Enabling VN2VN_Port FIP Snooping and Configuring the Beacon Period on an FCoE Transit Switch
VN_Port to VN_Port (VN2VN_Port) FIP snooping on an FCoE transit switch provides security to help prevent unauthorized access and data transmission on a bridge that connects ENodes in the Ethernet network. VN2VN_Port FIP snooping provides security for virtual links by creating filters based on information gathered (snooped) about FCoE devices during FIP transactions.
VN2VN_Port FIP snooping is conceptually similar to VN2VF_Port FIP snooping between VN_Ports and VF_Ports, but VN2VN_Port FIP snooping does not require traffic between VN_Ports to traverse the Fibre Channel (FC) switch or FCoE forwarder (FCF). Instead, a VN_Port communicates transparently through the transit switch on a virtual link that emulates a direct connection to the VN_Port at the other end of the virtual link.
VN2VN_Port FIP snooping is disabled by default. You enable VN2VN_Port FIP snooping on a per-VLAN basis on VLANs that carry VN2VN_Port FCoE traffic. Ensure that the VLAN carries only FCoE traffic between VN_Ports, because enabling VN2VN_Port FIP snooping denies access for all other traffic, including VN2VF_Port FIP snooping traffic.
All ENodes that you want to communicate using VN2VN_Port FIP snooping must use an FCoE VLAN dedicated to VN2VN_Port traffic. You cannot mix VN2VN_Port FIP snooping traffic with VN2VF_Port FIP snooping traffic in the same FCoE VLAN.
An FCoE VLAN can support either VN2VF_Port FIP snooping or VN2VN_Port FIP snooping, but not both. Configure separate FCoE VLANs for VN2VF_Port FIP snooping traffic and for VN2VN_Port FIP snooping traffic. On FCoE VLANs that are configured as VN2VN_Port FIP snooping VLANs, VN2VF_Port traffic is dropped.
The beacon period is conceptually similar to the FIP keepalive period (timer) for VN2VF_Port FIP snooping virtual link maintenance. The beacon period performs virtual link maintenance for VN2VN_Port FIP snooping. It is the time interval between messages that verify the connection is still valid and the device at the other end of the virtual link is still reachable. You set the beacon period value for each FCoE VLAN that you configure to do VN2VN_Port FIP snooping.
In addition to enabling VN2VN_Port FIP snooping and configuring the beacon period, you must also configure a dedicated FCoE VLAN for the VN2VN_Port traffic, and set the FCoE transit switch ports in the proper port mode and trusted or untrusted state (interfaces are untrusted by default). See the VN2VN_Port FIP snooping configuration example topics for complete configurations of several common network topologies.
There are differences in the way you configure a native VLAN on an interface that depend on whether the switch uses the original CLI or the Enhanced Layer 2 Software (ELS) CLI. This topic includes two configuration procedures, one for switches that run the original CLI, and one for switches that run the ELS CLI.
Original CLI Configuration
To enable VN2VN_Port FIP snooping and set the beacon period on an FCoE VLAN that is dedicated to VN2VN_Port traffic:
[edit ethernet-switching-options secure-access-port] user@switch# set vlan vlan-name examine-fip examine-vn2vn beacon-period milliseconds
For example, to enable VN2VN_Port FIP snooping on a VLAN named
vlan200and set the beacon period to90000milliseconds:[edit ethernet-switching-options secure-access-port] user@switch# set vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
ELS CLI Configuration
To enable VN2VN_Port FIP snooping and set the beacon period on an FCoE VLAN that is dedicated to VN2VN_Port traffic:
[edit] user@switch# set vlans vlan-name forwarding-options fip-security examine-vn2vn beacon-period milliseconds
For example, to enable VN2VN_Port FIP snooping on a VLAN named
vlan200and set the beacon period to90000milliseconds:[edit] user@switch# set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000