iSCSI Network Design

Similar Questions

• How to segragate VM of each other AND Management & iSCSI network traffic?

  I want to test how I can keep VM isolated from each other AND the segments of iSCSI network and management... It's just a proof of concept, so I not be using redundant paths.  I want to know how I can keep all my shelter of the attackers 'would '?  that is if one of the virtual machines becomes "compromise" How could I isolate all "would be attackers" to travel to other virtual machines or networks of management/iSCSI?   Is there a way to create each virtual machine in a VIRTUAL LAN on the ESX host? Or is there a better way?

  For the installation of the physical hardware - sounds?

  TahoeTech wrote:

  "So, to make sure that I understand...". I'll install VMware ESX on

  the physical host machine and then create 3 vSwitches which will be

  related to 1 physical NETWORK card by vSwitch? "

  Since I only need to the DMZ network available to VMS - must - I still 3 vSwitches?

  Yes, one for virtual machines, one for management and one for iSCSI. You may combine up to vSwitches (2) combining management and iSCSI, but it is not recommended.

  The host machine does the iSCSI storage to virtual machines as a "disk"?

  More or less, Yes. When you create a virtual machine, you need to configure the disks for this virtual machine. You will be asked which data source to use, and you choose the iSCSI data store, that you create when you set up the data store and iSCSI.

  The host uses the vSwitches? I thought that the host machine could use physical NETWORK cards... i.e. Teddy 1 would be management and Teddy 2 would be iSCSI, Teddy 3 would be linked to a vSWITCH for virtual machines?

  Yes the host use the vSwitch, after all the console, etc. is a virtual machine its self

  Virtual machines will never see a teddy bear. You want to assign a vNIC to the virtual machine when you create the virtual machine. The vNIC is connected to a group of ports, which in turn is connected to a vSwitch, which in turn is connected to a teddy bear.

  The virtual machines do NOT need access to the networks of management or iSCSI (I don't think)?

  Fix.

  The management network connects to ESX physical HOST (Teddy 1) in order to control the accurate virtual machines?

  The management of the network give you access to control everything via vCenter or the VI client or the command line.

  And the iSCSI network connects to the physical ESX HOST (Teddy 2) where the ESX host will present data warehouses to virtual machines as 'physical' disks correct?

  Yes, it will look like just a physical disk to the VM operating system.

  I guess what I'm trying to understand, or how I see it is that the host ESX is the only machine that has 'see' the iSCSI network?

  The VMKernel manages iSCSI seamlessly. Guests don't need to know anything iSCSI.

  Virtual machines see drives that presents the ESX host? For the virtual machines do not need is access to the iSCSI network (unless I need to install additional storage or drive shared etc...)

  Fix.

  any idea when VI4 is scheduled to be released?

  Rumor is soon. But unless there is there a feature that radically changes your design I wouldn't get too worried about it.

• Hyper-V and iSCSI network

  Hello

  We evaluate a migration of vmware for hyperv.

  I try to understand best practices for networks iSCSI comments.

  I have physical 4ports 1GBit dedicated, on the host for iSCSI traffic.

  I like to use all 4 for iSCSI host (vhdx volumes) traffic.

  Now I thought to do 2 of them shared by creating 2 logical switches in VMM, adding 2 virtual network cards for the host to use.

  The new virtual network cards are 10 Gbit. I don't see an option to change them to 1GBit. To me it seems now that the system prefers the 10 GB adapters. My other two physical cards are no more used.

  I tried to do all 4 ports as virtual, but somehow the 4.7EPA ASM does not see virtual cards. He said only: "no network adapters don't find" at the opening of the MPIO settings.

  Should I just ignore this idea to share and use 2 for host and 2 for iSCSI hosts, or is it a medium work?

  It is recommended to devote at least 2 interfaces on the host iSCSI network.  In addition, you must install the Dell EqualLogic for Microsoft host integration tools and install the MPIO feature.  To enable the MPIO in the guest operating system, you must create at least two virtual switches that are related to the physical SAN on the Hyper-V host adatpers.  Virtual machines must be configured with at least two of these virtual switches.  Then, since the guest operating system, configure interfaces with IP iSCSI network, Subnet, etc...  You must also install the Dell EqualLogic for Microsoft host integration tools and functionality MPIO DSM in the guest operating system, if it is not running Windows.  If you use Jumbo frames, ensure that all NETWORK adapters used for iSCSI (NETWORK physical cards, NETWORK cards, Guest OS NICs) are enabled for frames.

