As they say behind every great implementation there is a great design! Unfortunately many of the poor implementations are due to a poor or even lack of planning. Storage is a key component that is the heart of a virtual data center. So in this post I will share a use case scenario based on a real life project focusing on translating storage requirements into the design.
Company ABC just adopted virtualization (greenfield implementation) and are looking to invest in a new storage array to replace their older SAN.The IT Director wants to go with a storage that will utilize their current Ethernet network to keep cost of infrastructure down.
The Director also asked for a block based storage for some of their mission critical workloads. Also data metrics collected showed heavy traffic at certain peak times. The client also need high availability built in. Finally, the security officer has concerns about security of this new virtual infrastructure and wants assurance it will be as secure as possible.
The above scenario is fairly typical so lets look for the requirements within those words!
– “Block based storage that will utilize their current Ethernet infrastructure”. This is more of constraint than a requirement as it restricts your choice as an Architect in the type of storage you adopt in your design. The choice here is iSCSI storage (or FCoE but for cost reasons we are going ahead with iSCSI).
– “High availability built in”. From a storage aspect that means multiple paths built into the design to mitigate the risk of a path failure from host server to SAN. Also alarms need to be set up to be triggered when the Storage Path Redundancy or storage connectivity is lost.
– “Heavy storage traffic”. I often see vLANs used to address heavy traffic. This will not help. Instead you need to explore a few options:
a) Enable Jumbo frames for iSCSI traffic to increase storage traffic efficiency.
b) 10Gb Ethernet is another option in dealing with heavy iSCSI traffic.
c) Use switches with a better backplane I/O capacity is another possibility.
As an Architect, you want to discuss these options with the client to get their buy-in. Some clients might resist jumbo frames use. Others might pause at the cost of upgrading infrastructure (costly switches, NICs, and upgraded cabling) to support 10Gb network.Also buying more capable switches will require a bigger investment Getting the buy-in from stakeholders is a key to avoid “misunderstandings” down the road.
– “As Secure as possible”. iSCSI traffic is not encrypted so it is vital to secure it to avoid a bad day at the office! There are different ways to secure it:
i) Virtual isolation through a separate vLAN for the iSCSI traffic. This way the traffic will be isolated and not get routed.
ii) Use CHAP Authentication. Use Challenge Handshake Authentication Protocol “CHAP” for authentication between iSCSI initiators and targets. However although CHAP is secure, it is subject to offline dictionary attacks using brute force.This leads to the next option IPSec.
iii) IPSec. When we say IPsec we could be refering to two possible areas: AUthentication and Encryption. On the authentication side, IPsec is another option for securing iSCSI traffic. This is done by authentication using per-shared keys (similar to CHAP). The major difference between IPsec and CHAP is IPsec provides the advantage of support of stronger authentications such Kerberos and certificate-based authentications. The downside of IPSec is it is not as widely supported by storage vendors as CHAP is. However, in this case IPsec Authentication will be used once the support by storage vendor has been confirmed to provide the highest level of security requested by client. IPsec authentication authenticates the integrity for data communication but does not provide any type of encryption.
IPsec encryption, although it does encrypt the traffic it does come with an overhead that could lead to degradation in performance.It is needed if your iSCSI traffic is going through unsecured networks but in our scenario, this is not the case, therefore encryption is not needed.
iv) Use dedicated storage switches that exclusively handle iSCSI traffic to secure storage transport.
This was just a quick high level view of translating business requirements into technical requirements in the design.
Thank you for reading.