The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Zoning enables you to set up access control between storage devices or user groups. If you have administrator privileges in your fabric, you can create zones to increase network security and to prevent data loss or corruption. Zoning is enforced by examining the source-destination ID field.
Advanced zoning capabilities specified in the FC-GS-4 and FC-SW-3 standards are provided. You can use either the existing basic zoning capabilities or the advanced, standards-compliant zoning capabilities.
Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information"chapter or the Feature History table in this chapter.
lists the New and Changed features.
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Autozone |
8.5(1) |
The autozone --enable --vsan id command was modified. |
|
Zoning Single Session |
8.4(2) |
Introduced the single session option for enhanced zoning mode. The following commands were modified:
|
|
Autozone |
8.4(1) |
The enableautosave and disableautosave options are added to the autozone command to enable or disable automatically saving of the running configuration to the startup-configuration after making a zoning change. The following commands were introduced:
|
|
Autozone |
8.3(1) |
The Autozone feature was introduced. The following commands were introduced:
|
Zoning has the following features:
A zone consists of multiple zone members.
Members in a zone can access each other; members in different zones cannot access each other.
If zoning is not activated, all devices are members of the default zone.
If zoning is activated, any device that is not in an active zone (a zone that is part of an active zoneset) is a member of the default zone.
Zones can vary in size.
Devices can belong to more than one zone.
A zoneset consists of one or more zones.
A zoneset can be activated or deactivated as a single entity across all switches in the fabric.
Only one zoneset can be activated at any time.
A zone can be a member of more than one zoneset.
An MDS switch can have a maximum of 1000 zonesets.
Zoning can be administered from any switch in the fabric.
When you activate a zone (from any switch), all switches in the fabric receive the active zoneset. Additionally, full zone sets are distributed to all switches in the fabric, if this feature is enabled in the source switch.
If a new switch is added to an existing fabric, zone sets are acquired by the new switch.
Zone changes can be configured nondisruptively. New zones and zone sets can be activated without interrupting traffic on unaffected ports or devices.
Zone membership criteria is based mainly on WWNs or FC IDs.
Port world wide name (pWWN)—Specifies the pWWN of an N port attached to the switch as a member of the zone.
Fabric pWWN—Specifies the WWN of the fabric port (switch port’s WWN). This membership is also referred to as port-based zoning.
FC ID—Specifies the FC ID of an N port attached to the switch as a member of the zone.
Interface and switch WWN (sWWN)—Specifies the interface of a switch identified by the sWWN. This membership is also referred to as interface-based zoning.
Interface and domain ID—Specifies the interface of a switch identified by the domain ID.
Domain ID and port number—Specifies the domain ID of an MDS domain and additionally specifies a port belonging to a non-Cisco switch.
IPv4 address—Specifies the IPv4 address (and optionally the subnet mask) of an attached device.
IPv6 address—The IPv6 address of an attached device in 128 bits in colon(:)-separated hexadecimal format.
Symbolic-nodename—Specifies the member symbolic node name. The maximum length is 240 characters.
Default zone membership includes all ports or WWNs that do not have a specific membership association. Access between default zone members is controlled by the default zone policy.
 Note |
For configuration limits on configuring the number of zones, zone members and zone sets, refer to the Cisco MDS NX-OS Configuration Limits. |
Fabric with Two Zones illustrates a zoneset with two zones, zone 1 and zone 2, in a fabric. Zone 1 provides access from all three hosts (H1, H2, H3) to the data residing on storage systems S1 and S2. Zone 2 restricts the data on S3 to access only by H3. Note that H3 resides in both zones.
There are other ways to partition this fabric into zones. Fabric with Three Zones illustrates another possibility. Assume that there is a need to isolate storage system S2 for the purpose of testing new software. To achieve this, zone 3 is configured, which contains only host H2 and storage S2. You can restrict access to just H2 and S2 in zone 3, and to H1 and S1 in zone 1.
All switches in the Cisco MDS 9000 Series automatically support the following basic zone features (no additional configuration is required):
If required, you can additionally configure the following zone features:
All members of a zone can communicate with each other. For a zone with N members, N *(N -1) access permissions need to be enabled. The best practice is to avoid configuring large numbers of targets or large numbers of initiators in a single zone. This type of configuration wastes switch resources by provisioning and managing many communicating pairs (initiator-to-initiator or target-to-target) that will never actually communicate with each other. For this reason, a single initiator with a single target is the most efficient approach to zoning.
The following guidelines must be considered when creating zone members:
Configuring only one initiator and one target for a zone provides the most efficient use of the switch resources.
Configuring the same initiator to multiple targets is accepted.
Configuring multiple initiators to multiple targets is not recommended.
While configuring a zone member based on interface type always select a fabric switch which potentially has the highest interface count in the fabric.
Before configuring a zoneset, consider the following guidelines:
Each VSAN can have multiple zone sets but only one zoneset can be active at any given time.
When you create a zoneset, that zoneset becomes a part of the full zoneset.
When you activate a zoneset, a copy of the zoneset from the full zoneset is used to enforce zoning, and is called the active zoneset. An active zoneset cannot be modified. A zone that is part of an active zoneset is called an active zone.
The administrator can modify the full zoneset even if a zoneset with the same name is active. However, the modification will be enforced only upon reactivation.
When the activation is done, the active zoneset is automatically stored in persistent configuration. This enables the switch to preserve the active zoneset information across switch resets.
All other switches in the fabric receive the active zoneset so they can enforce zoning in their respective switches.
Hard and soft zoning are implemented using the active zoneset. Modifications take effect during zoneset activation.
An FC ID or Nx port that is not part of the active zoneset belongs to the default zone and the default zone information is not distributed to other switches.
Note |
If one zoneset is active and you activate another zoneset, the currently active zoneset is automatically deactivated. You do not need to explicitly deactivate the currently active zoneset before activating a new zoneset. |
Figure shows a zone being added to an activated zoneset.
Note |
The Quick Config Wizard supports only switch interface zone members. |
As of Cisco SAN-OS Release 3.1(1) and NX-OS Release 4.1(2), you can use the Quick Config Wizard on the Cisco MDS 9124 Switch to add or remove zone members per VSAN. You can use the Quick Config Wizard to perform interface-based zoning and to assign zone members for multiple VSANs using Device Manager.
Note |
The Quick Config Wizard is supported on Cisco MDS 9124, MDS 9134, MDS 9132T, MDS 9148, MDS 9148S, MDS 9148T, MDS 9396S, and MDS 9396T fabric switches, the Cisco Fabric Switch for HP c-Class BladeSystem, and the Cisco Fabric Switch for IBM BladeCenter. |
 Caution |
The Quick Config Wizard can only be used on stand-alone switches that do not have any existing zoning defined on the switch. |
To add or remove ports from a zone and to zone only the devices within a specific VSAN using Device Manager on the Cisco MDS 9124 Switch, follow these steps:
| Step 1 |
Choose FC > Quick Config or click the Zone icon in the toolbar. You see the Quick Config Wizard (see Quick Config Wizard) with all controls disabled and the Discrepancies dialog box (see Discrepancies Dialog Box), which shows all unsupported configurations.
 |
||
| Step 2 |
Click OK to continue. You see the Quick Config Wizard dialog box (see Quick Config Wizard).
|
||
| Step 3 |
Check the check box in the Ports Zoned To column for the port you want to add or remove from a zone. The check box for the matching port is similarly set. The selected port pair is added or removed from the zone, creating a two-device zone. The VSAN drop-down menu provides a filter that enables you to zone only those devices within a selected VSAN. |
||
| Step 4 |
Right-click any of the column names to show or hide a column. |
||
| Step 5 |
Click Next to verify the changes. You see the Confirm Changes dialog box (see Confirm Changes Dialog Box).  |
||
| Step 6 |
If you want to see the CLI commands, right-click in the dialog box and click CLI Commands from the pop-up menu. |
||
| Step 7 |
Click Finish to save the configuration changes. |
The Autozone feature is a mechanism to automate zoning of devices. This feature can be used to reduce the administrative overhead of manually creating and updating the switch zone configuration each time a device is added to the SAN to a one-time command. An administrator has to configure the Autozone feature after the initial deployment and does not have to manually change or modify the zone configuration each time a new device is added to a fabric. The Autozone feature is intended for fabrics comprise of a single fabric switch that has no more than 100 devices connected.
Initially, Autozone configures zoning that enables connectivity from every initiator to every target, based on the FC4 type registered by each device. The zones that are created are placed in a single zoneset in VSAN 1 and activated. When in automatic mode, a scheduler job is created to scan for newly logged in devices every 5 minutes. New initiators are zoned with all the targets and new targets are zoned with all the initiators. The new zones are then added to the active zoneset. This process allows the switch to be administered with minimal effort by simply plugging in new devices and having automatic connectivity for the devices within minutes. Autozone can be run manually by the administrator if connectivity to the newly logged-in devices is required before the next scheduled scan. Autozone does not change the existing zones created either by Autozone or manually by an administrator. This prevents duplication of any existing zones by Autozone and allows specialized zones to be added manually by an administrator.
Autozone has two modes of operation:
Automatic mode—The Autozone scheduler job runs every 5 minutes, checking for changes in device logins, and updates the zoneset accordingly.
Manual mode—No scheduler job is created. The administrator has to run the autozone --update command each time a new device is connected to a switch for the device to be added to the zoning configuration.
Works only on Cisco MDS 9132T, MDS 9148T, and MDS 9396T fabric switches.
Works only on single-switch fabrics.
From Cisco MDS NX-OS Release 8.5(1), Autozone can be enabled on VSANs apart from VSAN 1, but can be enabled on only one VSAN per switch.
In Cisco MDS NX-OS Release 8.4(2b) and earlier release, Autozone works only for ports that are logged on VSAN 1. If the administrator moves ports to other VSANs, Autozone does not move them back into VSAN 1 or zone them.
If Autozone detects an active zoneset with a name different from AUTOZONESET, Autozone exits with a message without making any changes to the existing zone configuration.
If Autozone detects an Inter-Switch Link (ISL), Autozone exits with a message, and no zones are created.
Autozone will not work when the default zone is enabled.
The Autozone feature considers only devices that are registered as FC4 type init or target. Since devices that are registered as both are considered as both init and target, starting from Cisco MDS NX-OS Release 8.4(2), the Autozone feature will zone these devices with devices that register as init, target, and both. Any other types are ignored and must be zoned manually by the administrator.
Starting with Cisco MDS NX-OS Release 8.5(1), the Autozone feature zones a maximum of 250 devices. In releases prior to Cisco MDS NX-OS Release 8.5(1), Autozone feature zones a maximum of 100 devices.
The Autozone feature does not support Smart Zoning.
Avoid enabling the Autozone feature if you want to use the Inter VSAN Routing (IVR) feature.
Avoid creating a manual zone of the name format AUTOZONE_<SwitchSerialNumber>_<number> because this is the format that is used by Autozone to create zone names. Autozone will delete zones with this name format when you use the autozone --delete command.
When Autozone is first run in automatic mode, it creates a scheduler job called AUTOZONE_SCHEDULER_JOB and a schedule called AUTOZONE_SCHEDULER_SCHEDULE to run the autozone --update command every 5 minutes. If either the scheduler job or schedule is deleted by the administrator, then periodic zone updates by Autozone will cease.
When Autozone is enabled and if a zone lock or zone single-session lock is acquired, you will have to clear the zone lock using the clear zone lock vsan command and then retry Autozone configuration.
When Autozone is configured in automatic mode and you execute the show accounting log command, there will be entries with an empty command field each time the Autozone scheduler job is run. This is expected.
Cisco NX-OS releases that support the Autozone feature creates a CLI alias named autozone when the switch boots. Even if the autozone --enable command is not run, this configuration change triggers the "Unsaved configuration" warning during an upgrade. Ensure that you save the configuration to prevent this message during future upgrades. As a best practice, we recommend that you copy the running configuration to the startup configuration on the switch before upgrading.
If you have the Autozone feature enabled and you are downgrading from Cisco MDS NX-OS Release 8.3(1) to earlier releases that do not support the Autozone feature, the Autozone scheduler job continues to check for new device logins every 5 minutes. However, the scheduler job fails if any new device logins are detected, and generates a syslog. Therefore, we recommend that you disable Autozone before downgrading.
If you have the Autozone feature enabled and you are downgrading from Cisco MDS NX-OS Release 8.4(1) to earlier releases that do not support the Autozone feature, the autozone --enable CLI alias command is available. However, when you execute the command, it fails. You may delete the autozone CLI alias name using the cli alias name autozone command.
Do not delete the autozone CLI alias name to ensure that the Autozone feature functions as documented.
If the Autozone feature is enabled, during upgrade or downgrade, the Autozone scheduler job might temporarily fail. The scheduler job resumes executing successfully after the upgrade or downgrade is complete.
The Autozone feature creates zones and a zoneset on VSAN 1 for unzoned devices and creates a scheduler job to periodically add new device logins on VSAN 1.
Review the Guidelines and Limitations for Autozone.
|
Enable autozone to automatically create zones, add them to a zoneset, and activate the zoneset as needed every 5 minutes: switch# autozone --enable --vsan id
|
To enable autozone to automatically save the running-configuration to the startup-configuration after it makes a zoning change, perform the step below:
|
Enable automatic saving of the autozone configuration: switch# autozone --enableautosave |
You can execute Autozone manually for updating the zoning information each time a new device is logged into the switch.
To execute Autozone in manual mode, perform this step:
switch# autozone --update
An Autozone scheduler job runs using the identity of a user who has enabled the Autozone feature on the switch. If the user has remote authentication (AAA), the user's credentials must be added manually to the scheduler configuration for the periodic Autozone scheduler job to succeed.
To enable the Autozone feature for a remotely authenticated user, perform these steps:
| Step 1 |
Enter global configuration mode: switch# configure |
||
| Step 2 |
Enable the command scheduler: switch(config)# feature scheduler |
||
| Step 3 |
Configure a cleartext password for a remotely authenticated user: switch(config)# scheduler aaa-authentication user name password password |
||
| Step 4 |
Create zones and a zoneset on a VSAN automatically and schedule a timer to check for new device logins: switch(config)# autozone --enable --vsan id
|
To disable autozone from automatically saving the running-configuration to the startup-configuration after it makes a zoning change, perform the step below:
|
Disable automatic saving of the autozone configuration: switch# autozone --disableautosave |
To prevent new devices from being zoned automatically and retaining the existing zone configuration, run this command:
switch# autozone --disable
To display the Autozone status, the existing zone and zoneset configuration created by Autozone, and the zoning configuration that Autozone would create for unzoned devices that are currently logged in to a switch, run this command:
switch# autozone --show
To display only the zone configuration changes which Autozone configures for unzoned devices before the Autozone scheduler job is run, run this command:
switch# autozone --showpending
By default, if the Autozone feature is enabled, the Autozone scheduler job automatically runs every 5 minutes. However, to optionally force Autozone to run before the end of the 5-minute cycle or to run Autozone without creating the Autozone scheduler job, run this command:
switch# autozone --update
To delete all the zones and the zoneset created by Autozone on VSAN 1, run this command:
switch# autozone --delete
Note |
Deleting the zones and zoneset created by Autozone does not disable the Autozone feature. To disable the Autozone feature, use the autozone --disable command. We recommend that you use the autozone --disable command before using the autozone --delete command because Autozone reconfigures all the zones again if it is enabled and the devices are still connected. Optionally, you can use both the options together using the autozone --disable --delete command. |
The following example shows how to enable Autozone in automatic mode. In this mode, all currently logged in devices are zoned and new logins are automatically added periodically. In this example, a device without a suitable FC4 type is detected and not included in the zone configuration.
switch# autozone --enable --vsan 1
This command will automatically create and activate single-initiator and single-target zones for all end-devices currently logged-in to VSAN 1; all initiators will be zoned to all targets. This may lead to a large TCAM and RSCN load on the switch. Please use AutoZone judiciously.
AutoZone feature is enabled
Device with pwwn 10:00:00:de:fb:74:e8:31 is not registered with FC4-type Init or Target. Hence, it will be ignored for AutoZone configuration.
Configuring zones for vsan 1
AUTOZONE_JPG21190082_1
Configuring zoneset for vsan 1
Activating the zoneset. Please wait...
Configured zoneset AUTOZONESET for vsan 1 successfully.
The following example shows how to enable Autozone in automatic mode on VSAN 2:
switch# autozone --enable --vsan 2
This command will automatically create and activate single-initiator and single-target zones for all end-devices currently logged-in to VSAN 2; all initiators will be zoned to all targets. This may lead to a large TCAM and RSCN load on the switch. Please use AutoZone judiciously.
AutoZone feature is enabled
Device with pwwn 10:00:00:de:fb:74:e8:31 is not registered with FC4-type Init or Target. Hence, it will be ignored for AutoZone configuration.
Configuring zones for vsan 2
AUTOZONE_JPG21190082_1
Configuring zoneset for vsan 2
Activating the zoneset. Please wait...
Configured zoneset AUTOZONESET for vsan 2 successfully.
The following example shows how to execute the Autozone feature once to zone all the unzoned devices logged in on VSAN 1, and add them to the active zoneset of VSAN 1 without creating the Autozone scheduler job. A device without a suitable FC4 type is detected and not included in the zone configuration.
switch# autozone --update
Device with pwwn 10:00:00:de:fb:74:e8:31 is not registered with FC4-type Init or Target. Hence, it will be ignored for AutoZone configuration.
Configuring zones for vsan 1
AUTOZONE_JPG21190082_1
AUTOZONE_JPG21190082_2
AUTOZONE_JPG21190082_3
AUTOZONE_JPG21190082_4
Configuring zoneset for vsan 1
Activating the zoneset. Please wait...
Configured zoneset AUTOZONESET for vsan 1 successfully.
The following example shows how to disable the Autozone feature so that newly logged-in devices are not zoned while retaining the existing zone configuration:
switch# autozone --disable
This will disable the AutoZone feature. Do you wish to continue? [y/n]|y: y
AutoZone feature disabled successfully.
The following example shows how to delete the Autozone and zoneset created for VSAN 1:
switch# autozone --delete
Checking if zoneset name AUTOZONESET present on switch...[Found]
Checking if AutoZone is enabled on switch...[Disabled]
This option will only delete the zone/zoneset configurations done by AutoZone feature.
Do you wish to continue? [n]|y: y
Deleting zoneset name AUTOZONESET and all zones for vsan 1 configured by AutoZone
Deleting following zones -
AUTOZONE_JPG21190082_1
AUTOZONE_JPG21190082_2
AUTOZONE_JPG21190082_3
AUTOZONE_JPG21190082_4
Deactivating zoneset for vsan 1.
Deactivated zoneset for vsan 1.
The following example displays the Autozone status, the zones already created, as well as uncreated (pending) zones, by Autozone:
switch# autozone --show
Feature AutoZone : Enabled
AutoSave Configuration : Enabled
The possible zone/zoneset configuration with AutoZone feature for currently logged-in devices is :
zoneset name AUTOZONESET vsan 1
zone name AUTOZONE_JPG21190082_1 vsan 1
member pwwn 20:00:00:11:0d:97:00:01
member pwwn 20:01:00:11:0d:97:01:01
zone name AUTOZONE_JPG21190082_2 vsan 1
member pwwn 20:00:00:11:0d:97:00:01
member pwwn 20:01:00:11:0d:97:01:00
zone name AUTOZONE_JPG21190082_3 vsan 1
member pwwn 20:00:00:11:0d:97:00:00
member pwwn 20:01:00:11:0d:97:01:01
zone name AUTOZONE_JPG21190082_4 vsan 1
member pwwn 20:00:00:11:0d:97:00:00
member pwwn 20:01:00:11:0d:97:01:00
The following example shows how to check for the zoning configuration that Autozone creates for any unzoned devices and then apply those changes. In this example, Autozone is disabled so that zoning is updated only once and there is no periodic zoning by Autozone.
switch# autozone --showpending
Feature AutoZone : Disabled
zoneset name AUTOZONESET vsan 1
zone name AUTOZONE_JPG21190082_1 vsan 1
member pwwn 20:00:00:11:0d:97:00:00
member pwwn 20:01:00:11:0d:97:01:00
switch# autozone --update
Configuring zones for vsan 1
AUTOZONE_JPG21190082_1
Configuring zoneset for vsan 1
Activating the zoneset. Please wait...
