WO2000055750A1 - System and method of zoning and access control in a computer network - Google Patents

Info

Publication number: WO2000055750A1
Authority: WO (WIPO, PCT)
Prior art keywords: zone, network, mask, devices, access
Application number: PCT/US2000/006920
Other languages: French (fr)
Inventors: Kumar Gajjar, Mohm Ibrahim
Original assignee: Smartsan Systems, Inc.
Application filed by Smartsan Systems, Inc.
Priority to AU38893/00A (AU3889300A)
Publication of WO2000055750A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104: Grouping of entities

Definitions

  • the present invention relates generally to zoning in a computer network, and more particularly to creating zones or virtual groups in a computer network such as a Storage Area Network (SAN).
  • Fibre channel is an ANSI-standard, high-speed data communications technology providing gigabit-per-second transmission rates for storage/server and high-performance networking environments.
  • zoning is a way of partitioning a large set of objects into virtual groups.
  • the partitions are created between the devices connected to the SAN.
  • the prior art for zoning computer networks allows zoning only up to the port level.
  • FIG. 1 shows a general prior art network configuration 100 with a plurality of devices 101-108 attached to a networking device 110, such as a router, bridge, hub, or switch.
  • Port A 112 and port B 114 are members of zone I 116; this indicates that all of the devices 101-104 connected to these two ports are members of zone I 116.
  • to be added to zone I 116, a device needs to be connected through port A 112 or port B 114.
  • for example, to include device 107 in zone I 116, device 107 must be disconnected from port C 118 and re-connected to port A 112 or to port B 114.
  • similarly, to remove a device from zone I 116, the device must be disconnected from the port that is a member of zone I 116.
  • the present invention provides a system and method for computer network zoning up to the device level, including any logical devices.
  • the invention includes a zone configuration database which is created and managed by a program running on a device connected to the computer network, and is stored in a non-volatile memory on at least one network device such as a router, a bridge, a hub, a switch, or a network master connected to the computer network.
  • the zone configuration database lists each device connected to the computer network, allows access between devices that are members of the same zone, and denies access between devices that are not members of the same zone.
  • the zone configuration database includes a zone mask identifying zones of which each device is a member.
  • the zone mask includes a read mask and a write mask. If the read mask for a device is enabled in a particular zone then the device is granted read only access within that zone, and if the write mask for the device is enabled in the particular zone then the device is granted read and write access within that zone.
  • FIG. 1 is a block diagram illustrating prior art wherein zones are established at the port level
  • FIG. 2 is a block diagram illustrating how the present invention in one embodiment can establish zones at the device level
  • FIG. 3 is a block diagram illustrating how the invention in another embodiment can establish zones at the device level across multiple routers or network devices;
  • FIG. 4 is a block diagram illustrating how the invention in yet another embodiment can establish zones at the device level across multiple routers or network devices;
  • FIG. 5 is a block diagram of one embodiment of a network device according to the invention embodying a processor module for managing multiple zones in a computer network;
  • FIG. 6 is a diagram of one embodiment of the zone configuration database in the processor module of FIG. 5;
  • FIG. 7 is a block diagram of one embodiment of the device control blocks in the processor module of FIG. 5;
  • FIG. 8 is a diagram of one embodiment of the zone mask parameters used in the device control blocks of FIG. 7;
  • FIG. 9 is a block diagram of one embodiment of the zone control blocks in the processor module of FIG. 5;
  • FIG. 10 is a diagram of one embodiment of the zone mask used in the zone control blocks of FIG. 9;
  • FIG. 11 is a flowchart of a method for initializing and establishing zones in a computer network according to the invention.
  • the present invention relates to an improved system and method for providing zoning in a computer network that spans all the way up to the device level, including logical devices.
  • FIG. 2 is a block diagram of the invention in a network configuration 200 such as a storage-area network (SAN), wherein a plurality of physical or logical devices 201-208 are connected via a network box 210, such as a router, bridge, hub, or switch, having ports A-D, 212-215.
  • the devices can be zoned at the device level regardless of port location, and also can be members of multiple zones.
  • Device zoning is controlled through the network box 210 and is preferably configured by a program running on a master computer managing the computer network 200.
  • device 201 connected to port A 212, devices 202 and 203 connected to port B 213, and device 207 connected to port C 215 are all members of zone I 220, and device 201 is the initiating device controlling access in zone I.
  • in the chain of devices connected to port C 215, the middle device 207 is the only member of zone I 220, even though device 207 connects through device 206.
  • FIG. 2 also shows a second zone II 222 which includes devices 204, 205, 206, 207 and 208, wherein device 205 is the initiating device controlling access in zone II.
  • Device 207 is a member of both zone I 220 and zone II 222, and illustrates how a device can be a member of multiple zones.
  • FIG. 3 is a block diagram of another computer network configuration 300 illustrating how device level zones can be established across multiple network boxes 310 and 312.
  • Devices 301-307 are all connected to both network boxes 310 and 312.
  • Device 301 is connected to both A ports 314 and 322; devices 302-304 are connected to both B ports 316 and 324; device 305 is connected to both D ports 320 and 328; and devices 306 and 307 are connected to both C ports 318 and 326.
  • the network boxes 310 and 312 control the zoning of these devices.
  • the FIG. 3 type of configuration allows using multiple boxes with redundant paths to access devices within a zone.
  • the zone configuration information is stored in both network boxes 310 and 312. After one of the network boxes has been programmed with a zoning configuration, and/or after an initialization phase has been conducted by either network box, the other network box, based on already-known information as to the location of the other network box, is automatically updated.
  • in FIG. 3, devices 301, 303 and 307 are members of zone I 320. Thus, whichever network box handles a request, device 301 can access only devices 303 and 307. This feature allows users more control over access to their networked devices and allows network administrators the flexibility to configure networks without physically moving devices or changing ports.
  • the FIG. 4 diagram illustrates how a more sophisticated network 400 can establish zones at the device level, or more generally, between multiple network routers or boxes 420 and 422 which are configured to control zoning.
  • a LAN/WAN 410 is connected through router 420 to a SAN 430, which in turn is connected to devices 441-443.
  • the LAN/WAN 410 is also connected through router 422 to a SAN 432, which in turn is connected to devices 444-446.
  • Zone I 450 is configured to include only devices 443 and 444, even though they are only connected through both SANs 430, 432, both routers 420, 422 and LAN/WAN 410.
  • FIG. 5 is a block diagram illustrating one embodiment of a network device or router 500 embodying a processor module 510 for managing multiple zones in a computer network.
  • the router 500 has fibre channel input/output ports 512 and 513, as well as generic input/output ports 514, 515, 516 that can handle multiple networking protocols such as Gigabit-Ethernet (GE), ATM (Asynchronous Transfer Mode), and SCSI (Small Computer System Interface).
  • the input/output ports 512-516 are interconnected with the processor module 510 and a cache/staging module 518.
  • the processor module 510 includes a processor 522, a RAM 524, a non-volatile memory 526, and a ROM 528.
  • after initialization, the RAM 524 includes a set of device control blocks 530 and zone control blocks 532. More details of the device control blocks 530 and zone control blocks 532 are shown in, and described in conjunction with, FIGs. 7-10.
  • the non-volatile memory 526 includes a zone configuration database 534 that stores all the information necessary to create and manage zones on a computer network (not shown) connected through the router 500.
  • FIG. 6 is a block diagram of one embodiment of the zone configuration database 534 in the processor module 510 of FIG. 5.
  • the zone configuration database 534 preferably includes a structure header 610, zone information 620, fibre channel (FC) device information 630, and SCSI/other device information 640.
  • the structure header 610 includes standard information identifying the zone configuration database 534, including signature, checksum, version number and size.
  • the zone information 620 identifies each zone configured on the computer network from Zone ID 0 to Zone ID n; this identification can include an alias name for each zone, a zone ID, a zone mask number, and flags.
  • the FC device information 630 includes general and zone information on each connected FC device. The preferred embodiment has information for two ports, port 0 and port 1. The information for each port generally includes a port header with identifying information such as the port number, a checksum, flags, and a device count. The port information also includes a listing of each device connected through that port. An FC port can support up to 126 devices, indicated by device 0 to device 125.
  • since zones can be on the level of devices, the information includes the configuration of each connected FC device, for example a WWN, flags, a read/write mask, and a read-only mask.
  • the read/write mask and the read-only mask define the zones in which each device has read/write access, read only access, or no access.
  • the SCSI/other device information 640 includes general and zone information on each of the other devices, such as SCSI, ATM, or Gigabit Ethernet devices, connected to the (FIG. 5) router 500.
  • the preferred embodiment has four ports or buses, indicated by bus 0 - bus 3.
  • the information for each bus generally includes a bus header, bus number, checksum, flags, device count, and a listing of the devices connected through the bus.
  • the information for each bus can also include a listing of each logical device associated, through a logical unit number (LUN), with each device.
  • a SCSI bus can support up to 16 devices, indicated by device 0 to device 15, through each port. Each device can use logical unit numbers (LUNs) to identify up to 8 logical devices. Since zones can be specific to each physical and logical device, as with the FC device information 630, the SCSI/other device information 640 includes the configuration of each device connected through its corresponding bus: a unique ID, flags, a read/write mask, and a read-only mask. The read/write mask and the read-only mask define the zones in which each physical and logical device has read/write access, read-only access, or no access.
  • router 500 scans all enabled ports for connected devices and creates a device control block 530 and a zone control block 532 for creating and managing zones, including: port number, port type, port ID, device ID (SCSI ID or Fibre Channel WWN), device type, and any other information gathered by an inquiry command or other means.
  • FIG. 7 is a block diagram of an embodiment of the device control blocks 530 in processor module 510, which are created from information received from the devices and the zone configuration database 534.
  • Each device control block 530 corresponds to a respective physical or logical device connected to the router 500.
  • the device control blocks 530 include general information required for programming purposes, such as a structure header, ID, type, state, read capacity data, inquiry data, disconnect parameters, and statistical data, and also include zone mask parameters 700 for each connected device.
  • the zone mask parameters 700 for each physical or logical device define the zone or zones of which the device is a member, and what type of access each physical or logical device is granted.
  • the zone mask 700 preferably includes masks for up to 32 different zones 802 labeled from 0 to 31.
  • the zone mask 700 parameters include two vectors of binary numbers specifying whether the device has read only access 804, read/write access 806, or no access. Each vector is a 32 bit unsigned integer, although other length vectors may be used instead. Each bit of the vector corresponds to a particular zone. If bit 0 of the vector is set to 1, then the device is a member of Zone ID 0, and so on.
  • a 32 bit mask can support 32 zones, any number of which a device can be a member of. For example, if the device has read-only access only in zones 0 and 4, then 1s are written into the 0th and 4th positions of the read-only vector 804, and 0s are written into all remaining positions. If the device has read/write access only in zones 1 and 3, then 1s are written into the 1st and 3rd positions of the read/write vector 806, and 0s are written into all remaining positions of the vector.
  • the read-only mask 804 is only used on devices that are of a read-write type, i.e. a disk drive. This mask 804 allows system administrators to dynamically control read/write access of a device.
  • FIG. 9 is a block diagram of an embodiment of the processor module 510 zone control blocks 532, which are created from information stored in zone configuration database 534 and in device control blocks 530.
  • Each zone control block 532 names all of the physical or logical devices that are members of a respective zone.
  • the zone control blocks 532 each include general information required for programming purposes, such as a structure header, alias name, ID, flags, state, FC device count, SCSI device count, pointers to FC device control blocks, pointers to SCSI device control blocks, and a zone mask 900 identifying the particular zone managed by the zone control block.
  • the zone mask 900 defines the members in the zone.
  • Zone mask 900 preferably covers up to 32 zones 1002 labeled from 0 to 31.
  • the zone mask 900 includes a 32 bit unsigned integer (although other length numbers could be used) specifying which zone is managed by the zone block 532.
  • Each bit of the array corresponds to a zone, but since each zone control block 532 manages only one zone, only one bit of the number is set to 1 while the remaining bits are set to 0.
  • the zone control block 532 stores the necessary information, such as pointers, to access all of the devices or logical devices identified in the zone control block 532 as members of that zone.
  • to decide an I/O request, the read-only 804 and read/write 806 zone masks 700 of the initiating device are logically ORed and the result is logically ANDed with the read-only 804 zone mask 700 of the target node. If the product is non-zero, then both nodes belong to at least one zone in common, and if the I/O request is a read request then access is allowed; otherwise the request is rejected. If the product is zero, then the read-only 804 and read/write 806 zone masks 700 of the initiating device are logically ORed and the result is ANDed with the read/write 806 zone mask 700 of the target node. If that product is non-zero, then both nodes belong to at least one zone in common and access is allowed; otherwise the request is rejected.
  • FIG. 11 is a flowchart of steps in a method for initializing and establishing zones in a computer network.
  • step 1100 "discovers" all devices connected to the network and builds device control blocks (DCBs).
  • step 1102 the network box or router 500 (FIG. 5) starts zoning initialization.
  • the processor reads in the zone configuration database (ZCDB) from the non-volatile RAM into the RAM and verifies checksums.
  • Step 1106 then begins the process of building zone control blocks (ZCBs).
  • step 1108 locates a valid zone in the zone configuration database. If step 1110 determines that a valid zone exists, then step 1112 allocates a zone control block and includes the necessary information from the zone configuration database in the zone control block.
  • if step 1110 determines that no valid zone exists, then step 1114 determines whether all the zones were checked. If not all of the zones were checked, then the process reverts to step 1108 to continue checking all of the zones. If step 1114 determines that all of the zones were checked, then the process continues to step 1116 where each device control block is analyzed.
  • step 1118 begins analyzing a device control block by retrieving the device ID from the (next) device control block. Then, step 1120 attempts to locate the device in the zone configuration database. If step 1122 does not find the device in the zone configuration database, then step 1124 sets the device to the default zone mask (preferably bit 31) in the device control block, adds information on the new device to the zone configuration database, and the method proceeds to step 1138. If in step 1122 the device is found in the zone configuration database, then step 1126 fills the zone mask information (the read mask and the write mask) from the zone configuration database into the corresponding zone information fields in the device control block.
  • step 1128 compares the zone control block's zone mask with the device control block's zone mask (the logical OR of the read mask with the write mask).
  • if step 1130 determines that the zone mask of the zone control block is present in the zone masks of the device control block, then step 1132 adds a pointer to the device control block to the member list of the zone control block.
  • step 1134 determines whether all of the zone masks of the zone control blocks have been compared with the zone mask of the device control block; if not, then step 1136 selects the next zone control block and returns the process to step 1130, which compares the next zone mask, until the zone masks of all the zone control blocks have been compared with the zone mask of the current device control block.
  • step 1138 determines whether all of the device control blocks have been analyzed; if not, then the process returns to step 1118 for the next device control block. After step 1138 determines that all of the device control blocks have been analyzed, the zoning initialization is completed at step 1140.
  • Zones are preferably configured using a GUI application which runs on a host PC. After every zone configuration change, the zone information is sent to all the necessary routers or boxes in the same redundancy group.
  • This feature allows users to configure networks using multiple routers with redundant paths to access their devices.
  • a special protocol can be implemented in the routers to allow the routers to communicate and exchange zone information with each other.
  • each router is made aware of the other routers (in a redundancy group) that are connected to the same (some or all) devices in the network. Whenever there is a change in the zone database, the information will be sent to all other routers in the same redundancy group.
  • the software used to manage the zoning of the network preferably provides for various types of commands that allow a network administrator to create and manage the zones on the computer network.
  • commands preferably include: create zone, add member to a zone, remove member from a zone, and delete zone.
  • Create zone is used for creating a zone in the computer network.
  • the parameters for this command include a list of members or devices to be included in the zone.
  • the new zone would then occupy an unused zone ID and set zone information in the zone configuration database.
  • the corresponding zone mask is then set in the device database.
  • Add member to a zone is used for adding member(s) to an already existing zone.
  • the parameters for this command include zone ID and a list of new members or devices to be added.
  • Remove member from a zone is used for removing member(s) from an already existing zone.
  • the parameters include zone ID and a list of members that are to be removed.
  • Delete zone is used for deleting an already existing zone.
  • the parameters for this command are the zone ID of the zone to be deleted.
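Added example, not code from the patent or from Smartsan Systems: a Python model of the zone configuration database with the four management commands (create zone, add member, remove member, delete zone), the FIG. 11 initialization that builds zone and device control blocks, and the read-only/read-write access check described for the zone masks. Every name here (ZoneConfigDB, zoning_init, access_allowed, the device IDs) is an assumption, as is placing the default zone bit 31 in the read/write mask, which the text leaves open.

```python
from dataclasses import dataclass, field

DEFAULT_ZONE_BIT = 31  # step 1124: devices absent from the ZCDB get this bit


@dataclass
class DeviceEntry:
    """ZCDB device record (FIG. 6): ID (WWN/SCSI ID), read-only and read/write masks."""
    dev_id: str
    ro_mask: int = 0
    rw_mask: int = 0


@dataclass
class ZoneConfigDB:
    """Zone information 620 plus FC/SCSI device information 630/640."""
    zones: dict = field(default_factory=dict)    # zone ID -> alias name
    devices: dict = field(default_factory=dict)  # dev_id -> DeviceEntry

    def _device(self, dev_id):
        return self.devices.setdefault(dev_id, DeviceEntry(dev_id))

    def create_zone(self, alias, rw_members=(), ro_members=()):
        """'Create zone': take an unused zone ID (bit 31 stays reserved for
        the default zone, an assumption) and set the members' masks."""
        zone_id = next(z for z in range(DEFAULT_ZONE_BIT) if z not in self.zones)
        self.zones[zone_id] = alias
        self.add_members(zone_id, rw_members, ro_members)
        return zone_id

    def add_members(self, zone_id, rw_members=(), ro_members=()):
        """'Add member to a zone': set the zone's bit in each member's mask.
        A device is read-only or read/write in a zone, never both."""
        if zone_id not in self.zones:
            raise KeyError(f"zone {zone_id} does not exist")
        bit = 1 << zone_id
        for dev_id in rw_members:
            d = self._device(dev_id)
            d.rw_mask |= bit
            d.ro_mask &= ~bit
        for dev_id in ro_members:
            d = self._device(dev_id)
            d.ro_mask |= bit
            d.rw_mask &= ~bit

    def remove_members(self, zone_id, members):
        """'Remove member from a zone': clear the zone's bit in both masks."""
        for dev_id in members:
            d = self._device(dev_id)
            d.ro_mask &= ~(1 << zone_id)
            d.rw_mask &= ~(1 << zone_id)

    def delete_zone(self, zone_id):
        """'Delete zone': drop the zone and clear its bit on every device."""
        del self.zones[zone_id]
        self.remove_members(zone_id, list(self.devices))


@dataclass
class DeviceControlBlock:
    dev_id: str
    ro_mask: int
    rw_mask: int

    @property
    def zone_mask(self):
        # step 1128: a DCB's zones are the OR of its read and write masks
        return self.ro_mask | self.rw_mask


@dataclass
class ZoneControlBlock:
    zone_mask: int                    # exactly one bit set (FIG. 10)
    members: list = field(default_factory=list)


def zoning_init(zcdb, discovered_ids):
    """Steps 1106-1140: one ZCB per zone in the ZCDB, one DCB per discovered
    device, and each DCB linked into every ZCB whose bit it carries."""
    zcbs = [ZoneControlBlock(1 << z) for z in sorted(zcdb.zones)]
    dcbs = []
    for dev_id in discovered_ids:
        entry = zcdb.devices.get(dev_id)
        if entry is None:
            # step 1124: unknown device gets the default zone mask and is added
            # to the ZCDB; which mask takes bit 31 is unspecified, r/w assumed
            entry = DeviceEntry(dev_id, rw_mask=1 << DEFAULT_ZONE_BIT)
            zcdb.devices[dev_id] = entry
        dcb = DeviceControlBlock(dev_id, entry.ro_mask, entry.rw_mask)
        dcbs.append(dcb)
        for zcb in zcbs:
            if zcb.zone_mask & dcb.zone_mask:  # step 1130
                zcb.members.append(dcb)        # step 1132
    return dcbs, zcbs


def access_allowed(initiator, target, is_read):
    """The I/O admission check in the order the text gives it: the initiator's
    combined mask is ANDed with the target's read-only mask first, and only
    if that is zero with the target's read/write mask."""
    if initiator.zone_mask & target.ro_mask:
        return is_read
    return bool(initiator.zone_mask & target.rw_mask)
```

Because the read-only test runs first, a write is refused whenever initiator and target share any read-only zone, even if they also share a read/write zone; check that ordering against the intended policy before reusing it.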

Abstract

A system and method for zoning devices (201-208) in a computer network (200), comprising a zone configuration database listing connected devices (201-208). The database includes for each device (201-208) an associated zone mask identifying specific zones (220, 222) of which each device (201-208) is a member. The database allows access between devices (201-208) that are members of the same zone, (220, 222) and denies access between devices (201-208) that are not members of the same zone (220, 222).

Description

SYSTEM AND METHOD OF ZONING AND ACCESS CONTROL IN A COMPUTER NETWORK
CROSS-REFERENCE TO RELATED APPLICATIONS
The present application is related to, and claims priority in, co-pending U.S. Provisional Patent Application Serial No. 60/124,494, entitled "System and Method for Zoning and Access Control, Event Management, and Network Management in a Computer Network," filed on March 15, 1999.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates generally to zoning in a computer network, and more particularly to creating zones or virtual groups in a computer network such as a Storage Area Network (SAN).
2. Description of the Background Art
The introduction of fibre channel has allowed greatly increasing network connectivity between servers and storage so that many more devices can be connected to a network. Fibre channel is an ANSI-standard, high-speed data communications technology providing gigabit-per-second transmission rates for storage/server and high-performance networking environments.
Increases in computer network connectivity generally require controlling access between various devices by a method such as zoning, which is a way of partitioning a large set of objects into virtual groups. In a SAN, the partitions are created between the devices connected to the SAN. The prior art for zoning computer networks allows zoning only up to the port level.
FIG. 1 shows a general prior art network configuration 100 with a plurality of devices 101-108 attached to a networking device 110, such as a router, bridge, hub, or switch. Port A 112 and port B 114 are members of zone I 116; this indicates that all of the devices 101-104 connected to these two ports are members of zone I 116.
To be added to zone I 116, a device needs to be connected through port A 112 or port B 114. For example, to include device 107 in zone I 116, device 107 must be disconnected from port C 118 and re-connected to port A 112 or to port B 114. Similarly, to remove a device from zone I 116, the device must be disconnected from the port that is a member of zone I 116.
Therefore, there remains a need for an improved system and method to provide a quick and easy way of zoning of devices across ports without physically moving the devices between ports.
SUMMARY OF THE INVENTION
The present invention provides a system and method for computer network zoning up to the device level, including any logical devices. The invention includes a zone configuration database which is created and managed by a program running on a device connected to the computer network, and is stored in a non-volatile memory on at least one network device such as a router, a bridge, a hub, a switch, or a network master connected to the computer network. The zone configuration database lists each device connected to the computer network, allows access between devices that are members of the same zone, and denies access between devices that are not members of the same zone. The zone configuration database includes a zone mask identifying zones of which each device is a member. The zone mask includes a read mask and a write mask. If the read mask for a device is enabled in a particular zone then the device is granted read only access within that zone, and if the write mask for the device is enabled in the particular zone then the device is granted read and write access within that zone.
Other advantages and features of the present invention will be apparent from the drawings and detailed description as set forth below.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram illustrating prior art wherein zones are established at the port level;
FIG. 2 is a block diagram illustrating how the present invention in one embodiment can establish zones at the device level;
FIG. 3 is a block diagram illustrating how the invention in another embodiment can establish zones at the device level across multiple routers or network devices;
FIG. 4 is a block diagram illustrating how the invention in yet another embodiment can establish zones at the device level across multiple routers or network devices;
FIG. 5 is a block diagram of one embodiment of a network device according to the invention embodying a processor module for managing multiple zones in a computer network;
FIG. 6 is a diagram of one embodiment of the zone configuration database in the processor module of FIG. 5;
FIG. 7 is a block diagram of one embodiment of the device control blocks in the processor module of FIG. 5;
FIG. 8 is a diagram of one embodiment of the zone mask parameters used in the device control blocks of FIG. 7;
FIG. 9 is a block diagram of one embodiment of the zone control blocks in the processor module of FIG. 5;
FIG. 10 is a diagram of one embodiment of the zone mask used in the zone control blocks of FIG. 9; and
FIG. 11 is a flowchart of a method for initializing and establishing zones in a computer network according to the invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
The present invention relates to an improved system and method for providing zoning in a computer network that spans all the way up to the device level, including logical devices.
FIG. 2 is a block diagram of the invention in a network configuration 200 such as a storage-area network (SAN), wherein a plurality of physical or logical devices 201-208 are connected via a network box 210, such as a router, bridge, hub, or switch, having ports A-D, 212-215. The devices can be zoned at the device level regardless of port location, and also can be members of multiple zones. Device zoning is controlled through the network box 210 and is preferably configured by a program running on a master computer managing the computer network 200. In FIG. 2, device 201 connected to port A 212, devices 202 and 203 connected to port B 213, and device 207 connected to port C 215 are all members of zone I 220, and device 201 is the initiating device controlling access in zone I. Device 204, even though it is connected to port B, is not a member of zone I 220. Additionally, in the chain of devices connected to port C 215, the middle device 207 is the only member of zone I 220, even though device 207 connects through device 206.
FIG. 2 also shows a second zone II 222 which includes devices 204, 205, 206, 207 and 208, wherein device 205 is the initiating device controlling access in zone II. Device 207 is a member of both zone I 220 and zone II 222, and illustrates how a device can be a member of multiple zones.
It should be noted that if an initiating device is connected by a bus directly to another device then, regardless of zone membership, the two devices can communicate with each other. For example, in FIG. 2 if device 204 were an initiating device, then it could communicate with devices 202 and 203.
FIG. 3 is a block diagram of another computer network configuration 300 illustrating how device level zones can be established across multiple network boxes 310 and 312. Devices 301-307 are all connected to both network boxes 310 and 312. Device 301 is connected to both A ports 314 and 322; devices 302-304 are connected to both B ports 316 and 324; device 305 is connected to both D ports 320 and 328; and devices 306 and 307 are connected to both C ports 318 and 326. The network boxes 310 and 312 control the zoning of these devices. The FIG. 3 type of configuration allows using multiple boxes with redundant paths to access devices within a zone.
The zone configuration information is stored in both network boxes 310 and 312. After one of the network boxes has been programmed with a zoning configuration, and/or after an initialization phase has been conducted by either network box, the other network box, based on already-known information as to the location of the other network box, is automatically updated.
In FIG. 3, devices 301, 303 and 307 are members of zone I 320. Thus, whichever network box handles a request, device 301 can access only devices 303 and 307. This feature allows users more control over access to their networked devices and allows network administrators the flexibility to configure networks without physically moving devices or changing ports.
The FIG. 4 diagram illustrates how a more sophisticated network 400 can establish zones at the device level, or more generally, between multiple network routers or boxes 420 and 422 which are configured to control zoning. A LAN/WAN 410 is connected through router 420 to a SAN 430, which in turn is connected to devices 441-443. The LAN/WAN 410 is also connected through router 422 to a SAN 432, which in turn is connected to devices 444-446. Zone I 450 is configured to include only devices 443 and 444, even though they are only connected through both SANs 430, 432, both routers 420, 422 and LAN/ WAN 410. FIG. 5 is a block diagram illustrating one embodiment of a network device or router 500 embodying a processor module 510 for managing multiple zones in a computer network. The router 500 has fibre channel input/ output ports 512 and 513, as well as generic input/ output ports 514, 515, 516 that can handle multiple networking protocols such as Gigabit-Ethernet (GE), ATM (Asynchronous Transfer Mode), and SCSI (Small Computer System Interface). The input/ output ports 512-516 are interconnected with the processor module 510 and a cache /staging module 518. The processor module 510 includes a processor 522, a RAM 524, a non-volatile memory 526, and a ROM 528. After initialization, the RAM 524 includes a set of device control blocks 530 and zone control blocks 532. More details of the device control blocks 530 and zone control blocks 532 are shown in, and described in conjunction with, FIGs. 7- 10. The non-volatile memory 526 includes a zone configuration database 534 that stores all the information necessary to create and manage zones on a computer network (not shown) connected through the router 500.
FIG. 6 is a block diagram of one embodiment of the zone configuration database 534 in the processor module 510 of FIG. 5. The zone configuration database 534 preferably includes a structure header 610, zone information 620, fibre channel (FC) device information 630, and SCSI/other device information 640.
The structure header 610 includes standard information identifying the zone configuration database 534, including signature, checksum, version number and size.
The zone information 620 identifies each zone configured on the computer network from Zone ID 0 to Zone ID n; this identification can include an alias name for each zone, a zone ID, a zone mask number, and flags. The FC device information 630 includes general and zone information on each connected FC device. The preferred embodiment has information for two ports, port 0 and port 1. The information for each port generally includes a port header with identifying information such as the port number, a checksum, flags, and a device count. The port information also includes a listing of each device connected through that port. An FC port can support up to 126 devices, indicated by device 0 to device 125. Since zones can be on the level of devices, the information includes the configuration of each connected FC device, for example a WWN, flags, a read/write mask, and a read-only mask. The read/write mask and the read-only mask define the zones in which each device has read/write access, read-only access, or no access. The SCSI/other device information 640 includes general and zone information on each of the other devices, such as SCSI, ATM, or Gigabit Ethernet devices, connected to the (FIG. 5) router 500. The preferred embodiment has four ports or buses, indicated by bus 0 - bus 3. The information for each bus generally includes a bus header, bus number, checksum, flags, device count, and a listing of the devices connected through the bus. The information for each bus can also include a listing of each logical device associated, through a logical unit number (LUN), with each device. A SCSI bus can support up to 16 devices, indicated by device 0 to device 15, through each port. Each device can use logical unit numbers (LUNs) to identify up to 8 logical devices.
Since zones can be specific to each physical and logical device, as with the FC device information 630, the SCSI/other device information 640 includes the configuration of each device connected through its corresponding bus: a unique ID, flags, a read/write mask, and a read-only mask. The read/write mask and the read-only mask define the zones in which each physical and logical device has read/write access, read-only access, or no access.
During initialization of the router 500, or if a user requests a rescan, router 500 scans all enabled ports for connected devices and creates a device control block 530 and a zone control block 532, for creating and managing zones, including: port number, port type, port ID, device ID (SCSI ID or Fibre Channel WWN), device type, and any other information gathered by an inquiry command or other means.
Every time a zone is created, the zone configuration database 534 information is updated in the non-volatile memory 526 (FIG. 5). This information includes the zone ID, zone mask information, and zone name. The network boot-up routine reads the zone configuration database 534 from the non-volatile memory 526 into the main memory 524 to set the zone mask in the device control blocks 530 and to create zone control blocks 532.

FIG. 7 is a block diagram of an embodiment of the device control blocks 530 in processor module 510, which are created from information received from the devices and the zone configuration database 534. Each device control block 530 corresponds to a respective physical or logical device connected to the router 500. The device control blocks 530 include general information required for programming purposes, such as a structure header, ID, type, state, read capacity data, inquiry data, disconnect parameters, and statistical data, and also include zone mask parameters 700 for each connected device.
As shown in greater detail in FIG. 8, the zone mask parameters 700 for each physical or logical device define the zone or zones of which the device is a member, and what type of access each physical or logical device is granted. The zone mask 700 preferably includes masks for up to 32 different zones 802 labeled from 0 to 31. The zone mask 700 parameters include two vectors of binary numbers specifying whether the device has read-only access 804, read/write access 806, or no access. Each vector is a 32 bit unsigned integer, although other length vectors may be used instead. Each bit of the vector corresponds to a particular zone. If bit 0 of the vector is set to 1, then the device is a member of Zone ID 0, and so on. Thus, a 32 bit mask can support 32 zones, any number of which a device can be a member of. For example, if the device has read-only access only in zones 0 and 4, then 1s are written into the 0th and 4th positions of the read-only vector 804, and 0s are written into all remaining positions. If the device has read/write access only in zones 1 and 3, then 1s are written into the 1st and 3rd positions of the read/write vector 806, and 0s are written into all remaining positions of the vector. The read-only mask 804 is only used on devices that are of a read-write type, i.e. disk drives. This mask 804 allows system administrators to dynamically control read/write access of a device. Mask 804 is also useful if a device is a member of multiple zones and allows only some zones to have full (read/write) access while the rest of the zones have only read access.

FIG. 9 is a block diagram of an embodiment of the processor module 510 zone control blocks 532, which are created from information stored in zone configuration database 534 and in device control blocks 530. Each zone control block 532 names all of the physical or logical devices that are members of a respective zone.
The zone control blocks 532 each include general information required for programming purposes, such as a structure header, alias name, ID, flags, state, FC device count, SCSI device count, pointers to FC device control blocks, pointers to SCSI device control blocks, and a zone mask 900 identifying the particular zone managed by the zone control block. As shown in greater detail in FIG. 10, the zone mask 900 defines the members in the zone. Zone mask 900 preferably covers up to 32 zones 1002 labeled from 0 to 31. The zone mask 900 includes a 32 bit unsigned integer (although other length numbers could be used) specifying which zone is managed by the zone block 532. Each bit of the array corresponds to a zone, but since each zone control block 532 manages only one zone, only one bit of the number is set to 1 while the remaining bits are set to 0. For whichever zone has its bit set to 1 in zone mask 900, the zone control block 532 stores the necessary information, such as pointers, to access all of the devices or logical devices identified in the zone control block 532 as members of that zone.
During operation, when a zone-managing router or network box receives an I/O request, the read-only 804 and read/write 806 zone masks 700 of the initiating device are logically ORed and the result is logically ANDed with the read-only 804 zone mask 700 of the target node. If the product is non-zero, then both nodes belong to at least one zone in common; if the I/O request is a read request then access is allowed, otherwise the request is rejected. If the product is zero, then the read-only 804 and read/write 806 zone masks 700 of the initiating device are logically ORed and the result is ANDed with the read/write 806 zone mask 700 of the target node. If the product is non-zero, then both nodes belong to at least one zone in common and access is allowed, otherwise the request is rejected.
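The mask layout of FIG. 8 and the access decision just described, written out as an added example (not code from the patent or its assignee); the type and function names zone_mask_t, zone_bits and zone_access_allowed are hypothetical, and the initiator masks use the zone 0/4 and zone 1/3 values from the FIG. 8 discussion.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example of the FIG. 8 zone masks and the I/O access decision
 * described in the text; not the patent's own code. zone_mask_t, zone_bits and
 * zone_access_allowed are hypothetical names. */
#define ZONE_COUNT 32u

typedef struct {
    uint32_t read_only;    /* read-only vector 804: bit i set => Zone ID i */
    uint32_t read_write;   /* read/write vector 806: bit i set => Zone ID i */
} zone_mask_t;

/* Build a 32-bit mask from a list of zone IDs; IDs >= 32 are ignored. */
uint32_t zone_bits(const unsigned *zones, size_t n)
{
    uint32_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (zones[i] < ZONE_COUNT)
            m |= 1u << zones[i];
    return m;
}

/* Access decision for one I/O request, in the order the text gives:
 *  1. OR the initiator's read-only and read/write masks.
 *  2. AND with the target's read-only mask. Non-zero: the nodes share a zone
 *     in which the target is read-only, so only a read request is allowed.
 *  3. Otherwise AND with the target's read/write mask. Non-zero: allowed.
 *  4. Otherwise the nodes share no zone: reject. */
bool zone_access_allowed(zone_mask_t initiator, zone_mask_t target, bool is_read)
{
    uint32_t initiator_zones = initiator.read_only | initiator.read_write;

    if (initiator_zones & target.read_only)
        return is_read;          /* common zone, target read-only there */
    if (initiator_zones & target.read_write)
        return true;             /* common zone with read/write access */
    return false;                /* no zone in common */
}

/* Stand-alone demonstration with the masks from the FIG. 8 description:
 * initiator read-only in zones 0 and 4, read/write in zones 1 and 3. */
int main(void)
{
    const unsigned ro_zones[] = {0, 4};
    const unsigned rw_zones[] = {1, 3};
    zone_mask_t initiator = { zone_bits(ro_zones, 2), zone_bits(rw_zones, 2) };
    /* Constructed targets: disk A read/write in zone 3, disk B read-only in
     * zone 4, disk C only in zone 5 (no zone in common with the initiator). */
    zone_mask_t disk_a = { 0, 1u << 3 };
    zone_mask_t disk_b = { 1u << 4, 0 };
    zone_mask_t disk_c = { 0, 1u << 5 };

    printf("initiator ro=0x%02x rw=0x%02x\n", initiator.read_only, initiator.read_write);
    printf("disk A read %d write %d\n", zone_access_allowed(initiator, disk_a, true),
                                        zone_access_allowed(initiator, disk_a, false));
    printf("disk B read %d write %d\n", zone_access_allowed(initiator, disk_b, true),
                                        zone_access_allowed(initiator, disk_b, false));
    printf("disk C read %d write %d\n", zone_access_allowed(initiator, disk_c, true),
                                        zone_access_allowed(initiator, disk_c, false));
    return 0;
}
```

Because the target's read-only mask is tested first, a target that is read-only in one shared zone and read/write in a different shared zone still has write requests rejected; an administrator relying on the read/write zone should check for that overlap.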
FIG. 11 is a flowchart of steps in a method for initializing and establishing zones in a computer network. Prior to initialization, step 1100 "discovers" all devices connected to the network and builds device control blocks (DCBs). At step 1102 the network box or router 500 (FIG. 5) starts zoning initialization. At step 1104, the processor reads in the zone configuration database (ZCDB) from the non-volatile RAM into the RAM and verifies checksums. Step 1106 then begins the process of building zone control blocks (ZCBs). First, step 1108 locates a valid zone in the zone configuration database. If step 1110 determines that a valid zone exists, then step 1112 allocates a zone control block and includes necessary information from the zone configuration database in the zone control block. Then the process reverts to step 1108 to build more zone control blocks. If step 1110 determines that no valid zone exists, then step 1114 determines whether all the zones were checked. If not all of the zones were checked, then the process reverts to step 1108 to continue checking all of the zones. If step 1114 determines that all of the zones were checked, then the process continues to step 1116 where each device control block is analyzed.
Step 1118 begins analyzing a device control block by retrieving the device ID from the (next) device control block. Then, step 1120 attempts to locate the device in the zone configuration database. If step 1122 does not find the device in the zone configuration database, then step 1124 sets the device to the default zone mask (preferably bit 31) in the device control block, adds information on the new device to the zone configuration database, and the method proceeds to step 1138. If in step 1122 the device is found in the zone configuration database, then step 1126 fills the zone mask information (the read mask and the write mask) from the zone configuration database into the corresponding zone information fields in the device control block. In order to fill in a list of members in the zone control block, at step 1128 the zone control block zone mask is compared with the device control block's zone mask (logical OR of the read mask with the write mask). At step 1130, if the zone mask of the zone control block is present in the zone masks of the device control block, then step 1132 adds a pointer to the device control block to the member list of the zone control block. Whether or not the masks match in step 1130, step 1134 next determines whether all of the zone masks of the zone control blocks have been compared with the zone mask of the device control block; if not, then step 1136 selects the next zone control block and returns the process to step 1130, which compares the next zone mask, until the zone masks of all the zone control blocks have been compared with the zone mask of the current device control block.
Once all the zone control blocks have been processed in step 1134, step 1138 next determines whether all of the device control blocks have been analyzed; if not, then the process returns to step 1118 for the next device control block. After step 1138 determines that all of the device control blocks have been analyzed, at step 1140 the zoning initialization is completed.
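The FIG. 11 initialization pass (building one zone control block per valid zone, then filling each device control block's masks from the database and attaching it to the member lists of its zones) as an added example; this is not the patent's code, and every type and function name (zcdb_entry_t, dcb_t, zcb_t, build_zone_control_blocks, assign_devices_to_zones) is hypothetical. The text does not say whether the default zone bit goes into the read mask or the write mask; placing it in the read/write mask is an assumption.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed example of the FIG. 11 initialization pass; not the patent's
 * code. All type and function names here are hypothetical. */
#define ZONE_COUNT       32u
#define DEFAULT_ZONE_BIT 31u   /* default zone mask is bit 31 (step 1124) */
#define MAX_MEMBERS      16u

/* Per-device record in the zone configuration database (FIG. 6). */
typedef struct {
    uint64_t device_id;    /* SCSI ID or Fibre Channel WWN */
    uint32_t read_only;    /* read-only zone mask */
    uint32_t read_write;   /* read/write zone mask */
} zcdb_entry_t;

/* Device control block (FIG. 7): built at discovery, masks filled at init. */
typedef struct {
    uint64_t device_id;
    uint32_t read_only;
    uint32_t read_write;
} dcb_t;

/* Zone control block (FIG. 9/10): one-bit zone mask plus member pointers. */
typedef struct {
    uint32_t     zone_mask;               /* exactly one bit set */
    size_t       member_count;
    const dcb_t *members[MAX_MEMBERS];
} zcb_t;

/* Steps 1120-1122: find a device in the ZCDB, or NULL if it is unknown. */
static zcdb_entry_t *zcdb_find(zcdb_entry_t *db, size_t n, uint64_t id)
{
    for (size_t i = 0; i < n; i++)
        if (db[i].device_id == id)
            return &db[i];
    return NULL;
}

/* Steps 1106-1114: allocate one ZCB per valid zone. valid_zones has bit z set
 * when Zone ID z is configured in the ZCDB. Returns the number of ZCBs. */
size_t build_zone_control_blocks(uint32_t valid_zones, zcb_t *zcbs)
{
    size_t n = 0;
    for (unsigned z = 0; z < ZONE_COUNT; z++) {
        if (valid_zones & (1u << z)) {
            zcbs[n].zone_mask = 1u << z;
            zcbs[n].member_count = 0;
            n++;
        }
    }
    return n;
}

/* Steps 1116-1140: fill each DCB's masks from the ZCDB and add the DCB to the
 * member list of every ZCB whose zone bit is set in (read_only | read_write).
 * Unknown devices get the default zone and are appended to the ZCDB (step
 * 1124); assumption: the default bit is placed in the read/write mask.
 * Returns the number of devices that were not found in the ZCDB. */
size_t assign_devices_to_zones(dcb_t *dcbs, size_t ndcb,
                               zcdb_entry_t *db, size_t *ndb, size_t db_cap,
                               zcb_t *zcbs, size_t nzcb)
{
    size_t unknown = 0;
    for (size_t d = 0; d < ndcb; d++) {
        zcdb_entry_t *e = zcdb_find(db, *ndb, dcbs[d].device_id);
        if (e == NULL) {
            dcbs[d].read_only  = 0;
            dcbs[d].read_write = 1u << DEFAULT_ZONE_BIT;
            if (*ndb < db_cap) {              /* record the new device */
                db[*ndb].device_id  = dcbs[d].device_id;
                db[*ndb].read_only  = 0;
                db[*ndb].read_write = 1u << DEFAULT_ZONE_BIT;
                (*ndb)++;
            }
            unknown++;
            continue;                         /* step 1124 -> step 1138 */
        }
        dcbs[d].read_only  = e->read_only;    /* step 1126 */
        dcbs[d].read_write = e->read_write;
        uint32_t dev_zones = dcbs[d].read_only | dcbs[d].read_write; /* 1128 */
        for (size_t z = 0; z < nzcb; z++) {   /* steps 1130-1136 */
            if ((zcbs[z].zone_mask & dev_zones) &&
                zcbs[z].member_count < MAX_MEMBERS)
                zcbs[z].members[zcbs[z].member_count++] = &dcbs[d];
        }
    }
    return unknown;
}
```

A device discovered at boot that is absent from the database ends up only in the default zone, so the member lists of the configured zones never include it until an administrator adds it explicitly.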
The zoning features of this invention can span multiple boxes. Zones are preferably configured using a GUI application which runs on a host PC. After every zone configuration change, the zone information is sent to all the necessary routers or boxes in the same redundancy group. This feature allows users to configure networks using multiple routers with redundant paths to access their devices. A special protocol can be implemented in the routers to allow the routers to communicate and exchange zone information with each other. At configuration time, each router is made aware of the other routers (in a redundancy group) that are connected to the same (some or all) devices in the network. Whenever there is a change in the zone database, the information will be sent to all other routers in the same redundancy group.
The software used to manage the zoning of the network preferably provides for various types of commands that allow a network administrator to create and manage the zones on the computer network. Such commands preferably include: create zone, add member to a zone, remove member from a zone, and delete zone.
Create zone is used for creating a zone in the computer network. The parameters for this command include a list of members or devices to be included in the zone. The new zone would then occupy an unused zone ID and set zone information in the zone configuration database. The corresponding zone mask is then set in the device database.
Add member to a zone is used for adding member(s) to an already existing zone. The parameters for this command include zone ID and a list of new members or devices to be added.
Remove member from a zone is used for removing member(s) from an already existing zone. The parameters include zone ID and a list of members that are to be removed.
Delete zone is used for deleting an already existing zone. The parameters for this command are the zone ID of the zone to be deleted.

The invention has been explained above with reference to a preferred embodiment. Other embodiments will be apparent to those skilled in the art in light of this disclosure. For example, the invention may be implemented in other configurations and/or used with other systems. Therefore, these and other variations upon the preferred embodiments are intended to be covered by the appended claims.

Claims

What is claimed is:
1. A method of zoning devices in a computer network, comprising the steps of: providing a zone configuration database identifying zones of which each device is a member; and allowing zone access between devices if and only if they are members of the same zone.
2. The method of claim 1 wherein said zone configuration database includes a zone mask identifying the zones of which each said device is a member.
3. The method of claim 2 wherein said zone mask comprises: a read mask which, if enabled for a specific device in a particular zone, grants read-only access for said specific device within said particular zone; and a write mask which, if enabled for said specific device in said particular zone, grants read and write access for said specific device within said particular zone.
4. The method of claim 1, further including the step of storing said zone configuration database in a memory in at least one network device connected to the computer network.
5. The method of claim 4, wherein said network device is selected from the group consisting of: a router, a bridge, a hub, a switch, and a network master.
6. The method of claim 4 wherein said memory is non-volatile.
7. The method of claim 1, further including the step of using a software program running on a device connected to the computer network to create and manage said zone configuration database.
8. The method of claim 1, wherein said zone configuration database includes a zone mask associated with each logical unit number in a device.
9. The method of claim 1 wherein zone access is controlled by selected network devices through redundant paths in a redundancy group.
10. The method of claim 1 further including the step of, during an initialization phase, storing, in a memory, unique device ID information for each device.
11. A system for zoning devices in a computer network, comprising a zone configuration database which lists each device connected to the computer network, and which allows zone access between devices if and only if they are members of the same zone.
12. The system of claim 11, wherein said zone configuration database includes a zone mask identifying zones of which each device is a member.
13. The system of claim 12 wherein said zone mask comprises: a read mask which, if enabled for a specific device in a particular zone, grants read-only access for said specific device within said particular zone; and a write mask which, if enabled for said specific device in said particular zone, grants read and write access for said specific device within said particular zone.
14. The system of claim 11 wherein said zone configuration database is stored in a memory in at least one network device connected to the computer network.
15. The system of claim 14, wherein said network device is selected from the group consisting of: a router, a bridge, a hub, a switch, and a network master.
16. The system of claim 14 wherein said memory is non-volatile.
17. The system of claim 11, wherein said zone configuration database is created and managed by a software program running on a device connected to the computer network.
18. The system of claim 11, wherein said zone configuration database includes a zone mask associated with each logical unit number in a device.
19. The system of claim 11 wherein zone access is controlled by selected network devices through redundant paths in a redundancy group.
20. A system for zoning devices connected to a computer network, comprising: zoning means which identify zones of which each device is a member, and which allows zone access between devices if and only if they are members of the same zone.
21. The system of claim 20, wherein said zoning means includes masking means identifying at least one zone of which each device is a member.
22. The system of claim 21, wherein said masking means comprises: a read mask which, if enabled for a specific device in a particular zone, grants read-only access for said specific device within said particular zone; and a write mask which, if enabled for said specific device in said particular zone, grants read and write access for said specific device within said particular zone.
23. The system of claim 20 wherein said zoning means is stored in a memory in at least one network device connected to the computer network.
24. The system of claim 23, wherein said network device is selected from the group consisting of: a router, a bridge, a hub, a switch, and a network master.
25. The system of claim 23 wherein said memory is non-volatile.
26. The system of claim 20 wherein said zoning means is created and managed by a software program running on a device connected to the computer network.
27. The system of claim 20, wherein said zoning means includes masking means associated with each logical unit number in a device.
28. The system of claim 20 wherein zone access is controlled by selected network devices through redundant paths in a redundancy group.
PCT/US2000/006920 1999-03-15 2000-03-15 System and method of zoning and access control in a computer network WO2000055750A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU38893/00A AU3889300A (en) 1999-03-15 2000-03-15 System and method of zoning and access control in a computer network

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US12449499P 1999-03-15 1999-03-15
US60/124,494 1999-03-15
US35741299A 1999-07-20 1999-07-20
US09/357,412 1999-07-20

Publications (1)

Publication Number Publication Date
WO2000055750A1 true WO2000055750A1 (en) 2000-09-21

Family

ID=26822660

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/006920 WO2000055750A1 (en) 1999-03-15 2000-03-15 System and method of zoning and access control in a computer network

Country Status (2)

Country Link
AU (1) AU3889300A (en)
WO (1) WO2000055750A1 (en)

Also Published As

Publication number Publication date
AU3889300A (en) 2000-10-04
