HP StorageWorks 1510i Modular Smart Array iSCSI concepts and deployment guide active/active firmware v2.
Legal and notice information © Copyright 2006, 2008 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Contents About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . Intended audience . . . . . . . . . . . Related documentation . . . . . . . . . Document conventions and symbols . . . HP technical support . . . . . . . . . . HP installation and configuration assistance Customer self repair . . . . . . . . . . Product warranties . . . . . . . . . . . Subscription service . . . . . . . . . . HP websites . . . . . . . . . . . . . . Documentation feedback . . . . . . . . . . . . . . . . . . . .
3 MSA1510i configuration options and samples . . . . . . . . . . . . Configuration options . . . . . . . Configuration rules . . . . . . . . . Configuration variables . . . . . . . Example configurations . . . . . . . Example basic configurations . . Basic configuration 1 . . . . Basic configuration 2 . . . . Example advanced configurations Advanced configuration 1 . Advanced configuration 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
About this guide This document outlines some of the unique features and configuration options of the MSA1510i. While the installation documents describe some of the uses and features of the MSA1510i, this document provides detailed configuration examples, multipathing information, networking options, and troubleshooting information.
Document conventions and symbols Convention Element Blue text: Related documentation Cross-reference links and e-mail addresses Blue, underlined text: http://www.hp.
HP installation and configuration assistance Storage management and networking knowledge is required to successfully install this product. If you are not familiar with installing and configuring storage array systems, HP can install your system for you. For more information, access the HP Services website: http://www.hp.com/go/services. Under the Services Portfolio banner, select Infrastructure Services > Network Storage Services.
About this guide
1 iSCSI overview iSCSI is a transport protocol that operates over TCP/IP. The following sections define some industry-standard concepts: • iSCSI protocol overview • iSCSI PDU overview • iSCSI layering overview • iSCSI sessions and TCP connections overview • iSCSI login overview • iSCSI network entities, portals, and nodes overview iSCSI protocol overview NOTE: This section provides a brief, high-level overview of the iSCSI protocol as defined by the Internet Small Computer Systems Interface RFC 3720.
iSCSI PDU overview iSCSI initiators and targets communicate with messages known as iSCSI Protocol Data Units (PDU). An iSCSI PDU has a header and an optional data section. iSCSI PDUs are transported in the TCP segment data area of Ethernet frames. The size of an iSCSI PDU is not dictated by the capacity of the TCP segment data area and an iSCSI PDU does not need to begin at a specific offset within a TCP segment data area.
iSCSI sessions and TCP connections overview In an iSCSI session, communication between an initiator and a target occurs over one or more TCP connections. The TCP connections carry control messages, data digests, SCSI commands, parameters, and data, all encapsulated in iSCSI Protocol Data Units (iSCSI PDUs). The TCP connections that link an initiator with a target, forming an iSCSI session, are comparable to a SCSI I_T nexus.
iSCSI login overview The iSCSI login enables: • A TCP connection for iSCSI use • Authentication of the parties • Negotiation of the session’s parameters • Marking the connection as belonging to an iSCSI session An iSCSI session is established to identify all of the connections between an initiator and a target belonging to the same I_T nexus. Targets listen on a well-known TCP port (3260, as defined in the iSCSI Protocol Specification) or on a user configured TCP port, for incoming connections.
many login keys that are negotiated in the Operational Parameters Negotiation stage of the Login Phase are MaxRecvDataSegmentLength and FirstBurstLength. For example: key=value MaxRecvDataSegmentLength= MaxRecvDataSegmentLength defines the maximum data segment length an initiator or target can receive in an iSCSI PDU (in bytes).
Portal Groups — a set of network portals within a network entity that share network connections and can collectively coordinate an iSCSI session. Target Portal Group — Although iSCSI initiators and iSCSI targets use portal groups to coordinate iSCSI sessions, only target portal groups are used directly in the iSCSI protocol. Target Portal Group Tag (TPGT) — iSCSI portal groups that are associated with target nodes are identified by a numerical target portal group tag ranging from 0 to 65535.
2 MSA1510i overview The MSA1510i is an iSCSI storage target. Depending on the network, MSA1510i LUNs can be organized as one or as multiple virtual storage targets. For communication sessions to take place, identifying names and IP addresses must be defined for each initiator and target. By default, MSA firmware automatically assigns a unique name to each MSA storage target using an industry-standard format.
