Comware Based
1748182 Members
3429 Online
108759 Solutions
New Discussion юеВ

Re: HPE 5820 - IRF feature and SAN/data traffic isolation

 
nmsden
Occasional Contributor

HPE 5820 - IRF feature and SAN/data traffic isolation

Hello,

I'm new to HPE networking products, and have som questions regarding the HP 5820-24XG-SFP+ and IRF feature.

First of all. Is there any difference between the JC102A and the JC102B. As far as I can see both products run Comware 7. Maybe JC102B is a HP produced unit, while JC102A is from H3C fabric, as I can see no difference?

Second question. Both VMware hosts and SAN will be connected to the same switches and I want to make a multihomed redundant design using a L2 network. The guests on the VMware host will have public IP addresses and could be target for DDoS attacks which overloads switch uplinks and interconnections interrupting SAN traffic (iSCSI). Therefor I want to isolate VMware guest data traffic and SAN traffic not to use the same uplinks/interconnects, but reading about IRF I find this a challange if I understand It correctly.

I attached a topology of how I would make it without IRF technology (see attachment to the right).
The basic Idea is simple - double interconnects between switches at the same site (each dedicated for SAN and DATA), and one interconnect between the sites for each switch. Spanning tree is blocking SAN and DATA traffic asynchronous between the sites, so the only scenario where SAN and DATA traffic would share the same interconnect between sites is when a switch malfunctions or the fiber link goes down.

If I should migrate this setup to a 4 member IRF I think the traffic isolation becomes a problem. As I understand IRF creates LACP like groups between IRF peers, so looking at my topology the double interconnects between switch 1+3 and 2+4 would be load balanced across all VLANS making SAN and DATA traffic share the links. 

Is it possible to configure IRF interconnects/groups to dedicate links for certain vlans? If not I think there is some solutions:
1. Configure QoS to prioritize SAN iSCSI traffic highest and use strict priority queing. I'm not a fan of that.
2. Use RRPP (Rapid Ring Protection Protocol) for SAN traffic.
Can RRPP be configured on a IRF member port? If not I would need 2 extra interconnects between the sites to make a dedicated RRPP ring for SAN traffic, and dedicated IRF ring for data traffic and IRF High-availability features?

All input is appriciated!

Thanks.

 

5 REPLIES 5
Mike79
Advisor

Re: HPE 5820 - IRF feature and SAN/data traffic isolation

Hi,

I would rather use MSTP with vlan instances for DATA/iSCSI traffic separation and keep redundancy.

This way you will have two STP Root/Backup Root switches - one for SAN, other for DATA.

Mike

nmsden
Occasional Contributor

Re: HPE 5820 - IRF feature and SAN/data traffic isolation

So you would not use IRF feature at all in this case, but rather stick to MSTP and VRRP for redundancy?

Another potential problem. Does the HP 5820 support LACP groups from the same server/storage connected to 2 different switches, without IRF configured?
With SAN and VMware hosts this would not be a big problem, as they both support another failover mechanism, but for other connected devices such as physical servers this could be a potential problem.

spgsitsupport
Regular Advisor

Re: HPE 5820 - IRF feature and SAN/data traffic isolation

When you think of it logically you will see that: IRF should NOT be involved in data traffic at ALL if you have multipath from server(s) to iSCSI storage AND each connection(s) from a server going to different IRF stack member It is multipath driver on the server that does the "clever" bit of pushing data one way or another (depending on its policy) and NO data travels via IRF link Seb
nmsden
Occasional Contributor

Re: HPE 5820 - IRF feature and SAN/data traffic isolation

I find it confusing neither of you recommends IRF stacking for this small datacenter setup, as IRF should be intended to improve convergence times in redundant switch setup for both Layer2 and Layer3..
- IRF Brief: https://h17007.www1.hpe.com/docs/reports/irf.pdf

One point we can agree on though is that LACP should not be used for iSCSI SAN or the NICs dedicted for storage connection on the VM hosts, as MPIO will outperform it. However we do not only have VMware host and SANs connected, and some of the other servers will benefit from LACP for redundancy which is why IRF is interesting as it makes it possible to form a LACP group across 2 switches.

Do anyone have a best practices document for IRF? I also have a lot of questions using the switches as gateways with IRF (replacing VRRP), and how the topology should be designed for the switches to distribute routing information correctly to the IP core.

All I can find on IRF online is how to configure a stack, but I would like to find a document that shows a full featured configuration for redundancy in both layer2 and layer3. This would probaply answer a lot of my questions..

spgsitsupport
Regular Advisor

Re: HPE 5820 - IRF feature and SAN/data traffic isolation

Ofcourse you DO USE IRF It is just that it will never be used for any data travel