Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 20 iSCSI Configuration
Configuring iSCSI
Step 4 Click Close to close the dialog box.
iSCSI-Based Access Control
For static iSCSI targets, you can manually configure a list of iSCSI initiators that are allowed to access
the targets. The iSCSI initiator is identified by the iSCSI node name or the IP address of the iSCSI host.
By default, static virtual iSCSI targets are not accessible to any iSCSI host. You must explicitly configure
accessibility to allow a virtual iSCSI target to be accessed by all hosts. The initiator access list can
contain one or more initiators. Each initiator is identified by one of the following:
• iSCSI node names
• IP addresses
• IP subnets
See the “Creating a Static iSCSI Virtual Target” section on page 20-9 to configure access control using
a list of authorized initiators.
Enforcing Access Control
IPS modules use both iSCSI node name-based and Fibre Channel zoning-based access control lists to
enforce access control during iSCSI discovery and iSCSI session creation.
• iSCSI discovery—When an iSCSI host creates an iSCSI discovery session and queries for all iSCSI
targets, the IPS module returns only the list of iSCSI targets this iSCSI host is allowed to access
based on the access control policies discussed in the previous section.
• iSCSI session creation—When an IP host initiates an iSCSI session, the IPS module verifies if the
specified iSCSI target (in the session login request) is a static mapped target, and if true, verifies if
the IP host's iSCSI node name is allowed to access the target. If the IP host does not have access, its
login is rejected.
The IPS module then creates a Fibre Channel virtual N port (the N port may already exist) for this
IP host and does a Fibre Channel name server query for the FCID of the Fibre Channel target pWWN
that is being accessed by the IP host. It uses the IP host virtual N port's pWWN as the requester of
the name server query. Thus, the name server does a zone-enforced query for the pWWN and
responds to the query.
If the FCID is returned by the name server, then the iSCSI session is accepted. Otherwise, the login
request is rejected.
Note: If you connect to the switch from an AIX or HP-UX host, be sure to enable the persistent FC ID
feature in the VSAN that connects these hosts. Refer to the Cisco MDS 9000 Family
Configuration Guide to configure persistent FC IDs.
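The two-stage check described above, as an added Python model that is not Cisco code and not from this guide, for static virtual targets only: stage 1 is the initiator access list of node names, IP addresses and subnets (default deny unless the target is explicitly opened to all hosts), stage 2 is the zone-enforced name server query made with the host's virtual N port pWWN. Every node name, pWWN, FCID, address and zone below is a constructed sample value.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
@dataclass
class StaticTarget:
    name: str                      # iSCSI node name of the static virtual target
    pwwn: str                      # pWWN of the Fibre Channel target it maps to
    allowed: list = field(default_factory=list)  # initiator node names, IPs or subnets
    all_hosts: bool = False        # the explicit "accessible to all hosts" setting

# An initiator as the IPS module sees it: iSCSI node name, host IP, virtual N port pWWN
Initiator = namedtuple("Initiator", "node_name ip virtual_pwwn")
def initiator_permitted(target, init):
    """Stage 1: the iSCSI-based access list on the static target (default deny)."""
    if target.all_hosts:
        return True
    for entry in target.allowed:
        if entry == init.node_name:
            return True
        try:                       # an entry that parses as an IP or subnet matches on host IP
            if ipaddress.ip_address(init.ip) in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:         # entry is a node name that did not match
            pass
    return False

def name_server_query(zones, requester_pwwn, target_pwwn, fcids):
    """Stage 2: zone-enforced name server lookup, made as the host's virtual N port."""
    for members in zones:
        if requester_pwwn in members and target_pwwn in members:
            return fcids.get(target_pwwn)
    return None                    # not zoned together: no FCID is returned

def discover(targets, init):
    """Discovery session: only the targets this host may access are listed."""
    return [t.name for t in targets if initiator_permitted(t, init)]

def login(target, init, zones, fcids):
    """Session login: stage 1, then stage 2; a failure at either rejects the login."""
    if not initiator_permitted(target, init):
        return "rejected: initiator not in target access list"
    fcid = name_server_query(zones, init.virtual_pwwn, target.pwwn, fcids)
    return f"accepted: FCID {fcid}" if fcid else "rejected: name server returned no FCID"

# Constructed sample fabric (not from the guide): one static target zoned with host-a's N port
TARGET = StaticTarget("iqn.2005-01.example:disk1", "21:00:00:20:37:6f:db:dd",
                      allowed=["iqn.1991-05.com.example:host-a", "10.1.1.0/24"])
ZONES = [{"21:00:00:20:37:6f:db:dd", "20:00:00:0d:ec:01:00:01"}]
FCIDS = {"21:00:00:20:37:6f:db:dd": "0x650001"}
HOST_A = Initiator("iqn.1991-05.com.example:host-a", "10.1.2.5", "20:00:00:0d:ec:01:00:01")
```

A host that passes the access list by subnet but whose virtual N port is not zoned with the target still fails at stage 2, which is why both the initiator list and the zone set have to be reviewed when a login is unexpectedly rejected or accepted.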
iSCSI User Authentication
The IPS module supports the iSCSI authentication mechanism to authenticate iSCSI hosts that request
access to storage. When iSCSI authentication is enabled, the iSCSI hosts must provide user name and
password information each time an iSCSI session is established.