Related Documentation
- QFX Series
- Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to Different FCoE Transit Switches)
- Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Indirectly Connected Through an Aggregation Layer FCoE Transit Switch)
- Enabling VN2VN_Port FIP Snooping and Configuring the Beacon Period on an FCoE Transit Switch
- Understanding VN_Port to VN_Port FIP Snooping on an FCoE Transit Switch
Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to the Same FCoE Transit Switch)
This example shows how to configure VN_Port to VN_Port (VN2VN_Port) FIP snooping when the hosts are directly connected to the same FCoE transit switch.
VN2VN_Port FIP snooping on an FCoE transit switch provides security to help prevent unauthorized access and data transmission on a bridge that connects ENodes in the Ethernet network. VN2VN_Port FIP snooping provides security for virtual links by creating filters based on information gathered (snooped) about FCoE devices during FIP transactions.
VN2VN_Port FIP snooping is conceptually similar to VN2VF_Port FIP snooping between VN_Ports and VF_Ports, but VN2VN_Port FIP snooping does not require traffic between VN_Ports to traverse the Fibre Channel (FC) switch or FCoE forwarder (FCF). Instead, a VN_Port communicates transparently through the transit switch on a virtual link that emulates a direct connection to the VN_Port at the other end of the virtual link.
To configure VN2VN_Port FIP snooping when the hosts are directly connected to the same FCoE transit switch, you must follow these configuration rules:
- VN2VN_Port traffic must use a dedicated FCoE VLAN, and all ENodes that communicate using VN2VN_Port FIP snooping must use that FCoE VLAN. You cannot mix VN2VN_Port FIP snooping traffic with VN2VF_Port FIP snooping traffic in the same FCoE VLAN.

Note: An FCoE VLAN can support either VN2VF_Port FIP snooping or VN2VN_Port FIP snooping, but not both. Configure separate FCoE VLANs for VN2VF_Port FIP snooping traffic and for VN2VN_Port FIP snooping traffic. On FCoE VLANs that are configured as VN2VN_Port FIP snooping VLANs, VN_Port to VF_Port (FIP snooping) traffic is dropped.
- ENode-facing ports must be set in tagged-access port mode.
- ENode-facing ports must be untrusted ports.
- Network-facing (switch-facing) ports must be set in trunk port mode.
- Network-facing ports must be FCoE trusted ports.
- Explicitly configure the beacon period. The beacon period is essentially a keepalive timer for virtual link maintenance.
When you enable VN2VF_Port FIP snooping, the system snoops VN_Port to VF_Port packets and enforces security only on VN_Port to VF_Port virtual links. When you enable VN2VN_Port FIP snooping, the system snoops VN_Port to VN_Port packets and enforces security only on VN_Port to VN_Port virtual links.
The transit switch applies VN2VN_Port FIP snooping filters at the ports associated with the FCoE VLANs on which you enable VN2VN FIP snooping.
This example describes how to configure VN2VN_Port FIP snooping when the FCoE hosts are directly connected to the same transit switch:
Requirements
This example uses the following hardware and software components:
- One Juniper Networks QFX3500 Switch used as a transit switch
- Junos OS Release 12.2 or later for the QFX Series
- Two FCoE hosts that have ENodes
Overview
This example shows you how to:
- Set the correct interface port modes on the transit switch.
- Configure the interfaces to use the dedicated FCoE VLAN for VN2VN_Port FIP snooping.
- Configure the dedicated FCoE VLAN for VN2VN_Port FIP snooping traffic.
- Enable VN2VN_Port FIP snooping on the FCoE VLAN and configure the beacon period.
Topology
Table 1 shows the configuration components for this example.
Table 1: Components of the VN2VN_Port FIP Snooping Configuration Topology (FCoE Hosts Directly Connected to the Same FCoE Transit Switch)
| Component | Settings |
|---|---|
| Hardware | QFX3500 switch (FCoE transit switch TS1); two FCoE hosts that have ENodes (ENode1 and ENode2, respectively) |
| Interfaces and port modes | |
| Interface VLAN membership | Both interfaces use VLAN vlan200. |
| VN2VN_Port FIP snooping VLAN | VLAN name—vlan200 |
| FIP snooping mode and beacon period | Set examine-vn2vn (VN2VN_Port FIP snooping) |
Figure 1 shows the network topology for this example.
Figure 1: VN2VN_Port FIP Snooping (FCoE Hosts Connected to Same Transit Switch) Topology

Configuration
CLI Quick Configuration
To quickly configure VN2VN_Port FIP snooping for FCoE hosts connected directly to the same transit switch, copy the following commands, paste them in a text file, remove line breaks, change variables and details to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level:
set interfaces xe-0/0/20 unit 0 family ethernet-switching port-mode tagged-access
set interfaces xe-0/0/21 unit 0 family ethernet-switching port-mode tagged-access
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
set vlans vlan200 vlan-id 200
set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to the Same FCoE Transit Switch)
Step-by-Step Procedure
To configure interface port modes, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:
- Configure the port modes of the interfaces that connect directly to the FCoE host ENodes:
user@switch# set interfaces xe-0/0/20 unit 0 family ethernet-switching port-mode tagged-access
user@switch# set interfaces xe-0/0/21 unit 0 family ethernet-switching port-mode tagged-access
- Configure the interface VLAN membership so that the interfaces connected to the ENodes are members of the dedicated VN2VN_Port VLAN (vlan200):
user@switch# set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
user@switch# set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
- Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:
user@switch# set vlans vlan200 vlan-id 200
- Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:
user@switch# set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
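The configuration rules and statements above can be checked offline against a saved set-format configuration before it is committed. The following Python audit is an added example, not Juniper code: the function name audit_vn2vn, the sample text and the extra port xe-0/0/22 are constructed for illustration, and it covers only the rules that can be expressed with the statements shown on this page.

```python
import re

# Constructed input: this page's quick configuration plus one deliberately
# misconfigured port (xe-0/0/22, hypothetical) to show what the audit reports.
SAMPLE_CONFIG = """\
set interfaces xe-0/0/20 unit 0 family ethernet-switching port-mode tagged-access
set interfaces xe-0/0/21 unit 0 family ethernet-switching port-mode tagged-access
set interfaces xe-0/0/22 unit 0 family ethernet-switching port-mode access
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
set vlans vlan200 vlan-id 200
set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
"""

IFL = r"set interfaces (\S+) unit 0 family ethernet-switching "
SAP = r"set ethernet-switching-options secure-access-port "

def audit_vn2vn(config, vlan, enode_ports):
    """Check one FCoE VLAN against the VN2VN_Port rules; return a list of findings."""
    mode = dict(re.findall(IFL + r"port-mode (\S+)", config))        # port -> mode
    members = set(re.findall(IFL + r"vlan members (\S+)", config))   # (port, vlan)
    snoop = re.findall(SAP + rf"vlan {re.escape(vlan)} examine-fip(.*)", config)
    opts = " ".join(snoop).split()      # options that follow examine-fip
    findings = []
    if not re.search(rf"set vlans {re.escape(vlan)} vlan-id \d+", config):
        findings.append(f"{vlan}: no vlan-id configured")
    if "examine-vn2vn" not in opts:
        findings.append(f"{vlan}: VN2VN_Port FIP snooping (examine-vn2vn) not enabled")
    if "beacon-period" not in opts:
        findings.append(f"{vlan}: beacon period not explicitly configured")
    for port in enode_ports:
        if mode.get(port) != "tagged-access":
            findings.append(f"{port}: port mode is {mode.get(port)}, not tagged-access")
        if (port, vlan) not in members:
            findings.append(f"{port}: not a member of {vlan}")
    return findings

if __name__ == "__main__":
    ports = ["xe-0/0/20", "xe-0/0/21", "xe-0/0/22"]
    for finding in audit_vn2vn(SAMPLE_CONFIG, "vlan200", ports):
        print(finding)
```

An empty list means every checked rule holds for the listed ENode-facing ports.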
Verification
To verify that the VN2VN_Port FIP snooping configuration has been created and is operating properly, perform these tasks:
Verifying That VN2VN_Port FIP Snooping is Enabled on the FCoE VLAN
Purpose
Verify that VN2VN_Port FIP snooping is enabled on the correct VLAN (vlan200), the beacon period is set to 90000 milliseconds, and the correct interfaces (xe-0/0/20 and xe-0/0/21) are members of the VLAN.
Action
List the FIP snooping information using the operational mode command show fip snooping detail.
user@switch> show fip snooping detail
VLAN: vlan200, Mode: VN2VN Snooping
FC-MAP: 0e:fd:00
Beacon_Period: 90000
VN2VN Mode: Point-to-Point
Enode Information
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/20
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fd:00:00:0a:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fd:00:00:0b:01
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/21
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fd:00:00:0b:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fd:00:00:0a:01
Meaning
The show fip snooping detail command lists all of the transit switch information about VN2VN_Port FIP snooping and VN2VF_Port FIP snooping. The command shows that:
- The VLAN is vlan200.
- The mode is FIP snooping mode VN2VN, for VN2VN_Port FIP snooping. (If the Mode field shows VN2VF, then the FIP snooping mode is VN2VF_Port FIP snooping.)
- The beacon period is 90000.
- The interfaces for the ENodes are xe-0/0/20 and xe-0/0/21.
In addition, this useful command shows information about the ENodes and the VN2VN_Port sessions.
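The checks in this verification step can be scripted against captured show fip snooping detail output. This Python check is an added example, not part of the Juniper documentation: check_fip_snooping is a hypothetical name, the sample is the output shown above, and the two extra checks (each VN_Port MAC starts with the FC-MAP value, each session has a matching entry at the far end) assume that both hosts are on this switch, as in this example.

```python
import re

# Constructed input: the `show fip snooping detail` output shown on this page.
SAMPLE_OUTPUT = """\
VLAN: vlan200, Mode: VN2VN Snooping
FC-MAP: 0e:fd:00
Beacon_Period: 90000
VN2VN Mode: Point-to-Point
Enode Information
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/20
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fd:00:00:0a:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fd:00:00:0b:01
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/21
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fd:00:00:0b:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fd:00:00:0a:01
"""

def check_fip_snooping(output, vlan, beacon_ms, ports):
    """Parse one VLAN's `show fip snooping detail` block; return a list of findings."""
    head = re.search(r"VLAN: (\S+), Mode: (\S+)", output)
    fc_map = re.search(r"FC-MAP: (\S+)", output)
    beacon = re.search(r"Beacon_Period: (\d+)", output)
    findings, links, seen, port = [], set(), set(), None
    if not head or head[1] != vlan or head[2] != "VN2VN":
        findings.append(f"{vlan}: not in VN2VN snooping mode")
    if not beacon or int(beacon[1]) != beacon_ms:
        findings.append(f"{vlan}: beacon period is not {beacon_ms}")
    for line in map(str.strip, output.splitlines()):
        if m := re.match(r"Enode-MAC: \S+, Interface: (\S+)", line):
            seen.add(m[1])                      # ENode-facing interface
        elif m := re.match(r"VN-Port MAC: (\S+)", line):
            port = m[1]                         # VN_Port the next sessions belong to
            if not (fc_map and port.startswith(fc_map[1])):
                findings.append(f"{port}: VN_Port MAC outside FC-MAP")
        elif m := re.match(r"Vlink far-end VN-Port-MAC: (\S+)", line):
            links.add((port, m[1]))             # (near end, far end) of a virtual link
    if seen != set(ports):
        findings.append(f"{vlan}: ENode interfaces are {sorted(seen)}")
    findings += [f"{a}: no matching session from far end {b}"
                 for a, b in sorted(links) if (b, a) not in links]
    return findings
```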
Verifying the Interface Port Mode
Purpose
Verify that the interface port modes are tagged-access.
Action
List the Ethernet switching interfaces to confirm the port mode using the show ethernet-switching interfaces detail operational command.
Use the operational mode commands show ethernet-switching interfaces xe-0/0/20.0 detail and show ethernet-switching interfaces xe-0/0/21.0 detail to list the Ethernet switching interface information. The output is truncated to show only the relevant portions:
user@switch> show ethernet-switching interfaces xe-0/0/20.0 detail
Interface: xe-0/0/20.0, Index: 75, State: up, Port mode: Tagged-Access . . .
user@switch> show ethernet-switching interfaces xe-0/0/21.0 detail
Interface: xe-0/0/21.0, Index: 83, State: up, Port mode: Tagged-Access . . .
Meaning
The show ethernet-switching interfaces detail command lists the port mode as tagged-access for both interfaces.

