[c-nsp] Securing a shared IP SAN

Robert Blayzor rblayzor.bulk at inoc.net
Wed Jan 14 10:30:51 EST 2009

On Jan 14, 2009, at 10:14 AM, Ross Vandegrift wrote:
> I'd strongly suggest you reconsider the bias against L3 serperation.
> It's vastly simpler and, so long as you are doing hardware forwarding
> on the 6500, it has no performance impact.  I've got a few VLANs of
> iSCSI installations that work like this and it's great.  Once the
> server guys know they'll need a static route for the iSCSI storage,
> you're done with that difficulty.

I do realize that L3 in the grand scheme of things makes security  
easier (at least on the network side), it does come with  more admin  
overhead.  Where we may have the routing capacity today, we may not  
tomorrow.  We're actually looking at pvlans for this now.  That would  
prevent the customers from only seeing each other, and only being able  
to access the targets on the promiscuous ports.  We would then be able  
to use arp inspection and arp ACL's to limit the IP address they can  
arp for, and we'd also be able to ACL their ingress.

Doing L3 routing is not out of the question.  Something we can easily  
do with a VRF.  We just want to remove the extra step of having them  
have to add the routes on each device to access the SAN.

Robert Blayzor, BOFH
rblayzor at inoc.net

More information about the cisco-nsp mailing list