VMware Cloud Community
snyderkv
Contributor

iSCSI initiator on Virtual Machine?

VMCommunities,

I'm having an issue initiating iSCSI on a virtual machine so I can connect to the shared storage.

Usually we do this on physical servers connected to the switch and it works no problem because we are able to ping those private IPs using the server's second NIC. But within the virtual machine, we can't ping those IPs and therefore cannot connect to the iSCSI shared storage.

When I add a new NIC in the VM and give it an IP Address of 192.168.x.x (same as iSCSI network) it does not ping.

What do I have to do to virtually connect to the iSCSI network so I can use the iSCSI initiator?

Thanks guys/gals :)

0 Kudos
7 Replies
janardhanr
Enthusiast

I don't see any difference here, physical or virtual. Check if you have the ports open for your virtual machines. Check if you have any security configured for your virtual network, like vShield. This is the only thing I see.

Regards,

Jana.

NOTE: If your problem or question has been resolved / answered, please mark this thread as answered and award points accordingly.
0 Kudos
golddiggie
Champion

Make sure your second NIC has the iSCSI port group selected (within the VM's configuration/settings)... If you're just adding a second NIC, it needs to be using the port group that has been configured for VM use with the iSCSI network... You need to add a VM port group to that vSwitch as well, if one doesn't already exist. Then it should be a simple matter of making sure the iSCSI initiator is installed within the VM, and all your security settings are set to allow it to communicate with that LUN... Typically, this LUN would be isolated for traffic from just that VM, not several (direct connect via the initiator)... You could share it from that VM for other VM's/systems to access (standard Windows/Linux share method)...

VMware VCP4

Consider awarding points for "helpful" and/or "correct" answers.

0 Kudos
snyderkv
Contributor

GoldDiggie,

Ah I see, so I do have to create a port group on the vSwitch containing the iSCSI? See, I didn't know if that was the correct way to do things at first, but it makes sense.

Any special security concerns or configurations I need to do after doing this?

I will try it out.

Thanks a million

0 Kudos
snyderkv
Contributor

GoldDiggie,

Cool, it worked, thanks a bunch man.

By the way, I used Virtual Machine for the new port group for the iSCSI connection. Should I have used VMkernel instead?

Thanks again.

0 Kudos
golddiggie
Champion

With 4.x you shouldn't need to add more port kernel groups beyond what you already configured to get things working initially... Once the iSCSI network was configured, you just needed to add the virtual machine port group to that vSwitch (and the vSwitches on other hosts is advised, use the same port group name on all especially if you're using HA or vMotion VM's between hosts)...

Sometimes things like this are an easy fix, or easily resolved once you get to think about it a bit. Or once you've had more time on the product...

VMware VCP4

Consider awarding points for "helpful" and/or "correct" answers.

0 Kudos
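
The port-group setup described in the replies above (a virtual machine port group on the iSCSI vSwitch, with the same name on every host the VM can run on), written out as an added PowerCLI example that is not part of any post in this thread. It assumes an existing `Connect-VIServer` session and standard vSwitches; the cluster, vSwitch, port group and VM names are placeholders.

```powershell
# Added example. Every name below is a hypothetical placeholder, not a value from the thread.
$ClusterName   = 'Cluster01'     # cluster the VM can fail over within
$VSwitchName   = 'vSwitch1'      # vSwitch that already carries the iSCSI network
$PortGroupName = 'iSCSI-Guest'   # VM port group; must be identical on every host
$VlanId        = 0               # set to the iSCSI VLAN ID if the uplinks are trunked
$VmName        = 'vm01'          # VM that runs the guest iSCSI initiator

$report = foreach ($esx in Get-Cluster -Name $ClusterName | Get-VMHost) {
    $vs = Get-VirtualSwitch -VMHost $esx -Name $VSwitchName -Standard -ErrorAction SilentlyContinue
    if (-not $vs) {
        # A host without the iSCSI vSwitch cannot carry the VM after HA/vMotion.
        Write-Warning "$($esx.Name): $VSwitchName not found, port group not created"
        continue
    }

    # Create the VM port group only where it is missing, so the script can be re-run.
    $pg = Get-VirtualPortGroup -VirtualSwitch $vs -Name $PortGroupName -ErrorAction SilentlyContinue
    if (-not $pg) {
        $pg = New-VirtualPortGroup -VirtualSwitch $vs -Name $PortGroupName -VLanId $VlanId
    }

    # Record what each host ended up with, including whether guests on this
    # port group are allowed to put their NIC into promiscuous mode.
    $policy = $pg | Get-SecurityPolicy
    [pscustomobject]@{
        Host             = $esx.Name
        VSwitch          = $vs.Name
        PortGroup        = $pg.Name
        VlanId           = $pg.VLanId
        AllowPromiscuous = $policy.AllowPromiscuous
    }
}

# Give the VM a second NIC on the iSCSI port group unless it already has one.
$vm = Get-VM -Name $VmName
$hasNic = $vm | Get-NetworkAdapter | Where-Object { $_.NetworkName -eq $PortGroupName }
if (-not $hasNic) {
    New-NetworkAdapter -VM $vm -NetworkName $PortGroupName -Type Vmxnet3 -StartConnected | Out-Null
}

# Every host in the cluster should appear here with the same PortGroup and VlanId.
$report | Format-Table -AutoSize
```

A host missing from the final table is one the VM would lose its storage path on after a failover.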
golddiggie
Champion

Security concerns would be the same as if the iSCSI target/LUN you're connecting was local storage... Typically you cannot present an iSCSI target/LUN to a server OS (like Windows) as well as present it to ESX/ESXi hosts... I would assume that you're following (as close as possible) smart security practices... Yes? In production environments, it's not uncommon to have iSCSI arrays (or SAN arrays) on their own IP range/subnet. Restricting traffic to just that subnet would help to eliminate unauthorized access... Even with the one VM (directly) connecting you should be fine... Just make sure you have the guest OS patched for security holes and such...

VMware VCP4

Consider awarding points for "helpful" and/or "correct" answers.

0 Kudos
snyderkv
Contributor

Great point, we are clustered so I do need to add the same port group to the other ESX host in case the VM decides to fail over to the other ESX host.

Ya, the iSCSI storage is on a private and connected to a non-routable VLAN. So I guess security is not a concern in my setup.

Thanks again.

0 Kudos