Enforcing Access Control - HP Cisco MDS 9216 - Fabric Switch Configuration Manual

Cisco MDS 9000 Family Fabric Manager Configuration Guide, Release 3.x (OL-8222-10, April 2008)
Chapter 50
Configuring iSCSI
Send documentation comments to mds-feedback-doc@cisco.com
Note  For a transparent mode iSCSI initiator, if both Fibre Channel zoning and iSCSI ACLs are used, then for every static iSCSI target that is accessible to the iSCSI host, the initiator's virtual N port should be in the same Fibre Channel zone as the Fibre Channel target.
To configure access control in iSCSI using Device Manager, follow these steps:

Step 1  Select IP > iSCSI.
        You see the iSCSI configuration (see Figure 50-10).
Step 2  Select the Targets tab.
        You see the iSCSI virtual targets.
Step 3  Uncheck the Initiators Access All check box if it is checked.
Step 4  Click Edit Access.
        You see the Initiators Access dialog box.
Step 5  Click Create to add more initiators to the Initiator Access list.
        You see the Create Initiators Access dialog box.
Step 6  Add the name or IP address of the initiator that you want to permit for this virtual target.
Step 7  Click Create to add this initiator to the Initiator Access list.

Enforcing Access Control

IPS modules and MPS-14/2 modules enforce access control using both iSCSI access control lists and Fibre Channel zoning. Access control is enforced during the iSCSI discovery phase and during the iSCSI session creation phase. No enforcement is required during the I/O phase, because the IPS module or MPS-14/2 module itself routes the iSCSI traffic of an already admitted session to Fibre Channel.
OL-16184-01, Cisco MDS SAN-OS Release 3.x
• iSCSI discovery phase—When an iSCSI host creates an iSCSI discovery session and queries for all iSCSI targets, the IPS module or MPS-14/2 module returns only the list of iSCSI targets this iSCSI host is allowed to access, based on the access control policies discussed in the previous section. The IPS module or MPS-14/2 module does this by querying the Fibre Channel name server for all the devices in the same zone as the initiator, in all VSANs. It then filters out the devices that are initiators by looking at the FC4-feature field of the FCNS entry. (If a device does not register as either initiator or target in the FC4-feature field, the IPS module or MPS-14/2 module still advertises it.) It then responds to the iSCSI host with the list of targets. Each target has either a static iSCSI target name that you configure or a dynamic iSCSI target name that the IPS module or MPS-14/2 module creates for it (see the "Dynamic Mapping" section on page 50-8).

• iSCSI session creation—When an IP host initiates an iSCSI session, the IPS module or MPS-14/2 module verifies that the iSCSI target specified in the session login request is allowed by both of the access control mechanisms described in the "iSCSI-Based Access Control" section on page 50-26. If the iSCSI target is a static mapped target, the IPS module or MPS-14/2 module first verifies that the iSCSI host is allowed by the access list of that iSCSI target. If the IP host does not have access, its login is rejected. If the iSCSI host is allowed, the module then validates that the virtual Fibre Channel N port used by the iSCSI host and the Fibre Channel target mapped to the static iSCSI virtual target are in the same Fibre Channel zone.
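The two checks in this section, together with the per-target access list that the Device Manager procedure above configures (the Initiators Access All check box and the Initiator Access list of initiator names or IP addresses), modeled as an added Python example. This is not Cisco code and not the module's implementation: the fabric (pWWNs, IQNs, zone membership, addresses), the FC4-feature values represented as strings, and the placeholder dynamic target name format are all constructed for the example.

```python
"""Model of the enforcement described above: discovery filtering via the FC name
server plus zoning, and session login via the static target's iSCSI ACL plus
zoning.  Added example, not Cisco code; all fabric data and names are constructed."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VirtualTarget:
    """Static iSCSI virtual target; fields mirror the Device Manager Targets tab."""
    name: str                  # static iSCSI target name (IQN) you configure
    pwwn: str                  # Fibre Channel target it maps to
    all_initiator_permit: bool = False                  # "Initiators Access All" box
    permitted_iqns: set = field(default_factory=set)    # Initiator Access list: names
    permitted_nets: list = field(default_factory=list)  # Initiator Access list: IP/subnet

    def permits(self, iqn, ip):  # iSCSI-based access control for this target
        if self.all_initiator_permit or iqn in self.permitted_iqns:
            return True
        return any(ipaddress.ip_address(ip) in net for net in self.permitted_nets)

DYN_PREFIX = "iqn.example.dynamic:"  # placeholder; the real format is in "Dynamic Mapping"

def dynamic_name(pwwn):
    return DYN_PREFIX + pwwn.replace(":", "")

def pwwn_from_dynamic_name(name):
    hexpart = name[len(DYN_PREFIX):]
    if not name.startswith(DYN_PREFIX) or len(hexpart) != 16:
        return None
    return ":".join(hexpart[i:i + 2] for i in range(0, 16, 2))

class Fabric:
    def __init__(self, fcns, zones, static_targets):
        self.fcns = fcns    # name server: {(vsan, pwwn): fc4_feature}, "" = not registered
        self.zones = zones  # active zone set: {(vsan, zone_name): {pwwn, ...}}
        self.by_pwwn = {t.pwwn: t for t in static_targets}
        self.by_name = {t.name: t for t in static_targets}

    def zoned_peers(self, nport):  # (vsan, pwwn) zoned with the virtual N port, any VSAN
        return {(vsan, m) for (vsan, _z), members in self.zones.items()
                if nport in members for m in members if m != nport}

    def same_zone(self, a, b):
        return any(a in members and b in members for members in self.zones.values())

    def discovery(self, nport, iqn, ip):
        """Target names returned to a discovery session from this iSCSI host."""
        advertised = []
        for vsan, pwwn in sorted(self.zoned_peers(nport)):
            fc4 = self.fcns.get((vsan, pwwn))
            if fc4 is None or fc4 == "initiator":
                continue  # not a logged-in device, or registered as an initiator
            # fc4 == "" (nothing registered) is NOT filtered: the module advertises it.
            vt = self.by_pwwn.get(pwwn)
            if vt is None:
                advertised.append(dynamic_name(pwwn))
            elif vt.permits(iqn, ip):
                advertised.append(vt.name)
        return advertised

    def login(self, target_name, nport, iqn, ip):
        """Session-login decision for one target: (allowed, reason)."""
        vt = self.by_name.get(target_name)
        if vt is not None:  # static target: iSCSI ACL first, then zoning
            if not vt.permits(iqn, ip):
                return False, "initiator not in the target's access list"
            if not self.same_zone(nport, vt.pwwn):
                return False, "virtual N port and FC target not in the same zone"
            return True, "static target permitted"
        pwwn = pwwn_from_dynamic_name(target_name)  # dynamic target: zoning only
        if pwwn is None or not self.same_zone(nport, pwwn):
            return False, "unknown target or not zoned with the virtual N port"
        return True, "dynamic target permitted by zoning"

# Constructed sample fabric: one transparent-mode host with its own virtual N port.
NPORT, HOST_IQN, HOST_IP = "20:01:00:05:30:00:0f:de", "iqn.1991-05.com.example:host1", "10.50.1.7"
T_OK, T_DENY, T_DYN = "21:00:00:20:37:6f:fd:97", "21:00:00:20:37:6f:fd:98", "21:00:00:20:37:6f:fd:99"
T_UNREG, FC_HOST, T_UNZONED = "21:00:00:20:37:6f:fd:9a", "21:00:00:e0:8b:01:02:03", "22:00:00:20:37:6f:fd:aa"
SAMPLE = Fabric(
    fcns={(1, NPORT): "initiator", (1, T_OK): "target", (1, T_DENY): "target", (1, T_DYN): "target",
          (1, T_UNREG): "", (1, FC_HOST): "initiator", (1, T_UNZONED): "target"},
    zones={(1, "z-iscsi"): {NPORT, T_OK, T_DENY, T_DYN, T_UNREG, FC_HOST},
           (1, "z-other"): {FC_HOST, T_UNZONED}},
    static_targets=[
        VirtualTarget("iqn.2008-04.example:tgt-ok", T_OK, permitted_iqns={HOST_IQN}),
        VirtualTarget("iqn.2008-04.example:tgt-deny", T_DENY,
                      permitted_nets=[ipaddress.ip_network("192.0.2.0/24")]),
        VirtualTarget("iqn.2008-04.example:tgt-unzoned", T_UNZONED, all_initiator_permit=True),
    ])

def sample_discovery():
    return SAMPLE.discovery(NPORT, HOST_IQN, HOST_IP)

def sample_login(target_name):
    return SAMPLE.login(target_name, NPORT, HOST_IQN, HOST_IP)
```

sample_discovery() returns three names: the static target whose access list permits the host, the dynamic name of the zoned target with no static mapping, and the dynamic name of the device that registered no FC4-feature at all; the Fibre Channel host (registered as an initiator) and the static target whose access list excludes the host are left out. sample_login("iqn.2008-04.example:tgt-unzoned") is the case the Note above warns about: the iSCSI access list permits the host, yet the login is rejected because the host's virtual N port is not zoned with the Fibre Channel target behind the static mapping.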
Cisco MDS 9000 Family CLI Configuration Guide