Configured zoneset AUTOZONESET for vsan 1 successfully.
The following example shows how to verify if the Autozone feature is already enabled and if there are currently unzoned devices:
switch# autozone --showpending
Feature AutoZone : Enabled
zoneset name AUTOZONESET vsan 1
zone name AUTOZONE_JPG21190082_2 vsan 1
member pwwn 20:00:00:11:0d:97:00:01
member pwwn 20:01:00:11:0d:97:01:00
zone name AUTOZONE_JPG21190082_3 vsan 1
member pwwn 20:00:00:11:0d:97:00:00
member pwwn 20:01:00:11:0d:97:01:01
zone name AUTOZONE_JPG21190082_4 vsan 1
member pwwn 20:00:00:11:0d:97:00:01
member pwwn 20:01:00:11:0d:97:01:01
The following example shows how to obtain information about the autozone command:
switch# autozone --help
usage: autozone.py [-h] [--enable] [--disable] [--update] [--delete] [--show]
[--showpending] [--enableautosave] [--disableautosave]
[--vsan VSAN]
Enables AutoZone feature for vsan 1
optional arguments:
-h, --help show this help message and exit
--enable Enables AutoZone automatic mode for VSAN 1. New devices
logging in will be zoned automatically. No changes will
be done for existing configuration. To have autzone
automatically save the running configuration to startup
configuration include the --enable argument followed by
--enableautosave argument.
--disable Disables AutoZone feature for VSAN 1. New devices logging
in will not be zoned automatically. No changes will be
done for existing configuration.
--update Computes and applies any pending AutoZone configuration
to switch for vsan 1
--delete Deletes zone/zoneset configuration done by AutoZone for VSAN
1
--show Displays the current active zone/zonset configuration done by
Autozone for VSAN 1.
--showpending Displays only zoning configuration that is pending and
not yet applied on the switch.
--enableautosave Enables Auto saving of running configuration to startup
configuration whenever an automatic zoning change is
done. Allowed with the --enable argument and --update
argument respectively.
--disableautosave Disables Auto saving of running configuration to startup
configuration whenever an automatic zoning change is
done.. To save any automatic zoning changes to startup,
"copy running-config startup-config" must be manually
executed.
--vsan VSAN Please provide VSAN between 1-4093
Let us consider a topology where two devices—Initiator 1 and Target 1—are logged on to a Cisco MDS switch. We configure the Autozone feature on the switch and verify the zone configuration for these devices. Then, we introduce two new devices—Initiator 2 and Target 2—to this network and verify if they are automatically configured in the zone.
Verify the existing zone configuration using the show zoneset active vsan 1 command:
switch# show zoneset active vsan 1
Zoneset not present
Verify the existing device logins using the show fcns database command:
switch# show fcns database
VSAN 1:
-----------------------------------------------------------------------
FCID TYPE PWWN (VENDOR) FC4-TYPE:FEATURE
-----------------------------------------------------------------------
0xee0000 N 20:00:00:11:0d:97:00:00 scsi-fcp:init
0xee0020 N 20:01:00:11:0d:97:01:00 scsi-fcp:target
0xee0400 N 10:00:00:de:fb:74:e8:31 (Cisco) ipfc
Total number of entries = 2
Create zones and a zoneset on VSAN 1 automatically and schedule a timer to check for new device logins on the Cisco MDS switch using the autozone --enable command:
switch# autozone --enable
This command will create and activate single-initiator and single-target zones for all end-devices are already logged-in automatically; that may lead to more tcam entries and also RSCN load on network. Please use AutoZone judiciously.
AutoZone feature is enabled
Device with pwwn 10:00:00:de:fb:74:e8:31 is not registered with FC4-type Init or Target. Hence, it will be ignored for AutoZone configuration.
Configuring zones for vsan 1
AUTOZONE_JPG21190082_1
Configuring zoneset for vsan 1
Activating the zoneset. Please wait...
Configured zoneset AUTOZONESET for vsan 1 successfully.
Verify the zone configuration using the show zoneset active vsan 1 command:
switch# show zoneset active vsan 1
zoneset name AUTOZONESET vsan 1
zone name AUTOZONE_JPG21190082_1 vsan 1
* fcid 0xee0000 [pwwn 20:00:00:11:0d:97:00:00]
* fcid 0xee0020 [pwwn 20:01:00:11:0d:97:01:00]
You can see that a new zoneset named AUTOZONESET is created and a new zone of the format AUTOZONE_<SwitchSerialNumber>_<number> is created and the devices are added to this zoneset:
Add Initiator 2 and Target 2 to the network:
Verify the new device logins using the show fcns database command:
switch# show fcns database
VSAN 1:
-----------------------------------------------------------------------
FCID TYPE PWWN (VENDOR) FC4-TYPE:FEATURE
-----------------------------------------------------------------------
0xee0000 N 20:00:00:11:0d:97:00:00 scsi-fcp:init
0xee0001 N 20:00:00:11:0d:97:00:01 scsi-fcp:init
0xee0020 N 20:01:00:11:0d:97:01:00 scsi-fcp:target
0xee0021 N 20:01:00:11:0d:97:01:01 scsi-fcp:target
0xee0400 N 10:00:00:de:fb:74:e8:31 (Cisco) ipfc
Total number of entries = 5
Verify the pending zone configurations using the autozone --showpending command:
switch# autozone --showpending
Feature AutoZone : Enabled
zoneset name AUTOZONESET vsan 1
zone name AUTOZONE_JPG21190082_2 vsan 1
member pwwn 20:00:00:11:0d:97:00:01
member pwwn 20:01:00:11:0d:97:01:00
zone name AUTOZONE_JPG21190082_3 vsan 1
member pwwn 20:00:00:11:0d:97:00:00
member pwwn 20:01:00:11:0d:97:01:01
zone name AUTOZONE_JPG21190082_4 vsan 1
member pwwn 20:00:00:11:0d:97:00:01
member pwwn 20:01:00:11:0d:97:01:01
(Optional) You can execute Autozone manually for updating the zoning information each time a new device is logged into the switch using the autozone --update command:
switch# autozone --update
Device with pwwn 10:00:00:de:fb:74:e8:31 is not registered with FC4-type Init or Target.
Hence, it will be ignored for AutoZone configuration.
Configuring zones for vsan 1
AUTOZONE_JPG21190082_1
AUTOZONE_JPG21190082_2
AUTOZONE_JPG21190082_3
AUTOZONE_JPG21190082_4
Configuring zoneset for vsan 1
Activating the zoneset. Please wait...
Configured zoneset AUTOZONESET for vsan 1 successfully.
Verify the zone configuration for the new devices using the autozone --show command:
switch# autozone --show
Feature AutoZone : Enabled
AutoSave Configuration : Enabled
The possible zone/zoneset configuration with AutoZone feature for currently logged-in devices is :
zoneset name AUTOZONESET vsan 1
zone name AUTOZONE_JPG21190082_1 vsan 1
member pwwn 20:00:00:11:0d:97:00:00
member pwwn 20:01:00:11:0d:97:01:00
zone name AUTOZONE_JPG21190082_2 vsan 1
member pwwn 20:00:00:11:0d:97:00:01
member pwwn 20:01:00:11:0d:97:01:00
zone name AUTOZONE_JPG21190082_3 vsan 1
member pwwn 20:00:00:11:0d:97:00:00
member pwwn 20:01:00:11:0d:97:01:01
zone name AUTOZONE_JPG21190082_4 vsan 1
member pwwn 20:00:00:11:0d:97:00:01
member pwwn 20:01:00:11:0d:97:01:01
Zone Configuration
Use the Edit Full Zone Database tool to complete the following tasks:
Displays the information by VSAN, by using the down-down menu without having to get out of the window, selecting a VSAN, and re-entering.
Move devices up or down by alias or by zone, using the Add to zone or alias button.
Add zoning characteristics based on the alias in different folders.
Rename zone sets, zones, or aliases.
The Edit Local Full Zone Database tool allows you to zone across multiple switches and all zoning features are available through the Edit Local Full Zone Database dialog box (see Edit Local Full Zone Database Dialog Box).
|
1 |
You can display information by VSAN by using the drop-down menu without closing the dialog box, selecting a VSAN, and re-entering. |
3 |
You can add zoning characteristics based on alias in different folders. |
|
2 |
You can use the Add to zone button to move devices up or down by alias or by zone. |
4 |
You can triple-click to rename zone sets, zones, or aliases in the tree. |
Note |
The Device Alias radio button is visible only if device alias is in enhanced mode. For more information, see Creating Device Aliases section. |
 Tip |
Use a relevant display command (for example, show interface or show flogi database ) to obtain the required value in hex format. |
Tip |
Use the show wwn switch command to retrieve the sWWN. If you do not provide a sWWN, the software automatically uses the local sWWN. |
Tip |
Expand Switches from the Physical Attributes pane to retrieve the sWWN. If you do not provide a sWWN, the software automatically uses the local sWWN. |
Note |
Interface-based zoning only works with Cisco MDS 9000 Series switches. Interface-based zoning does not work if interop mode is configured in that VSAN. |
When the number of zones configured has exceeded the maximum number of zones allowed across all VSANs, this message is displayed:
switch(config)# zone name temp_zone1 vsan 300
cannot create the zone; maximum possible number of zones is already configured Note |
For configuration limits on configuring the number of zones, zone members and zone sets, refer to the Cisco MDS NX-OS Configuration Limits. |
To configure a zone and assign a zone name, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
||||
| Step 2 |
switch(config)# zone name Zone1 vsan 3 Example:Configures a zone called Zone1 for the VSAN called vsan3.
|
||||
| Step 3 |
switch(config-zone)# member type value Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Example:Configures a member for the specified zone (Zone1) based on the type (pWWN, fabric pWWN, FC ID, fcalias, domain ID, IPv4 address, IPv6 address, or interface) and value specified.
|
To create a zone and move it into a zone set using DCNM SAN Client, follow these steps:
| Step 1 |
Click the Zone icon in the toolbar (see Zone Icon).  You see the Select VSAN dialog box. |
||
| Step 2 |
Select the VSAN where you want to create a zone and click OK. switch(config)# callhome You see the Edit Local Full Zone Database dialog box (see Edit Local Full Zone Database Dialog Box).  If you want to view zone membership information, right-click in the All Zone Membership(s) column, and then click Show Details for the current row or all rows from the pop-up menu. |
||
| Step 3 |
Click Zones in the left pane and click the Insert icon to create a zone. You see the Create Zone dialog box (see Create Zone Dialog Box).  |
||
| Step 4 |
Enter a zone name. |
||
| Step 5 |
Check one of the following check boxes:
|
||
| Step 6 |
Click OK to create the zone. If you want to move this zone into an existing zone set, skip to Step 8. |
||
| Step 7 |
Click Zoneset in the left pane and click the Insert icon to create a zone set. You see the Zoneset Name dialog box (see Zoneset Name Dialog Box).  |
||
| Step 8 |
Enter a zone set name and click OK .
|
||
| Step 9 |
Select the zone set where you want to add a zone and click the Insert icon or you can drag and drop Zone3 over Zoneset1.  |
||
| Step 10 |
Click Add to add the zone. |
Once you create a zone, you can add members to the zone. You can add members using multiple port identification types.
To add a member to a zone using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database. You see the Select VSAN dialog box. |
||
| Step 2 |
Select a VSAN and click OK. You see the Edit Local Full Zone Database dialog box for the selected VSAN.  |
||
| Step 3 |
Select the members you want to add from the Fabric pane (see Edit Local Full Zone Database Dialog Box) and click Add to Zone or click the zone where you want to add members and click the Insert icon. You see the Add Member to Zone dialog box (see Add Member to Zone Dialog Box). 
|
||
| Step 4 |
Click the browse button and select a port name or check the LUN check box and click the browse button to configure LUNs. |
||
| Step 5 |
Click Add to add the member to the zone.
|
To filter the end devices and device aliases, follow these steps:
| Step 1 |
Click the Zone icon in the toolbar (see Zone Icon). |
| Step 2 |
Select Name, WWN or FC ID from the With drop-down list. |
| Step 3 |
Enter a filter condition, such as *zo1*, in the Filter text box. |
| Step 4 |
Click Go. |
To add multiple end devices to multiple zones, follow these steps:
| Step 1 |
Click the Zone icon in the toolbar (see Zone Icon). |
| Step 2 |
Use the Ctrl key to select multiple end devices. |
| Step 3 |
Right-click and then select Add to Zone. |
| Step 4 |
Use the Ctrl key to select multiple zones from the pop-up window displayed. |
| Step 5 |
Click Add. Selected end devices are added to the selected zones. |
Zones provide a method for specifying access control, while zone sets are a grouping of zones to enforce access control in the fabric.
Zone sets are configured with the names of the member zones and the VSAN (if the zoneset is in a configured VSAN).
Zoneset Distribution —You can distribute full zone sets using one of two methods: one-time distribution or full zoneset distribution.
Zoneset Duplication —You can make a copy of a zoneset and then edit it without altering the original zoneset. You can copy an active zoneset from the bootflash: directory, volatile: directory, or slot0, to one of the following areas:
To the full zoneset
To a remote location (using FTP, SCP, SFTP, or TFTP)
The active zoneset is not part of the full zoneset. You cannot make changes to an existing zoneset and activate it, if the full zoneset is lost or is not propagated.
In the figure, two separate sets are created, each with its own membership hierarchy and zone members.
Either zoneset A or zoneset B can be activated (but not together).
Tip |
Zonesets are configured with the names of the member zones and the VSAN (if the zoneset is in a configured VSAN). |
Changes to a zoneset do not take effect in a full zoneset until you activate it.
Tip |
You do not have to issue the copy running-config startup-config command to store the active zoneset. However, you need to issue the copy running-config startup-config command to explicitly store full zone sets. If there is more than one switch in a fabric, the copy running-config startup-config fabric command should be issued. The fabric keyword causes the copy running-config startup-config command to be issued on all the switches in the fabric, and also saves the full zone information to the startup-config on all the switches in the fabric. This is important in the event of a switch reload or power cycle. |
To activate or deactivate an existing zoneset, follow these steps:
| Step 1 |
switch# config terminal Example:Enters configuration mode. |
||
| Step 2 |
switch(config)# zoneset activate name Zoneset1 vsan 3 Activates the specified zoneset. If full zoneset distribution is configured for a VSAN, the zoneset activation also distributes the full zoning database to the other switches in the fabric. If enhanced zoning is configured for a VSAN then the zoneset activation is held pending until the zone commit vsan vsan-id command is enabled. The show zone pending-diff vsan vsan-id displays the pending changes.
|
||
| Step 3 |
switch(config)# no zoneset activate name Zoneset1 vsan 3 Deactivates the specified zoneset. |
To activate an existing zone set using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database. You see the Select VSAN dialog box. |
| Step 2 |
Select a VSAN and click OK. You see the Edit Local Full Zone Database dialog box for the selected VSAN. |
| Step 3 |
Click Activate to activate the zone set. You see the pre-activation check dialog box (see Pre-Activation Check Dialog Box).  |
| Step 4 |
Click Yes to review the differences. You see the Local vs. Active Differences dialog box (see Local vs Active Differences Dialog Box).  |
| Step 5 |
Click Close to close the dialog box. You see the Save Configuration dialog box (see Save Configuration Dialog Box).  |
| Step 6 |
Check the Save Running to Startup Configuration check box to save all changes to the startup configuration. |
| Step 7 |
Click Continue Activation to activate the zone set, or click Cancel to close the dialog box and discard any unsaved changes. You see the Zone Log dialog box, which shows if the zone set activation was successful (see Zone Log Dialog Box).  |
To deactivate an existing zone set, follow these steps:
| Step 1 |
Right-click the zone set you want to deactivate and then click Deactivate from the pop-up menu. You see the Deactivate Zoneset dialog box. |
||
| Step 2 |
Enter deactivate in the text box and then click OK. You see the Input dialog box. |
||
| Step 3 |
Enter deactivate in the text box and then click OK to deactivate the zone set.
|
To display zone membership information for members assigned to zones in DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database. You see the Select VSAN dialog box. |
||||
| Step 2 |
Select a VSAN and click OK. You see the Edit Local Full Zone Database dialog box for the selected VSAN. |
||||
| Step 3 |
Click Zones in the left pane. The right pane lists the members for each zone.
|
When activating a new zoneset, if users make a mistake while entering the zoneset name, and if this name already exists on the switch, it results in activation of the wrong zoneset and traffic loss. To avoid activating a wrong zoneset, the zoneset overwrite-control vsan id command is introduced.
Note |
Even when the zoneset overwrite-control vsan id command is enabled, the user can override it and continue with the activation of a new zoneset using the zoneset activate name zoneset name vsan vsan -id force command. |
| Step 1 |
switch# configure terminal Example:Enters configuration mode. |
||
| Step 2 |
switch(config)# zoneset overwrite-control vsan 3 Enables overwrite-control for the specified VSAN.
|
||
| Step 3 |
switch(config)# show zone status vsan 3 Displays the status of the VSAN, if overwrite-control is enabled or not. |
Displaying Zone Status
switch(config)# show zone status vsan 3
VSAN: 2 default-zone: deny distribute: full Interop: default
mode: enhanced merge-control: allow
session: none
hard-zoning: enabled broadcast: unsupported
smart-zoning: disabled
rscn-format: fabric-address
activation overwrite control: enabled
Default zone:
qos: none broadcast: unsupported ronly: unsupported
Full Zoning Database :
DB size: 348 bytes
Zonesets:2 Zones:2 Aliases: 0 Attribute-groups: 1
Active Zoning Database :
DB size: 68 bytes
Name: hellset Zonesets:1 Zones:1
Current Total Zone DB Usage: 416 / 2097152 bytes (0 % used)
Pending (Session) DB size:
Full DB Copy size: 0 bytes
Active DB Copy size: 0 bytes
SFC size: 0 / 2097152 bytes (0 % used)
Status: Commit completed at 15:19:49 UTC Jun 11 2015Each member of a fabric (in effect a device attached to an Nx port) can belong to any zone. If a member is not part of any active zone, it is considered to be part of the default zone. Therefore, if no zoneset is active in the fabric, all devices are considered to be in the default zone. Even though a member can belong to multiple zones, a member that is part of the default zone cannot be part of any other zone. The switch determines whether a port is a member of the default zone when the attached port comes up.
Note |
Unlike configured zones, default zone information is not distributed to the other switches in the fabric. |
Traffic can either be permitted or denied among members of the default zone. This information is not distributed to all switches; it must be configured in each switch.
Note |
When the switch is initialized for the first time, no zones are configured and all members are considered to be part of the default zone. Members are not permitted to talk to each other. |
Configure the default zone policy on each switch in the fabric. If you change the default zone policy on one switch in a fabric, be sure to change it on all the other switches in the fabric.
Note |
The default settings for default zone configurations can be changed. |
The default zone members are explicitly listed when the default policy is configured as permit or when a zoneset is active. When the default policy is configured as deny, the members of this zone are not explicitly enumerated when you issue the show zoneset active command.
