December 9th, 2014 12:00

Customer concern: Mgmt port access to WAN ports?

Isilon LAN ports will be connected to the local management network and the WAN ports will be connected to the production CustomerNetwork.

If someone is logged into the Isilon (i.e. ESRS) can they access both networks, or is there anything that will prevent accessing the production customer network on the Isilon?

450 Posts

December 9th, 2014 13:00

Wschemel,

It sounds like there are a few misunderstandings here. 

1. Isilon doesn't have Management ports, Isilon management is all done in-band with user data traffic. Trying to connect any 1 single node to more than 1 subnet(where each subnet has a different gateway) is going to be very problematic, unless you're running the latest GA release (OneFS 7.2) with Source-Based-Routing (SBR) enabled.  There have been a number of discussion threads on ECN to that effect if you wonder why.

2. When EMC Support logs in through ESRS to a node, they use a service account called 'remotesupport', which has very limited abilities.  Specifically the account is only allowed to run pre-configured scripts installed on the cluster and that's it.  If support needs a greater level of access than this to help you as the customer troubleshoot a problem, they will have to call you and either conduct a webex, or you'll need to give them credentials to an account with greater access.

Now let's examine why many customers try and connect their 1Gbe interfaces for Mgmt, and it doesn't necessarily help.

1. Does it increase total network throughput to the cluster?

     No, normally disks are the bottleneck of just about all workflows, not the 2x10Gbe NICs.

2. Does it give you out-of-band access to the cluster?

     No, there is no IPMI or Power Control like you might see on a server with a DRAC or an iLO.

3. Does it minimize the impact of mgmt. traffic on user traffic?

     No, it's the same spindles underneath the hood in the end, so whether mgmt traffic traverses a 10Gbe link or a 1Gbe link the effect is the same.

4. Security: Can we shut-off mgmt. on the 10Gbe's so that it acts like a VNX datamover, and let the 1Gbe in effect be our Control Station?

     No, there are hacks to block SSH and HTTP in older versions of OneFS (6.5) by editing sshd and apache2 config files, but they are not supported, and will likely not persist across upgrades.

5. Does it add extra network complexity?

     Yes

6. Does it add additional cost in the form of optics, cables, and configuration?

     Yes

The point being that it adds complexity, but no value.

I hope this helps,

Chris Klosterman

Senior Solution Architect

EMC Isilon Offer & Enablement Team

chris.klosterman@emc.com

twitter: @croaking

20.4K Posts

December 9th, 2014 14:00

If they log in via ESRS to the cluster, they have access to every interface on Isilon.

132 Posts

December 9th, 2014 18:00

One situation where it may be useful to limit management works only if you firewall the Isilon.

If you have a firewall between your clients and the Isilon then you can block any management traffic.  Then on a physically separate network you run management.  The customer that I worked with on this had a requirement that management had to be on its own subnet and management must initiate from that subnet.  So you essentially have to RDP or SSH into a management jump station and from that jump station you can do your management.  This actually worked well with Isilon as the management subnet was always local to the Isilon so no routing issues came up.
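The design described in this post (management traffic blocked from the client network, allowed only from a separate management subnet, and always initiated from that subnet) can be expressed as a small first-match firewall policy and audited with representative flows. The following is an added example written for this thread, not code from the original post or from Isilon/OneFS; the subnets, the Isilon front-end pool, and the SMB/NFS data ports are constructed assumptions, while SSH and HTTP(S) are the management protocols the thread names.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed addressing for the example (assumptions, not from the thread).
MGMT_SUBNET = ipaddress.ip_network("10.10.99.0/24")      # jump-station / management subnet
CLIENT_SUBNET = ipaddress.ip_network("10.20.0.0/16")     # production client network
CLUSTER_POOL = ipaddress.ip_network("10.10.50.0/24")     # Isilon front-end IP pool (assumed)

# Management protocols named in the thread: SSH and HTTP(S). The data ports are the
# usual SMB/NFS ports and are an assumption about this customer's workloads.
MGMT_PORTS = frozenset({22, 80, 443})
DATA_PORTS = frozenset({445, 2049})


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[FrozenSet[int]]   # None matches any destination port
    action: str                        # "allow" or "deny"

    def matches(self, src_ip, dst_ip, dport) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dports is None or dport in self.dports))


# First-match-wins policy with an implicit default deny, modelling the design in the
# post above: management only from the management subnet, clients limited to data
# protocols, and the cluster never initiating sessions toward the management subnet.
POLICY: List[Rule] = [
    Rule(MGMT_SUBNET, CLUSTER_POOL, MGMT_PORTS, "allow"),
    Rule(CLIENT_SUBNET, CLUSTER_POOL, MGMT_PORTS, "deny"),
    Rule(CLIENT_SUBNET, CLUSTER_POOL, DATA_PORTS, "allow"),
    Rule(CLUSTER_POOL, MGMT_SUBNET, None, "deny"),
]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def audit(policy: List[Rule]) -> List[str]:
    """Probe the policy with representative flows and report every violation of the
    stated requirements. Returns an empty list when the policy holds."""
    violations = []
    client, mgmt, node = "10.20.1.5", "10.10.99.7", "10.10.50.10"  # constructed hosts
    for port in sorted(MGMT_PORTS):
        if evaluate(policy, client, node, port) != "deny":
            violations.append(f"client may reach mgmt port {port}")
        if evaluate(policy, mgmt, node, port) != "allow":
            violations.append(f"mgmt subnet cannot reach mgmt port {port}")
    for port in sorted(DATA_PORTS):
        if evaluate(policy, client, node, port) != "allow":
            violations.append(f"client blocked from data port {port}")
    if evaluate(policy, node, mgmt, 22) != "deny":
        violations.append("cluster may initiate sessions into the mgmt subnet")
    return violations


# A deliberately weak variant: a broad "allow clients to the cluster" rule placed first,
# which silently reopens SSH/HTTP from the production network. The audit catches it.
WEAK_POLICY: List[Rule] = [Rule(CLIENT_SUBNET, CLUSTER_POOL, None, "allow")] + POLICY


if __name__ == "__main__":
    print("strict policy violations:", audit(POLICY))
    print("weak policy violations:", audit(WEAK_POLICY))
```

The audit is the part worth keeping around: rule order is where this kind of segmentation usually breaks, and re-running the probe set after every firewall change shows immediately whether the production network has regained a path to SSH or the web interface.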
