Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to Different FCoE Transit Switches)

This example shows how to configure VN_Port to VN_Port (VN2VN_Port) FIP snooping when the hosts are directly connected to different FCoE transit switches, and the transit switches are directly connected to each other.

Note: This example uses Junos OS without support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to Different FCoE Transit Switches).

VN2VN_Port FIP snooping on an FCoE transit switch provides security to help prevent unauthorized access and data transmission on a bridge that connects ENodes in the Ethernet network. VN2VN_Port FIP snooping provides security for virtual links by creating filters based on information gathered (snooped) about FCoE devices during FIP transactions.

VN2VN_Port FIP snooping is conceptually similar to VN2VF_Port FIP snooping between VN_Ports and VF_Ports, but VN2VN_Port FIP snooping does not require traffic between VN_Ports to traverse the Fibre Channel (FC) switch or FCoE forwarder (FCF). Instead, a VN_Port communicates transparently through one or more transit switches on a virtual link that emulates a direct connection to the VN_Port at the other end of the virtual link.

To configure VN2VN_Port FIP snooping when the hosts are directly connected to different FCoE transit switches, and the transit switches are directly connected to each other, you must follow these configuration rules:

  • VN2VN_Port traffic must use a dedicated FCoE VLAN, and all ENodes that communicate using VN2VN_Port FIP snooping must use that FCoE VLAN. The FCoE VLAN must be configured on each transit switch. You cannot mix VN2VN_Port FIP snooping traffic with VN2VF_Port FIP snooping traffic in the same FCoE VLAN.

    Note: An FCoE VLAN can support either VN2VF_Port FIP snooping or VN2VN_Port FIP snooping, but not both. Configure separate FCoE VLANs for VN2VF_Port FIP snooping traffic and for VN2VN_Port FIP snooping traffic. On FCoE VLANs that are configured as VN2VN_Port FIP snooping VLANs, VN2VF_Port traffic is dropped.

  • ENode-facing ports must be set in tagged-access port mode.
  • ENode-facing ports must be untrusted ports.
  • Network-facing (switch-facing) ports must be set in trunk port mode.
  • Network-facing ports must be FCoE trusted ports.
  • Explicitly configure the beacon period. The beacon period is essentially a keepalive timer for virtual link maintenance.

When you enable VN2VF_Port FIP snooping, the system snoops VN_Port to VF_Port packets and enforces security only on VN_Port to VF_Port virtual links. When you enable VN2VN_Port FIP snooping, the system snoops VN_Port to VN_Port packets and enforces security only on VN_Port to VN_Port virtual links.

The transit switch applies VN2VN_Port FIP snooping filters at the ports associated with the FCoE VLANs on which you enable VN2VN FIP snooping.

This example describes how to configure VN2VN_Port FIP snooping when the FCoE hosts are directly connected to different transit switches, and the transit switches are directly connected to each other:

Requirements

This example uses the following hardware and software components:

  • Two Juniper Networks QFX3500 Switches used as transit switches
  • Junos OS Release 12.2 or later for the QFX Series
  • Two FCoE hosts that have ENodes

Overview

This example shows you how to:

  • Set the correct interface port modes on the transit switch.
  • Configure the interfaces to use the dedicated FCoE VLAN for VN2VN_Port FIP snooping.
  • Configure the network-facing interfaces as FCoE trusted interfaces.
  • Configure the dedicated FCoE VLAN for VN2VN_Port FIP snooping traffic.
  • Enable VN2VN_Port FIP snooping on the FCoE VLAN and configure the beacon period.

Topology

Table 1 shows the configuration components for this example.

Table 1: Components of the VN2VN_Port FIP Snooping Configuration Topology (FCoE Hosts Directly Connected to Different FCoE Transit Switches)

Component: Hardware
Settings:
  • Two QFX3500 switches (FCoE transit switch TS1 and FCoE transit switch TS2)
  • Two FCoE hosts that have ENodes (ENode1 and ENode2, respectively)

Component: Interfaces and port modes
Settings:
  • Interface xe-0/0/20, port mode tagged-access, connects directly from transit switch TS1 to the FCoE host with ENode1.
  • Interface xe-0/0/21, port mode trunk, connects directly from transit switch TS1 to transit switch TS2.
  • Interface xe-0/0/31, port mode trunk, connects directly from transit switch TS2 to transit switch TS1.
  • Interface xe-0/0/30, port mode tagged-access, connects directly from transit switch TS2 to the FCoE host with ENode2.

Component: Interface VLAN membership
Settings: The interfaces on both transit switches use VLAN vlan200.

Component: VN2VN_Port FIP snooping VLAN
Settings:
  • VLAN name (both transit switches): vlan200
  • VLAN ID: 200

Component: FIP snooping mode and beacon period
Settings:
  • Set examine-vn2vn (VN2VN_Port FIP snooping)
  • Beacon period: 90000 ms

Figure 1 shows the network topology for this example.

Figure 1: VN2VN_Port FIP Snooping (FCoE Hosts Connected to Different Transit Switches) Topology


Configuration

To configure VN2VN_Port FIP snooping for VN_Ports that are directly connected to different transit switches (and the transit switches are directly connected to each other), perform these tasks:

CLI Quick Configuration

The configuration for each FCoE transit switch is shown separately.

To quickly configure VN2VN_Port FIP snooping for FCoE hosts connected directly to different transit switches, copy the following commands, paste them in a text file, remove line breaks, change variables and details to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level. To configure FCoE transit switch TS1:

set interfaces xe-0/0/20 unit 0 family ethernet-switching port-mode tagged-access
set interfaces xe-0/0/21 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
set ethernet-switching-options secure-access-port interface xe-0/0/21 fcoe-trusted
set vlans vlan200 vlan-id 200
set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000

To quickly configure VN2VN_Port FIP snooping for FCoE hosts connected directly to different transit switches, copy the following commands, paste them in a text file, remove line breaks, change variables and details to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level. To configure FCoE transit switch TS2:

set interfaces xe-0/0/30 unit 0 family ethernet-switching port-mode tagged-access
set interfaces xe-0/0/31 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/30 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/31 unit 0 family ethernet-switching vlan members vlan200
set vlans vlan200 vlan-id 200
set ethernet-switching-options secure-access-port interface xe-0/0/31 fcoe-trusted
set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000

Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS1

Step-by-Step Procedure

To configure interface port modes, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, set the network-facing port as FCoE trusted, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:

  1. Configure the port modes of the interfaces that connect directly to the FCoE host with ENode1 (xe-0/0/20) and to FCoE transit switch TS2 (xe-0/0/21):
    user@switch# set interfaces xe-0/0/20 unit 0 family ethernet-switching port-mode tagged-access
    user@switch# set interfaces xe-0/0/21 unit 0 family ethernet-switching port-mode trunk


  2. Configure the interface VLAN membership so that the interfaces are members of the dedicated VN2VN_Port VLAN (vlan200):
    user@switch# set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
    user@switch# set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200


  3. Configure the network-facing port (xe-0/0/21) as an FCoE trusted port:
    user@switch# set ethernet-switching-options secure-access-port interface xe-0/0/21 fcoe-trusted


  4. Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:
    user@switch# set vlans vlan200 vlan-id 200


  5. Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:
    user@switch# set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000

Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS2

Step-by-Step Procedure

To configure interface port modes, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, set the network-facing port as FCoE trusted, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:

  1. Configure the port modes of the interfaces that connect directly to the FCoE host with ENode2 (xe-0/0/30) and to FCoE transit switch TS1 (xe-0/0/31):
    user@switch# set interfaces xe-0/0/30 unit 0 family ethernet-switching port-mode tagged-access
    user@switch# set interfaces xe-0/0/31 unit 0 family ethernet-switching port-mode trunk


  2. Configure the interface VLAN membership so that the interfaces are members of the dedicated VN2VN_Port VLAN (vlan200):
    user@switch# set interfaces xe-0/0/30 unit 0 family ethernet-switching vlan members vlan200
    user@switch# set interfaces xe-0/0/31 unit 0 family ethernet-switching vlan members vlan200


  3. Configure the network-facing port (xe-0/0/31) as an FCoE trusted port:
    user@switch# set ethernet-switching-options secure-access-port interface xe-0/0/31 fcoe-trusted


  4. Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:
    user@switch# set vlans vlan200 vlan-id 200


  5. Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:
    user@switch# set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
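
The configuration rules listed at the start of this example can be checked mechanically before a commit. The following Python script is an added example, not Juniper code: it audits the set-style commands for one switch against those rules. The name audit_vn2vn and the sample string are hypothetical, and the snooping keyword is written examine-vn2vn as in Table 1.

```python
# Constructed sample: the TS1 commands from this page, with the snooping
# keyword written as examine-vn2vn (the spelling given in Table 1).
SAMPLE_CONFIG_TS1 = """\
set interfaces xe-0/0/20 unit 0 family ethernet-switching port-mode tagged-access
set interfaces xe-0/0/21 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
set ethernet-switching-options secure-access-port interface xe-0/0/21 fcoe-trusted
set vlans vlan200 vlan-id 200
set ethernet-switching-options secure-access-port vlan vlan200 examine-fip examine-vn2vn beacon-period 90000
"""

def audit_vn2vn(config, vlan, enode_ports, network_ports):
    """Check set-style commands against the page's VN2VN_Port rules; return violations."""
    mode, members, trusted, snoop = {}, {}, set(), []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["set", "interfaces"] and "port-mode" in t:
            mode[t[2]] = t[-1]
        elif t[:2] == ["set", "interfaces"] and t[-3:-1] == ["vlan", "members"]:
            members.setdefault(t[2], set()).add(t[-1])
        elif t[2:4] == ["secure-access-port", "interface"] and t[-1] == "fcoe-trusted":
            trusted.add(t[4])
        elif t[2:4] == ["secure-access-port", "vlan"] and t[4:5] == [vlan]:
            snoop += t[5:]
    problems = []
    for ports, want_mode, want_trust in ((enode_ports, "tagged-access", False),
                                         (network_ports, "trunk", True)):
        for p in ports:
            if mode.get(p) != want_mode:
                problems.append(f"{p}: port mode is {mode.get(p)}, expected {want_mode}")
            if (p in trusted) != want_trust:
                problems.append(f"{p}: fcoe-trusted must be {'set' if want_trust else 'absent'}")
            if vlan not in members.get(p, set()):
                problems.append(f"{p}: not a member of {vlan}")
    if "examine-vn2vn" not in snoop:
        problems.append(f"{vlan}: examine-vn2vn not enabled")
    if "beacon-period" not in snoop:
        problems.append(f"{vlan}: beacon period not explicitly configured")
    return problems

if __name__ == "__main__":
    for issue in audit_vn2vn(SAMPLE_CONFIG_TS1, "vlan200", ["xe-0/0/20"], ["xe-0/0/21"]) or ["no violations"]:
        print(issue)
```

For TS2, pass xe-0/0/30 as the ENode-facing port and xe-0/0/31 as the network-facing port.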

Verification

To verify that the VN2VN_Port FIP snooping configuration has been created and is operating properly on both switches, perform these tasks:

Verifying That VN2VN_Port FIP Snooping is Enabled on the FCoE VLAN (Transit Switches TS1 and TS2)

Purpose

Verify that VN2VN_Port FIP snooping is enabled on the correct VLAN (vlan200), that the beacon period is set to 90000 milliseconds, and that the correct interfaces (xe-0/0/20 and xe-0/0/21 on TS1, and xe-0/0/30 and xe-0/0/31 on TS2) are members of the VLAN.

Action

List the FIP snooping information on transit switch TS1 using the operational mode command show fip snooping detail:

user@switch> show fip snooping detail
VLAN: vlan200,  Mode: VN2VN Snooping
  FC-MAP: 0e:fd:00   
  Beacon_Period:  90000
  VN2VN Mode: Point-to-Point
    Enode Information
    Enode-MAC: 10:10:94:01:00:02,       Interface: xe-0/0/20
      Active VN_Ports : 1
      VN_Port Information
      VN-Port MAC: 0e:fd:00:00:0a:01
         Active Sessions    : 1
         Session Information
	    Vlink far-end VN-Port-MAC: 0e:fd:00:00:0b:01
    Enode-MAC: 10:10:94:01:00:02,       Interface: xe-0/0/21
      Active VN_Ports : 1
      VN_Port Information
      VN-Port MAC: 0e:fd:00:00:0b:01
         Active Sessions    : 1
         Session Information
	    Vlink far-end VN-Port-MAC: 0e:fd:00:00:0a:01

List the FIP snooping information on transit switch TS2 using the operational mode command show fip snooping detail:

user@switch> show fip snooping detail
VLAN: vlan200,  Mode: VN2VN Snooping
  FC-MAP: 0e:fd:00   
  Beacon_Period:  90000
  VN2VN Mode: Point-to-Point
    Enode Information
    Enode-MAC: 10:10:94:01:00:02,       Interface: xe-0/0/30
      Active VN_Ports : 1
      VN_Port Information
      VN-Port MAC: 0e:fd:00:00:0b:01
         Active Sessions    : 1
         Session Information
	    Vlink far-end VN-Port-MAC: 0e:fd:00:00:0a:01
    Enode-MAC: 10:10:94:01:00:02,       Interface: xe-0/0/31
      Active VN_Ports : 1
      VN_Port Information
      VN-Port MAC: 0e:fd:00:00:0a:01
         Active Sessions    : 1
         Session Information
	    Vlink far-end VN-Port-MAC: 0e:fd:00:00:0b:01

Meaning

The show fip snooping detail command lists all of the transit switch information about VN2VN_Port FIP snooping and VN2VF_Port FIP snooping on each transit switch. The command shows that:

  • The VLAN is vlan200.
  • The mode is FIP snooping mode VN2VN, for VN2VN_Port FIP snooping. (If the Mode field shows VN2VF, then the FIP snooping mode is VN2VF_Port FIP snooping.)
  • The beacon period is 90000.
  • The interfaces connected to the ENodes are xe-0/0/20 and xe-0/0/21 on transit switch TS1, and xe-0/0/30 and xe-0/0/31 on transit switch TS2. Because the transit switches are transparent passthrough switches, the network-facing trunk ports “see” the FCoE host ENodes at the far end of the VN2VN_Port virtual link.

In addition, this useful command shows information about the ENodes and the VN2VN_Port sessions.
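
The checks described under Meaning can be automated against captured command output. The following Python script is an added example, not Juniper code: it parses show fip snooping detail output for one VLAN and compares it with the expected VLAN, mode, beacon period and interfaces. The function names are hypothetical, and the far-end consistency check is an assumption drawn from the sample output above.

```python
import re

# Constructed sample: the TS1 output shown on this page, whitespace normalized.
SAMPLE_OUTPUT_TS1 = """\
VLAN: vlan200,  Mode: VN2VN Snooping
  FC-MAP: 0e:fd:00
  Beacon_Period:  90000
  VN2VN Mode: Point-to-Point
    Enode Information
    Enode-MAC: 10:10:94:01:00:02,       Interface: xe-0/0/20
      Active VN_Ports : 1
      VN_Port Information
      VN-Port MAC: 0e:fd:00:00:0a:01
         Active Sessions    : 1
         Session Information
            Vlink far-end VN-Port-MAC: 0e:fd:00:00:0b:01
    Enode-MAC: 10:10:94:01:00:02,       Interface: xe-0/0/21
      Active VN_Ports : 1
      VN_Port Information
      VN-Port MAC: 0e:fd:00:00:0b:01
         Active Sessions    : 1
         Session Information
            Vlink far-end VN-Port-MAC: 0e:fd:00:00:0a:01
"""

def parse_fip_snooping(text):
    """Parse one VLAN block into vlan, mode, beacon and a list of per-interface entries."""
    info = {"ports": []}
    for line in text.splitlines():
        if m := re.match(r"VLAN: (\S+),\s+Mode: (\S+)", line):
            info["vlan"], info["mode"] = m.groups()
        elif m := re.search(r"Beacon_Period:\s+(\d+)", line):
            info["beacon"] = int(m.group(1))
        elif m := re.search(r"Interface: (\S+)", line):
            info["ports"].append({"iface": m.group(1)})
        elif (m := re.search(r"(far-end VN-Port-MAC|VN-Port MAC): (\S+)", line)) and info["ports"]:
            info["ports"][-1][m.group(1)] = m.group(2)
    return info

def verify(info, vlan, beacon_ms, ifaces):
    """Return mismatches; also flags a far-end MAC that is not a snooped VN_Port (assumed check)."""
    got = (info.get("vlan"), info.get("mode"), info.get("beacon"))
    bad = [] if got == (vlan, "VN2VN", beacon_ms) else [f"VLAN/mode/beacon mismatch: {got}"]
    seen = {p["iface"] for p in info["ports"]}
    if seen != set(ifaces):
        bad.append(f"interfaces {sorted(seen)} differ from expected {sorted(ifaces)}")
    macs = {p.get("VN-Port MAC") for p in info["ports"]}
    bad += [f"{p['iface']}: far end not a snooped VN_Port"
            for p in info["ports"] if p.get("far-end VN-Port-MAC") not in macs]
    return bad
```

A Mode value of VN2VF in the parsed result means the VLAN is running VN2VF_Port FIP snooping, which verify reports as a mismatch.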

Verifying the Interface Port Mode

Purpose

Verify that the interface port modes are tagged-access for ENode-facing ports and trunk for network-facing ports on each transit switch.

Action

List the Ethernet switching interfaces to confirm the port mode using the show ethernet-switching interfaces detail operational command.

Use the operational mode commands show ethernet-switching interfaces xe-0/0/20.0 detail and show ethernet-switching interfaces xe-0/0/21.0 detail to list the Ethernet switching interface information on FCoE transit switch TS1. The output is truncated to show only the relevant portions:

user@switch> show ethernet-switching interfaces xe-0/0/20.0 detail
Interface: xe-0/0/20.0, Index: 75, State: up, Port mode: Tagged-Access
.
.
.

user@switch> show ethernet-switching interfaces xe-0/0/21.0 detail
Interface: xe-0/0/21.0, Index: 83, State: up, Port mode: Trunk
.
.
.

List the Ethernet switching interface information on FCoE transit switch TS2 using the operational mode commands show ethernet-switching interfaces xe-0/0/30.0 detail and show ethernet-switching interfaces xe-0/0/31.0 detail:

user@switch> show ethernet-switching interfaces xe-0/0/30.0 detail
Interface: xe-0/0/30.0, Index: 56, State: up, Port mode: Tagged-Access
.
.
.

user@switch> show ethernet-switching interfaces xe-0/0/31.0 detail
Interface: xe-0/0/31.0, Index: 59, State: up, Port mode: Trunk
.
.
.

Published: 2013-11-20