Explanation

If access to specific StarWind VSAN targets needs to be restricted or allowed, access rights can be set for them. Access rights are configured in the StarWind Management Console, in the Access Rights tab.

Access rules for StarWind targets can be configured by specifying iSCSI initiators by IQN, IP address or DNS name, as well as by the IP addresses of the StarWind VSAN server interfaces.

Adding a new access rule:

Right-click in the Access Rights tab and select Add Rule from the dropdown list.

Access Rights tab

In the popup window, specify the settings described below.

New Access Rule

Rule Name: name for a rule;

Source: server(s) with an iSCSI initiator that should be allowed or denied access to the targets. It can be the server’s IP address, DNS name or the unique IQN of the server’s iSCSI initiator.

Destination: one or several StarWind targets that the source should or should not be able to access.

Interfaces: the StarWind server’s IP addresses, which can be used to discover the targets and connect to them. Interfaces can be added from the drop-down list.

Check the Set to Allow checkbox to allow access to the targets or uncheck it to restrict access.

NOTE: By design, StarWind VSAN creates DefaultAccessPolicy, which is set to Allow. If only specific initiators should be allowed and all others should be restricted, DefaultAccessPolicy should be set to Deny.

Example:

In the screenshot below, access from the specified initiators (Microsoft and ESXi) is allowed by initiator’s IP address. For all other initiators, access is restricted.

Rules Example

Description of rule #4 (Allow by initiator IP address – ESXi):

The ESXi server with IP address 172.16.10.1 is allowed to discover and connect to target CSV2 on the SW-SAN-01 server only via network interface 172.16.10.12 on the StarWind server.

Description of rule #5 (Allow by initiator IP address – MS):

The Microsoft server with IP address 172.16.10.20 is allowed to discover and connect to several targets (Witness, CSV1) on SW-SAN-01 via all interfaces available on the StarWind VSAN server.
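
The following is an added example, not StarWind code: a small Python model of rules #4 and #5 that lists which initiator/target/interface combinations end up permitted when DefaultAccessPolicy is Allow versus Deny. It assumes the first matching rule decides and the default policy applies when no rule matches; the second interface (172.16.20.12), the unlisted initiator (172.16.10.99) and the "*" wildcard are constructed for illustration.

```python
from dataclasses import dataclass

ALL = "*"  # constructed wildcard: "all targets" / "all interfaces"

@dataclass(frozen=True)
class Rule:
    name: str
    source: str              # initiator IP, DNS name or IQN (exact match in this model)
    destinations: frozenset  # target names, or {ALL}
    interfaces: frozenset    # StarWind server interface IPs, or {ALL}
    allow: bool

def is_allowed(rules, default_allow, initiator, target, interface):
    """Assumed semantics: first matching rule decides, else DefaultAccessPolicy."""
    for r in rules:
        if (r.source == initiator
                and (ALL in r.destinations or target in r.destinations)
                and (ALL in r.interfaces or interface in r.interfaces)):
            return r.allow
    return default_allow

def access_matrix(rules, default_allow, initiators, targets, interfaces):
    """Every (initiator, target, interface) combination that ends up permitted."""
    return {(i, t, n) for i in initiators for t in targets for n in interfaces
            if is_allowed(rules, default_allow, i, t, n)}

# Rules #4 and #5 as described on this page
RULES = [
    Rule("Allow by initiator IP address - ESXi", "172.16.10.1",
         frozenset({"CSV2"}), frozenset({"172.16.10.12"}), True),
    Rule("Allow by initiator IP address - MS", "172.16.10.20",
         frozenset({"Witness", "CSV1"}), frozenset({ALL}), True),
]
TARGETS = ["Witness", "CSV1", "CSV2"]
INTERFACES = ["172.16.10.12", "172.16.20.12"]                 # second one is constructed
INITIATORS = ["172.16.10.1", "172.16.10.20", "172.16.10.99"]  # .99 is a constructed unlisted host

def unintended(default_allow):
    """Grants that exist only because of the default policy, not an explicit rule."""
    return access_matrix(RULES, default_allow, INITIATORS, TARGETS, INTERFACES) \
        - access_matrix(RULES, False, INITIATORS, TARGETS, INTERFACES)

if __name__ == "__main__":
    for policy in (True, False):
        extra = unintended(policy)
        print(f"DefaultAccessPolicy={'Allow' if policy else 'Deny'}: "
              f"{len(extra)} grants not backed by a rule")
        for grant in sorted(extra):
            print("   ", grant)
```

In this model, leaving DefaultAccessPolicy at Allow makes the two allow rules redundant, since every combination they do not cover is permitted anyway.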

Request a Product Feature

To request a new product feature or to provide feedback about a StarWind product, please email our support at support@starwind.com and put “Request a Product Feature” as the subject.
