
Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to Different FCoE Transit Switches)

This example shows how to configure VN_Port to VN_Port (VN2VN_Port) FIP snooping when the hosts are directly connected to different FCoE transit switches, and the transit switches are directly connected to each other.

Note:

This example uses the Junos OS Enhanced Layer 2 Software (ELS) configuration style for QFX Series switches. For ELS details, see Using the Enhanced Layer 2 Software CLI.

VN2VN_Port FIP snooping on an FCoE transit switch provides security to help prevent unauthorized access and data transmission on a bridge that connects ENodes in the Ethernet network. VN2VN_Port FIP snooping provides security for virtual links by creating filters based on information gathered (snooped) about FCoE devices during FIP transactions.

VN2VN_Port FIP snooping is conceptually similar to VN2VF_Port FIP snooping between VN_Ports and VF_Ports, but VN2VN_Port FIP snooping does not require traffic between VN_Ports to traverse the Fibre Channel (FC) switch or FCoE forwarder (FCF). Instead, a VN_Port communicates transparently through one or more transit switches on a virtual link that emulates a direct connection to the VN_Port at the other end of the virtual link.

To configure VN2VN_Port FIP snooping when the hosts are directly connected to different FCoE transit switches, and the transit switches are directly connected to each other, you must follow these configuration rules:

  • VN2VN_Port traffic must use a dedicated FCoE VLAN, and all ENodes that communicate using VN2VN_Port FIP snooping must use that FCoE VLAN. The FCoE VLAN must be configured on each transit switch. You cannot mix VN2VN_Port FIP snooping traffic with VN2VF_Port FIP snooping traffic in the same FCoE VLAN.

    Note:

    An FCoE VLAN can support either VN2VF_Port FIP snooping or VN2VN_Port FIP snooping, but not both. Configure separate FCoE VLANs for VN2VF_Port FIP snooping traffic and for VN2VN_Port FIP snooping traffic. On FCoE VLANs that are configured as VN2VN_Port FIP snooping VLANs, VN2VF_Port traffic is dropped.

  • ENode-facing ports must be set in trunk interface mode.

  • ENode-facing ports must be untrusted ports.

  • Network-facing (switch-facing) ports must be set in trunk interface mode.

  • Network-facing ports must be FCoE trusted ports.

  • Explicitly configure the beacon period. The beacon period is essentially a keepalive timer for virtual link maintenance.

When you enable VN2VF_Port FIP snooping, the system snoops VN_Port to VF_Port packets and enforces security only on VN_Port to VF_Port virtual links. When you enable VN2VN_Port FIP snooping, the system snoops VN_Port to VN_Port packets and enforces security only on VN_Port to VN_Port virtual links.

The transit switch applies VN2VN_Port FIP snooping filters at the ports associated with the FCoE VLANs on which you enable VN2VN FIP snooping.

This example describes how to configure VN2VN_Port FIP snooping when the FCoE hosts are directly connected to different transit switches, and the transit switches are directly connected to each other.

Requirements

This example uses the following hardware and software components:

  • Two Juniper Networks QFX5100 Switches running the ELS CLI and used as transit switches

  • Junos OS Release 13.2 or later for the QFX Series

  • Two FCoE hosts that have ENodes

Overview

This example shows you how to:

  • Set the correct interface mode on the transit switch.

  • Configure the interfaces to use the dedicated FCoE VLAN for VN2VN_Port FIP snooping.

  • Configure the network-facing interfaces as FCoE trusted interfaces.

  • Configure the dedicated FCoE VLAN for VN2VN_Port FIP snooping traffic.

  • Enable VN2VN_Port FIP snooping on the FCoE VLAN and configure the beacon period.

Topology

Table 1 shows the configuration components for this example.

Table 1: Components of the VN2VN_Port FIP Snooping Configuration Topology (FCoE Hosts Directly Connected to Different FCoE Transit Switches)

Component

Settings

Hardware

Two QFX5100 switches running the ELS CLI (FCoE transit switch TS1 and FCoE transit switch TS2)

Two FCoE hosts that have ENodes (ENode1 and ENode2, respectively)

Interfaces and interface mode

  • Interface xe-0/0/20, interface mode trunk, connects directly from transit switch TS1 to the FCoE host with ENode1.

  • Interface xe-0/0/21, interface mode trunk, connects directly from transit switch TS1 to transit switch TS2.

  • Interface xe-0/0/31, interface mode trunk, connects directly from transit switch TS2 to transit switch TS1.

  • Interface xe-0/0/30, interface mode trunk, connects directly from transit switch TS2 to the FCoE host with ENode2.

Interface VLAN membership

The interfaces on both transit switches use VLAN vlan200.

VN2VN_Port FIP snooping VLAN

VLAN name (both transit switches)—vlan200

VLAN ID—200

FIP snooping mode and beacon period

Set examine-vn2vn (VN2VN_Port FIP snooping)

Beacon period—90000 ms

Figure 1 shows the network topology for this example.

Figure 1: VN2VN_Port FIP Snooping (FCoE Hosts Connected to Different Transit Switches) Topology

Configuration

To configure VN2VN_Port FIP snooping for VN_Ports that are directly connected to different transit switches (and the transit switches are directly connected to each other), perform these tasks:

CLI Quick Configuration

To quickly configure VN2VN_Port FIP snooping for FCoE hosts connected directly to different transit switches, copy the following commands, paste them in a text file, remove line breaks, change variables and details to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

The configuration for each FCoE transit switch is shown separately.

To configure FCoE transit switch TS1:

To configure FCoE transit switch TS2:

Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS1

Step-by-Step Procedure

To configure interface mode, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, set the network-facing port as FCoE trusted, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:

  1. Configure the modes of the interfaces that connect directly to the FCoE host with ENode1 (xe-0/0/20) and to FCoE transit switch TS2 (xe-0/0/21):

  2. Configure the interface VLAN membership so that the interfaces are members of the dedicated VN2VN_Port VLAN (vlan200):

  3. Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:

  4. Configure the network-facing port (xe-0/0/21) as an FCoE trusted port:

  5. Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:

Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS2

Step-by-Step Procedure

To configure interface mode, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, set the network-facing port as FCoE trusted, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:

  1. Configure the modes of the interfaces that connect directly to the FCoE host with ENode2 (xe-0/0/30) and to FCoE transit switch TS1 (xe-0/0/31):

  2. Configure the interface VLAN membership so that the interfaces are members of the dedicated VN2VN_Port VLAN (vlan200):

  3. Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:

  4. Configure the network-facing port (xe-0/0/31) as an FCoE trusted port:

  5. Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:
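The five steps for TS1 and for TS2, written out as ELS-style set commands entered at the [edit] hierarchy level. This is an added example, not the command listing from the original page; the interface names, VLAN, and beacon period come from Table 1, and logical unit 0 on each interface is an assumption.

```junos
# Added example. Values are from Table 1; logical unit 0 is an assumption.

# --- FCoE transit switch TS1 ---
# Step 1: trunk mode on the ENode-facing (xe-0/0/20) and network-facing (xe-0/0/21) ports
set interfaces xe-0/0/20 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/21 unit 0 family ethernet-switching interface-mode trunk
# Step 2: both ports join the dedicated VN2VN_Port VLAN
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
# Step 3: the FCoE VLAN dedicated to VN2VN_Port traffic
set vlans vlan200 vlan-id 200
# Step 4: only the switch-facing port is FCoE trusted; xe-0/0/20 gets no
# fcoe-trusted statement, so the ENode-facing port remains untrusted
set vlans vlan200 forwarding-options fip-security interface xe-0/0/21 fcoe-trusted
# Step 5: VN2VN_Port FIP snooping with an explicit beacon period (milliseconds)
set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000

# --- FCoE transit switch TS2 ---
# Step 1: trunk mode on the ENode-facing (xe-0/0/30) and network-facing (xe-0/0/31) ports
set interfaces xe-0/0/30 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/31 unit 0 family ethernet-switching interface-mode trunk
# Step 2: both ports join the dedicated VN2VN_Port VLAN
set interfaces xe-0/0/30 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/31 unit 0 family ethernet-switching vlan members vlan200
# Step 3: the same FCoE VLAN must exist on each transit switch
set vlans vlan200 vlan-id 200
# Step 4: only the switch-facing port is FCoE trusted; xe-0/0/30 remains untrusted
set vlans vlan200 forwarding-options fip-security interface xe-0/0/31 fcoe-trusted
# Step 5: same snooping mode and beacon period as TS1
set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000
```

When reviewing a deployed configuration against the rules above, confirm that the fcoe-trusted statement names only the switch-facing port on each transit switch and that vlan200 carries examine-vn2vn without a VN2VF_Port snooping mode on the same VLAN.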

Verification

To verify that the VN2VN_Port FIP snooping configuration has been created and is operating properly on both switches, perform these tasks:

Verifying That VN2VN_Port FIP Snooping is Enabled on the FCoE VLAN (Transit Switches TS1 and TS2)

Purpose

Verify that VN2VN_Port FIP snooping is enabled on the correct VLAN (vlan200), that the beacon period is set to 90000 milliseconds, and that the correct interfaces (xe-0/0/20 and xe-0/0/21 on TS1, and xe-0/0/30 and xe-0/0/31 on TS2) are members of the VLAN.

Action

List the FIP snooping information on transit switch TS1 using the operational mode command show fip snooping detail.

List the FIP snooping information on transit switch TS2 using the operational mode command show fip snooping detail.

Meaning

The show fip snooping detail command lists all of the transit switch information about VN2VN_Port FIP snooping and VN2VF_Port FIP snooping on each transit switch. The command shows that:

  • The VLAN is vlan200.

  • The mode is FIP snooping mode VN2VN, for VN2VN_Port FIP snooping. (If the Mode field shows VN2VF, then the FIP snooping mode is VN2VF_Port FIP snooping.)

  • The beacon period is 90000.

  • The interfaces connected to the ENodes are xe-0/0/20 and xe-0/0/21 on transit switch TS1, and xe-0/0/30 and xe-0/0/31 on transit switch TS2. Because the transit switches are transparent passthrough switches, the network-facing trunk ports “see” the FCoE host ENodes at the far end of the VN2VN_Port virtual link.

In addition, this useful command shows information about the ENodes and the VN2VN_Port sessions.