  In regards to ASM v4.7 EPA you don't see not cards network for MPIO - there is a known ASM / ME v4.7 bug in Windows Server R2 2012 linked to the EPA.  It is likely that the configuration of MPIO is fine (you can check it out through the initiator Microsoft iSCSI MPIO EqualLogic tab - it's just that ASM / me has a problem of information display.)  This bug has been fixed in version recommended to v4.7 GA HIT/Microsoft - which is intended to be published very soon.

• Adding the iSCSI network switch

  Hello

  We have an iSCSI network for guests of vSphere 5.1 EQL boxes. The network is 192.168.0.0/24, we use the switches PC5548 and we have three groups EQL. Everything is configured following best practices from DELL, and everything is kind of okay job.

  Since we are affected by the poor performance of our SQL servers virtualized and troubleshooting led switches as a guilty suspect I want to try to use other switches to know.

  So I intend to add a pair of parallel to the PC5548 cisco switches and connect a host and a group of PS to those (where the SQL VM reside) and see the difference, but my question is that I can use the same network 192.168.0.0. / 24 although cisco and dell switches are not physically connected. VMotion work?

  You shouldn't use the entry level switches with 10 tables. The interlink trunk has 80% of eql bandwidh. You can consider buying Dell Force10 switches with buffers of large size and low latency.

  Kind regards

  Joerg

• What layer are FI in the Cisco hierarchical network design model?

  What layer are FI in the Cisco hierarchical network design model?

  Is this a straigh question? We have a Nexus 7 k for our heart and Port-channel of the FI for them. So for me it layer distribution.

  But when we attach to the NAS. Isilon devices we use between the FI and N7K N3K. This would make the N3K and FI both part of the Distribution layer? Would not be considered layer. However, it does not ACL etc. which usually belong to the Distribution layer.

  I was wondering thoughts people on it. Is the UCS FI and 'One Off' in the model of 3 layer?

  Thank you!

  Craig

  FI can sit to your dist layer. or access.  I've seen deployments where they are deployed at the same time, depending on the size of the cluster of the UCS and band network bandwidth. The distribution layer is usually to be where all the magic of layer 3 arrives (routing, ACL, QoS, FW, application of strategies etc.) and UCS being strictly Layer 2, it could be classified as a device to access-layer.

  Designs are flexible and as long that you consider oversubscription adjusted, you should be fine with the deployment option.

  I hope that others will share their ideas

  Kind regards

  Robert

• iSCSI networks

  I think I have what should be a relatively easy question to answer, im just a little confused right now:

  I created vSwitch1

  I created a group attached to port vmkernal vSwitch1

  I assigned an IP address

  the default gateway has been the default installation of the gateway of the network management

  I have configured VLAN 99 which is my VLAN ISCSI

  When I configure my switch for VLAN 99 ports I can not ping to the IP address of the vmkernel port

  If I change the swtich to the trunk w ports ports / VLAN 99 as well as the management VLAN then I can ping

  What is well configured?  the default gateway must be changed to the default ISCSI VLAN gateway?

  Thanks in advance for any idea!

  Cheers.

  Hello

  If you configure the switch trunk ports and configuring the VMkernel the right port VLAN, you shouldn't have any problem to communicate through this VLAN.

  If you configure the ports on the switch in the access mode, you must configure the VMkernel port without any VLAN in order to communicate through this VLAN.

  ISCSI VLANS must be an isolated network, the gateway is not important when you configure the iSCSI network.

  In any case, check out this link on the VLAN on VMware:

  http://www.VMware.com/PDF/esx3_vlan_wp.PDF

  Best wishes / Saludos

  -

• Question/security of network design

  I would like to get opinions on the design of a network of our ESX host.  We have a couple of the main areas of ESX, each with 10 physical network interface cards.  We have the following in our environment:

  -iSCSI and NAS storage (so two cards NETWORK is for IP storage)

  -2 separate networks for virtual machines - 1 for admin interfaces (not for users) and the other for servers in production (for users)

  Current configuration is:

  2 NICs (SC and admin VMs)

  2 NICs (IP storage)

  2 NICs (vMotion)

  3 NETWORK interface cards (Production Server virtual machines)

  I would like opinions on how course of a facility that is.  Is it a question of having the SC share a vSwitch with the VMs admin?  They are on the same VLAN physical.   We do not control the switches, is not really an option to configure the VLANS on switches.  Thank you.

