Configuring Fabric Binding

This chapter describes the fabric binding feature provided in the Cisco MDS 9000 Series Switches. It includes the following sections:

About Fabric Binding

The fabric binding feature ensures ISLs are only enabled between specified switches in the fabric binding configuration. It is set up separately for individual VSANs so you have the flexibility to enable it only where needed. Enabling fabric binding for some VSANs won’t affect the other VSANs. It gives you fine-grained control, which is especially useful in multi-tenant or secure environments. The VSANs without fabric binding behave normally, allowing ISLs with any switch, as long as other fabric policies (like zoning or domain ID checks) don't block them.

This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. It uses the Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of authorized switches is identical in all switches in the fabric.

This section has the following topics:

Licensing Requirements

Fabric binding is an optional feature for Opens Systems VSANs while it is mandatory for FICON VSANs. Fabric binding requires Advantage or Premier tiers for Open Systems, while no license is needed for FICON VSANs with NX-OS 9.4(1a) release and later FICON qualified versions. Previously, Fabric binding would requir either the MAINFRAME_PKG license or the ENTERPRISE_PKG license on your switch depending the deployment needs.

See the Cisco MDS 9000 Family NX-OS Licensing Guide for more information on license feature support and installation.

Port Security Versus Fabric Binding

Port security and fabric binding are two independent features that can be configured to complement each other. The following table compares the two features.

Table 1. Fabric Binding and Port Security Comparison
Fabric Binding	Port Security
Binds the fabric at the switch level.	Binds devices at the interface level.
Authorizes only the configured sWWN stored in the fabric binding database to participate in the fabric.	Allows a preconfigured set of Fibre Channel devices to logically connect to a SAN ports. The switch port, identified by a WWN or interface number, connects to a Fibre Channel device (a host or another switch), also identified by a WWN. By binding these two devices, you lock these two ports into a group (or list).
Requires activation on a per VSAN basis.	Requires activation on a per VSAN basis.
Allows specific user-defined switches that are allowed to connect to the fabric, regardless of the physical port to which the peer switch is connected.	Lets you specify which physical ports can connect to other devices. This means that you can define which physical ports are permitted to connect to other devices, providing a layer of security by restricting connections to only those ports you have specified.
Does not learn about switches that are logging in.	Learns about switches or devices that are logging in if learning mode is enabled.
Cannot be distributed by CFS and must be configured manually on each switch in the fabric.	Can be distributed by CFS.
Uses a set of sWWNs and a persistent domain ID.	Uses pWWNs/nWWNs or fWWNs/sWWNs.
Ensures the fabric is safeguarded against unauthorized switches being connected.	Prevents unauthorized end nodes from being connected to switch ports.

Port-level checking for E/TE ports is as follows:

The switch login uses both port security binding and fabric binding for a given VSAN.
Binding checks are performed on the port VSAN as follows:
- E port security binding check on port VSAN
- TE port security binding check on each allowed VSAN

While port security complements fabric binding, they are independent features and can be enabled or disabled separately.

Fabric Binding Enforcement

To enforce fabric binding, configure the switch world wide name (sWWN) to specify the xE port connection for each switch. Enforcement of fabric binding policies are done on every activation and when the port tries to come up. In a FICON VSAN, the fabric binding feature requires all sWWNs connected to a switch and their persistent domain IDs to be part of the fabric binding active database. In a Fibre Channel VSAN, only the sWWN is required; the domain ID is optional.

Fabric Binding Configuration

To configure fabric binding in each switch in the fabric, follow these steps:

Procedure

Step 1	Enable the fabric configuration feature.
Step 2	Configure a list of sWWNs and their corresponding domain IDs for devices that are allowed to access the fabric.
Step 3	Activate the fabric binding database.
Step 4	Copy the fabric binding active database to the fabric binding config database.
Step 5	Save the fabric binding configuration.
Step 6	Verify the fabric binding configuration.

Enabling Fabric Binding

The fabric binding feature must be enabled in each switch in the fabric that participates in the fabric binding. By default, this feature is disabled in all switches in the Cisco MDS 9000 Family. The configuration and verification commands for the fabric binding feature are only available when fabric binding is enabled on a switch. When you disable this configuration, all related configurations are automatically discarded.

To enable fabric binding on any participating switch, follow these steps:

Procedure

Step 1

switch# configure terminal

Enters configuration mode.

Step 2

switch(config)# feature fabric-binding

Enables fabric binding on that switch.

Step 3

switch(config)# no feature fabric-binding

(Optional) Disables (default) fabric binding on that switch.

Example

View the status of the fabric binding feature of a fabric binding-enabled switch by issuing the show fabric-binding status command.

switch# show fabric-binding status

VSAN 1:Activated database
VSAN 4:No Active database

Configuring Switch WWN List for a FICON VSAN

A user-specified fabric binding list contains a list of switch WWNs (sWWNs) within a fabric. If an sWWN attempts to join the fabric, and that sWWN is not on the list or the sWWN is using a domain ID that differs from the one specified in the allowed list, the ISL between the switch and the fabric is automatically isolated in that VSAN and the switch is denied entry into the fabric.

