Lefthand CMC and SAN deployment best practice help

rhinkamper
Occasional Contributor


I am getting some flak from my peers about how I have CMC and our SANs set up. They would like the integrated NICs on the SANs active and plugged in and on our production network so they can use CMC to manage the SANs from any machine in the production network (I feel this is a huge security risk). Right now I have the integrated NICs disabled, there are two 10GB fiber links active on the “SAN VLAN”, and the iLO ports for the SANs are on the production network.

I have a physical server with two NICs, one plugged into the “SAN VLAN” and one plugged into the production network with CMC loaded to manage the SANs. My failover manager(s) also runs on this physical server.

I thought this was the most secure deployment I could implement, and was under the impression this was considered “best practice”. Could anyone provide me with some insight?

3 REPLIES
KurtG
Regular Advisor

Re: Lefthand CMC and SAN deployment best practice help

A CMC installation on several servers/clients in the production environment would not make any sense to me. Much better to do a TS connection to your CMC/FOM server. That server could also be used for IRS (Insight Remote Support) if you so choose.

I would not have liked to expose my "disk network" to other networks like that. Having access to the IPs/nodes is a core requirement for managing the nodes, so why have a "disk/network/VLAN" in the first place if "everyone" is going to connect from "everywhere"?

Your design is "better" and looks like a lot of installations I have seen out there. Never seen an implementation looking like what your peers are suggesting!

 

KurtG

 

 

5y53ng
Regular Advisor

Re: Lefthand CMC and SAN deployment best practice help

Keep your management separated like you have now. Even if an "attacker" did not have the CMC, they could SSH in to the storage nodes and perform management group operations. Granted there is authentication and specific ports to connect to, but isolated is still the best bet when you consider your business is riding on that SAN.

oikjn
Honored Contributor

Re: Lefthand CMC and SAN deployment best practice help

I don't see why you can't give the other people access with the setup you have now. You just have to have a router/gateway between your SAN and LAN. I don't ever manage the network from my SAN since CMC and SAN/iQ all route totally fine over the network as long as the gateways are configured. You can then lock down access to the SAN however you like... we just use our enterprise firewall with very restricted rules to allow access to those who need it.