Enabling hard zoning – H3C Technologies H3C S5830V2 Series Switches User Manual
Step | Command | Remarks
3. Copy an existing zone alias to create a new zone alias. | zone-alias clone src-name dest-name | The source zone alias must have been created, and the destination zone alias must not have been created.
4. Copy an existing zone to create a new zone. | zone clone src-name dest-name | The source zone must have been created, and the destination zone must not have been created.
5. Copy an existing zone set to create a new zone set. | zoneset clone src-name dest-name | The source zone set must have been created, and the destination zone set must not have been created.
Enabling hard zoning
Switches implement zone access control by using the following methods:
• Soft zoning—When a registered node queries the nodes in the current fabric through generic service packets, the switch filters the nodes based on zone rules and returns only the nodes matching the zone rules. Because soft zoning is an access control method applied only when a node discovers other nodes, it can restrict only the results of the queries that a node initiates to switches; it cannot directly control the underlying traffic. When a node sends traffic to a node that should be filtered by zone rules, soft zoning cannot perform access control for that traffic.
• Hard zoning—Hard zoning converts the zone configurations into lower-layer driver rules and deploys the rules to the hardware to form hardware zone rules. Hardware zone rules make sure that traffic in the switch is forwarded strictly based on zone rules. This is a strict control method.
The two methods are independent of each other and supplement each other. They work together to implement node access control based on the zone configurations.
By default, the system automatically enables or disables hard zoning based on whether the resources are sufficient for deploying zone rules, and soft zoning is always enabled.
• When the underlying resources are sufficient for deploying the hardware zone rules of the current VSAN, hard zoning is enabled for the VSAN. In this case, both soft zoning and hard zoning take effect in the VSAN.
• When the underlying resources are not sufficient for deploying the hardware zone rules of the current VSAN, the system clears all deployed hardware zone rules in order to keep the rule set consistent, and automatically disables hard zoning. In this case, only soft zoning takes effect.
To improve the security of a VSAN, you can enable hard zoning for the VSAN. When soft zoning is sufficient to meet the access control requirements of a VSAN, you can disable hard zoning for the VSAN to save hardware entry resources.
After hard zoning is enabled for a VSAN, the system triggers deployment of all zone rules of the VSAN. After hard zoning is disabled for a VSAN, the system clears the hardware zone rules already deployed for the VSAN and stops deploying new zone rules for the VSAN.
You can use the display zone status command to view the hard zoning status.
Do not configure this command when the switch is merging or distributing zones.
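The following Python model is an added illustration of the behaviour described above; it is not code from the manual or from H3C firmware. It assumes a constructed fabric with two zones and a hardware rule table of a chosen capacity, and shows that soft zoning filters only query results while hard zoning filters forwarding, and that when the rules do not fit, all hardware rules are cleared and only soft zoning remains.

```python
# Constructed model of soft zoning vs. hard zoning in one VSAN (illustration only).
from itertools import combinations


class ZoneFabric:
    """Zone rules plus an assumed hardware rule table of fixed capacity.

    Default policy modelled from the text: hard zoning is enabled only when
    every hardware zone rule fits; otherwise all rules are cleared and only
    soft zoning remains in effect.
    """

    def __init__(self, zones, hw_capacity):
        self.zones = zones              # zone name -> set of member node IDs
        self.hw_capacity = hw_capacity  # assumed number of hardware entries
        self.hw_rules = set()           # deployed hardware zone rules
        self.hard_zoning = False
        self.deploy()

    def _rules(self):
        # One hardware rule per unordered pair of members in the same zone.
        rules = set()
        for members in self.zones.values():
            rules.update(combinations(sorted(members), 2))
        return rules

    def deploy(self):
        rules = self._rules()
        if len(rules) <= self.hw_capacity:
            self.hw_rules, self.hard_zoning = rules, True
        else:
            # Not enough resources: clear everything rather than keep a partial
            # rule set, and fall back to soft zoning only.
            self.hw_rules, self.hard_zoning = set(), False

    def set_hard_zoning(self, enabled):
        # Manual enable triggers deployment; manual disable clears the rules.
        if enabled:
            self.deploy()
        else:
            self.hw_rules, self.hard_zoning = set(), False

    def query_fabric(self, node):
        # Soft zoning: a discovery query returns only peers zoned with the node.
        return sorted(n for m in self.zones.values() if node in m
                      for n in m if n != node)

    def forward(self, src, dst):
        # Hard zoning checks each frame; without it, soft zoning cannot stop
        # traffic from a node that already knows the destination address.
        if not self.hard_zoning:
            return True
        return tuple(sorted((src, dst))) in self.hw_rules

    def status(self):
        return "hard zoning enabled" if self.hard_zoning else "soft zoning only"
```

Comparing `status()` before and after shrinking `hw_capacity` mirrors what an operator would check with `display zone status` after a resource shortfall.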
To enable hard zoning: