Configuring Fabric Binding


This chapter describes the fabric binding feature provided in Cisco Nexus 5000 Series switches. It includes the following sections:

Information About Fabric Binding

Configuring Fabric Binding

Default Settings

Information About Fabric Binding

The fabric binding feature ensures that ISLs are only enabled between specified switches in the fabric. Fabric binding is configured on a per-VSAN basis.

This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. It uses the Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of authorized switches is identical in all switches in the fabric.

This section includes the following topics:

Licensing Requirements

Port Security Versus Fabric Binding

Fabric Binding Enforcement

Licensing Requirements

Fabric Binding requires the Storage Protocol Services license. For additional information, refer to the Nexus 5000 Series Switch CLI Software Configuration Guide.

Port Security Versus Fabric Binding

Port security and fabric binding are two independent features that can be configured to complement each other. Table 25-1 compares the two features.

Table 25-1 Fabric Binding and Port Security Comparison

Fabric Binding | Port Security
--- | ---
Uses a set of sWWNs and a persistent domain ID. | Uses pWWNs/nWWNs or fWWNs/sWWNs.
Binds the fabric at the switch level. | Binds devices at the interface level.
Authorizes only the configured sWWN stored in the fabric binding database to participate in the fabric. | Allows a preconfigured set of Fibre Channel devices to logically connect to a SAN port. The switch port, identified by a WWN or interface number, connects to a Fibre Channel device (a host or another switch), also identified by a WWN. By binding these two devices, you lock these two ports into a group (or list).
Requires activation on a per VSAN basis. | Requires activation on a per VSAN basis.
Allows specific user-defined switches that are allowed to connect to the fabric, regardless of the physical port to which the peer switch is connected. | Allows specific user-defined physical ports to which another device can connect.
Does not learn about switches that are logging in. | Learns about switches or devices that are logging in if learning mode is enabled.
Cannot be distributed by CFS and must be configured manually on each switch in the fabric. | Can be distributed by CFS.


Port-level checking for xE ports is as follows:

The switch login uses both port security binding and fabric binding for a given VSAN.

Binding checks are performed on the port VSAN as follows:

E port security binding check on port VSAN

TE port security binding check on each allowed VSAN

While port security complements fabric binding, they are independent features and can be enabled or disabled separately.

Fabric Binding Enforcement

To enforce fabric binding, configure the switch world wide name (sWWN) to specify the xE port connection for each switch. Fabric binding policies are enforced on every activation and whenever a port tries to come up. For a Fibre Channel VSAN, the fabric binding feature requires all sWWNs connected to a switch to be part of the fabric binding active database.

Configuring Fabric Binding

The fabric binding feature ensures ISLs are only enabled between specified switches in the fabric binding configuration. Fabric binding is configured on a per-VSAN basis.

This section includes the following topics:

Configuring Fabric Binding

Enabling Fabric Binding

About Switch WWN Lists

Configuring Switch WWN List

About Fabric Binding Activation and Deactivation

Activating Fabric Binding

Forcing Fabric Binding Activation

Copying Fabric Binding Configurations

Creating a Fabric Binding Configuration

Deleting a Fabric Binding Configuration

Copying Fabric Binding to the Configuration File

Viewing EFMD Statistics

Viewing Fabric Binding Violations

Viewing Fabric Binding Active Database

Saving Fabric Binding Configurations

Clearing the Fabric Binding Statistics

Deleting the Fabric Binding Database

Configuring Fabric Binding

To configure fabric binding in each switch in the fabric, perform this task:


Step 1 Enable the fabric configuration feature.

Step 2 Configure a list of sWWNs and their corresponding domain IDs for devices that are allowed to access the fabric.

Step 3 Activate the fabric binding database.

Step 4 Copy the fabric binding active database to the fabric binding configuration database.

Step 5 Save the fabric binding configuration.

Step 6 Verify the fabric binding configuration.


Enabling Fabric Binding

The fabric binding feature must be enabled in each switch in the fabric that participates in the fabric binding. By default, this feature is disabled in Cisco Nexus 5000 Series switches. The configuration and verification commands for the fabric binding feature are only available when fabric binding is enabled on a switch. When you disable this configuration, all related configurations are automatically discarded.

To enable fabric binding on any participating switch using Fabric Manager, perform this task:


Step 1 Expand the VSAN with the switches on which you want to enable fabric binding in the Logical Domains pane. Expand Fabric Binding (see Figure 25-1).

Figure 25-1 Fabric Binding Configuration

The Control tab is the default tab in the Information pane.

Step 2 From the Command drop-down list, choose enable or disable to enable or disable Fabric Binding on the switch.

Step 3 Click the Apply Changes icon to save your changes.


About Switch WWN Lists

A user-specified fabric binding list contains a list of switch WWNs (sWWNs) within a fabric. If an sWWN attempts to join the fabric, and that sWWN is not on the list or the sWWN is using a domain ID that differs from the one specified in the allowed list, the ISL between the switch and the fabric is automatically isolated in that VSAN and the switch is denied entry into the fabric.

Configuring Switch WWN List

To configure a list of sWWNs and domain IDs for a FICON VSAN using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding (see Figure 25-1).

Step 2 Ensure that fabric binding is enabled for the selected VSAN.

Step 3 Click the Config Database tab in the Information pane.

Step 4 Click Create Row.

You see the Create Config Database dialog box as shown in Figure 25-2.

Figure 25-2 Create Config Database Dialog Box

Step 5 Select the switches that you want to add.

Step 6 Add the sWWN and domain ID of a switch to the configured database list.

You can add the sWWN and the domain ID of more than one switch to the configured database list.

Step 7 Click Create.


About Fabric Binding Activation and Deactivation

The fabric binding feature maintains a configuration database (config database) and an active database. The config database is a read-write database that collects the configurations you perform. These configurations are only enforced upon activation. This activation overwrites the active database with the contents of the config database. The active database is read-only and is the database that checks each switch that attempts to log in.

By default, the fabric binding feature is not activated. You cannot activate the fabric binding database on the switch if entries existing in the config database conflict with the current state of the fabric. For example, one of the already logged in switches may be denied login by the config database. You can choose to forcefully override these situations.


Note: After activation, any already logged in switch that violates the current active database will be logged out, and all switches that were previously denied login because of fabric binding restrictions are reinitialized.
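The membership check from "About Switch WWN Lists" and the activation behavior described in this section, modeled as an added example (not Cisco code and not part of the original guide). The class, method names, sWWNs and domain IDs are constructed for illustration; the model leaves out EFMD and per-port state.

```python
# Added illustration: a simplified model of the checks described above,
# not Cisco's implementation. All sWWNs and domain IDs are constructed.

class FabricBinding:
    def __init__(self):
        self.config = {}  # VSAN -> {sWWN: domain ID}; read-write config database
        self.active = {}  # VSAN -> {sWWN: domain ID}; enforced active database

    def add(self, vsan, swwn, domain_id):
        """Add an entry to the config database (not enforced until activation)."""
        self.config.setdefault(vsan, {})[swwn.lower()] = domain_id

    def check(self, vsan, swwn, domain_id, db=None):
        """Return None if the switch may join, else the reason for isolation."""
        if db is None:
            db = self.active.get(vsan)
        if db is None:
            return None  # not activated for this VSAN (the default): no check
        expected = db.get(swwn.lower())
        if expected is None:
            return "sWWN not in database"
        if expected != domain_id:
            return "domain ID mismatch"
        return None

    def activate(self, vsan, logged_in, force=False):
        """Overwrite active with config; return the logged-in peers it logs out."""
        # logged_in maps each currently connected peer sWWN to its domain ID.
        candidate = dict(self.config.get(vsan, {}))
        conflicts = {}
        for swwn, domain_id in logged_in.items():
            reason = self.check(vsan, swwn, domain_id, candidate)
            if reason:
                conflicts[swwn] = reason
        if conflicts and not force:
            raise ValueError(f"activation rejected, conflicts: {conflicts}")
        self.active[vsan] = candidate
        return conflicts

def demo():
    fb = FabricBinding()
    fb.add(10, "20:00:00:0D:EC:00:00:01", 101)
    fb.add(10, "20:00:00:0d:ec:00:00:02", 102)
    peers = {"20:00:00:0d:ec:00:00:01": 101, "20:00:00:0d:ec:00:00:99": 103}
    logged_out = fb.activate(10, peers, force=True)
    return logged_out, fb.check(10, "20:00:00:0d:ec:00:00:02", 7)

if __name__ == "__main__":
    print(demo())
```

Running the same activation without force raises instead of logging the unlisted peer out, which is the rejection case the force option overrides.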


Activating Fabric Binding

To activate, deactivate, or force activate fabric binding using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the Actions tab in the Information pane (see Figure 25-3).

Figure 25-3 Fabric Binding Actions Tab

Step 3 In the Action drop-down list, choose activate, deactivate, or force activate for fabric binding on the switch.

Step 4 Click the Apply Changes icon to save your changes.

The Enabled column for the switch now displays True.


Forcing Fabric Binding Activation

If the database activation is rejected due to one or more conflicts listed in the previous section, you may decide to proceed with the activation by using the force option.

To forcefully activate the fabric binding database using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the Actions tab in the Information pane (see Figure 25-3).

Step 3 In the Action drop-down list, choose forceActivate for the VSAN(s) for which you want to activate fabric binding.

Step 4 Click Apply Changes to activate fabric binding.

The Enabled column for the switch now displays True.


Copying Fabric Binding Configurations

When you copy the fabric binding configuration, the config database is saved to the running configuration.

To copy the active database to the config database using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the Actions tab in the Information pane.

Step 3 Check the Copy Active to Config check box.

Step 4 Click the Apply Changes icon to save your changes.


Creating a Fabric Binding Configuration

To create a fabric binding configuration using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the Config Database tab in the Information pane.

You see the information as shown in Figure 25-4.

Figure 25-4 Fabric Binding Database Configuration

Step 3 Click Insert Row.

You see the Create Config Database dialog box (see Figure 25-2).

Step 4 Select switches, choose an index, and indicate the peer WWN and the Domain ID.

Step 5 Click Create to create the fabric binding database configuration.

When you save the fabric binding configuration, the config database and the active database are both saved to the startup configuration and are available after a reboot.


Deleting a Fabric Binding Configuration

To delete a fabric binding configuration using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the Config Database tab in the Information pane.

You see the information shown in Figure 25-4.

Step 3 Click in the row for the VSAN for which you want to delete the fabric binding configuration.

Step 4 Click Delete Row to delete the fabric binding configuration.


Copying Fabric Binding to the Configuration File

To copy the active fabric binding to the configuration file using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the Actions tab in the Information pane (see Figure 25-3).

Step 3 Check the CopyActive ToConfig check box for the VSAN(s) for which you want to copy fabric binding.

Step 4 Click the Apply Changes icon to copy the fabric binding.



Caution: You cannot deactivate or disable fabric binding in a FICON-enabled VSAN.

Viewing EFMD Statistics

To view EFMD statistics using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the EFMD Statistics tab.

You see the statistics information.


Viewing Fabric Binding Violations

To view fabric binding violations using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the Violations tab.

You see the violations information.


Viewing Fabric Binding Active Database

To view the fabric binding active database using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the Active Database tab.

You see the active database information as shown in Figure 25-5.

Figure 25-5 Fabric Binding Active Database


Saving Fabric Binding Configurations

When you save the fabric binding configuration, the config database and the active database are both saved to the startup configuration and are available after a reboot.

To save the fabric binding configuration using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the Actions tab (see Figure 25-3).

Step 3 Check the Copy Active to Config check box to copy the active database to the config database.

If the configured database is empty, this action is not successful.

Step 4 Click the Database Differences tab and compare against the Config or Active database to view the differences between the active database and the config database.


Clearing the Fabric Binding Statistics

To clear all existing statistics from the fabric binding database for a specified VSAN using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the Statistics tab in the Information pane.

You see the statistics in the Information pane.

Step 3 Check the Clear check box.

Step 4 Click the Apply Changes icon to save your changes.


Deleting the Fabric Binding Database

To delete the configured database for a specified VSAN using Fabric Manager, perform this task:


Step 1 Expand a VSAN with fabric binding in the Logical Domains pane. Expand Fabric Binding.

Step 2 Click the Config Database tab in the Information pane.

Step 3 Select the database that you want to delete.

Step 4 Click Delete Row.


Default Settings

Table 25-2 lists the default settings for the fabric binding feature.

Table 25-2 Default Fabric Binding Settings

Parameters | Default
--- | ---
Fabric binding | Disabled