Splitting a fabric, Using zoning to administer security – HP Brocade 4Gb SAN Switch for HP BladeSystem p-Class User Manual

Fabric OS 5.0.0 procedures user guide 139

NOTE:

If the zoneset members on two switches are not listed in the same order, the configuration is considered a mismatch, which causes the switches to be segmented from the fabric. For example: cfg1 = z1; z2 is different from cfg1 = z2; z1, even though members of the configuration are the same. If zoneset members on two switches have the same names defined in the configuration, make sure zoneset members are listed in the same order.
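
The ordering rule in the note above, as an added example (not from the HP manual): a Python check that compares configurations written in the note's `cfg1 = z1; z2` notation and reports those whose members match but whose order differs. The parser, the function names and the two sample listings are constructed for illustration and do not represent actual switch command output.

```python
# Added example: order-sensitive comparison of zone configurations.
# Input uses the manual's "cfg1 = z1; z2" notation, not real switch output.

def parse_cfgs(text):
    """Parse 'name = m1; m2' lines into {name: [members in listed order]}."""
    cfgs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition("=")
        if not sep:
            raise ValueError(f"not a 'name = members' line: {raw!r}")
        cfgs[name.strip()] = [m.strip() for m in members.split(";") if m.strip()]
    return cfgs


def compare_cfgs(a, b):
    """Return {cfg name: verdict} for configurations defined on both switches."""
    report = {}
    for name in sorted(a.keys() & b.keys()):
        if a[name] == b[name]:
            report[name] = "match"            # same members, same order
        elif sorted(a[name]) == sorted(b[name]):
            report[name] = "order-mismatch"   # the case the note describes
        else:
            report[name] = "member-mismatch"  # membership itself differs
    return report


# Constructed sample listings for two switches (hypothetical names).
SWITCH_A = """
cfg1 = z1; z2
cfg2 = z3; z4
cfg3 = z5
"""
SWITCH_B = """
cfg1 = z2; z1
cfg2 = z3; z4
cfg3 = z5; z6
"""

if __name__ == "__main__":
    result = compare_cfgs(parse_cfgs(SWITCH_A), parse_cfgs(SWITCH_B))
    for name, verdict in result.items():
        print(f"{name}: {verdict}")
```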

Splitting a fabric

If the connections between two fabrics are no longer available, the fabric will segment into two separate fabrics. Each new fabric retains the same zone configuration.

If the connections between two fabrics are replaced and no changes have been made to the zone configuration in either of the two fabrics, then the two fabrics merge back into one single fabric. If any changes that cause a conflict have been made to either zone configuration, then the fabrics might segment.

Using zoning to administer security

Zones provide controlled access to fabric segments and establish barriers between operating environments. They isolate systems with different uses, protecting individual systems in a heterogeneous environment; for example, when zoning is in secure mode, no merge operations occur.

HP Advanced Zoning is configured on the primary Fabric Configuration Server (FCS). The primary FCS switch makes zoning changes and other security-related changes. The primary FCS switch also distributes zoning to all other switches in the secure fabric. All existing interfaces can be used to administer zoning (depending on the policies; refer to the HP StorageWorks Secure Fabric OS user guide for information about security policies).

You must perform zone management operations from the primary FCS switch using a zone management interface, such as telnet or Advanced Web Tools. You can alter a zoning database, provided you are connected to the primary FCS switch.

When two secure fabrics join, the traditional zoning merge does not occur. Instead, a zoning database is downloaded from the primary FCS switch of the merged secure fabric. When E_Ports are active between two switches, the name of the FCS server and a zoning policy set version identifier are exchanged between the switches. If the views of the two secure fabrics are the same, the fabric’s primary FCS server downloads the zoning database and security policy sets to each switch in the fabric. If there is a view conflict, the E_Ports are segmented due to incompatible security data.

As part of zoning architecture, you must determine which of the two basic zoning architectures (hard or soft) works best for your fabric. With time and planning, the basic hard zone configuration works for most sites. If a site has additional security needs, use the additional layer of Secure Fabric OS, apart from the standard zoning architecture.

NOTE:

Secure Fabric OS requires the activation of an HP security license and an Advanced Zoning license.
