
Mask EVA LUN 0 (CCL) at Cisco fabric level

 
scott haddow_1
Occasional Advisor

Mask EVA LUN 0 (CCL) at Cisco fabric level

A large deal has stalled because the customer is concerned that an internet-facing server could be hacked and an illegal copy of Command View installed and used to destroy corporate data.
All other avenues have been tried and discarded, and the remaining possibility is to use the advanced security features on Cisco fabrics allowing for LUNs to be presented only to specific HBAs - so the idea is to mask LUN 0 from all but the HBAs in the CV server.
The environment is all Windows.
It's clear that NT 4 needed to see LUN 0 to then be able to discover data LUNs on the target - but does anyone know if Windows 2000 and 2003 are the same? I am reasonably sure that W2003 is SCSI-3 compliant, which knows LUN 0 is assigned to the controller for management only - but in general, if LUN 0 is masked - can W2000 and 2003 go on to discover and use data LUNs on the EVA?
Uwe Zessin
Honored Contributor
Solution

Re: Mask EVA LUN 0 (CCL) at Cisco fabric level

It's been some time since I read that Windows 2000/2003 can detect LUN 1..7 without LUN 0 (perhaps by using an old-style SCSI 2 poll), but LUN 0 is required for detecting LUNs beyond 7. I have never tried this out, though.

Would password-protecting the HSV controllers be a valid workaround?
You can assign an 8-character password through the HSV's OCP and on Command View EVA.
scott haddow_1
Occasional Advisor

Re: Mask EVA LUN 0 (CCL) at Cisco fabric level

Thanks Uwe - been through all that and finally got to the point that the customer is imagining all protection swept aside and is concerned that there is no method to prevent a cracker being run against the OCP password - and for info, as of CV 6 we support a 16-character password - but not enough for this customer.
Uwe Zessin
Honored Contributor

Re: Mask EVA LUN 0 (CCL) at Cisco fabric level

Ah, interesting. I wonder how the customer manages his other passwords ;-)

Can you ask the guys in CXO to implement a manager access similar to what appeared on the HSG? Access to the controllers is granted through the WWPN.

Of course, you need an emergency fallback through the OCP or the serial maintenance port in case you lock out your last CV-EVA server!
scott haddow_1
Occasional Advisor

Re: Mask EVA LUN 0 (CCL) at Cisco fabric level

Can I just check - when you say LUNs 1 to 7, that's at the EVA level? So out of the 1023 LUNs available for data on the EVA (minus LUN 0), anything numbered above 7 will not be discovered?
There will be a total of 54 internet-facing servers through the lifetime of the solution, so although asking could be a short-term fix for phase 1, it looks clear (assuming I've read this right) that the customer is going to look to 3rd-party storage now as an XP is out of budget. :(
Stephen Kebbell
Honored Contributor

Re: Mask EVA LUN 0 (CCL) at Cisco fabric level

Hi Scott,

I would guess it means the Host level LUN, which is assigned when you present the Vdisk. For each host, it starts the LUN numbering at 1, and then counts up (unless you manually select one). So, if what Uwe is saying is correct (and it usually is!), each host could have up to 7 Vdisks presented.

Regards,
Stephen
Uwe Zessin
Honored Contributor

Re: Mask EVA LUN 0 (CCL) at Cisco fabric level

Yes, I meant host level. Remember that EVA's virtual disks are not implicitly associated with a LUN address like on the HSG.

You can map 7 virtual disks to one host's LUN addresses 1..7 and then you can map 7 *other* virtual disks to a second host's LUN addresses 1..7.