ICSNS
Implementing Cisco Storage Networking Solutions
Volume 2
Version 4.0
Student Guide
Text Part Number: 97-2500-01

© 2010 Cisco Systems, Inc. All rights reserved. Printed in the UK.

Table of Contents

Volume 2

Improving Management Security  3-175
  Overview  3-175
  Objectives  3-175
  Securing Management Ports  3-176
  Secure Management Protocols  3-177
  SNMPv3 Security  3-178
  IP ACLs  3-179
  Configuring IPv4 ACLs  3-180
  Configuring IPv6 ACLs  3-181
  Configuring SSH  3-182
  Generating an SSH Host Key Pair  3-183
  Enable SSH and Disable Telnet  3-184
  Using Digital Certificates  3-185
  Configuring a Public Key Certificate  3-186
  Role-Based Access Control  3-187
  Implementing RBAC  3-188
  RBAC Recommendations  3-190
  Configuring Roles and Users  3-191
  Centralizing Security Management  3-195
  TACACS+  3-196
  Server Groups  3-197
  Specifying the RADIUS Server Address  3-198
  Setting the RADIUS Pre-shared Key  3-200
  Configuring Login Authentication  3-201
  Enhanced AAA Services  3-202
  AAA Server Monitoring  3-203
  Configuring AAA Server Monitoring  3-204
  Specifying an AAA Server at Login  3-205
  Displaying RADIUS Server Statistics  3-206
  Summary  3-207
  References  3-207
Implementing Zones  3-209
  Overview  3-209
  Objectives  3-209
  Zone Membership and Zone Enforcement  3-210
  Configuring Zones and Zone Sets  3-215
  Configuring Device Aliases  3-216
  Configuring Zones  3-218
  Configuring Zone Sets  3-219
  Activating Zone Sets  3-220
  Zone Configuration in Cisco Fabric Manager  3-221
  Zone Configuration Verification  3-222
  Show Zone Analysis  3-223
  Displaying Zone Information in Cisco Fabric Manager  3-224
  Configuring Zone Set Distribution  3-225
  Merging Zones Without Disruption  3-227
  Zone Merge Analysis  3-229
  Recovering from Zone Merge Failures  3-230
  Managing Zone Sets
  Zone Set Recovery  3-235
  Renaming Zone Sets
  Cloning Zone Sets  3-237
  Copying Zone Sets
  Enhanced Zoning
  Implementing Enhanced Zoning  3-242
  Enhanced Zoning with Cisco Fabric Manager  3-244
  Enhanced Zoning Commands
  Modifying the Enhanced Zone Database  3-246
  Enhanced Zoning Merge Behavior
  Creating Attribute Groups  3-249
  Configuring Read-Only Zones  3-251
  Configuring LUN Zones  3-253
  SCSI LUN Discovery  3-254
  LUN Zoning Configuration  3-255
  Configuring Broadcast Zoning  3-256
  Broadcast Zoning with Cisco Fabric Manager  3-259
  Recommended Zoning Practices  3-260
  Summary  3-261
  References  3-262
Module Summary  3-263
  References  3-264
Module Self-Check  3-265
  Module Self-Check Answer Key  3-272

Implementing FCIP  4-1
  Overview  4-1
  Module Objectives  4-1
FCIP Protocol Overview  4-3
  Overview  4-3
  Objectives  4-3
  FCIP Protocol  4-4
  The FCIP Protocol Stack  4-5
  Fibre Channel Frame Encapsulation  4-6
  FCIP Specifications  4-8
  FC-BB-2: ANSI Specification  4-9
  FCIP: IETF Specification
  FCIP Implementation on the Cisco MDS 9000  4-13
  The Cisco FCIP Implementation  4-14
  The VE Port Model  4-15
  FCIP Topology Options  4-16
  Cisco MDS 9000 FCIP Connectivity Options
  IP Addressing
  IPv4 Addressing  4-20
  IPv6 Addressing  4-21
  IP Routing Protocols  4-23
  TCP/IP Protocol Headers  4-26
  Summary  4-28
  References  4-29
Configuring FCIP  4-31
  Overview  4-31
  Objectives  4-31
  FCIP Configuration Overview  4-32
  Configuring Gigabit Ethernet Interfaces
  Creating Static Routes  4-37
  Configuring FCIP Tunnels  4-38
  Creating an FCIP Profile  4-39
  Creating an FCIP Interface  4-40
  Verifying the FCIP Configuration
  Using the FCIP Wizard
  Implementing Cisco Storage Networking Solutions (ICSNS) v4.0  © 2010 Cisco Systems, Inc.
  Using VLAN Subinterfaces  4-51
  VLAN Subinterface Configuration  4-52
  Displaying VLAN Subinterfaces  4-53
  Interface Subnet Requirements  4-56
  Summary  4-57
  References  4-58
Configuring FCIP High Availability  4-59
  Overview  4-59
  Objectives  4-59
  PortChannel Configuration Guidelines  4-60
  PortChannels with FCIP Tunnels
  PortChannel Configuration Diagram  4-63
  Configuration Steps
  The Cisco Fabric Manager PortChannel Wizard  4-65
  PortChannel Configuration Verification
  PortChannel Verification in Cisco Fabric Manager  4-70
  Other High-Availability Options
  VRRP for High Availability
  Ethernet PortChannels for High Availability  4-74
  Summary  4-76
  References  4-76
Implementing IVR for SAN Extension  4-77
  Overview  4-77
  Objectives  4-77
  IVR Overview  4-78
  IVR Control Traffic  4-79
  IVR Terminology  4-80
  IVR Implementation  4-82
  IVR Autonomous Fabric ID  4-83
  IVR NAT: Autonomous Fabrics and Overlapping VSAN IDs  4-84
  Configuring Autonomous Fabric IDs  4-85
  IVR Zones and Zone Sets
  Automatic IVR Zone Creation  4-88
  IVR Configuration  4-89
  The IVR Zone Wizard  4-90
  IVR Configuration Example
  IVR Configuration Verification  4-95
  IVR Recommended Practices
  Summary  4-102
  References  4-102
Tuning FCIP Performance  4-103
  Overview  4-103
  Objectives  4-103
  Overview of FCIP Tuning Parameters
  The Impact of TCP Congestion Avoidance  4-105
  Configuring TCP Timeout, Retransmit, and Selective Acknowledgment
  Configuring Keepalive Timeout
  Tuning Minimum Retransmit Timeout  4-110
  Tuning Maximum Retransmissions
  Selective Acknowledgment
  Enabling Selective Acknowledgment
  Configuring the MTU and Path MTU Discovery  4-115
  FCIP Flow Control
  FCIP Flow Control Challenges
  FCIP Flow Control Design Factors
  Round-Trip Time
  TCP Maximum Window Size  4-120
  Dynamic MWS Calculation
  Packet Shaping
  Results of Packet Shaping  4-123
  TCP Maximum Bandwidth  4-124
  TCP Minimum Available Bandwidth  4-125
  Packet-Shaping Configuration  4-126
  Tuning Congestion Window Monitoring  4-127
  FCIP Compression
  When to Use Compression  4-130
  Configuring FCIP Compression  4-131
  FCIP Write Acceleration  4-132
  Resolving Proxy XID  4-133
  FCIP Write Flow: Resolving a Changed RX_ID
  Configuring FCIP Write Acceleration  4-135
  Write Acceleration Configuration Issues  4-136
  FCIP Tape Acceleration  4-137
  Configuring Tape Acceleration
  Cisco MDS SAN-OS 3.x FCIP Tape Read Acceleration  4-140
  Tape Acceleration Configuration Issues
  Cisco IO Accelerator  4-142
  Basic Configuration Requirements
  Supported Cisco IOA Topologies
  Configuring Cisco IOA
  IP QoS Overview  4-155
  Configuring Quality of Service  4-157
  Using SAN Extension Tuner  4-158
  SET Configuration  4-159
  SET Guidelines  4-161
  SAN Extension SCSI Tape Read/Write Assignment  4-163
  SET Data Pattern
  SET Verification  4-165
  Summary  4-167
  References  4-168
Module Summary  4-169
  References  4-169
Module Self-Check
  Module Self-Check Answer Key  4-175

Troubleshooting Tools and Scenarios  5-1
  Overview  5-1
  Module Objectives  5-1
Using Diagnostic Tools and Methodologies  5-3
  Overview  5-3
  Objectives  5-3
  SAN Fault Isolation Methodology  5-4
  Troubleshooting Methodology  5-5
  Power Verification  5-6
  Troubleshooting Interfaces
  Verify Physical Connectivity  5-9
  Verify Fabric Registration  5-10
  Monitor Ports for Connectivity
  Troubleshooting VSANs  5-15
  Fibre Channel Ping and Fibre Channel Traceroute Usage  5-16
  Fibre Channel Ping  5-17
  Fibre Channel Traceroute  5-18
  Cisco Fabric Manager Troubleshooting Tools  5-19
  Switch Health Analysis  5-20
  Fabric Configuration Analysis  5-21
  FCIP Troubleshooting Overview  5-22
  Cisco MDS 9000 Series Module Status Verification  5-23
  Cisco IPS Interface Verification  5-26
  Restart a Failed Line Card  5-27
  Network Connectivity Verification  5-28
  The IP ping Command  5-29
  Additional ping Options  5-33
  Summary  5-35
  References  5-36
Capturing and Analyzing SAN Traffic  5-37
  Overview  5-37
  Objectives  5-37
  SPAN Overview  5-38
  SPAN Session Sources  5-39
  SPAN Session Configuration  5-40
  SPAN Session Verification  5-42
  SPAN Overview  5-43
  Cisco PAA Configuration
  Cisco PAA Truncate Mode  5-45
  Configuring the Cisco PAA  5-46
  Troubleshooting the Cisco PAA
  Cisco Fabric Analyzer  5-48
  fcanalyzer Command: Local Capture  5-49
  fcanalyzer Command: Remote Capture  5-50
  Wireshark Overview  5-51
  Frame Captures in Wireshark  5-53
  Wireshark Filters  5-54
  Summary  5-55
  References  5-55
[…] Configuration  5-57
  Overview  5-57
  Objectives  5-57
  Troubleshooting Host-to-Switch Connectivity  5-58
  VSAN Membership by Device  5-59
  Verify Active Zone Set  5-60
  Host and Switch Connectivity  5-61
  Verify the Active Zone Set
  Troubleshooting ISLs  5-65
  E Port Troubleshooting Procedure  5-67
  xE Port Isolation  5-68
  Determine the Cause of E Port Isolation  5-70
  show … Command  5-71
  E Ports on the 32-Port Line Card
  E Ports on Generation 2 Line Cards  5-73
  Troubleshooting PortChannels  5-75
  show interface port-channel Command  5-76
  show port-channel database Command  5-77
  Troubleshooting Fabric Merges  5-78
  Verify Switch-to-Switch Connectivity  5-80
  Domain ID Overlap
  Zone Merge Failure  5-82
  Allowed VSAN List Errors  5-83
  FCIP Troubleshooting
  Troubleshooting Failed Tunnels  5-85
  Check the Firewall  5-87
  Verify FCIP Tunnel Operation  5-88
  … Information  5-92
  References  5-96
Module Summary  5-97
  References  5-98
Module Self-Check  5-99
  Module Self-Check Answer Key  5-108

Configuring Dynamic VSANs  A-1
  Overview  A-1
  Objectives  A-1
  Dynamic Port VSAN Membership Overview  A-2
  DPVM Database  A-3
  Configuring DPVM
  Configuring DPVM Databases  A-5
  Activating DPVM Configuration Database  A-7
  Using DPVM Auto-Learn  A-8
  Configuring DPVM Distribution
  Summary
  References
Improving Device Flexibility  B-1
  Overview  B-1
  Objectives  B-1
  SAN Device Virtualization  B-2
  SAN Device Virtualization  B-3
  Configuring a Zone for a Virtual Device  B-7
  SDV Requirements and Guidelines  B-8
  Cisco FlexAttach  B-9
  Configuring FlexAttach
  Verifying FlexAttach Virtual pWWN  B-12
  Differences Between SDV and FlexAttach Port Virtualization  B-13
  Summary  B-14
  References  B-14

Lesson 7

Improving Management Security

Overview

This lesson describes the different secure management protocols that are supported on the Cisco MDS 9000 Series, along with how to configure role-based access control (RBAC).

Objectives

Upon completing this lesson, you will be able to configure secure management protocols and RBAC. This ability includes being able to meet these objectives:
- Describe the secure protocols that can be employed to provide secure access to Cisco MDS 9000 Series management ports
- Describe how to configure SSH services
- Explain how digital certificates can be used to enhance scalability and management of SSH
- Describe the use of RBAC for secure SAN management of the Cisco MDS 9000 Series Multilayer Switches
- Describe the RBAC configuration steps
- Explain how to use RADIUS and TACACS+ servers to centralize management of security
- Explain how to use enhanced AAA services for monitoring, specifying login servers, and displaying AAA statistics

Securing Management Ports

This topic describes the secure protocols that you can employ to provide secure access to Cisco MDS 9000 Series management ports.

SAN Management Security
- Unauthorized SAN management access poses serious risks to fabric stability, data integrity, and secrecy.
- Without effective safeguards, a malicious user could alter the network configuration.
- Protocols such as Telnet, rlogin, SNMPv1, SNMPv2, and FTP are inherently insecure when used to access management ports on the MDS.

Unauthorized or unintentional access to SAN management can jeopardize the integrity and stability of the SAN infrastructure. Traditional access protocols such as Telnet, rlogin, Simple Network Management Protocol version 1 (SNMPv1), SNMPv2, and FTP are inherently insecure when used to access management ports on the Cisco MDS 9000 Series switches.

Secure Management Protocols

This subtopic describes how to use secure management protocols.

Secure Management Protocols
- SSHv2: secure remote access with authentication and encryption; helps prevent man-in-the-middle or replay attacks
- Host key pair: DSA or RSA
- SNMPv3: authenticates with MD5 HMAC or SHA HMAC and encrypts with DES
- SFTP: file transfer over an encrypted SSH connection

Secure Shell version 2 (SSHv2) helps to prevent man-in-the-middle or replay attacks by providing an encrypted access link between the management client and the switch. SSHv2 encrypts traffic between the client and the Cisco MDS 9000 Series switch, authenticates communication between client and host, and prevents unauthorized access. However, you must configure the SSH host key pair before enabling the SSH service. There are two key pairs:
- Digital Signature Algorithm (DSA) for the SSHv2 protocol
- Rivest, Shamir, and Adleman (RSA) for the SSHv2 protocol

When a user authenticates with an SSH key instead of a password, no password prompt is given, which is useful when running scripts. You need to first generate the SSH key pair on the SSH client machine, and then configure the public key on the Cisco MDS 9000 Series switch. You need to create a user account before you can configure an SSH key for it.

SNMPv3 uses encrypted gets, sets, and traps.

Secure File Transfer Protocol (SFTP) is an interactive file transfer program, like FTP, that performs all operations over an encrypted SSH transport connection.
SNMPv3 Security

This subtopic describes SNMPv3 security features.

SNMPv3 Security
- SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network
- Message integrity, authentication, and encryption
- Configured using the MD5 authentication protocol and AES encryption

SNMPv3 is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network. The security features provided in SNMPv3 are as follows:
- Message integrity: Ensures that a packet has not been tampered with in transit
- Authentication: Determines that the message is from a valid source
- Encryption: Scrambles the packet contents to prevent it from being seen by unauthorized sources

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the role in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when you are processing an SNMP packet.

IP ACLs

This subtopic describes the IP access control lists (ACLs).

IP ACLs
- Can be configured on mgmt0, VSAN, and Gigabit Ethernet interfaces
- Permit and deny conditions are added to a control list
- Must be applied to take effect
- IPv4 and IPv6 support on the MDS 9000 Series

IP ACLs provide basic network security to all switches in the Cisco MDS 9000 Series. IP ACLs restrict IP-related Cisco MDS out-of-band management traffic and in-band traffic that is based on IP addresses (Layer 3 and Layer 4 information). You can use IP ACLs to control transmissions on an interface.

Follow these guidelines when configuring IP ACLs in any switch or director in the Cisco MDS 9000 Family:
- IP ACLs cannot be configured on Fibre Channel interfaces.
- IP ACLs can be configured only on the management interface, virtual storage area network (VSAN) interfaces, and Gigabit Ethernet interfaces.
- An IP ACL is a sequential collection of permit and deny conditions that apply to IP flows. Each IP packet is tested against the conditions in the list. The first match determines whether the software accepts or rejects the packet. Because the software stops testing conditions after the first match, the order of the conditions in the list is critical. If no conditions match, the software rejects that packet.
- An IP protocol can be configured using an integer ranging from 0 to 255 to represent a particular IP protocol. Alternatively, you can specify the name of a protocol: ICMP, IP, TCP, or UDP. IP includes TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and other protocols.

Configuring IPv4 ACLs

This subtopic describes how to configure IP version 4 (IPv4) ACLs.

Configuring IPv4 ACLs
Step 1: Define ACL rules
Step 2: Apply ACLs

IP ACLs can be used to restrict the hosts that are allowed to access mgmt0. To configure an IP ACL, you must complete the following tasks:
- Create an IP ACL by specifying a name and access condition. All lists use the source and destination address for matching operations. You can configure finer granularity using optional keywords.
- Apply the access list to specified interfaces.

In this figure, an ACL (List1) is configured that will allow only a single host (Host A) to access the mgmt0 port of the switch. First the ACL is constructed to permit traffic flow from Host A to mgmt0; 10.0.17.2 is the IP address of the host, 10.0.17.1
is the IP address of the mgmt0 interface, and 0.0.0.0 is the wildcard mask, so only that exact host address matches. The second command in Step 1 prevents traffic from all other sources; deny tcp any any means "deny all TCP traffic from any source to any destination."

ACLs are processed in order, from the top down, until a match is found. When the switch detects a TCP packet that is coming from 10.0.17.2 and is destined for 10.0.17.1, the packet is matched against the first rule, and the packet is allowed to pass. TCP packets that do not match the first rule are compared against the second rule, which specifies that they should be dropped.

In Step 2, the ACL List1 is applied to ingress traffic on mgmt0.

Note: The source/source-wildcard and destination/destination-wildcard can be specified in either of two ways:
- Using the 32-bit quantity in four-part, dotted decimal format (10.1.1.2 0.0.0.0 is the same as host 10.1.1.2)
- Using the any option as an abbreviation for a source/source-wildcard or destination/destination-wildcard (0.0.0.0/255.255.255.255)

Configuring IPv6 ACLs

This subtopic describes how to configure IP version 6 (IPv6) ACLs.

Configuring IPv6 ACLs
Step 1: Define IPv6 ACL rules:
  switch(config-ipv6-acl)# permit ip 2001:… (address and prefix length are illegible in the scan)
  switch(config-ipv6-acl)# deny ipv6 any any
Step 2: Apply IPv6 ACLs

IPv6 ACLs can be used to restrict the hosts that are allowed to access mgmt0. Traffic coming into the switch is compared to the IPv6 ACL filters in the order in which the filters occur in the switch. New filters are added to the end of the IPv6 ACL. The switch keeps looking until it has a match. If no match is found when the switch reaches the end of the filter, the traffic is denied. For this reason, you should have the frequently hit filters at the top of the filter. There is an implied deny for traffic that is not permitted.
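The first-match evaluation described for both the IPv4 and the IPv6 lists, as an added example that is not code from the Student Guide or from Cisco: it models the ACL matching order in Python so that the effect of rule order and of the implicit deny can be checked on constructed packets before a list is applied to mgmt0. The sample lists (List1 for Host A 10.0.17.2 and mgmt0 10.0.17.1, and an IPv6 list using the 2001:db8::/32 documentation prefix) and the packets are constructed for the example; the wildcard-mask and prefix matching follows the Note above, and a rule whose protocol is ip or ipv6 is taken to cover every IP protocol, as the guideline on protocol names states.

```python
"""Sequential, first-match IP ACL evaluation (IPv4 wildcard-mask entries,
IPv6 prefix entries, the 'any' abbreviation, implicit deny at end of list).
Added example; not code from the Student Guide or from Cisco."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    protocol: str   # "ip" / "ipv6" (any IP protocol), or "tcp", "udp", "icmp"
    src: str        # "A.B.C.D W.X.Y.Z" (wildcard mask), "prefix/len", or "any"
    dst: str


def _addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything. IPv4 'addr wildcard': bits set in the
    wildcard are ignored, so 0.0.0.0 means an exact host match (as in the
    Note above). Anything else is treated as a CIDR prefix (IPv4 or IPv6)."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if " " in spec:
        base, wild = spec.split()
        b = int(ipaddress.IPv4Address(base))
        w = int(ipaddress.IPv4Address(wild))
        care = ~w & 0xFFFFFFFF          # bits that must match exactly
        return ip.version == 4 and (int(ip) & care) == (b & care)
    net = ipaddress.ip_network(spec, strict=False)
    return ip.version == net.version and ip in net


def _proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    # "ip"/"ipv6" entries cover TCP, UDP, ICMP and every other IP protocol.
    return rule_proto in ("ip", "ipv6") or rule_proto == pkt_proto


def evaluate(acl: List[Rule], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Test the packet against the entries top-down and stop at the first
    match. Returns (action, index); index None is the implicit deny reached
    when no entry matched."""
    for i, rule in enumerate(acl):
        if (_proto_matches(rule.protocol, proto)
                and _addr_matches(rule.src, src)
                and _addr_matches(rule.dst, dst)):
            return rule.action, i
    return "deny", None


# Constructed sample lists (not the slide's own command lines).
# List1 mirrors the IPv4 figure: only Host A (10.0.17.2) may reach mgmt0 (10.0.17.1).
LIST1 = [
    Rule("permit", "ip", "10.0.17.2 0.0.0.0", "10.0.17.1 0.0.0.0"),
    Rule("deny", "tcp", "any", "any"),
]
# An IPv6 list of the same shape, using the 2001:db8::/32 documentation prefix.
LIST6 = [
    Rule("permit", "ipv6", "2001:db8:0:1::/64", "any"),
    Rule("deny", "ipv6", "any", "any"),
]

if __name__ == "__main__":
    for proto, src, dst in [("tcp", "10.0.17.2", "10.0.17.1"),
                            ("tcp", "10.0.17.9", "10.0.17.1"),
                            ("udp", "10.0.17.9", "10.0.17.1")]:
        print(proto, src, "->", dst, evaluate(LIST1, proto, src, dst))
```

Reversing List1 makes the deny entry match first and Host A loses access, which is the ordering point the text makes; a UDP packet from another host matches neither entry and is dropped by the implicit deny rather than by the deny tcp any any line.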
A single-entry IPv6 ACL with only one deny entry has the effect of denying all traffic.

To configure an IPv6 ACL, you must complete the following tasks:
Step 1  Create an IPv6 ACL by specifying a filter name.
Step 2  Add entries that contain the required source and destination addresses to match a condition. Use optional keywords to configure finer granularity.

Note: The filter entries are executed in sequential order. You can add entries only to the end of the list. Take care to add the entries in the correct order.

Step 3  Apply the access filter to specified interfaces.

Configuring SSH

This topic describes how to configure SSH services.

Secure Shell Configuration
Be sure to have an SSH host key pair with the appropriate version before enabling the SSH service:
- Key pair bit range: 768-2048
- SSH service key pair types for SSHv2:
  - DSA key pair for the SSH version 2 protocol
  - RSA key pair for the SSH version 2 protocol

SSH services provide a layer of access protection from a Telnet user. The Telnet service is enabled by default on all Cisco MDS 9000 Series switches, but the SSH service is not. Before enabling the SSH service on Cisco MDS 9000 Series switches, you need to generate a host key pair. To generate a host key, use the ssh key command.

Be sure to have an SSH host key pair with the appropriate version before enabling the SSH service. The SSH service accepts two types of key pairs for use by SSHv2. Generate the SSH host key pair according to the SSH client version that is used.
The number of bits specified for each key pair ranges from 768 to 2048:
- The dsa option generates the DSA key pair for the SSHv2 protocol
- The rsa option generates the RSA key pair for the SSHv2 protocol

Generating an SSH Host Key Pair

This subtopic describes how to generate an SSH host key pair.

Generating an SSH Host Key Pair
Generate RSA key:
  switch(config)# ssh key rsa … (bit length illegible in the scan)
  generating rsa key(… bits)……
Generate DSA key:
  switch(config)# ssh key dsa 2048
  generating dsa key(2048 bits)……

The SSH service can be configured during the initial installation setup script, or later manually. The first requirement of the manual option is to create a host key. To generate a host key, use the ssh key command as shown.

Generating an SSH Host Key Pair (Cont.)
- Overwrite the previously generated key pair:
  switch(config)# ssh key rsa … force (bit length illegible in the scan)

The SSH service can be configured during the initial installation setup script, or later manually. By

Implementing RBAC (Cont.)
Roles can be restricted to one or more VSANs:
- Set VSAN policy to deny, then permit appropriate VSANs
- Requires Enterprise License
Users assigned to such roles are "VSAN restricted":
- Cannot modify E port configurations
- Cannot execute commands that view, copy, compare, or modify the startup config

VSAN-based access control enables the deployment of VSANs that fit existing operational models. Network administrators can configure all platform-specific capabilities, while VSAN administrators can configure and manage their own VSANs independently. Basically, the existing role definition is enhanced to include VSANs.

In the figure, an administrator responsible for the email VSAN can access only it and not the CRM VSAN. The same goes for the administrator of the CRM VSAN, who cannot access or control the email VSAN. This feature adds another layer of security to the network. Roles can be used to create VSAN administrators.
You can configure a role so that it allows tasks to be performed only for a chosen set of VSANs. By default, the VSAN policy for any role is permit. In order to selectively allow VSANs for a role, the VSAN policy needs to be set to deny, and then the appropriate VSANs need to be permitted.

Users that are configured in roles where the VSAN policy is set to deny cannot modify the configuration for expansion ports (E ports). They can modify only the configuration for fabric ports (F ports) or fabric loop ports (FL ports), depending on whether the configured rules allow such configuration to be made. This is to prevent such users from modifying configurations that may affect the core topology of the fabric.

Users belonging to roles in which the VSAN policy is set to deny are referred to as VSAN-restricted users. These users cannot perform commands that require the startup configuration to be viewed or modified. Such commands include the copy running startup, show startup, show running-config diff, copy startup destination, and copy source startup commands.

Note: The Enterprise license is required for per-VSAN RBAC.

RBAC Recommendations

This subtopic describes the RBAC recommendations.

RBAC Recommendations
- Use roles to give access to groups of commands
- Deploy by department or administrative function
- Match to operational structure
- Limit reach of administrators
- Unique username per user for accounting; also reduces likelihood of password sharing

RBAC is recommended for increased SAN security. RBAC allows different administrative users and groups to be granted different levels of access, as required by their function. Some administrators might be given read-only access to permit device monitoring, and others might be given the ability to change port configurations, while only a few trusted administrators are given the ability to change fabric-wide parameters. With Cisco MDS SAN-OS Release 1.3(1) and higher, customers are able to define roles on a per-VSAN basis.
This enhanced granularity allows different administrators to be assigned to manage different SAN domains, as defined by VSANs.

A Network Administrator is responsible for overall configuration and management of the network, including platform-specific configuration, configuration of roles, and role assignment.

Matching the VSANs to the existing operational structure allows for ease of matching user roles to realistic groupings of operational responsibility.

VSAN-based roles limit the reach of individual VSAN Administrators to the resources within their logical domain. In addition, efficient grouping of commands into roles, and assignment of roles to users, allows mapping of user accounts to practical roles, which reduces the likelihood of password sharing among operational groups.

Configuring Roles and Users

This topic describes how to configure RBAC.

Configuring RBAC
Step 1: Create a role:
  switch(config)# role name role-name
  switch(config-role)#
Step 2: Add an optional description:
  switch(config-role)# description line
Step 3: Configure access rules for the role (ordering matters):
  switch(config-role)# rule 1 permit … (remainder illegible in the scan)
  switch(config-role)# rule 2 deny … (remainder illegible in the scan)
Step 4: Configure VSAN access policy (optional):
  switch(config-role)# vsan policy deny
  switch(config-role-vsan)# permit vsan 2-5

To create a role, use the role name role-name command. This command creates the role and moves you to the role configuration submode. To create an optional description for the role, use the description line command.

Up to 16 rules can be configured for each role. The user-specified rule number determines the order in which the rules are applied. Rule 1 is applied before rule 2, which is applied before rule 3, and so on. If, for example, rule 1 specifies that all clear commands are denied, and rule 2 specifies that all clear commands are allowed, then all clear commands are allowed.
The rule command specifies operations that can be performed by the role. Each rule consists of a rule number, a rule type (permit or deny), a command type (for example, config, clear, show, exec, or debug), and an optional feature name (for example, Fabric Shortest Path First [FSPF], zone, VSAN, Fibre Channel ping, or interface).

When creating a rule, exec commands refer to all commands in the EXEC mode that do not fall in the show, debug, and clear categories.

To configure a VSAN-restricted role, first use the vsan policy deny command (which requires an Enterprise package license). This command disallows all VSANs on the role and moves you to the VSAN policy submode. Then, to allow one or more VSANs on the role, use the permit vsan range command. Multiple entries are allowed. For example, consider the following configuration:

  switch(config-role)# vsan policy deny
  switch(config-role-vsan)# permit vsan 1-5
  switch(config-role-vsan)# no permit vsan 3

The resulting VSAN allow list would include VSANs 1 and 2 and VSANs 4 and 5, but not VSAN 3.

Configuring RBAC (Cont.)
Roles are assigned to user accounts. Default role is network-operator:
- Create new user account with default network-operator role:
  switch(config)# username user password password
- Create new user account with nondefault role:
  switch(config)# username user password password role role-name
- Add a role to an existing account:
  switch(config)# username user role role-name

When custom roles have been created, they can then be assigned to user accounts. If a user account is created without assigning a role, that user is given the network-operator role.

To create a new user account with a password and the default network-operator role, use the username user password password command.

To create a new user account with a nondefault role, use the username user password password role role-name command.

To add a role to an existing user account, use the username user role role-name command.
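The rule ordering and VSAN policy semantics described in the rule and vsan policy paragraphs above, as an added example that is not code from the Student Guide or from Cisco: a Python model that applies a role's rules in rule-number order, with a later rule overriding an earlier one (the clear-command case in the text), and derives the VSAN allow list from a deny policy followed by permit and no permit ranges, reproducing the VSANs 1, 2, 4 and 5 result. The role name and the feature-specific clear rule in the sample are constructed; the model's assumption that a command no rule mentions is denied is not stated on the page and is marked as such in the code.

```python
"""Role rules applied in rule-number order, plus VSAN policy deny/permit.
Added example; not code from the Student Guide or from Cisco."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MAX_RULES = 16
COMMAND_TYPES = ("config", "clear", "show", "exec", "debug")


@dataclass
class Rule:
    number: int
    action: str                     # "permit" or "deny"
    command_type: str               # one of COMMAND_TYPES
    feature: Optional[str] = None   # e.g. "zone", "fspf"; None = whole command type


@dataclass
class Role:
    name: str
    rules: Dict[int, Rule] = field(default_factory=dict)
    vsan_policy: str = "permit"     # default VSAN policy for any role is permit
    permitted_vsans: Set[int] = field(default_factory=set)

    def add_rule(self, number: int, action: str, command_type: str,
                 feature: Optional[str] = None) -> None:
        if not 1 <= number <= MAX_RULES:
            raise ValueError(f"rule number must be 1..{MAX_RULES}")
        if action not in ("permit", "deny") or command_type not in COMMAND_TYPES:
            raise ValueError("bad rule")
        self.rules[number] = Rule(number, action, command_type, feature)

    def allows(self, command_type: str, feature: Optional[str] = None) -> bool:
        """Rule 1 is applied first, then rule 2, ... so the highest-numbered
        rule that covers the command decides. Assumption (not stated on the
        page): a command that no rule covers is denied."""
        decision = "deny"
        for number in sorted(self.rules):
            rule = self.rules[number]
            if rule.command_type != command_type:
                continue
            if rule.feature is not None and rule.feature != feature:
                continue
            decision = rule.action
        return decision == "permit"

    def vsan_policy_deny(self) -> None:
        """'vsan policy deny': disallow every VSAN until some are permitted."""
        self.vsan_policy = "deny"
        self.permitted_vsans = set()

    def permit_vsan(self, first: int, last: Optional[int] = None) -> None:
        self.permitted_vsans.update(range(first, (last or first) + 1))

    def no_permit_vsan(self, first: int, last: Optional[int] = None) -> None:
        self.permitted_vsans.difference_update(range(first, (last or first) + 1))

    def vsan_allowed(self, vsan: int) -> bool:
        return self.vsan_policy == "permit" or vsan in self.permitted_vsans

    def is_vsan_restricted(self) -> bool:
        # VSAN-restricted users cannot touch E ports or the startup config.
        return self.vsan_policy == "deny"


def _vsan_range(text: str) -> Tuple[int, int]:
    first, _, last = text.partition("-")
    return int(first), int(last) if last else int(first)


def apply_cli(role: Role, line: str) -> Role:
    """Apply one role-submode line: 'rule N permit|deny TYPE [FEATURE]',
    'vsan policy deny', 'permit vsan A[-B]', 'no permit vsan A[-B]'."""
    p = line.split()
    if p[0] == "rule":
        role.add_rule(int(p[1]), p[2], p[3], p[4] if len(p) > 4 else None)
    elif p[:3] == ["vsan", "policy", "deny"]:
        role.vsan_policy_deny()
    elif p[:2] == ["permit", "vsan"]:
        role.permit_vsan(*_vsan_range(p[2]))
    elif p[:3] == ["no", "permit", "vsan"]:
        role.no_permit_vsan(*_vsan_range(p[3]))
    else:
        raise ValueError(f"unsupported line: {line}")
    return role


def example_role() -> Role:
    """The page's VSAN example plus a constructed pair of clear rules."""
    role = Role("email-vsan-admin")      # constructed name
    for line in ("rule 1 deny clear", "rule 2 permit clear zone",
                 "vsan policy deny", "permit vsan 1-5", "no permit vsan 3"):
        apply_cli(role, line)
    return role


if __name__ == "__main__":
    r = example_role()
    print(sorted(r.permitted_vsans), r.allows("clear", "zone"), r.allows("clear", "fspf"))
```

Swapping the two clear rules (permit as rule 1, deny as rule 2) flips the outcome, which is what the text's ordering statement implies; a role left at the default policy permits every VSAN and is not VSAN restricted.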
Cisco Fabric Manager can create simple roles across multiple switches:
- Limited granularity
- VSAN scope can be configured

Cisco Fabric Manager can be used to create simple roles across multiple switches in the fabric. To create a role using Cisco Fabric Manager, choose Security from the Physical Attributes pane. Click the Roles tab and then click the Create Row button in the toolbar. A creation dialog box will appear. Click the check boxes for the switches where you want to configure the role, and enter a name and description for the role.

The granularity of the roles that are created using Cisco Fabric Manager is limited. You can check or uncheck the Has Config and Exec Permission check box. If you uncheck the box, the role will have read-only permissions. You can check the VSAN Scope Enable check box to restrict the role to one or more VSANs.

Configuring RBAC (Cont.)
- Cisco Device Manager can create complex roles on a single switch

Cisco Device Manager can be used to create complex roles on a single switch. To create a role using Cisco Device Manager, first choose Roles from the Security menu, and then click Create in the dialog box displayed. Enter a name and description for the role. You can check the VSAN Scope Enable check box to restrict the role to one or more VSANs. Click the Rules button to view the rules for the role, and choose the rules that you want to enable or disable.
Click Apply to complete the configuration.

Centralizing Security Management

This topic provides information on how to configure RADIUS and TACACS+ centralized management services for the Cisco MDS 9000 Series.

RADIUS AAA
- Authentication: User access with ID and password
- Authorization: Role level or set of privileges
- Accounting: Log of management session of the user
- Centrally stored access information
- Covers AAA needs for various applications:
  - CLI login (Telnet/SSH/Console/Modem)
  - SNMP (accounting)
  - iSCSI (CHAP authentication)
  - Fibre Channel Security Protocol (DH-CHAP authentication)

The authentication, authorization, and accounting (AAA) mechanism verifies the identity of, grants access to, and tracks the actions of users that are managing a switch. All Cisco MDS 9000 Series switches use RADIUS and TACACS+ protocols to provide solutions using remote AAA servers.

Based on the user ID and password combination that is provided, switches perform local authentication or authorization using the local database, or remote authentication or authorization using AAA servers. A preshared secret key provides security for communication between the switch and AAA servers. This secret key can be configured for all AAA servers or for only a specific AAA server. This security mechanism provides a central management capability for AAA servers.

TACACS+

This subtopic describes TACACS+.

TACACS+
- Complements RADIUS server: Provides centralized AAA services
- Reliable: Uses TCP as opposed to UDP in RADIUS; no need to configure a retry count
- Secure connection between MDS and TACACS+ server:
  - Cisco MDS 9000 switch configured with a shared key
  - TACACS+ feature must be explicitly enabled

TACACS+ is a client/server protocol that uses TCP (TCP port 49) for transport requirements. All switches in the Cisco MDS 9000 Family provide centralized authentication using the TACACS+ protocol.
The addition of TACACS+ support in Cisco MDS SAN-OS Release 1.3 enables the following advantages over RADIUS authentication:
- It provides independent, modular AAA facilities. Authorization can be done without authentication.
- The TCP transport protocol sends data between the AAA client and server, using reliable transfers with a connection-oriented protocol.
- It encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. The RADIUS protocol encrypts only passwords.

Enabling TACACS+

By default, the TACACS+ feature is disabled in all switches in the Cisco MDS 9000 Series. You must explicitly enable the TACACS+ feature to access the configuration and verification commands for fabric authentication. When you disable this feature, all related configurations are automatically discarded.

Server Groups

This subtopic describes server groups.

Server Groups
- Set of servers used for a similar purpose: RADIUS or TACACS+
- Used for specifying AAA policies: allows usage of different RADIUS/TACACS+ servers for different applications
- All servers in a server group should be of one type (either RADIUS or TACACS+)
- Primarily for failover purposes: MDS will try to find a working server

You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, then that server group option is considered a failure. If required, you can specify multiple server groups. If the Cisco MDS switch encounters errors from the servers in the first group, it tries the servers in the next server group.
Specifying the RADIUS Server Address

This subtopic describes how to specify the RADIUS server address.

Specifying the RADIUS Server Address
- Step 1: Specify a key for the selected RADIUS server.
- Step 2: Add servers to the RADIUS server list.
- Step 3: Specify a destination for RADIUS authentication messages.
- Step 4: Specify a destination for RADIUS accounting messages.

You can add up to five RADIUS servers using the radius-server host command. A RADIUS server can be configured to be a primary server, so that it is always contacted first. If you have not configured a primary server, the RADIUS servers are tried in the order in which they were configured. RADIUS keys are always stored in encrypted form in persistent storage. The running configuration also displays encrypted keys.

To specify the RADIUS server address and its options, follow these steps:

Step 1  Specify a key for the selected RADIUS server. This key overrides the key that is assigned using the radius-server key command:

    switch(config)# radius-server host 10.10.0.0 key HostKey

Step 2  Add 10.10.0.0 to the RADIUS server list as the primary server. This server is always tried first:

    switch(config)# radius-server host 10.10.0.0 primary

Step 3  Specify the destination UDP port number to which the RADIUS authentication messages should be sent:

    switch(config)# radius-server host 10.10.0.0 auth-port 2003

Step 4  Specify the destination UDP port number to which RADIUS accounting messages should be sent:

    switch(config)# radius-server host 10.10.0.0 acct-port 2008

Specifying the RADIUS Server Address (Cont.)
- Step 5: Specify the server to be used for accounting: switch(config)# radius-server host 10.10.0.0 accounting
- Step 6: Specify the server using a DNS name.
- Step 7: Specify a cleartext key for the specified server.
- Step 8: Specify a reversible encrypted key for the specified server.

Step 5  Specify this server to be used for accounting purposes:

    switch(config)# radius-server host 10.10.0.0 accounting

Step 6  Specify this server using a DNS name:

    switch(config)# radius-server host radius2

Step 7  Specify a cleartext key for the specified server. The key is restricted to 65 characters:

    switch(config)# radius-server host radius2 key 0 abcd

Step 8  Specify a reversible encrypted key for the specified server. The key is restricted to 65 characters:

    switch(config)# radius-server host radius2 key 7 1234

Setting the RADIUS Pre-shared Key

This subtopic describes how to set the RADIUS pre-shared key (PSK).

Setting the RADIUS Pre-Shared Key
- Create a RADIUS cleartext pre-shared key:
    switch(config)# radius-server key AnyWord
    switch(config)# radius-server key 0 AnyWord
- Create a RADIUS encrypted-text pre-shared key:
    switch(config)# radius-server key 7 public

You need to configure the RADIUS PSK to authenticate the switch to the RADIUS server. The length of the key is restricted to 65 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all RADIUS server configurations on the switch. You can override this global key assignment by explicitly using the key option in the radius-server host command. To set the RADIUS PSK, follow these steps:

Step 1  Configure a PSK (AnyWord) to authenticate communication between the RADIUS client and server. The default is cleartext:

    switch(config)# radius-server key AnyWord

Step 2  Configure a PSK (AnyWord) specified in cleartext (indicated by 0) to authenticate communication between the RADIUS client and server:

    switch(config)# radius-server key 0 AnyWord

Step 3  Configure a PSK (public) specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server:

    switch(config)# radius-server key 7 public

Use the show radius-server command to display the configured RADIUS parameters.

Note: Only administrators can view the RADIUS PSK.

Configuring Login Authentication

This subtopic describes how to configure login authentication.

Configuring Login Authentication
- Configure Telnet and SSH authentication:
    switch(config)# aaa authentication login default group radius local
    switch(config)# show aaa authentication
- Configure console authentication:
    switch(config)# aaa authentication login console group radius local

You can set authentication options separately for remote (Telnet and SSH) versus console login using the aaa authentication login command. If authentication is not configured, local authentication is used by default.

The following configures AAA authentication for Telnet and SSH:

    switch(config)# aaa authentication login default group radius local

The following configures console authentication:

    switch(config)# aaa authentication login console group radius local

Use the show aaa authentication command to verify your AAA configuration.

Enhanced AAA Services

This topic describes how to use enhanced AAA services for monitoring, specifying login servers, and displaying AAA statistics.
AAA Enhancements in SAN-OS 3.x

Cisco MDS SAN-OS Release 3.x includes the following AAA server enhancements:
- Monitoring and validating the availability of remote AAA servers
- Allowing users to specify a remote AAA server name at login
- Displaying AAA server statistics

AAA Server Monitoring

This subtopic describes AAA server monitoring.

AAA Server Monitoring
- Prevents delayed processing of AAA requests that is caused by unresponsive AAA servers
- The monitoring interval for alive servers and dead servers is different and can be configured.
- AAA server monitoring is performed by sending a test authentication request to the AAA server.

An unresponsive AAA server introduces a delay in the processing of AAA requests. A Cisco MDS switch can periodically monitor an AAA server to check whether it is responding (or alive), to save time in processing AAA requests. The Cisco MDS 9000 Series switch marks unresponsive AAA servers as dead and does not send AAA requests to any dead AAA servers. A Cisco MDS switch periodically monitors dead AAA servers and brings them back to the alive state once they are responding. This monitoring process verifies that an AAA server is in a working state before real AAA requests are sent its way. Whenever an AAA server changes to the dead or alive state, an SNMP trap is generated, and the Cisco MDS switch warns the administrator that a failure is taking place before it can affect performance.

Configuring AAA Server Monitoring

This subtopic describes how to configure AAA server monitoring.

Configuring AAA Server Monitoring
- Configure the test idle time interval value in minutes.
- Configure an optional username and password for periodic RADIUS server status testing.
- Configure the dead timer interval value in minutes.
- Manually send test messages to monitor a RADIUS server.
To configure AAA server monitoring, follow these steps:

Step 1  Configure the test idle time interval value in minutes:

    switch(config)# radius-server host 10.1.1.1 test idle-time 20

Step 2  Configure an optional username (testuser) and password (test) for periodic RADIUS server status testing:

    switch(config)# radius-server host 10.1.1.1 test username testuser password test

Step 3  Configure the dead timer interval value in minutes; the valid range is 1 to 1440:

    switch(config)# radius-server deadtime 30

If the dead timer of a dead RADIUS server expires before the switch sends it a RADIUS test message, that server is marked as alive again even if it is still not responding. A test user should therefore be configured with a shorter idle time than the dead timer.

Step 4  Manually send test messages to monitor a RADIUS server:

    switch# test aaa server radius 10.10.1.1 test test

Specifying an AAA Server at Login

This subtopic describes how to specify an AAA server at login.

Specifying an AAA Server at Login
Directed request to an AAA server:
- The user can specify username@servername during login.
- The username is sent to servername for authentication.
- Useful when there is no single AAA infrastructure, but rather several domains in an enterprise.
- Disabled by default.

This option allows users to specify the RADIUS server to which the authentication request is sent when logging in. By default, a Cisco MDS 9000 Series switch forwards an authentication request to the first server in the RADIUS server group. You can configure the switch to allow the user to specify which RADIUS server to send the authentication request to by enabling the directed request option. If you enable this option, the user can log in as username@hostname, where the hostname is the name of a configured RADIUS server.
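To make the server-group failover, the dead-timer caveat in Step 3 above, and the username@servername directed request concrete, here is an added Python model; it is illustration code written for this lesson, not Cisco software, and the server names, the credential table and the minute-based clock are constructed.

```python
"""Added illustration for this lesson (not Cisco software): a model of AAA
server groups, failover and AAA server monitoring as described above.
The server names, credential table and simulated clock are constructed."""
from typing import Dict, List, Optional


class AAAServer:
    def __init__(self, name: str, protocol: str, responding: bool = True) -> None:
        self.name = name
        self.protocol = protocol            # "radius" or "tacacs+"
        self.responding = responding        # constructed: does the real server answer?
        self.alive = True                   # the switch's view of the server
        self.dead_since: Optional[float] = None
        self.last_test = float("-inf")      # never tested yet
        self.real_requests = 0              # real (non-test) requests sent to it


class AAAMonitor:
    """Test idle-time and dead-time behaviour from the lesson."""

    def __init__(self, idle_time: float, deadtime: float) -> None:
        self.idle_time = idle_time          # minutes between test requests
        self.deadtime = deadtime            # minutes a server stays marked dead

    def poll(self, srv: AAAServer, now: float) -> bool:
        # When the dead timer expires, the server is marked alive again even
        # though nothing has confirmed it is responding (the lesson's caveat).
        if not srv.alive and now - srv.dead_since >= self.deadtime:
            srv.alive, srv.dead_since = True, None
        # Periodic test authentication; an unanswered test marks it dead.
        if srv.alive and now - srv.last_test >= self.idle_time:
            srv.last_test = now
            if not srv.responding:
                srv.alive, srv.dead_since = False, now
        return srv.alive


class ServerGroup:
    """Remote AAA servers that implement the same protocol, tried in order."""

    def __init__(self, name: str, protocol: str) -> None:
        self.name, self.protocol = name, protocol
        self.servers: List[AAAServer] = []

    def add(self, srv: AAAServer) -> None:
        if srv.protocol != self.protocol:   # a group holds one protocol only
            raise ValueError(f"{srv.name} is {srv.protocol}; group {self.name} is {self.protocol}")
        self.servers.append(srv)


# Constructed credential stores standing in for the remote servers' databases.
CREDS: Dict[str, Dict[str, str]] = {"radius1": {"alice": "s3cret"},
                                    "radius2": {"alice": "s3cret"},
                                    "tac1": {"bob": "hunter2"}}


def ask_server(srv: AAAServer, user: str, pw: str) -> Optional[str]:
    """Send a real request; None models a timeout from a non-responding server."""
    srv.real_requests += 1
    if not srv.responding:
        return None
    return "accept" if CREDS.get(srv.name, {}).get(user) == pw else "reject"


def login(groups: List[ServerGroup], login_name: str, pw: str,
          monitor: AAAMonitor, now: float, directed_request: bool = False) -> str:
    """Walk the server groups in order, skipping servers marked dead, and fall
    back to the local database when every group fails. With directed request
    enabled, user@servername goes only to that named server."""
    user, _, target = login_name.partition("@")
    if directed_request and target:
        for grp in groups:
            for srv in grp.servers:
                if srv.name == target and monitor.poll(srv, now):
                    return ask_server(srv, user, pw) or "timeout"
        return "reject"
    for grp in groups:
        for srv in grp.servers:
            if not monitor.poll(srv, now):
                continue                    # dead server: not contacted at all
            result = ask_server(srv, login_name, pw)
            if result is None:              # no answer: mark dead, try the next
                srv.alive, srv.dead_since = False, now
                continue
            return result                   # accept or reject ends the search
    return "local"                          # every group failed


def demo_groups() -> List[ServerGroup]:
    radius = ServerGroup("rad-grp", "radius")
    radius.add(AAAServer("radius1", "radius"))
    radius.add(AAAServer("radius2", "radius"))
    tacacs = ServerGroup("tac-grp", "tacacs+")
    tacacs.add(AAAServer("tac1", "tacacs+"))
    return [radius, tacacs]


def requests_to_dead_server(idle_time: float, deadtime: float) -> int:
    """Simulate a day of one login per minute with the first RADIUS server down
    and return how many real requests were wasted on it. With idle_time longer
    than deadtime the server is revived untested and hit again every cycle."""
    down = AAAServer("radius1", "radius", responding=False)
    grp = ServerGroup("rad-grp", "radius")
    grp.add(down)
    grp.add(AAAServer("radius2", "radius"))
    mon = AAAMonitor(idle_time, deadtime)
    for minute in range(1, 1441):
        login([grp], "alice", "s3cret", mon, float(minute))
    return down.real_requests
```

Running requests_to_dead_server(20, 30) against requests_to_dead_server(60, 30) shows why the lesson wants the test idle time shorter than the dead timer: only the second configuration keeps sending real logins to a server that never answers.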
Displaying RADIUS Server Statistics

This subtopic describes how to display RADIUS server statistics.

Display RADIUS server statistics using show radius-server statistics:

    switch# show radius-server statistics
    Server is not monitored
    Authentication Statistics
            successful transactions: 0
            requests sent: 0
            requests timed out: 0
            responses with no matching requests: 0
            responses containing errors: 0
    Accounting Statistics
            successful transactions: 0
            requests sent: 0
            requests timed out: 0
            responses with no matching requests: 0
            responses not processed: 0
            responses containing errors: 0

Summary

This topic summarizes the key points that were discussed in this lesson.

- Secure management protocols such as SSH2 and SNMPv3 provide secure CLI and SNMP remote access to MDS management ports.
- The recommended practice is to configure SSH and disable Telnet.
- RBAC is used to create the different privilege levels that are used to grant access to CLI commands.
- There are two predefined roles: network-operator and network-admin.
- The steps involved in creating an RBAC role are to create the role, create the rules that define the permissions for the role, and configure a VSAN access policy.
- The AAA mechanism authenticates users, grants access, and tracks the actions of users managing a switch using the RADIUS and TACACS+ protocols.
- AAA server monitoring prevents the delayed processing of AAA requests that is caused by unresponsive AAA servers.

References

For additional information, refer to this resource:
- Cisco MDS 9000 Family NX-OS Security Configuration Guide (Release 5.x) at http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/sec/nxos/sec.html

Lesson 8

Implementing Zones

Overview

This lesson explains the differences between basic and enhanced zoning, how to configure zoning, and how to manage zone sets. What causes zone merge conflicts will be discussed, along with the tools available on the Cisco MDS 9000 Series Multilayer Switches to identify and resolve conflicts in the SAN.

Objectives

Upon completing this lesson, you will be able to explain the differences between basic and enhanced zoning and how to configure zoning. This ability includes being able to meet these objectives:
- Describe the purpose and use of zoning within Fibre Channel SANs
- Describe the zone configuration process
- Explain how to verify the zone configuration
- Describe how to configure zone set distribution
- Explain how to merge zones and zone configurations without causing fabric disruption
- Explain how to recover from zone merge failures
- Describe how to rename, clone, copy, back up, and restore a zone set
- Describe the enhanced zoning feature and its configuration requirements
- Describe the process of committing configuration changes to the zone database in enhanced mode
- Describe how to configure and use zone attribute groups
- Describe read-only zone features and configuration
- Describe LUN zoning features and configuration
- Describe how to configure and use Fibre Channel broadcast zoning
- Describe recommended zoning practices

Zoning Overview

Zoning is a security mechanism within Fibre Channel that is used to restrict communication between devices within the same Fibre Channel fabric. Zoning carves a Fibre Channel fabric into multiple partitions. Devices in one zone cannot learn of the existence of devices in other zones. This topic explains how zone membership is used to uniquely identify a device or devices that are to be included in a zone.

Zoning Overview
- Zones restrict communication between devices in the same Fibre Channel fabric.
- Zones consist of one or more zone members.
- Zone sets consist of one or more zones.
- Most management traffic is localized within a zone.

With many different types of servers and storage devices on the network, the need for security is critical. For example, if a host were to gain access to a disk being used by another host, potentially with a different operating system, the data on this disk could become corrupted. To avoid any compromise of critical data within the SAN, zoning allows the user to overlay a security map that dictates which devices, namely hosts, can see which targets, thus reducing the risk of data loss.

As shown in the figure, a zone set consists of one or more zones:
- A zone set can be activated or deactivated as a single entity across all switches in the fabric.
- Only one zone set can be activated at any time.
- A zone can be a member of more than one zone set.
- A zone consists of multiple zone members. Members in a zone can access each other; members in different zones cannot access each other.

Uses for Zoning

Typical uses for zoning include the following:
- Separating initiators from other targets. Frequently, each initiator port will belong in a separate zone with its targets.
- Separating devices that use different operating systems. This practice is useful to protect some operating systems from treating disks that are formatted by other operating systems as blank disks and potentially taking over and overwriting their storage.
- Separating devices that have no need to communicate with other devices in the fabric, or that have classified data.
- Separating devices into departmental, administrative, or other functional groupings.
- Localizing management traffic. Most management traffic does not cross zone boundaries. Zones help to reduce the impact of management traffic on the fabric.

Zone Membership

This subtopic describes zone membership.

Zone Membership
Zone membership types include:
- pWWN
- fWWN
- FC-ID
- Interface and sWWN
- Domain ID and port number
- IP address
- Symbolic node name (such as the iSCSI qualified name)
- Fibre Channel alias
- Device alias
Maximum zones per switch: 2000 with SAN-OS 1.x and 2.x; 8000 with SAN-OS 3.x

A zone member is used to uniquely identify a device or devices that are to be included in a zone. In the Cisco MDS 9000 Series switches, zone members can be defined using any of the possible member types:
- Device port world wide name (pWWN): Zoning that is based on the device pWWN means that zone membership is determined using the device pWWN of a node port (N port) that is attached to the Fibre Channel switch.
- Fabric world wide name (fWWN): Zoning that is based on the fWWN means that zone membership is determined using the pWWN of the fabric port (F port) of the Fibre Channel switch to which the device is attached. In this case, zone membership is associated with a given port on a given line card in a given Fibre Channel switch.
- Fibre Channel ID (FC-ID): Zoning that is based on the FC-ID of an N port that is attached to the switch means that zone membership is determined by the FC-ID that is assigned to a device by the fabric domain controller.

Note: For FC-ID zoning to be useful, you should use static FC-ID assignment.

- Interface and switch world wide name (sWWN): Zoning that is based on the switch port to which the device is attached is typically referred to as interface-based zoning.
This form of zoning allows zone membership to be globally specified based on a given sWWN and interface on that switch; for example, member interface fc3/10 swwn 20:00:00:05:30:00:91:9e.

Note: Interface- and sWWN-based zoning is not yet part of any ANSI Fibre Channel standard, so this form of zoning cannot be used in interoperability virtual storage area networks (VSANs).

- Domain ID and port number: Zoning membership can be based on the domain ID of the switch and the port number on the switch to which the device is attached. Because domain IDs can be allocated dynamically, the use of static domain ID allocation is recommended. The port number is specified as a port index between 0 and 255. It can be difficult to associate a port number with a given module slot and port combination, so it is recommended that you use zoning based on interface and sWWN rather than on domain ID and port number. Domain ID and port number-based zoning is specified in the ANSI Fibre Channel standards, but Fibre Channel vendors can number ports in different ways. Therefore, this form of zoning is not recommended for multivendor fabrics and is unavailable in standards-based interoperability mode.
- IP address: Zoning membership can be based on the device IP address. This form of zoning can be used for Internet Small Computer Systems Interface (iSCSI) devices.
- Symbolic node name: Symbolic node name zoning allows zone members to be defined using their unique symbolic node name, such as the SCSI-qualified name or IP address that is associated with an iSCSI device. In this manner, iSCSI devices can have dynamic pWWNs and node world wide names (nWWNs) associated with them, but they can continue to make use of zoning membership using their globally unique iSCSI Qualified Name (IQN).

Note: Symbolic node name-based zoning is not yet part of any ANSI Fibre Channel standard, so this form of zoning is unavailable for multivendor fabrics.

- Fibre Channel alias: This is zoning membership that is based on a previously defined Fibre Channel alias (fcalias command).

Note: In the Cisco Fabric Manager, the only available zone members are WWNs. However, the command-line interface (CLI) allows you to use the complete set of member types.

In Cisco MDS SAN-OS Release 3.0 or later, the maximum number of zones per switch (including all VSANs) was increased from 2000 to 8000.

Zone Enforcement

This subtopic describes zone enforcement.

Zone Enforcement
- Soft zoning: Implemented in switch software and enforced by the name server. The name server responds to discovery queries only with devices found in the requestor's zone or zones.
- Hard zoning: Enforced by ACLs in the port ASIC, applied to all data path traffic.
- Terminology has evolved: Soft zoning was formerly synonymous with WWN zoning; hard zoning was formerly synonymous with port zoning. MDS switches enforce WWN zones in hardware. Other vendors have also adopted this improvement.

There are two basic ways to enforce zoning: software-based (soft) zoning and hardware-based (hard) zoning:
- Soft zoning: Enforced by the Fibre Channel name server (FCNS) service. When devices connect to a Fibre Channel fabric, they use the FCNS to correlate WWNs to FC-IDs and to discover devices on the fabric. With soft zoning, a Fibre Channel switch responding to a name server query from a device will respond with a list of only those devices that are registered in the same zone or zones as the querying device.
- Hard zoning: Enforced through access control lists (ACLs) that are applied by the switch port ASIC to every Fibre Channel frame that is switched. Because soft zoning does not enforce ACLs on a per-frame basis, soft zoning is not as secure as hard zoning.
Soft zoning does not prevent a rogue device from attaching to the Cisco Fabric Manager Service and obtaining a list of all FC-IDs.

Until recently, most Fibre Channel switches enforced interface-based zone membership in hardware, so the term "hard zoning" has often been used synonymously with "port zoning." Similarly, WWN-based zone members were enforced only by the name server, so the term "soft zoning" has been used synonymously with "WWN zoning." However, this is no longer the case.

Cisco MDS 9000 Series switches support hard zoning for 8000 zones and 20,000 zone members, as well as supporting soft zoning. On the Cisco MDS 9000 Series switches, soft zoning information is downloaded to a hardware ternary content addressable memory (TCAM) module that enforces soft zoning in the port ASIC. Therefore, all zone memberships on the Cisco MDS 9000 Series switches are hardware-enforced. Other switch vendors are also beginning to enforce WWN zone membership at the hardware level. There is no longer a one-to-one relationship between zone membership type (interface or WWN) and enforcement method (soft or hard).

Note: The hard zoning of some vendors reverts to soft zoning when a threshold number of zone members is exceeded.

Configuring Zones and Zone Sets

This topic covers the configuration process for creating zones and zone sets and activating zone sets.

Active and Full Zone Sets (figure: the full zone set and the active zone set)

When you create a zone set, that zone set becomes a part of the complete zone set, which is a database of all zone sets. Only one zone set can be active at a time. When you activate a zone set, the switch makes a copy of that zone set. The copy becomes the active zone set. The active zone set cannot be modified. When you need to modify the active zone set, you modify the original copy of the zone set in the complete zone set database.
When you want the changes to take effect, you then reactivate the zone set. When the activation is done, the active zone set is automatically stored in the persistent configuration. This enables the switch to preserve the active zone set information across switch resets. The active zone set is also propagated to all other switches in the fabric so that they can enforce zoning in their respective switches.

Configuring Device Aliases

This subtopic describes how to configure device aliases.

Configuring Device Aliases
- Configure device aliases:
    switch(config)# device-alias database
    switch(config-device-alias-db)# device-alias name host2-p2 pwwn <pwwn>
- Verify device aliases:
    switch# show device-alias database

As of Cisco MDS SAN-OS Release 2.0, all switches in the Cisco MDS 9000 Series offer a new alias distribution feature called Distributed Device Alias Services (DDAS). In Cisco MDS SAN-OS Release 1.3 and earlier, aliases were distributed on a per-VSAN basis. Using this new, enhanced service, you can now distribute device alias names on a fabric-wide basis.

To configure a device alias, follow these steps:

Step 1  Enter the device-alias database global configuration command.

Step 2  Enter one or more device-alias name string pwwn pwwn subcommands.

When you perform the first device alias task (regardless of which device alias task it is), the fabric is automatically locked for the device alias feature. Once locked, no other user can make configuration changes to this feature. A copy of the active device alias database (if it exists) is obtained and used as the pending database. Modifications from this point on are made to the pending database. The pending database remains in effect until you commit the modifications to the pending database or discard (abort) the changes to the pending database.

To commit the pending changes, use the device-alias commit command.
When you commit the pending database, its contents overwrite the current active database, the pending database is emptied, and the fabric lock is released for this feature.

To verify the device alias configuration, use the show device-alias database command.

Configuring Fibre Channel Aliases

- Create Fibre Channel aliases for a specified VSAN:
    switch(config)# fcalias name HRdisk1 vsan 100
- Verify Fibre Channel aliases.

To configure a Fibre Channel alias, follow these steps:

Step 1  Enter the fcalias name global configuration command.

Step 2  Enter one member pwwn pwwn subcommand.

Configuring Zones

This subtopic describes how to configure zones.

Configuring Zones
- Zoning examples
- Recommended practice: zone using device aliases.

For configuration purposes, a zone is made up of a zone name and members. The zone name is an alphanumeric string that gives information about the zone contents. Zones can be configured using the Cisco Fabric Manager Zone Member wizard or the CLI. To configure a zone using the CLI, use these commands:

    switch# config t
    switch(config)# zone name zone1 vsan 2
    switch(config-zone)# member pwwn 10:00:00:23:45:67:89:ab
    switch(config-zone)# member fwwn 10:01:10:01:10:ab:cd:ef
    switch(config-zone)# member fcid 0xce00d1
    switch(config-zone)# member fcalias HRdisk1
    switch(config-zone)# member domain-id 2 portnumber 23
    switch(config-zone)# member ipaddress 10.15.0.0 255.255.0.0

Use relevant display commands such as show interface or show flogi database to obtain the required value in hexadecimal format. Interface-based zoning works only with Cisco MDS 9000 Series switches. Interface-based zoning does not work if interoperability mode is configured in the particular VSAN. Use the show wwn switch command to retrieve the sWWN. If you do not provide a sWWN, the software automatically uses the local sWWN.
Configuring Zone Sets

This subtopic describes how to configure zone sets.

Configuring Zone Sets
- Configure a zone set and add previously created zones:
    switch(config)# zoneset name zoneset1 vsan 3
- Configure a zone set and create and add new zones:
    switch(config)# zoneset name zoneset1 vsan 3
    switch(config-zoneset)# zone name NewZone1
    switch(config-zoneset-zone)# member device-alias <alias>
    switch(config-zoneset-zone)# zone name NewZone2
    switch(config-zoneset-zone)# member device-alias <alias>

Zones provide a mechanism for specifying access control, while zone sets are groupings of zones to enforce access control in the fabric. Zone sets are configured using a zone set name and the members of the zone set. If the zone set is in a configured VSAN, the VSAN is also specified. The alphanumeric name of the zone set is used for identification purposes and should carry meaning within the fabric. The members of a zone set are zones, and they are configured using the names of the individual zones.

Zone sets, like zones, can be configured from the CLI or the Cisco Fabric Manager GUI. To configure a zone set using the CLI, use these commands:

    switch# config t
    switch(config)# zoneset name zoneset1 vsan 3
    switch(config-zoneset)# zone name NewZone1
    switch(config-zoneset-zone)# member device-alias <alias>

All Cisco MDS 9000 Series switches distribute active zone sets when new expansion port (E port) links come up or when a new zone set is activated in a VSAN. The zoneset distribute full vsan command distributes the complete zone set along with the active zone set. Distribution takes effect while sending merge requests to the adjacent switch or while activating a zone set.

Zone Set Guidelines

Before configuring zone sets, consider the following guidelines:
- Each VSAN can have multiple zone sets, but only one zone set can be active at any given time.
- When you create a zone set, that zone set becomes a part of the complete zone set.
- When you activate a zone set, a copy of the zone set from the complete zone set is used to enforce zoning and is called the active zone set. An active zone set cannot be modified. A zone that is part of an active zone set is called an active zone. You can activate a zone set using the zoneset activate name command.
- The administrator can modify the complete zone set even if a zone set with the same name is active. The changes do not take effect until the zone set is activated with the zoneset activate name command.
- When the activation is finished, the active zone set is automatically stored in the persistent configuration. This enables the switch to preserve the active zone set information across switch resets. You do not have to issue the copy running-config startup-config command to store the active zone set. However, you need to issue the copy running-config startup-config command to explicitly store complete zone sets; otherwise the complete zone set is not available across switch resets.
- All other switches in the fabric receive the active zone set so they can enforce zoning in their respective switches.
- Hard and soft zoning are implemented using the active zone set. Modifications take effect during zone set activation.
- An F/FL or Nx port that is not part of the active zone set belongs to the default zone, and the default zone information is not distributed to other switches.
- If one zone set is active and you activate another zone set, the currently active zone set is automatically deactivated. You do not need to explicitly deactivate the currently active zone set before activating a new zone set.

Activating Zone Sets

This subtopic describes how to activate zone sets.

Activating Zone Sets
- Activate a zone set:
    switch(config)# zoneset activate name Zoneset1 vsan 3
- Deactivate a zone set:
    switch(config)# no zoneset activate name Zoneset1 vsan 3

The zoneset activate command activates the zone set named Zoneset1 in VSAN 3. The activation will automatically deactivate any currently active zone set.
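As an added illustration of the zone set guidelines above and of the soft versus hard enforcement described under Zone Enforcement (this is example code written for the lesson, not Cisco software), the following Python model keeps a full zone-set database, takes a copy at activation, answers name-server queries through the active copy and applies the default-zone deny policy; all pWWNs are constructed.

```python
"""Added illustration for this lesson (not Cisco software): a per-VSAN model
of the full zone-set database, the active copy made at activation, soft
zoning (name-server filtering) and hard zoning (per-frame check) with a
default-zone policy of deny. All pWWNs below are constructed."""
import copy
from typing import Dict, List, Optional, Set


class ZoneServer:
    def __init__(self, default_zone_permit: bool = False) -> None:
        self.full: Dict[str, Dict[str, Set[str]]] = {}   # full zone-set database
        self.active_name: Optional[str] = None
        self.active: Dict[str, Set[str]] = {}            # copy made at activation
        self.default_zone_permit = default_zone_permit   # "Default zone policy: Deny"

    def member(self, zoneset: str, zone: str, pwwn: str) -> None:
        """zoneset name X / zone name Y / member pwwn ... in the full database."""
        self.full.setdefault(zoneset, {}).setdefault(zone, set()).add(pwwn)

    def activate(self, zoneset: str) -> None:
        """zoneset activate name X: the switch copies the set and the copy becomes
        the active set, replacing the previous one. Later edits to the full
        database have no effect until the set is activated again."""
        self.active_name = zoneset
        self.active = copy.deepcopy(self.full[zoneset])

    def zones_of(self, pwwn: str) -> Set[str]:
        """Active zones that list this pWWN; empty means the default zone."""
        return {z for z, members in self.active.items() if pwwn in members}

    def permit_frame(self, src: str, dst: str) -> bool:
        """Hard zoning: the per-frame ACL decision made in the port ASIC."""
        zs, zd = self.zones_of(src), self.zones_of(dst)
        if zs & zd:
            return True                      # share at least one active zone
        if not zs and not zd:
            return self.default_zone_permit  # both sit in the default zone
        return False

    def name_server_query(self, requester: str, online: Set[str]) -> List[str]:
        """Soft zoning: the FCNS answers a discovery query with only those online
        devices that share a zone with the requester."""
        return sorted(d for d in online
                      if d != requester and self.permit_frame(requester, d))

    def analysis(self, online: Set[str]) -> Dict[str, int]:
        """The counts behind 'show zone analysis active': devices zoned out of
        those registered, and zone members that resolve to an online device."""
        members: Set[str] = set().union(*self.active.values())
        zoned = {d for d in online if self.zones_of(d)}
        return {"devices_zoned": len(zoned), "devices_total": len(online),
                "unzoned": len(online) - len(zoned),
                "members_resolved": len(members & online),
                "members_total": len(members),
                "unresolved": len(members - online)}


# Constructed pWWNs for the demonstration (not values from the course).
HOST1, HOST2 = "21:00:00:e0:8b:01:01:01", "21:00:00:e0:8b:02:02:02"
DISK1, DISK2 = "50:06:01:60:00:00:00:01", "50:06:01:60:00:00:00:02"
STRAY1, STRAY2 = "21:00:00:e0:8b:ee:ee:ee", "21:00:00:e0:8b:ff:ff:ff"
ONLINE = {HOST1, HOST2, DISK1, STRAY1, STRAY2}            # DISK2 is offline


def build_demo(default_zone_permit: bool = False) -> ZoneServer:
    """One zone per initiator with its targets, as the lesson recommends;
    STRAY1 and STRAY2 are logged in but left unzoned (default zone)."""
    zs = ZoneServer(default_zone_permit)
    for pwwn in (HOST1, DISK1):
        zs.member("zoneset1", "z_host1", pwwn)
    for pwwn in (HOST2, DISK1, DISK2):
        zs.member("zoneset1", "z_host2", pwwn)
    zs.activate("zoneset1")
    return zs
```

Adding HOST2 to z_host1 with member() after build_demo() changes nothing for permit_frame() until activate() is called again, which is the full-versus-active distinction the guidelines describe.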
Zone Configuration in Cisco Fabric Manager

This subtopic describes zone configuration in Cisco Fabric Manager.

Zone Configuration in Cisco Fabric Manager
- Edit the full zone database
- Configure zoning actions on the active zone set
- Complete zone database

Cisco Fabric Manager provides an easy tool for all zone configuration tasks. Right-click the SAN folder in the Logical Domains pane to create and edit zone sets. The pop-up menu displays several options, including the following:
- Edit Full Zone Database: Choose this option to create and edit Fibre Channel aliases, zones, and zone sets.
- Deactivate Zoneset: Choose this option to deactivate the currently active zone set.
- Copy Full Zone Database: Choose this option to propagate the configured zone set in the VSAN to any switch.
- Edit Full Zone Database: This dialog allows complete Fibre Channel alias, zone, and zone set configuration.
  - Left pane: Displays the Fibre Channel alias, zone, and zone set folders.
  - Bottom-right pane: Displays all name server entries for the VSAN.
  - Top-right pane: Displays the configuration of the Fibre Channel alias, zone, or zone set that you select in the left pane.
  - Add zones: To add a new zone or zone set, select the folder and click the blue arrow.
  - Delete zones: To delete any zone or zone set that is selected in the left pane, or selected items in the top-right pane, click the red arrow.
  - Bottom menu: Provides options to activate, deactivate, and distribute zone sets.

Zone Configuration Verification

This topic explains the basic procedures that are used to verify the zone configuration.

Verifying Zone Configuration (figure: show zoneset output)

To display the current zoning configuration on the local switch, use the show zoneset command in EXEC mode. To verify the current active zone set, use show zoneset active from EXEC mode. The asterisks indicate that a device is visible (online).
A missing asterisk may indicate an offline device or an incorrectly configured zone, possibly a mistyped pWWN.

show zone analysis Command

Cisco MDS SAN-OS 3.0 or later adds the show zone analysis command:
- show zone analysis vsan 10
- show zone analysis active vsan 10
- show zone analysis zoneset zs1 vsan 10

Zoning Enhancements in Cisco MDS SAN-OS 3.x

To better manage the zones and zone sets on your switch, Cisco MDS SAN-OS Release 3.0 or later provides a new way to display zone and zone set information: the show zone analysis command.

    switch# show zone analysis vsan 10
    Zoning database analysis vsan 10
      Full zoning database
        Last updated at: 16:57:06 UTC Mar 04 2010
        Last updated by: Local [ CLI ]
        Num zonesets: 1
        Num zones: 1
        Num aliases: 0
        Num attribute groups: 0
        Formatted size: 112 bytes / 2048 Kb

    switch# show zone analysis active vsan 10
    Zoning database analysis vsan 10
      Active zoneset: zoneset1
        Activated at: 16:57:22 UTC Mar 04 2010
        Activated by: Local [ CLI ]
        Default zone policy: Deny
        Number of devices zoned in vsan: 2/4 (Unzoned: 2)
        Number of zone members resolved: 2/2 (Unresolved: 0)
        Number of IVR zones: 0
        Number of IPS zones: 0
        Formatted size: 60 bytes / 2048 Kb

    switch# show zone analysis zoneset zoneset1 vsan 10
    Zoning database analysis vsan 10
      Zoneset analysis: zoneset1
        Num aliases: 0
        Num attribute groups: 0
        Formatted size: 112 bytes / 2048 Kb

Displaying Zone Information in Cisco Fabric Manager

This subtopic describes how to display zone information in Cisco Fabric Manager.

Zone sets, zones, and zone member information can be displayed by expanding the zone set folder for the VSAN in question. Selecting a zone or zone set will highlight the member devices in the zone in the Cisco Fabric Manager topology map.
Zone configuration changes can be made from the Zone > Edit Full Local Zone Database menu.

Configuring Zone Set Distribution

This topic describes how to configure zone set distribution.

Zone Set Distribution

- By default, only the active zone set is distributed.
- This is also the case when two fabrics merge. Therefore, the full zone database is resident on a single switch only.

zoneset command (configuration mode):

- distribute full enables full zone set propagation on activation:

    switch(config)# zoneset distribute full vsan 3
    switch(config)# zoneset activate name Set2 vsan 3

zoneset command (EXEC mode):

- distribute merges zone set databases; use the zoneset distribute command in EXEC mode:

    switch# zoneset distribute vsan 3
    Zoneset distribution initiated. check zone status

Recommended practice: Manage zoning from a single switch.

By default, only the active zone set is distributed when the zone configuration is changed. You can distribute full zone sets using one of two methods: at the EXEC mode level or at the configuration mode level.

Enabling Full Zone Set Distribution

All switches in the Cisco MDS 9000 Series distribute active zone sets when new Inter-Switch Links (ISLs) come up or when a new zone set is activated in a VSAN. The zone set distribution takes effect while sending merge requests to the adjacent switch or while activating a zone set.

One-Time Distribution

You can perform a one-time distribution of inactive, unmodified zone sets throughout the fabric. Use the zoneset distribute vsan vsan-id command in EXEC mode to perform this distribution.

    switch# zoneset distribute vsan 2
    Zoneset distribution initiated. check zone status

This command only distributes the full zone set information; it does not save the information to the startup configuration.
You must explicitly issue the copy running start command to save the full zone set information to the startup configuration.

Note: The zoneset distribute vsan vsan-id command is supported in interoperability 2 and interoperability 3 modes, not in interoperability 1 mode.

The zoneset distribute vsan command (run in EXEC mode):

- Distributes the full zone set immediately.
- Does not distribute the full zone set information along with the active zone set during the activation, deactivation, or merge process.

The zoneset distribute full vsan command (run in configuration mode):

- Does not distribute the full zone set immediately.
- Remembers to distribute the full zone set information along with the active zone set during activation, deactivation, and merge processes.

The recommended practice is to avoid distributing the full zone set and to manage zoning from a single switch.

Merging Zones Without Disruption

This topic describes how to merge zones and zone configurations without causing fabric disruption.

Merging Zones

- The zone server is a distributed feature on all switches.
- Change and merge protocols are used to synchronize the zoning database.
- The change protocol is used to communicate changes.
- The merge protocol is used when an ISL comes up; it merges the two databases to create a new zoning database.
- The ISL becomes isolated if zone members differ between the switches.

The zone server is a distributed feature on all switches. The high-availability feature for zoning permits stateful restartability and switchability. Activating a zone set will automatically replace the currently active zone set. A copy of the active zone set is maintained to allow modifications to the original zone set. Always compare the active zone set with the proposed zone set changes carefully before making changes.

Adding or deleting a member of a zone, or adding or deleting a zone in a zone set, can be accomplished nondisruptively by simply modifying the stored copy of the active zone set and then reactivating it.
There is no need to deactivate and then reactivate a zone set, and doing so is disruptive.

When a zone set is activated and the fabric is configured for a full zone database update, the full database will be sent to all switches; otherwise, only the active zone set will be sent to all switches. If you are in a homogeneous Cisco MDS fabric and you plan to manage zones from all switches in the fabric, full zone database updates are recommended. More commonly, a single switch will be used to administer zones, in which case propagating only the active zone set is appropriate.

A zone merge occurs when an ISL is initialized. If the ISL is an Enhanced Inter-Switch Link (EISL), then the zone merge is done per VSAN. The merge process stops when the zoning database no longer changes because of updates from all E ports of every switch.

Each zone server interacts with the other zone servers in the fabric to maintain consistent zoning information across the fabric.

Change and merge protocols are used to synchronize the database among zone servers. The change protocol is used to communicate any changes in the database. The merge protocol is used whenever an ISL between two switches becomes operational. The merge protocol merges the two databases to create a new zoning database. If the members of a zone between two switches are not identical, the ISL becomes isolated.

Zone Merge Analysis

This subtopic describes the zone merge analysis.

If a zone merge failure occurs, you can conduct a merge analysis by using Cisco Fabric Manager. To perform a zone merge analysis from Cisco Fabric Manager, follow these steps.

Step 1 Choose Zone > Merge Analysis from the Cisco Fabric Manager Zone menu. The Zone Merge Analysis window is displayed.
Step 2 Select the first switch to be analyzed from the Check Switch 1 drop-down list.

Step 3 Select the second switch to be analyzed from the And Switch 2 drop-down list.

Step 4 Enter the VSAN ID where the zone set merge failure occurred in the For Active Zoneset Merge Problems in VSAN field.

Step 5 Click the Analyze button to analyze the zone merge. Click the Clear button to clear the analysis data from the Zone Merge Analysis window. If you click Analyze without clicking Clear, the new zone merge analysis data is displayed below the old data.

In this example, a zone merge analysis was conducted between switch MDS-1 and switch MDS-2 on VSAN 1. The results show that a VSAN 1 zone set (zoneset1) merge will succeed, because all of the necessary configuration criteria for a zone merge between the two switches have been met for that VSAN.

If a zone merge fails, you can also resolve the merge with the CLI by issuing a show interface command for the E port to determine the isolated VSAN, and by comparing the active zone sets on both switches (show zoneset active). If you prefer the database of one switch over the other, issue a zone merge interface fc1/1 {import | export} [vsan vsan-id] command. The import option of the command overwrites the configuration of the local switch with that of the remote switch. The export option overwrites the zoning configuration of the remote switch with the zoning configuration of the local switch.

Recovering from Zone Merge Failures

This topic describes how to recover from zone merge failures.

Zone Set Import and Export

Zone Set Import and Export (Cont.)
Import the zone set from the adjacent switch connected through the fc1/3 interface for VSAN 200:

    switch# zoneset import interface fc1/3 vsan 200

Export the zone set to the adjacent switch connected through VSAN 200:

    switch# zoneset export vsan 200

An E port is segmented (isolation due to zone merge failure) if the following conditions are true:

- The active zone sets on the two switches differ from each other in terms of zone membership (provided there are zones at either side with identical names).
- The active zone set on both switches contains a zone with the same name but with different zone members.

To resolve the link isolation caused by a failed zone merge using the CLI, follow these steps:

Step 1 Use the show interface command to confirm that the port is isolated because of a zone merge failure.

    switch# show interface fc1/3
    fc1/3 is down (Isolation due to zone merge failure)
        Hardware is Fibre Channel, WWN is 20:43:00:05:30:00:63:96
        vsan is 200
        40 frames input, 1086 bytes, 0 discards
          0 runts, 0 jabber, 0 too long, 0 too short
          0 input errors, 0 CRC, 3 invalid transmission words
          0 address id, 0 delimiter
          0 EOF abort, 0 fragmented, 0 unknown class
        79 frames output, 1234 bytes, 16777216 discards
        Received 23 OLS, 14 LRR, 13 NOS, 39 loop inits
        Transmitted 50 OLS, 16 LRR, 21 NOS, 25 loop inits

Step 2 Verify the zoning information, using the following commands on each switch:

- show zone vsan vsan-id
- show zoneset vsan vsan-id

Step 3 You can use two different approaches to resolve a zone merge failure by overwriting the zoning configuration of one switch with the configuration of the other switch. This can be done with either of the following commands:

- zoneset import interface interface-id vsan vsan-id
- zoneset export vsan vsan-id

The import option of the command overwrites the active zone set of the local switch with that of the remote switch.
The export option overwrites the active zone set of the remote switch with that of the local switch.

Note: If the zoning databases between the two switches are very different, you cannot use the import option. To work around this, you can manually change the contents of the zone database on either of the switches, and then issue a shutdown and no shutdown command sequence on the isolated port. If the isolation is specific to one VSAN and not to an E port, the correct way is to remove that VSAN from the allowed VSANs on the trunk port and re-add it.

Zone Set Import and Export (Cont.)

Initiate the import or export of an active zone set from Cisco Fabric Manager by choosing Zone > Merge Fail Recovery.

Zone Set Import and Export in Cisco Fabric Manager

Note: Importing from one switch and exporting from another switch can lead to isolation again.

You can import active zone sets (do a merge fail recovery) if the cause of an ISL failure is a zone merge failure.

To import an active zone set, follow these steps:

Step 1 From Cisco Fabric Manager, choose Zone > Merge Fail Recovery. You will see the Zone Merge Failure Recovery dialog box.

Step 2 Select the Import Zoneset radio button.

Step 3 Select the switch from which to import the zone set information from the drop-down list.

Step 4 Select the VSAN from which to import the zone set information from the drop-down list.

Step 5 Select the interface to use for the import process.

Step 6 Click the OK button to import the active zone set, or click the Close button to close the dialog box without importing the active zone set.
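The segmentation conditions and the CLI recovery steps above lend themselves to a pre-check before an ISL is brought up or an import/export is issued: compare the two active zone sets for zones that share a name but not their members, and confirm from show interface output which port and VSAN the switch reports as isolated. The Python below is an added example, not Cisco code or material from the ICSNS guide. It models an active zone set as a dict of zone name to set of pWWNs, treats only same-name/different-member zones as conflicts (zones present on one side only are not a conflict under the conditions stated above), and scans show interface text for the "Isolation due to zone merge failure" marker. All switch data is constructed.

```python
"""Zone merge pre-check for two Cisco MDS switches on one VSAN.

Added example; not Cisco code or part of the ICSNS guide. An active zone
set is modelled as {zone_name: set(pWWN)}; only the same-name/different-
members condition from the text is evaluated.
"""

ISOLATION_MARKER = "Isolation due to zone merge failure"

# Constructed active zone sets for two switches. zoneA matches on both
# sides, zoneB differs by one pWWN, zoneC exists on switch 2 only.
SWITCH1_ACTIVE = {
    "zoneA": {"10:00:00:00:c9:2e:11:11", "50:06:01:60:3b:e0:22:22"},
    "zoneB": {"10:00:00:00:c9:2e:33:33", "50:06:01:60:3b:e0:44:44"},
}
SWITCH2_ACTIVE = {
    "zoneA": {"10:00:00:00:c9:2e:11:11", "50:06:01:60:3b:e0:22:22"},
    "zoneB": {"10:00:00:00:c9:2e:33:33", "50:06:01:60:3b:e0:55:55"},
    "zoneC": {"10:00:00:00:c9:2e:66:66"},
}

# Constructed 'show interface' text shaped like the guide's sample:
# one isolated E port and one healthy trunking port.
SHOW_INTERFACE = """\
fc1/3 is down (Isolation due to zone merge failure)
    Hardware is Fibre Channel, WWN is 20:43:00:05:30:00:63:96
    vsan is 200
fc1/4 is trunking
    Hardware is Fibre Channel
    vsan is 200
"""


def merge_conflicts(local, remote):
    """Return zone names present on both switches with different members.

    A zone defined on only one side is simply carried into the merged
    database; a zone defined on both sides must match exactly.
    """
    return sorted(
        name for name in local.keys() & remote.keys()
        if local[name] != remote[name]
    )


def merge_would_succeed(local, remote):
    """True when no same-name zone differs in membership."""
    return not merge_conflicts(local, remote)


def isolated_ports(show_interface_text):
    """Return {port: vsan} for ports the switch reports as isolated by a zone merge failure."""
    result = {}
    current = None
    for line in show_interface_text.splitlines():
        if not line.startswith(" ") and " is " in line:
            # Interface header line, e.g. "fc1/3 is down (Isolation due to ...)"
            name, _, state = line.partition(" is ")
            current = name.strip() if ISOLATION_MARKER in state else None
        elif current and line.strip().startswith("vsan is "):
            result[current] = int(line.strip().split()[-1])
    return result


if __name__ == "__main__":
    for port, vsan in isolated_ports(SHOW_INTERFACE).items():
        print("%s isolated on VSAN %d" % (port, vsan))
    for zone in merge_conflicts(SWITCH1_ACTIVE, SWITCH2_ACTIVE):
        print("zone %r has different members on the two switches" % zone)
```

Running merge_conflicts before choosing between zoneset import and zoneset export shows exactly which zones will be overwritten on the losing side, which is the information to review before either command replaces a switch's active zone set.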
Exporting Active Zone Sets

You can export active zone sets (do a merge fail recovery) if the cause of an ISL failure is a zone merge failure.

To export an active zone set, follow these steps:

Step 1 From Cisco Fabric Manager, choose Zone > Merge Fail Recovery. You will see the Zone Merge Failure Recovery dialog box.

Step 2 Select the Export Zoneset radio button.

Step 3 Select the switch to which to export the zone set information from the drop-down list.

Step 4 Select the VSAN to which to export the zone set information from the drop-down list.

Step 5 Select the interface to use for the export process.

Step 6 Click the OK button to export the active zone set, or click the Close button to close the dialog box without exporting the active zone set.

Managing Zone Sets

This topic describes how to rename, clone, copy, back up, and restore a zone set when managing zone sets.

Zone Set Backup

Use the File menu Backup option to create a backup of a VSAN zone set from Cisco Fabric Manager > Edit Local Full Zone Database.

You can back up the zone configuration to a workstation using TFTP. This zone backup file can then be used to restore the zone configuration on a switch. Restoring the zone configuration overwrites any existing zone configuration on a switch.

To back up the full zone configuration using Cisco Fabric Manager, follow these steps:

Step 1 From Cisco Fabric Manager, choose Zone > Edit Local Full Zone Database, or right-click a VSAN folder in the Logical tab and choose Edit Local Full Zone Database from the pop-up menu.

Step 2 If you chose Zone > Edit Local Full Zone Database, then you see the Select VSAN dialog box. Select the VSAN.

Step 3 Click the OK button. You should see the Edit Local Full Zone Database window for the VSAN you selected.
Step 4 Choose File > Backup to back up the existing zone configuration to a workstation using TFTP.

Zone Set Recovery

This subtopic describes zone set recovery.

Use the File menu Restore option to restore a backup of a VSAN zone set from Cisco Fabric Manager > Edit Local Full Zone Database.

You can back up the zone configuration to a workstation using TFTP. This zone backup file can then be used to restore the zone configuration on a switch. Restoring the zone configuration overwrites any existing zone configuration on a switch.

To restore the full zone configuration using Cisco Fabric Manager, follow these steps:

Step 1 From Cisco Fabric Manager, choose Zone > Edit Local Full Zone Database, or right-click a VSAN folder in the Logical tab and choose Edit Local Full Zone Database from the pop-up menu.

Step 2 If you chose Zone > Edit Local Full Zone Database, then you see the Select VSAN dialog box. Select the VSAN.

Step 3 Click the OK button. You should see the Edit Local Full Zone Database window for the VSAN you selected.

Step 4 Choose File > Restore to restore a saved zone configuration. You can optionally edit this configuration before restoring it to the switch.

Renaming Zone Sets

This subtopic describes how to rename zone sets.

Use the CLI zoneset rename command to rename a zone set from configuration mode:

- zoneset rename currentname newname vsan vsan-id

Rename zones and zone sets from Fabric Manager > Edit Local Full Zone Database.
To rename a zone set, zone, or Fibre Channel alias, use these commands:

    switch# config
    switch(config)# zoneset rename oldname newname
    switch(config)# zone rename oldname newname
    switch(config)# fcalias rename oldname newname

Cloning Zone Sets

This subtopic describes how to clone zone sets.

- You can clone a zone, zone set, Fibre Channel alias, or zone attribute group.
  - For example, you can create a special zone set that is activated during backup windows.
- Use the zoneset clone command to clone a zone set.

To clone a zone or zone set from the Edit Local Full Zone Database window, follow these steps:

Step 1 Select the Zones or Zonesets folder, right-click the folder for the zone or zone set that you want to clone, and choose Clone from the pop-up menu.

Step 2 Enter the name of the cloned zone or zone set. By default, the dialog box displays the selected zone name by prepending the original zone name with "Cloned" (for example, ClonedZone1) and selects the read-only zone state to match the cloned zone.

Step 3 Click the OK button to add the cloned zone to the zone database.

You might want to clone zone sets and zones if you want to create multiple zone set configurations, for example, if you need to create a special zone set that is activated during backup windows.

Copying Zone Sets

This subtopic describes how to copy zone sets.

You can copy an active zone set to:

- The full zone set
- A remote location (using FTP, SCP, SFTP, or TFTP)

This can be helpful if the full zone set is lost:

- You cannot edit the active zone set directly.
- If the full zone set is lost, you can copy the active zone set to the full zone set.

Zone sets can be copied to allow editing of the zone set without alteration of the active zone set. Copy the active zone set either to the full zone set or to a remote location before making edits. The full zone set must exist and be propagated in order for this method to succeed.
Use care when using this method to ensure that you do not overwrite existing common zones in the full zone set.

This feature may be helpful if the full zone set is lost. Because you cannot edit the active zone set directly, you cannot change zone configurations if the full zone set is lost. To fix this problem, you can copy the active zone set to the full zone set using the zone copy command:

    switch# zone copy active-zoneset full-zoneset vsan vsan-id

Copying Zone Sets (Cont.)

Use the Copy option from Cisco Fabric Manager > Edit Local Full Zone Database.

You can recover a database by copying the active zone database to the full zone database.

To copy a zone set, follow these steps:

Step 1 From Cisco Fabric Manager, select a VSAN and right-click to select Edit Local Full Zone Database.

Step 2 Highlight the zone set to be copied, right-click, and select Copy.

Step 3 Enter the tag and select the Prepend or Append radio button.

Step 4 Click the OK button to create the copy.

Migrating a Non-MDS Database

To use the Zone Migration wizard to migrate a non-MDS database, follow these steps:

Step 1 From Cisco Fabric Manager, choose Zone > Migrate Non-MDS Database. You should see the Zone Migration wizard.

Step 2 Enter the IP address, login ID, and password of the Brocade or McData switch that you will be migrating the zone database from.

Step 3 Select the VSAN ID for the destination of the migrated zone database and the switch platform that the zone database will be migrated from. The migration tool requires IP connectivity from both the Cisco Fabric Manager management workstation and the Cisco MDS that will receive the zone database copy.
Step 4 Click the Next button.

Step 5 Translate port-based zones to the new Cisco MDS domain and port offset information by selecting the drop-down menus in the To Domain and Port Offset fields.

Step 6 Click the Next button.

Step 7 Use the Resolve Zone Members dialog to resolve zone membership as either fWWN or pWWN. Click Next.

Step 8 Review the script that will be run on the Cisco MDS to migrate the zone database information. Optionally, select a location to which to save the script as a text file, or make any necessary edits directly to the displayed script.

Step 9 Click the Next button.

Step 10 Select the Cisco MDS switch that the zone database is to be migrated to.

Step 11 Click the Finish button to apply the new zone configuration.

Enhanced Zoning

This topic introduces the benefits of the Cisco enhanced zoning features and their configuration.

Enhanced Zoning Overview

- Based on the FC-GS-4 and FC-SW-3 standards
- Fabric is locked during configuration changes to ensure consistency
- Reduced database size
- Fabric-wide zone policy enforcement
- Enhanced error reporting
- Support for attributes

As of Cisco MDS SAN-OS Release 2.0, Cisco became the first vendor to offer enhanced zoning, compliant with the Fibre Channel-Generic Services-4 (FC-GS-4) and Fibre Channel-Switch Fabric (FC-SW-3) standards specifications. These standards support basic zoning as well as enhanced zoning functionalities.

With basic zoning, two or more administrators can make simultaneous configuration changes. Upon activation, one administrator can overwrite another administrator's changes. With enhanced zoning, all configurations are performed within a single configuration session. When a session begins, the switch locks the entire fabric to implement the change, ensuring consistency within the fabric. In basic zoning, even with distribute full enabled, it is possible that the full zone database is different between switches.
In enhanced zoning, it is not possible to change only the local full zoning database.

In basic zoning, if a zone is a member of multiple zone sets, an instance of the zone is created in each zone set. With enhanced zoning, once a zone is defined, zone sets use references to the zone as required. This results in a reduced database payload size. The savings are more pronounced with larger databases.

In basic zoning, the default zone policy of permit or deny is defined per switch. To ensure proper fabric operation, all switches in the fabric must have the same default zone setting. Enhanced zoning enforces consistent policies for the default zone and default merge control settings throughout the fabric. This fabric-wide policy enforcement reduces the potential for zoning problems.

In basic zoning, troubleshooting failed zone set activations must be done on a per-switch basis. The switch initiating the activation provides a combined status regarding the failure, but it does not identify the switch that is responsible for the failure. Enhanced zoning identifies the nature of the problem and the responsible switch. This enhanced error reporting eases the troubleshooting process.

In basic zoning, the Cisco MDS-specific attributes (quality of service [QoS], broadcast, read-only) and zone member types (IP address, symbolic node name, and so on) may be used only among Cisco MDS 9000 Series switches. The Cisco MDS-specific attributes and types can be misunderstood by switches that are not Cisco switches. Enhanced zoning provides support for attributes and for passing a vendor ID along with a vendor-specific type value to uniquely identify a member type.

In basic zoning, fWWN-based zone membership is supported only among Cisco MDS switches in native Cisco interoperability mode.
Enhanced zoning supports fWWN-based membership in the default interop mode. The fWWN-based member type is now standardized by FC-GS-4 and FC-SW-3.

Enhanced zoning provides locking and distribution capabilities like those provided by Cisco Fabric Services. However, whereas Cisco Fabric Services provides a generalized infrastructure that can be used for many applications, enhanced zoning has been standardized specifically for zoning.

Implementing Enhanced Zoning

This subtopic describes how to implement enhanced zoning.

- All switches in the SAN must support enhanced zoning.
- Enable enhanced mode zoning on a VSAN from any switch:
  - A fabric-wide lock is acquired on the specified VSAN.
  - The active and full zoning databases are distributed.
  - Zoning policies are distributed.
  - All switches in the VSAN move to enhanced zoning.
- Verify that the operation was successful.

By default, the enhanced zoning feature is disabled in all switches in the Cisco MDS 9000 Series. To enable enhanced zoning on a VSAN, you should perform the following steps:

Step 1 Verify that all switches in the fabric are capable of working in enhanced mode. If one or more switches are not capable of working in enhanced mode, then your request to move to enhanced mode is rejected. The Cisco MDS 9000 Family of switches supports enhanced zoning as of Cisco MDS SAN-OS Release 2.0. Note that it is permissible to have one VSAN in basic mode and another VSAN in enhanced mode.

Step 2 Use the zone mode enhanced vsan command to set the operation mode to enhanced zoning. By doing so, you will automatically start a session, acquire a fabric-wide lock, distribute the active and full zoning database using the enhanced zoning data structures, distribute the zoning policies, and then release the lock. All switches in the SAN then move to the enhanced zoning mode.
Step 3 Use the show zone status command to verify that the operation was successful.

After moving from basic zoning to enhanced zoning, Cisco recommends that you save the running configuration so that the setting will persist if the switch should reset.

Note: The Fibre Channel standards do not allow you to move back to basic zoning. However, Cisco MDS 9000 Series switches allow this capability to enable you to downgrade or upgrade to other Cisco NX-OS releases.

To change to the basic zoning mode from the enhanced mode, follow these steps:

Step 1 Verify that the active and full zone sets do not contain any configuration that is specific to the enhanced zoning mode (such as an attribute group). If such configurations exist, delete them before proceeding. If you do not delete the exis
