I was doing some reading this morning on the new switch and came across a feature I hadn’t heard of before. The feature is called “Smart Zoning” and is a real godsend for SAN and data center administrators. Traditionally, SAN admins that follow best practices use the “single initiator, single target” rule for zoning FC fabrics. There are a couple of reasons why this is a best practice:

- Keep SAN traffic generated by devices in other zones isolated, such as Registered State Change Notifications (RSCNs).
- Conserve FC switch hardware resources. For every 2 members in a zone that communicate with each other, two ACEs (Access Control Entries) are created in the TCAM (Ternary Content Addressable Memory): one entry that permits the host to receive traffic from another host/target and another ACE for the opposite direction. The more members in a zone, the more pairs of ACEs that are consumed in the TCAM.

Smart Zoning allows the SAN admin to define which members are targets and which members are initiators. Since targets (SAN front-end ports) do not usually need to talk to targets and initiators (host HBAs) do not need to talk to initiators, there isn’t a need for ACEs to be created for target-to-target and initiator-to-initiator traffic. With Smart Zoning a host will only need a single zone in each fabric instead of the typical 2-4 zones per fabric.
The second option, and my preferred route, is to perform a code upgrade of the switch. From the Cisco MDS NX-OS Release 6.2(x) maximum configuration limits: FLOGIs per port channel = 256. Output after upgrading to 6.2:

    MDS-9K-A# show flogi database interface port-channel 10
    Total number of flogi = 129

Cisco’s first 32Gb departmental switch released was the 9132T (capable of 32 ports), which was great for shops needing a smaller switch capable of doing 32Gb, but it left a gap for use cases needing more than 32 capable ports, because the next sized switch, a director class switch, jumped up to 192 ports.
The number of zones a host needs depends on how many SAN front-end ports the host needs access to. Take for example 10 Cisco UCS ESXi hosts that need to access LUNs on an EMC VNX 5500. Each host will have 2 vHBAs, one in each SAN fabric. The EMC VNX will have 4 SP front-end ports in each fabric, so each host vHBA will need to communicate with 4 EMC VNX ports in each fabric. Typically this configuration would look something like this for a single host:

    zone name vnxspa0-esx01vmhba1 vsan 200
      member device-alias vnxspa0
      member device-alias esx01vmhba1
    zone name vnxspa2-esx01vmhba1 vsan 200
      member device-alias vnxspa2
      member device-alias esx01vmhba1
    zone name vnxspb1-esx01vmhba1 vsan 200
      member device-alias vnxspb1
      member device-alias esx01vmhba1
    zone name vnxspb3-esx01vmhba1 vsan 200
      member device-alias vnxspb3
      member device-alias esx01vmhba1

Multiply this out for 10 hosts and you have 40 zones needed in each FC fabric. With Smart Zoning the configuration would look like this. Note the keyword target or init after the device-alias name.
The number of ACEs consumed in the TCAM is the same, but the administrative effort is dramatically reduced: the number of zones needed in each fabric goes from 40 to just 10.

    zone name vnxspab-esx01vmhba1 vsan 200
      member device-alias vnxspa0 target
      member device-alias vnxspa2 target
      member device-alias vnxspb1 target
      member device-alias vnxspb3 target
      member device-alias esx01vmhba1 init

There are some requirements for Smart Zoning that should be verified before trying to use this feature:

- NX-OS 5.2(6) or greater is required.
- Only supported on MDS 9000/9500s, or on Nexus 7000 with NX-OS 6.1 or greater. Smart Zoning is not configurable on Nexus 5000/5500 series switches. I really don’t know why Cisco does things like this; I really wish they would bring NX-OS on all devices to parity with each other.
- For multi-switch fabrics, every switch in the fabric must have NX-OS 5.2(6) or greater and support Smart Zoning. This rules out Nexus 5500s unless they are in NPV mode.

Here is a screen shot I got from someone at Cisco.

To enable the feature:

    switch# conf t
    switch(config)# zone smart-zoning enable vsan 200

or to enable it as the default zoning mode for all VSANs on the switch:

    switch# conf t
    switch(config)# system default zone smart-zone enable

Next, for each zone define which members are targets and which members are initiators (see the zone example above).
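To make the ACE accounting above concrete, here is an added Python example (not from the post or from Cisco) that parses zone definitions in the format shown on this page and counts zones, permitted member pairs and the TCAM ACEs they consume. The sample zone text is constructed from the post's own examples, and an untagged member is assumed to behave like one tagged both.

```python
import re
from itertools import combinations

# Constructed input: the post's four conventional zones for one host, built from
# the same device-aliases, and the single Smart Zoning zone that replaces them.
TARGETS = ["vnxspa0", "vnxspa2", "vnxspb1", "vnxspb3"]
CONVENTIONAL = "".join(
    f"zone name {t}-esx01vmhba1 vsan 200\n  member device-alias {t}\n"
    f"  member device-alias esx01vmhba1\n" for t in TARGETS)
SMART = """\
zone name vnxspab-esx01vmhba1 vsan 200
  member device-alias vnxspa0 target
  member device-alias vnxspa2 target
  member device-alias vnxspb1 target
  member device-alias vnxspb3 target
  member device-alias esx01vmhba1 init
"""
ZONE_RE = re.compile(r"^\s*zone name (\S+) vsan (\d+)")
MEMBER_RE = re.compile(r"^\s*member device-alias (\S+)(?:\s+(init|target|both))?\s*$")

def parse_zones(text):
    """Return {zone_name: [(alias, role), ...]}; role is None for an untagged member."""
    zones, members = {}, None
    for line in text.splitlines():
        if m := ZONE_RE.match(line):
            members = zones.setdefault(m.group(1), [])
        elif (m := MEMBER_RE.match(line)) and members is not None:
            members.append((m.group(1), m.group(2)))
    return zones

def talks(role_a, role_b):
    """Does the fabric need to permit traffic between these two members?"""
    # Assumption: an untagged member, like one tagged 'both', acts as init and target.
    if role_a in (None, "both") or role_b in (None, "both"):
        return True
    return role_a != role_b  # Smart Zoning: init<->target only, never init-init/target-target

def tcam_cost(text):
    """Zones, distinct permitted member pairs, and TCAM ACEs (two per pair)."""
    zones = parse_zones(text)
    pairs = {frozenset((a, b)) for members in zones.values()
             for (a, ra), (b, rb) in combinations(members, 2) if talks(ra, rb)}
    return {"zones": len(zones), "pairs": len(pairs), "aces": 2 * len(pairs)}

# The same five members with the init/target keywords removed: what that one
# zone would cost as a plain multi-member zone without Smart Zoning.
UNTAGGED = re.sub(r" (init|target)$", "", SMART, flags=re.M)
```

Both layouts cost 8 ACEs for this host (80 across the post's ten hosts) while the zone count per host drops from 4 to 1; the untagged five-member zone would instead permit 10 pairs (20 ACEs), which is the target-to-target waste Smart Zoning avoids.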
I have heard some people argue a few years ago, before SmartZoning, that single-initiator/multiple-target zoning works without SmartZoning, because HBAs and storage ports are now “smart” enough to know which is initiator/target. However, as I understand it, the ports will still “see” each other with non-SmartZoning but ignore the connections to themselves. One issue that I have seen occur with single-initiator/multiple-target zones is with EMC SANcopy: the array will throw errors in Navisphere or Unisphere if it can see itself.
Something to the effect of “SANcopy zoning is not configured properly”. I wonder if SmartZoning solves this issue.
However, lack of support for Nexus 5K is a show-stopper as FCoE is around the corner.

Yes, with Smart Zoning all hosts that need access to the same SAN target ports can be in the same zone. Here is an example zone; notice the keyword target or init after each member. Only the init members are zoned to the target members; none of the targets are zoned together and none of the inits are zoned together. Behind the scenes NX-OS creates ACLs for these mappings.

    zone name fcntapesxhosts vsan 603
      member device-alias ntap-020e target
      member device-alias ntap-020g target
      member device-alias ntap-019a target
      member device-alias ntap-019c target
      member device-alias esx15 init
      member device-alias esx16 init
      member device-alias esx17 init
      member device-alias esx18 init
      member device-alias esx19 init
      member device-alias esx20 init
One of our customers has issues on his switch and their TCAM entries look something like below. What do you suggest? Region 3 doesn’t look good.

Also we are thinking of enabling smart zoning. But what could we benefit from after enabling smart zoning?
TCAM Entries:

                     Region1    Region2    Region3    Region4    Region5    Region6
    Mod Fwd Dir      TOP SYS    SECURITY   ZONING     BOTTOM     FCC DIS    FCC ENA
        Eng          Use/Total  Use/Total  Use/Total  Use/Total  Use/Total  Use/Total
    --- --- ------   ---------  ---------  ---------  ---------  ---------  ---------
    1   1   INPUT    19/407     1/407      138/2852   4/407      0/0        0/0
    1   1   OUTPUT   0/25       0/25       0/140      0/25       0/12       1/25
    1   2   INPUT    19/407     1/407      2444/2852  4/407      0/0        0/0
    1   2   OUTPUT   0/25       0/25       0/140      0/25       0/12       1/25
    1   3   INPUT    19/407     1/407      2072/2852  4/407      0/0        0/0
    1   3   OUTPUT   0/25       0/25       0/140      0/25       0/12       1/25
One really annoying thing is there is a slight change from SAN-OS 1, 2 and SAN-OS 3. Console access via a local account had two different AAA configs (ignore the RADIUS part).

SAN-OS 1 & 2:

    aaa authentication login default group radius local
    aaa accounting default group radius local

SAN-OS 3:

    aaa authentication login default group radius local
    aaa authentication login console local
    aaa accounting default group radius

Only slight changes, and SAN-OS 3 is the 'real' way of doing it. It could catch people out during an upgrade if they are unaware!

Cheers, Andrew.

You have two options.

1. Configure an 'admin' user in AD (note that you don't have to use the account named admin; you can just as easily assign a local user with the network-admin role). One thing to note is that you normally use this local account in case the TACACS+ or RADIUS authentication server goes down. You can have users configured locally and in AD at the same time. If you are running AAA, the default config is to check your AAA servers first; if they are not available, then default to a local account.

2. Configure your local network-admin role user and then specify that, say, console access is authenticated locally, while SSH and Telnet are authenticated through TACACS. This will allow you to always get in with a local account through the console, while it will force SSH and Telnet connections to authenticate through the AAA servers.

You can find this option in Device Manager > Security > AAA > Applications. If you found this helpful, please give it a rating.

Option 1: I have already configured AD users with the network-admin role who are able to log in after successful authentication by TACACS. It is configured to check TACACS first and then local. I just want to be able to log in as the default 'admin' user via telnet. I am able to log in as 'admin' via FM/DM.

Option 2: I need to have telnet/ssh access using the locally residing default user 'admin'. I am able to log in as other locally created users with the 'network-admin' role. Since the switches are located 1000's of miles away, I need telnet access for admin in case the TACACS server goes down. I am still confused why the default 'admin' user is not working via telnet but everything else is, whether local or TACACS user.

Your configuration says that only console access is configured to check local. The first method is only configured to use the TACACS+ group. If you add a local statement to the end of the first line, it will allow you to get in ONLY if the TACACS+ server is down. Try to keep in mind that AAA groups are processed in the same config line. If you don't have a valid auth method by the end of the line, you are out of luck. Well, the thing about the AAA order is that you only go and check the next resource in the event your primary resource is unavailable. It is likely, since you do not have the 'admin' account in your AD, that the TACACS+ server is returning a message to deny access. When the MDS observes the message to deny access to a user, then that is that. It will not go further down the list to, say, its local database.
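The method-list behaviour the last reply describes (a deny from TACACS+ is final; only an unreachable server moves the switch on to the next method in the line) can be modelled in a few lines. This is an added Python example, not code from the thread or from NX-OS, and the servers, accounts and passwords in it are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Server:
    """Constructed model of one TACACS+ (or RADIUS) server: whether the switch
    can reach it, and the accounts it will accept (username -> password)."""
    reachable: bool
    users: dict = field(default_factory=dict)

def parse_methods(aaa_line):
    """'aaa authentication login default group tacacs+ local' -> ['group tacacs+', 'local']"""
    return re.findall(r"group \S+|local", aaa_line)

def ask_method(method, groups, local_users, user, password):
    """One method's verdict: 'accept', 'reject', or 'unreachable' when no server answers."""
    if method == "local":
        return "accept" if local_users.get(user) == password else "reject"
    for srv in groups.get(method[len("group "):], []):
        if srv.reachable:  # the first server that answers decides for the whole group
            return "accept" if srv.users.get(user) == password else "reject"
    return "unreachable"

def login(aaa_line, groups, local_users, user, password):
    """Walk the method list left to right. Any verdict (accept or reject) ends the
    walk; only 'unreachable' moves on to the next method, as the reply describes."""
    trail = []
    for method in parse_methods(aaa_line):
        verdict = ask_method(method, groups, local_users, user, password)
        trail.append((method, verdict))
        if verdict != "unreachable":
            return verdict, trail
    return "reject", trail  # every method was unreachable: nobody could be asked

# Constructed scenario from the thread: 'admin' exists only in the switch's local
# database, while AD behind TACACS+ knows a different network-admin user.
GROUPS_UP = {"tacacs+": [Server(reachable=True, users={"aduser": "ad-pw"})]}
GROUPS_DOWN = {"tacacs+": [Server(reachable=False)]}
LOCAL_USERS = {"admin": "local-pw"}
DEFAULT_LIST = "aaa authentication login default group tacacs+ local"
CONSOLE_LIST = "aaa authentication login console local"
```

With the TACACS+ server up, the local 'admin' is rejected on the default list even though local follows in the same line; it only gets through when the server is unreachable, or on the console list that names local alone.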