Home » HP Manuals » Storage Devices » HP StorageWorks 16-EL » Manual Viewer

HP StorageWorks 16-EL HP StorageWorks Zoning V3.1.x/4.1.x User Guide (AA-RS26C - Page 69

Using Zoning to Administer Security

View all HP StorageWorks 16-EL manuals

Add to My Manuals
Save this manual to your list of manuals

Page 69 highlights

Using Zoning to Administer Security B Zones can be used to provide controlled access to fabric segments and to establish barriers between operating environments, such as to isolate systems with different uses or protect systems in a heterogeneous environment. For example, when Zoning is in secure mode, merge operations do not occur. HP Zoning is done on the primary Fabric Configuration Server (FCS). The primary FCS switch makes zoning changes and other security-related changes. The primary FCS switch also distributes zoning to all other switches in the secure fabric. All existing interfaces can be used to administer zoning. Zone management operations must be performed from the primary FCS switch using a zone management interface, such as telnet or Web Tools. A zoning database can be altered, provided you are connected to the primary FCS switch. When two secure fabrics join, the traditional zoning merge does not occur. Instead, a zoning database is downloaded from the primary FCS switch of the merged secure fabric. When E_ports are active between two switches, the name of the FCS server and a zoning policy set version identifier are exchanged between the switches. If the views of the two secure fabrics are the same, the fabric's primary FCS server downloads the zoning database and security policy sets to each switch in the fabric. If there is a view conflict, the E_ports are segmented as incompatible security data. Note: Secure Fabric OS requires the activation of an HP security license. As part of zoning architecture, the user will need to determine which of the two basic zoning architectures will work best for their fabric. With time and planning, the basic hard zone configuration will work for most sites. If a site has additional security needs, the user will need to add the additional layer of Secure Fabric OS to lock down the fabric, in addition to the standard zoning architecture. Zoning Version 3.1.x/4.1.x User Guide 69

Section	Page
Contents	3
About this Guide	7
Overview	8
Intended Audience	8
Related Documentation	8
Conventions	9
Document Conventions	9
Table 1: Document Conventions	9
Text Symbols	9
Getting Help	11
HP Technical Support	11
HP Storage Website	11
HP Authorized Reseller	11
Introducing Zoning	13
Overview	14
Customizing Environments	14
Optimizing Resources	14
License Activation	15
License Activation Using Telnet	16
Figure 1: License activation using telnet	16
License Activation Using Web Tools	17
Zoning Concepts	19
About Zoning	20
Figure 2: Fabric with three zones	20
Guidelines to Setting Up Zoning	21
Zone Definitions	22
Zone Objects	22
Selecting Ports on the Core Switch 2/64	23
Table 2: Area and Port Mappings (Continued)	23
Zone Objects and Aliases	24
Zone Objects	24
Zone Aliases	24
Zone Configurations	25
Zone Management	26
Commands to Open a Transaction	26
Commands to Close a Transaction	27
Zoning Schemes	28
Zone Enforcement	28
Figure 3: PortZoneShow output	29
Implementing Zoning	30
Create and Enable a Basic Zone Configuration	30
Detailed Zone Configuration Procedures	30
Review Current Configurations	31
Create an Alias	32
Define a Zone	32
Define a Zone Configuration	33
Analyze the Zone Configuration	33
Enable a Zone Configuration	33
Review The Enabled Configuration	34
Modifying Configurations	36
Before Merging Zones	36
Adding a New Switch	36
Adding a New Fabric	37
Merging and Segmentation	37
Merging Rules	38
Merging Two Fabrics	38
Merging with a V4.1 Fabric	38
Merge Conflicts	39
Splitting a Fabric	39
Zone Merging Scenarios	40
Table 3: Zone Merging Scenarios (Continued)	40
Resolving Zone Conflicts	42
Rules of Zoning Architecture	43
Using QuickLoop Zones	45
QuickLoop Zones	46
QuickLoop Zoning Advantages	47
Configuring QuickLoop Zones	48
Create a QuickLoop	48
Define a QuickLoop Zone	48
To Specify by Looplet	48
To Specify by AL_PA	49
To specify a Combination of looplet and AL_PA	49
Define a QuickLoop Zone Configuration	49
QuickLoop Fabric Assist	50
Fabric Assist Zone Setup	51
Fabric Assist Zone Creation	51
Fabric Assist Operation	51
LIP Propagation	51
Fabric Assist Debugging	52
Zoning Concepts and Guidelines	53
Storage Area Networks	54
Zoning	55
Zone Management	56
Zoning Implementations	57
Host-Based Zoning	57
Storage-Based Zoning	57
Fabric-Based Zoning	57
Fabric-Based Zoning Philosophies	58
No Fabric Zoning	58
Zoning by Application	58
Zoning by Operating System	58
Port allocation	59
Single HBA	59
The Effect of Zoning on RSCN Delivery	60
Table 4: RSCN Delivery	61
Implementing Zoning	62
Naming Convention	62
Implementing Zoning on an Existing Fabric	63
Deviations from Single HBA Zoning	64
Hardware-Enforced Zoning in an HP Fabric	65
Fabrics Composed of Only StorageWorks 1 Gb SAN Switch Models	65
Fabrics Composed of StorageWorks 2 Gb SAN Switch and StorageWorks Core Switch Models	66
Fabrics Composed of 1 Gb SAN, 2 Gb SAN, and Core Switch Models	66
Best Practices for Hardware Zone Enforcement	66
Using Zoning to Administer Security	69
Glossary	71
Index	103
A	103
C	103
D	103
F	103
G	103
H	103
I	103
L	103
M	103
O	103
Q	103
R	104
S	104
T	104
W	104

Match case Limit results 1 per page

Zoning Version 3.1.x/4.1.x User Guide

Using Zoning to Administer Security

Zones can be used to provide controlled access to fabric segments and to establish barriers

between operating environments, such as to isolate systems with different uses or protect

systems in a heterogeneous environment. For example, when Zoning is in secure mode,

merge operations do not occur.

HP Zoning is done on the primary Fabric Configuration Server (FCS). The primary FCS

switch makes zoning changes and other security-related changes. The primary FCS switch

also distributes zoning to all other switches in the secure fabric. All existing interfaces can

be used to administer zoning.

Zone management operations must be performed from the primary FCS switch using a

zone management interface, such as telnet or Web Tools. A zoning database can be

altered, provided you are connected to the primary FCS switch.

When two secure fabrics join, the traditional zoning merge does not occur. Instead, a

zoning database is downloaded from the primary FCS switch of the merged secure fabric.

When E_ports are active between two switches, the name of the FCS server and a zoning

policy set version identifier are exchanged between the switches. If the views of the two

secure fabrics are the same, the fabric’s primary FCS server downloads the zoning

database and security policy sets to each switch in the fabric. If there is a view conflict, the

E_ports are segmented as incompatible security data.

Note:

Secure Fabric OS requires the activation of an HP security license.

As part of zoning architecture, the user will need to determine which of the two

basic zoning architectures will work best for their fabric. With time and planning,

the basic hard zone configuration will work for most sites. If a site has additional

security needs, the user will need to add the additional layer of Secure Fabric OS

to lock down the fabric, in addition to the standard zoning architecture.