DELL-Kenny K
685 Posts
1
February 7th, 2013 13:00
Gerrybarnett,
We do not recommend using a wild card when setting up the Access List. However, if you want to use the wild card it has to be the entire octet. The reason it is a bad idea to use the wild card is that anything that gets put on to that subnet will try and access the SAN. I have seen this go bad more than a few times. What I would recommend that you do is set up the ACL using the IQN to specify what gets access, and then you do not have to worry about systems trying to access the SAN that should not be able to.
gerrybarnett
129 Posts
0
February 8th, 2013 00:00
Don,
Thanks, it does seem to beg the question why Dell implemented it this way. I did actually query it at the time as it did seem somewhat onerous to have to put all the IP addresses into the ACL every time you create a volume.
Don, you seem to be very authoritative in the EQL/Storage arena, so do you work for/with Dell, and would you mind if I raised this with our Dell engineering support manager?
gerrybarnett
129 Posts
0
February 8th, 2013 00:00
Sorry, also, if I want to change to CHAP, what is the best way to go about changing both ends (storage and ESX hosts) without interrupting connectivity/service?
sketchy00
203 Posts
0
February 8th, 2013 07:00
For smaller environments, and those less familiar with some of these topics, I've found recommending ACLs based on IQN to be WAY easier for them to understand. And I've also seen some pretty messed up things by CHAP being implemented in the wrong way. So CHAP, while probably the best overall option, does have its downsides.
gerrybarnett
129 Posts
0
February 8th, 2013 07:00
Sketchy,
Thanks, we only have 6 hosts each with 2 x 10GB NICs and there won't be any more, so the 16 entry limit won't be a problem. I just know that when creating one, I or someone else is going to make an omission/typo or cut/paste error and cause problems. Not sure what you mean by using IQN. Could you give an example?
thx
sketchy00
203 Posts
0
February 8th, 2013 08:00
As soon as one adds the SW iSCSI adapter in vSphere, when you click on the properties of that iSCSI Initiator, you will see a name. It might look something like iqn.1998-01.com.vmware:host1-80a12345. Just copy and paste that into the ACL for each VMFS volume it should access.
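As an added example (not from the thread, and not Dell's or VMware's tooling), the following Python script audits a volume access list offline along the lines the thread recommends: it classifies each entry as an IQN, a single IP address or a subnet wildcard, rejects wildcards that are not a whole octet (Don's rule above), flags any whole-subnet wildcard because every host later placed on that subnet would be admitted, checks the 16-entry-per-volume limit mentioned earlier, and reports which expected initiators have no IQN entry. The volume names, IQNs and addresses are constructed sample data, and the entry limit is taken from the thread rather than from Dell documentation.

```python
"""Offline audit of iSCSI volume access lists (hypothetical helper, not vendor tooling)."""
import ipaddress
import re

# RFC 3720 initiator name form: iqn.<yyyy-mm>.<reversed-domain>[:<unique-name>]
IQN_RE = re.compile(r"^iqn\.\d{4}-\d{2}\.[a-z0-9][a-z0-9.-]*(:\S+)?$", re.IGNORECASE)

MAX_ENTRIES = 16  # per-volume ACL limit as stated in the thread (assumed, not verified here)


def classify(entry):
    """Classify one ACL entry.

    Returns a (kind, detail) pair where kind is 'iqn', 'ip', 'wildcard' or
    'invalid' and detail is the normalised value or a reason string.
    """
    e = entry.strip()
    if IQN_RE.match(e):
        return "iqn", e.lower()
    if "*" in e:
        parts = e.split(".")
        if len(parts) != 4:
            return "invalid", "wildcard address must have four octets"
        # A wildcard must replace an entire octet: '10.1.1.*' is acceptable,
        # '10.1.1.2*' is not, and once an octet is '*' every later octet must be too.
        seen_star = False
        for p in parts:
            if p == "*":
                seen_star = True
            elif seen_star or not p.isdigit() or int(p) > 255:
                return "invalid", "wildcard must replace whole trailing octets"
        return "wildcard", e
    try:
        return "ip", str(ipaddress.IPv4Address(e))
    except ValueError:
        return "invalid", "not an IQN, IPv4 address or whole-octet wildcard"


def audit_acl(volume, entries, expected_iqns=(), max_entries=MAX_ENTRIES):
    """Return a list of findings for one volume's ACL; an empty list means clean."""
    findings = []
    if len(entries) > max_entries:
        findings.append(f"{volume}: {len(entries)} entries exceed the limit of {max_entries}")
    present = set()
    for entry in entries:
        kind, detail = classify(entry)
        if kind == "invalid":
            findings.append(f"{volume}: entry '{entry}' is invalid ({detail})")
        elif kind == "wildcard":
            findings.append(f"{volume}: wildcard '{entry}' admits every host placed on that subnet")
        elif kind == "iqn":
            present.add(detail)
    for iqn in expected_iqns:
        if iqn.lower() not in present:
            findings.append(f"{volume}: expected initiator {iqn} has no IQN entry")
    return findings


# Constructed sample data: two ESX hosts and two VMFS volumes.
HOST_IQNS = [
    "iqn.1998-01.com.vmware:host1-80a12345",
    "iqn.1998-01.com.vmware:host2-80a12346",
]
SAMPLE_ACLS = {
    "vmfs-01": ["iqn.1998-01.com.vmware:host1-80a12345", "10.1.1.*"],
    "vmfs-02": HOST_IQNS + ["10.1.1.2*"],
}


def audit_all(acls, expected_iqns):
    """Audit every volume and return {volume: findings}."""
    return {vol: audit_acl(vol, entries, expected_iqns) for vol, entries in acls.items()}


if __name__ == "__main__":
    for vol, findings in audit_all(SAMPLE_ACLS, HOST_IQNS).items():
        print(vol, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Running the script prints one line per volume and a finding per problem; in a real environment the ACL entries would be read from the group's volume configuration rather than from the constructed dictionary.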
sketchy00
203 Posts
0
February 8th, 2013 10:00
Thanks for sharing Don. I've always been a bit curious to know how prevalent that was. ...I figured it was a lot.
I'll also say that the times I've seen it, it was almost always from a relatively new setup, in a smaller environment. And the end user was left asking why there are so many buttons that say CHAP, and what do they do. :-) In those cases, the end user was able to wrap their head around the ACL by iqn concept pretty easily.
sketchy00
203 Posts
0
February 8th, 2013 10:00
It's not really technical issues with CHAP itself, or using it against vSphere hosts. It is simple in many respects, and can reduce connection counts, etc. But there is a much higher likelihood of someone just starting out being unclear on how to set it up. It can be confusing when a discoverable volume, from the host's perspective, can or cannot be logged into. Before you know it, you have a thousand red alarm entries in the PS Group Manager Event logs. Again, it's more a matter of ease of implementation, and the odds of getting it right for the newer person, and for smaller environments.
Out in the field, I've seen what I've described at a number of locations that attempted to use CHAP. But you might be a better one to comment on how often that happens, as I'm sure Eql support is the first to hear about it.
gerrybarnett
129 Posts
0
February 9th, 2013 06:00
"I'll also say that the times I've seen it, it was almost always from a relatively new setup, in a smaller environment. And the end user was left asking why there are so many buttons that say CHAP, and what do they do. :-) " Sketchy, you have just described me and my environment. After the help you guys have provided, I went back to look at CHAP and maybe I'm just a bit thick, but I found the number of places it can be configured, the CHAP/mutual CHAP difference (?) and the CHAP inheritance very confusing! As the site is now live I think it's safer for a newbie like me to stick with IQN/IP ACLs. I was just looking for a way to have smaller ACLs and I'm sure I'll mess something up if I go about trying to implement a new regime without the level of understanding you guys have. I cannot thank you guys on forums like these enough. So many employers (mine anyway!) make no provision whatsoever for proper training in what is such a complex technical arena, where you can literally bring an environment to its knees (or even destroy it) with the wrong click of a button. We are spending £450,000 on EQL kit and not a penny on training at all (: (: Without the user community who share their time, experience and expertise, I and many like me, I suspect, would be struggling alone, so thanks again. G.
sketchy00
203 Posts
0
February 9th, 2013 10:00
Good to hear. The IQN approach will be easiest to understand, and is a WAY better option than IP-based ACLs (no need for IP ACLs, and accidents can happen with them).
Be sure to pay attention to the good input that Don is providing here. He's been a great resource, and provides a lot of really good information.