
    RE: Selectively exposing Portal Groups to Initiators



    Hi John,
    
    In your configuration examples, in the slide about SCSI nexi, Model 3,
    entries 3 and 5 would form a parallel nexus, and so would entries 4 and 6.
    The entries should instead have been:
    
    3) iqn.1999-12.com.ajax.os1
        + VID=2 + ISID=3 and
       eui.02004567A425678A+1
    4) iqn.1999-12.com.ajax.os1
        + VID=5 + ISID=1 and
       eui.02004567A425678A+2
    ****** *************
    5) iqn.1992-12.com.ajax.os1
        + VID=2 + ISID=3 and
       eui.02004567A425678A+2
    6) iqn.1999-12.com.ajax.os1
        + VID=5 + ISID=1 and
       eui.02004567A425678A+1
    ****** *************
    Right?
    
    Regards,
    Shailesh Manjrekar
    Aarohi Communications.  
    
    -----Original Message-----
    From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu] On Behalf Of
    John Hufferd
    Sent: Wednesday, November 21, 2001 12:43 PM
    To: 'Rahul Bhagwat'
    Cc: ips@ece.cmu.edu; KRUEGER,MARJORIE (HP-Roseville,ex1)
    Subject: RE: Selectively exposing Portal Groups to Initiators
    
    
    Rahul,
    Marjorie's answers are correct, but you might want to be very careful
    with your terms.  Your point three talks about limiting Portal Groups to
    specific Initiators.  I am concerned about your use of the words iSCSI
    Target, which could apply to a couple of different things.
    
    In a Target Network Entity there can be more than one iSCSI Target Node
    (SCSI Device).  Each Target Node can have more than one iSCSI (SCSI)
    Target Port connected to it.  Part of the name of this iSCSI (SCSI) Target
    Port includes the Portal Group Tag.  So if, in your point 3, the term iSCSI
    Target meant iSCSI Target Node, then you would be able to set up different
    iSCSI (SCSI) Target Ports (each with different Portal Group Tags) that can
    access the resources at the same iSCSI Target Node.  The ACL would then
    probably be applied at the iSCSI (SCSI) Target Port.
    
    To be sure we are on the same page here, please reference the charts that
    have been placed at:
    
    http://www.haifa.il.ibm.com/satran/ips/iSCSIConfigurationExamples.pdf
    
    (Note: I use the term iSCSI (SCSI) Port to represent the concept of
    "SCSI Port" within the context of iSCSI.)
    
    .
    .
    .
    John L. Hufferd
    Senior Technical Staff Member (STSM)
    IBM/SSG San Jose Ca
    Main Office (408) 256-0403, Tie: 276-0403,  eFax: (408) 904-4688
    Home Office (408) 997-6136, Cell: (408) 499-9702
    Internet address: hufferd@us.ibm.com
    
    
    "KRUEGER,MARJORIE (HP-Roseville,ex1)"
    <marjorie_krueger@hp.com>@ece.cmu.edu
    on 11/21/2001 11:11:45 AM
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   "'Rahul Bhagwat'" <rahulb@veritas.com>, ips@ece.cmu.edu
    cc:
    Subject:  RE: Selectively exposing Portal Groups to Initiators
    
    
    
    > 1. Is it required that TargetAddresses of an iSCSI target advertised to a
    >    directory service include portal group tag?
    
    Yes, information is necessary to communicate to the initiator which target
    addresses can be used to form a multi-connection session.
    
    > 2. Is it mandatory for an Initiator to use "SendTargets" to discover
    >    TargetAddress for an iSCSI target (even if it has a set of addresses
    >    either statically configured or found through a directory service)?
    
    To my knowledge no iSCSI document has declared it mandatory, but it's
    recommended to ensure the initiator has current addressing information for
    this target.
    
    > 3. Is it okay to restrict access to an Initiator (based on its iSCSI name)
    >    to only a subset of total Target Portal Groups supported by the iSCSI
    >    target?
    
    Yes
    
    >
    > In this scenario, an Initiator may find out the TargetAddresses for an
    > iSCSI target using a directory service, and try to connect a normal
    > operational session to any of these addresses without using SendTargets.
    > The iSCSI target can return an error code for login as "Initiator not
    > Authorized" which in fact is not completely true. Initiator is authorized
    > to only use a subset of portal groups.
    
    Correct, although "not completely true" is subjective.  Another perspective
    is that this initiator is not authorized to use this *target port*, which
    is completely true.
    
    Marjorie
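
An added example, not part of the original messages: it models the endpoints in the thread's notation, assuming an initiator port is name + VID + ISID and a target port is target name + portal group tag, then flags entries that share both (a parallel nexus) and applies an ACL per target port. The `host-b` name, the ACL contents, the duplicate entry and the "Success" string are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Session(NamedTuple):
    label: str      # entry number used in the thread
    initiator: str  # iSCSI initiator node name
    vid: int        # VID and ISID as written in the thread's entries
    isid: int
    target: str     # iSCSI target node name
    pgt: int        # portal group tag, the "+N" suffix in the thread

    def nexus(self):
        # Assumed nexus identity: (initiator port, target port).
        return (self.initiator, self.vid, self.isid), (self.target, self.pgt)


def find_parallel_nexuses(sessions):
    """Return groups of entry labels that share one initiator/target port pair."""
    groups = defaultdict(list)
    for s in sessions:
        groups[s.nexus()].append(s.label)
    return [labels for labels in groups.values() if len(labels) > 1]


def check_login(acl, initiator, target, pgt):
    """Apply the ACL at the target port (target node name + portal group tag)."""
    allowed = acl.get((target, pgt), set())
    return "Success" if initiator in allowed else "Initiator not Authorized"


TARGET = "eui.02004567A425678A"
OS1 = "iqn.1999-12.com.ajax.os1"
# Entries 3-6 copied from the reply above, names exactly as written there.
CORRECTED = [
    Session("3", OS1, 2, 3, TARGET, 1),
    Session("4", OS1, 5, 1, TARGET, 2),
    Session("5", "iqn.1992-12.com.ajax.os1", 2, 3, TARGET, 2),
    Session("6", OS1, 5, 1, TARGET, 1),
]
# Constructed entry: same initiator port and target port as entry 3.
DUPLICATE = Session("dup", OS1, 2, 3, TARGET, 1)
# Constructed ACL: the hypothetical host-b may use portal group 2 only.
HOST_B = "iqn.2001-11.com.example:host-b"
ACL = {(TARGET, 1): {OS1}, (TARGET, 2): {OS1, HOST_B}}

if __name__ == "__main__":
    print(find_parallel_nexuses(CORRECTED + [DUPLICATE]))
    print(check_login(ACL, HOST_B, TARGET, 1))
```
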
    
    
    


Last updated: Mon Nov 26 22:17:43 2001