Layer 2 Switching Configuration Guide, Cisco DCNM for LAN, Release 6.x
Configuring FIP Snooping


This chapter describes how to configure Fibre Channel over Ethernet (FCoE) on Cisco NX-OS devices using Cisco Data Center Network Manager (DCNM) for LAN.


Note


The Cisco NX-OS release that is running on a managed device may not support all the features or settings described in this chapter. For the latest feature information and caveats, see the documentation and release notes for your platform and software release.


This chapter includes the following sections:

Information About FCoE

This section describes FIP snooping and its benefits.


Note


System-message logging levels for the FIP snooping feature must meet or exceed Cisco DCNM requirements. During device discovery, Cisco DCNM detects inadequate logging levels and raises them to the minimum requirements. Cisco Nexus 7000 Series devices that run Cisco NX-OS Release 4.0 are an exception. For Cisco NX-OS Release 4.0, prior to device discovery, use the command-line interface to configure logging levels to meet or exceed Cisco DCNM requirements. See the .


FIP Snooping Overview

In Fibre Channel networks, Fibre Channel switches are considered to be trusted devices. Other Fibre Channel devices must log into the switch before they can communicate with the rest of the fabric. Given that Fibre Channel links are point-to-point, the Fibre Channel switch has complete control over the traffic that a device injects into the fabric or that is received from the fabric. As a result, the switch can ensure that devices are using their assigned addresses and prevent various types of anomalous behaviors that could be erroneous or malicious.

Figure 1. Fibre Channel over Ethernet Network Topology. This figure shows a sample FCoE topology.



FCoE provides increased flexibility. However, with this flexibility, new challenges arise in assuring highly robust fabrics. Specifically, if Ethernet bridges exist between an ENode and the FCF, the point-to-point assurance between ENode and FCF is lost, which means that the FCF does not have the complete authority that a Fibre Channel switch has.

You can achieve equivalent robustness between FCoE and Fibre Channel if you can ensure that all FCoE traffic to and from an ENode passes through an FCF and that multiple devices can access an FCF through a single physical FCF port. Doing so creates the equivalent of a point-to-point link between the ENode and FCF.

One possible method of accomplishing this robustness is to ensure that every ENode is physically connected to an FCF with no intervening Ethernet bridges. In many deployments, this situation would prove impractical. For example, in large scale blade or 1U server environments, deploying an FCF in each blade system or top-of-rack switch creates the same scaling limitations in FCoE that are well known today in comparably configured Fibre Channel fabrics.

Fibre Channel over Ethernet (FCoE) Initialization Protocol (FIP) is a Layer 2 protocol for endpoint discovery and fabric association. FIP has its own EtherType and uses its own frame formats.

FIP has two phases: discovery and login. Once the discovery of end nodes and login is complete, FCoE traffic can start flowing between the endpoints.

By snooping on FIP packets during the discovery and login phases, intermediary bridges can implement dynamic data integrity mechanisms using access control lists (ACLs) that permit only valid FCoE traffic between the ENode and the FCoE forwarder (FCF).

A bridge implementing the above functionality is a FIP Snooping Bridge. The process that implements this feature is called a FIP Snooping Manager (FIPSM). FIPSM is capable of supporting both Fabric Provided MAC Addresses (FPMAs) and Server Provided MAC Addresses (SPMAs).

FCoE Connectivity

This section describes options for FCoE connectivity.

Nonredundant FCoE Connectivity

The switch acts as a lossless Ethernet bridge that transparently forwards FCoE packets from the blade servers to a switch. The switch is a FIP snooping bridge. This figure shows a network configuration with nonredundant FCoE connectivity.

Figure 2. Nonredundant FCoE Connectivity



Redundant FCoE Connectivity

The switch acts as a lossless Ethernet bridge that transparently forwards FCoE packets from the blade servers to a switch. The switch is a FIP snooping bridge. Each blade server connects to two switches. Each FCF switch connects to a separate switch. Each FCF switch and the LAN access or aggregation switch provides access to a different storage area network (SAN).

FIP enables the host to pick a particular FCF for the fabric login. By using the FIP protocol, the host determines all the available FCFs and then selects one from among them.

This figure shows a network configuration with redundant FCoE connectivity.

Figure 3. Redundant FCoE Connectivity



Licensing Requirements for FIP Snooping

The following table shows the licensing requirements for this feature.

Product | License Requirement
Cisco DCNM | FIP snooping requires no license. Any feature not included in a license package is bundled with the Cisco DCNM and is provided at no charge to you.

Platform Support for FCoE Initialization Protocol Snooping

The following platform supports this feature. For platform-specific information, including guidelines and limitations, system defaults, and configuration limits, see the corresponding documentation.

Platform | Documentation
Cisco Nexus 7000 Series switches | Cisco Nexus 7000 Series switch documentation
Cisco Nexus 4000 Series switches | Cisco Nexus 4000 Series switch documentation

Configuring FIP Snooping

This section discusses how to configure FIP snooping.

Enabling and Disabling FIP Snooping

FIP snooping is disabled by default. After you enable FIP snooping, the FIP-related commands under VLAN and interface modes are visible. The FIP-snoop process also starts after the feature is enabled. Until then, the FIP-related packets are treated as normal multicast Ethernet packets with a FIP/FCoE EtherType. FIP snooping is enabled only after a cross-check with the license manager. Once the feature is enabled, the FIP-snoop packets and FCoE packets are dropped, unless you explicitly enable them on a per-VLAN basis. If FIP snooping is enabled, all the FIP frames are snooped and security ACLs are added. FCoE traffic is blocked on all ports until the device reinitializes with FIP. A warning message for FCoE traffic disruption is issued when FIP snooping is enabled. If FIP snooping is disabled, snooping is removed and all programmed ACLs and internal data are cleaned up.

You can enable or disable the FIP Snooping feature.

Before You Begin

You must configure QoS, MTU, PFC, and ETS for FIP snooping. Because Cisco DCNM does not support QoS management, you must configure QoS using the command-line interface on the device.

If you want to change the default QoS configuration, you must configure QoS.

Procedure
    Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

    Devices that support this feature appear in the Summary pane.

    Step 2   From the Summary pane, choose the desired device.
    Step 3   From the menu bar, choose Actions > Enable FIP Snooping or Actions > Disable FIP Snooping.

    Configuring FIP Snooping Using a Wizard

    Instead of having to configure multiple components throughout the Cisco DCNM interface for FIP snooping, you can use a wizard to configure FIP snooping on VLANs and interfaces on multiple devices.

    Procedure
      Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

      Devices that support this feature appear in the Summary pane.

      Step 2   From the menu bar, choose Actions > Launch Wizard.
      Step 3   In the FIP Snooping Wizard introductory dialog box, click Next.
      Step 4   In the Device Selections and VLAN Settings dialog box, do the following:
      1. From the Available Devices field, choose the devices to be configured for FIP Snooping and click Add.

        The device(s) appear in the Selected Devices field.

      2. In the VLAN Settings field, enter the ID number of the FCoE VLAN to be snooped and the FC MAP value.
      3. Click Next.
      Step 5   In the Select ENode and FCF interfaces dialog box, do the following:
      1. In the Available Interfaces field, expand the desired device.
      2. Expand the desired slot or port channel.
      3. Do one of the following:
        • To add interfaces that are connected to ENodes, choose the desired interface or port channel, as appropriate, and click Add next to the Interfaces Connected to ENodes field.
        • To add interfaces that are connected to FCFs, choose the desired interface or port channel, as appropriate, and click Add next to the Interfaces Connected to FCFs field.
      4. Click Next.
      Step 6   Review the configuration information in the FIP snooping Summary dialog box.
      Step 7   If you are satisfied with the configuration, click Finish.

      FIP snooping is deployed and the status is displayed.

      Step 8   Click Done.

      Adding a VLAN

      You can add a VLAN to a device. When you do, FIP snooping is automatically enabled on the VLAN.

      Procedure
        Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

        Devices that support this feature appear in the Summary pane.

        Step 2   From the Summary pane, choose the desired device.
        Step 3   From the menu bar, choose Actions > Add VLAN.
        Step 4   From the Summary pane, enter an ID number for the VLAN.

        The VLAN is added to the device with FIP snooping enabled.


        Deleting a VLAN

        You can delete a VLAN from a device.

        Procedure
          Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

          Devices that support this feature appear in the Summary pane.

          Step 2   From the Summary pane, expand the desired device.
          Step 3   Choose the desired VLAN or VLANs.
          Step 4   From the menu bar, choose Actions > Delete.

          Enabling FIP Snooping on a VLAN

          After enabling FIP snooping on a VLAN, the FIP packets are snooped on the configured VLANs. FIP snooping is disabled on VLANs by default.

          You can enable FIP snooping on a VLAN.

          Before You Begin

          Create a VLAN or determine which existing VLAN you will use.

          Procedure
            Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

            Devices that support this feature appear in the Summary pane.

            Step 2   From the Summary pane, expand the desired device.
            Step 3   Do one of the following:
            • Choose the desired VLAN or VLANs and, from the menu bar, choose Actions > Enable FIP Snooping.
            • If the desired VLAN is not in the list, select the device and from the menu bar, choose Actions > Add VLAN. The VLAN is added with FIP snooping enabled.
            Step 4   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

            Disabling FIP Snooping on a VLAN

            You can disable FIP snooping on a VLAN.

            Procedure
              Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

              Devices that support this feature appear in the Summary pane.

              Step 2   From the Summary pane, expand the desired device.
              Step 3   Choose the desired VLAN or VLANs.
              Step 4   From the menu bar, choose Actions > Disable FIP Snooping.

              FIP Snooping is disabled on the VLANs, and the VLANs are removed from the Summary pane.


              Configuring the FC-MAP Value on a VLAN

              The FC-MAP is configured on a per VLAN basis. This FC-MAP is verified with the FC-MAP received from the FCF, and if it does not match, the frames are rejected. Only frames that match the configured FC-MAP are allowed to go through and to establish a session between an ENode and FCF.
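The FC-MAP check described above, together with the ACL behavior from the FIP Snooping Overview, modeled as an added example (not Cisco code and not part of the original guide). The frame dictionaries, operation names, port names, and MAC addresses are constructed; the model tracks only advertisement, FLOGI request, and FLOGI accept events instead of parsing real FIP frames, and dropping FCF-originated FIP on ENode ports is a modeling assumption based on the port types.

```python
# Added illustration: simplified model of a FIP snooping bridge on one VLAN.
# Frame dicts, op names, ports and MACs are constructed; not Cisco code.
from dataclasses import dataclass, field

FIP, FCOE = 0x8914, 0x8906      # EtherTypes for FIP and FCoE frames


def fpma(fc_map: int, fc_id: int) -> str:
    """Fabric Provided MAC Address: 24-bit FC-MAP followed by 24-bit FC_ID."""
    raw = ((fc_map & 0xFFFFFF) << 24) | (fc_id & 0xFFFFFF)
    return ":".join(f"{b:02x}" for b in raw.to_bytes(6, "big"))


@dataclass
class SnoopingVlan:
    fc_map: int                                  # FC-MAP configured on the VLAN
    port_mode: dict                              # port -> "enode" or "fcf"
    fcfs: set = field(default_factory=set)       # FCF MACs accepted in discovery
    enodes: dict = field(default_factory=dict)   # ENode MAC -> port it was seen on
    acl: set = field(default_factory=set)        # permits: (ingress port, src, dst)

    def handle(self, f: dict) -> str:
        """Return "forward" or "drop" for one FIP or FCoE frame."""
        mode = self.port_mode.get(f["port"])
        if f["ethertype"] == FCOE:               # only ACL-matched FCoE passes
            return "forward" if (f["port"], f["src"], f["dst"]) in self.acl else "drop"
        if f["ethertype"] != FIP or mode is None:
            return "drop"                        # model covers FIP/FCoE on VLAN ports
        op = f["op"]
        if op in ("solicitation", "flogi_request") and mode == "enode":
            self.enodes[f["src"]] = f["port"]
            return "forward"
        if op == "advertisement" and mode == "fcf":
            if f["fc_map"] != self.fc_map:
                return "drop"                    # FC-MAP mismatch: frame rejected
            self.fcfs.add(f["src"])
            return "forward"
        if op == "flogi_accept" and mode == "fcf":
            port = self.enodes.get(f["dst"])
            if f["src"] not in self.fcfs or port is None:
                return "drop"                    # unknown FCF or unsolicited accept
            vn = fpma(self.fc_map, f["fc_id"])   # MAC the ENode must use for FCoE
            self.acl |= {(port, vn, f["src"]), (f["port"], f["src"], vn)}
            return "forward"
        return "drop"                            # e.g. FCF-type FIP on an ENode port


def demo() -> list:  # verdicts, in order, for a constructed frame sequence
    fcf, enode = "02:00:00:00:00:01", "02:00:00:00:00:0a"
    vlan = SnoopingVlan(0x0EFC00, {"eth1/1": "enode", "eth1/2": "enode", "eth1/9": "fcf"})
    def fip(port, src, op, **kw):
        return dict(ethertype=FIP, port=port, src=src, op=op, **kw)
    data = dict(ethertype=FCOE, port="eth1/1", src=fpma(0x0EFC00, 0x010203), dst=fcf)
    frames = [
        data,                                                  # FCoE before login
        fip("eth1/9", fcf, "advertisement", fc_map=0x0EFC01),  # wrong FC-MAP
        fip("eth1/2", fcf, "advertisement", fc_map=0x0EFC00),  # arrives on ENode port
        fip("eth1/9", fcf, "advertisement", fc_map=0x0EFC00),
        fip("eth1/1", enode, "flogi_request"),
        fip("eth1/9", fcf, "flogi_accept", dst=enode, fc_id=0x010203),
        data,                                                  # FCoE after login
        dict(data, port="eth1/2"),                             # same MACs, other port
    ]
    return [vlan.handle(f) for f in frames]
```

Calling `demo()` shows FCoE frames dropped until the login completes, and the same source MAC dropped again when it appears on a port that did not perform the login.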

              You can configure an FC-MAP on a VLAN.

              Procedure
                Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

                Devices that support this feature appear in the Summary pane.

                Step 2   From the Summary pane, expand the desired device.
                Step 3   Choose the desired VLAN.
                Step 4   Click the Settings tab.
                Step 5   Expand the FCoE Settings content.
                Step 6   In the FC-Map field, enter the FC-Map value.
                Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.

                Adding Ports to a FIP Snooping VLAN

                You can add ports to a VLAN that has FIP Snooping enabled on it.

                Procedure
                  Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

                  Devices that support this feature appear in the Summary pane.

                  Step 2   From the Summary pane, expand the desired device.
                  Step 3   Choose the desired VLAN.

                  Choose the Interface associate pane located to the right of the Summary pane.

                  Step 4   Right-click the desired port and choose Add Port.
                  Step 5   If the port is in access mode, a message appears indicating that the port will be changed into trunk mode. Click OK to continue.

                  The port is added to the VLAN and displayed in the Settings tab in the Interfaces section.


                  Removing Ports from a FIP Snooping VLAN

                  You can remove ports from a FIP snooping VLAN.

                  Procedure
                    Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

                    Devices that support this feature appear in the Summary pane.

                    Step 2   From the Summary pane, expand the desired device.
                    Step 3   Choose the desired VLAN.
                    Step 4   In the Settings tab, expand the Interfaces section.
                    Step 5   Right-click the interface you want to remove and choose Remove Interface.

                    Displaying FIP Snooping Summary Information

                    You can display FIP snooping summary information for devices that support the FIP snooping feature. The summary information includes the FCoE VLAN ID, VLAN name, FC-Map, admin state, admin status, FIP snooping status, and alarm status.

                    From the Feature Selector pane, choose FCoE > FIP Snooping. Devices that support this feature appear in the Summary pane.

                    Displaying Status Information

                    You can display status information about a selected device or VLAN.

                    Procedure
                      Step 1   From the Feature Selector pane, choose FCoE > FIP Snooping.

                      Devices that support this feature appear in the Summary pane.

                      Step 2   Do one of the following:
                      • To display status information about a device, from the Summary pane, choose the desired device.
                      • To display status information about a VLAN, from the Summary pane, expand the desired device and choose the desired VLAN.
                      Step 3   Click the Status tab.
                      Step 4   Do one of the following:
                      • To view status information about active ENodes, expand the Active ENodes content.
                      • To view status information about active FCFs, expand the Active FCFs content.
                      • For devices, to view status information about active snooped sessions, expand the Active Snooped Sessions content.

                      Field Descriptions for Configuring FIP Snooping

                      FIP Snooping: Status: Active ENodes Section

                      Table 1 FIP Snooping: Status: Active ENodes Section

                      Field | Description
                      Interface | Display only. Name of the interface to which the ENode is connected.
                      VLAN | Display only. ID number of the VLAN to which the ENode belongs.
                      Node Name | Display only. Name of the ENode.
                      FIP MAC Address | Display only. MAC address of the ENode.
                      FCoE MAC Address | Display only. FCoE MAC address that is used to send the FCoE packets.

                      FIP Snooping: Status: Active FCFs Section

                      Table 2 FIP Snooping: Status: Active FCFs Section

                      Field | Description
                      Interface | Display only. Name of the interface to which the FCoE Forwarder (FCF) is connected.
                      VLAN | Display only. ID number of the VLAN to which the FCF belongs.
                      Fabric Name | Display only. Name of the FCF.
                      Priority | Display only. Priority flow control mode. Valid values are as follows:
                      Switch WWN | Display only. World Wide Name (WWN) of the FCF.
                      FCF MAC Address | Display only. MAC address of the FCF.
                      No. of ENodes | Display only. Total number of ENodes that are connected to the FCF.

                      FIP Snooping: Status: Active Snooped Sessions Section

                      Table 3 FIP Snooping: Status: Active Snooped Sessions Section

                      Field | Description
                      Refresh Frequency | Interval when the display is updated. Valid choices are 30 seconds and from 1 to 5 minutes.
                      FCF MAC Address | Display only. MAC address of the FCF that is a part of the session.
                      ENode MAC Address | Display only. MAC address of the ENode that is part of the session.
                      VLAN | Display only. ID number of the VLAN that contains the session.
                      FCoE MAC Address | Display only. FCoE MAC address of the FCoE packets that are part of the session.
                      N Port ID | Display only. ID number of the virtual port that was created by the FCF when the ENode logged into the network.

                      FIP Snooping: Settings: VLAN Settings

                      Table 4 FIP Snooping: Settings: VLAN Settings

                      Field | Description
                      VLAN ID | Display only. ID number of the VLAN.
                      Name | Display only. Name of the VLAN.
                      Admin State | Display only. State of the VLAN. Valid values are as follows:
                      Admin Status | Display only. Status of the VLAN. Valid values are as follows: Enabled, Disabled

                      You can edit these fields in the Switching > VLAN > VLAN Details > VLAN Settings section.

                      FIP Snooping: Settings: FCoE Settings

                      Table 5 FIP Snooping: Settings: FCoE Settings

                      Field | Description
                      FC-Map | FC-Map value used by the FCF. The default value is 0xEFC00.

                      FIP Snooping: Settings: Interfaces Section

                      Table 6 FIP Snooping: Settings: Interfaces Section

                      Field | Description
                      Name | Display only. Name of the interface that belongs to the selected VLAN.
                      Port Type | FIP snooping port mode of the interface. Valid values are as follows: ENode, FCF
                      Mode | Display only. Mode of the interface. Valid values are as follows: Access, Trunk
                      Oper Status | Display only. Operational status of the interface. Valid values are as follows:

                      Additional References for FIP Snooping

                      Related Documents

                      Related Topic | Document Title
                      Configuration guide | Cisco Nexus 4001I and 4005I Switch Module for IBM BladeCenter NX-OS Configuration Guide

                      Standards

                      Standards

                      Title

                      No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

                      Feature History for FIP Snooping

                      This table lists the release history for this feature.

                      Table 7 Feature History for FIP Snooping Parameters

                      Feature Name | Releases | Feature Information
                      FIP Snooping | 5.0 | This feature was introduced.
                      FIP Snooping | 4.1(2)E1(1) | This feature was introduced.