5 Replies. Latest reply: Aug 8, 2012 3:44 PM by NONSPECIALIST

Can I limit iscsi target visibility based on VLAN?

NONSPECIALIST

We have a number of 6080s running ONTAP 8.1 in 7-mode, which we've been using exclusively for NFS sharing up to now. We're starting to have use cases for iSCSI LUNs, and I'm trying to work out how to restrict the target visibility based on the inbound VLAN of a request.

I know about iscsi interface accesslists -- but if an initiator is not present in any accesslist, it can see targets on all interfaces. Is there a "default invisible" setting?

Example:

  • host with initiator name iqn.2000-05.com.example:hostname01 running CentOS 6 (equivalent to RHEL 6)
  • FAS6080 with 3 10G mvif trunked interfaces, seeing VLANs 11, 13, 17 (we like prime numbers):
    • mvif10gT-11
    • mvif10gT-13
    • mvif10gT-17

If there are no iscsi interface accesslist settings, when I scan for targets on the filer I see:

hostname01# iscsiadm -m discovery -t sendtargets -p filername
10.1.1.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567
10.1.2.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567
10.1.3.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567

showing that the filer sends targets for all interfaces -- but hostname01 only has a storage interface in VLAN 13.

If I add an interface accesslist:

filer01> iscsi interface accesslist add iqn.2000-05.com.example:hostname01 mvif10gT-13

and then run the sendtargets again, I see just that interface, as expected:

hostname01# iscsiadm -m discovery -t sendtargets -p filername
10.1.2.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567

But what I would like is for the filer not to send any targets if the initiator isn't in any accesslist -- i.e., a default deny. Is this possible?

We are not using any authentication mechanisms on iscsi.
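The per-VLAN accesslist approach from the post above, as an added example that is not code from the original thread: a POSIX shell snippet that prints the filer accesslist commands from a constructed initiator-to-interface table, and a check that a host's sendtargets output contains only portals on the one storage subnet that host should see. The subnet-to-VLAN mapping (10.1.2.0/24 for VLAN 13), the second initiator hostname02 and the sample discovery outputs are constructed assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions (not stated on the page): portal 10.1.2.1 on mvif10gT-13 (VLAN 13)
# lives in 10.1.2.0/24, and hostname02 is a constructed second initiator that
# should only ever discover the VLAN 11 interface.

# Constructed table: initiator IQN and the only filer interface it may discover.
HOSTS='iqn.2000-05.com.example:hostname01 mvif10gT-13
iqn.2000-05.com.example:hostname02 mvif10gT-11'

# accesslist_commands: print one "iscsi interface accesslist add" line per host,
# in the form shown in the post, ready to paste into the filer console.
accesslist_commands() {
    printf '%s\n' "$HOSTS" | while read -r iqn iface; do
        [ -n "$iqn" ] || continue
        printf 'iscsi interface accesslist add %s %s\n' "$iqn" "$iface"
    done
}

# check_portals PREFIX: read "IP:PORT,TPGT IQN" lines on stdin and succeed only
# if every portal IP begins with PREFIX (e.g. "10.1.2."). A portal from another
# VLAN is reported on stderr and makes the function fail, so a host can run it
# after the accesslist is applied to confirm it sees nothing outside its VLAN.
check_portals() {
    prefix="$1"
    bad=0
    while read -r portal iqn; do
        [ -n "$portal" ] || continue
        ip=${portal%%:*}              # strip ":3260,2000" to get the portal IP
        case "$ip" in
            "$prefix"*) ;;            # portal on the expected subnet
            *) echo "unexpected portal $portal ($iqn)" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed discovery outputs, in the shape shown in the post: all three
# interfaces before the accesslist, only the VLAN 13 interface after it.
BEFORE='10.1.1.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567
10.1.2.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567
10.1.3.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567'
AFTER='10.1.2.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567'

# On a real host the check would be fed from iscsiadm directly:
#   iscsiadm -m discovery -t sendtargets -p filername | check_portals 10.1.2.
```

Note that check_portals only verifies what the filer advertises to an initiator that is already in an accesslist; it says nothing about an unlisted initiator, which is exactly the default-allow case the question is about.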

  • Re: Can I limit iscsi target visibility based on VLAN?
    aborzenkov

    You can simply disable iSCSI on all interfaces except one: "iscsi interface disable …". Is that what you want?

    • Re: Can I limit iscsi target visibility based on VLAN?
      NONSPECIALIST

      Hmm, not really -- I want iSCSI on all three of those VLANs, but if someone provisions a system on one VLAN and goes a-probing, I would like those systems not to be able to see any targets on the filer unless they're explicitly in an accesslist.

      • Re: Can I limit iscsi target visibility based on VLAN?
        peter.lehmann

        I'd recommend you use SnapDrive on the hosts to connect over iSCSI and manage their LUNs.

        SnapDrive might provide the feature you are looking for; with it the host only sees what it is supposed to see:

        Hope this helps,

        Peter

        From the documentation:

        Support for storage system access control

        SnapDrive provides support for storage system access control to separate server administrator and storage administrator functions, and to limit SnapDrive actions and operations that depend on the user. This feature is not supported with Data ONTAP 8.1 Cluster-Mode.

        SnapDrive enables you to control storage system access by reading a file called AccessControl.xml that is created by the storage system administrator. The file is created in the /etc directory of the storage system root volume and lists the operations and storage resources that are allowed access by users who are assigned specific roles. The access control file associates access rights with specific storage resources. A tool called storacl.exe is used to edit the access control file.

        Using storage system access control

        SnapDrive uses the AccessControl.xml file on the storage system to determine what roles are assigned to a user and what operations are allowed for specific roles.

        Before you begin

        • Install the storage access control (storacl.exe) tool on any Windows host to create and manage the AccessControl.xml file on your storage system in the /etc directory of the root volume. The executable is part of your SnapDrive installation and is located in the SnapDrive directory on your host.
        • HTTPS must be enabled using the options ssl.enable command and secureadmin setup ssl command on the storage system. HTTP is also supported for use with vFiler units when using the MultiStore feature of Data ONTAP software.
        • You must be logged in as root on the storage system.
  • Re: Can I limit iscsi target visibility based on VLAN?
    thomas.glodde

    Sorry Peter, but currently this is not possible. The iSCSI target will always at least answer, regardless of whether you use accesslists, SnapDrive or whatever. Afterwards it might deny access due to authentication, or there is simply no LUN mapped for the system.
