In Fibre Channel networks, Fibre Channel switches are considered to be trusted devices. Other Fibre Channel devices must log into the switch before they can communicate with the rest of the fabric. Given that Fibre Channel links are point-to-point, the Fibre Channel switch has complete control over the traffic that a device injects into the fabric or that is received from the fabric. As a result, the switch can ensure that devices are using their assigned addresses and prevent various types of anomalous behaviors that could be erroneous or malicious.
This figure shows a sample FCoE topology.
Figure 1. Fibre Channel over Ethernet Network Topology
FCoE provides increased flexibility. However, with this flexibility, new challenges arise in assuring highly robust fabrics. Specifically, if Ethernet bridges exist between an ENode and the FCF, the point-to-point assurance between ENode and FCF is lost, which means that the FCF does not have the complete authority that a Fibre Channel switch has.
You can achieve equivalent robustness between FCoE and Fibre Channel if you can ensure that all FCoE traffic to and from an ENode passes through an FCF and that multiple devices can access an FCF through a single physical FCF port. Doing so creates the equivalent of a point-to-point link between the ENode and FCF.
One possible method of accomplishing this robustness is to ensure that every ENode is physically connected to an FCF with no intervening Ethernet bridges. In many deployments, this situation would prove impractical. For example, in large scale blade or 1U server environments, deploying an FCF in each blade system or top-of-rack switch creates the same scaling limitations in FCoE that are well known today in comparably configured Fibre Channel fabrics.
Fiber Channel over Ethernet (FCoE) Initialization Protocol (FIP) is a Layer 2 protocol for end point discovery and fabric association. FIP has its own EtherType and uses its own frame formats.
FIP has two phases: discovery and login. Once the discovery of end nodes and login is complete, FCoE traffic can start flowing between the endpoints.
By snooping on FIP packets during the discovery and login phases, intermediary bridges can implement dynamic data integrity mechanisms using access control lists (ACLs) that permit only valid FCoE traffic between the ENode and the FCoE forwarder (FCF).
A bridge implementing the above functionality is a FIP Snooping Bridge. The process that implements this feature is called a FIP Snooping Manager (FIPSM). FIPSM is capable of supporting both Fabric Provided MAC Addresses (FPMAs) and Server Provided MAC Addresses (SPMAs).