iSCSI Network Ranges (SBS 2011)

We are running SBS 2011 Server, patched and up-to-date.
The server has a five-NIC board.

The internal network is running on 192.168.1.X
We have an iSCSI Drobo that is used for backups.
Ideally I'd like to have it on a different range so that it is not visible from the rest of the network.

But if I put it on 10.0.0.Y the network starts to slow down and I have to disable the iSCSI NIC, whence it regains speed.

Can anyone point me towards best practice and how to successfully install such a device?
edhasted Asked:
Andrej Pirman Commented:
Aha... I think SBS might be a problem! SBS does NOT support 2 NICs, that's your problem. Sorry I missed that in your other post.

Instead, configure 2 IP subnets on a single NIC adapter, put the iSCSI Drobo in the 10.0.0.x range and the rest of the network will not see it by default. It's kinda lousy security, but better than nothing.
edhasted Author Commented:
This has always confused me. I believe that I have had more than one NIC working in SBS 2008 and this has thrown me in 2011.

"Lousy security" - what would you recommend in this configuration?
Andrej Pirman Commented:
Well, if you want to totally isolate the iSCSI Drobo from the rest of the world, then with SBS 2011 (which only allows 1 NIC) the best security is to use VLANs, but as Windows natively does not support that, you are left with a possible driver option, if the NIC manufacturer supports VLANs.
But all of that depends on the iSCSI Drobo, switch and server's NIC possibilities and involves precise configuration.

By "lousy security" I meant that if anybody knows the other IP segment, he/she can see your iSCSI Drobo and possibly also connect to the iSCSI target, which will render your iSCSI drive useless (two or more connections to it will try to lock the drive at the same time, causing a sharing violation).

So to prevent that, do at least the following on the iSCSI Drobo:
- good admin password
- lock the iSCSI target via ACL to only allow Read/Write access for your server's iSCSI initiator, while denying access to any other.
To accomplish that, run the iSCSI initiator interface on your Windows Server, go to the "Configuration" tab and copy the initiator name (something like iqn.1991-05.com.microsoft:yourServerName).
Then go to your iSCSI Drobo and check, under the iSCSI configuration, whether you can create an access policy for this iSCSI target. For example, in QNAP it looks like this, initiator name (server's iSCSI initiator) on top, then iSCSI target on bottom:
[Screenshot: iSCSI masking ACL]
So even if someone tries playing with iSCSI, he/she will not be able to connect to the iSCSI Drobo target and ruin things.

The other method is CHAP authentication, which is just additional password authentication and also serves its purpose.
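
The two controls named in the answer above (initiator-name ACL and CHAP), modelled as a target-side login decision in Python. This is an added example, not part of the original answer and not Drobo's or QNAP's code. The names `ALLOWED_INITIATORS`, `CHAP_SECRETS`, `login_decision`, the CHAP name `backupsrv` and the secret are constructed for illustration. Because the initiator name is a value the client declares, the CHAP step is what actually proves the server's identity.

```python
import hashlib
import hmac
import os

# Constructed sample values (assumptions, not from the original thread).
ALLOWED_INITIATORS = {"iqn.1991-05.com.microsoft:yourservername"}
CHAP_SECRETS = {"backupsrv": b"Constructed-Key1"}  # CHAP name -> shared secret
MIN_SECRET_LEN = 12  # iSCSI calls for >= 96-bit CHAP secrets when IPsec is not used


def chap_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier byte || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def new_challenge():
    """Target side: fresh identifier and random challenge for every login."""
    return os.urandom(1)[0], os.urandom(16)


def login_decision(initiator_iqn, chap_name, ident, challenge, response):
    """Target-side policy: initiator-name ACL first, then CHAP verification."""
    # IQNs are specified as lowercase, so normalise before the ACL lookup.
    if initiator_iqn.lower() not in ALLOWED_INITIATORS:
        return "reject: initiator not in ACL"
    secret = CHAP_SECRETS.get(chap_name)
    if secret is None or len(secret) < MIN_SECRET_LEN:
        return "reject: no usable CHAP secret"
    expected = chap_response(ident, secret, challenge)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, response):
        return "reject: CHAP failed"
    return "accept"


if __name__ == "__main__":
    ident, chal = new_challenge()
    good = chap_response(ident, CHAP_SECRETS["backupsrv"], chal)
    server = "iqn.1991-05.com.microsoft:yourServerName"
    other = "iqn.1991-05.com.microsoft:some-workstation"  # constructed name
    print(login_decision(server, "backupsrv", ident, chal, good))
    print(login_decision(other, "backupsrv", ident, chal, good))
    print(login_decision(server, "backupsrv", ident, chal, b"\x00" * 16))
```

The secret itself never crosses the wire, only the MD5 response to a one-time challenge, which is why the target issues a fresh challenge for each login.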

edhasted Author Commented:
Very many thanks.