The persistent domain ID can be specified along with the sWWN. Domain ID authorization is required in FICON VSANs where the domains are statically configured and the end devices reject a domain ID change in all switches in the fabric. Domain ID authorization is not required in Fibre Channel VSANs.

To configure a list of sWWNs and domain IDs for a FICON VSAN, follow these steps:

Procedure

Step 1	switch# configure terminal switch(config)# Enters configuration mode.
Step 2	switch(config)# fabric-binding database vsan 5 switch(config-fabric-binding)# Enters the fabric binding submode for the specified VSAN.
Step 3	switch(config)# no fabric-binding database vsan 5 (Optional) Deletes the fabric binding database for the specified VSAN.
Step 4	switch(config-fabric-binding)# swwn 21:00:05:30:23:11:11:11 domain 102 Adds the sWWN and domain ID of a switch to the configured database list.
Step 5	switch(config-fabric-binding)# swwn 21:00:05:30:23:1a:11:03 domain 101 Adds the sWWN and domain ID of another switch to the configured database list.
Step 6	switch(config-fabric-binding)# no swwn 21:00:15:30:23:1a:11:03 domain 101 (Optional) Deletes the sWWN and domain ID of a switch from the configured database list.
Step 7	switch(config-fabric-binding)# exit switch(config)# Exits the fabric binding submode.

Configuring Switch WWN List for a Fiber Channel VSAN

To configure a list of sWWNs and optional domain IDs for a Fibre Channel VSAN, follow these steps:

Procedure

Step 1	switch# configure terminal switch(config)# Enters configuration mode.
Step 2	switch(config)# fabric-binding database vsan 10 switch(config-fabric-binding)# Enters the fabric binding submode for the specified VSAN.
Step 3	switch(config)# no fabric-binding database vsan 10 (Optional) Deletes the fabric binding database for the specified VSAN.
Step 4	switch(config-fabric-binding)# swwn 21:00:05:30:23:11:11:11 Adds the sWWN of a switch for all domains to the configured database list.
Step 5	switch(config-fabric-binding)# no swwn 21:00:05:30:23:11:11:11 (Optional) Deletes the sWWN of a switch for all domains from the configured database list.
Step 6	switch(config-fabric-binding)# swwn 21:00:05:30:23:1a:11:03 domain 101 Adds the sWWN of another switch for a specific domain ID to the configured database list.
Step 7	switch(config-fabric-binding)# no swwn 21:00:15:30:23:1a:11:03 domain 101 (Optional) Deletes the sWWN and domain ID of a switch from the configured database list.
Step 8	switch(config-fabric-binding)# exit switch(config)# Exits the fabric binding submode.

Fabric Binding Activation

The fabric binding feature maintains a configuration database (config-database) and an active database. The config-database is a read-write database that collects the configurations you perform. These configurations are only enforced upon activation. This activation overwrites the active database with the contents of the config- database. The active database is read-only and is the database against which the checks happen for each switch attempting to log in.

By default, the fabric binding feature is not activated. You cannot activate the fabric binding database on the switch if entries existing in the configured database conflict with the current state of the fabric. For example, one of the already logged in switches may be denied login by the config-database. You can choose to forcefully override these situations.

Note

After activation, any switch that is already logged in and violates the current active database will be logged out, and all switches that were previously denied login due to fabric binding restrictions will be reset.

To activate the fabric binding feature, follow these steps:

Procedure

Step 1

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2

switch(config)# fabric-binding activate vsan 10

Activates the fabric binding database for the specified VSAN.

Step 3

switch(config)# no fabric-binding activate vsan 10

(Optional) Deactivates the fabric binding database for the specified VSAN.

Forcing Fabric Binding Activation

If the database activation is rejected due to one or more conflicts listed in the previous section, you may decide to proceed with the activation by using the force option.

To forcefully activate the fabric binding database, follow these steps:

Procedure

Step 1

switch# configure terminal

switch(config)#

Enters configuration mode.

Step 2

switch(config)# fabric-binding activate vsan 3 force

Activates the fabric binding database for the specified VSAN forcefully—even if the configuration is not acceptable.

Step 3

switch(config)# no fabric-binding activate vsan 3 force

(Optional) Reverts to the previously configured state or to the factory default (if no state is configured).

Saving Fabric Binding Configurations

When you save the fabric binding configuration, the config database is saved to the running configuration.

Caution

You cannot disable fabric binding in a FICON-enabled VSAN.

Use the fabric-binding database copy vsan command to copy from the active database to the config database. If the active database is empty, this command is not accepted.


switch# fabric-binding database copy vsan 1

Use the fabric-binding database diff active vsan command to view the differences between the active database and the config database. This command can be used when resolving conflicts.


switch# fabric-binding database diff active vsan 1

Use the fabric-binding database diff config vsan command to obtain information on the differences between the config database and the active database.


switch# fabric-binding database diff config vsan 1

Use the copy running-config startup-config command to save the running configuration to the startup configuration so that the fabric binding config database is available after a reboot.


switch# copy running-config startup-config

Clearing the Fabric Binding Statistics

Use the clear fabric-binding statistics command to clear all existing statistics from the fabric binding database for a specified VSAN.


switch# clear fabric-binding statistics vsan 1

Deleting the Fabric Binding Database

Use the no fabric-binding command in configuration mode to delete the configured database for a specified VSAN.


switch(config)# no fabric-binding database vsan 10

Verifying Fabric Binding Configurations

Use the show commands to display all fabric binding information configured on this switch (see the following examples).

