In storage networking, Fibre Channel zoning is the partitioning of a Fibre Channel fabric into smaller subsets to restrict interference, add security, and simplify management. While a SAN makes several devices and/or ports available to a single device, each system connected to the SAN should only be allowed access to a controlled subset of those devices/ports. Zoning applies only to the switched fabric topology (FC-SW); it does not exist in the simpler Fibre Channel topologies.
Zoning is different from VSANs in that a port can be a member of multiple zones, but of only one VSAN. A VSAN (similar to a VLAN) is in fact a separate network (a separate sub-fabric) with its own fabric services, including its own separate zoning.
There are two main methods of zoning, hard and soft, which combine with two sets of attributes, name and port. More recently the differences between the two have blurred, since all modern SAN switches enforce soft zoning in hardware.
Soft and hard zoning
The fabric name service allows each device to query the addresses of all other devices. Soft zoning restricts only the fabric name service, so that it shows only an allowed subset of devices. Therefore, when a server looks at the contents of the fabric, it sees only the devices it is allowed to see. However, any server can still attempt to contact any device on the network by address. In this way, soft zoning is similar to the computing concept of security through obscurity.
In contrast, hard zoning restricts actual communication across the fabric. This requires an efficient hardware implementation (frame filtering) in the fabric switches, but is much more secure. That said, modern switches enforce zones in hardware (hard zoning) even when the zones are configured as soft.
Port and WWN zoning
Zoning can be applied to either the switch port a device is connected to or the World Wide Name (WWN) of the host being connected. Because port-based zoning restricts traffic flow based on the specific switch port a device is connected to, if the device is moved it will lose access. Furthermore, if a different device is connected to the port in question, it will gain access to any resources the previous host had access to. WWN zoning (also called name zoning) restricts access by a device's WWN. As the WWN belongs to the host, the host can be moved to a different port and its access is still preserved. Connecting a new device to a port previously used by a WWN-zoned device will not convey any access to the previous device's resources.
In order to bring the created zones together for ease of deployment and management, a zoneset (also called a zoning config) is employed. A zoneset is merely a logical container for the individual zones that are designed to be in effect at the same time. A zoneset can contain WWN zones, port zones, or a combination of both (hybrid zones). The zoneset must be activated within the fabric (i.e. distributed to all the switches and then simultaneously enforced). Switches may contain more than one zoneset, but only one zoneset can be active in the entire fabric.
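The following is an added example, not part of the article, that models the two distinctions above in a toy fabric: soft zoning (only the name service is filtered, so a directly addressed frame still gets through) versus hard zoning (the switch drops frames between unzoned devices), and port zoning (access stays with the switch port) versus WWN zoning (access follows the device). All WWNs, port numbers and zone names are constructed for the example.

```python
# Added example (not from the article): toy fabric contrasting soft vs hard
# zoning and port vs WWN zoning. WWNs and port numbers are constructed.
HOST_A = "10:00:00:00:c9:aa:aa:01"  # host A HBA (constructed WWN)
HOST_B = "10:00:00:00:c9:bb:bb:02"  # host B HBA
ARRAY = "50:06:01:60:c0:ff:ee:03"   # storage array port


class Fabric:
    def __init__(self, ports, zoneset):
        self.ports = dict(ports)  # switch port -> WWN logged in on that port
        self.zoneset = zoneset    # active zoneset: name -> {("wwn", w) | ("port", p)}

    def _in_zone(self, member, port):
        kind, value = member
        return value == (port if kind == "port" else self.ports.get(port))

    def allowed(self, src, dst):
        """True if some zone in the active zoneset contains both devices."""
        return any(any(self._in_zone(m, src) for m in z) and
                   any(self._in_zone(m, dst) for m in z)
                   for z in self.zoneset.values())

    def name_service(self, src):
        """Soft zoning: the name service lists only devices zoned with the querier."""
        return sorted(w for p, w in self.ports.items() if p != src and self.allowed(src, p))

    def send_frame(self, src, dst, hard):
        """Hard zoning drops unzoned frames in the switch; soft zoning alone does not."""
        if dst not in self.ports:
            return "no device"
        if hard and not self.allowed(src, dst):
            return "dropped"
        return "delivered"


def demo():
    zoneset = {"zone_a": {("wwn", HOST_A), ("wwn", ARRAY)},  # WWN (name) zone
               "zone_b": {("port", 2), ("port", 3)}}        # port zone
    fab = Fabric({1: HOST_A, 2: HOST_B, 3: ARRAY}, zoneset)
    r = {"a_sees": fab.name_service(1),                    # only the array
         "soft_a_to_b": fab.send_frame(1, 2, hard=False),  # delivered: not zoned, but reachable
         "hard_a_to_b": fab.send_frame(1, 2, hard=True)}   # dropped
    # Move host A to port 4: a WWN zone follows the device.
    fab.ports = {4: HOST_A, 2: HOST_B, 3: ARRAY}
    r["a_moved"] = fab.send_frame(4, 3, hard=True)
    # Move host B to port 5 and plug an unknown device into port 2:
    # a port zone stays with the port, so the newcomer inherits B's access.
    fab.ports = {4: HOST_A, 5: HOST_B, 2: "20:00:00:00:00:00:00:ff", 3: ARRAY}
    r["b_moved"] = fab.send_frame(5, 3, hard=True)
    r["newcomer_on_port_2"] = fab.send_frame(2, 3, hard=True)
    return r
```

Running `demo()` shows host A reaching host B under soft zoning despite not being zoned with it, and the unknown device on port 2 inheriting host B's port-zone access, which is why name (WWN) zones enforced in hardware are the usual recommendation.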