Understanding FCoE Transit Switch Functionality
A Fibre Channel over Ethernet (FCoE) transit switch is a Layer 2 data center bridging (DCB) switch that can transport FCoE frames. When used as an access switch for FCoE devices, the FCoE transit switch implements FCoE Initialization Protocol (FIP) snooping. A DCB switch transports both FCoE and Ethernet LAN traffic over the same network infrastructure while preserving the class of service (CoS) treatment that Fibre Channel (FC) traffic requires.
Starting in Junos OS Release 20.1R1, EX4650-48Y and QFX5120-48Y switches support FIP snooping. In prior releases, EX4650 and QFX5120 switches that don’t support FIP snooping can act as FCoE transit switches, but the FCoE gateway or converged network adapter (CNA) should take care of filtering non-FCoE traffic to FCoE nodes.
QFX10000 switches do not support FIP snooping. You don’t need to enable FIP snooping on aggregation devices because FIP snooping is performed at the FCoE access edge.
Benefits of an FCoE Transit Switch
Supports both storage network and traditional IP-based data communications, transporting both FCoE and Ethernet LAN traffic on the same switch without additional cost of powering, cooling, provisioning, maintaining, and managing your network.
Provides the class of service that Fibre Channel traffic requires.
How FCoE Transit Switches Work
An FCoE transit switch does not encapsulate or de-encapsulate FC frames in Ethernet. It transports FC frames that have already been encapsulated in Ethernet between FCoE initiators such as servers and a storage area network (SAN) FC switch that supports both Ethernet and native FC traffic on its interfaces. The transit switch acts as a pass-through switch and is transparent to the FC switch, which detects each connection to an FCoE device as a direct point-to-point link.
FCoE traffic should use a VLAN dedicated only to FCoE traffic. The Ethernet interfaces that connect to FCoE devices must include a native VLAN to transport FIP traffic, because devices exchange FIP VLAN discovery and notification frames as untagged packets. As a result, we recommend that you keep the native VLAN separate from the VLANs that carry the FCoE traffic. Other types of untagged traffic might use the native VLAN.
Keep the following in mind when setting up FCoE VLANs on FCoE transit switches:
When a switch acts as a transit switch, the VLANs you configure for FCoE traffic can use any of the switch ports because the traffic in both directions is standard Ethernet traffic, not native FC traffic.
On switches and QFabric system Node devices that do not use Enhanced Layer 2 software (ELS), you use only one CLI command to configure the native VLAN on the FCoE interfaces that belong to the FCoE VLAN:
set interfaces interface-name unit unit family ethernet-switching native-vlan-id native-vlan-id
On switches that use ELS software, you use two CLI commands to configure a native VLAN on FCoE interfaces:
Configure the native VLAN on the interface: set interfaces interface-name native-vlan-id vlan-id
Configure the port as a member of the native VLAN: set interfaces interface-name unit unit family ethernet-switching native-vlan-id vlan-id
An FCoE VLAN (any VLAN that carries FCoE traffic) supports only Spanning Tree Protocol (STP) and link aggregation group (LAG) Layer 2 features.
FCoE traffic cannot use a standard LAG because traffic might be hashed to different physical LAG links on different transmissions. This breaks the (virtual) point-to-point link that Fibre Channel traffic requires. If you configure a standard LAG interface for FCoE traffic, FCoE traffic might be rejected by the FC SAN.
QFabric systems support a special LAG called an FCoE LAG, which you can use to transport FCoE traffic and regular Ethernet traffic (traffic that is not FCoE traffic) across the same link aggregation bundle. Standard LAGs use a hashing algorithm to determine which physical link in the LAG is used for a transmission, so communication between two devices might use different physical links in the LAG for different transmissions. An FCoE LAG ensures that FCoE traffic uses the same physical link in the LAG for requests and replies in order to preserve the virtual point-to-point link between the FCoE device converged network adapter (CNA) and the FC SAN switch across the QFabric system Node device. An FCoE LAG does not provide load balancing or link redundancy for FCoE traffic. However, regular Ethernet traffic uses the standard hashing algorithm and receives the usual LAG benefits of load balancing and link redundancy in an FCoE LAG.
IGMP snooping is enabled by default on all VLANs in all software versions before Junos OS Release 13.2. You must disable IGMP snooping on FCoE VLANs if you are using software that is older than Junos OS Release 13.2.
On a QFX3500 switch or on a QFabric system Node device, you can’t use the same VLAN in both transit switch mode and FCoE-FC gateway mode. (You can configure QFX3500 switches only in FCoE-FC gateway mode.) If you configure both a transit switch and an FCoE-FC gateway on the same QFX3500 switch or QFabric system Node device, then you must configure different FCoE VLANs for the transit switch and the FCoE-FC gateway.
DCB Lossless Transport on FCoE Transit Switches
To support FCoE traffic, transit switches require DCB configuration to implement the lossless transport of FCoE traffic across the Ethernet portion of the network. On transit switches at the access edge, you enable FIP snooping on the FCoE access ports.
With the exception of Virtual Chassis and mixed-mode Virtual Chassis Fabric (VCF) configurations, switches support the DCB standards for ensuring lossless transport and low latency, and provide 10-Gbps ports for FCoE traffic. VCF configurations that use only QFX5100 switches support DCB standards. For lossless transport to function correctly, you must use priority-based flow control (PFC, described in IEEE 802.1Qbb) to prevent FCoE packet loss during periods of congestion and ensure proper CoS for FCoE traffic.
To accommodate the larger size of Ethernet-encapsulated frames, configure FCoE interfaces with a maximum transmission unit (MTU) size of at least 2180 bytes.
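The following audit sketch is an added example, not Juniper code. It checks ELS set-style configuration lines against two points from this page: the 2180-byte minimum MTU on FCoE interfaces and the recommendation to keep the native VLAN separate from the FCoE VLANs. The interface names, VLAN names and sample configuration are constructed, and the caller is assumed to supply the names of the FCoE VLANs.

```python
MIN_FCOE_MTU = 2180  # minimum MTU this page gives for FCoE interfaces

# Constructed sample configuration (ELS set-style), not taken from a real device.
SAMPLE_CONFIG = """\
set vlans fcoe_vlan vlan-id 100
set vlans native_vlan vlan-id 20
set interfaces xe-0/0/10 mtu 2180
set interfaces xe-0/0/10 native-vlan-id 20
set interfaces xe-0/0/10 unit 0 family ethernet-switching vlan members fcoe_vlan
set interfaces xe-0/0/11 mtu 1514
set interfaces xe-0/0/11 native-vlan-id 100
set interfaces xe-0/0/11 unit 0 family ethernet-switching vlan members fcoe_vlan
set interfaces xe-0/0/12 unit 0 family ethernet-switching vlan members fcoe_vlan
"""

def audit_fcoe_interfaces(config, fcoe_vlans):
    """Return {interface: [findings]} for every interface that carries an FCoE VLAN."""
    vlan_ids, ifaces = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["set", "vlans"] and len(tok) == 5 and tok[3] == "vlan-id":
            vlan_ids[tok[2]] = int(tok[4])
        elif tok[:2] == ["set", "interfaces"] and len(tok) >= 5:
            entry = ifaces.setdefault(tok[2], {"mtu": None, "native": None, "vlans": set()})
            if tok[3] == "mtu":
                entry["mtu"] = int(tok[4])
            elif tok[3] == "native-vlan-id":
                entry["native"] = int(tok[4])
            elif tok[-3:-1] == ["vlan", "members"]:
                entry["vlans"].add(tok[-1])
    findings = {}
    for name, e in sorted(ifaces.items()):
        carried = e["vlans"] & set(fcoe_vlans)
        if not carried:
            continue  # not an FCoE interface, nothing to check
        issues = []
        if e["mtu"] is None or e["mtu"] < MIN_FCOE_MTU:
            issues.append(f"mtu {e['mtu'] or 'unset'} (need at least {MIN_FCOE_MTU})")
        if e["native"] is None:
            issues.append("no native VLAN for untagged FIP VLAN discovery")
        elif e["native"] in {vlan_ids.get(v) for v in carried}:
            issues.append(f"native VLAN {e['native']} is also an FCoE VLAN")
        findings[name] = issues
    return findings
```

An empty list for an interface means it passed both checks.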
FIP Snooping for Filtering at the FCoE Access Edge
At the FCoE access edge, FIP snooping adds security by filtering access. Only traffic from servers that have successfully logged in to the FC network can pass through the transit switch and reach the FC network. The Technical Committee T11 organization specifications describe two types of FIP snooping:
The FC-BB-5 specification describes virtual node port (VN_Port) to virtual fabric port (VF_Port) FIP snooping, which provides security for communication between FCoE device VN_Ports on the Ethernet network and FCoE forwarder or FC switch VF_Ports.
The FC-BB-6 specification describes VN_Port to VN_Port FIP snooping, which provides security for communication between FCoE device VN_Ports on the Ethernet network.
At the access edge, a transit switch transparently connects FCoE-capable devices such as servers in an Ethernet LAN to an FC switch or to a gateway switch (hereafter referred to as the FC switch), as shown in Figure 1. The transit switch acts as a transparent DCB access layer between FCoE servers and the FC switch.
The transit switch performs FIP snooping at the ports connected to the FCoE devices. For VN_Port to VF_Port FIP snooping, at the SAN edge, the FC switch must be able to convert the FCoE traffic to native FC traffic. (VN_Port to VN_Port FIP snooping switches traffic between VN_Ports directly through the transit switch, without going through the FC switch, so no conversion of FCoE traffic to native FC traffic is needed.)
Encapsulated FCoE traffic flows through the transit switch to the FCoE ports on the FC switch. The FC switch removes the Ethernet encapsulation from the FCoE frames to restore the native FC frames. Native FC traffic travels out native FC ports to storage devices in the FC SAN.
Native FC traffic from storage devices flows to the FC switch FC ports, and the FC switch encapsulates that traffic in Ethernet as FCoE traffic. The FCoE traffic flows through the transit switch to the appropriate FCoE device.
The FC switch and FC fabric apply appropriate zoning checks on traffic to and from each FCoE node and provide FC services (for example, name server, fabric login server, or event server).
VN_Port to VN_Port FIP snooping is supported to allow FCoE initiators and targets to communicate directly through the switch without going through an FCoE forwarder or an FC switch. An FCoE VLAN can support either VN_Port to VF_Port FIP snooping (FC-BB-5) or VN_Port to VN_Port FIP snooping (FC-BB-6), but not both. The same switch can have multiple FCoE VLANs configured—some FCoE VLANs for VN_Port to VF_Port FIP snooping traffic and others for VN_Port to VN_Port FIP snooping traffic.
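The access filtering that VN_Port to VF_Port FIP snooping provides can be modeled as a small state table, shown here as an added example that is not Juniper code or the switch's implementation. The frame dictionaries, event names and MAC addresses are constructed for illustration, and the set of known FC switch MAC addresses is assumed to be given.

```python
FIP_ETHERTYPE = 0x8914    # FCoE Initialization Protocol frames
FCOE_ETHERTYPE = 0x8906   # FCoE data frames (the traffic the filter gates)

class FipSnoopingPort:
    """Simplified model of an access port doing VN_Port to VF_Port FIP snooping."""

    def __init__(self, fcf_macs):
        self.fcf_macs = set(fcf_macs)   # assumption: known FC switch MACs upstream
        self.logged_in = set()          # (vn_port_mac, fcf_mac) pairs with a live login

    def snoop_fcf_frame(self, frame):
        """Inspect a frame arriving from the FC switch side and update the filter."""
        if frame["ethertype"] != FIP_ETHERTYPE or frame["src"] not in self.fcf_macs:
            return                      # only FIP from a known FC switch changes state
        pair = (frame["vn_port_mac"], frame["src"])
        if frame["event"] == "login_accept":
            self.logged_in.add(pair)
        elif frame["event"] == "logout_accept":
            self.logged_in.discard(pair)

    def permit_fcoe(self, src, dst):
        """Decide whether an FCoE data frame from the server side is forwarded."""
        return (src, dst) in self.logged_in

# Constructed addresses for the demonstration.
FCF = "02:00:00:00:0f:01"
UNKNOWN = "02:00:00:00:66:66"
VN_PORT = "0e:fc:00:01:0a:01"

def fip(src, event, vn_port_mac):
    """Build a hypothetical, already-decoded FIP frame for the model."""
    return {"ethertype": FIP_ETHERTYPE, "src": src, "event": event,
            "vn_port_mac": vn_port_mac}

def demo():
    port = FipSnoopingPort([FCF])
    results = [port.permit_fcoe(VN_PORT, FCF)]              # before login: dropped
    port.snoop_fcf_frame(fip(UNKNOWN, "login_accept", VN_PORT))
    results.append(port.permit_fcoe(VN_PORT, FCF))          # accept from unknown MAC ignored
    port.snoop_fcf_frame(fip(FCF, "login_accept", VN_PORT))
    results.append(port.permit_fcoe(VN_PORT, FCF))          # after fabric login: forwarded
    results.append(port.permit_fcoe("02:00:00:00:00:99", FCF))  # never logged in: dropped
    port.snoop_fcf_frame(fip(FCF, "logout_accept", VN_PORT))
    results.append(port.permit_fcoe(VN_PORT, FCF))          # after logout: dropped again
    return results
```

The model leaves out frame decoding, keepalive timeouts and VN_Port to VN_Port mode; it shows only the default-deny behavior keyed on a successful fabric login.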
FCoE Transit Switch Between FC Access Edge and FC Switch (FIP Snooping Not Required)
Transit switches don’t need to be FCoE access edge switches. Transit switches can be intermediate switches between a transit switch at the FCoE access edge and the FC switch. In this case, intermediate transit switches don’t need to perform FIP snooping because only the access edge transit switch needs to filter traffic between the FCoE device and the FC network. After processing the traffic once, the FIP snooping filters don't need to filter it again. However, intermediate transit switches must support DCB standards to preserve the lossless transport and other CoS characteristics required for FC traffic.