6

I have a single FC switch here that has a bunch of servers hanging off of it. Currently it is zoned (as per my previous question, Fibre Channel zoning best practices) by WWN, one zone for each pair of (server, disk array).

My question is, is there any reason I shouldn't do this zoning by port instead of WWN? The switch is already labeled with a server name per port, and I don't expect to do any moving of cables. I'm tending toward zoning by port because it allows me to replace an FC card without rezoning. That's not something you need to do often, you say? You're probably right, but I'm in the middle of a period where I have to do it a lot.

If it matters, it's a QLogic switch with QLogic or Brocade FC cards and a NetApp filer.

Bill Weiss

2 Answers

3

If you ever foresee implementing NPIV, you'll need to be doing WWN zoning. We're currently doing port zoning on the SAN that I manage, but that's for no other reason than it's always been done like that here. Within the next few weeks, I'll be switching over to WWN zoning. There are significant pros and cons to both approaches, though there's a strong security argument to be made for doing WWN zoning. It's really just a matter of how your organization chooses to do things.

EEAA
  • I've never even heard of NPIV... from a quick Google, though, I don't think we'll be using it here. Can you give me an idea what the security argument is? – Bill Weiss Apr 21 '11 at 19:11
  • 1
    Well, the security argument lies in the fact that the data "behind" your FC switch port requires the correct WWN to get access to it. Yes, the WWN can be altered on the FC card, and if someone was after your data that wouldn't prove much of a barrier, but for me, it's comforting to know that I need to make an *intentional* action on the switch to allow any server access to disk. Likewise, with WWN zoning, you're not going to screw anything up by plugging a FC patch into the wrong switch port. – EEAA Apr 21 '11 at 19:14
  • Well, if your switches are behind locked doors, it's easier for someone to change their WWN than change their port :) That relies on one person (YT) managing all the machines on the switch though. In a multi-tenant system things might be different. – Bill Weiss Apr 21 '11 at 20:13
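
The trade-off discussed in this answer and its comments, as an added example that is not part of the original thread: a toy Python model of a single switch (not any vendor's zoning API) that checks whether a login can reach the filer under a port zone and under a WWN zone. All port numbers, WWPNs and names are constructed for illustration.

```python
# Added illustration: a toy model of one FC switch, not a vendor zoning API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    """A device logged in to the fabric: its switch port and the WWPN it presents."""
    port: int
    wwpn: str


def zoned_together(zone, a, b):
    """True if both logins match a zone member.
    Members are ints (switch ports) or strings (WWPNs)."""
    def is_member(login):
        return login.port in zone or login.wwpn in zone
    return is_member(a) and is_member(b)


# Constructed sample values.
FILER = Login(port=0, wwpn="50:0a:09:80:00:00:00:01")
SERVER_A = Login(port=4, wwpn="21:00:00:e0:8b:00:00:0a")
SERVER_B = Login(port=5, wwpn="21:00:00:e0:8b:00:00:0b")

PORT_ZONE = {0, 4}                      # server A <-> filer, by switch port
WWN_ZONE = {FILER.wwpn, SERVER_A.wwpn}  # the same pair, by WWPN

SCENARIOS = {
    "baseline": SERVER_A,
    "HBA replaced in server A": Login(4, "21:00:00:e0:8b:00:00:0c"),
    "server A cable moved to port 6": Login(6, SERVER_A.wwpn),
    "server B cable plugged into port 4": Login(4, SERVER_B.wwpn),
    "server A's WWPN presented on port 5": Login(5, SERVER_A.wwpn),
}


def evaluate():
    """Return {scenario: (access_with_port_zone, access_with_wwn_zone)}."""
    return {
        name: (zoned_together(PORT_ZONE, login, FILER),
               zoned_together(WWN_ZONE, login, FILER))
        for name, login in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (by_port, by_wwn) in evaluate().items():
        print(f"{name:38} port-zoned={by_port!s:5} wwn-zoned={by_wwn}")
```

The two columns differ in every non-baseline row: port zoning follows the physical socket, WWN zoning follows the identity the card presents.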
2

If it's that simple then no, I guess it'll be fine. I do mine WWN-to-host-ports simply because I have multiple hosts/ports, so a switch-port-to-host-port thang wouldn't work out but you should do whatever makes sense to your situation and what you've described doesn't set any alarms going :)

Chopper3
  • 1
    My "Oh, I'm going to regret this later" sense tingles a little bit when I say things like "oh, I won't expand past one switch", but for now? I'll ignore it :) Thanks for the answer! – Bill Weiss Apr 21 '11 at 20:12