Displays Configured Fabric Binding Database Information

switch# show fabric-binding database

--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
1      21:00:05:30:23:11:11:11   0x66(102)
1      21:00:05:30:23:1a:11:03    0x19(25)
1      20:00:00:05:30:00:2a:1e   0xea(234) [Local]
4      21:00:05:30:23:11:11:11         Any
4      21:00:05:30:23:1a:11:03         Any
4      20:00:00:05:30:00:2a:1e   0xea(234) [Local]
61     21:00:05:30:23:1a:11:03    0x19(25)
61     21:00:05:30:23:11:11:11   0x66(102)
61     20:00:00:05:30:00:2a:1e   0xea(234) [Local]
[Total 7 entries]

switch# show fabric-binding database active

--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
1      21:00:05:30:23:11:11:11   0x66(102)
1      21:00:05:30:23:1a:11:03    0x19(25)
1      20:00:00:05:30:00:2a:1e   0xea(234) [Local]
61     21:00:05:30:23:1a:11:03    0x19(25)
61     21:00:05:30:23:11:11:11   0x66(102)
61     20:00:00:05:30:00:2a:1e   0xef(239) [Local]

switch# show fabric-binding database vsan 4

--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
4      21:00:05:30:23:11:11:11          Any
4      21:00:05:30:23:1a:11:03          Any
4      20:00:00:05:30:00:2a:1e   0xea(234) [Local]
[Total 2 entries]

switch# show fabric-binding database active vsan 61

--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
61     21:00:05:30:23:1a:11:03    0x19(25)
61     21:00:05:30:23:11:11:11   0x66(102)
61     20:00:00:05:30:00:2a:1e   0xef(239) [Local]
[Total 3 entries]

switch# show fabric-binding statistics

Statistics For VSAN: 1
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0
Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 4
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0
Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 61
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0
Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 345
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0
Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 346
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0
Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 347
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0
Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 348
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0
Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 789
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0
Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 790
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0
Total Logins permitted  : 0
Total Logins denied     : 0

switch# show fabric-binding status

VSAN 1 :Activated database
VSAN 4 :No Active database
VSAN 61 :Activated database
VSAN 345 :No Active database
VSAN 346 :No Active database
VSAN 347 :No Active database
VSAN 348 :No Active database
VSAN 789 :No Active database
VSAN 790 :No Active database

switch# show fabric-binding violations

------------------------------------------------------------------------------- 
VSAN Switch WWN [domain]     Last-Time             [Repeat count] Reason 
------------------------------------------------------------------------------- 
2    20:00:00:05:30:00:4a:1e [0xeb] Nov 25 05:46:14 2003   [2]    Domain mismatch 
3    20:00:00:05:30:00:4a:1e [*] Nov 25 05:44:58 2003      [2]    sWWN not found 
4    20:00:00:05:30:00:4a:1e [*] Nov 25 05:46:25 2003      [1]    Database mismatch

Note

In VSAN 3 the sWWN itself was not found in the list. In VSAN 2, the sWWN was found in the list, but has a domain ID mismatch.

switch# show fabric-binding efmd statistics

EFMD Protocol Statistics for VSAN 1
----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts  -> Transmitted : 0 , Received : 0
Merge Rejects  -> Transmitted : 0 , Received : 0
Merge Busy     -> Transmitted : 0 , Received : 0
Merge Errors   -> Transmitted : 0 , Received : 0
EFMD Protocol Statistics for VSAN 4
----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts  -> Transmitted : 0 , Received : 0
Merge Rejects  -> Transmitted : 0 , Received : 0
Merge Busy     -> Transmitted : 0 , Received : 0
Merge Errors   -> Transmitted : 0 , Received : 0
EFMD Protocol Statistics for VSAN 61
----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts  -> Transmitted : 0 , Received : 0
Merge Rejects  -> Transmitted : 0 , Received : 0
Merge Busy     -> Transmitted : 0 , Received : 0
Merge Errors   -> Transmitted : 0 , Received : 0

switch# show fabric-binding efmd statistics vsan 4

EFMD Protocol Statistics for VSAN 4
----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts  -> Transmitted : 0 , Received : 0
Merge Rejects  -> Transmitted : 0 , Received : 0
Merge Busy     -> Transmitted : 0 , Received : 0
Merge Errors   -> Transmitted : 0 , Received : 0

Default Settings

The following table lists the default settings for the fabric binding feature.

Table 2. Default Fabric Binding Settings
Parameters	Default
Fabric binding	Disabled

Cisco MDS 9000 Series Security Configuration Guide, Release 9.x

Bias-Free Language

Book Title