This chapter provides an overview of SAN switching for Cisco NX-OS devices. This chapter includes the following sections:
The Fibre Channel domain (fcdomain) feature performs principal
switch selection, domain ID distribution, FC ID allocation, and
fabric reconfiguration functions as described in the FC-SW-2
standards. The domains are configured per VSAN . If you
do not configure a domain ID, the local switch uses a random ID.
N Port Virtualization
Cisco NX-OS software supports industry-standard N port
identifier virtualization (NPIV), which allows multiple N port
fabric logins concurrently on a single physical Fibre Channel link.
HBAs that support NPIV can help improve SAN security by enabling
zoning and port security to be configured independently for each
virtual machine (OS partition) on a host. In addition to being
useful for server connections, NPIV is beneficial for connectivity
between core and edge SAN switches.
N port virtualizer (NPV) is a complementary feature that reduces
the number of Fibre Channel domain IDs in core-edge SANs. Cisco MDS
9000 family fabric switches operating in the NPV mode do not join a
fabric; they only pass traffic between core switch links and end
devices, which eliminates the domain IDs for these switches. NPIV
is used by edge switches in the NPV mode to log in to multiple end
devices that share a link to the core switch. This feature is
available only for Cisco MDS Blade Switch Series, the Cisco MDS
9124 Multilayer Fabric Switch, and the Cisco MDS 9134 Multilayer
Trunking, also known as VSAN trunking, enables
interconnect ports to transmit and receive frames in more than one
VSAN over the same physical link. Trunking is supported on E ports
and F ports.
SAN Port Channels
PortChannels aggregate multiple physical ISLs into one logical
link with higher bandwidth and port resiliency for both Fibre
Channel and FICON traffic. With this feature, up to 16 expansion
ports (E-ports) or trunking E-ports (TE-ports) can be bundled into
a PortChannel. ISL ports can reside on any switching module, and
they do not need a designated master port. If a port or a switching
module fails, the PortChannel continues to function properly
without requiring fabric reconfiguration.
Cisco NX-OS software uses a protocol to exchange PortChannel
configuration information between adjacent switches to simplify
PortChannel management, including misconfiguration detection and
autocreation of PortChannels among compatible ISLs. In the
autoconfigure mode, ISLs with compatible parameters automatically
form channel groups; no manual intervention is required.
PortChannels load balance Fibre Channel traffic using a hash of
source FC-ID and destination FC-ID, and optionally the exchange ID.
Load balancing using PortChannels is performed over both Fibre
Channel and FCIP links. Cisco NX-OS software also can be configured
to load balance across multiple same-cost FSPF routes.
Virtual SANs (VSANs) partition a single physical SAN
into multiple VSANs. VSANs allow the Cisco NX-OS software
to logically divide a large physical fabric into separate, isolated
environments to improve Fibre Channel SAN scalability,
availability, manageability, and network security.
For FICON, VSANs
facilitate hardware-based separation of FICON and open systems.
Each VSAN is a logically and functionally separate SAN with its
own set of Fibre Channel fabric services. This partitioning of
fabric services greatly reduces network instability by containing
fabric reconfiguration and error conditions within an individual
VSAN. The strict traffic segregation provided by VSANs can ensure
that the control and data traffic of a specified VSAN are confined
within the VSAN's own domain, which increases SAN security. VSANs can
reduce costs by facilitating consolidation of isolated SAN islands
into a common infrastructure without compromising availability.
You can create administrator roles that are limited in scope
to certain VSANs. For example, you can set up a network administrator role to allow configuration of all platform-specific
capabilities and other roles to allow
configuration and management only within specific VSANs. This
approach improves the manageability of large SANs and reduces
disruptions due to human error by isolating the effect of a user
action to a specific VSAN whose membership can be assigned based on
switch ports or the worldwide name (WWN) of attached devices.
VSANs are supported across Fibre Channel over IP (FCIP) links between SANs, which
extends VSANs to include devices at a remote location. The Cisco
SAN switches also implement trunking for VSANs.
Trunking allows Inter-Switch Links (ISLs) to carry traffic for
multiple VSANs on the same physical link.
Zoning provides access control for devices within a SAN. The Cisco
NX-OS software supports the following types of zoning:
N port zoning-Defines zone members based on
the end-device (host and storage) port.
Fibre Channel identifier (FC-ID)
Fx port zoning-Defines zone members based
on the switch port.
