Cisco Nexus 5500 Series NX-OS SAN Switching Configuration Guide, Release 7.x
Configuring Fabric Binding

This chapter describes how to configure fabric binding.

Information About Fabric Binding

Fabric binding ensures that Inter-Switch Links (ISLs) are only enabled between specified switches in the fabric. Fabric binding is configured on a per-VSAN basis.

This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. It uses the Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of authorized switches is identical in all switches in the fabric.

Licensing Requirements for Fabric Binding

Fabric Binding requires the Storage Protocol Services license.

Port Security Versus Fabric Binding

Port security and fabric binding are two independent features that can be configured to complement each other. The following table compares the two features.

Table 1 Fabric Binding and Port Security Comparison

| Fabric Binding | Port Security |
|---|---|
| Uses a set of sWWNs and a persistent domain ID. | Uses pWWNs/nWWNs or fWWNs/sWWNs. |
| Binds the fabric at the switch level. | Binds devices at the interface level. |
| Authorizes only the configured sWWN stored in the fabric binding database to participate in the fabric. | Allows a preconfigured set of Fibre Channel devices to logically connect to a SAN port. The switch port, identified by a WWN or interface number, connects to a Fibre Channel device (a host or another switch), also identified by a WWN. By binding these two devices, you lock these two ports into a group (or list). |
| Requires activation per VSAN. | Requires activation per VSAN. |
| Allows specific user-defined switches that are allowed to connect to the fabric, regardless of the physical port to which the peer switch is connected. | Allows specific user-defined physical ports to which another device can connect. |
| Does not learn about switches that are logging in. | Learns about switches or devices that are logging in if learning mode is enabled. |
| Cannot be distributed by Cisco Fabric Services (CFS) and must be configured manually on each switch in the fabric. | Can be distributed by CFS. |

Port-level checking for xE ports is as follows:

  • The switch login uses both port security binding and fabric binding for a given VSAN.
  • Binding checks are performed on the port VSAN as follows:
    • E port security binding check on the port VSAN
    • TE port security binding check on each allowed VSAN

While port security complements fabric binding, they are independent features that you can enable or disable separately.

Fabric Binding Enforcement

You must enable fabric binding in each switch in the fabric that participates in the fabric binding. By default, this feature is disabled. The configuration and verification commands for the fabric binding feature are only available when fabric binding is enabled on a switch. When you disable this configuration, all related configurations are automatically discarded.

To enforce fabric binding, configure the switch world wide name (sWWN) to specify the xE port connection for each switch. Enforcement of fabric binding policies is done on every activation and when the port tries to come up. For a Fibre Channel VSAN, the fabric binding feature requires all sWWNs connected to a switch to be part of the fabric binding active database.

Configuring Fabric Binding

The fabric binding feature ensures ISLs are only enabled between specified switches in the fabric binding configuration. Fabric binding is configured per VSAN.

Configuring Fabric Binding

You can configure fabric binding in each switch in the fabric.

Procedure
    Step 1   Enable the fabric configuration feature.
    Step 2   Configure a list of sWWNs and their corresponding domain IDs for devices that are allowed to access the fabric.
    Step 3   Activate the fabric binding database.
    Step 4   Copy the fabric binding active database to the fabric binding configuration database.
    Step 5   Save the fabric binding configuration.
    Step 6   Verify the fabric binding configuration.

Enabling Fabric Binding

You can enable fabric binding on any participating switch.

Procedure

Step 1   configure terminal
    Purpose: Enters global configuration mode.
    Example:
        switch# configure terminal
        switch(config)#

Step 2   fabric-binding enable
    Purpose: Enables fabric binding on that switch.
    Example:
        switch(config)# fabric-binding enable

Step 3   no fabric-binding enable
    Purpose: Disables (default) fabric binding on that switch.
    Example:
        switch(config)# no fabric-binding enable

Switch WWN Lists

A user-specified fabric binding list contains a list of switch WWNs (sWWNs) within a fabric. If an sWWN attempts to join the fabric, and that sWWN is not on the list or the sWWN is using a domain ID that differs from the one specified in the allowed list, the ISL between the switch and the fabric is automatically isolated in that VSAN and the switch is denied entry into the fabric.

Configuring Switch WWN List

To configure a list of sWWNs and optional domain IDs for a Fibre Channel VSAN, perform this task:

Procedure

Step 1   configure terminal
    Purpose: Enters global configuration mode.
    Example:
        switch# configure terminal
        switch(config)#

Step 2   fabric-binding database vsan vsan-id
    Purpose: Enters the fabric binding submode for the specified VSAN.
    Example:
        switch(config)# fabric-binding database vsan 35

Step 3   no fabric-binding database vsan vsan-id
    Purpose: Deletes the fabric binding database for the specified VSAN.
    Example:
        switch(config)# no fabric-binding database vsan 35

Step 4   swwn swwn-id domain domain-id
    Purpose: Adds the sWWN of another switch for a specific domain ID to the configured database list.
    Example:
        switch(config-fabric-binding)# swwn 21:00:05:30:23:1a:11:03 domain 25

Step 5   no swwn swwn-id domain domain-id
    Purpose: Deletes the sWWN and domain ID of a switch from the configured database list.
    Example:
        switch(config-fabric-binding)# no swwn 21:00:05:30:23:1a:11:03 domain 25

Fabric Binding Activation and Deactivation

Fabric binding maintains a configuration database (config database) and an active database. The config database is a read-write database that collects the configurations that you perform. These configurations are only enforced upon activation. This activation overwrites the active database with the contents of the config database. The active database is read-only and is the database that checks each switch that attempts to log in.

By default, the fabric binding feature is not activated. You cannot activate the fabric binding database on the switch if entries existing in the config database conflict with the current state of the fabric. For example, one of the already logged in switches might be denied login by the config database. You can choose to forcefully override these situations.

Note: After activation, any already logged in switch that violates the current active database will be logged out, and all switches that were previously denied login because of fabric binding restrictions are reinitialized.
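The checks described under Switch WWN Lists and in this section can be modeled offline as a pre-activation audit that lists which logged-in switches a config database would deny before you activate or force it. This is an added example, not Cisco code: the names Peer, check_peer, activation_conflicts and activate are hypothetical, and the sample database and peer list are constructed.

```python
from dataclasses import dataclass

HEX = set("0123456789abcdef")

@dataclass(frozen=True)
class Peer:
    swwn: str    # switch WWN of an ISL peer
    domain: int  # domain ID that peer uses in this VSAN

def normalize(swwn):
    """Lower-case and validate an 8-byte colon-separated WWN."""
    parts = swwn.strip().lower().split(":")
    if len(parts) != 8 or any(len(p) != 2 or not set(p) <= HEX for p in parts):
        raise ValueError(f"malformed WWN: {swwn!r}")
    return ":".join(parts)

def check_peer(database, peer):
    """Return None if the peer is authorized, else the violation reason.
    `database` maps normalized sWWN -> allowed domain ID."""
    allowed_domain = database.get(normalize(peer.swwn))
    if allowed_domain is None:
        return "sWWN not found"
    if allowed_domain != peer.domain:
        return "Domain mismatch"
    return None

def activation_conflicts(config_db, logged_in):
    """Logged-in peers that the config database would deny."""
    db = {normalize(w): d for w, d in config_db.items()}
    return [(p, why) for p in logged_in if (why := check_peer(db, p))]

def activate(config_db, logged_in, force=False):
    """Model activation: rejected on conflict unless forced.
    Returns (new active database, peers that get logged out)."""
    conflicts = activation_conflicts(config_db, logged_in)
    if conflicts and not force:
        raise RuntimeError(f"activation rejected: {len(conflicts)} conflict(s)")
    active = {normalize(w): d for w, d in config_db.items()}
    return active, [p for p, _ in conflicts]

# Constructed sample data for one VSAN (not taken from a real fabric).
CONFIG_DB = {"21:00:05:30:23:1A:11:03": 25, "20:00:00:05:30:00:4a:1e": 101}
LOGGED_IN = [
    Peer("21:00:05:30:23:1a:11:03", 25),   # listed, domain matches
    Peer("20:00:00:05:30:00:4a:1e", 235),  # listed, but wrong domain
    Peer("20:00:00:0d:ec:aa:bb:01", 7),    # not in the list
]

if __name__ == "__main__":
    for peer, why in activation_conflicts(CONFIG_DB, LOGGED_IN):
        print(f"would be logged out: {peer.swwn} domain {peer.domain} ({why})")
```

Running the audit before a forced activation shows exactly which ISL peers would be logged out, so the list can be corrected first.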


Activating Fabric Binding

You can activate the fabric binding feature.

Procedure

Step 1   configure terminal
    Purpose: Enters global configuration mode.
    Example:
        switch# configure terminal
        switch(config)#

Step 2   fabric-binding activate vsan vsan-id
    Purpose: Activates the fabric binding database for the specified VSAN.
    Example:
        switch(config)# fabric-binding activate vsan 25

Step 3   no fabric-binding activate vsan vsan-id
    Purpose: Deactivates the fabric binding database for the specified VSAN.
    Example:
        switch(config)# no fabric-binding activate vsan 25

Forcing Fabric Binding Activation

You can forcefully activate the fabric binding database.

If the database activation is rejected due to one or more conflicts listed in the previous section, you might decide to proceed with the activation by using the force option.

Procedure

Step 1   configure terminal
    Purpose: Enters global configuration mode.
    Example:
        switch# configure terminal
        switch(config)#

Step 2   fabric-binding activate vsan vsan-id force
    Purpose: Activates the fabric binding database for the specified VSAN forcefully, even if the configuration is not acceptable.
    Example:
        switch(config)# fabric-binding activate vsan 12 force

Step 3   no fabric-binding activate vsan vsan-id force
    Purpose: Reverts to the previously configured state or to the factory default (if no state is configured).
    Example:
        switch(config)# no fabric-binding activate vsan 12 force

Copying Fabric Binding Configurations

When you copy the fabric binding configuration, the config database is saved to the running configuration.

You can use the following commands to copy to the config database:

• Use the fabric-binding database copy vsan command to copy from the active database to the config database. If the configured database is empty, this command is not accepted.
    switch# fabric-binding database copy vsan 1

• Use the fabric-binding database diff active vsan command to view the differences between the active database and the config database. This command can be used when resolving conflicts.
    switch# fabric-binding database diff active vsan 1

• Use the fabric-binding database diff config vsan command to obtain information on the differences between the config database and the active database.
    switch# fabric-binding database diff config vsan 1

• Use the copy running-config startup-config command to save the running configuration to the startup configuration so that the fabric binding config database is available after a reboot.
    switch# copy running-config startup-config

Clearing the Fabric Binding Statistics

Use the clear fabric-binding statistics command to clear all existing statistics from the fabric binding database for a specified VSAN:

    switch# clear fabric-binding statistics vsan 1

Deleting the Fabric Binding Database

Use the no fabric-binding command in configuration mode to delete the configured database for a specified VSAN:

    switch(config)# no fabric-binding database vsan 10

Verifying the Fabric Binding Configuration

To display fabric binding information, perform one of the following tasks:

| Command | Purpose |
|---|---|
| show fabric-binding database [active] | Displays the configured fabric binding database. You can add the active keyword to display only the active fabric binding database. |
| show fabric-binding database [active] [vsan vsan-id] | Displays the configured fabric binding database for the specified VSAN. |
| show fabric-binding statistics | Displays statistics for the fabric binding database. |
| show fabric-binding status | Displays fabric binding status for all VSANs. |
| show fabric-binding violations | Displays fabric binding violations. |
| show fabric-binding efmd [vsan vsan-id] | Displays the configured fabric binding database for the specified VSAN. |

This example shows how to display the active fabric binding information for VSAN 4:

    switch# show fabric-binding database active vsan 4

This example shows how to display fabric binding violations:

    switch# show fabric-binding violations

    -------------------------------------------------------------------------------
    VSAN Switch WWN [domain]     Last-Time             [Repeat count] Reason
    -------------------------------------------------------------------------------
    2    20:00:00:05:30:00:4a:1e [0xeb] Nov 25 05:46:14 2003   [2]    Domain mismatch
    3    20:00:00:05:30:00:4a:1e [*] Nov 25 05:44:58 2003      [2]    sWWN not found
    4    20:00:00:05:30:00:4a:1e [*] Nov 25 05:46:25 2003      [1]    Database mismatch

Note: In VSAN 3, the sWWN was not found in the list. In VSAN 2, the sWWN was found in the list, but has a domain ID mismatch.
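For monitoring, the violations table can be turned into structured records and totalled per switch. The following parser is an added example, not part of the Cisco guide: it assumes the column layout shown in the sample output above, which is embedded as SAMPLE, and the function names are hypothetical.

```python
import re
from datetime import datetime

# One data row: VSAN, sWWN, [domain or *], timestamp, [repeat count], reason.
ROW = re.compile(
    r"^\s*(?P<vsan>\d+)\s+"
    r"(?P<swwn>(?:[0-9a-f]{2}:){7}[0-9a-f]{2})\s+"
    r"\[(?P<domain>\*|0x[0-9a-f]+)\]\s+"
    r"(?P<when>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+"
    r"\[(?P<count>\d+)\]\s+"
    r"(?P<reason>.+?)\s*$",
    re.IGNORECASE,
)

def parse_violations(text):
    """Parse 'show fabric-binding violations' output; skip headers and rules."""
    records = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        when = " ".join(m["when"].split())  # collapse padding between fields
        records.append({
            "vsan": int(m["vsan"]),
            "swwn": m["swwn"].lower(),
            # '*' means no domain ID was recorded for this violation
            "domain": None if m["domain"] == "*" else int(m["domain"], 16),
            "last_time": datetime.strptime(when, "%b %d %H:%M:%S %Y"),
            "repeat": int(m["count"]),
            "reason": m["reason"],
        })
    return records

def attempts_by_switch(records):
    """Total rejected attempts and affected VSANs for each sWWN."""
    totals = {}
    for r in records:
        entry = totals.setdefault(r["swwn"], {"attempts": 0, "vsans": set()})
        entry["attempts"] += r["repeat"]
        entry["vsans"].add(r["vsan"])
    return totals

# Sample output copied from the example above.
SAMPLE = """\
VSAN Switch WWN [domain]     Last-Time             [Repeat count] Reason
2    20:00:00:05:30:00:4a:1e [0xeb] Nov 25 05:46:14 2003   [2]    Domain mismatch
3    20:00:00:05:30:00:4a:1e [*] Nov 25 05:44:58 2003      [2]    sWWN not found
4    20:00:00:05:30:00:4a:1e [*] Nov 25 05:46:25 2003      [1]    Database mismatch
"""

if __name__ == "__main__":
    for swwn, t in attempts_by_switch(parse_violations(SAMPLE)).items():
        print(swwn, t["attempts"], sorted(t["vsans"]))
```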


This example shows how to display EFMD statistics for VSAN 4:

    switch# show fabric-binding efmd statistics vsan 4
            

Default Settings for Fabric Binding

The following table lists the default settings for the fabric binding feature.

Table 2 Default Fabric Binding Settings

| Parameters | Default |
|---|---|
| Fabric binding | Disabled |