[c-nsp] Securing a shared IP SAN

Robert Blayzor rblayzor.bulk at inoc.net
Wed Jan 14 08:58:58 EST 2009


I have a project where I need to implement a shared IP SAN (iSCSI) network of about a dozen users with various clients.

Since everything is in one colo, I'd like to keep this simple by keeping it layer 2 as much as possible and not get into the mess of having the client have to use routes to get to our IP SAN targets.

Both the iSCSI SAN targets and all the initiators will be connected via our 6509's.

Initially the idea was to just put each user into their own VLAN and just trunk up to the iSCSI SAN targets and just multi-home the IP SAN box.  Since then, I've learned that the IP SAN boxes do not support VLAN tagging (long story).

It was suggested to me to then just set up everything as routed L3 in a VRF and just control access to everything via ACLs.  While I can do this, I don't want to get into the complexity of having the users have to set up routes to get to the SAN, etc.  I also have a concern about IP routing performance vs. L2 switching performance.

The other idea I had was to create one VLAN and one larger subnet, and designate IP blocks within that subnet to the clients.  I could easily throw ACLs on the ingress switchports to limit access via an extended IP ACL, but I had an issue with limiting invalid ARPs for IPs from the clients, i.e. clients doing ARP spoofing or poisoning if they get pwnd.

I know you can do ARP filtering at the VLAN level, but how can I accomplish limiting ARP for only certain ranges of IPs on a per-interface level, while still maintaining the ability to do the L3 ACL on the ingress?  I'm not overly concerned what MAC addresses are ARPing for IPs on the switchport, I can control that with port security, but I'm concerned with them sending ARPs for ranges of IPs they're not allowed to use.

Of course I'm open to any other suggestions on securing this at L2, keeping in mind two things.  The iSCSI target cannot talk VLANing and cannot be multihomed.  (I guess it makes best use via MPIO in the iSCSI protocol.)  It would have been a lot easier if it just supported 802.3ad and VLANing, but I don't have that option.  Also there may be just one or more than one client behind each switch port (i.e. servers from another switch may be connected to the 6509).


TIA

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/
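The per-port ARP policy the post is asking the switch to enforce (each client port may only source ARP for its own IP block inside the one shared SAN subnet, and never for the target's address), written out as detection logic over captured frames. This is an added example, not code from the post or from any Cisco feature; the port names, IP blocks, target address and sample frames are constructed.

```python
import ipaddress
import struct

# Hypothetical per-switchport policy (constructed, not from the post): the IP
# block each client port may source ARP for inside the one shared SAN subnet.
PORT_POLICY = {
    "Gi1/1": ipaddress.ip_network("10.10.0.0/28"),
    "Gi1/2": ipaddress.ip_network("10.10.0.16/28"),
}
SAN_TARGETS = {ipaddress.ip_address("10.10.0.250")}  # iSCSI target addresses

def build_arp(op, sha, spa, tha, tpa):
    """Construct an Ethernet II + ARP frame (sample input only)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    dst = b"\xff" * 6 if op == 1 else mac(tha)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += mac(sha) + ipaddress.ip_address(spa).packed
    body += mac(tha) + ipaddress.ip_address(tpa).packed
    return dst + mac(sha) + b"\x08\x06" + body

def parse_arp(frame):
    """Return the ARP fields of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": frame[22:28].hex(":"),
            "spa": ipaddress.ip_address(frame[28:32]),
            "tpa": ipaddress.ip_address(frame[38:42])}

def check_arp(port, frame):
    """Policy findings for one ARP frame seen on a client port; [] means permitted."""
    arp = parse_arp(frame)
    if arp is None:
        return []  # not ARP; IP traffic is left to the ingress L3 ACL
    allowed = PORT_POLICY.get(port)
    if allowed is None:
        return [f"{port}: no ARP policy for this port, sender {arp['spa']} denied"]
    findings = []
    if arp["spa"] not in allowed:
        findings.append(f"{port}: sender IP {arp['spa']} outside {allowed}")
    if arp["spa"] in SAN_TARGETS:
        findings.append(f"{port}: client claims SAN target {arp['spa']} (poisoning)")
    if arp["op"] == 2 and arp["spa"] == arp["tpa"]:
        findings.append(f"{port}: gratuitous reply for {arp['spa']}")
    return findings
```

The same three checks are what a per-VLAN ARP filter cannot give you on its own, because it has no notion of which port a permitted sender IP is allowed to appear on.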
