Zone Enforcement; The Default Zone - Cisco DS-C9216I-K9 Configuration Manual


Step 4  Enter the VSAN ID where the zone set merge failure occurred, in the For Active Zoneset Merge Problems in VSAN field.

Step 5  Click Analyze to analyze the zone merge. Click Clear to clear the analysis data from the Zone Merge Analysis window. If you click Analyze without clicking Clear, the new zone merge analysis data displays below the old data.

Zone Enforcement

Zoning can be enforced in two ways—soft and hard. Each end device (N port or NL port) discovers other
devices in the fabric by querying the name server. When a device logs in to the name server, the name
server returns the list of other devices that can be accessed by the querying device. If an Nx port does
not know about the FC IDs of other devices outside its zone, it cannot access those devices.

In soft zoning, zoning restrictions are applied only during interaction between the name server and the
end device. If an end device somehow knows the FC ID of a device outside its zone, it can access that
device.

Hard zoning is enforced by the hardware on each frame sent by an Nx port. As frames enter the switch,
source-destination IDs are compared with permitted combinations to allow the frame at wirespeed. Hard
zoning is applied to all forms of zoning.

Hard zoning enforces zoning restrictions on every frame, and prevents unauthorized access.

Switches in the Cisco MDS 9000 Family support both hard and soft zoning.

The Default Zone

Each member of a fabric (in effect, a device attached to an Nx port) can belong to any zone. If a member
is not part of any active zone, it is considered to be part of the default zone. Therefore, if no zone set is
active in the fabric, all devices are considered to be in the default zone. Even though a member can
belong to multiple zones, a member that is part of the default zone cannot be part of any other zone. The
switch determines whether a port is a member of the default zone when the attached port comes up.

Unlike configured zones, default zone information is not distributed to the other switches in the fabric.

Traffic can either be permitted or denied amongst members of the default zone. This information is not
distributed to all switches; it must be configured in each switch.

When the switch is initialized for the first time, no zones are configured and all members are considered
to be part of the default zone. Members are not permitted to talk to each other.

Configure the default zone policy on each switch in the fabric. If you change the default zone policy on
one switch in a fabric, be sure to change it on all the other switches in the fabric. The default zone
members are explicitly listed when the default policy is configured as permit or when a zone set is active.
When the default policy is configured as deny, the members of this zone are not explicitly enumerated.

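
The following added example (not from the Cisco guide, and not Cisco code) models the soft and hard enforcement modes and the per-switch default zone policy described in the two sections above, so the difference in what each mode actually blocks can be checked. The class, the `build` helper and the FC ID values are hypothetical, and the model assumes the name server filters its replies in both modes.

```python
# Constructed FC IDs for illustration; not taken from the guide.
HOST_A, ARRAY_B, HOST_C, HOST_D = 0x010100, 0x010200, 0x010300, 0x010400

class SwitchModel:
    """Toy model of one switch's zoning decisions (hypothetical, not Cisco code)."""

    def __init__(self, active_zones, hard, default_policy="deny"):
        self.zones = [frozenset(z) for z in active_zones]   # active zone set
        self.hard = hard                                    # True = per-frame check
        self.default_permit = (default_policy == "permit")  # local to this switch
        self.logged_in = set()

    def in_default_zone(self, fcid):
        # A member that is in no active zone belongs to the default zone.
        return not any(fcid in z for z in self.zones)

    def permitted(self, src, dst):
        if any(src in z and dst in z for z in self.zones):
            return True
        # Default zone members reach each other only if local policy is permit.
        return (self.default_permit and self.in_default_zone(src)
                and self.in_default_zone(dst))

    def name_server_query(self, src):
        # Assumption: the name server filters its reply in both modes.
        return sorted(d for d in self.logged_in
                      if d != src and self.permitted(src, d))

    def forward(self, src, dst):
        if dst not in self.logged_in:
            return False
        # Hard zoning checks every frame; soft zoning never looks at frames.
        return self.permitted(src, dst) if self.hard else True

def build(hard, default_policy="deny"):
    # One active zone {HOST_A, ARRAY_B}; HOST_C and HOST_D fall in the default zone.
    sw = SwitchModel([{HOST_A, ARRAY_B}], hard, default_policy)
    sw.logged_in.update({HOST_A, ARRAY_B, HOST_C, HOST_D})
    return sw

if __name__ == "__main__":
    for hard in (False, True):
        sw = build(hard)
        print("hard" if hard else "soft",
              "name server reply to HOST_C:", sw.name_server_query(HOST_C),
              "| HOST_C -> ARRAY_B frame delivered:", sw.forward(HOST_C, ARRAY_B))
```

In the soft model the name server hides ARRAY_B from HOST_C, yet a frame addressed to its FC ID is still delivered; in the hard model the same frame is dropped.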
Cisco MDS 9000 Fabric Manager Switch Configuration Guide
15-14
Chapter 15
Configuring and Managing Zones
OL-7753-01
