VMware Cloud Community
fallentree
Contributor
Contributor

How to restrict iscsi traffic to specfic vmk port

Hi,

My server have two eth port, I put them in a dvswitch, then I creat 3 vmkernel port :

vmk0 : management port, two uplinks

vmk1 , vmk2 are each in a port group that only have one uplink

Then I configured iscsi port binding on softwar iscsi port to vmk1 and vmk2,

BUT, the vmk0 still shows up as a valid path! how do I diable vmk0 in the iscsi ?

Cheers.

0 Kudos
9 Replies
vmwarefc
Contributor
Contributor

I feel you failed to use port binding properly.  Please refer to vmware SAN configuration.

correct port bindind shoud be vmk1<===> uplink1, vmk2<==>uplink2. There are two paths.

                ______

vmk1 ---- |            |

                |            |

                |            |---- pnic1

                |            |---- pnic2

vmk2 ----|             |

               |             |

               -----------

In you setting, just one uplink for iscsi.  As a result, there is only one path.

Zhifeng

Zhifeng
0 Kudos
fallentree
Contributor
Contributor

No, I said:

vmk1 and vmk2 are in two different port group that each port group has 1 uplink

vmk1 -> pnic1

vmk2-> pnic3

and my problem is:  I'm having 3 paths, where vmk0 is showing as a path to my iscsi store as well.

0 Kudos
vmwarefc
Contributor
Contributor

Yes,  I think it is reasonable if your mgmt port(vmk0) is pingable to iscsi target's IP address.

Zhifeng
0 Kudos
fallentree
Contributor
Contributor

Then what is the point of having iscsi port binding at all???

0 Kudos
vmwarefc
Contributor
Contributor

You is binding vmk1 and vmk2 and didn't bind the mgmt port.  So there are 3 paths.

one is vmk1---pnic1, the next is vmk2--pnic3 and the last is vmk0 ---- any one of the two uplinks on mgmt vswtich.

It is correct.

Zhifeng
0 Kudos
fallentree
Contributor
Contributor

I know why I will have 3 path, I am saying that this design is broken, because I have no way to "not bind" the port I don't want send iscsi.

at least there should be a check box saying "don't use non-binded port"

0 Kudos
Dave_Mishchenko
Immortal
Immortal

Where are you seeing the 3 paths?  Not an exact copy of your environment, but with a single vswitch, 3 vmk ports (all with IP connectivity to the iSCSI target), and only 2 bound to iSCSI I get two paths as expected and not 3.

0 Kudos
fallentree
Contributor
Contributor

do you have 3 eth port on the server? does each vmk bound to different port?

my configuration is:

vmk0 -> g-vmk (uplinks: vmnic0+vmnic1)

vmk1 -> g-iscsi1 (uplinks: vmnic0)

vmk2-> g-iscs2 (upliks: vmnic1)

vmk1 and vmk2 path only show up if I add iscsi port bind to it, but vmk0 path is always there.

0 Kudos
vmwarefc
Contributor
Contributor

I understand what you mean.  In fact, you don't use the iscsi path via mgmt port.   I think this is a good feature request.

You can set path policy to fix/mru and select the binded port as the active path as a workaround.

Zhifeng
0 Kudos