
Configuring VN2VF_Port FIP Snooping and FCoE Trusted Interfaces on an FCoE Transit Switch

Summary

On a Fibre Channel (FC) over Ethernet (FCoE) transit switch, VN_Port to VF_Port FCoE Initialization Protocol (FIP) snooping sets up firewall filters to prevent unauthorized access through the transit switch to an FC switch or FCoE forwarder (FCF). You configure FIP snooping using different commands on FCoE transit switches that use the Enhanced Layer 2 Software (ELS) configuration style than on switches that don’t use ELS.

Considerations When Configuring VN2VF_Port FIP Snooping

VN_Port to VF_Port (VN2VF_Port) Fibre Channel over Ethernet (FCoE) Initialization Protocol (FIP) snooping uses information gathered during FIP discovery and login to create firewall filters that provide security against unauthorized access to the FC switch or FCoE forwarder (FCF) through the switch when the switch is acting as an FCoE transit switch. The firewall filters allow only FCoE devices that successfully log in to the FC fabric to access the FCF through the transit switch. VN2VF_Port FIP snooping provides security for the point-to-point virtual links that connect host FCoE Nodes (ENodes) and FCFs in the FCoE VLAN by denying access to any device that does not successfully log in to the FCF.

VN2VF_Port FIP snooping is disabled by default. You enable VN2VF_Port FIP snooping on a per-VLAN basis for VLANs that carry FCoE traffic. Ensure that a VLAN that carries FCoE traffic carries only FCoE traffic, because enabling VN2VF_Port FIP snooping denies access for all other Ethernet traffic.

Note

All of the transit switch ports are untrusted by default. If an ENode on an FCoE device logs in to an FCF before you enable VN2VF_Port FIP snooping on the VLAN and you then enable VN2VF_Port FIP snooping, the transit switch denies traffic from the ENode because the transit switch has not snooped (learned) the ENode state. The following process automatically logs the ENode back in to the FCF to reestablish the connection:

  1. VN2VF_Port FIP snooping is enabled on an FCoE VLAN on the switch.
  2. The switch denies existing connections between servers and the FCF on the FCoE VLAN by filtering the FCoE traffic and FIP traffic, so no keepalive messages from the ENodes reach the FCF.
  3. The FCF port timer for each ENode and for each VN_Port on each ENode expires.
  4. The FCF sends each ENode whose port timer has expired a Clear Virtual Links (CVL) message.
  5. The CVL message causes the ENode to log in again.

Because the FCF is a trusted source, you configure interfaces that connect to the FCF as FCoE trusted interfaces. FCoE trusted interfaces do not filter traffic (FIP snooping filtering should occur only at the FCoE access edge), but VN2VF_Port FIP snooping continues to run on trusted interfaces so that the switch learns the FCF state.

Note

Do not configure ENode-facing interfaces both with FIP snooping enabled and as trusted interfaces. FCoE VLANs with interfaces that are directly connected to FCoE hosts should be configured with FIP snooping enabled and the interfaces should not be trusted interfaces. Ethernet interfaces that are connected to an FCF should be configured as trusted interfaces and should not have FIP snooping enabled. Interfaces that are connected to a transit switch that is performing FIP snooping can be configured as trusted interfaces if the FCoE VLAN is not enabled for FIP snooping.

Optionally, you can specify an FC-MAP value for each FCoE VLAN. On a given FCoE VLAN, the switch learns only FCFs that have a matching FC-MAP value. The default FC-MAP value is 0EFC00h for all FC devices. (Enter FC-MAP values in hexadecimal, preceded by the hexadecimal indicator “0x”; for example, 0x0EFC00.) If you change the FC-MAP value of an FCF, change the FC-MAP value for the FCoE VLAN it belongs to on the switch and on the servers that you want to communicate with the FCF. An FCoE VLAN can have one and only one FC-MAP value.

Note

The default enhanced FIP snooping scaling supports 2,500 sessions. On QFabric systems, starting with Junos OS Release 13.2X52, you can disable enhanced FIP snooping scaling on a per-VLAN basis if you want to do so, but only 376 sessions are supported if you disable enhanced FIP snooping scaling.

There are some differences in the CLI commands you use to configure FIP snooping and FCoE trusted interfaces on a transit switch depending on whether the switch uses the Enhanced Layer 2 Software (ELS) configuration style or the original non-ELS CLI.

Configure VN2VF_Port FIP Snooping on ELS FCoE Transit Switches

Configure the following to enable VN2VF_Port FIP snooping on FCoE transit switches that run the Enhanced Layer 2 Software (ELS) CLI:

  • Enable VN2VF_Port FIP snooping on a VLAN and optionally specify the FC-MAP value:

    [edit]

    user@switch# set vlans vlan-name forwarding-options fip-security fc-map fc-map-value examine-vn2vf
    For example, to enable VN2VF_Port FIP snooping on a VLAN named san1_vlan and change the FC-MAP value to 0x0EFC03:

    [edit]

    user@switch# set vlans san1_vlan forwarding-options fip-security fc-map 0x0EFC03 examine-vn2vf

    Note

    Changing the FC-MAP value causes all logins to drop and forces ENodes to log in again.

  • Configure an interface as an FCoE trusted interface:

    [edit]

    user@switch# set vlans vlan-name forwarding-options fip-security interface interface-name fcoe-trusted
    For example, to configure interface xe-0/0/30 on VLAN named san1_vlan as an FCoE trusted interface:

    [edit]

    user@switch# set vlans san1_vlan forwarding-options fip-security interface xe-0/0/30 fcoe-trusted

Configure VN2VF_Port FIP Snooping on non-ELS FCoE Transit Switches

Configure either of the following to enable VN2VF_Port FIP snooping on FCoE transit switches that don’t use ELS, depending on whether you want to specify an FC-MAP value or use the default FC-MAP value:

  • To enable VN2VF_Port FIP snooping on a single VLAN and specify the optional FC-MAP value:

    [edit ethernet-switching-options secure-access-port]

    user@switch# set vlan vlan-name examine-fip fc-map fc-map-value
    For example, to enable VN2VF_Port FIP snooping on a VLAN named san1_vlan and change the FC-MAP value to 0x0EFC03:

    [edit ethernet-switching-options secure-access-port]

    user@switch# set vlan san1_vlan examine-fip fc-map 0x0EFC03

    Note

    Changing the FC-MAP value causes all logins to drop and forces ENodes to log in again.

  • To enable VN2VF_Port FIP snooping on all VLANs and use the default FC-MAP value:

    [edit ethernet-switching-options secure-access-port]

    user@switch# set vlan all examine-fip

  • Configure an interface as an FCoE trusted interface:

    [edit ethernet-switching-options secure-access-port]

    user@switch# set interface interface-name fcoe-trusted
    For example, to configure interface xe-0/0/30 as an FCoE trusted interface:

    [edit ethernet-switching-options secure-access-port]

    user@switch# set interface xe-0/0/30 fcoe-trusted
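Both CLI styles above, as an added Python helper that is not Juniper's code: it validates the 0x-prefixed FC-MAP format, renders the top-level set commands for one FCoE VLAN in either the ELS or the non-ELS style, and checks interface trust against the note that ENode-facing interfaces must not be trusted while FCF-facing interfaces must be. The interface names and roles are constructed, and emitting fc-map explicitly even at its default value is an assumption.

```python
import re

# Default FC-MAP for all FC devices (0EFC00h), written with the 0x prefix.
DEFAULT_FC_MAP = "0x0EFC00"


def normalize_fc_map(value):
    """Validate a 24-bit FC-MAP written as 0x plus six hex digits; return it upper-cased."""
    m = re.fullmatch(r"0x([0-9a-fA-F]{6})", value)
    if not m:
        raise ValueError(f"FC-MAP must be 0x followed by 6 hex digits, got {value!r}")
    return "0x" + m.group(1).upper()


def check_trust_roles(roles, trusted):
    """roles: {interface: 'enode' | 'fcf'}; trusted: set of fcoe-trusted interface names.
    Returns the rule violations for a VLAN on which FIP snooping is enabled."""
    problems = []
    for ifname, role in roles.items():
        if role == "enode" and ifname in trusted:
            problems.append(f"{ifname}: ENode-facing interface must not be fcoe-trusted")
        if role == "fcf" and ifname not in trusted:
            problems.append(f"{ifname}: FCF-facing interface should be fcoe-trusted")
    return problems


def fip_snooping_config(vlan, roles, fc_map=DEFAULT_FC_MAP, els=True):
    """Build the set commands for one FCoE VLAN; trust is derived from the role
    (only FCF-facing interfaces become fcoe-trusted)."""
    fc_map = normalize_fc_map(fc_map)
    trusted = sorted(i for i, r in roles.items() if r == "fcf")
    if els:
        base = f"set vlans {vlan} forwarding-options fip-security"
        cmds = [f"{base} fc-map {fc_map} examine-vn2vf"]
        cmds += [f"{base} interface {i} fcoe-trusted" for i in trusted]
    else:
        base = "set ethernet-switching-options secure-access-port"
        cmds = [f"{base} vlan {vlan} examine-fip fc-map {fc_map}"]
        cmds += [f"{base} interface {i} fcoe-trusted" for i in trusted]
    return cmds


if __name__ == "__main__":
    # Constructed sample: one FCF-facing uplink and two server-facing (ENode) ports.
    roles = {"xe-0/0/30": "fcf", "xe-0/0/1": "enode", "xe-0/0/2": "enode"}
    print("\n".join(fip_snooping_config("san1_vlan", roles, "0x0EFC03")))
    # A mis-set trust list (ENode port trusted, FCF port not) is flagged.
    print(check_trust_roles(roles, {"xe-0/0/1"}))
```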