Solved

How do I validate a 2008 R2 cluster that has an iSCSI network?

Posted on 2010-04-02
Last Modified: 2013-11-14
I am trying to build a 3 node 2008 R2 cluster.  Each node has (8) network ports.  (2) on the LAN, (2) dedicated to Hyper-V guests and hidden from the host OS, and (4) on an iSCSI SAN network.  To allow for iSCSI offload, the node's SAN ports are not firewalled at the host OS level.  For added security, the network switch on the SAN network has port isolation turned on so all server ports can talk to the SAN storage but the server ports cannot talk to each other.  This prevents a possibly compromised machine from attacking others across the SAN network.  The cluster nodes are not the only servers connected to the SAN network.  All SAN ports on the host nodes are using IPs on the same private subnet.  All LAN ports on the host nodes are using IPs on the same public subnet.

When I try to validate the cluster, it fails saying that the SAN ports are on the same subnet but cannot ping each other.  That is by our design.  We only want iSCSI traffic using those ports and we do not want servers communicating with each other on the SAN network.  The nodes can still reach each other on the LAN ports and that should be enough for validation.

Is there a way to exclude the node's SAN ports from the validation test?  Is there another way to pass validation?
Question by:CMES-IT
11 Comments
Expert Comment

by:abelenkiy
ID: 29476893
Change your binding order in the advanced network settings.
Also make sure you configure which network does what (private/public access) in the Failover Cluster Manager.
Author Comment

by:CMES-IT
ID: 29483501
I changed the order in the advanced settings but it did not change the validation results.  It may also be worth noting that I had already removed most of the bindings from the SAN iSCSI NICs.  SMB networking and such had already been removed.  The only bound protocols are those necessary to allow the iSCSI and MPIO to function.

Also, how would I change the settings in the cluster manager if it won't let me create the cluster until it validates?  Or will it?
Expert Comment

by:abelenkiy
ID: 29488251
What about adding an additional NIC that goes to a switch that only has the private networks of each node connected to it, for heartbeat?
Author Comment

by:CMES-IT
ID: 31190965
I am setting up an isolated, private network between the nodes to see if that helps.  I will report back.
Author Comment

by:CMES-IT
ID: 32357894
So, I set up an isolated network and, after struggling to get around the fact that 2008 will not let you choose the firewall profile for networks that do not have a gateway (different story), I was able to set each node up on that network too.

It did not help though.  The new, isolated network passes validation but the SAN network still fails because of the ping.  That, in turn, causes the whole validation to be flagged as failed, even though everything else passes.
Expert Comment

by:msmamji
ID: 32574657
Can you temporarily allow communication between the iSCSI NIC ports and see if it passes?
Accepted Solution

by: msmamji (earned 1500 total points)
ID: 32575076
Have you tried unchecking "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" in the iSCSI NIC properties and checking whether validation passes?
Author Comment

by:CMES-IT
ID: 32593451
"Can you temporarily allow communication between the iSCSI NIC ports and see if it passes?"

I can and it does.  However, if I was to need support from Microsoft, I'm sure one of the first things they would want to do is run the validator.

"Have you tried unchecking the "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" in the iSCSI NIC properties and check if validation passes?"

All protocols that are not needed to support iSCSI have been disabled on the iSCSI NICs, including the SMB networking.
Expert Comment

by:msmamji
ID: 32631632
Can you just allow ICMP traffic on the iSCSI NIC between the servers and check?
I think you will have to make a trade-off here, as it seems to be a limitation you will have to abide by in order to have the cluster validated.

Regards,
Shahid
Author Comment

by:CMES-IT
ID: 32631867
After opening a case with the storage vendor and reviewing as much MS documentation as possible, I'm presented with the only solution being to remove the port isolation from the SAN switches and allow the pings to pass.  My situation is identical in theory to this MS KB:  http://support.microsoft.com/kb/951434.

I would consider this a shortcoming in that validation process since, in the majority of scenarios, cluster traffic will not be passing across the SAN network and the only validation should be whether the nodes can connect to the storage.  Not whether the iSCSI NICs can ping each other.  The reference in the KB that paths to the storage should be on separate subnets if they cannot ping each other is an unrealistic solution in most scenarios since many storage vendors need the same subnet for MPIO.

So, the answer is to make sure all protocols other than TCP/IP are disabled on the SAN NICs, remove the port isolation from the switches, and hope we don't get caught by another "vulnerability in the TCP/IP stack could allow remote code execution."
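An added example, not part of the thread and not from any of the posters, showing how the FailoverClusters PowerShell module that ships with 2008 R2 can narrow the diagnosis described above: run only the Network category to reproduce the failing ping test quickly, then run everything except the node-to-node communication test to confirm the rest of the configuration is clean. The node names are placeholders, and the test name given to -Ignore is an assumption of how it appears in the validation report, so confirm the exact spelling from the -List output first. Skipping a test does not make the cluster fully validated, which is the support concern the author raises; it only separates the SAN ping failure from everything else.

```powershell
# Added example (not from the thread). Assumes Windows Server 2008 R2 with the
# Failover Clustering feature installed and an elevated PowerShell session.
Import-Module FailoverClusters

# Placeholder node names; substitute the real cluster hosts.
$nodes = 'NODE1', 'NODE2', 'NODE3'

# 1. List the available validation tests and categories so the exact names
#    used below can be confirmed rather than guessed.
Test-Cluster -List | Format-Table -AutoSize

# 2. Reproduce the failure quickly: run only the Network category. The report
#    path is returned, so it can be opened to see which test failed and why.
$networkReport = Test-Cluster -Node $nodes -Include 'Network'
$networkReport

# 3. Run every test except the one that needs ICMP between nodes on the shared
#    SAN subnet. 'Validate Network Communication' is the assumed report name of
#    that test; take the real one from step 1. A report with a skipped test is
#    a diagnostic aid, not a passed validation.
$fullReport = Test-Cluster -Node $nodes -Ignore 'Validate Network Communication'
$fullReport
```

Each Test-Cluster call returns the generated HTML report, so keeping the two reports side by side makes it easy to show a storage vendor or support engineer that the only failing item is the switch-enforced isolation on the SAN subnet and not the storage paths or MPIO configuration.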
Author Closing Comment

by:CMES-IT
ID: 32631900
This answer combined with removing the port isolation at the switches allowed validation.