Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Indirectly Connected Through an Aggregation Layer FCoE Transit Switch)
This example shows how to configure VN_Port to VN_Port (VN2VN_Port) FIP snooping when the hosts are indirectly connected through an aggregation layer FCoE transit switch. Each FCoE host ENode is directly connected to an FCoE transit switch, but the FCoE transit switches are not directly connected to each other. The FCoE transit switches are both connected to a third FCoE transit switch that acts as an aggregation layer switch.
This example uses the Junos OS Enhanced Layer 2 Software (ELS) configuration style for QFX Series switches. For ELS details, see Using the Enhanced Layer 2 Software CLI.
VN2VN_Port FIP snooping on an FCoE transit switch provides security to help prevent unauthorized access and data transmission on a bridge that connects ENodes in the Ethernet network. VN2VN_Port FIP snooping provides security for virtual links by creating filters based on information gathered (snooped) about FCoE devices during FIP transactions.
VN2VN_Port FIP snooping is conceptually similar to VN2VF_Port FIP snooping between VN_Ports and VF_Ports, but VN2VN_Port FIP snooping does not require traffic between VN_Ports to traverse the Fibre Channel (FC) switch or FCoE forwarder (FCF). Instead, a VN_Port communicates transparently through one or more transit switches on a virtual link that emulates a direct connection to the VN_Port at the other end of the virtual link.
To configure VN2VN_Port FIP snooping when the hosts are indirectly connected, you must follow these configuration rules:
VN2VN_Port traffic must use a dedicated FCoE VLAN, and all ENodes that communicate using VN2VN_Port FIP snooping must use that FCoE VLAN. The FCoE VLAN must be configured on each transit switch. You cannot mix VN2VN_Port FIP snooping traffic with VN2VF_Port FIP snooping traffic in the same FCoE VLAN.
Note: An FCoE VLAN can support either VN2VF_Port FIP snooping or VN2VN_Port FIP snooping, but not both. Configure separate FCoE VLANs for VN2VF_Port FIP snooping traffic and for VN2VN_Port FIP snooping traffic. On FCoE VLANs that are configured as VN2VN_Port FIP snooping VLANs, VN_Port to VF_Port traffic is dropped.
ENode-facing ports must be set in trunk interface mode. ENode-facing ports must be untrusted ports.
Network-facing (switch-facing) ports must be set in trunk interface mode. Network-facing ports must be FCoE trusted ports.
Explicitly configure the beacon period. The beacon period is essentially a keepalive timer for virtual link maintenance.
When you enable FIP snooping, the system snoops VN_Port to VF_Port packets and enforces security only on VN_Port to VF_Port virtual links. When you enable VN2VN_Port FIP snooping, the system snoops VN_Port to VN_Port packets and enforces security only on VN_Port to VN_Port virtual links.
The transit switch applies VN2VN_Port FIP snooping filters at the ports associated with the FCoE VLANs on which you enable VN2VN FIP snooping.
This example describes how to configure VN2VN_Port FIP snooping when the FCoE hosts are indirectly connected across an aggregation layer FCoE transit switch:
Requirements
This example uses the following hardware and software components:
Three Juniper Networks QFX5100 Switches running the ELS CLI and used as transit switches
Junos OS Release 13.2 or later for the QFX Series
Two FCoE hosts that have ENodes
Overview
This example shows you how to:
Set the correct interface mode on the transit switch.
Configure the interfaces to use the dedicated FCoE VLAN for VN2VN_Port FIP snooping.
Configure the network-facing interfaces as FCoE trusted interfaces.
Configure the dedicated FCoE VLAN for VN2VN_Port FIP snooping traffic.
Enable VN2VN_Port FIP snooping on the FCoE VLAN and configure the beacon period.
Topology
Table 1 shows the configuration components for this example.
Component | Settings
---|---
Hardware | Three QFX5100 switches running the ELS CLI, two of which are FCoE transit switches directly attached to the FCoE hosts (transit switches TS1 and TS3) and one of which is an aggregation layer FCoE transit switch (TS2); two FCoE hosts that have ENodes (ENode1 and ENode2, respectively)
Interfaces and interface mode | TS1: xe-0/0/20 (ENode1-facing) and xe-0/0/21 (network-facing); TS2: xe-0/0/30 and xe-0/0/31 (both network-facing); TS3: xe-0/0/10 (ENode2-facing) and xe-0/0/11 (network-facing); all interfaces in trunk interface mode
Interface VLAN membership | The interfaces on all three switches use VLAN vlan200
VN2VN_Port FIP snooping VLAN | VLAN name (all three switches): vlan200, VLAN ID 200
FIP snooping mode and beacon period | Set examine-vn2vn on vlan200 with a beacon period of 90000 milliseconds
Figure 1 shows the network topology for this example.
Configuration
To configure VN2VN_Port FIP snooping for VN_Ports that are indirectly connected across an aggregation layer FCoE transit switch, perform these tasks:
- CLI Quick Configuration
- Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS1
- Configuring VN2VN_Port FIP Snooping on Aggregation Layer FCoE Transit Switch TS2
- Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS3
CLI Quick Configuration
To quickly configure VN2VN_Port FIP snooping for FCoE hosts that are indirectly connected across an aggregation layer FCoE transit switch, copy the following commands, paste them in a text file, remove line breaks, change variables and details to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
The configuration for each FCoE transit switch is shown separately.
To configure FCoE transit switch TS1:
set interfaces xe-0/0/20 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/21 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
set vlans vlan200 vlan-id 200
set vlans vlan200 forwarding-options fip-security interface xe-0/0/21 fcoe-trusted
set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000
To configure FCoE transit switch TS2:
set interfaces xe-0/0/30 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/31 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/30 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/31 unit 0 family ethernet-switching vlan members vlan200
set vlans vlan200 vlan-id 200
set vlans vlan200 forwarding-options fip-security interface xe-0/0/30 fcoe-trusted
set vlans vlan200 forwarding-options fip-security interface xe-0/0/31 fcoe-trusted
set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000
To configure FCoE transit switch TS3:
set interfaces xe-0/0/10 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/11 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/10 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/11 unit 0 family ethernet-switching vlan members vlan200
set vlans vlan200 vlan-id 200
set vlans vlan200 forwarding-options fip-security interface xe-0/0/11 fcoe-trusted
set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000
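The configuration rules above (dedicated VLAN with examine-vn2vn and an explicit beacon period, trunk mode everywhere, ENode-facing ports untrusted, network-facing ports fcoe-trusted) can be checked mechanically against a set-style configuration before it is committed. The following Python is an added example, not part of this Juniper page or Junos OS; it embeds the TS1 quick configuration from above as a constructed sample, and the caller supplies which ports face ENodes and which face the network, because the configuration itself does not say.

```python
import re
from collections import defaultdict

# Constructed sample: the TS1 quick-configuration commands from this example.
TS1_CONFIG = """
set interfaces xe-0/0/20 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/21 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
set vlans vlan200 vlan-id 200
set vlans vlan200 forwarding-options fip-security interface xe-0/0/21 fcoe-trusted
set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000
"""

ETHSW = r"^set interfaces (\S+) unit \d+ family ethernet-switching "
MODE_RE = re.compile(ETHSW + r"interface-mode (\S+)$")
MEMBER_RE = re.compile(ETHSW + r"vlan members (\S+)$")
FIPSEC = r"^set vlans (\S+) forwarding-options fip-security "
TRUSTED_RE = re.compile(FIPSEC + r"interface (\S+) fcoe-trusted$")
VN2VN_RE = re.compile(FIPSEC + r"examine-vn2vn(?: beacon-period (\d+))?$")

def check_vn2vn_rules(config, fcoe_vlan, enode_ports, network_ports):
    """Return rule violations (empty list = compliant); the caller says which ports face ENodes vs. the network."""
    mode, members, trusted, vn2vn = {}, defaultdict(set), defaultdict(set), {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := MODE_RE.match(line):
            mode[m[1]] = m[2]                 # interface -> access/trunk
        elif m := MEMBER_RE.match(line):
            members[m[2]].add(m[1])           # vlan -> member interfaces
        elif m := TRUSTED_RE.match(line):
            trusted[m[1]].add(m[2])           # vlan -> fcoe-trusted interfaces
        elif m := VN2VN_RE.match(line):
            vn2vn[m[1]] = m[2]                # vlan -> beacon period (None if omitted)
    findings = []
    if fcoe_vlan not in vn2vn:
        findings.append(f"{fcoe_vlan}: examine-vn2vn is not enabled")
    elif vn2vn[fcoe_vlan] is None:
        findings.append(f"{fcoe_vlan}: beacon-period is not explicitly configured")
    for port in sorted(enode_ports | network_ports):
        if mode.get(port) != "trunk":
            findings.append(f"{port}: interface-mode must be trunk")
        if port not in members[fcoe_vlan]:
            findings.append(f"{port}: not a member of {fcoe_vlan}")
    for port in sorted(enode_ports & trusted[fcoe_vlan]):
        findings.append(f"{port}: ENode-facing port must not be fcoe-trusted")
    for port in sorted(network_ports - trusted[fcoe_vlan]):
        findings.append(f"{port}: network-facing port must be fcoe-trusted")
    return findings
```

Running it on the TS2 or TS3 commands works the same way; for TS2 both ports go in the network-facing set.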
Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS1
Step-by-Step Procedure
To configure interface mode, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, set the network-facing port as FCoE trusted, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:
Configure the modes of the interfaces that connect directly to the FCoE host with ENode1 (xe-0/0/20) and to aggregation layer FCoE transit switch TS2 (xe-0/0/21):
user@switch# set interfaces xe-0/0/20 unit 0 family ethernet-switching interface-mode trunk
user@switch# set interfaces xe-0/0/21 unit 0 family ethernet-switching interface-mode trunk
Configure the interface VLAN membership so that the interfaces are members of the dedicated VN2VN_Port VLAN (vlan200):
user@switch# set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
user@switch# set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:
user@switch# set vlans vlan200 vlan-id 200
Configure the network-facing port (xe-0/0/21) as an FCoE trusted port:
user@switch# set vlans vlan200 forwarding-options fip-security interface xe-0/0/21 fcoe-trusted
Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:
user@switch# set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000
Configuring VN2VN_Port FIP Snooping on Aggregation Layer FCoE Transit Switch TS2
Step-by-Step Procedure
To configure interface mode, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, set the network-facing ports as FCoE trusted, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:
Configure the mode of the interfaces that connect directly to FCoE transit switches TS1 (xe-0/0/31) and TS3 (xe-0/0/30). Both interfaces are network-facing and must be configured as trunk interfaces:
user@switch# set interfaces xe-0/0/30 unit 0 family ethernet-switching interface-mode trunk
user@switch# set interfaces xe-0/0/31 unit 0 family ethernet-switching interface-mode trunk
Configure the interface VLAN membership so that the interfaces are members of the dedicated VN2VN_Port VLAN (vlan200):
user@switch# set interfaces xe-0/0/30 unit 0 family ethernet-switching vlan members vlan200
user@switch# set interfaces xe-0/0/31 unit 0 family ethernet-switching vlan members vlan200
Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:
user@switch# set vlans vlan200 vlan-id 200
Configure the network-facing ports (xe-0/0/30 and xe-0/0/31) as FCoE trusted ports:
user@switch# set vlans vlan200 forwarding-options fip-security interface xe-0/0/30 fcoe-trusted
user@switch# set vlans vlan200 forwarding-options fip-security interface xe-0/0/31 fcoe-trusted
Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:
user@switch# set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000
Configuring VN2VN_Port FIP Snooping on FCoE Transit Switch TS3
Step-by-Step Procedure
To configure interface mode, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, set the network-facing port as FCoE trusted, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:
Configure the mode of the interfaces that connect directly to the FCoE host with ENode2 (xe-0/0/10) and to aggregation layer FCoE transit switch TS2 (xe-0/0/11):
user@switch# set interfaces xe-0/0/10 unit 0 family ethernet-switching interface-mode trunk
user@switch# set interfaces xe-0/0/11 unit 0 family ethernet-switching interface-mode trunk
Configure the interface VLAN membership so that the interfaces are members of the dedicated VN2VN_Port VLAN (vlan200):
user@switch# set interfaces xe-0/0/10 unit 0 family ethernet-switching vlan members vlan200
user@switch# set interfaces xe-0/0/11 unit 0 family ethernet-switching vlan members vlan200
Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:
user@switch# set vlans vlan200 vlan-id 200
Configure the network-facing port (xe-0/0/11) as an FCoE trusted port:
user@switch# set vlans vlan200 forwarding-options fip-security interface xe-0/0/11 fcoe-trusted
Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:
user@switch# set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000
Verification
To verify that the VN2VN_Port FIP snooping configuration has been created and is operating properly on all three switches, perform these tasks:
Verifying That VN2VN_Port FIP Snooping Is Enabled on the FCoE VLAN (All Three Transit Switches)
Purpose
Verify that VN2VN_Port FIP snooping is enabled on the correct VLAN (vlan200), that the beacon period is set to 90000 milliseconds, and that the correct interfaces (xe-0/0/20 and xe-0/0/21 on TS1, xe-0/0/30 and xe-0/0/31 on aggregation layer TS2, and xe-0/0/10 and xe-0/0/11 on TS3) are members of the VLAN.
Action
List the FIP snooping information on transit switch TS1 using the operational mode command show fip snooping detail:
user@switch> show fip snooping detail
VLAN: vlan200, Mode: VN2VN Snooping
FC-MAP: 0e:fc:00
Beacon_Period: 90000
VN2VN Mode: Point-to-Point
Enode Information
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/20
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fc:00:01:0a:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fc:00:01:0b:01
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/21
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fc:00:01:0b:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fc:00:01:0a:01
List the FIP snooping information on aggregation layer transit switch TS2 using the operational mode command show fip snooping detail:
user@switch> show fip snooping detail
VLAN: vlan200, Mode: VN2VN Snooping
FC-MAP: 0e:fc:00
Beacon_Period: 90000
VN2VN Mode: Point-to-Point
Enode Information
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/30
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fc:00:01:0b:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fc:00:01:0a:01
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/31
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fc:00:01:0a:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fc:00:01:0b:01
List the FIP snooping information on transit switch TS3 using the operational mode command show fip snooping detail:
user@switch> show fip snooping detail
VLAN: vlan200, Mode: VN2VN Snooping
FC-MAP: 0e:fd:00
Beacon_Period: 90000
VN2VN Mode: Point-to-Point
Enode Information
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/10
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fd:00:00:0b:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fd:00:00:0a:01
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/11
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fd:00:00:0a:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fd:00:00:0b:01
Meaning
The show fip snooping detail command lists all of the transit switch information about VN2VN_Port FIP snooping and VN2VF_Port FIP snooping on each transit switch. The command shows that:
The VLAN is vlan200.
The FIP snooping mode is VN2VN, for VN2VN_Port FIP snooping. (If the Mode field shows VN2VF, then the FIP snooping mode is VN2VF_Port FIP snooping.)
The beacon period is 90000.
The interfaces connected to the ENodes are xe-0/0/20 and xe-0/0/21 on transit switch TS1, xe-0/0/30 and xe-0/0/31 on aggregation layer transit switch TS2, and xe-0/0/10 and xe-0/0/11 on transit switch TS3. Because the transit switches are transparent passthrough switches, the network-facing trunk ports “see” the FCoE host ENodes at the far end of the VN2VN_Port virtual link.
In addition, this useful command shows information about the ENodes and the VN2VN_Port sessions.
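The Verification checks above (correct VLAN, VN2VN mode, beacon period, expected interfaces with snooped ENodes) can be automated by parsing the show fip snooping detail output. The following Python is an added example, not part of this Juniper page or Junos OS; it embeds the TS1 output shown above as a constructed sample and assumes the field labels appear one per line as they do there.

```python
# Constructed sample: the TS1 output from the Verification section, one field per line.
TS1_OUTPUT = """\
VLAN: vlan200, Mode: VN2VN Snooping
FC-MAP: 0e:fc:00
Beacon_Period: 90000
VN2VN Mode: Point-to-Point
Enode Information
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/20
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fc:00:01:0a:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fc:00:01:0b:01
Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/21
Active VN_Ports : 1
VN_Port Information
VN-Port MAC: 0e:fc:00:01:0b:01
Active Sessions : 1
Session Information
Vlink far-end VN-Port-MAC: 0e:fc:00:01:0a:01
"""

def parse_fip_snooping_detail(text):
    """Return {vlan, mode, beacon_period, sessions}; sessions maps an interface to its (local, far-end) VN_Port MAC pairs."""
    info, iface, vn_port = {"vlan": None, "mode": None, "beacon_period": None, "sessions": {}}, None, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "VLAN":                       # value: "vlan200, Mode: VN2VN Snooping"
            info["vlan"], info["mode"] = [v.strip() for v in value.split(", Mode: ")]
        elif key == "Beacon_Period":
            info["beacon_period"] = int(value)
        elif key == "Enode-MAC":                # value: "<mac>, Interface: xe-0/0/20"
            iface = info["sessions"].setdefault(value.split("Interface: ")[1], [])
        elif key == "VN-Port MAC":
            vn_port = value
        elif key == "Vlink far-end VN-Port-MAC":
            iface.append((vn_port, value))      # one snooped virtual link on this interface
    return info

def verify_vn2vn(info, vlan, beacon_ms, expected_ifaces):
    """Return the checks that fail against the expected values (empty list = all pass)."""
    missing = sorted(set(expected_ifaces) - set(info["sessions"]))
    checks = [
        (info["vlan"] == vlan, f"vlan is {info['vlan']}, expected {vlan}"),
        ((info["mode"] or "").startswith("VN2VN"), f"mode is {info['mode']}, expected VN2VN"),
        (info["beacon_period"] == beacon_ms, f"beacon period is {info['beacon_period']}, expected {beacon_ms}"),
        (not missing, f"interfaces with no snooped ENode: {missing}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

The same two functions apply to the TS2 and TS3 output above with their own interface lists.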