[c-nsp] Securing a shared IP SAN

Ross Vandegrift ross at kallisti.us
Wed Jan 14 10:14:07 EST 2009


On Wed, Jan 14, 2009 at 08:58:58AM -0500, Robert Blayzor wrote:
> Of course I'm open to any other suggestions on securing this at L2,  
> keeping in mind two things.  The ISCSI target cannot talk VLANing and  
> cannot be multihomed.  (I guess it makes best use via MPIO in the  
> ISCSI protocol)  It would have been a lot easier if it just supported  
> 802.3ad and VLANing, but I don't have that option.  Also there may be  
> just one or more than one client behind each switch port, (ie: servers  
> from another switch may be connected to the 6509).

I realize that I'm not answering your question, but...

I'd strongly suggest you reconsider the bias against L3 separation.
It's vastly simpler and, so long as you are doing hardware forwarding
on the 6500, it has no performance impact.  I've got a few VLANs of
iSCSI installations that work like this and it's great.  Once the
server guys know they'll need a static route for the iSCSI storage,
you're done with that difficulty.

You may find that you need multiple VLANs anyhow, depending on the
storage system's requirements for iSCSI multipath and redundant
storage gateways.  You may not be using these features now, but you
will probably want them in the future.

Your performance issues are going to be from saturating links anyway.
Make sure you don't have traffic boomeranging up and down the same
link.  The easiest way to ensure this is either to cable the storage
system directly to the 6500, or cable it to a dedicated access-layer
switch that has a port-channel back to the 6500.

-- 
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
	--Woody Guthrie
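The layout Ross describes above, written out as an added Catalyst 6500 configuration example (this is not configuration from the original message or from either poster): a dedicated iSCSI VLAN with a hardware-forwarded SVI on the 6500, an ACL on that SVI so that only initiators on the server subnet can open sessions to the targets, a port-channel down to a dedicated access-layer switch so storage traffic never boomerangs over one link, and the static route the server side needs. Every VLAN number, subnet, address and interface name is an assumed placeholder; the target keeps its single untagged interface, exactly as the original poster requires.

```cisco
! Added example, not from the original thread. All VLANs, subnets and
! interface names are assumed placeholders chosen for illustration.
!
! ---- Catalyst 6500: the storage VLAN and its routed interface ----
vlan 310
 name iSCSI-STORAGE
!
! Only initiators on the assumed server subnet (10.20.0.0/24) may open
! iSCSI (TCP 3260) sessions toward the assumed storage subnet (10.31.0.0/24).
! Applied outbound on the storage SVI, i.e. on traffic heading to the targets.
ip access-list extended ISCSI-TO-TARGETS
 remark initiators on the server subnet -> iSCSI targets
 permit tcp 10.20.0.0 0.0.0.255 10.31.0.0 0.0.0.255 eq 3260
 remark allow reachability tests from the same initiators
 permit icmp 10.20.0.0 0.0.0.255 10.31.0.0 0.0.0.255 echo
 remark everything else is dropped and logged for review
 deny   ip any any log
!
! The SVI is the targets' default gateway. With the 6500 forwarding in
! hardware, routing between the server VLAN and this VLAN costs nothing.
interface Vlan310
 description iSCSI storage subnet (targets' default gateway)
 ip address 10.31.0.1 255.255.255.0
 ip access-group ISCSI-TO-TARGETS out
 no ip redirects
 no ip proxy-arp
!
! ---- Catalyst 6500: port-channel to a dedicated iSCSI access switch ----
! The storage system cannot tag VLANs, so the whole path stays untagged in
! VLAN 310: target -> access switch -> port-channel -> 6500. Bundling two
! links avoids the up-and-down-the-same-link saturation problem.
interface Port-channel31
 description to dedicated iSCSI access switch
 switchport
 switchport mode access
 switchport access vlan 310
!
interface range GigabitEthernet3/1 - 2
 description member links to iSCSI access switch
 switchport
 switchport mode access
 switchport access vlan 310
 channel-group 31 mode active
 no shutdown
!
! ---- Dedicated access switch: the port facing the iSCSI target ----
! Plain access port; no trunking or multihoming required of the target.
interface GigabitEthernet0/1
 description iSCSI target (untagged)
 switchport mode access
 switchport access vlan 310
 spanning-tree portfast
!
! ---- Server side (assumed Linux initiator; iproute2, not IOS) ----
! The storage subnet is reached through the 6500's server-VLAN gateway on
! the server's storage-facing NIC, not through its default route:
!   ip route add 10.31.0.0/24 via 10.20.0.1 dev eth1
```

On the 6500, `show interfaces Port-channel31` and `show mac address-table vlan 310` confirm that the targets are learned only behind the bundle, and `show ip access-lists ISCSI-TO-TARGETS` shows hit counts on the deny entry if anything outside the server subnet is probing the storage VLAN. If multipath or a second storage gateway is added later, the same pattern is repeated with a second VLAN and SVI rather than by putting a second address on the target.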

