Replacing the Dead IPOD, SAN Bit the Dust

dafyre

Can the SANs fire off email alerts or SNMP traps or anything?

NerdyDad

@dafyre Typically yes, but the storage consultant advised that we not connect the storage to the house network as it posses a security issue. My thought process is that if they are already within the network then they are going to get to the data, then they are going to get through to the virtual environment anyways. If they are already in your network, then they are probably using either an admin account or a service account. Either way, they're getting in.

dafyre

@NerdyDad said in Replacing the Dead IPOD, SAN Bit the Dust:

@dafyre Typically yes, but the storage consultant advised that we not connect the storage to the house network as it posses a security issue. My thought process is that if they are already within the network then they are going to get to the data, then they are going to get through to the virtual environment anyways. If they are already in your network, then they are probably using either an admin account or a service account. Either way, they're getting in.

Typical recommendations I've seen are for there to be a management VLAN, and a separate VLAN for the actual storage traffic... But as you say, when hackers get in, you have bigger problems anyhow.

My 2c worth would be to set up the email alerts anyway... it will save you this pain later on down the road. I'd set it up on any SAN you have that has the option, lol.

StrongBad

@dafyre said in Replacing the Dead IPOD, SAN Bit the Dust:

Can the SANs fire off email alerts or SNMP traps or anything?

Pretty much any device can do that.

StrongBad

@dafyre said in Replacing the Dead IPOD, SAN Bit the Dust:

Typical recommendations I've seen are for there to be a management VLAN, and a separate VLAN for the actual storage traffic... But as you say, when hackers get in, you have bigger problems anyhow.

Storage should always be a true physical SAN, not a VLAN SAN. VLAN is fine for security, but you want a physically separate SAN to make sure that the backplane does not get overloaded. It's performance and reliability why you keep the SAN separate physically.

dafyre

@StrongBad said in Replacing the Dead IPOD, SAN Bit the Dust:

@dafyre said in Replacing the Dead IPOD, SAN Bit the Dust:

Typical recommendations I've seen are for there to be a management VLAN, and a separate VLAN for the actual storage traffic... But as you say, when hackers get in, you have bigger problems anyhow.

Storage should always be a true physical SAN, not a VLAN SAN. VLAN is fine for security, but you want a physically separate SAN to make sure that the backplane does not get overloaded. It's performance and reliability why you keep the SAN separate physically.

The recommendations I saw were to keep the actual SAN storage traffic separate from the rest of the network to improve performance and security.

Dashrender

@dafyre said in Replacing the Dead IPOD, SAN Bit the Dust:

@StrongBad said in Replacing the Dead IPOD, SAN Bit the Dust:

@dafyre said in Replacing the Dead IPOD, SAN Bit the Dust:

Typical recommendations I've seen are for there to be a management VLAN, and a separate VLAN for the actual storage traffic... But as you say, when hackers get in, you have bigger problems anyhow.

Storage should always be a true physical SAN, not a VLAN SAN. VLAN is fine for security, but you want a physically separate SAN to make sure that the backplane does not get overloaded. It's performance and reliability why you keep the SAN separate physically.

The recommendations I saw were to keep the actual SAN storage traffic separate from the rest of the network to improve performance and security.

I've seen this too, mostly here and SW. And by separate, I've read that to mean, it's own equipment with no VLANing. Heck, I'm pretty sure I've seen @scottalanmiller suggest Netgear layer 2 equipment because it's fast, cheap and no bells and whistles to get in the way.

scottalanmiller

@dafyre said in Replacing the Dead IPOD, SAN Bit the Dust:

@StrongBad said in Replacing the Dead IPOD, SAN Bit the Dust:

@dafyre said in Replacing the Dead IPOD, SAN Bit the Dust:

Typical recommendations I've seen are for there to be a management VLAN, and a separate VLAN for the actual storage traffic... But as you say, when hackers get in, you have bigger problems anyhow.

Storage should always be a true physical SAN, not a VLAN SAN. VLAN is fine for security, but you want a physically separate SAN to make sure that the backplane does not get overloaded. It's performance and reliability why you keep the SAN separate physically.

The recommendations I saw were to keep the actual SAN storage traffic separate from the rest of the network to improve performance and security.

Really separate, not VLAN separate. VLAN traffic is comingled.

scottalanmiller

@Dashrender said in Replacing the Dead IPOD, SAN Bit the Dust:

@dafyre said in Replacing the Dead IPOD, SAN Bit the Dust:

@StrongBad said in Replacing the Dead IPOD, SAN Bit the Dust:

@dafyre said in Replacing the Dead IPOD, SAN Bit the Dust:

Typical recommendations I've seen are for there to be a management VLAN, and a separate VLAN for the actual storage traffic... But as you say, when hackers get in, you have bigger problems anyhow.

Storage should always be a true physical SAN, not a VLAN SAN. VLAN is fine for security, but you want a physically separate SAN to make sure that the backplane does not get overloaded. It's performance and reliability why you keep the SAN separate physically.

The recommendations I saw were to keep the actual SAN storage traffic separate from the rest of the network to improve performance and security.

I've seen this too, mostly here and SW. And by separate, I've read that to mean, it's own equipment with no VLANing. Heck, I'm pretty sure I've seen @scottalanmiller suggest Netgear layer 2 equipment because it's fast, cheap and no bells and whistles to get in the way.

Yes, it's been a long time, but Netgear Prosafe unmanaged in lab tests was the fastest on the market like six or seven years ago. $300 switches outperforming $10,000 switches.

scottalanmiller

Also the needs of a SAN are different than the needs of a LAN. So you likely want different switches. I'd love Netgear Prosafe unmanaged on my SAN but would generally prefer Ubiquiti EdgeSwitches on my LAN.

Dashrender

@scottalanmiller said in Replacing the Dead IPOD, SAN Bit the Dust:

Also the needs of a SAN are different than the needs of a LAN. So you likely want different switches. I'd love Netgear Prosafe unmanaged on my SAN but would generally prefer Ubiquiti EdgeSwitches on my LAN.

Any opinion on Unifi Switches yet?

scottalanmiller

@Dashrender said in Replacing the Dead IPOD, SAN Bit the Dust:

@scottalanmiller said in Replacing the Dead IPOD, SAN Bit the Dust:

Also the needs of a SAN are different than the needs of a LAN. So you likely want different switches. I'd love Netgear Prosafe unmanaged on my SAN but would generally prefer Ubiquiti EdgeSwitches on my LAN.

Any opinion on Unifi Switches yet?

We use one in the lab and it's been great, but we aren't pushing its limits or anything.