While discussing SAN topologies and switches, many of you may have come across the term ‘SAN Zoning’. The term becomes critical once a Storage Area Network layout contains more than a couple of dozen devices. In the early days of its existence, SAN zoning did not get its due share of attention, as many cited that it was not a Fibre Channel SAN standard. It is now very much an evolving area in both standards and implementation. To learn more about this technical term, let us take a closer look at it.
Unlike a NAS, a SAN restricts a user's access to a specific storage application space. That is, unlike on Network Attached Storage, SAN users cannot access every file on the centralized storage; a user's file access is restricted to what is intended for a specific application. This is where zoning comes in: its primary function is to control who can see what in the SAN. On every server there are several mechanisms that determine which other devices the server's applications are allowed to see and talk to.
At the lowest level, an HBA's firmware and/or driver can mask the server from other devices. Additionally, the operating system can be configured to control which devices it attempts to mount as storage volumes. On top of that, many IT people use an extra software layer for volume management, clustering and file-system sharing, which also helps control application access.
For storage-side zoning, setting aside RAID subsystems and JBODs, most disk arrays offer a form of selective presentation. The array is configured with the list of servers allowed to access each LUN, so that their service requests and denials can be traced. For switch zoning, most FC switches support zoning to control which devices can access which ports.
Functioning of SAN Zoning
To understand how SAN zoning works, let us look at it in a technically precise way. As soon as a node connects to a fabric, it performs a fabric logon. In doing so the device is allocated a 24-bit address that is used for routing within the fabric. Each device has a World Wide Name programmed into its hardware, unique per port. The node WWN identifies the node or device itself and is the same on each of its ports.
As soon as a device logs on to the name server service in the SAN environment, it registers itself. This allows the SAN to build a database of all the devices in the fabric, using the mapping of node and port WWNs. This includes FCP devices, which carry SCSI commands over Fibre Channel.
The server then asks the name server for the list of FCP devices seen on the fabric, and this is where zoning comes into effect. The name server responds only with the FCP devices that are in the same zone as the requester, i.e. it returns only those devices the server is supposed to know about.
As a result the server holds the list of 24-bit addresses of those devices; it then performs a logon to each one and finds out what the device is (FCP/SCSI). This is what constitutes zoning.
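The sequence just described (fabric logon and 24-bit address allocation, name-server registration keyed by node and port WWN, and a name-server query answered only with FCP devices in the requester's zone) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the article or from any switch vendor; all WWNs, the domain ID and the zone name are constructed values, and the "deny everything to a port in no zone" behaviour is an assumption of the model rather than a statement about any particular switch's default zone policy.

```python
# Added example (not from the original article): a toy model of fabric login,
# name-server registration and zone-filtered name-server queries. All WWNs,
# zone names and the domain ID below are constructed values.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

FC4_TYPE_FCP = 0x08   # FC-4 type code for SCSI-FCP, as registered with the name server


@dataclass
class Port:
    node_wwn: str              # identifies the device; identical on all of its ports
    port_wwn: str              # identifies this particular port
    fc4_type: int              # protocol the port speaks (FCP for SCSI over FC)
    fcid: Optional[int] = None # 24-bit fabric address, assigned at fabric login


class Fabric:
    """One switch domain with a name server and a zone set (soft zoning)."""

    def __init__(self, domain_id: int):
        self.domain_id = domain_id
        self._next_area = 0
        self.name_server: Dict[int, Port] = {}   # FC_ID -> registered port
        self.zones: Dict[str, Set[str]] = {}     # zone name -> member port WWNs

    def flogi(self, port: Port) -> int:
        """Fabric login: allocate a 24-bit address laid out as domain.area.port."""
        area = self._next_area
        self._next_area += 1
        port.fcid = (self.domain_id << 16) | (area << 8) | 0x00
        return port.fcid

    def register(self, port: Port) -> None:
        """Name-server registration: record node WWN, port WWN and FC-4 type."""
        if port.fcid is None:
            raise RuntimeError("port must complete FLOGI before registering")
        self.name_server[port.fcid] = port

    def add_zone(self, name: str, member_port_wwns: Set[str]) -> None:
        self.zones[name] = set(member_port_wwns)

    def _zones_of(self, port_wwn: str) -> Set[str]:
        return {z for z, members in self.zones.items() if port_wwn in members}

    def query_fcp(self, requester: Port) -> List[int]:
        """Name-server query: FC_IDs of FCP devices that share a zone with the
        requester. A port that is in no zone sees nothing (model assumption)."""
        mine = self._zones_of(requester.port_wwn)
        visible = []
        for fcid, p in self.name_server.items():
            if p.port_wwn == requester.port_wwn or p.fc4_type != FC4_TYPE_FCP:
                continue
            if mine & self._zones_of(p.port_wwn):
                visible.append(fcid)
        return sorted(visible)


def fcid_str(fcid: int) -> str:
    """Render an FC_ID as six hex digits, the way switch CLIs usually print it."""
    return f"{fcid:06x}"


def discover(fabric: Fabric, server: Port) -> List[str]:
    """Emulate the server: query the name server, then 'log on' to each returned
    address and learn what it is. Returns the port WWNs it ended up seeing."""
    seen = []
    for fcid in fabric.query_fcp(server):
        target = fabric.name_server[fcid]   # stands in for the per-device logon
        seen.append(target.port_wwn)
    return seen


def demo() -> Dict[str, List[str]]:
    """Two servers and one array port; only server_a is zoned with the array."""
    fab = Fabric(domain_id=0x01)
    server_a = Port("20:00:00:00:c9:aa:00:01", "10:00:00:00:c9:aa:00:01", FC4_TYPE_FCP)
    server_b = Port("20:00:00:00:c9:bb:00:01", "10:00:00:00:c9:bb:00:01", FC4_TYPE_FCP)
    array_p0 = Port("50:06:01:60:00:00:00:01", "50:06:01:60:00:00:00:02", FC4_TYPE_FCP)
    for p in (server_a, server_b, array_p0):
        fab.flogi(p)
        fab.register(p)
    fab.add_zone("z_server_a_array", {server_a.port_wwn, array_p0.port_wwn})
    return {"server_a": discover(fab, server_a), "server_b": discover(fab, server_b)}


if __name__ == "__main__":
    for name, wwns in demo().items():
        print(name, "sees", wwns or "nothing")
```

Running `demo()` shows the effect the text describes: both servers complete FLOGI and register with the name server, but only the server that shares a zone with the array port gets that port's address back from the query, so the other server never even attempts a logon to it.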
What type of SAN Zoning should be used?
Using a little of each of the following approaches may prove beneficial:
- Use the operating system's or other software's capability to control which devices/LUNs are mounted on the server.
- Use zoning on the fabric together with selective presentation on the storage array; by analogy with network segmentation, this makes it possible to isolate a PC that is being used to hack files in the corporate system. To prevent such incidents, having an access control list on files in the file system is also advantageous.
- In addition, firewalls, security gateways and packet filtering will also help protect the data.
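The list above recommends combining host-side device control, fabric zoning and selective presentation on the array rather than relying on any one of them. The following added example (written for this page, not code from the article) evaluates one I/O path against all three layers and records which layer would refuse it, giving the kind of request/denial trace mentioned earlier for arrays. The WWNs, LUN numbers and the shape of the three policy tables are constructed; a real deployment would read them from the switch zone set, the array's presentation groups and the host's multipath or mount configuration.

```python
# Added example (not from the original article): defence in depth for a SAN
# I/O path. Every WWN and LUN number below is a constructed value.
from typing import Dict, List, Set, Tuple

# Layer 1: fabric zoning. Zone name -> member port WWNs.
ZONES: Dict[str, Set[str]] = {
    "z_app1": {"10:00:00:00:c9:aa:00:01", "50:06:01:60:00:00:00:02"},
}
# Layer 2: selective presentation on the array. Array port -> host port WWN -> LUNs exposed.
ARRAY_PRESENTATION: Dict[str, Dict[str, Set[int]]] = {
    "50:06:01:60:00:00:00:02": {"10:00:00:00:c9:aa:00:01": {0, 1}},
}
# Layer 3: host-side control. Host port WWN -> (array port, LUN) pairs the OS may mount.
HOST_MOUNT_POLICY: Dict[str, Set[Tuple[str, int]]] = {
    "10:00:00:00:c9:aa:00:01": {("50:06:01:60:00:00:00:02", 0)},
}


def fabric_allows(host_wwn: str, array_wwn: str, zones=ZONES) -> bool:
    """Zoning: host and array port must share at least one zone."""
    return any(host_wwn in members and array_wwn in members for members in zones.values())


def array_allows(host_wwn: str, array_wwn: str, lun: int, presentation=ARRAY_PRESENTATION) -> bool:
    """Selective presentation: the array only exposes the LUN to listed hosts."""
    return lun in presentation.get(array_wwn, {}).get(host_wwn, set())


def host_allows(host_wwn: str, array_wwn: str, lun: int, policy=HOST_MOUNT_POLICY) -> bool:
    """Host-side control: the OS only mounts what it has been configured for."""
    return (array_wwn, lun) in policy.get(host_wwn, set())


def check_path(host_wwn: str, array_wwn: str, lun: int) -> Tuple[bool, List[str]]:
    """Return (allowed, denials). The list names every layer that would refuse
    the request, so an operator can see which control actually did the work."""
    denials: List[str] = []
    if not fabric_allows(host_wwn, array_wwn):
        denials.append("fabric zoning")
    if not array_allows(host_wwn, array_wwn, lun):
        denials.append("array presentation")
    if not host_allows(host_wwn, array_wwn, lun):
        denials.append("host mount policy")
    return (not denials, denials)


def audit(requests: List[Tuple[str, int, str]]) -> List[str]:
    """Turn (host, lun, array) requests into log lines (constructed format)."""
    lines = []
    for host_wwn, lun, array_wwn in requests:
        ok, denials = check_path(host_wwn, array_wwn, lun)
        verdict = "PERMIT" if ok else "DENY by " + ", ".join(denials)
        lines.append(f"host={host_wwn} array={array_wwn} lun={lun} {verdict}")
    return lines


if __name__ == "__main__":
    sample = [
        ("10:00:00:00:c9:aa:00:01", 0, "50:06:01:60:00:00:00:02"),  # fully permitted
        ("10:00:00:00:c9:aa:00:01", 1, "50:06:01:60:00:00:00:02"),  # exposed but not mounted
        ("10:00:00:00:c9:bb:00:01", 0, "50:06:01:60:00:00:00:02"),  # unzoned host
    ]
    for line in audit(sample):
        print(line)
```

The second request illustrates why the host-side layer is still worth having: the array presents LUN 1 to that host and zoning lets them talk, yet the OS policy declines to mount it. The third shows the unzoned host being refused by all three layers at once, so a mistake in any single configuration does not by itself expose the data.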