[c-nsp] Securing a shared IP SAN
Robert Blayzor
rblayzor.bulk at inoc.net
Wed Jan 14 08:58:58 EST 2009
I have a project where I need to implement a shared IP SAN (iSCSI)
network of about a dozen users with various clients.
Since everything is in one colo, I'd like to keep this simple by
keeping it layer 2 as much as possible and not get into the mess of
having the client have to use routes to get to our IP SAN targets.
Both the iSCSI SAN targets and all the initiators will be connected
via our 6509's.
Initially the idea was to just put each user into their own VLAN,
trunk up to the iSCSI SAN targets and multi-home the IP SAN
box. Since then, I've learned that the IP SAN boxes do not support
VLAN tagging. (long story)
It was suggested to me to then just set up everything as routed L3 in a
VRF and control access to everything via ACLs. While I can do
this, I don't want to get into the complexity of having the users have
to set up routes to get to the SAN, etc. I also have a concern about IP
routing performance vs. L2 switching performance.
The other idea I had was to create one VLAN and one larger subnet and
designate IP blocks within that subnet to the clients. I could easily
throw ACLs on the ingress switchports to limit access via an extended
IP ACL, but I had an issue with limiting invalid ARPs for IPs from the
clients, i.e. clients doing ARP spoofing or poisoning if they get pwnd.
I know you can do ARP filtering at the VLAN level, but how can I
accomplish limiting ARP to only certain ranges of IPs on a per-
interface level, while still maintaining the ability to do the L3 ACL
on the ingress? I'm not overly concerned what MAC addresses are
ARPing for IPs on the switchport, I can control that with port
security, but I'm concerned with them sending ARPs for ranges of IPs
they're not allowed to use.
Of course I'm open to any other suggestions on securing this at L2,
keeping in mind two things. The iSCSI target cannot talk VLANing and
cannot be multihomed. (I guess it makes best use via MPIO in the
iSCSI protocol.) It would have been a lot easier if it just supported
802.3ad and VLANing, but I don't have that option. Also there may be
just one or more than one client behind each switch port (i.e. servers
from another switch may be connected to the 6509).
TIA
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/
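One way to get a per-port answer to the ARP question in the post above, added here as an editor's illustration and not part of Robert's message or any reply to it: Cisco IOS Dynamic ARP Inspection (DAI) drops ARP whose sender IP/MAC pair is not in the DHCP snooping binding table, and that table can be populated by hand with `ip source binding` entries tied to a specific interface; IP Source Guard then drops IP traffic whose source address is not bound to the port it arrives on. With one static binding per host per port, a host that is pwnd and starts ARPing for, or sourcing traffic from, an address outside its assigned block is dropped at the switchport, while the ingress extended IP ACL still does the L3 filtering. The VLAN number, addresses, MACs and interface names below are assumptions; the IP Source Guard interface keyword differs between Catalyst platforms (`ip verify source vlan dhcp-snooping` on 6500-series IOS versus `ip verify source` on the smaller switches), so check it, and whether DAI's binding check on your release also compares the ingress interface, against your own documentation.

```cisco
! Assumed layout: iSCSI VLAN 100, shared subnet 10.10.0.0/24,
! iSCSI target at 10.10.0.1 on Te3/1,
! client A on Gi1/1 owning 10.10.0.16-10.10.0.19 (two hosts behind the port).

! DHCP snooping must be on for the binding table to exist; there is no
! DHCP in the SAN VLAN, so the table holds only the static entries below.
ip dhcp snooping
ip dhcp snooping vlan 100

! One static binding per (MAC, IP, port). Repeat for every address a
! client is allowed to use. MACs are made up for this example.
ip source binding 0011.2233.4455 vlan 100 10.10.0.16 interface GigabitEthernet1/1
ip source binding 0011.2233.4466 vlan 100 10.10.0.17 interface GigabitEthernet1/1

! DAI is enabled per VLAN, but it validates each ARP against the
! bindings above, so ARPs for addresses outside a host's block are dropped.
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip

! L3 port ACL: client A may only reach the target, only from its own /30.
ip access-list extended CLIENT-A-IN
 permit tcp 10.10.0.16 0.0.0.3 host 10.10.0.1 eq 3260
 permit icmp 10.10.0.16 0.0.0.3 host 10.10.0.1
 deny   ip any any log

interface GigabitEthernet1/1
 description client A initiators
 switchport
 switchport mode access
 switchport access vlan 100
 ip access-group CLIENT-A-IN in
 ! Port is DAI-untrusted by default; rate-limit ARP so a flood errdisables
 ! the port instead of the VLAN's CPU.
 ip arp inspection limit rate 30
 ! IP Source Guard: drop IP packets whose source is not bound to this port.
 ! Keyword is platform-specific (see lead-in).
 ip verify source vlan dhcp-snooping
 ! Cap MACs per port to the number of bound hosts behind it.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict

interface TenGigabitEthernet3/1
 description iSCSI target (no VLAN tagging, single homed)
 switchport
 switchport mode access
 switchport access vlan 100
 ! Target-side port: its ARP replies are not inspected.
 ip arp inspection trust
```

Verification after applying: `show ip source binding` should list only the static entries, `show ip arp inspection vlan 100` should report the VLAN as enabled with the untrusted client ports, and `show ip arp inspection statistics` should show drops climbing if a test host is given an address outside its block. Because the target port is trusted, the target itself is not protected against a spoofed reply from another trusted port, so keep the trust list to the target interfaces only.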