Cisco - Zoning


Upload: anil-nidamarthi

Post on 15-Oct-2014


High Sensitivity Process: Consult online version before proceeding

Compliance Monitored

Storage Service Line

Version: 3.5

Owner: Jim Olson

Authors:

John Locke

Karen Haberli

Andrew Newman


Table of Contents

Cisco - Zoning

Table of Contents

Change History

Process Sensitivity: High – Compliance Monitored

Prerequisites:

1. Configuring VSANs and Interfaces

2. Creating VSANs

2.1. Default VSAN

3. Configuring Interfaces

3.1. Adding Interfaces to VSANs

4. Configuring Zones and Zone Sets

5. Zone Set Backups


Change History

| Revision Number | Revision Date | Summary of Changes | Updated By |
| 2.0 | 10/11/2011 | Moved the process to the Sapphire repository | Andrew Newman |
| 3.0 | 11/28/2011 | Added steps to the process that indicate server admins need to be added to the change record to do verification after the server is zoned to each fabric. Updated Document Formatting. Added a Table of Contents. | John Locke |
| 3.5 | 12/23/2011 | Important Notice section was added that describes the rules for compliance and indicates the consequences for failure to comply. Additional instructions for zoning verification added between updates of each fabric. Update Regarding CLI Usage. | Kirby Dahman |


Process Sensitivity: High – Compliance Monitored

Review this document prior to each zoning change action.

Review Storage Technical Quality Review Process document appendices to determine level of formal review required prior to proceeding with changes.

If non-compliance with this process is determined to have contributed to a customer incident, the following actions will be taken by Delivery Management:

1) The storage administrator’s local 2nd and 1st line management will be notified of the non-compliance

2) Retraining in the process will be required. Certification of the completion of the retraining will be provided by the storage administrator’s 2nd line management.

3) Non-compliance will be subject to possible disciplinary review by local management.

Prerequisites:

You must include two verification steps in your change record and assign them to the server admin team. The server admin must verify the server can see the fabric after each zoneset is activated.

Using the GUI is the approved method. * USING CLI IS NOT CONSIDERED BEST PRACTICE. USE OF CLI IS ONLY PERMITTED WITH PRIOR WRITTEN MANAGEMENT APPROVAL ON A CASE BY CASE BASIS. CLI STEPS MUST BE REVIEWED VIA STQRP PROCESS.

IF THE GUI IS NON FUNCTIONAL, A SEVERITY 1 PROBLEM TICKET SHOULD BE OPENED TO ADDRESS THIS.

1. Configuring VSANs and Interfaces

You can achieve higher security and greater stability in Fibre Channel fabrics by using virtual storage area networks (VSANs). VSANs provide isolation among devices that are physically connected to the same fabric.

Interfaces are members of a VSAN. Interfaces enable communication between switches in a VSAN. Interfaces that are members of the same VSAN can communicate with each other; interfaces that are members of different VSANs cannot communicate with each other.

2. Creating VSANs

VSANs help you create multiple logical SANs over a common physical infrastructure. Each VSAN can contain up to 239 switches and has an independent address space that allows identical Fibre Channel IDs (FC IDs) to be used simultaneously in different VSANs.

2.1. Default VSAN

VSAN 1, also known as the default VSAN, is typically used for communication, management, or testing purposes. We recommend that you do not use VSAN 1 as your production environment VSAN. There are several features that, when configured, disrupt traffic on VSAN 1. If you use VSAN 1 as your production environment VSAN, you risk disrupting traffic when these features are configured.

Note: VSAN 1 is enabled by default. We recommend that you use other available VSANs as your production environment VSAN.

To add and configure a VSAN, follow these steps.


Create VSAN

Step 2 Complete the fields in the Create VSAN dialog box.

• Select the switches that you wish to assign to the VSAN. For example switch_name is the switch selected to be assigned to a VSAN.

• Select a VSAN ID for the VSAN.

• Assign a name to the VSAN. For example VSAN_test is the assigned VSAN name.

3. Configuring Interfaces

The main function of a switch is to relay frames from one data link to another. To do that, the characteristics of the interfaces through which the frames are sent and received must be defined. The configured interfaces can be Fibre Channel interfaces, the management interface (mgmt0), or VSAN interfaces.

The following procedures are used to move the ports on a switch of a previously created VSAN, configure the interfaces, and add them to the VSAN.


3.1. Adding Interfaces to VSANs

To configure Fibre Channel interfaces, follow these steps:

Step 1 In the Physical Attributes pane, expand Switches > Interfaces, then choose FC Physical.

You see the interface configuration in the Information pane.

Step 2 From the General tab, set the values for Mode Admin, Port VSAN membership, and Status Admin.

Step 3 Optionally, set other configuration parameters using the other tabs.

Step 4 Click Apply Changes.

Step 5 Click Yes.

4. Configuring Zones and Zone Sets

Before setting up zones and zone sets make sure you have configured VSANs and interfaces.

Zoning enables you to set up access control between storage devices or user groups. If you have administrator privileges in your fabric, you can create zones to increase network security and to prevent data loss or corruption. You can configure up to 8K zones in a VSAN.

Figure describes the steps for configuring zones and zone sets.

Zones and Zone Sets


Device Aliases/Zoning Process

1. Initially, to be able to zone by Device Aliases in FM, we need to turn on Device Alias "Enhanced Mode".

1. Go to Fabric Manager -> Physical Attributes -> End Devices -> Device Alias

2. Top Information Pane -> Global column, Change ConfigMode to "enhanced" and click the Green Box to commit your changes. This should be already set during the initial switch configuration process.

2. To create a Device Alias

A. For devices already connected to the fabric

1. Go to Fabric Manager -> Physical Attributes -> End Devices -> either Hosts or Storage

2. Top Information Pane -> Alias, populate the Alias column of the device(s). Click in the alias cell and type in the alias name to be used.

3. Select row(s) and click the Alias -> Enclosure box

4. Click the Green Box to commit your changes (when you make a change, the green commit button will be to the right of the Alias -> Enclosure button)

B. To pre-populate a Device Alias prior to it being connected to the fabric

1. Go to Fabric Manager -> Physical Attributes -> End Devices -> Device Alias

2. Top Information Pane -> Configuration Column


3. Click the Blue Box to create a new row (the blue box inserts a new entry)

After clicking the blue box the below screen will appear.

4. Enter the Alias name and pwwn.

5. Click the Green Box to commit your changes.

6. Click the Green CFS button to distribute the Device Aliases throughout the Fabric (Cisco Fabric Services does this in the background)

3. Zoning

A. Go to Fabric Manager -> Logical Domains

B. Right click on selected VSAN -> Edit Local Full Zone Database

C. Popup Window

1. Create Zoneset (Right-Click on Zonesets -> Insert, if this is a new VSAN, otherwise the zoneset should already be there)

2. Create Zone (Right-Click on Zones -> Insert). Put in the name for the zone. Take the defaults for the rest of the screen.

3. Add Device Alias to Zone

a. Expand Zones and select the newly created zone

b. Select the "Zone by: Device Alias" radio button [you can also filter what devices appear with the "Show:" dropdown box].

c. Select device(s) and click the "Add to Zone" box.

4. Add Zone to Zoneset - In the tree, drag the selected Zone on top of the selected Zoneset

5. Repeat for multiple zones

6. Perform final reviews. Activate Zoneset -> Click on the selected Zoneset and click the Activate box

Note: You MUST review your zoning changes. Ensure you have NOT deleted zones that you did not intend to delete. When you are satisfied your actions are correct, then click the Continue Activation box.

*NOTE*

Once the new configuration is activated, review it again to ensure it is what you expected for the full configuration (unchanged parts and changed parts).

In addition, when the changed zoneset is activated, the server administrators must verify their servers are zoned correctly. (This step needs to be documented and assigned to the server admin in the change record). This step should be accomplished after changes to each fabric. In a redundant fabric, this should be done for both the first and the second (redundant partner) fabric being changed.

7. After each fabric change, and before continuing to the next fabric in a redundant pair, perform the following:

a.) Contact Server SA and have them verify that zoning changes for the server are correct.

b.) Have SA also check at least 3 other servers in the fabric to ensure unintended zoning changes did not occur.

c.) Check fabric for any pathing or fabric issues.

d.) Check to be sure no server or application outages have been reported subsequent to your changes.

e.) Do NOT proceed to rezone the second fabric of a redundant fabric pair until these steps have completed. At least one hour should pass following completion of rezoning of one fabric prior to the subsequent rezoning of the second fabric of a redundant pair.

Zoning is now complete for this fabric. If more zoning is needed, repeat steps on other fabric.
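One way to support the review of zoning changes required above, as an added example that is not part of the original process document: a Python comparison of the zone database before and after a change that flags any zone or zoneset touched but not named in the change record. It assumes both databases are available as text in NX-OS zone configuration syntax (`zone name ... vsan ...` followed by `member ...` lines); the function names and sample data are hypothetical.

```python
import re

# Constructed sample exports in NX-OS zone configuration syntax (not from the page).
BEFORE = """\
zone name z_app01_hba0 vsan 10
  member device-alias app01_hba0
  member device-alias array1_spa0
zone name z_db01_hba0 vsan 10
  member device-alias db01_hba0
  member device-alias array1_spa0
zoneset name zs_fabric_a vsan 10
  member z_app01_hba0
  member z_db01_hba0
"""
# The change record adds z_web01_hba0; here it overwrote z_db01_hba0 by mistake.
AFTER = BEFORE.replace("db01", "web01")
HEADER = re.compile(r"^(zone|zoneset) name (\S+) vsan (\d+)$")

def parse_zone_db(text):
    """Return {(kind, name, vsan): set of member strings} for each stanza."""
    db, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2), int(m.group(3)))
            db.setdefault(current, set())
        elif line.startswith("member ") and current:
            db[current].add(line[len("member "):].strip())
        elif line and not raw[0].isspace():
            current = None  # any other top-level command ends the stanza
    return db

def diff_zone_db(before, after, expected):
    """List added/removed/changed objects; 'unexpected' = not in the change record."""
    report = {"added": [], "removed": [], "changed": [], "unexpected": []}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old == new:
            continue
        status = "added" if old is None else "removed" if new is None else "changed"
        entry = key if status != "changed" else (key, sorted(new - old), sorted(old - new))
        report[status].append(entry)
        if key[1] not in expected:
            report["unexpected"].append((status, key))
    return report

if __name__ == "__main__":
    r = diff_zone_db(parse_zone_db(BEFORE), parse_zone_db(AFTER), {"z_web01_hba0", "zs_fabric_a"})
    for status, key in r["unexpected"]:
        print("NOT IN CHANGE RECORD:", status, *key)
```

An empty `unexpected` list means every difference maps to an object named in the change record; anything else should be resolved before the second fabric is touched.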


*NOTE*

YOU MUST VERIFY YOUR CHANGES BEFORE CONTINUING. PLEASE CONFIRM THAT THE CHANGES BEING MADE ARE WHAT YOU EXPECTED TO SEE.

Once the zoneset is activated on the second fabric, the server admins must verify their servers can see both fabrics. (This step needs to be documented and assigned to the server admin in the change record)

5. Zone Set Backups

There is a limit to the number of zone/zonesets that can be stored locally on the switch.

The following are the tested configuration limits as of NX-OS 5.x:

Zone members

Verified: 16,000 zone members per physical fabric (includes all VSANs)

Maximum: 20,000 zone members per physical fabric (includes all VSANs)

Zones

Verified: 8000 zones per switch (includes all VSANs)

Maximum: 8000 zones per switch (includes all VSANs)

Zone sets

Verified: 500 zone sets per switch (includes all VSANs)

Maximum: 1000 zone sets per switch (includes all VSANs)

To get around the limitations, you can back up older zonesets directly to the FMS server. The following is the process to do that.

1) Select Zone -> Edit Local Full Zone Database

2) Select the appropriate VSAN -> Click OK

Select File -> Backup -> This VSAN (or all Zones)

The Backup All Zone Configuration window will appear.

Select Local or Remote backup.

Local -> Choose destination folder in the FMS server

Remote -> Fill in xFTP Server IP address and the File Name.

After you back up, you may need to restore the backup zoneset.

In the Edit Local Full Zone Database tool, select Restore.

The restore window will appear.

Local -> Browse to the backup zonesetconfig

Remote -> Enter the xFTP IP address and then enter the file name of the backup config.

END OF DOCUMENT