Send documentation comments to mdsfeedback-doc@cisco.com
50-43
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-17256-03, Cisco MDS NX-OS Release 4.x
Chapter 50 Configuring iSCSI
Configuring iSLB
Choose IP > iSCSI iSLB in Device Manager and set the autoZoneName field to change the auto zone
name for an iSLB initiator.
See the “Configuring iSLB Using Device Manager” procedure on page 50-37.
Configuring iSLB Session Authentication
The IPS module and MPS-14/2 module support the iSLB authentication mechanism to authenticate iSLB
hosts that request access to storage. By default, the IPS module and MPS-14/2 module allow CHAP or
None authentication of iSCSI initiators. If authentication is always used, you must configure the switch
to allow only CHAP authentication.
For CHAP user name or secret validation you can use any method supported and allowed by the Cisco
MDS AAA infrastructure (see
Chapter 41, “Configuring RADIUS and TACACS+”). AAA
authentication supports RADIUS, TACACS+, or a local authentication device.
Note Specifying the iSLB session authentication is the same as for iSCSI. See the “iSCSI Session
Authentication” section on page 50-28.
Restricting iSLB Initiator Authentication
By default, the iSLB initiator can use any user name in the RADIUS or local AAA database in
authenticating itself to the IPS module or MPS-14/2 module (the CHAP user name is independent of the
iSLB initiator name). The IPS module or MPS-14/2 module allows the initiator to log in as long as it
provides a correct response to the CHAP challenge sent by the switch. This can be a problem if one
CHAP user name and password have been compromised.
Choose IP > iSCSI iSLB in Device Manager and set the AuthName field to restrict an initiator to use a
specific user name for CHAP authentication.
See the “Configuring iSLB Using Device Manager” procedure on page 50-37.
Mutual CHAP Authentication
In addition to the IPS module and MPS-14/2 module authentication of the iSLB initiator, the IPS module
and MPS-14/2 module also support a mechanism for the iSLB initiator to authenticate the Cisco MDS
switch’s initiator target during the iSCSI login phase. This authentication requires the user to configure
a user name and password for the switch to present to the iSLB initiator. The provided password is used
to calculate a CHAP response to a CHAP challenge sent to the IPS port by the initiator.
Choose IP > iSCSI iSLB in Device Manager and set the Target Username and Target Password fields to
configure a per-initiator user name and password used by the switch to authenticate itself to an initiator.
See the “Configuring iSLB Using Device Manager” procedure on page 50-37.
About Load Balancing Using VRRP
You can configure Virtual Router Redundancy Protocol (VRRP) load balancing for iSLB. Figure 50-33
shows an example of load balancing using iSLB.
To Next Page
Loading...
Need help?
General
