StoreVirtual Storage
1748179 Members
4142 Online
108758 Solutions
New Discussion юеВ

Re: Installing Storevirtual VSA cluster

 
giladzzz
Honored Contributor

Installing Storevirtual VSA cluster

Hi

Has anyone installed a VSA cluster separating management and ISCSI

networks. that is having the CMC connected through a management network

and leaving the ISCSI network a closed network.

can this be done by assigning one network card of the VSA to management

and the other to ISCSI

any comments appreciated

Thanks

9 REPLIES 9
Bart_Heungens
Honored Contributor

Re: Installing Storevirtual VSA cluster

Hi,

Yes this is perfectly possible, did it several times already...

The easiest is to connect iniitally the mgmt PC with CMC installed on the iSCSI network, and then inside CMC you can go to the Communications tab of every VSA and select there the correct managament interface NIC...

 

Kr,

Bart

--------------------------------------------------------------------------------
If my post was useful, clik on my KUDOS! "White Star" !
giladzzz
Honored Contributor

Re: Installing Storevirtual VSA cluster

Hi

thanks for your advice.

is it important to have the first nic as  ISCSI and the second as managment

and can this be done from the VSA console.

Regards

 

 

Bart_Heungens
Honored Contributor

Re: Installing Storevirtual VSA cluster

Hi,

The order as such is lnot so important, just be sure the storage network has 10Gb and the management network the 1Gb speed...

This must be configured ideally from the CMC console...

Kr,

Bart

--------------------------------------------------------------------------------
If my post was useful, clik on my KUDOS! "White Star" !
oikjn
Honored Contributor

Re: Installing Storevirtual VSA cluster

Is there an external force requiring you to split management to a 2nd network?  There is really a ralther limited practical benefit to this for VSAs... hardware maybe, but not the VMs.  This just adds one more potential configuration mistake you can make at a later date.

Bart_Heungens
Honored Contributor

Re: Installing Storevirtual VSA cluster

Hi,

No this is just a best practice... As long as you have a routed network between your iSCSI network and the network where your mgmt PC is connected with CMC running you should be OK...

In large environments I create separate networks, in smaller environments I keep it simple and use separate IP subnets with routing in between to make life easy...

Kr,

Bart

--------------------------------------------------------------------------------
If my post was useful, clik on my KUDOS! "White Star" !
oikjn
Honored Contributor

Re: Installing Storevirtual VSA cluster

not sure I follow.  I do 100% agree that the iscsi data should be on its own network/vlan, but is there really any benefit to having a 2nd vNIC setup just for management (assuming the iSCSI VLan is routable to the production/management network).

A seporate management network might be best practice for physical devices, but it seems out of step with the VSA setup.

I can see it for hardware devices that you want to get OOB access or otherwise isolate to ensure management can be accessed in the event of an issue, but on a pure VSA setup that is really not an issue/option anyway.  Add to that the fact that adding a 2nd vNIC to each VSA just puts more overhead to the VM and host, why bother?  

Bart_Heungens
Honored Contributor

Re: Installing Storevirtual VSA cluster

Hi,

Don't look too far, you are right... In a virtualized environment less people seems to have the need for a separate network compared to a physical one...

But know that it is possible just like in the physical world that it is possible to have a separate network... And like mentioned before it is not always possible to have routed network between the VLAN's and so at that moment you might have an alternative...

Technically the option is there since the code on the VSA and the physical nodes is the same, so you just needed a second virtual NIC...

Kr,

Bart

--------------------------------------------------------------------------------
If my post was useful, clik on my KUDOS! "White Star" !
giladzzz
Honored Contributor

Re: Installing Storevirtual VSA cluster

Hi

the main advantage of separating management and data is because the you can install the CMC outside the virtual environment because usually ISCSI network is non-routeable if it must be routable it is not a good solution.

usually I install a VM on the host and give it access to ISCSI network and install CMC on that VM another problem is 

getting SMTP mail because you need to create an SMTP forwarding from your ISCSI environment

from what I understand if ISCSI network is non-routable it is best to create only one network

Regards

 

oikjn
Honored Contributor

Re: Installing Storevirtual VSA cluster

by default it IS routeable.  Multi-site clusters can't exist without this.  Just because it is routeable doesn't mean that you can't lock down access through a firewall or other method.  If you look at the default settings, most are assuming and relying on the fact that the iSCSI network is routed.

The default install for the VSA is a SINGLE vNIC that has a defined and functioning gateway.  This allows, SNMP/NTP/SMTP/management to be located outside of the dedicated iSCSI network without all the arbitrary trouble you have to deal with when you try and make the iSCSI network 100% isolated.  

 

I don't follow how a 2nd vNIC on a VSA is "outside the virtual enviropnment" nor how multi-homing the MGT section is effectively any more secure for the appliances in most applications.  Setup your VLANs correctly and setup your firewall/gateway with whatever restrictions you think are appropriate and then you don't have to worry about putting a SNMP/SMTP/NTP/CMC or any other dedicated server inside the iSCSI network and you don't have to worry about outside sources becoming a significant threat to the iSCSI network.

 

iSCSI is best on its own dedicated network so that the network doesn't get excessive traffic and can easily have QoS policies applied, but attempting to create an ultra-isolated network on a converged/hyper-converged infrastructure is adding a layer of complexity to a solve a problem that simply doesn't exist without some other external driver.  If a company policy or outside auditor requires iSCSI traffic to be isolated and non-routed, then you need to comply, but otherwise, you are just adding extra complexity to a system and in general more complex=less reliable.