
What is iSCSI and How iSCSI Works:

iSCSI stands for internet SCSI, or internet Small Computer Systems Interface. iSCSI is the transmission of SCSI commands and data over IP (Internet Protocol) networks.

How iSCSI Works:

When an end user or application sends a request, the operating system generates the appropriate SCSI commands and data request, which then go through encapsulation and, if necessary, encryption procedures. A packet header is added before the resulting IP packets are transmitted over an Ethernet connection. When a packet is received, it is decrypted (if it was encrypted before transmission), and disassembled, separating the SCSI commands and request. The SCSI commands are sent on to the SCSI controller, and from there to the SCSI storage device. Because iSCSI is bi-directional, the protocol can also be used to return data in response to the original request.

iSCSI is one of two main approaches to storage data transmission over IP networks; the other method, Fibre Channel over IP (FCIP), translates Fibre Channel control codes and data into IP packets for transmission between geographically distant Fibre Channel SANs. FCIP (also known as Fibre Channel tunneling or storage tunneling) can only be used in conjunction with Fibre Channel technology; in comparison, iSCSI can run over existing Ethernet networks. A number of vendors, including Cisco, IBM, and Nishan, have introduced iSCSI-based products (such as switches and routers).

How iSCSI authentication works


During the initial stage of an iSCSI session, the initiator sends a login request to the storage system to begin an iSCSI session. The storage system will then either permit or deny the login request, or determine that a login is not required.
iSCSI authentication methods are:

Challenge Handshake Authentication Protocol (CHAP): The initiator logs in using a CHAP user name and password. You can specify a CHAP password or generate a random password. There are two types of CHAP user names and passwords:

o Inbound: The storage system authenticates the initiator. Inbound settings are required if you are using CHAP authentication.

o Outbound: This is an optional setting to enable the initiator to authenticate the storage system. You can use outbound settings only if you defined an inbound user name and password on the storage system.

deny: The initiator is denied access to the storage system.

none: The storage system does not require authentication for the initiator.

You can define a list of initiators and their authentication methods. You can also define a default authentication method that applies to initiators that are not on this list. The default iSCSI authentication method is none, which means any initiator not in the authentication list can log in to the storage system without authentication. However, you can change the default method to deny or CHAP. If you use iSCSI with vFiler units, the CHAP authentication settings are configured separately for each vFiler unit. Each vFiler unit has its own default authentication mode and list of initiators and passwords.
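
The lookup order described above (per-initiator list first, then the default method) and the inbound CHAP check can be modelled as follows. This is an added example, not code from the original page or from the storage vendor; the `AUTH_LIST` entries, the CHAP name `appuser`, the secret and the `login` helper are constructed for illustration, and the response calculation is the standard MD5 CHAP from RFC 1994.

```python
import hashlib
import hmac

# Constructed sample data: initiator names, CHAP name and secret are placeholders.
LISTED = "iqn.1987-05.com.cisco:01.12a14c2dcab9"
BLOCKED = "iqn.2005-01.example:blocked-host"
AUTH_LIST = {
    LISTED: ("CHAP", "appuser", b"constructed-secret-1"),
    BLOCKED: ("deny", None, None),
}
DEFAULT_NONE = ("none", None, None)  # the default method described above
DEFAULT_DENY = ("deny", None, None)  # default changed to deny


def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): hash of identifier byte + secret + challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def login(initiator, default, chap_name=None, ident=0, challenge=b"", response=b""):
    """Inbound decision: would the storage system admit this initiator?

    `ident` and `challenge` are the values the storage system issued for this
    login; `response` is what the initiator sent back.
    """
    # Initiators missing from the list fall through to the default method.
    method, name, secret = AUTH_LIST.get(initiator, default)
    if method == "none":
        return True
    if method == "deny":
        return False
    if method == "CHAP":
        if secret is None or chap_name != name:
            return False
        expected = chap_response(ident, secret, challenge)
        # Constant-time comparison of the expected and received responses.
        return hmac.compare_digest(expected, response)
    raise ValueError("unknown authentication method: %r" % (method,))
```

With `DEFAULT_NONE`, an initiator that is absent from the list is admitted without any credentials, which is why changing the default to deny or CHAP matters on a shared network.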

A Quick and Dirty Guide to iSCSI Implementation
- Rajeev Karamchedu

Introduction
How does it work?
Implementation Environment
Target Setup on the Filer
Initiator Setup
Automounting iSCSI
How Fast Is It?
Implementing iSCSI Security
iSNS, Internet Storage Name Service
References

Introduction

iSCSI (Internet Small Computer System Interface) is an IP-based storage networking standard for connecting data storage entities, developed by the Internet Engineering Task Force (IETF). Essentially a protocol carrying SCSI commands over IP networks, iSCSI can be a cheap and effective alternative for storage administrators who are otherwise struggling to strike a balance between the high-cost and complex implementations of FC-SAN (Fibre Channel Storage Area Networks) and the performance limitations and overhead of NAS (Network Attached Storage).

For the sake of completeness, it should be noted that there are two other protocols similar to iSCSI in which IP networks are used to move data packets: iFCP and FCIP. Neither of those protocols is implemented on a server; they are instead used to connect remote SANs together. iFCP translates a Fibre Channel frame to IP and then translates it back after it reaches the destination. FCIP is a tunneling protocol that sends FC frames intact over IP.

How does it work?

iSCSI is a client-server based protocol, except that the client process requesting data is called an initiator and the server process serving the data is called a target. In an iSCSI implementation, the storage that is offered by the target appears as a local disk to the initiator. The client can perform block-based operations on that storage. Since this involves formatting the disk, partitioning, and creating a file system on the disk, no more than one initiator can have read/write access to a specific iSCSI device at a time. However, it is possible to mount an iSCSI device as read-only on multiple initiators.

When the initiator (client) receives a request for a piece of data on the server, it translates that request into pure SCSI commands and assembles them into an IP packet (additionally performing encapsulation and/or encryption). That packet can then be sent over IP networks to the target (server), without the distance limitations that traditional SCSI suffers from. On the target, the iSCSI protocol extracts the SCSI commands (performing decapsulation and/or decryption in the process) and sends the SCSI commands to the SCSI controller. The protocol is also bi-directional, so the data can be sent back as a reply to the request.

The downside of iSCSI is that all this processing can be a burden on the client's CPU. That can be solved by using iSCSI HBAs, which are much like Fibre Channel HBAs but for iSCSI. iSCSI HBAs are used to offload the processing overhead from the primary CPU(s) to the dedicated HBA. iSCSI HBAs are much cheaper than FC HBAs at the time of this writing. iSCSI HBAs are referred to as hardware initiators.

Software initiators are simply drivers loaded into the OS that enable iSCSI communications. Currently, the following software initiators are available for free: the iSCSI Microsoft Windows Initiator software, the iSCSI Linux Initiator software and the iSCSI NetWare Initiator software. Those who have accounts with Cisco can also download the Cisco iSCSI driver for Linux, HPUX, Windows and Solaris.

Implementation Environment

This document reflects the following environment-specific implementation details and command sets. Consult the Resources section for links to other implementations.

Target: Network Appliance Filer running Data ONTAP 6.5.x
Initiator: Intel P4 Desktop running Suse 9.2 (2.6.8-24.14-smp)

Fibre Channel implementations use WWPNs (World Wide Port Names) and WWNNs (World Wide Node Names) to identify devices. iSCSI uses iSCSI addresses. Once all the targets and initiators are assigned and configured with iSCSI addresses, these nodes need to know about each other, akin to DNS resolution. Once they are aware of each other, they can communicate and the initiator can access the storage from the target. Details of how this is accomplished are discussed later in this document.
iSCSI addresses come in two formats: iSCSI Qualified Name (iqn) or IEEE EUI-64 (eui) format. A (very) brief discussion of the two formats is below.

iqn Format: iqn.yyyy-mm.backward_naming_authority:unique_device_name

For example, on a Linux box, the iSCSI initiator address may look like this: iqn.1987-05.com.cisco:01.12a14c2dcab9

eui Format: eui.nnnnnnnnnnnnnnnn

The eui format is used when a manufacturer is already registered with the IEEE Registration Authority and uses EUI-64 formatted worldwide unique names for its products.

The iSCSI driver/initiator software found in today's Linux distributions is an open-source version of the one Cisco provides and uses the iqn format. The Network Appliance file servers also use an iqn format for target addressing.
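
Because initiator lists and authentication settings are keyed by these names, it helps to validate and normalise a name before storing or comparing it. The parser below is an added example, not code from the original article; the `parse_iscsi_name` helper is hypothetical, the 223-byte limit and lowercase normalisation come from the iSCSI specification (RFC 3720), and the character rules for the device-name part are simplified to "no whitespace".

```python
import re

# iqn.yyyy-mm.backward_naming_authority[:unique_device_name]
IQN_RE = re.compile(
    r"^iqn\.(\d{4})-(\d{2})\.([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\S+))?$"
)
# eui. followed by 16 hex digits (an EUI-64 identifier)
EUI_RE = re.compile(r"^eui\.([0-9a-f]{16})$")


def parse_iscsi_name(raw):
    """Validate an iqn/eui name and return its parts in normalised form."""
    name = raw.strip().lower()  # names are compared in lowercase form
    if len(name.encode("utf-8")) > 223:
        raise ValueError("iSCSI name longer than 223 bytes")
    m = EUI_RE.match(name)
    if m:
        return {"format": "eui", "name": name, "eui64": m.group(1)}
    m = IQN_RE.match(name)
    if not m:
        raise ValueError("not a valid iqn or eui name: %r" % (raw,))
    year, month = int(m.group(1)), int(m.group(2))
    if not 1 <= month <= 12:
        raise ValueError("invalid month in iqn date: %02d" % month)
    # The naming authority is written backwards (com.cisco -> cisco.com).
    authority = ".".join(reversed(m.group(3).split(".")))
    return {
        "format": "iqn",
        "name": name,
        "date": "%04d-%02d" % (year, month),
        "authority": authority,
        "unique": m.group(4),
    }
```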
