Cisco MDS 9000 Family CLI Configuration Guide
OL-16184-01, Cisco MDS SAN-OS Release 3.x
Chapter 42 Configuring iSCSI
Enforcing Access Control
IPS modules and MPS-14/2 modules use both iSCSI and Fibre Channel zoning-based access control lists
to enforce access control. Access control is enforced both during the iSCSI discovery phase and the
iSCSI session creation phase. Access control enforcement is not required during the I/O phase because
the IPS module or MPS-14/2 module is responsible for the routing of iSCSI traffic to Fibre Channel.
• iSCSI discovery phase—When an iSCSI host creates an iSCSI discovery session and queries for all
iSCSI targets, the IPS module or MPS-14/2 module returns only the list of iSCSI targets this iSCSI
host is allowed to access based on the access control policies discussed in the previous section. The
IPS module or MPS-14/2 module does this by querying the Fibre Channel name server for all the
devices in the same zone as the initiator in all VSANs. It then filters out the devices that are initiators
by looking at the FC4-feature field of the FCNS entry. (If a device does not register as either initiator
or target in the FC4-feature field, the IPS module or MPS-14/2 module will advertise it.) It then

Step    Command
            Purpose

Step 3  switch(config-iscsi-tgt)# pWWN 26:00:01:02:03:04:05:06
        switch(config-iscsi-tgt)#
            Maps a virtual target node to a Fibre Channel target.

Step 4  switch(config-iscsi-tgt)# initiator iqn.1987-02.com.cisco.initiator1 permit
            Allows the specified iSCSI initiator node to access this virtual target.
            You can issue this command multiple times to allow multiple initiators.

        switch(config-iscsi-tgt)# no initiator iqn.1987-02.com.cisco.initiator1 permit
            Prevents the specified initiator node from accessing virtual targets.

        switch(config-iscsi-tgt)# initiator ip address 10.50.1.1 permit
            Allows the specified IPv4 address to access this virtual target.
            You can issue this command multiple times to allow multiple initiators.

        switch(config-iscsi-tgt)# no initiator ip address 10.50.1.1 permit
            Prevents the specified IPv4 address from accessing virtual targets.

        switch(config-iscsi-tgt)# initiator ip address 10.50.1.0 255.255.255.0 permit
            Allows all initiators in this IPv4 subnetwork (10.50.1/24) to access this virtual target.

        switch(config-iscsi-tgt)# no initiator ip address 10.50.1.0 255.255.255.0 permit
            Prevents all initiators in this IPv4 subnetwork from accessing virtual targets.

        switch(config-iscsi-tgt)# initiator ip address 2001:0DB8:800:200C::417A permit
            Allows the specified IPv6 unicast address to access this virtual target.
            You can issue this command multiple times to allow multiple initiators.

        switch(config-iscsi-tgt)# no initiator ip address 2001:0DB8:800:200C::417A permit
            Prevents the specified IPv6 address from accessing virtual targets.

        switch(config-iscsi-tgt)# initiator ip address 2001:0DB8:800:200C::/64 permit
            Allows all initiators in this IPv6 subnetwork (2001:0DB8:800:200C::/64) to access this virtual target.

        switch(config-iscsi-tgt)# no initiator ip address 2001:0DB8:800:200C::/64 permit
            Prevents all initiators in this IPv6 subnetwork from accessing virtual targets.

        switch(config-iscsi-tgt)# all-initiator-permit
            Allows all initiator nodes to access this virtual target.

        switch(config-iscsi-tgt)# no all-initiator-permit
            Prevents any initiator from accessing virtual targets (default).
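
Added example (not from the Cisco guide): a Python model of the per-virtual-target initiator permit list that the Step 4 commands build, for auditing a saved configuration for overly broad permits. It assumes an initiator is allowed when any permit entry matches its IQN or IP address and that a no form removes the matching entry, and it ignores Fibre Channel zoning; the function names and the SAMPLE lines are constructed for illustration.

```python
import ipaddress

# Constructed sample: virtual-target submode lines using the command forms in the table.
SAMPLE = """\
switch(config-iscsi-tgt)# initiator iqn.1987-02.com.cisco.initiator1 permit
switch(config-iscsi-tgt)# initiator ip address 10.50.1.0 255.255.255.0 permit
switch(config-iscsi-tgt)# initiator ip address 2001:0DB8:800:200C::417A permit
"""

def parse_acl(text):
    """Replay the lines in order; return (permit_all, IQN set, list of permitted networks)."""
    permit_all, iqns, nets = False, set(), []
    for line in text.splitlines():
        tok = line.split("#")[-1].split()          # drop a leading CLI prompt, if any
        negate = bool(tok) and tok[0] == "no"      # assumption: "no" removes the entry
        tok = tok[1:] if negate else tok
        if tok == ["all-initiator-permit"]:
            permit_all = not negate
        elif tok[:3] == ["initiator", "ip", "address"] and tok[-1] == "permit":
            # "addr", "addr mask" or "prefix/len" all normalise to one network object
            net = ipaddress.ip_network("/".join(tok[3:-1]), strict=False)
            if negate:
                nets = [n for n in nets if n != net]
            elif net not in nets:
                nets.append(net)
        elif len(tok) == 3 and tok[0] == "initiator" and tok[2] == "permit":
            (iqns.discard if negate else iqns.add)(tok[1])
    return permit_all, iqns, nets

def is_permitted(acl, iqn, ip):
    """True if the initiator matches any permit entry; nothing configured means deny."""
    permit_all, iqns, nets = acl
    addr = ipaddress.ip_address(ip)
    return (permit_all or iqn in iqns
            or any(addr.version == n.version and addr in n for n in nets))

def audit(acl):
    """List entries that admit more than one explicitly named initiator."""
    permit_all, iqns, nets = acl
    notes = []
    if permit_all:
        notes.append("all-initiator-permit: every initiator can reach this target")
    notes += [f"subnet permit {n}: {n.num_addresses} addresses allowed"
              for n in nets if n.num_addresses > 1]
    if not (permit_all or iqns or nets):
        notes.append("no permits: target is inaccessible (default)")
    return notes
```
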