
Let's discuss the most important thing in a SAN environment: zoning. Zoning is the only way to restrict hosts' access to storage. We will discuss zoning in detail.

There are basically two types of zoning: hard zoning and soft zoning. Let's first define what zoning is.

Zoning is nothing but a map of host-to-device and device-to-device connectivity overlaid on the storage
networking fabric, reducing the risk of unauthorized access. Zoning supports the grouping of hosts,
switches, and storage on the SAN, limiting access between members of one zone and resources in
another.

Zoning also restricts the damage from unintentional errors that can corrupt storage allocations or
destabilize the network. For example, if a Microsoft Windows server is mistakenly connected to a
fabric dedicated to UNIX applications, the Windows server will write header information to each visible
LUN, corrupting the storage for the UNIX servers. Similarly, Fibre Channel registered state change
notifications (RSCNs), which keep SAN entities apprised of configuration changes, can
sometimes destabilize the fabric. Under certain circumstances, an RSCN storm will overwhelm a
switch’s ability to process configuration changes, affecting SAN performance and availability for
all users. Zoning can limit RSCN messages to the zone affected by the change, improving overall
SAN availability.

By segregating the SAN, zoning protects applications against data corruption, accidental access,
and instability. However, zoning has several drawbacks that constrain large-scale consolidated
infrastructures.

Let's first discuss the types of zoning and their pros and cons.

As I mentioned earlier, zoning basically has two types. You could say three, but only two types are
popular in the industry.

1) Soft Zoning 2) Hard Zoning 3) Broadcast Zoning

Soft Zoning: Soft zoning uses the name server to enforce zoning. The World Wide Name (WWN) of
the elements enforces the configuration policy.

Pros:
- Administrators can move devices to different switch ports without manually reconfiguring
zoning. This is a major flexibility for the administrator: once you create a zone set for a
particular device connected to the switch, you don't need to change it. You create a zone set on
the switch and allocate storage to the host, and you can then use any port for device connectivity.

Cons:
- Devices might be able to spoof the WWN and access otherwise restricted resources.
- Device WWN changes, such as the installation of a new Host Bus Adapter (HBA) card, require
policy modifications.
- Because the switch does not control data transfers, it cannot prevent incompatible HBA
devices from bypassing the Name Server and talking directly to hosts.

Hard Zoning: Hard zoning uses the physical fabric port number of a switch to create zones and
enforce the policy.

Pros:
- This system is easier to create and manage than a long list of element WWNs.
- Switch hardware enforces data transfers and ensures that no traffic goes between
unauthorized zone members.
- Hard zoning provides stronger enforcement of the policy (assuming physical security on the
switch is well established).

Cons:
- Moving devices to different switch ports requires policy modifications.

Broadcast Zoning: Broadcast zoning has many unique characteristics:

- Only one broadcast zone is allowed per fabric.
- It isolates broadcast traffic.
- It is hardware-enforced.

If you ask me how to choose the zoning type, it depends on the SAN requirements of your data center
environment. Port zoning is more secure, but you have to be sure that the device is not going to
change; otherwise, every time you change the storage allocation you have to modify your zoning.

Soft zoning is the type generally used in the industry, but as I have mentioned, soft zoning has many
cons. So it is hard to say which one you should always use. Analyze your data center environment and
use the proper zoning.

Broadcast zoning is used in large environments where there are various fabric domains.

Having said that, zoning can be enforced by either port number or WWN, but not both. When
both port number and WWN specify a zone, it is a software-enforced zone. Hardware-enforced zoning
is enforced at the Name Server level and in the ASIC. Each ASIC maintains a list of source port IDs
that have permission to access any of the ports on that ASIC. Software-enforced zoning is enforced
exclusively through selective information presented to end nodes through the fabric Simple Name Server
(SNS).
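
The enforcement rule in the paragraph above, as an added example (not from the original post or any vendor tool): a small Python audit that reads zone definitions and reports which zones would be software-enforced because they mix port and WWN members. The `name: member; member` input layout, the zone names and the WWNs are constructed for illustration.

```python
import re

# Member formats: a WWN is 8 colon-separated hex bytes; a port member is
# written "domain,port" (switch domain ID, physical port number).
WWN_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){7}$", re.IGNORECASE)
PORT_RE = re.compile(r"^\d+,\d+$")

# Constructed sample in a simplified "zone: member; member" layout
# (an assumption for this example, not any vendor's CLI output).
SAMPLE_ZONES = """
unix_db:    10:00:00:00:c9:aa:bb:01; 50:06:01:60:aa:bb:cc:01
win_app:    1,4; 1,12
backup_mix: 1,7; 10:00:00:00:c9:aa:bb:02
typo_zone:  10:00:00:00:c9:aa:bb; 2,3
"""

def member_kind(member):
    """Return 'wwn', 'port', or 'invalid' for one zone member string."""
    if WWN_RE.match(member):
        return "wwn"
    if PORT_RE.match(member):
        return "port"
    return "invalid"

def classify_zone(members):
    """Apply the rule above: one member type -> hardware, both -> software."""
    kinds = {member_kind(m) for m in members}
    if "invalid" in kinds or not kinds:
        return "invalid"
    if kinds == {"port"}:
        return "hardware (port)"
    if kinds == {"wwn"}:
        return "hardware (wwn)"
    return "software (mixed)"

def audit(text):
    """Parse 'name: m1; m2' lines and return {zone_name: enforcement}."""
    report = {}
    for line in text.strip().splitlines():
        # Split at the first colon only; WWN members contain colons too.
        name, _, rest = line.partition(":")
        members = [m.strip() for m in rest.split(";") if m.strip()]
        report[name.strip()] = classify_zone(members)
    return report

if __name__ == "__main__":
    for zone, result in audit(SAMPLE_ZONES).items():
        print(f"{zone:12s} {result}")
```

Zones reported as `software (mixed)` are the ones to split into port-only or WWN-only zones if hardware enforcement is required; `invalid` catches malformed members such as a truncated WWN.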

If you know about switches, you will have noticed that Cisco has the FCNS database and Brocade has the
Name Server. Both serve the same purpose: to store all the information about ports and other details.
FCNS stands for Fibre Channel Name Server.

There are plenty of things on the switch itself to protect your SAN environment. Each vendor comes with
a different security policy. Zoning is the basic measure for securing your data access.

Hope this info will be useful for beginners. Please leave a comment if you want to know about specific things.
