Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to the Same FCoE Transit Switch)

This example shows how to configure VN_Port to VN_Port (VN2VN_Port) FIP snooping when the hosts are directly connected to the same FCoE transit switch.

Note:

This example uses the Junos OS Enhanced Layer 2 Software (ELS) configuration style for QFX Series switches. For ELS details, see Using the Enhanced Layer 2 Software CLI.

VN2VN_Port FIP snooping on an FCoE transit switch provides security to help prevent unauthorized access and data transmission on a bridge that connects ENodes in the Ethernet network. VN2VN_Port FIP snooping provides security for virtual links by creating filters based on information gathered (snooped) about FCoE devices during FIP transactions.

VN2VN_Port FIP snooping is conceptually similar to VN2VN_Port FIP snooping between VN_Ports and VF_Ports, but VN2VN_Port FIP snooping does not require traffic between VN_Ports to traverse the Fibre Channel (FC) switch or FCoE forwarder (FCF). Instead, a VN_Port communicates transparently through the transit switch on a virtual link that emulates a direct connection to the VN_Port at the other end of the virtual link.

To configure VN2VN_Port FIP snooping when the hosts are directly connected to the same FCoE transit switch, you must follow these configuration rules:

  • VN2VN_Port traffic must use a dedicated FCoE VLAN, and all ENodes that communicate using VN2VN_Port FIP snooping must use that FCoE VLAN. You cannot mix VN2VN_Port FIP snooping traffic with VN2VF_Port FIP snooping traffic in the same FCoE VLAN.

    Note:

    An FCoE VLAN can support either VN2VF_Port FIP snooping or VN2VN_Port FIP snooping, but not both. Configure separate FCoE VLANs for VN2VF_Port FIP snooping traffic and for VN2VN_Port FIP snooping traffic. On FCoE VLANs that are configured as VN2VN_Port FIP snooping VLANs, VN_Port to VF_Port (FIP snooping) traffic is dropped.

  • ENode-facing ports must be set in trunk interface mode.

  • ENode-facing ports must be untrusted ports.

  • Network-facing (switch-facing) ports must be set in trunk interface mode.

  • Network-facing ports must be FCoE trusted ports.

  • Explicitly configure the beacon period. The beacon period is essentially a keepalive timer for virtual link maintenance.

When you enable VN2VF_Port FIP snooping, the system snoops VN_Port to VF_Port packets and enforces security only on VN_Port to VF_Port virtual links. When you enable VN2VN_Port FIP snooping, the system snoops VN_Port to VN_Port packets and enforces security only on VN_Port to VN_Port virtual links.

The transit switch applies VN2VN_Port FIP snooping filters at the ports associated with the FCoE VLANs on which you enable VN2VN FIP snooping.

This example describes how to configure VN2VN_Port FIP snooping when the FCoE hosts are directly connected to the same transit switch:

Requirements

This example uses the following hardware and software components:

  • One Juniper Networks QFX5100 Switch running the ELS CLI and used as a transit switch

  • Junos OS Release 13.2 or later for the QFX Series

  • Two FCoE hosts that have ENodes

Overview

This example shows you how to:

  • Set the correct interface mode on the transit switch.

  • Configure the interfaces to use the dedicated FCoE VLAN for VN2VN_Port FIP snooping.

  • Configure the dedicated FCoE VLAN for VN2VN_Port FIP snooping traffic.

  • Enable VN2VN_Port FIP snooping on the FCoE VLAN and configure the beacon period.

Topology

Table 1 shows the configuration components for this example.

Table 1: Components of the VN2VN_Port FIP Snooping Configuration Topology (FCoE Hosts Directly Connected to the Same FCoE Transit Switch)

Component

Settings

Hardware

QFX5100 switch running the ELS CLI (FCoE transit switch TS1)

Two FCoE hosts that have ENodes (ENode1 and ENode2, respectively)

Interfaces and interface mode

  • Interface xe-0/0/20, interface mode trunk, connects directly to the FCoE host with ENode1.

  • Interface xe-0/0/21, interface mode trunk, connects directly to the FCoE host with ENode2.

Interface VLAN membership

Both interfaces use VLAN vlan200.

VN2VN_Port FIP snooping VLAN

VLAN name—vlan200VLAN ID—200

FIP snooping mode and beacon period

Set examine-vn2vn (VN2VN_Port FIP snooping)Beacon period—90000 ms

Figure 1 shows the network topology for this example.

Figure 1: VN2VN_Port FIP Snooping (FCoE Hosts Connected to Same Transit Switch) Topology VN2VN_Port FIP Snooping (FCoE Hosts Connected to Same Transit Switch) Topology

Configuration

CLI Quick Configuration

To quickly configure VN2VN_Port FIP snooping for FCoE hosts connected directly to the same transit switch, copy the following commands, paste them in a text file, remove line breaks, change variables and details to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level:

Configuring VN2VN_Port FIP Snooping (FCoE Hosts Directly Connected to the Same FCoE Transit Switch)

Step-by-Step Procedure

To configure interface mode, configure interface VLAN membership in the FCoE VLAN dedicated to VN2VN_Port traffic, configure the VLAN, set the beacon period, and enable VN2VN_Port FIP snooping:

  1. Configure the modes of the interfaces that connect directly to the FCoE host ENodes:

  2. Configure the interface VLAN membership so that the interfaces connected to theENodes are members of the dedicated VN2VN_Port VLAN (vlan200):

  3. Configure the FCoE VLAN dedicated to VN2VN_Port FIP snooping:

  4. Enable VN2VN_Port FIP snooping on the VLAN and configure the beacon period:

Verification

To verify that the VN2VN_Port FIP snooping configuration has been created and is operating properly, perform these tasks:

Verifying That VN2VN_Port FIP Snooping is Enabled on the FCoE VLAN

Purpose

Verify that VN2VN_Port FIP snooping is enabled on the correct VLAN (vlan200), the beacon period is set to 90000 milliseconds, and the correct interfaces (xe-0/0/20 and xe-0/0/21) are members of the VLAN.

Action

List the FIP snooping information using the operational mode command show fip snooping detail.

Meaning

The show fip snooping detail command lists all of the transit switch information about VN2VN_Port FIP snooping and VN2VF_Port FIP snooping. The command shows that:

  • The VLAN is vlan200.

  • The mode is FIP snooping mode VN2VN, for VN2VN_Port FIP snooping. (If the Mode field shows VN2VF, then the FIP snooping mode is VN2VF_Port FIP snooping.)

  • The beacon period is 90000.

  • The interfaces for the ENodes are xe-0/0/20 and xe-0/0/21.

In addition, this useful command shows information about the ENodes and the VN2VN_Port sessions.