't seem to have a clue about them and we then go to do the fabulous training which falls a bit short in some things.. in particular some of the intrinsic parts of the MDS switches.

I spent more time trying to figure out how to add a new user than I did adding a complex VSAN as my training was on SAN-OS 2.x (but I am using version 3.0.1) and lots has changed in the Fabric Manager GUI. I think the MDS are a terrific switch but I just need time to get to know them and the oddities associated with them.

Thanks..

Stephen

Hey,

How many entries can the ASIC enforce? I could not find any information.

Michael

Depends on the linecard model and whether you're talking ingress or egress.

The following command tells you how many TCAM entries are available for different features. Region 3 is for zoning. In this example there is a 12-port DS-X9112 in slot 5 and a DS-X9032 in slot 6.

avalanche# show system internal acl tcam-usage module 5
TCAM Entries:
=============
               Region1    Region2   Region3      Region4   Region5   Region6
Mod Fwd Dir    TOP SYS    SECURITY  ZONING       BOTTOM    FCC DIS   FCC ENA
    Eng        Use/Total  Use/Total Use/Total    Use/Total Use/Total Use/Total
--- --- ------ ---------- --------- ------------ --------- --------- ---------
5   0   INPUT  53/3264    0/3264    2/22912*     204/3320  0/0       0/0
5   0   OUTPUT 9/3264     0/3264    0/18016      0/3264    3/1632    29/3320

Adjacency Entries:
==================
Mod Fwd Dir    Static Adj  Dynamic Adj Adj Counters
    Eng        Used/Total  Used/Total  Used/Total
--- --- ------ ----------- ----------- ------------
5   0   INPUT  96/512      13/130552   0/1921
5   0   OUTPUT 0/0         0/0         0/0
---------------------------------------------------
* 1024 entries are reserved for LUN Zoning purpose
avalanche#

avalanche# show system internal acl tcam-usage module 6
TCAM Entries:
=============
               Region1    Region2   Region3      Region4   Region5   Region6
Mod Fwd Dir    TOP SYS    SECURITY  ZONING       BOTTOM    FCC DIS   FCC ENA
    Eng        Use/Total  Use/Total Use/Total    Use/Total Use/Total Use/Total
--- --- ------ ---------- --------- ------------ --------- --------- ---------
6   0   INPUT  254/6424   0/1912    6/45144      99/6488   0/0       0/0
6   0   OUTPUT 31/3256    0/3256    0/18008      0/3256    2/1624    41/3320

Adjacency Entries:
==================
Mod Fwd Dir    Static Adj  Dynamic Adj Adj Counters
    Eng        Used/Total  Used/Total  Used/Total
--- --- ------ ----------- ----------- ------------
6   0   INPUT  96/256      1/3840      0/0
6   0   OUTPUT 0/0         0/0         0/0
---------------------------------------------------
* 1024 entries are reserved for LUN Zoning purpose
avalanche#

But the main thing is what has been tested. The verified limits for SAN-OS 3.x are 8000 zones and 16000 members. See,

http://www.cisco.com/univercd/cc/td/doc/product/sn5000/mds9000/3_0/fmcfg/limits.htm
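Added example (not part of the original thread and not Cisco tooling): a small Python parser for the `show system internal acl tcam-usage` output in the format posted above, reporting how much of the hardware zoning region (Region 3) each forwarding engine has in use. The function names and the 80% alert threshold are assumptions chosen for illustration; the sample text is the module 5 output from the post.

```python
import re

# Module 5 output copied from the post above (SAN-OS 3.x format).
SAMPLE = """\
TCAM Entries:
=============
               Region1    Region2   Region3      Region4   Region5   Region6
Mod Fwd Dir    TOP SYS    SECURITY  ZONING       BOTTOM    FCC DIS   FCC ENA
    Eng        Use/Total  Use/Total Use/Total    Use/Total Use/Total Use/Total
--- --- ------ ---------- --------- ------------ --------- --------- ---------
5   0   INPUT  53/3264    0/3264    2/22912*     204/3320  0/0       0/0
5   0   OUTPUT 9/3264     0/3264    0/18016      0/3264    3/1632    29/3320
Adjacency Entries:
==================
Mod Fwd Dir    Static Adj  Dynamic Adj Adj Counters
    Eng        Used/Total  Used/Total  Used/Total
--- --- ------ ----------- ----------- ------------
5   0   INPUT  96/512      13/130552   0/1921
5   0   OUTPUT 0/0         0/0         0/0
"""

REGIONS = ("top_sys", "security", "zoning", "bottom", "fcc_dis", "fcc_ena")
# A TCAM data row has six use/total cells; adjacency rows have only three,
# so they do not match. The optional "*" marks the LUN-zoning reservation.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(INPUT|OUTPUT)((?:\s+\d+/\d+\*?){6})\s*$")

def parse_tcam_usage(text):
    """Return {(module, fwd_engine, direction): {region: (used, total)}}."""
    usage = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        cells = re.findall(r"(\d+)/(\d+)", m.group(4))
        key = (int(m.group(1)), int(m.group(2)), m.group(3))
        usage[key] = {r: (int(u), int(t)) for r, (u, t) in zip(REGIONS, cells)}
    return usage

def zoning_alerts(usage, threshold=0.80):
    """List (key, used, total) where the zoning region is at/above threshold."""
    hits = []
    for key, regions in sorted(usage.items()):
        used, total = regions["zoning"]
        if total and used / total >= threshold:  # skip regions with 0 capacity
            hits.append((key, used, total))
    return hits

if __name__ == "__main__":
    print(zoning_alerts(parse_tcam_usage(SAMPLE)))
```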

Thanks for your answer, but those commands do not work on our 9216s... do I need a different command?

mds# sho mod
Mod Ports Module-Type                      Model              Status
--- ----- -------------------------------- ------------------ ------------
1   16    1/2 Gbps FC/Supervisor           DS-X9216-K9-SUP    active *

Mod Sw          Hw     World-Wide-Name(s) (WWN)
--- ----------- ------ --------------------------------------------------
1   3.0(2)      1.0    20:01:00:0c:xx:xx:xx:xx to 20:10:00:0c:xx:xx:xx:xx

Mod MAC-Address(es)                        Serial-Num
--- -------------------------------------- ----------
1   00-0c-30-xx-xx-xx to 00-0c-30-xx-xx-xx JABxxxxxxxx

* this terminal session
mds#

mds# sho system internal acl tcam-usage module 1
Module 1 is a supervisor card. Can't get TCAM usage for it.
mds#

Thanks,

Michael

Howdy,

It's a sanos 3.0 command... :)

I've had a quick poke around on the actual line cards in a sanos 2.x switch and can't see anything really "human" readable.

You can get acltcam process info from an individual line card.

Perhaps all you can do is use a "sh zone status" and make sure you see

Hard zoning is enabled

:-)

Cheers

Andrew

Interesting the command does not work for hybrid Sup module. Anyway, the TCAM memory layout for 9216 slot 1 is exactly the same as for any DS-X9016 or DS-X9032 linecard, i.e. same as module 6 in my previous post. The 2nd gen (4gbps) linecards have a different layout. Either way, the verified zoning limits are the same for 1st and 2nd gen linecards.

Howdy,

Is there a way of getting it "human readable" on sanos 1 and 2?