  Hello

  Thank you.  I think that I can not have explained myself quite clearly.  I was not suggesting put Admin VMs and the connections on the same vSwitch as the Production Server VMs.  On the contrary, I was concerned by the SC being on the same vSwitch as the VMs Admin, I do not think that it is a good practice to.  In our environment, we have a single subnet for all virtual machines, separated into 2 subnets on the physical switches.  We do not use (or want to use) VLAN tagging on the vSwitches.  There is the firewall between each of our VLAN.  So, the admin VMs are separated from the VLAN Production by a firewall.  My real question is the size of a security problem for the SC and the admin virtual machines to share a vSwitch if they already share a physical network?  We do not have the ability to create a separate network or VLAN just for traffic SC.  Our environment now looks like this:

  Because they already share the same physical network sharing the same vSwitch is not a huge or any concerns. Consider the vSwitch another part of your administrative network. The best practice is to put all the management servers and virtualization workstations within the same firewall network. You have done this.

  -natachasery 2-SC & admin VM network (local network VIRTUAL 0 192.168.15.0/24)

  Works for me. I often use the Administrative VMS and place them on the vSwitch with the SC. After all they are using the same network and the vSwitch is just another part of the Web of network switch.

  -3 natachasery - Prod VM network (VLAN 1 192.168.15.0/24)

  Not sure I would use 3 but I leave that to you.

  -2 natachasery - VMKernel & SC (10.10.1.0/8)

  It passes through security zones. I would use rather your firewall administration to fill ports of CHAP protocol between IP storage network and the administrative network. What you have is a common, but not the safest practice you have now 2 attack points in the service console of administration network and from the network of IP storage. This could include the possibility of virtual computers that use iSCSI initiators. Because everything you need is to have the SC participate for CHAP (whether you use it or not), you can easily use your existing administrative firewall to do this. You may need to fix things up a bit to within your network to make this happen, but it would be how I would address this possible security problem.

  -2 natachasery-vMotion (172.16.32.0/16)

  Sounds good.

  It would be useful to create a fifth vSwitch just to house the VMs admin, so that they do not share a vSwitch and natachasery with SC?

  Not really. Same Security Zone.

  Best regards

  Edward L. Haletky

  VMware communities user moderator

  ====

  Author of the book "VMWare ESX Server in the enterprise: planning and securing virtualization servers, Copyright 2008 Pearson Education.»

  Blue gears and SearchVMware Pro Articles: http://www.astroarch.com/wiki/index.php/Blog_Roll

  Security Virtualization top of page links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

• Load pull to the output corresponding to network design

  Hello

  I tried to design the entrance and exit of the matching networks for a power amplifier using the traction load script and the elements of HBTUNER2. According to the contours of traction load, the optimal point impedance is 15.37 - j21.99 (I chose a compromise between EAP, DCRF and PGain). Now my question is when I use the wizard iMatch to convert this to a 50 ohm termination impedance, use 15.37 - j21.99 or the conjugate 15.37 + j21.99? Otherwise, what is the reason? I always thought that load a script pull gave the impedance looking into the port of the active peripheral side. How did the point impedance suggested by loading a script pull to interpret?

  Thank you much in advance.

  
  

• New AD Network Design

  Asked me to design a new network of Active Directory for my business. Where should I start?
  I am looking for a kind of map of Q and A questions about the types of users and of their functions, etc that I can use to make you to configuration etc group.
  Y at - it guides for this kind of thing?

  Hello Mark,

  Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the following forum:

  http://social.technet.Microsoft.com/forums/en-us/categories/

• install new PS6510e - no communication on Iscsi network

  Getting desperate here now.

  bought refurbished ps6510e of third-party reseller - have been categorically denied access to the site of dell for support on that basis.

  connected to 2 servers R720 via grouped 10 gb SFP + cables through a switch of 8024F to SAN with redundant connections of 10 GB on two controllers. configured on the private network for iscsi only traffic with addresses private to each server, switch, Saint Nic individual and the Group ip san.

  set up in business / management network for servers / san / management switch with works perfectly.

