[c-nsp] Securing a shared IP SAN
Robert Blayzor
rblayzor.bulk at inoc.net
Wed Jan 14 10:30:51 EST 2009
On Jan 14, 2009, at 10:14 AM, Ross Vandegrift wrote:
> I'd strongly suggest you reconsider the bias against L3 separation.
> It's vastly simpler and, so long as you are doing hardware forwarding
> on the 6500, it has no performance impact. I've got a few VLANs of
> iSCSI installations that work like this and it's great. Once the
> server guys know they'll need a static route for the iSCSI storage,
> you're done with that difficulty.
While I do realize that L3 in the grand scheme of things makes security
easier (at least on the network side), it does come with more admin
overhead. Where we may have the routing capacity today, we may not
tomorrow. We're actually looking at pvlans for this now. That would
prevent the customers from seeing each other, and only allow access
to the targets on the promiscuous ports. We would then be able
to use arp inspection and arp ACLs to limit the IP address they can
arp for, and we'd also be able to ACL their ingress.
Doing L3 routing is not out of the question. Something we can easily
do with a VRF. We just want to remove the extra step of having them
have to add the routes on each device to access the SAN.
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/
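The PVLAN plus ARP-inspection plus port-ACL design Robert describes, written out as an added Catalyst 6500 IOS example. This is not configuration from the thread or from INOC; the VLAN numbers (100 primary, 101 isolated), the 10.10.0.0/24 addresses, MAC addresses, interface numbers and ACL names are all made up for illustration.

```ios
! Added example, not from the original post. Hypothetical VLAN IDs, addresses,
! MACs and interfaces. Private VLANs on a 6500 require VTP transparent mode
! (VTP v1/v2).
vtp mode transparent
!
! Isolated secondary VLAN for customer initiators: hosts in it cannot reach
! each other at L2, only the promiscuous port(s) of the primary VLAN.
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Customer initiator port: isolated host port plus a per-customer ingress ACL
! that allows only iSCSI from that customer's assigned address to the target.
interface GigabitEthernet1/1
 description customer-A iSCSI initiator (hypothetical)
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 ip access-group SAN-INGRESS-CUST-A in
!
! SAN target port: promiscuous, reachable by every isolated host. Trusted for
! ARP inspection so the array's own ARP traffic is not validated against the ACL.
interface GigabitEthernet1/48
 description iSCSI target array (hypothetical)
 switchport
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
 ip arp inspection trust
!
! Static ARP ACL: each initiator may only answer for its own IP/MAC pairing,
! and the target's pairing is pinned. With "static", ARPs not matching the ACL
! are dropped rather than falling back to DHCP snooping bindings (there are
! none on a statically addressed SAN segment).
arp access-list SAN-ARP
 permit ip host 10.10.0.1  mac host 0000.2222.cccc
 permit ip host 10.10.0.11 mac host 0000.1111.aaaa
 permit ip host 10.10.0.12 mac host 0000.1111.bbbb
!
ip arp inspection vlan 100-101
ip arp inspection filter SAN-ARP vlan 100-101 static
ip arp inspection validate src-mac dst-mac ip
!
! Port ACL for customer A: iSCSI (TCP 3260) and ICMP to the target only, from
! the address assigned to this customer. Anything else (including traffic
! toward another initiator's address) is dropped and logged.
ip access-list extended SAN-INGRESS-CUST-A
 permit tcp host 10.10.0.11 host 10.10.0.1 eq 3260
 permit icmp host 10.10.0.11 host 10.10.0.1
 deny ip any any log
```

Each customer port gets its own ACL keyed to that customer's address, and the ARP ACL gets one line per initiator, so adding a customer touches three places (host port, ARP ACL, port ACL). The switch-side controls keep initiators from reaching or impersonating each other on the wire; they do not substitute for per-initiator access control (IQN lists, CHAP) on the array itself, which still decides which LUNs each initiator may see.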