User's guide

Chapter 3. Implementing the INRANGE FC/9000 Fibre Channel Director
3.4.4 Hard zones and name server zones together
Hard zoning can strictly separate port groups, and this can be seen as an
effective security feature.
Name server zoning allows us to further define the communication control with
per-port granularity.
When name server zones and hard zones are used in conjunction, we need to
consider the following principles:
• If you have not created any hard zones at all, then all director ports are
considered to be part of one big default hard zone.
• However, if at least one hard zone is implemented, then this default hard zone
is no longer in effect. So be aware that if you add just one hard zone, all
remaining ports must be added to a hard zone too. For instance, you could
create a second hard zone containing all the remaining ports.
• Multiple name server zones can exist within one hard zone.
• Name server zones cannot cross the boundaries of hard zones.
• With INRANGE, we do not have to worry about zone sets or active and
inactive zones. Creating zone sets or passive zones is not possible in an
INRANGE environment. Either a zone exists and is thereby active,
or it does not exist.
• All nodes that are not part of any name server zone have unlimited access to
the name server table. This is also true if no name server zone is
implemented at all. Consequently, by default, all attached nodes have access
to the name server table. Only those nodes that are part of name server
zones will have limited access to this information.
• The only exception is a TL_Port Config list, which explicitly allows access to
the specified TL_Port even if name server zones exist that normally would
imply otherwise.
So, we can see that we have several different ways to control actual node access
with INRANGE:
• Hard zoning
• Name server zoning
• Translation Entries lists for TL_Ports
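
The principles above can be checked against a planned layout before it is applied. The following is an added example, not INRANGE tooling or code from this guide; the data model (port numbers, zone names, the audit_zoning function) is an assumption made for illustration, and the sample layout is constructed.

```python
def audit_zoning(all_ports, hard_zones, ns_zones):
    """Check a planned layout against the hard zone / name server zone rules.

    all_ports: set of port numbers; hard_zones, ns_zones: {name: set of ports}.
    This model is hypothetical and is not an INRANGE configuration format.
    """
    # Rule: once any hard zone exists the default hard zone is gone, so every
    # remaining port must be placed in a hard zone explicitly.
    in_hard = set().union(*hard_zones.values()) if hard_zones else set(all_ports)
    unassigned = set(all_ports) - in_hard

    # Rule: a name server zone cannot cross a hard zone boundary, so all of
    # its members must sit inside one hard zone. Record the zones it touches.
    crossing = {}
    for name, members in ns_zones.items():
        if hard_zones and not any(members <= hz for hz in hard_zones.values()):
            crossing[name] = sorted(h for h, hz in hard_zones.items() if members & hz)

    # Rule: nodes on ports that are in no name server zone have unlimited
    # access to the name server table. (TL_Port lists, the one exception
    # named in the text, are not modelled here.)
    in_ns = set().union(*ns_zones.values()) if ns_zones else set()
    unrestricted = set(all_ports) - in_ns

    return {"unassigned": unassigned, "crossing": crossing,
            "unrestricted_ns": unrestricted}


# Constructed sample layout: a 16-port director with two name server zones.
PORTS = set(range(16))
NS_ZONES = {"backup": {2, 3}, "mixed": {6, 9}}
ONE_HARD_ZONE = {"A": set(range(8))}
TWO_HARD_ZONES = {"A": set(range(8)), "B": set(range(8, 16))}

if __name__ == "__main__":
    for label, hz in [("no hard zones", {}), ("one hard zone", ONE_HARD_ZONE),
                      ("two hard zones", TWO_HARD_ZONES)]:
        print(label, audit_zoning(PORTS, hz, NS_ZONES))
```

With one hard zone defined, ports 8 to 15 are reported as unassigned; adding the second hard zone clears that finding but leaves the "mixed" name server zone flagged because it spans both hard zones.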