Note |
The current default zoning policy is deny. The hidden active zoneset is d__efault__cfg in MDS. When there is a mismatch in default-zoning policies between two switches (permit on one side and deny on the other), zone merge will fail. The behavior is the same between two Brocade switches as well. The error messages will be as shown below. |
The error messages will be as shown below:
Switch1 syslog:
switch(config-if)# 2014 Sep 2 06:33:21 hac15 %ZONE-2-ZS_MERGE_FAILED: %$VSAN 1%$ Zone merge failure, isolating interface fc2/10 received reason: Default zoning policy conflict. Received rjt from adjacent switch:[reason:0]
Switch2 syslog:
switch(config-if)# 2014 Sep 2 12:13:17 hac16 %ZONE-2-ZS_MERGE_FAILED: %$VSAN 1%$ Zone merge failure, isolating interface fc3/10 reason: Default zoning policy conflict.:[reason:0]
You can change the default zone policy for any VSAN by choosing VSANxx > Default Zone from the DCNM SAN Client menu tree and clicking the Policies tab. It is recommended that you establish connectivity among devices by assigning them to a non-default zone.
To permit or deny traffic to members in the default zone, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zone default-zone permit vsan 1 Permits traffic flow to default zone members. |
| Step 3 |
switch(config)# no zone default-zone permit vsan 1 Denies (default) traffic flow to default zone members. |
To permit or deny traffic to members in the default zone using DCNM SAN Client, follow these steps:
| Step 1 |
Expand a VSAN and then select Default Zone in the DCNM SAN Client Logical Domains pane. |
| Step 2 |
Click the Policies tab in the Information pane. You see the zone policies information in the Information pane (see Default Zone Policies).  The active zone set is shown in italic type. After you make changes to the active zone set and before you activate the changes, the zone set is shown in boldface italic type. |
| Step 3 |
In the Default Zone Behaviour field, choose either permit or deny from the drop-down menu. |
While the pWWN, fWWN, and so on of an end node or fabric port have to be specified to configure different features on a Cisco MDS switch, you must ensure to assign the correct value. An incorrect value, derived from a typo for example, may cause unexpected results. You can avoid this if you define a user-friendly name and use this name in all of the configuration commands, as required. These user-friendly names are referred to as FC aliases and they are defined according to naming conventions that are specific to each and every organization.
FC aliases are stored within the zone server database and the NX-OS software automatically converts FC aliases into their corresponding zone member types. A device alias name is a different type of alias and is described in the Distributing Device Alias Services chapter. Device aliases can be assigned to FC aliases, but not vice-versa.
FC aliases are case sensitive and restricted to 64 alphanumeric characters. An FC alias name may include one or more of the following characters:
a to z and A to Z
1 to 9
- (hyphen) and _ (underscore)
$ (dollar sign) and ^ (up caret)
You can assign an FC alias name and configure an FC alias member using the following values:
pWWN—The WWN of the N or NL port is in hex format (for example, 10:00:00:23:45:67:89:ab).
fWWN—The WWN of the fabric port name is in hex format (for example, 10:00:00:23:45:67:89:ab).
FC ID—The N port ID is in 0xhhhhhh format (for example, 0xce00d1).
Domain ID—The domain ID is an integer from 1 to 239. A mandatory port number of a non-Cisco switch is required to complete this membership configuration.
IPv4 address—The IPv4 address of an attached device is in 32 bits in dotted decimal format along with an optional subnet mask. If a mask is specified, any device within the subnet becomes a member of the specified zone.
IPv6 address—The IPv6 address of an attached device is in 128 bits in colon- (:) separated) hexadecimal format.
Interface—Interface-based zoning is similar to port-based zoning because the switch interface is used to configure the zone. You can specify a switch interface as a zone member for both local and remote switches. To specify a remote switch, enter the remote switch WWN (sWWN) or the domain ID in the particular VSAN.
Device Alias—A device alias name is a different type of alias and it can be assigned as a member to a FC alias.
Tip |
The Cisco NX-OS software supports a maximum of 2048 aliases per VSAN. |
To create an alias, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# fcalias name AliasSample vsan 3 Configures an alias name (AliasSample). |
| Step 3 |
switch(config-fcalias)# member type value Configures a member for the specified fcalias (AliasSample) based on the type and value specified (pWWN, fabric pWWN, FC ID, domain ID, IPv4 address, IPv6 address, or interface). |
| Step 4 |
switch(config-fcalias)# zone commit vsan id Commits the changes made to the specified VSAN. |
To create an FC alias using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database. You see the Select VSAN dialog box. |
| Step 2 |
Select a VSAN and click OK. You see the Edit Local Full Zone Database dialog box for the selected VSAN. |
| Step 3 |
Click Aliases in the lower left pane (see Creating an FC Alias). The right pane lists the existing aliases.  |
| Step 4 |
Click the Insert icon to create an alias.  |
| Step 5 |
Set the Alias Name and the pWWN. |
| Step 6 |
Click OK to create the alias. |
To add a member to an alias using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database. You see the Select VSAN dialog box. |
||
| Step 2 |
Select a VSAN and click OK. You see the Edit Local Full Zone Database dialog box for the selected VSAN (see Edit Local Full Zone Database Dialog Box).  |
||
| Step 3 |
Select the member(s) you want to add from the Fabric pane (see Edit Local Full Zone Database Dialog Box) and click Add to Alias or click the alias where you want to add members and click the Insert icon. You see the Add Member to Alias dialog box (see Add Member to Alias Dialog Box). 
|
||
| Step 4 |
Click the browse button and select a port name or check the LUN check box and click the browse button to configure LUNs. |
||
| Step 5 |
Click Add to add the member to the alias. |
You can convert zone and alias members from switch port or FC ID based membership to pWWN-based membership. You can use this feature to convert to pWWN so that your zone configuration does not change if a card or switch is changed in your fabric.
To convert switch port and FC ID members to pWWN members using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database. You see the Select VSAN dialog box. |
| Step 2 |
Select a VSAN and click OK. You see the Edit Local Full Zone Database dialog box for the selected VSAN. |
| Step 3 |
Click the zone you want to convert. |
| Step 4 |
Choose Tools > Convert Switch Port/FCID members to By pWWN. You see the conversion dialog box, listing all members that will be converted. |
| Step 5 |
Verify the changes and click Continue Conversion. |
| Step 6 |
Click Yes in the confirmation dialog box to convert that member to pWWN-based membership. |
Tip |
You do not have to issue the copy running-config startup-config command to store the active zoneset. However, you need to issue the copy running-config startup-config command to explicitly store full zone sets. If there is more than one switch in a fabric, the copy running-config startup-config fabric command should be issued. The fabric keyword causes the copy running-config startup-config command to be issued on all the switches in the fabric, and also saves the full zone information to the startup-config on all the switches in the fabric. This is important in the event of a switch reload or power cycle. |
Caution |
If you deactivate the active zoneset in a VSAN that is also configured for IVR, the active IVR zoneset (IVZS) is also deactivated and all IVR traffic to and from the switch is stopped. This deactivation can disrupt traffic in more than one VSAN. Before deactivating the active zoneset, check the active zone analysis for the VSAN (see the Zone and ZoneSet Analysis). To reactivate the IVZS, you must reactivate the regular zoneset (refer to the Cisco MDS 9000 Series NX-OS Inter-VSAN Routing Configuration Guide ). |
Caution |
If the currently active zoneset contains IVR zones, activating the zoneset from a switch where IVR is not enabled disrupts IVR traffic to and from that VSAN. We strongly recommend that you always activate the zoneset from an IVR-enabled switch to avoid disrupting IVR traffic. |
Note |
The pWWN of the virtual target does not appear in the zoning end devices database in DCNM SAN Client. If you want to zone the virtual device with a pWWN, you must enter it in the Add Member to Zone dialog box when creating a zone. However, if the device alias is in enhanced mode, the virtual device names appear in the device alias database in the DCNM SAN Client zoning window. In this case, users can choose to select either the device alias name or enter the pWWN in the Add Member to Zone dialog box. For more information, see the Adding Zone Members section. |
To create a zoneset to include several zones, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
||
| Step 2 |
switch(config)# zoneset name Zoneset1 vsan 3 Example:Configures a zoneset called Zoneset1.
|
||
| Step 3 |
switch(config-zoneset)# member Zone1 Adds Zone1 as a member of the specified zoneset (Zoneset1).
|
||
| Step 4 |
switch(config-zoneset)# zone name InlineZone1 Example:Adds a zone (InlineZone1) to the specified zoneset (Zoneset1).
|
||
| Step 5 |
switch(config-zoneset-zone)# member fcid 0x111112 Example:Adds a new member (FC ID 0x111112) to the new zone (InlineZone1).
|
To filter the zones, zone sets or device aliases, follow these steps:
| Step 1 |
Click the Zone icon in the toolbar (see Zone Icon). |
| Step 2 |
Enter a filter condition, such as *zo1*, in the Filter text box. |
| Step 3 |
Click Go. |
To add multiple zones to multiple zone sets, follow these steps:
| Step 1 |
Click the Zone icon in the toolbar (see Zone Icon). |
| Step 2 |
From the tree view, select Zoneset. |
| Step 3 |
Use the Ctrl key to select multiple end devices. |
| Step 4 |
Right-click and then select Add to Zoneset. |
| Step 5 |
Use the Ctrl key to select multiple zones from the pop-up window displayed. |
| Step 6 |
Click Add. Selected zones are added to the selected zone sets. |
Zoning can be enforced in two ways: soft and hard. Each end device (N port or NL port) discovers other devices in the fabric by querying the name server. When a device logs in to the name server, the name server returns the list of other devices that can be accessed by the querying device. If an Nx port does not know about the FCIDs of other devices outside its zone, it cannot access those devices.
In soft zoning, zoning restrictions are applied only during interaction between the name server and the end device. If an end device somehow knows the FCID of a device outside its zone, it can access that device.
Hard zoning is enforced by the hardware on each frame sent by an Nx port. As frames enter the switch, source-destination IDs are compared with permitted combinations to allow the frame at wirespeed. Hard zoning is applied to all forms of zoning.
Note |
Hard zoning enforces zoning restrictions on every frame, and prevents unauthorized access. |
Switches in the Cisco MDS 9000 Series support both hard and soft zoning.
You can distribute full zone sets using one of two methods: one-time distribution at the EXEC mode level or full zoneset distribution at the configuration mode level.
You can distribute full zone sets using one of two methods: one-time distribution or full zone set distribution.
Table 1 lists the differences between these distribution methods.
|
One-Time Distribution zoneset distribute vsan Command (EXEC Mode) |
Full Zone Set Distribution zoneset distribute full vsan Command (Configuration Mode) |
|---|---|
|
Distributes the full zoneset immediately. |
Does not distribute the full zoneset immediately. |
|
Does not distribute the full zoneset information along with the active zoneset during activation, deactivation, or merge process. |
Remembers to distribute the full zoneset information along with the active zoneset during activation, deactivation, and merge processes. |
Tip |
You do not have to issue the copy running-config startup-config command to store the active zoneset. However, you need to issue the copy running-config startup-config command to explicitly store full zone sets. If there is more than one switch in a fabric, the copy running-config startup-config fabric command should be issued. The fabric keyword causes the copy running-config startup-config command to be issued on all the switches in the fabric, and also saves the full zone information to the startup-config on all the switches in the fabric. This is important in the event of a switch reload or power cycle. |
All switches in the Cisco MDS 9000 Series distribute active zone sets when new E port links come up or when a new zoneset is activated in a VSAN. The zoneset distribution takes effect while sending merge requests to the adjacent switch or while activating a zoneset.
To enable full zoneset and active zoneset distribution to all switches on a per VSAN basis, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zoneset distribute full vsan 33 Enables sending a full zoneset along with an active zoneset. |
To enable full zone set and active zone set distribution to all switches on a per VSAN basis using DCNM SAN Client, follow these steps:
| Step 1 |
Expand a VSAN and select a zone set in the Logical Domains pane. You see the zone set configuration in the Information pane. The Active Zones tab is the default. |
| Step 2 |
Click the Policies tab. You see the configured policies for the zone (see Configured Policies for the Zone).  |
| Step 3 |
In the Propagation column, choose fullZoneset from the drop-down menu. |
| Step 4 |
Click Apply Changes to propagate the full zone set. |
Use the zoneset distribute vsan vsan-id command in EXEC mode to perform this distribution.
switch# zoneset distribute vsan 2
Zoneset distribution initiated. check zone status
This procedure command only distributes the full zoneset information; it does not save the information to the startup configuration. You must explicitly save the running configuration to the startup configuration issue the copy running-config startup-config command to save the full zoneset information to the startup configuration.
Note |
The zoneset distribute vsan vsan-id commandone-time distribution of the full zone set is supported in interop 2 and interop 3 modes, not in interop 1 mode. |
Use the show zone status vsan vsan-id command to check the status of the one-time zoneset distribution request.
switch# show zone status vsan 9
VSAN: 9 default-zone: deny distribute: full Interop: default
mode: enhanced merge-control: allow
session: none
hard-zoning: enabled broadcast: enabled
smart-zoning: disabled
rscn-format: fabric-address
activation overwrite control:disabled
Default zone:
qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
DB size: 2002584 bytes
Zonesets:4 Zones:7004 Aliases: 0 Attribute-groups: 1
Active Zoning Database :
DB size: 94340 bytes
Name: zoneset-hac13-200 Zonesets:1 Zones:176
Current Total Zone DB Usage: 2096924 / 2097152 bytes (99 % used)
Pending (Session) DB size:
Full DB Copy size: 0 bytes
Active DB Copy size: 0 bytes
SFC size: 0 / 2097152 bytes (0 % used)
Status: Activation completed at 17:28:04 UTC Jun 16 2014
You can perform a one-time distribution of inactive, unmodified zone sets throughout the fabric. To propagate a one-time distribution of the full zone set using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database. You see the Edit Local Full Zone Database dialog box. |
| Step 2 |
Click the appropriate zone from the list in the left pane. |
| Step 3 |
Click Distribute to distribute the full zone set across the fabric. |
When two switches in a fabric are merged using a TE or E port, these TE and E ports may become isolated when the active zoneset databases are different between the two switches or fabrics. When a TE port or an E port become isolated, you can recover that port from its isolated state using one of three options:
Import the neighboring switch's active zoneset database and replace the current active zoneset (see Importing and Exporting the Database .
Export the current database to the neighboring switch.
Manually resolve the conflict by editing the full zoneset, activating the corrected zoneset, and then bringing up the link.
Note |
Issue the import and export commands from a single switch. Importing from one switch and exporting from another switch can lead to isolation again. |
To import or export the zoneset information from or to an adjacent switch, follow these steps:
| Step 1 |
switch# zoneset import interface fc1/3 vsan 2 Imports the zoneset from the adjacent switch connected through the fc 1/3 interface for VSAN 2. |
| Step 2 |
switch# zoneset import interface fc1/3 vsan 2-5 Imports the zoneset from the adjacent switch connected through the fc 1/3 interface for VSANs ranging from 2 through 5. |
| Step 3 |
switch# zoneset export vsan 5 Exports the zoneset to the adjacent switch connected through VSAN 5. |
| Step 4 |
switch# zoneset export vsan 5-8 Exports the zoneset to the adjacent switch connected through the range of VSANs 5 through 8. |
To import or export the zone set information from or to an adjacent switch using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Tools > Zone Merge Fail Recovery. You see the Zone Merge Failure Recovery dialog box (see Zone Merge Failure Recovery Dialog Box).  |
| Step 2 |
Click the Import Active Zoneset or the Export Active Zoneset radio button. |
| Step 3 |
Select the switch from which to import or export the zone set information from the drop-down list. |
| Step 4 |
Select the VSAN from which to import or export the zone set information from the drop-down list. |
| Step 5 |
Select the interface to use for the import process. |
| Step 6 |
Click OK to import or export the active zone set. Issue the import and export commands from a single switch. Importing from one switch and exporting from another switch can lead to isolation again. |
You can make a copy and then edit it without altering the existing active zoneset. You can copy an active zoneset from the bootflash: directory, volatile: directory, or slot0, to one of the following areas:
To the full zoneset
To a remote location (using FTP, SCP, SFTP, or TFTP)
The active zoneset is not part of the full zoneset. You cannot make changes to an existing zoneset and activate it, if the full zoneset is lost or is not propagated.
Caution |
Copying an active zoneset to a full zoneset may overwrite a zone with the same name, if it already exists in the full zoneset database. |
On the Cisco MDS Series switches, you cannot edit an active zoneset. However, you can copy an active zoneset to create a new zoneset that you can edit.
Caution |
If the Inter-VSAN Routing (IVR) feature is enabled and if IVR zones exist in the active zoneset, then a zoneset copy operation copies all the IVR zones to the full zone database. To prevent copying to the IVR zones, you must explicitly remove them from the full zoneset database before performing the copy operation. For more information on the IVR feature see the Cisco MDS 9000 Series NX-OS Inter-VSAN Routing Configuration Guide . |
To make a copy of a zoneset, follow this step:
| Step 1 |
switch# zone copy active-zoneset full-zoneset vsan 2 Example:Makes a copy of the active zoneset in VSAN 2 to the full zoneset. |
| Step 2 |
switch# zone copy vsan 3 active-zoneset scp://guest@myserver/tmp/active_zoneset.txt Copies the active zone in VSAN 3 to a remote location using SCP. |
To make a copy of a zone set using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Edit > Copy Full Zone Database. You see the Copy Full Zone Database dialog box (see Copy Full Zone Database Dialog Box).  |
| Step 2 |
Click the Active or the Full radio button, depending on which type of database you want to copy. |
| Step 3 |
Select the source VSAN from the drop-down list. |
| Step 4 |
If you selected Copy Full, select the source switch and the destination VSAN from those drop-down lists. |
| Step 5 |
Select the destination switch from the drop-down list. |
| Step 6 |
Click Copy to copy the database. |
You can back up the zone configuration to a workstation using TFTP. This zone backup file can then be used to restore the zone configuration on a switch. Restoring the zone configuration overwrites any existing zone configuration on a switch.
