Security and zoning, Zone merging, Security and zoning zone merging – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual
Page 329
Security and zoning
Zones provide controlled access to fabric segments and establish barriers between operating
environments. They isolate systems with different uses, protecting individual systems in a
heterogeneous environment; for example, when zoning is in secure mode, no merge operations occur.
Brocade Advanced Zoning is configured on the primary fabric configuration server (FCS). The primary
FCS switch makes zoning changes and other security-related changes. The primary FCS switch also
distributes zoning to all other switches in the secure fabric. All existing interfaces can be used to
administer zoning.
You must perform zone management operations from the primary FCS switch using a zone
management interface, such as Telnet or Web Tools. You can alter a zone database, provided you are
connected to the primary FCS switch.
When two secure fabrics join, the traditional zone merge does not occur. Instead, a zone database is
downloaded from the primary FCS switch of the merged secure fabric. When E_Ports are active
between two switches, the name of the FCS server and a zoning policy set version identifier are
exchanged between the switches. If the views of the two secure fabrics are the same, the fabric’s
primary FCS server downloads the zone database and security policy sets to each switch in the fabric.
If there is a view conflict, the E_Ports are segmented due to incompatible security data.
All zones should use frame-based hardware enforcement; the best way to do this is to use WWN
identification exclusively for all zoning configurations.
Zone merging
When a new switch is added to the fabric, it automatically takes on the zone configuration information
from the fabric. You can verify the zone configuration on the switch using the procedure described in
"Viewing the configuration in the effective zone database" on page 325.
If you are adding a switch that is already configured for zoning, clear the zone configuration on that
switch before connecting it to the zoned fabric. Refer to "Clearing all zone configurations" on page 326
for instructions.
Adding a new fabric that has no zone configuration information to an existing fabric is very similar to
adding a new switch. All switches in the new fabric inherit the zone configuration data. If the existing
fabric has an effective zone configuration, then the same configuration becomes the effective
configuration for the new switches.
Before the new fabric can merge successfully, it must pass the following criteria:
• Before merging - To facilitate merging, check the following before merging switches or fabrics:
  ‐ Defaultzone: The switches must adhere to the default zone merge rules, as described in
  ‐ Effective and defined zone configuration match: Ensure that the effective and defined
    zone configurations match. If they do not match, and you merge with another switch, the
    merge may be successful, but unpredictable zoning and routing behavior can occur.
• Merging and segmentation
The fabric is checked for segmentation during power-up, when a switch is disabled or enabled, or when
a new switch is added.
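An added example, not from the Brocade guide: one way to automate the effective/defined match check from the list above together with the WWN-only recommendation from the Security and zoning section. The dictionary layout, the function names and the sample data are assumptions constructed for illustration; the code does not parse Fabric OS command output.

```python
import re

# WWN in colon-separated hex form, e.g. 10:00:00:00:c9:aa:00:01
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)

def resolve(members, aliases, seen=frozenset()):
    """Expand alias names recursively; non-alias members are kept, lower-cased."""
    out = set()
    for m in members:
        if m in aliases and m not in seen:   # 'seen' guards against alias cycles
            out |= resolve(aliases[m], aliases, seen | {m})
        else:
            out.add(m.lower())
    return out

def premerge_findings(defined, effective):
    """Return a list of findings; an empty list means both checks pass."""
    cfg_name, eff_zones = effective["cfg"], effective["zones"]
    cfg_zones = defined["cfgs"].get(cfg_name)
    if cfg_zones is None:
        return [f"effective cfg '{cfg_name}' is not in the defined configuration"]
    findings = []
    for z in sorted(set(cfg_zones) | set(eff_zones)):
        if z not in eff_zones:
            findings.append(f"zone '{z}' is defined in '{cfg_name}' but not effective")
        elif z not in cfg_zones or z not in defined["zones"]:
            findings.append(f"zone '{z}' is effective but has no matching defined zone")
        else:
            want = resolve(defined["zones"][z], defined["aliases"])
            have = {m.lower() for m in eff_zones[z]}
            if want != have:
                findings.append(f"zone '{z}' differs: defined-only {sorted(want - have)}, "
                                f"effective-only {sorted(have - want)}")
            findings += [f"zone '{z}' member '{m}' is not a WWN"
                         for m in sorted(want | have) if not WWN_RE.match(m)]
    return findings

# Constructed sample data (not from a real switch); '1,4' stands for a non-WWN member.
DEFINED = {
    "cfgs": {"prod_cfg": ["db_zone", "backup_zone"]},
    "zones": {"db_zone": ["db_host", "array_a"],
              "backup_zone": ["10:00:00:00:c9:aa:00:03", "1,4"]},
    "aliases": {"db_host": ["10:00:00:00:C9:AA:00:01"], "array_a": ["50:05:07:61:00:aa:00:02"]},
}
EFFECTIVE = {"cfg": "prod_cfg", "zones": {
    "db_zone": ["10:00:00:00:c9:aa:00:01", "50:05:07:61:00:aa:00:02", "10:00:00:00:c9:aa:00:09"],
    "backup_zone": ["10:00:00:00:c9:aa:00:03", "1,4"]}}

if __name__ == "__main__":
    print("\n".join(premerge_findings(DEFINED, EFFECTIVE)) or "no findings")
```
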
The zone configuration database is stored in nonvolatile memory by the cfgSave command. All
switches in the fabric have a copy of this database. When a change is made to the defined
53-1003130-01