vserver iscsi interface accesslist add

Add the iSCSI LIFs to the accesslist of the specified initiator

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command adds network interfaces to an access list for a specified initiator. An access list ensures that an initiator only logs in with IP addresses associated with the interfaces defined in the access list.

You can restrict an initiator to certain network interfaces to improve performance and security. Access lists are useful where a particular initiator cannot access all of the network interfaces on a node.

Access list policies are based on the interface name. The accesslist rules are:
  • If you disable the network interface for iSCSI through the vserver iscsi interface disable command, for example, the network interface is not accessible to any initiator regardless of any access lists in effect.
  • If an initiator does not have an access list, that initiator can access any iSCSI-enabled network interface.
  • If an initiator has an access list, that initiator can only login to network interfaces in its access list. Additionally, the initiator cannot discover any IP addresses that are not on this access list. If an initiator sends an iSCSI sendtargets request, the node responds with a list of IP addresses for iSCSI data logical interfaces that are in its access list.
  • If an initiator does not have an access list, you automatically create an access list when you issue the vserver iscsi interface accesslist add command.
  • If you remove all the interfaces from the access list of an initiator with the vserver iscsi interface accesslist remove command, the accesslist is also deleted.
  • Creating or modifying access list requires that initiator log out and log back in before changes take effect.

When you use the add or remove commands, the system warns you if an iSCSI session could be affected.

Note: You will not affect any iSCSI sessions if you use the -a parameter when adding or removing all interfaces.

Parameters

-vserver <Vserver Name> - Vserver
Specifies the Vserver name.
-initiator-name <text> - Initiator Name
Specifies the initiator you want to add to the access list.
{ -lif <lif-name>, ... - Logical Interface
Specifies the lif you want to add to an access list.
| -all | -a [true]} - All
If you use this parameter without a value, it is set to true, and the command adds all iSCSI data logical interfaces for a vserver to an initiator's accesslist. If the initiator does not have an accesslist, the system creates a new accesslist.
[-force | -f [true]] - Force
If you use this parameter without a value, it is set to true, and the command does not prompt you when an active iSCSI service or any active iSCSI data logical interfaces could be affected. If you do not use this parameter, the command prompts for confirmation if the iSCSI service is active or if any active data logical interfaces would be affected.

Examples

cluster1::> vserver iscsi interface accesslist add -vserver vs_1 -initiator-name iqn.1992-08.com.example:abcdefg -a