
WS-C3750G config for SAN-to-SAN connectivity

bberry
Level 1

I am looking for documentation or recommendations for configuration on my LAN to support SAN-to-SAN connectivity. We are in the process of replacing our SAN and adding a new DR SAN at a remote location. We have two (2) 3750Gs supporting redundant iSCSI connectivity between the servers and the SAN. The 3750s are interconnected via the stack cable with one being designated controller A connectivity and the other controller B. All servers have two connections, one to controller A and the other to controller B. The controllers from the SAN are connected to the appropriate 3750 as well. All the SAN hardware is configured for a unique network and has been completely independent of the LAN.

They now want to start implementing phase 2 where the production SAN talks to a second remote SAN (DR SAN).

My question starts with: is there more to it than simply adding the dedicated SAN networks to the LANs as a VLAN? This makes the traffic routable but also seeable by the rest of the company. I am thinking that I also need an access list so these two networks cannot be accessed by any other network in the company?

I have never done anything with SANs and the tech we have from the vendor is not a network / switch expert. He just knows he needs the equivalent of a cable run between the two SANs. I also have to figure this out within the next week or so.

Anyone know of or have a reference to documentation that can get me and keep me on the right path? I have reached through the vendor to a different Tech to see if I can get better information. Connectivity between the two SANs will eventually be across an MPLS network but for initial setup and config connectivity will be through the core.

Thanks in advance ....

Brent


Michael Brown
Cisco Employee

Not sure there is such a paper with details specific to your scenario.

Here is a link to a white paper detailing the security issues between SAN and LAN that might be of some help. It details ways to secure both sides.

We wrote a white paper on iSCSI high availability, but it appears to have been removed from the CCO MDS Whitepaper index. If you search on 'iscsi high availability' you can see the link, but it leads to an index where the paper is not listed. I will try to locate a valid link and post back.

- Mike

Thanks, I will give this a read. Not knowing anything about supporting the SAN any information will be a start.

Brent

I found the iSCSI high availability document but it is too large to attach here. The file size is about 9 meg. Email if you want a copy.

Thanks,

Mike

inch
Level 3

G'day,

iSCSI is a pretty simple transport - You should really just treat this network in the same way as any other business critical network.

Make it redundant, make it fast :)

I'm guessing you have two vlans/networks? vlan A and vlan b?

What is configured at the remote site? a/b again? different numbers? will it be routed? is spanning tree configured? etc etc

:)

G'day,

It will be as redundant and as fast as I can make it given the second SAN will be placed in a location that currently has a single T1 for access.

Both locations are campus environments with multiple VLANS, routing, spanning-tree, etc. I have 4506s with Sup IV as the core in both.

The production SAN was setup using 10.99.x.x for its needed IP addresses and has been in production for over a month now. It has been completely isolated from the LAN except for connectivity through a 2950 for the management ports. The basic setup in the rack is a 2950 for management access to the switches in the SAN and the only connection back to the core. There are two (2) 3750Gs stack connected and supporting the iSCSI connectivity and two (2) MDS9124 interconnected to support all the fiber channel connectivity. This is all connected to an EDS TRPE supporting three (3) drive drawers. Both controllers in the TRPE are connected to the 3750Gs with each controller going into a single 3750G. Each iSCSI attached server is also dual attached with a connection into each 3750G.

The DR SAN is the same EDS TRPE but only has a single 3750G because there are no fiber channel attached servers at the DR location. Both controllers in the TRPE are connected to this single 3750G as will be all iSCSI attached servers.

All the addressing for the production SAN is 10.99.x.x and the DR SAN has everything configured in the 10.98.x.x space. I created a vlan 99 for the 10.99.0.0 and a VLAN 98 for the 10.98.x.x and will place all the iSCSI production ports in their VLAN and the iSCSI DR ports into their VLAN. Setup and configuration will be completed here at corporate and then pack up the DR SAN and reconnect it at the DR location. I would then remove the 10.98.x.x vlan from corporate and add it to the DR site. I am thinking ACLs would then be put into place to only allow these two VLANS to be seen at these two locations and nowhere else in the company. It is this security that I am concerned about with this type of implementation. It works but is it the best practice solution?

Brent
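
The ACL idea raised in this thread can be checked offline before it goes onto the core. The sketch below is an added example, not code or configuration from any poster: it parses two constructed IOS extended ACLs for the inbound side of the VLAN 99 interface and evaluates sample flows with first-match and implicit-deny semantics. The ACL names, the /16 wildcard masks and the host addresses are assumptions.

```python
import ipaddress

# Constructed ACLs for "ip access-group ... in" on the VLAN 99 SVI.
# ACL names and the /16 wildcard masks are assumptions, not from the thread.
ACL_WEAK = """
ip access-list extended SAN-PROD-WEAK
 permit ip 10.99.0.0 0.0.255.255 any
"""
ACL_TIGHT = """
ip access-list extended SAN-PROD-IN
 permit ip 10.99.0.0 0.0.255.255 10.98.0.0 0.0.255.255
 deny ip any any log
"""

def _net(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    # Raises ValueError for non-contiguous wildcards, which this sketch does not model.
    return ipaddress.ip_network(f"{first}/{netmask}")

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for 'permit|deny ip ...' entries."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # header, blank line, or a protocol this sketch ignores
        rest = tokens[2:]
        rules.append((tokens[0], _net(rest), _net(rest)))
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins; no match hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# Constructed flows (source, destination); 10.10.5.20 stands in for a corporate LAN host.
FLOWS = [("10.99.1.10", "10.98.1.10"), ("10.99.1.10", "10.10.5.20")]

def verdicts(acl_text):
    rules = parse_acl(acl_text)
    return [evaluate(rules, s, d) for s, d in FLOWS]

if __name__ == "__main__":
    print("weak :", verdicts(ACL_WEAK))
    print("tight:", verdicts(ACL_TIGHT))
```

A routed ACL on the SVI only filters traffic crossing the VLAN boundary; hosts inside VLAN 99 still reach each other at layer 2, and the management path through the 2950 needs its own review.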
