About Fabric Binding
The fabric binding feature ensures ISLs are only enabled between specified switches in the fabric binding configuration. Fabric binding is configured on a per-VSAN basis.
This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. It uses the Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of authorized switches is identical in all switches in the fabric.
This section has the following topics:
Licensing Requirements
Fabric binding requires that you install either the MAINFRAME_PKG license or the ENTERPRISE_PKG license on your switch.
See the Cisco MDS 9000 Family NX-OS Licensing Guide for more information on license feature support and installation.
Port Security Versus Fabric Binding
Port security and fabric binding are two independent features that can be configured to complement each other. The following table compares the two features.
Fabric Binding |
Port Security |
---|---|
Binds the fabric at the switch level. |
Binds devices at the interface level. |
Authorizes only the configured sWWN stored in the fabric binding database to participate in the fabric. |
Allows a preconfigured set of Fibre Channel devices to logically connect to a SAN ports. The switch port, identified by a WWN or interface number, connects to a Fibre Channel device (a host or another switch), also identified by a WWN. By binding these two devices, you lock these two ports into a group (or list). |
Requires activation on a per VSAN basis. |
Requires activation on a per VSAN basis. |
Allows specific user-defined switches that are allowed to connect to the fabric, regardless of the physical port to which the peer switch is connected. |
Allows specific user-defined physical ports to which another device can connect. |
Does not learn about switches that are logging in. |
Learns about switches or devices that are logging in if learning mode is enabled. |
Cannot be distributed by CFS and must be configured manually on each switch in the fabric. |
Can be distributed by CFS. |
Uses a set of sWWNs and a persistent domain ID. |
Uses pWWNs/nWWNs or fWWNs/sWWNs. |
Port-level checking for xE ports is as follows:
- The switch login uses both port security binding and fabric binding for a given VSAN.
- Binding checks are
performed on the port VSAN as follows:
- E port security binding check on port VSAN
- TE port security binding check on each allowed VSAN
While port security complements fabric binding, they are independent features and can be enabled or disabled separately.
Fabric Binding Enforcement
To enforce fabric binding, configure the switch world wide name (sWWN) to specify the xE port connection for each switch. Enforcement of fabric binding policies are done on every activation and when the port tries to come up. In a FICON VSAN, the fabric binding feature requires all sWWNs connected to a switch and their persistent domain IDs to be part of the fabric binding active database. In a Fibre Channel VSAN, only the sWWN is required; the domain ID is optional.
Note |
All switches in a Fibre Channel VSAN using fabric binding must be running Cisco MDS SAN-OS Release 3.0(1) and NX-OS Release 4.1(1b) or later. |