Fibre Channel Zoning-Based Access Control - Cisco AP776A - Nexus Converged Network Switch 5020 Configuration Manual

Configuring iSCSI
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m

Fibre Channel Zoning-Based Access Control

Cisco SAN-OS and NX-OS 4.1(1b) VSAN and zoning concepts have been extended to cover both Fibre
Channel devices and iSCSI devices. Zoning is the standard access control mechanism for Fibre Channel
devices, which is applied within the context of a VSAN. Fibre Channel zoning has been extended to
support iSCSI devices, and this extension has the advantage of having a uniform, flexible access control
mechanism across the whole SAN.
Common mechanisms for identifying members in a Fibre Channel zone are the following (see
Chapter 24, "Configuring and Managing Zones"
•
•
In the case of iSCSI, behind an iSCSI interface multiple iSCSI devices may be connected.
Interface-based zoning may not be useful because all the iSCSI devices behind the interface will
automatically be within the same zone.
In transparent initiator mode (where one Fibre Channel virtual N port is created for each iSCSI host as
described in the
mapping then the standard Fibre Channel device pWWN-based zoning membership mechanism can be
used.
Zoning membership mechanism has been enhanced to add iSCSI devices to zones based on the
following:
•
•
•
•
For iSCSI hosts that do not have a static WWN mapping, the feature allows the IP address or iSCSI node
name to be specified as zone members. Note that iSCSI hosts that have static WWN mapping can also
use these features. IP address based zone membership allows multiple devices to be specified in one
command by providing the subnet mask.
In proxy initiator mode, all iSCSI devices connecting to an IPS port gain access to the Fibre Channel
Note
fabric through a single virtual Fibre Channel N port. Thus, zoning based on the iSCSI node name or IP
address will not have any effect. If zoning based on pWWN is used, then all iSCSI devices connecting
to that IPS port will be put in the same zone. To implement individual initiator access control in proxy
initiator mode, configure an iSCSI ACL on the virtual target (see the
section on page
Cisco MDS 9000 Family CLI Configuration Guide
43-20
Fibre Channel device pWWN.
Interface and switch WWN. Device connecting via that interface is within the zone.
"Transparent Initiator Mode" section on page
IPv4 address/subnet mask
IPv6 address/prefix length
iSCSI qualified name (IQN)
Symbolic-node-name (IQN)
43-21).
for details on Fibre Channel zoning):
43-11), if an iSCSI host has static WWN
"iSCSI-Based Access Control"
OL-18084-01, Cisco MDS NX-OS Release 4.x
Chapter 43 Configuring iSCSI