Rear view 1. 2–Port Ethernet iSCSI module (for the controller in slot 1) 2. Chassis slot diagram 3. Blank for optional 2–Port Ethernet iSCSI module (for the controller in slot 2) 4. Power supply module 2 5. Power supply module 1 6. SCSI I/O module (bus 0) 7. Blank for optional SCSI I/O module (bus 1) 8. Fan module 2 9. Fan module 1 10. Blank for optional SCSI I/O module (bus 2) 11. Blank for optional SCSI I/O module (bus 3) 12. Unused slot NOTE: Each MSA SCSI I/O module has two ports.
MSA1510i network connections Included in this section: • Ethernet ports • Port names • Management ports • Storage ports Ethernet ports The MSA1510i connects to the Ethernet network from its 2-Port Ethernet iSCSI module. There are two 1-Gb Ethernet ports on an Ethernet iSCSI module: • Each port has two Ethernet MAC addresses: one for management traffic and one for storage traffic.
IMPORTANT: Management traffic and iSCSI traffic are handled by separate functional blocks in the system, but HP recommends further isolating management traffic from iSCSI traffic by assigning IP addresses on different subnets and/or using VLAN tags. The following table describes the naming protocol for each Ethernet iSCSI port.
Service Telnet Default TCP port 23 Default state Description Disabled When enabled, any Telnet client can connect to this service to access the MSA1510i command line interface. It should be noted that a path or controller failure will disconnect the session and requires a reconnect by the client application. Note: Because Telnet passwords are not encrypted, this management service in not secure.
Storage ports Two storage ports are available on each MSA controller, for a total of four storage ports in a dual-controller configuration. In contrast with the management port, to which the MSA firmware automatically assigns an IP address, you must manually assign IP addresses to each available storage port. Network storage portals Each storage port may be configured with up to eight IP addresses.
1. Servers (initiators), showing the IP addresses (network portals) of the NICs 2. Ethernet network switch 3. MSA1510i, showing the IP addresses of a storage port 4. MSA1510i, showing the storage portals with their TCP assignments Storage port gateway support If your network uses routers, the MSA1510i can support digests. For more information about setting up the default gateway, see Gateways.
MSA1510i storage targets A storage target is a named iSCSI entity of configured LUNs. The following concepts are discussed in this section: • Recommended configuration sequence • Targets • Target portal groups • Storage LUNs • Mapped storage LUNs • Target security Recommended configuration sequence MSA1510i configuration sequence is important — HP recommends the following sequence: 1. Create one or more portals for each storage port. 2.
Target access A target is accessed through an iSCSI session originating from an iSCSI initiator, with the traffic passing through one or more MSA1510i storage portals. These storage portals are made visible to the available initiators through an iSCSI login discovery process. The MSA1510i supports the standard Send Targets discovery process, as well as SLP and iSNS.
• More complex configurations with multiple initiators need to control access to the storage and usually create multiple LUNs and multiple targets. Each initiator is then granted access to one or more specific targets. Targets may be shared among groups of initiators. For example, the following illustration demonstrates how physical drives might be configured into four LUNs, with three of the LUNs mapped to one target and the remaining LUN mapped, all by itself, to a separate target. 1.
Initiators In iSCSI networking, each server is called an initiator.
NOTE: HP strongly recommends enabling Spanning Tree on the switch ports as a means to identify and dynamically block certain switch ports that could create network loops. The following illustration shows using VLANs in a network with multiple servers to control access to an MSA1510i. A VLAN ID set to “0” or “none” (default) implies that untagged packets are generated by the MSA1510i, and, depending on how the switch is configured, untagged packets may be associated with a VLAN.
Gateways The MSA1510i supports the ability to enter gateway information for the storage ports. If you want to go outside your subnet, you must enter this information in the system route table — you specify the static IP address of the destination network for the storage port to use as a default gateway. With the default gateway, any packets that are going outside of the subnet will go out to the router.
Component MSA1510i Router IP address MA0 management port 192.168.2.1 (default gateway: 192.168.2.25) SA0 192.168.2.2 SA1 192.168.2.3 Port B1 192.168.2.25 Port B2 192.168.1.25 Host 192.168.1.101 MSA CLI commands: 28 nl MSA1510i overview route add sa0 192.168.1.0/255.255.255.0 192.168.2.25 — or — route add sa0 0.0.0.0/0.0.0.0 192.168.2.
3 MSA1510i configuration options and samples Included in this section: • Configuration options • Configuration rules • Configuration variables • Example configurations Configuration options Basic configurations Advanced configurations Number of MSA controllers One Dual Storage traffic On a single LAN segment. Separated into multiple LAN segments by using VLAN tags to isolate traffic.
