Charles Holland
Trusted Contributor

Isolate a lun to one machine

Landscape is as follows
1 Va7110 with luns 0 - 5
6 HPUX servers

Lun 0 all servers see it
Lun 1&2 server H sees (mirror of vg00 & vg01)
Lun 3 server TW sees it
Lun 4 server H sees it.
Lun 5 I am trying to isolate to server TH

Except for Lun 0 and 5 (just created and configured in secure manager in the VA to go to TH). Problem is that all servers can see it when you do an ioscan -fnCdisk.

It has been suggested that I do port isolation on the switches somehow to say Lun 5 is ONLY viewable by server TH and none others.

Do I need to use any of the arm commands also? It has only been 5 years since we last touched this and all memory is long gone.

Thanks in advance.
Chuck
"Not everything that can be counted counts, and not everything that counts can be counted" A. Einstein
Torsten.
Acclaimed Contributor

Re: Isolate a lun to one machine

You need to configure the secure manager access table - most easily from the GUI of commandview sdm AFAIR.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
Torsten.
Acclaimed Contributor

Re: Isolate a lun to one machine

Examples from the manual:

Read the current contents of the security table into file secure.txt on host with
alias green. The password is the default value, AUTORAID.

armsecure -r -f secure.txt -p AUTORAID green


Write the security table stored in file secure.txt to array alias green. The
password is s33k3r. Clear the existing table before writing the new one, and
re-enable Secure Manager.

armsecure -w -c -f secure.txt -p s33k3r green

armsecure -e -p s33k3r green

Hope this helps!
Regards
Torsten.

Torsten.
Acclaimed Contributor

Re: Isolate a lun to one machine

Sorry, bad format. Again:

Write the security table stored in file secure.txt to array alias green. The
password is s33k3r. Clear the existing table before writing the new one, and
re-enable Secure Manager.

armsecure -w -c -f secure.txt -p s33k3r green

armsecure -e -p s33k3r green

Hope this helps!
Regards
Torsten.

Charles Holland
Trusted Contributor

Re: Isolate a lun to one machine

Torsten,

From the commands you suggest it appears that you are going to unload the access table, wipe it out and then load it back. What kind of change can that cause?

From the command:
armsecure -r -f /tmp/stuff -p passw0rd va7110
I get
# more /tmp/stuff
DEFAULT 0 WC
NODEWWN 50060b0000236bc7 1 W
NODEWWN 50060b0000236bc7 2 W
NODEWWN 50060b0000236bc7 4 W
NODEWWN 50060b0000236c6b 3 W
NODEWWN 50060b000023b999 1 W
NODEWWN 50060b000023b999 2 W
NODEWWN 50060b000023b999 4 W
NODEWWN 50060b000023b9a5 5 W
NODEWWN 50060b000023b9e5 5 W
NODEWWN 50060b0000242599 3 W
DEFAULT 1 0
DEFAULT 2 0
DEFAULT 3 0
DEFAULT 4 0
DEFAULT 5 W

which pretty well matches what is in the attached screenshot from the VA itself.
Item 5 to each of the two SAN switches is how I have it. That part I feel I have right.

How do I set things up after that so that ONLY server TH can see the lun?
Torsten.
Acclaimed Contributor
Solution

Re: Isolate a lun to one machine

If you download the file, modify it and load it back, it would extend the existing entries if you don't clear the table first.


Can you see what is wrong?

DEFAULT 1 0
DEFAULT 2 0
DEFAULT 3 0
DEFAULT 4 0
DEFAULT 5 W

The default for LUN 5 is write access for all servers:

...Permissions

0 - No access. Denies all access to the LUN. By default each LUN (except
LUN 0) is assigned this permission when it is created. LUN 0 is assigned "CW"
permission. If a host is denied access to a LUN, the host operating system will
not "see" the LUN. This value is represented as "None" in the GUI Secure
Manager table.
On versions of firmware prior to HP14, the default LUN table entries grant Write
access to all hosts.

W - Write access. Grants a host full access to all data on the LUN. With write
permission, a host can write data to the LUN, and read all data on the LUN. A table
entry granting a host write permission to a LUN overrides the No Access security
imposed by default on all other hosts.

Hope this helps!
Regards
Torsten.

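The check described in the answer above, as an added Python example that is not part of the original thread or HP's software: it parses the table dumped by armsecure -r, reports LUNs whose DEFAULT entry admits every host, and rewrites that entry to no access. The entry layout is inferred from the dump posted in the thread, treating LUN 0 as intentionally shared is an assumption taken from the first post, and the function names are made up for this example.

```python
# Added example, not HP code. Entry formats are inferred from the dump in this thread:
#   DEFAULT <lun> <perm> (hosts with no entry of their own), NODEWWN <wwn> <lun> <perm>
# "0" is no access; any other permission is treated here as granting access.
# The table as posted in the thread, before the fix.
POSTED_TABLE = """\
DEFAULT 0 WC
NODEWWN 50060b0000236bc7 1 W
NODEWWN 50060b0000236bc7 2 W
NODEWWN 50060b0000236bc7 4 W
NODEWWN 50060b0000236c6b 3 W
NODEWWN 50060b000023b999 1 W
NODEWWN 50060b000023b999 2 W
NODEWWN 50060b000023b999 4 W
NODEWWN 50060b000023b9a5 5 W
NODEWWN 50060b000023b9e5 5 W
NODEWWN 50060b0000242599 3 W
DEFAULT 1 0
DEFAULT 2 0
DEFAULT 3 0
DEFAULT 4 0
DEFAULT 5 W
"""

def parse_table(text):
    """Return ({lun: default perm}, {lun: set of WWNs granted access})."""
    defaults, grants = {}, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) == 3 and fields[0] == "DEFAULT":
            defaults[int(fields[1])] = fields[2]
        elif len(fields) == 4 and fields[0] == "NODEWWN":
            if fields[3] != "0":
                grants.setdefault(int(fields[2]), set()).add(fields[1].lower())
        elif fields:  # anything else that is not a blank line
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
    return defaults, grants

def open_to_all(text, shared_luns=(0,)):
    """LUNs whose DEFAULT entry admits every host, minus those meant to be shared."""
    defaults, _ = parse_table(text)
    return sorted(n for n, p in defaults.items() if p != "0" and n not in shared_luns)

def close_default(text, lun):
    """Return the table text with the DEFAULT entry for `lun` set to no access."""
    target = ["DEFAULT", str(lun)]
    return "".join(f"DEFAULT {lun} 0\n" if ln.split()[:2] == target else ln
                   for ln in text.splitlines(keepends=True))

if __name__ == "__main__":
    print("open to all hosts:", open_to_all(POSTED_TABLE))
```

The corrected text can be saved to a file and written back with the armsecure -w -c command quoted earlier in the thread.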
Charles Holland
Trusted Contributor

Re: Isolate a lun to one machine

I see my mistake (I remember changing this to write) and have corrected it. But still on server H, which shouldn't see LUN 5, I have the following output from an IO scan:

disk 20 1/0/2/0/0.2.0.0.0.0.5 sdisk NO_HW DEVICE HP A6189B

From server M I have the following:
disk 26 0/2/0/0.1.0.0.0.0.5 sdisk NO_HW DEVICE HP A6189B
/dev/dsk/c6t0d5 /dev/rdsk/c6t0d5

Again I am trying to get only one server to see this Lun.
Torsten.
Acclaimed Contributor

Re: Isolate a lun to one machine

Looks good now:

NO_HW indicates the server cannot access it any longer. This will disappear after a reboot (or use rmsf).

Hope this helps!
Regards
Torsten.

Charles Holland
Trusted Contributor

Re: Isolate a lun to one machine

Torsten, thanks for the help, won't make that mistake on the next LUN creation.
Chuck