The SAN switching features documented in this guide are described below.
Fibre Channel Interfaces
Fibre Channel ports are optional on the Cisco Nexus 5000 Series
switch. When you use expansion modules up to 8 Fibre Channel ports
are available on the Cisco Nexus 5010 switch and up to 16 Fibre
Channel ports are available on the Cisco Nexus 5020 switch.
Each Fibre Channel port can be used as a downlink (connected to
a server) or as an uplink (to the data center SAN fabric).
Domain Parameters
The Fibre Channel domain (fcdomain) feature performs principal
switch selection, domain ID distribution, FC ID allocation, and
fabric reconfiguration functions as described in the FC-SW-2
standards. The domains are configured on a per-VSAN basis. If you
do not configure a domain ID, the local switch uses a random ID.
N Port Virtualization
Cisco NX-OS software supports industry-standard N port
identifier virtualization (NPIV), which allows multiple N port
fabric logins concurrently on a single physical Fibre Channel link.
HBAs that support NPIV can help improve SAN security by enabling
zoning and port security to be configured independently for each
virtual machine (OS partition) on a host. In addition to being
useful for server connections, NPIV is beneficial for connectivity
between core and edge SAN switches.
N port virtualizer (NPV) is a complementary feature that reduces
the number of Fibre Channel domain IDs in core-edge SANs. Cisco MDS
9000 family fabric switches operating in the NPV mode do not join a
fabric; they only pass traffic between core switch links and end
devices, which eliminates the domain IDs for these switches. NPIV
is used by edge switches in the NPV mode to log in to multiple end
devices that share a link to the core switch. This feature is
available only for Cisco MDS Blade Switch Series, the Cisco MDS
9124 Multilayer Fabric Switch, and the Cisco MDS 9134 Multilayer
Fabric Switch.
VSAN Trunking
Trunking, also known as VSAN trunking, is a feature specific to
switches in the Cisco MDS 9000 Family. Trunking enables
interconnect ports to transmit and receive frames in more than one
VSAN, over the same physical link. Trunking is supported on E ports
and F ports.
SAN Port Channels
PortChannels aggregate multiple physical ISLs into one logical
link with higher bandwidth and port resiliency for both Fibre
Channel and FICON traffic. With this feature, up to 16 expansion
ports (E-ports) or trunking E-ports (TE-ports) can be bundled into
a PortChannel. ISL ports can reside on any switching module, and
they do not need a designated master port. If a port or a switching
module fails, the PortChannel continues to function properly
without requiring fabric reconfiguration.
Cisco NX-OS software uses a protocol to exchange PortChannel
configuration information between adjacent switches to simplify
PortChannel management, including misconfiguration detection and
autocreation of PortChannels among compatible ISLs. In the
autoconfigure mode, ISLs with compatible parameters automatically
form channel groups; no manual intervention is required.
PortChannels load balance Fibre Channel traffic using a hash of
source FC-ID and destination FC-ID, and optionally the exchange ID.
Load balancing using PortChannels is performed over both Fibre
Channel and FCIP links. Cisco NX-OS software also can be configured
to load balance across multiple same-cost FSPF routes.
Virtual SANs
Virtual SAN (VSAN) technology partitions a single physical SAN
into multiple VSANs. VSAN capabilities allow Cisco NX-OS software
to logically divide a large physical fabric into separate, isolated
environments to improve Fibre Channel SAN scalability,
availability, manageability, and network security. For FICON, VSANs
facilitate hardware-based separation of FICON and open systems.
Each VSAN is a logically and functionally separate SAN with its
own set of Fibre Channel fabric services. This partitioning of
fabric services greatly reduces network instability by containing
fabric reconfigurations and error conditions within an individual
VSAN. The strict traffic segregation provided by VSANs helps ensure
that the control and data traffic of a specified VSAN are confined
within the VSAN's own domain, increasing SAN security. VSANs help
reduce costs by facilitating consolidation of isolated SAN islands
into a common infrastructure without compromising availability.
Users can create administrator roles that are limited in scope
to certain VSANs. For example, a network administrator role can be
set up to allow configuration of all platform-specific
capabilities, while other roles can be set up to allow
configuration and management only within specific VSANs. This
approach improves the manageability of large SANs and reduces
disruptions due to human error by isolating the effect of a user
action to a specific VSAN whose membership can be assigned based on
switch ports or the worldwide name (WWN) of attached devices.
VSANs are supported across FCIP links between SANs, which
extends VSANs to include devices at a remote location. The Cisco
MDS 9000 Family switches also implement trunking for VSANs.
Trunking allows Inter-Switch Links (ISLs) to carry traffic for
multiple VSANs on the same physical link.
Zoning
Zoning provides access control for devices within a SAN. Cisco
NX-OS software supports the following types of zoning:
-
N port zoning-Defines zone members based on
the end-device (host and storage) port.
