
Zoning
######

- Controls which initiators can talk to which targets

- Zoning is required, not optional

- Default zone policy is to deny everything in Data Plane

- Default zone policy can be changed per VSAN or for the entire system, but this is not
recommended

> zone default-zone permit vsan 1

> system default zone

# Soft Zoning
=============

- Initiator registers with FCNS to get zoning

- Zoning enforced in the control plane but not data plane

- An initiator could still manually mount the wrong target if the target FCID is known beforehand

# Hard Zoning
=============

- Initiator registers with FCNS to get zoning

- Zoning enforced in the control plane & data plane

- An initiator cannot manually mount the wrong target even if the target FCID is known beforehand

Hard Zoning is default in NX-OS and SAN-OS

# Zone Vs Zoneset
=================

- A zone creates an access mapping based on WWPNs, FCIDs, aliases, interfaces,
domain IDs, etc.

- Zones are then grouped together in a Zoneset

> Zoneset is overall ACL and Zone is an Access Control Entry

- Zones are applied to VSAN and then activated

# A zoneset that is only configured and not activated is the (full) zone set; once it is
activated it is called the active zone set. This is how the zone set and the active zone
set can differ

# Any change made to zoning does not take effect until the zoneset is re-activated

- Only one zoneset per VSAN can be "Active" in the fabric at a time

- By default only the active zone set is advertised into the fabric, not the full zone set,
which can cause isolation between switches because they hold different copies of the
zone sets.

- sh zone status vsan 1

- sh zone

- sh zone active

- sh zoneset

- sh zoneset active

- clear zone database vsan 1

- zoneset distribute full vsan 1 (global config mode)

- zoneset distribute vsan 1 (exec mode)

# Zone Config
==============

zone name ABC vsan 30 < Create Zone
attribute read-only < Only supported on MDS
member pwwn <wwpn-of-initiator> < placeholder, substitute the real pWWN
member pwwn <wwpn-of-target>
exit

zoneset name XYZ vsan 30 < Create Zoneset
member ABC
exit

zoneset activate name XYZ vsan 30 < Activate Zoneset
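The following Python model is an added illustration of the zoning rules in the notes above; it is not Cisco software or CLI output. It encodes the default-zone deny, the difference between the full zone set and the active zone set (edits do nothing until `zoneset activate` is run again), the single active zoneset per VSAN, and the difference between soft zoning (only the FCNS reply is filtered) and hard zoning (the data plane also drops the frame). The class and function names, WWPNs and FCIDs are all constructed for the example.

```python
"""Toy model of Fibre Channel zoning on one VSAN (added illustration, not
Cisco software). All WWPNs, FCIDs and names are constructed values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Zone:
    name: str
    members: Set[str]            # WWPNs, i.e. the 'member pwwn' entries


@dataclass
class Zoneset:
    name: str
    zones: List[Zone]


@dataclass
class Vsan:
    vsan_id: int
    hard_zoning: bool = True                  # NX-OS / SAN-OS default
    default_zone_permit: bool = False         # 'zone default-zone permit' sets True
    full_zonesets: Dict[str, Zoneset] = field(default_factory=dict)
    active_zoneset: Optional[Zoneset] = None  # the only copy the fabric enforces
    fcns: Dict[str, int] = field(default_factory=dict)  # WWPN -> FCID

    def flogi(self, wwpn: str, fcid: int) -> None:
        """Fabric login followed by registration in the name server (FCNS)."""
        self.fcns[wwpn] = fcid

    def configure_zoneset(self, zs: Zoneset) -> None:
        """'zoneset name X vsan N' + members: edits the full zone set only."""
        self.full_zonesets[zs.name] = zs

    def activate(self, name: str) -> None:
        """'zoneset activate name X vsan N': a snapshot replaces the active copy."""
        src = self.full_zonesets[name]
        self.active_zoneset = Zoneset(name, [Zone(z.name, set(z.members)) for z in src.zones])

    def _active_zones(self) -> List[Zone]:
        return self.active_zoneset.zones if self.active_zoneset else []

    def _is_zoned(self, wwpn: str) -> bool:
        return any(wwpn in z.members for z in self._active_zones())

    def permitted(self, src: str, dst: str) -> bool:
        """Zone ACL lookup against the ACTIVE zone set (zone = ACE, zoneset = ACL)."""
        if any(src in z.members and dst in z.members for z in self._active_zones()):
            return True
        # Devices in no active zone fall into the default zone and follow its policy.
        if not self._is_zoned(src) and not self._is_zoned(dst):
            return self.default_zone_permit
        return False

    def name_server_query(self, src: str) -> Dict[str, int]:
        """Control plane: the FCNS reply lists only zoned peers (soft and hard zoning)."""
        return {w: f for w, f in self.fcns.items() if w != src and self.permitted(src, w)}

    def forward_frame(self, src: str, dst_fcid: int) -> bool:
        """Data plane: hard zoning checks the ACL per frame; soft zoning does not,
        so a frame to an already-known FCID is delivered even when unzoned."""
        dst = next((w for w, f in self.fcns.items() if f == dst_fcid), None)
        if dst is None:
            return False
        return self.permitted(src, dst) if self.hard_zoning else True


HOST_A = "10:00:00:00:c9:aa:aa:01"   # constructed WWPNs
HOST_B = "10:00:00:00:c9:bb:bb:02"
ARRAY = "50:06:01:60:3b:a0:01:01"
ARRAY_FCID = 0x510200                # constructed FCID (domain 0x51)


def demo(hard_zoning: bool = True) -> dict:
    """Walk the zone/zoneset lifecycle and record what each host can see and reach."""
    v = Vsan(30, hard_zoning=hard_zoning)
    v.flogi(HOST_A, 0x510100)
    v.flogi(HOST_B, 0x510300)
    v.flogi(ARRAY, ARRAY_FCID)
    out = {"nothing_active": v.forward_frame(HOST_A, ARRAY_FCID)}
    v.configure_zoneset(Zoneset("XYZ", [Zone("ABC", {HOST_A, ARRAY})]))
    out["configured_not_activated"] = v.forward_frame(HOST_A, ARRAY_FCID)
    v.activate("XYZ")
    out["host_a_fcns_view"] = sorted(v.name_server_query(HOST_A))
    out["host_b_fcns_view"] = sorted(v.name_server_query(HOST_B))
    out["host_a_to_array"] = v.forward_frame(HOST_A, ARRAY_FCID)
    out["host_b_to_array"] = v.forward_frame(HOST_B, ARRAY_FCID)  # B already knows the FCID
    v.full_zonesets["XYZ"].zones[0].members.add(HOST_B)  # edit the full zone set only
    out["host_b_after_edit"] = v.forward_frame(HOST_B, ARRAY_FCID)
    v.activate("XYZ")                                      # re-activate the zoneset
    out["host_b_after_reactivate"] = v.forward_frame(HOST_B, ARRAY_FCID)
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print("hard" if mode else "soft", demo(hard_zoning=mode))
```

Running `demo(hard_zoning=False)` shows why the notes call hard zoning the safe default: the FCNS view is identical in both modes, but under soft zoning host B's frame to the array FCID is still delivered, and the edit to zone ABC has no effect in either mode until the zoneset is activated again.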

Sample SAN Port Channel Config
==============================

interface san-port-channel 1 > on Nexus; on MDS it is "interface port-channel 1"
channel mode active
switchport mode E
switchport trunk allowed vsan 1
switchport trunk allowed vsan add 10
switchport speed 4000
!
int x/x
channel-group 1 > static port channel
channel-group 1 force > to add a link later into a functional SAN port channel
channel mode active > to enable the port channel protocol

Verification
============

sh port-channel summary

sh san-port-channel summary

sh port-channel internal info interface po1

sh interface san-port-channel 1 trunk vsan

=============================================================================

This is the order of operations for E/TE:

1. Go to the MDS physical interfaces and shut them down
2. Ensure the individual ports are dedicated ('switchport rate mode dedicated'),
   otherwise the port-channel configuration will error out. Can also configure
   'switchport mode e' here
3. Add the ports to the port-channel ('channel-group X')
4. Go to the port-channel and apply the configuration ('switchport mode e' and
   'switchport rate mode dedicated')
5. If required, restrict the port-channel to only the necessary VSANs
6. Add the port-channel to the VSAN database (optional - again depends on
   requirements)
7. No shut the port-channel and then the physical ports

* Make use of 'show interface fc x/y' and verify the config - look at: admin port mode,
trunk mode, port mode, port VSAN, VSANs allowed (if trunking).
* Ensure that these settings match on both sides (either MDS to N5K or UCS)

For F/TF port-channels, the steps that differ slightly from the above:

1. Enable the MDS features (such as npiv / fport-channel-trunk, if making a TF port-channel)
2. For F ports, can leave in either shared or dedicated mode. Additionally, configure the
   physical interfaces as 'switchport mode f', otherwise it will error out, as they
   generally default to FX ports
3. Instead of 'switchport mode e' on the port-channel, obviously make it an F port

If the link fails to come up and you are using NPV/NPIV, it is useful to make use of
'show npv status', which will also identify if you've forgotten to enable NPIV upstream, etc.

Principal Switch (PS) Election
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# Election starts when an E port between two or more switches comes up

# Domain IDs are assigned automatically but can also be assigned manually
with ( fcdomain domain 0x51 vsan )

- Preferred > The switch asks the principal switch if it can use the static domain ID; if the PS
says "Yes" then fine, if "No" it uses the domain ID given by the PS

- Static > Same theory as above, but if the PS says "No" the switch gets isolated from
the FC network

Election based on
++++++++++++

- Lowest priority ( fcdomain priority 1 vsan 1)

- Lowest WWN ( sh wwn switch)

* sh fcdomain (vsan)
* sh fcdomain domain-list (vsan)

FC Domain Services Restart
+++++++++++++++++++++++++++

- Graceful - fcdomain restart vsan 1

- Forced - fcdomain restart disruptive vsan 1 < Hidden command

Every time we make changes to FC services, the services must be restarted

==============================================================

# Note: One copy of FC services runs per VSAN, which means one domain ID can be
used for multiple VSANs without affecting the design. It's more like using one
OSPF router ID for multiple OSPF processes: each process populates a separate
database that is completely unrelated to the others.

==============================================================

Fabric Shortest Path First (FSPF)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Used to build an SPT through the fabric

- Domain ID is the Node ID in the SPT calculation

- FSPF runs automatically on per VSAN basis

- FSPF parameters can be manually modified in global config mode with
"fspf config vsan 1" or at interface level with
"fspf [cost|dead-interval|hello-interval|passive|retransmit-interval]"

Verification
++++++++++++

- sh fspf [database|interface] [vsan]

- sh fcroute unicast vsan
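The following Python example is an added illustration of the FSPF points above (domain ID as node ID, per-interface cost), not Cisco software or output. It runs a shortest-path computation over a constructed three-switch VSAN where each directed link carries the cost set on the sending interface, and builds the destination-domain to next-hop table that `show fcroute unicast` would present. The domain IDs and link costs are constructed.

```python
"""Toy FSPF shortest-path tree for one VSAN (added illustration, not Cisco
software). Nodes are domain IDs; each directed edge carries the 'fspf cost'
of the sending interface, so A->B and B->A may differ. Topology is made up."""
import heapq
from typing import Dict, Optional, Tuple

# (domain, neighbour domain) -> cost configured on the sending interface
LINKS: Dict[Tuple[int, int], int] = {
    (0x51, 0x52): 1000, (0x52, 0x51): 1000,
    (0x51, 0x53): 500,  (0x53, 0x51): 500,
    (0x53, 0x52): 250,  (0x52, 0x53): 250,
}


def fspf_spt(links: Dict[Tuple[int, int], int], root: int) -> Dict[int, Tuple[int, Optional[int]]]:
    """Dijkstra from root; returns {domain: (total cost, first-hop domain)}."""
    adj: Dict[int, list] = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, []).append((b, cost))
    best: Dict[int, Tuple[int, Optional[int]]] = {root: (0, None)}
    heap = [(0, root, 0)]            # (cost, node, first hop); 0 = none yet
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                 # stale entry
        for nbr, c in adj.get(node, []):
            new_cost = cost + c
            hop = nbr if node == root else first_hop
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nbr, hop))
    return best


def fcroute(links: Dict[Tuple[int, int], int], root: int) -> Dict[int, int]:
    """'show fcroute unicast'-style view: destination domain -> next-hop domain."""
    return {d: hop for d, (_, hop) in fspf_spt(links, root).items() if d != root}


def without_link(links: Dict[Tuple[int, int], int], a: int, b: int) -> Dict[Tuple[int, int], int]:
    """Topology after the ISL between domains a and b fails (both directions)."""
    return {k: v for k, v in links.items() if set(k) != {a, b}}


if __name__ == "__main__":
    print({hex(d): (c, hex(h)) for d, (c, h) in fspf_spt(LINKS, 0x51).items() if h})
    print({hex(d): hex(h) for d, h in fcroute(without_link(LINKS, 0x52, 0x53), 0x51).items()})
```

From domain 0x51 the direct 1000-cost ISL to 0x52 loses to the 500 + 250 path through 0x53, so the next hop for 0x52 is 0x53; drop the 0x52-0x53 ISL with `without_link` and FSPF reconverges onto the direct link.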

==============================================================
Fabric Login (FLOGI)
^^^^^^^^^^^^^^^^^^^^

- All initiators and targets must FLOGI before sending any data into the fabric

- Verification - sh flogi database vsan

- No configuration required

- No FLOGI indicates a basic link-level negotiation problem

- The FLOGI database is local to the switch, which means only directly connected devices
will show up; it's the FCNS's job to propagate this information to the entire fabric

==============================================================

Fibre Channel Name Services
^^^^^^^^^^^^^^^^^^^^^^^^^^^

- FCNS (AKA Directory Services) keeps a mapping of FCIDs to WWPNs

- Analogous to IP ARP Cache in ethernet

- End devices register with the FCNS after FLOGI

- sh fcns database

- If a node did FLOGI but is not in everyone's FCNS, it indicates the fabric is broken

> E.g. VSAN is isolated, EISL allowed list is wrong etc
