Enabling hard zoning, Overview – H3C Technologies H3C S10500 Series Switches User Manual

In enhanced zoning mode, the merge control mode affects the result of a merge operation. A merge operation is allowed only when the merge control mode is the same on both participating switches. Otherwise, the merge operation fails, and the link connecting the participating switches is isolated.

This feature is supported only in enhanced zoning mode. To ensure a consistent merge control mode across the fabric, use the zone activate or zone distribute command after you configure a merge control mode.
To configure a merge control mode:

Step 1: Enter system view.
        Command: system-view
        Remarks: N/A

Step 2: Enter VSAN view.
        Command: vsan vsan-id
        Remarks: N/A

Step 3: Configure a merge control mode.
        Command: zone merge-control restrict
                 (configures the merge control mode as Restrict)
                 undo zone merge-control restrict
                 (configures the merge control mode as Allow)
        Remarks: The default merge control mode is Allow.
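The procedure above sets the mode on one switch; the merge rule stated before it applies per ISL, so a fabric-wide check before activation is what a practitioner wants. The following is an added example, not code from the H3C manual: it models the rule that in enhanced zoning mode a merge succeeds only when both switches on an ISL use the same merge control mode for a VSAN, and otherwise the ISL is isolated. The switch names, VSAN IDs and ISL list are constructed sample data, and every switch is assumed to run in enhanced zoning mode, where the rule applies.

```python
"""Pre-check of merge control mode consistency across a fabric.

Added example, not code from the H3C manual. Models the rule that, in
enhanced zoning mode, a merge over an ISL succeeds only when both switches
use the same merge control mode for the VSAN; otherwise the ISL is isolated.
Switch names, VSAN IDs and the ISL list are constructed sample data.
"""
from typing import Dict, List, Tuple

ALLOW = "allow"        # default mode (undo zone merge-control restrict)
RESTRICT = "restrict"  # set with: zone merge-control restrict


class Switch:
    def __init__(self, name: str, merge_control: Dict[int, str] = None):
        self.name = name
        # vsan-id -> "allow" | "restrict"; VSANs not listed use the default, Allow
        self.merge_control = dict(merge_control or {})

    def mode_for(self, vsan: int) -> str:
        return self.merge_control.get(vsan, ALLOW)


def merge_outcome(a: Switch, b: Switch, vsan: int) -> str:
    """Return "merge" if the ISL between a and b can merge in this VSAN, else "isolated"."""
    return "merge" if a.mode_for(vsan) == b.mode_for(vsan) else "isolated"


def audit_fabric(isls: List[Tuple[Switch, Switch]], vsans: List[int]) -> List[Tuple[int, str, str, str, str]]:
    """List every (vsan, switch A, switch B, mode A, mode B) whose ISL would be isolated.

    Run this over the modes collected from each switch before you activate a
    changed merge control mode, so a mismatch is caught before it takes a link down.
    """
    problems = []
    for vsan in vsans:
        for a, b in isls:
            if merge_outcome(a, b, vsan) == "isolated":
                problems.append((vsan, a.name, b.name, a.mode_for(vsan), b.mode_for(vsan)))
    return problems


if __name__ == "__main__":
    # constructed sample fabric: sw1 and sw3 were set to Restrict in VSAN 10, sw2 was not
    sw1 = Switch("sw1", {10: RESTRICT})
    sw2 = Switch("sw2")
    sw3 = Switch("sw3", {10: RESTRICT})
    isls = [(sw1, sw2), (sw1, sw3), (sw2, sw3)]
    for problem in audit_fabric(isls, [10, 20]):
        print("VSAN %d: ISL %s-%s would be isolated (%s vs %s)" % problem)
```

In the sample fabric, both ISLs touching sw2 are reported for VSAN 10 while VSAN 20, where every switch still uses the default, merges cleanly; fixing sw2 (or using zone distribute from a switch that already has the intended mode) clears the report.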

Enabling hard zoning

Overview

Switches implement zone access control in one of the following methods:

- Soft zoning: When a registered node queries the nodes in the current fabric through generic service packets, soft zoning filters the nodes based on zone rules and returns only the matching nodes. Soft zoning is always in effect.
  Because soft zoning acts only when a node queries other nodes, it restricts only the results of the queries that a node sends to switches; it does not control the underlying traffic. When a node sends traffic directly to a node that the zone rules should hide from it, soft zoning cannot enforce access control for that node.

- Hard zoning: Hard zoning converts the zone configuration into lower-layer driver rules and deploys them to the hardware as hardware zone rules. Traffic in the switch is then forwarded strictly according to the hardware zone rules. Hard zoning takes effect only when the hardware resources are sufficient for deploying the zone rules.
  When the underlying resources are not sufficient for deploying the hardware zone rules of the current VSAN, the system performs the following operations:
  o Clears all deployed hardware zone rules, so that no partial rule set is left in hardware.
  o Automatically disables hard zoning.
  To improve security for a VSAN, you can enable hard zoning for the VSAN. After hard zoning is enabled for a VSAN, the system deploys all zone rules of the VSAN. After hard zoning is manually disabled for a VSAN, the system clears the hardware zone rules already deployed for the VSAN and stops deploying new zone rules for it.

The two methods can work separately and supplement each other. Together they implement node access control based on the zone configuration.
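The distinction above (soft zoning filters only query results, hard zoning filters forwarded traffic, and hard zoning silently falls back when hardware resources run out) is the part a defender most needs to see concretely. The following is an added example, not H3C code: a small model of a VSAN's zoning state in which zone rules are unordered pairs of constructed node names (h1, t1 and so on) and the hardware capacity is a constructed number. It shows that without hard zoning a node can still reach a target that soft zoning hid from its query, and that adding a rule beyond the hardware capacity clears all hardware rules and disables hard zoning, as the text describes.

```python
"""Soft versus hard zoning, and the hardware-resource fallback.

Added example, not code from the H3C manual. Node names and the hardware
capacity are constructed sample values.
"""
from typing import FrozenSet, Iterable, List, Set, Tuple


class VsanZoning:
    def __init__(self, vsan: int, zone_rules: Iterable[Tuple[str, str]], hw_capacity: int):
        self.vsan = vsan
        # zone rules: unordered pairs of nodes allowed to communicate
        self.rules: Set[FrozenSet[str]] = {frozenset(r) for r in zone_rules}
        self.hw_capacity = hw_capacity          # constructed: rules the hardware can hold
        self.hard_zoning_enabled = False
        self.hw_rules: Set[FrozenSet[str]] = set()  # rules actually deployed to hardware

    # Soft zoning is always in effect, but it only filters the answer to a
    # fabric query: the requester sees just the nodes it shares a zone with.
    def soft_query(self, requester: str, fabric_nodes: Iterable[str]) -> List[str]:
        return sorted(n for n in fabric_nodes
                      if n != requester and frozenset((requester, n)) in self.rules)

    # Enabling hard zoning triggers deployment of all zone rules of the VSAN.
    # If the hardware cannot hold them, every deployed rule is cleared and
    # hard zoning is disabled automatically (the fallback described above).
    def enable_hard_zoning(self) -> bool:
        if len(self.rules) > self.hw_capacity:
            self.hw_rules.clear()
            self.hard_zoning_enabled = False
            return False
        self.hw_rules = set(self.rules)
        self.hard_zoning_enabled = True
        return True

    # Manual disable: clear deployed rules and stop deploying new ones.
    def disable_hard_zoning(self) -> None:
        self.hw_rules.clear()
        self.hard_zoning_enabled = False

    # A new rule is deployed only while hard zoning is enabled; the redeploy
    # may exceed capacity and trigger the same fallback.
    def add_zone_rule(self, a: str, b: str) -> bool:
        self.rules.add(frozenset((a, b)))
        if self.hard_zoning_enabled:
            self.enable_hard_zoning()
        return self.hard_zoning_enabled

    # Forwarding decision: only hardware zone rules control traffic. With hard
    # zoning off, a node that already knows a target address can send to it
    # regardless of what soft zoning hid from its query.
    def forwards(self, src: str, dst: str) -> bool:
        if not self.hard_zoning_enabled:
            return True
        return frozenset((src, dst)) in self.hw_rules


if __name__ == "__main__":
    z = VsanZoning(10, [("h1", "t1"), ("h2", "t2")], hw_capacity=2)
    print("h1 query sees:", z.soft_query("h1", ["h1", "t1", "h2", "t2"]))
    print("h1 -> t2 forwarded without hard zoning:", z.forwards("h1", "t2"))
    print("hard zoning enabled:", z.enable_hard_zoning())
    print("h1 -> t2 forwarded with hard zoning:", z.forwards("h1", "t2"))
    print("hard zoning still enabled after third rule:", z.add_zone_rule("h3", "t3"))
    print("h1 -> t2 forwarded after fallback:", z.forwards("h1", "t2"))
```

The last two lines of the sample run are the point for monitoring: once the third rule exceeds the constructed capacity, hard zoning is off and h1 can again reach t2, so the hard zoning state of each VSAN is worth checking after every zone change rather than assumed from the configuration.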