FC Access Control
Without any FC access control rules, all configured VTL devices are accessible over every available HBA port on the VTL system.
Access control rules can be used to restrict access to entire VTL instances or specific drives/medium changer within a VTL instance to specific Host HBA ports. Access control rules can be used to even specify the incoming HBA port through which access is allowed
Any rule contains the following
Host WWPN
Host WWPN is the WWPN of the host HBA port through which a SCSI command will be a sent. A WWPN is specified in the format f0:f1:f2:f3:f4:f5:f6:f7 in lower case. If no WWPN is specified then the rule implies any host WWPN
Target WWPN
Target WWPN is the WWPN of the VTL HBA port through which a SCSI command will be received. If no target WWPN is specified then the rule implies any target WWPN.
VTL Name
VTL Name is the VTL instance for which the rule is applicable to. If no VTL is specified then the rule implies any configured VTL.
Drive ID
Drive ID is the drive id of the VTL or a medium changer for which the rule is applicable to. Each drive in a VTL is assigned a drive ID starting from 1 (See "Virtual Drives" in an individual VTL configuration page). The medium changer device has an ID 65535. An ID of 0 or if no drive ID is specified the rule is applicable for all devices in the VTL
Access
Allow: Allow access to the specified device
Disallow/Deny: Disallow access to the specified device
Rule Prority
When a SCSI command is received for a VTL device, if there a rule which matches the sending host WWPN, the incoming target WWPN, the VTL name and the exact drive ID, then that rule is given the priority. If the rule allows for access the SCSI command is processed further else the command is rejected with a SCSI Check Condition, Sense Key Illegal Request, and a ASC/ASCQ LOGICAL UNIT NOT SUPPORTED ASC/ASCQ
If there is no exact rule then rules in the following order are given priority
- Host WWPN match, target WWPN match, VTL match, drive ID for the rule is 0 (entire VTL)
- Host WWPN match, any target WWPN rule, VTL match, drive ID match (Rule for a specific VTL device received through any VTL HBA port)
- Host WWPN match, any target WWPN rule, VTL match, any drive ID (drive ID 0, entire VTL)
- Any host WWPN, target WWPN match, VTL Match, drive ID match
- Any host WWPN, target WWPN match, VTL Match, any drive ID
- Any host WWPN, any target WWPN, VTL Match, drive ID match
- Any host WWPN, any target WWPN, VTL Match, any drive ID
Default Deny/Disallow Rule
If there is no rule which matches the combination of host WWPN, target WWPN, VTL and drive ID, access is allowed for further processing of the SCSI command. Therefore it is necessary to first change this behavior to disallow access by default and allow access only if a rule permits. To do this In the GUI, click on "Access Management" and click on "Add Rule" in the "FC Access Rules" section. In the next page as shown in the following figure select Rule as "Disallow" and click on Submit
After submit a rule as seen below is added
The same rule can be added at command line as
/quadstorvtl/bin/fcconfig -a -r disallow
With the above rule in place, any SCSI command received from any host WWPN and through any target WWPN for any VTL device is rejected by default. Then selectively access can be allowed based on the host WWPN, target WWPN etc.
FC access rule configuration
New rules can be added or deleted from the GUI. Click on "Access Management" and scroll to the "FC Access Rules" section. To add a rule add a rule click on "Add Rule". In the form shown in the next page
- WWPN: This is the incoming host port WWPN Target
- WWPN: Select "All" if the rule applies to all target ports (the HBA port on which the SCSI command will be received by the VTL) or select a specific WWPN from the list
- Rule: Allow or Disallow/Deny
- VTL Name: The name of the VTL
- Drive ID: Values are
- 0: The rule applies to the entire VTL, both medium changer and drives
- 65535: Rule applies to the medium changer only
- 1 onwards: Rule applies to the drive only. Drives are numbered starting from 1 for each VTL.
Click on Submit to add the rule. Click on the delete icon to delete an existing rule
Host alias
In order to identify hosts by name rather than by WWPN in a rule, an alias can be specified. To add an alias, click on "Add Host" and in the next page shown specify the WWPN of the incoming host and an alias for the host. The alias can contain only characters a-z or A-Z or 0-9
The fcconfig tool allows for controlling access to a VTL over the FC interface. Using the fcconfig tool rules can added to specify the host WWPN or GUID that can or cannot access a VDisk. Staring from 3.0.31 rules can be configured from the GUI described later in this document
To add a rule
/quadstorvtl/bin/fcconfig -a -v <VTL Name> -r <allow|disallow> -w <wwpn> -t <target wwpn>
For example
/quadstorvtl/bin/fcconfig -a -v FOO -r allow -w f0:f1:f2:f3:f4:f5:f6:f7 -t e0:e1:e2:e3:e4:e5:e6:e7
In the above example VTL FOO (autoloader and drives) is allowed access for a host with WWPN f0:f1:f2:f3:f4:f5:f6:f7 through the local HBA port e0:e1:e2:e3:e4:e5:e6:e7. The WWPN expected is a 23 character string. WWPN can be specified in upper case hexadecimal also. For example F0:F1:F2:F3:F4:F5:F6:F7
To delete the above rule
/quadstorvtl/bin/fcconfig -x -v FOO -r allow -w f0:f1:f2:f3:f4:f5:f6:f7 -t e0:e1:e2:e3:e4:e5:e6:e7
To list all existing rules
/quadstorvtl/bin/fcconfig -l
Examples
/quadstorvtl/bin/fcconfig -a -r disallow : Disallow access to all VTLs over the FC interface /quadstorvtl/bin/fcconfig -a -r allow : Allow access to all VTLs over the FC interface /quadstorvtl/bin/fcconfig -a -r disallow -w f0:f1:f2:f3:f4:f5:f6:f7 : Disallow access to all VTLs for WWPN f0:f1:f2:f3:f4:f5:f6:f7 /quadstorvtl/bin/fcconfig -x -r disallow : Delete all disallow rules /quadstorvtl/bin/fcconfig -x -w f0:f1:f2:f3:f4:f5:f6:f7 : Delete all rules for WWPN f0:f1:f2:f3:f4:f5:f6:f7 /quadstorvtl/bin/fcconfig -a -r allow -w f0:f1:f2:f3:f4:f5:f6:f7 -t e0:e1:e2:e3:e4:e5:e6:e7 -v FOO : Allow access to VTL FOO for host WWPN f0:f1:f2:f3:f4:f5:f6:f7 through incoming FC port e0:e1:e2:e3:e4:e5:e6:e7
Target Port Configuration
By default all HBA ports in the VTL have both initiator-mode and target-mode enabled. To change this click on "Access Management" All WWPNs detected for the HBA ports are show as seen in the figure below
Click on "Modify" for any port whose mode needs to be changed and in the next page show select the desired mode - Target, Initiator or Dual and click on Submit to change the mode