Send documentation comments to mdsfeedback-doc@cisco.com
Fibre Channel Zoning-Based Access Control
Cisco SAN-OS VSAN and zoning concepts have been extended to cover both Fibre Channel devices and
iSCSI devices. Zoning is the standard access control mechanism for Fibre Channel devices, which is
applied within the context of a VSAN. Fibre Channel zoning has been extended to support iSCSI
devices, and this extension has the advantage of having a uniform, flexible access control mechanism
across the whole SAN.
Common mechanisms for identifying members in a Fibre Channel zone are the following (see
Chapter 23, "Configuring and Managing Zones" for details on Fibre Channel zoning):
• Fibre Channel device pWWN.
• Interface and switch WWN. Device connecting via that interface is within the zone.
In the case of iSCSI, behind an iSCSI interface multiple iSCSI devices may be connected.
Interface-based zoning may not be useful because all the iSCSI devices behind the interface will
automatically be within the same zone.
In transparent initiator mode (where one Fibre Channel virtual N port is created for each iSCSI host as
described in the "Transparent Initiator Mode" section on page 42-11), if an iSCSI host has static WWN
mapping then the standard Fibre Channel device pWWN-based zoning membership mechanism can be
Zoning membership mechanism has been enhanced to add iSCSI devices to zones based on the
• IPv4 address/subnet mask
• IPv6 address/prefix length
• iSCSI qualified name (IQN)
For iSCSI hosts that do not have a static WWN mapping, the feature allows the IP address or iSCSI node
name to be specified as zone members. Note that iSCSI hosts that have static WWN mapping can also
use these features. IP address based zone membership allows multiple devices to be specified in one
command by providing the subnet mask.
In proxy initiator mode, all iSCSI devices connecting to an IPS port gain access to the Fibre Channel
fabric through a single virtual Fibre Channel N port. Thus, zoning based on the iSCSI node name or IP
address will not have any effect. If zoning based on pWWN is used, then all iSCSI devices connecting
to that IPS port will be put in the same zone. To implement individual initiator access control in proxy
initiator mode, configure an iSCSI ACL on the virtual target (see the
"iSCSI-Based Access Control" section on page
Cisco MDS 9000 Family CLI Configuration Guide
OL-16184-01, Cisco MDS SAN-OS Release 3.x
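The membership rules described in this section, worked through as an added example (a simplified model written for this page, not Cisco code or SAN-OS syntax). The names `Host`, `matches` and `zone_members`, the slash form used for the subnet mask, the case-insensitive comparison, and every address, WWN and IQN are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    """An iSCSI initiator as modeled for this example (all values constructed)."""
    iqn: str
    ip: str
    pwwn: Optional[str] = None        # static WWN mapping (transparent mode), if any
    proxy_pwwn: Optional[str] = None  # pWWN of the shared N port when in proxy mode

def matches(member, host):
    """True if one (kind, value) zone member entry admits this host."""
    kind, value = member
    if kind not in ("pwwn", "ip", "iqn"):
        raise ValueError(f"unknown member kind: {kind}")
    if host.proxy_pwwn is not None:
        # Proxy initiator mode: the fabric sees only the shared virtual N port,
        # so IP and IQN members have no effect and its pWWN admits every host.
        return kind == "pwwn" and value.lower() == host.proxy_pwwn.lower()
    if kind == "pwwn":
        return host.pwwn is not None and value.lower() == host.pwwn.lower()
    if kind == "iqn":
        return value.lower() == host.iqn.lower()
    # kind == "ip": IPv4 address/subnet mask or IPv6 address/prefix length
    net = ipaddress.ip_network(value, strict=False)
    addr = ipaddress.ip_address(host.ip)
    return addr.version == net.version and addr in net

def zone_members(zone, hosts):
    """IQNs of the hosts that fall inside the zone, sorted."""
    return sorted(h.iqn for h in hosts if any(matches(m, h) for m in zone))

# Constructed sample data (documentation address ranges, made-up WWNs and IQNs).
ZONE = [("pwwn", "21:00:00:00:00:00:00:0a"),
        ("ip", "192.0.2.0/255.255.255.0"),
        ("ip", "2001:db8:1::/64"),
        ("iqn", "iqn.1987-05.com.example:host-b")]
PROXY = "21:00:00:00:00:00:00:ff"
HOSTS = [
    Host("iqn.1987-05.com.example:host-a", "192.0.2.17"),
    Host("iqn.1987-05.com.example:host-b", "198.51.100.5"),
    Host("iqn.1987-05.com.example:host-c", "198.51.100.9", pwwn="21:00:00:00:00:00:00:0A"),
    Host("iqn.1987-05.com.example:host-d", "2001:db8:1::42"),
    Host("iqn.1987-05.com.example:host-e", "198.51.100.20"),
    Host("iqn.1987-05.com.example:host-p1", "192.0.2.30", proxy_pwwn=PROXY),
    Host("iqn.1987-05.com.example:host-p2", "198.51.100.77", proxy_pwwn=PROXY),
]

if __name__ == "__main__":
    print(zone_members(ZONE, HOSTS))                      # proxy hosts excluded
    print(zone_members(ZONE + [("pwwn", PROXY)], HOSTS))  # both proxy hosts join
```

Host p1 sits inside the zoned IPv4 subnet yet stays outside the zone until the proxy pWWN is added, at which point p2 is admitted with it; that all-or-nothing behaviour is why per-initiator control in proxy mode has to come from the iSCSI ACL on the virtual target.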