Enforcing Access Control - Cisco MDS 9000 series Configuration Manual


Configuring iSCSI
| Step | Command | Purpose |
|---|---|---|
| Step 3 | switch(config-iscsi-tgt)# pWWN 26:00:01:02:03:04:05:06 | Maps a virtual target node to a Fibre Channel target. |
| Step 4 | switch(config-iscsi-tgt)# initiator iqn.1987-02.com.cisco.initiator1 permit | Allows the specified iSCSI initiator node to access this virtual target. You can issue this command multiple times to allow multiple initiators. |
| | switch(config-iscsi-tgt)# no initiator iqn.1987-02.com.cisco.initiator1 permit | Prevents the specified initiator node from accessing virtual targets. |
| | switch(config-iscsi-tgt)# initiator ip address 10.50.1.1 permit | Allows the specified IPv4 address to access this virtual target. You can issue this command multiple times to allow multiple initiators. |
| | switch(config-iscsi-tgt)# no initiator ip address 10.50.1.1 permit | Prevents the specified IPv4 address from accessing virtual targets. |
| | switch(config-iscsi-tgt)# initiator ip address 10.50.1.0 255.255.255.0 permit | Allows all initiators in this IPv4 subnetwork (10.50.1/24) to access this virtual target. |
| | switch(config-iscsi-tgt)# no initiator ip address 10.50.1.0 255.255.255.0 permit | Prevents all initiators in this IPv4 subnetwork from accessing virtual targets. |
| | switch(config-iscsi-tgt)# initiator ip address 2001:0DB8:800:200C::417A permit | Allows the specified IPv6 unicast address to access this virtual target. You can issue this command multiple times to allow multiple initiators. |
| | switch(config-iscsi-tgt)# no initiator ip address 2001:0DB8:800:200C::417A permit | Prevents the specified IPv6 address from accessing virtual targets. |
| | switch(config-iscsi-tgt)# initiator ip address 2001:0DB8:800:200C::/64 permit | Allows all initiators in this IPv6 subnetwork (2001:0DB8:800:200C::/64) to access this virtual target. |
| | switch(config-iscsi-tgt)# no initiator ip address 2001:0DB8:800:200C::/64 permit | Prevents all initiators in this IPv6 subnetwork from accessing virtual targets. |
| | switch(config-iscsi-tgt)# all-initiator-permit | Allows all initiator nodes to access this virtual target. |
| | switch(config-iscsi-tgt)# no all-initiator-permit | Prevents any initiator from accessing virtual targets (default). |

Enforcing Access Control

IPS modules and MPS-14/2 modules use both iSCSI and Fibre Channel zoning-based access control lists to enforce access control. Access control is enforced both during the iSCSI discovery phase and the iSCSI session creation phase. Access control enforcement is not required during the I/O phase because the IPS module or MPS-14/2 module is responsible for the routing of iSCSI traffic to Fibre Channel.

iSCSI discovery phase—When an iSCSI host creates an iSCSI discovery session and queries for all iSCSI targets, the IPS module or MPS-14/2 module returns only the list of iSCSI targets this iSCSI host is allowed to access based on the access control policies discussed in the previous section. The IPS module or MPS-14/2 module does this by querying the Fibre Channel name server for all the devices in the same zone as the initiator in all VSANs. It then filters out the devices that are initiators by looking at the FC4-feature field of the FCNS entry. (If a device does not register as either initiator or target in the FC4-feature field, the IPS module or MPS-14/2 module will advertise it.) It then

Cisco MDS 9000 Family NX-OS IP Services Configuration Guide, OL-19525-01, Cisco MDS NX-OS Release 4.2(1), Chapter 4: Configuring iSCSI
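
The Step 3 and Step 4 command forms in the table above, replayed in a small Python model that shows the default-deny behaviour and lists the entries that admit more than one initiator. This is an added example, not code from the Cisco guide; the function names, the sample initiator name `iqn.2000-01.com.example:host9`, and the rule that any matching entry grants access are assumptions.

```python
import ipaddress

# Constructed sample: Step 3/4 command forms entered for one virtual target.
SAMPLE_COMMANDS = """\
pWWN 26:00:01:02:03:04:05:06
initiator iqn.1987-02.com.cisco.initiator1 permit
initiator ip address 10.50.1.1 permit
initiator ip address 10.50.1.0 255.255.255.0 permit
initiator ip address 2001:0DB8:800:200C::/64 permit
all-initiator-permit
no all-initiator-permit
"""

def apply_commands(text):
    """Replay permit / no-permit lines in order; return (allow_all, iqns, nets)."""
    allow_all, iqns, nets = False, set(), set()   # default: no initiator permitted
    for line in text.splitlines():
        tok = line.split()
        negate = tok[:1] == ["no"]
        if negate:
            tok = tok[1:]
        if tok == ["all-initiator-permit"]:
            allow_all = not negate
        elif tok[:1] == ["initiator"] and tok[-1:] == ["permit"]:
            if tok[1:3] == ["ip", "address"]:
                # host address, "addr mask" (IPv4) or "addr/len" (IPv6)
                net = ipaddress.ip_network("/".join(tok[3:-1]), strict=False)
                (nets.discard if negate else nets.add)(net)
            elif len(tok) == 3:
                (iqns.discard if negate else iqns.add)(tok[1])
    return allow_all, iqns, nets

def is_permitted(text, iqn, ip):
    """Assumed model: any matching entry grants access to the virtual target."""
    allow_all, iqns, nets = apply_commands(text)
    addr = ipaddress.ip_address(ip)
    return allow_all or iqn in iqns or any(addr in n for n in nets)

def broad_permits(text):
    """Entries that admit more than one specific initiator, for review."""
    allow_all, _, nets = apply_commands(text)
    wide = sorted(str(n) for n in nets if n.num_addresses > 1)
    return (["all-initiator-permit"] if allow_all else []) + wide

if __name__ == "__main__":
    print(is_permitted(SAMPLE_COMMANDS, "iqn.2000-01.com.example:host9", "10.50.1.77"))
    print(broad_permits(SAMPLE_COMMANDS))
```
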
