Bridging SAN islands

To help ensure that a change made to one part of the SAN doesn't interfere with the entire storage network, some new products claim to offer switch-based intelligence that segregates the SAN and protects its data.

VSAN implementations
Brocade SilkWorm AP7420 LSAN technology is implemented on a standalone 16-port switch. It allows storage area networks (SANs) to share storage devices without merging the SAN fabrics. By deploying two AP7420s, the security and integrity of existing fabrics are maintained, the headaches of merging them are avoided, and the benefits of gaining access to underutilized storage devices may be realized. Deploy this technology when looking to share resources while preserving existing installations.
Cisco MDS 9000 series VSAN technology supports up to 256 VSANs on a single director, and any port can be assigned to any VSAN that has been created. Ports can also be moved between VSANs nondisruptively, so freed-up ports can be reassigned without an outage. Consider the MDS 9000 in environments that are consolidating onto one director where resources may need to be shared and one administrator will manage the switch.
McData DS10000 hard partitioning technology targets environments that want to eliminate multiple SAN islands while keeping the independent administration of the different fabrics. McData has not yet disclosed any sharing of resources between partitions, but expect a competing technology to be announced to keep up with Brocade and Cisco. Consider the DS10000 when consolidating onto one switch where resources will be kept isolated and different administrators want to manage the different partitions.
As storage networks grow and merge, routine tasks such as zoning changes, LUN security changes or installing a host bus adapter (HBA) may unintentionally destroy data in the storage area network (SAN). To help ensure that a change made to one part of the SAN doesn't wreak havoc throughout the whole storage network, some Fibre Channel (FC) switch vendors are offering new switch-based intelligence to segregate the SAN and help protect SAN data. With issues such as reliability and high availability largely resolved, features such as SAN isolation, inter-SAN connectivity, QoS and security will become increasingly important.

Emerging business needs such as off-site disaster recovery, storage consolidation and better sharing of existing resources are driving the need to keep SANs logically separate while physically connected. Storage routing products such as Cisco Systems Inc.'s SN 5428, Computer Network Technology Corp.'s UltraNet Edge, Crossroads Systems' 10000 and McData Corp.'s IPS 3300 let users choose among FC, FCIP, iFCP, IP, iSCSI and SCSI protocols to connect their existing storage islands to one central SAN.

The Virtual SAN (VSAN) technology offered in Cisco's MDS 9000 series of directors lets users partition SAN traffic. Brocade Communications Systems' Logical Storage Area Networks (LSANs) technology offers similar functionality; the SilkWorm Multiprotocol switch (AP7420) connects multiple fabrics without merging them (see "VSAN implementations"). McData's new DS10000 directors allow users to segregate functions within a SAN using hard partitioning.

SAN isolation
Technologies such as VSAN, hard partitioning and LSAN represent vendors' first attempts to isolate the traffic and data on a SAN. These technologies are modeled after Virtual LAN (VLAN) technology, which partitions one physical switched LAN into separate logical broadcast domains and lets devices on different physical segments be grouped so that they communicate as if they were on the same segment.

Users cite a variety of practical reasons for wanting to isolate their SANs, and VSANs offer effective methods to satisfy their needs. VSANs allow storage administrators to set up preproduction tests on the same SAN that hosts production applications and data. They also minimize the impact of fabric-wide disruptive events. But the greatest benefits of implementing VSAN technology are likely to be realized in large SAN deployments.

Larger environments tend to get more complex as SANs consolidate. While costs decrease and capacity utilization increases, management and administrative issues become thornier. For instance, individuals used to managing their own SAN islands prior to consolidation may need to still manage their piece of the consolidated SAN for administrative and security reasons, yet current SAN technology makes this almost impossible.

VSANs provide practical solutions. Technologies from both Cisco and McData allow users to create fabrics containing their own fabric services and management access within the SAN. Each VSAN fabric has its own name server, zone server and domain manager (principal switch), so administrators can have the control they need, and users attached to the SAN experience the same level of services they had before.

This becomes especially relevant in storage environments with special requirements. For instance, administrators in production environments may need to limit the timeframes when changes are made in their switch environment. Other administrators working in test and development environments may need to make changes throughout the day to meet ever-changing testing demands.

But often test and development SANs are merged with production SANs and must adhere to the production SAN's more stringent requirements. Current SANs don't accommodate the coexistence of these two environments very well, with users on the development side often getting the short end of the stick by having to work within the confines of the more constraining production environment.

VSAN technology solves this. Cisco and McData allow users to create separate VSANs for different environments on the same switch. Brocade's AP7420 switch allows resources to be shared between the two storage fabrics while maintaining the integrity of each fabric.

High-volume backup traffic in a consolidated storage environment is best run on a separate fabric. Cisco's MDS 9000 and McData's DS10000 enable the segregation of backup traffic from other VSAN traffic. Users in Brocade environments can theoretically configure their AP7420 and partition the switch to separate the backup function as well, but because it's only a 16-port switch, it may make more sense to create a separate SAN dedicated to backup.

However, there are downsides to dividing up the resources of a switch. With VSANs, disk or tape resources allocated to one logical SAN can't be shared with another VSAN. Complementary technologies like Inter-VSAN Routing (IVR) from Cisco help overcome this problem. IVR is a standard part of Cisco's latest MDS 9000 SAN-OS 1.3 and enables the sharing of common storage resources such as FC tape drives and WAN links across Cisco VSANs. Rather than merging VSANs, IVR lets selected devices in one VSAN be made visible to, and zoned with, devices in another VSAN; only traffic between those devices crosses the VSAN boundary, and each VSAN keeps its own fabric services. But IVR only became available with Cisco's November 2003 SAN-OS 1.3 release, and users of other FC switch vendors need to wait until a standard gets defined.

McData's new DS10000 switch features a competing technology called hard partitioning, which operates much like Cisco's VSANs. Hard partitioning enables, for example, separate administrative logins, data isolation and even different versions of switch microcode running on different partitions of the same switch. But McData directors don't allow storage resources dedicated to one partition to be shared by another partition, as Cisco's IVR does.

Brocade's LSAN technology reaches a similar result by a different route: an LSAN is a zone that spans two fabrics joined through Brocade's FC router, so selected devices can be shared without merging the fabrics. Rather than offering this feature as an option on its director-class SilkWorm 12000, Brocade chose to deploy it on the SilkWorm AP7420 switch. The switch lets departments retain management responsibility for their SAN and keep their servers and storage in their existing location. A department with excess capacity can share it with another group, and both can recover or replicate their data at another site.

The AP7420's EX_Port allows the sharing of resources between different fabrics. It acts like a Fibre Channel network address translation (FC-NAT) engine: a device on one SAN is presented to the other SAN under an FC address drawn from the second fabric's own address space, while its world wide name stays the same. So if Tape Drive 1 on SAN A needs to be shared on SAN B, the AP7420 presents it to SAN B under a proxy FC address that SAN B's name server and zoning can reference, while its real address on SAN A's fabric is untouched and SAN A's domain IDs and fabric services never merge with SAN B's.
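The following model shows the bookkeeping behind that translation, for both Brocade's EX_Port FC-NAT and Cisco's IVR described above. It is an added illustration written for this article, not Brocade or Cisco code: the WWPNs, the FCIDs, the way a phantom Domain_ID is picked and the frame (reduced to its S_ID and D_ID) are all invented for the demo. The two fabrics are deliberately given the same Domain_ID so that a plain merge would collide; the router instead claims a free Domain_ID in each fabric for its proxies and rewrites addresses in both directions. Zoning, which in a real fabric would have to reference the proxy addresses, is not modelled.

```python
"""Address translation across two fabrics joined by an FC router (model).

Added illustration for this article, not vendor code. WWPNs, FCIDs and the
phantom Domain_ID choice are invented; frames are reduced to S_ID and D_ID.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def fcid(domain: int, area: int, port: int) -> int:
    """Pack a 24-bit FC address: Domain_ID | Area_ID | Port_ID."""
    return (domain << 16) | (area << 8) | port


@dataclass
class Fabric:
    name: str
    name_server: Dict[str, int] = field(default_factory=dict)  # WWPN -> real FCID
    domains: Set[int] = field(default_factory=set)            # Domain_IDs in use

    def add_device(self, wwpn: str, addr: int) -> None:
        self.name_server[wwpn] = addr
        self.domains.add(addr >> 16)


@dataclass
class FCRouter:
    """One proxy FCID per (destination fabric, exported device)."""
    proxies: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    exported: Dict[Tuple[str, int], Dict[str, int]] = field(default_factory=dict)
    phantom: Dict[str, int] = field(default_factory=dict)
    next_port: Dict[str, int] = field(default_factory=dict)

    def _phantom_domain(self, dst: Fabric) -> int:
        """Claim one unused Domain_ID in `dst` to hold every proxy presented there."""
        if dst.name not in self.phantom:
            dom = next(d for d in range(1, 240) if d not in dst.domains)
            dst.domains.add(dom)
            self.phantom[dst.name] = dom
            self.next_port[dst.name] = 1
        return self.phantom[dst.name]

    def export(self, src: Fabric, wwpn: str, dst: Fabric) -> int:
        """Present `wwpn` (registered in `src`) inside `dst` under a proxy FCID."""
        real = src.name_server[wwpn]
        proxy = fcid(self._phantom_domain(dst), 0, self.next_port[dst.name])
        self.next_port[dst.name] += 1
        self.proxies[(dst.name, proxy)] = (src.name, real)
        self.exported.setdefault((src.name, real), {})[dst.name] = proxy
        return proxy

    def route(self, src: Fabric, s_id: int, d_id: int) -> Optional[Tuple[str, int, int]]:
        """Translate one frame leaving `src`: (far fabric, new S_ID, new D_ID).

        None means the router drops the frame: either the D_ID is not a proxy,
        or the sender has not itself been exported into the far fabric, so the
        far side would have no address to reply to.
        """
        target = self.proxies.get((src.name, d_id))
        if target is None:
            return None
        dst_name, real_d = target
        s_proxies = self.exported.get((src.name, s_id), {})
        if dst_name not in s_proxies:
            return None
        return dst_name, s_proxies[dst_name], real_d


def demo():
    # Both fabrics were built independently and both use Domain_ID 1, so they
    # cannot be merged without renumbering one of them.
    san_a, san_b = Fabric("SAN-A"), Fabric("SAN-B")
    tape = "50:06:0b:00:00:c2:62:00"   # invented WWPN: Tape Drive 1 on SAN A
    host = "21:00:00:e0:8b:05:05:05"   # invented WWPN: backup host on SAN B
    san_a.add_device(tape, fcid(1, 0x01, 0x00))
    san_b.add_device(host, fcid(1, 0x02, 0x00))

    router = FCRouter()
    tape_in_b = router.export(san_a, tape, san_b)   # tape appears in SAN B
    host_in_a = router.export(san_b, host, san_a)   # host appears in SAN A
    hop = router.route(san_b, san_b.name_server[host], tape_in_b)     # host -> tape
    back = router.route(san_a, san_a.name_server[tape], host_in_a)    # tape -> host
    return san_a, san_b, router, tape_in_b, host_in_a, hop, back


if __name__ == "__main__":
    a, b, r, t_in_b, h_in_a, hop, back = demo()
    print(f"tape seen in SAN-B as 0x{t_in_b:06x}, host seen in SAN-A as 0x{h_in_a:06x}")
    print("host->tape rewritten to", hop, "; tape->host rewritten to", back)
```

Run as a script it prints the proxy addresses (both land in Domain_ID 2, the first one free in each fabric) and the rewritten S_ID/D_ID pairs. Note that `route` refuses a frame from a SAN B host that has not been exported into SAN A even when it targets a valid proxy: that is the property that keeps the sharing explicit, device by device, instead of opening one fabric to the other.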

Yet Brocade's AP7420 implementation continues to reinforce user perceptions that almost every solution it introduces consumes more FC ports. For example, achieving redundancy between two existing fabrics requires 16 FC ports: four on each existing SAN, plus four more on each of the two AP7420s. At a cost of $1,500 or more per existing port, this adds over $12,000 to the cost. Users should urge Brocade to implement back-end inter-switch links (ISLs) on its switches for these types of solutions.

[Table: Virtual SAN switches; researched by Robin Raulf-Sager. *Configuration of the DS10000 is subject to change because it hasn't been released yet.]

Startups' storage linking alternatives
Candera's SCE 510 cluster network storage controller comes in a configuration of two 16-port Fibre Channel (FC) switches, which provide virtualization services in an active-active failover configuration. The SCE 510 may also be configured as a 4TB ATA appliance starting at approximately $86,000 that scales up to 180TB.
LightSand Communications offers the i-8100A storage gateway that can interconnect SANs locally or remotely via FCIP. It allows SAN data to be moved between different vendors' SAN fabrics without requiring them to be merged.
Kashya's KBX4000 appliance connects to either an FC SAN or IP networks and provides bidirectional data replication across any distance for heterogeneous server and storage environments.
Maxxan's MXV320 director-class switch contains up to 320 FC 1Gb ports (160 2Gb ports) and ships with storage intelligence options. The switch accepts application cards that may be embedded with Windows 2000 Storage Server for file sharing or FalconStor's IPStor for volume management.
Maranti Networks' CoreStor 3000 is an intelligent director-class switch that includes virtualization on a per port basis and a Storage Quality of Service (SQoS) feature. The SQoS is able to provision and differentiate between the traffic of multiple applications, even if the applications reside on the same host.
Sandial purports to offer the industry's first backbone switch, the Shadow 14000, which is designed to dynamically load-balance traffic on the FC network as well as show traffic patterns and historical performance analysis.
Sanrad's V-Switch 3000 bridges FC and iSCSI SANs with a virtualization engine. It enables fast FC connectivity to existing storage arrays while meeting the IP connectivity needs of cost-conscious organizations.

VSANs not for novices
With all of the vendor VSAN implementations, users need to be cautious about how implementations and changes are done. Only certified storage administrators should be permitted to change what resources are shared. Inexperienced administrators may find they can easily share a storage device with another VSAN. However, they may not understand the risk of sharing an array port configured only for Sun servers with a Windows server on the other VSAN, or the problems of exposing a tape drive owned by Veritas NetBackup to Tivoli Storage Manager on another VSAN. Sharing mistakes may corrupt the data on the LUNs behind the array port, or leave the tape device inaccessible to either backup product.

Managing VSANs is an issue, too. For now, users are essentially forced back to Excel spreadsheets to track which devices are used on which VSAN, and it gets even more complicated when devices are shared across multiple VSANs. Because few, if any, storage resource management (SRM) tools can track either the VSAN configuration or how a device is shared between VSANs, users need to understand the ramifications of device sharing before using it.
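The two mistakes named above (an array port with one host personality exported to a host of another OS, and a tape drive owned by one backup product exposed to another) are exactly the kind of check that can run before a share is granted, and the same script can keep the ledger that the spreadsheet stands in for. What follows is an added example for this article, not a vendor tool: the device attributes, the WWPNs, the VSAN numbers and the two policy rules are invented to match the cases the text describes, and the ledger is an in-memory stand-in for whatever record the SRM tool cannot yet keep.

```python
"""Pre-flight check for sharing a device into another VSAN, plus a share ledger.

Added example for this article, not vendor code. Devices, hosts, WWPNs and the
two policy rules are invented to match the failure modes the text describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    wwpn: str
    kind: str                          # "array_port" or "tape"
    home_vsan: int
    host_type: Optional[str] = None    # array port: OS personality the port is set to
    owner_app: Optional[str] = None    # tape: backup application that controls the drive


@dataclass
class Host:
    wwpn: str
    vsan: int
    os: str
    backup_app: Optional[str] = None


@dataclass
class ShareLedger:
    """device WWPN -> VSAN -> hosts that can reach it there."""
    shares: Dict[str, Dict[int, Set[str]]] = field(default_factory=dict)

    def record(self, dev: Device, host: Host) -> None:
        self.shares.setdefault(dev.wwpn, {}).setdefault(host.vsan, set()).add(host.wwpn)

    def multi_vsan(self) -> Dict[str, List[int]]:
        """Devices visible in more than one VSAN: the ones to audit first."""
        return {d: sorted(v) for d, v in self.shares.items() if len(v) > 1}


def check_share(dev: Device, host: Host) -> List[str]:
    """Return the policy violations a share would cause; empty means allowed."""
    problems: List[str] = []
    if host.vsan == dev.home_vsan:
        return problems                    # ordinary zoning inside one VSAN, no export
    if dev.kind == "array_port" and dev.host_type and dev.host_type != host.os:
        problems.append(
            f"array port {dev.wwpn} is configured for {dev.host_type} hosts; "
            f"exporting it to {host.os} host {host.wwpn} risks corrupting its LUNs")
    if dev.kind == "tape" and dev.owner_app and dev.owner_app != host.backup_app:
        problems.append(
            f"tape {dev.wwpn} is owned by {dev.owner_app}; "
            f"{host.backup_app or 'an unmanaged host'} in VSAN {host.vsan} would contend for it")
    return problems


def request_share(ledger: ShareLedger, dev: Device, host: Host) -> List[str]:
    """Grant (and record) the share only when the check passes."""
    problems = check_share(dev, host)
    if not problems:
        ledger.record(dev, host)
    return problems


def demo():
    ledger = ShareLedger()
    sun_array = Device("50:00:09:72:00:01:a1:01", "array_port", home_vsan=10, host_type="Solaris")
    nbu_tape = Device("50:01:10:a0:00:12:34:56", "tape", home_vsan=10, owner_app="NetBackup")
    hosts = {  # invented hosts; VSAN 10 is the home VSAN of both devices
        "sun_home":   Host("10:00:00:00:c9:2a:00:01", 10, "Solaris"),
        "sun_remote": Host("10:00:00:00:c9:2a:00:02", 20, "Solaris"),
        "win_remote": Host("10:00:00:00:c9:2a:00:03", 20, "Windows"),
        "nbu_home":   Host("10:00:00:00:c9:2a:00:04", 10, "Solaris", backup_app="NetBackup"),
        "nbu_media":  Host("10:00:00:00:c9:2a:00:05", 30, "Solaris", backup_app="NetBackup"),
        "tsm_media":  Host("10:00:00:00:c9:2a:00:06", 30, "Windows", backup_app="TSM"),
    }
    results = {
        "sun_home_to_array":   request_share(ledger, sun_array, hosts["sun_home"]),
        "sun_remote_to_array": request_share(ledger, sun_array, hosts["sun_remote"]),
        "win_remote_to_array": request_share(ledger, sun_array, hosts["win_remote"]),
        "nbu_home_to_tape":    request_share(ledger, nbu_tape, hosts["nbu_home"]),
        "nbu_media_to_tape":   request_share(ledger, nbu_tape, hosts["nbu_media"]),
        "tsm_media_to_tape":   request_share(ledger, nbu_tape, hosts["tsm_media"]),
    }
    return ledger, results


if __name__ == "__main__":
    ledger, results = demo()
    for name, problems in results.items():
        print(name, "->", problems or "ok")
    print("shared across VSANs:", ledger.multi_vsan())
```

Two of the six requests are refused (the Windows host against the Solaris-personality array port, and the TSM media server against the NetBackup-owned drive); the other four are recorded, and `multi_vsan()` then lists both devices as present in two VSANs, which is the view the text says today's SRM tools cannot give.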

VSAN technology is relatively new, so users should only logically segregate their SANs when there's a real business need. Consider Cisco's MDS 9000 or McData's DS10000 if the goal is to consolidate all of the servers and storage in one location.

For now, Cisco has an advantage because its switch has been on the market longer: administrators are already certified on its switches, and its VSAN features resemble the VLAN tools they know from Cisco's Ethernet switches. Brocade's AP7420 is the more viable option for sharing resources between two vendors' fabrics without compromising the integrity of either one. Regardless of the product chosen, users will be locked into a vendor's product until a standard is released in a year or so.

Bridges and routers
Not all users want to consolidate their SANs, but need to connect legacy storage devices and servers to their FC SAN. Others need to connect with off-site locations for resource sharing, disaster recovery or business continuance purposes. Storage bridges and routers can be used to satisfy these needs.

Standalone bridge and router products allow users to keep their existing technologies while connecting to their budding FC infrastructure. Cisco's SN 5428 router supports two Gigabit Ethernet ports and eight FC ports. By supporting both the iSCSI and FC protocols, it lets users reach FC-attached storage devices over low-cost Ethernet. The SN 5428 also offers management features found in both the IP and FC spaces, including SNMP and VLANs for IP networks, and LUN masking and zoning on the FC side.

The Crossroads 10000 router offers users a way to extend the life of their existing SCSI-attached storage devices. In addition, Crossroads has advanced its SCSI-to-FC bridge product, the SA40, which allows users to take their legacy SCSI-attached servers and connect them to a SAN. The SA40 also offers LUN masking capabilities and the unique ability to connect AS/400s to SANs.

In addition to connecting existing devices to SANs, products from companies such as CNT and McData allow users to connect different SANs at different geographic sites. CNT's UltraNet Edge Storage router supports FC and Ethernet interfaces; the IPS 3300 Multi-Protocol IP Switch from McData supports FC, Gigabit Ethernet, iSCSI and iFCP protocols. Both offer bandwidth management, and their routers can interoperate with any E_Port-capable FC switch. This permits users to connect different brands of switches at different sites to allow procedures such as asynchronous mirroring and sharing storage between sites.

QoS and security
David Stevens, CTO of Brocade's Transport Systems Group, says, "Quality of service in the network only matters when it costs money, otherwise users don't care." With 2Gb FC already commonplace, bandwidth plentiful in most environments and 4Gb and 10Gb FC just around the corner, most storage managers place a low priority on the ability to route and manage traffic on their FC infrastructure. However, QoS becomes an important consideration when managers start to move data between geographically dispersed SANs. Users should view the ability to monitor and maintain QoS as absolutely essential on any storage routers they deploy.

Security is the other feature that often falls below users' radar. With one person managing the switches and storage in many environments, and SANs deployed in physically secure rooms, security often gets scant attention. But with the introduction of iSCSI SANs, which put storage on IP networks, along with consolidated servers and storage, the odds increase that the storage network will be compromised, either accidentally or intentionally.

To fortify against possible security intrusions, users can adopt a three-phase plan to protect their storage infrastructure. The first step is to develop and implement role-based user logins. Configuring zoning, setting up VSANs, updating the code on the switches and managing VM functionality may each require different user permissions, and a role should grant only the commands that job needs. Cisco's SAN-OS supports up to 64 user roles to help provide sufficiently fine-grained access control.

Authenticating servers as they log onto the FC fabric still receives little attention from users, but it's on the road map of every switch vendor. Brocade and Cisco already support DH-CHAP, the Diffie-Hellman Challenge Handshake Authentication Protocol that the FC-SP standard makes mandatory to implement. DH-CHAP is a shared-secret, challenge-response protocol that supports both switch-to-switch and host-to-switch authentication: each device proves that it knows the secret registered for its world wide name, so a host that spoofs another server's WWPN is rejected at fabric login, and the optional Diffie-Hellman exchange binds each response to a fresh session value so that a captured response can't be replayed. The next step is RADIUS integration. RADIUS isn't a separate authentication method; it lets the switches keep the DH-CHAP secrets for every authorized host and switch in one central database rather than in a local table on each switch, so the set of devices allowed onto the SAN is managed in one place. Which storage resources an authenticated host may then reach is still governed by zoning and LUN masking.
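The exchange described above, modelled end to end with both sides' messages, as an added example for this article. It is not Brocade or Cisco code and not a byte-exact FC-SP implementation: the message fields are carried as Python values, the hash input is a simplified concatenation rather than the FC-SP encoding, and the DH modulus is a demo prime instead of an FC-SP MODP group. What it does show faithfully is the shape of the protocol: the switch looks up a secret under the WWN the host claims, the response is bound to the ephemeral DH value, and the host in turn verifies the switch, so that a spoofed WWN, an unknown device or a rogue switch all end in a reject.

```python
"""Bidirectional DH-CHAP style fabric login between a host HBA and a switch (model).

Added illustration for this article, not vendor code and not byte-exact FC-SP:
values are Python objects, the hash input is simplified, and P is a demo prime.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

P = 2**127 - 1       # demo modulus; FC-SP uses the RFC 2409/3526 MODP groups
G = 2
HASH = hashlib.sha1  # FC-SP allows MD5 or SHA-1 for the CHAP response


def _h(*parts: bytes) -> bytes:
    h = HASH()
    for part in parts:
        h.update(part)
    return h.digest()


def _i2b(v: int) -> bytes:
    return v.to_bytes((P.bit_length() + 7) // 8, "big")


@dataclass
class Entity:
    wwn: bytes
    own_secret: bytes            # what this device uses to prove itself
    peers: Dict[bytes, bytes]    # peer WWN -> that peer's secret (local table or RADIUS)

    def secret_for(self, peer: bytes) -> Optional[bytes]:
        return self.peers.get(peer)


def response(secret: bytes, tid: bytes, challenge: bytes, dh_shared: int) -> bytes:
    """CHAP response bound to the ephemeral DH secret, so a replay is useless."""
    return _h(tid, secret, challenge, _i2b(dh_shared))


def dhchap(initiator: Entity, responder: Entity) -> bool:
    """AUTH_Negotiate / DHCHAP_Challenge / DHCHAP_Reply / DHCHAP_Success.

    True only when each side proves knowledge of the secret the other holds
    for its WWN; any failure stands for an AUTH_Reject.
    """
    tid = secrets.token_bytes(4)                       # AUTH_Negotiate transaction id

    # DHCHAP_Challenge (responder -> initiator): C1 and g^x mod p.
    k_init_copy = responder.secret_for(initiator.wwn)  # lookup by the WWN the host claims
    if k_init_copy is None:
        return False                                   # unknown WWN: reject at login
    c1, x = secrets.token_bytes(16), secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)

    # DHCHAP_Reply (initiator -> responder): R1, plus its own C2 and g^y mod p.
    k_resp_copy = initiator.secret_for(responder.wwn)
    if k_resp_copy is None:
        return False                                   # host has no secret for this fabric
    y = secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    shared_i = pow(gx, y, P)
    r1 = response(initiator.own_secret, tid, c1, shared_i)
    c2 = secrets.token_bytes(16)

    # Responder checks R1 with its copy of the host's secret and its DH view,
    # then answers the host's challenge inside DHCHAP_Success.
    shared_r = pow(gy, x, P)
    if not secrets.compare_digest(r1, response(k_init_copy, tid, c1, shared_r)):
        return False
    r2 = response(responder.own_secret, tid, c2, shared_r)

    # Initiator verifies R2 before trusting the fabric it just joined.
    return secrets.compare_digest(r2, response(k_resp_copy, tid, c2, shared_i))


def demo(case: str) -> bool:
    """Invented WWNs and secrets; the switch's table is what RADIUS would serve."""
    switch = Entity(b"switch-01", b"sw-secret", {b"host-42": b"host-secret"})
    if case == "good":
        host = Entity(b"host-42", b"host-secret", {b"switch-01": b"sw-secret"})
    elif case == "spoofed_wwn":        # rogue HBA claims host-42's WWN without its secret
        host = Entity(b"host-42", b"guess", {b"switch-01": b"sw-secret"})
    elif case == "unknown_switch":     # host holds no secret for this fabric
        host = Entity(b"host-42", b"host-secret", {})
    else:                              # WWN the switch has never been told about
        host = Entity(b"host-99", b"other", {b"switch-01": b"sw-secret"})
    return dhchap(host, switch)


if __name__ == "__main__":
    for case in ("good", "spoofed_wwn", "unknown_switch", "unknown_host"):
        print(f"{case:15s} -> {'accepted' if demo(case) else 'rejected'}")
```

Only the "good" case is accepted. The check the switch performs on R1 is the host-to-switch authentication the text refers to; the check the host performs on R2 is what makes the protocol bidirectional, and it is the part that protects against a rogue switch being inserted into the fabric.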

VSANs give users a glimpse into what their SAN infrastructures will transform into over the next couple of years. As different departments and even different companies look to share resources for purposes such as cost control and disaster recovery, this technology will gradually move up in importance. For now, users should keep abreast of this technology and look to incorporate it into their SAN infrastructure in 2005.

[Table: Storage routers; researched by Robin Raulf-Sager.]