Damien Calvert

ASM - iSCSI and network traffic segregation

Hi,

I use the Equallogic AutoSnapshot Manager to replicate from my primary SAN to my secondary SAN.

Due to the nature of the network infrastructure, the iSCSI traffic has to traverse my core network switch to get across the WAN to the secondary SAN.

The iSCSI traffic is VLANed on all the switches but is currently routable between the network and iSCSI VLANs.

Is there any need for routing between these VLANs? Does the ASM require this? I'm just a little unclear as to the communications path.
I'd like to completely isolate the iSCSI network for security and integrity.

Any comments, tips or pointers to articles I've missed would be appreciated.

Thanks

Moderator

Re: ASM - iSCSI and network traffic segregation

Yes, you would need to enable routing and open your firewall for replication regardless of whether you are using ASM or not.

The level of “lock down” depends on your specific situation; however, it’s typically beneficial to set up your rules for the entire iSCSI VLAN subnet as opposed to setting them for each individual IP (this would have to include not only the Group IP, but each Array ETH interface (all members) and all host IPs on the iSCSI network VLAN).

MANDATORY PORTS AND PROTOCOLS

iSCSI protocol:

Type   Port   Protocol   Access
TCP    3260   iSCSI      To the group IP address and all individual member IP addresses

EqualLogic Internal Communication Protocols:
The members of a PS Series group communicate with one another using the following protocols.

EqualLogic Internal Protocols:
Type   Port    Protocol   Used for
UDP    161     SNMP       Management operations
TCP    9876    Internal   iSCSI intra-system control (Mesh connection)
TCP    25555   Internal   Group communication
TCP    20002   Internal   Event logging
TCP    20003   Internal   Internal event querying

There are additional ports you may want to open (management, CLI, syslog, etc.); see this solution for complete details: https://support.equallogic.com/support/solutions.aspx?id=1444 (support contract user account required). Once on the page, search for “ports” in the KB, and look for the solution titled “ARRAY: Network ports used by a PS Series group”.

-Joe

Social Media and Community Professional
#IWork4Dell
Get Support on Twitter - @dellcarespro

Follow me on Twitter: @joesatdell 

Damien Calvert

Re: ASM - iSCSI and network traffic segregation

Thanks Joe,

So I understand that I'd be routing traffic site to site for replication, but if I read this right, it's only the iSCSI VLAN being routed to the iSCSI VLAN.

ASM on the server talks to the group IP of the SAN (on the iSCSI VLAN) through its iSCSI NIC, not its general traffic NIC.

So there is no requirement for general traffic to be able to get to the iSCSI VLAN.

Correct?

Damien


Re: ASM - iSCSI and network traffic segregation

Correct, there's no requirement for ASM/ME to access the LAN subnet. It will be talking to the array (assuming you haven't created a dedicated Mgmt port on the LAN subnet). Replication will always occur over the iSCSI network, since "replication" is an iSCSI session between the two groups.

Regards,

Social Media and Community Professional
#IWork4Dell
Get Support on Twitter - @dellcarespro

Damien Calvert

Re: ASM - iSCSI and network traffic segregation

Ah, but I do have a dedicated Mgmt port on the LAN subnet, but the Group Manager IP is on the iSCSI subnet.


Re: ASM - iSCSI and network traffic segregation

ASM/ME will need access to the SAN side to log into the VSS control volume, so since you're running that on the server that has the data it will be fine. All iSCSI-related operations will occur on the SAN subnet, so make sure your routing between all the interfaces on each side can reach all the other interfaces on the remote side, not just the Group IP. So a NAT firewall can't be used between sites.

Regards,

Social Media and Community Professional
#IWork4Dell
Get Support on Twitter - @dellcarespro

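An added example, not from this thread or from Dell: a small Python model of the site-to-site firewall policy Joe's port table and the last reply describe, so you can check candidate flows before touching the real firewall. The rules are keyed on whole iSCSI subnets in both directions (not per-IP), limited to the listed ports, and deny anything sourced from the general LAN; the subnet addresses are constructed placeholders.

```python
import ipaddress
from typing import NamedTuple

# Ports from the table in this thread: iSCSI plus the PS Series internal protocols.
REQUIRED_PORTS = {
    ("tcp", 3260),   # iSCSI, to the group IP and every member IP
    ("udp", 161),    # SNMP management operations
    ("tcp", 9876),   # iSCSI intra-system control (mesh connection)
    ("tcp", 25555),  # group communication
    ("tcp", 20002),  # event logging
    ("tcp", 20003),  # event querying
}

# Constructed placeholder subnets; replace with the real iSCSI VLANs at each site
# and the general-traffic LAN the original poster wants kept out.
SITE_A_ISCSI = ipaddress.ip_network("10.10.1.0/24")
SITE_B_ISCSI = ipaddress.ip_network("10.20.1.0/24")
ISCSI_NETS = (SITE_A_ISCSI, SITE_B_ISCSI)


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def permitted(flow: Flow) -> bool:
    """Return True if the inter-site policy should forward this flow.

    Both endpoints must sit in an iSCSI subnet (so every member ETH interface
    and host iSCSI NIC is covered, not just the Group IP) and the destination
    port must be one of the required replication/group ports. Traffic from the
    LAN subnet or any other network never reaches the iSCSI VLANs.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if not (any(src in n for n in ISCSI_NETS) and any(dst in n for n in ISCSI_NETS)):
        return False
    return (flow.proto.lower(), flow.dport) in REQUIRED_PORTS


def audit(flows: list[Flow]) -> dict[Flow, bool]:
    """Evaluate a batch of flows (e.g. from a firewall log) against the policy."""
    return {f: permitted(f) for f in flows}
```

A flow that the policy rejects but that replication needs usually means a member interface or host NIC is outside the subnet you allowed, or a NAT device is rewriting addresses between the sites.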