This section describes the two LUN fibre-channel access modes, access-any and access-restricted. It also gives an overview of access profiles and anonymous hosts.
The fibre channel architecture allows any fibre-channel initiator to access any fibre-channel device, without access restrictions. However, in some environments this kind of flexibility can represent a security exposure. Therefore, the IBM® System Storage™ DS6000™ allows you to restrict this type of access when IBM sets the access mode for your storage unit during initial configuration. There are two types of LUN access modes:
The access-any mode allows all fibre-channel-attached host systems that do not have an access profile to access all non-iSeries open system logical volumes that you have defined in the storage unit.
The access-restricted mode prevents all fibre-channel-attached host systems that do not have an access profile from accessing volumes that you defined in the storage unit. This is the default mode.
Your IBM service support representative (SSR) can change the logical unit number (LUN) access mode. Changing the access mode is a disruptive process that requires shutting down and restarting both clusters of the storage unit.
Any fibre-channel-attached host system that has an access profile can access only those volumes that are defined in the profile. Depending on the capability of the particular host system, an access profile can contain up to 256 or up to 4096 volumes.
The setup of an access profile is transparent to you when you use the IBM System Storage™ DS Storage Manager to configure the hosts and volumes in the storage unit. Configuration actions that affect the access profile are as follows:
When you run the storage unit in access-any mode, the IBM System Storage DS Storage Manager displays a dynamically created pseudo-host called anonymous. This is not a real host system connected to the storage server. It is intended to represent all fibre-channel-attached host systems that are connected to the storage unit that do not have an access profile defined. This is a reminder that logical volumes defined in the storage unit can be accessed by hosts which have not been identified to the storage unit.
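The access decision described in this section can be modelled as follows. This is an added example, not IBM code or a DS6000 interface: the class, the function names, the volume ids and the WWPNs are all constructed for illustration, and it assumes a profile may name any volume defined in the storage unit.

```python
from dataclasses import dataclass, field

ACCESS_ANY = "access-any"
ACCESS_RESTRICTED = "access-restricted"  # the default mode


@dataclass
class StorageUnit:
    """Toy model of the LUN access decision; not a DS6000 interface."""
    mode: str = ACCESS_RESTRICTED
    volumes: dict = field(default_factory=dict)   # volume id -> True if iSeries
    profiles: dict = field(default_factory=dict)  # host WWPN -> set of volume ids

    def add_profile(self, wwpn, vol_ids, host_limit=256):
        # A profile holds up to 256 or up to 4096 volumes, depending on the host.
        vol_ids = set(vol_ids)
        if host_limit not in (256, 4096):
            raise ValueError("host_limit must be 256 or 4096")
        if len(vol_ids) > host_limit:
            raise ValueError("profile exceeds the host's volume limit")
        if vol_ids - set(self.volumes):
            raise ValueError("profile names an undefined volume")
        self.profiles[wwpn] = vol_ids

    def visible_volumes(self, wwpn):
        if wwpn in self.profiles:
            # A profiled host sees only its profile, in either mode.
            return set(self.profiles[wwpn])
        if self.mode == ACCESS_ANY:
            # Unprofiled ("anonymous") hosts see every non-iSeries volume.
            return {v for v, iseries in self.volumes.items() if not iseries}
        return set()  # access-restricted: no profile, no access

    def anonymous_exposure(self, logged_in_wwpns):
        """Volumes reachable by each logged-in host that has no profile."""
        exposure = {}
        for wwpn in logged_in_wwpns:
            if wwpn not in self.profiles and self.visible_volumes(wwpn):
                exposure[wwpn] = self.visible_volumes(wwpn)
        return exposure


def build_sample(mode):
    # Constructed data: volume ids and WWPNs are made up for illustration.
    unit = StorageUnit(mode=mode,
                       volumes={"1000": False, "1001": False, "1100": True})
    unit.add_profile("10:00:00:00:c9:aa:aa:01", {"1000"})
    return unit


SAMPLE_LOGINS = ["10:00:00:00:c9:aa:aa:01", "10:00:00:00:c9:bb:bb:02"]
```

With the sample data in access-any mode, the host without a profile reaches more volumes than the host with one, which is the exposure the anonymous pseudo-host is meant to flag.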