Brocade Fibre Channel Networking Community


Isolation zone question

  • 1.  Isolation zone question

    Posted 01-08-2014 11:05 AM

    I'll try to explain our setup as clearly as possible.

     

    We recently migrated to a new SAN, though still have some connections to the old for backups.

     

    Old SAN:  Discrete Servers, McData switches, default zoning access none;  all connections had unique zones.

    On the old SAN still is our ADIC Scalar i2000 tape library...

     

    New SAN:  Hosts are on a Dell M1000 chassis, equipped with two M5424 fabric switches, which in turn have two connections each to a pair of Brocade 5100s, for two, redundant fabrics with failover.  (When we ordered all this, I didn't know about the M5424s, they were added later without my knowledge by the admin for these servers, and as far as I'm concerned, they're unnecessary because we have 48 ports each on the 5100s).

     

    Anyway, here's the thing.  For sake of simplicity, I left our Brocades in a zoning configuration of "Access All", as opposed to the way it worked with the McDatas;  security is physical, plus LUN and host mapping.    Most hosts have double HBAs, and they use dm-multipath for this.

     

    So far so good.. but now I need to move our Scalar i2000 tape library over to the new SAN fabric, and the problem is,  I'm trying to avoid the hosts from seeing duplicates of their LUN mapped tape drive due to the redundant paths;  since the hosts have two HBAs, and will go through both pairs of  m5424 switches (even if I just plug into only one Brocade).

     

    How do I isolate the Scalar's connections for the hosts?  If I create an explicit zone for each host, one HBA port to one port on the Scalar, will the other ports ignore it?  Or do I need to make an Isolation Zone?  

    I really don't want to have to change the default zoning configuration if I don't have to.

     

    Lastly, they screwed up on ISL licenses too, so the two pairs of switches are just cascaded (E ports).

     

    Hope that makes sense..


    #BrocadeFibreChannelNetworkingCommunity


  • 2.  Re: Isolation zone question

    Posted 01-08-2014 09:59 PM

    New SAN:  Hosts are on a Dell M1000 chassis, equipped with two M5424 fabric switches, which in turn have two connections each to a pair of Brocade 5100s, for two, redundant fabrics with failover.  (When we ordered all this, I didn't know about the M5424s, they were added later without my knowledge by the admin for these servers, and as far as I'm concerned, they're unnecessary because we have 48 ports each on the 5100s).

    Perhaps not on basis of ports available on the 5100, but unless Dell offers something similar to HP Virtual Connect, you would be using passthrough modules and run 2 FC cables per blade to get them to the 5100. Now you are using less. So less cables, the 5100 could be licensed for less ports, so you could end up with reduced CAPEX and OPEX.

     


    Anyway, here's the thing.  For sake of simplicity, I left our Brocades in a zoning configuration of "Access All", as opposed to the way it worked with the McDatas;  security is physical, plus LUN and host mapping.    Most hosts have double HBAs, and they use dm-multipath for this.

    This is not according to best practices and really puts you in a bad position to implement zoning for the tape library.

    It's bad practice because with zoning you try to mimic a classic SCSI bus as closely as possible, 99% of the time this means ONE initiator ONE or MULTIPLE targets. In your case we have a couple of blades (say 9) in your chassis, with defzone all access you have 9 initiators that can see each other, producing unnecessary chatter. It's a bad starting point because the moment you implement your first zoneset, only those devices which are zoned are able to talk to their targets. If you missed something, too bad, the device will lose connection to whatever it was supposed to talk to.

    How do I isolate the Scalar's connections for the hosts? If I create an explicit zone for each host, one HBA port to one port on the Scalar, will the other ports ignore it? Or do I need to make an Isolation Zone? I really don't want to have to change the default zoning configuration if I don't have to.
    I don't know the iscalar at all to give you an answer. Something that might point you in a direction though, in general tape libraries do understand the concept of LUN masking. Sometimes you may need an additional license to enable the feature, read the admin manual for your system to find out if the feature is there and then try it. On the part of zoning, regardless of what your tape library will support, I strongly advise you to implement zoning. Here's Brocade's view on the subject, page 9 is of interest to you: http://www.brocade.com/downloads/documents/white_papers/Zoning_Best_Practices_WP-00.pdf

    Lastly, they screwed up on ISL licenses too, so the two pairs of switches are just cascaded (E ports).
    What's the screwup with ISL licenses? All switches can produce E ports, or so I understood from your text, so license wise you should be good. Can you draw a schema of how it currently is and how you expected it to be and attach it pls?


  • 3.  Re: Isolation zone question

    Posted 01-09-2014 08:43 AM

    Perhaps not on basis of ports available on the 5100, but unless Dell offers something similar to HP Virtual Connect, you would be using passthrough modules and run 2 FC cables per blade to get them to the 5100. Now you are using less.

     

    I agree.  They decided to minimize the number of cable runs for clutter's sake I guess, but they really reduced their bandwidth and increased the complexity of the setup.

     

    This is not according to best practices and really puts you in a bad position to implement zoning for the tape library.

    It's bad practice because with zoning you try to mimic a classic SCSI bus as closely as possible, 99% of the time this means ONE initiator ONE or MULTIPLE targets. In your case we have a couple of blades (say 9) in your chassis, with defzone all access you have 9 initiators that can see each other, producing unnecessary chatter. It's a bad starting point because the moment you implement your first zoneset, only those devices which are zoned are able to talk to their targets. If you missed something, too bad, the device will lose connection to whatever it was supposed to talk to.

     

    I realize it's not optimal, but being as I'm stretched between so many duties and specialties, I'm forced to be a jack of all trades and master of none.  That's State employment for you. 

    The hosts are managed by a unit other than my own (I'm the SAN admin yet oddly my own unit's servers are not on the SAN);  they were hooking things up and wanted LUNs quickly as possible, so I did what I could with the time I had.

    On the plus side, it's not a particularly large SAN, there are maybe 9 servers on it, not that many more to be added.  (Famous last words, right?)

     

    But.. I can create the zones "off to the side" so to speak,  while the switches still run in default open mode in the meantime, then switch over to the new configuration all at once, correct?  

    So, it won't create outages to switch the default config? As there's not that many connections yet, I'm not likely to miss any.  This is still pretty new.

     

    I don't know the iscalar at all to give you an answer. Something that might point you in a direction though, in general tape libraries do understand the concept of LUN masking. Sometimes you may need an additional license to enable the feature, read the admin manual for your system to find out if the feature is there and then try it.

     

    D'oh!  Yes, I overlooked that.  I can LUN map the Scalar to a single WWN, not a single host.  Non-issue then, from that perspective. Okay, for now, that gets me around the zoning/dupe issue.

     

    What's the screwup with ISL licenses? All switches can produce E ports, or so I understood from your text, so license wise you should be good. Can you draw a schema of how it currently is and how you expected it to be and attach it pls?

     

    I'm not very versed in ISL, but I understood that was the proper way to link multiple switches, which leads to improved bandwidth..

    as it is, everything is now choked through one 8GB port per switch..




  • 4.  Re: Isolation zone question
    Best Answer

    Posted 01-10-2014 06:35 AM

    But.. I can create the zones "off to the side" so to speak,  while the switches still run in default open mode in the meantime, then switch over to the new configuration all at once, correct?  

    So, it won't create outages to switch the default config? As there's not that many connections yet, I'm not likely to miss any.  This is still pretty new.

     

     

    Yes you should be able to create zones(et) as long as you don't cfgenable a config.

    Once you are done cfgenable the complete zoneset, still any errors might break something, so better check carefully before you proceed.

     

     

    I'm not very versed in ISL, but I understood that was the proper way to link multiple switches, which leads to improved bandwidth..

    as it is, everything is now choked through one 8GB port per switch

     

    Ok so if you suspect a bottleneck then add additional ISL's (perhaps even trunk them (requires a license)).

    Better still start measuring the switches to make sure you have a bottleneck somewhere, and what kind of bottleneck it is.

    Bandwidth, bb credits etc, once that has been determined add resources where they are needed.


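Added example, not part of any post in this thread and not Brocade tooling: a pre-`cfgenable` audit of a staged zone config, covering both the single-initiator advice in reply 2 and the "check carefully before you proceed" advice in reply 4. All WWPNs, device names and zone names are constructed sample data; the emitted `zonecreate`/`cfgcreate`/`cfgsave` lines are standard Fabric OS commands, and `cfgenable` is deliberately left for the operator to run once the audit is clean.

```python
# Added example: audit a staged (defined, not enabled) Brocade zone config
# before cfgenable. All WWPNs, device and zone names are constructed.

# Devices currently logged in to the fabric: WWPN -> (name, role).
DEVICES = {
    "10:00:00:00:c9:aa:00:01": ("blade1_hba0", "initiator"),
    "10:00:00:00:c9:aa:00:02": ("blade2_hba0", "initiator"),
    "10:00:00:00:c9:aa:00:03": ("blade3_hba0", "initiator"),
    "50:06:01:60:bb:00:00:0a": ("cx4_spa", "target"),
    "50:06:01:68:bb:00:00:0b": ("cx4_spb", "target"),
    "50:03:08:c0:cc:00:00:01": ("scalar_drive1", "target"),
}

# Access that works today under "all access" and must survive the cutover.
REQUIRED = {
    "10:00:00:00:c9:aa:00:01": ["50:06:01:60:bb:00:00:0a", "50:03:08:c0:cc:00:00:01"],
    "10:00:00:00:c9:aa:00:02": ["50:06:01:60:bb:00:00:0a"],
    "10:00:00:00:c9:aa:00:03": ["50:06:01:68:bb:00:00:0b"],
}

# Staged config with two deliberate mistakes: blade3 was forgotten,
# and z_shared holds two initiators.
STAGED = {
    "z_blade1_hba0": ["10:00:00:00:c9:aa:00:01", "50:06:01:60:bb:00:00:0a",
                      "50:03:08:c0:cc:00:00:01"],
    "z_shared": ["10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:aa:00:02",
                 "50:06:01:60:bb:00:00:0a"],
}

def single_initiator_zones(required, devices):
    """One zone per initiator: the initiator plus each target it needs."""
    return {f"z_{devices[i][0]}": [i] + sorted(t) for i, t in sorted(required.items())}

def audit(zones, devices, required):
    """Findings that would cut access at cfgenable or break single-initiator zoning."""
    findings = []
    zoned = {w for members in zones.values() for w in members}
    for wwpn in sorted(set(devices) - zoned):      # logged in, but in no zone
        findings.append(("unzoned_device", devices[wwpn][0]))
    for wwpn in sorted(zoned - set(devices)):      # typo or stale WWPN in a zone
        findings.append(("unknown_member", wwpn))
    for name, members in sorted(zones.items()):
        inits = [w for w in members if devices.get(w, ("", ""))[1] == "initiator"]
        if len(inits) > 1:
            findings.append(("multi_initiator_zone", name))
    for init, targets in sorted(required.items()):
        for tgt in targets:                        # pair must share at least one zone
            if not any(init in m and tgt in m for m in zones.values()):
                findings.append(("lost_path", f"{devices[init][0]}->{devices[tgt][0]}"))
    return findings

def fos_commands(cfg_name, zones):
    """Emit zonecreate/cfgcreate/cfgsave lines; cfgenable is left to the operator."""
    cmds = [f'zonecreate "{n}", "{"; ".join(m)}"' for n, m in sorted(zones.items())]
    cmds.append(f'cfgcreate "{cfg_name}", "{"; ".join(sorted(zones))}"')
    cmds.append("cfgsave")
    return cmds

if __name__ == "__main__":
    for finding in audit(STAGED, DEVICES, REQUIRED):
        print("STAGED:", finding)
    fixed = single_initiator_zones(REQUIRED, DEVICES)
    print("FIXED findings:", audit(fixed, DEVICES, REQUIRED))
    print("\n".join(fos_commands("cfg_new", fixed)))
```
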


  • 5.  Re: Isolation zone question

    Posted 01-10-2014 08:06 AM

    Ok so if you suspect a bottleneck then add additional ISL's (perhaps even trunk them (requires a license)).

    Better still start measuring the switches to make sure you have a bottleneck somewhere, and what kind of bottleneck it is.

    Bandwidth, bb credits etc, once that has been determined add resources where they are needed.

     

    I don't really suspect a bottleneck at this point, but I prefer maximum bandwidth and throughput when possible on general principle.

    But I think you just explained something to me.  The license we don't  have is to trunk multiple ISL ports; as is, we have just the one.

    I think we're okay for now at least, there have been errors or warnings, no complaints of poor performance either.. and our F port connections are 4GB.. I think the ISL E port is 8GB.. but as I'm not in today, I'll have to double check that Monday.

    Or.. someone told me that 8GB means 4 GB receive, 4GB transmit.. I didn't think that was right though.

     

     




  • 6.  Re: Isolation zone question

    Posted 01-10-2014 10:50 AM
    8Gb means simultaneous rx and tx 8Gb, ie full duplex


  • 7.  Re: Isolation zone question

    Posted 01-13-2014 10:18 AM

    Yes you should be able to create zones(et) as long as you don't cfgenable a config.

    Once you are done cfgenable the complete zoneset, still any errors might break something, so better check carefully before you proceed.

     

    Lastly,  In the odd event I somehow miss something bad, going back to the default config (I assume this terminology is the same as "zone set")  -which is "all access"-   should be an option...until I create the error... yes?

    Sorry I'm inundating you with questions. I wish I had a development environ to test on but that'll never happen. 




  • 8.  Re: Isolation zone question

    Posted 01-13-2014 12:46 PM

    cfgdisable will disable the zoneset and should restore the defzone all access mode




  • 9.  Re: Isolation zone question

    Posted 01-14-2014 07:28 AM

     

    I forgot one other thing.. I'm fairly certain that if I create the zones in the 5100s, the m5424s will pick them up automatically  (master - surrogate), but since I never conf'd the M5424 I'm not 100% sure. The M5424s were bought by the unit who own the servers, for which I have no to limited access.  They're most likely at whatever the default settings would be.  (another reason it irked me that they went and  bought them without consulting me)

     

    In the Switch Explorer console for the 5100s, the m5424s do in fact show up as part of the fabric, but I can't get to their web console .. it appears that other unit either did actually put an IP on them but it's one that is an inaccessible VLAN (not routed), or, it's a default IP from Dell (10.8.192.x), that either way, is currently inaccessible.




  • 10.  Re: Isolation zone question

    Posted 01-14-2014 11:30 AM

    As they are part of the fabric zones propagate to them without any problem.

     

     

    As they are part of the fabric YOU need access to those switches.

    It's not good practice (IMHO) to divide responsibilities over one common thing (being the fabrics) without either one having access to all gear comprising said fabrics.

    So if the other unit is unwilling to give you access, force them into using the AG mode, in which the switch is no longer participating in the fabric. Or other way around, hand them over management of the other FC switches.

     

     

     

     

     




  • 11.  Re: Isolation zone question

    Posted 01-14-2014 02:16 PM

    As they are part of the fabric zones propagate to them without any problem.

     

    As they are part of the fabric YOU need access to those switches.

    It's not good practice (IMHO) to divide responsibilities over one common thing (being the fabrics) without either one having access to all gear comprising said fabrics.

    So if the other unit is unwilling to give you access, force them into using the AG mode, in which the switch is no longer participating in the fabric. Or other way around, hand them over management of the other FC switches.

     

    Well, that's good news.  I just now figured out that my 5100s are surrogates, the 5424s must be the principals.  Not huge, but not cool either IMO.  I'm going to want to promote my 5100s.  (fabricprincipal command) 

    I'm learning!

     

    My 5100s are the largest, beefiest switches, so.. I think they'll have to work a lot closer with me.  I agree with you, it really is a poor setup. (Same thing with the backups too, I'm the backend for this unit,  they install and conf their backup clients)

    I read up on the AG mode earlier today, that sounds enticing, except that it would cause a reboot of the switch.  But, if I do only one at a time.. and they have true redundancy, that shouldn't hurt.  

    From the docs, it looked like AG mode is for use between two switches, if this were enabled on the 5424s, wouldn't I still have the issue with traffic on all its ports, or would it force it to work like a passthrough?  The fact that m5424s are part of a chassis muddles things a bit for me.

     

    We have another Dell M1000 chassis equipped with m5424s coming up soon, so I'll have to get familiar with them.

     




  • 12.  Re: Isolation zone question

    Posted 01-14-2014 11:34 PM

     

    Well, that's good news.  I just now figured out that my 5100s are surrogates, the 5424s must be the principals.  Not huge, but not cool either IMO.  I'm going to want to promote my 5100s.  (fabricprincipal command) 

    I'm learning!


    Must be, the fabricshow command lists this as > in front of the line with the principal switch.

    Also switchshow will show the role of the switch.

    Indeed with fabricprincipal you can overrule or adjust the default behaviour in principal selection.


    My 5100s are the largest, beefiest switches, so.. I think they'll have to work a lot closer with me.  I agree with you, it really is a poor setup. (Same thing with the backups too, I'm the backend for this unit,  they install and conf their backup clients)

    I read up on the AG mode earlier today, that sounds enticing, except that it would cause a reboot of the switch.  But, if I do only one at a time.. and they have true redundancy, that shouldn't hurt.  

    From the docs, it looked like AG mode is for use between two switches, if this were enabled on the 5424s, wouldn't I still have the issue with traffic on all its ports, or would it force it to work like a passthrough?  The fact that m5424s are part of a chassis muddles things a bit for me.

     

    We have another Dell M1000 chassis equipped with m5424s coming up soon, so I'll have to get familiar with them.

     


    Well if you got more incoming blade chassis and they are to be connected to the same set of 5100's, you sure need to set up zoning.

     

    AG mode disables all Fabric services on that particular switch, but it does not become a passthrough module.

    Passthrough modules create an external facing interface which you can patch, they typically do not contain any logic.

     

    AG mode is a Brocade term, but you still need to configure (usually once) and manage it (not often).

    The/A admin guide is found >> http://www.brocade.com/downloads/documents/product_manuals/B_SAN/AccessGateway_AdminGd_v700.pdf

    With just one ISL you must create a custom port map as the default map maps two internal ports to one external port.

    You do need to have all ports licensed on the embedded switches before you can proceed (again access is required),

    You still have the issue of the ISL oversubscription as all blades go through that ISL.

    Again you can cable additional links, and decide whether you want to map individual internal ports to external ports or to use F-port trunking (trunking license applies) > http://www.brocade.com/downloads/documents/html_product_manuals/AG_AG_701/wwhelp/wwhimpl/common/html/wwhelp.htm#href=AG_Policies.7.10.html&single=true

     

     

     




  • 13.  Re: Isolation zone question

    Posted 02-06-2014 12:54 PM

    Revisiting this again..

     

    This had to be put aside due to other emergencies that popped up.

     

    The more I look at this situation, the more lost I feel.   Our old SAN was simple:  just two switches, each its own fabric;  zoning was unique to each switch,  paths were straightforward from host hba to switch to array or tape library.

     

    Now all four switches show as one single fabric, and the unit is not using multipathing, so my two main switches (the 5100s) do not have the same connections.  

     

    If I create a zone on one, doesn't that try to propagate to the others? If a switch doesn't see that WWN, will it just ignore the zone?

     

    Also, I had made 3 test zones 3 weeks ago, and saved (but not enabled!) the config..  now I go back and look, and they're gone.

    Wondering if that's because the switch was not a principal and got its info overwritten.

    I've since enabled one of my 5100s as principal.   Can more than one switch be principal?

     




  • 14.  Re: Isolation zone question

    Posted 02-06-2014 01:06 PM

    --->>>Now all four switches show as one single fabric,...

     

    --->>>If I create a zone on one, doesn't that try to propagate to the others?

     

    If all switches are in the same fabric, ISL'd one to another, then when you create a config or whatever, this will be propagated to all switches in the fabric.

     

    The same if you remove an alias, config or zone, or make a change on a switch: the same happens fabric-wide.

     

    -->>I've since enabled one of my 5100s as principal.   Can more than one switch be principal?

    No. In the same fabric only one switch can become principal; all others are subordinate.

     

     




  • 15.  Re: Isolation zone question

    Posted 02-07-2014 08:18 AM

    This is becoming a real nightmare.

     

    The way they set this up, I'm the "SAN admin", but the hosts are not mine and I don't have access, they just wanted me to manage the "back end", which really doesn't work in the real world.

     

    Problem number one:  the unit running the hosts isn't running multipathing.  It's not my place to dictate their practices to them, though they know that's how it should be.  They claim issues with the operating system or databases when they do it.

     

    A member of the unit that owns the server blade chassis which houses the m5424s also manages the datacenter, and did the cable hookup for me.

     

    Here's the layout:

     

    A Dell m1000e chassis with two m5424s:  both of these switches connect to both of my 5100s, in a cross matrix style redundant hookup. 

    However, only one 5100 each is connected to an SP port in our array, which is an EMC CX-4  (SP-A and SP-B)

    5100A  <--> SPA

    5100B  <--> SPB

     

    (logical because the CX-4 has only two input fibre ports)

     

    The cross redundant cabling of the 5424s with the 5100s is what, if I'm not mistaken, is causing the switches to be all part of the same fabric.

    I'd prefer two separate fabrics (which we had before and was far more simple) where:

    * one m5424 is connected to 5100  "A"

    * the other m5424 is connected to the other 5100 "B". 

     

    From there, each of the 5100s has a single connection to the CX-4, as it does currently.

    That way, I can hopefully create zones in totally separate paths.

     

    If I were to eliminate the cross-over cabling between the 5424s and the 5100s, would that essentially split the fabric, or do I need to learn all about the AD commands.. because I've never received training and it's all over my head. 

     

    I also have to check with the CX-4, I don't think the input ports A and B are locked into SPA and SPB but I might be wrong, in which case, none of this will work.  (I can't check on the CX-4 docs because of a current snafu between Dell and EMC, I don't have access to EMC's KB because we bought it through Dell and someone got the serial number wrong).

     

     

     




  • 16.  Re: Isolation zone question

    Posted 02-07-2014 09:50 AM

    I just checked deeper and it seems the inputs for SPA and SPB are in fact dedicated, from what I can tell.

     

    There are also servers they connected that are not part of the blade chassis and are plugged right into the second 5100 ("B") but not the first.  ("A")

     

    So, separating the fabrics like this:

     

    • Fabric 1:  m5424A  <---> 5100A  <---> SPA
    • Fabric 2:  m5424B  <---> 5100B <---> SPB

     

    Would mean any servers plugged into only the 5100B  but had LUNs owned by SPA would get cut off from its data, from what I gather.   Greaaat.

