WS-C3750G config for SAN-to-SAN connectivity

Jun 1st, 2009

I am looking for documentation or recommendations for configuration on my LAN to support SAN-to-SAN connectivity. We are in the process of replacing our SAN and adding a new DR SAN at a remote location. We have two (2) 3750Gs supporting redundant iSCSI connectivity between the servers and the SAN. The 3750s are interconnected via the stack cable with one being designated controller A connectivity and the other controller B. All servers have two connections, one to controller A and the other to controller B. The controllers from the SAN are connected to the appropriate 3750 as well. All the SAN hardware is configured for a unique network and has been completely independent of the LAN.

They now want to start implementing phase 2 where the production SAN talks to a second remote SAN (DR SAN).

My question starts with: is there more to it than simply adding the dedicated SAN networks to the LANs as a VLAN? This makes the traffic routable but also seeable by the rest of the company. I am thinking that I also need an access list so these two networks cannot be accessed by any other network in the company?

I have never done anything with SANs and the tech we have from the vendor is not a network / switch expert. He just knows he needs the equivalent of a cable run between the two SANs. I also have to figure this out within the next week or so.

Anyone know of or have a reference to documentation that can get me and keep me on the right path? I have reached through the vendor to a different Tech to see if I can get better information. Connectivity between the two SANs will eventually be across an MPLS network but for initial setup and config connectivity will be through the core.

Thanks in advance ....

Michael Brown Tue, 06/02/2009 - 02:21

Not sure there is such a paper with details specific to your scenario.

Here is a link to a white paper detailing the security issues between SAN and LAN that might be of some help. It details ways to secure both sides.

We wrote a white paper on iSCSI high availability, but it appears to have been removed from the CCO MDS Whitepaper index. If you search on 'iscsi high availability' you can see the link, but it leads to an index where the paper is not listed. I will try to locate a valid link and post back.

- Mike

bberry Tue, 06/02/2009 - 05:08

Thanks, I will give this a read. Not knowing anything about supporting the SAN any information will be a start.


Michael Brown Tue, 06/02/2009 - 05:23

I found the iSCSI high availability document but it is too large to attach here. The file size is about 9 meg. Email if you want a copy.



inch Tue, 06/02/2009 - 15:32


iSCSI is a pretty simple transport - You should really just treat this network in the same way as any other business critical network.

Make it redundant, make it fast :)

I'm guessing you have two vlans/networks? vlan A and vlan b?

What is configured at the remote site? a/b again? different numbers? will it be routed? is spanning tree configured? etc etc


bberry Wed, 06/03/2009 - 05:41


It will be as redundant and as fast as I can make it given the second SAN will be placed in a location that currently has a single T1 for access.

Both locations are campus environments with multiple VLANS, routing, spanning-tree, etc. I have 4506s with Sup IV as the core in both.

The production SAN was set up using 10.99.x.x for its needed IP addresses and has been in production for over a month now. It has been completely isolated from the LAN except for connectivity through a 2950 for the management ports. The basic setup in the rack is a 2950 for management access to the switches in the SAN and the only connection back to the core. There are two (2) 3750Gs stack connected and supporting the iSCSI connectivity and two (2) MDS9124 interconnected to support all the fiber channel connectivity. This is all connected to an EDS TRPE supporting three (3) drive drawers. Both controllers in the TRPE are connected to the 3750Gs with each controller going into a single 3750G. Each iSCSI attached server is also dual attached with a connection into each 3750G.

The DR SAN is the same EDS TRPE but only has a single 3750G because there are no fiber channel attached servers at the DR location. Both controllers in the TRPE are connected to this single 3750G as will be all iSCSI attached servers.

All the addressing for the production SAN is 10.99.x.x and the DR SAN has everything configured in the 10.98.x.x space. I created a vlan 99 for the and a VLAN 98 for the 10.98.x.x and will place all the iSCSI production ports in their VLAN and the iSCSI DR ports into their VLAN. Setup and configuration will be completed here at corporate and then pack up the DR SAN and reconnect it at the DR location. I would then remove the 10.98.x.x vlan from corporate and add it to the DR site. I am thinking ACLs would then be put into place to only allow these two VLANS to be seen at these two locations and nowhere else in the company. It is this security that I am concerned about with this type of implementation. It works but is it the best practice solution?
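
The ACL idea raised in the post above, sketched as IOS configuration for the end state with VLAN 99 at corporate and VLAN 98 at the DR site. This is an added example, not part of the thread and not vendor guidance; it assumes /16 masks for 10.99.x.x and 10.98.x.x, that each site's routing core holds the SVI for its SAN VLAN, and the ACL names are constructed.

```cisco
! Added example; ACL names are constructed for illustration.
! Assumes 10.99.0.0/16 (production SAN) and 10.98.0.0/16 (DR SAN), with
! SVI Vlan99 on the production core and SVI Vlan98 on the DR core.
! ACLs on an SVI filter routed traffic only: iSCSI between servers and
! controllers inside the same VLAN is switched at layer 2 and is unaffected.
!
! ---- Production core ----
ip access-list extended SAN99-FROM-VLAN
 remark hosts in VLAN 99 may be routed only to the DR SAN subnet
 permit ip 10.99.0.0 0.0.255.255 10.98.0.0 0.0.255.255
 deny   ip any any log
!
ip access-list extended SAN99-TO-VLAN
 remark only the DR SAN subnet may be routed into VLAN 99
 permit ip 10.98.0.0 0.0.255.255 10.99.0.0 0.0.255.255
 deny   ip any any log
!
interface Vlan99
 ip access-group SAN99-FROM-VLAN in
 ip access-group SAN99-TO-VLAN out
!
! ---- DR core (mirror image) ----
ip access-list extended SAN98-FROM-VLAN
 remark hosts in VLAN 98 may be routed only to the production SAN subnet
 permit ip 10.98.0.0 0.0.255.255 10.99.0.0 0.0.255.255
 deny   ip any any log
!
ip access-list extended SAN98-TO-VLAN
 remark only the production SAN subnet may be routed into VLAN 98
 permit ip 10.99.0.0 0.0.255.255 10.98.0.0 0.0.255.255
 deny   ip any any log
!
interface Vlan98
 ip access-group SAN98-FROM-VLAN in
 ip access-group SAN98-TO-VLAN out
```

After applying, `show ip access-lists` lists per-entry match counts, so a test connection from an ordinary user VLAN should increment the `deny` line rather than a `permit` line. The management path through the 2950 sits outside these two subnets' iSCSI ports and needs its own restriction.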