iSCSI Network seperation

VBN · 2 Feb 2010 at 12:50

I’ve been trying to separate out my iSCSI traffic on my NetApp san, but I’m having problems when I want to have a windows host that has a Nic for iSCSI and a Nic for normal network traffic and was hoping someone might be able to point me in the right direction.

Currently I have my SAN’s iSCSI Nic plugged into a separate switch which isn’t connected to the rest of the Network. My windows host has one nic plugged directly into this switch and the other plugged into the rest of the network

iSCSI Nic on windows host is set up 10.10.20.167/255.255.252.0 – Default Gateway 10.10.20.1
Network Nic on windows host is set up 10.10.20.67/255.255.252.0 – Default Gateway 10.10.20.1

When I enable the iSCSI Nic it connects to the filer fine, but I am no longer able to connect to the server via the Network.

Is there something in addition that I should be setting on the Nics or do I need to use a different subnet and IP Range for the iSCSI Nic on the filer and the host.

Thanks

Sin_Chase · 2 Feb 2010 at 14:05

Is there a reason why you are doing this?

Can you not run all your servers and storage resources on one switch with sufficient backplane and then up-link clients via another switch as normal?

oddjob62 · 2 Feb 2010 at 14:08

The iSCSI and Network traffic should be on different subnets. If they are connected to the same switch they should be on separate VLANs

bigredshark · 2 Feb 2010 at 14:32

oddjob62 said:
The iSCSI and Network traffic should be on different subnets. If they are connected to the same switch they should be on separate VLANs

Spot on, and some storage vendors will suggest dedicated switches (it varies as to how much this represents the official line). I'm not convinced but some do recommend it, depends on your switches really...

Sin_Chase · 2 Feb 2010 at 14:52

Not having looked into iSCSI much for SAN application what is the technical reason behind it?

Security or something more ominous?

bigredshark · 2 Feb 2010 at 15:04

Sin_Chase said:
Not having looked into iSCSI much for SAN application what is the technical reason behind it?

Security or something more ominous?

Performance is the stated, the only security issue with vlans is if you don't know what you're doing.

Obviously any switch doing iSCSI should be running private vlan or similar to avoid opening gaping security holes in your infrastructure...

Sin_Chase · 2 Feb 2010 at 15:46

The VLANs I get, was curious as to the isolated switch requirement though.

Surely thats down to the end user who ultimately will know his bandwidth requirements and capacity of his switching fabric!

oddjob62 · 2 Feb 2010 at 15:58

Sin_Chase said:
The VLANs I get, was curious as to the isolated switch requirement though.

That's how suppliers are sometimes. Like apps suppliers who won't support an app if it's not on its own dedicated server.

VBN · 2 Feb 2010 at 16:26

Thanks for the comments guys.

So I should use a different subnet and IP range?

The network range currently is 10.10.20.1-10.10.23.254 so I should maybe give the filer a an IP say of 10.10.24.2 with a subnet of 255.255.255.0?

Then give the windows host Nic that I want traffic to go over an IP in that new range?

Is there anything other than IP and subnet that I'll need to set on the actual windows TCP/IP settings of that Nic card?

Thanks

RSR · 2 Feb 2010 at 16:51

bigredshark said:
Performance is the stated, the only security issue with vlans is if you don't know what you're doing.

Obviously any switch doing iSCSI should be running private vlan or similar to avoid opening gaping security holes in your infrastructure...

I agree with bigredshark.

I moved our iSCSI data network off the core network switch on to its own dedicated switch about a year ago now and it seems to have benefited massively in terms of performance and security.

bigredshark · 3 Feb 2010 at 08:57

andyd said:
I agree with bigredshark.

I moved our iSCSI data network off the core network switch on to its own dedicated switch about a year ago now and it seems to have benefited massively in terms of performance and security.

I'm not actually sure if I recommend it myself, largely we switch iSCSI on our main switches (a mixture of various high end units - Cisco 6500s, Brocade RX and Juniper EX) and we don't see any issues with it.

If you're using cheap top of rack switches (even up to Cisco 2960s/3560s) then you're more likely to see a benefit from dedicated switching.

Then again I'm not an iSCSI fan for datacenter usage, platforms which need high uptime or high performance are almost always on fibre channel still.

RSR · 3 Feb 2010 at 09:27

We have a stacked pair of 3750-E as our mainsetup, although they are not top end ive seen a difference from removing the iSCSI traffic of these switches.

However, if budgets allow this year with a possable new SAN ill be pushing for FC over iSCSI.