Enforcing Access Control; Iscsi User Authentication; Configuring An Authentication Mechanism - Cisco DS-C9216I-K9 Configuration Manual

Chapter 24
Configuring IP Storage
Configuring iSCSI

By default, static virtual iSCSI targets are not accessible to any iSCSI host. You must explicitly configure accessibility to allow a virtual iSCSI target to be accessed by all hosts. The initiator access list can contain one or more initiators. Each initiator is identified by one of the following:

• iSCSI node names
• IP addresses
• IP subnets

Enforcing Access Control

IPS modules use both iSCSI node name-based and Fibre Channel zoning-based access control lists to enforce access control during iSCSI discovery and iSCSI session creation.

• iSCSI discovery: When an iSCSI host creates an iSCSI discovery session and queries for all iSCSI targets, the IPS module returns only the list of iSCSI targets this iSCSI host is allowed to access, based on the access control policies discussed in the previous section.

• iSCSI session creation: When an IP host initiates an iSCSI session, the IPS module verifies whether the iSCSI target specified in the session login request is a static mapped target and, if so, verifies whether the IP host's iSCSI node name is allowed to access that target. If the IP host does not have access, its login is rejected.

The IPS module then creates a Fibre Channel virtual N port for this IP host (the N port may already exist) and performs a Fibre Channel name server query for the FCID of the Fibre Channel target pWWN that the IP host is accessing. It uses the pWWN of the IP host's virtual N port as the requester of the name server query, so the name server performs a zone-enforced lookup of the target pWWN and responds accordingly.

If the name server returns the FCID, the iSCSI session is accepted. Otherwise, the login request is rejected.

iSCSI User Authentication

The IPS module supports the iSCSI authentication mechanism to authenticate iSCSI hosts that request access to storage. When iSCSI authentication is enabled, the iSCSI hosts must provide user name and password information each time an iSCSI session is established.

Only the Challenge Handshake Authentication Protocol (CHAP) authentication method is supported. If no authentication server is configured, the switch's local user database is used; RADIUS authentication or TACACS+ authentication can be used instead.

Configuring an Authentication Mechanism

During an iSCSI login, both the iSCSI initiator and target have the option to authenticate each other. By default, the IPS module allows either CHAP authentication or no authentication from iSCSI hosts.

Note: The authentication configured on a Gigabit Ethernet interface or subinterface overrides the global iSCSI authentication configuration.

To configure an authentication method for iSCSI, follow these steps:

Cisco MDS 9000 Fabric Manager Switch Configuration Guide, OL-7753-01
24-37
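The discovery filter and the two-stage session check described under Enforcing Access Control, modelled in Python as an added example. This is not Cisco code and not the IPS module's implementation: every node name, IP address, pWWN, FCID and zone membership below is constructed, the virtual N-port pWWN table stands in for the N port the module creates per IP host, and the name server is reduced to a lookup that answers only when requester and target share a zone. The model covers static virtual targets only and rejects an unknown target name, which is a simplification.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class VirtualTarget:
    """A static virtual iSCSI target and its initiator access list (constructed model)."""
    name: str
    pwwn: str                                   # FC target pWWN behind this virtual target
    initiators: List[Tuple] = field(default_factory=list)
    # entries: ("node", iqn), ("ip", "a.b.c.d"), ("subnet", "a.b.c.d/nn"), ("all",)

def initiator_permitted(target: VirtualTarget, node_name: str, ip: str) -> bool:
    """Node-name / IP / subnet access-list check. Default is deny: an empty list admits nobody."""
    addr = ipaddress.ip_address(ip)
    for entry in target.initiators:
        kind = entry[0]
        if kind == "all":
            return True
        if kind == "node" and entry[1] == node_name:
            return True
        if kind == "ip" and addr == ipaddress.ip_address(entry[1]):
            return True
        if kind == "subnet" and addr in ipaddress.ip_network(entry[1], strict=False):
            return True
    return False

# --- constructed Fibre Channel side: name server table, virtual N ports, zones (hypothetical values) ---
FCID_BY_PWWN = {
    "50:06:01:60:10:60:1d:a1": 0x010200,        # target behind vt-a (and vt-c)
    "50:06:01:60:10:60:1d:a2": 0x010300,        # target behind vt-b
}
VIRTUAL_NPORT_PWWN = {                          # pWWN of the virtual N port per IP host (assumed)
    "iqn.1991-05.com.microsoft:host1": "21:00:00:20:37:a6:be:01",
    "iqn.1991-05.com.microsoft:host2": "21:00:00:20:37:a6:be:02",
}
ZONES = [
    {"21:00:00:20:37:a6:be:01", "50:06:01:60:10:60:1d:a1"},   # host1 <-> target of vt-a
    {"21:00:00:20:37:a6:be:02", "50:06:01:60:10:60:1d:a2"},   # host2 <-> target of vt-b
]

def zone_enforced_query(requester_pwwn: str, target_pwwn: str) -> Optional[int]:
    """Name server answer for target_pwwn, given only if requester and target share a zone."""
    for zone in ZONES:
        if requester_pwwn in zone and target_pwwn in zone:
            return FCID_BY_PWWN.get(target_pwwn)
    return None

def discovery_targets(targets: List[VirtualTarget], node_name: str, ip: str) -> List[str]:
    """Discovery session: the host is shown only the targets it is permitted to access."""
    return [t.name for t in targets if initiator_permitted(t, node_name, ip)]

def session_login(targets: List[VirtualTarget], node_name: str, ip: str, target_name: str) -> str:
    """Session creation: access-list check first, then the zone-enforced name server query."""
    target = next((t for t in targets if t.name == target_name), None)
    if target is None:
        return "reject: unknown target"         # model covers static virtual targets only
    if not initiator_permitted(target, node_name, ip):
        return "reject: initiator not in access list"
    host_pwwn = VIRTUAL_NPORT_PWWN.get(node_name, "")   # unknown host: N port in no zone
    fcid = zone_enforced_query(host_pwwn, target.pwwn)
    if fcid is None:
        return "reject: name server returned no FCID (not zoned)"
    return "accept: FCID %06x" % fcid

# Constructed targets: one of each access-list entry kind, plus a target nobody may reach
TARGETS = [
    VirtualTarget("iqn.2005-01.com.example:vt-a", "50:06:01:60:10:60:1d:a1",
                  [("node", "iqn.1991-05.com.microsoft:host1"), ("subnet", "10.1.2.0/24")]),
    VirtualTarget("iqn.2005-01.com.example:vt-b", "50:06:01:60:10:60:1d:a2",
                  [("ip", "10.1.2.7")]),
    VirtualTarget("iqn.2005-01.com.example:vt-c", "50:06:01:60:10:60:1d:a1", []),
]

if __name__ == "__main__":
    h2 = "iqn.1991-05.com.microsoft:host2"
    print(discovery_targets(TARGETS, h2, "10.1.2.7"))
    print(session_login(TARGETS, h2, "10.1.2.7", "iqn.2005-01.com.example:vt-b"))
    print(session_login(TARGETS, h2, "10.1.2.7", "iqn.2005-01.com.example:vt-a"))
```

The third call is the case worth noting: host2 passes vt-a's subnet entry, so discovery shows it the target, but the virtual N port created for host2 is not zoned with vt-a's pWWN, so the login still fails at the name server query. The two lists are independent controls and both must admit the host.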

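The CHAP exchange that the iSCSI User Authentication and Configuring an Authentication Mechanism sections refer to, written out in Python with both sides' messages. This is an added example, not Cisco code and not the IPS module's implementation. It follows CHAP as carried in iSCSI login keys: the target offers CHAP_A=5 (MD5) with an identifier CHAP_I and challenge CHAP_C; the initiator answers with its user name CHAP_N and CHAP_R = MD5(CHAP_I || secret || CHAP_C); for mutual authentication (both sides authenticating each other, as the text allows) the initiator adds its own CHAP_I and CHAP_C and checks the target's CHAP_N/CHAP_R in return. User names, secrets, identifiers and challenge values are constructed; a real target draws CHAP_I and CHAP_C fresh from a random source for every login.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (CHAP_A=5): CHAP_R = MD5(CHAP_I || secret || CHAP_C), CHAP_I as one octet."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()

def encode_keys(kv: Dict[str, str]) -> bytes:
    """iSCSI login text keys: key=value pairs, each terminated by a NUL octet."""
    return b"".join(f"{k}={v}".encode() + b"\x00" for k, v in kv.items())

def decode_keys(data: bytes) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for item in data.split(b"\x00"):
        if item:
            k, _, v = item.decode().partition("=")
            out[k] = v
    return out

def hexval(b: bytes) -> str:
    return "0x" + b.hex()                        # binary login values in their hex form

def unhexval(s: str) -> bytes:
    if not s.startswith("0x"):
        raise ValueError("only the 0x hex encoding is handled here")
    return bytes.fromhex(s[2:])

# --- target side ---
def target_challenge(chap_id: int, challenge: bytes) -> bytes:
    """Target -> initiator: select MD5 CHAP and send identifier plus challenge."""
    return encode_keys({"CHAP_A": "5", "CHAP_I": str(chap_id), "CHAP_C": hexval(challenge)})

def target_verify(data: bytes, users: Dict[str, bytes], chap_id: int, challenge: bytes,
                  target_name: str, target_secret: bytes) -> Tuple[bool, bytes]:
    """Check CHAP_N/CHAP_R against the local user database (constant-time compare).
    Returns (accepted, reply); the reply carries the target's own CHAP_N/CHAP_R
    when the initiator sent a challenge of its own (mutual CHAP)."""
    keys = decode_keys(data)
    secret = users.get(keys.get("CHAP_N", ""))
    if secret is None:
        return False, b""
    expected = chap_response(chap_id, secret, challenge)
    if not hmac.compare_digest(expected, unhexval(keys.get("CHAP_R", "0x"))):
        return False, b""
    if "CHAP_C" in keys:                         # initiator wants to authenticate the target too
        r = chap_response(int(keys["CHAP_I"]), target_secret, unhexval(keys["CHAP_C"]))
        return True, encode_keys({"CHAP_N": target_name, "CHAP_R": hexval(r)})
    return True, b""

# --- initiator side ---
def initiator_respond(data: bytes, username: str, secret: bytes,
                      mutual: Optional[Tuple[int, bytes]] = None) -> bytes:
    """Initiator -> target: answer the challenge; optionally add our own (CHAP_I, CHAP_C)."""
    keys = decode_keys(data)
    if keys.get("CHAP_A") != "5":
        raise ValueError("target did not select MD5 CHAP")
    r = chap_response(int(keys["CHAP_I"]), secret, unhexval(keys["CHAP_C"]))
    reply = {"CHAP_N": username, "CHAP_R": hexval(r)}
    if mutual is not None:
        reply["CHAP_I"], reply["CHAP_C"] = str(mutual[0]), hexval(mutual[1])
    return encode_keys(reply)

def initiator_verify_target(data: bytes, target_name: str, target_secret: bytes,
                            mutual: Tuple[int, bytes]) -> bool:
    """Mutual CHAP: confirm the target proved knowledge of the target secret."""
    keys = decode_keys(data)
    if keys.get("CHAP_N") != target_name:
        return False
    expected = chap_response(mutual[0], target_secret, mutual[1])
    return hmac.compare_digest(expected, unhexval(keys.get("CHAP_R", "0x")))

# Constructed sample values; fixed identifiers/challenges here only so the run is repeatable
USERS = {"host1": b"host1-secret-at-least-12-chars"}
TARGET_NAME, TARGET_SECRET = "iqn.2005-01.com.example:vt-a", b"target-secret-also-12-chars"

def run_login(username: str, secret: bytes, mutual: bool = True) -> Tuple[bool, bool]:
    """Full exchange. Returns (target accepted initiator, initiator verified target)."""
    t_id, t_chal = 7, bytes(range(16))
    i_id, i_chal = 42, bytes(range(16, 32))
    m1 = target_challenge(t_id, t_chal)
    m2 = initiator_respond(m1, username, secret, (i_id, i_chal) if mutual else None)
    ok, m3 = target_verify(m2, USERS, t_id, t_chal, TARGET_NAME, TARGET_SECRET)
    if not ok or not mutual:
        return ok, False                         # one-way CHAP never checks the target
    return ok, initiator_verify_target(m3, TARGET_NAME, TARGET_SECRET, (i_id, i_chal))

if __name__ == "__main__":
    print(run_login("host1", USERS["host1"]))    # (True, True)
    print(run_login("host1", b"wrong-secret"))   # (False, False)
```

Because the default described above accepts either CHAP or no authentication, a target configured this way will also admit an initiator that simply never sends CHAP_N/CHAP_R; requiring CHAP on the interface or globally is what turns this exchange from optional into mandatory.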