StoreVirtual Storage

Re: Lefthand CMC and SAN deployment best practice help

 
rhinkamper
Occasional Contributor

Lefthand CMC and SAN deployment best practice help

I am getting some flak from my peers about how I have CMC and our SANs set up. They would like the integrated NICs on the SANs active and plugged in and on our production network so they can use CMC to manage the SANs from any machine in the production network (I feel this is a huge security risk). Right now I have the integrated NICs disabled, there are two 10GB fiber links active on the "SAN VLAN", and the ILO ports for the SANs are on the production network.

 

I have a physical server with two NICs, one plugged into the "SAN VLAN" and one plugged into the production network, with CMC loaded to manage the SANs. My failover manager(s) also runs on this physical server.

 

I thought this was the most secure deployment I could implement, and was under the impression this was considered "best practice". Could anyone provide me with some insight?

3 REPLIES 3
KurtG
Regular Advisor

Re: Lefthand CMC and SAN deployment best practice help

A CMC installation on several servers/clients in the production environment would not make any sense to me. Much better to do a TS connection to your CMC/FOM server. That server could also be used for IRS (Insight Remote Support) if you so choose.

 

I would not have liked to expose my "disk-network" to other networks like that. Having access to the IPs/nodes is a core requirement for managing the nodes, so why have a "disk/network/vlan" in the first place if "everyone" is going to connect from "everywhere"?

 

Your design is "better" and looks like a lot of installations I have seen out there. Never seen an implementation looking like what your peers are suggesting!

 

KurtG

 

 

5y53ng
Regular Advisor

Re: Lefthand CMC and SAN deployment best practice help

Keep your management separated like you have now. Even if an "attacker" did not have the CMC, they could SSH in to the storage nodes and perform management group operations. Granted there is authentication and specific ports to connect to, but isolated is still the best bet when you consider your business is riding on that SAN.

oikjn
Honored Contributor

Re: Lefthand CMC and SAN deployment best practice help

I don't see why you can't give the other people access with the setup you have now. You just have to have a router/gateway between your SAN and LAN. I don't ever manage the network from my SAN since CMC and SAN/iQ all route totally fine over the network as long as the gateways are configured. You can then lock down access to the SAN however you like... we just use our enterprise firewall with very restricted rules to allow access to those who need it.