-
Fx port zoning-Defines zone members based
on the switch port.
-
Domain ID and port number (for Brocade
interoperability)
-
iSCSI zoning-Defines zone members based on
the host zone.
-
LUN zoning-When combined with N port
zoning, LUN zoning helps ensure that LUNs are accessible only by
specific hosts, providing a single point of control for managing
heterogeneous storage-subsystem access.
-
Read-only zones-An attribute can be set to
restrict I/O operations in any zone type to SCSI read-only
commands. This feature is especially useful for sharing volumes
across servers for backup, data warehousing, etc.
-
Broadcast zones-An attribute can be set for
any zone type to restrict broadcast frames to members of the
specific zone.
To provide strict network security, zoning is always enforced
per frame using access control lists (ACLs) that are applied at the
ingress switch. All zoning polices are enforced in hardware, and
none of them cause performance degradation. Enhanced zoning
session-management capabilities further enhance security by
allowing only one user at a time to modify zones.
Device Alias Services
All switches in the Cisco MDS 9000 Family support
Device Alias Services (device alias) on a per-VSAN basis and on a
fabric-wide basis. Device alias distribution allows you to move
host bus adapters (HBAs) between VSANs without manually reentering
alias names.
Fibre Channel Routing
Fabric Shortest Path First (FSPF) is the standard path selection
protocol used by Fibre Channel fabrics. The FSPF feature is enabled
by default on all Fibre Channel switches. You do not need to
configure any FSPF services except in configurations that require
special consideration. FSPF automatically calculates the best path
between any two switches in a fabric. Specifically, FSPF is used to
perform these functions:
Dynamically compute routes throughout a
fabric by establishing the shortest and quickest path between any
two switches.
Select an alternative path in the event of
the failure of a given path. FSPF supports multiple paths and
automatically computes an alternative path around a failed link.
FSPF provides a preferred route when two equal paths are
available.
SCSI Targets
Small Computer System Interface (SCSI) targets include disks,
tapes, and other storage devices. These targets do not register
logical unit numbers (LUNs) with the name server.
The SCSI LUN discovery feature is initiated on demand, through CLI
or SNMP. This information is also synchronized with neighboring
switches, if those switches belong to the
Cisco Nexus 5000 Series.
Advanced Fibre Channel Features
Fibre Channel protocol-related timer values can be configured for distributed services, error detection, and resource allocation.
You must uniquely associate the WWN to a single switch. The
principal switch selection and the allocation of domain IDs rely on
the WWN. Cisco Nexus 5000 Series switches support three
network address authority (NAA) address formats
Fibre Channel standards require a unique FC ID to be allocated to
an N port attached to an F port in any switch. To conserve the
number of FC IDs used,
Cisco Nexus 5000 Series
switches use a special allocation scheme.
FC-SP and DHCHAP
Fibre Channel Security Protocol (FC-SP) capabilities provide
switch to switch and hosts to switch authentication to overcome
security challenges for enterprise-wide fabrics. Diffie-Hellman
Challenge Handshake Authentication Protocol (DHCHAP) is an FC-SP
protocol that provides authentication between Cisco MDS 9000 Family
switches and other devices. DHCHAP consists of the CHAP protocol
combined with the Diffie-Hellman exchange.
With FC-SP, switches, storage devices, and hosts are able to
prove their identity through a reliable and manageable
authentication mechanism. With FC-SP, Fibre Channel traffic can be
secured on a frame-by-frame basis to prevent snooping and
hijacking, even over untrusted links. A consistent set of policies
and management actions are propagated through the fabric to provide
a uniform level of security across the entire fabric.
Port Security
The port security feature prevents unauthorized access to a
switch port by binding specific world-wide names (WWNs) that have
access to one or more given switch ports.
When port security is enabled on a switch port, all devices
connecting to that port must be in the port security database and
must be listed in the database as bound to a given port. If both of
these criteria are not met, the port will not achieve an
operationally active state and the devices connected to the port
will be denied access to the SAN.
Fabric Binding
The fabric binding feature ensures Inter-Switch Links (ISLs) are enabled only between specified switches in the fabric binding configuration. This feature helps prevent unauthorized switches from joining the fabric or disrupting the current fabric operations. This feature uses the Exchange Fabric Membership Data (EEMD) protocol to ensure that the list of authorized switches is identical in all of the switches in a fabric.
Fabric Configuration Servers
The Fabric Configuration Server (FCS) provides discovery of topology attributes and maintains a repository of configuration information of fabric elements. A management application is usually connected to the FCS on the switch through an N port. In the Cisco MDS 9000 Family switch environment, multiple VSANs constitute a fabric, where one instance of the FCS is present per VSAN.