
I've been working with the storage guy in our business and I'm trying to get up to speed on zoning, but I'm finding conflicting information. I'm confused about the relationship between hard and soft zones, and WWN and port-based zones.

Here's what I thought was correct:

  • Hard zoning is done by the switches, disallowing certain WWNs (or ports) from talking by examining source and destination information, regardless of knowledge of one another's existence. I compare this to conventional IP firewalls (only certain IPs can talk to one another - I know Google's IP but I still cannot reach it).
  • Soft zoning allows everything to reach everything else, but prevents discovery of everything in the fabric by limiting what information the name server will respond with when a new HBA wants to know what it can talk to. I compare this to a DNS server that provides different responses based on the querying host - hosts can still talk if they know one another's IP address.
  • WWN and port-based zoning are unrelated to the above - they simply imply how you identify members of a zone.

Here are the sites I've looked at:

http://www.emcstorageinfo.com/2007/11/san-zoning-in-details.html

http://www.sanduel.com/SAN-Storage-FAQs/What-are-Hard-Zoning-and-Soft-Zoning.html

http://www.enterprisestorageforum.com/sans/features/article.php/3710231/Storage-Basics-Understanding-Fibre-Channel-Zones.htm

http://en.wikipedia.org/wiki/Fibre_Channel_zoning

(I know that none of these are particularly reputable - sue me :) )

Some of the sites above seem to say that hard zoning and port-based zoning are synonyms, as are soft zoning and WWN-based zoning.

tl;dr: Is there any fixed relationship between hard, soft, WWN, and port-based zoning in a SAN?

In case the answer is vendor-specific, we use HP SAN equipment, specifically HP HSV450 and HP XP12000 disk arrays, with (I think) Brocade switches.

  • Heh. HP uses both Brocade and Cisco parts, so that doesn't narrow it down all that much. But thanks for mentioning it! – sysadmin1138 Mar 12 '12 at 20:32
  • Oh, now that you mention it, I'm fairly certain that we use Brocade switches, and I know that we have an XP12000 and an HSV450. I'll edit the question to reflect that. –  Mar 12 '12 at 20:39

2 Answers

Another bit of documentation from a more reputable vendor to help clarify things:

http://www.brocade.com/downloads/documents/white_papers/Zoning_Best_Practices_WP-00.pdf

To quote the key bit:

p.8

Over the years, many terms have evolved to describe Zoning, some of which confuse the true nature of the Zoning method in question and lead to incorrect beliefs about how Zoning actually works. The most significant error made in describing Zoning is associating the identification method with how Zoning is enforced. With Brocade 1Gbit/sec Fabric OS switches, only [port based] identification was hardware enforced. This led to the term "hard zoning" being associated with [port based] zoning.

[...]

Once Brocade released 2 GBit/sec FOS switches, [WWN zoning] became hardware enforced...

If your HP/Brocade switch is under current maintenance, it does hard zoning no matter what method you use for the zoning. I believe all of the 2GBit switches have been EOLed.

As for Cisco, they're tricksy and support both methods if you want.

So for both options of HP hardware, 'hard' zoning is probably the default. Definitely the default if you're using Brocade.

The zoning description method (port vs. wwn) does not automatically tell you whether the switch is beefy enough to handle 'hard' zoning.

sysadmin1138

Hard-Zoning is the common term for zoning access based on physical ports: switch X port N can talk to switch Z port Y.

Soft-Zoning defines access based on the WWPN (World Wide Port Name) of the devices which are permitted to talk to each other.

Soft-zoning tends to be either by WWN (WWPN preferred), or by alias of that WWPN. This means that a device with a vendor-applied unique WWPN is permitted to talk to another device with a different WWPN as defined in the zoning entry. This effectively extends by software definition the device's SCSI bus to include various SAN nodes. Realistically, this includes one or more servers with one or more storage targets: their SCSI bus extends to those storage devices.

Hard-zoning used to be considered more secure, but recently the "drawbacks" of soft zoning are reducing, and greatly bolstered by the idea of being able to move a device to different switch port while not affecting its ability to contact its storage. For example, the following zone:

zone Z1_Oracle14_HBA0_VMAX4993_FA12gB
   pwwn 10000000c9123456
   pwwn 50000972084e05ad

In this case, I've defined the software zone, or Access-control List, to connect 10000000c9123456's SCSI bus to 50000972084e05ad. The Oracle server may now ask the VMAX storage for various blocks of storage, regardless if I move the server off to another switch, or behind an N-Port ID Virtualization, or however I want to connect. Indeed, I can give a Virtual WWPN to a virtual machine, and no matter where I vMotion that VM, its access is still based on the vWWPN that follows it, so it can always reach its storage, but no one else can without a zoning/ACL.

I see one case of hard-zoning per year, on average; typically, it is a user who is moving away from it, but hasn't yet fully moved off.

  • This seems to be counter to what @sysadmin1138 has said. It seems that hard vs. soft refers to the method of enforcement as opposed to the way zones are defined. –  Apr 17 '14 at 18:38
  • Soft-vs-Hard differs in both enforcement and definition. Officially, Soft-zoning is a case of restricting name server responses to those the node is permitted to communicate with, whereas hard-zoning is defined as topology-based blocking, but in practice (i.e. 3Par devices trying to "ping" the servers they knew of) some devices try to contact the devices no longer in their zones, and are blocked from contacting as solidly as if they are hard-zoned (Class3Discard on errant frame entering switch) – chickenandporn Apr 18 '14 at 17:01
  • Hmm. Sorry AlexWebr. @sysadmin1139's article does indicate that "Hard" and "Soft" are traditionally associated with WWPN/D,P zoning definition, but now soft-zoning (name-server) is uncommon, and hard enforcement exists in either WWPN-based or D,P -based zoning definition. That would be why I see hard-enforcement in cases where WWPNs are used in definition. I regret that I skimmed when RTFAing, I've seen the first portion of that article a bazillion times, but not well enough apparently. – chickenandporn Apr 18 '14 at 17:32
  • Not related to the answer, but port zoning is the best practice for FICON fabrics – Basil Apr 18 '14 at 20:53
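
The distinction the thread settles on, as an added example (not code from either answer or from the Brocade paper): a simplified model in which member identification (WWPN vs. domain,port) and enforcement (name-server filtering only vs. per-frame filtering) are independent settings. The `Fabric` class, the third host's WWPN and the domain,port values are constructed for illustration; the two zoned WWPNs are the ones from the zone shown above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    wwpn: str    # identity carried by the HBA or array port
    domain: int  # switch domain the device is attached to
    port: int    # physical switch port

class Fabric:
    def __init__(self, zones, hard):
        self.zones = zones  # zone name -> set of WWPN strings and/or (domain, port) tuples
        self.hard = hard    # enforcement is a property of the switch, not of the zone
        self.devices = {}

    def login(self, dev):
        self.devices[dev.wwpn] = dev

    def zoned_together(self, a, b):
        ids = lambda d: {d.wwpn, (d.domain, d.port)}
        return any(ids(a) & z and ids(b) & z for z in self.zones.values())

    def name_server_query(self, wwpn):
        # Discovery is filtered by zone membership under both enforcement styles.
        me = self.devices[wwpn]
        return sorted(d.wwpn for d in self.devices.values()
                      if d.wwpn != wwpn and self.zoned_together(me, d))

    def deliver_frame(self, src, dst):
        # Hard: every frame is checked. Soft: nothing is checked after discovery.
        if not self.hard:
            return True
        return self.zoned_together(self.devices[src], self.devices[dst])

HOST, ARRAY = "10000000c9123456", "50000972084e05ad"  # the two pwwns in the zone on the page
OTHER = "10000000c9abcdef"                            # constructed, unzoned host
WWPN_ZONE = {"Z1": {HOST, ARRAY}}
PORT_ZONE = {"Z1": {(1, 1), (1, 8)}}                  # constructed domain,port members

def build(zones, hard, host_port=1):
    f = Fabric(zones, hard)
    for dev in (Device(HOST, 1, host_port), Device(ARRAY, 1, 8), Device(OTHER, 1, 3)):
        f.login(dev)
    return f

if __name__ == "__main__":
    for zones in (WWPN_ZONE, PORT_ZONE):
        for hard in (True, False):
            f = build(zones, hard, host_port=5)  # host recabled from port 1 to port 5
            print(hard, f.name_server_query(HOST), f.deliver_frame(OTHER, ARRAY))
```

With `host_port=5` the WWPN-defined zone still lets the host reach the array, while the port-defined zone no longer matches it; in both cases the unzoned host's frames are dropped only when `hard` is true.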