Configuration rules Rule Network switch • VLANs require support for 802.1q. Network cables • Use only category 5e Certified, or better. Network Interface Cards (NICs) • Use separate GigE NICs for each path; dual-port adapters do not count as separate adapters. • Use only standard GigE NICs. TCP Offload Enabled (TOE) NICs are not supported. If using the latest ProLiant G5 servers with TOE capability, the TOE option with iSCSI offload is currently not supported.
Configuration variables The MSA1510i offers a great deal of configuration flexibility, with different configuration options providing many possible configurations. For example: • Configure the MSA storage into ten LUNs, all mapped to one storage target, resulting in one target. • Configure the MSA storage into ten LUNs, each mapped to a separate target, resulting in ten targets. The following illustration demonstrates how iSCSI concepts pertain to their use on the MSA1510i.
Example configurations Example basic configurations The configurations outlined in the following table and illustrated in this section are examples of the basic capabilities of the standard-shipping, single-controller MSA1510i.
Port IP Address Portal Portal Alias Portal Group Target MA0 100.10.1.1 N/A N/A N/A N/A SA0 100.10.1.10 3260 SA0-3260 PG1-Target1 Target1 SA1 100.20.1.11 3260 SA1-3260 PG1-Target2 Target2 Server 1 NIC port 100.10.1.200 N/A N/A N/A N/A Server 2 NIC port 100.20.1.201 N/A N/A N/A N/A In this example, because only port A0 supports management (MA0), only Server 1 (which is connected to port A0) is able to perform management and configuration tasks.
ACLs are not defined (as in Basic configuration 1), all initiators connected to a port can access all storage targets (and their mapped LUNs) associated with that port. Port IP Address Portal Portal Alias Portal Group Target MA0 100.10.1.1 N/A N/A N/A N/A SA0 100.10.1.10 3260 SA0-3260 PG1-Target1 Target1 SA1 100.20.1.11 3260 SA1-3260 PG1-Target2 Target2 Server 1 NIC 100.10.1.200 N/A N/A N/A N/A Server 2 NIC 100.10.1.201 N/A N/A N/A N/A Server 3 NIC 100.20.1.
Advanced Configuration 1 Advanced Configuration 2 Number of MSA1510i controllers Dual Dual Number of active Ethernet iSCSI storage ports Two Two, with dedicated VLAN Connected to Gigabit Ethernet switch Yes, one per controller, possibly requiring Spanning Tree Protocol (STP) capability Yes, with VLAN capability Number of iSCSI initiators Three Three Number of configured MSA1510i iSCSI targets Two One Use of ACLs Yes Yes Use of VLANs No Yes iSCSI digests enabled No No Use of HP-SIM
Port IP Address Portal Portal Alias Portal Group Target MA0 100.10.1.1 N/A N/A N/A N/A SA0 100.10.1.10 3260 SA0-3260 PG1-Target1 Target1 SA1 100.30.1.10 3260 SA1-3260 PG1-Target2 Target2 MB0 100.20.1.1 N/A N/A N/A N/A SB0 100.20.1.10 3260 SB0-3260 PG2-Target1 Target1 SB1 100.40.1.10 3260 SB1-3260 PG2-Target2 Target2 Server 1 NIC 1 100.10.1.200 N/A N/A N/A N/A Server 1 NIC 2 100.20.1.200 N/A N/A N/A N/A Server 2 NIC 1 100.30.1.
Port IP Address VLAN ID Portal Portal Alias Portal Group Target MA0/MB0 100.50.1.10 2 N/A N/A N/A N/A SA0 100.10.1.10 3 3260 SA0-3260 PG1-Target1 Target1 SA1 100.20.1.10 3 3260 SA1-3260 PG1-Target2 Target2 SB0 100.30.1.10 3 3260 SB0–3260 PG2-Target1 Target1 SB1 100.40.1.10 3 3260 SB1-3260 PG2-Target2 Target2 100.10.1.200 100.30.1.200 3 N/A N/A N/A N/A 100.10.1.201 100.30.1.
authentication is used to verify a password (a shared secret). For more information about CHAP authentication, see Data security. • Access Control Lists (ACLs) should be enabled for the target’s mapped LUNs, with each server granted access to a specific LUN on the target.
