Fibre Channel Zoning

Information About Fibre Channel Zoning

Fibre Channel zoning allows you to partition the Fibre Channel fabric into one or more zones. Each zone defines the set of Fibre Channel initiators and Fibre Channel targets that can communicate with each other in a VSAN. Zoning also enables you to set up access control between hosts and storage devices or user groups.


Note


Fibre Channel zoning is not supported on the Cisco UCS 6454 Fabric Interconnect.


The access and data traffic control provided by zoning does the following:

  • Enhances SAN network security

  • Helps prevent data loss or corruption

  • Reduces performance issues

Information About Zones

A zone consists of multiple zone members and has the following characteristics:

  • Members in a zone can access each other; members in different zones cannot access each other.

  • Zones can vary in size.

  • Devices can belong to more than one zone.

  • A physical fabric can have a maximum of 8,000 zones.

Information About Zone Sets

Each zone set consists of one or more zones. You can use zone sets to enforce access control within the Fibre Channel fabric. In addition, zone sets provide you with the following advantages:

  • Only one zone set can be active at any time.

  • All zones in a zone set can be activated or deactivated as a single entity across all switches in the fabric.

  • Changes to a zone set are not applied until the zone set has been activated. If you make changes to the active zone set, you must reactivate that zone set to apply the changes.

  • A zone can be a member of more than one zone set.

  • A switch in a zone can have a maximum of 500 zone sets.

Support for Fibre Channel Zoning in Cisco UCS Manager

Cisco UCS Manager supports switch-based Fibre Channel zoning and Cisco UCS Manager-based Fibre Channel zoning. You cannot configure a combination of zoning types in the same Cisco UCS domain. You can configure a Cisco UCS domain with one of the following types of zoning:

  • Cisco UCS Manager-based Fibre Channel zoning—This configuration combines direct attach storage with local zoning. Fibre Channel or FCoE storage is directly connected to the fabric interconnects and zoning is performed in Cisco UCS Manager, using Cisco UCS local zoning. Any existing Fibre Channel or FCoE uplink connections need to be disabled. Cisco UCS does not currently support active Fibre Channel or FCoE uplink connections coexisting with the utilization of the UCS Local Zoning feature.

  • Switch-based Fibre Channel zoning—This configuration combines direct attach storage with uplink zoning. The Fibre Channel or FCoE storage is directly connected to the fabric interconnects and zoning is performed externally to the Cisco UCS domain through an MDS or Nexus 5000 switch. This configuration does not support local zoning in the Cisco UCS domain.


Note


Zoning is configured on a per-VSAN basis. You cannot enable zoning at the fabric level.


Cisco UCS Manager-Based Fibre Channel Zoning

With Cisco UCS Manager-based zoning, Cisco UCS Manager controls the Fibre Channel zoning configuration for the Cisco UCS domain, including creating and activating zones for all VSANs that you set up with this type of zoning. This type of zoning is also known as local zoning or direct attach storage with local zoning.


Note


You cannot implement Cisco UCS Manager-based zoning if the VSAN is also configured to communicate with a VSAN on an upstream switch and includes Fibre Channel or FCoE uplink ports.


Supported Fibre Channel Zoning Modes

Cisco UCS Manager-based zoning supports the following types of zoning:

  • Single initiator single target—Cisco UCS Manager automatically creates one zone for each vHBA and storage port pair. Each zone has two members. We recommend that you configure this type of zoning unless you expect the number of zones to exceed the maximum supported.

  • Single initiator multiple targets—Cisco UCS Manager automatically creates one zone for each vHBA. We recommend that you configure this type of zoning if you expect the number of zones to reach or exceed the maximum supported.

vHBA Initiator Groups

vHBA initiator groups determine the Fibre Channel zoning configuration for all vHBAs in a service profile. Cisco UCS Manager does not include any default vHBA initiator groups. You must create vHBA initiator groups in any service profile that is to be assigned to servers included in a zone.

The configuration in a vHBA initiator group determines the following:

  • The vHBAs included in the initiator group, which are sometimes referred to as vHBA initiators.

  • A Fibre Channel storage connection policy, which includes the associated VSAN and the Fibre Channel target ports on the storage array.

  • The type of Fibre Channel zoning to be configured for the vHBAs included in the group.

Fibre Channel Storage Connection Policy

The Fibre Channel storage connection policy contains a collection of target storage ports on storage arrays that you use to configure Cisco UCS Manager-based Fibre Channel zoning. You can create this policy under an organization or an initiator group.

The storage arrays in these zones must be directly connected to the fabric interconnects. The target storage ports on these arrays that you include in the Fibre Channel storage connection policy can be either Fibre Channel storage ports or FCoE storage ports. You use the WWN of a port to add it to the policy and to identify the port for the Fibre Channel zone.


Note


Cisco UCS Manager does not create default Fibre Channel storage.


Fibre Channel Active Zone Set Configuration

In each VSAN that has been enabled for Fibre Channel zoning, Cisco UCS Manager automatically configures one zone set and multiple zones. The zone membership specifies the set of initiators and targets that are allowed to communicate with each other. Cisco UCS Manager automatically activates that zone set.

Cisco UCS Manager processes the user-configured vHBA initiator groups and their associated Fibre Channel storage connection policy to determine the desired connectivity between Fibre Channel initiators and targets. Cisco UCS Manager uses the following information to build pair-wise zone membership between initiators and targets:

  • The port WWNs of the vHBA initiators derived from the vHBA initiator groups.

  • The port WWNs of the storage array derived from the storage connection policy.
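The pair-wise membership described above, as an added Python example (not Cisco UCS Manager code): it expands initiator and target port WWNs into zones for both supported zoning modes, shows which ports each mode places in a common zone, and compares zone counts with the 8,000-zone fabric maximum stated earlier. The function names and all WWPNs are constructed for illustration.

```python
import re
from itertools import product

MAX_ZONES_PER_FABRIC = 8000  # physical-fabric maximum stated on this page
WWPN_RE = re.compile(r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}")


def normalize_wwpn(wwpn):
    """Lower-case a WWPN; reject anything that is not 8 colon-separated bytes."""
    value = wwpn.strip().lower()
    if not WWPN_RE.fullmatch(value):
        raise ValueError(f"not a valid WWPN: {wwpn!r}")
    return value


def build_zones(initiators, targets, zoning_type):
    """Expand initiator and target WWPNs into zones (frozensets of WWPNs).

    sist: one two-member zone per (vHBA, storage port) pair.
    simt: one zone per vHBA holding that vHBA and every target port.
    """
    inits = sorted({normalize_wwpn(w) for w in initiators})
    tgts = sorted({normalize_wwpn(w) for w in targets})
    if not inits or not tgts:
        return []
    if zoning_type == "sist":
        return [frozenset((i, t)) for i, t in product(inits, tgts)]
    if zoning_type == "simt":
        return [frozenset((i, *tgts)) for i in inits]
    raise ValueError(f"unsupported zoning type: {zoning_type!r}")


def can_communicate(zones, port_a, port_b):
    """Zoning permits traffic only between members of a common zone."""
    a, b = normalize_wwpn(port_a), normalize_wwpn(port_b)
    return any(a in zone and b in zone for zone in zones)


def exceeds_fabric_limit(zone_count, limit=MAX_ZONES_PER_FABRIC):
    """True when a planned zone count is above the fabric maximum."""
    return zone_count > limit


# Constructed sample data: two vHBA initiators and three storage ports.
INITIATORS = ["20:00:00:25:B5:00:00:0A", "20:00:00:25:b5:00:00:0b"]
TARGETS = ["50:00:00:00:00:00:00:01", "50:00:00:00:00:00:00:02",
           "50:00:00:00:00:00:00:03"]

if __name__ == "__main__":
    for mode in ("sist", "simt"):
        zones = build_zones(INITIATORS, TARGETS, mode)
        print(mode, "zones:", len(zones),
              "| initiator<->initiator:",
              can_communicate(zones, INITIATORS[0], INITIATORS[1]),
              "| target<->target:",
              can_communicate(zones, TARGETS[0], TARGETS[1]))
    # 200 vHBAs x 50 storage ports: sist needs 10,000 zones, simt needs 200.
    print("sist over limit:", exceeds_fabric_limit(200 * 50))
    print("simt over limit:", exceeds_fabric_limit(200))
```

In both modes the two initiators never share a zone. Only the single initiator multiple targets mode places storage ports in a zone with each other, which is the access-control cost of its lower zone count.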

Switch-Based Fibre Channel Zoning

With switch-based zoning, a Cisco UCS domain inherits the zoning configuration from the upstream switch. You cannot configure or view information about your zoning configuration in Cisco UCS Manager. You have to disable zoning on a VSAN in Cisco UCS Manager to use switch-based zoning for that VSAN.

Guidelines and Recommendations for Cisco UCS Manager-Based Fibre Channel Zoning

When you plan your configuration for Fibre Channel zoning, consider the following guidelines and recommendations:

Fibre Channel Switching Mode Must Be Switch Mode for Cisco UCS Manager Configurations

If you want Cisco UCS Manager to handle Fibre Channel zoning, the fabric interconnects must be in Fibre Channel Switch mode. You cannot configure Fibre Channel zoning in End-Host mode.

Symmetrical Configuration Is Recommended for High Availability

If a Cisco UCS domain is configured for high availability with two fabric interconnects, we recommend that both fabric interconnects are configured with the same set of VSANs.

Configuring Cisco UCS Manager Fibre Channel Zoning


Note


This procedure provides a high level overview of the steps required to configure a Cisco UCS domain for Fibre Channel zoning that is controlled by Cisco UCS Manager. You must ensure that you complete all of the following steps.


Procedure


Step 1

If you have not already done so, disconnect the fabric interconnects in the Cisco UCS domain from any external Fibre Channel switches, such as an MDS.

Step 2

If the Cisco UCS domain still includes zones that were managed by the external Fibre Channel switch, run the clear-unmanaged-fc-zones-all command on every affected VSAN to remove those zones.

This functionality is not currently available in the Cisco UCS Manager GUI. You must perform this step in the Cisco UCS Manager CLI.

Step 3

Configure the Fibre Channel switching mode for both fabric interconnects in Fibre Channel Switch mode.

You cannot configure Fibre Channel zoning in End-Host mode.

Step 4

Configure the Fibre Channel and FCoE storage ports that you require to carry traffic for the Fibre Channel zones.

Step 5

Create one or more VSANs and enable Fibre Channel zoning on all VSANs that you require to carry traffic for the Fibre Channel zones.

For a cluster configuration, we recommend that you create the VSANs that you intend to include in a Fibre Channel zone in Fibre Channel storage mode and accessible to both fabric interconnects.

Step 6

Create one or more Fibre Channel storage connection policies.

You can perform this step when you configure Fibre Channel zoning in the service profiles, if you prefer.

Step 7

Configure zoning in service profiles or service profile templates for servers that need to communicate through Fibre Channel zones.

Complete the following steps to complete this configuration:

  • Enable zoning in the VSAN or VSANs assigned to the vHBAs.

  • Configure one or more vHBA initiator groups.


Creating a VSAN for Fibre Channel Zoning

Procedure


Step 1

UCS-A# scope fc-uplink

Enters Fibre Channel uplink mode.

Step 2

UCS-A /fc-uplink # create vsan {VSAN_Name} {VSAN_ID} {FCoE_VLAN_ID}

Enter the following:
  • VSAN_Name: The name assigned to the network. This name can be between 1 and 32 alphanumeric characters. You cannot use spaces or any special characters other than - (hyphen), _ (underscore), : (colon), and . (period), and you cannot change this name after the object is saved.

  • VSAN_ID: The unique identifier assigned to the network. The ID can be between 1 and 4078, or between 4080 and 4093. 4079 is a reserved VSAN ID.

  • FCoE_VLAN_ID: The unique identifier assigned to the VLAN used for Fibre Channel connections. The ID can be between 1 and 4029, or between 4048 and 4093. VLAN 4048 is user configurable. However, Cisco UCS Manager uses VLAN 4048 for the following default values. If you want to assign 4048 to a VLAN, you must reconfigure these values:
    • After an upgrade to Cisco UCS, Release 2.0—The FCoE storage port native VLAN uses VLAN 4048 by default. If the default FCoE VSAN was set to use VLAN 1 before the upgrade, you must change it to a VLAN ID that is not used or reserved. For example, consider changing the default to 4049 if that VLAN ID is not in use.

    • After a fresh install of Cisco UCS, Release 2.0—The FCoE VLAN for the default VSAN uses VLAN 4048 by default. The FCoE storage port native VLAN uses VLAN 4049.

For FIP-capable, converged network adapters, such as the Cisco UCS CNA M72KR-Q and the Cisco UCS CNA M72KR-E, the named VSAN must be configured with a named VLAN that is not the native VLAN for the FCoE VLAN ID. This configuration ensures that FCoE traffic can pass through these adapters.

Step 3

UCS-A /fc-uplink # commit-buffer


Example

The following example creates a VSAN named TestVsan and commits the changes in the system:

UCS-A # scope fc-uplink
UCS-A /fc-uplink # create vsan TestVsan 2 30
UCS-A /fc-uplink/vsan* # commit-buffer
UCS-A /fc-uplink/vsan #
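A check for the argument ranges listed in Step 2, as an added Python example (not part of Cisco UCS Manager): it parses a `create vsan` line from a change script and reports values that fall outside the ranges on this page, including the reserved VSAN ID 4079 and the FCoE VLAN gap between 4029 and 4048. The function names and the sample lines are constructed for illustration.

```python
import re

CMD_RE = re.compile(r"create\s+vsan\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
NAME_RE = re.compile(r"[A-Za-z0-9_.:-]{1,32}")
VSAN_ID_RANGES = ((1, 4078), (4080, 4093))    # 4079 is reserved
FCOE_VLAN_RANGES = ((1, 4029), (4048, 4093))


def _is_number(raw):
    return raw.isascii() and raw.isdigit()


def _check_id(label, raw, ranges):
    """Return a problem string for an ID outside its allowed ranges, else None."""
    if not _is_number(raw):
        return f"{label} {raw!r} is not a number"
    if not any(lo <= int(raw) <= hi for lo, hi in ranges):
        allowed = " or ".join(f"{lo}-{hi}" for lo, hi in ranges)
        return f"{label} {raw} is outside {allowed}"
    return None


def check_create_vsan(line):
    """Return a list of problems found in one 'create vsan' CLI line."""
    match = CMD_RE.search(line)
    if match is None:
        return ["expected: create vsan VSAN_Name VSAN_ID FCoE_VLAN_ID"]
    name, vsan_id, vlan_id = match.groups()
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append(f"VSAN name {name!r} must be 1-32 characters from "
                        "letters, digits, '-', '_', ':' and '.'")
    for label, raw, ranges in (("VSAN ID", vsan_id, VSAN_ID_RANGES),
                               ("FCoE VLAN ID", vlan_id, FCOE_VLAN_RANGES)):
        problem = _check_id(label, raw, ranges)
        if problem:
            problems.append(problem)
    # 4048 is in range, but Cisco UCS Manager uses it for default values.
    if _is_number(vlan_id) and int(vlan_id) == 4048:
        problems.append("FCoE VLAN ID 4048 is used by Cisco UCS Manager "
                        "defaults; reconfigure those values first")
    return problems


# Constructed sample lines; only the first is taken from this page's example.
SAMPLE_LINES = [
    "UCS-A /fc-uplink # create vsan TestVsan 2 30",
    "UCS-A /fc-uplink # create vsan finance 4079 30",
    "UCS-A /fc-uplink # create vsan backup$san 100 4040",
    "UCS-A /fc-uplink # create vsan dr 200 4048",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sample, "->", check_create_vsan(sample) or "ok")
```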

Creating a New Fibre Channel Zone Profile

Perform the following procedure to create a new Fibre Channel Zone Profile.

Before you begin

Ensure that the VSAN is created for Fibre Channel zoning.

Procedure

  Command or Action Purpose

Step 1

UCS-A # scope fc-storage

Enters Fibre Channel storage mode.

Step 2

UCS-A /fc-storage # create fc-zone-profile Profile_Name

Creates a Fibre Channel profile with the specified name.

Step 3

UCS-A /fc-storage/fc-zone-profile* # create fc-user-zone Zone_Name

Enters Fibre Channel zone profile mode and creates the specified Fibre Channel zone.

Step 4

UCS-A /fc-storage/fc-zone-profile/fc-user-zone* # set path {A | B}

Sets the Fibre Channel zone path.

Step 5

UCS-A /fc-storage/fc-zone-profile/fc-user-zone* # set vsan VSAN_Name

Sets the Fibre Channel zone to the named VSAN.

Step 6

UCS-A /fc-storage/fc-zone-profile/fc-user-zone* # create member wwpn

Creates the WWPN for the Fibre Channel zone profile.

Step 7

UCS-A /fc-storage/fc-zone-profile/fc-user-zone* # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to create an FC zone profile named myProfile:

UCS-A# scope fc-storage
UCS-A /fc-storage # create fc-zone-profile myProfile
UCS-A /fc-storage/fc-zone-profile* # create fc-user-zone myZone
UCS-A /fc-storage/fc-zone-profile/fc-user-zone* # set path A
UCS-A /fc-storage/fc-zone-profile/fc-user-zone* # set vsan test
UCS-A /fc-storage/fc-zone-profile/fc-user-zone* # create member 20:c2:11:25:b5:00:00:7f
UCS-A /fc-storage/fc-zone-profile/fc-user-zone/member* # commit-buffer

Deleting a Fibre Channel Zone Profile

Perform the following procedure to delete a Fibre Channel Zone Profile.

Procedure

  Command or Action Purpose

Step 1

UCS-A # scope fc-storage

Enters Fibre Channel storage mode.

Step 2

UCS-A /fc-storage # delete fc-zone-profile Profile_Name

Deletes a Fibre Channel profile with the specified name.

Step 3

UCS-A /fc-storage* # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to delete an FC Zone Profile named myProfile:

UCS-A # scope fc-storage
UCS-A /fc-storage # delete fc-zone-profile myProfile
UCS-A /fc-storage* # commit-buffer
UCS-A /fc-storage #

Deleting a Fibre Channel User Zone

Perform the following procedure to delete a Fibre Channel User Zone.

Procedure


Step 1

UCS-A # scope fc-storage

Enters Fibre Channel storage mode.

Step 2

UCS-A /fc-storage # scope fc-zone-profile Profile_Name

Enters the specified Fibre Channel profile.

Step 3

UCS-A /fc-storage/fc-zone-profile # delete fc-user-zone Userzone_Name

Deletes the specified Fibre Channel User Zone.

Step 4

UCS-A /fc-storage/fc-zone-profile* # commit-buffer

Commits the transaction to the system configuration.


Example

The following example shows how to delete an FC user zone named myZone:

UCS-A # scope fc-storage
UCS-A /fc-storage # scope fc-zone-profile myProfile
UCS-A /fc-storage/fc-zone-profile # delete fc-user-zone myZone
UCS-A /fc-storage/fc-zone-profile* # commit-buffer
UCS-A /fc-storage #

Removing Unmanaged Zones from a VSAN Accessible to Both Fabric Interconnects

After you disconnect the external Fibre Channel switch, the Fibre Channel zones that were managed by that switch might not have been cleared from the Cisco UCS domain. This procedure removes those zones from each VSAN in the Cisco UCS domain so that you can configure Fibre Channel zoning in Cisco UCS.

Before you begin

If you have not already done so, disconnect the fabric interconnects in the Cisco UCS domain from any external Fibre Channel switches, such as an MDS.

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope fc-uplink

Enters Fibre Channel uplink mode.

Step 2

UCS-A /fc-uplink # scope fabric {a | b}

Enters Fibre Channel uplink mode for the specified fabric interconnect.

Step 3

UCS-A /fc-uplink/fabric # scope vsan vsan-name

Enters VSAN mode for the specified named VSAN.

Step 4

UCS-A /fc-uplink/fabric/vsan # clear-unmanaged-fc-zones-all

Clears all unmanaged Fibre Channel zones from the specified named VSAN.

If desired, you can repeat Steps 2 through 4 to remove unmanaged zones from all VSANs that are accessible to the specified fabric interconnect before you commit the buffer.

Step 5

UCS-A /fc-uplink/fabric/vsan # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to remove unmanaged zones from a named VSAN accessible to fabric interconnect A and commit the transaction:

UCS-A# scope fc-uplink
UCS-A /fc-uplink # scope fabric a
UCS-A /fc-uplink/fabric # scope vsan finance
UCS-A /fc-uplink/fabric/vsan # clear-unmanaged-fc-zones-all
UCS-A /fc-uplink/fabric/vsan* # commit-buffer
UCS-A /fc-uplink # 

Removing Unmanaged Zones from a VSAN Accessible to One Fabric Interconnect

After you disconnect the external Fibre Channel switch, the Fibre Channel zones that were managed by that switch might not have been cleared from the Cisco UCS domain. This procedure removes those zones from each VSAN in the Cisco UCS domain so that you can configure Fibre Channel zoning in Cisco UCS.

Before you begin

If you have not already done so, disconnect the fabric interconnects in the Cisco UCS domain from any external Fibre Channel switches, such as an MDS.

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope fc-uplink

Enters Fibre Channel uplink mode.

Step 2

UCS-A /fc-uplink # scope vsan vsan-name

Enters VSAN mode for the specified named VSAN.

Step 3

UCS-A /fc-uplink/vsan # clear-unmanaged-fc-zones-all

Clears all unmanaged Fibre Channel zones from the specified named VSAN.

If desired, you can repeat steps 2 and 3 to remove unmanaged zones from all VSANs that are accessible to both fabric interconnects before you commit the buffer.

Step 4

UCS-A /fc-uplink/vsan # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to remove unmanaged zones from a named VSAN and commit the transaction:

UCS-A# scope fc-uplink
UCS-A /fc-uplink # scope vsan finance
UCS-A /fc-uplink/vsan # clear-unmanaged-fc-zones-all
UCS-A /fc-uplink/vsan* # commit-buffer
UCS-A /fc-uplink # 

Configuring Fibre Channel Storage Connection Policies

Creating a Fibre Channel Storage Connection Policy

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope org org-name

Enters the organization mode for the specified organization. To enter the root organization mode, enter / as the org-name.

Step 2

UCS-A /org # create storage-connection-policy policy-name

Creates a storage connection policy with the specified policy name, and enters organization storage connection policy mode.

Step 3

UCS-A /org/storage-connection-policy # set zoning-type {none | simt | sist}

  • None: Cisco UCS Manager does not configure Fibre Channel zoning.

  • Single Initiator Single Target: Cisco UCS Manager automatically creates one zone for each vHBA and storage port pair. Each zone has two members. We recommend that you configure this type of zoning unless you expect the number of zones to exceed the maximum supported.

  • Single Initiator Multiple Targets: Cisco UCS Manager automatically creates one zone for each vHBA. We recommend that you configure this type of zoning if you expect the number of zones to reach or exceed the maximum supported.

Step 4

UCS-A /org/storage-connection-policy # create storage-target wwpn

Creates a storage target endpoint with the specified WWPN, and enters storage target mode.

Step 5

UCS-A /org/storage-connection-policy/storage-target # set target-path {a | b}

Specifies which fabric interconnect is used for communications with the target endpoint.

Step 6

UCS-A /org/storage-connection-policy/storage-target # set target-vsan vsan

Specifies which VSAN is used for communications with the target endpoint.

Step 7

UCS-A /org/storage-connection-policy # commit-buffer

Commits the transaction to the system configuration.

Example

The following example configures a Fibre Channel storage connection policy in the root organization named scPolicyZone1, using fabric interconnect A and the default VSAN, and commits the transaction:

UCS-A# scope org /
UCS-A /org* # create storage-connection-policy scPolicyZone1
UCS-A /org/storage-connection-policy* # set zoning-type sist
UCS-A /org/storage-connection-policy* # create storage-target 20:10:20:30:40:50:60:70
UCS-A /org/storage-connection-policy/storage-target* # set target-path a
UCS-A /org/storage-connection-policy/storage-target* # set target-vsan default
UCS-A /org/storage-connection-policy* # commit-buffer
UCS-A /org/storage-connection-policy # 

Deleting a Fibre Channel Storage Connection Policy

Procedure

  Command or Action Purpose

Step 1

UCS-A# scope org org-name

Enters the organization mode for the specified organization. To enter the root organization mode, enter / as the org-name.

Step 2

UCS-A /org # delete storage-connection-policy policy-name

Deletes the specified storage connection policy.

Step 3

UCS-A /org # commit-buffer

Commits the transaction to the system configuration.

Example

The following example deletes the storage connection policy named scPolicyZone1 from the root organization and commits the transaction:

UCS-A# scope org /
UCS-A /org # delete storage-connection-policy scPolicyZone1
UCS-A /org* # commit-buffer
UCS-A /org #