This chapter provides
an overview of SAN switching for Cisco NX-OS devices. This chapter includes the
The Fibre Channel
domain (fcdomain) feature performs principal switch selection, domain ID
distribution, FC ID allocation, and fabric reconfiguration functions as
described in the FC-SW-2 standards. The domains are configured per VSAN. If
you do not configure a domain ID, the local switch uses a random ID. Because the FC IDs assigned to attached devices embed the domain ID, a domain ID that changes after a fabric reconfiguration changes those FC IDs as well.
N Port Virtualization
Cisco NX-OS software supports industry-standard N port
identifier virtualization (NPIV), which allows multiple N port fabric logins
concurrently on a single physical Fibre Channel link. HBAs that support NPIV
can help improve SAN security by enabling zoning and port security to be
configured independently for each virtual machine (OS partition) on a host. In
addition to being useful for server connections, NPIV is beneficial for
connectivity between core and edge SAN switches.
N port virtualizer (NPV) is a complementary feature that reduces
the number of Fibre Channel domain IDs in core-edge SANs. Cisco MDS 9000 family
fabric switches operating in the NPV mode do not join a fabric; they only pass
traffic between core switch links and end devices, which eliminates the domain
IDs for these switches. NPIV is used by edge switches in the NPV mode to log in
to multiple end devices that share a link to the core switch. This feature is
available only for Cisco MDS Blade Switch Series, the Cisco MDS 9124 Multilayer
Fabric Switch, and the Cisco MDS 9134 Multilayer Fabric Switch.
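The following configuration is an added example, not part of the original guide, showing both sides of an NPV edge switch attached to an NPIV-enabled core. Interface numbers and the VSAN are assumed values, and the commands are NX-OS syntax as used on MDS 9000 and Nexus SAN switches; confirm them against the command reference for your platform.

```cisco
! Added example (not from the original guide). Interface numbers are assumed.

! ---- Core switch: keeps its domain ID and runs the fabric services ----
! Accept several N port logins (one FLOGI plus FDISCs) on a single F port.
feature npiv
interface fc1/1
  switchport description Uplink from NPV edge switch
  switchport mode F
  no shutdown

! ---- Edge switch in NPV mode: no domain ID, no fabric services ----
! Enabling NPV erases the current FC configuration and reloads the switch,
! so save the existing configuration before issuing this.
feature npv
! NP port: the edge logs in to the core here and relays server FDISCs.
interface fc1/1
  switchport mode NP
  no shutdown
! Server-facing F port.
interface fc1/5
  switchport mode F
  no shutdown
! Optional: pin a server port to one uplink instead of load-balancing.
npv traffic-map server-interface fc1/5 external-interface fc1/1

! Verification on the edge: each server login carries a core-assigned FC ID.
show npv status
show npv flogi-table
! Verification on the core: end devices appear in the name server behind fc1/1.
show fcns database vsan 1
show flogi database interface fc1/1
```

Because the core sees every server pWWN arriving on fc1/1, zoning and port security on the core still key on pWWN as usual; a port-security entry for fc1/1 therefore has to cover the NP port's pWWN and every server pWWN the edge will relay, otherwise those logins are rejected.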
Trunking, also known
as VSAN trunking, enables interconnect ports to transmit and receive frames in
more than one VSAN over the same physical link. Trunking is supported on E
ports and F ports.
SAN Port Channels
PortChannels aggregate multiple physical ISLs into one logical
link with higher bandwidth and port resiliency for Fibre Channel traffic. With
this feature, up to 16 expansion ports (E-ports) or trunking E-ports (TE-ports)
can be bundled into a PortChannel. ISL ports can reside on any switching
module, and they do not need a designated master port. If a port or a switching
module fails, the PortChannel continues to function properly without requiring
Cisco NX-OS software uses a protocol to exchange PortChannel
configuration information between adjacent switches to simplify PortChannel
management, including misconfiguration detection and autocreation of
PortChannels among compatible ISLs. In the autoconfigure mode, ISLs with
compatible parameters automatically form channel groups; no manual intervention
PortChannels load balance Fibre Channel traffic using a hash of
source FC-ID and destination FC-ID, and optionally the exchange ID. Load
balancing using PortChannels is performed over both Fibre Channel and FCIP
links. Cisco NX-OS software also can be configured to load balance across
multiple same-cost FSPF routes.
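An added configuration example (not from the original guide) tying together the trunking and PortChannel behaviour described above: two physical ISLs bundled into one trunking logical link that carries only the VSANs the peer needs, with the per-VSAN hash chosen explicitly. Interface and VSAN numbers are assumed; `san-port-channel` is the Nexus 5000 interface name, while MDS 9000 switches use `interface port-channel`.

```cisco
! Added example (not from the original guide). Interface and VSAN numbers
! are assumed. "san-port-channel" is the Nexus 5000 name; MDS 9000 uses
! "interface port-channel".

! Logical ISL first; trunk settings here are pushed to the member ports.
interface san-port-channel 1
  channel mode active
  switchport mode E
  switchport trunk mode on
  ! Default is to carry every VSAN. Carry only what the peer must see.
  switchport trunk allowed vsan 10
  switchport trunk allowed vsan add 20
  no shutdown

! Physical ISLs; "force" aligns member parameters with the channel.
interface fc2/1
  switchport mode E
  channel-group 1 force
  no shutdown
interface fc2/2
  switchport mode E
  channel-group 1 force
  no shutdown

! Per-VSAN hash: source/destination FC ID plus exchange ID (OX_ID) spreads a
! single host-target pair across members; src-dst-id keeps each pair on one link.
vsan database
  vsan 10 loadbalancing src-dst-ox-id
  vsan 20 loadbalancing src-dst-id

! Verification
show san-port-channel summary
show interface san-port-channel 1 trunk vsan
show interface fc2/1 trunk vsan
```

Pruning the allowed VSAN list is the security-relevant step: a trunking ISL left at its default carries every VSAN, so a compromised or misconfigured peer switch would receive control and data traffic for fabrics it has no business seeing.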
Virtual SANs (VSANs)
partition a single physical SAN into multiple VSANs. VSANs allow the Cisco
NX-OS software to logically divide a large physical fabric into separate,
isolated environments to improve Fibre Channel SAN scalability, availability,
manageability, and network security.
Each VSAN is a
logically and functionally separate SAN with its own set of Fibre Channel
fabric services. This partitioning of fabric services greatly reduces network
instability by containing fabric reconfiguration and error conditions within an
individual VSAN. The strict traffic segregation provided by VSANs can ensure
that the control and data traffic of a specified VSAN are confined within the
VSAN's own domain, which increases SAN security. VSANs can reduce costs by
facilitating consolidation of isolated SAN islands into a common infrastructure
without compromising availability.
You can create
administrator roles that are limited in scope to certain VSANs. For example,
you can set up a network administrator role to allow configuration of all
platform-specific capabilities and other roles to allow configuration and
management only within specific VSANs. This approach improves the manageability
of large SANs and reduces disruptions due to human error by isolating the
effect of a user action to a specific VSAN whose membership can be assigned
based on switch ports or the worldwide name (WWN) of attached devices.
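Putting the domain (fcdomain) controls described at the start of this chapter together with the VSAN-scoped roles described here, the following is an added configuration example, not the guide's own text. VSAN 10, interface fc2/5, domain ID 10, the allowed domain range, the role name and the user name are all assumed values; the command syntax is NX-OS as used on MDS 9000 and Nexus SAN switches, so check it against your platform's command reference.

```cisco
! Added example (not from the original guide). VSAN, interface, domain ID,
! role and user names are assumed values.

! 1. Create an isolated VSAN and move the server-facing port into it.
vsan database
  vsan 10 name PROD_FABRIC_A
  vsan 10 interface fc2/5

! 2. Pin the domain ID instead of accepting a random one. Attached devices'
!    FC IDs embed the domain ID, so a domain that moves after a fabric
!    reconfiguration changes every FC ID in the VSAN.
fcdomain domain 10 static vsan 10
! Restrict which domain IDs this switch, when principal, may hand out.
fcdomain allowed 10-20 vsan 10
! Priority 1 is the most preferred principal switch (lower wins).
fcdomain priority 1 vsan 10
! A static domain ID takes effect on the next fabric reconfiguration;
! this triggers one (disruptive within VSAN 10, so schedule it).
fcdomain restart disruptive vsan 10

! 3. Role that can configure only VSAN 10. "vsan policy deny" blocks all
!    VSANs; the nested permit re-opens just the one.
role name vsan10-admin
  description Storage administrator for VSAN 10 only
  rule 1 permit config
  rule 2 permit show
  rule 3 permit exec
  vsan policy deny
    permit vsan 10

username storage-ops password Str0ng-Passphrase-Here role vsan10-admin

! Verification
show vsan 10 membership
show fcdomain domain-list vsan 10
show role name vsan10-admin
```

A user holding only `vsan10-admin` can still see the switch as a whole (the `show` rule is not VSAN-scoped), but any configuration change touching a VSAN other than 10 is rejected, which is the containment of operator error the paragraph above describes.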
VSANs are supported
across Fibre Channel over IP (FCIP) links between SANs, which extends VSANs to
include devices at a remote location. The Cisco SAN switches also implement
trunking for VSANs. Trunking allows Inter-Switch Links (ISLs) to carry traffic
for multiple VSANs on the same physical link.
Zoning provides access
control for devices within a SAN. The Cisco NX-OS software supports the
following types of zoning:
- N port zoning: Defines zone members based on the end-device (host and storage) port.
- Fx port zoning: Defines zone members based on the switch port.
- Domain ID and port number zoning (for Brocade interoperability).
- iSCSI zoning: Defines zone members based on the host zone.
- LUN zoning: When combined with N port zoning, logical unit number (LUN) zoning helps ensure that LUNs are accessible only by specific hosts, providing a single point of control for managing heterogeneous storage-subsystem access.
- Read-only zones: An attribute can be set to restrict I/O operations in any zone type to SCSI read-only commands. This feature is useful for sharing volumes across servers for backup, data warehousing, and so on.
- Broadcast zones: An attribute can be set for any zone type to restrict broadcast frames to members of the specific zone.
To provide strict
network security, zoning is always enforced per frame using access control
lists (ACLs) that are applied at the ingress switch. All zoning policies are
enforced in hardware, and none of them cause performance degradation.
Enhanced zoning session-management capabilities further enhance security by
allowing only one user at a time to modify zones.
Device Alias Services
The software supports
Device Alias Services (device alias) both per VSAN and fabric wide. Device alias
distribution allows you to move host bus adapters (HBAs) between VSANs without
manually reentering alias names.
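The following is an added configuration example, not from the original guide, covering the zoning section above and the device alias section here together: aliases are defined once in enhanced device-alias mode and then used as zone members, the default zone is explicitly set to deny, enhanced zoning is enabled so changes are serialised and committed, and one zone carries the read-only attribute and a LUN member. All pWWNs, alias names, zone names and the VSAN are constructed values; commands are NX-OS syntax for MDS 9000 and Nexus SAN switches.

```cisco
! Added example (not from the original guide). pWWNs, names and VSAN are
! constructed values.

! Enhanced device-alias mode stores the alias itself in zones, so a WWN
! change is made once, here, and follows into every zone that uses it.
device-alias mode enhanced
device-alias commit
device-alias database
  device-alias name ESX01_HBA0 pwwn 10:00:00:00:c9:12:34:56
  device-alias name ARRAY_A_SPA0 pwwn 50:06:01:60:3b:e0:12:34
  device-alias name BACKUP01_HBA0 pwwn 10:00:00:00:c9:ab:cd:ef
device-alias commit

! Weak setting: unzoned devices may talk to each other.
!   zone default-zone permit vsan 10
! Hardened: the default zone denies (the NX-OS default, made explicit).
no zone default-zone permit vsan 10

! Enhanced zoning: one session at a time, changes held until commit.
zone mode enhanced vsan 10

! Single-initiator zone by N port (pWWN via alias).
zone name Z_ESX01_ARRAY_A vsan 10
  member device-alias ESX01_HBA0
  member device-alias ARRAY_A_SPA0

! Backup host may read the array but not write: read-only attribute,
! plus LUN zoning so it sees only LUN 0x5 on the array port.
zone name Z_BACKUP01_ARRAY_A_RO vsan 10
  attribute read-only
  member device-alias BACKUP01_HBA0
  member pwwn 50:06:01:60:3b:e0:12:34 lun 0x5

zoneset name ZS_VSAN10 vsan 10
  member Z_ESX01_ARRAY_A
  member Z_BACKUP01_ARRAY_A_RO
zoneset activate name ZS_VSAN10 vsan 10
! Nothing above reaches the hardware ACLs until the commit.
zone commit vsan 10

! Verification: default-zone policy, zoning mode, active zoneset, aliases.
show zone status vsan 10
show zoneset active vsan 10
show device-alias database
```

Check `show zone status vsan 10` after the commit: it reports the default-zone policy and the zoning mode, which are the two settings most often left at an insecure or unexpected value on a fabric that has grown by accretion.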
Fibre Channel Routing
Fabric Shortest Path
First (FSPF) is the protocol used by Fibre Channel fabrics. FSPF is enabled by
default on all Fibre Channel switches. You do not need to configure any FSPF
services except in configurations that require special consideration. FSPF
automatically calculates the best path between any two switches in a fabric.
Specifically, FSPF is used to perform these functions:
- Dynamically compute routes
throughout a fabric by establishing the shortest and quickest path between any two switches.
- Select an alternative path if
a failure occurs on a given path. FSPF supports multiple paths and
automatically computes an alternative path around a failed link. FSPF provides
a preferred route when two equal paths are available.
Small Computer System Interface (SCSI) targets include disks,
tapes, and other storage devices. These targets do not register logical unit
numbers (LUNs) with the name server. The SCSI LUN discovery feature is
initiated on demand, through the CLI or SNMP. This information is also synchronized
with neighboring switches, if those switches belong to the
Cisco Nexus device.
Advanced Fibre Channel Features
You can configure
Fibre Channel protocol-related timer values for distributed services, error
detection, and resource allocation.
You must uniquely
associate the WWN with a single switch. The principal switch selection and the
allocation of domain IDs rely on the WWN.
Fibre Channel standards require that you allocate a unique FC ID to an N port that is
attached to an F port in any switch.
FC-SP and DHCHAP
The Fibre Channel
Security Protocol (FC-SP) provides switch-to-switch and hosts-to-switch
authentication to overcome security challenges for enterprise-wide fabrics. The
Diffie-Hellman Challenge Handshake Authentication Protocol (DHCHAP) is an FC-SP
protocol that provides authentication between Cisco SAN switches and other
devices. DHCHAP consists of the CHAP protocol combined with the Diffie-Hellman exchange.
With FC-SP, switches,
storage devices, and hosts can prove their identity through a reliable and
manageable authentication mechanism. With FC-SP, Fibre Channel traffic can be
secured per frame to prevent snooping and hijacking even over untrusted links.
A consistent set of policies and management actions is propagated through the
fabric to provide a uniform level of security across the entire fabric.
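As an added example (not from the original guide), the following configures DHCHAP authentication on an ISL between two switches, showing both sides of the exchange. The switch WWNs, interface numbers and secrets are constructed values; use long, random, distinct secrets in practice. The command syntax is NX-OS as used on MDS 9000 and Nexus SAN switches; confirm it against your platform's command reference.

```cisco
! Added example (not from the original guide). sWWNs, interface numbers
! and secrets are constructed values.

! ---- Switch A (sWWN 20:00:00:05:30:00:aa:aa) ----
feature fcsp
! Hash and DH group preference lists. Group 0 means "no Diffie-Hellman"
! (plain CHAP) and MD5 is the weaker hash, so neither is offered.
fcsp dhchap hash sha1
fcsp dhchap dhgroup 4 3 2 1
! Secret this switch presents to its peers.
fcsp dhchap password SwitchA-Local-Secret-2f9c
! Secret expected from peer Switch B, keyed by B's sWWN.
fcsp dhchap devicename 20:00:00:05:30:00:bb:bb password SwitchB-Local-Secret-7e1d
! "on": authentication is mandatory and the ISL stays down if it fails.
! "auto-active" would negotiate and fall back when the peer lacks FC-SP,
! which is the weaker choice for an ISL you control both ends of.
interface fc2/1
  fcsp on

! ---- Switch B (sWWN 20:00:00:05:30:00:bb:bb) ----
feature fcsp
fcsp dhchap hash sha1
fcsp dhchap dhgroup 4 3 2 1
fcsp dhchap password SwitchB-Local-Secret-7e1d
fcsp dhchap devicename 20:00:00:05:30:00:aa:aa password SwitchA-Local-Secret-2f9c
interface fc2/1
  fcsp on

! Verification (either switch)
show wwn switch
show fcsp interface fc2/1
show fcsp dhchap
```

Each switch must hold the other's secret under the other's sWWN, so `show wwn switch` on each side is the first thing to check when an authenticated ISL refuses to come up. Note also that DHCHAP authenticates the link partner at login; it does not by itself encrypt or integrity-protect the frames that follow, so the per-frame protection mentioned above is a separate FC-SP capability and not a side effect of this configuration.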
The port security feature prevents unauthorized access to a
switch port by binding the specific world wide names (WWNs) that are allowed to log in
to one or more given switch ports.
When port security is enabled on a switch port, all devices
connecting to that port must be in the port security database and must be
listed in the database as bound to a given port. If both of these criteria are
not met, the port will not achieve an operationally active state and the
devices connected to the port will be denied access to the SAN.
Fabric binding ensures
Inter-Switch Links (ISLs) are enabled only between specified switches in the
fabric binding configuration, which prevents unauthorized switches from joining
the fabric or disrupting the current fabric operations. This feature uses the
Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of
authorized switches is identical in all of the switches in a fabric.
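The following is an added configuration example, not from the original guide, covering both the port security and fabric binding sections above: device pWWNs and the neighbouring switch's sWWN are bound to specific ports, auto-learn is turned off once the database is active, and fabric binding limits which switches may form ISLs in the VSAN. WWNs, interface numbers, domain IDs and the VSAN are constructed values; commands are NX-OS syntax for MDS 9000 and Nexus SAN switches.

```cisco
! Added example (not from the original guide). WWNs, interface numbers,
! domain IDs and VSAN are constructed values.

! ---- Port security: bind pWWNs to the ports they may log in on ----
feature port-security
! Build the database explicitly rather than trusting whatever happens to
! be logged in while auto-learn is on.
port-security database vsan 10
  pwwn 10:00:00:00:c9:12:34:56 interface fc2/5
  pwwn 50:06:01:60:3b:e0:12:34 interface fc2/6
  ! ISL peer: the neighbouring switch's sWWN, bound to the E port.
  swwn 20:00:00:05:30:00:bb:bb interface fc2/1
! Activate without "force" first; conflicts with devices already logged in
! are reported rather than silently overridden.
port-security activate vsan 10
! Activation turns auto-learn on; switch it off so nothing new is accepted.
no port-security auto-learn vsan 10

! ---- Fabric binding: only these switches may form ISLs in VSAN 10 ----
feature fabric-binding
fabric-binding database vsan 10
  swwn 20:00:00:05:30:00:bb:bb domain 11
  swwn 20:00:00:05:30:00:cc:cc domain 12
fabric-binding activate vsan 10

! Verification
show port-security status
show port-security database active vsan 10
show port-security violations
show fabric-binding status
show fabric-binding database active vsan 10
show fabric-binding violations
```

Where a hand-built database is impractical, the learning workflow is: `port-security activate vsan 10` with auto-learn on, wait until every legitimate device has logged in, then `no port-security auto-learn vsan 10`, `port-security database copy vsan 10` to copy the learned entries into the configured database, and `copy running-config startup-config`. Review `show port-security database active vsan 10` before the copy; anything learned during that window is being made permanent.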
Fabric Configuration Servers
The Fabric Configuration Server (FCS) provides discovery of topology attributes and
maintains a repository of configuration information of fabric elements. A
management application is usually connected to the FCS on the switch through an
N port. Multiple VSANs constitute a fabric, where one instance of the FCS is
present per VSAN.