Fabric binding ensures that only switches configured in the fabric binding database are permitted to connect to the switch. If a switch tries to join the fabric and that switch is not in the fabric binding database, access is denied. Fabric binding is configured on a per-VSAN basis.
From Cisco, “This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations. It uses the Exchange Fabric Membership Data (EFMD) protocol to ensure that the list of authorized switches is identical in all switches in the fabric.”
This is very similar to Port Security, except Fabric Binding is for switches only (not devices). Switches bind to the fabric instead of to interfaces as in Port Security. Additionally, Fabric Binding is manually configured on each switch; it cannot be distributed through CFS.
More information can be found here:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/6_2/configuration/guides/security/nx-os/sec_cli_6-x/binding.html
Steps involved:
1. Enable the fabric binding feature
2. Configure a list of sWWNs and their corresponding domain IDs for devices permitted in the fabric
3. Activate the fabric binding database
4. Copy the fabric binding database to the fabric binding config database
1. Enable the fabric binding feature
MDS1(config)# feature fabric-binding
MDS2(config)# feature fabric-binding
2. Configure a list of sWWNs for devices permitted in the fabric
First, let’s collect our sWWNs
MDS1(config)# show wwn switch
Switch WWN is 20:00:00:0d:ec:54:63:80
MDS2(config)# show wwn switch
Switch WWN is 20:00:00:0d:ec:27:4f:40
Add the other switch's sWWN to your fabric binding database (note that you can add domain IDs as well, but this is only required for FICON)
MDS1(config)# fabric-binding database vsan 101
MDS1(config-fabric-binding)# swwn 20:00:00:0d:ec:27:4f:40
! Using a specific domain ID !
MDS2(config)# fabric-binding database vsan 101
MDS2(config-fabric-binding)# swwn 20:00:00:0d:ec:54:63:80 domain 1
There are two databases (configuration and active) similar to port security or device aliases. Notice we have our local sWWN and the configured sWWN in our local “configuration” database.
MDS1(config)# show fabric-binding database
--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
101 20:00:00:0d:ec:54:63:80 0x1(1) [Local]
101 20:00:00:0d:ec:27:4f:40 Any
[Total 2 entries]
MDS2(config)# show fabric-binding database vsan 101
--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
101 20:00:00:0d:ec:27:4f:40 0x2(2) [Local]
101 20:00:00:0d:ec:54:63:80 0x1(1)
[Total 2 entries]
3. Activate the fabric binding database
Now let’s activate our database to enforce fabric binding
MDS1(config)# fabric-binding activate vsan 101
MDS1(config)# show fabric-binding database active vsan 101
--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
101 20:00:00:0d:ec:54:63:80 0x1(1) [Local]
101 20:00:00:0d:ec:27:4f:40 Any
[Total 2 entries]
MDS2(config)# show fabric-binding database vsan 101
--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
101 20:00:00:0d:ec:27:4f:40 0x2(2) [Local]
101 20:00:00:0d:ec:54:63:80 0x1(1)
[Total 2 entries]
MDS2(config)# fabric-binding activate vsan 101
MDS2(config)# show fabric-binding database active vsan 101
--------------------------------------------------
Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
101 20:00:00:0d:ec:27:4f:40 0x2(2) [Local]
101 20:00:00:0d:ec:54:63:80 0x1(1)
[Total 2 entries]
If rejected, or you want to force activation regardless of conflicts:
fabric-binding activate vsan 101 force
4. Copy the fabric binding database to the fabric binding config database
Do this if your local configuration database is missing information that your active database has populated.
fabric-binding database copy vsan 101
fabric-binding database diff active vsan 101
fabric-binding database diff config vsan 101
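As an added example (not from the original post or from Cisco), here is a Python pre-activation check: it parses the `show fabric-binding database` output collected from each switch and reports any peer whose sWWN is missing, or whose bound domain ID does not match, for the VSAN, which is exactly the gap that isolates the ISL in the failure section below. The switch names, the sample output and the `check_fabric` helper are constructed for this example.

```python
"""Pre-activation check for MDS fabric binding databases (added example, not from the post)."""
import re
from typing import Dict, List, NamedTuple, Optional

class Entry(NamedTuple):
    vsan: int
    swwn: str
    domain: Optional[int]  # None means the 'Any' domain
    local: bool            # row carries the [Local] tag, i.e. the switch itself

# vsan, sWWN, domain column ('Any' or '0x1(1)'), optional [Local] tag
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){7})\s+"
                 r"(Any|0x[0-9a-f]+\(\d+\))(\s+\[Local\])?", re.IGNORECASE)

def parse_database(output: str) -> List[Entry]:
    """Keep only table rows; headers, separators and '[Total n entries]' are skipped."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            vsan, swwn, dom, local = m.groups()
            domain = None if dom.lower() == "any" else int(dom.split("(")[1].rstrip(")"))
            entries.append(Entry(int(vsan), swwn.lower(), domain, local is not None))
    return entries

def check_fabric(databases: Dict[str, str], vsan: int) -> List[str]:
    """Return problems found; an empty list means every switch authorises every peer."""
    rows = {n: [e for e in parse_database(t) if e.vsan == vsan] for n, t in databases.items()}
    own = {n: next((e for e in r if e.local), None) for n, r in rows.items()}  # [Local] row
    problems = []
    for name, entries in rows.items():
        for peer, ident in own.items():
            if peer == name or ident is None:
                continue
            hit = [e for e in entries if e.swwn == ident.swwn]
            if not hit:
                problems.append(f"{name}: peer {peer} sWWN {ident.swwn} missing for VSAN {vsan}")
            elif hit[0].domain is not None and hit[0].domain != ident.domain:
                problems.append(f"{name}: peer {peer} bound to domain {hit[0].domain}, actual {ident.domain}")
    return problems

# Constructed sample output modelled on the two-switch VSAN 101 lab in this post.
MDS1_OK = """Vsan Logging-in Switch WWN Domain-id
--------------------------------------------------
101 20:00:00:0d:ec:54:63:80 0x1(1) [Local]
101 20:00:00:0d:ec:27:4f:40 Any
[Total 2 entries]"""
MDS2 = "101 20:00:00:0d:ec:27:4f:40 0x2(2) [Local]\n101 20:00:00:0d:ec:54:63:80 0x1(1)"
MDS1_MISSING = "101 20:00:00:0d:ec:54:63:80 0x1(1) [Local]"  # MDS1 after 'no swwn 20:00:00:0d:ec:27:4f:40'
```

Run `check_fabric` on the output of every switch in the VSAN before issuing `fabric-binding activate`; an empty list means no ISL will be isolated for a missing or mismatched entry.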
Fabric-binding failure
Just to show you what happens when you don't include a switch's WWN in your database before activating:
MDS1(config)# fabric-binding database vsan 101
MDS1(config-fabric-binding)# no swwn 20:00:00:0d:ec:27:4f:40
MDS1(config)# fabric-binding activate vsan 101 force
2014 Aug 18 06:56:52 MDS1 %PORT-SECURITY-3-BINDING_CONFLICT: %$VSAN 101%$
MDS1(config)# 2014 Aug 18 06:56:52 MDS1 %PORT-5-IF_TRUNK_DOWN: %$VSAN 101%$ Interface fc1/1, vsan 101 is down (Isolation due to fabric binding: peer switch WWN not found)
There you have it, simple.
Quick Template
feature fabric-binding
fabric-binding database vsan 101
swwn REMOTE-SWWN
fabric-binding activate vsan 101
Helpful Show Commands
show wwn switch
show fabric-binding database
show fabric-binding database vsan 101
show fabric-binding database active vsan 101