iSCSI implementation: How to design, deploy an iSCSI SAN

When approaching an iSCSI implementation, you'll need to carefully consider product selection, network design, TCP/IP offload, security/encryption and management.

An iSCSI SAN brings shared storage to businesses that need to keep an eye on cost and can't necessarily afford the equipment and training involved with Fibre Channel. But while iSCSI can use existing IP networks and skills, its implementation is by no means a trivial matter, and deployment calls for some serious decision making.

In this interview, Bureau Chief Antony Adshead speaks with consultant Chris Evans of Langton Blue about the key considerations involved in implementing an iSCSI SAN, such as product selection, network design, TCP offload and security.

Read the transcript or listen to the podcast as an MP3.

What are the key steps in implementing an iSCSI SAN?

Evans: First of all you need to choose the product, and here you'll look at a number of parameters like performance, scalability, cost and maybe some other features like the ability to take snapshots or to do replication. There are lots of products on the market to choose from, and they all have their own benefits.

You will also want to connect your iSCSI SAN to hosts, and that will be part of your IP network. You need to sit down and decide how you want that to work; will you have a dedicated network or a separate network? What level of performance do you want; do you want 10 Gbps, or will you run at gigabit speeds?

You need to look at things from a design perspective and include things like availability because clearly at the SAN level you would traditionally want to make sure you had redundancy of connection, so you may have to look at having two sets of networks and maybe separately VLANning them to give you that level of multipathing and availability.

The next thing to look at is security. If you're going to put this sort of technology on an open network, you're going to secure it, and there are two methods you need to look at here. There's security of access, and there's encryption of data as the host is accessing it. On an open network, obviously, people can sniff traffic, and therefore you need to make sure it's correctly encrypted.

There are a couple of methods for doing encryption. There's a basic method using something called CHAP, or you can go a bit more detailed and use a RADIUS server to centralise security.

There are two other things that are quite related to each other: standards and management. You'll need to decide how you want to structure your environment, how you want to set it up, your naming standards, the size of the LUNs you're going to give out, and you'll want to look at the tools you'll use to manage this environment.

If you're going to come up with an environment that needs to grow, you'll need to make sure the management tools you're going to deploy are going to give you the level of detail you want and allow you to manage the environment effectively.

What are the key pitfalls and challenges in implementing an iSCSI SAN and how can you avoid them?

Evans: We already touched on the network issue, and if you are on a shared network then you need first of all to make sure you're putting encryption in place. You need to also think about what happens on a shared network because there might be other devices on the network that can cause latency issues, so probably the best way to mitigate that would be to go with a dedicated network, dedicated infrastructure if you can afford it; if not, dedicated VLANs allow you to manage that traffic separately.

From the host perspective, clearly if you're looking to put in an environment where performance is an issue, the host itself would normally be performing the iSCSI work so you may want to put in a dedicated physical iSCSI host bus adapter (HBA). That might increase cost, but it would offload some of the IP traffic onto a dedicated piece of hardware.

You need to look at availability in detail, and we touched on that earlier with multipathing. In traditional Fibre Channel environments, people would normally put dual paths from host to server, and the reason for that is to allow either one path or the other to be taken offline or if there is a failure in any of those components it won't take the system down; therefore, in an iSCSI environment you'd want to get that level of availability.

We also touched on security, which is an issue you really must take seriously. Therefore you need to sit down at the outset and decide what you think is the best route to implementing it.
