Table Of Contents
Configuring FCoE Initialization Protocol Snooping
Information About FIP Snooping
FIP Snooping Overview
FCoE Connectivity
Non-Redundant FCoE Connectivity
Redundant FCoE Connectivity
Configuring FIP Snooping
Enabling DCBXP and LLDP
Configuring QoS
Enabling FIP Snooping Feature
Configuring VLAN
Configuring VLAN and FC-MAP
Configuring Port Identification
Verifying FIP Snooping Configuration
Configuring FCoE Initialization Protocol Snooping
This chapter describes how to configure the FIP snooping bridge feature and includes the following sections:
• Information About FIP Snooping
• Configuring FIP Snooping
• Verifying FIP Snooping Configuration
Information About FIP Snooping
This section provides background on Fibre Channel over Ethernet (FCoE) and on why a FIP snooping bridge is needed.
Note
The BASIC_STORAGE_SERVICES_PKG includes the FIP snooping feature license. The licensing model for the Cisco NX-OS software is feature based. Feature-based licenses make features available to the entire physical switch.
FIP Snooping Overview
In Fibre Channel networks, Fibre Channel switches are generally considered trusted devices. Other Fibre Channel devices must log into the switch before they can communicate with the rest of the fabric. Given that Fibre Channel links are point-to-point, the Fibre Channel switch has complete control over the traffic that a device injects into the fabric or that is received from the fabric. As a result, the switch can ensure that devices are using their assigned addresses and prevent various types of anomalous behaviors that could be erroneous or malicious. See Figure 29-1.
Figure 29-1 Fibre Channel over Ethernet Network Topology
FCoE provides increased flexibility. However, with this flexibility new challenges arise in assuring highly robust fabrics. Specifically, if Ethernet bridges exist between an ENode and the Fibre Channel Forwarder (FCF), the point-to-point assurance between ENode and FCF is lost. Thus the FCF does not have the complete authority that a Fibre Channel switch has.
Equivalent robustness between FCoE and Fibre Channel is possible if one can ensure that all FCoE traffic to and from an ENode passes through an FCF, and that, when multiple ENodes reach an FCF through a single physical FCF port, each ENode's traffic is confined to its own virtual link with that FCF. Doing so creates, in effect, the equivalent of a point-to-point link between the ENode and the FCF.
One possible method of accomplishing this is to ensure every ENode is physically connected to an FCF with no intervening Ethernet bridges. Unfortunately, in many deployments this would prove impractical. For example, in large scale blade or 1U server environments, deploying an FCF in each blade system or top-of-rack switch creates the same scaling limitations in FCoE that are well known today in comparably configured Fibre Channel fabrics.
The FCoE Initialization Protocol (FIP) is a Layer 2 protocol for endpoint discovery and fabric association. FIP has its own EtherType, distinct from the FCoE EtherType, and uses its own frame formats. FIP has two phases, discovery and login; once the endpoints have been discovered and the login is complete, FCoE traffic can flow between them. By snooping FIP frames during the discovery and login phases, an intermediate bridge learns which ENode and FCF MAC addresses belong to each virtual link and dynamically installs ACLs that permit only the valid FCoE traffic between that ENode and FCF, dropping everything else (for example, FCoE frames whose source MAC address the FCF never granted, or FCF advertisements arriving from a host port). This is FIP snooping, and a bridge that implements it is referred to as a FIP snooping bridge. The process that implements this feature is called the FIP Snooping Manager (FIPSM). FIPSM supports both fabric-provided MAC addresses (FPMA) and server-provided MAC addresses (SPMA).
FCoE Connectivity
This section describes options for FCoE connectivity (see Figure 29-2) and includes the following topics:
• Non-Redundant FCoE Connectivity
• Redundant FCoE Connectivity
Non-Redundant FCoE Connectivity
The switch acts as a lossless Ethernet bridge that transparently forwards FCoE frames from the blade servers to an upstream FCF switch. The switch itself is the FIP snooping bridge.
Figure 29-2 Non-redundant FCoE Connectivity
Redundant FCoE Connectivity
The switch acts as a lossless Ethernet bridge that transparently forwards FCoE frames from the blade servers to an upstream FCF switch; the switch itself is the FIP snooping bridge. Each blade server connects to two FIP snooping bridges, and each bridge connects to a separate FCF switch. Each FCF switch, together with the LAN access or aggregation switch, provides access to a different SAN. See Figure 29-3.
The FCoE Initialization Protocol, defined by the T11 standards body, lets the host choose a particular FCF for its fabric login: using FIP, the host discovers all available FCFs and then selects one of them.
Figure 29-3 Redundant FCoE Connectivity
Configuring FIP Snooping
When a switch boots with an empty configuration, it prompts the user for an initial configuration. Although some settings can be auto-generated or deduced, FIP snooping is not among them: the user is expected to configure this feature explicitly.
This section includes the following topics:
• Enabling DCBXP and LLDP
• Configuring QoS
• Enabling FIP Snooping Feature
• Configuring VLAN
• Configuring VLAN and FC-MAP
• Configuring Port Identification
Enabling DCBXP and LLDP
The Data Center Bridging Exchange Protocol (DCBXP) is enabled by default. DCBXP negotiates the FCoE parameters between directly connected peers so that the FCoE infrastructure and its features are auto-configured consistently end to end. DCBXP runs over the Link Layer Discovery Protocol (LLDP), IEEE 802.1AB-2005, which provides a bidirectional negotiation path between peer nodes over which the FCoE configuration is pushed so that it is consistent across the FCoE cloud.
FIPSM uses DCBXP to negotiate the following key parameters with the peer:
• Priority Flow Control (PFC), to exchange the per-priority (virtual lane) PAUSE configuration
• Priority Scheduling (Enhanced Transmission Selection, ETS), to exchange bandwidth allocation and priority-group configuration
• FCoE, to exchange FCoE parameters and to determine which priorities (virtual lanes) carry FCoE traffic
There is no specific command to enable or disable DCBXP.
LLDP, over which DCBXP runs, is enabled by default. You can disable it with the no lldp command.
Note
Disabling the transmit or receive function of LLDP on an interface directly affects DCBXP on that interface, and with it the FCoE parameter negotiation.
To enable or disable LLDP on an interface, perform these tasks:
Command: switch(config)# interface type slot/port
Purpose: Enters interface configuration mode for the specified interface.
Command: switch(config-if)# lldp [transmit | receive]
Purpose: Enables LLDP on the interface; the optional keyword limits the change to the transmit or the receive direction.
Command: switch(config)# interface type slot/port
Purpose: Enters interface configuration mode for the specified interface.
Command: switch(config-if)# no lldp [transmit | receive]
Purpose: Disables LLDP on the interface; the optional keyword limits the change to the transmit or the receive direction.
The following example shows how to enable LLDP transmission on an interface:
switch# configure terminal
switch(config)# interface ethernet 1/20
switch(config-if)# lldp transmit
To display LLDP configuration information, perform this task:
Command: switch# show lldp [interface type slot/port | neighbors | timers | traffic]
Purpose: Displays the LLDP configuration information (or the LLDP neighbors, timers, or traffic counters).
The following example shows how to display the LLDP configuration information for an Ethernet interface:
switch# show lldp interface ethernet 1/20
Configuring QoS
QoS must be configured for FCoE before FIP snooping is enabled: FIP snooping requires the FCoE MTU, Priority Flow Control (PFC), and Enhanced Transmission Selection (ETS) to be in place. During the initial configuration of the switch, the QoS settings are configured by default if you configure FCoE at that time. If you want to change the default QoS configuration, configure QoS explicitly.
Enabling FIP Snooping Feature
The FIP snooping feature is disabled by default. The FIP-related commands under VLAN and interface configuration mode become visible only after the feature is enabled, and the FIP snooping process starts at that point. Until then, frames with the FIP or FCoE EtherType are forwarded as ordinary multicast Ethernet frames with no checks. The command succeeds only after a cross-check with the license manager. Once the feature is enabled, FIP and FCoE frames are dropped unless FIP snooping is explicitly enabled on the VLAN, so the default is deny. On a VLAN where it is enabled, all FIP frames are snooped and the corresponding security ACLs are programmed; FCoE traffic is blocked on every port until the attached devices re-initialize through FIP, and a warning about the FCoE traffic disruption is issued when the feature is enabled. Disabling the feature removes the snooping and cleans up all programmed ACLs and internal state.
To enable or disable the FIP snooping feature, perform these tasks:
Command: switch(config)# feature fip-snooping
Purpose: Enables FIP snooping.
Command: switch(config)# no feature fip-snooping
Purpose: Disables FIP snooping.
The following example shows how to enable the FIP snooping feature:
switch# configure terminal
switch(config)# feature fip-snooping
Configuring VLAN
A VLAN must be configured before FIP snooping can be used on it. FIP frames are snooped only on the VLANs where FIP snooping has been enabled; it is disabled on all VLANs by default.
To enable or disable FIP snooping on a VLAN, perform this task:
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# vlan vlan-id
        Enters VLAN configuration mode for the specified VLAN. The range is 1-4095.
Step 3  switch(config-vlan)# fip-snooping enable
        Enables FIP snooping on the VLAN.
Step 4  switch(config-vlan)# no fip-snooping enable
        Removes FIP snooping from the VLAN.
The following example shows how to enable FIP snooping for VLANs 1 through 7:
switch# configure terminal
switch(config)# vlan 1-7
switch(config-vlan)# fip-snooping enable
Configuring VLAN and FC-MAP
The FC-MAP is configured per VLAN. The configured value is compared with the FC-MAP advertised by the FCF; frames whose FC-MAP does not match are rejected, and only matching frames are allowed through to establish a session between an ENode and the FCF. The default FC-MAP is 0x0efc00. Because a fabric-provided MAC address (FPMA) is the 24-bit FC-MAP followed by the 24-bit FC_ID assigned at login, the FC-MAP check also pins the VN_Port MAC addresses the bridge will accept on that VLAN to the configured fabric.
To configure the VLAN and the FC-MAP, perform this task:
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# vlan vlan-id
        Creates the specified VLAN (range 1-4095) and enters VLAN configuration mode.
Step 3  switch(config-vlan)# fip-snooping enable
        Enables FIP snooping on the VLAN.
Step 4  switch(config-vlan)# fip-snooping fc-map <0x0-0xffffff>
        Configures the FC-MAP for the VLAN.
        Note: If the fabric's FC-MAP is not known, configure the default value, 0x0efc00.
The following example shows how to configure a VLAN and its FC-MAP:
switch# configure terminal
switch(config)# vlan 101
switch(config-vlan)# fip-snooping enable
switch(config-vlan)# fip-snooping fc-map 0x0efc00
Configuring Port Identification
When FIP snooping is enabled, the switch must know which interfaces have FCFs attached in order to relay FIP frames from the hosts to those FCFs, so the user specifies what is connected to each interface. FIPSM keeps track of every interface that has an FCF attached and relays the FIP frames from the hosts to them. If no port mode is configured for an interface, it is treated as a host port, and the peers on it are identified from the FIP discovery frames received there. Declare FCF-facing interfaces explicitly rather than relying on the default.
Note
Verify that all links carrying FCoE, to hosts and to FCFs alike, are trunk ports and that the FCoE VLANs are allowed on them.
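The following model, an added example for this page and not Cisco NX-OS code, ties together the overview, the FC-MAP check, and the port identification described above: the bridge learns FCFs only from advertisements on ports declared as FCF ports, rejects a mismatched FC-MAP, records each virtual link from the FLOGI request and its LS_ACC, and then derives the per-session ACL used to permit or deny FCoE frames. FIP frames are assumed to arrive already decoded into dicts; every port name, MAC address, FC_ID and frame is constructed for the illustration.

```python
"""Model of what a FIP snooping bridge learns from FIP and then enforces on FCoE frames.

Added example for this page, not Cisco NX-OS code. FIP frames are assumed already decoded into
dicts (a real bridge parses EtherType 0x8914 frames and their descriptors); every frame, port and
MAC below is constructed. FC-BB-5 op/sub: 1/2 Advertisement, 2/1 FLOGI, 2/2 LS_ACC, 3/2 CVL."""
from collections import namedtuple
from dataclasses import dataclass, field

DEFAULT_FC_MAP = 0x0EFC00


def fpma(fc_map, fc_id):
    """Fabric Provided MAC Address: 24-bit FC-MAP followed by the 24-bit FC_ID."""
    value = ((fc_map & 0xFFFFFF) << 24) | (fc_id & 0xFFFFFF)
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


# One virtual link; vn_port_mac is the MAC granted by the LS_ACC (the FPMA when the FP flag is set).
Session = namedtuple("Session", "enode_port fcf_mac enode_mac vn_port_mac fc_id")


@dataclass
class FipSnoopingBridge:
    fc_map: dict                                   # vlan -> FC-MAP (fip-snooping enable + fc-map)
    port_mode: dict = field(default_factory=dict)  # port -> "fcf" (fip-snooping port-mode fcf); else host
    fcfs: dict = field(default_factory=dict)       # (port, vlan) -> FCF MAC learned from advertisements
    pending: dict = field(default_factory=dict)    # (vlan, ENode MAC) -> host port awaiting an LS_ACC
    sessions: dict = field(default_factory=dict)   # (vlan, VN_Port MAC) -> Session
    log: list = field(default_factory=list)

    def _drop(self, why):
        self.log.append(why)
        return False

    def on_fip(self, port, vlan, f):
        """Process one decoded FIP frame; True if the bridge accepts and relays it."""
        if vlan not in self.fc_map:
            return self._drop(f"VLAN {vlan}: fip-snooping not enabled, FIP frame dropped")
        op, sub, src = f["op"], f["sub"], f["src"]
        fcf_port = self.port_mode.get(port) == "fcf"
        if (op, sub) == (1, 2):   # Advertisement: only a declared FCF port may send one
            if not fcf_port:
                return self._drop(f"{port}: FCF advertisement from {src} on a host port")
            if f["fc_map"] != self.fc_map[vlan]:
                return self._drop(f"{port}: FC-MAP {f['fc_map']:#08x} does not match VLAN {vlan}")
            self.fcfs[(port, vlan)] = src
            return True
        if (op, sub) == (2, 1):   # FLOGI request: host ports only; remember where it came from
            if fcf_port:
                return self._drop(f"{port}: FLOGI request from an FCF port")
            self.pending[(vlan, src)] = port
            return True
        if (op, sub) == (2, 2):   # LS_ACC from a learned FCF completes the virtual link
            if self.fcfs.get((port, vlan)) != src:
                return self._drop(f"{port}: login reply from unlearned FCF {src}")
            enode_port = self.pending.pop((vlan, f["dst"]), None)
            if enode_port is None:
                return self._drop(f"{port}: login reply for {f['dst']} without a request")
            expected = fpma(self.fc_map[vlan], f["fc_id"])
            if f["fp"] and f["granted_mac"] != expected:
                return self._drop(f"{port}: granted MAC {f['granted_mac']} is not the FPMA {expected}")
            self.sessions[(vlan, f["granted_mac"])] = Session(
                enode_port, src, f["dst"], f["granted_mac"], f["fc_id"])
            return True
        if (op, sub) == (3, 2):   # Clear Virtual Links from the FCF tears sessions down
            if self.fcfs.get((port, vlan)) != src:
                return self._drop(f"{port}: CVL from unlearned FCF {src}")
            for mac in f["vn_port_macs"]:
                self.sessions.pop((vlan, mac), None)
            return True
        return self._drop(f"{port}: unhandled FIP op {op}/{sub}")

    def allow_fcoe(self, port, vlan, src, dst):
        """ACL decision for an FCoE (EtherType 0x8906) frame, derived from the learned sessions."""
        if self.port_mode.get(port) == "fcf":
            s = self.sessions.get((vlan, dst))
            return s is not None and src == self.fcfs.get((port, vlan)) == s.fcf_mac
        s = self.sessions.get((vlan, src))
        return s is not None and s.enode_port == port and dst == s.fcf_mac


def run_demo():
    """Discovery, login, enforcement and teardown on one VLAN; returns every decision by name."""
    br = FipSnoopingBridge(fc_map={101: DEFAULT_FC_MAP}, port_mode={"Eth1/20": "fcf"})
    fcf, enode = "00:0d:ec:b2:2c:80", "00:0c:29:65:82:bc"
    vn_port = fpma(DEFAULT_FC_MAP, 0x380FDB)  # 0e:fc:00:38:0f:db
    r = {}
    r["adv_on_fcf_port"] = br.on_fip("Eth1/20", 101, dict(op=1, sub=2, src=fcf, fc_map=0x0EFC00))
    r["adv_on_host_port"] = br.on_fip("Eth1/7", 101, dict(op=1, sub=2, src="00:0c:29:aa:bb:cc", fc_map=0x0EFC00))
    r["flogi_req"] = br.on_fip("Eth1/7", 101, dict(op=2, sub=1, src=enode, dst=fcf))
    r["flogi_acc"] = br.on_fip("Eth1/20", 101, dict(op=2, sub=2, src=fcf, dst=enode, fp=True,
                                                    fc_id=0x380FDB, granted_mac=vn_port))
    r["data_ok"] = br.allow_fcoe("Eth1/7", 101, vn_port, fcf)
    r["data_spoofed_fcid"] = br.allow_fcoe("Eth1/7", 101, fpma(DEFAULT_FC_MAP, 0x380FDC), fcf)
    r["data_wrong_port"] = br.allow_fcoe("Eth1/8", 101, vn_port, fcf)
    r["data_from_fcf"] = br.allow_fcoe("Eth1/20", 101, fcf, vn_port)
    r["cvl"] = br.on_fip("Eth1/20", 101, dict(op=3, sub=2, src=fcf, vn_port_macs=[vn_port]))
    r["data_after_cvl"] = br.allow_fcoe("Eth1/7", 101, vn_port, fcf)
    return r
```

Two design points carry over to a real deployment: the session is keyed on the VN_Port MAC granted by the FCF, so an ENode that forges a different FC_ID in its source MAC, or a different host port that reuses a legitimate VN_Port MAC, has no matching ACL entry and is dropped; and advertisements are only believed from ports declared with fip-snooping port-mode fcf, which is why that configuration must not be left to the host-mode default.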
To configure port identification, perform this task:
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# feature fip-snooping
        Enables FIP snooping.
Step 3  switch(config)# interface type slot/port
        Enters interface configuration mode for the specified interface.
Step 4  switch(config-if)# fip-snooping port-mode fcf
        Identifies the interface as connected to an FCF.
The following example shows how to identify Ethernet interface 1/20 (slot 1, port 20) as connected to an FCF:
switch# configure terminal
switch(config)# feature fip-snooping
switch(config)# interface ethernet 1/20
switch(config-if)# fip-snooping port-mode fcf
To configure VLAN characteristics when the interface is in trunking mode, perform this task:
Step 1  switch# configure terminal
        Enters configuration mode.
Step 2  switch(config)# interface type slot/port
        Enters interface configuration mode for the specified interface.
Step 3  switch(config-if)# switchport mode trunk
        Configures the interface as a trunk port.
Step 4  switch(config-if)# switchport trunk allowed vlan 101
        Sets the VLANs allowed on the trunk (here, the FCoE VLAN 101).
The following example shows how to set allowed VLANs when the interface is in trunking mode:
switch# configure terminal
switch(config)# interface ethernet 1/20
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 101
Verifying FIP Snooping Configuration
To display the FIP snooping configuration, perform one of these tasks:
Command: switch# show fip-snooping sessions
Purpose: Displays all FIP snooping sessions.
Command: switch# show fip-snooping fcf
Purpose: Displays the interfaces to which FCFs are connected.
Command: switch# show fip-snooping enode
Purpose: Displays the ENode connections.
The following example shows all the FIP snooping sessions:
switch# show fip-snooping sessions
-------------------------------------------------------------------------------
FCF MAC            ENode MAC          VLAN  FCoE MAC           FC ID
-------------------------------------------------------------------------------
00:0d:ec:b2:2c:80  00:0c:29:65:82:bc  1     0e:fc:00:ad:00:00  0x380fdb
The following example shows to what interfaces the FCFs are connected:
Note
This command reports only the port or ports to which an FCF is connected.
switch# show fip-snooping fcf
-------------------------------------------------------------------------------
Interface  VLAN  No of  FPMA/SPMA  FCMAP     FCF-MAC            NameID    Fabric Name
-------------------------------------------------------------------------------
Eth1/9     1     1      FPMA       0x000000  00:0d:ec:b2:2c:80  00000000  00000000
The following example shows the ENode connections:
switch# show fip-snooping enode
-------------------------------------------------------------------------------
Interface  VLAN  Name ID   FIP MAC            FCID
-------------------------------------------------------------------------------
Eth1/7     1     00000000  00:0c:29:65:82:bc  0x000000
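The following check, an added example for this page and not NX-OS code, parses the show fip-snooping sessions table layout shown above and reports any session whose FCoE MAC is not the FPMA implied by the VLAN's configured FC-MAP and the session's FC ID. The input is constructed: its first row repeats the sample session above, and its second row is an added, consistent session for contrast. With FC-MAP 0x0efc00, the FPMA for FC ID 0x380fdb is 0e:fc:00:38:0f:db, so the sample row's FCoE MAC 0e:fc:00:ad:00:00 is reported as inconsistent; on a live switch such a row is worth a closer look (SPMA in use, a stale entry, or a VN_Port MAC the configured FC-MAP would not have produced).

```python
"""Consistency check over `show fip-snooping sessions` output.

Added example for this page, not NX-OS code. It parses the session table layout shown on the
page and flags sessions whose FCoE MAC is not the FPMA implied by the VLAN's FC-MAP and the
session's FC ID. SAMPLE_OUTPUT is constructed: row 1 is the page's sample session, row 2 is an
added, consistent session for contrast."""
import re

DEFAULT_FC_MAP = 0x0EFC00

SAMPLE_OUTPUT = """\
-------------------------------------------------------------------------------
FCF MAC            ENode MAC          VLAN  FCoE MAC           FC ID
-------------------------------------------------------------------------------
00:0d:ec:b2:2c:80  00:0c:29:65:82:bc  1     0e:fc:00:ad:00:00  0x380fdb
00:0d:ec:b2:2c:80  00:0c:29:65:82:bd  1     0e:fc:00:38:0f:dc  0x380fdc
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
ROW = re.compile(MAC + r"\s+" + MAC + r"\s+(\d+)\s+" + MAC + r"\s+0x([0-9a-f]{6})", re.I)


def fpma(fc_map, fc_id):
    """Fabric Provided MAC Address: 24-bit FC-MAP followed by the 24-bit FC_ID."""
    value = ((fc_map & 0xFFFFFF) << 24) | (fc_id & 0xFFFFFF)
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def parse_sessions(text):
    """Return one dict per data row of the sessions table; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            rows.append(dict(fcf_mac=m[1].lower(), enode_mac=m[2].lower(), vlan=int(m[3]),
                             fcoe_mac=m[4].lower(), fc_id=int(m[5], 16)))
    return rows


def check_sessions(text, fc_map_by_vlan, default_fc_map=DEFAULT_FC_MAP):
    """Return (enode_mac, fcoe_mac, expected_fpma) for every session whose VN_Port MAC is not
    FC-MAP || FC ID. fc_map_by_vlan mirrors the per-VLAN fip-snooping fc-map configuration;
    VLANs not listed are assumed to use the default FC-MAP."""
    findings = []
    for s in parse_sessions(text):
        expected = fpma(fc_map_by_vlan.get(s["vlan"], default_fc_map), s["fc_id"])
        if s["fcoe_mac"] != expected:
            findings.append((s["enode_mac"], s["fcoe_mac"], expected))
    return findings


if __name__ == "__main__":
    for enode, actual, expected in check_sessions(SAMPLE_OUTPUT, {1: DEFAULT_FC_MAP}):
        print(f"ENode {enode}: FCoE MAC {actual} is not the FPMA {expected}")
```

The check only applies to FPMA sessions; on a fabric that uses SPMA, the show fip-snooping fcf output above reports SPMA in the FPMA/SPMA column and the server-provided MAC is not expected to match the FC-MAP.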