Supported Platforms
Related Documentation
- QFX Series
- Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to the Same FCoE Transit Switch)
- Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to Different FCoE Transit Switches)
- Enabling VN2VN_Port FIP Snooping and Configuring the Beacon Period on an FCoE Transit Switch
- Understanding VN_Port to VN_Port FIP Snooping on an FCoE Transit Switch
Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Indirectly Connected Through an Aggregation Layer FCoE Transit Switch)
This example shows how to configure VN_Port to VN_Port (VN2VN_Port) FIP snooping when the hosts are indirectly connected through an aggregation layer FCoE transit switch. Each FCoE host ENode is directly connected to an FCoE transit switch, but the FCoE transit switches are not directly connected to each other. The FCoE transit switches are both connected to a third FCoE transit switch that acts as an aggregation layer switch.
Note: This example uses Junos OS without support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Indirectly Connected Through an Aggregation Layer FCoE Transit Switch).
VN2VN_Port FIP snooping on an FCoE transit switch provides security to help prevent unauthorized access and data transmission on a bridge that connects ENodes in the Ethernet network. VN2VN_Port FIP snooping provides security for virtual links by creating filters based on information gathered (snooped) about FCoE devices during FIP transactions.
VN2VN_Port FIP snooping is conceptually similar to VN2VF_Port FIP snooping between VN_Ports and VF_Ports, but VN2VN_Port FIP snooping does not require traffic between VN_Ports to traverse the Fibre Channel (FC) switch or FCoE forwarder (FCF). Instead, a VN_Port communicates transparently through one or more transit switches on a virtual link that emulates a direct connection to the VN_Port at the other end of the virtual link.
To configure VN2VN_Port FIP snooping when the hosts are indirectly connected, you must follow these configuration rules:
- VN2VN_Port traffic must use a dedicated FCoE VLAN, and all ENodes that communicate using VN2VN_Port FIP snooping must use that FCoE VLAN. The FCoE VLAN must be configured on each transit switch. You cannot mix VN2VN_Port FIP snooping traffic with VN2VF_Port FIP snooping traffic in the same FCoE VLAN.
  Note: An FCoE VLAN can support either VN2VF_Port FIP snooping or VN2VN_Port FIP snooping, but not both. Configure separate FCoE VLANs for VN2VF_Port FIP snooping traffic and for VN2VN_Port FIP snooping traffic. On FCoE VLANs that are configured as VN2VN_Port FIP snooping VLANs, VN_Port to VF_Port traffic is dropped.
- ENode-facing ports must be set in tagged-access port mode.
- ENode-facing ports must be untrusted ports.
- Network-facing (switch-facing) ports must be set in trunk port mode.
- Network-facing ports must be FCoE trusted ports.
- Explicitly configure the beacon period. The beacon period is essentially a keepalive timer for virtual link maintenance.
When you enable FIP snooping, the system snoops VN_Port to VF_Port packets and enforces security only on VN_Port to VF_Port virtual links. When you enable VN2VN_Port FIP snooping, the system snoops VN_Port to VN_Port packets and enforces security only on VN_Port to VN_Port virtual links.
The transit switch applies VN2VN_Port FIP snooping filters at the ports associated with the FCoE VLANs on which you enable VN2VN FIP snooping.
This example describes how to configure VN2VN_Port FIP snooping when the FCoE hosts are indirectly connected across an aggregation layer FCoE transit switch.
Requirements
This example uses the following hardware and software components:
- Three Juniper Networks QFX3500 Switches used as transit switches
- Junos OS Release 12.2 or later for the QFX Series
- Two FCoE hosts that have ENodes
Overview
This example shows you how to:
- Set the correct interface port modes on the transit switch.
- Configure the interfaces to use the dedicated FCoE VLAN for VN2VN_Port FIP snooping.
- Configure the network-facing interfaces as FCoE trusted interfaces.
- Configure the dedicated FCoE VLAN for VN2VN_Port FIP snooping traffic.
- Enable VN2VN_Port FIP snooping on the FCoE VLAN and configure the beacon period.
Topology
Table 1 shows the configuration components for this example.
Table 1: Components of the VN2VN_Port FIP Snooping Configuration Topology (FCoE Hosts Indirectly Connected Across an Aggregation Layer FCoE Transit Switch)
Component | Settings |
---|---|
Hardware | Three QFX3500 switches, two of which are FCoE transit switches that are directly attached to the FCoE hosts (transit switches TS1 and TS2) and one of which is an aggregation layer FCoE transit switch (TS3); two FCoE hosts that have ENodes (ENode1 and ENode2, respectively) |
Interfaces and port modes | |
Interface VLAN membership | The interfaces on all three switches use VLAN vlan200. |
VN2VN_Port FIP snooping VLAN | VLAN name (all three switches)—vlan200 |
FIP snooping mode and beacon period | Set examine-vn2vn (VN2VN_Port FIP snooping) |
Figure 1 shows the network topology for this example.
Figure 1: VN2VN_Port FIP Snooping (FCoE Hosts Indirectly Connected) Topology

Configuration
To configure VN2VN_Port FIP snooping for VN_Ports that are indirectly connected across an aggregation layer FCoE transit switch, perform these tasks:
- Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS1
- Configuring VN2VN_Port FIP Snooping on Aggregation Layer FCoE Transit Switch TS2
- Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS3
CLI Quick Configuration
The configuration for each FCoE transit switch is shown separately.
To quickly configure VN2VN_Port FIP snooping for FCoE hosts that are indirectly connected across an aggregation layer FCoE transit switch, copy the following commands, paste them in a text file, remove line breaks, change variables and details to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
To configure FCoE transit switch TS1:
set interfaces xe-0/0/20 unit 0 family ethernet-switching port-mode tagged-access
set interfaces xe-0/0/21 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
set ethernet-switching-options secure-access-port interface xe-0/0/21 fcoe-trusted
set vlans vlan200 vlan-id 200
set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
To configure FCoE transit switch TS2:
set interfaces xe-0/0/30 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/31 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/30 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/31 unit 0 family ethernet-switching vlan members vlan200
set vlans vlan200 vlan-id 200
set ethernet-switching-options secure-access-port interface xe-0/0/30 fcoe-trusted
set ethernet-switching-options secure-access-port interface xe-0/0/31 fcoe-trusted
set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
To configure FCoE transit switch TS3:
set interfaces xe-0/0/10 unit 0 family ethernet-switching port-mode tagged-access
set interfaces xe-0/0/11 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/10 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/11 unit 0 family ethernet-switching vlan members vlan200
set vlans vlan200 vlan-id 200
set ethernet-switching-options secure-access-port interface xe-0/0/11 fcoe-trusted
set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS1
Step-by-Step Procedure
To configure interface port modes, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, set the network-facing port as FCoE trusted, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:
- Configure the port modes of the interfaces that connect directly to the FCoE host with ENode1 (xe-0/0/20) and to aggregation layer FCoE transit switch TS2 (xe-0/0/21):
  user@switch# set interfaces xe-0/0/20 unit 0 family ethernet-switching port-mode tagged-access
  user@switch# set interfaces xe-0/0/21 unit 0 family ethernet-switching port-mode trunk
- Configure the interface VLAN membership so that the interfaces are members of the dedicated VN2VN_Port VLAN (vlan200):
  user@switch# set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
  user@switch# set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
- Configure the network-facing port (xe-0/0/21) as an FCoE trusted port:
  user@switch# set ethernet-switching-options secure-access-port interface xe-0/0/21 fcoe-trusted
- Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:
  user@switch# set vlans vlan200 vlan-id 200
- Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:
  user@switch# set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
Configuring VN2VN_Port FIP Snooping on Aggregation Layer FCoE Transit Switch TS2
Step-by-Step Procedure
To configure interface port modes, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, set the network-facing ports as FCoE trusted, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:
- Configure the port modes of the interfaces that connect directly to FCoE transit switches TS1 (xe-0/0/31) and TS3 (xe-0/0/30). Both interfaces are network-facing and must be configured as trunk interfaces:
  user@switch# set interfaces xe-0/0/30 unit 0 family ethernet-switching port-mode trunk
  user@switch# set interfaces xe-0/0/31 unit 0 family ethernet-switching port-mode trunk
- Configure the interface VLAN membership so that the interfaces are members of the dedicated VN2VN_Port VLAN (vlan200):
  user@switch# set interfaces xe-0/0/30 unit 0 family ethernet-switching vlan members vlan200
  user@switch# set interfaces xe-0/0/31 unit 0 family ethernet-switching vlan members vlan200
- Configure the network-facing ports (xe-0/0/30 and xe-0/0/31) as FCoE trusted ports:
  user@switch# set ethernet-switching-options secure-access-port interface xe-0/0/30 fcoe-trusted
  user@switch# set ethernet-switching-options secure-access-port interface xe-0/0/31 fcoe-trusted
- Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:
  user@switch# set vlans vlan200 vlan-id 200
- Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:
  user@switch# set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS3
Step-by-Step Procedure
To configure interface port modes, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, set the network-facing port as FCoE trusted, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:
- Configure the port modes of the interfaces that connect directly to the FCoE host with ENode2 (xe-0/0/10) and to aggregation layer FCoE transit switch TS2 (xe-0/0/11):
  user@switch# set interfaces xe-0/0/10 unit 0 family ethernet-switching port-mode tagged-access
  user@switch# set interfaces xe-0/0/11 unit 0 family ethernet-switching port-mode trunk
- Configure the interface VLAN membership so that the interfaces are members of the dedicated VN2VN_Port VLAN (vlan200):
  user@switch# set interfaces xe-0/0/10 unit 0 family ethernet-switching vlan members vlan200
  user@switch# set interfaces xe-0/0/11 unit 0 family ethernet-switching vlan members vlan200
- Configure the network-facing port (xe-0/0/11) as an FCoE trusted port:
  user@switch# set ethernet-switching-options secure-access-port interface xe-0/0/11 fcoe-trusted
- Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:
  user@switch# set vlans vlan200 vlan-id 200
- Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:
  user@switch# set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
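The configuration rules for this topology (ENode-facing ports tagged-access and untrusted, network-facing ports trunk and FCoE trusted, VN2VN_Port FIP snooping with an explicit beacon period on the dedicated VLAN) can be checked against a candidate configuration before it is committed. The following Python checker is an added example, not Juniper code: the name audit_vn2vn and the TS1_BAD sample are constructed here, and it assumes the non-ELS set-command style used on this page and that the port mode identifies a port as ENode-facing (tagged-access) or network-facing (trunk).

```python
import re

# TS1 configuration as given on this page.
TS1_GOOD = """\
set interfaces xe-0/0/20 unit 0 family ethernet-switching port-mode tagged-access
set interfaces xe-0/0/21 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
set ethernet-switching-options secure-access-port interface xe-0/0/21 fcoe-trusted
set vlans vlan200 vlan-id 200
set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
"""
# Constructed misconfiguration: the ENode-facing port is trusted instead of
# the trunk, and the beacon period is left implicit.
TS1_BAD = (TS1_GOOD
           .replace("interface xe-0/0/21 fcoe-trusted", "interface xe-0/0/20 fcoe-trusted")
           .replace(" beacon-period 90000", ""))

SAP = r"set ethernet-switching-options secure-access-port "
IFACE = r"set interfaces (\S+) unit 0 family ethernet-switching "


def audit_vn2vn(config, vlan):
    """Return a list of rule violations; an empty list means the rules hold."""
    modes = dict(re.findall(IFACE + r"port-mode (\S+)", config))
    members = {i for i, v in re.findall(IFACE + r"vlan members (\S+)", config) if v == vlan}
    trusted = set(re.findall(SAP + r"interface (\S+) fcoe-trusted", config))
    name = re.escape(vlan)
    findings = []

    if not re.search(rf"^set vlans {name} vlan-id \d+$", config, re.M):
        findings.append(f"{vlan}: FCoE VLAN is not defined")

    snoop = re.search(SAP + rf"vlan {name} examine-fip(.*)$", config, re.M)
    opts = snoop.group(1).split() if snoop else []
    if snoop is None:
        findings.append(f"{vlan}: FIP snooping is not enabled")
    elif "examine-vn2vn" not in opts:
        findings.append(f"{vlan}: examine-fip without examine-vn2vn (VN2VF mode)")
    elif "beacon-period" not in opts:
        findings.append(f"{vlan}: beacon period is not explicitly configured")

    for iface in sorted(members):
        mode = modes.get(iface)
        if mode == "tagged-access" and iface in trusted:
            findings.append(f"{iface}: ENode-facing port must be untrusted")
        elif mode == "trunk" and iface not in trusted:
            findings.append(f"{iface}: network-facing port must be fcoe-trusted")
        elif mode not in ("tagged-access", "trunk"):
            findings.append(f"{iface}: port mode must be tagged-access or trunk")
    return findings


if __name__ == "__main__":
    for label, cfg in (("TS1 (page)", TS1_GOOD), ("TS1 (constructed bad)", TS1_BAD)):
        print(label, audit_vn2vn(cfg, "vlan200") or "OK")
```

A trusted ENode-facing port is the finding to treat as most serious, because the page requires ENode-facing ports to be untrusted so that the snooping filters apply to host traffic.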
Verification
To verify that the VN2VN_Port FIP snooping configuration has been created and is operating properly on all three switches, perform these tasks:
- Verifying That VN2VN_Port FIP Snooping Is Enabled on the FCoE VLAN (All Three Transit Switches)
- Verifying the Interface Port Mode
Verifying That VN2VN_Port FIP Snooping Is Enabled on the FCoE VLAN (All Three Transit Switches)
Purpose
Verify that VN2VN_Port FIP snooping is enabled on the correct VLAN (vlan200), that the beacon period is set to 90000 milliseconds, and that the correct interfaces (xe-0/0/20 and xe-0/0/21 on TS1, xe-0/0/30 and xe-0/0/31 on aggregation layer TS2, and xe-0/0/10 and xe-0/0/11 on TS3) are members of the VLAN.
Action
List the FIP snooping information on transit switch TS1 using the operational mode command show fip snooping detail:
user@switch> show fip snooping detail
VLAN: vlan200, Mode: VN2VN Snooping
  FC-MAP: 0e:fd:00
  Beacon_Period: 90000
  VN2VN Mode: Point-to-Point
  Enode Information
    Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/20
      Active VN_Ports : 1
      VN_Port Information
        VN-Port MAC: 0e:fd:00:00:0a:01
          Active Sessions : 1
          Session Information
            Vlink far-end VN-Port-MAC: 0e:fd:00:00:0b:01
    Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/21
      Active VN_Ports : 1
      VN_Port Information
        VN-Port MAC: 0e:fd:00:00:0b:01
          Active Sessions : 1
          Session Information
            Vlink far-end VN-Port-MAC: 0e:fd:00:00:0a:01
List the FIP snooping information on aggregation layer transit switch TS2 using the operational mode command show fip snooping detail:
user@switch> show fip snooping detail
VLAN: vlan200, Mode: VN2VN Snooping
  FC-MAP: 0e:fd:00
  Beacon_Period: 90000
  VN2VN Mode: Point-to-Point
  Enode Information
    Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/30
      Active VN_Ports : 1
      VN_Port Information
        VN-Port MAC: 0e:fd:00:00:0b:01
          Active Sessions : 1
          Session Information
            Vlink far-end VN-Port-MAC: 0e:fd:00:00:0a:01
    Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/31
      Active VN_Ports : 1
      VN_Port Information
        VN-Port MAC: 0e:fd:00:00:0a:01
          Active Sessions : 1
          Session Information
            Vlink far-end VN-Port-MAC: 0e:fd:00:00:0b:01
List the FIP snooping information on transit switch TS3 using the operational mode command show fip snooping detail:
user@switch> show fip snooping detail
VLAN: vlan200, Mode: VN2VN Snooping
  FC-MAP: 0e:fd:00
  Beacon_Period: 90000
  VN2VN Mode: Point-to-Point
  Enode Information
    Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/10
      Active VN_Ports : 1
      VN_Port Information
        VN-Port MAC: 0e:fd:00:00:0b:01
          Active Sessions : 1
          Session Information
            Vlink far-end VN-Port-MAC: 0e:fd:00:00:0a:01
    Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/11
      Active VN_Ports : 1
      VN_Port Information
        VN-Port MAC: 0e:fd:00:00:0a:01
          Active Sessions : 1
          Session Information
            Vlink far-end VN-Port-MAC: 0e:fd:00:00:0b:01
Meaning
The show fip snooping detail command lists all of the transit switch information about VN2VN_Port FIP snooping and VN2VF_Port FIP snooping on each transit switch. The command shows that:
- The VLAN is vlan200.
- The mode is FIP snooping mode VN2VN, for VN2VN_Port FIP snooping. (If the Mode field shows VN2VF, then the FIP snooping mode is VN2VF_Port FIP snooping.)
- The beacon period is 90000.
- The interfaces connected to the ENodes are xe-0/0/20 and xe-0/0/21 on transit switch TS1, xe-0/0/30 and xe-0/0/31 on aggregation layer transit switch TS2, and xe-0/0/10 and xe-0/0/11 on transit switch TS3. Because the transit switches are transparent passthrough switches, the network-facing trunk ports “see” the FCoE host ENodes at the far end of the VN2VN_Port virtual link.
In addition, this useful command shows information about the ENodes and the VN2VN_Port sessions.
Verifying the Interface Port Mode
Purpose
Verify that the interface port modes are tagged-access for ENode-facing ports and trunk for network-facing ports on each transit switch.
Action
List the Ethernet switching interfaces to confirm the port mode using the show ethernet-switching interfaces detail operational command for each interface. The output is truncated to show only the relevant portions.
List the Ethernet switching interface information on FCoE transit switch TS1 using the operational mode commands show ethernet-switching interfaces xe-0/0/20.0 detail and show ethernet-switching interfaces xe-0/0/21.0 detail:
user@switch> show ethernet-switching interfaces xe-0/0/20.0 detail
Interface: xe-0/0/20.0, Index: 75, State: up, Port mode: Tagged-Access
. . .
user@switch> show ethernet-switching interfaces xe-0/0/21.0 detail
Interface: xe-0/0/21.0, Index: 83, State: up, Port mode: Trunk
. . .
List the Ethernet switching interface information on aggregation layer FCoE transit switch TS2 using the operational mode commands show ethernet-switching interfaces xe-0/0/30.0 detail and show ethernet-switching interfaces xe-0/0/31.0 detail:
user@switch> show ethernet-switching interfaces xe-0/0/30.0 detail
Interface: xe-0/0/30.0, Index: 71, State: up, Port mode: Trunk
. . .
user@switch> show ethernet-switching interfaces xe-0/0/31.0 detail
Interface: xe-0/0/31.0, Index: 73, State: up, Port mode: Trunk
. . .
List the Ethernet switching interface information on FCoE transit switch TS3 using the operational mode commands show ethernet-switching interfaces xe-0/0/10.0 detail and show ethernet-switching interfaces xe-0/0/11.0 detail:
user@switch> show ethernet-switching interfaces xe-0/0/10.0 detail
Interface: xe-0/0/10.0, Index: 56, State: up, Port mode: Tagged-Access
. . .
user@switch> show ethernet-switching interfaces xe-0/0/11.0 detail
Interface: xe-0/0/11.0, Index: 59, State: up, Port mode: Trunk
. . .
Published: 2013-11-08