We have a number of 6080s running Data ONTAP 8.1 in 7-mode, which we've been using exclusively for NFS sharing up to now. We're starting to have use cases for iSCSI LUNs, and I'm trying to work out how to restrict the target visibility based on the inbound VLAN of a request.
I know about iscsi interface accesslists -- but if an initiator is not present in any accesslist, it can see targets on all interfaces. Is there a "default invisible" setting?
If there are no iscsi interface accesslist settings, when I scan for targets on the filer I see:
hostname01# iscsiadm -m discovery -t sendtargets -p filername
10.1.1.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567
10.1.2.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567
10.1.3.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567
showing that the filer sends targets for all interfaces -- but hostname01 only has a storage interface in VLAN 13.
If I add an interface accesslist:
filer01> iscsi interface accesslist add iqn.2000-05.com.example:hostname01 mvif10gT-13
and then run the sendtargets again, I see just that interface, as expected:
hostname01# iscsiadm -m discovery -t sendtargets -p filername
10.1.2.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567
But what I would like is for the filer not to send any targets if the initiator isn't in any accesslist, i.e. a default deny. Is this possible?
We are not using any authentication mechanisms on iscsi.
I'd recommend you use SnapDrive on the hosts to connect over iSCSI and manage their LUNs.
SnapDrive might provide you the feature you are looking for; with this the host only sees what it is supposed to see:
Hope this helps,
From the documentation:
SnapDrive provides support for storage system access control to separate server administrator and storage administrator functions, and to limit SnapDrive actions and operations that depend on the user. This feature is not supported with Data ONTAP 8.1 Cluster-Mode.
SnapDrive enables you to control storage system access by reading a file called AccessControl.xml that is created by the storage system administrator. The file is created in the /etc directory of the storage system root volume and lists the operations and storage resources that are allowed access by users who are assigned specific roles. The access control file associates access rights with specific storage resources. A tool called storacl.exe is used to edit the access control file.
SnapDrive uses the AccessControl.xml file on the storage system to determine what roles are assigned to a user and what operations are allowed for specific roles.
OK, well thanks for the replies ...
What I'm going to do instead is to have the clients choose a target portal based on their local VLAN, and associate to it explicitly; I don't want iSCSI traffic going through a router. I'll let igroup membership sort the rest out.
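As an added example that is not part of the original thread, the script below does on the initiator side what the question and the final post describe: it parses the text that `iscsiadm -m discovery -t sendtargets` prints (one `ip:port,tpgt iqn` line per portal, as in the question), works out which portals sit on a subnet the host actually has an interface in, reports every other portal as exposure the filer's `iscsi interface accesslist` should have hidden, and picks the single on-VLAN portal to log in to explicitly so no iSCSI traffic crosses a router. The discovery output, the `ip -4 -o addr` output, the IQNs and the addresses are constructed sample values; the helper names are my own.

```python
"""Audit iSCSI discovery output against the initiator's own storage subnets.

Added example, not code from the original thread. IPv4 portals only; the
sample texts below are constructed to match the format of the real tools.
"""
import ipaddress
import re
from dataclasses import dataclass

# One portal per line: "10.1.2.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567"
PORTAL_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+),(?P<tpgt>\d+)\s+(?P<iqn>\S+)$")
# "ip -4 -o addr" prints "3: eth1.13    inet 10.1.2.50/24 brd ... scope global ..."
IP_ADDR_RE = re.compile(r"^\d+:\s+(?P<dev>\S+)\s+inet\s+(?P<cidr>[\d.]+/\d+)")

# Constructed sample: what the filer in the question returns with no accesslist.
SAMPLE_DISCOVERY = """hostname01# iscsiadm -m discovery -t sendtargets -p filername
10.1.1.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567
10.1.2.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567
10.1.3.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567
"""

# Constructed sample: the host has a management NIC and one storage VLAN (13).
SAMPLE_IP_ADDR = r"""1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.50.20/24 brd 192.168.50.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1.13    inet 10.1.2.50/24 brd 10.1.2.255 scope global eth1.13\       valid_lft forever preferred_lft forever
"""


@dataclass(frozen=True)
class Portal:
    ip: str
    port: int
    tpgt: int
    iqn: str


def parse_sendtargets(text):
    """Extract portals from sendtargets output; prompt/command lines are ignored."""
    portals = []
    for line in text.splitlines():
        m = PORTAL_RE.match(line.strip())
        if m:
            portals.append(Portal(m["ip"], int(m["port"]), int(m["tpgt"]), m["iqn"]))
    return portals


def local_subnets_from_ip_addr(text):
    """Return the host's non-loopback IPv4 subnets (as CIDR strings) from 'ip -4 -o addr'."""
    subnets = []
    for line in text.splitlines():
        m = IP_ADDR_RE.match(line)
        if not m:
            continue
        iface = ipaddress.ip_interface(m["cidr"])
        if iface.ip.is_loopback:
            continue
        subnets.append(str(iface.network))
    return subnets


def classify_portals(portals, local_subnets):
    """Split portals into those reachable without routing and those the host should never see."""
    nets = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    allowed, unexpected = [], []
    for p in portals:
        addr = ipaddress.ip_address(p.ip)
        (allowed if any(addr in n for n in nets) else unexpected).append(p)
    return allowed, unexpected


def choose_portal(portals, local_subnets):
    """Pick the one portal on the host's storage VLAN; refuse if it is not unambiguous."""
    allowed, _ = classify_portals(portals, local_subnets)
    if len(allowed) != 1:
        raise ValueError(f"expected exactly one on-subnet portal, found {len(allowed)}")
    return allowed[0]


def login_command(portal):
    """Build the explicit 'iscsiadm -m node' login argv for the chosen portal (not executed here)."""
    return ["iscsiadm", "-m", "node", "-T", portal.iqn,
            "-p", f"{portal.ip}:{portal.port}", "--login"]


if __name__ == "__main__":
    portals = parse_sendtargets(SAMPLE_DISCOVERY)
    subnets = local_subnets_from_ip_addr(SAMPLE_IP_ADDR)
    allowed, unexpected = classify_portals(portals, subnets)
    for p in unexpected:
        # Each of these is a portal the filer advertised outside this host's VLAN:
        # with a default-deny accesslist in place this list would be empty.
        print(f"EXPOSED off-subnet portal: {p.ip}:{p.port} tpgt={p.tpgt} {p.iqn}")
    print("login with:", " ".join(login_command(choose_portal(portals, subnets))))
```

On a real host, replace the two sample strings with the output of `iscsiadm -m discovery -t sendtargets -p <filer>` and `ip -4 -o addr`; a non-empty "EXPOSED" list is the symptom the question describes, and the chosen portal is the one to bind the node record to so the session never leaves the storage VLAN.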