Configuring Software iSCSI Adapters in the VMware Host Client

Setting Up Network for iSCSI and iSER with ESXi

Certain types of iSCSI adapters depend on the VMkernel networking. These adapters include the software or dependent hardware iSCSI adapters, and the VMware iSCSI over RDMA (iSER) adapter. If your ESXi environment includes any of these adapters, you must configure connections for the traffic between the iSCSI or iSER component and the physical network adapters.

Configuring the network connection involves creating a virtual VMkernel adapter for each physical network adapter. You use 1:1 mapping between each virtual and physical network adapter. You then associate the VMkernel adapter with an appropriate iSCSI or iSER adapter. This process is called port binding.

The image depicts an iSCSI or iSER adapter (vmhba) connected to a VMkernel adapter (vmk). A switch connects vmk with a physical NIC (vmnic).

Follow these rules when configuring the port binding:

You can connect the software iSCSI adapter with any physical NICs available on your host.
The dependent iSCSI adapters must be connected only to their own physical NICs.
You must connect the iSER adapter only to the RDMA-capable network adapter.

For specific considerations on when and how to use network connections with software iSCSI, see the VMware knowledge base article at http://kb.vmware.com/kb/2038869.

Enable iSCSI for an ESXi Host in the VMware Host Client

Enable iSCSI for your host in your VMware Host Client environment to configure storage adapters parameters, such as CHAP authentication, network port bindings, static and dynamic targets, and various advanced settings.

Procedure

Click Storage in the VMware Host Client inventory, click Adapters, and click Configure iSCSI.
Select the Enabled radio button.
(Optional) Configure the parameters and components that you want to change.
Click Save configuration.

Best Practices for Configuring Networking with Software iSCSI

When you configure networking with software iSCSI, consider several best practices.

Software iSCSI Port Binding

You can bind the software iSCSI initiator on the ESXi host to a single or multiple VMkernel ports, so that iSCSI traffic flows only through the bound ports. Unbound ports are not used for iSCSI traffic.

When port binding is configured, the iSCSI initiator creates iSCSI sessions from all bound ports to all configured target portals.

See the following examples.

VMkernel Ports	Target Portals	iSCSI Sessions
2 bound VMkernel ports	2 target portals	4 sessions (2 x 2)
4 bound VMkernel ports	1 target portal	4 sessions (4 x 1)
2 bound VMkernel ports	4 target portals	8 sessions (2 x 4)

Note: Make sure that all target portals are reachable from all VMkernel ports when port binding is used. Otherwise, iSCSI sessions might fail to create. As a result, the rescan operation might take longer than expected.

No Port Binding

If you do not use port binding, the ESXi networking layer selects the best VMkernel port based on its routing table. The host uses the port to create an iSCSI session with the target portal. Without the port binding, only one session per each target portal is created.

See the following examples.

VMkernel Ports	Target Portals	iSCSI Sessions
2 unbound VMkernel ports	2 target portals	2 sessions
4 unbound VMkernel ports	1 target portal	1 session
2 unbound VMkernel ports	4 target portals	4 sessions

Software iSCSI Multipathing

Example 1. Multiple paths for an iSCSI target with a single network portal

If your target has only one network portal, you can create multiple paths to the target by adding multiple VMkernel ports on your ESXi host and binding them to the iSCSI initiator.

The image shows VMkernel ports vmk1, vmk2, vmk3, and vmk4 connected to a single target. All initiator ports and the target are in the same subnet.

In this example, all initiator ports and the target portal are configured in the same subnet. The target is reachable through all bound ports. You have four VMkernel ports and one target portal, so total of four paths are created.

Without the port binding, only one path is created.

Example 2. Multiple paths with VMkernel ports in different subnets

You can create multiple paths by configuring multiple ports and target portals on different IP subnets. By keeping initiator and target ports in different subnets, you can force ESXi to create paths through specific ports. In this configuration, you do not use port binding because port binding requires that all initiator and target ports are on the same subnet.

The image shows multiple VMkernel ports and target portals on different IP subnets.

ESXi selects vmk1 when connecting to Port 0 of Controller A and Controller B because all three ports are on the same subnet. Similarly, vmk2 is selected when connecting to Port 1 of Controller A and B. You can use NIC teaming in this configuration.

Total of four paths are created.

Paths	Description
Path 1	vmk1 and Port0 of Controller A
Path 2	vmk1 and Port0 of Controller B
Path 3	vmk2 and Port1 of Controller A
Path 4	vmk2 and Port1 of Controller B

Routing with Software iSCSI

You can use the esxcli command to add static routes for your iSCSI traffic. After you configure static routes, initiator and target ports in different subnets can communicate with each other.

