Fip Snooping Implementation; Server Enode-Facing Interfaces; Fcf-Facing Interfaces; Fcoe Mapped Address Prefix - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual

FIP Snooping Implementation

Copyright © 2010, Juniper Networks, Inc.
You enable FIP snooping on a per-VLAN basis. The FCoE transit switch snoops FIP frames
at the access ports associated with the FIP snooping-enabled VLANs, then installs the
resulting firewall filters on the access ports to ensure that all snooping occurs on the
FCoE transit switch network edge.
FCoE VLANs can include both access ports and trunk ports. Access ports face the hosts
(FCoE servers and other FCoE initiators), and trunk ports face the FCF. When FIP snooping
is enabled, the FCoE transit switch inspects both FIP frames and FCoE frames.
The FIP snooping implementation includes these considerations:
Server ENode-Facing Interfaces on page 3581
FCF-Facing Interfaces on page 3581
FCoE Mapped Address Prefix on page 3581

Server ENode-Facing Interfaces

We recommend that you enable FIP snooping on all FCoE access ports to ensure secure
connections to FCFs. After you enable FIP snooping on an FCoE VLAN, the transit switch
denies FCoE traffic from any server on that VLAN until the server performs a valid fabric
login with an FCF.

FCF-Facing Interfaces

You must configure the interface that you are using to connect to an FCF as FCoE trusted
interface, and it must be a 10 Gigabit Ethernet interface.
An FCoE trusted interface receives FCoE traffic only from an FCF. The following conditions
apply to FCFs and FCF-facing interfaces:
By default, FCFs are trusted entities.
The FCoE transit switch always processes FCF frames because they come from a
trusted source.

FCoE Mapped Address Prefix

When you enable FIP snooping on a VLAN, optionally you can specify the FCoE Mapped
Address Prefix (FC-MAP) value for that VLAN if the network uses the fabric-provided
MAC address (FPMA) addressing scheme. The FC-MAP value is a 24-bit value that
identifies the FCF. The FCF combines the FC-MAP value with a unique 24-bit Fibre Channel
ID (FCID) value for the server during the fabric login process, creating a unique 48-bit
identifier. The FCF assigns the 48-bit value to the server ENode as its MAC address and
unique identifier for the session. Each server session the ENode establishes with the FCF
receives a unique FCID, so a server can host multiple virtual links to an FCF, each with a
unique 48-bit address identifier.
The FIP snooping filter compares the configured FC-MAP value with the FC-MAP value
in the header of frames coming from the server. If the values do not match, the FCoE
transit switch denies access.
Chapter 127: Fibre Channel over Ethernet (FCoE)—Overview
3581