Layer 2 Switching Configuration Guide, Cisco DCNM for LAN, Release 5.x
Configuring FCoE Initialization Protocol Snooping

Configuring FIP Snooping

This chapter describes how to configure Fibre Channel over Ethernet (FCoE) on Cisco NX-OS devices using Cisco Data Center Network Manager (DCNM) for LAN.


Note


The Cisco NX-OS release that is running on a managed device may not support all the features or settings described in this chapter. For the latest feature information and caveats, see the documentation and release notes for your platform and software release.


This chapter includes the following sections:

Information About FCoE

This section describes FIP snooping and its benefits.


Note


System-message logging levels for the FIP snooping feature must meet or exceed Cisco DCNM requirements. During device discovery, Cisco DCNM detects inadequate logging levels and raises them to the minimum requirements. Cisco Nexus 7000 Series devices that run Cisco NX-OS Release 4.0 are an exception. For Cisco NX-OS Release 4.0, prior to device discovery, use the command-line interface to configure logging levels to meet or exceed Cisco DCNM requirements. See the .


FIP Snooping Overview

In Fibre Channel networks, Fibre Channel switches are considered to be trusted devices. Other Fibre Channel devices must log into the switch before they can communicate with the rest of the fabric. Given that Fibre Channel links are point-to-point, the Fibre Channel switch has complete control over the traffic that a device injects into the fabric or that is received from the fabric. As a result, the switch can ensure that devices are using their assigned addresses and prevent various types of anomalous behaviors that could be erroneous or malicious.

This figure shows a sample FCoE topology.
Figure 1. Fibre Channel over Ethernet Network Topology



FCoE provides increased flexibility. However, with this flexibility, new challenges arise in assuring highly robust fabrics. Specifically, if Ethernet bridges exist between an ENode and the FCF, the point-to-point assurance between ENode and FCF is lost, which means that the FCF does not have the complete authority that a Fibre Channel switch has.

You can achieve equivalent robustness between FCoE and Fibre Channel if you can ensure that all FCoE traffic to and from an ENode passes through an FCF and that multiple devices can access an FCF through a single physical FCF port. Doing so creates the equivalent of a point-to-point link between the ENode and FCF.

One possible method of accomplishing this robustness is to ensure that every ENode is physically connected to an FCF with no intervening Ethernet bridges. In many deployments, this situation would prove impractical. For example, in large scale blade or 1U server environments, deploying an FCF in each blade system or top-of-rack switch creates the same scaling limitations in FCoE that are well known today in comparably configured Fibre Channel fabrics.

Fibre Channel over Ethernet (FCoE) Initialization Protocol (FIP) is a Layer 2 protocol for endpoint discovery and fabric association. FIP has its own EtherType and uses its own frame formats.

FIP has two phases: discovery and login. Once the discovery of end nodes and login is complete, FCoE traffic can start flowing between the endpoints.

By snooping on FIP packets during the discovery and login phases, intermediary bridges can implement dynamic data integrity mechanisms using access control lists (ACLs) that permit only valid FCoE traffic between the ENode and the FCoE forwarder (FCF).

A bridge implementing the above functionality is a FIP Snooping Bridge. The process that implements this feature is called a FIP Snooping Manager (FIPSM). FIPSM is capable of supporting both Fabric Provided MAC Addresses (FPMAs) and Server Provided MAC Addresses (SPMAs).

FCoE Connectivity

This section describes options for FCoE connectivity.

Nonredundant FCoE Connectivity

The switch acts as a lossless Ethernet bridge that transparently forwards FCoE packets from the blade servers to a switch. The switch is a FIP snooping bridge. This figure shows a network configuration with nonredundant FCoE connectivity.

Figure 2. Nonredundant FCoE Connectivity



Redundant FCoE Connectivity

The switch acts as a lossless Ethernet bridge that transparently forwards FCoE packets from the blade servers to a switch. The switch is a FIP snooping bridge. Each blade server connects to two switches. Each FCF switch connects to a separate switch. Each FCF switch and the LAN access or aggregation switch provides access to a different storage area network (SAN).

FIP enables the host to pick a particular FCF for the fabric login. By using the FIP protocol, the host determines all the available FCFs and then selects one from among them.

This figure shows a network configuration with redundant FCoE connectivity.

Figure 3. Redundant FCoE Connectivity



Licensing Requirements for FIP Snooping

The following table shows the licensing requirements for this feature.

Product

License Requirement

Cisco DCNM

FIP snooping requires no license. Any feature not included in a license package is bundled with the Cisco DCNM and is provided at no charge to you.

Platform Support for FCoE Initialization Protocol Snooping

The following platform supports this feature. For platform-specific information, including guidelines and limitations, system defaults, and configuration limits, see the corresponding documentation.

Platform

Documentation

Cisco Nexus 7000 Series switches

Cisco Nexus 7000 Series switch documentation

Cisco Nexus 4000 Series switches

Cisco Nexus 4000 Series switch documentation

Configuring FIP Snooping

This section discusses how to configure FIP snooping.

Enabling and Disabling FIP Snooping

FIP snooping is disabled by default. After you enable FIP snooping, the FIP-related commands under VLAN and interface modes are visible. The FIP-snoop process also starts after the feature is enabled. Until then, the FIP-related packets are treated as normal multicast Ethernet packets with a FIP/FCoE EtherType. FIP snooping is enabled only after a cross-check with the license manager. Once the feature is enabled, the FIP-snoop packets and FCoE packets are dropped, unless you explicitly enable them on a per-VLAN basis. If FIP snooping is enabled, all the FIP frames are snooped and security ACLs are added. FCoE traffic is blocked on all ports until the device reinitializes with FIP. A warning message for FCoE traffic disruption is issued when FIP snooping is enabled. If FIP snooping is disabled, snooping is removed and all programmed ACLs and internal data are cleaned up.

You can enable or disable the FIP Snooping feature.

Before You Begin

You must configure QoS, MTU, PFC, and ETS for FIP snooping. Because Cisco DCNM does not support QoS management, you must configure QoS using the command-line interface on the device.

If you want to change the default QoS configuration, you must configure QoS.


Procedure
Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

Devices that support this feature appear in the Summary pane.

Step 2   From the Summary pane, choose the desired device.
Step 3   From the menu bar, choose Actions > Enable FIP Snooping or Actions > Disable FIP Snooping.

Configuring FIP Snooping Using a Wizard

Instead of having to configure multiple components throughout the Cisco DCNM interface for FIP snooping, you can use a wizard to configure FIP snooping on VLANs and interfaces on multiple devices.

Procedure
Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

Devices that support this feature appear in the Summary pane.

Step 2   From the menu bar, choose Actions > Launch Wizard.
Step 3   In the FIP Snooping Wizard introductory dialog box, click Next.
Step 4   In the Device Selections and VLAN Settings dialog box, do the following:
  1. From the Available Devices field, choose the devices to be configured for FIP Snooping and click Add.

    The device(s) appear in the Selected Devices field.

  2. In the VLAN Settings field, enter the ID number of the FCoE VLAN to be snooped and the FC MAP value.
  3. Click Next.
Step 5   In the Select ENode and FCF interfaces dialog box, do the following:
  1. In the Available Interfaces field, expand the desired device.
  2. Expand the desired slot or port channel.
  3. Do one of the following:
    • To add interfaces that are connected to ENodes, choose the desired interface or port channel, as appropriate, and click Add next to the Interfaces Connected to ENodes field.

    • To add interfaces that are connected to FCFs, choose the desired interface or port channel, as appropriate, and click Add next to the Interfaces Connected to FCFs field.

  4. Click Next.
Step 6   Review the configuration information in the FIP snooping Summary dialog box.
Step 7   If you are satisfied with the configuration, click Finish.

FIP snooping is deployed and the status is displayed.

Step 8   Click Done.

Adding a VLAN

You can add a VLAN to a device. When you do, FIP snooping is automatically enabled on the VLAN.

Procedure
Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

Devices that support this feature appear in the Summary pane.

Step 2   From the Summary pane, choose the desired device.
Step 3   From the menu bar, choose Actions > Add VLAN.
Step 4   From the Summary pane, enter an ID number for the VLAN.

The VLAN is added to the device with FIP snooping enabled.


Deleting a VLAN

You can delete a VLAN from a device.

Procedure
Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

Devices that support this feature appear in the Summary pane.

Step 2   From the Summary pane, expand the desired device.
Step 3   Choose the desired VLAN or VLANs.
Step 4   From the menu bar, choose Actions > Delete.

Enabling FIP Snooping on a VLAN

After enabling FIP snooping on a VLAN, the FIP packets are snooped on the configured VLANs. FIP snooping is disabled on VLANs by default.

You can enable FIP snooping on a VLAN.

Before You Begin

Create a VLAN or determine which existing VLAN you will use.


Procedure
Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

Devices that support this feature appear in the Summary pane.

Step 2   From the Summary pane, expand the desired device.
Step 3   Do one of the following:
  • Choose the desired VLAN or VLANs and, from the menu bar, choose Actions > Enable FIP Snooping.
  • If the desired VLAN is not in the list, select the device and from the menu bar, choose Actions > Add VLAN. The VLAN is added with FIP snooping enabled.
Step 4   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

Disabling FIP Snooping on a VLAN

You can disable FIP snooping on a VLAN.

Procedure
Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

Devices that support this feature appear in the Summary pane.

Step 2   From the Summary pane, expand the desired device.
Step 3   Choose the desired VLAN or VLANs.
Step 4   From the menu bar, choose Actions > Disable FIP Snooping.

FIP Snooping is disabled on the VLANs, and the VLANs are removed from the Summary pane.


Configuring the FC-MAP Value on a VLAN

The FC-MAP is configured on a per VLAN basis. This FC-MAP is verified with the FC-MAP received from the FCF, and if it does not match, the frames are rejected. Only frames that match the configured FC-MAP are allowed to go through and to establish a session between an ENode and FCF.

You can configure an FC-MAP on a VLAN.

Procedure
Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

Devices that support this feature appear in the Summary pane.

Step 2   From the Summary pane, expand the desired device.
Step 3   Choose the desired VLAN.
Step 4   Click the Settings tab.
Step 5   Expand the FCoE Settings content.
Step 6   In the FC-Map field, enter the FC-Map value.
Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.
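
The following Python model is an added example, not Cisco code and not part of the original guide. It sketches the behavior this chapter describes: FCoE is denied by default, an FCF is accepted only on an FCF port and only when its FC-MAP matches the VLAN setting, and a snooped login installs a permit for one ENode session. It covers FPMAs only (the FC-MAP is the upper 24 bits of an FPMA); the class, method, and interface names and all MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

DEFAULT_FC_MAP = 0x0EFC00  # the default the guide lists as 0xEFC00


def fpma_fc_map(mac: str) -> int:
    """Upper 24 bits of a Fabric Provided MAC Address carry the FC-MAP."""
    return int(mac.replace(":", ""), 16) >> 24


@dataclass
class SnoopedVlan:
    """Toy model of one FIP-snooped VLAN: default deny plus learned permits."""
    fc_map: int = DEFAULT_FC_MAP
    fcf_ports: set = field(default_factory=set)  # interfaces with port type FCF
    fcfs: set = field(default_factory=set)       # FCF MACs accepted so far
    permits: set = field(default_factory=set)    # (ENode port, FCoE MAC, FCF MAC)

    def snoop_advertisement(self, in_port, fcf_mac, adv_fc_map):
        """Accept an FCF only on an FCF port and with the configured FC-MAP."""
        if in_port not in self.fcf_ports or adv_fc_map != self.fc_map:
            return False
        self.fcfs.add(fcf_mac.lower())
        return True

    def snoop_login_accept(self, in_port, fcf_mac, enode_port, granted_mac):
        """Install a permit when a known FCF grants an FPMA to an ENode."""
        ok = (in_port in self.fcf_ports and fcf_mac.lower() in self.fcfs
              and fpma_fc_map(granted_mac) == self.fc_map)
        if ok:
            self.permits.add((enode_port, granted_mac.lower(), fcf_mac.lower()))
        return ok

    def permits_fcoe(self, in_port, src_mac, dst_mac):
        """FCoE from an ENode port passes only if it matches a learned session."""
        return (in_port, src_mac.lower(), dst_mac.lower()) in self.permits


def demo():
    """Run constructed events through the model and return each decision."""
    vlan = SnoopedVlan(fcf_ports={"eth1/1"})               # hypothetical port names
    fcf, fpma = "00:0d:ec:aa:bb:01", "0e:fc:00:01:00:01"   # constructed MACs
    return {
        "before_login": vlan.permits_fcoe("eth1/5", fpma, fcf),
        "fc_map_mismatch": vlan.snoop_advertisement("eth1/1", fcf, 0x0EFC01),
        "fc_map_match": vlan.snoop_advertisement("eth1/1", fcf, DEFAULT_FC_MAP),
        "accept_on_enode_port": vlan.snoop_login_accept("eth1/5", fcf, "eth1/6", fpma),
        "accept_on_fcf_port": vlan.snoop_login_accept("eth1/1", fcf, "eth1/5", fpma),
        "after_login": vlan.permits_fcoe("eth1/5", fpma, fcf),
        "other_source_mac": vlan.permits_fcoe("eth1/5", "0e:fc:00:01:00:02", fcf),
        "other_port": vlan.permits_fcoe("eth1/6", fpma, fcf),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```
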

Adding Ports to a FIP Snooping VLAN

You can add ports to a VLAN that has FIP Snooping enabled on it.

Procedure
Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

Devices that support this feature appear in the Summary pane.

Step 2   From the Summary pane, expand the desired device.
Step 3   Choose the desired VLAN.

Choose the Interface associate pane located to the right of the Summary pane.

Step 4   Right-click the desired port and choose Add Port.
Step 5   If the port is in access mode, a message appears indicating that the port will be changed into trunk mode. Click OK to continue.

The port is added to the VLAN and displayed in the Settings tab in the Interfaces section.


Removing Ports from a FIP Snooping VLAN

You can remove ports from a FIP snooping VLAN.

Procedure
Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

Devices that support this feature appear in the Summary pane.

Step 2   From the Summary pane, expand the desired device.
Step 3   Choose the desired VLAN.
Step 4   In the Settings tab, expand the Interfaces section.
Step 5   Right-click the interface you want to remove and choose Remove Interface.

Displaying FIP Snooping Summary Information

You can display FIP snooping summary information for devices that support the FIP snooping feature. The summary information includes the FCoE VLAN ID, VLAN name, FC-Map, admin state, admin status, FIP snooping status, and alarm status.

From the Feature Selector pane, choose FCoE > FIP Snooping. Devices that support this feature appear in the Summary pane.

Displaying Status Information

You can display status information about a selected device or VLAN.

Procedure
Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

Devices that support this feature appear in the Summary pane.

Step 2   Do one of the following:
  • To display status information about a device, from the Summary pane, choose the desired device.
  • To display status information about a VLAN, from the Summary pane, expand the desired device and choose the desired VLAN.
Step 3   Click the Status tab.
Step 4   Do one of the following:
  • To view status information about active ENodes, expand the Active ENodes content.
  • To view status information about active FCFs, expand the Active FCFs content.
  • For devices, to view status information about active snooped sessions, expand the Active Snooped Sessions content.

Field Descriptions for Configuring FIP Snooping

FIP Snooping: Status: Active ENodes Section

Table 1 FIP Snooping: Status: Active ENodes Section

Field

Description

Interface

Display only. Name of the interface to which the ENode is connected.

VLAN

Display only. ID number of the VLAN to which the ENode belongs.

Node Name

Display only. Name of the ENode.

FIP MAC Address

Display only. MAC address of the ENode.

FCoE MAC Address

Display only. FCoE MAC address that is used to send the FCoE packets.

FIP Snooping: Status: Active FCFs Section

Table 2 FIP Snooping: Status: Active FCFs Section

Field

Description

Interface

Display only. Name of the interface to which the FCoE Forwarder (FCF) is connected.

VLAN

Display only. ID number of the VLAN to which the FCF belongs.

Fabric Name

Display only. Name of the FCF.

Priority

Display only. Priority flow control mode. Valid values are as follows:


Switch WWN

Display only. World Wide Name (WWN) of the FCF.

FCF MAC Address

Display only. MAC address of the FCF.

No. of ENodes

Display only. Total number of ENodes that are connected to the FCF.

FIP Snooping: Status: Active Snooped Sessions Section

Table 3 FIP Snooping: Status: Active Snooped Sessions Section

Field

Description

Refresh Frequency

Interval when the display is updated. Valid choices are 30 seconds and from 1 to 5 minutes.

FCF MAC Address

Display only. MAC address of the FCF that is a part of the session.

ENode MAC Address

Display only. MAC address of the ENode that is part of the session.

VLAN

Display only. ID number of the VLAN that contains the session.

FCoE MAC Address

Display only. FCoE MAC address of the FCoE packets that are part of the session.

N Port ID

Display only. ID number of the virtual port that was created by the FCF when the ENode logged into the network.

FIP Snooping: Settings: VLAN Settings

Table 4 FIP Snooping: Settings: VLAN Settings

Field

Description

VLAN ID

Display only. ID number of the VLAN.

Name

Display only. Name of the VLAN.

Admin State

Display only. State of the VLAN. Valid values are as follows:

Admin Status

Display only. Status of the VLAN. Valid values are as follows:
  • Enabled

  • Disabled

You can edit these fields in the Switching > VLAN > VLAN Details > VLAN Settings section.

FIP Snooping: Settings: FCoE Settings

Table 5 FIP Snooping: Settings: FCoE Settings

Field

Description

FC-Map

FC-Map value used by the FCF. The default value is 0xEFC00.

FIP Snooping: Settings: Interfaces Section

Table 6 FIP Snooping: Settings: Interfaces Section

Field

Description

Name

Display only. Name of the interface that belongs to the selected VLAN.

Port Type

FIP snooping port mode of the interface. Valid values are as follows:
  • ENode

  • FCF

Mode

Display only. Mode of the interface. Valid values are as follows:
  • Access

  • Trunk

Oper Status

Display only. Operational status of the interface. Valid values are as follows:

Additional References for FIP Snooping

Related Documents

Related Topic

Document Title

Configuration guide

Cisco Nexus 4001I and 4005I Switch Module for IBM BladeCenter NX-OS Configuration Guide

Standards

Standards

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

Feature History for FIP Snooping

This table lists the release history for this feature.

Table 7 Feature History for FIP Snooping Parameters

Feature Name

Releases

Feature Information

FIP Snooping

5.0

This feature was introduced.

FIP Snooping

4.1(2)E1(1)

This feature was introduced.