Users Guide

Fabric OS Administrator’s Guide 371
53-1002920-02
Security and zoning
Zones provide controlled access to fabric segments and establish barriers between operating
environments. They isolate systems with different uses, protecting individual systems in a
heterogeneous environment; for example, when zoning is in secure mode, no merge operations
occur.
Brocade Advanced Zoning is configured on the primary fabric configuration server (FCS). The
primary FCS switch makes zoning changes and other security-related changes. The primary FCS
switch also distributes zoning to all other switches in the secure fabric. All existing interfaces can
be used to administer zoning.
You must perform zone management operations from the primary FCS switch using a zone
management interface, such as Telnet or Web Tools. You can alter a zone database, provided you
are connected to the primary FCS switch.
When two secure fabrics join, the traditional zone merge does not occur. Instead, a zone database
is downloaded from the primary FCS switch of the merged secure fabric. When E_Ports are active
between two switches, the name of the FCS server and a zoning policy set version identifier are
exchanged between the switches. If the views of the two secure fabrics are the same, the fabric’s
primary FCS server downloads the zone database and security policy sets to each switch in the
fabric. If there is a view conflict, the E_Ports are segmented due to incompatible security data.
All zones should use frame-based hardware enforcement; the best way to do this is to use WWN
identification exclusively for all zoning configurations.
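The following is an added example, not part of the Brocade guide: a small audit that reports every zone whose members are not exclusively WWNs, as the recommendation above calls for. The listing text, its layout, and the function names are constructed assumptions for illustration.

```python
import re
WWN = re.compile(r"^(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$")

# Constructed sample; the layout ("zone:"/"alias:" name, then ';'-separated
# members, optionally on indented continuation lines) is an assumption.
SAMPLE = """\
Defined configuration:
 cfg:   prod_cfg  db_zone; backup_zone; legacy_zone
 zone:  db_zone   10:00:00:05:1e:aa:bb:01; array_a
 zone:  backup_zone
                10:00:00:05:1e:aa:bb:02; tape_lib
 zone:  legacy_zone  1,4; 10:00:00:05:1e:aa:bb:03
 alias: array_a   50:06:01:60:aa:bb:cc:01; 50:06:01:61:aa:bb:cc:01
 alias: tape_lib  2,7
"""

def parse_defined(text):
    """Return ({zone: [members]}, {alias: [members]}) from the listing."""
    tables = {"zone": {}, "alias": {}}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*(cfg|zone|alias):\s+(\S+)\s*(.*)$", line)
        if m:
            kind, name, rest = m.groups()
            current = tables[kind].setdefault(name, []) if kind in tables else None
        elif current is not None and line.startswith(" "):
            rest = line  # indented continuation of the previous entry
        else:
            current = None
        if current is not None:
            current.extend(p.strip() for p in rest.split(";") if p.strip())
    return tables["zone"], tables["alias"]

def non_wwn_zones(text):
    """Map each zone that is not WWN-only to its offending members.
    Aliases are expanded one level; any non-WWN item is reported."""
    zones, aliases = parse_defined(text)
    findings = {}
    for zone, members in zones.items():
        bad = [item if item == member else f"{member} -> {item}"
               for member in members
               for item in aliases.get(member, [member])
               if not WWN.match(item)]
        if bad:
            findings[zone] = bad
    return findings

if __name__ == "__main__":
    for zone, bad in non_wwn_zones(SAMPLE).items():
        print(f"{zone}: not WWN-only ({', '.join(bad)})")
```

A zone is reported when a member is a domain,port pair, whether it is listed directly or reached through an alias.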
Zone merging
When a new switch is added to the fabric, it automatically takes on the zone configuration
information from the fabric. You can verify the zone configuration on the switch using the procedure
described in “Viewing the configuration in the effective zone database” on page 367.
If you are adding a switch that is already configured for zoning, clear the zone configuration on that
switch before connecting it to the zoned fabric. Refer to “Clearing all zone configurations” on
page 367 for instructions.
Adding a new fabric that has no zone configuration information to an existing fabric is very similar
to adding a new switch. All switches in the new fabric inherit the zone configuration data. If the
existing fabric has an effective zone configuration, then the same configuration becomes the
effective configuration for the new switches.
Before the new fabric can merge successfully, it must pass the following criteria:
Before merging
To facilitate merging, check the following before merging switches or fabrics:
- Defaultzone: The switches must adhere to the default zone merge rules, as described in
“Zone merging scenarios” on page 373.
- Effective and defined zone configuration match: Ensure that the effective and defined
zone configurations match. If they do not match, and you merge with another switch, the
merge may be successful, but unpredictable zoning and routing behavior can occur.