Cisco MDS 9000 Family Fabric Manager Configuration Guide, Release 3.4(1a)
Configuring Fabric Binding


Configuring Fabric Binding


This chapter describes the fabric binding feature provided in the Cisco MDS 9000 Family of directors and switches. It includes the following sections:

About Fabric Binding

Fabric Binding Configuration

Default Settings

About Fabric Binding

The fabric binding feature ensures ISLs are only enabled between specified switches in the fabric binding configuration. Fabric binding is configured on a per-VSAN basis.

This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. It uses the Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of authorized switches is identical in all switches in the fabric.

This section has the following topics:

Licensing Requirements

Port Security Versus Fabric Binding

Fabric Binding Enforcement

Licensing Requirements

Fabric binding requires that you install either the MAINFRAME_PKG license or the ENTERPRISE_PKG license on your switch.

See Chapter 10, "Obtaining and Installing Licenses," for more information on license feature support and installation.

Port Security Versus Fabric Binding

Port security and fabric binding are two independent features that can be configured to complement each other. Table 38-1 compares the two features.

Table 38-1 Fabric Binding and Port Security Comparison 

Fabric Binding: Uses a set of sWWNs and a persistent domain ID.
Port Security:  Uses pWWNs/nWWNs or fWWNs/sWWNs.

Fabric Binding: Binds the fabric at the switch level.
Port Security:  Binds devices at the interface level.

Fabric Binding: Authorizes only the configured sWWN stored in the fabric binding database to participate in the fabric.
Port Security:  Allows a preconfigured set of Fibre Channel devices to logically connect to a SAN port. The switch port, identified by a WWN or interface number, connects to a Fibre Channel device (a host or another switch), also identified by a WWN. By binding these two devices, you lock these two ports into a group (or list).

Fabric Binding: Requires activation on a per-VSAN basis.
Port Security:  Requires activation on a per-VSAN basis.

Fabric Binding: Allows specific user-defined switches to connect to the fabric, regardless of the physical port to which the peer switch is connected.
Port Security:  Allows specific user-defined physical ports to which another device can connect.

Fabric Binding: Does not learn about switches that are logging in.
Port Security:  Learns about switches or devices that are logging in if learning mode is enabled.

Fabric Binding: Cannot be distributed by CFS and must be configured manually on each switch in the fabric.
Port Security:  Can be distributed by CFS.


Port-level checking for xE ports is as follows:

The switch login uses both port security binding and fabric binding for a given VSAN.

Binding checks are performed on the port VSAN as follows:

E port security binding check on port VSAN

TE port security binding check on each allowed VSAN

While port security complements fabric binding, they are independent features and can be enabled or disabled separately.

Fabric Binding Enforcement

To enforce fabric binding, configure the switch world wide name (sWWN) to specify the xE port connection for each switch. Fabric binding policies are enforced on every activation and whenever a port tries to come up. In a FICON VSAN, the fabric binding feature requires all sWWNs connected to a switch and their persistent domain IDs to be part of the fabric binding active database. In a Fibre Channel VSAN, only the sWWN is required; the domain ID is optional.


Note: All switches in a Fibre Channel VSAN using fabric binding must be running Cisco MDS SAN-OS Release 3.0(1) or later.


Fabric Binding Configuration

To configure fabric binding in each switch in the fabric, follow these steps.


Step 1 Enable the fabric configuration feature.

Step 2 Configure a list of sWWNs and their corresponding domain IDs for devices that are allowed to access the fabric.

Step 3 Activate the fabric binding database.

Step 4 Copy the fabric binding active database to the fabric binding config database.

Step 5 Save the fabric binding configuration.

Step 6 Verify the fabric binding configuration.


Enabling Fabric Binding

The fabric binding feature must be enabled in each switch in the fabric that participates in the fabric binding. By default, this feature is disabled in all switches in the Cisco MDS 9000 Family. The configuration and verification commands for the fabric binding feature are only available when fabric binding is enabled on a switch. When you disable this configuration, all related configurations are automatically discarded.

To enable fabric binding on any participating switch, follow these steps:

 
Step    Command / Purpose

Step 1  switch# config t
        Enters configuration mode.

Step 2  switch(config)# fabric-binding enable
        Enables fabric binding on that switch.

        switch(config)# no fabric-binding enable
        Disables (default) fabric binding on that switch.

View the status of the fabric binding feature of a fabric binding-enabled switch by issuing the show fabric-binding status command.

switch# show fabric-binding status
VSAN 1:Activated database
VSAN 4:No Active database

Configuring Switch WWN List

A user-specified fabric binding list contains a list of switch WWNs (sWWNs) within a fabric. If an sWWN attempts to join the fabric, and that sWWN is not on the list or the sWWN is using a domain ID that differs from the one specified in the allowed list, the ISL between the switch and the fabric is automatically isolated in that VSAN and the switch is denied entry into the fabric.

The persistent domain ID can be specified along with the sWWN. Domain ID authorization is required in FICON VSANs where the domains are statically configured and the end devices reject a domain ID change in all switches in the fabric. Domain ID authorization is not required in Fibre Channel VSANs.
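The admission rule described above, as an added example that is not Cisco code: it parses swwn entries in the form shown in the procedures on this page and models the permit or deny decision for a peer switch. The function names are hypothetical, the reason strings are borrowed from the show fabric-binding violations output in Example 38-7, and the peer values in the demo are constructed.

```python
import re

# One entry per line, as typed in the fabric-binding submode on this page:
#   swwn <sWWN> [domain <id>]   (an optional CLI prompt prefix is tolerated)
ENTRY = re.compile(
    r"^(?:switch\(config-fabric-binding\)#\s*)?swwn\s+"
    r"((?:[0-9a-f]{2}:){7}[0-9a-f]{2})(?:\s+domain\s+(\d+))?$", re.I)

def parse_binding_list(lines):
    """Return {sWWN: domain ID, or None when any domain is accepted}."""
    allowed = {}
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"not a swwn entry: {line!r}")
        domain = int(m.group(2)) if m.group(2) else None
        if domain is not None and not 1 <= domain <= 239:  # valid FC domain IDs
            raise ValueError(f"domain ID out of range: {line!r}")
        allowed[m.group(1).lower()] = domain
    return allowed

def ficon_gaps(allowed):
    """Entries that lack the domain ID a FICON VSAN requires."""
    return sorted(w for w, d in allowed.items() if d is None)

def check_login(allowed, swwn, domain):
    """Model the check applied when a peer switch tries to bring up an ISL."""
    expected = allowed.get(swwn.lower(), "absent")
    if expected == "absent":
        return "sWWN not found"      # switch is not in the binding list
    if expected is not None and expected != domain:
        return "Domain mismatch"     # listed, but using another domain ID
    return "permit"

# The Fibre Channel VSAN 10 entries from the procedure on this page.
VSAN_10 = parse_binding_list([
    "swwn 21:00:05:30:23:11:11:11",
    "switch(config-fabric-binding)# swwn 21:00:05:30:23:1a:11:03 domain 101",
])

if __name__ == "__main__":
    # Peer values below are constructed for illustration.
    for peer in [("21:00:05:30:23:11:11:11", 55),
                 ("21:00:05:30:23:1a:11:03", 25),
                 ("20:00:00:05:30:00:4a:1e", 235)]:
        print(peer, "->", check_login(VSAN_10, *peer))
    print("missing domain for FICON:", ficon_gaps(VSAN_10))
```

Running ficon_gaps over a list intended for a FICON VSAN shows which entries still need a persistent domain ID before the list meets the requirement stated above.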

To configure a list of sWWNs and domain IDs for a FICON VSAN, follow these steps:

 
Step    Command / Purpose

Step 1  switch# config t
        switch(config)#
        Enters configuration mode.

Step 2  switch(config)# fabric-binding database vsan 5
        switch(config-fabric-binding)#
        Enters the fabric binding submode for the specified VSAN.

        switch(config)# no fabric-binding database vsan 5
        Deletes the fabric binding database for the specified VSAN.

Step 3  switch(config-fabric-binding)# swwn 21:00:05:30:23:11:11:11 domain 102
        Adds the sWWN and domain ID of a switch to the configured database list.

        switch(config-fabric-binding)# swwn 21:00:05:30:23:1a:11:03 domain 101
        Adds the sWWN and domain ID of another switch to the configured database list.

        switch(config-fabric-binding)# no swwn 21:00:15:30:23:1a:11:03 domain 101
        Deletes the sWWN and domain ID of a switch from the configured database list.

Step 4  switch(config-fabric-binding)# exit
        switch(config)#
        Exits the fabric binding submode.

To configure a list of sWWNs and optional domain IDs for a Fibre Channel VSAN, follow these steps:

 
Step    Command / Purpose

Step 1  switch# config t
        switch(config)#
        Enters configuration mode.

Step 2  switch(config)# fabric-binding database vsan 10
        switch(config-fabric-binding)#
        Enters the fabric binding submode for the specified VSAN.

        switch(config)# no fabric-binding database vsan 10
        Deletes the fabric binding database for the specified VSAN.

Step 3  switch(config-fabric-binding)# swwn 21:00:05:30:23:11:11:11
        Adds the sWWN of a switch for all domains to the configured database list.

        switch(config-fabric-binding)# no swwn 21:00:05:30:23:11:11:11
        Deletes the sWWN of a switch for all domains from the configured database list.

        switch(config-fabric-binding)# swwn 21:00:05:30:23:1a:11:03 domain 101
        Adds the sWWN of another switch for a specific domain ID to the configured database list.

        switch(config-fabric-binding)# no swwn 21:00:15:30:23:1a:11:03 domain 101
        Deletes the sWWN and domain ID of a switch from the configured database list.

Step 4  switch(config-fabric-binding)# exit
        switch(config)#
        Exits the fabric binding submode.

Fabric Binding Activation

The fabric binding feature maintains a configuration database (config-database) and an active database. The config-database is a read-write database that collects the configurations you perform. These configurations are only enforced upon activation. This activation overwrites the active database with the contents of the config-database. The active database is read-only and is the database that checks each switch that attempts to log in.

By default, the fabric binding feature is not activated. You cannot activate the fabric binding database on the switch if entries existing in the configured database conflict with the current state of the fabric. For example, one of the already logged in switches may be denied login by the config-database. You can choose to forcefully override these situations.


Note: After activation, any already logged in switch that violates the current active database will be logged out, and all switches that were previously denied login because of fabric binding restrictions are reinitialized.
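An offline comparison of the two databases, as an added example that is not Cisco code: it parses show fabric-binding database output (the VSAN 4 and VSAN 61 rows of Examples 38-1 and 38-2 on this page) and lists what activation would change in the active database. The names parse_show and activation_delta are hypothetical.

```python
import re

# A data row: VSAN, sWWN, then a domain such as 0x66(102) or the word Any.
ROW = re.compile(r"^(\d+)\s+((?:[0-9a-f]{2}:){7}[0-9a-f]{2})\s+"
                 r"(?:0x[0-9a-f]+\((\d+)\)|Any)(\s+\[Local\])?$", re.I)

def parse_show(text):
    """Parse 'show fabric-binding database [active]' into {vsan: {sWWN: domain}}."""
    db = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, rule and [Total ...] lines do not match and are skipped
            domain = int(m.group(3)) if m.group(3) else None  # None means Any
            db.setdefault(int(m.group(1)), {})[m.group(2).lower()] = domain
    return db

def activation_delta(config, active, vsan):
    """List what overwriting the active database with the config database changes."""
    cfg, act = config.get(vsan, {}), active.get(vsan, {})
    both = set(cfg) & set(act)
    return {
        "added": sorted(set(cfg) - set(act)),
        # A dropped switch that is logged in would be logged out on activation.
        "dropped": sorted(set(act) - set(cfg)),
        # Tuples are (sWWN, active domain, configured domain).
        "domain_changed": sorted((w, act[w], cfg[w]) for w in both if cfg[w] != act[w]),
    }

CONFIG_OUT = """\
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
4      21:00:05:30:23:11:11:11         Any
4      21:00:05:30:23:1a:11:03         Any
4      20:00:00:05:30:00:2a:1e   0xea(234) [Local]
61     21:00:05:30:23:1a:11:03    0x19(25)
61     21:00:05:30:23:11:11:11   0x66(102)
61     20:00:00:05:30:00:2a:1e   0xea(234) [Local]
"""
ACTIVE_OUT = """\
61     21:00:05:30:23:1a:11:03    0x19(25)
61     21:00:05:30:23:11:11:11   0x66(102)
61     20:00:00:05:30:00:2a:1e   0xef(239) [Local]
"""

if __name__ == "__main__":
    cfg, act = parse_show(CONFIG_OUT), parse_show(ACTIVE_OUT)
    for vsan in sorted(cfg):
        print(vsan, activation_delta(cfg, act, vsan))
```

Reviewing the "dropped" and "domain_changed" lists before activating shows which peers the new active database would no longer accept as currently bound.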


To activate the fabric binding feature, follow these steps:

 
Step    Command / Purpose

Step 1  switch# config t
        switch(config)#
        Enters configuration mode.

Step 2  switch(config)# fabric-binding activate vsan 10
        Activates the fabric binding database for the specified VSAN.

        switch(config)# no fabric-binding activate vsan 10
        Deactivates the fabric binding database for the specified VSAN.

Forcing Fabric Binding Activation

If the database activation is rejected due to one or more conflicts listed in the previous section, you may decide to proceed with the activation by using the force option.

To forcefully activate the fabric binding database, follow these steps:

 
Step    Command / Purpose

Step 1  switch# config t
        switch(config)#
        Enters configuration mode.

Step 2  switch(config)# fabric-binding activate vsan 3 force
        Activates the fabric binding database for the specified VSAN forcefully, even if the configuration is not acceptable.

        switch(config)# no fabric-binding activate vsan 3 force
        Reverts to the previously configured state or to the factory default (if no state is configured).

Saving Fabric Binding Configurations

When you save the fabric binding configuration, the config database is saved to the running configuration.


Caution: You cannot disable fabric binding in a FICON-enabled VSAN.

Use the fabric-binding database copy vsan command to copy from the active database to the config database. If the configured database is empty, this command is not accepted.

switch# fabric-binding database copy vsan 1

Use the fabric-binding database diff active vsan command to view the differences between the active database and the config database. This command can be used when resolving conflicts.

switch# fabric-binding database diff active vsan 1

Use the fabric-binding database diff config vsan command to obtain information on the differences between the config database and the active database.

switch# fabric-binding database diff config vsan 1

Use the copy running-config startup-config command to save the running configuration to the startup configuration so that the fabric binding config database is available after a reboot.

switch# copy running-config startup-config

Clearing the Fabric Binding Statistics

Use the clear fabric-binding statistics command to clear all existing statistics from the fabric binding database for a specified VSAN.

switch# clear fabric-binding statistics vsan 1

Deleting the Fabric Binding Database

Use the no fabric-binding command in configuration mode to delete the configured database for a specified VSAN.

switch(config)# no fabric-binding database vsan 10

Verifying Fabric Binding Configurations

Use the show commands to display all fabric binding information configured on this switch (see Examples 38-1 to 38-9).

Example 38-1 Displays Configured Fabric Binding Database Information

switch# show fabric-binding database
--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
1      21:00:05:30:23:11:11:11   0x66(102)
1      21:00:05:30:23:1a:11:03    0x19(25)
1      20:00:00:05:30:00:2a:1e   0xea(234) [Local]
4      21:00:05:30:23:11:11:11         Any
4      21:00:05:30:23:1a:11:03         Any
4      20:00:00:05:30:00:2a:1e   0xea(234) [Local]
61     21:00:05:30:23:1a:11:03    0x19(25)
61     21:00:05:30:23:11:11:11   0x66(102)
61     20:00:00:05:30:00:2a:1e   0xea(234) [Local]
[Total 7 entries]

Example 38-2 Displays Active Fabric Binding Information

switch# show fabric-binding database active
--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
1      21:00:05:30:23:11:11:11   0x66(102)
1      21:00:05:30:23:1a:11:03    0x19(25)
1      20:00:00:05:30:00:2a:1e   0xea(234) [Local]
61     21:00:05:30:23:1a:11:03    0x19(25)
61     21:00:05:30:23:11:11:11   0x66(102)
61     20:00:00:05:30:00:2a:1e   0xef(239) [Local]

Example 38-3 Displays Configured VSAN-Specific Fabric Binding Information

switch# show fabric-binding database vsan 4
--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
4      21:00:05:30:23:11:11:11          Any
4      21:00:05:30:23:1a:11:03          Any
4      20:00:00:05:30:00:2a:1e   0xea(234) [Local]
[Total 2 entries]

Example 38-4 Displays Active VSAN-Specific Fabric Binding Information

switch# show fabric-binding database active vsan 61
--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
61     21:00:05:30:23:1a:11:03    0x19(25)
61     21:00:05:30:23:11:11:11   0x66(102)
61     20:00:00:05:30:00:2a:1e   0xef(239) [Local]
[Total 3 entries]

Example 38-5 Displays Fabric Binding Statistics

switch# show fabric-binding statistics
Statistics For VSAN: 1
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0

Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 4
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0

Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 61
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0

Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 345
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0

Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 346
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0

Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 347
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0

Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 348
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0

Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 789
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0

Total Logins permitted  : 0
Total Logins denied     : 0
Statistics For VSAN: 790
------------------------
Number of sWWN permit: 0
Number of sWWN deny  : 0

Total Logins permitted  : 0
Total Logins denied     : 0

Example 38-6 Displays Fabric Binding Status for Each VSAN

switch# show fabric-binding status
VSAN 1 :Activated database
VSAN 4 :No Active database
VSAN 61 :Activated database
VSAN 345 :No Active database
VSAN 346 :No Active database
VSAN 347 :No Active database
VSAN 348 :No Active database
VSAN 789 :No Active database
VSAN 790 :No Active database

Example 38-7 Displays Fabric Binding Violations

switch# show fabric-binding violations
------------------------------------------------------------------------------- 
VSAN Switch WWN [domain]     Last-Time             [Repeat count] Reason 
------------------------------------------------------------------------------- 
2    20:00:00:05:30:00:4a:1e [0xeb] Nov 25 05:46:14 2003   [2]    Domain mismatch 
3    20:00:00:05:30:00:4a:1e [*] Nov 25 05:44:58 2003      [2]    sWWN not found 
4    20:00:00:05:30:00:4a:1e [*] Nov 25 05:46:25 2003      [1]    Database mismatch 


Note: In VSAN 3, the sWWN itself was not found in the list. In VSAN 2, the sWWN was found in the list, but has a domain ID mismatch.


Example 38-8 Displays EFMD Statistics

switch# show fabric-binding efmd statistics

EFMD Protocol Statistics for VSAN 1
----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts  -> Transmitted : 0 , Received : 0
Merge Rejects  -> Transmitted : 0 , Received : 0
Merge Busy     -> Transmitted : 0 , Received : 0
Merge Errors   -> Transmitted : 0 , Received : 0

EFMD Protocol Statistics for VSAN 4
----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts  -> Transmitted : 0 , Received : 0
Merge Rejects  -> Transmitted : 0 , Received : 0
Merge Busy     -> Transmitted : 0 , Received : 0
Merge Errors   -> Transmitted : 0 , Received : 0

EFMD Protocol Statistics for VSAN 61
----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts  -> Transmitted : 0 , Received : 0
Merge Rejects  -> Transmitted : 0 , Received : 0
Merge Busy     -> Transmitted : 0 , Received : 0
Merge Errors   -> Transmitted : 0 , Received : 0

Example 38-9 Displays EFMD Statistics for a Specified VSAN

switch# show fabric-binding efmd statistics vsan 4

EFMD Protocol Statistics for VSAN 4
----------------------------------------
Merge Requests -> Transmitted : 0 , Received : 0
Merge Accepts  -> Transmitted : 0 , Received : 0
Merge Rejects  -> Transmitted : 0 , Received : 0
Merge Busy     -> Transmitted : 0 , Received : 0
Merge Errors   -> Transmitted : 0 , Received : 0

Default Settings

Table 38-2 lists the default settings for the fabric binding feature.

Table 38-2 Default Fabric Binding Settings 

Parameters        Default

Fabric binding    Disabled.