I've been working with the storage guy in our business and I'm trying to get up to speed on zoning, but I'm finding conflicting information. I'm confused about the relationship between hard and soft zones, and WWN and port-based zones.
Here's what I thought was correct:
- Hard zoning is done by the switches, disallowing certain WWNs (or ports) from talking by examining source and destination information, regardless of knowledge of one another's existence. I compare this to conventional IP firewalls (only certain IPs can talk to one another - I know Google's IP but I still cannot reach it).
- Soft zoning allows everything to reach everything else, but prevents discovery of everything in the fabric by limiting what information the name server will respond with when a new HBA wants to know what it can talk to. I compare this to a DNS server that provides different responses based on the querying host - hosts can still talk if they know one another's IP address.
- WWN and port-based zoning are unrelated to the above - they simply imply how you identify members of a zone.
Here are the sites I've looked at:
http://www.emcstorageinfo.com/2007/11/san-zoning-in-details.html
http://www.sanduel.com/SAN-Storage-FAQs/What-are-Hard-Zoning-and-Soft-Zoning.html
http://en.wikipedia.org/wiki/Fibre_Channel_zoning
(I know that none of these are particularly reputable - sue me :) )
Some of the sites above seem to say that hard zoning and port-based zoning are synonyms, as are soft zoning and WWN-based zoning.
tl;dr: Is there any fixed relationship between hard, soft, WWN, and port-based zoning in a SAN?
In case the answer is vendor-specific, we use HP SAN equipment, specifically HP HSV450 and HP XP12000 disk arrays, with (I think) Brocade switches.
Another bit of documentation from a more reputable vendor to help clarify things:
http://www.brocade.com/downloads/documents/white_papers/Zoning_Best_Practices_WP-00.pdf
To quote the key bit:
If your HP/Brocade switch is under current maintenance, it does hard zoning no matter what method you use for the zoning. I believe all of the 2GBit switches have been EOLed.
As for Cisco, they're tricksy and support both methods if you want.
So for both options of HP hardware, 'hard' zoning is probably the default. Definitely the default if you're using Brocade.
The zoning description method (port vs. WWN) does not automatically tell you whether the switch is beefy enough to handle 'hard' zoning.
Hard-Zoning is the common term for zoning access based on physical ports: switch X port N can talk to switch Z port Y.
Soft-Zoning defines access based on the WWPN (World Wide Port Name) of the devices which are permitted to talk to each other.
Soft-zoning tends to be either by WWN (WWPN preferred), or by alias of that WWPN. This means that a device with a vendor-applied unique WWPN is permitted to talk to another device with a different WWPN as defined in the zoning entry. This effectively extends by software definition the device's SCSI bus to include various SAN nodes. Realistically, this includes one or more servers with one or more storage targets: their SCSI bus extends to those storage devices.
Hard-zoning used to be considered more secure, but recently the "drawbacks" of soft zoning are reducing, and greatly bolstered by the idea of being able to move a device to different switch port while not affecting its ability to contact its storage. For example, the following zone:
In this case, I've defined the software zone, or Access-control List, to connect 10000000c9123456's SCSI bus to 50000972084e05ad. The Oracle server may now ask the VMAX storage for various blocks of storage, regardless of whether I move the server off to another switch, or behind an N-Port ID Virtualization, or however I want to connect. Indeed, I can give a Virtual WWPN to a virtual machine, and no matter where I vMotion that VM, its access is still based on the vWWPN that follows it, so it can always reach its storage, but no one else can without a zoning/ACL.
I see one case of hard-zoning per year, on average; typically, it is a user who is moving away from it, but hasn't yet fully moved off.
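An added example, not part of any post above: a simplified Python model that uses the question's definitions (enforcement mode kept separate from how members are identified) and also replays the move scenario from the last answer. The two WWPNs are the ones quoted above; the third WWPN, the zone name, the port numbers and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    wwpn: str
    port: tuple  # (switch domain, port index) where the device is cabled

class Fabric:
    def __init__(self, devices, zones, hard):
        self.devices = {d.wwpn: d for d in devices}
        self.zones = zones  # zone name -> set of members (WWPN strings or port tuples)
        self.hard = hard    # True: switch filters frames; False: name server filtering only

    def zoned_together(self, a, b):
        ids_a, ids_b = {a.wwpn, a.port}, {b.wwpn, b.port}
        return any(ids_a & m and ids_b & m for m in self.zones.values())

    def name_server_query(self, src_wwpn):
        """What the name server reveals to src (filtered in both modes in this model)."""
        src = self.devices[src_wwpn]
        return sorted(d.wwpn for d in self.devices.values()
                      if d != src and self.zoned_together(src, d))

    def deliver_frame(self, src_wwpn, dst_wwpn):
        """Would the switch forward a frame from src to dst?"""
        if not self.hard:
            return True  # soft enforcement: frames are not checked against zones
        return self.zoned_together(self.devices[src_wwpn], self.devices[dst_wwpn])

ORACLE, VMAX = "10000000c9123456", "50000972084e05ad"  # WWPNs quoted on the page
OTHER = "10000000c9aaaaaa"                              # constructed unzoned host
ZONES = {"wwn": {"z1": {ORACLE, VMAX}},                 # members named by WWPN
         "port": {"z1": {(1, 4), (1, 9)}}}              # members named by (domain, port)

def build(ident, hard, oracle_port=(1, 4)):
    devs = [Device(ORACLE, oracle_port), Device(VMAX, (1, 9)), Device(OTHER, (1, 5))]
    return Fabric(devs, ZONES[ident], hard)

def matrix():
    """(identification, hard?) -> (what OTHER discovers, OTHER->VMAX forwarded?)"""
    return {(i, h): (build(i, h).name_server_query(OTHER),
                     build(i, h).deliver_frame(OTHER, VMAX))
            for i in ("wwn", "port") for h in (False, True)}

def oracle_reaches_vmax_after_move(ident):
    """Re-cable the Oracle host to port (1, 7) under hard enforcement."""
    return build(ident, True, oracle_port=(1, 7)).deliver_frame(ORACLE, VMAX)

if __name__ == "__main__":
    for key, val in matrix().items():
        print(key, val)
    print({i: oracle_reaches_vmax_after_move(i) for i in ("wwn", "port")})
```

In this model the unzoned host never discovers the array, but only hard enforcement stops its frames, whichever way the zone members are named; after the re-cabling, the WWPN-named zone still matches and the port-named zone does not.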