First thing, credit where due:
Cisco.com iSCSI Configuration Guide (Please read first!)
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/ipsvc/nxos/ipsvc/ciscsi.html
Peter Revill has some great posts on iSCSI (Thanks, Peter!)
http://www.ccierants.com/
Ben King has a good post on setting up iSCSI interfaces for ESXi in UCS (Thanks, Ben!)
http://benking84.wordpress.com/2013/06/05/adding-iscsi-storage-to-ucs-and-vmware/
For those looking for a quick reference, template is at the bottom of this post.
What is iSCSI?
iSCSI (Internet Small Computer Systems Interface) is a SCSI transport mechanism over IP. You take the SCSI payload (reads/writes), encapsulate it in TCP and send it over IP. This is a completely separate stack from FC and does not rely on FC at all. You can, however, compare it to the way FCIP transports SCSI over IP. The differences can be seen in the packet:
FCIP is:
| SCSI | FC | FCIP | TCP | IP | Eth |
iSCSI is:
| SCSI | iSCSI | TCP | IP | Eth |
iSCSI works like any storage protocol: you have initiators and targets. When comparing to Fibre Channel, note these differences:
iSCSI uses IP where FC uses FCID
iSCSI uses IQN where FC uses WWN
What is an IQN?
An IQN is an iSCSI Qualified Name, seen in the form of iqn.[Some form of 16 characters or more]. Oftentimes you’ll see this as iqn.date.area.purpose.device-name, or whichever schema you choose. These IQNs can be statically created or dynamically assigned, as we’ll see later on. Examples can be found in the RFC for iSCSI IQN: http://www.ietf.org/rfc/rfc3721.txt
What is the purpose of iSCSI in regards to CCIE Data Center?
iSCSI can run directly from a server to a storage array, and most often is configured this way, with nothing needed from a network perspective except IP connectivity. MDS is the only Cisco IP storage platform, and really only comes into play if you need to translate iSCSI to Fibre Channel and vice versa. The MDS is an FC-to-iSCSI gateway. It is most often used in niche cases, migrations, or situations where the storage array does not support iSCSI and the server does not have an FC HBA. The MDS will take iSCSI initiators and FC targets and create reverse mappings for each. As a CCIE Data Center, you need to know how to do this.
How do we map iSCSI to FC?
1. iSCSI initiators need nWWN and pWWN assignments to present to FC. This can be done dynamically or statically.
2. FC targets need to have an IQN to present to the iSCSI Initiator. This can be done dynamically or statically with a Virtual Target.
3. Allow the communications. You need to zone in FC, and you can also apply additional ACL-like controls with iSCSI Virtual Targets.
Example Dynamic:
Example Static:
Follow these steps to configure basic iSCSI
1. Enable iSCSI
2. Configure Zoning / Access Control
3. Point server at MDS’s IP address
Topology
Configure infrastructure
vsan database
vsan 101
vsan 101 interface fc1/13
interface g1/2
ip add 10.150.150.5/24
no shut
Verify IP connectivity to initiator:
MDS1(config-if)# ping 10.150.150.10
PING 10.150.150.10 (10.150.150.10) 56(84) bytes of data.
64 bytes from 10.150.150.10: icmp_seq=2 ttl=64 time=0.505 ms
64 bytes from 10.150.150.10: icmp_seq=3 ttl=64 time=0.445 ms
--- 10.150.150.10 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2017ms
rtt min/avg/max/mdev = 0.445/0.475/0.505/0.030 ms
Enable iSCSI
Enable the iSCSI feature and configure the module it needs to run on:
feature iscsi
iscsi enable module 1
Notice that it automatically created one iSCSI virtual interface for each physical gigabit ethernet interface. These are one-to-one mappings. If you use sub-interfaces on your GigE’s (which is supported with iSCSI), note that only one iSCSI interface is created to represent all physical sub-interfaces.
MDS1(config)# show interface brief
-------------------------------------------------------------------------------
Interface Vsan Admin Admin Status SFP Oper Oper Port
Mode Trunk Mode Speed Channel
Mode (Gbps)
-------------------------------------------------------------------------------
fc1/1 1 E on trunking swl TE 2 --
fc1/2 1 E on down swl -- --
fc1/3 1 auto on sfpAbsent -- -- --
fc1/4 1 auto on sfpAbsent -- -- --
fc1/5 101 auto on down swl -- --
fc1/6 101 auto on down swl -- --
fc1/7 1 auto on down swl -- --
fc1/8 1 auto on down swl -- --
fc1/9 1 auto on down swl -- --
fc1/10 1 auto on down swl -- --
fc1/11 1 auto on down swl -- --
fc1/12 1 auto on down swl -- --
fc1/13 101 auto on up swl FL 2 --
fc1/14 101 auto on down swl -- --
-------------------------------------------------------------------------------
Interface Status Oper Mode Oper Speed
(Gbps)
-------------------------------------------------------------------------------
iscsi1/1 down --
iscsi1/2 down --
Configure iSCSI interface
Next, you have 2 modes you can configure your iSCSI interface in.
Default mode – All initiators will need to have dedicated FLOGI, FCID, and WWNs
Proxy Initiator mode – All initiators from this interface will share a single FLOGI, FCID, pWWN.
We will configure this in the default mode:
int iscsi 1/2
no shut
# Proxy-initiator example:
int iscsi 1/2
switchport proxy-initiator
VSAN Membership
You have 2 options for configuring the VSAN membership for iSCSI. You can either configure the iscsi interface under the vsan database, or you can configure the vsan membership under the iscsi initiator.
Here I’m configuring the iscsi interface in VSAN101 under the vsan database:
conf t
vsan database
vsan 101 interface iscsi 1/2
Check the current status. The Authentication line shows that the switch accepts either CHAP or no authentication (NONE), and dynamic iSCSI initiators are allowed.
MDS1(config)# show iscsi global
iSCSI/iSLB Global information (fabric-wide)
Authentication: CHAP, NONE
Initiator idle timeout: 300 seconds
Dynamic Initiator: iSCSI
iSLB Distribute: Disabled
iSLB CFS Session: Does not exist
Number of load balanced VRRP groups: 0
Number of load-balanced initiators: 0
iSCSI/iSLB Global information (local to this switch)
Import FC Target: Disabled
Initiator Plogi timeout: 2 seconds
Number of target node: 0
Number of portals: 2
Number of session: 0
Failed session: 0
Notice above that “Import FC Target” is set to disabled. There are two ways we can import FC targets into iSCSI targets: import all, or import statically on a per-pWWN basis. To import all:
MDS1(config)# iscsi import target fc
MDS1(config)#
MDS1(config)# show iscsi global
iSCSI/iSLB Global information (fabric-wide)
Authentication: CHAP, NONE
Initiator idle timeout: 300 seconds
Dynamic Initiator: iSCSI
iSLB Distribute: Disabled
iSLB CFS Session: Does not exist
Number of load balanced VRRP groups: 0
Number of load-balanced initiators: 0
iSCSI/iSLB Global information (local to this switch)
Import FC Target: Enabled
Initiator Plogi timeout: 2 seconds
Number of target node: 0
Number of portals: 2
Number of session: 0
Failed session: 1
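A quick way to review these global settings from a saved capture, as an added example that is not part of the original post. It parses the "show iscsi global" fields shown above and flags the three that widen access; the function names and finding codes are assumptions made for this example.

```python
import re

# Fields copied from the two "show iscsi global" captures on this page.
BEFORE_IMPORT = """\
iSCSI/iSLB Global information (fabric-wide)
Authentication: CHAP, NONE
Initiator idle timeout: 300 seconds
Dynamic Initiator: iSCSI
iSLB Distribute: Disabled
iSCSI/iSLB Global information (local to this switch)
Import FC Target: Disabled
Initiator Plogi timeout: 2 seconds
Number of portals: 2
"""
AFTER_IMPORT = BEFORE_IMPORT.replace("Import FC Target: Disabled",
                                     "Import FC Target: Enabled")

HEADER = re.compile(r"iSCSI/iSLB Global information \((.+)\)$")


def parse_iscsi_global(text):
    """Split the output into its two scopes, each a dict of field -> value."""
    scopes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = scopes.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            field, value = line.split(":", 1)
            current[field.strip()] = value.strip()
    return scopes


def audit_iscsi_global(text):
    """Return (code, explanation) pairs for settings that widen access."""
    scopes = parse_iscsi_global(text)
    fabric = scopes.get("fabric-wide", {})
    local = scopes.get("local to this switch", {})
    findings = []

    methods = {m.strip().upper()
               for m in fabric.get("Authentication", "").split(",")}
    if "NONE" in methods:
        findings.append(("auth-none-accepted",
                         "initiators can log in without CHAP"))
    # Only the value shown on this page is interpreted; others are ignored.
    if fabric.get("Dynamic Initiator") == "iSCSI":
        findings.append(("dynamic-initiators",
                         "unconfigured IQNs are auto-created as initiators"))
    if local.get("Import FC Target", "").lower() == "enabled":
        findings.append(("import-all-fc-targets",
                         "all FC targets are imported; zoning is the only filter"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE_IMPORT), ("after", AFTER_IMPORT)):
        print(label, [code for code, _ in audit_iscsi_global(text)])
```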
Dynamic iSCSI Initiator
Initiate an iSCSI discovery from the host. I’m using an ESXi host here in this example, and we’re trying to attach to remote storage.
We immediately get some output on our terminal; we can see the iSCSI initiator IQN, its IP address, and an attempt to create an iSCSI session.
MDS1(config)# 2014 Aug 31 02:12:11 MDS1 %IPS-SLOT1-5-ISCSI_CONN_UP: GigabitEthernet1/2: iSCSI session up from initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7 alias ip 10.150.150.10 to target Discovery
2014 Aug 31 02:12:11 MDS1 %IPS-SLOT1-5-ISCSI_SB_GET_TGT: iSCSI SB get 0 targets, initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7 alias ip 10.150.150.10
2014 Aug 31 02:12:11 MDS1 %IPS-SLOT1-5-ISCSI_CONN_DOWN: GigabitEthernet1/2: iSCSI session down from initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7 alias ip 10.150.150.10 to target Discovery, reason: client send iscsi logout
2014 Aug 31 02:12:11 MDS1 %IPS-SLOT1-5-ISCSI_CONN_UP: GigabitEthernet1/2: iSCSI session up from initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7 alias ip 10.150.150.10 to target Discovery
2014 Aug 31 02:12:11 MDS1 %IPS-SLOT1-5-ISCSI_SB_GET_TGT: iSCSI SB get 0 targets, initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7 alias ip 10.150.150.10
2014 Aug 31 02:12:11 MDS1 %IPS-SLOT1-5-ISCSI_CONN_DOWN: GigabitEthernet1/2: iSCSI session down from initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7 alias ip 10.150.150.10 to target Discovery, reason: client send iscsi logout
What happened? The initiator sent a discovery to the MDS IP. The MDS populated a dynamic iSCSI initiator entry and dynamically assigned it an nWWN and pWWN in the fabric, as well as an FCID.
MDS1(config)# show iscsi initiator
iSCSI Node name is iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7
Initiator ip addr (s): 10.150.150.10
iSCSI alias name:
Auto-created node (iSCSI)
Node WWN is 21:09:00:0d:ec:54:63:82 (dynamic)
Member of vsans: 101
Number of Virtual n_ports: 1
Virtual Port WWN is 21:0a:00:0d:ec:54:63:82 (dynamic)
Interface iSCSI 1/2, Portal group tag: 0x3001
VSAN ID 101, FCID 0x010104
We also now see that dynamically created WWN in our FLOGI database:
MDS1(config)# show flogi database
--------------------------------------------------------------------------------
INTERFACE VSAN FCID PORT NAME NODE NAME
--------------------------------------------------------------------------------
fc1/13 101 0x0100da 21:00:00:1d:38:1c:79:0a 20:00:00:1d:38:1c:79:0a
fc1/13 101 0x0100dc 21:00:00:1d:38:1c:6f:24 20:00:00:1d:38:1c:6f:24
fc1/13 101 0x0100e0 21:00:00:1d:38:1c:78:fa 20:00:00:1d:38:1c:78:fa
fc1/13 101 0x0100e1 21:00:00:1d:38:1c:78:d9 20:00:00:1d:38:1c:78:d9
fc1/13 101 0x0100e2 21:00:00:1d:38:0e:d9:5e 20:00:00:1d:38:0e:d9:5e
fc1/13 101 0x0100e4 21:00:00:1d:38:1c:76:af 20:00:00:1d:38:1c:76:af
fc1/13 101 0x0100e8 21:00:00:1d:38:1c:77:04 20:00:00:1d:38:1c:77:04
fc1/13 101 0x0100ef 21:00:00:1d:38:1c:76:db 20:00:00:1d:38:1c:76:db
iscsi1/2 101 0x010104 21:0a:00:0d:ec:54:63:82 21:09:00:0d:ec:54:63:82
Total number of flogi = 9.
However, our initiator does not see any targets. This is because we have not configured any access control or zoning yet.
Access Control
Two methods to configure Access Control.
1. Zoning
2. Virtual Target ACL
Zoning
This is FC zoning, and is configured the same way, except we can now choose things like symbolic-nodename (aka IQN) and ip-address as our zone members. You must include the real FC target pWWN in the zone, not the virtual-target pWWN!
We’ll grab disk 2 from our JBOD and zone it to the iSCSI initiator.
MDS1(config)# show flogi database
--------------------------------------------------------------------------------
INTERFACE VSAN FCID PORT NAME NODE NAME
--------------------------------------------------------------------------------
fc1/13 101 0x0100da 21:00:00:1d:38:1c:79:0a 20:00:00:1d:38:1c:79:0a
fc1/13 101 0x0100dc 21:00:00:1d:38:1c:6f:24 20:00:00:1d:38:1c:6f:24
fc1/13 101 0x0100e0 21:00:00:1d:38:1c:78:fa 20:00:00:1d:38:1c:78:fa
fc1/13 101 0x0100e1 21:00:00:1d:38:1c:78:d9 20:00:00:1d:38:1c:78:d9
fc1/13 101 0x0100e2 21:00:00:1d:38:0e:d9:5e 20:00:00:1d:38:0e:d9:5e
fc1/13 101 0x0100e4 21:00:00:1d:38:1c:76:af 20:00:00:1d:38:1c:76:af
fc1/13 101 0x0100e8 21:00:00:1d:38:1c:77:04 20:00:00:1d:38:1c:77:04
fc1/13 101 0x0100ef 21:00:00:1d:38:1c:76:db 20:00:00:1d:38:1c:76:db
Total number of flogi = 8.
MDS1(config)# zoneset name VSAN101 vsan 101
MDS1(config-zoneset)# zone name ESXi-JBOD1-D2
Enhanced zone session has been created. Please 'commit' the changes when done.
MDS1(config-zoneset-zone)# member ?
device-alias Add device-alias member to zone
domain-id Add member based on domain-id,port-number
fcalias Add fcalias to zone
fcid Add FCID member to zone
fwwn Add Fabric Port WWN member to zone
interface Add member based on interface
ip-address Add IP address member to zone
pwwn Add Port WWN member to zone
symbolic-nodename Add Symbolic Node Name to zone
MDS1(config-zoneset-zone)# ! Configure the Target pWWN !
MDS1(config-zoneset-zone)# member pwwn 21:00:00:1d:38:1c:6f:24
MDS1(config-zoneset-zone)# ! AND !
MDS1(config-zoneset-zone)# member symbolic-nodename iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7
MDS1(config-zoneset-zone)# ! OR !
MDS1(config-zoneset-zone)# member ip-address 10.150.150.10
MDS1(config-zoneset-zone)# ! OR !
MDS1(config-zoneset-zone)# member pwwn 21:0a:00:0d:ec:54:63:82
MDS1(config-zoneset-zone)# zoneset activate name VSAN101 vsan 101
MDS1(config)# zone commit vsan 101
Notice the three options above. If we were to choose the pWWN approach, remember that our pWWN is currently dynamically assigned. Because these are dynamically assigned WWNs, upon a switch reboot, these WWNs could change. If we plan to zone any of these, we’ll want to make sure they do not change. To do this, we can create a static iscsi initiator entry on the fly.
First, notice we have no initiators in our config
MDS1(config)# show run | sec iscsi
feature iscsi
iscsi enable module 1
vsan 101 interface iscsi1/2
iscsi import target fc
interface iscsi1/1
interface iscsi1/2
no shutdown
Create the static entry
MDS1(config)# iscsi save-initiator
Please execute "copy run start" to keep the WWNs persistent across switch reboots
Now check out our config. We have a static initiator created with static n/pWWN assignments:
MDS1(config)# sh run | sec iscsi
feature iscsi
iscsi enable module 1
vsan 101 interface iscsi1/2
iscsi import target fc
iscsi initiator name iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7
static nWWN 21:09:00:0d:ec:54:63:82
static pWWN 21:0a:00:0d:ec:54:63:82
interface iscsi1/1
interface iscsi1/2
no shutdown
Rescan for storage
2014 Aug 31 04:01:40 MDS1 %IPS-SLOT1-5-ISCSI_CONN_UP: %$VSAN 101%$ GigabitEthernet1/2: iSCSI session up from initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7 alias ip 10.150.150.10 to target iqn.1987-05.com.cisco:05.mds1.01-02.2100001d381c6f24
We should now have an iSCSI session built. Notice the auto-generated IQN for the disk:
MDS1(config)# show iscsi session
Initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7
Initiator ip addr (s): 10.150.150.10
Session #1
Target iqn.1987-05.com.cisco:05.mds1.01-02.2100001d381c6f24
VSAN 101, ISID 00023d000001, Status active, no reservation
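The ISCSI_CONN_UP / ISCSI_CONN_DOWN messages above are enough to track who is connected to what. The following is an added example, not part of the original post: it parses that syslog format, keeps the set of active sessions, and flags an initiator IQN that logs in from an address other than the one on record. The IQN-to-IP inventory and the last log line are constructed for the example.

```python
import re

IQN = "iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7"
AUTO_TGT = "iqn.1987-05.com.cisco:05.mds1.01-02.2100001d381c6f24"
HEAD = "MDS1 %IPS-SLOT1-5-ISCSI_"

# The first four lines follow the messages on this page; the last line is
# constructed for the example (same IQN, different source address).
SAMPLE_LOG = [
    f"MDS1(config)# 2014 Aug 31 02:12:11 {HEAD}CONN_UP: GigabitEthernet1/2: "
    f"iSCSI session up from initiator {IQN} alias ip 10.150.150.10 to target Discovery",
    f"2014 Aug 31 02:12:11 {HEAD}SB_GET_TGT: iSCSI SB get 0 targets, "
    f"initiator {IQN} alias ip 10.150.150.10",
    f"2014 Aug 31 02:12:11 {HEAD}CONN_DOWN: GigabitEthernet1/2: "
    f"iSCSI session down from initiator {IQN} alias ip 10.150.150.10 "
    "to target Discovery, reason: client send iscsi logout",
    f"2014 Aug 31 04:01:40 {HEAD}CONN_UP: %$VSAN 101%$ GigabitEthernet1/2: "
    f"iSCSI session up from initiator {IQN} alias ip 10.150.150.10 to target {AUTO_TGT}",
    f"2014 Aug 31 04:05:00 {HEAD}CONN_UP: %$VSAN 101%$ GigabitEthernet1/2: "
    f"iSCSI session up from initiator {IQN} alias ip 10.150.150.99 to target {AUTO_TGT}",
]

# Constructed inventory: which source address each known IQN should use.
EXPECTED_IP = {IQN: "10.150.150.10"}

EVENT = re.compile(
    r"(?P<ts>\d{4} \w{3} +\d+ [\d:]+) (?P<switch>\S+) "
    r"%IPS-SLOT\d+-\d-ISCSI_CONN_(?P<event>UP|DOWN): "
    r"(?:%\$VSAN (?P<vsan>\d+)%\$ )?(?P<port>\S+): "
    r"iSCSI session (?:up|down) from initiator (?P<iqn>\S+) "
    r"alias (?P<alias>.*?) ?ip (?P<ip>\S+) to target (?P<target>[^,\s]+)"
    r"(?:, reason: (?P<reason>.*))?$"
)


def review(lines, expected_ip):
    """Return (active sessions, alerts) for a sequence of syslog lines."""
    active, alerts = set(), []
    for line in lines:
        m = EVENT.search(line.strip())
        if not m:
            continue  # other messages, e.g. ISCSI_SB_GET_TGT
        session = (m["iqn"], m["ip"], m["target"])
        if m["event"] == "DOWN":
            active.discard(session)
            continue
        active.add(session)
        if m["iqn"] not in expected_ip:
            alerts.append(("unknown-initiator", m["ts"], m["iqn"], m["ip"]))
        elif expected_ip[m["iqn"]] != m["ip"]:
            alerts.append(("ip-mismatch", m["ts"], m["iqn"], m["ip"]))
    return active, alerts


if __name__ == "__main__":
    sessions, findings = review(SAMPLE_LOG, EXPECTED_IP)
    for item in sorted(sessions):
        print("active:", item)
    for item in findings:
        print("alert:", item)
```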
Re-cap so far
We have an iSCSI initiator talking to an FC target via our iSCSI/FC gateway. This is accomplished via zoning based on dynamic learning of iSCSI initiators, and dynamic import of all of our FC targets into iSCSI. Say we didn’t want to import all our FC disks into iSCSI (rightfully so!). In this case, we have no other option but to configure virtual targets.
Virtual Targets
We’ll perform some clean-up first. Remove default import of all FC targets
MDS1(config)# no iscsi import target fc
MDS1(config)# 2014 Aug 31 04:21:13 MDS1 %IPS-SLOT1-5-ISCSI_CONN_DOWN: %$VSAN 101%$ GigabitEthernet1/2: iSCSI session down from initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7 alias ip 10.150.150.10 to target iqn.1987-05.com.cisco:05.mds1.01-02.2100001d381c6f24, reason: iscsi import fc targe
Notice this immediately disconnected our initiator from its target. The host may continue to attempt a connection, so make sure you clear that on the initiator side under the static discovery:
Remove zoning
MDS1(config)# no zone name ESXi-JBOD1-D2 vsan 101
Enhanced zone session has been created. Please 'commit' the changes when done.
MDS1(config)# zoneset activate name VSAN101 vsan 101
MDS1(config)# zone commit vsan 101
Commit operation initiated. Check zone status
Create Virtual Target
MDS1(config)# iscsi virtual-target name iqn.2014-08.lab.mds1:jbod1-d3
MDS1(config-iscsi-tgt)# pwwn 21:00:00:1d:38:1c:78:fa
Which initiator can talk to this target? You have 2 options: configure the initiator IP address or the IQN.
MDS1(config-iscsi-tgt)# initiator ?
WORD Enter iSCSI initiator name (Max Size 223)
ip Allow iSCSI initiator access to this target by ip address
MDS1(config-iscsi-tgt)# initiator ip address 10.150.150.10 255.255.255.255 permit
MDS1(config-iscsi-tgt)# ! OR !
MDS1(config-iscsi-tgt)# initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7 permit
If we have multiple physical interfaces, where do we advertise this? (Optional)
MDS1(config-iscsi-tgt)# advertise interface g1/2
So far we’ve essentially configured an ACL; we still need to configure zoning! In this example, I’ll configure zoning to all disks on the JBOD from the IP of the initiator:
MDS1(config)# zoneset name VSAN101 vsan 101
MDS1(config-zoneset)# zone name ESXi-ALL
Enhanced zone session has been created. Please 'commit' the changes when done.
MDS1(config-zoneset-zone)# member ip-address 10.150.150.10
MDS1(config-zoneset-zone)# member interface fc1/13
MDS1(config-zoneset-zone)# zoneset activate name VSAN101 vsan 101
MDS1(config)# zone commit vsan 101
Commit operation initiated. Check zone status
MDS1(config)# show zoneset active vsan 101
zoneset name VSAN101 vsan 101
zone name ESXi-ALL vsan 101
* fcid 0x010104 [ip-address 10.150.150.10]
* fcid 0x0100ef [interface fc1/13 swwn 20:00:00:0d:ec:54:63:80]
* fcid 0x0100e8 [interface fc1/13 swwn 20:00:00:0d:ec:54:63:80]
* fcid 0x0100e4 [interface fc1/13 swwn 20:00:00:0d:ec:54:63:80]
* fcid 0x0100e2 [interface fc1/13 swwn 20:00:00:0d:ec:54:63:80]
* fcid 0x0100e1 [interface fc1/13 swwn 20:00:00:0d:ec:54:63:80]
* fcid 0x0100e0 [interface fc1/13 swwn 20:00:00:0d:ec:54:63:80]
* fcid 0x0100dc [interface fc1/13 swwn 20:00:00:0d:ec:54:63:80]
* fcid 0x0100da [interface fc1/13 swwn 20:00:00:0d:ec:54:63:80]
Let’s rescan from the host.
We have a new session!
2014 Aug 31 04:34:35 MDS1 %IPS-SLOT1-5-ISCSI_CONN_UP: %$VSAN 101%$ GigabitEthernet1/2: iSCSI session up from initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7 alias ip 10.150.150.10 to target iqn.2014-08.lab.mds1:jbod1-d3
MDS1(config)# show iscsi session
Initiator iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7
Initiator ip addr (s): 10.150.150.10
Session #1
Target iqn.2014-08.lab.mds1:jbod1-d3
VSAN 101, ISID 00023d000001, Status active, no reservation
Even though we are zoned to all disks, our virtual-target says that we can only talk to a single disk (jbod1-d3).
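The two layers walked through above (zoning, then the virtual-target initiator list) can be checked offline before a change. This is an added example, not part of the original post and not Cisco code: a simplified model in which an initiator reaches a target only if a zone contains both, and, for a virtual target, its permit list also matches. The data structures and function names are assumptions; the values come from the outputs on this page.

```python
import ipaddress

IQN = "iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7"
INITIATOR = {"iqn": IQN, "ip": "10.150.150.10",
             "pwwn": "21:0a:00:0d:ec:54:63:82"}
# Three of the JBOD disks from the page's FLOGI database: pWWN -> interface.
FLOGI = {
    "21:00:00:1d:38:1c:6f:24": "fc1/13",
    "21:00:00:1d:38:1c:78:fa": "fc1/13",
    "21:00:00:1d:38:1c:79:0a": "fc1/13",
}
# Prefix of the auto-generated target IQN seen in the page's session output.
AUTO_PREFIX = "iqn.1987-05.com.cisco:05.mds1.01-02."

ZONE_D2 = [("pwwn", "21:00:00:1d:38:1c:6f:24"), ("symbolic-nodename", IQN)]
ZONE_ALL = [("ip-address", "10.150.150.10"), ("interface", "fc1/13")]
VT_D3 = {"iqn": "iqn.2014-08.lab.mds1:jbod1-d3",
         "pwwn": "21:00:00:1d:38:1c:78:fa",
         "permit": [("ip", "10.150.150.10/255.255.255.255")]}


def zone_matches_initiator(zone, ini):
    wanted = {("symbolic-nodename", ini["iqn"]), ("ip-address", ini["ip"]),
              ("pwwn", ini["pwwn"])}
    return any(member in wanted for member in zone)


def zoned_targets(zones, ini):
    """FC target pWWNs that share at least one zone with the initiator."""
    pwwns = set()
    for zone in zones:
        if not zone_matches_initiator(zone, ini):
            continue
        for kind, value in zone:
            if kind == "pwwn" and value in FLOGI:
                pwwns.add(value)
            elif kind == "interface":
                pwwns.update(p for p, port in FLOGI.items() if port == value)
    return pwwns


def acl_permits(permit, ini):
    for kind, value in permit:
        if kind == "iqn" and value == ini["iqn"]:
            return True
        if kind == "ip" and (ipaddress.ip_address(ini["ip"])
                             in ipaddress.ip_network(value, strict=False)):
            return True
    return False


def visible_targets(ini, zones, virtual_targets=(), import_all=False):
    """Target IQN -> pWWN the initiator can reach under this simplified model."""
    zoned = zoned_targets(zones, ini)
    visible = {}
    for vt in virtual_targets:
        if vt["pwwn"] in zoned and acl_permits(vt["permit"], ini):
            visible[vt["iqn"]] = vt["pwwn"]
    if import_all:  # dynamic import: zoning is the only filter
        for pwwn in sorted(zoned - set(visible.values())):
            visible[AUTO_PREFIX + pwwn.replace(":", "")] = pwwn
    return visible
```

Calling visible_targets(INITIATOR, [ZONE_ALL], [VT_D3]) returns only jbod1-d3, matching the session output above, while the same virtual target with no zone returns nothing.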
Authentication
Authentication can be configured as well, but I’m not going to dive into that. From a high level, you can configure CHAP authentication using local credentials on the MDS, or remote via RADIUS. A quick example:
Configure a username, and specify “iscsi” at the end of the command:
username iscsiuser password abc123 iscsi
Configure authentication under the iscsi initiator:
iscsi initiator name iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7
username iscsiuser
Example Template
Enable iSCSI
feature iscsi
iscsi enable module 1
!
int g1/2
ip address 10.150.150.5 255.255.255.0
!
int iscsi 1/2
no shut
# If asked to reduce FLOGIs and FCIDs to a minimum
switchport proxy-initiator
Configure Initiator
iscsi initiator name iqn.this-is-the-initiator-iqn
# (Optional) Configure VSAN association
vsan 101
# (Optional) Configure static nWWN
static nWWN system-assign
# (Optional) Configure static pWWN
static pWWN system-assign [1-64]
# (Optional) Configure Authentication
username iscsiuser
Import all FC targets into iSCSI
iscsi import target fc
Or – Configure Virtual Target
iscsi virtual-target name iqn.this-is-the-target-iqn
# Configure the real pWWN of the Target
pwwn 11:11:11:11:11:11:11:11
# (Optional) Configure LUN Masking
pwwn 11:11:11:11:11:11:11:11 fc-lun 5 iscsi 0
Configure Access Control via “ACL”
iscsi virtual-target name iqn.this-is-the-target-iqn
# 2 options
initiator iqn.this-is-the-initiator-iqn permit
-or-
initiator ip address 10.150.150.10 255.255.255.255 permit
# (Optional) Configure specific interface to advertise
advertise interface g1/2
Configure Zoning
zoneset name VSAN101 vsan 101
zone name Initiator-Target
# Configure the Target pWWN !
member pwwn 21:00:00:1d:38:1c:6f:24
# Configure one of these 3 options (Initiator IQN, IP address, or pWWN)
member symbolic-nodename iqn.1998-01.com.vmware:53de1d20-106c-8c14-070d-0025b500010d-612838b7
member ip-address 10.150.150.10
member pwwn 21:0a:00:0d:ec:54:63:82
zoneset activate name VSAN101 vsan 101
zone commit vsan 101
In part 2 of this series I’ll be configuring iSLB, so stay tuned.
One of the best!!
Easy to understand language with all E_2_E details of a given topic! Wow… My hat is off! :))
I humbly request you to write more blogs please!!