ONTAP Discussions

Can I limit iscsi target visibility based on VLAN?

NONSPECIALIST
4,851 Views

We have a number of 6080's running OnTAP 8.1 in 7-mode, which we've been using exclusively for NFS sharing up to now. We're starting to have use cases for iSCSI LUNs, and I'm trying to work out how to restrict the target visibility based on the inbound VLAN of a request.

I know about iscsi interface accesslists -- but if an initiator is not present in any accesslist, it can see targets on all interfaces. Is there a "default invisible" setting?

Example:

  • host with initiator name iqn.2000-05.com.example:hostname01 running CentOS 6 (equivalent to RHEL 6)
  • FAS6080 with 3 10G mvif trunked interfaces, seeing VLANs 11, 13, 17 (we like prime numbers):
    • mvif10gT-11
    • mvif10gT-13
    • mvif10gT-17

If there are no iscsi interface accesslist settings, when I scan for targets on the filer I see:

hostname01# iscsiadm -m discovery -t sendtargets -p filername

10.1.1.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567

10.1.2.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567

10.1.3.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567

showing that the filer sends targets for all interfaces -- but hostname01 only has a storage interface in VLAN 13.

If I add an interface accesslist:

filer01> iscsi interface accesslist add iqn.2000-05.com.example:hostname01 mvif10gT-13

and then run the sendtargets again: I see just that interface, as expected:

hostname01# iscsiadm -m discovery -t sendtargets -p filername

10.1.2.1:3260,2000 iqn.1992-08.com.netapp:sn.1234567

But what I would like is for the filer not to send any targets if the initiator isn't in any accesslist -- ie, a default deny. Is this possible?

We are not using any authentication mechanisms on iscsi.

1 ACCEPTED SOLUTION

thomas_glodde
4,851 Views

sorry peter, but currently this is not possible. the iscsi target will always at least answer, regardless if using accesslists, snapdrive or whatever. afterwards it might deny access due to authentication or there is simply no lun mapped for the system.

View solution in original post

5 REPLIES 5

aborzenkov
4,851 Views

You can simply disable iSCSI on all interfaces except one. “iscsi interface disable …”. Is it what you want?

NONSPECIALIST
4,851 Views

Hmm, not really -- I want iscsi on all those three VLANs, but if someone provisions a system on one VLAN and goes a-probing, I would like for those systems not to be able to see any targets on the filer unless they're explicitly in an accesslist

peter_lehmann
4,851 Views

I'd recommend you to use SnapDrive on the hosts to connect over iSCSI and manage their LUNs.

SnapDrive might provides you the feature you are looking for, with this the hsot onyl sees what he is supposed to see:

Hope this helps,

Peter

From the documentation:

Support for storage system access control

SnapDrive provides support for storage system access control to separate server administrator and storage administrator functions, and to limit SnapDrive actions and operations that depend on the user. This feature is not supported with Data ONTAP 8.1 Cluster-Mode.

SnapDrive enables you to control storage system access by reading a file called AccessControl.xml that is created by the storage system administrator. The file is created in the /etc directory of the storage system root volume and lists the operations and storage resources that are allowed access by users who are assigned specific roles. The access control file associates access rights with specific storage resources. A tool called storacl.exe is used to edit the access control file.

Using storage system access control

SnapDrive uses the AccessControl.xml file on the storage system to determine what roles are assigned to a user and what operations are allowed for specific roles.

Before you begin

 

  • Install the storage access control (storacl.exe) tool on any Windows host to create and manage the AccessControl.xml file on your storage system in the /etc directory of the root volume. The executable is part of your SnapDrive installation and is located in the SnapDrive directory on your host.
  • HTTPS must be enabled using the options ssl.enable command and secureadmin setup ssl command on the storage system. HTTP is also supported for use with vFiler units when using the MultiStore feature of Data ONTAP software.
  • You must be logged in as root on the storage system.

thomas_glodde
4,852 Views

sorry peter, but currently this is not possible. the iscsi target will always at least answer, regardless if using accesslists, snapdrive or whatever. afterwards it might deny access due to authentication or there is simply no lun mapped for the system.

NONSPECIALIST
4,851 Views

Ok, well thanks for the replies ...

What I'm going to do instead is to have the clients choose a target portal based on their local VLAN, and associate to it explicitly; I don't want iSCSI traffic going through a router. I'll let igroup membership sort the rest out.

Thanks!

Public