Re: VLAN Isolation for iSCSI Network

doug.dockter · ‎09-14-2007

I have set up a VLAN on a Catalyst 3560 for an iSCSI network. I would like to isolate this traffic from the rest of the LAN. As presently configured, I can ping a device on the iSCSI VLAN from a device connected to a port not part of that VLAN. What configuration change do I need to make to prevent this?

Jon Marshall · ‎09-14-2007

Hi Doug

If you want to totally isolate this traffic from the rest of the LAN you can simply remove the Layer 3 SVI for that vlan. Without a layer 3 interface nothing will be able to communicate with this vlan from any other vlan.

if you need the layer 3 SVI you could look to use access-lists eg

Lets say the rest of your LAN =

192.168.5.0/24

192.168.6.0/24

access-list 101 deny ip 192.168.5.0 0.0.0.255 any

access-list 101 deny ip 192.168.6.0 0.0.0.255 any

...

any traffic, if there is any, from other networks to your iSCSI network you can add here to the access-list.

interface vlan 10 (assuming this is iSCSI vlan interface)

ip access-group 101 out

HTH

Jon

doug.dockter · ‎09-17-2007

Hi Jon,

Please pardon my limited knowledge, but can you tell me how I can go about removing Layer 3 SVI from a VLAN. I'm most familiar configuring my switch using Network Assistant.

Doug

Jon Marshall · ‎09-17-2007

Doug

Do you have command line access to the switch. Sorry as i have never used Network Assistant.

If you do have CLI access you need to dtermine which vlan is the iSCSI vlan, lets says it's vlan 10.

From enable mode

switch# sh ip interface brief

This will list all the interfaces on the switch. You are looking for a vlan10 interface.

Assuming there is one

switch# conf t

switch(config)# no interface vlan 10

switch# wr mem

By removing layer 3 interface nothing on vlan 10 can talk to any other vlan and no other vlan can talk to anything on vlan 10.

Be sure that is what you want.

HTH

Jon

doug.dockter · ‎09-18-2007

Jon,

When I issue the sh ip interface command, the vlan I have defined for iscsi traffic does not show on the list. It does show with a sh vlan command.

Doug

Jon Marshall · ‎09-18-2007

Doug

If you do not see the vlan interface then you don't have a layer 3 interface on that switch. However you are saying that you can ping a device on the iSCSI vlan from a device on another vlan so

1) You have a lyer 3 interface for the iSCSI vlan, just not on that switch.

2) Your vlan allocation and ports within that vlan are slightly off.

Could you post configs of switch. Can you confirm that only the switch you are on would have layer 3 interfaces for the vlans ?

Jon

doug.dockter · ‎09-18-2007

Jon,

Attached is the config file.

Doug

Jon Marshall · ‎09-18-2007

Doug

Is vlan 2 the iSCSI vlan ?

Which vlan is the device connected into that can ping one of the iSCSI devices ?

Jon

doug.dockter · ‎09-18-2007

Jon,

1st thanks so much for you patience with me! Yes vlan 2 is the iSCSI vlan. I can successfully ping from a server connected to vlan 1. I can also ping from my workstation which is not physically connected to that switch.

Doug

Jon Marshall · ‎09-18-2007

Doug

Could you provide

1) the ip address of your workstation, the subnet mask and the default-gateway

2) The same for one of the iSCSI devices that you can ping.

Jon

doug.dockter · ‎09-18-2007

Jon,

I finally figured out what is going on here, and should have sooner so as to waste less of your time. The NetApp has two interfaces - one connected to vlan 1 and the other to the iSCSI vlan. Apparently the NetApp does some internal routing of traffic from one interface to the other. That's why I was always able to ping from my LAN to the NetApp iSCSI interface. I connected a PC to a port on the iSCSI vlan and was not able to ping any addresses on my lan. The only address I could ping was the ip address of the NetApp connected to the iSCSI vlan. This is what I want. Hope that all made sense, and again thanks much for all your time.

Jon Marshall · ‎09-18-2007

Doug

No problem. Thanks for getting back and letting me know what was happening.

Jon

corey · ‎09-14-2007

If the iSCSI is not for VMware you can isolate it. If it is for VMware the Service Console must have access to the storage. If all the iSCSI devices can support Jumbo frames on this separate VLAN, performance generally improves and overhead decreases.