Citation :
When FIP Snooping is enabled on a port, the switch automatically installs the appropriate ACLs to
enforce the following rules for FCoE traffic:
Ensure that FIP frames from ENodes may only be addressed to FCFs.
Flag important FIP packets for switch processing.
Ensure no end device uses an FCF MAC address as its source.
Each FCoE port is assumed to be connected to an ENode and include ENode-specific ACLs
installed, until the port is either detected or configured to be connected to an FCF.
Ports that are configured to have FIP snooping disabled will not have any FIP or FCoE related
ACLs installed.
Prevent transmission of all FCoE frames from an ENode prior to its successful completion of
login (FLOGI) to the FCF.
After successful completion of FLOGI, ensure that the ENode uses only those FCoE source
addresses assigned to it by FCF.
After successful completion of FLOGI, ensure that all ENode FCoE source addresses originate
from or are destined to the appropriate ENode port.
After successful completion of each FLOGI, ensure that FCoE frames may only be addressed to
the FCFs that accept them.
Initially, a basic set of FCoE-related ACLs will be installed on all ports where FIP snooping is
enabled. As the switch encounters FIP frames and learns about FCFs and ENodes that are attached
or disconnect, ACLs are dynamically installed or expanded to provide appropriate security.
When an FCoE connection logs out, or times out (if ACL timeout is enabled), the related ACLs will
be automatically removed.
FCoE-related ACLs are independent of manually configured ACLs used for regular Ethernet
purposes (see “Access Control Lists” on page 93). FCoE ACLs generally have a higher prior
|