
Prevent host/initiator from discovering Fabric information

Robert Elmes
Level 1

I've a W2K8 system installed and using "Storage Explorer" it can see the whole fibre channel fabric, including information on all Zones and ZoneSets - which surprised me.  I thought it would at least be limited to only seeing information about the systems in the zone it was in, but it appears to have everything for the entire VSAN.

From the MS information on this tool it states

Storage Explorer uses CT commands (FC-GS-4 spec) to query FC switches for fabric information. Only Fabric switches are supported.

On the network side, we disable CDP on the switch port to prevent information on the network being available to the host.  Is there an equivalent for the FC storage network?

If it can't be "switched off", is there a way to limit what can be discovered?

Hoping I've just missed something obvious :-)


maminhas
Level 1

The description is missing information about which switch the Win2K8 host was connected to.

Assuming it was connected to a Cisco Fibre Channel switch (MDS 9000 family)?

CDP isn't any particular requirement for Fibre Channel switches and has no correlation with zones/zonesets.

A Fibre Channel switch uses CFS distribute to get config information from its peer Fibre Channel switches in a fabric.

It isn't clear how it was learned from the switch perspective, for the Win2K8 host in question:

"it can see the whole fibre channel fabric, including information on all Zones and ZoneSets"

Thanks for the response, here's a little more detail.

The blade is in a UCS system which is indeed connected to a pair of MDS9124's. This blade is using the M71KR-Q mezzanine card. We also have blades with the M72KR-Q card; I've yet to test against those to see if it is any different. The service profile offers up two HBAs to the OS, one connected to each SAN fabric. FC is used for the boot LUN presentation in the UCS environment and zoning is used to keep systems separate.

Agreed, CDP has nothing to do with FC; I'm just using it as an analogy from the network world.

The output from storage explorer gives WWPNs, zoneset names and zone names for all those defined in the VSAN for which the HBA is connected.

Hi Rob,

Can you open a TAC Case for this?

Regards,

David

Will do.

Can you please post the workaround/fix for this, as Storage Explorer can circumnavigate Fabric Manager for anybody with access to a SAN attached Windows 2008 server?

I was looking at changing the permissions on "storexpl.msc" but that's using a sledgehammer to crack a nut.

Thanks

In fact, the only way to "Prevent host/initiator from discovering fabric" is: just don't connect the HBA to the switchport. As simple as that.

As mentioned above: "work around/fix for this. As Storage Explorer can circumnavigate Fabric Manager for anybody with access to a SAN attached Windows 2008 server ... changing the permissions on storexpl.msc"?

These things are beyond the scope of the switch. If you think those can be done, good.

The straight answer to the above question is: from the "switch perspective", simply unplug it from the switchport or shut down the port where it is connected, and the device would not be able to discover the fabric.

If there are any other questions beyond this one, it is better to open a TAC case.

The device does need to be connected to the fabric, otherwise it would be a little tricky to boot it from the SAN.

The remainder of the section from the Microsoft site regarding this issue is:

2.2 – FC Switch blocking CT commands

Storage Explorer uses CT commands (FC-GS-4 spec) to query FC switches for fabric information. Only Fabric switches are supported.

Certain switches are pre-configured not to respond to CT commands and this will prevent Storage Explorer from showing any information about the FC fabric.

You can find additional information about these CT commands and a link to the latest FC-GS-4 specification at http://www.t11.org/t11/stat.nsf/upnum/1505-d

Some switches do not support any CT Passthrough commands by default, thus preventing Storage Explorer from showing any fabric or server information.

Please note that this might not affect all hardware revisions and/or models of an FC switch.

If you find that appropriate, you can reconfigure your switch by changing from the closed mode (default) to open mode (not default).

Please check with your switch vendor before making any modifications to your default configuration and validate this in a test environment first.

So it appears that some switches either by default/design block this data or at least have the ability to be configured to do so.  Hopefully TAC will be able to answer whether this is possible or not for the MDS9124.
