An FC SAN mainly includes nodes, such as servers and a storage devices, provided with a host bus adapter (HBA) card, and an FC Fabric, where the FC Fabric includes several FC switches in a standard mode, the server communicates with the storage device using an FC switch in the FC Fabric, a port through which the server or the storage device is connected to the FC switch is an N_port, and a port through which the FC switch is connected to the server or the storage device is an F_port. Security isolation of the FC SAN may be implemented using a zone technology and a logical unit number (LUN) masking technology, where LUN masking is used to establish a correspondence between a LUN and a world wide port name (WWPN) of the HBA card of the server, that is, a logical unit corresponding to the LUN may be bound to a WWPN of one HBA card or WWPNs of multiple HBA cards such that different servers can access different logical units in the storage device. Therefore, a server and a storage device that belong to a same zone may communicate with each other, and a server and a storage device in different zones cannot directly access each other using the FC Fabric, thereby implementing isolation between devices in the FC SAN.
However, the foregoing zone technology and the LUN masking are only limited to performing network security isolation using a server as a granularity. In a virtualization scenario, each server is loaded with multiple virtual machines (VM). To enable each VM to access a storage device, a WWPN is allocated to each VM, and each VM may be registered with an FC Fabric using an N_port of the server to obtain an N_port identifier (N_Port_ID). Therefore, each VM has an identifier different from that of another VM. With reference to the zone technology and LUN masking, network security isolation may be implemented using a VM as a granularity. However, in a hot migration process of a VM, the VM is required to be capable of accessing a same LUN at different locations before and after being migrated. For example, a VM on a server A (a WWPN of the VM is WWPN-A) needs to undergo hot migration to a server B, and a WWPN of the VM after the VM is migrated to the server B is WWPN-B. A zone configuration before the VM is migrated is performed by configuring WWPN-A and a WWPN of an HBA card of a storage device (designated as WWPN-S) in a same zone (such as ZoneA), and a correspondence between WWPN-A and an LUN of the storage device is set in the storage device. Before the VM is formally migrated, a network administrator configures WWPN-B and WWPN-S in another new zone (such as ZoneB) using a manual configuration. In addition, the storage device also needs to establish a correspondence between WWPN-B and an LUN of the storage device. Therefore, it may be kept that the VM may access an LUN of the storage device after hot migration.
In the prior art, in each migration process of the VM, the network administrator needs to manually configure a new Zone, and the storage device also needs to update a correspondence, causing cumbersome operations such that the VM is relatively low in migration efficiency and is relatively poor in flexibility.