4 Multipathing In an iSCSI network, there is the possibility that any component between the server (initiator) and the MSA1510i (target) might fail. These components include Ethernet NICs, switches, cables, and MSA storage ports. To guarantee uninterrupted access to the storage in the event of a failure, a redundant path must exist.
In a failed path scenario, Device Manager will display an odd number of physical devices present in Box 1 while maintaining the same number of multipath devices in Box 2. (Assuming that all multipath devices were intended to have two paths to the physical device.
Port SA0 Port SA1 Port SB0 Port SB1 Target1 Failover to SB0 -------------------------- Failover to SA0 ----------------------- Target2 -------------------------- Failover to SB1 -------------------------- Failover to SB0 The following table describes some additional possibilities: Port SA0 Port SA1 Port SB0 Port SB1 Target3 No failover support No failover support -—----------------------- -------------------------- Target4 -------------------------- -------------------------- No fa
Multipathing
5 Available monitoring tools The MSA1510i is unique in the MSA product family with its integrated configuration utilities and management agents. This section describes the configuration options of these integrated utilities and agents, including: • HP Systems Insight Manager (HP-SIM) • SNMP service settings • Ethernet network traffic or protocol analyzer HP Systems Insight Manager HP Systems Insight Manager (HP-SIM) is useful for managing and monitoring a large number of systems.
Ethernet network traffic or protocol analyzer Free tools are available that can be used to monitor network traffic. Available on the Internet and downloaded to servers in the network, some of these tools have iSCSI support and are useful for troubleshooting simple issues, such as login negotiations.
6 Security Several types of security should be considered when establishing any system. The lack of any one level of security could lead to a failure in the data security of the system. Types of security include: • Physical security • Network security • System security • Data security Each type of security should be used when establishing the network topology of the MSA1510i.
The serial port on the front of the MSA controller does not require an account login to gain access to the administrative command line interface (CLI). If physical security measures limiting physical access to the network devices are not maintained, the MSA and other network devices are open to compromise. In addition, there is only a single account for accessing the SMU, so segmentation among different individuals is not possible.
7 Troubleshooting Problem Cannot connect to SMU management page Cannot connect to the CLI via Secure Shell or Telnet Cannot connect to the CLI via the front serial port Possible cause / solution • • • • • • • • • • Management port is not connected to the network. Wrong IP address or VLAN tag. No IP route from browser to MSA1510i. No IP route from MSA1510i back to browser Browser is on a different VLAN than the MSA1510i management port. HTTP is disabled on the MSA1510i.
Microsoft iSCSI initiator cannot connect to target portal Microsoft iSCSI initiator connects to target portal but does not report any targets • • • • • • • Storage port with target portal is not connected to the network. Wrong IP address or TCP port number. No IP route from the initiator to the MSA1510i target portal. No IP route from the MSA1510i target portal back to the initiator. Initiator is on a different VLAN than the MSA1510i target portal. Bad cable connected to the network.
Network Time Protocol (NTP) is not working • No route to NTP server from MSA1510i management port. • Wrong IP address entered for NTP server. • NTP is not enabled on the Windows Server via the group policy editor. Error message on the front panel LCD • See the MSA1510i Maintenance and Service Guide. Graphics in the Storage Management Utility are not animated • Enable animations to play in Internet Explorer’s Internet Options. Poor performance • Degraded mode arrays or array rebuild.
Troubleshooting
Glossary Alias A user-defined name associated with the iSCSI initiator or target. The alias allows an organization to associate a user-friendly name with the iSCSI Name. However, the alias string is not a substitute for the iSCSI Name. The MSA1510i CLI and SMU generate Aliases for several object, including portals, portal groups, and mapped LUNs. Challenge Handshake Authentication Protocol (CHAP) An authentication technique for confirming the identity of one computer to another.
iSCSI Node A single iSCSI initiator or iSCSI target. There are one or more iSCSI nodes within a network entity. The iSCSI node is accessible via one or more network portals. An iSCSI node is identified by its iSCSI name. The separation of the iSCSI name from the addresses used by and for the iSCSI node allows multiple iSCSI nodes to use the same address, and the same iSCSI node to use multiple addresses. iSCSI Qualified Name (IQN) A name format for iSCSI.
Portal group A group of network portals that may be used together in a session. Protocol Data Unit (PDU) Initiator and targets divide their communications into messages. The term PDU is used for these messages. Session A group of TCP connections that link an initiator with a target. Storage Area Network (SAN) A network of host computers and mass storage devices. Used to share disks and tapes with multiple hosts. SANs move stored data at the block level and have no awareness of file structure.