52 Posts
0
2089
April 1st, 2007 12:00
zoning
What is the real benefit of zoning?
Why not just open all the connection?
In my 3 years old environment there wasn't any zoning and everything worked fine.
Why do I need it with EMC?


JasonBailey
147 Posts
0
April 6th, 2007 17:00
Why not just open all the connection?
In my 3 years old environment there wasn't any zoning
and everything worked fine.
Why do I need it with EMC?
A few reasons I can think of off the top of my head:
1) Registered State Change Notifications (RSCNs) get propagated to every device on your SAN when you reboot a server. When you use zoning RSCNs only get propagated to devices within that same zone.
From Brocade Design Deployment and Management Guide page 124:
Be aware of mixing different HBA vendors in a single zone. Each vendor HBA responds differently to RSCNs, a method to notify an HBA for device discovery, and may cause one of the HBAs to lose the zoned device.
In addition it is recommended to have single initiator zones, that is one HBA per zone.
Separate HBAs from each other for clustered hosts. Allow each HBA to see the same storage but not
each other. Once again, RSCNs, may cause the clustered host HBA to lose the storage array.
www.brocadejapan.com/resources/tl/pdf/DDM_v3_0_53-0000366-03_C.pdf
2) SCSI Bus resets can be propagated from an upset server and spam all visible targets. This can cause every target to abort any current I/O with any server. Bus resets against a fibre tape device can cause tape rewinds and tape corruption, this is also one of the reasons EMC doesn't recommend sharing disk and tape on the same HBA.
3) Logon history tables for disk arrays would be a mess (as already mentioned).
ble1
6 Operator
•
14.4K Posts
•
56.2K Points
0
April 2nd, 2007 01:00
Kiran3
410 Posts
0
April 2nd, 2007 01:00
because emc designs the systems for single initiator zoning (i believe since they push that requirement).
this also helps them troubleshoot the connectivity issues by isolating things. or maybe they just like it to be that way
Kiran3
410 Posts
0
April 2nd, 2007 01:00
SAN basically emulates a SCSI transport over fibre. old SCSI systems were used on a standalone machine where one SCSI controller would connect to many scsi devices (targets). This setup assumed that there would be only one controller on the bus to control the devices. as discussed somewhere on the forum earlier, this is referred to as single initiator zoning.
if you open all the connections, all HBAs (SCSI controllers) see all the targets and even HBAs...this can lead to connectivity issues if the HBA drivers or targets (sp ports) run into any logical semaphore which they haven't been designed to handle.
practically we have seen issues while detecting storage or intermittent connection issues.
to overcome this and to maintain the expected environment for everything, zoning helps...even otherwise, this isolates traffic between irrelevant nodes.
to add on that, with help of zoning we can isolate host and arrays at switch level for more control over interconnection.
there is a logical limit to how many HBAs will login to a single storage port. by opening all the connections, all hbas try to login to available ports and chances are that you will run over the limits soon. zoning allows you to prevent that.
sysmgr1
2 Intern
•
128 Posts
0
April 2nd, 2007 10:00
aries3
52 Posts
0
April 2nd, 2007 12:00
I have used HP EVA on the same SAN. And we haven't used ZONING. The overhead zoning is adding to the management task is tremendous.
What will happen if I simply allow all traffic on the FC-switch? Why isn't masking enough? Has anyone tried it?
I have tape at the SAN and with it we are using switch port zoning.
I can argue about security and troubleshooting but I don't want to, at this thread.
dynamox
11 Legend
•
20.4K Posts
•
87.4K Points
1
April 2nd, 2007 19:00
Take for example EMC Celerra. FA ports that are used for connecting Celerra to DMX do not have VCM bit enabled. That means that there is no masking done on those FA. I am sure you are familiar how windows tries to grab any disk it can and write its signature to it. So imagine without zoning, my windows boxes would start logging in to my FAs and start corrupting my Celerra drives.
Kiran3
410 Posts
0
April 3rd, 2007 01:00
that's a perfect example...
here is one more...
imagine you have just a clariion/symmetrix and 16 hosts with 2 hbas each. in this case, every HBA will log in to each array port. i.e. 32 initiators on a single port from array view. i believe this is an upper limit.
now if you add one more host, it will not be able to register itself on the array.
this was specific to EMC in a very basic setup, but i am sure other vendors also have these limits set.
can someone post about non-EMC limits?
aries3
52 Posts
0
April 3rd, 2007 05:00
Why do I need zoning???
Kiran3
410 Posts
0
April 3rd, 2007 05:00
for a small setup like this where "Every one (admin) 'know' the others", zoning may not be required. zoning is not a mandatory step but it is optional for tidy things in big shops.
My setup has few hundred hosts and more than two handful number of arrays...such setup can't rely on the zoneless approach...we need to limit who sees what and thereby reducing mess-up when someone accidentally deletes or works on incorrect devices.
dynamox
11 Legend
•
20.4K Posts
•
87.4K Points
0
April 3rd, 2007 06:00
32 initiators on a
upper limit.
sysmgr1
2 Intern
•
128 Posts
0
April 9th, 2007 07:00
4) Things will break.
I can tell you this from experience. Years and years ago when SANs were new, I was asking the same questions about zoning and did not have it implemented. Then one day an HBA on a host went crazy and locked up everything on the enterprise. So then each node got one big zone. When the EMC arrays were added, being the aggressive initiators they are, they logged into everything they could find, including the other vendor's arrays and locked things up. So now, every HBA gets a zone for each storage port connected. One node, one storage port per zone. Since then, no problems. It might seem like overkill but in the long run it helps keep things a lot more stable.
sfuhrman
25 Posts
0
August 29th, 2007 15:00
here's a couple reasons why:
most storage arrays have a finite limit of supported initiator logins. You can quickly go over this limit when not using zoning.
troubleshooting: when you quickly want to know which array a host is talking to, zoning gives you the gospel truth to what arrays a host can see. If you have a dinky environment you probably don't care, but when you have 10's or 100's of arrays and thousands of hosts, this matters.
Every once in a while an HBA will go bonkers. I have seen HBAs go crazy and do PLOGI storms to every target they can talk to, continuously. Zoning is cheap insurance to limit the damage.
RSCN's... already mentioned above I'm sure. Some hosts don't handle RSCN's as gracefully as others.
Windows - tends to grab whatever disks it can and write its signature over everything it can touch.
A second level of defense. With zoning, even if your masking is incorrect, you have one more defense mechanism that might prevent data being overwritten or corruption.
Bottom line is if you want to practice good practices, zoning is near the top of the list. I prefer single initiator zoning for its simplicity of management. Some people are more anal about it and put only one initiator and one target in a zone (single initiator/single target zoning). That is fine, a bit more work and harder to keep track of. Also switches have a finite limit of zones, and you can go over this limit much quicker by using single initiator/single target zoning vs. single initiator zoning.
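An added example, not part of any post in this thread: a small Python audit of two points made above, the per-port initiator login limit and single initiator zoning, comparing an open fabric with a zoned one. Port names, the sample fabric and the function names are constructed for illustration; the limit of 32 is the figure quoted earlier in the thread and is treated here as an assumption.

```python
from collections import defaultdict

LOGIN_LIMIT = 32  # assumed per-port initiator limit (figure quoted in the thread)

def open_fabric(initiators, targets):
    """No zoning: model the fabric as one zone holding every port."""
    return {"open": set(initiators) | set(targets)}

def single_initiator_zones(hba_to_targets):
    """One zone per HBA, containing that HBA and its storage ports only."""
    return {f"z_{hba}": {hba, *tgts} for hba, tgts in hba_to_targets.items()}

def logins_per_target(zones, initiators, targets):
    """Count the initiators that share at least one zone with each target."""
    seen = defaultdict(set)
    for members in zones.values():
        for t in members & targets:
            seen[t] |= members & initiators
    return {t: len(seen[t]) for t in targets}

def audit(zones, initiators, targets, limit=LOGIN_LIMIT):
    """Flag zones with more than one initiator and ports over the limit."""
    findings = []
    for name, members in sorted(zones.items()):
        n = len(members & initiators)
        if n > 1:
            findings.append(f"{name}: {n} initiators share a zone")
    counts = logins_per_target(zones, initiators, targets)
    for t, n in sorted(counts.items()):
        if n > limit:
            findings.append(f"{t}: {n} initiator logins exceeds limit {limit}")
    return findings

def build_sample(hosts=17):
    """Constructed fabric: `hosts` servers x 2 HBAs and two array ports."""
    targets = {"array_port_a", "array_port_b"}
    plan = {}
    for h in range(hosts):
        plan[f"host{h:02d}_hba0"] = {"array_port_a"}  # fabric A path
        plan[f"host{h:02d}_hba1"] = {"array_port_b"}  # fabric B path
    return set(plan), targets, plan

if __name__ == "__main__":
    inits, tgts, plan = build_sample()
    for label, zones in (("open", open_fabric(inits, tgts)),
                         ("zoned", single_initiator_zones(plan))):
        print(label, logins_per_target(zones, inits, tgts))
        for finding in audit(zones, inits, tgts):
            print("  ", finding)
```

With 17 hosts, the open fabric puts 34 initiators on each array port, while the single initiator layout leaves 17 per port and no initiator can see another.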
RitaWorkman
20 Posts
0
September 18th, 2007 11:00
Here is another reason(s).
To provide auditing proof that the data is secure and can only be accessed by the sources that have rights to it. In service provider environments, or in large corporate environments, or govt. Zoning the HBA's provides proof that the hardware, hence the data behind it, is visible only to the prescribed parties. In govt you might have many different agencies' hardware being housed under "one roof". But when hardware is purchased for one agency to meet the needs of a specifically funded job or project, this can not be shared with another. System auditing must prove that this hardware was used ONLY and available only by the proper agency.
Zoning is time consuming and requires significant documentation, if it is to be handled properly. It is a front line proof of security and it is much quicker to confirm that host can't see the disk - than to have to check every disk to see if it's masked !!
xe2sdc
6 Operator
•
2.8K Posts
0
September 19th, 2007 02:00
All the reasons stated above are good for me (but I'm a little biased as you may see)
And someone may still think that zoning isn't really needed.
It's not wrong .. it's a different way of thinking.
Someone may also think that it's safe to keep data on a single hard disk and make backups every night with a USB disk .. is it wrong ?? No .. it's simply different .. It depends on your needs .. Someone needs a DMX4, someone else uses a USB disk ..
I do copy the pics I take with my Nikon on at LEAST 3 different disks .. and run backups on DLT .. and put them also on DVD+R .. Is it overkill ?? No I don't think so .. I lost my pictures of a trip to Paris .. So I choose NOT to lose data anymore at home