  2 (2012r2) servers can communicate with each other via the links of 20 GB. No communication with san via ping or connecting iscsi connectors at all. servers can ping each other and switch, not san. CLI in san - cannot ping anything - not even his own individual ip addresses. SAN web interface reports that snap ports (15 + 16), it is plugged into the switch so that he knows that she is and that she connects to her apparently happy.

  configured according to the guidelines of dell white papers, frames, LAG switch. I swapped 10 GB connections between servers and san groups, and regardless of the combination of connections, servers talk, san does not work.

  interface Web and SAN HQ all report everything is hunky dory. one mistake is on the free space that we have configured volumes while.

  bright ideas about what was fundamentally wrong very favorably received.

  Hello

  Re: refurbished.  Sorry, but Dell does not offer without PS Series in this way.  Dell partners cannot provide these services either.  Support requires the table under warranty or support contract access to firmware, and other downloads.  In addition, the license to use the table is maintained in the contract, not the hardware.  This license may not be transferred or resold.

  Re: is associated. PS Do not support series without grouping at all.  You need to configure MPIO on servers instead.  Almost sure that tagging VLAN is not in use, or stripped of all PS Series ports.

  In the GUI, network ports show online?

  On the switch, make sure that you have the current firmware, and data center bridging (DCB) is disabled.

  Given you cannot ping anything, I suspect the cable or switch configuration.  If you use TWINAX cables be PASSIVE, Active cables are not supported.

  Kind regards

  Don

• Helps the FS7610 PS Series SAN, 10Gb network design

  Hi, we have currently a square of infrastructure EqualLogic SAN and NAS (2 x PS6510E, FS7500), a stack of two PC8024F 10 GB switches, 2 envelopes chassis m1000e blade with the A1 being a set of switches 1 GB m6220 fabric (fabric A2 a battery of the same thing), the tissue being a pile of m8024k B1 10 GB passes, (fabric B2 a battery of the same thing) and a stack of PC6224 two 1 GB (top of the grid GigE) switches.

  We all have this connected to the 10 GB being its own private network 10.1.0.x SAN network and vlan, nice and isolated from all the rest.  The blades can access the iSCSI shares via their network cards of 10 GB which is all on this network 10.1.0.x.  The NIC 1 GB on the blades are on a public network, and the FS7500 of the customer ports are on this network too via the 6224, so NFS connections are established via the public network to 1 GB.

  We intend to invest in an additional PS Series array to the host to a backup site, for replication.  At the same time, we plan to buy a FS7610 to our main site to take advantage of our 10 GB infrastructure and move the FS7500 existing to our backup site, so we can replicate iSCSI and NAS container volumes.

  That's where we could use some help, because now many things have changed.  Now, the SAN must be on the public network for replication to succeed, AND to take advantage of the connectivity of 10 GB and sharing NFS mount of the FS7610 through 10 Gbit, we need to use network cards 10 Gbit and switches in the network of the client NAS, that are already used for iSCSI traffic (and will in the future be used for connections to SAN vmware hypervisor).  In the FS7610 install and set up the guide, it says

  • Use the switches for network client and for the internal network and the SAN.
  • Use separate subnets for network client and for the internal network and the SAN.

  We can move the SAN and it is a dedicated subnet network and VLAN that is on the public network without problem, but my main concern is to be able to satisfy the recommendations/network configurations required for the FS7610 and avoid the local SAN/NAS traffic through a router to ensure connections of 10 GB.  Advice or tips are appreciated!

  It is the same thing that you are dealing with Linux, but TCP/IP standard routing.   You cannot route private subnets directly on the internet.  We need to create a "Wan".   Do not directly routed on the internet.

  Your WAN will create a private network and a tunnel over the Internet.   OpenVPN is a possible solution.

  A very widespread scenario might be:

  Once you have put WAN in place, on the internet of these routers would be a true internet address (e.g., 62.x.x.x.x) so the two WAN devices can communicate with each other.   They create a VPN tunnel with a new subnet, say 10.3.0.x.

  The WAN router primary side would have a leg on the subnet 10.1.0.x, say with 10.1.0.10 IP address as your default route on the side of EQL SAN 10.1.0.10.

