A zone is a collection of ports that are allowed to communicate with each other over the SAN. Define one zone per initiator/target pair and deploy many small zones rather than a few large ones: zoning is enforced in hardware as per-pair ACL entries, so a zone with N members costs roughly N*(N-1) entries and every state change of one member generates RSCNs to all the others. A zoneset is a collection of zones that defines the zoning configuration applied to a VSAN. Only one zoneset can be active per VSAN, but several zonesets can be configured on a switch. Define naming conventions for zones and zonesets that can be recognised later. For zone naming, use a server-centric format that includes the initiator and target device aliases when using single-initiator / single-target zones. For zoneset naming, include the DC site and location and the VSAN number.
Virtual SAN (VSAN) technology partitions a single physical SAN into multiple VSANs. VSAN capabilities allow Cisco NX-OS software to logically divide a large physical fabric into separate, isolated environments. Each VSAN is a logically and functionally separate SAN with its own set of Fibre Channel fabric services. The strict traffic segregation provided by VSANs helps ensure that the control and data traffic of a specified VSAN are confined within the VSAN's own domain, increasing SAN security.
N Port Virtualization
Cisco NX-OS software supports industry-standard N port identifier virtualization (NPIV), which allows multiple N port fabric logins concurrently on a single physical Fibre Channel link. HBAs that support NPIV can help improve SAN security by enabling zoning and port security to be configured independently for each virtual machine (OS partition) on a host. N port virtualizer (NPV) is a complementary feature that reduces the number of Fibre Channel domain IDs in core-edge SANs.
Zoning will be used in the Access switches to control which end nodes (initiators and targets) can communicate.
Zoning configuration will be based on the following characteristics:
Enhanced zoning will be enabled. This provides automatic distribution and synchronization of the full zone database, and prevents multiple administrators from modifying a VSAN's zoneset at the same time by locking the fabric for the duration of a zoning session. It is recommended to use enhanced zoning for all configured VSANs in the SAN.
Device-aliases will be used to configure zoning, as they are independent of the zoning database and can provide name resolution to applications beyond the zone server.
It is recommended to configure each zone as a “single initiator / single target” zone. This method specifies that a zone will include only one initiator and one target.
Note that enhanced zoning can only be used in a Cisco-only SAN fabric. When changes to the zoning configuration of a VSAN are committed on a switch, they are distributed automatically to the other switches in the same VSAN using the CFS protocol over FC/FCoE.
Zoning is a per-VSAN, fabric-wide configuration: it is entered on a single switch, which distributes it to the other switches in the VSAN via CFS, so the same zones must not be configured by hand on every switch.
Note that when a new Access switch is connected to the SAN, it is recommended not to configure any zoning on it. Before connecting it to the SAN, configure the switch with enhanced zoning (zone mode enhanced) and enhanced device-alias mode (device-alias mode enhanced). Once connected, the switch retrieves the zoning configuration via CFS as a fabric merge event takes place. If the new switch already carries a zoneset that conflicts with the fabric's active zoneset (the same zone name with different members, for example), the merge fails and the ISL is isolated until the conflict is cleared, which is why the new switch's zoning database is kept empty.
! Add a zone to the VSAN (enhanced zoning: the change is staged in the session until committed)
zone name Z_<server-alias-name>_<target-alias-name> vsan <vsan-id>
! Add the members to the zone: one initiator and one target, referenced by device-alias
member device-alias <server-alias-name>
member device-alias <target-alias-name>
! Create the zoneset for the VSAN and add the zone to it
zoneset name ZS_<DC-id>_<vsan-id> vsan <vsan-id>
member Z_<server-alias-name>_<target-alias-name>
! Activate the zoneset
zoneset activate name ZS_<DC-id>_<vsan-id> vsan <vsan-id>
! Commit the session so the change is applied and distributed to the VSAN via CFS
zone commit vsan <vsan-id>
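The following Python script is an added example, not part of this design document or of Cisco NX-OS: it takes a constructed inventory of device-aliases (host HBAs and storage ports), builds one zone per initiator/target pair using the Z_<initiator>_<target> and ZS_<DC-id>_<vsan-id> conventions above, checks that every zone really is single-initiator / single-target before anything is pushed, and renders the enhanced-zoning CLI for the whole VSAN. The alias names, WWNs, DC id "DC1" and VSAN 10 are assumptions made for the example; it generalizes the single-zone template above to any number of pairs.

```python
"""Added example (not from the page or Cisco): generate and check NX-OS zoning CLI.

Builds single-initiator / single-target zones from a constructed inventory,
validates them, and renders the enhanced-zoning configuration for one VSAN.
All aliases, WWNs, the DC id and the VSAN number are made up for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    alias: str   # device-alias name; H_<host>_<hba> / T_<array>_<port> is an assumed convention
    pwwn: str    # port WWN, constructed sample value
    role: str    # "initiator" (host HBA) or "target" (storage port)


# Constructed sample inventory for one fabric; not real hosts, arrays or WWNs.
INVENTORY = [
    Device("H_esx01_hba0", "20:00:00:25:b5:aa:00:01", "initiator"),
    Device("H_esx02_hba0", "20:00:00:25:b5:aa:00:02", "initiator"),
    Device("T_arr1_ct0p0", "50:00:09:73:00:12:34:01", "target"),
    Device("T_arr1_ct1p0", "50:00:09:73:00:12:34:02", "target"),
]


def zone_name(init_alias, tgt_alias):
    return "Z_{}_{}".format(init_alias, tgt_alias)


def zoneset_name(dc_id, vsan):
    return "ZS_{}_{}".format(dc_id, vsan)


def build_zones(pairs):
    """One zone per (initiator, target) pair -> {zone name: [member aliases]}."""
    return {zone_name(i, t): [i, t] for i, t in pairs}


def check_zones(zones, inventory):
    """Return a list of problems; an empty list means every zone has exactly one
    initiator and one target, all members resolve to known aliases, and the
    zone name follows the Z_<initiator>_<target> convention."""
    roles = {d.alias: d.role for d in inventory}
    problems = []
    for name, members in zones.items():
        unknown = [m for m in members if m not in roles]
        if unknown:
            problems.append("{}: unknown device-alias {}".format(name, unknown))
            continue
        inits = [m for m in members if roles[m] == "initiator"]
        tgts = [m for m in members if roles[m] == "target"]
        if len(inits) != 1 or len(tgts) != 1:
            problems.append("{}: {} initiator(s), {} target(s), expected 1 and 1"
                            .format(name, len(inits), len(tgts)))
        elif name != zone_name(inits[0], tgts[0]):
            problems.append("{}: name does not match Z_<initiator>_<target>".format(name))
    return problems


def render_config(dc_id, vsan, zones, inventory):
    """Render the NX-OS CLI for one VSAN: device-alias database (enhanced mode,
    committed via CFS), zones, zoneset, activation and the enhanced-zoning commit."""
    lines = ["device-alias mode enhanced", "device-alias database"]
    for d in inventory:
        lines.append("  device-alias name {} pwwn {}".format(d.alias, d.pwwn))
    lines += ["  exit", "device-alias commit", "zone mode enhanced vsan {}".format(vsan)]
    for name, members in zones.items():
        lines.append("zone name {} vsan {}".format(name, vsan))
        lines += ["  member device-alias {}".format(m) for m in members]
    zs = zoneset_name(dc_id, vsan)
    lines.append("zoneset name {} vsan {}".format(zs, vsan))
    lines += ["  member {}".format(name) for name in zones]
    lines.append("zoneset activate name {} vsan {}".format(zs, vsan))
    lines.append("zone commit vsan {}".format(vsan))   # applies and distributes via CFS
    return "\n".join(lines)


# Each host HBA gets its own zone to each storage port it must reach.
PAIRS = [
    ("H_esx01_hba0", "T_arr1_ct0p0"),
    ("H_esx01_hba0", "T_arr1_ct1p0"),
    ("H_esx02_hba0", "T_arr1_ct0p0"),
    ("H_esx02_hba0", "T_arr1_ct1p0"),
]

if __name__ == "__main__":
    zones = build_zones(PAIRS)
    problems = check_zones(zones, INVENTORY)
    if problems:
        raise SystemExit("\n".join(problems))
    print(render_config("DC1", 10, zones, INVENTORY))
```

Run it to print the configuration for VSAN 10; feed check_zones a zone with two host aliases in it and it reports the violation instead of emitting CLI, which is the check to run before any commit on the fabric.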