Linux.com

Re:Security?

Posted by: Anonymous Coward on July 04, 2006 08:55 AM
Just thought about this more. In practice, you'd definitely want to be using a switch that supports port-based VLANs. Hopefully all data centers that are even contemplating something like a SAN are doing this already. If not, that should be their first upgrade, just to be able to keep things straight on the enterprise network. :-)

Now, for the AoE specifics. You would set up your array of disks in one part of the data center, and you'd put your servers which need to access those arrays in another part of the data center. You'd have a mondo-sized server with, say, three or four multilinked Gig-E interfaces (Cisco switches, among others, support this, as does Linux) or a single 10Gbps link, and this mondo-sized server would have all the physical disk arrays attached to it via several hardware RAID cards. Note that the physical disk arrays themselves could be SCSI, ATA, or whatever. On this mondo server, make one logical array (I'll use RAID5 as an example here) per AoE client (application server, Samba server, Samba/LDAP domain controller, whatever) that you're planning to stand up and have use this SAN.

Now, export all of those RAID5 logical arrays, remember, one per AoE client. The AoE clients will attach to each exported RAID5 (remember that we're assuming physical security here) and treat it as local disk. Of course, we still have the problem of a sysadmin who isn't careful and does mkfs all over another AoE client's disk space.

Here's where things get interesting. If both your mondo server and your SAN Ethernet switch support 802.1Q VLAN trunking on the MultiLink, then you can go a step further in preventing the AoE clients from stepping on each other's arrays. Just tell the mondo server's MultiLink to be an 802.1Q VLAN trunk, and do the same on the other side (the Ethernet switch). For those using Cisco Catalyst switches, the commands are as follows.

    switchport trunk encapsulation dot1q
    switchport mode trunk

Now, when you export each RAID5 array, do so on a VLAN subinterface on the mondo server, one VLAN for each AoE client (e.g. VLAN 11). Then, when you stand up your AoE client (e.g. a Samba/LDAP domain controller), you simply put that AoE client's switch port in that corresponding VLAN (in this example, VLAN 11). Remember that we are setting up our AoE clients with two NICs--one pointing to the enterprise LAN, and the other pointing to our shiny, new AoE SAN. Of course, you could scale this by having more than one combination of mondo server and Ethernet switch; just as a gut feeling, I wouldn't put more than ten AoE clients on a mondo server without further testing, assuming that each uses a 1Gbps SAN link.

If this sounds a little complicated and involved, well, yes, it would be. However, any SAN solution is complicated and involved, if you actually plan it out and do it right. This SAN type appears to be no different that way.

