Hi!

I have configured two LUs following this guide:

http://thegreyblog.blogspot.com/2010/02/setting-up-solaris-comstar-and.html

Now I want each LU to be available to only one distinct client in the network. I found no easy guide how to accomplish this anywhere on the internet. Any hint?

Martin

Hi Martin,

On 12.12.10 09:50, Martin Mundschenk wrote:
> Hi!
>
> I have configured two LUs following this guide:
>
> http://thegreyblog.blogspot.com/2010/02/setting-up-solaris-comstar-and.html
>
> Now I want each LU to be available to only one distinct client in the network. I found no easy guide how to accomplish this anywhere on the internet. Any hint?
>
> Martin

Yeah, this really seems a bit confusing. ;)

You will basically have to manage this through host groups and target groups. The host group holds the initiator names that are associated with this group. This host group then becomes a member of the target group where a specific target is bound to. Afterwards you can create the necessary views where you associate a LUN, host group and target group with one another.

The final step then is to create a target and have that target bound to the target group of your choice, such that only the hosts that belong to the host group that is associated with that target group are able to log in to the target.

Unfortunately this is not as easy as in iSCSI Enterprise Target on Linux, where you can simply do this via the IP address of the initiator, but it works nonetheless.

Cheers,
budy

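
The host group, target group and view sequence described in the reply above, as an added example that is not part of the original thread: a dry-run script that validates an LU-to-client mapping and prints the `stmfadm`/`itadm` commands for it. The group names (`hg-<name>`, `tg-<name>`), GUIDs, IQNs and LUN number 0 are constructed placeholders.

```shell
#!/bin/sh
# Dry run: print the COMSTAR commands that pin each LU to exactly one initiator.
# stdin, one line per LU: <name> <LU GUID> <initiator IQN> <target IQN>
# Group names hg-<name>/tg-<name> and all sample values are constructed.

emit_plan() {
    seen=" "; plan=""
    while read -r name guid init tgt; do
        [ -n "$name" ] || continue
        # LU GUIDs are 32 hex digits; anything else is treated as a typo.
        case "$guid" in *[!0-9A-Fa-f]*) guid="" ;; esac
        if [ "${#guid}" -ne 32 ]; then
            echo "$name: LU GUID must be 32 hex digits" >&2; return 1
        fi
        for q in "$init" "$tgt"; do
            case "$q" in
                iqn.*) ;;
                *) echo "$name: '$q' is not an IQN" >&2; return 1 ;;
            esac
        done
        # One LU, one client: a GUID, initiator or target may appear only once.
        for k in "$guid" "$init" "$tgt"; do
            case "$seen" in
                *" $k "*) echo "$name: $k is listed twice" >&2; return 1 ;;
            esac
            seen="$seen$k "
        done
        # A target must be offline while it joins a target group. remove-view -a
        # drops earlier views of the LU, including one added without -h/-t,
        # which exposes the LU to every initiator.
        plan="$plan
stmfadm create-hg hg-$name
stmfadm add-hg-member -g hg-$name $init
itadm create-target -n $tgt
stmfadm offline-target $tgt
stmfadm create-tg tg-$name
stmfadm add-tg-member -g tg-$name $tgt
stmfadm online-target $tgt
stmfadm remove-view -l $guid -a
stmfadm add-view -h hg-$name -t tg-$name -n 0 $guid
stmfadm list-view -l $guid"
    done
    printf '%s\n' "${plan#?}"
}

# Constructed sample input: two LUs, two clients.
emit_plan <<'EOF'
client1 0123456789ABCDEF0123456789ABCDEF iqn.2010-12.com.example:client1 iqn.2010-12.com.example:storage-lu1
client2 FEDCBA9876543210FEDCBA9876543210 iqn.2010-12.com.example:client2 iqn.2010-12.com.example:storage-lu2
EOF
```

The script executes nothing itself; the printed plan is meant to be reviewed and then run on the storage host.
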
I have found this post from Mike La Spina to be very detailed covering this topic, yet I could not seem to get it to work right on my first hasty attempt a while back. Let me know if you have success, or adjustments that get this to work.

http://blog.laspina.ca/ubiquitous/securing-comstar-and-vmware-iscsi-connections

-Chris

On Sun, Dec 12, 2010 at 12:47 AM, Martin Mundschenk <m.mundschenk at mundschenk.de> wrote:
> Hi!
>
> I have configured two LUs following this guide:
>
> http://thegreyblog.blogspot.com/2010/02/setting-up-solaris-comstar-and.html
>
> Now I want each LU to be available to only one distinct client in the
> network. I found no easy guide how to accomplish this anywhere on the
> internet. Any hint?
>
> Martin

On Mon, Dec 13, 2010 at 5:30 PM, Chris Mosetick <cmosetick at gmail.com> wrote:
> I have found this post from Mike La Spina to be very detailed covering this
> topic, yet I could not seem to get it to work right on my first hasty
> attempt a while back. Let me know if you have success, or adjustments that
> get this to work.
>
> http://blog.laspina.ca/ubiquitous/securing-comstar-and-vmware-iscsi-connections
>
> -Chris
>
> On Sun, Dec 12, 2010 at 12:47 AM, Martin Mundschenk <m.mundschenk at mundschenk.de> wrote:
>> Hi!
>>
>> I have configured two LUs following this guide:
>>
>> http://thegreyblog.blogspot.com/2010/02/setting-up-solaris-comstar-and.html
>>
>> Now I want each LU to be available to only one distinct client in the
>> network. I found no easy guide how to accomplish this anywhere on the
>> internet. Any hint?
>>
>> Martin

Looking at that, the one comment I'd make is that I'd strongly suggest avoiding CHAP. It really provides nothing in the way of security, and simply adds more complexity. If you're doing iSCSI across a WAN (I really hope you aren't), you'd be better served using a VPN. If you're doing it on a LAN and you're concerned about security, use VLANs. It's generally a good idea to dedicate a VLAN to VMware storage traffic anyways (whether it be iSCSI or NFS) if your infrastructure can handle VLANs.

--Tim

Hi Chris,

I have attempted to document the steps to restrict LUN access, here:

http://docs.sun.com/app/docs/doc/821-1459/gkgnr?l=en&a=view

Please see if this info helps. If it doesn't, let me know the errors.

Thanks,

Cindy

On 12/13/10 16:30, Chris Mosetick wrote:
> I have found this post from Mike La Spina to be very detailed covering
> this topic, yet I could not seem to get it to work right on my first
> hasty attempt a while back. Let me know if you have success, or
> adjustments that get this to work.
>
> http://blog.laspina.ca/ubiquitous/securing-comstar-and-vmware-iscsi-connections
>
> -Chris
>
> On Sun, Dec 12, 2010 at 12:47 AM, Martin Mundschenk <m.mundschenk at mundschenk.de> wrote:
>> Hi!
>>
>> I have configured two LUs following this guide:
>>
>> http://thegreyblog.blogspot.com/2010/02/setting-up-solaris-comstar-and.html
>>
>> Now I want each LU to be available to only one distinct client in
>> the network. I found no easy guide how to accomplish this anywhere on
>> the internet. Any hint?
>>
>> Martin