HP StorageWorks 4000/6000/8000 .HP StorageWorks SAN Design Reference Guide, Pa - Page 421

Zoning, Zoning enforcement, Zoning guidelines

Get HP StorageWorks 4000/6000/8000 - Enterprise Virtual Arrays PDF manuals and user guides View all HP StorageWorks 4000/6000/8000 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 421 highlights

and returns the LUNs assigned to the WWN. Any other LUNs on that storage port are not available to the server. Zoning This section describes configuration recommendations for: • Zoning enforcement, page 421 • Zoning guidelines, page 421 • EBS zoning, page 423 • Zone naming, page 423 Zoning enforcement To protect against unauthorized access, Fibre Channel switches provide three types of zoning enforcement (listed here in order of enforcement): • Access authorization Access authorization provides frame-level access control in hardware and verifies the SID-DID combination of each frame. The frame is delivered to the destination only if specified as a valid combination in the zone definition. This method offers a high level of security and is classified as hard zoning because it requires hardware resources at the ASIC level. • Discovery authentication Discovery authentication occurs during access to the NS) directory. The fabric presents only a partial list of authorized devices from the NS directory. This method may be enforced by software or hardware, depending on the switch model. When enforced by software, this method is susceptible to security threats from unauthorized devices that violate Fibre Channel protocols. • Soft-plus zoning by login authentication In addition to discovery authentication, some switches enforce authentication at the Fibre Channel protocol login frame level. For example, if a host sends a PLOGI frame to a device that is not a member of its zone, the frame is dropped. Login authentication provides more protection than discovery authentication but is not as secure as access authorization. The zone configuration and the switch model determine the type of zoning enforcement you can implement in your SAN fabric. For information about the relationship of zone configuration with zoning enforcement, see the following tables: • Table 17 on page 91 (H-series) • Table 35, page 128 (B-series) • Table 53, page 150 (C-series) • Table 70, page 165 (M-series) Some system restrictions affect the movement of devices within the fabric, regardless of zoning type. For example, some operating systems, such as HP-UX, create device file names based on the 24-bit fabric address and do not allow moving the device to a different port. A change in the address causes the device to be treated as a different device. Zoning guidelines Use one of the following zoning methods: • Operating system (minimum level required) SAN Design Reference Guide 421

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320
  • 321
  • 322
  • 323
  • 324
  • 325
  • 326
  • 327
  • 328
  • 329
  • 330
  • 331
  • 332
  • 333
  • 334
  • 335
  • 336
  • 337
  • 338
  • 339
  • 340
  • 341
  • 342
  • 343
  • 344
  • 345
  • 346
  • 347
  • 348
  • 349
  • 350
  • 351
  • 352
  • 353
  • 354
  • 355
  • 356
  • 357
  • 358
  • 359
  • 360
  • 361
  • 362
  • 363
  • 364
  • 365
  • 366
  • 367
  • 368
  • 369
  • 370
  • 371
  • 372
  • 373
  • 374
  • 375
  • 376
  • 377
  • 378
  • 379
  • 380
  • 381
  • 382
  • 383
  • 384
  • 385
  • 386
  • 387
  • 388
  • 389
  • 390
  • 391
  • 392
  • 393
  • 394
  • 395
  • 396
  • 397
  • 398
  • 399
  • 400
  • 401
  • 402
  • 403
  • 404
  • 405
  • 406
  • 407
  • 408
  • 409
  • 410
  • 411
  • 412
  • 413
  • 414
  • 415
  • 416
  • 417
  • 418
  • 419
  • 420
  • 421
  • 422
  • 423
  • 424
  • 425
  • 426
  • 427
  • 428
  • 429
  • 430
  • 431
  • 432
  • 433
  • 434
  • 435
  • 436
  • 437
  • 438
  • 439
  • 440
  • 441
  • 442
  • 443
  • 444
  • 445
  • 446
  • 447
  • 448
  • 449
  • 450
  • 451
  • 452
  • 453
  • 454
  • 455
  • 456
and returns the LUNs assigned to the WWN. Any other LUNs on that storage port are not available
to the server.
Zoning
This section describes configuration recommendations for:
Zoning enforcement
, page 421
Zoning guidelines
, page 421
EBS zoning
, page 423
Zone naming
, page 423
Zoning enforcement
To protect against unauthorized access, Fibre Channel switches provide three types of zoning
enforcement (listed here in order of enforcement):
Access authorization
Access authorization provides frame-level access control in hardware and verifies the SID-DID
combination of each frame. The frame is delivered to the destination only if specified as a valid
combination in the zone definition. This method offers a high level of security and is classified as
hard zoning because it requires hardware resources at the ASIC level.
Discovery authentication
Discovery authentication occurs during access to the NS) directory. The fabric presents only a
partial list of authorized devices from the NS directory. This method may be enforced by software
or hardware, depending on the switch model. When enforced by software, this method is suscept-
ible to security threats from unauthorized devices that violate Fibre Channel protocols.
Soft-plus zoning by login authentication
In addition to discovery authentication, some switches enforce authentication at the Fibre Channel
protocol login frame level. For example, if a host sends a PLOGI frame to a device that is not a
member of its zone, the frame is dropped. Login authentication provides more protection than
discovery authentication but is not as secure as access authorization.
The zone configuration and the switch model determine the type of zoning enforcement you can
implement in your SAN fabric. For information about the relationship of zone configuration with
zoning enforcement, see the following tables:
Table 17
on page 91 (H-series)
Table 35
, page 128 (B-series)
Table 53
, page 150 (C-series)
Table 70
, page 165 (M-series)
Some system restrictions affect the movement of devices within the fabric, regardless of zoning type.
For example, some operating systems, such as HP-UX, create device file names based on the 24-bit
fabric address and do not allow moving the device to a different port. A change in the address causes
the device to be treated as a different device.
Zoning guidelines
Use one of the following zoning methods:
Operating system (minimum level required)
SAN Design Reference Guide
421