iSCSI endpoint isolation
Beginning in ONTAP 9.1 existing iSCSI security commands were enhanced to accept an IP address range, or multiple IP addresses.
All iSCSI initiators must provide origination IP addresses when establishing a session or connection with a target. This new functionality prevents an initiator from logging into the cluster if the origination IP address is unsupported or unknown, providing a unique identification scheme. Any initiator originating from an unsupported or unknown IP address will have their login rejected at the iSCSI session layer, preventing the initiator from accessing any LUN or volume within the cluster.
Implement this new functionality with two new commands to help manage pre-existing entries.
Add initiator address range
Improve iSCSI initiator security management by adding an IP address range, or multiple IP addresses with the
vserver iscsi security add-initiator-address-range command.
cluster1::> vserver iscsi security add-initiator-address-range
Remove initiator address range
Remove an IP address range, or multiple IP addresses, with the
vserver iscsi security remove-initiator-address-range command.
cluster1::> vserver iscsi security remove-initiator-address-range