I’ve been doing VMware Design Reviews lately and so are my colleagues of the PSO department. A Design Review is quick scan of your design documentation by a VMware consultant. The consultant will hold your docs against best practices and propose changes to the design.
One of the things we encounter on a regular base is that admins took the easy path for their Storage Design zoning. So what’s zoning? In short: a way to partition your fabric into smaller subsets. These small subsets provide you with a better security and less interference.
You can do zoning in two ways, Soft and Hard. With “soft zoning” you use the device WWN in a zone without any restrictions to what port this WWN is attached. With “hard zoning” you put the port into a specific zone. So what do I prefer? I would prefer “hard zoning” because you need to know how your devices are connected and it makes troubleshooting a lot easier.
So now I’ve chosen a way to zone I can just write down all my port numbers, create a zone and drop them in and I’m done… Well not so fast, that’s another choice one has to make before you start. How am I going to zone, single initiator zoning or multi initiator zoning? So what’s a single initiator zone: a single hba in a zone with the target device(s). And a multi initiator zone is all initiators that need to communicate with a device(s) in one zone. As one can imagine multi initiator zones are really easy to setup but definitely not my first choice.
Single initiator zones are the way to go. If there’s no need, and for ESX there isn’t, for initiators to be able to communicate with each other then they shouldn’t be able to. Not only is this more secure, because initiators can’t communicate with each other, it also cuts out a lot of rubbish on your fibre. Rubbish as for instance “Registered State Change Notifications”. Although RSCN storms don’t occur that often anymore as they used to it’s still a risk of contention and should be avoided when possible. So if you’re doing a design or preparing for one keep this in mind: Single Initiator Zones are the way to go!
There are a whole bunch of good articles on the net about zoning, read them you might learn a thing or two:
- TechTarget.com: part1, part2, part3
- Storage Networking 101: Understanding Fibre Channel Zones
- Single HBA Zoning
Have fun,
Hi Duncan,
I agree whole-heartily. Single initiator zoning ( or more specifically two-member zones, with one initiator and one target) is definitely the best way to go. I have had heated discussions with others claiming it is a waste of time, and to throw everything in one big zone. In my experience, this can cause issues if a HBA becomes faulty and bring down all the paths in a zone, eliminating the redundancy you are trying to gain from having multiple paths…..
I’m glad to see you bringing additional attention to this issue, Duncan, and I agree that single initiator zoning is considered a “best practice.” I don’t know that I necessarily agree with Wade with regards to two member zones (one initiator and one target) because I may want multiple storage targets accessible (multiple storage processors on a storage array, for example). But it looks like we all agree that just throwing everything into one big zone is definitely NOT the way to handle it.
Duncan – Summed it up well in your tweet – Real Men Do Single Initiator Zoning. If you don’t you end up with a big mess at some point. Single initiator zoning was absolutely critical to get things to work about 5-7 years ago, but I still think it is the best way to go (If you are doing fibre channel. iSCSI would of course not have this issue!)
Todd
Soft (WWPN) zoner here. With hard zoning, if I have a switch port go bad, I have to re-zone. If I want to test/troubleshoot another port for any reason, I have to re-zone. We can only zone during mainentance windows due to the potential impact to the shared prod/dev fabric when applying the active zone configuration. Not saying that’s right, but that’s the company policy right now.
“I don’t know that I necessarily agree with Wade with regards to two member zones (one initiator and one target) because I may want multiple storage targets accessible (multiple storage processors on a storage array, for example).”
I usually achieve this by creating a separate zone for each initiator/ target pair. Yes, this does double or quadruple the number of zones necessary (if you have two or four active storage processors), but I believe it is the most secure and fault tolerant zoning practice.
Wade is a hardcore guy! single initiator single target zoning! what a guy, don’t you just love ’em 🙂
Seriously, SI-ST is indeed the most secure, fault tolerant with 0 interference option. But it takes time to set it up. But I agree, it’s the best option. But if I can get people starting with a single initiator zone, than we’re half way there.
@Jason, if you got a good reason for it and know what you are actually doing and understand the importance then there’s no problem at all with doing things different. Most people I talk to never ever thought about these issues, just started out…
I agree with Jason on the Soft Zoning part. With soft zoning, replacing a defective HBA in a server would require a re-zone. But with hard zoning this would be nescessary when putting a server on a different fabic port. In the hard zoning configurations though, customers can run into trouble when tidying up their cabling and connecting servers to wrong ports on the fabric. I know, those customers should stay clear of this, but believe me: I know a few who have done this… So for me: Soft Zoning it is.
As for the Single Initiator, Single Target scenario. Couldn’t agree more: This is the way to go!
Here also. Yes, a bit more to set up, but well worth it. On the zoning, I’ll go with the 20% of the group that uses soft zoning, it’s just easier if something goes wrong to move it without rezoning.
Good afternoon Duncan,
I would like to speak with you about a potential partnership between ITKnowledgeExchange.com and Yellow-Bricks.com. I wasn’t sure where to e-mail, so I thought I’d post a comment. Could you e-mail me or give me a call at your earliest convenience?
Thank you,
Jenny
. . . . . . . . . . . . . . . . .
Jenny Mackintosh
Community Manager
ITKnowledgeExchange.com
jenny@itknowledgeexchange.com
781.657.1681 – desk
Hi Duncan,
I agree with the SI-ST zoning methodology 100%, but I really can’t agree with the Hard Zoning approach. In environments I’ve worked in, if we used hard zoning we’d be forever re-zoning.
Cheers
Dan
That’s why I said “prefer” and not “it’s a best practice” or “you must”… I prefer to, but it depends.
I agree that single initiator is the way to go, but I prefer soft zoning since it’s trivial to take care of a bad port or moving a host to another spot in your data center (and possibly a different switch in the same fabric).
As far as how to visualize single initiator zones just think pure old school and keep virtual 1-1 connections in mind.
I see both sides of soft vs hard, but I lean heavily toward soft since people do move things around.
I also strongly recommend single initiator zones, but multiple targets is usually fine, and leaves less chances for mistakes. If you replace an HBA, you change one or two zones (if using dual-port HBAs), or just the alias(es).
The things that misbehave the most or do stuff like bus resets are initiators and tape devices (or the traffic to them). So, keep tapes (or anything non-disk/LUN) off the disk zones, and use separate HBAs for tape connections, if you’re even using FC tape right off the ESX servers.
Wow, I’m glad I found this — great post.
Now, my question is…what do you use for a naming scheme for all those two member zones?
I currently use the following.
HOSTNAME_HBA1_SPA
HOSTNAME_HBA1_SPB
HOSTNAME_HBA2_SPA
HOSTNAME_HBA2_SPB
I just wanted to point out that you can zone by WWN and still get hardware enforcement. Most modern Brocades will allow you to zone by WWN and get hardware enforced zoning. Pretty sure Cisco supports this as well.
Zoning by WWN is nice since the SAN administrator can prepare each fabric ahead of time without necessarily knowing which switchports will be used.
That said, single initiator with either multiple target or single initiator single target is my preference.
(I just realized this post is a year old…)
Pretty good article.
Helps a lot.
Great post Duncan
It helped me clarifying the right way to go.
Can I ask you what is the best practice for zoning when you have 2 servers 1 HBA single port each, 1 fabric switch and 1 SAN with 1 controller and 2 connections. For example HP MSA 2000 single controller, or Fujitsu DX60 single controller?
I mean: can I use both fibre connection on the SAN controller. Is it technically multipathing?
Thanks
Luca