Which of the following methods can be used to restrict which servers can connect to an iSCSI target?
This article applies to Windows Server 2012, 2012R2, 2016, 2019, 2022.
Overview
The Pure Storage FlashArray supports the Internet Small Computer Systems Interface (iSCSI), an Internet Protocol (IP) based storage networking standard for linking data storage facilities. Using iSCSI provides access to the Pure Storage FlashArray by issuing SCSI commands over the TCP/IP network.
The screenshot below illustrates four connected Ethernet ports (CT0.ETH6/ETH7 and CT1.ETH6/ETH7) in a Pure Storage FlashArray. These ports will be configured on the FlashArray and Windows Server for connectivity in Setup iSCSI Connectivity.
The following steps will configure the MSiSCSI Initiator Service to connect to the Pure Storage FlashArray iSCSI ports using the Windows Server management tools.
Setup Using Windows Server and FlashArray Management Tools
This section walks through the steps for configuring MSiSCSI using the Graphical User Interface (GUI) tools provided by Windows Server and the Pure Storage FlashArray management interface.
Configure MSiSCSI (Part 1 of 2)
Write down or cut-and-paste the Initiator Name value. This step has started the Microsoft iSCSI Service so that the Initiator Name, which is required for the next section, could be retrieved.
Configure FlashArray Host and Volume
Connecting a volume to a configured iSCSI host on the Pure Storage FlashArray is required before configuring MSiSCSI. If a volume is not connected, you will receive an Authorization Failure.
Configure MSiSCSI (Part 2 of 2)
In this section the configuration of MSiSCSI will be continued using the iSCSI Initiator tool.
These are the iSCSI Services that were configured in the Setup iSCSI on the FlashArray topic. These need to be in place before proceeding.
4. Enter the IP Address or DNS name for the target ports on the Pure Storage FlashArray. Leave the Port default set to 3260. Repeat Step 4 for each iSCSI service you have configured on the FlashArray. In this example there are four iSCSI services set up on the FlashArray.
5. Once all of the Target Ports have been configured, the Discovery tab Target portals list should look like the below example. This could differ based on the number of iSCSI initiators that are in the FlashArray.
6. Click on the Targets tab, select the newly Discovered target and click the Connect button. This will establish a connection to the Pure Storage FlashArray iSCSI services. Before connecting, the Status will show as Inactive. After connecting, the Status will show as Connected.
If a FlashArray volume has not been connected to the host where the iSCSI Initiator Service is being set up, you will see the error Authorization Failure. This is the same FlashArray iSCSI Qualified Name (IQN) that can be seen from the FlashArray management interface.
7. Select the newly connected Discovered target and click the Properties... button to add sessions to the connection.
8. The Properties dialog will open. Click Add session; this will open up the Connect to Target dialog.
Best Practice: For best performance out of a single host, eight (8) iSCSI sessions are recommended. A session is normally created for every target port where a host is connected. If the host is connected to fewer than eight (8) paths, additional sessions can be configured going to the same target ports.
9. Click Enable multi-path, then click the Advanced... button.
10. In the Advanced Settings dialog select the Microsoft iSCSI Initiator from the Local adapter dropdown. Select the appropriate IP Address from the Initiator IP dropdown. Select the Target portal IP from the dropdown that will map to the Initiator IP. Repeat Step 9 for all of the Initiator IPs and map to their appropriate Target portal IP.
11. After completing the setup of the Initiator IPs and Target Portal IPs, click the Favorite Targets tab and all of the configured paths should be visible.
12. Open up the FlashArray Management interface, click the System tab, click Connections, click Host Connections, and select the host that was just configured. The Host Port Connectivity should show Redundant connections.
If the deployed switches in the fabric support changing the Maximum Transmission Unit (MTU) from 1500 to 9000 (referred to as Jumbo Frames), this can be accomplished using the FlashArray Management GUI, or by running the Windows PowerShell cmdlets from the Pure Storage PowerShell SDK.
Using the FlashArray Management GUI
Using the PowerShell SDK
# -IgnoreCertificateError skips validation of the array's management certificate; omit it where the array presents a trusted certificate.
PS >$FlashArray = New-PfaArray -EndPoint 10.21.201.57 -Credentials (Get-Credential) -IgnoreCertificateError
PS >Get-PfaNetworkInterfaces -Array $FlashArray | Format-Table -AutoSize
subnet name     enabled mtu  services      netmask       slaves               address                 hwaddr            speed
------ ----     ------- ---  --------      -------       ------               -------                 ------            -----
       ct0.eth0 True    1500 {management}  255.255.255.0 {}                   10.21.201.55            24:a9:37:00:38:8f 1000000000
       ct0.eth2 False   1500 {management}  64            {}                   2620:125:9004:2021::200 24:a9:37:00:38:8e 1000000000
       ct0.eth3 False   1500 {management}                {}                                           24:a9:37:00:38:91 10000000000
       ct0.eth6 True    9000 {iscsi}       255.255.255.0 {}                   10.21.201.59            90:e2:ba:4d:75:51 10000000000
       ct0.eth7 True    9000 {iscsi}       255.255.255.0 {}                   10.21.201.61            90:e2:ba:4d:75:50 10000000000
       ct1.eth0 True    1500 {management}  255.255.255.0 {}                   10.21.201.56            24:a9:37:00:39:07 1000000000
       ct1.eth2 False   1500 {management}  64            {}                   2620:125:9004:2021::201 24:a9:37:00:39:06 1000000000
       ct1.eth3 False   1500 {management}                {}                                           24:a9:37:00:39:09 10000000000
       ct1.eth6 True    9000 {iscsi}       255.255.255.0 {}                   10.21.201.60            90:e2:ba:53:ba:19 10000000000
       ct1.eth7 True    9000 {iscsi}       255.255.255.0 {}                   10.21.201.62            90:e2:ba:53:ba:18 10000000000
       replbond True    1500 {replication} 255.255.255.0 {ct1.eth2, ct0.eth2} 10.21.201.58            92:76:9c:80:b9:77 0
       vir0     True    1500 {management}  255.255.255.0 {}                   10.21.201.57            8e:85:63:ff:fd:dd 1000000000
       vir1     False   1500 {management}  64            {}                   2620:125:9004:2021::202 ce:f6:e1:ed:26:ec 1000000000
PS >Set-PfaInterfaceMtu -Array $FlashArray -Name 'ct0.eth6' -Mtu 9000
PS >Set-PfaInterfaceMtu -Array $FlashArray -Name 'ct0.eth7' -Mtu 9000
PS >Set-PfaInterfaceMtu -Array $FlashArray -Name 'ct1.eth6' -Mtu 9000
PS >Set-PfaInterfaceMtu -Array $FlashArray -Name 'ct1.eth7' -Mtu 9000
Using CHAP with iSCSI
When using the Challenge Handshake Authentication Protocol (CHAP) with an iSCSI target, the connection can be bi-directional (or "mutual"), which means that the initiator and target both do authentication. Alternatively, it can be a one-way connection which has only the target authenticating to the initiator. For more information on using CHAP with FlashArray, please see this article.
Configure CHAP on the Windows host:
For Windows Server 2008 R2: Administrative Tools > iSCSI Initiator > Discovery > Advanced
Enter inbound values when adding a target portal. If using a bi-directional (mutual) connection, use the General > Secret area in the iSCSI Initiator Properties dialog to specify a value.
For Windows Server 2012 and later: Server Manager > Dashboard > Tools > iSCSI Initiator > Targets > Discovery > Advanced
Enter inbound values when adding a target portal. If using a bi-directional (mutual) connection, use the Configuration > CHAP area in the iSCSI Initiator Properties dialog to specify a value.
As a best practice, you should not use a password for CHAP authentication that has hexadecimal characters.
Configure CHAP using PowerShell
Create an iSCSI connection to a target with one-way authentication.
Connect-IscsiTarget -NodeAddress iqn.1991-05.com.microsoft:rx-7-iscsitarget01-target -AuthenticationType ONEWAYCHAP -ChapUsername "username" -ChapSecret "123456789012345" -IsPersistent $True
Create an iSCSI connection to a target with bi-directional (mutual) authentication.
Connect-IscsiTarget -NodeAddress iqn.1991-05.com.microsoft:rx-7-iscsitarget01-target -AuthenticationType MUTUALCHAP -ChapUsername "username" -ChapSecret "123456789012345" -IsPersistent $True
Optimizing Latency on Windows Hosts
The Windows operating system incorporates a TCP/IP setting called the Delayed Acknowledgement feature. By changing the default settings, you could possibly reduce the amount of overall network latency when using iSCSI connections. This is a recommended practice; however, the setting changes should be tested in your environment before altering a critical production system.
Please refer to this iSCSI Best Practices article for settings and scripts to assist you with creating or changing these settings.
Configuring Volumes with Windows Server
Refer to the below article for configuring volumes with Windows Server.
Test Connectivity
To test the connectivity from the host to the FlashArray, you can use DISKSPD for a basic plumbing test. DISKSPD is a storage load generator/performance test tool from the Microsoft Windows, Windows Server, and Cloud Server Infrastructure Engineering teams. DISKSPD is not recommended for performance testing. The use case mentioned here is to simply test the connectivity to the FlashArray.
Running diskspd with the below example command line will generate I/O to evaluate connectivity.
The results of the plumbing test should generate similar output as below.
The host can also be monitored using the Purity CLI with the below command.
pureuser@myarray-ct0:~# purehost monitor --balance
Name      Time                     Initiator WWN  Initiator IQN                       Target       Target WWN  Failover  I/O Count  I/O Relative to Max
Server01  2017-06-07 09:30:06 PDT  -              iqn.1991-05.com.microsoft:server01  (primary)    -           -         500187     99%
                                                  iqn.1991-05.com.microsoft:server01  (secondary)  -                     506741     100%
What name format is used to specify the iSCSI targets that are permitted to connect to an iSCSI initiator?
IQN: You can specify the IQN of the machine that has an iSCSI initiator. IQN is a qualified name of the iSCSI. The format of the IQN is “
What is the underlying network protocol used by iSCSI storage network?
The SNIA dictionary defines Internet Small Computer Systems Interface (iSCSI) as a transport protocol that provides for the SCSI protocol to be carried over a TCP-based IP network, standardized by the Internet Engineering Task Force and described in RFC 3720.
What protocol can be used in Windows Server 2016 to discover network-based iSCSI devices?
The iSNS protocol can be used in Windows Server 2016 to discover network-based iSCSI devices.
How does the iSCSI target server make storage available to iSCSI initiators?
How iSCSI works. iSCSI works by transporting block-level data between an iSCSI initiator on a server and an iSCSI target on a storage device. The iSCSI protocol encapsulates SCSI commands and assembles the data in packets for the TCP/IP layer. Packets are sent over the network using a point-to-point connection.
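The GUI procedure and the one-way CHAP connection described above, scripted with the Windows iSCSI cmdlets and followed by a session audit; this is an added example, not part of the original article or Pure Storage's own code. The initiator IPs and CHAP user name are hypothetical, the target IPs are the four iSCSI ports from the interface listing, and it assumes MPIO is installed, the FlashArray is the only discovered target, and the same CHAP credentials are already set on the FlashArray host.

```powershell
# Added example. Initiator IPs and the CHAP user are hypothetical; the target
# IPs are the four FlashArray iSCSI ports shown in the interface listing.
$Paths = @(
    [pscustomobject]@{ Initiator = '10.21.201.71'; Target = '10.21.201.59' }  # ct0.eth6
    [pscustomobject]@{ Initiator = '10.21.201.71'; Target = '10.21.201.60' }  # ct1.eth6
    [pscustomobject]@{ Initiator = '10.21.201.72'; Target = '10.21.201.61' }  # ct0.eth7
    [pscustomobject]@{ Initiator = '10.21.201.72'; Target = '10.21.201.62' }  # ct1.eth7
)
$ChapUser = 'username'   # placeholder, must match the array-side host CHAP user

# Part 1: start the initiator service and read the Initiator Name (IQN).
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI
$Iqn = (Get-InitiatorPort | Where-Object { $_.NodeAddress -like 'iqn.*' }).NodeAddress |
    Select-Object -Unique
Write-Host "Initiator Name to register on the FlashArray host: $Iqn"

# Prompt for the CHAP secret so it is not stored in the script or shell history.
$Secure = Read-Host -Prompt 'CHAP secret' -AsSecureString
$Secret = (New-Object System.Net.NetworkCredential('', $Secure)).Password
if ($Secret.Length -lt 12 -or $Secret.Length -gt 16) {
    throw 'Without IPsec the Microsoft initiator expects a 12 to 16 character CHAP secret.'
}

# Step 4: add each target port to the Discovery list on the default port 3260.
foreach ($ip in ($Paths.Target | Select-Object -Unique)) {
    New-IscsiTargetPortal -TargetPortalAddress $ip -TargetPortalPortNumber 3260 | Out-Null
}
# Assumption: the FlashArray is the only target this host has discovered.
$TargetIqn = (Get-IscsiTarget).NodeAddress

# Steps 6-10: one persistent, multipath-enabled session per initiator/target pair.
foreach ($p in $Paths) {
    Connect-IscsiTarget -NodeAddress $TargetIqn `
        -InitiatorPortalAddress $p.Initiator -TargetPortalAddress $p.Target `
        -IsMultipathEnabled $true -IsPersistent $true `
        -AuthenticationType ONEWAYCHAP -ChapUsername $ChapUser -ChapSecret $Secret | Out-Null
}

# Audit: flag sessions that are disconnected, non-persistent or not using CHAP.
$Sessions = Get-IscsiSession | Where-Object { $_.TargetNodeAddress -eq $TargetIqn }
$Sessions | Format-Table InitiatorPortalAddress, AuthenticationType, IsPersistent, IsConnected
$Weak = @($Sessions | Where-Object {
    -not $_.IsConnected -or -not $_.IsPersistent -or $_.AuthenticationType -eq 'NONE'
})
if ($Weak.Count -gt 0) { Write-Warning "$($Weak.Count) session(s) need attention." }
```

The audit at the end can be run on its own on any host: a session reporting AuthenticationType NONE is relying only on the array's IQN-based host mapping to restrict access.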