To back up the full zone configuration using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database . You see the Select VSAN dialog box. |
| Step 2 |
Select a VSAN and click OK . You see the Edit Local Full Zone Database dialog box for the selected VSAN (see Edit Local Full Zone Database).  |
| Step 3 |
Choose File > Backup > This VSAN Zones to back up the existing zone configuration to a workstation using TFTP, SFTP, SCP, or FTP. You see the Backup Zone Configuration dialog box (see Backup Zone Configuration Dialog Box).  You can edit this configuration before backing up the data to a remote server. |
| Step 4 |
Provide the following Remote Options information to back up data onto a remote server:
|
| Step 5 |
Click Backup or click Cancel to close the dialog box without backing up. |
To restore the full zone configuration using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database . You see the Select VSAN dialog box. |
||||
| Step 2 |
Select a VSAN and click OK . You see the Edit Local Full Zone Database dialog box for the selected VSAN (see Edit Local Full Zone Database). |
||||
| Step 3 |
Choose File > Restore to restore a saved zone configuration using TFTP, SFTP, SCP or FTP. You see the Restore Zone Configuration dialog box (see Restore Zone Configuration Dialog Box).  You can edit this configuration before restoring it to the switch. |
||||
| Step 4 |
Provide the following Remote Options information to restore data from a remote server:
|
||||
| Step 5 |
Click Restore to continue or click Cancel to close the dialog box without restoring.
|
Note |
Backup option is available to switches that run Cisco NX-OS Release 4.1(3) or later. Restore option is only supported on Cisco DCNM SAN Client Release 4.1(3) or later. |
To rename a zone, zone set, fcalias, or zone-attribute-group, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zoneset rename oldname newname vsan 2 Renames a zone set in the specified VSAN. |
| Step 3 |
switch(config)# zone rename oldname newname vsan 2 Renames a zone in the specified VSAN. |
| Step 4 |
switch(config)# fcalias rename oldname newname vsan 2 Renames a fcalias in the specified VSAN. |
| Step 5 |
switch(config)# zone-attribute-group rename oldname newname vsan 2 Renames a zone attribute group in the specified VSAN. |
| Step 6 |
switch(config)# zoneset activate name newname vsan 2 Activates the zone set and updates the new zone name in the active zone set. |
To rename a zone, zone set, or alias using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database. You see the Select VSAN dialog box. |
| Step 2 |
Select a VSAN and click OK. You see the Edit Local Full Zone Database dialog box for the selected VSAN (see Edit Local Full Zone Database Dialog Box).  |
| Step 3 |
Click a zone or zone set in the left pane. |
| Step 4 |
Choose Edit > Rename. An edit box appears around the zone or zone set name. |
| Step 5 |
Enter a new name. |
| Step 6 |
Click Activate or Distribute. |
To clone a zone, zoneset, fcalias, or zone-attribute-group, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zoneset clone oldname newnamevsan 2 Clones a zoneset in the specified VSAN. |
| Step 3 |
switch(config)# zone clone oldname newname vsan 2 Clones a zone in the specified VSAN. |
| Step 4 |
switch(config)# fcalias clone oldname newnamevsan 2 Clones a fcalias in the specified VSAN. |
| Step 5 |
switch(config)# zone-attribute-group clone oldname newname vsan 2 Clones a zone attribute group in the specified VSAN. |
| Step 6 |
switch(config)# zoneset activate name newname vsan 2 Activates the zoneset and updates the new zone name in the active zoneset. |
To clone a zone, zone set, fcalias, or zone attribute group, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database. You see the Select VSAN dialog box. |
| Step 2 |
Select a VSAN and click OK. You see the Edit Local Full Zone Database dialog box for the selected VSAN. |
| Step 3 |
Choose Edit > Clone. You see the Clone Zoneset dialog box (see Clone Zoneset Dialog Box). The default name is the word Clone followed by the original name.  |
| Step 4 |
Change the name for the cloned entry. |
| Step 5 |
Click OK to save the new clone. The cloned database now appears along with the original database. |
To use the Zone Migration Wizard to migrate a non-MDS database using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Migrate Non-MDS Database. You see the Zone Migration Wizard. |
| Step 2 |
Follow the prompts in the wizard to migrate the database. |
You can clear all configured information in the zone server database for the specified VSAN.
To clear the zone server database, use the following command:
switch# clear zone database vsan 2
Note |
To clear the zone server database, refer to the Cisco MDS 9000 Series NX-OS Fabric Configuration Guide. |
Note |
After issuing a clear zone database command, you must explicitly issue the copy running-config startup-config to ensure that the running configuration is used when the switch reboots. |
Note |
Clearing a zoneset only erases the full zone database, not the active zone database. |
Note |
After clearing the zone server database, you must explicitly copy the running configuration to the startup configuration to ensure that the running configuration is used when the switch reboots. |
The zoning feature provides an additional segregation mechanism to prioritize select zones in a fabric and set up access control between devices. Using this feature, you can configure the quality of service (QoS) priority as a zone attribute. You can assign the QoS traffic priority attribute to be high, medium, or low. By default, zones with no specified priority are implicitly assigned a low priority. Refer to the Cisco MDS 9000 NX-OS Series Quality of Service Configuration Guide for more information.
To use this feature, you need to obtain the ENTERPRISE_PKG license (refer to the Cisco NX-OS Series Licensing Guide ) and you must enable QoS in the switch (refer to the Cisco MDS 9000 Series NX-OS Quality of Service Configuration Guide ).
This feature allows SAN administrators to configure QoS in terms of a familiar data flow identification paradigm. You can configure this attribute on a zone-wide basis rather than between zone members.
Caution |
If zone-based QoS is implemented in a switch, you cannot configure the interop mode in that VSAN. |
To configure the zone priority, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
||
| Step 2 |
switch(config)# zone name QosZone vsan 2 Example:Configures an alias name (QosZone) and enters zone configuration submode. |
||
| Step 3 |
switch(config-zone)# attribute-group qos priority high Example:Configures this zone to assign high priority QoS traffic to each frame matching this zone in enhanced mode. |
||
| Step 4 |
switch(config-zone)# attribute qos priority { high | low | medium} Configures this zone to assign QoS traffic to each frame matching this zone. |
||
| Step 5 |
switch(config-zone)# exit Example:Returns to configuration mode. |
||
| Step 6 |
switch(config)# zone set name QosZoneset vsan 2 Example:Configures a zoneset called QosZoneset for the specified VSAN (vsan 2) and enters zoneset configuration submode.
|
||
| Step 7 |
switch(config-zoneset)# member QosZone Adds QosZone as a member of the specified zoneset (QosZoneset).
|
||
| Step 8 |
switch(config-zoneset)# exit Example:Returns to configuration mode. |
||
| Step 9 |
switch(config)# zoneset activate name QosZoneset vsan 2 Activates the specified zoneset. |
To configure the zone priority using DCNM SAN Client, follow these steps:
| Step 1 |
Expand a VSAN and then select a zone set in the Logical Domains pane. |
| Step 2 |
Click the Policies tab in the Information pane. You see the Zone policy information in the Information pane (see Zone Policies Tab in the Information Pane). |
| Step 3 |
Use the check boxes and drop-down menus to configure QoS on the default zone. |
| Step 4 |
Click Apply Changes to save the changes. |
QoS priority attribute configuration changes take effect when you activate the zoneset of the associated zone.
Note |
If a member is part of two zones with two different QoS priority attributes, the higher QoS value is implemented. This situation does not arise in the VSAN-based QoS as the first matching entry is implemented. |
To configure the QoS priority attributes for a default zone, follow these steps:
| Step 1 |
switch# configure terminal Example:Enters configuration mode. |
| Step 2 |
switch(config)# zone default-zone vsan 1 Example:Enters the default zone configuration submode. |
| Step 3 |
switch(config-default-zone)# attribute qos priority high Sets the QoS priority attribute for frames matching these zones. |
| Step 4 |
switch(config-default-zone)# no attribute qos priority high Removes the QoS priority attribute for the default zone and reverts to default low priority. |
To configure the QoS priority attributes for a default zone using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database. You see the Select VSAN dialog box. |
| Step 2 |
Select a VSAN and click OK. You see the Edit Local Full Zone Database dialog box for the selected VSAN. |
| Step 3 |
Choose Edit > Edit Default Zone Attributes to configure the default zone QoS priority attributes (see QoS Priority Attributes).  |
| Step 4 |
Check the Permit QoS Traffic with Priority check box and set the Qos Priority drop-down menu to low, medium, or high. |
| Step 5 |
Click OK to save these changes. |
To permit or deny traffic in the default zone using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Edit Local Full Zone Database. You see the Select VSAN dialog box. |
| Step 2 |
Select a VSAN and click OK. You see the Edit Local Full Zone Database dialog box for the selected VSAN. |
| Step 3 |
Choose Edit > Edit Default Zone Attributes to configure the default zone QoS priority attributes. You see the Modify Default Zone Properties dialog box (see Modify Default Zone Properties Dialog Box).  |
| Step 4 |
Set the Policy drop-down menu to permit to permit traffic in the default zone, or set it to deny to block traffic in the default zone. |
| Step 5 |
Click OK to save these changes. |
Smart zoning implements hard zoning of large zones with fewer hardware resources than was previously required. The traditional zoning method allows each device in a zone to communicate with every other device in the zone. The administrator is required to manage the individual zones according to the zone configuration guidelines. Smart zoning eliminates the need to create a single initiator to single target zones. By analyzing device-type information in the FCNS, useful combinations can be implemented at the hardware level by the Cisco MDS NX-OS software, and the combinations that are not used are ignored. For example, initiator-target pairs are configured, but not initiator-initiator. The device is treated as unknown if:
The FC4 types are not registered on the device.
During Zone Convert, the device is not logged into the fabric.
The zone is created, however, initiator, target, or initiator and target is not specified.
The device type information of each device in a smart zone is automatically populated from the Fibre Channel Name Server (FCNS) database as host, target, or both. This information allows more efficient utilisation of switch hardware by identifying initiator-target pairs and configuring those only in hardware. In the event of a special situation, such as a disk controller that needs to communicate with another disk controller, smart zoning defaults can be overridden by the administrator to allow complete control.
Note |
|
Table displays the supported smart zoning member configurations.
|
Feature |
Supported |
|---|---|
|
PWWN |
Yes |
|
FCID |
Yes |
|
FCalias |
Yes |
|
Device-alias |
Yes |
|
Interface |
No |
|
IP address |
No |
|
Symbolic nodename |
No |
|
FWWN |
No |
|
Domain ID |
No |
To configure the smart zoning for a VSAN, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zone smart-zoning enable vsan 1 Enables smart zoning on a VSAN. |
| Step 3 |
switch(config)# no zone smart-zoning enable vsan 1 Disables smart zoning on a VSAN. |
To set the default value, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# system default zone smart-zone enable Enables smart zoning on a VSAN that are created based on the specified default value. |
| Step 3 |
switch(config)# no system default zone smart-zone enable Disables smart zoning on a VSAN. |
To fetch the device-type information from nameserver and to add that information to the member, follow the steps below: This can be performed at zone, zoneset, FCalias, and VSAN levels. After the zoneset is converted to smart zoning, you need to activate zoneset.
| Step 1 |
switch# configure terminal Enters configuration mode. |
||
| Step 2 |
switch(config)# zone convert smart-zoning fcalias name <alias-name> vsan <vsan no> Fetches the device type information from the nameserver for the fcalias members.
|
||
| Step 3 |
switch(config)# zone convert smart-zoning zone name <zone name> vsan <vsan no> Fetches the device type information from the nameserver for the zone members. |
||
| Step 4 |
switch(config)# zone convert smart-zoning zoneset name <zoneset name> vsan <vsan no> Fetches the device type information from the nameserver for all the zones and fcalias members in the specified zoneset. |
||
| Step 5 |
switch(config)# zone convert smart-zoning vsan <vsan no> Fetches the device type information from the nameserver for all the zones and fcalias members for all the zonesets present in the VSAN. |
||
| Step 6 |
switch(config)# show zone smart-zoning auto-conv status vsan 1 Displays the previous auto-convert status for a VSAN. |
||
| Step 7 |
switch(config)# show zone smart-zoning auto-conv log errors Displays the error-logs for smart-zoning auto-convert. |
Use the show fcns database command to check if the device is initiator, target or both:
switch# show fcns database
VSAN 1:
--------------------------------------------------------------------------
FCID TYPE PWWN (VENDOR) FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0x9c0000 N 21:00:00:e0:8b:08:96:22 (Company 1) scsi-fcp:init
0x9c0100 N 10:00:00:05:30:00:59:1f (Company 2) ipfc
0x9c0200 N 21:00:00:e0:8b:07:91:36 (Company 3) scsi-fcp:init
0x9c03d6 NL 21:00:00:20:37:46:78:97 (Company 4) scsi-fcp:target
Note |
When device types are explicitly configured in smart zoning, any device must be configured with the same type in all zones of which the device is a member. A zone member must not be configured as initiator in some zones and target in other zones. |
To configure the device types for zone members, follow these step:
| Step 1 |
switch# configure terminal Enters configuration mode. |
||
| Step 2 |
switch(config-zoneset-zone)# member device-alias name both Configures the device type for the device-alias member as both. For every supported member-type, init, target, and both are supported. |
||
| Step 3 |
switch(config-zoneset-zone)# member pwwn number target Configures the device type for the pwwn member as target. For every supported member-type, init, target, and both are supported. |
||
| Step 4 |
switch(config-zoneset-zone)# member fcid number Configures the device type for the FCID member. There is no specific device type that is configured. For every supported member-type, init, target, and both are supported.
|
To remove the smart zoning configuration, follow this steps:
| Step 1 |
switch(config)# clear zone smart-zoning fcalias name alias-name vsan number Removes the device type configuration for all the members of the specified fcalias. |
| Step 2 |
switch(config)# clear zone smart-zoning zone name zone name vsan number Removes the device type configuration for all the members of the specified zone. |
| Step 3 |
switch(config)# clear zone smart-zoning zoneset name zoneset name vsan number Removes the device type configuration for all the members of the zone and fcalias for the specified zoneset. |
| Step 4 |
switch(config)# clear zone smart-zoning vsan number Removes the device type configuration for all the members of the zone and fcalias of all the specified zonesets in the VSAN. |
To disable smart zoning at the zone level for a VSAN in basic zoning mode, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
||
| Step 2 |
switch(config)# zone name zone1 vsan 1 Configures a zone name. |
||
| Step 3 |
switch(config-zone)# attribute disable-smart-zoning Disables Smart Zoning for the selected zone.
|
To disable smart zoning at the zone level for a VSAN in enhanced zoning mode, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
||
| Step 2 |
switch(config)# zone-attribute-group name disable-sz vsan 1 Creates an enhanced zone session. |
||
| Step 3 |
switch(config-attribute-group)#disable-smart-zoning Disables Smart Zoning for the selected zone.
|
||
| Step 4 |
switch(config-attribute-group)# zone name prod vsan 1 Configures a zone name. |
||
| Step 5 |
switch(config-zone)# attribute-group disable-sz Configures to assign a group-attribute name for the selected zone. |
||
| Step 6 |
switch(config-zone)# zone commit vsan 1 Commits zoning changes to the selected VSAN. |
To broadcast frames in the basic zoning mode using DCNM SAN Client, follow these steps:
| Step 1 |
Expand a VSAN and then select a zone set in the Logical Domains pane. |
| Step 2 |
Click the Policies tab in the Information pane. You see the Zone policy information in the Information pane. |
| Step 3 |
Check the Broadcast check box to enable broadcast frames on the default zone. |
| Step 4 |
Click Apply Changes to save these changes. |
You can view any zone information by using the show command. If you request information for a specific object (for example, a specific zone, zoneset, VSAN, or alias, or keywords such as brief or active ), only information for the specified object is displayed. If you do not request specific information, all available information is displayed.
Displays Zone Information for All VSANs
switch# show zone
zone name Zone3 vsan 1
pwwn 21:00:00:20:37:6f:db:dd
pwwn 21:00:00:20:37:9c:48:e5
zone name Zone2 vsan 2
fwwn 20:41:00:05:30:00:2a:1e
fwwn 20:42:00:05:30:00:2a:1e
fwwn 20:43:00:05:30:00:2a:1e
zone name Zone1 vsan 1
pwwn 21:00:00:20:37:6f:db:dd
pwwn 21:00:00:20:37:a6:be:2f
pwwn 21:00:00:20:37:9c:48:e5
fcalias Alias1
zone name Techdocs vsan 3
ip-address 10.15.0.0 255.255.255.0
zone name Zone21 vsan 5
pwwn 21:00:00:20:37:a6:be:35
pwwn 21:00:00:20:37:a6:be:39
fcid 0xe000ef
fcid 0xe000e0
symbolic-nodename iqn.test
fwwn 20:1f:00:05:30:00:e5:c6
fwwn 12:12:11:12:11:12:12:10
interface fc1/5 swwn 20:00:00:05:30:00:2a:1e
ip-address 12.2.4.5 255.255.255.0
fcalias name Alias1 vsan 1
pwwn 21:00:00:20:37:a6:be:35
zone name Zone2 vsan 11
interface fc1/5 pwwn 20:4f:00:05:30:00:2a:1e
zone name Zone22 vsan 6
fcalias name Alias1 vsan 1
pwwn 21:00:00:20:37:a6:be:35
zone name Zone23 vsan 61
pwwn 21:00:00:04:cf:fb:3e:7b lun 0000
Displays Zone Information for a Specific VSAN
switch# show zone vsan 1
zone name Zone3 vsan 1
pwwn 21:00:00:20:37:6f:db:dd
pwwn 21:00:00:20:37:9c:48:e5
zone name Zone2 vsan 1
fwwn 20:4f:00:05:30:00:2a:1e
fwwn 20:50:00:05:30:00:2a:1e
fwwn 20:51:00:05:30:00:2a:1e
fwwn 20:52:00:05:30:00:2a:1e
fwwn 20:53:00:05:30:00:2a:1e
zone name Zone1 vsan 1
pwwn 21:00:00:20:37:6f:db:dd
pwwn 21:00:00:20:37:a6:be:2f
pwwn 21:00:00:20:37:9c:48:e5
fcalias Alias1
Use the show zoneset command to view the configured zonesets.
Displays Configured Zoneset Information
switch# show zoneset vsan 1
zoneset name ZoneSet2 vsan 1
zone name Zone2 vsan 1
fwwn 20:4e:00:05:30:00:2a:1e
fwwn 20:4f:00:05:30:00:2a:1e
fwwn 20:50:00:05:30:00:2a:1e
fwwn 20:51:00:05:30:00:2a:1e
fwwn 20:52:00:05:30:00:2a:1e
zone name Zone1 vsan 1
pwwn 21:00:00:20:37:6f:db:dd
pwwn 21:00:00:20:37:a6:be:2f
pwwn 21:00:00:20:37:9c:48:e5
fcalias Alias1
zoneset name ZoneSet1 vsan 1
zone name Zone1 vsan 1
pwwn 21:00:00:20:37:6f:db:dd
pwwn 21:00:00:20:37:a6:be:2f
pwwn 21:00:00:20:37:9c:48:e5
fcalias Alias1
Displays Configured Zoneset Information for a Range of VSANs
switch# show zoneset vsan 2-3
zoneset name ZoneSet2 vsan 2
zone name Zone2 vsan 2
fwwn 20:52:00:05:30:00:2a:1e
fwwn 20:53:00:05:30:00:2a:1e
fwwn 20:54:00:05:30:00:2a:1e
fwwn 20:55:00:05:30:00:2a:1e
fwwn 20:56:00:05:30:00:2a:1e
zone name Zone1 vsan 2
pwwn 21:00:00:20:37:6f:db:dd
pwwn 21:00:00:20:37:a6:be:2f
pwwn 21:00:00:20:37:9c:48:e5
fcalias Alias1
zoneset name ZoneSet3 vsan 3
zone name Zone1 vsan 1
pwwn 21:00:00:20:37:6f:db:dd
pwwn 21:00:00:20:37:a6:be:2f
pwwn 21:00:00:20:37:9c:48:e5
fcalias Alias1
Use the show zone name command to display members of a specific zone.
Displays Members of a Zone
switch# show zone name Zone1
zone name Zone1 vsan 1
pwwn 21:00:00:20:37:6f:db:dd
pwwn 21:00:00:20:37:a6:be:2f
pwwn 21:00:00:20:37:9c:48:e5
fcalias Alias1
Use the show fcalias command to display fcalias configuration.
Displays fcalias Configuration
switch# show fcalias vsan 1
fcalias name Alias2 vsan 1
fcalias name Alias1 vsan 1
pwwn 21:00:00:20:37:6f:db:dd
pwwn 21:00:00:20:37:9c:48:e5
Use the show zone member command to display all zones to which a member belongs using the FC ID.
Displays Membership Status
switch# show zone member pwwn 21:00:00:20:37:9c:48:e5
VSAN: 1
zone Zone3
zone Zone1
fcalias Alias1
Use the show zone statistics command to display the number of control frames exchanged with other switches.
