Emerging business needs such as off-site disaster recovery, storage consolidation and better sharing of existing resources are driving the impetus to keep SANs logically separate while physically connected. Storage routing products such as Cisco System Inc.'s SN 5428, Computer Network Technology Corp.'s UltraNet Edge, Crossroads Systems' 10000 and McData Corp.'s IPS 3300 enable users to choose between FC, FCIP, iFCP, IP, iSCSI and SCSI protocols to connect their existing storage islands to one central SAN.
The Virtual SAN (VSAN) technology offered in Cisco's MDS 9000 series of directors lets users partition SAN traffic. Brocade Communication Systems' Logical Storage Area Networks (LSANs) technology offers similar functionality; the SilkWorm Multiprotocol switch (AP7420) connects multiple fabrics without merging them (see "VSAN implementations"). McData's new DS10000 directors allow users to segregate functions within a SAN using hard partitioning.
Technologies such as VSAN, hard partitioning and LSAN represent vendors' first attempts to isolate the traffic and data on a SAN. These technologies are modeled after Virtual LAN (VLAN) technology, which allows different devices on different LAN segments to communicate with one another as if they're on the same physical segment.
Users cite a variety of practical reasons for wanting to isolate their SANs, and VSANs offer effective methods to satisfy their needs. VSANs allow storage administrators to set up preproduction tests on the same SAN that hosts production applications and data. They also minimize the impact of fabric-wide disruptive events. But the greatest benefits of implementing VSAN technology are likely to be realized in large SAN deployments.
Larger environments tend to get more complex as SANs consolidate. While costs decrease and capacity utilization increases, management and administrative issues become thornier. For instance, individuals used to managing their own SAN islands prior to consolidation may need to still manage their piece of the consolidated SAN for administrative and security reasons, yet current SAN technology makes this almost impossible.
VSANs provide practical solutions. Technologies from both Cisco and McData allow users to create fabrics containing their own fabric services and management access within the SAN. Each VSAN fabric has its own name server, zone server and domain controller, so administrators can have the control they need and allow users attached to the SAN to experience the same level of services they had before.
This becomes especially relevant in storage environments with special requirements. For instance, administrators in production environments may need to limit the timeframes when changes are made in their switch environment. Other administrators working in test and development environments may need to make changes throughout the day to meet ever-changing testing demands.
But often test and development SANs are merged with production SANs and must adhere to the production SAN's more stringent requirements. Current SANs don't accommodate the coexistence of these two environments very well, with users on the development side often getting the short end of the stick by having to work within the confines of the more constraining production environment.
VSAN technology solves this. Cisco and McData allow users to create separate VSANs for different environments on the same switch. Brocade's AP7420 switch allows resources to be shared between the two storage fabrics while maintaining the integrity of each fabric.
High-volume backup traffic in a consolidated storage environment is best run on a separate fabric. Cisco's MDS 9000 and McData's DS10000 enable the segregation of backup traffic from other VSAN traffic. Users in Brocade environments can theoretically configure their AP7420 and partition the switch to separate the backup function as well, but because it's only a 16-port switch, it may make more sense to create a separate SAN dedicated to backup.
However, there are downsides to dividing up the resources of a switch. With VSANs, disk or tape resources allocated to one logical SAN can't be shared with another VSAN. Complementary technologies like Inter-VSAN Routing (IVR) from Cisco help overcome this problem. IVR is a standard part of Cisco's latest MDS 9000 SAN-OS 1.3. It enables the sharing of common storage resources such as FC tape drives and WAN links in Cisco VSAN networks. IVR examines data traffic on different VSANs and allows certain data packets access to devices on another VSAN. But IVR technology only became available with Cisco's November 2003 SAN-OS 1.3 release. Users of other FC switch vendors need to wait until a standard gets defined.
McData's new DS10000 switch features a competing technology called hard partitioning. It operates in a manner similar to Cisco's VSAN technology. Hard partitioning enables, for example, separate administrative logins, data isolation and even different versions of switch microcode to run on different partitions of the same switch. But McData directors don't allow sharing of storage resources dedicated to one partition by another partition, as Cisco's IVR does.
Brocade's LSAN technology lets users create a VSAN. Rather than offering this feature as an option on its director-class 12000 switch, Brocade chose to deploy this technology on its SilkWorm Fabric AP7420 switch. The switch lets departments retain the management responsibility of their SAN and keep their servers and storage in their existing location. A department with excess capacity can share it with another group, and they can recover or replicate their data at another site.
The AP7420's EX_Port allows the sharing of resources between different fabrics. It acts like a Fibre Channel Network Address Translation (FC-NAT) engine by presenting a device on one SAN to the other SAN, only with a different FC address. So if Tape Drive 1 on SAN A needs to be shared on SAN B, the AP7420 could present it as Tape Drive 2 on SAN B, while protecting its identity of Tape Drive 1 on SAN A's fabric.
Yet Brocade's AP7420 implementation continues to reinforce user perceptions that almost every solution it introduces consumes more FC ports. For example, to achieve redundancy between two existing fabrics requires 16 FC ports: four on each existing SAN, plus four more on each of the two AP7420s. At a cost of $1,500 or more on the existing ports, this adds over $12,000 to the cost. Users should urge Brocade to implement back-end inter-switch links (ISLs) on their switches for these types of solutions.
[Table: Virtual SAN switches. Researched by Robin Raulf-Sager. *Configuration of DS10000 is subject to change because it hasn't been released yet.]
[Sidebar: Startups' storage linking alternatives]
VSANs not for novices
With all of the vendor VSAN implementations, users need to be cautious about how implementations and changes are done. Only certified storage administrators should be permitted to make changes regarding what resources are shared. Inexperienced administrators may find they can easily share a storage device with another VSAN. However, they may not understand the risk of sharing an array port dedicated to only Sun servers with a Windows server on the other VSAN, or the problems of exposing a tape drive owned by Veritas NetBackup to Tivoli Storage Manager on another VSAN. Sharing mistakes may cause data corruption on the array port, or result in the tape device becoming inaccessible to either product.
Managing VSANs is an issue, too. For now, users are essentially forced back to Excel spreadsheets to track how devices are used on their assigned VSAN. And it gets even more complicated if devices are shared across multiple VSANs. Because few, if any, storage resource management (SRM) tools can track either the VSAN configuration or how the device gets shared between the VSANs, users need to understand the ramifications of device sharing using VSAN technology before using it.
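One way to catch the sharing mistakes described above before they are configured is to check the device inventory against a couple of rules. This is an added example, not code from the article or from any Cisco, McData or Brocade tool; the inventory format, host names, WWN-free device names and VSAN numbers are all constructed for the illustration.

```python
"""Flag risky cross-VSAN device shares before they are configured.

Added example, not code from the article or any vendor tool. The inventory
format is constructed: hosts carry VSAN, OS and backup product; devices
carry a home VSAN and what they are dedicated to; a share exposes a device
into one extra VSAN, as IVR or an LSAN would.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    vsan: int
    os: str
    backup_product: str = ""  # empty when the host runs no backup server

@dataclass(frozen=True)
class Device:
    name: str
    kind: str          # "array_port" or "tape"
    vsan: int          # home VSAN
    dedicated_to: str  # OS for an array port, backup product for a tape drive

def find_share_conflicts(hosts, devices, shares):
    """Return (device, target_vsan, reason) for each share that exposes an
    array port to a foreign OS or a tape drive to a second backup product."""
    by_name = {d.name: d for d in devices}
    conflicts = []
    for dev_name, target_vsan in shares:
        dev = by_name[dev_name]
        for h in (h for h in hosts if h.vsan == target_vsan):
            if dev.kind == "array_port" and h.os != dev.dedicated_to:
                conflicts.append((dev_name, target_vsan,
                    f"{dev.dedicated_to} array port exposed to {h.os} host {h.name}"))
            elif dev.kind == "tape" and h.backup_product not in ("", dev.dedicated_to):
                conflicts.append((dev_name, target_vsan,
                    f"{dev.dedicated_to} tape drive exposed to {h.backup_product} host {h.name}"))
    return conflicts

# Constructed inventory: VSAN 10 is Sun/NetBackup, VSAN 20 is Windows,
# VSAN 30 runs Tivoli Storage Manager, VSAN 40 is a second Sun fabric.
HOSTS = [Host("sun-db1", 10, "Solaris", "NetBackup"), Host("win-app1", 20, "Windows"),
         Host("tsm-srv1", 30, "AIX", "TSM"), Host("sun-test1", 40, "Solaris")]
DEVICES = [Device("array01_p3", "array_port", 10, "Solaris"),
           Device("tape01", "tape", 10, "NetBackup")]
SHARES = [("array01_p3", 40), ("array01_p3", 20), ("tape01", 30)]

if __name__ == "__main__":
    for device, vsan, reason in find_share_conflicts(HOSTS, DEVICES, SHARES):
        print(f"{device} -> VSAN {vsan}: {reason}")
```

The share of the Sun array port into the second Sun fabric passes; the share into the Windows fabric and the NetBackup tape drive exposed to the TSM server are both flagged.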
VSAN technology is relatively new, so users should only logically segregate their SANs when there's a real business need. Consider Cisco's MDS 9000 or McData's DS10000 if the goal is to consolidate all of the servers and storage in one location.
For now, Cisco has an advantage because its switch has been on the market longer--administrators are certified on its switches and the technologies deployed resemble utilities in their networking switches. Brocade's AP7420 is a more viable option for sharing resources between two vendors' fabrics without compromising the integrity of either one. Regardless of the product chosen, users will be locked into a vendor's product until a standard is released in a year or so.
Bridges and routers
Not all users want to consolidate their SANs, but need to connect legacy storage devices and servers to their FC SAN. Others need to connect with off-site locations for resource sharing, disaster recovery or business continuance purposes. Storage bridges and routers can be used to satisfy these needs.
Standalone bridge and router products allow users to keep their existing technologies while connecting to their budding FC infrastructure. Cisco's SN 5428 router supports two Gigabit Ethernet ports and eight FC ports. By supporting both the iSCSI and FC protocols, users can gain access to FC-attached storage devices using low-cost Ethernet technologies. The SN 5428 also offers management features found in both the IP and FC spaces, including SNMP and VLANS for IP networks, and LUN masking and zoning on the FC side.
The Crossroads 10000 router offers users a way to extend the life of their existing SCSI-attached storage devices. In addition, Crossroads has advanced its SCSI-to-FC bridge product, the SA40, which allows users to take their legacy SCSI-attached servers and connect them to a SAN. The SA40 also offers LUN masking capabilities and the unique ability to connect AS/400s to SANs.
In addition to just connecting existing devices to SANs, products from companies such as CNT and McData allow users to connect different SANs at different geographic sites. CNT's UltraNet Edge Storage router supports FC and Ethernet interfaces; the IPS 3300 Multi-Protocol IP Switch from McData supports FC, Gigabit Ethernet, iSCSI and iFCP protocols. Both offer bandwidth management, and their routers can interoperate with any E_port-capable FC switch. This permits users to connect different brands of switches at different sites to allow procedures such as asynchronous mirroring and sharing storage between sites.
QoS and security
David Stevens, CTO of Brocade's Transport Systems Group, says, "Quality of service in the network only matters when it costs money, otherwise users don't care." With 2Gb FC already commonplace, bandwidth plentiful in most environments and 4Gb and 10Gb FC just around the corner, most storage managers place a low priority on the ability to route and manage traffic on their FC infrastructure. However, QoS becomes an important consideration when managers start to move data between geographically dispersed SANs. Users should view the ability to monitor and maintain QoS as absolutely essential on any storage routers they deploy.
Security is the other feature that often falls below users' radar. With one person managing the switches and storage in many environments and SANs deployed in physically secure environments, security often gets scant attention. But with the introduction of iSCSI SANs--along with consolidated servers and storage--the odds increase that the storage network will be compromised, either accidentally or intentionally.
To fortify against possible security intrusions, users can adopt a three-phase plan to protect their storage infrastructure. The first step is to develop and implement role-based user logins. Configuring the zoning, setting up VSANs, updating the code on the switches and managing VM functionality all may require different user permissions. Cisco offers up to 64 different types of user roles on its OS to help ensure sufficient access security.
Authenticating servers as they log onto the FC fabric still receives little attention from users, but is on the road map of every switch vendor. Brocade and Cisco already support basic authentication methods like DHCHAP, but the next generation of security will expand to include RADIUS authentication. DHCHAP is a mandatory password-based, key-exchange authentication protocol that supports both switch-to-switch and host-to-switch authentication. RADIUS provides a higher level of security by maintaining a database of hosts authorized to log onto the SAN and what storage resources the hosts are authorized to access.
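To make the DHCHAP idea concrete, the following added example (not vendor code and not the FC-SP message format) models a password-based challenge-response bound to a Diffie-Hellman exchange, run in both directions so the switch authenticates the host and the host authenticates the switch. The response formula, the toy DH group, the WWNs and the secrets are all constructed for illustration.

```python
"""Simplified DH-CHAP style mutual authentication between a host and a switch.

Added example, not vendor code and not the FC-SP wire format: message layout,
the response formula H(challenge || own secret || DH shared value) and the
toy DH group are simplified for illustration. Each side holds its own secret
plus a copy of each peer's secret, indexed by WWN (all values constructed).
"""
import hashlib, hmac, secrets

P, G = 2**127 - 1, 5   # toy Diffie-Hellman group, far too small for real use

def _resp(challenge: bytes, secret: bytes, shared: int) -> bytes:
    return hashlib.sha256(challenge + secret + shared.to_bytes(16, "big")).digest()

class Entity:
    def __init__(self, wwn, secret, peers):
        self.wwn, self.secret, self.peers = wwn, secret, peers
    def challenge(self):
        # Initiator: fresh nonce C1 and DH public value g^x.
        self._x, self._c = secrets.randbelow(P - 2) + 2, secrets.token_bytes(16)
        return self.wwn, self._c, pow(G, self._x, P)
    def reply(self, peer_wwn, c1, pub1):
        # Responder: derive shared value, answer C1 with own secret, challenge back.
        y = secrets.randbelow(P - 2) + 2
        self._k, self._c = pow(pub1, y, P), secrets.token_bytes(16)
        return self.wwn, _resp(c1, self.secret, self._k), self._c, pow(G, y, P)
    def verify_and_answer(self, peer_wwn, r1, c2, pub2):
        # Initiator: check R1 against the stored peer secret, then prove itself.
        self._k = pow(pub2, self._x, P)
        if not self.verify(peer_wwn, r1):
            return None
        return _resp(c2, self.secret, self._k)
    def verify(self, peer_wwn, r):
        expected = _resp(self._c, self.peers.get(peer_wwn, b""), self._k)
        return peer_wwn in self.peers and hmac.compare_digest(r, expected)

def authenticate(initiator, responder):
    """Run the three-message exchange; True only if both sides verify."""
    wwn_i, c1, pub1 = initiator.challenge()
    wwn_r, r1, c2, pub2 = responder.reply(wwn_i, c1, pub1)
    r2 = initiator.verify_and_answer(wwn_r, r1, c2, pub2)
    return r2 is not None and responder.verify(wwn_i, r2)

SWITCH_WWN, HOST_WWN = "10:00:00:00:00:00:00:01", "21:00:00:00:00:00:00:02"
SWITCH_SECRET, HOST_SECRET = b"switch-secret-constructed", b"host-secret-constructed"
def make_pair(host_secret=HOST_SECRET, host_view_of_switch=SWITCH_SECRET):
    switch = Entity(SWITCH_WWN, SWITCH_SECRET, {HOST_WWN: HOST_SECRET})
    host = Entity(HOST_WWN, host_secret, {SWITCH_WWN: host_view_of_switch})
    return switch, host
```

A host presenting the wrong secret is rejected by the switch, and a host whose copy of the switch secret is wrong rejects the switch, which is the switch-to-host direction the article says the protocol also covers.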
VSANs give users a glimpse into what their SAN infrastructures will transform into over the next couple of years. As different departments and even different companies look to share resources for purposes such as cost control and disaster recovery, this technology will gradually move up in importance. For now, users should keep abreast of this technology and look to incorporate it into their SAN infrastructure in 2005.