  On the side of the DR this router would have a leg on the 10.2.0.x subnet, say 10.2.0.10.  The default GW on the side DR would be 10.2.0.10.   The router knows how to move packets between networks using the standard range.

  Looks like all you're missing is the "WAN" VPN tunnel between sites.  You want something that will encrypt traffic between the sites anyway.

  Who help me?

  Kind regards

• DMZ virtualization and network design. UCS + VMWARE

  Until now, we had a network physically segmented with internal and external vtp different areas/zones. Keys "inner area" hear a VLAN and keys "outer zone" along a VLAN different. VLANs are not propagated between different areas for security reasons, are isolated.

  Currently, we started to work with UCS + VMWARE, and we are facing difficulties. According to the previous model, if virtualize us servers within the internal battery of the UCS area, we cannot not virtualize servers within the outer external in the same UCS, since I wish to propagate VLAN switches area internal as well as for the farm of the UCS, mix. As a result, the isolation would be lost.

  I'm reviewing my network base, in order to adapt current infrastructure to the new with UCS + VMWARE, without missing any point security.

  My main point, is whether it is possible to virtualize external virtual machines and internal area in the same UCS, without compromising the security of my network.

  Could you give me some advice or design guide?

  Kind regards

  Hello-

  You are right that upward through UCS 1.4 all them VLAN should be available on the switches upstream.  However, UCS 2.x introduced a feature named "Disjoint L2."  By using this feature, you will be able to connect interconnect fabric to your internal network and the DMZ, then configure the VLANs to blades.

  http://www.Cisco.com/en/us/docs/unified_computing/UCS/SW/GUI/config/Guide/2.0/b_UCSM_GUI_Configuration_Guide_2_0_chapter_010101.html

  Matthew

• How to use 4 x 1 GB for software iSCSI NETWORK interface card.

  Hello. I have a HP P2000 G3, with iSCSI connections 4 x 1 GB. I have 4 free 1 GB NIC on my 5.5 esxi server. IM wondering how I could put things upwards, so it would use iSCSI 4x1Go at the same time, so I would get a 4 Gbps to my SAN connection. Is this possible? I read something about iSCSI multi-trip and Port binding, but is all a bit confusing. It seems to me which is used for failover? I tried to put in place using a multipathing guide and got to the top and his display I 8 paths to my SAN, but it seems that a NETWORK adapter is used when considering my switch activity.

  Any help would be appreciated.

  Take a look at this blog post: http://www.virtualtothecore.com/en/howto-configure-a-small-redundant-iscsi-infrastructure-for-vmware/

• iSCSI network configuration

  Hello world

  I did two configured 5.1 esxi hosts with iSCSI SAN and they work very well. In fact, the configuration of the network is as below:

  MD3200i: 4 of the 8 ports configured on both controllers. two on a subnet on VLAN x and two on another subnet on VLAN y.

  ESX HOSTS: two different vSwitches with a vmnic and a vmkernel on each host.

  Everything works well, with configured multipath.

  So now: I want to improve the performance of storage using the last four ports on the md3200i and the two NICs per host.

  My question is do I have to create new vmkernel for each nic 'new' or do I just add nics on my vSwitches?

  Maybe I misunderstood the documentation I've read, but the portbinding is not improve performance but only HA feature?

  

  Thanks in advance

  Martin

  Unless there is something that has changed lately, you need a one-to-one relationship between groups of VMkernel ports and vmnic. Actually regardless if configure you this in a single vSwitch - with setting the vmnic as assets/Unused - or by using a vSwitch by group of VMkernel ports.

  André

• iSCSI network problem

  I have simply attach an iscsi storage to ESXI and then allocate space on the storage to a virtual machine. In the virtual machine I copy a large file (about 4G) to this disc, in the process, it's always happened that adaptation procedure does not.

  I tried iStorage server and Starwind. iStorage server is a little better than Starwind in performance.

  Without details about your configuration, it is difficult to say what the problem is. Please provide as much detail as possible about your test environment, the versions that you are using and the configuration of the network (especially the iSCSI configuration).

  Best bet is usually to use the vendor's documentation best practices. On the site of Starwind you find these resources, Kernsafe site is not easy to find documentation and what I've found, it's a little outdated (configurations for ESX 4.0), but maybe I missed something. However, given that you work for Kernsafe I am sure that you have access to the documentation.

  André