Managing storage networks for services like iSCSI is relatively new in network architectures. iSCSI storage systems have been very popular in the small and midsize business space, as their cost is generally low and the ease of setup is high.
Traditionally, for organizations that are large enough to have distinct groups responsible for servers, storage, and networking, full separation of networks for storage seems the natural way to go. But iSCSI is unique in that the storage protocol runs over TCP/IP and traditional switch gear.
iSCSI networks need to be free of unnecessary traffic to keep performance optimized--that is the easy part. But how do we go about implementing this from the network architecture perspective?
Here are a few approaches that can be taken:
Storage systems and clients only--The disk system and the clients are the only nodes connected to the iSCSI network. There are no IP routes into or out of this configuration, which removes the risk of traffic from sources other than the required nodes. This can create an island effect and make the management tools (disk system and network) a little difficult to access. Dedicated switching gear could also be implemented for this configuration.
Isolated with firewall rules for management--Depending on the storage system, some management tools may need to operate directly on the iSCSI network. If the iSCSI segment is fully isolated, with the only traffic allowed into the segment being destined to the management interfaces over the specified ports, the segment is well protected and contention with the data traffic is avoided.
Dedicated VLAN and fully routed--This configuration would assign a dedicated VLAN over existing network gear, and it would be routed as any other VLAN in the environment. This configuration would permit other traffic to potentially access the network, and it may increase the risk of latency.
iSCSI traffic shared on other networks--This would allow the storage protocol to share the same segments as regular server traffic over the same IP networks. This configuration carries the most risk of performance issues.
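For the second approach, a ruleset can be checked mechanically against the stated policy: nothing is allowed into the iSCSI segment except traffic to the management interfaces on the specified ports. The following is an added example, not part of the original article; the subnet, management addresses, port list, and rules are all constructed for illustration.

```python
import ipaddress

# Constructed values for illustration; substitute your own addressing.
ISCSI_NET = ipaddress.ip_network("10.50.0.0/24")       # isolated iSCSI segment
MGMT_IFACES = {ipaddress.ip_address("10.50.0.10"),     # array management interfaces
               ipaddress.ip_address("10.50.0.11")}
MGMT_PORTS = {22, 443}                                 # assumed management services

# Constructed inbound rules on the firewall in front of the segment:
# (name, source, destination, protocol, dest port or None for any, action)
RULES = [
    ("mgmt-https",   "192.168.10.0/24", "10.50.0.10/32", "tcp", 443,  "allow"),
    ("mgmt-ssh",     "192.168.10.5/32", "10.50.0.11/32", "tcp", 22,   "allow"),
    ("legacy-iscsi", "192.168.20.0/24", "10.50.0.0/24",  "tcp", 3260, "allow"),
    ("monitoring",   "192.168.10.0/24", "10.50.0.10/32", "tcp", None, "allow"),
    ("default",      "0.0.0.0/0",       "10.50.0.0/24",  "any", None, "deny"),
]

def audit(rules):
    """Return (rule name, reason) for each way the ruleset admits more than
    management traffic into the iSCSI segment."""
    findings = []
    for name, src, dst, proto, port, action in rules:
        dst_net = ipaddress.ip_network(dst)
        if action != "allow" or not dst_net.overlaps(ISCSI_NET):
            continue
        # Destination must be a single management interface, not the whole segment.
        if dst_net.num_addresses != 1 or dst_net.network_address not in MGMT_IFACES:
            findings.append((name, f"{src} -> {dst} is not a management interface"))
        # Only the specified management ports may be reachable.
        if proto != "tcp" or port not in MGMT_PORTS:
            findings.append((name, f"{proto}/{port or 'any'} is not an approved management port"))
    # The segment is only isolated if the last rule is a deny covering all of it.
    last = rules[-1] if rules else None
    if not last or last[5] != "deny" or not ipaddress.ip_network(last[2]).supernet_of(ISCSI_NET):
        findings.append(("(end of ruleset)", "no final deny covering the iSCSI segment"))
    return findings

if __name__ == "__main__":
    for rule, reason in audit(RULES):
        print(f"{rule}: {reason}")
```

The "legacy-iscsi" rule is the kind of exception that quietly turns this design into the fully routed one: it opens TCP 3260, the iSCSI data port, to a network outside the segment.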
Of these four general configurations, my preference is for the first two configurations. There are other ways of architecting the IP part of iSCSI networks, such as using virtual machine consoles or dual-homed systems to administer the management nodes while isolating the segments. Please share your approach to how you build iSCSI networks.