Displays Zone Statistics
switch# show zone statistics
Statistics For VSAN: 1
**********************************
Number of Merge Requests Sent: 24
Number of Merge Requests Recvd: 25
Number of Merge Accepts Sent: 25
Number of Merge Accepts Recvd: 25
Number of Merge Rejects Sent: 0
Number of Merge Rejects Recvd: 0
Number of Change Requests Sent: 0
Number of Change Requests Recvd: 0
Number of Change Rejects Sent: 0
Number of Change Rejects Recvd: 0
Number of GS Requests Recvd: 0
Number of GS Requests Rejected: 0
Statistics For VSAN: 2
**********************************
Number of Merge Requests Sent: 4
Number of Merge Requests Recvd: 4
Number of Merge Accepts Sent: 4
Number of Merge Accepts Recvd: 4
Number of Merge Rejects Sent: 0
Number of Merge Rejects Recvd: 0
Number of Change Requests Sent: 0
Number of Change Requests Recvd: 0
Number of Change Rejects Sent: 0
Number of Change Rejects Recvd: 0
Number of GS Requests Recvd: 0
Number of GS Requests Rejected: 0
Displays LUN Zone Statistics
switch# show zone statistics lun-zoning
LUN zoning statistics for VSAN: 1
************************************************************
S-ID: 0x123456, D-ID: 0x22222, LUN: 00:00:00:00:00:00:00:00
------------------------------------------------------------
Number of Inquiry commands received: 10
Number of Inquiry data No LU sent: 5
Number of Report LUNs commands received: 10
Number of Request Sense commands received: 1
Number of Other commands received: 0
Number of Illegal Request Check Condition sent: 0
S-ID: 0x123456, D-ID: 0x22222, LUN: 00:00:00:00:00:00:00:01
------------------------------------------------------------
Number of Inquiry commands received: 1
Number of Inquiry data No LU sent: 1
Number of Request Sense commands received: 1
Number of Other commands received: 0
Number of Illegal Request Check Condition sent: 0
Displays LUN Zone Statistics
Need the latest output
switch# show zone statistics read-only-zoning
Read-only zoning statistics for VSAN: 2
************************************************************
S-ID: 0x33333, D-ID: 0x11111, LUN: 00:00:00:00:00:00:00:64
------------------------------------------------------------
Number of Data Protect Check Condition Sent: 12
Displays Active Zone Sets
switch# show zoneset active
zoneset name ZoneSet1 vsan 1
zone name zone1 vsan 1
fcid 0x080808
fcid 0x090909
fcid 0x0a0a0a
zone name zone2 vsan 1
* fcid 0xef0000 [pwwn 21:00:00:20:37:6f:db:dd]
* fcid 0xef0100 [pwwn 21:00:00:20:37:a6:be:2f]
Displays Brief Descriptions of Zone Sets
switch# show zoneset brief
zoneset name ZoneSet1 vsan 1
zone zone1
zone zone2
Displays Active Zones
switch# show zone active
zone name Zone2 vsan 1
* fcid 0x6c01ef [pwwn 21:00:00:20:37:9c:48:e5]
zone name IVRZ_IvrZone1 vsan 1
pwwn 10:00:00:00:77:99:7a:1b
* fcid 0xce0000 [pwwn 10:00:00:00:c9:2d:5a:dd]
zone name IVRZ_IvrZone4 vsan 1
* fcid 0xce0000 [pwwn 10:00:00:00:c9:2d:5a:dd]
* fcid 0x6c01ef [pwwn 21:00:00:20:37:9c:48:e5]
zone name Zone1 vsan 1667
fcid 0x123456
zone name $default_zone$ vsan 1667
Displays Active Zone Sets
switch# show zoneset active
zoneset name ZoneSet4 vsan 1
zone name Zone2 vsan 1
* fcid 0x6c01ef [pwwn 21:00:00:20:37:9c:48:e5]
zone name IVRZ_IvrZone1 vsan 1
pwwn 10:00:00:00:77:99:7a:1b
* fcid 0xce0000 [pwwn 10:00:00:00:c9:2d:5a:dd]
zoneset name QosZoneset vsan 2
zone name QosZone vsan 2
attribute qos priority high
* fcid 0xce0000 [pwwn 10:00:00:00:c9:2d:5a:dd]
* fcid 0x6c01ef [pwwn 21:00:00:20:37:9c:48:e5]
Active zoneset vsan 1667
zone name Zone1 vsan 1667
fcid 0x123456
zone name $default_zone$ vsan 1667
Displays Zone Status
switch(config)# show zone status
VSAN: 1 default-zone: deny distribute: active only Interop: default
mode: basic merge-control: allow
session: none
hard-zoning: enabled broadcast: disabled
smart-zoning: disabled
rscn-format: fabric-address
activation overwrite control:disabled
Default zone:
qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
DB size: 4 bytes
Zonesets:0 Zones:0 Aliases: 0
Active Zoning Database :
Database Not Available
Current Total Zone DB Usage: 4 / 2097152 bytes (0 % used)
Pending (Session) DB size:
Full DB Copy size: n/a
Active DB Copy size: n/a
SFC size: 4 / 2097152 bytes (0 % used)
Status:
VSAN: 8 default-zone: deny distribute: full Interop: default
mode: basic merge-control: allow
session: none
hard-zoning: enabled broadcast: disabled
smart-zoning: disabled
rscn-format: fabric-address
Default zone:
qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
DB size: 1946498 bytes
Zonesets:6 Zones:8024 Aliases: 0
Active Zoning Database :
DB size: 150499 bytes
Name: zoneset-1000 Zonesets:1 Zones:731
Current Total Zone DB Usage: 2096997 / 2097152 bytes (99 % used)
Pending (Session) DB size:
Full DB Copy size: n/a
Active DB Copy size: n/a
SFC size: 2096997 / 2097152 bytes (99 % used)
Status: Zoneset distribution failed [Error: Fabric changing Dom 33]:
at 17:05:06 UTC Jun 16 2014
VSAN: 9 default-zone: deny distribute: full Interop: default
mode: enhanced merge-control: allow
session: none
hard-zoning: enabled broadcast: enabled
smart-zoning: disabled
rscn-format: fabric-address
Default zone:
qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
DB size: 2002584 bytes
Zonesets:4 Zones:7004 Aliases: 0 Attribute-groups: 1
Active Zoning Database :
DB size: 94340 bytes
Name: zoneset-hac13-200 Zonesets:1 Zones:176
Current Total Zone DB Usage: 2096924 / 2097152 bytes (99 % used)
Pending (Session) DB size:
Full DB Copy size: 0 bytes
Active DB Copy size: 0 bytes
SFC size: 0 / 2097152 bytes (0 % used)
Status: Activation completed at 17:28:04 UTC Jun 16 2014
VSAN: 12 default-zone: deny distribute: full Interop: default
mode: enhanced merge-control: allow
session: none
hard-zoning: enabled broadcast: enabled
smart-zoning: disabled
rscn-format: fabric-address
Default zone:
qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
DB size: 84 bytes
Zonesets:0 Zones:1 Aliases: 0 Attribute-groups: 1
Active Zoning Database :
DB size: 144 bytes
Name: zs1 Zonesets:1 Zones:2
Current Total Zone DB Usage: 228 / 2097152 bytes (0 % used)
Pending (Session) DB size:
Full DB Copy size: 0 bytes
Active DB Copy size: 0 bytes
SFC size: 0 / 2097152 bytes (0 % used)
Status: Commit completed at 14:39:33 UTC Jun 27 201
Use the show zone command to display the zone attributes for all configured zones.
Displays Zone Statistics
switch# show zone
zone name lunSample vsan 1 <-----------------Read-write attribute
zone name ReadOnlyZone vsan 2
attribute read-only <-----------------Read-only attribute
Use the show running and show zone active commands to display the configured interface-based zones.
Displays the Interface-Based Zones
switch# show running zone name if-zone vsan 1
member interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2
member fwwn 20:4f:00:0c:88:00:4a:e2
member interface fc2/1 swwn 20:00:00:05:30:00:4a:9e
member pwwn 22:00:00:20:37:39:6b:dd
Displays the fWWNs and Interfaces in an Active Zone
switch# show zone active zone name if-zone vsan 1
* fcid 0x7e00b3 [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]
* fcid 0x7e00b1 [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]
* fcid 0x7e00ac [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]
* fcid 0x7e00b3 [fwwn 20:4f:00:0c:88:00:4a:e2]
* fcid 0x7e00b1 [fwwn 20:4f:00:0c:88:00:4a:e2]
* fcid 0x7e00ac [fwwn 20:4f:00:0c:88:00:4a:e2]
interface fc2/1 swwn 20:00:00:05:30:00:4a:9e
A similar output is also available on the remote switch (see the following example).
Displays the Local Interface Active Zone Details for a Remote Switch
switch# show zone active zone name if-zone vsan 1
* fcid 0x7e00b3 [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]
* fcid 0x7e00b1 [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]
* fcid 0x7e00ac [interface fc2/15 swwn 20:00:00:0c:88:00:4a:e2]
* fcid 0x7e00b3 [fwwn 20:4f:00:0c:88:00:4a:e2]
* fcid 0x7e00b1 [fwwn 20:4f:00:0c:88:00:4a:e2]
* fcid 0x7e00ac [fwwn 20:4f:00:0c:88:00:4a:e2]
interface fc2/1 swwn 20:00:00:05:30:00:4a:9e
Displays the Zone Status for a VSAN
switch(config)# show zone status vsan 1
VSAN: 1 default-zone: deny distribute: active only Interop: default
mode: basic merge-control: allow
session: none
hard-zoning: enabled broadcast: disabled
smart-zoning: disabled
rscn-format: fabric-address
activation overwrite control:disabled
Default zone:
qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
DB size: 4 bytes
Zonesets:0 Zones:0 Aliases: 0
Active Zoning Database :
Database Not Available
Current Total Zone DB Usage: 4 / 2097152 bytes (0 % used)
Pending (Session) DB size:
Full DB Copy size: n/a
Active DB Copy size: n/a
SFC size: 4 / 2097152 bytes (0 % used)
Status:
Displays the Zone Policy for a VSAN
switch# show zone policy vsan 1
Vsan: 1
Default-zone: deny
Distribute: full
Broadcast: enable
Merge control: allow
Generic Service: read-write
Smart-zone: enabled
Displays How to Create a Zone Attribute-Group to for a VSAN in the Enhanced Mode to Disable Smart Zoning at an Individual Zone Level
Note |
After the attribute-group is created, it needs to be applied to any zones requiring smart zoning to be disabled. |
config# zone-attribute-group name <name> vsan 1
config-attribute-group# disable-smart-zoning
config-attribute-group# exit
config# zone commit vsan 1
Displays how to Auto-convert Zones
config# show zoneset vsan 1
zoneset name ZSv1 vsan 1
zone name ddasZone vsan 1
device-alias Init1
device-alias Init2
device-alias Init3
device-alias Target1
config# zone convert smart-zoning vsan 1
smart-zoning auto_convert initiated. This operation can take few minutes. Please wait..
config# show zoneset vsan1
zoneset name ZSv1 vsan 1
zone name ddasZone vsan 1
device-alias Init1 init
device-alias Init2 init
device-alias Init3 init
device-alias Target1 target
Displays how to Clear Device type Configuration for Members
config# show zoneset vsan 1
zoneset name ZSv1 vsan 1
zone name ddasZone vsan 1
device-alias Init1 init
device-alias Init2 init
device-alias Init3 init
device-alias Target1 target
config# clear zone smart-zoning vsan1
config# show zoneset vsan 1
zoneset name ZSv1 vsan 1
zone name ddasZone vsan 1
device-alias Init1
device-alias Init2
device-alias Init3
device-alias Target1The zoning feature complies with the FC-GS-4 and FC-SW-3 standards. Both standards support the basic zoning functionalities explained in the previous section and the enhanced zoning functionalities described in this section.
Table 1 lists the advantages of the enhanced zoning feature in all switches in the Cisco MDS 9000 Series.
|
Basic Zoning |
Enhanced Zoning |
Enhanced Zoning Advantages |
|---|---|---|
|
Administrators can make simultaneous configuration changes. Upon activation, one administrator can overwrite another administrator’s changes. |
Performs all configurations within a single configuration session. When you begin a session, the switch locks the entire fabric to implement the change. |
One configuration session for the entire fabric to ensure consistency within the fabric. |
|
If a zone is part of multiple zonesets, you create an instance of this zone in each zoneset. |
References to the zone are used by the zonesets as required once you define the zone. |
Reduced payload size as the zone is referenced. The size is more pronounced with bigger databases. |
|
The default zone policy is defined per switch. To ensure smooth fabric operation, all switches in the fabric must have the same default zone setting. |
Enforces and exchanges the default zone setting throughout the fabric. |
Fabric-wide policy enforcement reduces troubleshooting time. |
|
To retrieve the results of the activation on a per switch basis, the managing switch provides a combined status about the activation. It does not identify the failure switch. |
Retrieves the activation results and the nature of the problem from each remote switch. |
Enhanced error reporting eases the troubleshooting process. |
|
To distribute the zoning database, you must reactivate the same zoneset. The reactivation may affect hardware changes for hard zoning on the local switch and on remote switches. |
Implements changes to the zoning database and distributes it without reactivation. |
Distribution of zone sets without activation avoids hardware changes for hard zoning in the switches. |
|
The MDS-specific zone member types (IPv4 address, IPv6 address, symbolic node name, and other types) may be used by other non-Cisco switches. During a merge, the MDS-specific types can be misunderstood by the non-Cisco switches. |
Provides a vendor ID along with a vendor-specific type value to uniquely identify a member type. |
Unique vendor type. |
|
The fWWN-based zone membership is only supported in Cisco interop mode. |
Supports fWWN-based membership in the standard interop mode (interop mode 1). |
The fWWN-based member type is standardized. |
To change to the enhanced zoning mode from the basic mode, follow these steps:
| Step 1 |
Verify that all switches in the fabric are capable of working in the enhanced mode. If one or more switches are not capable of working in enhanced mode, then your request to move to enhanced mode is rejected. |
||
| Step 2 |
Set the operation mode to enhanced zoning mode. By doing so, you will automatically start a session, acquire a fabric wide lock, distribute the active and full zoning database using the enhanced zoning data structures, distribute zoning policies and then release the lock. All switches in the fabric then move to the enhanced zoning mode.
|
The standards do not allow you to move back to basic zoning. However, Cisco MDS switches allow this move to enable you to downgrade and upgrade to other Cisco SAN-OS or Cisco NX-OS releases.
To change to the basic zoning mode from the enhanced mode, follow these steps:
| Step 1 |
Verify that the active and full zoneset do not contain any configuration that is specific to the enhanced zoning mode. If such configurations exist, delete them before proceeding with this procedure. If you do not delete the existing configuration, the Cisco NX-OS software automatically removes them. |
||
| Step 2 |
Set the operation mode to basic zoning mode. By doing so, you will automatically start a session, acquire a fabric wide lock, distribute the zoning information using the basic zoning data structure, apply the configuration changes and release the lock from all switches in the fabric. All switches in the fabric then move to basic zoning mode.
|
By default, the enhanced zoning feature is disabled on all switches in the Cisco MDS 9000 Series.
To enable enhanced zoning in a VSAN, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zone mode enhanced vsan id Enables enhanced zoning in the specified VSAN. |
| Step 3 |
switch(config)# no zone mode enhanced vsan id Disables enhanced zoning in the specified VSAN. |
To enable enhanced zoning in a VSAN using DCNM SAN Client, follow these steps:
| Step 1 |
Expand a VSAN and then select a zone set in the Logical Domains pane. You see the zone set configuration in the Information pane. |
| Step 2 |
Click the Enhanced tab. You see the current enhanced zoning configuration. |
| Step 3 |
From the Action drop-down menu, choose enhanced to enable enhanced zoning in this VSAN. |
| Step 4 |
Click Apply Changes to save these changes. |
Modifications to the zone database is done within a session. A session is created at the time of the first successful configuration command. On creation of a session, a copy of the zone database is created. Any changes done within the session are performed on this copy of the zoning database. These changes in the copy zoning database are not applied to the effective zoning database until you commit the changes. Once you apply the changes, the session is closed.
If the fabric is locked by another user and for some reason the lock is not cleared, you can force the operation and close the session. You must have permission (role) to clear the lock in this switch and perform the operation on the switch from where the session was originally created.
To commit or discard changes to the zoning database in a VSAN, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
||
| Step 2 |
switch(config)# zone commit vsan 2 Applies the changes to the enhanced zone database and closes the session. |
||
| Step 3 |
switch(config)# zone commit vsan 3 force Forcefully applies the changes to the enhanced zone database and closes the session created by another user. |
||
| Step 4 |
switch(config)# no zone commit vsan 2 Discards the changes to the enhanced zone database and closes the session. |
||
| Step 5 |
switch(config)# no zone commit vsan 3 force Forcefully discards the changes to the enhanced zone database and closes the session created by another user.
|
To enable the display of pending-diff and subsequent confirmation on issuing a zone commit in enhanced mode, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zone confirm-commit enable vsan vsan-id Enables the confirm-commit option for zone database for a given VSAN. |
| Step 3 |
switch(config-zone)# zone commit vsan 12 If the zone confirm-commit command is enabled for a VSAN, on committing the pending database, the pending-diff is displayed on the console and the user is prompted for Yes or No. If the zone confirm-commit command is disabled, the pending-diff is not displayed and the user is not prompted for Yes or No. |
| Step 4 |
switch(config)# no zone commit vsan 12 If the zone confirm-commit command is enabled for a VSAN, on discarding the pending database, the pending-diff is displayed on the console and the user is prompted for Yes or No. If the zone confirm-commit command is disabled, the pending-diff is not displayed and the user is not prompted for Yes or No. |
To release the session lock on the zoning database on the switches in a VSAN, use the no zone commit vsan command from the switch where the database was initially locked.
switch# configure terminal
switch(config)# no zone commit vsan 2
If session locks remain on remote switches after using the no zone commit vsan command, you can use the clear zone lock vsan command on the remote switches.
switch# clear zone lock vsan 2
Note |
We recommend using the no zone commit vsan command first to release the session lock in the fabric. If that fails, use the clear zone lock vsan command on the remote switches where the session is still locked. |
In enhanced mode, you can directly configure attributes using attribute groups.
To configure attribute groups, follow these steps:
| Step 1 |
Create an attribute group. Example: |
| Step 2 |
Add the attribute to an attribute-group object. Example: |
| Step 3 |
Attach the attribute-group to a zone. Example: |
| Step 4 |
Activate the zoneset. Example:The attribute-groups are expanded and only the configured attributes are present in the active zoneset. To configure attribute groups, refer to the Cisco MDS 9000 Series NX-OS Fabric Configuration Guide. |
The merge behavior depends on the fabric-wide merge control setting:
Restrict—If the two databases are not identical, the ISLs between the switches are isolated.
Allow—The two databases are merged using the merge rules specified in the Table 1.
|
Local Database |
Adjacent Database |
Merge Status |
Results of the Merge |
||
|---|---|---|---|---|---|
|
The databases contain zone sets with the same name1 but different zones, aliases, and attributes groups. |
Successful. |
The union of the local and adjacent databases. |
|||
|
The databases contains a zone, zone alias, or zone attribute group object with same name 1 but different members.
|
Failed. |
ISLs are isolated. |
|||
|
Empty. |
Contains data. |
Successful. |
The adjacent database information populates the local database. |
||
|
Contains data. |
Empty. |
Successful. |
The local database information populates the adjacent database. |
Caution |
Remove all non-PWWN-type zone entries on all MDS switches running Cisco SAN-OS prior to merging fabrics if there is a Cisco MDS 9020 switch running FabricWare in the adjacent fabric. |
When two Fibre Channel (FC) switches that have already been configured with active zonesets and are not yet connected are brought together with an Extended ISL (EISL) link, the zonesets merge. However, steps must be taken to ensure zone consistency before configuring and activating new zones.
