iSCSI Overview

Evolution of iSCSI
• What is iSCSI? “Pronounced eye skuzzy. Short for Internet SCSI, an IP-based standard for linking data storage devices over a network and transferring data by carrying SCSI commands over IP networks.” (www.webopedia.com, 2004)
• SAN (block networking) over Ethernet
• Lower cost than FC infrastructure
• Less complex than FC SAN
• IETF standard (RFC 3720), ratified Feb 2003
What is iSCSI?
• iSCSI is nothing more than SCSI-3 command frames encapsulated in IP packets
• Uses TCP port 3260
• IETF standard documented in RFC 3720: http://www.ietf.org/rfc/rfc3720.txt?number=3720
• The iSCSI standard specifies:
  • Connection negotiation
  • Authentication methods
  • Device discovery
• iSCSI and IP SAN: what’s the difference?
What is iSCSI?
• HOST / INITIATOR
  • iSCSI Software Initiator
  • TCP Off-load Engine (TOE)
  • iSCSI Host Bus Adapter (HBA)
• STORAGE SYSTEM / TARGET
  • Currently handled by Data ONTAP
  • ISWT – iSCSI Software Target driver
  • Standard NIC
• Basic Unit of Communication
  • Protocol Data Unit (PDU)
What is iSCSI
[Figure: an iSCSI host running an iSCSI initiator talks to an iSCSI device exposing iSCSI targets; each iSCSI session is made up of one or more TCP connections. On the wire a PDU is carried as: IP header (contains “routing” information so that the message can find its way through the network), TCP header (provides the information necessary to guarantee delivery), iSCSI header (explains how to extract the SCSI commands and data), then the SCSI-3 commands and data.]
NIC, TOE, iSCSI HBA: Why All of the Choices?
[Figure: three host stacks, each Application / SCSI / iSCSI (and other protocols) / TCP / IP / Network Interface. With a NIC and the iSCSI software initiator, everything below the application is server processing; with a TOE and the iSCSI software initiator, TCP/IP moves to NIC/HBA processing; with an iSCSI HBA, iSCSI as well as TCP/IP is handled on the HBA.]
• TOE and iSCSI HBA goals: offload IP and iSCSI activities from the host processor
• Additionally, some iSCSI HBAs offer remote boot capabilities
iSCSI – SAN Without Complexity
• Over 7,000 iSCSI solutions in production TODAY!
• Complementary solution to Fibre Channel
• iSCSI performs significantly faster than direct attached storage
• iSCSI provides quick and easy setup and ongoing operations
  • Leverage existing knowledge
  • Deploy over existing GigE networks
• Microsoft recommended for Exchange environments
• NetApp is the iSCSI leader
Where iSCSI Fits
[Figure: primary storage on the LAN for core production (business-critical and some business operations) and layered production (business-internal and some business operations) plus test/dev; secondary storage for D/D backup & DR reached over the WAN through a DR network; networked storage in remote offices. Storage network infrastructure by tier: Ethernet, FC, mostly Ethernet, or lots of both.]
Associated iSCSI Protocols & Processes
• Boot process & error recovery
• Discovery process – an initiator can obtain target IP address, port and LUN info via:
  • Administrator control
  • SLP (Service Location Protocol)
  • iSNS (Internet Storage Name Service)
    • Implemented by Microsoft (iSNS Server)
    • Supported by NetApp
• Security
  • CHAP
  • IPSec
iSCSI Boot
• Boot can be configured static or dynamic
• Static configuration for iSCSI boot:
  • Admin configures the authorized iSCSI node name and iSCSI address
• Dynamic configuration with DHCP or SLP (Service Location Protocol):
  • DHCP assigns the host an IP address
  • DHCP supplies the iSCSI Boot Service option (admin set), which includes the iSCSI target node name
  • SLP can be used to search for the Boot Service without DHCP
• Alternatives:
  • emBoot is now supported for software iSCSI boot
  • BootP is possible for software iSCSI and hardware (old, not really used anymore)
  • An iSCSI HBA acts like a SCSI adapter (BIOS boot or INT13)
    • QLogic has it today, but most iSCSI HBAs have this support on their roadmap
iSCSI SAN Booting
• HW initiators require INT 13 support
  • Initiator interrupts the boot process
  • Attaches to the LUN
  • Boots from the LUN
  • Done!
• Windows
  • SAN boot possible with the SW initiator today
    • Check out the Product Bulletin on emBoot support
  • SAN boot possible with HW initiators
Discovery by Administrator Configuration
• Currently the most common
• Requires no external server or services
• Requires administrator configuration
  • LUNs are configured on the target
  • Parameters are set at the initiator
• Initiator logs into the target
• Initiator requests the list of LUNs
• Initiator requests attachment to LUN(s)
• I/O begins
• Works just fine for small, static environments
Discovery Using iSNS
• Targets register with the iSNS server
• Initiators get iSNS server info:
  • Via multicast
  • Via DHCP
  • Via administrator configuration
  • Via SLP
• The iSNS heartbeat notifies initiators and backup servers of its location
• Allows management domains (including access controls)
Security Considerations
• iSCSI dedicated vs. existing network infrastructure
• VLANs
• LUN masking
• Initiator security settings on the NetApp storage system
• CHAP
• IPSec
iSCSI Dedicated vs. Existing Network Infrastructure
• Direct attach
  • Network security really not an issue
  • No cluster capabilities
• Dedicated Ethernet network
  • Network security still really not an issue
  • Like Fibre Channel
  • Cost
• “Shared/Mixed” Ethernet network
  • Security is now an issue
  • Throughput
VLANs
• Why VLANs?
  • Most useful with a large dedicated IP SAN or when “sharing” an existing Ethernet networking environment
• Security: VLANs are used to limit access among nodes in an IP SAN or existing infrastructure.
• Problem isolation/resolution: reduces the “space” in which the IP SAN operates.
• Path limits: the tool of choice to reduce the number of available paths from host to iSCSI target port.
LUN Masking – “Not A High Wall”
LUN (Logical Unit Number) Masking is an authorization process that makes a LUN available to some hosts and unavailable to other hosts based on the host’s initiator node name(s).
[Figure: HOST A (iqn.2001-01.com.sysvendor:sn.2626) and HOST B (iqn.1998-12.com.sysvendor:sn.1234) attached to a NetApp storage system. Mapping: LUN XYZ is LUN ID 4 in igroup “abc”, which contains the node name iqn.2001-01.com.sysvendor:sn.2626. HOST B is drawn a second time presenting that same node name, iqn.2001-01.com.sysvendor:sn.2626, to show that masking keys only on the name the host claims.]
CHAP
• iSCSI initiator and target authentication
  • Prevents unauthorized access
  • Permits only trustworthy nodes
• Reasons to use:
  • The network is not isolated
  • An iSCSI name is just a string in the packet, whereas a Fibre Channel WWNN is programmed into the hardware
• Impact:
  • No performance impact, since this is only done at connection time
• Security is physical and logical
  • Port 3260
  • Firewall
  • Access control – separate network
CHAP – “Three Way Handshake”
The Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol that is used to authenticate iSCSI initiators at target login and at various random times during a connection.
[Figure: HOST A (host initiator iqn.1998-12.com.sysvendor:sn.1234, CHAP username A26t43LrP, PW/shared secret abcdefghijklm) sends an iSCSI login to the NetApp storage system; the storage system answers with a CHAP request; the host returns a 128-bit MD5 hash value based on the CHAP secret; the storage system checks the CHAP challenge: “Is it the correct CHAP secret? Yes or no?” The storage system holds a CHAP username and shared secret per initiator node name, e.g. iqn.1998-12.com.sysvendor:sn.1234 (A26t43LrP / abcdefghijklm), iqn.2001-10.com.sysvendor:sn.2626 (BlahBlah / cdehajkslsp) and iqn.1996-10.com.bigvendor:luciana (RoastBeef / 0Xdf611243aaab).]
Challenge Handshake Authentication Protocol
• CHAP best practices
  • When assigning CHAP passwords to initiators, it is important to record the passwords for use when configuring the iSCSI host systems. The username and password used on the NetApp storage system must match those used on the host initiator(s).
  • Also note that each initiator vendor may have different rules regarding usernames and passwords!
CHAP provides SESSION AUTHENTICATION, not ENCRYPTION
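The handshake on the previous slides, worked through in Python as an added example that is not part of the original deck: the target issues CHAP_I and CHAP_C, the initiator answers with CHAP_N and CHAP_R = MD5(CHAP_I || secret || CHAP_C), and the target recomputes the hash from its stored secret. The username and secret are the slide’s sample values for HOST A; the 16-byte challenge length and the class and function names are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not from the slides: CHAP as carried in iSCSI login text keys
# (RFC 3720 uses the RFC 1994 algorithm). CHAP_R = MD5(CHAP_I || secret || CHAP_C),
# so the secret never crosses the wire; the exchange only authenticates, and the
# data phase that follows stays clear text unless IPSec is used.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R for a one-byte CHAP_I: MD5 over identifier, secret, challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP_I must fit in one byte")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def encode_binary(value: bytes) -> str:
    """iSCSI text-key form of a binary value: '0x' followed by hex digits."""
    return "0x" + value.hex()

def decode_binary(text: str) -> bytes:
    """Parse the '0x...' form used for CHAP_C and CHAP_R in login PDUs."""
    if not text.startswith("0x") or len(text) % 2:
        raise ValueError("expected 0x followed by an even number of hex digits")
    return bytes.fromhex(text[2:])

class ChapTarget:
    """Target side: one secret per CHAP_N (initiator user name), fresh challenges."""
    def __init__(self, secrets: dict):
        self.secrets = secrets          # CHAP_N -> secret bytes
        self.identifier = 0
        self.last_challenge = b""

    def challenge(self) -> dict:
        """Issue CHAP_I and a random CHAP_C (16 bytes here; length is an assumption)."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.last_challenge = os.urandom(16)
        return {"CHAP_I": str(self.identifier),
                "CHAP_C": encode_binary(self.last_challenge)}

    def verify(self, keys: dict) -> bool:
        """Recompute CHAP_R from the stored secret; an unknown CHAP_N fails closed."""
        secret = self.secrets.get(keys.get("CHAP_N"))
        if secret is None:
            return False
        expected = chap_response(self.identifier, secret, self.last_challenge)
        return hmac.compare_digest(expected, decode_binary(keys["CHAP_R"]))

def initiator_answer(name: str, secret: bytes, target_keys: dict) -> dict:
    """Initiator side: answer CHAP_I / CHAP_C with CHAP_N / CHAP_R."""
    ident = int(target_keys["CHAP_I"])
    chal = decode_binary(target_keys["CHAP_C"])
    return {"CHAP_N": name,
            "CHAP_R": encode_binary(chap_response(ident, secret, chal))}

# Constructed run with the slide's sample user name and secret for HOST A.
target = ChapTarget({"A26t43LrP": b"abcdefghijklm"})
login = initiator_answer("A26t43LrP", b"abcdefghijklm", target.challenge())
print("login accepted:", target.verify(login))
```

A wrong secret or an unknown CHAP_N makes verify() return False without revealing which one was wrong, and nothing in the exchange protects the SCSI data that follows.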
IPSec
• Encrypts ALL packets, including data
• Encryption
  • Provides privacy
  • Prevents eavesdropping
• Reasons to use:
  • Data is traveling over public networks that you want to protect
  • C2 government security
• Will affect performance because it touches every data packet
• Transport mode vs. tunneling mode
• Microsoft Software Initiator is “IPSec aware”
Best practice: only if absolutely necessary
IPSec: Transport Mode vs. Tunneling Mode
[Figure: Transport mode – IPSec processing takes place on HOST A and on the NetApp storage system themselves, with the unsecure intranet or Internet between them. Tunneling mode – IPSec processing takes place on an IPSec router/gateway at each end; HOST A and the storage system hand their traffic to the local gateway, and the two gateways protect it across the unsecure intranet or Internet.]
iSCSI Digests
• The iSCSI spec defines a checksum mechanism called Digests
• This was done since the TCP checksum is not foolproof
• The iSCSI Digests can be used on headers only, data only or both
• The Filer supports this since it is required
• Reason to use:
  • A network that is having a lot of issues and errors
• Impact:
  • Header only is not too bad (10 to 20%)
  • Data only or both is much higher (30% or more)
  • The performance penalty is on both the initiator and the target
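The digest computation itself, as an added example that is not part of the original deck: RFC 3720 specifies CRC32C for both HeaderDigest and DataDigest, and the block below implements it and checks a constructed 48-byte header. The digest byte order and the helper names are assumptions.

```python
# Added example, not from the slides: the CRC32C (Castagnoli) checksum that
# RFC 3720 specifies for the iSCSI header and data digests. zlib.crc32 uses the
# Ethernet polynomial and gives different values, so the lookup table is built
# here from the reflected CRC32C polynomial 0x82F63B78.

def _make_table() -> list:
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = _make_table()

def crc32c(data: bytes) -> int:
    """Reflected CRC32C, initial value and final XOR 0xFFFFFFFF (check value 0xE3069283)."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def digest_bytes(data: bytes) -> bytes:
    """4-byte digest field; little-endian here (assumed to match the RFC 3720 transmission order)."""
    return crc32c(data).to_bytes(4, "little")

def header_digest(bhs: bytes) -> bytes:
    """HeaderDigest covers the 48-byte basic header segment (plus any AHS; none here)."""
    if len(bhs) != 48:
        raise ValueError("basic header segment must be 48 bytes")
    return digest_bytes(bhs)

def data_digest(data: bytes) -> bytes:
    """DataDigest covers the data segment padded with zero bytes to a 4-byte boundary."""
    return digest_bytes(data + b"\x00" * ((-len(data)) % 4))

def check_header(pdu_head: bytes) -> bool:
    """Receiver side: compare the digest that follows the BHS. A mismatch means the
    PDU is dropped and recovery is left to the error recovery level negotiated at login."""
    return len(pdu_head) >= 52 and header_digest(pdu_head[:48]) == pdu_head[48:52]

# Constructed 48-byte BHS: first byte 0x01 (the SCSI Command opcode), rest zero.
SAMPLE_BHS = bytes([0x01]) + bytes(47)
```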
iSCSI Sessions
[Figure: an iSCSI host (server with a GigE NIC, Network Interface Card) running an iSCSI initiator, joined by one iSCSI session made up of several TCP connections to the iSCSI target on the iSCSI device.]
• Security negotiation phase
• Login phase
  • Enables one or more TCP connections for iSCSI use
  • Negotiation of the session’s parameters
    • Used for LUN masking and LUN mapping
    • Number of parallel TCP connections in an iSCSI session
    • Authentication method and encryption
• Full feature phase
  • Exchanging data (reads and writes ...)
  • TCP connections stay open through the complete session
  • Single connections or whole sessions can be ended
iSCSI Address and Naming Convention
[Figure: Server 1 (iqn.2003-02.com.example:iscsi.server1) and Disk Array A (a network entity acting as iSCSI server, target iqn..:arraya.target1) on an IP network; network portals shown: 10.2.1.1:3260 and 10.2.1.2:3260 as a portal group, plus 10.2.1.3:3260 and 10.2.1.4:3260.]
An iSCSI node (initiator) has an iSCSI name, an alias and network portals (i.e. IP address and TCP port); iSCSI nodes (targets) likewise have iSCSI names, aliases and network portals.
• iSCSI node name
  • iqn.1992-08.com.netapp:sn.35780522
  • iqn.<date company obtained domain name>.<reversed domain name>:hostname
  • Encoded in the UTF-8 character set
  • Max size is 223 bytes
  • No white space is allowed
  • Upper case characters are converted to lower case
  • Valid characters are:
    • ASCII dash ('-'), dot ('.'), colon (':')
    • ASCII lower-case letters ('a' through 'z') and digits ('0' through '9')
• Extended Unique Identifier (EUI)
  • “eui” + “.” + 16 hexadecimal digits
  • eui.1234567890123456
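The naming rules above, turned into a validator as an added example that is not part of the original deck: it folds case, rejects white space, over-long and disallowed characters, and splits iqn. and eui. names into their parts. The function names are assumptions; the node names used for checking are the ones on the slides.

```python
import re

# Added example, not from the slides: validating iSCSI node names against the
# rules listed above (UTF-8, at most 223 bytes, no white space, lower-cased,
# only a-z 0-9 '-' '.' ':'), and splitting iqn. and eui. names into their parts.
# Function names are assumptions; the sample names are the ones on the slides.

_IQN = re.compile(r"^iqn\.(\d{4})-(\d{2})\.([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(.+))?$")
_EUI = re.compile(r"^eui\.([0-9a-f]{16})$")
_ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-.:")

def normalize_iscsi_name(name: str) -> str:
    """Apply the character rules; upper case is folded to lower case as the spec requires."""
    lowered = name.lower()
    if any(ch.isspace() for ch in lowered):
        raise ValueError("white space is not allowed in an iSCSI name")
    if len(lowered.encode("utf-8")) > 223:
        raise ValueError("iSCSI name exceeds 223 bytes")
    if not set(lowered) <= _ALLOWED:
        raise ValueError("iSCSI name contains characters outside a-z, 0-9, '-', '.', ':'")
    return lowered

def parse_iscsi_name(name: str) -> dict:
    """Return the parts of an iqn or eui name, or raise ValueError."""
    norm = normalize_iscsi_name(name)
    m = _IQN.match(norm)
    if m:
        year, month, authority, ident = m.groups()
        if not 1 <= int(month) <= 12:
            raise ValueError("iqn date month must be 01-12")
        return {"type": "iqn", "date": f"{year}-{month}",
                "naming_authority": authority, "identifier": ident or ""}
    m = _EUI.match(norm)
    if m:
        return {"type": "eui", "identifier": m.group(1)}
    raise ValueError(f"not a valid iSCSI node name: {name!r}")

def is_valid_iscsi_name(name: str) -> bool:
    """True when the name parses; worth running before a node name goes into an igroup."""
    try:
        parse_iscsi_name(name)
        return True
    except ValueError:
        return False
```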
Error Recovery Levels
• Three classes of errors
  • Protocol error (iSCSI)
  • CRC error
  • TCP/IP & link failure (who pulled the plug!?!)
• Errors are handled at several layers
  • Ethernet error recovery
  • TCP error recovery
  • iSCSI error recovery
    • Level 2
    • Level 1
    • Level 0
• Each iSCSI error recovery level must also support the levels below it
iSCSI Error Recovery Level 2
• Level 2
  • Connection failure recovery
  • Optional; vendors can choose to implement it
  • Least disruptive to applications
  • Recovers session, connection, and tasks
iSCSI Error Recovery Level 1
• Level 1
  • Based on header digest or data digest
  • Targets should not retransmit data or status except upon request of the initiator
iSCSI Error Recovery Level 0
• Level 0
  • Connection failure recovery
  • Used when all other recovery levels fail or are not implemented
  • All tasks are aborted, the session is closed
  • Session restarted by the initiator
iSCSI Summary
• iSCSI controls SCSI block-level data transfer between initiator (client) and target (storage)
  • iSCSI address and naming convention
  • iSCSI session management
  • iSCSI error handling
  • iSCSI security
• iSCSI is an additional transport for SCSI commands
• iSCSI can be implemented on desktops, laptops and servers
• iSCSI can be implemented with current TCP/IP stacks
• iSCSI can be implemented completely in software or in hardware (HBA)
• iSCSI transport includes security
  • IPSec connection security
  • iSCSI authentication for access control
• iSCSI defines discovery as a basic element
• iSCSI defines a process for remote boot
• iSCSI defines MIB standards as a basic element
iSCSI Sessions
• iSCSI session:
  • Communications path between initiator and target
  • 1 or more TCP connections
  • If multiple TCP connections are supported, these connections may use different network data paths
  • Session lifetime is not directly tied to TCP connection lifetime
  • Connections can be added and removed
• To set iscsi.max_connections_per_session to a higher value than the default of 1, use:
  options iscsi.max_connections_per_session X
  where X is the maximum number of connections per session
NOTE: The default value for iscsi.max_connections_per_session is 4 in Data ONTAP 7.2.1 or higher
Session vs. Connection
[Figure: four sessions with one connection each (SESSION64 with CONN 64/1, SESSION65 with CONN 65/1, SESSION66 with CONN 66/1, SESSION67 with CONN 67/1) versus one session with four connections (SESSION68 with CONN 68/1, 68/2, 68/3 and 68/4).]
Windows MPIO Example – START
[Figure: four sessions with one connection each from a Windows 2000 Server or Windows Server 2003 (32-bit) host running SD 3.2 DSM, through two sets of NICs and Ethernet Switch 1 / Ethernet Switch 2, to a Data ONTAP 6.5.4+ storage system holding LUN EX-DB1 and LUN EX-LOG1. Legend for the following slides: ACTIVE, PASSIVE, DISABLED.]
Windows MPIO Example – “DB LUN”
[Figure: one active and one passive session from the host to LUN EX-DB1.]
Windows MPIO Example – “LOG LUN”
[Figure: one active and two passive sessions from the host to LUN EX-LOG1.]
Windows MPIO Example – “LOG LUN”
[Figure: FAILURE – loss of the host NIC or HBA on the primary session to LUN EX-LOG1.]
Windows MPIO Example – “LOG LUN”
[Figure: FAILOVER – the standby session becomes the primary session to LUN EX-LOG1.]
Multiple Connections per Session Example
[Figure: one session with four connections from the host, across target portal groups TPG 26 and TPG 1000 on Data ONTAP 7.1, to LUN EX-LOG1 and LUN EX-DB1.]
• Activity on the connections depends on the session load balancing policy
Microsoft iSCSI Software Initiators
• What’s new with Microsoft iSCSI SWI 2.03?
  • Quick Fix Engineering (QFE) update release
  • Available since late Nov 2006
  • MPIO binaries updated to 1.17
  • Microsoft iSCSI Device Specific Module (DSM)
  • See relnotes.txt from the SWI download for details
  • Re-written Users Guide
  • Data ONTAP 7.0.5, 7.1.X, 7.2.X
• Recent NetApp iSCSI support additions
  • Support for all Microsoft MCS algorithms with iSCSI SWI 2.03
Windows Multi-pathing Update: NIC Teaming
• Host-side NIC teaming between host and NetApp storage system – support status
  • NetApp does NOT support host-side NIC teaming with Microsoft iSCSI SWI 2.0 or higher
  • NetApp offers “best effort” support for host-side NIC teaming with Microsoft iSCSI SWI 1.05a and 1.06 for existing customers/installs
  • Target-side VIFs were and are still supported with Microsoft iSCSI SWIs (1.05a/1.06/2.0/2.01/2.02/2.03/2.04), including MPIO and MCS
• The above only applies to host-side NIC teaming in conjunction with the Microsoft iSCSI SWI on a Windows host
Windows Multi-pathing Update: iSCSI DSM
• NetApp support for the Microsoft iSCSI DSM with iSCSI SWI 2.04
  • Works with ONTAP DSM 3.1
  • Host CPU: x86, x64 (AMD64, EM64T), IA64
  • Data ONTAP 7.0.5, 7.1.X, 7.2.X
  • QLogic QLA405x iSCSI HBA support
  • Supported with SnapDrive 4.2 or higher
  • Support for SnapManager is tied to SnapDrive
• Use MPIO/NTAP DSM from SDW 3.2/4.0/4.1
  • Loading the NTAP or Data ONTAP DSM simultaneously with the Microsoft iSCSI DSM is NOT supported by NetApp
• Supported MPIO load balancing policies:
  • Active/Passive: Failover Only
  • Active/Active: Round-Robin and Weighted Path
Windows Multi-pathing Update: NTAP DSM
• NTAP DSM
  • Supports iSCSI and FCP MPIO (not to the same LUN)
  • Available via SnapDrive 3.2/4.0/4.1 for Windows
  • SnapDrive 4.1 is the last release with support for the NTAP DSM
  • Supported MPIO load balancing policies:
    • Active/Passive: Failover Only
• Separation of the DSM from SnapDrive for Windows, and IA64 support, were added in SDW 4.2
• Please see the following matrices for support info:
  • NetApp iSCSI Support Matrix: http://now.netapp.com/NOW/knowledge/docs/san/fcp_iscsi_config/iscsi_support_matrix.shtml
  • SnapDrive/Data ONTAP Compatibility Matrix: http://now.netapp.com/NOW/knowledge/docs/olio/guides/snapmanager_snapdrive_compatibility/snapdrive.shtml
Windows MPIO – Which DSM? – NTAP DSM
• Delivered with SDW 4.1 (and earlier)
• FC and iSCSI
[Figure: SDW on top of Windows MPIO, with the NTAP DSM handling both FC and iSCSI paths to the network.]
Windows MPIO – Which DSM? – ONTAP DSM
• Delivered separately from SDW
• FC only
• ONTAP DSM 3.1 can co-exist with the MS DSM
[Figure: SDW on top of Windows MPIO, with the ONTAP DSM and the MS DSM loaded side by side, each handling its own FC / iSCSI paths to the network.]
iSCSI Target Adapter Card (HBA) Quick Update
• PCI-X card (Data ONTAP 7.1.1)
  • FAS900, FAS3020, FAS3050 and FAS6000
  • Availability: currently available for Data ONTAP 7.1.1 or higher & 7.2 or higher
• PCIe card
  • Same chip, f/w & feature set as the PCI-X iSCSI Target Adapter Card; requires a PCIe slot
  • FAS6000, FAS3070, FAS3040
  • Availability: currently available for Data ONTAP 7.1.1 or higher & 7.2 or higher
UNIX / Linux iSCSI Host Support Update
• Sun Solaris native iSCSI software initiator
  • iSCSI Solaris Host Utilities 3.0 for the native OS initiator
  • Solaris 10 Update 2
  • SPARC and AMD64
  • MPxIO Solaris native multipathing, A/A (Round-Robin) only
  • Solaris IPMP network IP multipathing (host NIC teaming)
• HP-UX iSCSI software initiator version 03e
• AIX 5.3 iSCSI software initiator
• Linux iSCSI native software initiator updates
  • iSCSI Linux Host Utilities 3.0 for RHEL and SLES
  • Red Hat Enterprise Linux 4 Update 3 native iSCSI initiator
  • SUSE Linux Enterprise Server 9 native iSCSI initiator
  • Native device-mapper multipath (DM-multipath) support for both RHEL4 U3 and SLES9
  • Host clustering for RHEL (RHCS, Oracle Clusterware) and SLES (Oracle Clusterware)
  • Support for Oracle Enterprise Linux
Windows iSCSI Multipathing “Best Practices”
• Microsoft MPIO is the best option
  • Mature, proven, stable
  • Works with Data ONTAP 6.5.4 and higher
    • MCS requires Data ONTAP 7.1 or higher
  • Per-LUN path management
  • Per-LUN load balancing policies
  • Nothing to configure in Data ONTAP
  • Works with Microsoft iSCSI SW Initiator v2.0 and higher, and iSCSI HBAs
    • MCS is currently Microsoft iSCSI Initiator v2.0 and higher only