FC Security for CCIE DC – Fabric Binding

Fabric binding ensures that only switches listed in the fabric binding database are permitted to connect to the switch. If a switch tries to join the fabric and its switch WWN (sWWN) is not in the active fabric binding database, the link is isolated and access is denied. Fabric binding is configured on a per-VSAN basis.

From Cisco, “This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. It uses the Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of authorized switches is identical in all switches in the fabric.”

This is very similar to Port Security, except Fabric Binding is for switches only (not end devices): switches are bound to the fabric rather than devices being bound to interfaces as in Port Security. Additionally, Fabric Binding is manually configured on each switch; it cannot be distributed through CFS.

More information can be found here:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/6_2/configuration/guides/security/nx-os/sec_cli_6-x/binding.html

Steps involved:

1. Enable the fabric binding feature
2. Configure a list of sWWNs (and, where required, their domain IDs) for switches permitted in the fabric
3. Activate the fabric binding database
4. Copy the active fabric binding database to the fabric binding config database

1. Enable the fabric binding feature

MDS1(config)# feature fabric-binding 

MDS2(config)# feature fabric-binding 

2. Configure a list of sWWNs for switches permitted in the fabric

First, let’s collect our sWWNs

MDS1(config)# show wwn switch 
Switch WWN is 20:00:00:0d:ec:54:63:80

MDS2(config)# show wwn switch 
Switch WWN is 20:00:00:0d:ec:27:4f:40

Add the other switch's sWWN to your fabric binding database. (Note that you can pin a domain ID to an sWWN as well, but this is only required for FICON VSANs; without it, the entry matches the sWWN in any domain.)

MDS1(config)# fabric-binding database vsan 101
MDS1(config-fabric-binding)# swwn 20:00:00:0d:ec:27:4f:40

! Using a specific domain ID !
MDS2(config)# fabric-binding database vsan 101
MDS2(config-fabric-binding)# swwn 20:00:00:0d:ec:54:63:80 domain 1

There are two databases (configuration and active), similar to port security or device aliases. Notice that our local sWWN is added to the "configuration" database automatically (marked [Local]) alongside the sWWN we configured.

MDS1(config)# show fabric-binding database 
--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
101    20:00:00:0d:ec:54:63:80      0x1(1) [Local]
101    20:00:00:0d:ec:27:4f:40         Any
[Total 2 entries]

MDS2(config)# show fabric-binding database vsan 101
--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
101    20:00:00:0d:ec:27:4f:40      0x2(2) [Local]
101    20:00:00:0d:ec:54:63:80      0x1(1)
[Total 2 entries]

3. Activate the fabric binding database

Now let’s activate our database to enforce fabric binding

MDS1(config)# fabric-binding activate vsan 101

MDS1(config)# show fabric-binding database active vsan 101
--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
101    20:00:00:0d:ec:54:63:80      0x1(1) [Local]
101    20:00:00:0d:ec:27:4f:40         Any
[Total 2 entries]

MDS2(config)# show fabric-binding database vsan 101
--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
101    20:00:00:0d:ec:27:4f:40      0x2(2) [Local]
101    20:00:00:0d:ec:54:63:80      0x1(1)
[Total 2 entries]

MDS2(config)# fabric-binding activate vsan 101

MDS2(config)# show fabric-binding database active vsan 101
--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
101    20:00:00:0d:ec:27:4f:40      0x2(2) [Local]
101    20:00:00:0d:ec:54:63:80      0x1(1)
[Total 2 entries]

If activation is rejected, or you want to force activation regardless of conflicts, use the force keyword. Be aware that forcing activation with a peer's sWWN missing isolates the ISL to that peer (see the failure example further down):

fabric-binding activate vsan 101 force

4. Copy the active fabric binding database to the fabric binding config database

Do this if your local configuration database is missing entries that are present in your active database; the copy overwrites the configuration database with the active one. The two diff commands show which entries differ, from the active database's perspective and from the configuration database's perspective respectively, so check them before you copy.

fabric-binding database copy vsan 101
fabric-binding database diff active vsan 101
fabric-binding database diff config vsan 101

Fabric-binding failure

Just to show you what happens when you don't include a switch's WWN in your database before activating:

MDS1(config)# fabric-binding database vsan 101
MDS1(config-fabric-binding)# no swwn 20:00:00:0d:ec:27:4f:40
MDS1(config)# fabric-binding activate vsan 101 force
2014 Aug 18 06:56:52 MDS1 %PORT-SECURITY-3-BINDING_CONFLICT: %$VSAN 101%$  
MDS1(config)# 2014 Aug 18 06:56:52 MDS1 %PORT-5-IF_TRUNK_DOWN: %$VSAN 101%$ Interface fc1/1, vsan 101 is down (Isolation due to fabric binding: peer switch WWN not found) 

There you have it, simple.
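The four steps above and the failure example can be checked offline from the show output alone. The script below is an added example written for this page, not Cisco's or the original author's code: it parses `show fabric-binding database active vsan N` output in the format shown above, checks every pair of switches both ways (does each side's active database admit the peer's [Local] sWWN, honouring a pinned domain ID), reports whether all switches carry the same authorised list as EFMD expects, and emits the NX-OS lines from the Quick Template that would add a missing peer. The sample output embedded in the script is constructed from the two-switch fabric shown on this page; the switch names MDS1/MDS2 and the function names are the example's own.

```python
"""Audit fabric-binding state across MDS switches from their `show` output."""
import re
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# One row of `show fabric-binding database [active] vsan N`, e.g.
#   101    20:00:00:0d:ec:54:63:80      0x1(1) [Local]
#   101    20:00:00:0d:ec:27:4f:40         Any
ROW_RE = re.compile(
    r"^\s*(?P<vsan>\d+)\s+(?P<swwn>(?:[0-9a-f]{2}:){7}[0-9a-f]{2})\s+"
    r"(?P<domain>Any|0x[0-9a-f]+\(\d+\))\s*(?P<local>\[Local\])?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Entry:
    vsan: int
    swwn: str
    domain: Optional[int]  # None means the "Any" column value (no domain pinned)
    local: bool            # True for the [Local] row, i.e. the switch itself


def parse_db(text: str) -> List[Entry]:
    """Parse one switch's show output; headers, separators and totals are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        dom = m.group("domain")
        domain = None if dom.lower() == "any" else int(dom[dom.index("(") + 1:-1])
        entries.append(Entry(int(m.group("vsan")), m.group("swwn").lower(),
                             domain, m.group("local") is not None))
    return entries


def local_identity(entries: List[Entry], vsan: int) -> Tuple[str, Optional[int]]:
    """sWWN and domain ID of the switch that produced this output (its [Local] row)."""
    for e in entries:
        if e.vsan == vsan and e.local:
            return e.swwn, e.domain
    raise ValueError(f"no [Local] entry for VSAN {vsan}")


def permits(entries: List[Entry], vsan: int, swwn: str, domain: Optional[int]) -> bool:
    """Does this database admit a switch with this sWWN (and domain, if an entry pins one)?"""
    return any(e.vsan == vsan and e.swwn == swwn and e.domain in (None, domain)
               for e in entries)


def audit(dbs: Dict[str, List[Entry]], vsan: int):
    """Check every switch pair in both directions.

    Returns (isolated, identical, fixes):
      isolated  - (rejecting_switch, peer) pairs whose ISL would isolate with
                  "peer switch WWN not found", as in the failure example above
      identical - True if every switch lists the same set of authorised sWWNs
      fixes     - {switch: NX-OS lines} that add the missing peer entry
    """
    isolated, fixes = [], {}
    for a, b in combinations(dbs, 2):
        for rejecting, peer in ((a, b), (b, a)):
            p_swwn, p_dom = local_identity(dbs[peer], vsan)
            if permits(dbs[rejecting], vsan, p_swwn, p_dom):
                continue
            isolated.append((rejecting, peer))
            # A stale entry pinned to the wrong domain must go before the new one.
            stale = [e for e in dbs[rejecting] if e.vsan == vsan and e.swwn == p_swwn]
            lines = [f" no swwn {p_swwn}" for _ in stale] + [f" swwn {p_swwn}"]
            fixes.setdefault(rejecting, []).extend(lines)
    authorised = [{e.swwn for e in db if e.vsan == vsan} for db in dbs.values()]
    identical = all(s == authorised[0] for s in authorised)
    for sw in fixes:  # wrap in the configuration sequence from the Quick Template
        fixes[sw] = [f"fabric-binding database vsan {vsan}", *fixes[sw],
                     f"fabric-binding activate vsan {vsan}"]
    return isolated, identical, fixes


# Constructed sample output, taken from the working two-switch fabric above.
MDS1_ACTIVE = """\
--------------------------------------------------
Vsan   Logging-in Switch WWN     Domain-id
--------------------------------------------------
101    20:00:00:0d:ec:54:63:80      0x1(1) [Local]
101    20:00:00:0d:ec:27:4f:40         Any
[Total 2 entries]
"""
MDS2_ACTIVE = """\
101    20:00:00:0d:ec:27:4f:40      0x2(2) [Local]
101    20:00:00:0d:ec:54:63:80      0x1(1)
[Total 2 entries]
"""
# MDS1 after `no swwn 20:00:00:0d:ec:27:4f:40` was force-activated (failure example).
MDS1_BROKEN = """\
101    20:00:00:0d:ec:54:63:80      0x1(1) [Local]
[Total 1 entries]
"""


def audit_page_fabric():
    return audit({"MDS1": parse_db(MDS1_ACTIVE), "MDS2": parse_db(MDS2_ACTIVE)}, 101)


def audit_broken_fabric():
    return audit({"MDS1": parse_db(MDS1_BROKEN), "MDS2": parse_db(MDS2_ACTIVE)}, 101)


if __name__ == "__main__":
    for name, fn in (("page fabric", audit_page_fabric), ("after no swwn", audit_broken_fabric)):
        isolated, identical, fixes = fn()
        print(f"{name}: isolated={isolated} identical={identical}")
        for sw, lines in fixes.items():
            print(f"  {sw}:\n" + "\n".join("    " + l for l in lines))
```

Run it against the output pasted from each switch in the fabric; a non-empty `isolated` list is the condition that produced the IF_TRUNK_DOWN message above, and the generated lines are exactly what you would type on the rejecting switch (add `force` to the activate line if the switch rejects the activation, as described in step 3).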

Quick Template

feature fabric-binding
fabric-binding database vsan 101
 swwn REMOTE-SWWN
fabric-binding activate vsan 101

Helpful Show Commands

show wwn switch
show fabric-binding database
show fabric-binding database vsan 101
show fabric-binding database active vsan 101
