Cisco Nexus 4001I and 4005I Switch Module for IBM BladeCenter NX-OS Configuration Guide
Configuring FCoE Initialization Protocol Snooping

This chapter describes how to configure the FIP snooping bridge feature and includes the following sections:

Information About FIP Snooping

Configuring FIP Snooping

Verifying FIP Snooping Configuration

Information About FIP Snooping

This section provides information about Fibre Channel over Ethernet (FCoE).


Note The BASIC_STORAGE_SERVICES_PKG includes the FIP snooping feature license. The licensing model for the Cisco NX-OS software is feature based. Feature-based licenses make features available to the entire physical switch.


FIP Snooping Overview

In Fibre Channel networks, Fibre Channel switches are generally considered trusted devices. Other Fibre Channel devices must log into the switch before they can communicate with the rest of the fabric. Given that Fibre Channel links are point-to-point, the Fibre Channel switch has complete control over the traffic that a device injects into the fabric or that is received from the fabric. As a result, the switch can ensure that devices are using their assigned addresses and prevent various types of anomalous behaviors that could be erroneous or malicious. See Figure 29-1.

Figure 29-1 Fibre Channel over Ethernet Network Topology

FCoE provides increased flexibility. However, with this flexibility new challenges arise in assuring highly robust fabrics. Specifically, if Ethernet bridges exist between an ENode and the Fibre Channel Forwarder (FCF), the point-to-point assurance between ENode and FCF is lost. Thus the FCF does not have the complete authority that a Fibre Channel switch has.

Equivalent robustness between FCoE and Fibre Channel is possible if one can ensure that all FCoE traffic to and from an ENode must pass through an FCF, and that if multiple devices can access an FCF through a single physical FCF port. Doing so, in effect, creates the equivalent of a point-to-point link between the ENode and FCF.

One possible method of accomplishing this is to ensure every ENode is physically connected to an FCF with no intervening Ethernet bridges. Unfortunately, in many deployments this would prove impractical. For example, in large scale blade or 1U server environments, deploying an FCF in each blade system or top-of-rack switch creates the same scaling limitations in FCoE that are well known today in comparably configured Fibre Channel fabrics.

The FCoE Initialization Protocol (FIP) is a Layer 2 protocol for endpoint discovery and fabric association. FIP has its own EtherType and uses its own frame formats. FIP has two phases: discovery and login. Once discovery of the end nodes and login are complete, FCoE traffic can start flowing between the endpoints. By snooping on FIP packets during the discovery and login phases, intermediate bridges can implement dynamic data integrity mechanisms using ACLs that permit valid FCoE traffic between the ENode and the FCF. Implementing such security mechanisms ensures that only valid FCoE traffic is allowed. This is FIP snooping. A bridge that implements this functionality is referred to as a FIP snooping bridge. The process that implements this feature is called the FIP Snooping Manager (FIPSM). FIPSM supports both fabric-provided MAC addresses (FPMA) and server-provided MAC addresses (SPMA).
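The following simplified Python model of the dynamic ACL behaviour described above is an added illustration, not Cisco's implementation. The class, method names and port labels are hypothetical, the EtherType values 0x8914 (FIP) and 0x8906 (FCoE) come from the FC-BB-5 standard rather than this page, and FPMA addressing is assumed.

```python
# Simplified model of a FIP snooping bridge (added example, not Cisco code).
# EtherType values are from the FC-BB-5 standard, not from this page.
ETH_FIP, ETH_FCOE = 0x8914, 0x8906


def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to a 48-bit integer."""
    return int(text.replace(":", ""), 16)


class FipSnoopingBridge:
    def __init__(self, fcf_ports, fc_map=0x0EFC00):
        self.fcf_ports = set(fcf_ports)  # ports marked as FCF-facing
        self.fc_map = fc_map             # FC-MAP expected on this VLAN
        self.acl = set()                 # (enode_port, fcoe_mac, fcf_mac)

    def snoop_login_accept(self, in_port, enode_port, fcf_mac, granted_mac):
        """Install a permit entry when a login accept is snooped."""
        if in_port not in self.fcf_ports:
            return False                 # accept did not arrive from an FCF port
        if granted_mac >> 24 != self.fc_map:
            return False                 # FC-MAP mismatch: no session
        self.acl.add((enode_port, granted_mac, fcf_mac))
        return True

    def snoop_logout(self, enode_port, granted_mac, fcf_mac):
        """Remove the permit entry when the session ends."""
        self.acl.discard((enode_port, granted_mac, fcf_mac))

    def permits(self, in_port, ethertype, src_mac, dst_mac):
        """Decide whether a frame arriving on in_port is forwarded."""
        if ethertype == ETH_FIP:
            return True                  # FIP is relayed so it can be snooped
        if ethertype != ETH_FCOE:
            return True                  # ordinary LAN traffic is not filtered here
        if in_port in self.fcf_ports:    # FCF -> ENode (modelling choice)
            return any(f == src_mac and m == dst_mac for _, m, f in self.acl)
        return (in_port, src_mac, dst_mac) in self.acl  # ENode -> FCF


# Constructed walk-through using the MAC addresses from the page's sample output.
FCF = mac("00:0d:ec:b2:2c:80")
FPMA = mac("0e:fc:00:ad:00:00")
bridge = FipSnoopingBridge(fcf_ports={"Eth1/9"})
before_login = bridge.permits("Eth1/7", ETH_FCOE, FPMA, FCF)
bridge.snoop_login_accept("Eth1/9", "Eth1/7", FCF, FPMA)
after_login = bridge.permits("Eth1/7", ETH_FCOE, FPMA, FCF)
spoofed_port = bridge.permits("Eth1/8", ETH_FCOE, FPMA, FCF)
```

In the walk-through, FCoE frames from Eth1/7 are dropped until the login accept is snooped, and the same source MAC presented on Eth1/8 stays blocked afterwards.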

FCoE Connectivity

This section describes options for FCoE connectivity (see Figure 29-2) and includes the following topics:

Non-Redundant FCoE Connectivity

Redundant FCoE Connectivity

Non-Redundant FCoE Connectivity

The switch acts as a lossless Ethernet bridge transparently forwarding FCoE packets from the blade servers to a switch. The switch is a FIP snooping bridge.

Figure 29-2 Non-redundant FCoE Connectivity

Redundant FCoE Connectivity

The switch acts as a lossless Ethernet bridge transparently forwarding FCoE packets from the blade servers to a switch. The switch is a FIP snooping bridge. Each blade server connects to two switches. Each FCF switch connects to a separate switch. Each FCF switch and the LAN Access or Aggregation Switch provides access to a different SAN. See Figure 29-3.

The FCoE Initialization Protocol defined by the T11 standards body enables the host to pick a particular FCF for the fabric login. By using FIP, the host determines all the available FCFs and then selects one from among them.

Figure 29-3 Redundant FCoE Connectivity

Configuring FIP Snooping

When a switch boots up with an empty configuration, it asks the user for a specific configuration. It is also possible to auto-generate or deduce certain configuration, but the user is expected to configure this feature explicitly.

This section includes the following topics:

Enabling DCBXP and LLDP

Configuring QoS

Enabling FIP Snooping Feature

Configuring VLAN

Configuring VLAN and FC-MAP

Configuring Port Identification

Enabling DCBXP and LLDP

The Data Center Ethernet Parameter Exchange (DCBXP) is enabled by default. DCBXP is a protocol used to negotiate FCoE parameters so that the FCoE cloud has end-to-end auto-configuration for FCoE infrastructure and features. DCBXP uses the standard Link Layer Discovery Protocol (LLDP), IEEE standard 802.1AB-2005, to create a bidirectional negotiation path between peer nodes and push the FCoE configuration so that the FCoE cloud is consistent end to end.

FIPSM interacts with its peer using DCBXP to negotiate the following key parameters:

Priority Flow Control - to exchange per-VL PAUSE configurations

Priority Scheduling - to exchange bandwidth scheduling and configuration related to priority groups

FCoE - to exchange FCoE parameters and to determine which VLs should be used by FCoE traffic

There is no specific CLI to enable or disable the DCBXP feature.

LLDP is implemented as part of DCBXP. It is enabled by default. The user can disable it using the no lldp command.


Note Disabling the transmit and receive functions of LLDP has a direct impact on the functioning of DCBXP.


To enable or disable LLDP, perform these tasks:

Command                                            Purpose
switch(config)# interface type slot/port           Enters interface configuration mode for the specified interface.
switch(config-if)# lldp [transmit | receive]       Enables LLDP.
switch(config)# interface type slot/port           Enters interface configuration mode for the specified interface.
switch(config-if)# no lldp [transmit | receive]    Disables LLDP.


The following example shows how to enable LLDP transmission on an interface:

switch# configure terminal
switch(config)# interface ethernet 1/20
switch(config-if)# lldp transmit

To display LLDP configuration information on the interface, perform this task:

Command                                                                        Purpose
switch# show lldp [interface type slot/port | neighbors | timers | traffic]    Displays the LLDP configuration information.


The following example shows how to display the LLDP configuration information for an Ethernet interface:

switch# show lldp interface ethernet 1/20

Configuring QoS

QoS must be configured for FCoE before FIP snooping is enabled. MTU, PFC, and ETS are required for FIP snooping. During initial configuration of the switch, QoS is configured by default if you configure FCoE at the time. If you want to change the default QoS configuration, you should configure QoS.

Enabling FIP Snooping Feature

The FIP snooping feature is disabled by default. The FIP-related CLI commands under VLAN and interface mode are visible only after the feature is enabled. The FIP-snoop process also starts after the feature is enabled. Until then, FIP-related packets are treated as normal multicast Ethernet packets with the FIP/FCoE EtherType. The CLI command succeeds only after a cross-check with the license manager. Once the feature is enabled, FIP-snoop packets and FCoE packets are dropped unless explicitly enabled on a per-VLAN basis. If FIP snooping is enabled, all FIP frames are snooped and security ACLs are added. FCoE traffic is blocked on all ports until the device re-initializes with FIP. A warning message about FCoE traffic disruption is issued when the feature is enabled. If the feature is disabled, snooping is removed and all programmed ACLs and internal data are cleaned up.

To enable or disable the FIP snooping feature, perform these tasks:

Command                                    Purpose
switch(config)# feature fip-snooping       Enables FIP snooping.
switch(config)# no feature fip-snooping    Disables FIP snooping.


The following example shows how to enable the FIP snooping feature:

switch# configure terminal
switch(config)# feature fip-snooping

Configuring VLAN

A VLAN must be configured before it can be used. Once the VLAN is enabled, FIP packets are snooped only on the configured VLANs. FIP snooping is disabled on VLANs by default.

To enable or disable FIP snooping on a VLAN, perform this task:

 
        Command                                        Purpose
Step 1  switch# configure terminal                     Enters configuration mode.
Step 2  switch(config)# vlan vlan-id                   Configures a specific VLAN. The range is 1-4095.
Step 3  switch(config-vlan)# fip-snooping enable       Enables FIP snooping on a VLAN.
Step 4  switch(config-vlan)# no fip-snooping enable    Removes FIP snooping from the VLAN.

The following example shows how to enable FIP snooping for VLAN IDs 1-7:

switch# configure terminal
switch(config)# vlan 1-7
switch(config-vlan)# fip-snooping enable

Configuring VLAN and FC-MAP

The FC-MAP is configured on a per VLAN basis. This FC-MAP is verified with the FC-MAP received from the FCF and if it does not match, the frames are rejected. Only frames that match the configured FC-MAP are allowed to go through and to establish a session between an ENode and FCF. The FC-MAP value is 0x0efc00 by default.

To configure the VLAN and the FC-MAP, perform this task:

 
        Command                                                   Purpose
Step 1  switch# configure terminal                                Enters configuration mode.
Step 2  switch(config)# vlan vlan-id                              Creates a specific VLAN. The range is 1-4095.
Step 3  switch(config-vlan)# fip-snooping enable                  Enables the FIP snooping feature.
Step 4  switch(config-vlan)# fip-snooping fc-map <0x0-0xffffff>   Configures FC-MAP.

Note If the FC-MAP is not known, configure it to a definite FC-MAP value of 0x0efc00.

The following example shows how to configure a VLAN and FC-MAP:

switch# configure terminal
switch(config)# vlan 101
switch(config-vlan)# fip-snooping enable
switch(config-vlan)# fip-snooping fc-map 0x0efc00

Configuring Port Identification

When the FIP snooping feature is enabled, the switch must know which interfaces the FCFs are connected to in order to relay FIP packets from the host to the FCF. Therefore, the user must specify what is connected to an interface. The FIP Manager keeps track of all interfaces that have FCFs connected, to relay the FIP packets from the hosts. If no specific connection information is provided, the FIP discovery packets received trigger an identification of the peers connected to the interface. The port is assumed to be in host mode if no user configuration is present.


Note Verify that all the FCoE supporting links to the host or to the FCF are of type trunk and all the FCoE are VLANs.


To configure port identification, perform this task:

 
        Command                                          Purpose
Step 1  switch# configure terminal                       Enters configuration mode.
Step 2  switch(config)# feature fip-snooping             Enables FIP snooping.
Step 3  switch(config)# interface type slot/port         Enters interface configuration mode for the specified interface.
Step 4  switch(config-if)# fip-snooping port-mode fcf    Specifies what is connected to the interface.

The following example shows how to configure the FCF for the Ethernet interface slot 1 port 20:

switch# configure terminal
switch(config)# feature fip-snooping
switch(config)# interface ethernet 1/20
switch(config-if)# fip-snooping port-mode fcf
 
   

To configure VLAN characteristics when the interface is in trunking mode, perform this task:

 
        Command                                                 Purpose
Step 1  switch# configure terminal                              Enters configuration mode.
Step 2  switch(config)# interface type slot/port                Enters interface configuration mode for the specified interface.
Step 3  switch(config-if)# switchport mode trunk                Configures the switchport mode trunking parameters.
Step 4  switch(config-if)# switchport trunk allowed vlan 101    Sets the allowed VLANs when the interface is in trunking mode.

The following example shows how to set allowed VLANs when the interface is in trunking mode:

switch# configure terminal
switch(config)# interface ethernet 1/20
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 101

Verifying FIP Snooping Configuration

To display FIP snooping configuration, perform one of these tasks:

Command                               Purpose
switch# show fip-snooping sessions    Displays all FIP snooping sessions.
switch# show fip-snooping fcf         Displays to what interfaces the FCFs are connected.
switch# show fip-snooping enode       Displays the ENode connections.


The following example shows all the FIP snooping sessions:

switch# show fip-snooping sessions
  Legend:
-------------------------------------------------------------------------------
FCF MAC              ENode MAC            VLAN  FCoE MAC           FC ID
-------------------------------------------------------------------------------
00:0d:ec:b2:2c:80    00:0c:29:65:82:bc    1     0e:fc:00:ad:00:00  0x380fdb
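
The following Python audit is an added example, not part of the Cisco guide. It parses the session table shown above and flags sessions whose FCoE MAC does not begin with the FC-MAP configured for the VLAN, or whose FCF MAC is not an expected one. It assumes FPMA addressing and the column layout shown above; the function names, the per-VLAN FC-MAP map and the two extra data rows are constructed for illustration.

```python
import re

# Assumption: data rows follow the five-column layout of the output above.
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ROW = re.compile(rf"^\s*({MAC})\s+({MAC})\s+(\d+)\s+({MAC})\s+(0x[0-9a-f]+)\s*$", re.I)

# The first data row is from the page; the other two are constructed.
SAMPLE = """\
  Legend:
-------------------------------------------------------------------------------
FCF MAC              ENode MAC            VLAN  FCoE MAC           FC ID
-------------------------------------------------------------------------------
00:0d:ec:b2:2c:80    00:0c:29:65:82:bc    1     0e:fc:00:ad:00:00  0x380fdb
00:0d:ec:b2:2c:80    00:0c:29:aa:bb:01  101     0e:fd:00:01:00:01  0x010001
00:11:22:33:44:55    00:0c:29:aa:bb:02  101     0e:fc:00:01:00:02  0x010002
"""


def parse_sessions(text):
    """Return one dict per data row; legend, header and rule lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            fcf, enode, vlan, fcoe, fcid = m.groups()
            sessions.append({"fcf_mac": fcf.lower(), "enode_mac": enode.lower(),
                             "vlan": int(vlan), "fcoe_mac": fcoe.lower(),
                             "fc_id": int(fcid, 16)})
    return sessions


def audit(sessions, fc_map_by_vlan, known_fcfs):
    """Return (enode_mac, reason) tuples for sessions that need a closer look."""
    findings = []
    for s in sessions:
        expected = fc_map_by_vlan.get(s["vlan"])
        prefix = int(s["fcoe_mac"].replace(":", "")[:6], 16)  # upper 24 bits
        if expected is None:
            findings.append((s["enode_mac"], "VLAN has no configured FC-MAP"))
        elif prefix != expected:
            findings.append((s["enode_mac"],
                             f"FCoE MAC prefix {prefix:#08x} != FC-MAP {expected:#08x}"))
        if s["fcf_mac"] not in known_fcfs:
            findings.append((s["enode_mac"], f"unknown FCF MAC {s['fcf_mac']}"))
    return findings


FINDINGS = audit(parse_sessions(SAMPLE), {1: 0x0EFC00, 101: 0x0EFC00}, {"00:0d:ec:b2:2c:80"})
```

The expected FCF MAC set can be taken from the show fip-snooping fcf output for the FCF-connected ports.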
 
   

The following example shows to what interfaces the FCFs are connected:


Note Run this command only for FCF-connected ports.


switch# show fip-snooping fcf
  Legend:
-------------------------------------------------------------------------------
Interface VLAN   No of   FPMA/  FCMAP       FCF-MAC         NameID  Fabric Name
                Enodes   SPMA
-------------------------------------------------------------------------------
Eth1/9    1       1      FPMA  0x000000  00:0d:ec:b2:2c:80 00000000  00000000
 
   

The following example shows the ENode connections:

switch# show fip-snooping enode
  Legend:
-------------------------------------------------------------------------------
Interface   VLAN     Name ID        FIP MAC           FCID
-------------------------------------------------------------------------------
Eth1/7      1       00000000   00:0c:29:65:82:bc    0x000000