Zoning; Zoning Enforcement; Zoning Guidelines - HP StorageWorks 4000/6000/8000 - Enterprise Virtual Arrays Reference Manual

and returns the LUNs assigned to the WWN. Any other LUNs on that storage port are not available
to the server.

Zoning

This section describes configuration recommendations for:
Zoning enforcement, page 421
Zoning guidelines, page 421
EBS zoning, page 423
Zone naming, page 423

Zoning enforcement

To protect against unauthorized access, Fibre Channel switches provide three types of zoning
enforcement (listed here in order of enforcement):
Access authorization
Access authorization provides frame-level access control in hardware and verifies the SID-DID
combination of each frame. The frame is delivered to the destination only if specified as a valid
combination in the zone definition. This method offers a high level of security and is classified as
hard zoning because it requires hardware resources at the ASIC level.
Discovery authentication
Discovery authentication occurs during access to the name server (NS) directory. The fabric presents only a
partial list of authorized devices from the NS directory. This method may be enforced by software
or hardware, depending on the switch model. When enforced by software, this method is susceptible
to security threats from unauthorized devices that violate Fibre Channel protocols.
Soft-plus zoning by login authentication
In addition to discovery authentication, some switches enforce authentication at the Fibre Channel
protocol login frame level. For example, if a host sends a PLOGI frame to a device that is not a
member of its zone, the frame is dropped. Login authentication provides more protection than
discovery authentication but is not as secure as access authorization.
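
The three enforcement types can be compared with a small model. The following Python sketch is an added illustration, not part of the HP guide or any switch firmware; the zone names, 24-bit fabric addresses and the "DATA" frame label are constructed. It lists which out-of-zone SID-DID pairs the fabric would still forward under each enforcement type.

```python
# Added illustration: a toy model of the three zoning enforcement types.
# Zone names, fabric addresses and the "DATA" frame label are constructed.
from enum import Enum
from itertools import permutations

class Enforcement(Enum):
    DISCOVERY = "discovery authentication"   # name server list is filtered
    LOGIN = "login authentication"           # plus: out-of-zone PLOGI dropped
    ACCESS = "access authorization"          # every frame's SID-DID checked

# Constructed zone set: zone name -> 24-bit fabric addresses of its members.
ZONES = {
    "z_hostA_array1": {0x010100, 0x020100},
    "z_hostB_array2": {0x010200, 0x020200},
}
FABRIC = sorted(set().union(*ZONES.values()))

def zoned_together(sid, did):
    """True if SID and DID are members of at least one common zone."""
    return any(sid in m and did in m for m in ZONES.values())

def ns_query(sid):
    """Discovery authentication: the partial NS list shown to the requester."""
    return [d for d in FABRIC if d != sid and zoned_together(sid, d)]

def delivered(frame, sid, did, mode):
    """Does the fabric forward this frame? Models the switch only, not
    whether the destination port would accept it."""
    if zoned_together(sid, did):
        return True
    if mode is Enforcement.ACCESS:
        return False                      # hardware check on every frame
    if mode is Enforcement.LOGIN and frame == "PLOGI":
        return False                      # login frame dropped
    return True                           # nothing inspects this frame

def unenforced_pairs(frame, mode):
    """Out-of-zone SID-DID pairs the fabric would still forward."""
    return [(s, d) for s, d in permutations(FABRIC, 2)
            if not zoned_together(s, d) and delivered(frame, s, d, mode)]

if __name__ == "__main__":
    print("NS view of 0x010100:", [hex(d) for d in ns_query(0x010100)])
    for mode in Enforcement:
        for frame in ("PLOGI", "DATA"):
            n = len(unenforced_pairs(frame, mode))
            print(f"{mode.value:24} {frame:5} out-of-zone pairs forwarded: {n}")
```

Only access authorization brings the count to zero for every frame type, which is why the zone configuration should be chosen so that the switch can apply it.
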
The zone configuration and the switch model determine the type of zoning enforcement you can
implement in your SAN fabric. For information about the relationship of zone configuration with
zoning enforcement, see the following tables:
Table 17 on page 91 (H-series)
Table 35, page 128 (B-series)
Table 53, page 150 (C-series)
Table 70, page 165 (M-series)
Some system restrictions affect the movement of devices within the fabric, regardless of zoning type.
For example, some operating systems, such as HP-UX, create device file names based on the 24-bit
fabric address and do not allow moving the device to a different port. A change in the address causes
the device to be treated as a different device.

Zoning guidelines

Use one of the following zoning methods:
Operating system (minimum level required)
SAN Design Reference Guide
421
