LUN Masking vs Zoning
March 12, 2012
Zoning and LUN masking are often confused with each other, probably because both of them are used to restrict access to storage. They should both be used to secure the storage network and reduce unnecessary traffic.
Zoning
If you want only certain hosts to be able to access a storage device, you would set up zoning. For instance, in the example below, you can see that the two servers on the right can access three of the four storage devices, whereas the two on the left can only access two of the SANs. This configuration is done on the Fibre Channel switch. iSCSI, NFS, and FCoE can also be segmented, but they would use typical TCP/IP segmentation methods like setting up a VLAN.
There are two types of zoning techniques: hard zoning and soft zoning.
Soft zoning filters one device from seeing another device. However, if the ports are manually set up, the switch will not stop the devices from communicating. Hard zoning, by comparison, prevents one port from sending traffic to the other port and is more secure.
Zoning can also be set up based on the port or the World Wide Name (WWN). Port zoning grants access from one port on a switch to another port on a switch. This requires physical security around the Fibre Channel switch, because the zones could be changed simply by moving the cables in the switch. It also makes management more of a struggle if switches need to be moved or re-cabled. WWN zoning is set up by allowing access between two WWNs, which makes management a little easier, but it is also susceptible to WWN spoofing, which could allow access to the storage device.
LUN Masking
Once the zoning is done, we can further lock down access to the storage by setting up LUN (Logical Unit Number) masking on the storage device. The SAN would prevent certain devices from seeing a specific LUN that it is hosting. This may be used more to keep a misbehaving server away from a LUN it doesn't need than as a security measure.
In the example below we have taken a small subset of servers that are accessing one storage device. The SAN is presenting four LUNs to the server on the right side (with the red arrows) but it is only presenting two LUNs to the server on the left (with the green arrows).
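As an added example (not part of the original post), the Python sketch below models how the two layers combine: an initiator can use a LUN only if the switch zones it to the target port and the array's mask presents that LUN to it. All WWNs, zone names and LUN numbers are constructed, and the audit flags places where the zoning and masking tables disagree.

```python
from itertools import product

# Constructed sample data: every WWN, zone name and LUN number is hypothetical.
A1, A2 = "50:0a:09:80:00:00:00:a1", "50:0a:09:80:00:00:00:b2"
TARGETS = {A1: "array1", A2: "array2"}            # storage target ports
LEFT, RIGHT, BKP = ("10:00:00:00:c9:00:00:01", "10:00:00:00:c9:00:00:02",
                    "10:00:00:00:c9:00:00:03")    # server HBA WWNs
ZONES = {                                         # WWN zoning on the switch
    "z_left_array1": {LEFT, A1},
    "z_right_array1": {RIGHT, A1},
    "z_bkp_array2": {BKP, A2},
}
MASKS = {                                         # LUN masking on the arrays
    (A1, LEFT): {0, 1},
    (A1, RIGHT): {0, 1, 2, 3},
    (A2, RIGHT): {5},     # presented, but RIGHT is not zoned to array2
}

def zoned_pairs(zones, targets):
    """(initiator, target) WWN pairs that share at least one zone."""
    pairs = set()
    for members in zones.values():
        tgts = members & set(targets)
        pairs |= set(product(members - tgts, tgts))
    return pairs

def effective_access(zones, targets, masks):
    """LUNs each initiator can use: zoned to the target AND masked in."""
    access = {}
    for init, tgt in zoned_pairs(zones, targets):
        for lun in masks.get((tgt, init), ()):
            access.setdefault(init, set()).add((targets[tgt], lun))
    return access

def audit(zones, targets, masks):
    """Flag places where the switch and the array disagree."""
    zoned = zoned_pairs(zones, targets)
    masked = {(init, tgt) for (tgt, init), luns in masks.items() if luns}
    findings = [("zoned-no-luns", i, targets[t]) for i, t in zoned - masked]
    findings += [("masked-not-zoned", i, targets[t]) for i, t in masked - zoned]
    return sorted(findings)

if __name__ == "__main__":
    for init, luns in sorted(effective_access(ZONES, TARGETS, MASKS).items()):
        print(init, sorted(luns))
    for finding in audit(ZONES, TARGETS, MASKS):
        print(finding)
```

A "masked-not-zoned" finding is a stale mask entry that would become live access if the zoning ever changed; a "zoned-no-luns" finding is a path through the switch that serves no purpose.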
Great and useful information for me.
If I refer to Soft and Hard zoning as “techniques”, how can I call Port and WWN zoning?
Might I divide the LUN types like this?
LUN:
  ZONING
    SOFT
      Port
      WWN
    HARD
      Port
      WWN
  MASKING
I am sure, I will follow your blog for long time. Thanks.
Your diagrams are confusing at first: your servers look like switches, the switch looks like an array, and the blue thing, wtf is that?
I could see how that might be confusing. I’ll do a better job on future posts.
The servers are rackmounts and are at the top. A single switch in the middle, and then NetApp filers at the bottom (the blue thing).
I think you did an amazing job. Keep it up. I loved this posting. Very clear.
You should have a donate button. The post is priceless and “explains it like I’m five”. Thank you!
Haha, I will accept money if someone is throwing it at me! 🙂 But honestly, the best thing is hearing that it helped someone understand or learn something new. Nice comments and tweets are a good enough payment for me. Thanks for reading and tell your friends.
Very Well done Eric.
I need to know a variant of LUN masking which is more secure than just plain masking.
I think you can help me with that.
Thanks for reading, I hope it’s been helpful.
One thing you could look into for additional authentication is using CHAP. When your initiators connect to the targets they’ll use an additional level of authentication to also log in. This makes it more difficult for an attacker to spoof an IQN or WWN.
Very Good Post with Diagrams, very much helpful to understand the concepts. Thanks for posting
nice document, helped me to clear my confusion b/w zoning and masking.
thank you.
Good post but seriously you need some better icons 🙂 I thought the blue things were servers first! WTF!
Just today I had a doubt about this. Nice documentation, it has helped me to understand the concepts of zoning, masking and LUN. Thank you .. Eric na
nice explanation
Thanks for a great post. I am a veteran of 10 years in NetApp and I always direct people who are confused about this to your page. To the person who’s complaining about the blue thing, I’d say everyone who ever worked with or even bothered to see the NetApp filer pictures will know they are the storage devices, “filers”.
Once again thanks.
I have to agree with Aadir. I was having problems distinguishing between the two and your description and diagrams made things clear.
Cheers!
Thanks a lot for this post.
I figured out the difference between the 2 confusing things.
One important thing is that we should not say zoning and LUN masking instead of zoning and masking. The object is different.
Handy and useful. I was confused between the two, but not anymore.
Very well explained. Thanks for the post.
Hi,
What is FC SAN zoning …
Please help me out..
Very nice explanation!!!! First time I was able to understand fully about zoning… Thanks a lot…
Thanks for really helpful post 🙂 .
nice info
I am very clear about masking and zoning after reading this post…. Thanks much…Very well done 🙂