This post is more than 5 years old
11 Posts
0
16379
Hard & Soft Zoning
Hi,
I am totally confused with the difference between hard zoning and soft zoning, can someone explain?
Thanks
This post is more than 5 years old
11 Posts
0
16379
Hi,
I am totally confused with the difference between hard zoning and soft zoning, can someone explain?
Thanks
Top
Roger_Wu
2 Intern
2 Intern
•
4K Posts
1
December 11th, 2013 17:00
Please refer to the whitepaper "Building Secure SANs":
http://www.emc.com/collateral/hardware/technical-documentation/h8082-building-secure-sans-tb.pdf
Wide Name (nWWN) regardless of the physical port on the switch to which it is connected. Soft zoning does not perform any filtering of frames among zones; it merely restricts routing information from being passed to unauthorized zone members. One significant advantage of soft zoning is its flexibility and ease of management. For example, with soft zoning if a node must be physically moved and plugged in to a new port, its zone membership stays intact. A significant security disadvantage is that a malicious node could spoof any given nWWN on the fabric and access data located on a LUN to which it normally would not have access.
Hard zoning, using physical switch ports for zone membership, is a more secure zoning method. Not only is routing information not passed to unauthorized zone members, but frames are filtered to ensure only authorized zone members can communicate. WWN spoofing and route-based attacks would be defended. Hard zoning security benefits come at the cost of SAN management.
asceticenergy
80 Posts
1
December 11th, 2013 12:00
Hi Sampa ,
Hard Zoning - aka - Port Zoning - The switch ports are logically grouped into a zone to enable communication .
Soft Zoning - aka - WWNN Zoning - The node ports(HBA/Array) are logically grouped into a zone .
Jyothi_P_Bharat
317 Posts
3
December 12th, 2013 01:00
Hi Sampa,
Soft Zoning : Soft zoning uses the name server to enforce zoning. The World Wide Name (WWN) of the elements enforces the configuration policy.
Pros:
- Administrators can move devices to different switch ports without manually reconfiguring
zoning. This is major flexibility to administrator. You don't need to change once you create zone set for particular device connected on switch. You create a zone set on switch and allocate storage to host. You can change any port for device connectivity
Cons:
- Devices might be able to spoof the WWN and access otherwise restricted resources.
- Device WWN changes, such as the installation of a new Host Bus Adapter (HBA) card, require
policy modifications.
- Because the switch does not control data transfers, it cannot prevent incompatible HBA
devices from bypassing the Name Server and talking directly to hosts.
Hard Zoning: - Hard Zoning uses the physical fabric port number of a switch to create zones and enforce the policy.
Pros:
- This system is easier to create and manage than a long list of element WWNs.
- Switch hardware enforces data transfers and ensures that no traffic goes between
unauthorized zone members.
- Hard zoning provides stronger enforcement of the policy (assuming physical security on the
switch is well established).
Cons:
- Moving devices to different switch ports requires policy modifications.
Thanks
Jyothi
sampa1
11 Posts
0
December 12th, 2013 05:00
Hi asceticenergy/roger/jyothi,
thanks for your answers. It is really helpful.
Roger_Wu
2 Intern
2 Intern
•
4K Posts
0
December 12th, 2013 06:00
You are welcome.
Please mark our answers as correct/helpful if they can help you.
Jyothi_P_Bharat
317 Posts
0
December 12th, 2013 08:00
Hi Sampa,
You are welcome.
christopher_ime
2K Posts
0
December 12th, 2013 16:00
It is worth mentioning that EMC recommends: Soft/WWPN/pWWN zoning (over Hard/Port zoning).
EMC also does *not* recommend WWNN/nWWN (soft) zoning either (subtle but important distinction).
christopher_ime
2K Posts
1
December 12th, 2013 17:00
I also wanted to mention that sometimes you'll see reference to: "Hybrid" zoning. This is, as you probably already figured, a combination of the 2.
For instance, while not recommended by EMC for the reason mentioned above, you could have a zone that includes a WWPN/pWWN of one endpoint such as the host HBA + the physical switch port where the array SP port might be (physically) connected to.
sampa1
11 Posts
0
December 12th, 2013 20:00
Hi Chris,
I got your point, thanks chris