© Copyright Lenovo 2016

FCoE ACL Rules
When FIP Snooping is enabled on a port, the switch automatically installs the
appropriate ACLs to enforce the following rules for FCoE traffic:
- Ensure that FIP frames from ENodes may only be addressed to FCFs.
- Flag important FIP packets for switch processing.
- Ensure no end device uses an FCF MAC address as its source.
- Each FCoE port is assumed to be connected to an ENode and has ENode‐specific ACLs installed, until the port is either detected or configured to be connected to an FCF.
- Ports that are configured to have FIP snooping disabled will not have any FIP or FCoE related ACLs installed.
- Prevent transmission of all FCoE frames from an ENode prior to its successful completion of login (FLOGI) to the FCF.
- After successful completion of FLOGI, ensure that the ENode uses only those FCoE source addresses assigned to it by the FCF.
- After successful completion of FLOGI, ensure that all ENode FCoE source addresses originate from or are destined to the appropriate ENode port.
- After successful completion of each FLOGI, ensure that FCoE frames may only be addressed to the FCFs that accept them.
Initially, a basic set of FCoE‐related ACLs will be installed on all ports where FIP
snooping is enabled. As the switch encounters FIP frames and learns about FCFs
and ENodes that attach or disconnect, ACLs are dynamically installed or
expanded to provide appropriate security.
When an FCoE connection logs out, or times out (if ACL timeout is enabled), the
related ACLs will be automatically removed.
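
The rules above amount to a per-frame decision that changes as logins come and go. The following Python model is an added example, not Lenovo code or switch firmware; the class and function names, the MAC addresses, and the treatment of FCF ports as trusted are assumptions made for illustration.

```python
from dataclasses import dataclass, field

FIP, FCOE = 0x8914, 0x8906            # EtherTypes: FCoE Initialization Protocol, FCoE
ALL_FCF_MACS = "01:10:18:01:00:02"    # multicast group ENodes use to solicit FCFs

@dataclass
class Port:
    fips: bool = True                 # FIP snooping enabled on this port
    fcf: bool = False                 # ENode port until detected/configured as FCF
    logins: dict = field(default_factory=dict)   # assigned FCoE MAC -> accepting FCF MAC

@dataclass
class Snooper:
    fcf_macs: set = field(default_factory=set)   # FCF MACs learned from FIP frames

    def flogi_accept(self, port, assigned_mac, fcf_mac):
        """FCF accepted a FLOGI: install the per-login ACL."""
        port.logins[assigned_mac] = fcf_mac

    def logout(self, port, assigned_mac):
        """Logout or ACL timeout: remove the per-login ACL."""
        port.logins.pop(assigned_mac, None)

    def ingress(self, port, ethertype, src, dst):
        """Verdict for a frame received on port: 'permit', 'deny' or 'to-cpu'."""
        if not port.fips or ethertype not in (FIP, FCOE):
            return "permit"           # no FCoE ACLs here / not FIP or FCoE traffic
        if port.fcf:                  # assumption: FCF ports are trusted in this model
            return "to-cpu" if ethertype == FIP else "permit"
        if src in self.fcf_macs:
            return "deny"             # end device using an FCF MAC as its source
        if ethertype == FIP:          # ENode FIP may only be addressed to FCFs
            ok = dst == ALL_FCF_MACS or dst in self.fcf_macs
            return "to-cpu" if ok else "deny"
        # FCoE from an ENode: only an assigned source MAC, only to the accepting FCF
        return "permit" if port.logins.get(src) == dst else "deny"

def demo():
    """Constructed addresses; returns the verdicts in order."""
    fcf, other_fcf = "00:0d:ec:00:00:01", "00:0d:ec:00:00:02"
    enode, fpma = "00:1b:21:00:00:0a", "0e:fc:00:01:00:01"
    sw, p1, p2 = Snooper({fcf, other_fcf}), Port(), Port()
    out = [sw.ingress(p1, FCOE, fpma, fcf)]            # before FLOGI
    out.append(sw.ingress(p1, FIP, enode, fcf))        # FLOGI request is a FIP frame
    sw.flogi_accept(p1, fpma, fcf)
    out.append(sw.ingress(p1, FCOE, fpma, fcf))        # logged in
    out.append(sw.ingress(p1, FCOE, fpma, other_fcf))  # FCF that did not accept
    out.append(sw.ingress(p2, FCOE, fpma, fcf))        # address used on wrong port
    out.append(sw.ingress(p1, FCOE, fcf, fcf))         # spoofed FCF source
    sw.logout(p1, fpma)
    out.append(sw.ingress(p1, FCOE, fpma, fcf))        # ACL removed
    return out
```
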
FCoE‐related ACLs are independent of manually configured ACLs used for
regular Ethernet purposes (see Chapter 7, "Access Control Lists"). FCoE ACLs
generally have a higher priority over standard ACLs, and do not inhibit non‐FCoE
and non‐FIP traffic.

Optimized FCoE Traffic Flow

To optimize the FCoE traffic flow, ACL entries are installed by default. Only FCoE
to FCoE traffic is optimized. Traffic to and from Fibre Channel nodes is not
optimized.
If required, you can disable optimized traffic flow. However, you must first disable
FIP snooping. Use the following commands:
RS G8264(config)# no fcoe fips enable
RS G8264(config)# no fcoe optimizedforwarding enable
To re‐enable optimized traffic flow, use the following command sequence:
RS G8264(config)# no fcoe fips enable
RS G8264(config)# fcoe optimizedforwarding enable
RS G8264(config)# fcoe fips enable
Chapter 21: FCoE and CEE