
Configuring VN2VF_Port FIP Snooping and FCoE Trusted Interfaces on an FCoE Transit Switch

VN_Port to VF_Port (VN2VF_Port) Fibre Channel over Ethernet (FCoE) Initialization Protocol (FIP) snooping uses information gathered during FIP discovery and login to create firewall filters that provide security against unauthorized access to the FC switch or FCoE forwarder (FCF) through the QFX Series or EX4500 when the switch is acting as an FCoE transit switch. The firewall filters allow only FCoE devices that successfully log in to the FC fabric to access the FCF through the transit switch. VN2VF_Port FIP snooping provides security for the point-to-point virtual links that connect host FCoE Nodes (ENodes) and FCFs in the FCoE VLAN by denying access to any device that does not successfully log in to the FCF.

VN2VF_Port FIP snooping is disabled by default. You enable VN2VF_Port FIP snooping on a per-VLAN basis for VLANs that carry FCoE traffic. Ensure that a VLAN that carries FCoE traffic carries only FCoE traffic, because enabling VN2VF_Port FIP snooping denies access for all other Ethernet traffic.

Note: All of the transit switch ports are untrusted by default. If an ENode on an FCoE device logs in to an FCF before you enable VN2VF_Port FIP snooping on the VLAN and you then enable VN2VF_Port FIP snooping, the transit switch denies traffic from the ENode because the transit switch has not snooped (learned) the ENode state. The following process automatically logs the ENode back in to the FCF to reestablish the connection:

  1. VN2VF_Port FIP snooping is enabled on an FCoE VLAN on the switch.
  2. The switch denies existing connections between servers and the FCF on the FCoE VLAN by filtering the FCoE traffic and FIP traffic, so no keepalive messages from the ENodes reach the FCF.
  3. The FCF port timer for each ENode and for each VN_Port on each ENode expires.
  4. The FCF sends each ENode whose port timer has expired a Clear Virtual Links (CVL) message.
  5. The CVL message causes the ENode to log in again.

Because the FCF is a trusted source, you configure interfaces that connect to the FCF as FCoE trusted interfaces. FCoE trusted interfaces do not filter traffic (FIP snooping filtering should occur only at the FCoE access edge), but VN2VF_Port FIP snooping continues to run on trusted interfaces so that the switch learns the FCF state.

Note: Do not configure ENode-facing interfaces both with FIP snooping enabled and as trusted interfaces. FCoE VLANs with interfaces that are directly connected to FCoE hosts should be configured with FIP snooping enabled and the interfaces should not be trusted interfaces. Ethernet interfaces that are connected to an FCF should be configured as trusted interfaces and should not have FIP snooping enabled. Interfaces that are connected to a transit switch that is performing FIP snooping can be configured as trusted interfaces if the FCoE VLAN is not enabled for FIP snooping.

Optionally, you can specify an FC-MAP value for each FCoE VLAN. On a given FCoE VLAN, the switch learns only FCFs that have a matching FC-MAP value. The default FC-MAP value is 0EFC00h for all FC devices. (Enter hexadecimal values for FC-MAP preceded by the hexadecimal indicator “0x”—for example, 0x0EFC00.) If you change the FC-MAP value of an FCF, change the FC-MAP value for the FCoE VLAN it belongs to on the switch and on the servers you want to communicate with the FCF. An FCoE VLAN can have one and only one FC-MAP value.
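As an added illustration (not Juniper code), the following Python model captures the filtering behaviour described above: an untrusted port on a VLAN with VN2VF_Port FIP snooping enabled forwards FCoE traffic only for ENodes whose login the switch has snooped, FCoE trusted interfaces are never filtered, an FCF is learned only when its FC-MAP matches the VLAN's FC-MAP, and changing the FC-MAP drops every login. Interface names and the MAC labels are constructed values.

```python
"""Toy model of VN2VF_Port FIP snooping on an FCoE transit switch VLAN.
Added example, not Juniper code. Interface names and MAC labels are constructed."""
from dataclasses import dataclass, field

DEFAULT_FC_MAP = 0x0EFC00  # default FC-MAP the text gives (0EFC00h)


@dataclass
class FcoeVlan:
    name: str
    fc_map: int = DEFAULT_FC_MAP
    examine_fip: bool = False          # examine-fip / examine-vn2vf
    trusted_ifaces: set = field(default_factory=set)  # fcoe-trusted interfaces
    fcfs: set = field(default_factory=set)            # learned FCF MACs
    sessions: dict = field(default_factory=dict)      # ENode MAC -> FCF MAC

    def snoop_fcf_advertisement(self, fcf_mac, advertised_fc_map):
        # The switch learns an FCF only when its FC-MAP matches the VLAN's.
        if advertised_fc_map == self.fc_map:
            self.fcfs.add(fcf_mac)
        return fcf_mac in self.fcfs

    def snoop_login(self, enode_mac, fcf_mac):
        # A successful FIP login toward a learned FCF opens a virtual link.
        if fcf_mac in self.fcfs:
            self.sessions[enode_mac] = fcf_mac
        return enode_mac in self.sessions

    def set_fc_map(self, new_fc_map):
        # Changing the FC-MAP drops every login; ENodes must log in again.
        self.fc_map = new_fc_map
        self.fcfs.clear()
        self.sessions.clear()

    def permits(self, ingress_iface, src_mac, dst_mac):
        if ingress_iface in self.trusted_ifaces:
            return True   # FCF-facing trusted interface: never filtered
        if not self.examine_fip:
            return True   # snooping off: plain Ethernet forwarding
        # Snooping on, untrusted port: only snooped ENode->FCF links pass.
        return self.sessions.get(src_mac) == dst_mac


def demo():
    vlan = FcoeVlan("san1_vlan", examine_fip=True, trusted_ifaces={"xe-0/0/30"})
    vlan.snoop_fcf_advertisement("fcf-a", 0x0EFC03)   # FC-MAP mismatch: ignored
    vlan.snoop_fcf_advertisement("fcf-a", DEFAULT_FC_MAP)
    vlan.snoop_login("enode-1", "fcf-a")
    return [vlan.permits("xe-0/0/1", "enode-1", "fcf-a"),   # logged in: allowed
            vlan.permits("xe-0/0/2", "enode-2", "fcf-a"),   # not logged in: denied
            vlan.permits("xe-0/0/30", "fcf-a", "enode-1")]  # trusted side: allowed
```

The second `permits` call models the case in the note above: an ENode that logged in before snooping was enabled has no snooped state and is denied until the CVL forces it to log in again.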

Note: The default enhanced FIP snooping scaling supports 2,500 sessions. On QFabric systems, starting with Junos OS Release 13.2X52, you can disable enhanced FIP snooping scaling on a per-VLAN basis if you want to do so, but only 376 sessions are supported if you disable enhanced FIP snooping scaling.

There are differences in the way you configure FIP snooping and FCoE trusted interfaces on a switch that depend on whether the switch uses the original QFX/QFabric CLI (for example, a standalone QFX3500 or QFX3600 switch or a QFabric system Node device) or the Enhanced Layer 2 Software (ELS) CLI (for example, a standalone QFX5100 switch). This topic includes two configuration procedures, one for switches that run the original CLI, and one for switches that run the ELS CLI.

Original CLI Configuration

To enable VN2VF_Port FIP snooping:

  • To enable VN2VF_Port FIP snooping on a single VLAN and specify the optional FC-MAP value:
    [edit ethernet-switching-options secure-access-port]
    user@switch# set vlan vlan-name examine-fip fc-map fc-map-value


    For example, to enable VN2VF_Port FIP snooping on a VLAN named san1_vlan and change the FC-MAP value to 0x0EFC03:

    [edit ethernet-switching-options secure-access-port]
    user@switch# set vlan san1_vlan examine-fip fc-map 0x0EFC03

    Note: Changing the FC-MAP value causes all logins to drop and forces ENodes to log in again.

  • To enable VN2VF_Port FIP snooping on all VLANs and use the default FC-MAP value:
    [edit ethernet-switching-options secure-access-port]
    user@switch# set vlan all examine-fip
  • To configure an interface as an FCoE trusted interface:
    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface interface-name fcoe-trusted


    For example, to configure interface xe-0/0/30 as an FCoE trusted interface:

    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface xe-0/0/30 fcoe-trusted

ELS CLI Configuration

To enable VN2VF_Port FIP snooping:

  • To enable VN2VF_Port FIP snooping on a VLAN and specify the optional FC-MAP value:
    [edit]
    user@switch# set vlans vlan-name forwarding-options fip-security fc-map fc-map-value examine-vn2vf


    For example, to enable VN2VF_Port FIP snooping on a VLAN named san1_vlan and change the FC-MAP value to 0x0EFC03:

    [edit]
    user@switch# set vlans san1_vlan forwarding-options fip-security fc-map 0x0EFC03 examine-vn2vf

    Note: Changing the FC-MAP value causes all logins to drop and forces ENodes to log in again.

  • To configure an interface as an FCoE trusted interface:
    [edit]
    user@switch# set vlans vlan-name forwarding-options fip-security interface interface-name fcoe-trusted


    For example, to configure interface xe-0/0/30 on VLAN named san1_vlan as an FCoE trusted interface:

    [edit]
    user@switch# set vlans san1_vlan forwarding-options fip-security interface xe-0/0/30 fcoe-trusted

Published: 2014-06-30