Supported Platforms
Related Documentation
- EX Series
- Example: Configuring an FCoE Transit Switch
- Understanding FIP Snooping
- QFabric System, QFX Series standalone switches
- Configuring an FCoE VLAN Interface on an FCoE-FC Gateway
- Configuring VLANs for FCoE Traffic on an FCoE Transit Switch
- Understanding VN_Port to VF_Port FIP Snooping on an FCoE Transit Switch
- QFabric System
- Configuring an FCoE LAG
- Disabling Enhanced FIP Snooping Scaling
- Understanding FCoE LAGs
Configuring VN2VF_Port FIP Snooping and FCoE Trusted Interfaces on an FCoE Transit Switch
VN_Port to VF_Port (VN2VF_Port) Fibre Channel over Ethernet (FCoE) Initialization Protocol (FIP) snooping uses information gathered during FIP discovery and login to create firewall filters that provide security against unauthorized access to the FC switch or FCoE forwarder (FCF) through the QFX Series or EX4500 when the switch is acting as an FCoE transit switch. The firewall filters allow only FCoE devices that successfully log in to the FC fabric to access the FCF through the transit switch. VN2VF_Port FIP snooping provides security for the point-to-point virtual links that connect host FCoE Nodes (ENodes) and FCFs in the FCoE VLAN by denying access to any device that does not successfully log in to the FCF.
VN2VF_Port FIP snooping is disabled by default. You enable VN2VF_Port FIP snooping on a per-VLAN basis for VLANs that carry FCoE traffic. Ensure that a VLAN that carries FCoE traffic carries only FCoE traffic, because enabling VN2VF_Port FIP snooping denies access for all other Ethernet traffic.
Note: All of the transit switch ports are untrusted by default. If an ENode on an FCoE device logs in to an FCF before you enable VN2VF_Port FIP snooping on the VLAN and you then enable VN2VF_Port FIP snooping, the transit switch denies traffic from the ENode because the transit switch has not snooped (learned) the ENode state. The following process automatically logs the ENode back in to the FCF to reestablish the connection:
Because the FCF is a trusted source, you configure interfaces that connect to the FCF as FCoE trusted interfaces. FCoE trusted interfaces do not filter traffic (FIP snooping filtering should occur only at the FCoE access edge), but VN2VF_Port FIP snooping continues to run on trusted interfaces so that the switch learns the FCF state.
Note: Do not configure ENode-facing interfaces both with FIP snooping enabled and as trusted interfaces. FCoE VLANs with interfaces that are directly connected to FCoE hosts should be configured with FIP snooping enabled, and those interfaces should not be trusted interfaces. Ethernet interfaces that are connected to an FCF should be configured as trusted interfaces and should not have FIP snooping enabled. Interfaces that are connected to a transit switch that is performing FIP snooping can be configured as trusted interfaces if the FCoE VLAN is not enabled for FIP snooping.
Optionally, you can specify an FC-MAP value for each FCoE VLAN. On a given FCoE VLAN, the switch learns only FCFs that have a matching FC-MAP value. The default FC-MAP value is 0EFC00h for all FC devices. (Enter hexadecimal values for FC-MAP preceded by the hexadecimal indicator “0x”—for example, 0x0EFC00.) If you change the FC-MAP value of an FCF, change the FC-MAP value for the FCoE VLAN it belongs to on the switch and on the servers you want to communicate with the FCF. An FCoE VLAN can have one and only one FC-MAP value.
Note: The default enhanced FIP snooping scaling supports 2,500 sessions. On QFabric systems, starting with Junos OS Release 13.2X52, you can disable enhanced FIP snooping scaling on a per-VLAN basis if you want to do so, but only 376 sessions are supported if you disable enhanced FIP snooping scaling.
There are differences in the way you configure FIP snooping and FCoE trusted interfaces on a switch that depend on whether the switch uses the original QFX/QFabric CLI (for example, a standalone QFX3500 or QFX3600 switch or a QFabric system Node device) or the Enhanced Layer 2 Software (ELS) CLI (for example, a standalone QFX5100 switch). This topic includes two configuration procedures, one for switches that run the original CLI, and one for switches that run the ELS CLI.
Original CLI Configuration
To enable VN2VF_Port FIP snooping:
- To enable VN2VF_Port FIP snooping on a single VLAN and specify the optional FC-MAP value:

  ```
  [edit ethernet-switching-options secure-access-port]
  user@switch# set vlan vlan-name examine-fip fc-map fc-map-value
  ```

  For example, to enable VN2VF_Port FIP snooping on a VLAN named san1_vlan and change the FC-MAP value to 0x0EFC03:

  ```
  [edit ethernet-switching-options secure-access-port]
  user@switch# set vlan san1_vlan examine-fip fc-map 0x0EFC03
  ```

  Note: Changing the FC-MAP value causes all logins to drop and forces ENodes to log in again.

- To enable VN2VF_Port FIP snooping on all VLANs and use the default FC-MAP value:

  ```
  [edit ethernet-switching-options secure-access-port]
  user@switch# set vlan all examine-fip
  ```

- To configure an interface as an FCoE trusted interface:

  ```
  [edit ethernet-switching-options secure-access-port]
  user@switch# set interface interface-name fcoe-trusted
  ```

  For example, to configure interface xe-0/0/30 as an FCoE trusted interface:

  ```
  [edit ethernet-switching-options secure-access-port]
  user@switch# set interface xe-0/0/30 fcoe-trusted
  ```
ELS CLI Configuration
To enable VN2VF_Port FIP snooping:
- To enable VN2VF_Port FIP snooping on a VLAN and specify the optional FC-MAP value:

  ```
  [edit]
  user@switch# set vlans vlan-name forwarding-options fip-security fc-map fc-map-value examine-vn2vf
  ```

  For example, to enable VN2VF_Port FIP snooping on a VLAN named san1_vlan and change the FC-MAP value to 0x0EFC03:

  ```
  [edit]
  user@switch# set vlans san1_vlan forwarding-options fip-security fc-map 0x0EFC03 examine-vn2vf
  ```

  Note: Changing the FC-MAP value causes all logins to drop and forces ENodes to log in again.

- To configure an interface as an FCoE trusted interface:

  ```
  [edit]
  user@switch# set vlans vlan-name forwarding-options fip-security interface interface-name fcoe-trusted
  ```

  For example, to configure interface xe-0/0/30 on the VLAN named san1_vlan as an FCoE trusted interface:

  ```
  [edit]
  user@switch# set vlans san1_vlan forwarding-options fip-security interface xe-0/0/30 fcoe-trusted
  ```
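As an added example (not part of this topic or of Junos OS), the following Python lint reads ELS-style `set ... fip-security` statements of the form shown above and flags the three mistakes the notes in this topic warn about: an FC-MAP that is not a 0x-prefixed 24-bit hex value, more than one FC-MAP on one FCoE VLAN, and an ENode-facing interface marked fcoe-trusted on a VLAN that has VN2VF_Port FIP snooping enabled. The configuration lines and the set of ENode-facing ports are constructed for the example.

```python
import re

# Constructed ELS "set" statements modelled on the commands in this topic.
# san2_vlan deliberately carries every mistake the lint looks for.
SAMPLE_CONFIG = """
set vlans san1_vlan forwarding-options fip-security fc-map 0x0EFC03 examine-vn2vf
set vlans san1_vlan forwarding-options fip-security interface xe-0/0/30 fcoe-trusted
set vlans san2_vlan forwarding-options fip-security fc-map 0EFC00 examine-vn2vf
set vlans san2_vlan forwarding-options fip-security interface xe-0/0/5 fcoe-trusted
set vlans san2_vlan forwarding-options fip-security fc-map 0x0EFC01 examine-vn2vf
"""

# Constructed inventory: ports that connect to FCoE hosts (ENodes), not to an FCF.
ENODE_PORTS = {"xe-0/0/5", "xe-0/0/6"}

FIP = re.compile(
    r"^set vlans (?P<vlan>\S+) forwarding-options fip-security "
    r"(?:(?:fc-map (?P<fcmap>\S+) )?examine-vn2vf"
    r"|interface (?P<intf>\S+) fcoe-trusted)$"
)

def lint_fip_security(config, enode_ports):
    """Return a list of findings (strings) for a block of fip-security statements."""
    snooped, fcmaps, trusted, findings = set(), {}, {}, []
    for line in config.strip().splitlines():
        m = FIP.match(line.strip())
        if not m:
            continue                      # ignore statements outside fip-security
        vlan = m.group("vlan")
        if m.group("intf") is not None:
            trusted.setdefault(vlan, set()).add(m.group("intf"))
        else:
            snooped.add(vlan)             # examine-vn2vf enables snooping on the VLAN
            if m.group("fcmap") is not None:
                fcmaps.setdefault(vlan, set()).add(m.group("fcmap"))
    for vlan, values in fcmaps.items():
        for v in sorted(values):
            # FC-MAP is a 24-bit value entered as 0x-prefixed hex (default 0x0EFC00).
            if not re.fullmatch(r"0x[0-9A-Fa-f]{6}", v):
                findings.append(f"{vlan}: FC-MAP {v!r} is not a 0x-prefixed 24-bit hex value")
        if len(values) > 1:               # an FCoE VLAN may have only one FC-MAP
            findings.append(f"{vlan}: more than one FC-MAP configured ({', '.join(sorted(values))})")
    for vlan, intfs in trusted.items():
        if vlan in snooped:               # trusted ports bypass the FIP snooping filters
            for intf in sorted(intfs & enode_ports):
                findings.append(f"{vlan}: ENode-facing {intf} is fcoe-trusted on a FIP-snooped VLAN")
    return findings

if __name__ == "__main__":
    for finding in lint_fip_security(SAMPLE_CONFIG, ENODE_PORTS):
        print(finding)
```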
Published: 2014-06-30