I am trying to build a 3-node 2008 R2 cluster. Each node has (8) network ports: (2) on the LAN, (2) dedicated to Hyper-V guests and hidden from the host OS, and (4) on an iSCSI SAN network. To allow for iSCSI offload, the nodes' SAN ports are not firewalled at the host OS level. For added security, the network switch on the SAN network has port isolation turned on, so all server ports can talk to the SAN storage but the server ports cannot talk to each other. This prevents a possibly compromised machine from attacking others across the SAN network. The cluster nodes are not the only servers connected to the SAN network. All SAN ports on the host nodes are using IPs on the same private subnet. All LAN ports on the host nodes are using IPs on the same public subnet.
When I try to validate the cluster, it fails, saying that the SAN ports are on the same subnet but cannot ping each other. That is by our design. We only want iSCSI traffic using those ports, and we do not want servers communicating with each other on the SAN network. The nodes can still reach each other on the LAN ports, and that should be enough for validation.
Is there a way to exclude the nodes' SAN ports from the validation test? Is there another way to pass validation?