I was under the impression that by having a separate VALN I would be able to accomplish the security that I need, and for bandwidth, we currently we are nowhere near the 65Gb/s that the backplane of the Cisco Switch can handle. Also, the VLAN will make a new broadcast domain, so my thinking is that I gain more from using the existing switch with redundant supervisors and power supplies than a new switch.

In the future I could see adding a second switch to do the primary iSCSI traffic and using the VLAN group on the existing Cisco as the redundant link.

That's a great idea!

Just to add a bit more info, I just pulled the SNMP info from the switch:

SysTraffic: SNMPv2-SMI::enterprises.9.5.1.1.8.0 = INTEGER: 0

sysPeakTraffic: SNMPv2-SMI::enterprises.9.5.1.1.19.0 = INTEGER: 13

as per: http://www.cisco.com/warp/public/477/SNMP/cat-switch_backplane_util.html

Handle iSCSI like you would handle FC.

Nobody tries to conect a FC card with a fiber switch even if the cables fit in the plugs. :smileygrin:

Even so there is going to be a bridge somewhere even if only for management. By the numbers, I still am not convinced that there is any overwhelming reason to try and separate everything. Remember that this is in part still a proof-of-concept for my organization.

I agree 100% that best practices would dictate using a completely separate, redundant, multi-path backbone for the iSCSI, and will make sure that it is in my proposal should \[when] our VM environment goes into full production, but for the time being, it is beyond my budget.

As long as its a proof-of-concept thats ok.

Remember - proof-of-concepts grow faster to production than you think and then its much harder to separate.

Regarding management - with iSCSI I tend to a separate management LAN.

Just to clarify (if I am thinking incorrectly) you eventually want your iSCSI to get network / internet resources so that it can send out alerts, call home to the vendor (for replacement parts) or be managed remotely. Plus if we happened to want to put in on-site replication in a different building we would then only have to configure up the proper VLAN to accomplish this, as opposed to running new dedicated wire & switches.

EqualLogic is excellent iSCSI box. We use PS300E SATA and performance is great. I don't know if SAS box co$t will be justified unless you are in a huge db or xactional environment.

We had very conservative consolidation projections at deployment and have been pleased with utilization numbers. Comfortably running HA and DRS on 3 2-CPU dual core hosts with 9 VMs. Three of the VMs are SQL boxes that get pounded on pretty good by 100 - 175 users per day. Most performance numbers are consistenly below 50%, so we feel like we could easily add more VMs if/when needed.

Good luck keeping the students from hacking into secret places.

1. For the time being, the VLAN that I will create will not be accessible on any switch except for the server room which has good physical security.

As a part of the VM initiative, I am writing new policies as to a specific approval process for any new virtual server so that we don't end up with a virtualization bloat.

Tyler -

I would be interested in looking at your white paper on iSCSI. I have read Equallogic's guide, but it is always good to have multiple perspectives.

As for VCB, I am hoping to use it, but have not had a chance to drive it hands on yet. Since it is my name on the line, and I am pushing the technology, I want to have a rock-solid DR plan to back it up.

I have not come across Vizioncore, but I will check it out.

AustinPowers-

I have purposefully gone for a conservative consolidation number so that we can take advantage of HA should a box fail.

Luckily our students (Medical) are usually too busy to cause problems but yes, security is my next initiative after the virtualization is implemented.

i would suggest that you check/test that you can apply jumbo frames to your specific iscsi storage vlan without it affecting the MTU's on the other vlans and L3 interfaces if you have them.