May 10th, 2013 12:00

Equallogic + Force10 + DCB + pVlan

Hello,

Now I know it isn't possible because EqualLogic doesn't allow a PVLAN tag, it allows just regular VLAN tagging, but it's more a question of whether it would be possible at all.

Now I want to use DCB in my environment, but I also want to use PVLANs to make my iSCSI traffic more secure.

All my devices support DCB (PS6110XV + S4820T + BCM57800). So in theory, if I were able to put a PVLAN ID in the EqualLogic GUI, it should work, right?

Thanks...

5 Practitioner • 274.2K Posts

May 10th, 2013 14:00

I wouldn't configure a PVLAN; PVLANs use a different packet tag, I believe. I'm not sure the array will respond appropriately. Since the array will only listen on the one defined VLAN, you have effectively created a private VLAN.

30 Posts

May 10th, 2013 14:00

Hi Don, long time no speak... No, it won't work; with PVLANs you'll have a double VLAN tag. As you might remember, we host customer environments which we want completely separated. That's not possible in one VLAN, so we can only use VLAN routing or PVLAN. PVLAN is the best fit, but I can't use it with DCB, or you guys have to put it in the next firmware (it's a small change, I think ;))

5 Practitioner • 274.2K Posts

May 10th, 2013 15:00

Hello,

If you are virtualizing the storage, then the customers don't see each other's space. It's PVLANs on their production LAN side you have to segregate to keep their data segregated.

30 Posts

May 11th, 2013 01:00

Well, then I can't give them access to the Windows HIT kit. As some customers also have development environments, it is very handy if they can make snapshots....

May 11th, 2013 14:00

Hi Hdejongh.

I'm not exactly a hosting guy myself, but I don't see why you could not present volumes via the HIT kit to your customers. It's all down to the ACLs you make on each volume. The initiator you give each virtual host will be unique, so unless you're running several customers on the same virtual box, it should be a non-issue.

Only if you do not have ACLs on your volumes would they be able to see each other. Which under any circumstance is not recommended, since you risk volume corruption if another machine connects and tries to write to another machine's volume.

VMware is the exception, since it uses a clustered filesystem (VMFS), and it can handle multiple host connects to a volume.

Hope it makes sense!

30 Posts

May 12th, 2013 00:00

@DarkingDK,

I don't care about the iSCSI traffic itself; it's more the fact that I create one big network in which all my customer servers (Windows servers) are connected without a proper firewall between each other. So customer A can reach the VM of customer B. The only "real" line of defense is the Windows firewall (do I need to say more? :) ). So that is not acceptable. With PVLANs or VLAN routing I can isolate a customer.

I could also see if I can "fix" it with switch ACLs, but the problem then is that I'm using NPAR, so the ACLs will be on all my partitions.

Btw, iSCSI traffic is unencrypted; an iSCSI ACL will fix the authentication but not the traffic itself.

Regards

Hans

5 Practitioner • 274.2K Posts

May 13th, 2013 08:00

What you need is "protected/unprotected" ports on the virtual switch, with the servers being on protected ports and arrays unprotected. Servers can't see each other but can see the array.

30 Posts

May 13th, 2013 12:00

Yeah, OK, but that is exactly what PVLANs do ;)

5 Practitioner • 274.2K Posts

May 13th, 2013 12:00

Not familiar with "vShield". On a physical switch, when I wanted to isolate ports, I would set the server ports to protected and the array ports to unprotected. So all servers can see storage but not each other.

Doesn't work with virtualization environments, though.
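The protected-port design Don describes in his two posts above (and which Hans equates with PVLAN isolated/promiscuous ports) comes down to one forwarding rule. The Python below is an added example for this thread, not vendor switch code: it models a switch's layer-2 decision for protected ports and adds the check a defender would run to find server ports that were left unprotected by mistake. Port names, VLAN numbers and the server/storage roles are constructed.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    vlan: int
    role: str          # "server" or "storage" (used only by the audit, not by forwarding)
    protected: bool    # True = isolated port, False = promiscuous/unprotected port


def can_forward(src: Port, dst: Port) -> bool:
    """Layer-2 forwarding decision of a switch with protected ports (model).
    Frames never cross VLANs, and never go from one protected port to another;
    everything else in the same VLAN is forwarded."""
    if src is dst or src.vlan != dst.vlan:
        return False
    if src.protected and dst.protected:
        return False
    return True


def reachability(ports: List[Port]) -> Dict[str, List[str]]:
    """For each port, the sorted list of ports its frames can reach."""
    return {p.name: sorted(q.name for q in ports if can_forward(p, q)) for p in ports}


def isolation_violations(ports: List[Port]) -> List[Tuple[str, str]]:
    """Audit: pairs of server ports that can still talk to each other at layer 2.
    An empty list is what a correctly isolated storage network should produce."""
    bad = []
    for a, b in combinations(ports, 2):
        if a.role == "server" and b.role == "server" and can_forward(a, b):
            bad.append(tuple(sorted((a.name, b.name))))
    return sorted(bad)


def good_config() -> List[Port]:
    # Constructed: every customer server on a protected port, array ports unprotected.
    return [
        Port("cust-a", 100, "server", True),
        Port("cust-b", 100, "server", True),
        Port("array-eth0", 100, "storage", False),
        Port("array-eth1", 100, "storage", False),
        Port("mgmt", 200, "storage", False),     # different VLAN: unreachable from 100
    ]


def misconfigured() -> List[Port]:
    # Constructed: one new customer port provisioned without the protected flag.
    return good_config() + [Port("cust-c", 100, "server", False)]


if __name__ == "__main__":
    for name, reach in reachability(good_config()).items():
        print(f"{name:10} -> {reach}")
    print("violations (good):", isolation_violations(good_config()))
    print("violations (bad): ", isolation_violations(misconfigured()))
```

In the correct configuration each customer port reaches only the two array ports, while an unprotected server port shows up in the audit against every other server in the VLAN. This is the same picture as a PVLAN with one promiscuous port for the array and isolated ports for the hosts; what it does not change is Hans's other point that the iSCSI payload itself is still unencrypted on the wire.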

30 Posts

May 13th, 2013 12:00

Don, do you mean with vShield or something? Wouldn't that give too much overhead?
