FICON Planning and Implementation Guide
The management differences between the two protocols only matter when you want to control the scope of switching through zoning or connectivity control. FCP devices use Name Server zoning to provide fabric-wide connection control. FICON devices can use the Prohibit Dynamic Connectivity Mask (PDCM) to provide Director-wide connection control. The PDCM is a vector-defined addressing system: for each port address it records which other port addresses that port is allowed to communicate with. A FICON Director is required to enforce this connectivity control in hardware. In intermix environments the PDCM is therefore more restrictive than the zoning information used by open systems devices.

It is also important to understand the implications of FICON port addressing versus port numbering in FCP. FICON abstracts the physical port by creating an object known as the port address, and an association is then made between the port address and the physical port number. Because the host configuration refers to port addresses rather than port numbers, this abstraction allows FICON port swaps for maintenance without regenerating the host configuration. The port address abstraction is not part of the Fibre Channel architecture and is foreign to FCP.

FCP communications are name-centric, discovery-oriented, and fabric-assigned, and they use the Fibre Channel Name Server to determine which devices may communicate. When an FCP device attaches to the fabric, it queries the Name Server for its zoning information. FICON devices do not query, because the allowable port and device relationships have been defined beforehand. FCP configurations support multiple fabrics and allow seven hops between source and target. FCP port-to-port connectivity has traditionally been enforced through zoning, although other techniques complementary to zoning (such as port, Director, and fabric binding) are also used.
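The following Python model illustrates the two mechanisms described above side by side: a FICON Director whose hosts address ports by port address and whose connectivity is governed by a symmetric PDCM matrix, and an FCP fabric whose devices are identified by WWPN and learn their peers from Name Server zoning. It also checks the intermix rule stated in the next paragraph (no frames may pass between a FICON Director port and any SAN-connected port in either direction). This is an added example written for this page, not code from the FICON Planning and Implementation Guide or from any Director vendor; the port addresses, port numbers, WWPNs and policy are constructed values.

```python
"""Toy model of FICON PDCM connectivity control versus FCP zoning.

Constructed example for this page; not vendor or IBM Redbooks code.
All port addresses, port numbers, WWPNs and zones are made-up values.
"""
from dataclasses import dataclass, field


@dataclass
class FiconDirector:
    """FICON view: hosts refer to a port address; the Director maps it to a
    physical port. Connectivity is controlled per address pair by the PDCM,
    modelled here as a symmetric prohibit matrix (one prohibit vector per
    port address)."""
    address_to_port: dict                                # port address -> physical port
    prohibit: dict = field(default_factory=dict)         # address -> set(prohibited addresses)

    def prohibit_pair(self, a, b):
        # Store both directions: a hardware-enforced mask must be symmetric.
        self.prohibit.setdefault(a, set()).add(b)
        self.prohibit.setdefault(b, set()).add(a)

    def allowed(self, a, b):
        return a != b and b not in self.prohibit.get(a, set())

    def is_symmetric(self):
        return all(a in self.prohibit.get(b, set())
                   for a, peers in self.prohibit.items() for b in peers)

    def swap_ports(self, addr_a, addr_b):
        """Maintenance port swap: two addresses trade physical ports. Host
        I/O configuration and the PDCM key on addresses, so neither changes."""
        a2p = self.address_to_port
        a2p[addr_a], a2p[addr_b] = a2p[addr_b], a2p[addr_a]


class FcpFabric:
    """FCP view: name-centric. Devices are known by WWPN, learn their zone
    membership from the Name Server at login, and may talk only to devices
    that share at least one zone with them."""
    def __init__(self):
        self.zones = {}  # zone name -> set of WWPNs

    def add_zone(self, name, members):
        self.zones[name] = set(members)

    def can_communicate(self, wwpn_a, wwpn_b):
        return wwpn_a != wwpn_b and any(
            wwpn_a in m and wwpn_b in m for m in self.zones.values())

    def query_name_server(self, wwpn):
        """Peers a device discovers at fabric login (zoned view only)."""
        return sorted({p for m in self.zones.values() if wwpn in m for p in m} - {wwpn})


def intermix_violations(director, ficon_addrs, san_addrs):
    """Intermix rule: no frames between FICON ports and SAN ports, either
    direction. Returns every FICON/SAN address pair the PDCM still allows."""
    return sorted((f, s) for f in ficon_addrs for s in san_addrs
                  if director.allowed(f, s) or director.allowed(s, f))


def enforce_intermix(director, ficon_addrs, san_addrs):
    for f in ficon_addrs:
        for s in san_addrs:
            director.prohibit_pair(f, s)


# Constructed sample Director: 0x04..0x07 are FICON port addresses,
# 0x20 and 0x21 carry open-systems (FCP) devices on the same Director.
FICON_ADDRS = [0x04, 0x05, 0x06, 0x07]
SAN_ADDRS = [0x20, 0x21]


def build_director():
    d = FiconDirector(address_to_port={0x04: 4, 0x05: 5, 0x06: 6, 0x07: 7,
                                       0x20: 32, 0x21: 33})
    d.prohibit_pair(0x04, 0x05)  # example: two channels that must not talk
    return d


def build_fabric():
    f = FcpFabric()  # WWPNs below are constructed values
    f.add_zone("zone_host1_array", ["10:00:00:00:c9:aa:00:01", "50:05:07:68:01:00:00:01"])
    f.add_zone("zone_host2_array", ["10:00:00:00:c9:aa:00:02", "50:05:07:68:01:00:00:01"])
    return f


if __name__ == "__main__":
    d = build_director()
    print("intermix violations before:", intermix_violations(d, FICON_ADDRS, SAN_ADDRS))
    enforce_intermix(d, FICON_ADDRS, SAN_ADDRS)
    print("intermix violations after:", intermix_violations(d, FICON_ADDRS, SAN_ADDRS))
    d.swap_ports(0x06, 0x07)  # maintenance swap; host still addresses 0x06
    print("address 0x06 now on physical port", d.address_to_port[0x06])
    f = build_fabric()
    print("host1 sees:", f.query_name_server("10:00:00:00:c9:aa:00:01"))
```

Note the asymmetry the text points to: the FICON side is a static, pre-defined allow matrix that the Director enforces for every address pair, while the FCP side is discovered at login and only constrains devices to their zone members. `intermix_violations` is the audit you would want to run against an exported PDCM before enabling intermix: the expected result after `enforce_intermix` is an empty list, with FICON-to-FICON pairs untouched.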
Binding helps alleviate the security concerns that arise in intermix installations, because with FCP any device that logs into the fabric can access the ANSI-standard FC management server. If you are implementing intermix, you must block the transfer of any and all frames from a FICON Director port to all SAN-connected ports, and vice versa.

For more detailed information about these topics, refer to:
Implementing an IBM b-type SAN with 8 Gbps Directors and Switches, SG24-6116
IBM/Cisco Multiprotocol Routing: An Introduction and Implementation, SG24-7543
IBM System Storage b-type Multiprotocol Routing: An Introduction and Implementation, SG24-7544
Implementing an IBM/Cisco SAN, SG24-7545

4.6.2 Fabric security

Security best practices typically address three main objectives, each paired with the threat it counters: availability (against destruction), confidentiality (against disclosure), and integrity (against alteration of data). It is also important to remember that the majority of security threats come from insiders. Therefore, any SAN security strategy must also:
Restrict administrator privileges
Isolate sensitive environments
Audit SAN activities
Document the configuration at all levels