84
This feature is supported only in enhanced zoning mode. To ensure a consistent merge control mode
across the fabric, use the zone activate or zone distribute command after you set a merge control mode.
To set a merge control mode:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter VSAN view.
vsan vsan-id N/A
3. Set a merge control mode.
• Set the merge control mode to
Restrict:
zone merge-control restrict
• Set the merge control mode to
Allow:
undo zone merge-control restrict
The default setting is Allow.
Enabling hard zoning
Overview
Switches implement zone access control in one of the following methods:
• Soft zoning—When a registered node queries the nodes in the current fabric through generic
service packets, soft zoning filters the nodes based on zone rules and returns only the matching
nodes. Soft zoning is always in effect.
Because soft zoning is used only when a node accesses other nodes, it can restrict only the result
of queries that a node initiates to switches, and it cannot directly control the underlayer traffic.
When a node performs traffic attacks against the node that should be filtered by zone rules, soft
zoning cannot perform access control for the node.
• Hard zoning—Hard zoning converts the zone configurations into lower-layer driver rules and
deploys the rules to the hardware to form hardware zone rules. Then, the traffic in the switch is
forwarded strictly based on hardware zone rules. Hard zoning takes effect only when the hardware
resources are sufficient for deploying zone rules.
When the underlayer resources are not sufficient for deploying the hardware zone rules of the
current VSAN, the system performs the following operations:
{ Clears all deployed hardware zone rules in order to keep the integrity of rules.
{ Automatically disables hard zoning.
To improve the security for a VSAN, you can enable hard zoning for the VSAN. After hard zoning
is enabled for a VSAN, the system triggers deploying all zone rules of the VSAN. After hard
zoning is manually disabled for a VSAN, the system clears the hardware zone rules already
deployed for the VSAN and stops deploying new zone rules for the VSAN.
The two methods can work separately and supplement each other. They work together to implement
node access control based on the zone configurations.
Configuration restrictions and guidelines
When you configure hard zoning, follow these restrictions and guidelines:
To Next Page
Loading...
Need help?
General
