Difference between revisions of "Brocade Fibre Channel zoning"

From FnordWiki
Line 32: Line 32:
 
Switch:admin> '''switchEnable'''
 
Switch:admin> '''switchEnable'''
 
Switch:admin>
 
Switch:admin>
  +
At this point there is a switch, all the (licensed) ports are turned on, but no device can talk to any other device on the switch fabric. So it is good for turning electricity into heat and noise, but not too much else.
  +
  +
== Add some server HBAs ==
  +
Where "HBA" is "host bus adapter." An HBA has one or more ports. And each port has a WWPN or world wide port name. And for purposes of zoning, we will allow these WWPN-identified devices to talk to each other over the switch fabric. Remember, a zone allows traffic between switch ports that are members of that zone. In general, a single server HBA port should see only the storage device it is consuming storage from. This is the Fibre Channel version of the least privilege principal. And there are some fabric overhead reasons to do this as well.
  +
  +
=== Collect HBA WWPNs from a Linux host ===
  +
In these days of sysfs on Linux, an HBA port's WWPN can be found like so:
  +
adj@tanstaafl:~$ '''ls /sys/class/fc_host'''
  +
host4 host5 host6 host7
  +
adj@tanstaafl:~$ '''grep ^0x /sys/class/fc_host/host*/port_name'''
  +
/sys/class/fc_host/host4/port_name:0x50060b0000672cfc
  +
/sys/class/fc_host/host5/port_name:0x50060b0000672cfe
  +
/sys/class/fc_host/host6/port_name:0x50060b0000675338
  +
/sys/class/fc_host/host7/port_name:0x50060b000067533a
  +
adj@tanstaafl:~$
  +
Did it this way so that we get the HBA's name (host''N'') '''and''' the WWPN in the output.
  +
  +
=== Create some aliases on the FibreChannel switch ===
  +
Aliases are a way to give a human-friendly name to an 8-byte WWPN. These aliases will be used in following steps when zones are created.
  +
Switch:admin> '''aliCreate tanstaafl_host4, 50:06:0b:00:00:67:2c:fc'''
  +
Switch:admin> '''aliCreate tanstaafl_host5, 50:06:0b:00:00:67:2c:fe'''
  +
Switch:admin> '''aliCreate tanstaafl_host6, 50:06:0b:00:00:67:53:38'''
  +
Switch:admin> '''aliCreate tanstaafl_host7, 50:06:0b:00:00:67:53:3a'''
  +
Switch:admin>
  +
If you're reading the online help for the Brocade CLI, it shows all the the keywords and values wrapped in double quotes. If you know bash's quoting rules the double quotes are easy to avoid. The <code>alicreate</code> command takes 2 arguments: the alias name followed by a comma and the alias members, which may be WWPNs or actual port numbers.
  +
  +
Also important to note here, that with Linux especially, the name of the HBAs may well change. They are assigned sequentially as device driver modules are loaded. So perhaps it would be better to do these based on PCI-X/PCIe slot number as labelled on the server chassis instead. So instead of the above, let's do this instead:
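Review bot: The added alias section creates aliases named after hostN (tanstaafl_host4 through tanstaafl_host7), and its own last paragraph then says those names can change as driver modules load. That paragraph ends at "let's do this instead:" with no commands after it, so the revision leaves only the unstable naming on the page. Either add the slot-based aliCreate lines or hold the trailing sentence back until they exist. Two wording fixes in the same hunk: "least privilege principal" should be "principle", and "all the the keywords" has a doubled word.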

Revision as of 19:13, 15 April 2025

Zoning? Forbidden zone? Neutral zone? End zone? What?

So, "zoning" is a way of limiting which devices on a Fibre Channel fabric (network) can talk to which other devices. In general, a zone will be very fine grained, allowing a single port on a server to talk to a single storage device (disk array host port, tape drive in a library, etc). These individual zones are combined into a "configuration." Multiple configurations may be defined, but only a single configuration can be activated at any given time. Some of this terminology is Brocade specific. Other manufacturers' (Cisco, Juniper, QLogic, McDATA) management interfaces use different words, but mostly the concepts are the same.

For demonstration purposes, we're going to enable the Fibre Channel components of the Mad Cow Ceph-backed Fibre Channel target storage solution to communicate with each other.

Wipe all configurations, zones, aliases from the switch

Switch:admin> defZone --noaccess        # default to no access unless allowed
You are about to set the Default Zone access mode to No Access
Do you want to set the Default Zone access mode to No Access ? (yes, y, no, n): [no] y
Switch:admin> switchDisable             # Not strictly required.  Turns off all the ports while switch is being configured.
Switch:admin> cfgDisable
You are about to disable zoning configuration. This
action will disable any previous zoning configuration enabled.
Do you want to disable zoning configuration? (yes, y, no, n): [no] y
Updating flash ...
Effective configuration is empty. "No Access" default zone mode is ON.
Switch:admin> cfgClear
The Clear All action will clear all Aliases, Zones, FA Zones 
and configurations in the Defined configuration.
Run cfgSave to commit the transaction or cfgTransAbort to
cancel the transaction. 
Do you really want to clear all configurations?  (yes, y, no, n): [no] y
Switch:admin> cfgSave
You are about to save the Defined zoning configuration. This
action will only save the changes on Defined configuration.
If the update includes changes to one or more traffic isolation
zones, you must issue the 'cfgenable' command for the changes
to take effect.
Do you want to save the Defined zoning configuration only?  (yes, y, no, n): [no] y
Updating flash ...
Switch:admin> switchEnable
Switch:admin>

At this point there is a switch, all the (licensed) ports are turned on, but no device can talk to any other device on the switch fabric. So it is good for turning electricity into heat and noise, but not too much else.

Add some server HBAs

"HBA" stands for "host bus adapter." An HBA has one or more ports, and each port has a WWPN, or world wide port name. For purposes of zoning, we will allow these WWPN-identified devices to talk to each other over the switch fabric. Remember, a zone allows traffic between switch ports that are members of that zone. In general, a single server HBA port should see only the storage device it is consuming storage from. This is the Fibre Channel version of the principle of least privilege. There are some fabric overhead reasons to do this as well.

Collect HBA WWPNs from a Linux host

In these days of sysfs on Linux, an HBA port's WWPN can be found like so:

adj@tanstaafl:~$ ls /sys/class/fc_host
host4  host5  host6  host7
adj@tanstaafl:~$ grep ^0x /sys/class/fc_host/host*/port_name
/sys/class/fc_host/host4/port_name:0x50060b0000672cfc
/sys/class/fc_host/host5/port_name:0x50060b0000672cfe
/sys/class/fc_host/host6/port_name:0x50060b0000675338
/sys/class/fc_host/host7/port_name:0x50060b000067533a
adj@tanstaafl:~$ 

The grep is done this way so that we get both the HBA's name (hostN) and the WWPN in the output.

Create some aliases on the FibreChannel switch

Aliases are a way to give a human-friendly name to an 8-byte WWPN. These aliases will be used in following steps when zones are created.

Switch:admin> aliCreate tanstaafl_host4, 50:06:0b:00:00:67:2c:fc      
Switch:admin> aliCreate tanstaafl_host5, 50:06:0b:00:00:67:2c:fe
Switch:admin> aliCreate tanstaafl_host6, 50:06:0b:00:00:67:53:38
Switch:admin> aliCreate tanstaafl_host7, 50:06:0b:00:00:67:53:3a
Switch:admin>

If you're reading the online help for the Brocade CLI, it shows all the keywords and values wrapped in double quotes. If you know bash's quoting rules, the double quotes are easy to avoid. The alicreate command takes 2 arguments: the alias name, followed by a comma and the alias members, which may be WWPNs or actual port numbers.
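The two steps above (read each port_name from sysfs, then type an aliCreate line per port) can be scripted so the WWPNs are never retyped by hand. This is an added example, not part of the original page; the function names and the PREFIX_hostN alias scheme are assumptions that mirror the session above, and the demo runs on a constructed directory holding the four port_name values shown on this page.

```shell
#!/bin/sh
# Added example, not from the original page.

# wwpn_to_colon 0x50060b0000672cfc  ->  50:06:0b:00:00:67:2c:fc
# Accepts exactly 16 hex digits (optional 0x prefix); returns 1 otherwise.
wwpn_to_colon() {
    hex=${1#0x}
    case $hex in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 16 ] || return 1
    printf '%s\n' "$hex" | tr 'A-F' 'a-f' | sed 's/../&:/g; s/:$//'
}

# emit_alicreate PREFIX [FC_HOST_DIR]
# Prints one "aliCreate PREFIX_hostN, WWPN" line per FC host port found.
emit_alicreate() {
    prefix=$1
    dir=${2:-/sys/class/fc_host}
    for f in "$dir"/host*/port_name; do
        [ -r "$f" ] || continue            # glob matched nothing, or unreadable
        host=$(basename "$(dirname "$f")")
        wwpn=$(wwpn_to_colon "$(cat "$f")") || {
            echo "skipping $f: not a 64-bit WWPN" >&2
            continue
        }
        printf 'aliCreate %s_%s, %s\n' "$prefix" "$host" "$wwpn"
    done
    return 0
}

# make_demo_tree DIR: constructed stand-in for /sys/class/fc_host, filled
# with the four port_name values shown on this page.
make_demo_tree() {
    for pair in host4:0x50060b0000672cfc host5:0x50060b0000672cfe \
                host6:0x50060b0000675338 host7:0x50060b000067533a; do
        mkdir -p "$1/${pair%%:*}"
        printf '%s\n' "${pair#*:}" > "$1/${pair%%:*}/port_name"
    done
}

# Demo on the constructed tree; on a real host, omit the second argument.
demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
emit_alicreate tanstaafl "$demo_dir"
rm -rf "$demo_dir"
```

Review the generated lines before pasting them into the switch session: each alias decides which port a zone will later admit, so a wrong WWPN grants access to the wrong device.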

It is also important to note that, with Linux especially, the names of the HBAs may well change. They are assigned sequentially as device driver modules are loaded. So perhaps it would be better to name the aliases based on the PCI-X/PCIe slot number as labelled on the server chassis. So instead of the above, let's do this: