Information About Fabric Binding
Fabric binding ensures that Inter-Switch Links (ISLs) are only enabled between specified switches in the fabric. Fabric binding is configured on a per-VSAN basis.
This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. It uses the Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of authorized switches is identical in all switches in the fabric.
Port Security Versus Fabric Binding
Port security and fabric binding are two independent features that can be configured to complement each other. The following table compares the two features.
Fabric Binding | Port Security |
---|---|
Uses a set of sWWNs and a persistent domain ID. | Uses pWWNs/nWWNs or fWWNs/sWWNs. |
Binds the fabric at the switch level. | Binds devices at the interface level. |
Authorizes only the configured sWWN stored in the fabric binding database to participate in the fabric. | Allows a preconfigured set of Fibre Channel devices to logically connect to a SAN port. The switch port, identified by a WWN or interface number, connects to a Fibre Channel device (a host or another switch), also identified by a WWN. By binding these two devices, you lock these two ports into a group (or list). |
Requires activation per VSAN. | Requires activation per VSAN. |
Allows specific user-defined switches that are allowed to connect to the fabric, regardless of the physical port to which the peer switch is connected. | Allows specific user-defined physical ports to which another device can connect. |
Does not learn about switches that are logging in. | Learns about switches or devices that are logging in if learning mode is enabled. |
Cannot be distributed by Cisco Fabric Services (CFS) and must be configured manually on each switch in the fabric. | Can be distributed by CFS. |
Port-level checking for xE ports is as follows:
- The switch login uses both port security binding and fabric binding for a given VSAN.
- Binding checks are performed on the port VSAN as follows:
  - E port security binding check on the port VSAN
  - TE port security binding check on each allowed VSAN
- While port security complements fabric binding, they are independent features that you can enable or disable separately.
Fabric Binding Enforcement
You must enable fabric binding in each switch in the fabric that participates in the fabric binding. By default, this feature is disabled. The configuration and verification commands for the fabric binding feature are only available when fabric binding is enabled on a switch. When you disable this configuration, all related configurations are automatically discarded.
To enforce fabric binding, configure the switch world wide name (sWWN) to specify the xE port connection for each switch. Fabric binding policies are enforced on every activation and whenever a port tries to come up. For a Fibre Channel VSAN, the fabric binding feature requires all sWWNs connected to a switch to be part of the fabric binding active database.
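Because fabric binding lists are configured manually on each switch and must be identical across the fabric, it helps to compare them offline before activation. The following is an added example, not Cisco code: it assumes the per-VSAN lists and the peer sWWNs seen on xE ports have already been collected into Python dictionaries, and every switch name, sWWN and domain ID in it is constructed.

```python
# Added example: audit manually maintained fabric binding lists before activation.
# Switch names, sWWNs and domain IDs are constructed sample data.
from collections import defaultdict

def normalize(swwn):
    """Return a WWN as lowercase colon-separated hex; reject malformed input."""
    digits = swwn.replace(":", "").lower()
    if len(digits) != 16 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed sWWN: {swwn!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 16, 2))

def audit(databases, neighbors):
    """databases: {switch: {vsan: [(sWWN, domain_id), ...]}} as configured.
    neighbors: {switch: {vsan: [peer sWWN, ...]}} seen on xE ports.
    Returns (drift, unauthorized)."""
    canon = {sw: {v: {(normalize(w), d) for w, d in entries}
                  for v, entries in vsans.items()}
             for sw, vsans in databases.items()}
    # 1. Switches binding the same VSAN must hold identical lists.
    drift = defaultdict(dict)
    for vsan in sorted({v for vs in canon.values() for v in vs}):
        lists = {sw: vs[vsan] for sw, vs in canon.items() if vsan in vs}
        union = set().union(*lists.values())
        for sw, entries in lists.items():
            if entries != union:
                drift[vsan][sw] = sorted(union - entries)  # entries sw lacks
    # 2. Every connected peer sWWN must be in the local list for that VSAN.
    unauthorized = []
    for sw, vsans in neighbors.items():
        for vsan, peers in vsans.items():
            allowed = {w for w, _ in canon.get(sw, {}).get(vsan, set())}
            unauthorized += [(sw, vsan, normalize(p)) for p in peers
                             if normalize(p) not in allowed]
    return dict(drift), sorted(unauthorized)

A, B, C = ("20:00:00:05:30:00:aa:01", "20:00:00:05:30:00:bb:02",
           "20:00:00:05:30:00:cc:03")
UNKNOWN = "20:00:00:0d:ec:00:ff:99"  # not in any list
DATABASES = {
    "sw-a": {10: [(A, 1), (B, 2), (C, 3)]},
    "sw-b": {10: [(A, 1), (B, 2)]},            # entry for C was never added
    "sw-c": {10: [(A.upper(), 1), (B, 2), (C, 3)]},
}
NEIGHBORS = {"sw-a": {10: [B, UNKNOWN]}, "sw-b": {10: [A, C]}}

if __name__ == "__main__":
    drift, unauthorized = audit(DATABASES, NEIGHBORS)
    print("list drift:", drift)
    print("peers outside the list:", unauthorized)
```

A drift finding means the lists on the participating switches differ for that VSAN; a peer outside the list is an xE port connection that fabric binding would not authorize on that switch.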