Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to the Same FCoE Transit Switch)
This example shows how to configure VN_Port to VN_Port (VN2VN_Port) FIP snooping when the hosts are directly connected to the same FCoE transit switch.
This example uses the Junos OS Enhanced Layer 2 Software (ELS) configuration style for QFX Series switches. For ELS details, see Using the Enhanced Layer 2 Software CLI.
VN2VN_Port FIP snooping on an FCoE transit switch provides security to help prevent unauthorized access and data transmission on a bridge that connects ENodes in the Ethernet network. VN2VN_Port FIP snooping provides security for virtual links by creating filters based on information gathered (snooped) about FCoE devices during FIP transactions.
VN2VN_Port FIP snooping is conceptually similar to VN2VF_Port FIP snooping between VN_Ports and VF_Ports, but VN2VN_Port FIP snooping does not require traffic between VN_Ports to traverse the Fibre Channel (FC) switch or FCoE forwarder (FCF). Instead, a VN_Port communicates transparently through the transit switch on a virtual link that emulates a direct connection to the VN_Port at the other end of the virtual link.
To configure VN2VN_Port FIP snooping when the hosts are directly connected to the same FCoE transit switch, you must follow these configuration rules:
VN2VN_Port traffic must use a dedicated FCoE VLAN, and all ENodes that communicate using VN2VN_Port FIP snooping must use that FCoE VLAN. You cannot mix VN2VN_Port FIP snooping traffic with VN2VF_Port FIP snooping traffic in the same FCoE VLAN.
Note: An FCoE VLAN can support either VN2VF_Port FIP snooping or VN2VN_Port FIP snooping, but not both. Configure separate FCoE VLANs for VN2VF_Port FIP snooping traffic and for VN2VN_Port FIP snooping traffic. On FCoE VLANs that are configured as VN2VN_Port FIP snooping VLANs, VN_Port to VF_Port (FIP snooping) traffic is dropped.
ENode-facing ports must be set in trunk interface mode. ENode-facing ports must be untrusted ports.
Network-facing (switch-facing) ports must be set in trunk interface mode. Network-facing ports must be FCoE trusted ports.
Explicitly configure the beacon period. The beacon period is essentially a keepalive timer for virtual link maintenance.
When you enable VN2VF_Port FIP snooping, the system snoops VN_Port to VF_Port packets and enforces security only on VN_Port to VF_Port virtual links. When you enable VN2VN_Port FIP snooping, the system snoops VN_Port to VN_Port packets and enforces security only on VN_Port to VN_Port virtual links.
The transit switch applies VN2VN_Port FIP snooping filters at the ports associated with the FCoE VLANs on which you enable VN2VN FIP snooping.
This example describes how to configure VN2VN_Port FIP snooping when the FCoE hosts are directly connected to the same transit switch:
Requirements
This example uses the following hardware and software components:
One Juniper Networks QFX5100 Switch running the ELS CLI and used as a transit switch
Junos OS Release 13.2 or later for the QFX Series
Two FCoE hosts that have ENodes
Overview
This example shows you how to:
Set the correct interface mode on the transit switch.
Configure the interfaces to use the dedicated FCoE VLAN for VN2VN_Port FIP snooping.
Configure the dedicated FCoE VLAN for VN2VN_Port FIP snooping traffic.
Enable VN2VN_Port FIP snooping on the FCoE VLAN and configure the beacon period.
Topology
Table 1 shows the configuration components for this example.
Component | Settings
---|---
Hardware | QFX5100 switch running the ELS CLI (FCoE transit switch TS1); two FCoE hosts that have ENodes (ENode1 and ENode2, respectively)
Interfaces and interface mode | xe-0/0/20 and xe-0/0/21, trunk interface mode
Interface VLAN membership | Both interfaces use VLAN vlan200
VN2VN_Port FIP snooping VLAN | VLAN name vlan200, VLAN ID 200
FIP snooping mode and beacon period | Set examine-vn2vn (VN2VN_Port FIP snooping mode); beacon period 90000 milliseconds
Figure 1 shows the network topology for this example.
Configuration
- CLI Quick Configuration
- Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to the Same FCoE Transit Switch)
CLI Quick Configuration
To quickly configure VN2VN_Port FIP snooping for FCoE hosts connected directly to the same transit switch, copy the following commands, paste them in a text file, remove line breaks, change variables and details to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level:
set interfaces xe-0/0/20 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/21 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
set vlans vlan200 vlan-id 200
set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000
Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to the Same FCoE Transit Switch)
Step-by-Step Procedure
To configure interface mode, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:
Configure the modes of the interfaces that connect directly to the FCoE host ENodes:
user@switch# set interfaces xe-0/0/20 unit 0 family ethernet-switching interface-mode trunk
user@switch# set interfaces xe-0/0/21 unit 0 family ethernet-switching interface-mode trunk
Configure the interface VLAN membership so that the interfaces connected to the ENodes are members of the dedicated VN2VN_Port VLAN (vlan200):
user@switch# set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
user@switch# set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:
user@switch# set vlans vlan200 vlan-id 200
Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:
user@switch# set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000
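The following Python script is an added example, not part of the Juniper documentation, that checks a set of Junos ELS set commands against the configuration rules stated earlier on this page: the FCoE VLAN that carries VN2VN_Port traffic must not also be configured for VN2VF_Port FIP snooping, every interface that is a member of that VLAN must be in trunk interface mode, and the beacon period must be configured explicitly. It assumes examine-vn2vf as the VN2VF counterpart of the examine-vn2vn keyword shown on this page. The sample configuration is constructed from the page's commands plus one access-mode interface (xe-0/0/22) added so the checker has a violation to report. Trusted/untrusted port state does not appear in the commands on this page and is not checked.

```python
"""Lint Junos ELS 'set' commands for the VN2VN_Port FIP snooping rules."""
import re
from collections import defaultdict

# Constructed sample: the page's quick configuration plus a deliberate
# violation (xe-0/0/22 joins vlan200 in access mode instead of trunk mode).
SAMPLE_CONFIG = """
set interfaces xe-0/0/20 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/21 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/20 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/21 unit 0 family ethernet-switching vlan members vlan200
set interfaces xe-0/0/22 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/22 unit 0 family ethernet-switching vlan members vlan200
set vlans vlan200 vlan-id 200
set vlans vlan200 forwarding-options fip-security examine-vn2vn beacon-period 90000
"""

MODE_RE = re.compile(
    r"^set interfaces (\S+) unit \d+ family ethernet-switching interface-mode (\S+)$")
MEMBER_RE = re.compile(
    r"^set interfaces (\S+) unit \d+ family ethernet-switching vlan members (\S+)$")
# examine-vn2vf is assumed to be the VN2VF counterpart of examine-vn2vn.
FIP_RE = re.compile(
    r"^set vlans (\S+) forwarding-options fip-security (examine-vn2vn|examine-vn2vf)"
    r"(?: beacon-period (\d+))?$")


def parse_set_config(text):
    """Return (interface -> mode, vlan -> member interfaces, vlan -> {fip kind: beacon})."""
    modes = {}
    members = defaultdict(set)
    fip = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := MODE_RE.match(line):
            modes[m.group(1)] = m.group(2)
        elif m := MEMBER_RE.match(line):
            members[m.group(2)].add(m.group(1))
        elif m := FIP_RE.match(line):
            vlan, kind, beacon = m.groups()
            fip[vlan][kind] = int(beacon) if beacon else None
    return modes, members, fip


def check_vn2vn_rules(text):
    """Return a list of rule violations for every VLAN with VN2VN FIP snooping enabled."""
    modes, members, fip = parse_set_config(text)
    findings = []
    for vlan, kinds in fip.items():
        if "examine-vn2vn" not in kinds:
            continue
        # Rule: a VN2VN FCoE VLAN must not also carry VN2VF FIP snooping.
        if "examine-vn2vf" in kinds:
            findings.append(f"{vlan}: VN2VN and VN2VF FIP snooping on the same FCoE VLAN")
        # Rule: the beacon period (virtual link keepalive) must be configured explicitly.
        if kinds["examine-vn2vn"] is None:
            findings.append(f"{vlan}: beacon-period not explicitly configured")
        # Rule: ENode-facing and network-facing ports on the VLAN must be trunk mode.
        for ifname in sorted(members.get(vlan, ())):
            mode = modes.get(ifname)
            if mode != "trunk":
                findings.append(f"{vlan}: {ifname} is in {mode or 'unset'} mode, must be trunk")
    return findings


if __name__ == "__main__":
    for finding in check_vn2vn_rules(SAMPLE_CONFIG):
        print(finding)
```

Run against a candidate configuration before committing it; an empty result means the three checked rules hold.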
Verification
To verify that the VN2VN_Port FIP snooping configuration has been created and is operating properly, perform these tasks:
Verifying That VN2VN_Port FIP Snooping is Enabled on the FCoE VLAN
Purpose
Verify that VN2VN_Port FIP snooping is enabled on the correct VLAN (vlan200), the beacon period is set to 90000 milliseconds, and the correct interfaces (xe-0/0/20 and xe-0/0/21) are members of the VLAN.
Action
List the FIP snooping information using the operational mode command show fip snooping detail.
user@switch> show fip snooping detail
VLAN: vlan200, Mode: VN2VN Snooping
FC-MAP: 0e:fd:00
Beacon_Period: 90000
VN2VN Mode: Point-to-Point
Enode Information
  Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/20
  Active VN_Ports : 1
  VN_Port Information
    VN-Port MAC: 0e:fd:00:00:0a:01
    Active Sessions : 1
    Session Information
      Vlink far-end VN-Port-MAC: 0e:fd:00:00:0b:01
  Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/21
  Active VN_Ports : 1
  VN_Port Information
    VN-Port MAC: 0e:fd:00:00:0b:01
    Active Sessions : 1
    Session Information
      Vlink far-end VN-Port-MAC: 0e:fd:00:00:0a:01
Meaning
The show fip snooping detail command lists all of the transit switch information about VN2VN_Port FIP snooping and VN2VF_Port FIP snooping. The command shows that:
The VLAN is vlan200.
The FIP snooping mode is VN2VN, for VN2VN_Port FIP snooping. (If the Mode field shows VN2VF, then the FIP snooping mode is VN2VF_Port FIP snooping.)
The beacon period is 90000.
The interfaces for the ENodes are xe-0/0/20 and xe-0/0/21.
In addition, this useful command shows information about the ENodes and the VN2VN_Port sessions.
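The following Python script is an added example, not part of the Juniper documentation, that parses show fip snooping detail output and reports deviations from the intended state described in this Verification section: the VLAN is present, its mode is VN2VN, the beacon period is 90000, ENodes have been learned on exactly the expected interfaces, and every far-end VN_Port MAC on a virtual link belongs to a VN_Port the switch itself has snooped. The sample output is constructed from the page's example (the MAC addresses are the page's illustrative values); the field layout the parser expects is assumed from that sample and may differ on other releases.

```python
"""Parse 'show fip snooping detail' output and compare it with the intended VN2VN state."""
import re

# Constructed sample modeled on the page's verification output.
SAMPLE_OUTPUT = """\
VLAN: vlan200, Mode: VN2VN Snooping
FC-MAP: 0e:fd:00
Beacon_Period: 90000
VN2VN Mode: Point-to-Point
Enode Information
  Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/20
  Active VN_Ports : 1
  VN_Port Information
    VN-Port MAC: 0e:fd:00:00:0a:01
    Active Sessions : 1
    Session Information
      Vlink far-end VN-Port-MAC: 0e:fd:00:00:0b:01
  Enode-MAC: 10:10:94:01:00:02, Interface: xe-0/0/21
  Active VN_Ports : 1
  VN_Port Information
    VN-Port MAC: 0e:fd:00:00:0b:01
    Active Sessions : 1
    Session Information
      Vlink far-end VN-Port-MAC: 0e:fd:00:00:0a:01
"""


def parse_fip_snooping(text):
    """Return a list of VLAN records: {vlan, mode, fc_map, beacon, enodes[...]}."""
    vlans = []
    cur = None    # VLAN record currently being filled
    enode = None  # ENode record currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"VLAN: (\S+), Mode: (VN2VN|VN2VF) Snooping", line):
            cur = {"vlan": m.group(1), "mode": m.group(2),
                   "fc_map": None, "beacon": None, "enodes": []}
            vlans.append(cur)
        elif m := re.match(r"FC-MAP: (\S+)", line):
            cur["fc_map"] = m.group(1)
        elif m := re.match(r"Beacon_Period: (\d+)", line):
            cur["beacon"] = int(m.group(1))
        elif m := re.match(r"Enode-MAC: (\S+), Interface: (\S+)", line):
            enode = {"mac": m.group(1), "interface": m.group(2), "vn_ports": []}
            cur["enodes"].append(enode)
        elif m := re.match(r"VN-Port MAC: (\S+)", line):
            enode["vn_ports"].append({"mac": m.group(1), "far_end": []})
        elif m := re.match(r"Vlink far-end VN-Port-MAC: (\S+)", line):
            enode["vn_ports"][-1]["far_end"].append(m.group(1))
    return vlans


def verify_vn2vn(text, vlan, beacon_ms, interfaces):
    """Return deviations from the intended state; an empty list means the VLAN checks out."""
    findings = []
    records = [v for v in parse_fip_snooping(text) if v["vlan"] == vlan]
    if not records:
        return [f"{vlan}: not present in FIP snooping output"]
    v = records[0]
    if v["mode"] != "VN2VN":
        findings.append(f"{vlan}: mode is {v['mode']}, expected VN2VN")
    if v["beacon"] != beacon_ms:
        findings.append(f"{vlan}: beacon period {v['beacon']}, expected {beacon_ms}")
    seen = {e["interface"] for e in v["enodes"]}
    for missing in sorted(set(interfaces) - seen):
        findings.append(f"{vlan}: no ENode learned on {missing}")
    for extra in sorted(seen - set(interfaces)):
        findings.append(f"{vlan}: unexpected ENode on {extra}")
    # Each virtual link's far end should be a VN_Port this switch has snooped;
    # a far-end MAC it has never seen deserves a closer look.
    known = {p["mac"] for e in v["enodes"] for p in e["vn_ports"]}
    for e in v["enodes"]:
        for p in e["vn_ports"]:
            for far in p["far_end"]:
                if far not in known:
                    findings.append(f"{vlan}: {p['mac']} has virtual link to unknown VN_Port {far}")
    return findings


if __name__ == "__main__":
    result = verify_vn2vn(SAMPLE_OUTPUT, "vlan200", 90000, ["xe-0/0/20", "xe-0/0/21"])
    print("OK" if not result else "\n".join(result))
```

Feed it the captured command output for the VLAN, beacon period and interfaces you intended to configure; the check is most useful run periodically so that an ENode appearing on an unexpected port is noticed.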