Configuring Fabric Binding
This chapter describes the fabric binding feature provided in Cisco Nexus 5000 Series switches.
Information About Fabric Binding
The fabric binding feature ensures that ISLs are only enabled between specified switches in the fabric. Fabric binding is configured on a per-VSAN basis.
This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. It uses the Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of authorized switches is identical in all switches in the fabric.
Licensing Requirements
Fabric Binding requires the Storage Protocol Services license. For additional information, see Chapter 1, “Managing Licenses”.
Port Security Versus Fabric Binding
Port security and fabric binding are two independent features that can be configured to complement each other. Table 1-1 compares the two features.
Port-level checking for xE ports is as follows:
- The switch login uses both port security binding and fabric binding for a given VSAN.
- Binding checks are performed on the port VSAN as follows:
  - E port security binding check on port VSAN
  - TE port security binding check on each allowed VSAN
While port security complements fabric binding, they are independent features and can be enabled or disabled separately.
Fabric Binding Enforcement
To enforce fabric binding, configure the switch world wide name (sWWN) to specify the xE port connection for each switch. Fabric binding policies are enforced on every activation and when the port tries to come up. For a Fibre Channel VSAN, the fabric binding feature requires all sWWNs connected to a switch to be part of the fabric binding active database.
Configuring Fabric Binding
The fabric binding feature ensures ISLs are only enabled between specified switches in the fabric binding configuration. Fabric binding is configured on a per-VSAN basis.
This section includes the following topics:
- Configuring Fabric Binding
- Enabling Fabric Binding
- About Switch WWN Lists
- Configuring Switch WWN List
- About Fabric Binding Activation and Deactivation
- Activating Fabric Binding
- Forcing Fabric Binding Activation
- Copying Fabric Binding Configurations
- Clearing the Fabric Binding Statistics
- Deleting the Fabric Binding Database
Configuring Fabric Binding
To configure fabric binding in each switch in the fabric, perform this task:
Step 1 Enable the fabric configuration feature.
Step 2 Configure a list of sWWNs and their corresponding domain IDs for devices that are allowed to access the fabric.
Step 3 Activate the fabric binding database.
Step 4 Copy the fabric binding active database to the fabric binding configuration database.
Step 5 Save the fabric binding configuration.
Step 6 Verify the fabric binding configuration.
Enabling Fabric Binding
The fabric binding feature must be enabled in each switch in the fabric that participates in the fabric binding. By default, this feature is disabled in Cisco Nexus 5000 Series switches. The configuration and verification commands for the fabric binding feature are only available when fabric binding is enabled on a switch. When you disable this configuration, all related configurations are automatically discarded.
To enable fabric binding on any participating switch, perform this task:
Verify the status of the fabric binding feature of a fabric binding-enabled switch by entering the show fabric-binding status command:
About Switch WWN Lists
A user-specified fabric binding list contains a list of switch WWNs (sWWNs) within a fabric. If an sWWN attempts to join the fabric, and that sWWN is not on the list or the sWWN is using a domain ID that differs from the one specified in the allowed list, the ISL between the switch and the fabric is automatically isolated in that VSAN and the switch is denied entry into the fabric.
Configuring Switch WWN List
To configure a list of sWWNs and optional domain IDs for a Fibre Channel VSAN, perform this task:
This example configures the sWWN of another switch to the configured database list for domain ID 3:
About Fabric Binding Activation and Deactivation
The fabric binding feature maintains a configuration database (config database) and an active database. The config database is a read-write database that collects the configurations you perform. These configurations are only enforced upon activation. This activation overwrites the active database with the contents of the config database. The active database is read-only and is the database that checks each switch that attempts to log in.
By default, the fabric binding feature is not activated. You cannot activate the fabric binding database on the switch if entries existing in the config database conflict with the current state of the fabric. For example, one of the already logged in switches may be denied login by the config database. You can choose to forcefully override these situations.
Note: After activation, any already logged in switch that violates the current active database will be logged out, and all switches that were previously denied login because of fabric binding restrictions are reinitialized.
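The following Python model is an added illustration, not Cisco code or output from this guide. It reproduces the sWWN and domain ID check described in About Switch WWN Lists together with the config and active database behavior described above, including rejected and forced activation. The class, function names, and sWWN values are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sWWNs for the example; not taken from any real fabric.
SW_A, SW_B, SW_C = ("20:00:00:0d:ec:00:00:0a", "20:00:00:0d:ec:00:00:0b",
                    "20:00:00:0d:ec:00:00:0c")

def check(db, swwn, domain):
    """Return None if the database admits the switch, else the violation reason."""
    if swwn not in db:
        return "sWWN not found"
    pinned = db[swwn]                      # None models an entry with no domain ID
    if pinned is not None and pinned != domain:
        return "domain ID mismatch"
    return None

@dataclass
class VsanBinding:
    config: dict = field(default_factory=dict)     # read-write config database
    active: dict = field(default_factory=dict)     # read-only active database
    activated: bool = False                        # not activated by default
    logged_in: dict = field(default_factory=dict)  # sWWN -> domain ID of current peers
    denied: dict = field(default_factory=dict)     # peers isolated by fabric binding

    def login(self, swwn, domain):
        reason = check(self.active, swwn, domain) if self.activated else None
        if reason:
            self.denied[swwn] = domain             # ISL isolated in this VSAN
        else:
            self.logged_in[swwn] = domain
        return reason

    def activate(self, force=False):
        conflicts = {s: r for s, d in self.logged_in.items()
                     if (r := check(self.config, s, d))}
        if conflicts and not force:
            return False, conflicts                # rejected; active database unchanged
        self.active, self.activated = dict(self.config), True
        retry, self.denied = self.denied, {}
        for s in conflicts:                        # violators are logged out
            self.denied[s] = self.logged_in.pop(s)
        for s, d in retry.items():                 # previously denied peers reinitialize
            self.login(s, d)
        return True, conflicts

def demo():
    v = VsanBinding(config={SW_A: 1, SW_B: 3}, logged_in={SW_A: 1, SW_B: 2})
    rejected = v.activate()                # SW_B is up with domain 2, config says 3
    forced = v.activate(force=True)        # activation proceeds, SW_B is logged out
    late = v.login(SW_C, 4)                # SW_C is not in the active database
    return rejected, forced, late, sorted(v.logged_in), sorted(v.denied)
```

The model shows why a forced activation deserves review first: the same conflict list that causes the rejection names the switches that will lose their ISLs.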
Activating Fabric Binding
To activate the fabric binding feature, perform this task:
- Activates the fabric binding database for the specified VSAN.
- Deactivates the fabric binding database for the specified VSAN.
Forcing Fabric Binding Activation
If the database activation is rejected due to one or more conflicts listed in the previous section, you may decide to proceed with the activation by using the force option.
To forcefully activate the fabric binding database, perform this task:
Copying Fabric Binding Configurations
When you copy the fabric binding configuration, the config database is saved to the running configuration.
You can use the following commands to copy to the config database:
- Use the fabric-binding database copy vsan command to copy from the active database to the config database. If the configured database is empty, this command is not accepted.
- Use the fabric-binding database diff active vsan command to view the differences between the active database and the config database. This command can be used when resolving conflicts.
- Use the fabric-binding database diff config vsan command to obtain information on the differences between the config database and the active database.
- Use the copy running-config startup-config command to save the running configuration to the startup configuration so that the fabric binding config database is available after a reboot.
Clearing the Fabric Binding Statistics
Use the clear fabric-binding statistics command to clear all existing statistics from the fabric binding database for a specified VSAN.
Deleting the Fabric Binding Database
Use the no fabric-binding command in configuration mode to delete the configured database for a specified VSAN.
Verifying Fabric Binding Information
To display fabric binding information, perform one of the following tasks:
The following example displays the active fabric binding information for VSAN 4:
The following example displays fabric binding violations:
Note: In VSAN 3, the sWWN was not found in the list. In VSAN 2, the sWWN was found in the list, but has a domain ID mismatch.
The following example displays EFMD Statistics for VSAN 4:
Default Settings
Table 1-2 lists the default settings for the fabric binding feature.