WWN plus the interface index, or domain ID plus
the interface index
Domain ID and port number (for Brocade
iSCSI zoning-Defines zone members based on
the host zone.
LUN zoning-When combined with N port
zoning, logical unit number (LUN) zoning helps ensure that LUNs are accessible only by
specific hosts, providing a single point of control for managing
heterogeneous storage-subsystem access.
Read-only zones-An attribute can be set to
restrict I/O operations in any zone type to SCSI read-only
commands. This feature is useful for sharing volumes
across servers for backup, data warehousing, and so on.
Broadcast zones-An attribute can be set for
any zone type to restrict broadcast frames to members of the
To provide strict network security, zoning is always enforced
per frame using access control lists (ACLs) that are applied at the
ingress switch. All zoning polices are enforced in the hardware, and
none of them cause performance degradation. Enhanced zoning
session-management capabilities further enhance security by
allowing only one user at a time to modify zones.
Device Alias Services
The software supports
Device Alias Services (device alias) on per VSAN and
fabric wide. Device alias distribution allows you to move
host bus adapters (HBAs) between VSANs without manually reentering
Fibre Channel Routing
Fabric Shortest Path First (FSPF) is the protocol used by Fibre Channel fabrics. FSPF is enabled
by default on all Fibre Channel switches. You do not need to
configure any FSPF services except in configurations that require
special consideration. FSPF automatically calculates the best path
between any two switches in a fabric. Specifically, FSPF is used to
perform these functions:
- Dynamically compute routes throughout a
fabric by establishing the shortest and quickest path between any
- Select an alternative path if
a failure occurs on a given path. FSPF supports multiple paths and
automatically computes an alternative path around a failed link.
FSPF provides a preferred route when two equal paths are
Small Computer System Interface (SCSI) targets include disks,
tapes, and other storage devices. These targets do not register
logical unit numbers (LUNs) with the name server.
The SCSI LUN discovery feature is initiated on demand, through CLI
or SNMP. This information is also synchronized with neighboring
switches, if those switches belong to the
Cisco Nexus device.
Advanced Fibre Channel Features
You can configure Fibre Channel protocol-related timer values for distributed services, error detection, and resource allocation.
You must uniquely associate the WWN to a single switch. The
principal switch selection and the allocation of domain IDs rely on
the WWN. Cisco Nexus devices support three
network address authority (NAA) address formats.
Fibre Channel standards require that you allocate a unique FC ID to
an N port that is attached to an F port in any switch. To conserve the
number of FC IDs used,
Cisco Nexus devices use a special allocation scheme.
FC-SP and DHCHAP
The Fibre Channel Security Protocol (FC-SP) provides
switch-to-switch and hosts-to-switch authentication to overcome
security challenges for enterprise-wide fabrics. The Diffie-Hellman
Challenge Handshake Authentication Protocol (DHCHAP) is an FC-SP
protocol that provides authentication between Cisco SAN
switches and other devices. DHCHAP consists of the CHAP protocol
combined with the Diffie-Hellman exchange.
With FC-SP, switches, storage devices, and hosts can
prove their identity through a reliable and manageable
authentication mechanism. With FC-SP, Fibre Channel traffic can be
secured per frame to prevent snooping and
hijacking even over untrusted links. A consistent set of policies
and management actions are propagated through the fabric to provide
a uniform level of security across the entire fabric.
The port security feature prevents unauthorized access to a
switch port by binding specific world-wide names (WWNs) that have
access to one or more given switch ports.
When port security is enabled on a switch port, all devices
connecting to that port must be in the port security database and
must be listed in the database as bound to a given port. If both of
these criteria are not met, the port will not achieve an
operationally active state and the devices connected to the port
will be denied access to the SAN.
Fabric binding ensures Inter-Switch Links (ISLs) are enabled only between specified switches in the fabric binding configuration, which prevents unauthorized switches from joining the fabric or disrupting the current fabric operations. This feature uses the Exchange Fabric Membership Data (EEMD) protocol to ensure that the list of authorized switches is identical in all of the switches in a fabric.
Fabric Configuration Servers
The Fabric Configuration Server (FCS) provides discovery of topology attributes and maintains a repository of configuration information of fabric elements. A management application is usually connected to the FCS on the switch through an N port. Multiple VSANs constitute a fabric, where one instance of the FCS is present per VSAN.