Cisco Systems MDS 9000 setup guide Enforcing Access Control


Chapter 35 Configuring iSCSI


Enforcing Access Control

its login is rejected. If the iSCSI host is allowed, the module then validates whether the virtual Fibre Channel N port used by the iSCSI host and the Fibre Channel target mapped to the static iSCSI virtual target are in the same Fibre Channel zone.

If the iSCSI target is an auto-generated iSCSI target, the IPS module or MPS-14/2 module extracts the WWN of the Fibre Channel target from the iSCSI target name and verifies whether the initiator and the Fibre Channel target are in the same Fibre Channel zone. If they are, access is allowed.

The IPS module or MPS-14/2 module uses the Fibre Channel virtual N port of the iSCSI host to issue a zone-enforced name server query for the Fibre Channel target WWN. If the name server returns an FCID, the iSCSI session is accepted; otherwise, the login request is rejected.

The IPS module or MPS-14/2 module supports an iSCSI authentication mechanism to authenticate iSCSI hosts that request access to storage. By default, IPS modules and MPS-14/2 modules allow either CHAP or None (no) authentication of iSCSI initiators. If authentication must always be used, configure the switch to allow only CHAP authentication.

For CHAP username or secret validation you can use any method supported and allowed by the Cisco MDS AAA infrastructure (see Chapter 28, “Configuring RADIUS and TACACS+”). AAA authentication supports a RADIUS, TACACS+, or local authentication device.

The aaa authentication iscsi command enables AAA authentication for the iSCSI host and specifies the method to use.
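The login checks described above (static versus auto-generated target, the zone-enforced name server query, and the CHAP-only policy), modeled as an added Python example that is not Cisco's code. The iSCSI target-name format (pWWN as the final dot-separated field), the pWWN and FCID values and the zoning data are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Fabric:
    """Minimal model of the state the IPS/MPS module consults at iSCSI login."""
    zones: dict            # zone name -> set of member pWWNs (constructed)
    name_server: dict      # pWWN -> FCID of every logged-in N port (constructed)
    static_targets: dict   # static iSCSI virtual target name -> FC target pWWN
    chap_only: bool = False  # True models 'only CHAP authentication allowed'

    def _same_zone(self, a: str, b: str) -> bool:
        return any(a in members and b in members for members in self.zones.values())

    def zone_enforced_ns_query(self, requester_pwwn: str, target_pwwn: str):
        """Return the target FCID only if requester and target share a zone."""
        if not self._same_zone(requester_pwwn, target_pwwn):
            return None
        return self.name_server.get(target_pwwn)

    def target_pwwn(self, iscsi_target: str) -> str:
        if iscsi_target in self.static_targets:
            return self.static_targets[iscsi_target]
        # Auto-generated target: the FC target WWN is embedded in the name.
        # Assumed format: the pWWN is the last dot-separated field of the IQN.
        return iscsi_target.rsplit(".", 1)[-1]

    def iscsi_login(self, host_vport_pwwn: str, iscsi_target: str, auth: str):
        """Return (accepted, reason) for one iSCSI login attempt."""
        if auth not in ("CHAP", "None"):
            return False, "unsupported authentication method"
        if self.chap_only and auth != "CHAP":
            return False, "rejected: only CHAP authentication is allowed"
        fcid = self.zone_enforced_ns_query(host_vport_pwwn, self.target_pwwn(iscsi_target))
        if fcid is None:
            return False, "rejected: target not returned by zone-enforced name server query"
        return True, f"accepted: target FCID {fcid:#08x}"


def build_sample_fabric(chap_only: bool = False) -> Fabric:
    """Constructed sample: host vport and target 'bb' zoned together, 'cc' is not."""
    return Fabric(
        zones={"iscsi-zone-1": {"2100002037aa0001", "2100002037bb0001"}},
        name_server={"2100002037bb0001": 0x6C0203, "2100002037cc0001": 0x6C0204},
        static_targets={"iqn.2004-01.example:static-target-1": "2100002037bb0001"},
        chap_only=chap_only,
    )
```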

Cisco MDS 9000 Family Configuration Guide

OL-6973-03, Cisco MDS SAN-OS Release 2.x


MDS 9000 specifications

Cisco Systems MDS 9000 series is a line of storage networking switches designed to address the unique demands of enterprise-level data centers. These switches provide high-performance solutions for connecting various storage devices, including traditional disk arrays, solid-state drives, and tape libraries. The MDS 9000 series is built for scalability, high availability, and advanced security, making it an ideal choice for organizations looking to optimize their storage infrastructure.

One of the standout features of the MDS 9000 series is its support for Fibre Channel and FICON protocols, which enable seamless integration with various storage technologies. This versatility is crucial for organizations with a mix of applications and storage performance requirements. The switches support multiple speeds, including 1G, 2G, 4G, 8G, and even 16G Fibre Channel rates, ensuring that they can adapt to evolving storage needs.

The MDS 9000 is known for its advanced features in terms of management and automation. Cisco provides intelligent automation capabilities to enhance operational efficiency. Features like Flow Vision and intelligent network services allow for deep visibility into storage environments, enabling administrators to monitor performance, troubleshoot issues, and optimize resource allocation effectively. This level of visibility helps organizations to mitigate risks and ensure data availability.

Security is another paramount consideration for the MDS 9000 series. The switches are equipped with a range of security features, including role-based access controls, encryption technologies, and zoning options. These capabilities help safeguard sensitive data and ensure compliance with industry regulations, making the MDS 9000 a trusted choice for enterprises dealing with critical data.

The architecture of the MDS 9000 series is designed for high availability and resiliency. With redundant power supplies and cooling systems, these switches minimize downtime and ensure continuous operation. Additionally, they offer advanced features like non-disruptive software upgrades, which eliminate the need for scheduled outages during firmware updates.

In summary, the Cisco Systems MDS 9000 series offers a robust set of features tailored for enterprise storage networking. Its support for various protocols, intelligent management capabilities, and high availability characteristics make it a preferred choice for organizations seeking to optimize their storage infrastructure for both current and future needs. By investing in the MDS 9000 series, businesses can enhance their operational efficiency, ensure data security, and maintain a competitive edge in today's data-driven landscape.