Specifications
DATA CENTER BEST PRACTICES
SAN Design and Best Practices 63 of 84
SECURITY
There are many components to SAN security in relation to SAN design, and the decision to use them is greatly
dependent on installation requirements rather than network functionality or performance. One clear exception is
the zoning feature used to control device communication. The proper use of zoning is key to fabric functionality,
performance, and stability, especially in larger networks. Other security-related features are largely mechanisms
for limiting access and preventing attacks on the network (and are mandated by regulatory requirements), and
they are not required for normal fabric operation.
Zoning: Controlling Device Communication
The SAN is primarily responsible for the flow of data between devices. Managing this device communication is of
utmost importance for the effective, efficient, and also secure use of the storage network. Brocade Zoning plays
a key role in the management of device communication. Zoning is used to specify the devices in the fabric that
should be allowed to communicate with each other. If zoning is enforced, then devices that are not in the same
zone cannot communicate.
In addition, zoning provides protection from disruption in the fabric. Changes in the fabric result in notifications
(RSCNs) being sent to switches and devices in the fabric. Zoning puts bounds on the scope of RSCN delivery
by limiting their delivery to devices when there is a change within their zone. (This also reduces the processing
overhead on the switch by reducing the number of RSCNs being delivered.) Thus, only devices in the zones
impacted by the change are disrupted. Based on this fact, the best practice is to create zones with one initiator
and one target with which it communicates, so that changes to initiators do not impact other initiators or other
targets, and disruptions are minimized (one initiator and one target device per zone). In addition, the default
zone setting (what happens when zoning is disabled) should be set to No Access, which means that devices are
isolated when zoning is disabled.
Zones can be defined by either switch port or device World Wide Name (WWN). While it takes a bit more effort to
use WWNs in zones, it provides greater flexibility; if necessary, a device can be moved to anywhere in the fabric
and maintain valid zone membership.
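The following is an added illustration, not code from the Brocade document: a small Python model of the three zoning behaviours described above (zone membership deciding which devices may communicate, the default zone setting deciding what happens when zoning is disabled, and zoning bounding RSCN delivery), plus a check for the one-initiator/one-target rule. All WWNs, zone names and device roles are constructed sample data.

```python
"""Toy model of Fibre Channel zoning enforcement and RSCN scope.

Added example, not from the Brocade document. The WWNs, zone names and
device roles below are constructed sample data.
"""

# Constructed sample devices: WWN -> role ("initiator" = host HBA, "target" = storage port)
DEVICES = {
    "10:00:00:05:1e:aa:00:01": "initiator",   # host A
    "10:00:00:05:1e:aa:00:02": "initiator",   # host B
    "50:06:01:60:3b:a0:11:01": "target",      # array port 1
    "50:06:01:60:3b:a0:11:02": "target",      # array port 2
}

# Constructed zone database following the one-initiator, one-target best practice
SINGLE_INITIATOR_ZONES = {
    "z_hostA_array1": {"10:00:00:05:1e:aa:00:01", "50:06:01:60:3b:a0:11:01"},
    "z_hostB_array2": {"10:00:00:05:1e:aa:00:02", "50:06:01:60:3b:a0:11:02"},
}

# The same devices thrown into one large zone, for comparison
ONE_BIG_ZONE = {
    "z_everything": set(DEVICES),
}


def can_communicate(zones, wwn_a, wwn_b, default_zone_no_access=True):
    """Return True if two devices may exchange frames under this zone set.

    Devices talk only when they share at least one zone. With an empty zone set
    (zoning disabled) the default zone setting decides: No Access isolates every
    device, All Access lets everything talk.
    """
    if not zones:
        return not default_zone_no_access
    return any(wwn_a in members and wwn_b in members for members in zones.values())


def rscn_scope(zones, changed_wwn):
    """Return the set of other devices that receive an RSCN when changed_wwn changes state.

    Zoning bounds RSCN delivery to devices that share a zone with the changed device.
    """
    notified = set()
    for members in zones.values():
        if changed_wwn in members:
            notified |= members
    notified.discard(changed_wwn)
    return notified


def check_single_initiator(zones, devices):
    """Return the names of zones that violate the one-initiator, one-target rule."""
    violations = []
    for name, members in zones.items():
        roles = [devices[w] for w in members]
        if roles.count("initiator") != 1 or roles.count("target") != 1:
            violations.append(name)
    return violations


if __name__ == "__main__":
    host_a = "10:00:00:05:1e:aa:00:01"
    print("host A RSCN blast radius, single-initiator zoning:",
          len(rscn_scope(SINGLE_INITIATOR_ZONES, host_a)))
    print("host A RSCN blast radius, one big zone:",
          len(rscn_scope(ONE_BIG_ZONE, host_a)))
    print("zones violating best practice:", check_single_initiator(ONE_BIG_ZONE, DEVICES))
```

Comparing `rscn_scope` for the two zone databases shows the point of the best practice: with single-initiator zones a host HBA change disturbs only its own target, while a single large zone notifies every device in the fabric.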
Zone Management: Dynamic Fabric Provisioning (DFP)
The Brocade Gen 5 Fibre Channel SAN platforms provide an integrated switch and HBA solution that enables
customers to dynamically provision switch-generated virtual WWNs and create a fabric-wide zone database prior
to acquiring and connecting any Brocade HBAs to the switch. DFP enables SAN administrators to pre-provision
services like zoning, QoS, Device Connection Control (DCC), or any services that require port-level authentication
prior to servers arriving in the fabric. This enables a more secure and flexible zoning scheme, since the fabric
assigns the WWN to use. The virtual WWN can be user-generated or fabric-assigned (FA-WWN). When an HBA is
replaced or a server is upgraded, zoning and LUN mapping do not have to be changed, since the new HBA is
assigned the same FA-WWN as before. DFP is supported on switches with or without Brocade Access
Gateway support. The switch automatically prevents assignment of duplicate WWNs by cross-referencing the
Name Server database, but the SAN Administrator has the ultimate responsibility to prevent duplicates from
being created when it is user-assigned.
Zone Management: Duplicate WWNs
In a virtual environment like VMware or HP's Virtual Connect, it is possible to encounter duplicate WWNs in
the fabric. This impacts the switch response to fabric services requests like “get port WWN,” resulting in
unpredictable behavior. The fabric’s handling of duplicate WWNs is not meant to be an intrusion detection tool
but a recovery mechanism. Prior to Brocade FOS v7.0, when a duplicate entry is detected, a warning message is
sent to the RAS log, but no effort is made to prevent the login of the second entry.
Starting with Brocade FOS v7.0, handling of duplicate WWNs is as follows:
• Same switch: The choice of which device stays in the fabric is configurable (default is to retain existing device)
• Local and remote switches: Remove both entries
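As an added example (not Brocade code), the Python below models the duplicate-WWN handling just listed: logins are grouped by WWN, a duplicate on the same switch is resolved by a configurable choice that defaults to retaining the existing entry, and a duplicate spanning a local and a remote switch removes both entries. It also serves as the Name Server cross-reference the DFP paragraph mentions, since the same grouping detects a user-assigned WWN that collides with one already logged in. The login records and switch names are constructed sample data; the warning strings stand in for the RAS log messages the text describes.

```python
"""Toy model of duplicate-WWN handling as described for Brocade FOS v7.0 and later.

Added example, not Brocade code. Login records and switch names are constructed.
"""
from collections import defaultdict

# Constructed Name Server view: each login is (wwn, switch, port), in login order
LOGINS = [
    ("10:00:00:05:1e:aa:00:01", "sw1", 3),
    ("10:00:00:05:1e:aa:00:02", "sw1", 4),
    ("10:00:00:05:1e:aa:00:02", "sw1", 9),   # duplicate on the same switch
    ("10:00:00:05:1e:aa:00:03", "sw1", 5),
    ("10:00:00:05:1e:aa:00:03", "sw2", 1),   # duplicate across local and remote switches
]


def find_duplicates(logins):
    """Group logins by WWN and return only the WWNs seen more than once."""
    by_wwn = defaultdict(list)
    for wwn, switch, port in logins:
        by_wwn[wwn].append((switch, port))
    return {w: entries for w, entries in by_wwn.items() if len(entries) > 1}


def resolve_duplicates(logins, retain_existing=True):
    """Apply the two rules from the text and return (kept, removed, warnings).

    Same switch: configurable; the default keeps the existing (earlier) login and
    drops the later ones. Different switches: remove every entry for that WWN.
    """
    removed = []
    warnings = []
    for wwn, entries in find_duplicates(logins).items():
        switches = {sw for sw, _ in entries}
        if len(switches) == 1:
            # Same switch: keep one entry, default is the one already logged in
            losers = entries[1:] if retain_existing else entries[:-1]
            for sw, port in losers:
                removed.append((wwn, sw, port))
                warnings.append(f"duplicate WWN {wwn} on {sw}: removed login from port {port}")
        else:
            # Local and remote switches: no safe choice, remove both
            for sw, port in entries:
                removed.append((wwn, sw, port))
            warnings.append(
                f"duplicate WWN {wwn} across switches {sorted(switches)}: removed both entries")
    kept = [login for login in logins if login not in removed]
    return kept, removed, warnings


if __name__ == "__main__":
    kept, removed, warnings = resolve_duplicates(LOGINS)
    for w in warnings:
        print("RAS-style warning:", w)
    print("logins remaining in the fabric:", kept)
```

Running the module with the sample data leaves two logins in the fabric: the undisputed WWN `...00:01` and the first login of `...00:02`; both entries for `...00:03` are removed because they span two switches.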