Best Practices
When a zone merge occurs, as long as there is not competing information, each switch learns the others zones. Each switch then has three configuration entities. The switches have:
The saved configuration in NVRAM. This is the configuration as it was the last time the copy running-configuration startup-configuration command was issued.
The running configuration. This represents the configuration brought into memory upon the last time the MDS was brought up, plus any changes that have been made to the configuration. With reference to the zoning information, the running configuration represents the configurable database, known as the full database.
The configured zoning information from the running configuration plus the zoning information learned from the zone merge. This combination of configured and learned zone information is the active zoneset.
The merge process operates as follows:
The software compares the protocol versions. If the protocol versions differ, then the ISL is isolated.
If the protocol versions are the same, then the zone policies are compared. If the zone policies differ, then the ISL is isolated.
If the zone merge options are the same, then the comparison is implemented based on the merge control setting.
If the setting is restrict, the active zoneset and the full zoneset should be identical. Otherwise the link is isolated.
If the setting is allow, then the merge rules are used to perform the merge.
When an MDS is booted, it comes up with the configuration previously saved in NVRAM. If you configured the switch after loading the configuration from NVRAM, there is a difference between the bootup and running configuration until the running configuration is saved to the startup configuration. This can be likened to having a file on the local hard drive of your PC. The file is saved and static, but if you open the file and edit, there exists a difference between the changed file and the file that still exists on saved storage. Only when you save the changes, does the saved entity look represent the changes made to the file.
When zoning information is learned from a zone merge, this learned information is not part of the running configuration. Only when the zone copy active-zoneset full-zoneset vsan X command is issued, the learned information becomes incorporated into the running configuration. This is key because when a zone merge is initiated by a new EISL link or activating a zoneset, the zoneset part is ignored by the other switch and the member zone information is considered topical.
Caution |
The zone copy command will delete all fcalias configuration. |
Example
For example, you have two standalone MDS switches, already in place and each with their own configured zone and zoneset information. Switch 1 has an active zoneset known as set A, and Switch 2 has an active zoneset known as set B. Within set A on Switch 1 is zone 1, and on Switch 2, set B has member zone 2. When an ISL link is created between these two switches, each sends their zoneset including their zone information to the other switch. On a merge, the switch will select zoneset name with the higher ASCII value and then merge their zone member. After the merge, both switches will have a zoneset name set B with zone member zone 1 and zone 2.
Everything should be still working for all of the devices in zone 1 and zone 2. To add a new zone, you have to create a new zone, add the new zone to the zoneset, and then activate the zoneset.
Step-by-step, the switches are booted up and have no zoning information. You need to create the zones on the switches and add them to the zonesets.
Basic mode: When zones are in basic mode, refer to the sample command outputs below.
Switch1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch1#(config)# vsan database
Switch1#(config-vsan-db)# vsan 100
Switch1#(config-vsan-db)# exit
Switch1#(config)# zone name zone1 vsan 100
Switch1#(config-zone)# member pwwn 11:11:11:11:11:11:11:1a
Switch1#(config-zone)# member pwwn 11:11:11:11:11:11:11:1b
Switch1#(config-zone)# exit
Switch1#(config)# zoneset name setA vsan 100
Switch1#(config-zoneset)# member zone1
Switch1#(config-zoneset)# exit
Switch1#(config)# zoneset activate name setA vsan 100
Zoneset activation initiated. check zone status
Switch1#(config)# exit
Switch1# show zoneset active vsan 100
zoneset name setA vsan 100
zone name zone1 vsan 100
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1bSwitch1#
Switch2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch2#(config)# vsan database
Switch2#config-vsan-db)# vsan 100
Switch2#(config-vsan-db)# exit
Switch2#(config)# zone name zone2 vsan 100
Switch2#(config-zone)# member pwwn 22:22:22:22:22:22:22:2a
Switch2#(config-zone)# member pwwn 22:22:22:22:22:22:22:2b
Switch2#(config-zone)# exit
Switch2#(config)# zoneset name setB vsan 100
Switch2#(config-zoneset)# member zone2
Switch2#(config-zoneset)# exit
Switch2#(config)# zoneset activate name setB vsan 100
Zoneset activation initiated. check zone status
Switch2#(config)# exit
Switch2# show zoneset active vsan 100
zoneset name setB vsan 100
zone name zone2 vsan 100
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
Switch1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# interface fc1/5
Switch1(config-if)# no shutdown
Switch1(config-if)# exit
Switch1(config)# exit
Note |
Note Ensure that vsan 100 is allowed on ISL. |
Switch1# show zoneset active vsan 100
zoneset name setB vsan 100
zone name zone1 vsan 100
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
Switch1# show zoneset vsan 100
zoneset name setA vsan 100
zone name zone1 vsan 100
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
Switch2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch2(config)# int fc2/5
Switch2(config-if)# no shut
Switch2(config-if)# exit
Switch2(config)# exit
Switch2# show zoneset active vsan 100 zoneset name setB vsan 100
zone name zone1 vsan 100
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zone name zone2 vsan 100
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
Switch2# show zoneset vsan 100zoneset name setB vsan 100
zone name zone2 vsan 100
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
Note |
The name of the newly merged zoneset will be the name of the zoneset with alphabetically higher value. In the given example, the active zoneset is setB. To avoid future zoneset activation problems, the zone copy active-zoneset full-zoneset vsan 100 command should be given, at this point on the switch. Examine if the command is given, and how the new zoning information is handled. |
When the zone copy command is issued, it adds the learned zone information, zone 2 in this case, to the running configuration. If zone 2 has not been copied from residing in memory to copied into the running configuration, zone 2 information is not pushed back out.
Note |
The zone copy command will delete all fcalias configuration. |
Switch1# show run | b "Active Zone Database Section for vsan 100"
!Active Zone Database Section for vsan 100
zone name zone1 vsan 100
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zone name zone2 vsan 100
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
zoneset name setB vsan 100
member zone1
member zone2
zoneset activate name setB vsan 100
do clear zone database vsan 100
!Full Zone Database Section for vsan 100
zone name zone1 vsan 100
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zoneset name setA vsan 100
member zone1
Switch1# zone copy active-zoneset full-zoneset vsan 100
WARNING: This command may overwrite common zones in the full zoneset. Do you want to continue? (y/n) [n] y
Switch1# show run | b "Active Zone Database Section for vsan 100"
!Active Zone Database Section for vsan 100
zone name zone1 vsan 100
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zone name zone2 vsan 100
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
zoneset name setB vsan 100
member zone1
member zone2
zoneset activate name setB vsan 100
do clear zone database vsan 100
!Full Zone Database Section for vsan 100
zone name zone1 vsan 100
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zone name zone2 vsan 100
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
zoneset name setA vsan 100
member zone1
zoneset name setB vsan 100
member zone1
member zone2
Running-Configuration of Switch2 ( before issuing the "zone copy active-zoneset full-zoneset vsan 100" command)
Switch2# show run | b "Active Zone Database Section for vsan 100"
!Active Zone Database Section for vsan 100
zone name zone2 vsan 100
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
zone name zone1 vsan 100
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zoneset name setB vsan 100
member zone2
member zone1
zoneset activate name setB vsan 100
do clear zone database vsan 100
!Full Zone Database Section for vsan 100
zone name zone2 vsan 100
pwwn 22:22:22:22:22:22:22:2
apwwn 22:22:22:22:22:22:22:2b
zoneset name setB vsan 100
member zone2
Running-Configuration of Switch2 ( after issuing the "zone copy active-zoneset full-zoneset vsan 100" command)
Switch2# zone copy active-zoneset full-zoneset vsan 100
WARNING: This command may overwrite common zones in the full zoneset. Do you want to continue? (y/n) [n] y
Switch2# show run | b "Active Zone Database Section for vsan 100"
!Active Zone Database Section for vsan 100
zone name zone2 vsan 100
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
zone name zone1 vsan 100
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zoneset name setB vsan 100
member zone2
member zone1
zoneset activate name setB vsan 100
do clear zone database vsan 100
!Full Zone Database Section for vsan 100
zone name zone2 vsan 100
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
zone name zone1 vsan 100
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zoneset name setB vsan 10
0member zone2
member zone1
Referring back to the three entities of configuration, they are as follows on zone 1 before the zone merge:
Saved configuration: nothing since zone information has not been saved by issuing the copy run start command.
Running configuration: consists of zone 1.
Configured and learned information: consists of zone 1.
After the zone merge, the entities are:
Saved configuration: nothing has been saved.
Running configuration: consists of zone 1.
Configured and learned information: consists of zone 1 and zone 2.
Zone 2 has not become part of the running configuration. Zone 2 has been learned, and is in the active zoneset. Only when the zone copy active-zoneset full-zoneset vsan 100 command is issued, zone 2 becomes copied from being learned to added to the running configuration. The configuration looks as follows after the command is issued:
Note |
The zone copy command will delete all fcalias configuration. |
Saved configuration: nothing has been saved.
Running configuration: consists of zone 1 and zone 2.
Configured and learned information: consists of zone 1 and zone 2.
Commands
By default zone in basic mode will only distribute active zoneset database only, this command was introduced in 1.0.4 SAN-OS will propagate active zoneset and full zoneset database:
zoneset distribute full vsan vsan_id
If the zone update or zoneset activation is going on, the above command must be explicitly enabled on each VSAN on every switch.
Enhanced mode: When zones are in enhanced mode, refer to the sample command outputs below.
Create zones and zoneset. Activate on Switch1.
Switch1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# vsan database
Switch1(config-vsan-db)# vsan 200
Switch1(config-vsan-db)# zone mode enhanced vsan 200
WARNING: This command would distribute the zoning database of this switch throughout the fabric. Do you want to continue? (y/n) [n] y
Set zoning mode command initiated.
Check zone status
Switch1(config-vsan-db)# zone name zone1 vsan 200
Enhanced zone session has been created. Please 'commit' the changes when done.
Switch1(config-zone)# member pwwn 11:11:11:11:11:11:11:1a
Switch1(config-zone)# member pwwn 11:11:11:11:11:11:11:1b
Switch1(config-zone)# zoneset name SetA vsan 200
Switch1(config-zoneset)# member zone1
Switch1(config-zoneset)# zoneset activate name SetA vsan 200
Switch1(config)# zone commit vsan 200
Commit operation initiated. Check zone status
Switch1(config)# exit
Switch1# show zoneset activate vsan 200
zoneset name SetA vsan 200
zone name zone1 vsan 200
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
Switch1# show zoneset vsan 200
zoneset name SetA vsan 200
zone name zone1 vsan 200
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
Create zones and zoneset. Activate on Switch2.
Switch2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch2(config)# vsan database
Switch2(config-vsan-db)# vsan 200
Switch2(config-vsan-db)# zone mode enhanced vsan 200
WARNING: This command would distribute the zoning database of this switch throughout the fabric. Do you want to continue? (y/n) [n] y
Set zoning mode command initiated. Check zone status
Switch2(config)# zone name zone2 vsan 200
Enhanced zone session has been created. Please 'commit' the changes when done.
Switch2(config-zone)# member pwwn 22:22:22:22:22:22:22:2a
Switch2(config-zone)# member pwwn 22:22:22:22:22:22:22:2b
Switch2(config-zone)# zoneset name SetB vsan 200
Switch2(config-zoneset)# member zone2
Switch2(config-zoneset)# zoneset act name SetB vsan 200
Switch2(config)# zone commit vsan 200
Commit operation initiated. Check zone status
Switch2(config)# exit
Switch2# show zoneset activate vsan 200
zoneset name SetB vsan 200
zone name zone2 vsan 200
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
Switch2# show zoneset vsan 200
zoneset name SetB vsan 200
zone name zone2 vsan 200
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
Bring ISL link up and verify zone merge on Switch1.
Switch1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)# interface fc4/1
Switch1(config-if)# no shutdown
Switch1(config-if)# exit
Switch1(config)# exit
Switch1(config-if)# show zoneset activate vsan 200
zoneset name SetB vsan 200
zone name zone1 vsan 200
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zone name zone2 vsan 200
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
Switch1(config-if)# show zoneset vsan 200
zoneset name SetA vsan 200
zone name zone1 vsan 200
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zoneset name SetB vsan 200
zone name zone2 vsan 200
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
Note |
Unlike basic mode, the entire zone database is merged in the case of enhanced mode, wherein Switch1 has the information of zonesets originally configured in Switch2 and vice versa. |
Bring ISL link up and verify zone merge on Switch2. After bringing up ISL between two switches:
Switch2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch2(config)# interface fc4/1
Switch2(config-if)# no shutdown
Switch2(config-if)# exit
Switch2(config)# exit
Switch2(config-zoneset)# show zoneset activate vsan 200
zoneset name SetB vsan 200
zone name zone2 vsan 200
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
zone name zone1 vsan 200
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
Switch2(config-zoneset)# show zoneset vsan 200
zoneset name SetB vsan 200
zone name zone2 vsan 200
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
zoneset name SetA vsan 200
zone name zone1 vsan 200
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
Execute the zone copy command for enhanced zone.
Switch 1
Switch1# zone copy active-zoneset full-zoneset vsan 200
WARNING: This command may overwrite common zones in the full zoneset. Do you want to
continue? (y/n) [n] y
Switch1(config-if)# show zoneset activate vsan 200
zoneset name SetB vsan 200
zone name zone1 vsan 200
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zone name zone2 vsan 200
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
Switch1(config-if)# show zoneset vsan 200
zoneset name SetB vsan 200
zone name zone1 vsan 200
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
zone name zone2 vsan 200
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
Switch 2
Switch2# zone copy active-zoneset full-zoneset vsan 200
WARNING: This command may overwrite common zones in the full zoneset. Do you want to
continue? (y/n) [n] y
Switch2(config-zoneset)# show zoneset activate vsan 200
zoneset name SetB vsan 200
zone name zone2 vsan 200
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
zone name zone1 vsan 200
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
Switch2(config-zoneset)# show zoneset vsan 200
zoneset name SetB vsan 200
zone name zone2 vsan 200
pwwn 22:22:22:22:22:22:22:2a
pwwn 22:22:22:22:22:22:22:2b
zone name zone1 vsan 200
pwwn 11:11:11:11:11:11:11:1a
pwwn 11:11:11:11:11:11:11:1b
To perform a zone merge analysis using DCNM SAN Client, follow these steps:
| Step 1 |
Choose Zone > Merge Analysis. You see the Zone Merge Analysis dialog box.  |
| Step 2 |
Select the first switch to be analyzed from the Check Switch 1 drop-down list. |
| Step 3 |
Select the second switch to be analyzed from the And Switch 2 drop-down list. |
| Step 4 |
Enter the VSAN ID where the zone set merge failure occurred in the For Active Zoneset Merge Problems in VSAN Id field. |
| Step 5 |
Click Analyze to analyze the zone merge. |
| Step 6 |
Click Clear to clear the analysis data in the Zone Merge Analysis dialog box. |
To configure merge control policies, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zone merge-control restrict vsan 4 Configures a restricted merge control setting for this VSAN. |
| Step 3 |
switch(config)# no zone merge-control restrict vsan 2 Defaults to using the allow merge control setting for this VSAN. |
| Step 4 |
switch(config)# zone commit vsan 4 Commits the changes made to VSAN 4. To configure merge control policies, refer to the Cisco MDS 9000 Series NX-OS Fabric Configuration Guide. |
By using the zone fc2 merge throttle enable command you can throttle the merge requests that are sent from zones to FC2 and prevent zones from flooding FC2 buffers. This command is enabled by default. This command can be used to prevent any zone merge scalability problem when you have a lot of zones. Use the show zone status command to view zone merge throttle information.
To permit or deny traffic in the default zone, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zone default-zone permit vsan 5 Permits traffic flow to default zone members. |
| Step 3 |
switch(config)# no zone default-zone permit vsan 3 Denies traffic flow to default zone members and reverts to factory default. |
| Step 4 |
switch(config)# zone commit vsan 5 Commits the changes made to VSAN 5. |
You can specify an enhanced zone to restrict broadcast frames generated by a member in this zone to members within that zone. Use this feature when the host or storage devices support broadcasting.
Note |
broadcast command is not supported from 5.x release onwards. |
Table 1 identifies the rules for the delivery of broadcast frames.
|
Active Zoning? |
Broadcast Enabled? |
Frames Broadcast? |
|---|---|---|
|
Yes |
Yes |
Yes |
|
No |
Yes |
Yes |
|
Yes |
No |
No |
|
Contains data. |
Empty. |
Successful. |
Tip |
If any NL port attached to an FL port shares a broadcast zone with the source of the broadcast frame, then the frames are broadcast to all devices in the loop. |
To broadcast frames in the enhanced zoning mode, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zone-attribute-group name BroadcastAttr vsan 2 Configures the zone attribute group for the required VSAN. |
| Step 3 |
switch(config)# no zone-attribute-group name BroadAttr vsan 1 Removes the zone attribute group for the required VSAN. |
| Step 4 |
switch(config-attribute-group)# broadcast Creates a broadcast attribute for this group and exits this submode. |
| Step 5 |
switch(config-attribute-group)# no broadcast Removes broadcast attribute for this group and exits this submode. |
| Step 6 |
switch(config)# zone name BroadcastAttr vsan 2 Configures a zone named BroadcastAttr in VSAN 2. |
| Step 7 |
switch(config-zone)# member pwwn 21:00:00:e0:8b:0b:66:56 Adds the specified members to this zone and exits this submode. |
| Step 8 |
switch(config)# zone commit vsan 1 Applies the changes to the enhanced zone configuration and exits this submode. |
| Step 9 |
switch# show zone vsan 1 Displays the broadcast configuration |
You can configure default settings for default zone policies, full zone distribution, and generic service permissions for new VSANs on the switch. To configure switch-wide default settings, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
||
| Step 2 |
switch(config)# system default zone default-zone permit Configures permit as the default zoning policy for new VSANs on the switch. |
||
| Step 3 |
switch(config)# system default zone distribute full Enables full zone database distribution as the default for new VSANs on the switch. |
||
| Step 4 |
switch(config)# system default zone gs { read | read-write} Configures read only or read-write (default) as the default generic service permission for new VSANs on the switch.
|
Zone generic service permission setting is used to control zoning operation through generic service (GS) interface. The zone generic service permission can be read-only, read-write or none (deny).
To configure generic service (GS) settings, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zone gs { read | read-write} vsan 3000 Configures gs permission value as read only or read-write in the specified VSAN. |
You can view any zone information by using the show command.
