Usually I use IP wildcard.

But I do not have a large configuration as yours.

In your case I think that a CLI procedure to build your Equallogic Volumes could be a good solution, so you can apply custom access rules.

Andre

"The problem: its a nightmare in management. What we have been doing is adding the iscsi iniator name of each esx host to each esx volume on the SAN. We have been doing this to ensure that no other iscsi host will ever see the esx san volumes (excluding our backup servers of course). Im sure you can all imagine how much work is involved in adding an additional host and mapping it to all available volumes. Likewise when adding a new volume to the SAN and having to map each host to that volume. Equallogic really needs a copy function where you can copy the access rights of one volume to another and make modifications as necessary. Its like 12 clicks per volume to add a host multiplied by 22 hosts. And we are growing constantly."

This is a huge PITA but I think you are on the right track based on your other comments (CHAP, wildcard, etc), just need some automation and you can choose between IP and initiator name. I hide all volumes from a given host (Windows/ESX) unless they specifically need access to those volumes.

• Adding a new volume and putting acls on these volumes. Maintain a list (or get one via PowerCli) of all the initiators. You can use ' show volume TEST-VOL1' to get an ugly output that includes the access lists (initiator or IP). Create a new volume and use the CLI to create the access lists. You can only have 16 IP or 16 initiator entries per volume so that is a limitation of how many hosts (8 hosts with dual-hba) can access a volume.

• As for adding a new host to existing volumes, you will need to maintain a list (or get one via PowerCli) of targets for a given group of hosts and then using the CLI add ACLs to those volumes.

• We have groups of ESX servers that mount similar volumes, the size of the group is limited to the number of ACLs we can have on a given volume.

Equallogic will have a more 'object oriented' approach to these volume operations in the near future (probably next few months).... I've said too much..

Ben

I hate to say it, but it sounds like you need to re-think your ESX & volume structure.

22 hosts and 41 volumes? There has to be a way to simplify that.

I know that Equallogic preaches "simple" VMFS (boot only, no data) with data volumes directly on the SAN (for Windows iSCSI mount or VMWare raw disk). They do this because many of the EQL features (snapshots, and to some extent replication) make little sense if the volume is abstracted a second time via VMFS.

IMHO, this leads to a lot of fragmentation on the SAN and a substantial volume management headache, not to mention lost space. Very large server volumes (eg, data warehouse, massive fileshare dump, etc) make sense as native SAN volumes but it usually seems simpler from a management perspective to keep fewer, large VMFS volumes with data/boot stored together.

With fewer, larger VMFS volumes and few-to-none native data SAN volumes you might be able to consolidate your hosts into clusters and limit access to a group of VMFS volumes per cluster.