Enhanced Zoning and Other Zoning Notes

From what I've read so far, Enhanced Zoning seems complex and tricky enough to have a post dedicated to it.  I'll write down some notes and do some lab testing so that I understand it well.

I'll start with copying the Cisco introduction to Enhanced Zoning:

Enhanced zoning enables you to perform all configurations using a single configuration session. It enforces and exchanges the default zone setting throughout the fabric. Enhanced zoning uses the same techniques and tools as basic zoning, with a few added commands. The flow of enhanced zoning, however, differs from that of basic zoning.

Enhanced zoning has the following features:
  • VSAN wide scope, so that while VSAN X is using enhanced zoning, other VSANs can continue to use basic zoning.
  • Is IVR compatible.
  • Provides session locking, so that two SAN administrators cannot simultaneously modify a zoning database within a VSAN.
  • Provides implicit full zone set distribution, so that the zone set database local to each switch remains in sync when a zone set is modified.
  • Allows full zone set changes to be distributed without having to activate a zone set. This can be used to ready features in the daytime and activate the zone set at night.
  • Stages modifications until they are explicitly committed or aborted, allowing the SAN administrator to review changes before activation.
  • Can control how a zone merge is done. Merging can be accomplished either by performing a union of two zone sets according to the same rules as basic zoning, or by merging only identical active zone sets. The latter method prevents accidental merging.

Here is the section on enabling Enhanced Zoning:

Enhanced zoning can be turned on per VSAN as long as each switch within that VSAN is enhanced zoning capable. Enhanced zoning only needs to be enabled on one switch within the VSAN (existing SAN). At the time enhanced zoning is enabled the command will be propagated to the other switches within the VSAN automatically.

The rules for enabling enhanced zoning are:
  • Enhanced zoning only needs to be enabled on one switch in the VSAN of an existing converged SAN fabric. Enabling it on multiple switches within the same VSAN can result in failure to activate properly.
  • Enabling enhanced zoning does not perform a zone set activation.
  • The switch that is chosen to initiate the migration to enhanced zoning will distribute its full zone database to the other switches in the VSAN, thereby overwriting the destination switches’ full zone set database.

Note that it is critical that zone distribution is turned on and each switch has its zoning information up to date. Failure to do so will result in deleting the full zone set database. This can be done by verifying zone distribution is turned on and a zone activation is performed before enabling enhanced zoning.

To enable enhanced zoning via CLI follow the following procedure.
Switch# conf t
Switch(config)# zone mode enhanced vsan <vsan number>
Switch(config)# end
Switch# copy run start

To display the zoning mode status:
Switch# show zone status vsan <vsan number>

Lab configuration and testing

I started off by enabling enhanced zoning on the first MDS in my lab:
MDS1(config)# zone mode enhanced vsan 10

Then I added the devices as members to the 'test-zone' that I have been using:
MDS1(config)# zone name TEST-ZONE vsan 10
    member pwwn 22:00:00:18:62:07:ff:e1
    member pwwn 22:00:00:11:c6:31:f7:bd
    member pwwn 22:00:00:11:c6:f5:1a:f2
    member pwwn 10:00:00:00:c9:6e:b6:21
    member pwwn 22:00:00:14:c3:1b:a2:ba
    member pwwn 22:00:00:14:c3:1b:9d:4f
    member pwwn 22:00:00:14:c3:1b:9f:57
    member pwwn 22:00:00:14:c3:1b:9c:da
MDS1(config-zone)# zone commit vsan 10

The zone entries appear on the #2 MDS switch:
MDS2# sh zone vsan 10
zone name TEST-ZONE vsan 10
  pwwn 22:00:00:18:62:07:ff:e1 [DISK-300GB-1]
  pwwn 22:00:00:11:c6:31:f7:bd [DISK-300GB-2]
  pwwn 22:00:00:11:c6:f5:1a:f2 [DISK-174GB-1]
  pwwn 10:00:00:00:c9:6e:b6:21 [HELLA-HBA]
  pwwn 22:00:00:14:c3:1b:a2:ba [DISK-174GB-2]
  pwwn 22:00:00:14:c3:1b:9d:4f [DISK-174GB-3]
  pwwn 22:00:00:14:c3:1b:9f:57 [DISK-174GB-4]
  pwwn 22:00:00:14:c3:1b:9c:da [DISK-174GB-5]

Now to create the zoneset:
MDS1(config)# zoneset name TEST-ZONESET vsan 10
    member TEST-ZONE

Activate the zoneset:
MDS1(config)# zoneset activate name TEST-ZONESET vsan 10

Commit the changes:
MDS1(config)# zone commit vs 10
Commit operation initiated. Check zone status

Zone is now active on MDS #2:
MDS2# sh zone active
zone name TEST-ZONE vsan 10
  pwwn 22:00:00:18:62:07:ff:e1 [DISK-300GB-1]
  pwwn 22:00:00:11:c6:31:f7:bd [DISK-300GB-2]
  pwwn 22:00:00:11:c6:f5:1a:f2 [DISK-174GB-1]
  pwwn 10:00:00:00:c9:6e:b6:21 [HELLA-HBA]
  pwwn 22:00:00:14:c3:1b:a2:ba [DISK-174GB-2]
  pwwn 22:00:00:14:c3:1b:9d:4f [DISK-174GB-3]
  pwwn 22:00:00:14:c3:1b:9f:57 [DISK-174GB-4]
  pwwn 22:00:00:14:c3:1b:9c:da [DISK-174GB-5]
 
The next step that I want to try is removing the default zone statement from VSAN 10 and adding the interfaces that connect to the disk shelves and the HBA to the TEST-ZONE:
MDS1(config)# no zone default-zone permit vsan 10
MDS1(config)# zone commit vs 10
Commit operation initiated. Check zone status


MDS1(config-zone)# member interface fc1/1
Enhanced zone session has been created. Please 'commit' the changes when done.
MDS1(config-zone)# member interface fc1/4
MDS1(config-zone)# zone commit vs 10
Commit operation initiated. Check zone status

MDS2(config-zone)# member int fc1/1
Enhanced zone session has been created. Please 'commit' the changes when done.
MDS2(config-zone)# zone commit vs 10
Commit operation initiated. Check zone status

MDS2# sh zone vsan 10
zone name TEST-ZONE vsan 10
  pwwn 22:00:00:18:62:07:ff:e1 [DISK-300GB-1]
  pwwn 22:00:00:11:c6:31:f7:bd [DISK-300GB-2]
  pwwn 22:00:00:11:c6:f5:1a:f2 [DISK-174GB-1]
  pwwn 10:00:00:00:c9:6e:b6:21 [HELLA-HBA]
  pwwn 22:00:00:14:c3:1b:a2:ba [DISK-174GB-2]
  pwwn 22:00:00:14:c3:1b:9d:4f [DISK-174GB-3]
  pwwn 22:00:00:14:c3:1b:9f:57 [DISK-174GB-4]
  pwwn 22:00:00:14:c3:1b:9c:da [DISK-174GB-5]
  interface fc1/1 swwn 20:00:00:0d:ec:1f:bc:00
  interface fc1/4 swwn 20:00:00:0d:ec:1f:bc:00
  interface fc1/1 swwn 20:00:00:0d:ec:0e:96:c0

Now if I rescan my HBA in vSphere, I should see all 7 drives and the HBA.



Other Zoning Notes

Default Zone
From the SAN OS Guide:
Each member of a fabric (in effect a device attached to an Nx port) can belong to any zone. If a member is not part of any active zone, it is considered to be part of the default zone. Therefore, if no zone set is active in the fabric, all devices are considered to be in the default zone. Even though a member can belong to multiple zones, a member that is part of the default zone cannot be part of any other zone.

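Since the default-zone policy is set to deny communication, devices cannot talk to each other until zones are set up. If you don't have any zones set up, you can change the default-zone behavior to permit, which allows communication between all devices that are left in the default zone:

MDS1(config)# zone default-zone permit vsan 1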

Here is the output of the current zone status:
MDS1# sh zone status
VSAN: 1 default-zone: permit distribute: active only Interop: default
    mode: basic merge-control: allow
    session: none
    hard-zoning: enabled broadcast: disabled
Default zone:
    qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
    DB size: 4 bytes
    Zonesets:0  Zones:0 Aliases: 0
Active Zoning Database :
    Database Not Available
Status:

VSAN: 10 default-zone: deny distribute: active only Interop: default
    mode: enhanced merge-control: allow
    session: none
    hard-zoning: enabled broadcast: enabled
Default zone:
    qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
    DB size: 288 bytes
    Zonesets:1  Zones:1 Aliases: 0 Attribute-groups: 1
Active Zoning Database :
    DB size: 156 bytes
    Name: TEST-ZONESET  Zonesets:1  Zones:1
Status:
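
As an added example (not from the original post or from Cisco's documentation), this Python script parses the show zone status output above and flags, per VSAN, the settings this post deals with: a permit default zone, basic mode, and an open zoning session. SAMPLE is the post's own output abridged to the lines the parser reads; treating any session value other than none as a held session is an assumption.

```python
import re
# "show zone status" output from the post, abridged to the lines the parser reads.
SAMPLE = """\
VSAN: 1 default-zone: permit distribute: active only Interop: default
    mode: basic merge-control: allow
    session: none
Active Zoning Database :
    Database Not Available
VSAN: 10 default-zone: deny distribute: active only Interop: default
    mode: enhanced merge-control: allow
    session: none
Active Zoning Database :
    Name: TEST-ZONESET  Zonesets:1  Zones:1
"""
HEADER = re.compile(r"VSAN:\s*(\d+)\s+default-zone:\s*(\w+)\s+distribute:\s*(.+?)\s+Interop:")

def parse_zone_status(text):
    """Return {vsan: settings} parsed from 'show zone status' output."""
    vsans, cur, section = {}, None, None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur = {"default_zone": m.group(2), "distribute": m.group(3),
                   "mode": None, "session": None, "active_zoneset": None}
            vsans[int(m.group(1))], section = cur, None
        elif cur is None:
            continue  # ignore anything before the first VSAN header
        elif line.rstrip().endswith("Database :"):
            section = line.split()[0]  # "Full" or "Active"
        elif (m := re.match(r"\s+mode:\s*(\w+)", line)):
            cur["mode"] = m.group(1)
        elif (m := re.match(r"\s+session:\s*(.+)", line)):
            cur["session"] = m.group(1).strip()
        elif section == "Active" and (m := re.match(r"\s+Name:\s*(\S+)", line)):
            cur["active_zoneset"] = m.group(1)
    return vsans

def audit(vsans):
    """List (vsan, finding) pairs worth reviewing before a zoning change."""
    findings = []
    for vsan, v in sorted(vsans.items()):
        if v["default_zone"] == "permit":
            who = "unzoned devices" if v["active_zoneset"] else "all devices (no active zone set)"
            findings.append((vsan, f"default-zone permit: {who} can talk to each other"))
        if v["mode"] != "enhanced":
            findings.append((vsan, "basic mode: no session lock or staged commit"))
        if v["session"] != "none":  # assumption: any other value means a held session
            findings.append((vsan, f"zoning session open: {v['session']}"))
    return findings
```

Calling audit(parse_zone_status(SAMPLE)) reports two findings for VSAN 1 and none for VSAN 10; the parser also accepts the unabridged output, since lines it does not recognise are skipped.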

Removing Devices from a Zone