Fibre Channel and Infiniband Access Management (LUN Masking)

The fcconfig tool controls access to a VTL over the FC interface. Using fcconfig, rules can be added to specify the host WWPN or GUID that can or cannot access a VDisk.

To add a rule

/quadstorvtl/bin/fcconfig -a -v <VTL Name> -r <allow|disallow> -w <wwpn>

For example

/quadstorvtl/bin/fcconfig -a -v FOO -r allow -w f0:f1:f2:f3:f4:f5:f6:f7
/quadstorvtl/bin/fcconfig -a -v FOO -r allow -w fe80:0000:0000:0000:0002:c902:0025:7f89

In the above example, a host with WWPN f0:f1:f2:f3:f4:f5:f6:f7 is allowed access to VTL FOO (autoloader and drives). The WWPN is expected to be a 23-character string. Similarly, fe80:0000:0000:0000:0002:c902:0025:7f89 is the GUID of the SRP initiator.

To delete the above rule

/quadstorvtl/bin/fcconfig -x -v FOO -r allow -w f0:f1:f2:f3:f4:f5:f6:f7

To list all existing rules

/quadstorvtl/bin/fcconfig -l

Examples

/quadstorvtl/bin/fcconfig -a -r disallow : Disallow access to all VTLs over the FC interface
/quadstorvtl/bin/fcconfig -a -r allow : Allow access to all VTLs over the FC interface
/quadstorvtl/bin/fcconfig -a -r disallow -w f0:f1:f2:f3:f4:f5:f6:f7 : Disallow access to all VTLs for WWPN f0:f1:f2:f3:f4:f5:f6:f7
/quadstorvtl/bin/fcconfig -x -r disallow : Delete all disallow rules
/quadstorvtl/bin/fcconfig -x -w f0:f1:f2:f3:f4:f5:f6:f7 : Delete all rules for WWPN f0:f1:f2:f3:f4:f5:f6:f7

Rules can be combined. For example

/quadstorvtl/bin/fcconfig -a -r disallow
/quadstorvtl/bin/fcconfig -a -r allow -v FOO

The above two rules combined specify that access is allowed only to VTL FOO over the FC interface. Note that without an explicit disallow rule, access isn't restricted. For example, if '/quadstorvtl/bin/fcconfig -a -r disallow' is not specified, other VDisks are still accessible.

Rule priority

For a given client WWPN, an exact rule match for that WWPN and the target VTL is searched for first. If found, that rule applies. Otherwise, the following matches are searched for in order, and the first match is the rule that applies:

  1. Rule matching the client WWPN
  2. Rule matching the target VTL
  3. Rule which applies to any WWPN
  4. Rule which applies to any VTL

If no rule matches, access to the VTL is considered allowed for that client WWPN.
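
The search order above can be modelled offline to review what a rule set actually permits before it is applied. This is an added example, not QUADStor code. The names RuleTable, decide and audit are hypothetical, and it assumes that the last two list items describe the rule added with neither -w nor -v and that re-adding the same WWPN/VTL pair replaces the earlier rule.

```python
import re

# Added model of the precedence described above; not fcconfig's own code.
WWPN_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){7}")  # 23-character FC WWPN
GUID_RE = re.compile(r"[0-9a-f]{4}(:[0-9a-f]{4}){7}")  # SRP GUID form shown on the page
ANY = None  # stands for an omitted -w or -v option


class RuleTable:
    def __init__(self):
        self.rules = {}  # (wwpn or ANY, vtl or ANY) -> "allow" | "disallow"

    def add(self, action, wwpn=ANY, vtl=ANY):
        if action not in ("allow", "disallow"):
            raise ValueError("action must be allow or disallow")
        if wwpn is not ANY:
            wwpn = wwpn.lower()
            if not (WWPN_RE.fullmatch(wwpn) or GUID_RE.fullmatch(wwpn)):
                raise ValueError("malformed WWPN/GUID: %r" % wwpn)
        # Assumption: re-adding the same (wwpn, vtl) pair replaces the old rule.
        self.rules[(wwpn, vtl)] = action

    def decide(self, wwpn, vtl):
        """Return (action, matched_key); matched_key is None for the default."""
        wwpn = wwpn.lower()
        for key in ((wwpn, vtl),  # exact WWPN + VTL match
                    (wwpn, ANY),  # rule matching the client WWPN
                    (ANY, vtl),   # rule matching the target VTL
                    (ANY, ANY)):  # rule with neither -w nor -v (assumed reading)
            if key in self.rules:
                return self.rules[key], key
        return "allow", None      # no rule matched: access is allowed


def audit(table, hosts, vtls):
    """Effective decision for every host/VTL pair, for reviewing a rule set."""
    return {(h, v): table.decide(h, v)[0] for h in hosts for v in vtls}


if __name__ == "__main__":
    t = RuleTable()
    t.add("disallow")            # fcconfig -a -r disallow
    t.add("allow", vtl="FOO")    # fcconfig -a -r allow -v FOO
    t.add("disallow", wwpn="f0:f1:f2:f3:f4:f5:f6:f7")
    hosts = ["f0:f1:f2:f3:f4:f5:f6:f7", "10:00:00:00:c9:00:00:01"]  # second is constructed
    for pair, action in audit(t, hosts, ["FOO", "BAR"]).items():
        print(pair, action)
```

In this model the per-WWPN disallow wins over the per-VTL allow for FOO, because the WWPN match is searched before the VTL match.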