
Cisco MDS zoning

By Ravikiran Paladugu



Zones and zone sets are the basic form of data path security within a Fibre Channel
environment. A zone set is a collection of zones, each of which has its own
members. Only members of the same zone can communicate with each other. A device
can be a member of multiple zones, and devices that are not in any zone are in the
default zone. The policy for the default zone can either permit its members to see
each other or deny them from seeing each other.
Zoning is a method of arranging Fibre Channel devices into logical groups on top of
the physical configuration of the fabric.
Hard Zoning vs Soft Zoning:
Hard zoning is zoning that is implemented in hardware. Soft zoning is zoning that is
implemented in software.
Hard zoning physically blocks access to a zone from any device outside of the zone.
Soft zoning uses filtering implemented in the Fibre Channel switches to prevent ports
from being seen from outside of their assigned zones. The security vulnerability in
soft zoning is that the ports are still accessible if a user in another zone correctly
guesses the Fibre Channel address.
Soft zoning utilizes World Wide Names to assign security permissions.
Port Zoning:
Port zoning utilizes physical ports to define security zones. A user's access to data is
determined by the physical port he or she is connected to.
With port zoning, zone information must be updated every time a user changes
switch ports. In addition, port zoning does not allow zones to overlap.
Port zoning is normally implemented using hard zoning, but could also be
implemented using soft zoning.
WWN Zoning:
WWN zoning uses name servers in the switches to either allow or block access to
particular World Wide Names (WWNs) in the fabric.
A major advantage of WWN zoning is the ability to recable the fabric without having
to redo the zone information.
WWN zoning is susceptible to unauthorized access, as the zone can be bypassed if an
attacker is able to spoof the World Wide Name of an authorized HBA.
World Wide Name (WWN):
A World Wide Name, or WWN, is a 64-bit address used in Fibre Channel networks to
uniquely identify each element in a Fibre Channel network.
The use of World Wide Names for security purposes is inherently insecure, because
the World Wide Name of a device is a user-configurable parameter.
For example, to change the World Wide Name (WWN) of an Emulex HBA, the user
simply needs to run the 'elxcfg' command.
VSAN overview:
A VSAN is a logical fabric. Each VSAN has all the required fabric services,
independent of the other VSANs, configured on the same switch or set of switches.
A VSAN provides:
- SAN island consolidation on a high-port-density physical switch
- Traffic isolation
- Increased security
VSANs can be numbered from 1 to 4094. VSAN 1 and VSAN 4094 are predefined and
have very specific roles. VSAN 1 is the default VSAN, which holds all the ports by
default, and VSAN 4094 is the isolated VSAN into which orphaned ports are
assigned.
The following shows a basic zoning example on a Cisco MDS switch:
Assumptions:
----------
To zone 'host' and 'vmax_3ab' (existing member):
vsan: 10
Zoneset name: zoneset1
Prerequisites:
-------------
Connect the host to the switch; if it is not connected, choose an available 'F' port on the switch and turn it on:
show interface brief
Select an interface that is in VSAN 1 with admin mode F and turn it on, say fc1/1 for
example:
configure terminal
interface fc1/1
no shutdown
exit
Check whether the FLOGI is successful and get the port name (pWWN) from it:
show flogi database
Sample output:
switch> show flogi database

INTERFACE  VSAN  FCID      PORT NAME                NODE NAME
fc1/1      10    0x2800af  10:00:00:00:d9:81:4f:ba  20:00:00:00:d9:81:4f:ba

Step 1: Add the interface to the target VSAN
vsan database
vsan 10 interface fc1/1
exit
Step 2: Create an fcalias
fcalias name host vsan 10
member pwwn 10:00:00:00:d9:81:4f:ba
exit
Step 3: Create the zone
Assuming we are zoning to an existing member, say 'vmax_3ab' for example:
zone name zn_host_vmax_3ab vsan 10
member fcalias host
member fcalias vmax_3ab
exit
Step 4: Add the zone to the zoneset
zoneset name zoneset1 vsan 10
member zn_host_vmax_3ab
exit
Step 5: Activate the zoneset
zoneset activate name zoneset1 vsan 10
Step 6: Commit
zone commit vsan 10
end
Step 7: Copy the running config to the start-up config
copy run start
Step 8: Verification
show zone name zn_host_vmax_3ab
Done.
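As an added example (not part of the original document), the Python below models the zoning rules described above (shared zone, default-zone policy) and audits `show flogi database` output against an inventory of which pWWN is cabled to which port, which is the practical check for the WWN spoofing weakness noted under WWN zoning. The fc1/1 row is the host from the page; the storage pWWN, the fc1/2 and fc1/3 rows and the inventory are constructed.

```python
import re
# Constructed `show flogi database` output: the fc1/1 row mirrors the host on
# the page, the other rows are made up for this example.
FLOGI_SAMPLE = """\
INTERFACE  VSAN  FCID      PORT NAME                NODE NAME
fc1/1      10    0x2800af  10:00:00:00:d9:81:4f:ba  20:00:00:00:d9:81:4f:ba
fc1/2      10    0x2800b0  50:06:01:60:3b:e0:12:34  50:06:01:60:bb:e0:12:34
fc1/3      10    0x2800b1  10:00:00:00:d9:81:4f:bb  20:00:00:00:d9:81:4f:bb
"""
WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")  # 64-bit WWN as 8 octets

# Assumed inventory of which pWWN is cabled to which switch port.
EXPECTED_PORT_PWWN = {
    "fc1/1": "10:00:00:00:d9:81:4f:ba",  # host (from the page)
    "fc1/2": "50:06:01:60:3b:e0:12:34",  # vmax_3ab storage port (constructed)
    "fc1/3": "10:00:00:00:d9:81:4f:bc",  # second host (constructed)
}
# Active zone set with fcalias members resolved to pWWNs.
ZONES = {
    "zn_host_vmax_3ab": {"10:00:00:00:d9:81:4f:ba", "50:06:01:60:3b:e0:12:34"},
}

def parse_flogi(text):
    """Return (interface, vsan, fcid, pwwn) rows; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 5:
            iface, vsan, fcid, pwwn, _nwwn = parts
            rows.append((iface, int(vsan), fcid.lower(), pwwn.lower()))
    return rows

def can_communicate(zones, a, b, default_zone_permit=False):
    """Allowed if a and b share a zone, or both are unzoned and the default zone permits."""
    zones_a = {n for n, m in zones.items() if a in m}
    zones_b = {n for n, m in zones.items() if b in m}
    if zones_a & zones_b:
        return True
    return default_zone_permit and not zones_a and not zones_b

def audit_flogi(rows, expected):
    """Flag malformed pWWNs and ports whose pWWN differs from the inventory (recabled or spoofed HBA)."""
    findings = []
    for iface, _vsan, _fcid, pwwn in rows:
        if not WWN_RE.match(pwwn):
            findings.append(f"{iface}: malformed pWWN {pwwn}")
        elif iface in expected and expected[iface] != pwwn:
            findings.append(f"{iface}: expected {expected[iface]}, saw {pwwn}")
    return findings
```

Running `audit_flogi(parse_flogi(FLOGI_SAMPLE), EXPECTED_PORT_PWWN)` reports only fc1/3, where the logged-in pWWN is not the one the inventory expects on that port.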