Example 1. Using static routes with port binding

In this example, you keep all bound VMkernel ports in one subnet (N1) and configure all target portals in another subnet (N2). You can then add a static route for the target subnet (N2).

The image shows two bound VMkernel ports in subnet N1 and the target portals in subnet N2.

Use the following command:

# esxcli network ip route ipv4 add -gateway 192.168.1.253 -network 10.115.179.0/24

Example 2. Using static routes to create multiple paths

In this configuration, you use static routing when using different subnets. You cannot use the port binding with this configuration.

The image shows vmk1 and vmk2 in separate subnets. The target portals are also in separate subnets.

You configure vmk1 and vmk2 in separate subnets, 192.168.1.0 and 192.168.2.0. Your target portals are also in separate subnets, 10.115.155.0 and 10.155.179.0.

You can add the static route for 10.115.155.0 from vmk1. Make sure that the gateway is reachable from vmk1.

# esxcli network ip route ipv4 add -gateway 192.168.1.253 -network 10.115.155.0/24

You then add static route for 10.115.179.0 from vmk2. Make sure that the gateway is reachable from vmk2.

# esxcli network ip route ipv4 add -gateway 192.168.2.253 -network 10.115.179.0/24

When connecting with Port 0 of Controller A, vmk1 is used.

When connecting with Port 0 of Controller B, vmk2 is used.

Example 3. Routing with a separate gateway per vmkernel port

Starting with vSphere 6.5, you can configure a separate gateway per VMkernel port. If you use DHCP to obtain IP configuration for a VMkernel port, gateway information can also be obtained using DHCP.

To see gateway information per VMkernel port, use the following command:

# esxcli network ip interface ipv4 address list

Name  IPv4 Address    IPv4 Netmask   IPv4 Broadcast  Address Type  Gateway         DHCP DNS
----  --------------  -------------  --------------  ------------  --------------  --------
vmk0  10.115.155.122  255.255.252.0  10.115.155.255  DHCP          10.115.155.253      true
vmk1  10.115.179.209  255.255.252.0  10.115.179.255  DHCP          10.115.179.253      true
vmk2  10.115.179.146  255.255.252.0  10.115.179.255  DHCP          10.115.179.253      true

With separate gateways per VMkernel port, you use port binding to reach targets in different subnets.

Add Port Binding in the VMware Host Client

Use the VMware Host Client to bind an iSCSI adapter with a VMkernel adapter on your host.

Prerequisites

Create a virtual VMkernel adapter for each physical network adapter on your host. If you use multiple VMkernel adapters, set up the correct network policy.
Required privilege:Host.Configuration.Storage Partition Configuration

Procedure

Click Storage in the VMware Host Client inventory, click Adapters, and click Configure iSCSI.
In the Network port bindings section, click Add port binding.
Select a VMkernel adapter to bind with the iSCSI adapter.

Note: Make sure that the network policy for the VMkernel adapter is compliant with the binding requirements.

You can bind the software iSCSI adapter to one or more VMkernel adapters. For a dependent hardware iSCSI adapter, only one VMkernel adapter associated with the correct physical NIC is available.
Click Select.
Click Save configuration.

Remove Port Binding in the VMware Host Client

Edit the iSCSI configuration on your host to remove a port binding.

Procedure

Click Storage in the VMware Host Client inventory, click Adapters, and click Configure iSCSI.
In the Network port bindings section, select a VMkernel NIC from the list.
Click Remove port binding.
Click Save configuration.

Set up a Dynamic Target in the VMware Host Client

You must set up target discovery addresses, so that the iSCSI adapter can determine which storage resource on the network is available for access. The ESXi host supports dynamic and static discovery methods. With Dynamic Discovery, each time the initiator contacts a particular iSCSI storage system, the initiator sends the SendTargets request to the iSCSI system. The iSCSI system responds by supplying a list of available targets to the initiator.

Also known as SendTargets discovery. Each time the initiator contacts a specified iSCSI server, the initiator sends the SendTargets request to the server. The server responds by supplying a list of available targets to the initiator. The names and IP addresses of these targets appear on the Static Discovery tab. If you remove a static target added by dynamic discovery, the target might be returned to the list the next time a rescan happens, the iSCSI adapter is reset, or the host is rebooted.

Note: With software and dependent hardware iSCSI, ESXi filters target addresses based on the IP family of the iSCSI server address specified. If the address is IPv4, IPv6 addresses that might come in the SendTargets response from the iSCSI server are filtered out. When DNS names are used to specify an iSCSI server, or when the SendTargets response from the iSCSI server has DNS names, ESXi relies on the IP family of the first resolved entry from DNS lookup.

