Ok, so this isn’t really UCS related. Just a random thought I had today while working on a lab project… why don’t we have Private VSANs? As in, the same type of technology as Private VLANs (PVLANs)?
First, some background. Standard SAN best practice for access control is to use single-initiator/single-target zoning. This means that there’s one zone for each combination of host and storage, tape, virtualization platform, etc port. Some administrators think this is overkill, and create just a few zones of lots of initiators to single targets, but this is overall a bad idea. The purpose of this post is not to argue for single-initiator zoning, since it’s accepted recommended practice.
Private VLANs provide a method for simplifying access control within a L2 Ethernet domain, restricting access between nodes. Community PVLANs allow communication only between members of the same community, and the promiscuous port(s). This is actually fairly close to the idea of a fibre channel zone, with the distinction that fibre channel doesn’t have promiscuous ports. Isolated PVLANs allow communication only between each individual node and the promiscuous port(s). In a way, you could compare this to having a lot of nodes (initiators) zoned only to a single target node (target) in fibre channel – but without the administrative overhead of zoning.
So, why not combine these approaches? Having the concept of an Isolated Private VSAN would simplify some types of fibre channel deployments, by enforcing recommended practices around access control without the administrative overhead. In a smaller environment, you could simply create an Isolated Private VSAN to contain the ports for a given fabric – set the storage ports as promiscuous, and all node ports would be restricted to connecting only to the storage ports – and prevented from communicating with each other. In fact, I’d imagine that this would be enforced with standard FC zoning (since that’s the hosts are expecting when they query the name server anyway) – really we’d just be automating the creation of the zones. Cisco already does something similar by automatically creating zones when doing Inter-VSAN Routing (IVR).
For slightly larger environments, I could even see adding in the idea of Community Private VSANs – whereby you group initiators and specify specific target (promiscuous) ports per community – without having to add additional VSANs.
Now that I’m thinking out-loud, why not have isolated zones instead? Mark a zone as “isolated”, and tag any necessary WWNs/ports/etc as promiscuous, and enforce the traditional zoning behind the scenes.
True, this approach wouldn’t accomplish anything that traditional VSANs and zoning do not. The implementation would likely have to use traditional zoning behind the scenes. Just as PVLANs aren’t used in every situation, nor would PVSANs, but I could definitely see some use cases here. So what do you think? Am I completely insane? Thoughts, comments, rebukes are all welcome.