Displays the Active Zoneset Information for a Specified VSAN
switch(config)# show zoneset active vsan 1
zoneset name qoscfg vsan 1
zone name qos1 vsan 1
* fcid 0xe80200 [pwwn 50:08:01:60:01:5d:51:11]
* fcid 0xe60000 [pwwn 50:08:01:60:01:5d:51:10]
* fcid 0xe80100 [pwwn 50:08:01:60:01:5d:51:13]
zone name qos3 vsan 1
* fcid 0xe80200 [pwwn 50:08:01:60:01:5d:51:11]
* fcid 0xe60100 [pwwn 50:08:01:60:01:5d:51:12]
* fcid 0xe80100 [pwwn 50:08:01:60:01:5d:51:13]
zone name sb1 vsan 1
* fcid 0xe80000 [pwwn 20:0e:00:11:0d:10:dc:00]
* fcid 0xe80300 [pwwn 20:0d:00:11:0d:10:da:00]
* fcid 0xe60200 [pwwn 20:13:00:11:0d:15:75:00]
* fcid 0xe60300 [pwwn 20:0d:00:11:0d:10:db:00]
Displays the ZoneSet Information or a Specified VSAN
switch(config)# show zoneset vsan 1
zoneset name qoscfg vsan 1
zone name qos1 vsan 1
zone-attribute-group name qos1-attr-group vsan 1
pwwn 50:08:01:60:01:5d:51:11
pwwn 50:08:01:60:01:5d:51:10
pwwn 50:08:01:60:01:5d:51:13
zone name qos3 vsan 1
zone-attribute-group name qos3-attr-group vsan 1
pwwn 50:08:01:60:01:5d:51:11
pwwn 50:08:01:60:01:5d:51:12
pwwn 50:08:01:60:01:5d:51:13
zone name sb1 vsan 1
pwwn 20:0e:00:11:0d:10:dc:00
pwwn 20:0d:00:11:0d:10:da:00
pwwn 20:13:00:11:0d:15:75:00
pwwn 20:0d:00:11:0d:10:db:00
Displays the Zone Attribute Group Information for a Specified VSAN
switch# show zone-attribute-group vsan 2
zone-attribute-group name $default_zone_attr_group$ vsan 2
read-only
qos priority high
broadcast
zone-attribute-group name testattgp vsan 2
read-only
broadcast
qos priority high
Displays the fcalias Information for the Specified VSAN
switch# show fcalias vsan 2
fcalias name testfcalias vsan 2
pwwn 21:00:00:20:37:39:b0:f4
pwwn 21:00:00:20:37:6f:db:dd
pwwn 21:00:00:20:37:a6:be:2f
Displays the Zone Status for the Specified VSAN
switch(config)# show zone status vsan 1
VSAN: 1 default-zone: deny distribute: active only Interop: default
mode: basic merge-control: allow
session: none
hard-zoning: enabled broadcast: disabled
smart-zoning: disabled
rscn-format: fabric-address
activation overwrite control:disabled
Default zone:
qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
DB size: 4 bytes
Zonesets:0 Zones:0 Aliases: 0
Active Zoning Database :
Database Not Available
Current Total Zone DB Usage: 4 / 2097152 bytes (0 % used)
Pending (Session) DB size:
Full DB Copy size: n/a
Active DB Copy size: n/a
SFC size: 4 / 2097152 bytes (0 % used)
Status:
Displays the Pending ZoneSet Information for the VSAN to be Committed
switch# show zoneset pending vsan 2
No pending info found
Displays the Pending Zone Information for the VSAN to be Committed
switch# show zone pending vsan 2
No pending info found
Displays the Pending Zone Information for the VSAN to be Committed
switch# show zone-attribute-group pending vsan 2
No pending info found
Displays the Pending Active ZoneSet Information for the VSAN to be Committed
switch# show zoneset pending active vsan 2
No pending info found
Displays the Difference Between the Pending and Effective Zone Information for the Specified VSAN
switch# show zone pending-diff vsan 2
zone name testzone vsan 2
- member pwwn 21:00:00:20:37:4b:00:a2
+ member pwwn 21:00:00:20:37:60:43:0c
Exchange Switch Support (ESS) defines a mechanism for two switches to exchange various supported features.
Displays the ESS Information for All Switches in the Specified VSAN
switch# show zone ess vsan 2
ESS info on VSAN 2 :
Domain : 210, SWWN : 20:02:00:05:30:00:85:1f, Cap1 : 0xf3, Cap2 : 0x0
Displays the Pending fcalias Information for the VSAN to be Committed
switch# show fcalias pending vsan 2
No pending info found
In enhanced mode zoning, the switch in which a zoning session is started takes the fabric wide zoning configuration lock for the VSAN. This configuration lock prevents users on other switches in the fabric from making simultaneous, and possibly conflicting, configuration changes. However, by default, the same user is allowed to login multiple times on the switch where the configuration is locked and start multiple zoning configuration sessions. This also may result in conflicting or undesired zone configuration.
The single session option enforces a maximum of one zoning configuration session per VSAN at a time on the switch with the zone configuration fabric lock. This limit causes the switch to disallow any new zoning configuration sessions to be started in the same VSAN. This limit also applies to any configuration source such as another user, Cisco DCNM, or NX-API.
Note |
|
To configure zoning session limit in a VSAN, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# zone mode enhanced vsan id single-session Enables the single session option in the specified VSAN. |
| Step 3 |
switch(config)# no zone mode enhanced vsan id single-session Disables the single session option in the specified VSAN and leaves the VSAN in enhanced zoning mode. |
Prior to Cisco SAN-OS Release 6.2(7), only 8000 zones are supported per VSAN. If you add more than 8000 zones to a VSAN, a configuration check is registered to indicate that downgrading to a previous release could cause you to lose the zones over the limit. To avoid the configuration check, delete the excess zones and compact the zone database for the VSAN. If there are 8000 zones or fewer after deleting the excess zones, the compacting process assigns new internal zone IDs and the configuration can be supported by Cisco SAN-OS Release 6.2(5) or earlier. Perform this procedure for every VSAN on the switch with more than 8000 zones.
Note |
A merge failure occurs when a switch supports more than 8000 zones per VSAN but its neighbor does not. Also, zoneset activation can fail if the switch has more than 8000 zones per VSAN and not all switches in the fabric support more than 8000 zones per VSAN. |
To delete zones and compact the zone database for a VSAN, follow these steps:
| Step 1 |
switch# configure terminal Enters configuration mode. |
| Step 2 |
switch(config)# no zone name ExtraZone vsan 10 Deletes a zone to reduce the number of zones to 8000 or fewer. |
| Step 3 |
switch(config)# zone compact vsan 10 Compacts the zone database for VSAN 10 to recover the zone ID released when a zone was deleted. To compact the zone database for downgrading, refer to the Cisco MDS 9000 Series NX-OS Fabric Configuration Guide. |
To better manage the zones and zone sets on your switch, you can display zone and zoneset information using the show zone analysis command.
Full Zoning Analysis
switch# show zone analysis vsan 1
Zoning database analysis vsan 1
Full zoning database
Last updated at: 15:57:10 IST Feb 20 2006
Last updated by: Local [ CLI ]
Num zonesets: 1
Num zones: 1
Num aliases: 0
Num attribute groups: 0
Formattted size: 36 bytes / 2048 Kb
Unassigned Zones: 1
zone name z1 vsan 1
Note |
The maximum size of the full zone database per VSAN is 4096 KB. |
Active Zoning Database Analysis
switch(config-zone)# show zone analysis active vsan 1
Zoning database analysis vsan 1
Active zoneset: qoscfg
Activated at: 14:40:55 UTC Mar 21 2014
Activated by: Local [ CLI ]
Default zone policy: Deny
Number of devices zoned in vsan: 8/8 (Unzoned: 0)
Number of zone members resolved: 10/18 (Unresolved: 8)
Num zones: 4
Number of IVR zones: 0
Number of IPS zones: 0
Formatted size: 328 bytes / 4096 Kb
Note |
The maximum size of the zone database per VSAN is 4096 KB. |
ZoneSet Analysis
switch(config-zone)# show zone analysis zoneset qoscfg vsan 1
Zoning database analysis vsan 1
Zoneset analysis: qoscfg
Num zonesets: 1
Num zones: 4
Num aliases: 0
Num attribute groups: 1
Formatted size: 480 bytes / 4096 Kb
Displays the Zone Status
switch(config-zone)# show zone status
VSAN: 1 default-zone: deny distribute: active only Interop: default
mode: basic merge-control: allow
session: none
hard-zoning: enabled broadcast: disabled
smart-zoning: disabled
rscn-format: fabric-address
activation overwrite control:disabled
Default zone:
qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
DB size: 4 bytes
Zonesets:0 Zones:0 Aliases: 0
Active Zoning Database :
Database Not Available
Current Total Zone DB Usage: 4 / 2097152 bytes (0 % used)
Pending (Session) DB size:
Full DB Copy size: n/a
Active DB Copy size: n/a
SFC size: 4 / 2097152 bytes (0 % used)
Status:
VSAN: 8 default-zone: deny distribute: full Interop: default
mode: basic merge-control: allow
session: none
hard-zoning: enabled broadcast: disabled
smart-zoning: disabled
rscn-format: fabric-address
Default zone:
qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
DB size: 1946498 bytes
Zonesets:6 Zones:8024 Aliases: 0
Active Zoning Database :
DB size: 150499 bytes
Name: zoneset-1000 Zonesets:1 Zones:731
Current Total Zone DB Usage: 2096997 / 2097152 bytes (99 % used)
Pending (Session) DB size:
Full DB Copy size: n/a
Active DB Copy size: n/a
SFC size: 2096997 / 2097152 bytes (99 % used)
Status: Zoneset distribution failed [Error: Fabric changing Dom 33]:
at 17:05:06 UTC Jun 16 2014
VSAN: 9 default-zone: deny distribute: full Interop: default
mode: enhanced merge-control: allow
session: none
hard-zoning: enabled broadcast: enabled
smart-zoning: disabled
rscn-format: fabric-address
Default zone:
qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
DB size: 2002584 bytes
Zonesets:4 Zones:7004 Aliases: 0 Attribute-groups: 1
Active Zoning Database :
DB size: 94340 bytes
Name: zoneset-hac13-200 Zonesets:1 Zones:176
Current Total Zone DB Usage: 2096924 / 2097152 bytes (99 % used)
Pending (Session) DB size:
Full DB Copy size: 0 bytes
Active DB Copy size: 0 bytes
SFC size: 0 / 2097152 bytes (0 % used)
Status: Activation completed at 17:28:04 UTC Jun 16 2014
VSAN: 12 default-zone: deny distribute: full Interop: default
mode: enhanced merge-control: allow
session: none
hard-zoning: enabled broadcast: enabled
smart-zoning: disabled
rscn-format: fabric-address
Default zone:
qos: none broadcast: disabled ronly: disabled
Full Zoning Database :
DB size: 84 bytes
Zonesets:0 Zones:1 Aliases: 0 Attribute-groups: 1
Active Zoning Database :
DB size: 144 bytes
Name: zs1 Zonesets:1 Zones:2
Current Total Zone DB Usage: 228 / 2097152 bytes (0 % used)
Pending (Session) DB size:
Full DB Copy size: 0 bytes
Active DB Copy size: 0 bytes
SFC size: 0 / 2097152 bytes (0 % used)
Status: Commit completed at 14:39:33 UTC Jun 27 201
Displaying the System Defalult Zone
switch(config)# show system default zone
system default zone default-zone deny
system default zone distribute active only
system default zone mode basic
system default zone gs read-write
system default zone smart-zone disabled
See the Cisco MDS 9000 Series Command Reference for the description of the information displayed in the command output.
A Cisco Multilayer Director Switch (MDS) uses a special kind of memory called Ternary Content Addressable Memory (TCAM) on its Fibre Channel (FC) linecards. This special memory provides an Access Control List (ACL) type of function for Cisco MDS. The process that controls this functionality is called the ACLTCAM. The E/TE ports (Inter Switch Links - ISLs) and F (Fabric) ports have their own programming, which is unique to their respective port types.
TCAM is divided into several regions of various sizes. The main regions and the type of programming contained in each region are described in Table 1:
|
Region |
Programming Type |
|---|---|
|
Region 1 - TOP SYS |
Fabric-Login, Port-Login, Diagnostics features (10%-20%) |
|
Region 2 - SECURITY |
Security, Interop-Mode-4 features, IVR ELS capture (5%-10%) |
|
Region 3 - Zoning |
Zoning features, including IVR and SAN Analytics (50%-75%) |
|
Region 4 - Bottom2 |
PLOGI,ACC, and FCSP trap, ISL, ECHO-permit (10%-20%) |
TCAM regions are automatically configured and cannot be changed. TCAM is allocated on a per-module and per-forwarding engine (fwd-eng) basis.
TCAM space on MDS 9148S and MDS 9250i fabric switches is significantly less than that on the director-class Fibre Channel modules and newer fabric switches such as MDS 9396S, MDS 9132T, and the switches that will be launched in the future.
When a port comes online, some amount of basic programming is needed on that port. This programming differs according to the port type. This basic programming is minimal and does not consume many TCAM entries. Typically, programming is performed on inputs such that frames entering the switch are subject to this programming and frames egressing the switch are not.
ACL TCAM Alerting
Starting from Cisco MDS NX-OS Release 8.3(1), ACL TCAM usage alerting syslog messages were introduced on all Cisco MDS switches except on Cisco MDS 9148S and MDS 9250i switches. From Cisco MDS NX-OS Release 8.3(2), ACL TCAM usage alerting syslog messages were introduced on Cisco MDS 9148S and MDS 9250i switches.
When the TCAM usage crosses 80% in the module, direction, region, and forwarding engine listed, the following system message is generated. This system message does not indicate that TCAM was exhausted or any TCAM programming failed.
%ACLTCAM-SLOT1-4-REGION_RISING_THRESHOLD: ACL (region) (input | output) region usage (num of in use entries of total entries) exceeded 80% on forwarding engine (num)
When TCAM usage falls below the 80% threshold in the module, region, direction, and forwarding engine indicated, the following system message is generated. This system message does not indicate that TCAM was exhausted or any TCAM programming failed.
%ACLTCAM-SLOT1-4-REGION_FALLING_THRESHOLD: ACL (region) (input | output) region usage (num of in use entries of total entries) fell below 80% on forwarding engine (num)
When the overall TCAM usage indicated in the forwarding engine crosses 60% in the module, direction, and forwarding engine indicated, the following system message is generated:
%ACLTCAM-SLOT1-4-TOTAL_RISING_THRESHOLD: ACL total (input | output) usage (num of in use entries of total entries) exceeded 60% on forwarding engine (num)
When the overall TCAM usage indicated in the forwarding engine falls below 60% in the module, direction, and forwarding engine indicated, the following system message is generated:
%ACLTCAM-SLOT1-4-TOTAL_FALLING_THRESHOLD: ACL total (input | output) usage (num of in use entries of total entries) fell below 60% on forwarding engine (num)
Use the show system internal acl tcam-usage command to display the ACLTCAM usage except for Cisco MDS 9148S and MDS 9250i switches. For Cisco MDS 9148S and MDS 9250i switches, use the show system internal acltcam-soc tcam-usage command.
If you see the TCAM usage alerting syslog messages, the zoning, port-channel port allocation, and analytics configurations may need to be investigated. If TCAM usage reaches 100%, it is likely that some devices will not be able to communicate with other devices that they are zoned with. Follow the recommendations listed in this section to reduce the TCAM usage.
The Cisco MDS platform uses two types of zoning - 'Hard' and 'Soft' zoning.
Soft zoning - In this mode only control plane traffic is policed by the switch supervisor services. In particular, the Fibre Channel Name Server (FCNS) will limit the list of permitted devices in an FCNS reply to only those that are in the zone configuration. However, the end device data plane traffic is unpoliced. This means a rogue end device may connect to other devices it is not zoned with.
Hard zoning - In this mode both control plane and data plane traffic are policed. Control plane traffic is policed by the switch supervisor and data plane traffic is policed on each ingress port with hardware assistance. The policing rules are set by the zoneset which programmed into each linecard. The destination of each frame is checked by hardware and, if it is not permitted by zoning, it is dropped. In this mode any device can only communicate with end devices it is authorized to.
By default, both types of zoning are enabled, with hard zoning used in priority over soft zoning. In the event that the system is unable to use hard zoning due to hardware resource exhaustion it will be disabled and the system will fall back to use soft zoning
The following example shows how Cisco MDS programs TCAM on a port:
The following example shows a zone in the active zone set for a VSAN. This is the basic programming that exists on an interface because of Hard zoning.
zone1
member host (FCID 0x010001)
member target1 (FCID 0x010002)In such a scenario, the following is the ACL programming:
fc1/1 - Host interface
Entry# Source ID Mask Destination ID Mask Action
1 010001 ffffff 010002(target1) ffffff Permit
2 000000 000000 000000 000000 Drop
fc1/2 - Target1 interface
Entry# Source ID Mask Destination ID Mask Action
1 010002 ffffff 010001(Host) ffffff Permit
2 000000 000000 000000 000000 DropNote |
In addition to what is provided here, additional programming exists. Moreover, any TCAM table is ended by a drop-all entry. |
The mask indicates which parts of the FCIDs are matched with the input frame. So, when there is a mask 0xffffff, the entire FCID is considered when matching it to the ACL entry. If the mask is 0x000000, none of it is considered because, by default, it will match all the FCIDs.
In the above programming example, note that when a frame is received on fc1/1, and if it has a source ID(FCID) of 0x010001(the host) and a destination ID(FCID) of 0x010002(Target1), it will be permitted and routed to the destination. If it is any other end-to-end communication, it will be dropped.
The following example shows another scenario where zoning is changed:
zone1
member host (FCID 010001)
member target1 (FCID 010002)
member target2 (FCID 010003)
member target3 (FCID 010004)In such a scenario, the following is the ACL programming:
fc1/1 Host interface
Entry# Source ID Mask Destination ID Mask Action
1 010001 ffffff 010002(target1) ffffff Permit
2 010001 ffffff 010003(target2) ffffff Permit
3 010001 ffffff 010004(target3) ffffff Permit
4 000000 000000 000000 000000 Drop
fc1/2 - Target1 interface
Entry# Source ID Mask Destination ID Mask Action
1 010002 ffffff 010001(host) ffffff Permit
2 010002 ffffff 010003(target2) ffffff Permit
3 010002 ffffff 010004(target3) ffffff Permit
4 000000 000000 000000 000000 Drop
fc1/3 - Target2 interface
Entry# Source ID Mask Destination ID Mask Action
1 010003 ffffff 010001(host) ffffff Permit
2 010003 ffffff 010002(target1) ffffff Permit
3 010003 ffffff 010004(target3) ffffff Permit
4 000000 000000 000000 000000 Drop
fc1/4 - Target3 interface
Entry# Source ID Mask Destination ID Mask Action
1 010004 ffffff 010001(host) ffffff Permit
2 010004 ffffff 010002(target1) ffffff Permit
3 010004 ffffff 010003(target2) ffffff Permit
4 000000 000000 000000 000000 Drop
The above example demonstrates that the number of TCAM entries consumed by a zone (N) is equal to N*(N-1). So, a zone with four members would have used a total of 12 TCAM entries (4*3 = 12). Note the drop-all entry does not count against the N*(N-1) rule.
The above example shows two entries in each of the target interfaces (fc1/2-fc1/4) that are probably not needed since it is usually not advantageous to zone multiple targets together. For example, in fc1/2, there is an entry that permits Target1 to communicate with Target2, and an entry that permits Target1 to communicate with Target3.
As these entries are not needed and could even be detrimental, they should be avoided. You can avoid the addition of such entries by using single-initiator or single-target zones (or use Smart Zoning).
Note |
If the same two devices are present in more than one zone in a zone set, TCAM programming will not be repeated. |
The following example shows a zone that is changed to three separate zones:
zone1
member host (FCID 010001)
member target1 (FCID 010002)
zone2
member host (FCID 010001)
member target2 (FCID 010003)
zone3
member host (FCID 010001)
member target3 (FCID 010004)
In such a scenario, the following is the ACL programming:
fc1/1 - Host interface - This would look the same
Entry# Source ID Mask Destination ID Mask Action
1 010001 ffffff 010002(target1) ffffff Permit
2 010001 ffffff 010003(target2) ffffff Permit
3 010001 ffffff 010004(target3) ffffff Permit
4 000000 000000 000000 000000 Drop
fc1/2 - Target1 interface
Entry# Source ID Mask Destination ID Mask Action
1 010002 ffffff 010001(host) ffffff Permit
2 000000 000000 000000 000000 Drop
fc1/3 - Target2 interface
Entry# Source ID Mask Destination ID Mask Action
1 010003 ffffff 010001(host) ffffff Permit
2 000000 000000 000000 000000 Drop
fc1/4 - Target3 interface
Entry# Source ID Mask Destination ID Mask Action
1 010004 ffffff 010001(host) ffffff Permit
2 000000 000000 000000 000000 Drop
Note that in the above example, the target-to-target entries are not found, and that six of the 12 entries are no longer programmed. This results in lesser use of TCAM and better security (only the host can communicate with the three targets, and the targets themselves can communicate only with one host, and not with each other).
