Cisco MDS zoning
Zones and zone sets are the basic form of data-path access control within a Fibre Channel fabric. A zone set is a collection of zones, each of which has its own members. Only members of the same zone can communicate with each other. A device can be a member of multiple zones, and devices that belong to no zone of the active zone set fall into the default zone. The default-zone policy either permits all devices in the default zone to see each other or denies them any access. On the MDS the policy is deny unless it has been changed, and it should stay that way: a permit policy turns every unzoned device into a member of one large implicit zone.
Zoning is a method of arranging Fibre Channel devices into logical groups on top of the physical configuration of the fabric.
Hard Zoning vs Soft Zoning:
Hard zoning is enforced in the switch hardware: each port carries an access list derived from the active zone set and drops frames whose source and destination do not share a zone. A device outside a zone therefore cannot reach a member even if it knows the member's address.
Soft zoning is enforced only by the fabric name server: when a device queries the name server it is told about the members of its own zones and nothing else, but the switch still forwards any frame it is handed. The security weakness of soft zoning is that the ports remain reachable if a device in another zone guesses or learns the Fibre Channel address (FCID) of a member and sends frames to it directly.
Soft zoning is historically associated with World Wide Name membership, but the member type (port or WWN) and the enforcement mechanism (hardware or name server) are independent. Cisco MDS switches enforce zones in hardware for both port and WWN members, and `show zone status` for a VSAN reports whether hard zoning is in effect.
Port Zoning:
Port zoning defines zone members by the physical switch port a device is attached to (on the MDS, an interface such as fc1/1). A user's access to data is determined by the port he or she is connected to, so moving a cable to another port silently changes what that device can reach, and the zone information must be updated every time a device changes switch ports. Some switches do not allow port zones to overlap; on the MDS an interface can be a member of several zones, as noted above for any member type. Port zoning is normally implemented using hard zoning, but it could also be implemented using soft zoning.
WWN Zoning:
WWN zoning identifies members by the World Wide Name of the HBA port (the pWWN) that the device presents at fabric login, rather than by the port it is plugged into, and the switches allow or block access to the fabric on that basis.
A major advantage of WWN zoning is the ability to recable the fabric without having to redo the zone information.
WWN zoning is susceptible to unauthorized access, because the zone can be bypassed by an attacker who is able to spoof the World Wide Name of an authorized HBA. The MDS port-security feature, which binds a pWWN to the interface through which it is allowed to log in, and DH-CHAP device authentication both mitigate this: with port security active, a spoofed pWWN arriving on the wrong interface is rejected at fabric login.
World Wide Name (WWN):
A World Wide Name, or WWN, is a 64-bit address used in Fibre Channel networks to uniquely identify each element in the fabric. Each HBA has a node WWN (nWWN) for the adapter and a port WWN (pWWN) for each of its ports; the pWWN is what zoning and LUN masking normally key on.
Using World Wide Names for security purposes is inherently weak, because the World Wide Name a device presents is a user-configurable parameter on most HBAs: it is only a number the HBA firmware puts into its login frames. For example, to change the World Wide Name of an Emulex HBA, the user simply needs to run the `elxcfg` configuration utility.
VSAN overview:
A VSAN is a logical fabric. Each VSAN has all the required fabric services (name server, zone server, login services and so on), independent of the other VSANs, configured on the same switch or set of switches.
A VSAN provides:
• SAN island consolidation on a high-port-density physical switch
• Traffic isolation
• Increased security
VSANs are numbered from 1 to 4094. VSAN 1 and VSAN 4094 are predefined and have specific roles: VSAN 1 is the default VSAN, which holds all ports until they are assigned elsewhere, and VSAN 4094 is the isolated VSAN into which orphaned ports (ports whose VSAN has been deleted) are placed so that they cannot pass traffic. User-defined VSANs take IDs 2 to 4093. Because every port starts in VSAN 1, a newly connected device is in that fabric until it is moved; step 1 of the procedure below moves it into the target VSAN.
The following shows the basic zoning example on Cisco MDS FC switch:
Assumptions:
==========
To zone 'host' and 'vmax_3ab' (an existing member)
vsan: 10
Zoneset name: zoneset1
Prerequisites:
=============
Connect the host to the switch; if it is not connected yet, choose an available F port on the switch and bring it up.
show interface brief
Select an interface that is in VSAN 1 with admin mode F and bring it up, say fc1/1 for example:
configure terminal
interface fc1/1
no shutdown
exit
Check that the FLOGI (fabric login) succeeded and take the port name (pWWN) from its entry. The pWWN is the stable identifier to zone on; the FCID is reassigned when the interface moves to VSAN 10 in step 1, so the sample below is shown as it looks after that move (while the interface is still in VSAN 1 the VSAN column reads 1 and the FCID differs).
show flogi database
Sample output
switch# show flogi database
INTERFACE  VSAN  FCID      PORT NAME                NODE NAME
fc1/1      10    0x2800af  10:00:00:00:d9:81:4f:ba  20:00:00:00:d9:81:4f:ba
Step: 1 Add interface to the target VSAN
vsan database
vsan 10 interface fc1/1
exit
Step: 2 Create fcalias
fcalias name host vsan 10
member pwwn 10:00:00:00:d9:81:4f:ba
exit
Step: 3 Create Zone
Assuming we are zoning to an existing member, say 'vmax_3ab' for example:
zone name zn_host_vmzx_3ab vsan 10
member fcalias host
member fcalias vmax_3ab
exit
Step: 4 Add zone to zoneset
zoneset name zoneset1 vsan 10
member zn_host_vmzx_3ab
exit
Step: 5 Activate zoneset
zoneset activate name zoneset1 vsan 10
Step: 6 Commit (enhanced zoning mode only)
zone commit vsan 10
end
In basic zoning mode the activation in step 5 is distributed to the fabric immediately and there is nothing to commit; the zone commit command applies only when the VSAN runs in enhanced zoning mode, where all zone changes are staged in a session until committed. Check the mode with show zone status vsan 10 before deciding whether step 6 is needed.
Step: 7 Copy running config to start-up config
copy run start
Step: 8 Verification
show zone name zn_host_vmzx_3ab vsan 10
This shows the zone's configured members. To confirm that the zone is actually in force, also check the active zone set for VSAN 10 (show zoneset active vsan 10): members that are currently logged in are marked with an asterisk, which confirms both the zoning and the host's FLOGI in one view.
Done!
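The procedure above, as an added example that is not part of the original post: a Python script that parses `show flogi database` output, decodes each WWN's NAA format and OUI, refuses to zone a pWWN that is logged in on more than one interface (the symptom a spoofed or cloned HBA produces, which the WWN section warns about), and emits the fcalias/zone/zoneset commands from steps 2 to 7, adding `zone commit` only when the VSAN is in enhanced mode. The FLOGI table inside the script is constructed sample data; the fc1/2 and fc1/3 entries and their pWWN are assumptions, and the alias, zone, zone set and VSAN names are the ones used in the procedure.

```python
"""Added example (not from the original post): parse `show flogi database`
output from a Cisco MDS, sanity-check the WWNs, and emit the zoning CLI from
the procedure above. FLOGI_SAMPLE is constructed data, not a real capture."""
import re
from collections import defaultdict

# fc1/1 and fc1/7 reuse the WWNs shown on the page; fc1/2 and fc1/3 present
# the same (assumed) pWWN, which is what a cloned or spoofed HBA looks like.
FLOGI_SAMPLE = """\
switch# show flogi database
INTERFACE  VSAN  FCID      PORT NAME                NODE NAME
fc1/1      10    0x2800af  10:00:00:00:d9:81:4f:ba  20:00:00:00:d9:81:4f:ba
fc1/2      10    0x2800b0  10:00:00:00:c9:12:34:56  20:00:00:00:c9:12:34:56
fc1/3      10    0x2800b1  10:00:00:00:c9:12:34:56  20:00:00:00:c9:12:34:56
fc1/7      10    0x280100  50:00:09:73:00:1a:b5:1c  50:00:09:73:00:1a:b5:00
Total number of flogi = 4.
"""
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")
FLOGI_RE = re.compile(r"^(?P<iface>fc\d+/\d+)\s+(?P<vsan>\d+)\s+"
                      r"(?P<fcid>0x[0-9a-fA-F]{6})\s+(?P<pwwn>\S+)\s+(?P<nwwn>\S+)$")

def parse_flogi(text):
    """One dict per logged-in N_Port; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLOGI_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["vsan"] = int(e["vsan"])
        e["pwwn"], e["nwwn"] = e["pwwn"].lower(), e["nwwn"].lower()
        if not (WWN_RE.match(e["pwwn"]) and WWN_RE.match(e["nwwn"])):
            raise ValueError("malformed WWN on %s" % e["iface"])
        entries.append(e)
    return entries

def decode_wwn(wwn):
    """(NAA, OUI) of a 64-bit WWN. NAA 1/2 carry a 48-bit IEEE address in the
    low six bytes (OUI = bytes 2..4); NAA 5 puts the 24-bit OUI right after
    the NAA nibble. The OUI only says who assigned the number; it proves
    nothing about who is presenting it, which is the point of the WWN section."""
    octets = bytes.fromhex(wwn.replace(":", ""))
    naa = octets[0] >> 4
    if naa in (1, 2):
        oui = octets[2:5]
    elif naa == 5:
        oui = ((int.from_bytes(octets, "big") >> 36) & 0xFFFFFF).to_bytes(3, "big")
    else:
        return naa, None
    return naa, ":".join("%02x" % b for b in oui)

def find_duplicate_pwwns(entries):
    """pWWNs must be unique in a fabric: one pWWN logged in on two interfaces
    means a cloned or spoofed HBA (or a stale login)."""
    seen = defaultdict(list)
    for e in entries:
        seen[e["pwwn"]].append(e["iface"])
    return {w: ifaces for w, ifaces in seen.items() if len(ifaces) > 1}

def zoning_commands(vsan, host_alias, host_pwwn, target_alias, zone, zoneset,
                    enhanced=False):
    """Steps 2 to 7 of the procedure. 'zone commit' exists only in enhanced
    zoning mode; in basic mode the activation is the last zoning step."""
    cmds = ["configure terminal",
            "fcalias name %s vsan %d" % (host_alias, vsan),
            "  member pwwn %s" % host_pwwn,
            "zone name %s vsan %d" % (zone, vsan),
            "  member fcalias %s" % host_alias,
            "  member fcalias %s" % target_alias,
            "zoneset name %s vsan %d" % (zoneset, vsan),
            "  member %s" % zone,
            "zoneset activate name %s vsan %d" % (zoneset, vsan)]
    if enhanced:
        cmds.append("zone commit vsan %d" % vsan)
    return cmds + ["end", "copy running-config startup-config"]

def build_host_zone(flogi_text, iface, vsan, host_alias, target_alias, zone,
                    zoneset, enhanced=False):
    """Find the host by interface in the FLOGI table, refuse to zone a pWWN
    that is not unique, and return the CLI for it."""
    entries = parse_flogi(flogi_text)
    dups = find_duplicate_pwwns(entries)
    host = [e for e in entries if e["iface"] == iface and e["vsan"] == vsan]
    if not host:
        raise LookupError("no FLOGI on %s in VSAN %d" % (iface, vsan))
    pwwn = host[0]["pwwn"]
    if pwwn in dups:
        raise ValueError("pWWN %s is logged in on %s; not zoning it"
                         % (pwwn, ", ".join(dups[pwwn])))
    return zoning_commands(vsan, host_alias, pwwn, target_alias, zone, zoneset,
                           enhanced)

if __name__ == "__main__":
    print("\n".join(build_host_zone(FLOGI_SAMPLE, "fc1/1", 10, "host",
                                    "vmax_3ab", "zn_host_vmzx_3ab", "zoneset1")))
```

Run with python3 to print the commands for fc1/1; calling build_host_zone for fc1/2 raises because its pWWN also appears on fc1/3, and decode_wwn on the vmax_3ab entry returns NAA 5 with the OUI 00:00:97 that sits behind the NAA nibble. A generator like this only checks what the switch already shows at login; binding pWWNs to interfaces with the MDS port-security feature is what actually stops a spoofed login from succeeding.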