Cisco Support Community

Cisco MDS SAN Zoning Best Practices




Zoning is a fabric-based service in Storage Area Networks that groups host and storage nodes that need to communicate. Zoning is required because SAN end-devices do not respond well to a fully open and dynamic network (like Ethernet): SANs have different requirements and need to prevent data corruption and ownership or mounting issues. Zoning also ensures that data is available only to the specified hosts. A zone consists of a list of individual SAN end-devices which can intercommunicate. Zones are most commonly identified by port WWN (pWWN), but switch port, FCID, alias, and many other device identification types are also supported. Zoning not only prevents a host from gaining unauthorized access to storage assets; it also stops undesired host-to-host communication and fabric-wide RSCN disruptions.


Cisco SAN Zoning Modes

Cisco SAN switches have three zoning modes which dictate the behavior of zoneset distribution within the fabric. These modes are:


a) Enhanced Zoning: This method is recommended for all Cisco native VSANs. In this method, full zone database synchronization (full distribution) is enforced. Bulk zone information transfer is optimized so that zone merges and large activations happen more efficiently. Single-administrator change locking is enforced: before another administrator can make changes, any pending changes must first be completed and activated.


b) Basic Zoning with full zoneset distribution: This method is recommended only if Cisco Enhanced Zoning cannot be used (interop VSANs). Upon any zone activation, the full zone database of both active and inactive zone information is pushed out and synchronized fabric-wide. Multiple administrators managing from different switches can overwrite each other’s changes (i.e., no locking).


c) Basic zoning with active-only zoneset distribution: This mode is not recommended for production Cisco SANs. In this method an independent zone database is maintained on each switch in the fabric. The ACTIVE zones and zoneset are in sync across the merged fabric, but inactive zones and zonesets are NOT necessarily synchronized fabric-wide, which makes them difficult for SAN administrators to manage. Multiple administrators managing from different switches can overwrite each other’s changes (no locking).


Hard Zoning vs. Soft Zoning

With hard zoning, switches inspect each individual frame on ingress to the fabric to ensure the destination address is valid for devices within the zone. This is generally implemented in switch hardware. With soft zoning, individual frames are not necessarily inspected on ingress; instead, the Fibre Channel name server responds to end-device requests with a listing of only the zoned devices. Soft zoning has some disadvantages: for example, end devices can malfunction or spoof addresses, and a soft-zoning implementation may still forward this traffic unnecessarily. Soft zoning is generally implemented in software.


Cisco MDS-9000 switches enforce hard zoning. Hard zoning on the Cisco MDS-9000 platform is implemented via special line-card memory called TCAM (Ternary Content Addressable Memory), a hardware memory device on each line-card. While extensive, it is a finite resource: each zoned communication path between devices consumes an entry in the TCAM memory space.


Reducing TCAM Utilization

If TCAM resources are completely exhausted, zone activations and new FLOGIs may fail. A fully-utilized TCAM is a critical condition that requires zone configuration changes to resolve. It is recommended to take immediate action to reduce TCAM utilization when a Cisco SAN switch notifies the administrator that utilization has reached 80% and 90%. The following practices reduce TCAM utilization:


a) Large zones with dozens of members should be avoided where possible.

b) Multiple-Initiator zones should be avoided unless absolutely required.

c) Use 2-member zones, as these are the most compact zoning method for TCAM utilization. Note that these become difficult for SAN administrators to manage as the total zone count goes up.

d) In general, for all but the very largest Fibre Channel SAN environments, Single-Initiator, Multiple-Target (SIMT) zoning is the recommended best practice.
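To make the TCAM trade-off between practices a) through d) concrete, here is an added example (not part of the original article or of Cisco's tooling) that estimates entries for the three layouts and audits parsed `show zone` output for large and multi-initiator zones. It assumes the n*(n-1) entries-per-zone rule of thumb quoted later in the comment thread (one entry per ordered member pair), which is a model assumption rather than a vendor-published formula; the sample zone output, pWWNs, FCIDs and the initiator inventory are constructed for the example, and the `max_members` threshold is an arbitrary default.

```python
import re

# Rule of thumb from the comment thread: a zone with n members programs
# n*(n-1) TCAM entries (one per ordered member pair). Model assumption only.
def zone_entries(member_count):
    """TCAM entries consumed by one zone under the pairwise model."""
    return member_count * (member_count - 1) if member_count > 1 else 0


def strategy_cost(initiators, targets, strategy):
    """Return (zone_count, tcam_entries) for zoning I initiators against T targets.

    'single'   one large zone holding everything         (practice a, avoid)
    'simt'     one zone per initiator with all targets   (practice d, recommended)
    'pairwise' one 2-member zone per initiator/target    (practice c, most compact)
    """
    if strategy == "single":
        return 1, zone_entries(initiators + targets)
    if strategy == "simt":
        return initiators, initiators * zone_entries(1 + targets)
    if strategy == "pairwise":
        zones = initiators * targets
        return zones, zones * zone_entries(2)
    raise ValueError(f"unknown strategy {strategy!r}")


ZONE_HEADER = re.compile(r"^\s*zone name (\S+) vsan (\d+)")
PWWN_MEMBER = re.compile(r"pwwn ((?:[0-9a-f]{2}:){7}[0-9a-f]{2})", re.I)


def parse_show_zone(text):
    """Parse 'show zone'-style output (the layout quoted in this thread) into
    {(zone_name, vsan): [pwwn, ...]}. Member lines without a pWWN are ignored."""
    zones, current = {}, None
    for line in text.splitlines():
        header = ZONE_HEADER.match(line)
        if header:
            current = (header.group(1), int(header.group(2)))
            zones.setdefault(current, [])
            continue
        member = PWWN_MEMBER.search(line)
        if member and current is not None:
            zones[current].append(member.group(1).lower())
    return zones


def audit_zones(zones, initiator_pwwns, max_members=8):
    """Flag zones that violate practices a) and b). initiator_pwwns is the set of
    pWWNs known to be host HBAs (assumed to come from your own inventory)."""
    findings = []
    for (name, vsan), members in zones.items():
        inits = [m for m in members if m in initiator_pwwns]
        if len(members) > max_members:
            findings.append((name, vsan, f"large zone: {len(members)} members, "
                                         f"~{zone_entries(len(members))} TCAM entries"))
        if len(inits) > 1:
            findings.append((name, vsan, f"multi-initiator zone: {len(inits)} initiators"))
    return findings


# Constructed sample in the same layout as the 'show zone' excerpt in the thread;
# pWWNs and FCIDs are made up for this example.
SAMPLE_SHOW_ZONE = """\
zone name HOST01_to_ARRAY1_A vsan 2
* fcid 0x010001 [pwwn 10:00:00:00:c9:00:00:01]
* fcid 0x010100 [pwwn 50:00:00:00:00:00:01:0a]
zone name CLUSTER_SHARED vsan 2
* fcid 0x010001 [pwwn 10:00:00:00:c9:00:00:01]
* fcid 0x010002 [pwwn 10:00:00:00:c9:00:00:02]
* fcid 0x010100 [pwwn 50:00:00:00:00:00:01:0a]
"""
SAMPLE_INITIATORS = {"10:00:00:00:c9:00:00:01", "10:00:00:00:c9:00:00:02"}

if __name__ == "__main__":
    # 20 hosts against 4 array ports: 552 entries in one zone, 400 with SIMT, 160 pairwise
    for strat in ("single", "simt", "pairwise"):
        print(strat, strategy_cost(20, 4, strat))
    for finding in audit_zones(parse_show_zone(SAMPLE_SHOW_ZONE), SAMPLE_INITIATORS):
        print(finding)
```

The strategy comparison shows why the article ranks the layouts as it does: the single large zone costs the most, 2-member zones the least, and SIMT sits in between while keeping the zone count equal to the number of hosts. The audit flags `CLUSTER_SHARED` because it holds two initiators; pasting real `show zone` output and your HBA inventory into the same functions gives the same report for a live fabric.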


Default Zoning

The recommended best practice is default zone deny, which is also the default zoning configuration on Cisco SAN switches. With default zone deny, no end-device communication is possible unless it is explicitly and manually zoned: end devices in the “default zone” (i.e., devices not in any particular zone) are not allowed to communicate. The alternative is default zone permit, where devices not explicitly zoned can intercommunicate. This is not recommended for production networks.


Zone and Zoneset Backups

It is recommended to periodically back up the full zoning database to an off-switch location. Backing up the “full zone database” captures all zone and zoneset information within a fabric. The available zoneset backup methods are:

a) FMS Zone Backup tool.

b) CLI capture (MDS Scheduler, external script, etc.).

c) Switch running configuration (“running-config”) backup, which captures all zone and zoneset information (also recommended).


Related Information

MDS Zoning configuration guide

Advanced SAN Design Using Cisco MDS 9500

Community Member

Good practice to follow. Thanks.

Community Member

I've references to TCAM usage, and I understand that "large zones" use more resources. The formula is n*(n-1) where n is the number of members. So how do I see and/or monitor TCAM usage?

Community Member


How to update OpenSSH in CISCO 9222i SAN switch?


Upgrade NX-OS 

Community Member


I'm new to the zoning world and I just did a rezoning at my job. Everything works fine, but I made the zones one to one as follows:

zone name MDC2_to_SAN1-CTRLA vsan 2
* fcid 0x8900a0 [pwwn 10:00:8c:7c:ff:65:fe:48]
* fcid 0x8900e0 [pwwn 20:12:00:80:e5:32:40:68]

I want to know if it is possible to create a zone with more members


Community Member

Of course you can. Some like to put all the tape drives in one zone, or all the nodes of a cluster. I personally quit doing that years ago. I do all the zone building via scripts (can send an example if you like), which first minimizes mistakes and deviation from standards. Also it's really easy to do: just make a list of source and destination and run the script. I've also found during migrations from old switches to new, old storage to new, or Brocade to Cisco, if you have nice orderly 1 to 1 relationships the work is much simpler. My advice would be to stick to 1 to 1.
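The kind of list-driven zone-building script described in the reply above, written here as an added example; it is not Bruce's script and not a Cisco tool. It takes a host inventory, a target inventory and a source/destination list, validates every pWWN before anything reaches the switch, deduplicates the list, and emits NX-OS CLI for strict 1:1 zones under enhanced zoning with an explicit default-zone deny. The aliases, pWWNs and the `<HOST>_to_<TARGET>` naming convention are constructed for the example; the zone, zoneset, `zone mode enhanced`, `zone default-zone permit` and `zone commit` commands are standard MDS NX-OS syntax.

```python
import re

# pWWN format: eight colon-separated hex octets, e.g. 10:00:8c:7c:ff:65:fe:48
PWWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")


def normalize_pwwn(pwwn):
    """Lower-case and validate a pWWN so a typo fails here, not on the switch."""
    pwwn = pwwn.strip().lower()
    if not PWWN_RE.match(pwwn):
        raise ValueError(f"malformed pWWN: {pwwn!r}")
    return pwwn


def zone_name(host, target):
    """Naming convention assumed for this example: <HOST>_to_<TARGET>."""
    return f"{host}_to_{target}"


def build_zoning_config(vsan, hosts, targets, pairs, zoneset):
    """Emit NX-OS CLI lines for strict 1:1 (single-initiator, single-target) zones.

    hosts / targets: {alias: pwwn} dictionaries (your inventory)
    pairs: [(host_alias, target_alias), ...], the source/destination list
    """
    hosts = {a: normalize_pwwn(p) for a, p in hosts.items()}
    targets = {a: normalize_pwwn(p) for a, p in targets.items()}
    lines = [
        "configure terminal",
        f"zone mode enhanced vsan {vsan}",           # enhanced zoning: locking + full distribution
        f"no zone default-zone permit vsan {vsan}",  # explicit default-zone deny (the Cisco default)
    ]
    names, seen = [], set()
    for host, target in pairs:
        if host not in hosts:
            raise KeyError(f"unknown host alias {host!r}")
        if target not in targets:
            raise KeyError(f"unknown target alias {target!r}")
        if (host, target) in seen:   # tolerate duplicate rows in the input list
            continue
        seen.add((host, target))
        name = zone_name(host, target)
        names.append(name)
        lines += [
            f"zone name {name} vsan {vsan}",
            f"  member pwwn {hosts[host]}",
            f"  member pwwn {targets[target]}",
        ]
    lines.append(f"zoneset name {zoneset} vsan {vsan}")
    lines += [f"  member {n}" for n in names]
    lines += [
        f"zoneset activate name {zoneset} vsan {vsan}",
        f"zone commit vsan {vsan}",   # enhanced mode: nothing takes effect until commit
        "end",
    ]
    return lines


def zone_count(config_lines):
    """Number of zones defined in a generated configuration."""
    return sum(1 for line in config_lines if line.startswith("zone name "))


# Constructed inventory; aliases and pWWNs are made up for this example.
HOSTS = {"MDC2": "10:00:00:00:c9:00:00:11", "MDC3": "10:00:00:00:c9:00:00:12"}
TARGETS = {"SAN1-CTRLA": "50:00:00:00:00:00:02:0a", "SAN1-CTRLB": "50:00:00:00:00:00:02:0b"}
PAIRS = [("MDC2", "SAN1-CTRLA"), ("MDC2", "SAN1-CTRLB"),
         ("MDC3", "SAN1-CTRLA"), ("MDC3", "SAN1-CTRLB"),
         ("MDC2", "SAN1-CTRLA")]   # duplicate row, dropped by the generator

if __name__ == "__main__":
    print("\n".join(build_zoning_config(2, HOSTS, TARGETS, PAIRS, "ZS_VSAN2")))
```

Because every zone holds exactly one initiator and one target, the output never creates the storage-to-storage login path that the next reply warns about, and each zone costs only two TCAM entries. Review the generated text (or diff it against the previous run) before pasting it into the switch; the `zone commit` at the end is what makes the activation take effect under enhanced zoning.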


I would be careful doing that. Unless you have enabled SmartZoning you might have storage ports logging in to each other (i.e., EMC VNX with the SANCopy enabler installed, or VMAX with Open Replicator). For these specific platforms it's not a good idea for storage ports to log in to each other.

Community Member

part of why I only do 1 to 1


or enable SmartZoning, sure saves on a lot of zones.

Community Member

Hi Bruce

First, thanks a lot for your response. I would be really grateful if you could send me a script; you can send it to my email:

Community Member

Hi Bruce,

Appreciate it if you could send me a copy of the script for zoning to my email-

Much appreciated.

thank you


Community Member

Hi Bruce,

Appreciate it if you could send me a copy of the script for zoning to my email-

Much appreciated

Thank you,