Zoning, part 2: Hard zoning vs. soft zoning
Zoning is a fundamental management technique that controls who can see what in a storage area network (SAN). The following is part 2 of a three-part series on zoning.
There are a number of terms people use and abuse to identify different zoning approaches and to advertise advanced functionality. The first thing I must highlight is that, using the definitions I will use here, hard zoning is not the same as port zoning, and soft zoning is not the same as WWN zoning.
When configuring a zone, many SAN switches will allow you to list the members of a zone using the port ID, or 24-bit address. To be precise, the syntax is usually x,y where x is the domain ID of a switch and y is the port number on that switch. This method is simple and easy to understand: it maps directly onto seeing that the cable from server 1 is plugged into port 3 of switch 5. Of course, if you change the topology of the SAN and recable part of it, you have to reconfigure all your zones.
The other zone configuration approach is to list the members of a zone using their WWNs (either port WWN or node WWN). This has an advantage: if you change the domain ID of a switch, the topology of the SAN or where a device is plugged in, the zone is still good. If you have to replace an HBA you will have to change the zones, as the WWN is usually burnt into the HBA, but this is a fairly simple change anyway.
What is hard zoning and soft zoning?
In essence, soft zoning is like being ex-directory. No one will tell me your telephone number, but if I guess it or misdial, your phone will ring anyway. The security of soft zoning is simply that you are not told things you do not need to know (though in fact any device is allowed to use an unzoned name server query if it wants to be nosey).
By comparison, hard zoning is like having a full call bar set up on your phone, so that even if I guess your phone number, your phone does not ring and I can't get through. Instead of relying on all citizens being good citizens, it actually provides real, solid security.
So why the confusion? Some switches could not do hard zoning at all. Some could sort of do it, though not to the granularity of individual ports and with lots of restrictions. Others could only do hard zoning if all the zones used the port-ID syntax, hence the assumption that port-ID zoning is the same as hard zoning. Yet some switches can now do hard zoning of zones that use either port-ID or WWN syntax.
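As an added illustration (not from the original article and not McDATA's or any vendor's code), the following Python model of a small fabric constructs three devices and one zone expressed both in port-ID (x,y) and WWN form, then shows the two points made above: a soft-zoned fabric only filters the zoned name server reply, so a frame to a guessed or misdialled address is still delivered, whereas a hard-zoned fabric drops it; and recabling a server breaks a port-ID zone but leaves the equivalent WWN zone intact. The WWNs, domain IDs, port numbers, zone name and member syntax are constructed assumptions for the example.

```python
# Toy model of a Fibre Channel fabric (constructed for this article, not
# any vendor's code).  Zone members may be given either as "domain,port"
# (port-ID zoning) or as a port WWN (WWN zoning); enforcement may be soft
# (only the name server reply is filtered) or hard (frames are filtered too).
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Device:
    wwn: str      # port WWN burnt into the HBA or storage port (constructed values)
    domain: int   # domain ID of the switch the device is cabled to
    port: int     # port number on that switch

    @property
    def port_id(self) -> str:
        # The "x,y" notation the article describes: x = domain ID, y = port number.
        return f"{self.domain},{self.port}"


class Fabric:
    def __init__(self, devices: Iterable[Device], zones: Dict[str, Set[str]], hard: bool):
        self.devices: Dict[str, Device] = {d.wwn: d for d in devices}
        self.zones = zones    # zone name -> members ("x,y" strings or WWN strings)
        self.hard = hard      # True = hard zoning, False = soft zoning

    @staticmethod
    def _in_zone(dev: Device, members: Set[str]) -> bool:
        # A member string matches a device either by its WWN or by its port ID.
        return dev.wwn in members or dev.port_id in members

    def share_zone(self, a: Device, b: Device) -> bool:
        return any(self._in_zone(a, m) and self._in_zone(b, m) for m in self.zones.values())

    def zoned_name_server_query(self, requester_wwn: str) -> List[str]:
        """Zoned query: only devices sharing a zone with the requester are
        returned.  This filtering is the whole of soft zoning's 'security'."""
        req = self.devices[requester_wwn]
        return sorted(d.wwn for d in self.devices.values()
                      if d is not req and self.share_zone(req, d))

    def unzoned_name_server_query(self) -> List[str]:
        """Unzoned query: every device is listed, whatever the zoning says."""
        return sorted(self.devices)

    def deliver_frame(self, src_wwn: str, dst_wwn: str) -> bool:
        """Would a frame from src reach dst?  Under soft zoning a frame to a
        guessed or misdialled address is still delivered; under hard zoning
        the switch drops frames between devices that share no zone."""
        src, dst = self.devices[src_wwn], self.devices[dst_wwn]
        return (not self.hard) or self.share_zone(src, dst)


def recable(dev: Device, domain: int, port: int) -> Device:
    """Move a device to another switch port; its WWN travels with it."""
    return Device(dev.wwn, domain, port)


# Constructed devices: two servers and one storage array port.
SERVER1 = Device("10:00:00:00:c9:11:11:01", domain=5, port=3)
SERVER2 = Device("10:00:00:00:c9:22:22:02", domain=5, port=4)
ARRAY_A = Device("50:06:0e:80:aa:aa:00:01", domain=6, port=1)
DEVICES = [SERVER1, SERVER2, ARRAY_A]

# The same zone (server1 with array A) expressed both ways.
PORT_ID_ZONES = {"z_server1_arrayA": {SERVER1.port_id, ARRAY_A.port_id}}  # {"5,3", "6,1"}
WWN_ZONES = {"z_server1_arrayA": {SERVER1.wwn, ARRAY_A.wwn}}


def soft_vs_hard() -> dict:
    """Server2 shares no zone with array A.  Compare what each enforcement
    style lets it learn and do."""
    soft = Fabric(DEVICES, WWN_ZONES, hard=False)
    hard = Fabric(DEVICES, WWN_ZONES, hard=True)
    return {
        # Soft zoning: server2 is not *told* about array A ...
        "soft_zoned_query_server2": soft.zoned_name_server_query(SERVER2.wwn),
        # ... unless it is nosey and uses the unzoned name server query ...
        "soft_unzoned_query": soft.unzoned_name_server_query(),
        # ... and a frame to a guessed address still gets through (the phone rings anyway).
        "soft_frame_server2_to_arrayA": soft.deliver_frame(SERVER2.wwn, ARRAY_A.wwn),
        # Hard zoning: that frame is dropped, while zoned traffic is unaffected.
        "hard_frame_server2_to_arrayA": hard.deliver_frame(SERVER2.wwn, ARRAY_A.wwn),
        "hard_frame_server1_to_arrayA": hard.deliver_frame(SERVER1.wwn, ARRAY_A.wwn),
    }


def recabling_effect() -> dict:
    """Move server1 from port 5,3 to port 5,7 and see which zone definition survives."""
    moved = recable(SERVER1, domain=5, port=7)
    devices = [moved, SERVER2, ARRAY_A]
    by_port = Fabric(devices, PORT_ID_ZONES, hard=True)
    by_wwn = Fabric(devices, WWN_ZONES, hard=True)
    return {
        "port_id_zone_still_valid": by_port.share_zone(moved, ARRAY_A),  # must re-zone
        "wwn_zone_still_valid": by_wwn.share_zone(moved, ARRAY_A),       # zone is still good
    }


if __name__ == "__main__":
    for key, value in {**soft_vs_hard(), **recabling_effect()}.items():
        print(f"{key}: {value}")
```

The model deliberately keeps the two decisions separate: `zoned_name_server_query` is the only thing soft zoning changes, while `deliver_frame` is where hard zoning adds its frame filter. Real switches enforce hard zoning in ASIC filtering tables, but the observable behaviour is what the two functions return.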
What is the difference between zones and VSANs?
Here is my view on how a VSAN (virtual SAN) may be different from a zone. As many of you know, the general recommendation (hot code activation or not) is to always run two separate fabrics with each device connected to both fabrics. There are a number of reasons for this, one of which is that services like the name server are running as a single distributed service within a fabric. Therefore, there is a small possibility -- and I mean small -- that a badly behaved device could disrupt the name service to the extent that all devices on the fabric, not just those in the same zone, are impacted.
As I understand the reasoning, the idea of a VSAN is to have a higher-level construct with a totally separate name server database, rather than one common to all zones. It may even run as a totally separate service within the switch, so the possibility of cross-contamination is lower and problems are more localized.
Of course, problems remain. If a device is connected to two separate VSANs and misbehaves, it can potentially bring down both VSANs. Or a standards-based management system might use the Fibre Channel unzoned name server query to identify all the devices on the fabric, but how does this command map onto VSANs, which are not today a Fibre Channel standard?
About the author: Simon Gordon is a senior solution architect for McDATA based in the UK. Simon has been working as a European expert in storage networking technology for more than 5 years. He specializes in distance solutions and business continuity. Simon has been working in the IT industry for more than 20 years in a variety of technologies and business sectors including software development, systems integration, Unix and open systems, Microsoft infrastructure design as well as storage networking. He is also a contributor to and presenter for the SNIA IP-Storage Forum in Europe.