A Cisco Multilayer Director Switch (MDS) uses a special kind of memory called Ternary Content Addressable Memory (TCAM) on its Fibre Channel modules. This special memory provides an Access Control List (ACL) type of function for Cisco MDS. The process that controls this functionality is called ACLTCAM. The E or TE ports (ISLs) and F (Fabric) ports have their own programming that is unique to their respective port types.
TCAM is allocated to individual forwarding engines and forwarding engines are assigned a group of ports. Director-class Fibre Channel modules have more TCAM space than fabric switches. The number of forwarding engines, the ports assigned to each forwarding engine, and the amount of TCAM allocated to each forwarding engine is hardware dependent.
The following example shows an output from Cisco MDS 9148S:
switch# show system internal acltcam–soc tcam–usage
TCAM Entries:
=============
Region1 Region2 Region3 Region4 Region5 Region6
Mod Fwd Dir TOP SYS SECURITY ZONING BOTTOM FCC DIS FCC ENA
Eng Use/Total Use/Total Use/Total Use/Total Use/Total Use/Total
––– ––– –––––– –––––––––– ––––––––– –––––––––––– ––––––––– ––––––––– –––––––––
1 1 INPUT 19/407 1/407 1/2852 * 4/407 0/0 0/0
1 1 OUTPUT 0/25 0/25 0/140 0/25 0/12 1/25
1 2 INPUT 19/407 1/407 0/2852 * 4/407 0/0 0/0
1 2 OUTPUT 0/25 0/25 0/140 0/25 0/12 1/25
1 3 INPUT 19/407 1/407 0/2852 * 4/407 0/0 0/0
1 3 OUTPUT 0/25 0/25 0/140 0/25 0/12 1/25
–––––––––––––––––––––––––––––––––––––––––––––––––––
* 1024 entries are reserved for LUN Zoning purpose.
The above example indicates the following:
There are three forwarding engines, 1 through 3.
Since there are 48 ports on Cisco MDS 9148 switches, each forwarding engine handles 16 ports.
Each forwarding engine has 2852 entries in region 3 (the zoning region) for input. This is the main region used, and consequently, has the largest amount of available entries.
Forwarding engine 3 has only one entry that is currently in use out of the total 2852 in the zoning region.
The following example shows the output from Cisco MDS 9710 switch with a 2/4/8/10/16 Gbps Advanced Fibre Channel Module (DS–X9448–768K9):
F241–15–09–9710–2# show system internal acl tcam–usage
TCAM Entries:
=============
Region1 Region2 Region3 Region4 Region5 Region6
Mod Fwd Dir TOP SYS SECURITY ZONING BOTTOM FCC DIS FCC ENA
Eng Use/Total Use/Total Use/Total Use/Total Use/Total Use/Total
––– ––– –––––– –––––––––– ––––––––– –––––––––––– ––––––––– ––––––––– –––––––––
1 0 INPUT 55/19664 0/9840 0/49136* 17/19664 0/0 0/0
1 0 OUTPUT 13/4075 0/1643 0/11467 0/4075 6/1649 21/1664
1 1 INPUT 52/19664 0/9840 2/49136* 14/19664 0/0 0/0
1 1 OUTPUT 7/4078 0/1646 0/11470 0/4078 6/1652 5/1651
1 2 INPUT 34/19664 0/9840 0/49136* 10/19664 0/0 0/0
1 2 OUTPUT 5/4078 0/1646 0/11470 0/4078 6/1652 1/1647
1 3 INPUT 34/19664 0/9840 0/49136* 10/19664 0/0 0/0
1 3 OUTPUT 5/4078 0/1646 0/11470 0/4078 6/1652 1/1647
1 4 INPUT 34/19664 0/9840 0/49136* 10/19664 0/0 0/0
1 4 OUTPUT 5/4078 0/1646 0/11470 0/4078 6/1652 1/1647
1 5 INPUT 34/19664 0/9840 0/49136* 10/19664 0/0 0/0
1 5 OUTPUT 5/4078 0/1646 0/11470 0/4078 6/1652 1/1647
...
The above example indicates the following:
There are six forwarding engines, 0 through 5.
Since there are 48 ports on a Cisco MDS DS–X9448–768K9 module, each forwarding engine handles eight ports.
Each forwarding engine has 49136 entries in region 3 (the zoning region) for input. This is the main region that is used, and consequently, has the largest amount of available entries.
Forwarding engine 2 has only two entries that are currently in use out of the total 49136 in the zoning region.
Note |
The commands that are used to view TCAM usage on fabric switches are different from the ones used for director–class switches. For MDS 9148, MDS 9148S, and MDS 9250i fabric switches, use the show system internal acltcam-soc tcam-usage command. For director class switches, MDS 9396S, and 32 Gbps fabric switches, use the show system internal acl tcam-usage command. |
The following table provides information about ports to forwarding engines mapping:
|
Switch or Module |
Forwarding Engines |
Port Ranges |
Forwarding Engine Number |
Zoning Region Entries |
Bottom Region Entries |
|---|---|---|---|---|---|
|
MDS 9132T |
2 |
1–16 |
0 |
49136 |
19664 |
|
17–32 |
1 |
49136 |
19664 |
||
|
MDS 9148 |
3 |
fc1/25–36 and fc1/45–48 |
1 |
2852 |
407 |
|
fc1/5–12 and fc1/37–44 |
2 |
2852 |
407 |
||
|
fc1–4 and fc1/13–24 |
3 |
2852 |
407 |
||
|
MDS 9148S |
3 |
fc1/1–16 |
1 |
2852 |
407 |
|
fc1/17–32 |
2 |
2852 |
407 |
||
|
fc1/33–48 |
3 |
2852 |
407 |
||
|
MDS 9148T |
3 |
1–16 |
0 |
49136 |
19664 |
|
17–32 |
1 |
49136 |
19664 |
||
|
33–48 |
2 |
49136 |
19664 |
||
|
MDS 9250i |
4 |
fc1/5–12 and eth1/1–8 |
1 |
2852 |
407 |
|
fc1/1–4, fc1/13–20, and fc1/37–40 |
2 |
2852 |
407 |
||
|
fc1/21–36 |
3 |
2852 |
407 |
||
|
ips1/1–2 |
4 |
2852 |
407 |
||
|
MDS 9396S |
12 |
fc1/1–8 |
0 |
49136 |
19664 |
|
fc1/9–16 |
1 |
49136 |
19664 |
||
|
fc1/17–24 |
2 |
49136 |
19664 |
||
|
fc1/25–32 |
3 |
49136 |
19664 |
||
|
fc1/33–40 |
4 |
49136 |
19664 |
||
|
fc1/41–48 |
5 |
49136 |
19664 |
||
|
fc1/49–56 |
6 |
49136 |
19664 |
||
|
fc1/57–64 |
7 |
49136 |
19664 |
||
|
fc1/65–72 |
8 |
49136 |
19664 |
||
|
fc1/73–80 |
9 |
49136 |
19664 |
||
|
fc1/81–88 |
10 |
49136 |
19664 |
||
|
fc1/89–96 |
11 |
49136 |
19664 |
||
|
MDS 9396T |
6 |
1–16 |
0 |
49136 |
19664 |
|
17–32 |
1 |
49136 |
19664 |
||
|
33–48 |
2 |
49136 |
19664 |
||
|
49–64 |
3 |
49136 |
19664 |
||
|
65-80 |
4 |
49136 |
19664 |
||
|
81-96 |
5 |
49136 |
19664 |
||
|
DS–X9248–48K9 |
1 |
1–48 |
0 |
27168 |
2680 |
|
DS–X9248–96K9 |
2 |
1–24 |
0 |
27168 |
2680 |
|
25–48 |
1 |
27168 |
2680 |
||
|
DS–X9224–96K9 |
2 |
1–12 |
0 |
27168 |
2680 |
|
13–24 |
1 |
27168 |
2680 |
||
|
DS–X9232–256K9 |
4 |
1–8 |
0 |
49136 |
19664 |
|
9–16 |
1 |
49136 |
19664 |
||
|
17–24 |
2 |
49136 |
19664 |
||
|
25–32 |
3 |
49136 |
19664 |
||
|
DS–X9248–256K9 |
4 |
1–12 |
0 |
49136 |
19664 |
|
13–24 |
1 |
49136 |
19664 |
||
|
25–36 |
2 |
49136 |
19664 |
||
|
37–48 |
3 |
49136 |
19664 |
||
|
DS–X9448–768K9 |
6 |
1–8 |
0 |
49136 |
19664 |
|
9–16 |
1 |
49136 |
19664 |
||
|
17–24 |
2 |
49136 |
19664 |
||
|
25–32 |
3 |
49136 |
19664 |
||
|
33–40 |
4 |
49136 |
19664 |
||
|
41–48 |
5 |
49136 |
19664 |
||
|
DS–X9334–K9 |
3 |
1–8 |
0 |
49136 |
19664 |
|
9–16 |
1 |
49136 |
19664 |
||
|
17–24 |
2 |
49136 |
19664 |
||
|
DS–X9648–1536K9 |
3 |
1–16 |
0 |
49136 |
19664 |
|
17–32 |
1 |
49136 |
19664 |
||
|
33–48 |
2 |
49136 |
19664 |
Note |
We do not recommend using interface, fWWN, or domain-ID based zoning for devices that are connected to the edge Cisco N-Port Virtualization (NPV) switches. |
F port channels provide fault tolerance and performance benefits on connections to N-Port Virtualization (NPV) switches, including Cisco UCS Fabric Interconnects (FIs). F port channels present unique challenges to ACL TCAM programming. When F ports are aggregated into a port channel, ACL TCAM programming is repeated on each member interface. Consequently, these types of port channels multiply the amount of TCAM entries needed. Because of this, it is imperative that the member interfaces are allocated as optimally as possible, and that zoning best practices are also followed. If you also consider the fact that these F port channels can contain 100+ host logins, TCAM can easily be exceeded, especially for fabric switches if best practices are not followed.
The following is a sample topology:
This example assumes that the port channel (PC) contains 8 interfaces, fc1/1-fc1/8.
In addition, the following two zones are active:
zone1
member host (host 0x010001)
member target1 (target1 0x010002)
zone2
member host (host 0x010001)
member target2 (target2 0x010003)
In such a scenario, the following ACL programming will be present on each member of the PC:
fc1/1(through fc1/8) (port-channel)
Entry# Source ID Mask Destination ID Mask Action
1 010001 ffffff 010002(target1) ffffff Permit
2 010001 ffffff 010003(target2) ffffff Permit
3 000000 000000 000000 000000 Drop
The above example shows the ACL TCAM programming that will be duplicated on each member of the F port-channel. Consequently, if a lot of programming is required because of a large number of FLOGIs on the F port channel, or a large number of devices are zoned with the devices on the F port channel, TCAM can be exhausted on a forwarding engine. The following are the best practices for efficient use of TCAM with respect to F ports and F port-channels:
Distribute port-channel member interfaces into different forwarding engines, especially on fabric switches.
If TCAM usage is still too high in the case of port-channel with a large number of interfaces, then split the port-channel into two separate port-channels each with half the interfaces. This will still provide redundancy but will reduces the number of FLOGIs per individual port-channel and thus reduce TCAM usage.
Distribute member interfaces into different linecards on director-class switches.
Distribute member interfaces into forwarding engines with lower TCAM zoning region usage.
Use single-initiator zones, single-target zones, or Smart Zoning.
E port channels provide Inter Switch Links (ISLs) between fabric switches. Typically, there is minimal TCAM programming on these types of interfaces. Therefore, besides placing them into different linecards, and perhaps port groups on director-class switches, there is a little more to be done. However, when the Inter VSAN Routing (IVR) feature is being deployed, extensive TCAM programming can exist on ISLs because the IVR topology transitions from one VSAN to another. Consequently, most of the considerations that apply on F/TF port channels will be applicable here too.
The following is an example of a topology:
In this topology:
Both Cisco MDS 9148S-1 and MDS 9148S-2 are in the IVR VSAN topology:
MDS9148S-1 vsan 1 and vsan 2
MDS9148S-2 vsan 2 and vsan 3IVR NAT is configured.
VSAN 2 is the transit VSAN.
FCIDs per VSAN:
VSAN 1 VSAN 2 VSAN 3
Host 010001 210001 550002
Target1 440002 360002 030001Note |
Domains 0x44 in VSAN 1, 0x21 and 0x36 in VSAN 2, and 0x55 in VSAN 3 are virtual domains created by IVR NAT. |
The following is the IVR zoning topology:
ivr zone zone1
member host vsan 1
member target1 vsan3The following is the ACL TCAM programming for the IVR zoning topology:
MDS9148S-1 fc1/1(Host) - VSAN 1
Entry# Source ID Mask Destination ID Mask Action
1 010001(host) ffffff 440002(target1) ffffff Permit
- Forward to fc1/2
- Rewrite the following information:
VSAN to 2
Source ID to 210001
Destination ID to 360002
2 000000 000000 000000 000000 Drop
MDS9148S-1 fc1/2(ISL) - VSAN 2
Entry# Source ID Mask Destination ID Mask Action
1 360002(Target1) ffffff 210001(host) ffffff Permit
- Forward to fc1/2
- Rewrite the following information:
VSAN to 1
Source ID to 440002
Destination ID to 010001
MDS9148S-2 fc1/2(ISL) - VSAN 2
Entry# Source ID Mask Destination ID Mask Action
1 210001(host) ffffff 360002(target1) ffffff Permit
- Forward to fc1/2
- Rewrite the following information:
VSAN to 3
Source ID to 550002
Destination ID to 030001
MDS9148S-2 fc1/1(Target1) - VSAN 3
Entry# Source ID Mask Destination ID Mask Action
1 030001(Target1) ffffff 550002(host) ffffff Permit
- Forward to fc1/2
- Rewrite the following information:
VSAN to 2
Source ID to 360002
Destination ID to 210001
2 000000 000000 000000 000000 DropNote |
Besides the entries in this example, there are other entries that IVR adds to capture important frames such as PLOGIs, PRILIs, and ABTS. |
The programming on the host and target1 ports is similar to the way it is without IVR, except that the FCIDs and VSANs are explicitly forwarded to an egress port and are rewritten to values that are appropriate for the transit VSAN (VSAN 2). These forwarding and rewrite entries are separate and are not included in the TCAM-usage values.
However, now, on the ISLs in both the switches, programming that did not exist earlier is present. When frames from Host to Target1 are received by Cisco MDS 9148S-2 fc1/2, they are rewritten to the values in VSAN 3 where the target resides. In the reverse direction, when frames from Target1 to the Host are received by Cisco MDS 9148S-1 fc1/2, they are rewritten to the values in VSAN 1 where the Host resides. Thus, for each VSAN transition on an ISL (that typically occurs across a transit VSAN) there will be TCAM programming for each device in the IVR zone set.
Consequently, most of the best practices followed for the F and TF port channels should be followed to ensure that TCAM is utilized as efficiently as possible for the following purposes:
Note |
Unlike F and TF port-channels, the ACLTCAM programming on ISLs will be the same quantity regardless if the ISLs are part of a port-channel or not. If there are "n" ISLs between two MDS switches, then it doesn't matter if they are in one port-channel, two port-channels or just individual links. The ACLTCAM programming will be the same. |
Distribute port-channel member interfaces into different forwarding engines, especially on fabric switches.
Distribute member interfaces into different linecards on director-class switches.
Distribute member interfaces into forwarding engines with lower TCAM zoning region usage.
Use single-initiator zones, single-target zones, or Smart Zoning.
This options provides a shared database for the Zone Server and the Fibre Channel Name Sever (FCNS) to interact with one another. Sharing a database reduces the dependency of the FCNS on the zone server to manage soft zoning.
Note |
By default, the Zone Server- FCNS Shared Database option is enabled. |
To enable the Zone Server-FCNS shared database, perform the following steps:
| Step 1 |
Enter the configuration mode: switch # configure terminal |
| Step 2 |
Enable database sharing for an active zone set in VSAN 1: switch(config)# zoneset capability active mode shared-db vsan 1 |
This example shows how to enable database sharing for the active zoneset in VSAN 1 only:
switch(config)# zoneset capability active mode shared-db vsan 1
SDB Activation success
To disable an active zone set in VSAN 1, perform the following step:
| Step 1 |
Enter global configuration mode: switch# configure terminal |
| Step 2 |
Disable an active zone set in VSAN 1: switch(config)# no zoneset capability active mode shared-db vsan 1 |
This example shows how to disable database sharing for the active zone set in VSAN 1:
switch(config)# no zoneset capability active mode shared-db vsan 1
SDB Deactivation success
This option enables zone server-scaling enhancements for Simple Network Management Protocol (SNMP) operations, such that the zone server is not utilized for every zone query issued by the SNMP.
Note |
By default, the Zone Server-SNMP Optimization option is enabled.. |
To enable zone server-scaling enhancements for SNMP operations, perform the following procedure:
| Step 1 |
Enter the configuration mode: switch # configure terminal |
| Step 2 |
Enable zone server-SNMP optimization: switch(config)# zone capability shared-db app snmp |
| Step 3 |
Display the status of the configuration: switch(config)# show running | i shared-db |
This example shows how to enable zone server-SNMP optimization:
switch(config)# zone capability shared-db app snmp
To disable zone server-SNMP optimizations, perform the following procedure:
| Step 1 |
Di the configuration mode: switch # configure terminal |
| Step 2 |
Disable the zone server-SNMP optimizations: switch(config)# no zone capability shared-db app snmp |
This example shows how to disable zone server-SNMP optimization:
switch(config)# no zone capability shared-db app snmp
This feature helps distribute the difference in the zone changes between the existing zone database and the updated zone database across all the switches in a fabric. This distribution of delta changes helps avoid large payload distribution across switches whenever a zone database in modified.
Note |
|
To enable the distribution of data changes in a zone server, perform the following procedure:
| Step 1 |
Enter the configuration mode: switch # configure terminal |
| Step 2 |
Enable the distribution of data changes in a zone in enhanced mode: switch(config)# zone capability mode enhanced distribution diffs-only |
| Step 3 |
Display the status of delta distribution (changes in data) in a fabric: switch(config)# show running | include diffs-only |
This example shows how to enable distribution of changes in data in a Zone Server:
switch(config)# zone capability mode enhanced distribution diffs-only
To disable the distribution of data changes in a zone server, perform the following procedure:
| Step 1 |
Enter the configuration mode: switch # configure terminal |
| Step 2 |
Disable the distribution of data changes in a zone: switch(config)# no zone capability mode enhanced distribution diffs-only |
This example shows how to disable distribution of changes in data in a Zone Server:
switch(config)# no zone capability mode enhanced distribution diffs-only
Table lists the default settings for basic zone parameters.
|
Parameter |
Default |
|---|---|
|
Default zone policy |
Denied to all members. |
|
Full zone set distribute |
The full zone set is not distributed. |
|
Zone-based traffic priority |
Low. |
|
Broadcast frames |
Unsupported. |
|
Enhanced zoning |
Disabled. |
|
Smart zoning |
Disabled. |
Feedback