When you set up Dynamic Discovery, you can only add a new iSCSI system. You cannot change the IP address, DNS name, or port number of an existing iSCSI system. To modify the parameters, delete the existing system and add a new one.

Prerequisites

Required privilege: Host.Configuration.Storage Partition Configuration

Procedure

Click Storage in the VMware Host Client inventory, click Adapters, and click Configure iSCSI.
Click Add dynamic target.
The new dynamic target appears in the list.
To add an address for the new dynamic target, click the target in the list and enter the address .
(Optional) To change the port number of the new dynamic target, click the target Port text box and enter the new port number.
(Optional) To edit the dynamic target settings, select the new target from the list of available targets, click Edit settings, configure the parameters that you want to change, and click Save.
(Optional) To delete a specific target, select the target and click Remove dynamic target.
The target no longer appears in the list of existing dynamic targets.
Click Save configuration.

Set Up a Static Target in the VMware Host Client

With iSCSI initiators, you can use static discovery to manually enter information for the targets.

When you set up Static Discovery, you can only add new iSCSI targets. You cannot change the IP address, DNS name, iSCSI target name, or port number of an existing target. To make changes, remove the existing target and add a new one.

In addition to the dynamic discovery method, you can use static discovery and manually enter information for the targets. The iSCSI adapter uses a list of targets that you provide to contact and communicate with the iSCSI servers.

Prerequisites

Required privileges: Host.Configuration.Storage Partition Configuration

Procedure

Click Storage in the VMware Host Client inventory, click Adapters, and click Configure iSCSI.
Click Add static target.
The new static target appears in the list.
To add a name for the new static target, click the target in the list and enter the name.
To add an address for the new static target, click the target in the list and type the address.
(Optional) To change the port number of the new static target, click the target Port text box and type the new port number.
(Optional) To edit the static target settings, select the new target from the list of available targets, click Edit settings, configure the parameters that you want to change, and click Save.
(Optional) To delete a specific target, select the target and click Remove static target.
The target no longer appears in the list of existing static targets.
Click Save configuration.

Edit Advanced Settings for iSCSI in the VMware Host Client

The advanced iSCSI settings control such parameters as header and data digest, ARP redirection, delayed ACK, and so on. Generally, you do not need to change these settings because your host works with the assigned predefined values.

Caution: Do not change the advanced iSCSI settings unless you are working with the VMware support team or otherwise have thorough information about the values to provide for the settings modification.

Prerequisites

Required privilege: Host.Configuration.Storage Partition Configuration

Procedure

Click Storage in the VMware Host Client inventory, click Adapters, and click Configure iSCSI.
Click Advanced settings to display the entire list of settings.
Edit the parameters that you want to change and click Save configuration.

Set Up CHAP Authentication for an iSCSI Adapter in the VMware Host Client

You can set up all targets to receive the same CHAP name and secret from the iSCSI initiator at the initiator level. By default, all discovery addresses or static targets inherit the CHAP parameters that you set up at the initiator level.

The CHAP name must be fewer than 511 alphanumeric characters and the CHAP secret must be fewer than 255 alphanumeric characters. Some adapters, for example the QLogic adapter, might have lower limits, 255 for the CHAP name and 100 for the CHAP secret.

Prerequisites

Before you set up CHAP parameters for software or dependent hardware iSCSI, determine whether to configure one-way, also known as normal, or mutual CHAP. Independent hardware iSCSI adapters do not support mutual CHAP.
- In one-way CHAP, the target authenticates the initiator.
- In mutual CHAP, both the target and the initiator authenticate each other. Use different secrets for CHAP and mutual CHAP.
When you configure CHAP parameters, verify that they match the parameters on the storage side.
Required privileges: Host.Configuration.Storage Partition Configuration

Procedure

Click Storage in the VMware Host Client inventory, click Adapters, and click Configure iSCSI.
To configure one-way CHAP, expand CHAP authentication to display all parameters.
1. Select the CHAP security level.
2. Enter the CHAP name.
  
  Make sure that the name you enter matches the name configured on the storage side.
3. Enter a one-way CHAP secret to use for authentication. Use the same secret that you enter on the storage side.
To configure mutual CHAP, select Use CHAP as an option for one-way CHAP. Expand Mutual CHAP authentication to display all parameters.
1. Select Use CHAP.
2. Enter the mutual CHAP name.
3. Enter the mutual CHAP secret.
  Use different secrets for the one-way CHAP and the mutual CHAP.
Click Save configuration.

Results

If you change the authentication settings for an iSCSI adapter, you only use the updated credentials for new iSCSI sessions. Existing sessions persist until either the connection is lost due to some outside factor, such as force re-authentication, or you remove and add the adapter iSCSI targets.