vserver iscsi interface accesslist add
Add the iSCSI LIFs to the accesslist of the specified initiator
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
This command adds network interfaces to an access list for a specified initiator. An access list ensures that an initiator only logs in with IP addresses associated with the interfaces defined in the access list.
You can restrict an initiator to certain network interfaces to improve performance and security. Access lists are useful where a particular initiator cannot access all of the network interfaces on a node.
Access list policies are based on the interface name. The access list rules are:
- If you disable the network interface for iSCSI through the vserver iscsi interface disable command, for example, the network interface is not accessible to any initiator regardless of any access lists in effect.
- If an initiator does not have an access list, that initiator can access any iSCSI-enabled network interface.
- If an initiator has an access list, that initiator can only log in to network interfaces in its access list. Additionally, the initiator cannot discover any IP addresses that are not on this access list. If an initiator sends an iSCSI sendtargets request, the node responds with a list of IP addresses for iSCSI data logical interfaces that are in its access list.
- If an initiator does not have an access list, you automatically create an access list when you issue the vserver iscsi interface accesslist add command.
- If you remove all the interfaces from the access list of an initiator with the vserver iscsi interface accesslist remove command, the access list is also deleted.
- Creating or modifying an access list requires that the initiator log out and log back in before changes take effect.
When you use the add or remove commands, the system warns you if an iSCSI session could be affected.
You will not affect any iSCSI sessions if you use the -a parameter when adding or removing all interfaces.
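The rules above interact in a way that matters when tightening access: removing every interface from an initiator's access list deletes the list, and an initiator with no list can reach every iSCSI-enabled interface. The Python model below is an added example that follows the rules as stated on this page; it is not ONTAP code, and the class, method and LIF names (lif1 to lif3) are assumptions.

```python
# Model of the access list rules in the Description (added example, not ONTAP code).
# Class, method and LIF names are assumptions; the sample data is constructed.

class IscsiVserver:
    def __init__(self, lifs):
        self.lifs = dict(lifs)      # LIF name -> True if enabled for iSCSI
        self.accesslists = {}       # initiator name -> set of LIF names

    def accesslist_add(self, initiator, lifs=None, all_lifs=False):
        # Adding to a missing access list creates the list automatically.
        names = set(self.lifs) if all_lifs else set(lifs or ())
        unknown = names - set(self.lifs)
        if unknown:
            raise ValueError(f"unknown LIF(s): {sorted(unknown)}")
        self.accesslists.setdefault(initiator, set()).update(names)

    def accesslist_remove(self, initiator, lifs=None, all_lifs=False):
        current = self.accesslists.get(initiator)
        if current is None:
            return
        current -= set(self.lifs) if all_lifs else set(lifs or ())
        if not current:
            # Removing the last interface deletes the access list itself.
            del self.accesslists[initiator]

    def reachable_lifs(self, initiator):
        # LIFs the initiator may log in to under the rules above.
        enabled = {name for name, on in self.lifs.items() if on}
        allowed = self.accesslists.get(initiator)
        if allowed is None:         # no access list: any iSCSI-enabled LIF
            return sorted(enabled)
        return sorted(enabled & allowed)   # a disabled LIF is never reachable


def demo():
    vs = IscsiVserver({"lif1": True, "lif2": True, "lif3": False})
    host = "iqn.1992-08.com.example:abcdefg"
    results = {"no_list": vs.reachable_lifs(host)}
    vs.accesslist_add(host, lifs=["lif1", "lif3"])
    results["restricted"] = vs.reachable_lifs(host)
    vs.accesslist_remove(host, lifs=["lif1", "lif3"])
    results["after_emptying"] = vs.reachable_lifs(host)
    return results


if __name__ == "__main__":
    for step, lifs in demo().items():
        print(f"{step}: {lifs}")
```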
Parameters
-vserver <Vserver Name> - Vserver
Specifies the Vserver name.
-initiator-name <text> - Initiator Name
Specifies the initiator you want to add to the access list.
{ -lif <lif-name>,… - Logical Interface
Specifies the LIF you want to add to an access list.
| -a, -all <true> - All }
If you use this parameter without a value, it is set to true, and the command adds all iSCSI data logical interfaces for a vserver to an initiator's accesslist. If the initiator does not have an accesslist, the system creates a new accesslist.
[-f, -force <true>] - Force
If you use this parameter without a value, it is set to true, and the command does not prompt you when an active iSCSI service or any active iSCSI data logical interfaces could be affected. If you do not use this parameter, the command prompts for confirmation if the iSCSI service is active or if any active data logical interfaces would be affected.
Examples
cluster1::> vserver iscsi interface accesslist add -vserver vs_1 -initiator-name iqn.1992-08.com.example:abcdefg -a
Adds the initiator iqn.1992-08.com.example:abcdefg on Vserver vs_1 for all iSCSI data logical interfaces in vs_1.