UC434S F.00
Student guide
2 of 2
Use of this material to deliver training without prior written permission from HP is prohibited.
Contents
Module 8 - iSCSI
Objectives ... 8 - 1
IP storage ... 8 - 2
IP storage protocols ... 8 - 4
Overview of iSCSI protocol ... 8 - 6
  iSCSI maps SCSI onto a network ... 8 - 7
  Overview of iSCSI protocol ... 8 - 8
iSCSI/FC SAN ... 8 - 10
iSCSI Stack ... 8 - 12
iSCSI encapsulation ... 8 - 13
iSCSI Packet ... 8 - 14
iSCSI Host Driver ... 8 - 15
iSCSI initiators ... 8 - 16
iSCSI Name Support ... 8 - 17
iSCSI Name Structure (1 of 2) ... 8 - 19
iSCSI Name Structure (2 of 2) ... 8 - 21
iSCSI name examples ... 8 - 22
iSNS ... 8 - 23
iSCSI target discovery ... 8 - 25
iSCSI target discovery example ... 8 - 26
iSCSI operations ... 8 - 27
iSCSI authentication ... 8 - 28
iSCSI CHAP examples ... 8 - 29
IP Security ... 8 - 30
iSCSI advantages & disadvantages ... 8 - 31
  P4000 HP StorageWorks iSCSI SAN ... 8 - 32
  HP StorageWorks iSCSI SAN Recommended architecture ... 8 - 33
  Centralized Management Console (CMC) ... 8 - 34
  CMC Navigation ... 8 - 35
  Hierarchical Structure ... 8 - 36
  HP StorageWorks SAN Concepts ... 8 - 37
  Network RAID data mirroring ... 8 - 38
  Configuring an HP StorageWorks SAN ... 8 - 40
  Discovering Storage Nodes ... 8 - 41
  Creating a Management Group ... 8 - 42
  Creating a Cluster ... 8 - 43
  Creating a Volume ... 8 - 44
  Creating a Server ... 8 - 45
  Connecting a Volume to a Server ... 8 - 46
  Final Result ... 8 - 47
Lab activity ... 8 - 48
Module 10 - FCoE/CEE
Objectives ... 10 - 1
  FCoE (Fibre Channel over Ethernet) ... 10 - 2
  CEE (Converged Enhanced Ethernet) ... 10 - 2
FCoE/CEE ... 10 - 4
FCoE ... 10 - 7
FCoE Terminology ... 10 - 9
FCoE integrated with FC SAN fabric ... 10 - 10
OSI, FCoE and FC stacks ... 10 - 11
FCoE encapsulation ... 10 - 12
Lossless Ethernet ... 10 - 14
HP Converged network switches offerings ... 10 - 15
Converged Network Adapters (CNAs) ... 10 - 18
Ethernet Overview ... 10 - 20
CEE Map ... 10 - 22
DCBX (Data Center Bridging eXchange Protocol) ... 10 - 23
VLAN Membership ... 10 - 25
Minimum CEE configuration to allow FCoE traffic flow ... 10 - 27
FCIP, iSCSI & FCoE ... 10 - 29
Storage Support ... 10 - 31
Operating System Support ... 10 - 32
Module 14 - Performance
Objectives ... 14 - 1
SAN performance objectives ... 14 - 2
Performance factors ... 14 - 4
Response time ... 14 - 7
Bus utilization ... 14 - 8
Device utilization ... 14 - 9
SAN performance considerations ... 14 - 11
Latencies ... 14 - 13
ISL oversubscription ... 14 - 15
Hop latency ... 14 - 17
Data Priority Quality of Service ... 14 - 19
Device attachment points ... 14 - 21
Place fastest switches in the core ... 14 - 22
Distance considerations ... 14 - 24
Maintaining performance in an extended SAN beyond 5 or 10 km ... 14 - 25
Distributed fabrics ... 14 - 26
Long distance link modes ... 14 - 27
Extended distance topology ... 14 - 28
Performance Guidelines within the SAN ... 14 - 29
Determining the required bandwidth ... 14 - 30
Drive selection and performance ... 14 - 32
RAID and RAID selection ... 14 - 34
RAID level efficiency ... 14 - 36
Disk Performance ... 14 - 37
Planning a disk system ... 14 - 38
Data caching technologies ... 14 - 41
Write-back caching ... 14 - 43
Write-back cache benefits ... 14 - 45
Effects of cache ... 14 - 47
Application effects on performance ... 14 - 49
Environment profiling ... 14 - 50
Large sequential read environment ... 14 - 51
Server Application ... 14 - 52
Improving performance ... 14 - 56
Comparing VRAID1 and VRAID5 ... 14 - 57
Safe IOPs calculator for production disk group ... 14 - 59
  Safe IOPs calculator Microsoft version ... 14 - 61
EVAPerf ... 14 - 62
End to End monitoring ... 14 - 65
Top talker ... 14 - 66
Lab activity ... 14 - 68
Module 8 - iSCSI
Objectives
IP storage
IP storage can combine the following functions on a single enterprise network, with many of the benefits that Fibre Channel SANs already give us:
  Storage
  Data sharing
  Web access
  Device management using SNMP
  E-mail
  Voice and video transmission
The amount of data stored has been doubling every year, and this has been attributed to the phenomenal growth in software applications such as on-line transactions, e-mail, and the development of complex e-commerce applications. The Internet and corporate intranets drive this growth to an extent where there is an almost mandatory requirement for continuous availability of information in the corporate e-business world. The net effect of this trend has been the duplication of on-line copies of this monumental quantity of data. This increasing appetite to consume disk storage has been met by the disk drive industry doubling the capacity of hard disk drives and reducing the price of storage.
The pervasiveness of the Internet Protocol (IP) through the unprecedented growth of the Internet, together with the increasing demand for disk storage, has led to the question of whether it is possible to use TCP/IP, the networking technology of Ethernet LANs and the Internet, for disk storage.
Such an approach can facilitate a single network for storage, data sharing, web access, device management using SNMP, and e-mail.
Benefits
IP storage has emerged in recent years as networked storage requirements have grown and IP has become firmly established as the predominant general purpose networking protocol. The following are some benefits provided by IP storage:
IP storage protocols
  iSCSI
  iFCP
  FCIP
[Figure: the IP storage protocols in relation to devices, fabric and services]
iSCSI
iSCSI is defined as a SCSI network transport protocol that operates with TCP as the underlying layer to provide a reliable transport with guaranteed in-order delivery. iSCSI encapsulates SCSI protocols into a TCP/IP frame, so that storage controllers can be attached to IP networks.
FCIP tunnels
FCIP tunnels are used to pass Fibre Channel I/O through an IP network. FCIP tunnels are built on a physical connection between two peer switches or blades.
Overview of iSCSI protocol
What is it?
iSCSI is an IETF SCSI transport protocol for mapping of block-oriented storage data over TCP/IP networks. The iSCSI protocol enables universal access to storage devices and Storage Area Networks (SANs) over standard Ethernet-based TCP/IP networks. These networks may be dedicated networks or may be shared with traditional Ethernet applications.
SAN products and storage subsystems. iSCSI became even more interesting once Ethernet started to support higher speeds than Fibre Channel.
iSCSI/FC SAN
[Figure: iSCSI/FC SAN in which servers with IP storage adapters and a server with an FC storage adapter share access to storage devices]
Fibre Channel has provided the principal means for building SANs because of its rich features of high performance, connectivity, and ability to support block-oriented storage protocols. The high throughput is achieved by assigning much of the protocol processing to hardware. Fibre Channel overcomes several scalability issues inherent in SCSI by creating a switched network fabric infrastructure that extends Fibre Channel operating distance to between 10 and 20 km and overcomes device count limitations.
IT managers are concerned about sharing storage traffic and data traffic within a common IP network backbone. The principal concern is that such sharing could lead to congestion bottlenecks. While combining both messaging and storage traffic on a single network is possible, a more practical solution is to segment the IP network infrastructure and move storage and data traffic via different paths. This approach enables customers to protect the investment in IP networking and maximize the efficiencies of moving both types of traffic over a common infrastructure.
The common IP storage network technology for both iSCSI and Fibre Channel connected devices provides the following capabilities and benefits:
  Use of Fibre Channel end systems with proven performance and relative stability
  Pooling iSCSI SANs, Fibre Channel SANs, and network attached storage (NAS) resources over a common IP network for a viable long-term storage strategy
  Peer-to-peer copy
2010 Hewlett-Packard Development Company, L.P.
iSCSI Stack
OSI Model layer                        iSCSI stack
Application / Presentation / Session   SCSI Applications (File Systems, Databases)
                                       SCSI Device-Type Commands: SCSI Block Commands, SCSI Generic Commands
                                       SCSI Commands, Data, and Status
                                       SCSI Transport Protocols: iSCSI
Transport                              TCP
Network                                IP
Data Link / Physical                   Ethernet
iSCSI uses TCP/IP for reliable data transmission over potentially unreliable networks. The iSCSI layer interfaces to the operating system's standard SCSI set and includes encapsulated SCSI commands, data and status reporting capability. When the operating system or application requires a data write operation, the SCSI CDB must be encapsulated for transport over a serial gigabit link and delivered to the target. The iSCSI protocol monitors the block data transfer and validates completion of the I/O operation. This occurs over one or more TCP connections between initiator and target. In practical applications, an initiator can have multiple target resources over an IP network and consequently multiple concurrent TCP connections are active.
The iSCSI protocol maps the SCSI Remote Procedure Call model to the TCP/IP protocol and provides a conceptual layer completely independent of the SCSI CDB information. SCSI commands are transported by iSCSI requests, and SCSI response and status are handled by iSCSI responses. iSCSI protocol tasks are then carried by this same iSCSI request and response mechanism. Following the pattern of the SCSI protocol, iSCSI employs the concepts of initiator, target, and communication messages called protocol data units (PDUs). Likewise, iSCSI transfer direction is defined relative to the initiator. As a means to improve performance, iSCSI allows a phase collapse that lets a command or response and its associated data be sent in a single iSCSI PDU.
iSCSI encapsulation
[Figure: a Layer 2 (Ethernet) frame carrying physical addressing information, followed by the IP header, the TCP header (which provides error correction, sequencing of packets, and identifies the application using the service) and the iSCSI header]
The iSCSI standard stipulates that the protocol must not require modification to the current IP and Ethernet infrastructure to support storage traffic. The iSCSI protocol standard must allow implementations to equal or improve on the current state of the art for SCSI interconnects. The iSCSI protocol:
  Must have low host CPU utilization, equal to or better than current technology.
  Must make it possible to build I/O adapters that handle the entire SCSI task.
iSCSI Packet
[Figure: iSCSI packet layout]
  Ethernet frame: Preamble, Destination, Source, Type, Data (46 to 1500 bytes), CRC; the Data field carries the IP header, the TCP header and the iSCSI PDU
  TCP header fields: Source Port, Destination Port, Sequence Number, Acknowledgment Number, Offset, Reserved, Window, Checksum, Urgent pointer
  Well-known TCP ports shown for comparison: ftp, telnet (23), smtp (25), http (80), iSCSI (3260)
  iSCSI header fields: I bit and Opcode, Opcode-specific fields, header length and data length, LUN or Opcode-specific fields, Initiator Task Tag, further Opcode-specific fields, then the Data Field
The basic system model for iSCSI is that of an extended virtual cable connecting a SCSI initiator device to a SCSI target device. Both the iSCSI initiator and iSCSI target are identified by their IP addresses, which are carried within the iSCSI packet header.
iSCSI Host Driver
[Figure: on the host, Applications, File System, Block Device, SCSI Generic and the iSCSI Driver sit above the TCP/IP Stack, NIC Driver and NIC; across the IP Network an FC/iSCSI bridge (SCSI/TCP Server with SCSI Driver and TCP/IP Driver, FC HBA, GigE NIC) fronts an array, direct connect or SAN; for comparison, a native SCSI Adapter (HBA) with its Adapter Driver connects to a Direct Attached Storage Array]
The iSCSI host driver:
  Uses the host's existing TCP/IP stack, network drivers and network interface card(s) (NIC) to provide the same functions as native SCSI drivers and Host Bus Adapter (HBA) cards
  Functions as a transport for SCSI commands and responses between the host and the iSCSI target on an IP network
iSCSI initiators
[Figure: three classes of iSCSI initiator, labelled Good, Better and Best]
The IP host or iSCSI Initiator uses an iSCSI Driver to enable target resource recognition and attachment to the iSCSI target over IP. The iSCSI initiator is configured with the Gigabit Ethernet IP address of the iSCSI port on the iSCSI target to transport SCSI requests and responses. The iSCSI initiator sees the storage resources (LUNs) as if they were local block-level drives attached directly to the server.
iSCSI Name Support
Each iSCSI initiator (and iSCSI target) must have an iSCSI name.
iSCSI names:
iSCSI Name Structure
The iSCSI name structure is fairly rigid and contains two parts: a type designation followed by a unique name string. The two type designators for iSCSI are:
  iqn.
  eui.
iqn: specifies the use of the iSCSI qualified name as the authority.
Date Code: 2003-02 is the year and month in which the naming authority acquired the domain name used in this iSCSI name. This is used to ensure that when domain names are sold or transferred to another organization, iSCSI names generated by these organizations will be unique.
com.hp is a reversed DNS name, and defines the organizational naming authority. The owner of the DNS name hp.com has the sole right of use of this name as this part of an iSCSI name, as well as the responsibility to keep the remainder of the iSCSI name unique.
server3 was picked arbitrarily by hp.com to identify the server hosting the iSCSI device. The owner of "hp.com" is responsible for keeping this structure unique.
No special characters other than ASCII colons, dots and dashes are allowed, and white space is not allowed. The fully qualified name format enables storage administrators to assign meaningful names to storage devices and manage devices more easily. The unique identifier component can be a combination of department, application, manufacturer name, serial number, asset number, and any tag useful for recognizing and managing a storage resource.
iSCSI name examples
    # cat /etc/initiatorname.iscsi
    ## DO NOT EDIT OR REMOVE THIS FILE!
    ## If you remove this file, the iSCSI daemon will not start.
    ## If you change the InitiatorName, existing access control lists
    ## may reject this initiator. The InitiatorName must be unique
    ## for each iSCSI initiator. Do NOT duplicate iSCSI InitiatorNames.
    ## InitiatorName=iqn.1987-05.com.cisco:01.4f38fd6e357
    InitiatorName=iqn.1987-05.com.cisco:01.rh3u5.Rack20-02
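The name rules from the two preceding sections and the initiatorname.iscsi listing above, as an added Python example that is not part of the HP guide: it splits an iSCSI name into its type designator, date code, naming authority and unique string, rejects names that break the guide's character rule, and pulls the InitiatorName out of a config file so duplicates across hosts can be spotted before a target's access control list rejects them. The sample name iqn.2003-02.com.hp:server3 is assembled from the components the guide describes, the eui. sample is constructed, and the 16-hex-digit eui. length and the 223-byte maximum are taken from RFC 3720 rather than from this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Character rule stated in the guide: letters, digits, ASCII dots, dashes and
# colons only, and no white space at all.
_ALLOWED = re.compile(r"^[A-Za-z0-9.:-]+$")
# Date code: year and month in which the naming authority acquired its domain.
_DATE_CODE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])$")
# One DNS label of the reversed naming authority (com, hp, cisco, ...).
_DNS_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
_MAX_LEN = 223          # assumption: RFC 3720 length limit, not stated in the guide
_EUI_HEX_DIGITS = 16    # assumption: eui. names carry an EUI-64 as 16 hex digits


@dataclass
class IscsiName:
    kind: str                   # "iqn" or "eui"
    date_code: Optional[str]    # e.g. "2003-02" (iqn only)
    authority: Optional[str]    # reversed DNS name, e.g. "com.hp" (iqn only)
    unique: Optional[str]       # text after ':' (iqn) or the hex digits (eui)


def parse_iscsi_name(name: str) -> IscsiName:
    """Validate an iSCSI name and split it into parts; ValueError says why it is invalid."""
    if not _ALLOWED.match(name):
        raise ValueError("only letters, digits, '.', '-' and ':' are allowed (no white space)")
    if len(name) > _MAX_LEN:
        raise ValueError(f"iSCSI names are limited to {_MAX_LEN} bytes")
    if name.startswith("iqn."):
        # iqn.<yyyy-mm>.<reversed domain>[:<unique string chosen by the domain owner>]
        date_code, dot, tail = name[4:].partition(".")
        if not dot or not _DATE_CODE.match(date_code):
            raise ValueError("iqn. must be followed by a yyyy-mm date code and a '.'")
        authority, _, unique = tail.partition(":")
        labels = authority.split(".")
        if len(labels) < 2 or not all(_DNS_LABEL.match(lbl) for lbl in labels):
            raise ValueError("naming authority must be a reversed DNS name such as com.hp")
        return IscsiName("iqn", date_code, authority, unique or None)
    if name.startswith("eui."):
        hex_part = name[4:]
        if len(hex_part) != _EUI_HEX_DIGITS or not re.fullmatch(r"[0-9A-Fa-f]+", hex_part):
            raise ValueError(f"eui. must be followed by exactly {_EUI_HEX_DIGITS} hex digits")
        return IscsiName("eui", None, None, hex_part.lower())
    raise ValueError("unknown type designator; expected 'iqn.' or 'eui.'")


def is_valid_iscsi_name(name: str) -> bool:
    try:
        parse_iscsi_name(name)
    except ValueError:
        return False
    return True


def initiator_name_from_config(text: str) -> str:
    """Return the InitiatorName= value from initiatorname.iscsi-style text, skipping '#' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, eq, value = line.partition("=")
        if eq and key.strip() == "InitiatorName":
            return value.strip()
    raise ValueError("no InitiatorName= line found")


def duplicate_initiator_names(names: Iterable[str]) -> Set[str]:
    """Names used by more than one host: the guide warns these break target access control."""
    seen: Set[str] = set()
    dupes: Set[str] = set()
    for n in names:
        if n in seen:
            dupes.add(n)
        seen.add(n)
    return dupes


# Constructed sample in the format of the guide's /etc/initiatorname.iscsi listing.
SAMPLE_CONFIG = """\
## DO NOT EDIT OR REMOVE THIS FILE!
## InitiatorName=iqn.1987-05.com.cisco:01.4f38fd6e357
InitiatorName=iqn.1987-05.com.cisco:01.rh3u5.Rack20-02
"""

if __name__ == "__main__":
    name = initiator_name_from_config(SAMPLE_CONFIG)
    print(name, parse_iscsi_name(name))
    for candidate in ("iqn.2003-02.com.hp:server3", "eui.02004567A425678D",
                      "iqn.2003-02.com.hp:server 3", "iqn.2003-13.com.hp:server3"):
        print(f"{candidate!r}: valid={is_valid_iscsi_name(candidate)}")
```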
iSNS
Discovery using iSCSI names can be performed using the Internet Storage Name Service (iSNS) or another resource locator. As implied by the structure of iSCSI names, either a distributed or centralized DNS-type lookup facilitates mapping of the iSCSI names required for iSCSI login to actual iSCSI network addresses.
iSCSI target discovery
Discovery allows the iSCSI initiator to find (discover) targets to which it has access. The following discovery methods are valid in an iSCSI environment:
  iSCSI targets are configured on the initiator: the initiator uses a config file containing the target information
  iSCSI initiator queries the target: a SendTargets request is issued to request a list of targets
  Initiator uses Service Location Protocol (SLP) to locate iSCSI targets or an SNS without configuring addresses
  Initiator queries a Storage Name Server (SNS, iSNS) to locate iSCSI targets without configuring addresses
iSCSI operations
[Figure: the iSCSI initiator sends an iSCSI login request to the iSCSI target to initiate an iSCSI session over TCP]
iSCSI authentication
iSCSI authentication provides a mechanism to authenticate iSCSI initiators requesting access to storage devices (targets). Challenge Handshake Authentication Protocol (CHAP) is one authentication method to pass user name and password information between initiator and targets.
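To show what the CHAP exchange described above looks like message by message, here is an added Python simulation of one-way iSCSI CHAP (example code, not from the HP guide): the target issues an identifier and a random challenge, the initiator answers with MD5(identifier || secret || challenge), and the target recomputes the same value and compares, so the secret itself never crosses the wire. The MD5 algorithm is the CHAP_A=5 variant RFC 3720 requires; the target's secret table keyed by initiator user name and the 16-byte challenge length are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# One-way CHAP as negotiated during iSCSI login with CHAP_A=5 (MD5, RFC 1994):
#   target    -> initiator : CHAP_I (one-byte identifier), CHAP_C (random challenge)
#   initiator -> target    : CHAP_N (user name), CHAP_R = MD5(CHAP_I || secret || CHAP_C)
# The target then recomputes CHAP_R from its own copy of the secret and compares.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R for MD5 CHAP: hash of the one-byte identifier, the secret and the challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single byte")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapTarget:
    """Target side: keeps one secret per permitted initiator user name (constructed table)."""

    def __init__(self, secrets: Dict[str, bytes], challenge_len: int = 16):
        self._secrets = dict(secrets)
        self._challenge_len = challenge_len
        self._identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Start a login: a new identifier and a fresh unpredictable challenge, never reused."""
        self._identifier = (self._identifier + 1) & 0xFF
        return self._identifier, os.urandom(self._challenge_len)

    def verify(self, user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        """Recompute the expected CHAP_R for this user and compare in constant time."""
        secret = self._secrets.get(user)
        if secret is None:
            return False  # unknown initiator name: reject without leaking which part failed
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapInitiator:
    """Initiator side: its CHAP user name (commonly its iSCSI name) and its secret."""

    def __init__(self, user: str, secret: bytes):
        self.user = user
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.user, chap_response(identifier, self._secret, challenge)


def chap_login(initiator: ChapInitiator, target: ChapTarget) -> bool:
    """Run the three CHAP messages; True means the target accepts the initiator."""
    identifier, challenge = target.challenge()
    user, response = initiator.respond(identifier, challenge)
    return target.verify(user, identifier, challenge, response)


# Constructed sample: one target that permits one initiator (name built from the guide's parts).
TARGET = ChapTarget({"iqn.2003-02.com.hp:server3": b"long-random-initiator-secret"})

if __name__ == "__main__":
    good = ChapInitiator("iqn.2003-02.com.hp:server3", b"long-random-initiator-secret")
    bad = ChapInitiator("iqn.2003-02.com.hp:server3", b"guessed-secret")
    print("correct secret accepted:", chap_login(good, TARGET))  # True
    print("wrong secret accepted:  ", chap_login(bad, TARGET))   # False
```

Because the challenge and identifier change on every login, a response captured from one login does not verify against the next one.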
IP Security
The maturity of IP based security makes SOIP attractive:
  IKE
  IPsec
  Authentication processes: Kerberos v.5, CHAP, RADIUS, SPKM-1 and SPKM-2
iSCSI advantages & disadvantages
Disadvantages
P4000 HP StorageWorks iSCSI SAN
HP StorageWorks iSCSI SAN Recommended architecture
Unlike a Fibre Channel SAN, all data transfers in an iSCSI SAN go over normal LAN lines. Because of the heavy volume of data transferred in and out of Storage Nodes, HP strongly recommends designing your network with isolated business LAN and storage LAN segments.
In the diagram above, business traffic between user workstations and application servers runs on a corporate LAN. All SAN traffic runs on a separate storage LAN. The application servers connect to both LAN segments, making them accessible to both users and the SAN.
Because the CMC must communicate directly with Storage Nodes, it cannot be located only on the business LAN. There are two common configuration choices: either dedicate a management system to CMC use and connect the system directly to the storage LAN (as shown above), or install the CMC software on one of the application servers and access it remotely from any system on the business LAN. The first solution offers better security; the second solution is more flexible and convenient.
Centralized Management Console (CMC)
The CMC is the primary interface for configuring and managing the Storage Nodes in the SAN. This slide shows the areas of interest in the CMC interface.
The Launch Pad opens in the Content Pane when you run the Centralized Management Console (CMC) for the first time. The Launch Pad offers several Wizards to simplify the SAN setup process. For example, you can select the Find Nodes Wizard in the Content Pane to locate the Storage Nodes available on your network.
CMC Navigation
The CMC displays different entities such as Management Groups, Storage Nodes, Clusters, and Volumes in the Navigation Pane. Entities also have sub-entities or attributes that allow you to configure the entities.
Simply expand the navigation tree by clicking the + next to an entity; this opens the entity and, if appropriate, logs you in.
Hierarchical Structure
The Navigation Pane displays the objects and configuration options you will use to set up the SAN. In this slide you can see a Management Group (called MG1) that contains several configuration options and a cluster (C1) with two Storage Nodes. Select any of these objects to open and edit them.
HP StorageWorks SAN Concepts
SAN/iQ is the control software running on the Storage Nodes. It controls all low-level data management such as disk striping, data replication across Storage Nodes, and communication with the application servers. You do not normally interact directly with SAN/iQ, but it controls all operations in the SAN.
CMC is the management interface you will use to communicate with SAN/iQ and configure the SAN. When you first run CMC, you will tell CMC to find the available Storage Nodes in your network. CMC will add them into an Available Nodes pool.
You will then create Management Groups, which collect Storage Nodes into an entity where they can be managed.
Within the Management Group you will create Clusters, which contain a subset of the Storage Nodes in the Management Group. Clusters distribute data across all Storage Nodes for increased performance and data protection.
You carve out Volumes (LUNs) from the space in a Cluster. Once you have created your desired Volumes you can present them to remote application servers, snapshot them (make point-in-time images available for later access), and do other operations on them.
Network RAID data mirroring
This slide illustrates one form of data distribution and protection used in HP StorageWorks SAN: volume mirroring. This function is called Network RAID because it operates very much like RAID in a disk controller, but using Storage Nodes instead of individual disks.
The first example above uses Network RAID-0. In hardware RAID, RAID-0 stripes data across multiple disks for higher performance. In the same way, Network RAID-0 stripes data blocks across multiple Storage Nodes. Block B1 goes onto the first Storage Node, block B2 goes onto the second node, and so on.
Hardware RAID-0 provides no protection against data loss, and the same is true for Network RAID-0. You can instead use Network RAID-10, which provides varying levels of data replication across the SAN. The second example above uses Network RAID-10 with 2-way mirroring. Each block is written to two separate Storage Nodes, so any single Storage Node can fail without loss of data. SAN/iQ supports 2-way mirroring with no performance penalty, since it writes to two Storage Nodes simultaneously.
SAN/iQ also supports 3-way mirroring (as shown in the third example) and 4-way mirroring. 4-way mirroring is particularly useful for high-availability multi-site installations. You can configure the SAN to have two copies of each data block at each of two different geographical locations. Thus you could lose access to one of the sites, and even lose one of the Storage Nodes at the remaining site, without losing access to your data.
SAN/iQ also supports network RAID with parity, called Network RAID-5 and Network RAID-6. Network RAID-5 writes 4 blocks of data and 1 block of parity across a minimum of 5 Storage Nodes, and can survive the loss of any single Storage Node. Network RAID-6 writes 4 blocks of data and 2 copies of parity blocks across a minimum of 6 Storage Nodes, and can survive the loss of any two nodes.
Configuring an HP StorageWorks SAN
The steps above will configure the SAN and present volumes to target application servers. These steps are explained in detail in the following slides.
Discovering Storage Nodes
After launching the CMC, you must find the Storage Nodes in your network. CMC has several methods to accomplish this.
Creating a Management Group
When your CMC has found your Storage Nodes, you can collect them into Management Groups. Management Groups have several functions that are beyond the scope of this example. You just need to create a Management Group so you can allocate some of your storage into Volumes.
Creating a Cluster
The Management Group is created by using a Wizard interface. This Wizard also steps you through creating your first Cluster and Volume. The main operation in Cluster creation is to choose which Storage Nodes are to be included in the Cluster.
Creating a Volume
The Wizard next steps you through creating the first Volume. At this point the name and size of the Volume, and the Cluster in which its storage resides, are specified.
At this point you can also specify the data protection level (Network RAID) for the Volume, and whether the Volume is Thin Provisioned or Fully Provisioned. A Thin-Provisioned volume consumes only enough space in the Cluster to hold the data currently in the Volume. The Volume grows as needed as new data is written to it, up to the maximum size specified at Volume creation time.
Creating a Server
SAN/iQ uses objects called Servers to represent the connection between a Volume and its target application server(s). After a volume is created, a server object is created which is used to specify the application server that is allowed to connect to it.
Connecting a Volume to a Server
Now that you have created both the Server and the Volume, you can connect them by choosing either the Server or the Volume; that completes the SAN configuration.
At this point you must go to the application server and configure the iSCSI Initiator to point to the SAN Volume. Once the iSCSI Initiator connects to the Volume, the Volume becomes visible to the server OS. Mount the volume, using the appropriate process for your OS, and you are ready to access the SAN from your applications.
Final Result
Lab activity
Module 8, Lab 1 - iSCSI LUN Mapping
uc434s c.01 2009 Hewlett-Packard Development Company, L.P.
Module 9 - SAN extension
Objectives
Distance
IP technologies extend the leverage of an installed SAN to new constituents
Stranded remote servers
The growing need for storage across the business community, coupled with the bandwidth now available from IP networks and wavelength division multiplexing (WDM), is making SAN extension an increasingly attractive way to grow the storage network. With SAN extension, users can connect data centers at opposite ends of a campus, a metropolitan area or a wide-area network. The challenge is to do so at full wire speed, with the same reliability and availability as storage traffic within each data center.
IP technologies extend the leverage of an installed SAN to new constituents through:
Shared tools
Integrated solutions
Long-wave transceivers
FCIP
iFCP
iSCSI
[Slide figure: SAN extension distances. Optical (campus, metro, regional; ONS15454): ~100 km at 1G with long-wave optics, 200 km HP limit, 250 km with 256 BB_Credits at 2 Gb/s, 500 km with 256 BB_Credits at 1 Gb/s; further tick marks at ~320 km, ~500 km, ~1400 km (2G) and ~2800 km. IP (national, global; FCIP): ~20,000 km (1G).]
Optical Small Form-factor Pluggable (SFP) transceivers are available in short- and long-wavelength versions. The 4 Gb/s and 2 Gb/s transceivers are small form-factor pluggables (SFPs) and use LC-style connectors. The 1 Gb/s transceivers can be LC SFPs or gigabit interface converters (GBICs), which use SC-style connectors.
Short-wavelength transceivers transmit at 850 nm and are used with 50 µm or 62.5 µm multimode fiber. For distances greater than several hundred meters, long-wavelength transceivers are used with 9 µm single-mode fiber and typically operate at 1310 nm or 1550 nm.
Optical transceivers often provide monitoring capabilities that can be viewed through the FC switch management tools, allowing some diagnostics of the transceiver itself.
8 Gb/s SFPs require a license on the Brocade 300, 5100 and 5300 switches. Without the 8G license, even with the correct 8G SFP installed, the maximum speed at which the port will operate is 4 Gb/s. Once the license has been obtained and installed on the switch, run portdisable and portenable on the individual ports, or switchdisable and switchenable for all ports, to bring up 8 Gb/s operation.
Long-wave transceiver options: 10 km GBIC, 100 km GBIC, 10 km SFP, 35 km SFP.
CWDM is much less costly than DWDM because its channel spacing is 20 nm, so the optics need to be far less precise.
CWDM provides 8 channels between two CWDM multiplexers over a single fiber pair.
CWDM multiplexers are usually unpowered devices containing a precise prism that multiplexes 8 separate wavelengths of light onto a single fiber pair. Maximum distance is approximately 100 km.
HP offers a CWDM solution that uses concepts similar to Dense Wavelength Division Multiplexing (DWDM) but is less expensive, less expandable (maximum eight channels) and works over distances up to 100 km. CWDM allows up to eight 1 Gb/s or 2 Gb/s channels (colors) to share a single fiber pair; each channel uses a transceiver of a different wavelength. The channels are networked with wavelength-specific add-drop multiplexers to build ring or point-to-point topologies.
Note: HP supports the use of all CWDM products as Fibre Channel ISLs provided the CWDM equipment is configured for 1 Gb/s or 2 Gb/s data rates (distances up to 100 km) or 4 Gb/s (up to 40 km). HP does not implement time division multiplexing or any other conversion method that alters the data links other than multiplexing different wavelengths.
A single fiber pair connecting two FC switches through an ISL provides a single channel (one wavelength of light) between the two switches.
DWDM enables up to 80 channels to share a single fiber pair by dividing the light into discrete wavelengths (lambdas) separated by approximately 1 nm around the 1550 nm wavelength.
Wavelength Division Multiplexing devices can be used to extend the distance between two Fibre Channel switches. These devices are transparent to the switches and do not count as an additional hop. The only consideration needed to accommodate them is to have enough buffer-to-buffer credits for the distance.
Adding dense or coarse wavelength division multiplexing (DWDM/CWDM) to basic Fibre Channel allows greater distances between sites than long-distance GBICs and SFPs. The difference between a WDM configuration and a basic fiber configuration is the addition of a multiplexer on each side of the intersite link.
When using WDM, consider the following:
Always ensure the WDM installation conforms to vendor specifications. Performance is affected by distance and by the buffer-to-buffer credits available on the Fibre Channel switch. Switch vendors may limit the maximum distance between sites and apply additional configuration rules for WDM configurations.
Connecting the switch to the WDM unit typically requires one multimode fiber switch-to-WDM interface cable per wavelength.
Note: Switches may require an Extended Fabric license.
Time Division Multiplexing (TDM) takes multiple client-side data channels, such as FC, and maps them onto a single higher-bit-rate channel for transmission on a single wavelength. TDM used in conjunction with a WDM solution provides additional scalability and bandwidth utilization. However, because TDM sometimes relies on certain FC primitives to maintain synchronization, it may require extra configuration when extended fabrics are enabled. By default, Extended Fabrics E_Ports use ARB primitives (specific to Virtual Channels) as fill words between frames, whereas the majority of TDM devices require IDLEs as fill words. Configuring a B-Series switch to use R_RDY flow control remedies this and enables interoperability. The Remote Switch option is enabled with the portcfgislmode command (mode 1) on all switch models running Fabric OS 3.1 and above.
Note: A license is required for switch models that use 2.x firmware.
Note: HP Continuous Access products are not supported with WDM products that implement active protocol handling.
Note: HP CWDM Multiplexer solutions are not supported on B-Series and M-Series switches.
B-Series switch products: all Brocade WDM-certified products, listed by Brocade switch or router model number, are supported. The Brocade Data Center Ready Compatibility Matrix can be viewed at the following address:
http://www.brocade.com/data-center-best-practices/resource-center/index.page
Note: HP supports the use of all WDM products as Fibre Channel ISLs provided the WDM equipment is configured for 1 Gb/s data rates up to 500 km, 2 Gb/s up to 250 km, 4 Gb/s up to 100 km or 8 Gb/s up to 40 km. HP does not implement time division multiplexing or any other conversion method that alters the data links other than multiplexing different wavelengths.
FCIP
The Fibre Channel over IP (FCIP) protocol connects switches over a GbE-based network.
FCIP encapsulates Fibre Channel frames into IP packets and tunnels them through an existing IP network infrastructure to transparently connect two or more SAN fabrics. The IP tunnel acts as a dedicated link that carries the Fibre Channel data stream over the IP network while maintaining full compatibility with the Fibre Channel SAN.
FCIP gateways perform the encapsulation of Fibre Channel frames into IP packets and reverse the process at the other end.
Fibre Channel switches (B-Series and M-Series) connect to the FCIP gateways through an E_Port for SAN fabric extension to remote locations. C-Series switches use plug-in modules for FCIP functionality.
A tunnel connection is set up through the existing IP network routers and switches across the LAN, MAN or WAN.
The example shows a configuration that connects Fibre Channel SANs using an Internet Protocol (IP) intersite link.
Note: The gateways at either end of the link must be from the same gateway family to ensure interoperability. Refer to the Continuous Access Data Replication Manager SAN Extension Reference Guide for details.
[Slide figure: FCIP protocol stack. Fibre Channel side: FC-2, FC-1, FC-0, Physical. IP network side: FCIP, TCP, IP, Link, Physical. FC-2 frames from one fabric are carried by the FCIP layer over TCP/IP to the FC-2 layer at the other end.]
FCIP frame
[Slide figure: Eth | IP | TCP | FCIP | SOF | FC Hdr | FC payload | CRC | EOF. The original Fibre Channel frame (SOF, FC header, FC payload, CRC, EOF) is carried unchanged inside the FCIP payload.]
Before an FC frame can be sent via FCIP over a Gigabit Ethernet link, the transmitting FCIP port encapsulates it in the payload of each of the four protocols in the stack: FCIP, TCP, IP and Ethernet. The receiving FCIP port strips the Ethernet, IP, TCP and FCIP headers in turn, reassembles the FC frame if it was split across several packets in transit, and then forwards the FC frame into the fabric and onward to its destination.
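Added example (my own code, not from the course or from any gateway vendor): a Python encoder and TCP-stream reassembler for the FCIP encapsulation described above. The 28-byte encapsulation header, the four-byte SOF/EOF encoding and the FCIP protocol number follow my reading of RFC 3643 and RFC 3821; the SOF/EOF code values (0x2E for SOFi3, 0x42 for EOFt), the simplified timestamp packing and the sample FC frame bytes are assumptions or constructed data. The point the example adds is that TCP delivers a byte stream, so the receiver must find frame boundaries from the header's length field, and it should validate the ones-complement copies of every header field before trusting that length; a single corrupted or tampered byte in the length would otherwise desynchronize every following frame on the connection.

```python
"""FCIP frame encapsulation and TCP-stream reassembly (added example)."""
import struct
import time

FCIP_PROTOCOL = 1            # assumption: FCIP protocol number per RFC 3821
FCIP_VERSION = 1             # assumption: encapsulation version per RFC 3643
SOF_I3, EOF_T = 0x2E, 0x42   # assumption: SOF/EOF codes as listed in RFC 3643
HDR_LEN = 28                 # encapsulation header: seven 32-bit words
MIN_WORDS = (HDR_LEN + 4 + 24 + 4 + 4) // 4   # header + SOF + FC header + CRC + EOF


def _ones(value, bits=8):
    """Ones-complement of a field; the header carries one next to each field."""
    return (~value) & ((1 << bits) - 1)


def _code4(code):
    """SOF/EOF are sent as four bytes: code, code, ~code, ~code."""
    return bytes([code, code, _ones(code), _ones(code)])


def _check4(quad, what):
    if not (quad[0] == quad[1] and quad[2] == quad[3] == _ones(quad[0])):
        raise ValueError(f"corrupt {what} encoding {quad.hex()}")
    return quad[0]


def build_header(frame_words, pflags=0, timestamp=None):
    """28-byte header: word 1 repeats word 0, word 2 carries pFlags, word 3 carries
    flags and the total length in words, each paired with its complement. The CRC
    word is zero for FCIP because the FC frame keeps its own CRC. Timestamp packing
    (integer and fraction of seconds) is a simplification of the SNTP-style field."""
    if timestamp is None:
        timestamp = time.time()
    word0 = struct.pack("!BBBB", FCIP_PROTOCOL, FCIP_VERSION,
                        _ones(FCIP_PROTOCOL), _ones(FCIP_VERSION))
    word2 = struct.pack("!BBBB", pflags, 0, _ones(pflags), _ones(0))
    flags_len = (0 << 10) | frame_words        # Flags (6 bits, CRCV clear) | length (10 bits)
    word3 = struct.pack("!HH", flags_len, _ones(flags_len, 16))
    secs = int(timestamp)
    frac = int((timestamp - secs) * (1 << 32)) & 0xFFFFFFFF
    return word0 + word0 + word2 + word3 + struct.pack("!II", secs & 0xFFFFFFFF, frac) + bytes(4)


def encapsulate(fc_frame, sof=SOF_I3, eof=EOF_T, timestamp=None):
    """Wrap one complete FC frame (24-byte header + payload + 4-byte CRC) for transmission."""
    if len(fc_frame) < 28 or len(fc_frame) % 4:
        raise ValueError("FC frame must be word aligned and at least header + CRC")
    words = (HDR_LEN + 4 + len(fc_frame) + 4) // 4
    if words >= 1 << 10:
        raise ValueError("frame too long for the 10-bit length field")
    return build_header(words, timestamp=timestamp) + _code4(sof) + fc_frame + _code4(eof)


def parse_header(hdr):
    """Validate every redundant field before the length is used to cut the stream."""
    if len(hdr) < HDR_LEN:
        raise ValueError("short header")
    w0, w1, w2, w3 = hdr[0:4], hdr[4:8], hdr[8:12], hdr[12:16]
    proto, ver, nproto, nver = w0
    if (proto, ver) != (FCIP_PROTOCOL, FCIP_VERSION) or nproto != _ones(proto) or nver != _ones(ver):
        raise ValueError("bad protocol/version word")
    if w1 != w0:
        raise ValueError("word 1 must replicate word 0 for FCIP")
    pflags, rsvd, npflags, nrsvd = w2
    if npflags != _ones(pflags) or nrsvd != _ones(rsvd):
        raise ValueError("bad pFlags word")
    flags_len, nflags_len = struct.unpack("!HH", w3)
    if nflags_len != _ones(flags_len, 16):
        raise ValueError("bad flags/length word")
    words = flags_len & 0x3FF
    if words < MIN_WORDS:
        raise ValueError("length too small to hold an FC frame")
    return words, flags_len >> 10, pflags


def decode_frame(encapsulated):
    """Return (sof_code, fc_frame, eof_code) after checking the SOF/EOF encodings."""
    sof = _check4(encapsulated[HDR_LEN:HDR_LEN + 4], "SOF")
    eof = _check4(encapsulated[-4:], "EOF")
    return sof, encapsulated[HDR_LEN + 4:-4], eof


class FcipStream:
    """Reassembles encapsulated frames from a TCP byte stream delivered in arbitrary
    chunks. A header that fails validation is treated as fatal: the only safe
    recovery is to drop the TCP connection and re-establish the link."""

    def __init__(self):
        self.buf = bytearray()
        self.frames = []

    def feed(self, chunk):
        self.buf += chunk
        while len(self.buf) >= HDR_LEN:
            words, _flags, _pflags = parse_header(bytes(self.buf[:HDR_LEN]))
            total = words * 4
            if len(self.buf) < total:
                return                      # wait for the rest of this frame
            self.frames.append(decode_frame(bytes(self.buf[:total])))
            del self.buf[:total]


def sample_fc_frame(payload=b"\x11\x22\x33\x44"):
    """Constructed FC frame for demonstration: 24-byte FC header, payload, 4-byte CRC.
    The header and CRC bytes are placeholders; a gateway forwards both unchanged."""
    fc_header = b"\x02" + b"\x01\x02\x03" + b"\x00" + b"\x01\x02\x04" + b"\x08" + bytes(15)
    return fc_header + payload + b"\xde\xad\xbe\xef"


if __name__ == "__main__":
    stream = FcipStream()
    wire = encapsulate(sample_fc_frame()) + encapsulate(sample_fc_frame(bytes(8)))
    for i in range(0, len(wire), 5):        # deliver in 5-byte pieces, as TCP may
        stream.feed(wire[i:i + 5])
    print(len(stream.frames), "frames reassembled")
```

Feeding the stream in five-byte pieces shows the reassembly path; flipping one bit of the length byte (offset 13) makes `parse_header` raise instead of cutting the stream at a wrong boundary.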
[Slide figure: an FC Entity and an FCIP Entity with multiple FCIP_LEPs (Link End Ports) at each site; FC frames pass from the FC Entity through the FCIP_LEPs into tunnels 1-8 across the IP WAN to the FCIP_LEPs and FC Entity at the other site.]
FC Virtual Channels and FCIP tunnels are similar in concept, but an FCIP tunnel additionally requires IP addresses, a TCP port and its parameters, QoS information, and the expected WWN of the device at the other end of the link. With this information the FC Entity and the FCIP Entity together form the interface between an FC fabric and an IP network.
The FC Entity contains FC-specific components such as Field Programmable Gate Arrays (FPGAs). The FPGA determines whether compression or decompression is required for a frame and, if so, forwards it to the relevant circuitry; it also handles TxID translation, which ensures that each IP packet is delivered to the correct TCP connection on the correct GbE port.
Protocol exchanges on the IP network are the responsibility of the FCIP Entity, which contains the FCIP control components, the FCIP Link End Ports (FCIP_LEPs) and an FCIP Data Engine (FCIP_DE). The control components handle FCIP protocol exchanges on the network, each FCIP_LEP terminates one end of a TCP connection and pairs with the FCIP_LEP at the other side, and the FCIP_DE handles FC frame encapsulation, de-encapsulation and transmission. Once the tunnel is created and the FC frame is on the network, normal IP routing applies.
By default, the FCIP feature creates two TCP connections for each FCIP link.
The other connection is used only for Fibre Channel control frames, that is, switch-to-switch protocol frames (all Class F). This arrangement provides low latency for control frames, because they do not queue behind data frames.
Note: TCP port 3225 is used for FCIP Class F traffic and TCP port 3226 for Class 2 and Class 3 traffic.
FCIP performance
Packet loss and congestion go together: congestion is the prime cause of packet loss in a network, and any lost packet must be retransmitted. Packet loss significantly degrades FCIP performance, because the loss must first be detected through the receiver's acknowledgements before a retransmission can take place, and the FC frames behind the lost segment wait until it arrives.
Each FCIP circuit is assigned a metric, which is used in managing load leveling
and failover for FC traffic. FCIP Trunking uses the metric to determine if a circuit
is to be used for load leveling or failover.
2010 Hewlett-Packard Development Company, L.P.
Adaptive Rate Limiting (ARL) applies a minimum and a maximum traffic rate to an FCIP circuit and lets traffic demand and WAN connection quality determine the actual rate between them. As traffic increases the rate grows towards the maximum; as traffic subsides the rate falls back towards the minimum. If traffic is flowing error-free over the WAN the rate grows towards the maximum; if TCP reports an increase in retransmissions the rate reduces towards the minimum.
Network speeds
When sending data over fiber, the one-way transmission time is approximately 5 microseconds per km of optical cable. Because a SCSI write needs a minimum of four one-way trips (command, transfer ready, data and response), this translates to a total transmission delay per command of 20 microseconds per km, or about 32.2 microseconds per mile. For example, if a remote site is located 150 miles from the local site, the total propagation time is 4,830 microseconds (4.83 milliseconds) for every data transfer. Because a typical I/O operation on a non-Data Replication Manager (DRM) configuration with write-back cache takes approximately 500 microseconds, long distances can have a significant effect on performance.
Note: The preceding calculations for a link of 150 miles do not include any latency induced by the FC-to-IP conversions or by the routers and switches in the network.
Additional I/Os, either from additional LUNs on the same controller or from a different controller, require additional bandwidth. Care must be taken to understand this principle.
Adding bandwidth to a given link at a given distance will not reduce the time it takes to complete an I/O operation. It will, however, allow you to add I/Os from different LUNs, thereby consuming the available bandwidth. Conversely, if a link is not given enough bandwidth, the number of I/Os per second will decrease, possibly to the point of failure.
Note: The time it takes an I/O to complete is more complex than this example, and there are additional factors involved. This discussion is intended to show the importance of distance latency in the time it takes to complete an I/O operation.
Example 1: 1.0 MB link
Link bandwidth: 1.0 MB/s
Write size: 8 KB
Available bandwidth divided by the size of an I/O gives the maximum I/Os per second: 1.0 MB/s ÷ 8 KB per I/O = 125 I/Os per second.
Example 2: 50 miles of latency
Distance: 50 miles (80 km)
Latency: 8 µs/mile (5 µs/km)
Write size: 8 KB
Latency for 1 I/O per mile: 4 trips × 8 µs/mile = 32 µs per mile, so 50 miles adds 1,600 µs to each I/O.
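As an added example (my own code, not from the course), the calculation above generalized into a small model: the per-write time at a given distance, the I/O rate that latency alone permits, the rate the link bandwidth permits, and how many concurrent I/O streams (extra LUNs or controller pairs) it takes before the link rather than the distance becomes the limit. The constants are the text's figures (5 µs/km one way, four one-way trips per write, about 500 µs for a local write-back-cache I/O); treating MB as 10^6 bytes and KB as 10^3 bytes to match the text's 125 I/Os per second arithmetic is an assumption.

```python
"""Distance latency versus link bandwidth for SAN extension I/O (added example)."""
import math

ONE_WAY_US_PER_KM = 5.0        # propagation delay in fibre, from the text
KM_PER_MILE = 1.609344
CROSSINGS_PER_WRITE = 4        # FCP_CMND, FCP_XFER_RDY, FCP_DATA, FCP_RSP
LOCAL_IO_US = 500.0            # assumption: typical local write-back-cache I/O time from the text


def propagation_delay_us(distance_km, crossings=CROSSINGS_PER_WRITE):
    """Time one SCSI write spends in flight on the fibre at this distance."""
    return distance_km * ONE_WAY_US_PER_KM * crossings


def io_time_us(distance_km, crossings=CROSSINGS_PER_WRITE, local_us=LOCAL_IO_US):
    """Elapsed time for one write: local service time plus propagation delay.
    Link bandwidth does not appear here, so adding bandwidth never shortens it."""
    return local_us + propagation_delay_us(distance_km, crossings)


def latency_bound_iops(distance_km, outstanding=1, crossings=CROSSINGS_PER_WRITE):
    """I/Os per second for `outstanding` independent streams that each keep one
    write in flight and wait for its completion before issuing the next."""
    return outstanding * 1_000_000 / io_time_us(distance_km, crossings)


def bandwidth_bound_iops(link_bytes_per_s, io_bytes):
    """I/Os per second the link can carry regardless of distance."""
    return link_bytes_per_s / io_bytes


def max_iops(distance_km, link_bytes_per_s, io_bytes, outstanding=1,
             crossings=CROSSINGS_PER_WRITE):
    """Achievable rate is the lower of the two limits."""
    return min(latency_bound_iops(distance_km, outstanding, crossings),
               bandwidth_bound_iops(link_bytes_per_s, io_bytes))


def streams_to_fill_link(distance_km, link_bytes_per_s, io_bytes,
                         crossings=CROSSINGS_PER_WRITE):
    """Concurrent streams needed before the link, not the distance, is the limit."""
    return math.ceil(bandwidth_bound_iops(link_bytes_per_s, io_bytes)
                     / latency_bound_iops(distance_km, 1, crossings))


if __name__ == "__main__":
    for miles in (0, 50, 150, 500):
        km = miles * KM_PER_MILE
        print(f"{miles:4d} mi: {io_time_us(km):7.0f} us per write, "
              f"{max_iops(km, 1e7, 8e3):6.1f} IOPS with one stream on 10 MB/s, "
              f"{streams_to_fill_link(km, 1e7, 8e3)} streams to fill the link")
```

Running it reproduces the text's numbers (about 4,830 µs of propagation at 150 miles; 125 I/Os per second on a 1.0 MB/s link with 8 KB writes) and shows the point made above: at 80 km a single stream is latency bound at roughly 476 writes per second whether the link is 10 MB/s or 100 MB/s, and it takes three concurrent streams to consume a 10 MB/s link.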
In summary, when an IP network is used between local and remote sites that are many miles apart, the speed of light through fiber can cause unacceptable delays in the completion of an I/O transaction. Increasing the available bandwidth cannot solve this problem. Give careful consideration to these factors when matching your needs to a particular application.
A basic SCSI read is simple: the SCSI initiator sends a request for data and the SCSI target responds with all of the requested data, without further acknowledgements or round trips across the connection. A SCSI write is more involved, because it requires two round trips between the SCSI initiator and target. Before an initiator is allowed to send any data, it must first notify the target of the impending write so that the target can check whether space is available in its receiving buffer; the target responds with a transfer ready message if space is available. When a SCSI initiator intends to write an Information Unit (IU), it sends the command (FCP_CMND), as a sequence within the exchange, to the SCSI target indicating the size of the write. The SCSI target then responds with a transfer ready sequence (FCP_XFER_RDY) specifying how much data the initiator is allowed to transfer, which is usually the size of the entire write. After all the data has been transferred, the target sends the command completion sequence (FCP_RSP) back to the initiator, acknowledging that it has received and stored all of the data written by the initiator. Upon receipt of that response the write is complete.
When long distances and significant latencies exist between target and initiator, SCSI write operations can involve multiple handshake messages between target and initiator to transfer a SCSI write data sequence (FCP_DATA) from the initiator to the target.
When a SCSI write is performed over distance, each additional round trip between the SCSI application client and the device server adds to the time needed to complete the overall write. This results in degraded application performance. Unless measures are taken to mitigate the impact of latency, storage data transfers over more than a few kilometres will suffer to a degree considered unacceptable for a large number of storage applications.
Brocade Fastwrite
The Brocade FastWrite feature is designed to overcome the latency effects of SCSI write operations without compromising data integrity or security. FastWrite allows the entire data sequence of the SCSI operation to be transported across the link without waiting for the transfer ready command (FCP_XFER_RDY) to travel back across the high-latency environment.
When a write operation is detected, the Brocade 7500 SAN Router forwards the write command to the target in the standard way, so commands are delivered to the target in the same order in which they were issued by the initiator. At the same time the Brocade 7500, acting as a virtual target, immediately issues an FCP_XFER_RDY sequence to the initiator, prompting it to transmit the entire data sequence (FCP_DATA) for the write. The Brocade 7500 transfers the data across the high-latency environment to the remote SAN Router. The remote target device then interacts with the remote SAN Router, which acts as a virtual initiator: the FCP_XFER_RDY issued by the target is handled directly by the remote SAN Router, as if the router were the real initiator, and the router supplies the buffered data. With FastWrite alone the FCP_RSP completion still comes from the real target, so the initiator is not told that a write has completed before the target has accepted the data. FastWrite therefore lets the SAN Routers expedite transfer of the SCSI write data without waiting for round-trip handshake messages to travel back and forth between target and initiator.
There are two options available for enhancing open systems SCSI tape write I/O performance:
FC FastWrite
FCIP FastWrite with tape pipelining
FCIP FastWrite and tape pipelining are implemented together. FC FastWrite is an FC-FC routing alternative that disables the local Ethernet ports (ge0 and ge1); this makes it impossible to configure FCIP FastWrite and tape pipelining together with FC FastWrite on the same 7500 or FC4-18i blade.
To configure a fcip tunnel use the following commands:
portcfg fciptunnel
portshow fciptunnel
Note: Brocade FastWrite is available with either FC-based or FCIP extension.
Note: FCIP FastWrite is supported with XP Continuous Access but is not supported
with Continuous Access EVA.
Open Systems Tape Pipelining (OSTP) can be used to enhance open systems SCSI tape write I/O performance. It builds on the FastWrite feature to optimize sequential I/Os to a remote device. When the FCIP link is the slowest part of the network, OSTP can provide accelerated read and write I/O over FCIP tunnels. To use OSTP you need to enable both FCIP FastWrite and Tape Pipelining.
FCIP FastWrite accelerates SCSI write I/Os over FCIP.
Tape Pipelining accelerates SCSI read and write I/Os to sequential devices (such as tape drives) over FCIP, reducing the number of round trips needed to complete an I/O over the IP network. Each GbE port supports up to 2048 simultaneous accelerated exchanges.
Both sides of an FCIP tunnel must have matching configurations for these features to work. FCIP FastWrite and Tape Pipelining are enabled during tunnel configuration, on a per-FCIP-tunnel basis.
The tape pipelining process works as follows. First, the FastWrite operation causes the local gateway to send an FCP_XFER_RDY as soon as each SCSI write command is received, so that only one round trip is needed per write. Once the initiator has sent the data (FCP_DATA) to the local gateway, the local FCIP port immediately responds with an FCP_RSP message. The initiator interprets this message as completion of the write and begins sending the next one. Because FastWrite is enabled, the local FCIP port is buffering the data, allowing it to keep the pipe full and maintain a steady flow of data to the remote tape device.
Note that with tape pipelining the initiator is told the write is complete before the data has reached the remote tape device; the gateway's buffer stands in for the device until the real FCP_RSP arrives and is absorbed locally. This is why the feature is applied to sequential devices only, and why request and response traffic must traverse the same VE_Port tunnel.
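Added example, my own code rather than anything from the course or from Brocade: a message-level model of one SCSI write across the link in the three forms described above, the standard two-round-trip exchange, FastWrite, and FastWrite with tape pipelining. It lists which party emits each FCP message (the gateways appear only where they act as virtual target or virtual initiator), counts WAN crossings, and computes when the initiator sees completion versus when the target actually holds the data. The timing model (only the WAN one-way latency counts; local hops and device service time are zero) and the representation of the buffered data as two hops are simplifications of mine; the 400 µs one-way figure in the usage is the text's 5 µs/km applied to 80 km.

```python
"""FCP message exchange for one SCSI write: standard, FastWrite, tape pipelining (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    name: str
    src: str
    dst: str
    via_wan: bool          # True if this message crosses the inter-site link
    after: tuple = ()      # indices of messages that must have arrived before this is sent


def scsi_write(mode):
    """Return (messages, index of the message the initiator treats as completion,
    index of the message that proves the target actually received the data)."""
    msgs = [Msg("FCP_CMND", "initiator", "target", True)]                      # 0
    if mode == "standard":
        msgs += [
            Msg("FCP_XFER_RDY", "target", "initiator", True, after=(0,)),     # 1
            Msg("FCP_DATA", "initiator", "target", True, after=(1,)),         # 2
            Msg("FCP_RSP", "target", "initiator", True, after=(2,)),          # 3
        ]
        return msgs, 3, 3
    if mode not in ("fastwrite", "tape_pipelining"):
        raise ValueError(f"unknown mode {mode!r}")
    msgs += [
        # local gateway acts as virtual target: XFER_RDY is answered locally, not from the far end
        Msg("FCP_XFER_RDY", "local_gw", "initiator", False),                  # 1
        Msg("FCP_DATA", "initiator", "local_gw", False, after=(1,)),          # 2
        Msg("FCP_DATA", "local_gw", "remote_gw", True, after=(2,)),           # 3 buffered data crosses the WAN
        # remote gateway acts as virtual initiator: the real XFER_RDY never crosses the WAN
        Msg("FCP_XFER_RDY", "target", "remote_gw", False, after=(0,)),        # 4
        Msg("FCP_DATA", "remote_gw", "target", False, after=(3, 4)),          # 5
    ]
    if mode == "fastwrite":
        msgs.append(Msg("FCP_RSP", "target", "initiator", True, after=(5,)))  # 6 real completion
        return msgs, 6, 6
    # tape pipelining: the local gateway completes the write as soon as it holds the
    # data, then absorbs the target's real FCP_RSP when it eventually arrives
    msgs += [
        Msg("FCP_RSP", "local_gw", "initiator", False, after=(2,)),           # 6 early completion
        Msg("FCP_RSP", "target", "local_gw", True, after=(5,)),               # 7 real completion, consumed locally
    ]
    return msgs, 6, 7


def arrival_times(msgs, wan_one_way_us):
    """Each message is sent once everything it depends on has arrived; only WAN hops cost time."""
    times = []
    for m in msgs:
        send = max((times[i] for i in m.after), default=0.0)
        times.append(send + (wan_one_way_us if m.via_wan else 0.0))
    return times


def write_timing(mode, wan_one_way_us):
    msgs, done, commit = scsi_write(mode)
    t = arrival_times(msgs, wan_one_way_us)
    return {
        "wan_crossings": sum(m.via_wan for m in msgs),
        "initiator_sees_complete_us": t[done],
        "target_holds_data_us": t[commit],
        "visible_rtts": t[done] / (2 * wan_one_way_us),
        "ack_before_commit_us": t[commit] - t[done],
    }


def trace(mode, wan_one_way_us):
    """Human-readable sequence: arrival time, sender, receiver, message, WAN marker."""
    msgs, _, _ = scsi_write(mode)
    t = arrival_times(msgs, wan_one_way_us)
    return [f"t={t[i]:6.0f}us {m.src:>9} -> {m.dst:<9} {m.name}{' [WAN]' if m.via_wan else ''}"
            for i, m in enumerate(msgs)]


if __name__ == "__main__":
    for mode in ("standard", "fastwrite", "tape_pipelining"):
        print(mode, write_timing(mode, 400.0))
        print("\n".join(trace(mode, 400.0)))
```

At 400 µs one way the standard write costs two WAN round trips (1,600 µs), FastWrite one (800 µs), and tape pipelining none as seen by the initiator; the `ack_before_commit_us` value of 800 µs in the pipelining case is the window in which the initiator believes data is on tape while it is still in a gateway buffer.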
Tape pipelining requires the request and the corresponding response traffic to traverse the same VE_Port tunnel across the MetaSAN. To ensure this, you must set up Traffic Isolation (TI) zones in the edge and backbone fabrics:
Set up a TI zone in an edge fabric to guarantee that traffic from a specific device in that edge fabric is routed through a particular EX_Port or VEX_Port.
Set up a TI zone in the backbone fabric to guarantee that traffic between two devices in different fabrics is routed through a particular ISL (VE_Ports or E_Ports) in the backbone.
This combination of TI zones in the backbone and edge fabrics ensures that traffic between devices in different fabrics traverses the same VE_Port tunnel in the backbone fabric.
The write acceleration feature is disabled by default and must be enabled on both sides of the FCIP link. If it is enabled on only one side of the FCIP tunnel, the feature is turned operationally off.
FCIP Compression
IP network considerations
Do I use my existing WAN link or provision a separate one? That depends on the type of storage I/O and on the current use of the existing network. A separate network is recommended.
The ability to use your existing network with FCIP depends on the type of storage I/O you plan to do and on the traffic already on the network. The key question is whether enough unused bandwidth remains to carry the current network load, accommodate future growth and handle the FCIP SAN load.
Ways to provide the network for the FCIP circuit:
Create virtual private networks (VPNs) with Quality of Service (QoS) through premise routers for the FCIP circuit.
Create separate, physically dedicated networks.
Guarantee bandwidth, latency and latency jitter using a third-party router/QoS vendor.
As mentioned, distance has a dramatic effect on the amount of work that can be done across a link. Therefore site planning should include:
Designing a plan to add storage I/O that will not impact normal data traffic.
Considering additional controller pairs to make effective use of the available bandwidth.
FCIP Security
Optical DWDM, CWDM or SONET/SDH links are considered relatively secure because of the difficulty of tapping optical fiber. That is a statement about attacker effort rather than a guarantee; the data on such links still travels in the clear. Security on FCIP tunnels that are routed over public IP is a serious issue. For regulated institutions such as financial companies, health care and schools, encryption of data transmitted over public networks is not just a good idea, it is a requirement.
Not all FCIP gateway products provide integrated encryption. Where the gateway does not, users must rely on routers or VPN appliances at the WAN edge to encrypt storage traffic. That still leaves storage traffic exposed on the path up to the WAN edge, and it may require users to buy more equipment if the existing routers or VPN appliances can't support gigabit-speed storage traffic on top of the existing WAN load.
FCIP encryption
Standards-based IPsec protocol to secure FCIP and iSCSI traffic
Hardware-based end-to-end authentication and encryption
Supported on: B-Series and C-Series switches
C-Series and B-Series switches support traffic encryption (IPsec) over FCIP. At the time of writing this can only be configured on tunnels that use IPv4 addressing.
To verify the IPsec configuration on a C-Series switch, use the show commands:
show ip access-list usage
show ip access-list
show crypto transform-set domain ipsec
show crypto map domain ipsec
In a B-Series environment IPsec policies are managed with the policy command:
policy --create type number [-enc encryption_method] [-auth authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs]
policy --show ipsec 1
policy --show ike all
To view the IPsec information for an FCIP tunnel in a B-Series environment:
portshow fciptunnel <slot/ge-port> <FCIP tunnel number> -ipsec
for example: portshow fciptunnel 8/ge0 3 -ipsec
The policy parameters (encryption method, authentication algorithm, PFS, DH group and security association lifetime) are set at each tunnel end, and the two ends must agree on them or the IKE negotiation fails and the tunnel does not come up.
Hardware encryption services are now available on the Brocade DCX switches by the use of an FS8-18 blade, or by the use of a Brocade Encryption Switch, these
FCIP advantages
Advantages:
Disadvantages:
FCIP hardware
B-Series
C-Series
8 GbE ports
Fabric services
Fabric services coordinate communication between switches in a fabric or VSAN.
The fabric services manage device names and addresses, timestamps, and switch
utilities.
Routing connects devices in multiple fabrics or VSANs without extending fabric
services from one routed fabric to another. Each fabric or VSAN maintains a unique
fabric services configuration. Devices in a routed network can communicate across
logical SANs (LSANs) or VSANs despite having different fabric services
configurations. An LSAN is similar to a Fibre Channel zone, but can extend through
a router to include devices in other fabrics.
World-Wide Name
A recognized naming authority assigns each Fibre Channel device a World-Wide
Name (WWN), which is a unique identifier. Use the device WWNs to:
Meta SANs
Routing creates a Meta SAN or extended VSAN when it connects fabrics or VSANs. A Meta SAN is a configuration that includes the physical fabrics (subnetworks), the router and the LSANs. When forming a Meta SAN, you determine which fabrics require connectivity and then specify the devices allowed to communicate across fabrics. The router does not provide 100% any-to-any connectivity between fabrics, but it does meet most SAN requirements.
Routing table
The routing function reads the fabric address information in each frame that it
receives, and then uses a routing table to determine the destination fabric or
destination VSAN and the address within that fabric or VSAN. The routing function
then transmits the frame to the address in the destination fabric.
SAN scaling
There are two methods for increasing the size of SANs:
For a SAN design to meet the total port count and total switch count limits, the
following configuration restrictions are enforced:
The fabric size limit for total port or total switch count must not be exceeded.
The use of several small switches to reach a high total port count number is not
acceptable if the design exceeds the total switch count limit.
The use of several high-port-count switches is not acceptable if the design
exceeds the total port count limit.
For large configurations, HP defines the maximum supported port and switch counts.
Fabric services include the State Change Notification Server, the Name/Directory Server, the Zone Server, the Key Server and the Time Server.
Simple Name Service (SNS) provides a mapping between device names and their addresses in a fabric. To ensure that the mapping is current, every switch in the fabric implements SNS.
Scaling by routing
Increasing fabric port count and switch count limits meets most customer scaling
requirements. Demand for higher port counts and connectivity between devices in
different fabrics or VSANs requires Fibre Channel routing.
Routing improves scaling by connecting independent fabrics or VSANs, each
potentially at its full capacity. Connectivity between fabrics or VSANs enables you to
share resources, reducing unnecessary redundancy in the routed network.
You can route between fabrics without affecting the total switch and port count limits.
However, the routed network is not the same as a single large fabric or VSAN. Only
selected devices in each fabric, specified by a routing table, can communicate with
devices in other fabrics.
For example, using a router, you can connect three 1,200-port fabrics to construct a
3,600-port Meta SAN.
HP has defined a specific configuration for remote replication called the five-fabric solution, which consists of one fabric dedicated to replication and four fabrics dedicated to I/O between hosts and arrays. The diagram above shows the configuration using FC-IP for the replication fabric.
In this configuration the gold and blue fabrics (6 and 7) are dedicated to host I/O. A separate fabric consisting of switches (8) and (9), using a single intersite link, carries all the replication I/O to the remote site. When implementing this solution using FC-IP or FC-SONET, only one gateway is required at each site.
Simplified scalability that allows you to scale a SAN without having to merge
fabrics
Selective sharing of devices in different fabrics so that only devices required for
specific functions are seen across fabrics
Limited sharing or specific times for data migrations and storage consolidation
Ability to access equipment without changing its physical location. Connecting
multiple fabrics to the MP Router enables sharing of devices located anywhere in
the Meta SAN
The MP Router does not merge fabrics, so existing zoning definitions and assigned domain IDs can be used without modification. Duplicate zoning definitions and domain IDs in different fabrics are hidden by the MP Router. Fabrics in a Meta SAN can be scaled without affecting other fabrics. Multiple SANs can be centralized and consolidated into one Meta SAN, or partitioned into different administrative domains as required.
HP recommends the use of Fabric Manager to simplify management procedures when implementing an MP Router-based Meta SAN. The slide graphic shows a typical configuration for SAN island consolidation.
Six-fabric configuration
The six-fabric configuration consists of two fabrics dedicated to replication and four fabrics dedicated to I/O between the hosts and arrays. The diagram above shows the configuration using FC-IP for the replication fabrics.
As in the five-fabric configuration there are four host I/O fabrics, two at each site, represented by (6) and (7). The six-fabric configuration differs in that it uses separate, redundant replication fabrics made up of switches (8) and (10) and two intersite links (9) and (11). Zoning can be used to build the dedicated replication fabrics out of the local/remote fabrics. In either case, whether physical or zoned fabrics are used, a separate gateway connects each of the local and remote replication fabrics (8 and 10) to its intersite link (9 and 11).
Tape library
Broadcast Zones
Inter-fabric broadcast frames
The FC router can receive and forward broadcast frames between edge fabrics and
between the backbone and edge fabrics. Many target devices and HBAs are unable
to handle these broadcast frames. If devices are connected to B-Series switches
running Fabric OS v5.3.0 or later, a broadcast zone can be set up to control which
devices receive the broadcast frames. Note, therefore, that all devices connected to
switches running an earlier firmware version will receive all broadcast frames.
To prevent inter-fabric forwarding of broadcast frames to switches running older
firmware versions, the fcrBcastConfig command can be used on the FC router. By
default, broadcast frames are forwarded from the FC router to all edge fabrics. The
fcrBcastConfig command specifies which fabrics should not receive the broadcast
frames.
[Slide: scalability limits table with columns Feature, Verified Limit and Maximum
Limit. Rows: Device Alias (verified one destination, maximum up to 10 destinations),
VSANs, Zone members, Zones, Zone Sets, Supported hops (verified 7 hops, maximum
12 hops), IVR zones. Other verified/maximum pairs shown on the slide: 55 switches /
239 switches, 32 switches / 239 switches, 40 Domains / 239 Domains.]
Certain design considerations must be followed to reach these limits, and should be
validated if being used in a large fabric configuration.
[Slide: Edge fabric scalability table. Rows: Domains (values shown: 10, 48, 31, 26,
67, 32, 42), Device ports (1300, 1000), Meta SAN (32, 12800, 16, 24), LSAN
(128/80/40, 10, 10000, 2,500 (5.x), 5,000 (6.x)), Hop Count (12).]
Note: The total number of domains in the first three rows must not exceed 69.
Module 10 - FCoE/CEE
Objectives
FCoE overview
FCoE terminology
Layer 2 Ethernet overview
FCoE Initialization Protocol
FCoE queuing
CEE map
DCBX (Data Center Bridging eXchange Protocol)
Fibre Channel over Ethernet (FCoE) is a standard proposed and developed by the
InterNational Committee for Information Technology Standards (INCITS T11). FCoE
has already been given various names by partners in the industry such as Cisco,
Brocade and IBM; the names given so far are Data Center Enhanced Ethernet,
Converged Enhanced Ethernet and Converged Enterprise Ethernet.
The concept of the proposal, as its name implies, was to map Fibre Channel natively
over Ethernet while keeping it independent of the Ethernet forwarding scheme. This
allows an evolutionary approach towards I/O consolidation: all Fibre Channel
constructs are preserved, the same latency, security and traffic management
attributes of Fibre Channel are maintained, and the investments already made in the
Fibre Channel environment are protected.
The aim of FCoE is to simplify storage environments by using Ethernet, while
avoiding the need to create a separate protocol for I/O consolidation and still
leveraging Fibre Channel technology. This is achieved by encapsulating the Fibre
Channel frame in an Ethernet frame; it is also critical to resolve Ethernet's
acceptance of packet loss so that it becomes a lossless fabric, and to replace the
Fibre Channel link with MAC addresses. In theory FCoE can be broken down into
three components:
Encapsulation of a native Fibre Channel frame into an Ethernet frame
The extension of Ethernet to become a lossless fabric
The replacing of a Fibre Channel link with MAC addresses in a lossless Ethernet
fabric
FCoE/CEE
Fibre Channel over Ethernet (FCoE) enables the transport of FC protocols and frames
over Converged Enhanced Ethernet (CEE) networks. CEE is an enhanced Ethernet
that enables the convergence of various data center applications (LAN, SAN, and
HPC) onto a single interconnect technology.
FCoE provides a method of encapsulating the Fibre Channel (FC) traffic over a
physical Ethernet link. FCoE frames use a unique EtherType that enables FCoE traffic
and standard Ethernet traffic to be carried on the same link. FC frames are
encapsulated in an Ethernet frame and sent from one FCoE-aware device across an
Ethernet network to a second FCoE-aware device. The FCoE-aware devices may be
FCoE end nodes (ENodes) such as servers, storage arrays, or tape drives on one end
and FCoE Forwarders on the other end. FCoE Forwarders (FCFs) are switches
providing FC fabric services and FCoE-to-FC bridging.
The motivation behind using CEE networks as a transport mechanism for FC arises
from the desire to simplify host protocol stacks and consolidate network interfaces in
data center environments. FC standards allow for building highly reliable,
high-performance fabrics for shared storage, and these characteristics are what CEE
brings to data centers. Therefore, it is logical to consider transporting FC protocols
over a reliable CEE network in such a way that it is completely transparent to the
applications. The underlying CEE fabric is highly reliable and high performing, the
same as the FC SAN.
In FCoE, ENodes discover FCFs and initialize the FCoE connection through the FCoE
Initialization Protocol (FIP). FIP has a separate EtherType from FCoE. FIP includes a
discovery phase in which ENodes solicit FCFs, and FCFs respond to the solicitations
with advertisements of their own. At this point, the ENodes know enough about the
FCFs to log into them. The fabric login and fabric discovery (FLOGI/FDISC) for
VN-to-VF port connections is also part of FIP.
I/O Consolidation
Although simple in concept, I/O consolidation, where Ethernet and Fibre Channel
share the same physical cable while maintaining protocol isolation, and where the
same type of hardware is used and configured for either network, is complex. But
the benefits from this simple idea are significant. By leveraging I/O consolidation,
organizations free up slots by using a combined Network Interface Card (NIC) and
Host Bus Adapter (HBA) that provides a multi-function network/SAN connection. In
turn this also reduces power consumption: fewer cards (in the case of PCI Express,
25 watts per card), fewer switch ports, plus the reduction in power consumed for
cooling, which is currently the primary barrier to data-center expansion and the main
source of inefficiency.
Another advantage of I/O consolidation is that it gives enterprise organizations the
means to simplify their cable management. At the moment 20 Gb of bandwidth may
be provided by two 4Gb FC connections and twelve 1Gb Ethernet connections. By
combining Fibre Channel and Ethernet, the same bandwidth can be delivered over
two 10 Gigabit Ethernet cables, reducing the number of cables being managed by
75%. This also results in fewer points of management that administrators have to
control.
File Backups to Tape Libraries and Recovery from these devices will continue to use
existing backup and recovery tools.
FCoE is designed to maintain the Fibre Channel model, allowing the use of the same
management tools and providing the same views of Fibre Channel initiators and
targets seen in a SAN, but in an FCoE environment.
By encapsulating native Fibre Channel in FCoE, the transparent interoperability of
existing SAN networks is possible, because everything above the transport layer
remains intact. This enables existing virtualization applications to continue to work
within FCoE.
FCoE Terminology
FCoE is designed to enable the transport of storage and networking traffic over the
same physical link. As such, FCoE ports and devices have to be distinguished from
other devices that use the infrastructure, such as standard network and Fibre
Channel entities, which are not FCoE.
The intermediate switching devices in the CEE network do not have to be
FCoE-aware. They simply route the FCoE traffic to the FCoE device based on the
Ethernet destination address in the FCoE frame.
For supported configurations and limitations, check the HP white paper:
HP StorageWorks Fibre Channel Over Ethernet Application Note
[Slide: FC stack, FCoE mapping and OSI stack side by side. FC stack: ULP (SCSI-3),
FC-4, FC-3, FC-2, FC-1, FC-0. FCoE stack: ULP (SCSI-3), FC-4, FC-3, FC-2, FCoE
Mapping, MAC, Link. OSI stack: Application, Presentation, Session, Transport,
Network, Data Link, Link.]
Encapsulation
By mapping FC onto Ethernet, the encapsulation of Fibre Channel can occur. Both
Fibre Channel and networks use the concept of stack layers, where each layer
represents functionality within the protocol. Ethernet is typically considered a set of
protocols, defined against the seven-layer OSI stack, that implement the physical
and data link layers. The Fibre Channel stack consists of five layers, FC-0 through
FC-4, created very much in alignment with the OSI model from the physical layer up
to and including the transport layer.
FCoE mapping allows FC traffic to pass over an Ethernet infrastructure by providing
the capability to carry FC-2 layer traffic over the Ethernet layer, which allows
Ethernet to transmit the upper Fibre Channel layers FC-3 and FC-4 over the IEEE
802.3 Ethernet layers.
FCoE encapsulation
[Slide: FCoE frame format. Fields in order: Destination MAC address (48 bits),
Source MAC address (48 bits), IEEE 802.1Q tag (32 bits), FCoE EtherType (16 bits),
Version field (4 bits), Reserved, SOF (8 bits), Encapsulated FC frame, EOF,
Reserved, FCS.]
Frame Format
FCoE encapsulates a Fibre Channel frame within an Ethernet frame.
The first 48 bits in the frame specify the destination MAC address; the next 48 bits
specify the source MAC address. The 32-bit IEEE 802.1Q tag provides the same
function as it does for virtual LANs, allowing multiple virtual networks across a
single physical infrastructure. FCoE has its own EtherType, designated by the next
16 bits; this is followed by the 4-bit version field. The next 100 bits are reserved
and are followed by the 8-bit Start of Frame and then the actual FC frame. The 8-bit
End of Frame delimiter is followed by 24 reserved bits. The frame ends with the final
32 bits dedicated to the FCS, which provides error detection for the Ethernet frame.
The encapsulated Fibre Channel frame consists of the original 24-byte FC header
and the data being transported, including the Fibre Channel CRC. The FC header is
maintained so that when a traditional FC Storage Area Network is connected to an
FCoE-capable switch the frames are de-encapsulated and handed off seamlessly.
This capability enables FCoE to integrate with existing FC SANs without the need for
a gateway.
Frame size is also a factor in FCoE. A classical Ethernet frame is typically 1.5 KB or
less. To maintain good performance, FCoE must use jumbo frames, or at least the
2.5 KB baby jumbo frame, to prevent a Fibre Channel frame from being split into
two Ethernet frames, as a typical Fibre Channel data frame has a 2112-byte payload
plus a header and Frame Check Sequence.
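As an added example (not course or vendor code) covering the frame layout and the frame-size point above, the following Python builds and validates an FCoE envelope with the field sizes just described and computes the resulting Ethernet frame length; the FCoE EtherType value, the SOF/EOF delimiter codes, and the MAC addresses and VLAN used in testing are assumptions not taken from the page.

```python
"""FCoE envelope encoder/validator following the field layout described above.

Added example, not code from the course or any vendor. EtherType 0x8906 and the
SOF/EOF codes are the standard assignments (not given on the page); the MAC
addresses and VLAN used for testing are constructed.
"""
import struct
import zlib

ETHERTYPE_8021Q = 0x8100   # IEEE 802.1Q tag protocol identifier
ETHERTYPE_FCOE = 0x8906    # EtherType assigned to FCoE
FCOE_VERSION = 0           # only version defined so far

# Delimiter codes carried in the FCoE SOF/EOF bytes (FC-BB-5 encodings).
SOF_CODES = {0x2E: "SOFi3", 0x36: "SOFn3"}
EOF_CODES = {0x41: "EOFn", 0x42: "EOFt"}

FC_HEADER_LEN = 24         # original FC header is carried unchanged
FC_CRC_LEN = 4             # FC CRC stays inside the encapsulated frame
FC_MAX_PAYLOAD = 2112      # typical FC data frame payload from the page
VERSION_RESERVED_LEN = 13  # 4-bit version + 100 reserved bits
TRAILER_LEN = 1 + 3 + 4    # EOF + 24 reserved bits + 32-bit Ethernet FCS
FIXED_OVERHEAD = 6 + 6 + 4 + 2 + VERSION_RESERVED_LEN + 1 + TRAILER_LEN


class FcoeFrameError(ValueError):
    """Malformed envelope; a receiving FCF or CNA would discard the frame."""


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _fcs(body):
    # Ethernet FCS: CRC-32 over destination MAC through the last data byte,
    # transmitted least-significant byte first.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcoe_encapsulate(dst_mac, src_mac, vlan_id, fc_frame, sof=0x2E, eof=0x42):
    """Wrap an FC frame (header + payload + FC CRC) in a tagged FCoE frame."""
    payload_len = len(fc_frame) - FC_HEADER_LEN - FC_CRC_LEN
    if payload_len < 0:
        raise FcoeFrameError("FC frame shorter than header + CRC")
    if payload_len > FC_MAX_PAYLOAD:
        raise FcoeFrameError("FC payload exceeds 2112 bytes")
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)  # PCP/DEI = 0
    version_reserved = bytes([(FCOE_VERSION & 0xF) << 4]) + bytes(12)
    body = (_mac(dst_mac) + _mac(src_mac) + tag
            + struct.pack("!H", ETHERTYPE_FCOE) + version_reserved
            + bytes([sof]) + fc_frame + bytes([eof]) + bytes(3))
    return body + _fcs(body)


def fcoe_decapsulate(frame):
    """Check every fixed field and the FCS, then return the untouched FC frame."""
    # The 802.1Q tag is optional on the wire, so the minimum excludes it.
    if len(frame) < FIXED_OVERHEAD - 4 + FC_HEADER_LEN + FC_CRC_LEN:
        raise FcoeFrameError("frame too short for an FCoE envelope")
    body, fcs = frame[:-4], frame[-4:]
    if _fcs(body) != fcs:
        raise FcoeFrameError("Ethernet FCS mismatch")
    dst, src, off, vlan_id = body[0:6], body[6:12], 12, None
    if struct.unpack("!H", body[off:off + 2])[0] == ETHERTYPE_8021Q:
        vlan_id = struct.unpack("!H", body[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    ethertype = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    if ethertype != ETHERTYPE_FCOE:
        raise FcoeFrameError("EtherType 0x%04x is not FCoE" % ethertype)
    if body[off] >> 4 != FCOE_VERSION:
        raise FcoeFrameError("unsupported FCoE version")
    if (body[off] & 0x0F) or any(body[off + 1:off + VERSION_RESERVED_LEN]):
        raise FcoeFrameError("reserved bits before SOF must be zero")
    off += VERSION_RESERVED_LEN
    sof, eof = body[off], body[-4]        # body ends with EOF + 3 reserved bytes
    if sof not in SOF_CODES or eof not in EOF_CODES:
        raise FcoeFrameError("unknown SOF/EOF delimiter")
    if any(body[-3:]):
        raise FcoeFrameError("reserved bits after EOF must be zero")
    fc_frame = body[off + 1:-4]
    if len(fc_frame) < FC_HEADER_LEN + FC_CRC_LEN:
        raise FcoeFrameError("encapsulated FC frame truncated")
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "sof": SOF_CODES[sof],
            "eof": EOF_CODES[eof], "fc_frame": fc_frame}


def fcoe_frame_len(fc_payload_len=FC_MAX_PAYLOAD):
    """Total Ethernet frame length (tag and FCS included) for an FC payload."""
    return FIXED_OVERHEAD + FC_HEADER_LEN + fc_payload_len + FC_CRC_LEN


def fits_in_one_frame(max_eth_frame, fc_payload_len=FC_MAX_PAYLOAD):
    """True if the FC frame would not have to be split across Ethernet frames."""
    return fcoe_frame_len(fc_payload_len) <= max_eth_frame
```

With the page's 2112-byte payload, fcoe_frame_len() gives 2180 bytes, which fits the 2.5 KB baby jumbo frame but not a 1.5 KB classical frame.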
Lossless Ethernet
[Slide: two Ethernet ports (Port A and Port B) exchanging Ethernet traffic; when the
receiver's queue is full it sends a PAUSE to the transmitting port.]
Fibre Channel is a lossless transport, where congestion has to be managed to ensure
that no frames are dropped. This is achieved in Fibre Channel by link-level,
credit-based flow control that guarantees that frames are not lost under normal
conditions. Ethernet, on the other hand, when used with TCP/IP relies on packet
drops to handle congestion and is therefore not lossless, making it unacceptable for
storage traffic. The IEEE 802.3x standard defines an optional PAUSE capability, by
which a busy receive port can send a control frame to a transmitting port requesting
a pause in transmission. By using this feature, Fibre Channel traffic is able to use an
Ethernet network as a lossless fabric.
A new Ethernet enhancement being developed will allow the PAUSE functionality to
be enabled for each user priority supported in Ethernet. While PAUSE provides the
basic functionality to make Ethernet lossless, the new proposal for Priority Flow
Control will provide significant benefit for both FC and Ethernet traffic.
HP offers the HP CN1000E CNA and also supports the Emulex LightPulse LP21000
family of CNAs and QLogic 8100 Series CNAs in certain ProLiant servers.
Features
The HP CN1000E CNA has the following features:
Ships with half-height and full-height brackets
Dual ports for redundancy
Full 10-Gb/s bandwidth on both ports
Each port can operate as a NIC and/or FCoE port
2 SFP+ connectors
Supports optical or copper cables
Considerations
x8 PCI Express Gen2 card
Requires 14.5 W of power
1 GbE is not supported
The Emulex CNAs have the following features:
Emulex 4-Gb/s FC dual-port controller
Dual-port 10-GbE Intel Oplin 82598 NIC
Ethernet Overview
FCoE hardware contains CEE ports that support FCoE forwarding. The CEE ports are
also backwards compatible and support classic Layer 2 Ethernet networks. In Layer 2
Ethernet operation, a host with a Converged Network Adapter (CNA) can be directly
attached to a CEE port on the FCoE hardware. Another host with a classic
10-Gigabit Ethernet NIC can be either directly attached to a CEE port, or attached
to a classic Layer 2 Ethernet network which is attached to the FCoE hardware.
Layer 2 Ethernet frames are forwarded on the CEE ports. 802.1Q VLAN support is
used to tag incoming frames to specific VLANs, and 802.3ac VLAN tagging support
is used to accept VLAN tagged frames from external devices. The 802.1D Spanning
Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning
Tree Protocol (MSTP) are used as the bridging protocols between Layer 2 switches.
FCoE hardware handles Ethernet frames as follows:
When the destination MAC address is not in the lookup table, the frame is
flooded on all ports except the ingress port.
When the destination MAC address is present in the lookup table, the frame is
switched only to the correct egress port.
When the destination MAC address is present in the lookup table, and the
egress port is the same as the ingress port, the frame is dropped.
If the Ethernet Frame Check Sequence (FCS) is incorrect, because the switch is
in cut-through mode, a correctly formatted Ethernet frame is sent out with an
incorrect FCS.
If the Ethernet frame is too short, the frame is discarded and the error counter
is incremented.
If the Ethernet frame is too long, the frame is discarded and the error counter
is incremented.
Frames sent to a broadcast destination MAC address are flooded on all ports
except the ingress port.
When MAC address entries in the lookup table time out, they are removed. In
this event, frame forwarding changes from unicast to flood.
An existing MAC address entry in the lookup table is discarded when a device
is moved to a new location. When a device is moved, the ingress frame from the
new port causes the old lookup table entry to be discarded and the new entry
inserted into the lookup table. Frame forwarding remains unicast to the new port.
When the lookup table is full, new entries replace the oldest MAC addresses
after the oldest MAC addresses age and time out. MAC addresses that still have
traffic running are not timed out.
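The lookup-table rules above, as an added Python example that is not vendor code: it models learning, aging, device moves, the full-table replacement policy and the cut-through FCS case, and returns a forwarding decision per frame. Frame size limits, the aging timer and the MAC addresses are constructed values.

```python
"""Forwarding decisions of the FCoE hardware's Layer 2 lookup table, as listed above.

Added example, not vendor code. Frame size limits, timer values and MAC addresses
are constructed for the example; the rules themselves are the page's bullet list.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
MIN_FRAME_LEN = 64      # assumed: classic Ethernet minimum (page only says "too short")
MAX_FRAME_LEN = 2500    # assumed: baby jumbo size mentioned earlier on the page


@dataclass
class Frame:
    src: str
    dst: str
    ingress: int
    length: int = 128
    fcs_ok: bool = True


@dataclass
class Decision:
    action: str                      # "unicast", "flood", "drop" or "discard"
    egress: List[int] = field(default_factory=list)
    fcs_ok: bool = True              # cut-through: a bad FCS is passed on, not fixed


class LookupTable:
    """MAC -> port table with aging, device moves and a full-table policy."""

    def __init__(self, capacity: int, age_time: int):
        self.capacity, self.age_time = capacity, age_time
        self._entries: Dict[str, list] = {}   # mac -> [port, last_seen]

    def lookup(self, mac: str) -> Optional[int]:
        entry = self._entries.get(mac)
        return None if entry is None else entry[0]

    def expire(self, now: int) -> List[str]:
        """Remove entries whose last traffic is older than age_time."""
        aged = [m for m, (_, seen) in self._entries.items()
                if now - seen >= self.age_time]
        for mac in aged:
            del self._entries[mac]
        return aged

    def learn(self, mac: str, port: int, now: int) -> bool:
        entry = self._entries.get(mac)
        if entry is not None:
            if entry[0] != port:             # device moved: old entry discarded
                self._entries[mac] = [port, now]
            else:
                entry[1] = now               # still sending: never times out
            return True
        if len(self._entries) >= self.capacity:
            oldest = min(self._entries, key=lambda m: self._entries[m][1])
            if now - self._entries[oldest][1] < self.age_time:
                return False                 # full and nothing has aged out
            del self._entries[oldest]        # oldest aged entry makes room
        self._entries[mac] = [port, now]
        return True


class L2Switch:
    """Applies the page's frame-handling rules on a set of CEE ports."""

    def __init__(self, ports: List[int], table: LookupTable):
        self.ports, self.table = ports, table
        self.errors = {"too_short": 0, "too_long": 0, "fcs": 0}

    def forward(self, f: Frame, now: int) -> Decision:
        self.table.expire(now)
        if f.length < MIN_FRAME_LEN:
            self.errors["too_short"] += 1
            return Decision("discard")
        if f.length > MAX_FRAME_LEN:
            self.errors["too_long"] += 1
            return Decision("discard")
        if not f.fcs_ok:
            self.errors["fcs"] += 1          # counted, but cut-through sends it on
        self.table.learn(f.src, f.ingress, now)
        others = [p for p in self.ports if p != f.ingress]
        if f.dst == BROADCAST_MAC:
            return Decision("flood", others, f.fcs_ok)
        egress = self.table.lookup(f.dst)
        if egress is None:                   # unknown destination: flood
            return Decision("flood", others, f.fcs_ok)
        if egress == f.ingress:              # destination sits on the ingress port
            return Decision("drop", [], f.fcs_ok)
        return Decision("unicast", [egress], f.fcs_ok)
```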
CEE Map
DCBX (Data Center Bridging eXchange Protocol) runs on CEE links and is an
extension of the Link Layer Discovery Protocol (LLDP). The primary goal of DCBX is
to allow the discovery of CEE-capable hosts and switches and to allow CEE-specific
parameters, such as those for ETS and PFC, to be sent before the link is shared.
The IEEE 802.1AB Link Layer Discovery Protocol (LLDP) enhances the ability of
network management tools to discover and maintain accurate network topologies
and simplify LAN troubleshooting in multi-vendor environments. To efficiently and
effectively operate the various devices in a LAN you must ensure the correct and
valid configuration of the protocols and applications that are enabled on these
devices. With Layer 2 networks expanding dramatically, it is difficult for a network
administrator to statically monitor and configure each device in the network.
Using LLDP, network devices such as routers and switches advertise information about
themselves to other network devices and store the information they discover. Details
such as device configuration, device capabilities, and device identification are
advertised. LLDP defines the following:
A common set of advertisement messages.
A protocol for transmitting the advertisements.
A method for storing the information contained in received advertisements.
NOTE
LLDP runs over the data-link layer which allows two devices running different network
layer protocols to learn about each other.
LLDP information is transmitted periodically and stored for a finite period. Every time
a device receives an LLDP advertisement frame, it stores the information and
initializes a timer. If the timer reaches the time to live (TTL) value, the LLDP device
deletes the stored information ensuring that only valid and current LLDP information is
stored in network devices and is available to network management systems.
VLAN Membership
IEEE 802.1q Virtual LANs (VLANs) provide the capability to overlay the physical
network with multiple virtual networks. VLANs allow network traffic isolation into
separate virtual networks reducing the size of administrative and broadcast domains.
A VLAN contains end stations that have a common set of requirements which can be
in independent physical locations. You can group end stations in a VLAN even if
they are not physically located in the same LAN segment. VLANs are typically
associated with IP subnets and all the end stations in a particular IP subnet belong to
the same VLAN.
In addition to creating a special VLAN for FCoE traffic, VLAN classifiers are applied
to the incoming EtherTypes for the FCoE Initialization Protocol (FIP) and FCoE. VLAN
classifiers are rules used to dynamically classify Ethernet frames on an untagged
interface into VLANs.
Traffic from downstream CEE interfaces can be assigned to a VLAN using several
methods:
The VLAN tag contained in the incoming frame
The VLAN classifiers
The Port-VLAN ID (PVID)
Because the Ethernet uplink ports from the Brocade FCoE hardware to the distribution
layer switches will carry traffic for multiple VLANs, they are configured as 802.1q
trunk ports.
The downstream CEE ports connected to the server CNAs are configured as access
ports with a PVID of either 10 or 20. The VLAN classifier group created for the FIP
and FCoE EtherTypes must be applied to the interfaces in order to place FCoE traffic
on the correct VLAN. The CEE map is also applied to the interface.
Note: Up to 4,000 VLANs, but only one FCoE VLAN is currently supported
FCoE CN switches have dual capabilities in that they serve as both an Ethernet
switch and an FC switch. You must perform a setup procedure to achieve the desired
function.
A 2408 FCoE Converged Network Switch or DC SAN Director Switch 10/24 Blade
can be a standalone switch or an edge switch in a Fibre Channel fabric. To attach
the switch to an existing Fibre Channel fabric as an edge switch, at least one Fibre
Channel port on the FCoE CN switch must be connected to a Fibre Channel switch in
the fabric (E_Port). There cannot be any other FCoE or 10-GbE CEE switches in the
path to the Fibre Channel switch.
Similarly, a DC or DC04 SAN Director with a 10/24 FCoE Blade installed can be a
standalone switch, an edge switch, or a core switch in a Fibre Channel fabric. If it is
an edge switch or core switch, other switches in the fabric can be attached to any
available FC port (E_Port) on other FC blades in the director.
For FCoE E_Port connectivity, see the appropriate Fabric OS release notes for the
minimum and recommended Fibre Channel switch firmware versions and the
supported Fibre Channel switch models. HP recommends Brocade FOS 6.3.0b or
later.
[Slide: block storage protocol stacks. File System and SCSI at the top; beneath them
FC-4 over FC, iSCSI/iSER over TCP/IP over Ethernet, and FCoE over Ethernet.]
A key benefit of iSCSI is its ability to integrate with an existing network environment,
using network interface cards, switches and routers to transport SCSI block data
between servers, desktops and even laptops and the storage media. Although touted
as an inexpensive solution, the cost of iSCSI storage targets varies depending on the
type of disks used and on whether the implementation is hardware or software
based. As there are no iSCSI disk drives, iSCSI relies on some form of bridging
protocol, iSCSI to SATA, SAS, or Fibre Channel controllers, to retrieve and store
block data. It has to be noted that iSCSI is an affordable means of integrating
lower-performing storage into a 1 Gbit/sec Ethernet, providing shared storage for
departmental use. At 10 Gbit/sec, iSCSI loses much of its publicized cost
advantage. Using 10 Gbit/sec Ethernet implies that the hosted applications require
high reliability and performance. At 1 Gbit/sec standard NICs can be used;
however, when implementing on a 10 Gbit/sec network, server performance is
enhanced by iSCSI cards that use auxiliary components such as a TOE (TCP Offload
Engine) or iSER (iSCSI Extensions for RDMA), which avoid multiple memory copies
of SCSI data between the interface and application memory. These types of cards
(TOE and/or iSER) can add significant cost per attached server compared to an
8 Gbit/sec FC HBA, and could undermine the value proposition that iSCSI has at
1 Gbit/sec.
Although iSCSI-to-FC gateways enable iSCSI initiators to access FC storage targets,
the required protocol conversion is more complex than FCoE frame mapping to Fibre
Channel. When using an iSCSI gateway, a complete address translation is required
between the iSCSI and FC addresses. In addition, the gateway must act as a proxy
virtual FC initiator and a virtual iSCSI target, and it must also terminate sessions
within the gateway between the iSCSI and Fibre Channel protocols. If the ultimate
objective is to have Ethernet-attached servers accessing FC SAN targets, then FCoE
requires less protocol overhead and processing latency to span the Ethernet and
Fibre Channel transports.
FCoE is a component technology that enables highly efficient movement of block
storage over Ethernet for consolidating server network connectivity. It gives
organizations the opportunity to deploy a single server interface for Fibre Channel
and Ethernet traffic, simplifying the management and deployment of server network
connectivity while still maintaining the high availability and reliability standards
required for storage data transactions. FCoE is to be viewed not as a replacement
for, but as an extension of, Fibre Channel and is intended to coexist with existing FC
SANs.
Storage Support
HP storage systems support access from CNA-based servers. These storage systems
can be attached to Fibre Channel switches in the fabric or connected to the Fibre
Channel ports of an FCoE CN switch.
SAN boot is not supported when storage systems are connected to the Fibre Channel
ports of an FCoE CN switch. SAN boot is supported for storage attached to the Fibre
Channel ports in a SAN Director that contains a 10/24 FCoE blade and based on
the current support listed for Fibre Channel switches.
Module 11 - SAN Management
Objectives
Discuss the need for SAN management
Technologies driving SAN management
HP SAN management today
HP Storage Essentials
[Slide: SAN management areas. Storage Resource Allocation and Usage, Storage
Capacity, QoS Planning, Intuitive Console, Backup Planning and Management, Policy
Based Administration, Reporting and Billing, Security Administration, Task
Automation, Provisioning, NAS Management, System Availability, Bandwidth
Management, Asset Management, Performance Planning, Capacity Planning, SAN
Design, Device Management, Escalation Management.]
[Slide: SAN management disciplines. Resource management, Fault management,
Performance management, Device management.]
Fabric management
Storage management
Data management
Fabric management
SAN fabric management can be thought of as the control of the SAN infrastructure
or traffic flow within the SAN. This concept pertains to control and management of
device communication or access within the SAN, such as switch zoning, or LUN
Masking. This concept also includes managing SAN interconnect components,
individually and collectively, throughout the fabric.
Storage management
Storage management allows control of the specific storage system configuration such
as redundant paths, creation and management of storagesets (LUNs), the setting of
RAID levels, and the setting of platform-specific SAN interface characteristics and
parameters.
Data management
SAN data management applications help ensure that data is available and
accessible. The data being stored on the SAN is part of a company's assets. It is
imperative to keep this data available to system applications with minimal, if any,
downtime. Techniques such as cloning, snapshots, data replication, and backups
protect the data from disasters.
SAN management
The HP Open SAN Management strategy is to:
Simplify storage management using standardized web-based GUIs
Centralize the management of multi-vendor heterogeneous SANs
Automate policy-based management
Optimize functionality by exploiting all currently available management levels
HP is rapidly transitioning from the traditional server, storage, and component
level-based management to SAN-level application architecture and implementation
using the HP recommended Microsoft Windows server running SAN and storage
management software.
Just as important as the quality and feature set of the SAN's hardware is the
effectiveness of the SAN management applications in tying these devices together
and simplifying the complexity of the storage network. Whether using an HP
standard topology or a custom design using the HP StorageWorks SAN Design
Guide rules, IT managers must configure, monitor, and maintain the SAN, as well as
plan for and accommodate growth.
If users experience performance problems in the system, you can use the
performance collection methods to find out where the problem existed or to eliminate
the problem areas. The problem might be related to distance; however, the customer
might think the issue is the system, and the problem might have nothing to do with
the system, which had 80% availability the whole time.
Performance data is used to support these kinds of incidents and problems. From a
storage perspective, it is important to register, monitor, and collect the performance
of the logical volumes that are offered to the systems.
To ensure a well designed SAN, the SAN architect must research capacity planning
for future requirements. The SA is also responsible for contingency planning, storage
capacity analysis, and regression forecasting.
The following areas comprise storage capacity management in corporate
management environments:
The planning, acquisition, and optimal usage of SAN resources that are driven
by agreed service levels at lowest possible cost.
Understanding that SAN capacity planning is a primary SAN management
function and one of the main goals is long-term planning of approximately one
to three years in the future. It is also important to consider short-term planning
goals of approximately one to five months in the future.
SAN trend analysis, which has become an important part of storage capacity
management with regression reporting providing necessary information that can
then be used for the SAN performance management process. Trend analysis can
also be utilized for future SAN usage prediction and prediction of SAN service
levels.
The impact analysis of the following components during SAN topology changes.
These factors must be included in capacity planning and management:
Availability
Service level
Topology configuration
SMI-S
Replaces multiple disparate managed object models, protocols, and transports with
a single object-oriented model for each type of component in a storage network
Created by the SNIA
Enables management application developers to support devices from multiple
vendors
SMI-S components:
Common Information Model (CIM) (object model)
WBEM
Service Location Protocol (SLP) (discovery protocol)
Organized around profiles that describe objects relevant for a class of storage
subsystem (arrays, HBAs, and SAN devices)
Implementing SMI-S
Components provided by vendors as:
Embedded agent
SMI-S solution
More than 100 storage products that conform to SMI-S v1.0.2 have emerged in the
marketplace.
Vendor products have passed the SNIA Conformance Testing Program (SNIA-CTP),
which means they are conformant to the SMI-S interface. For the first time in the
history of the storage industry, end users and integrators can ask for vendor
products that conform to a functionally rich, open, secure and extensible storage
management interface standard.
SMI-S enabled products deliver a value chain that includes simpler configuration
and set-up procedures, standardized controls for complex operations and
automated provisioning.
Presently, the SMI-S is the only standard that addresses the end user's need for
reducing the costs associated with multi-vendor storage management. Today, each
device in the SAN has its own disparate management interface, which is a
nightmare for administrators and systems integrators. As the first standard to
addresses consolidating the management interfaces, it aims to reverse the trend of
vendors developing their own proprietary management approaches and contributing
to the storage management nightmare.
At a high-level, SMI-S is a standard focused on management interoperability between
storage hardware providers and software management application clients.
Essentially, SMI-S provides a standardized management interface to enable
"management interoperability" for storage hardware and software.
The SNIA-Conformance Test Program (SNIACTP) is the testing process to validate the
implementation of the SMI specification and assure that it conforms to the SNIA
standard in this case SMI-S v1.0.2. The testing process is a critical building block in
the effort to make multi-vendor storage operate in a predictable manner for end
users. Products that pass the SNIA-CTP offer IT Administrators more confidence in the
technology they are purchasing reducing the risk when deploying complex
networked storage solutions.
Storage vendors that successfully complete the SNIA-CTP master test suites receive a
formal confirmation and are allowed to use the SNIACTP mark. This mark indicates
that the storage vendor has completed conformance testing and can be placed on
product packaging and in marketing materials.
End users looking to ensure that a vendor's SMI-S implementation conforms to SNIA
standards should look for officially marked and tested products; they can check the
SNIA-CTP site (http://www.snia.org/tech_activities/sniactp/certified) for specific
details.
On the horizon are standardized storage management products that have
implemented features to the specification standard. These products will offer
increased trust and flexibility in choosing solutions that reduce the overhead and
complexity of managing storage.
SAN Management
Storage Essentials
Base components (Standard and Enterprise Edition):
- Discovery
- Event management
- Capacity
- Role-based security
- Topology
- Path management
- Performance
- Historical and future trends
- Reports
- CLI / APIs
- Toolkit for custom scripts
- Policy Manager
- Event Manager
- Reporter
Enterprise Edition only:
- Business Tools
The Storage Essentials base components listed above provide essential functionality and require purchase of the Storage Essentials base product.
An Oracle Database 10g Release 2 (10.2.0.3) database is bundled with the base Storage Essentials product (both editions). This database is controlled by Storage Essentials and cannot be modified for other use, nor can it be deployed remotely on another server.
In addition to the base components, plug-in Storage Essentials modules are available, either included with the product or for an additional fee. The Storage Essentials base software is required to support any of the other modules.
Plug-in modules cover three feature areas: application storage management, configuration management, and reporting. The plug-in components are:
- Database Viewer
- Exchange Viewer
- Provisioning Manager
- Chargeback Manager
- NAS Manager
- Backup Manager
- Global Reporter
- Report Designer
All of the above are plug-ins and are available within Storage Essentials Enterprise Edition. Most are licensed features; licensing can be based on ports, applications, or storage capacity.
The Enterprise Edition supports several additional plug-ins (modules) not available
with the Standard Edition. Licenses are needed for the added plug-ins. At the time of
this writing, upgrade from Standard Edition to Enterprise Edition is not supported.
The following pages will introduce the base components of HP Storage Essentials.
System Manager
The System Manager has two panes: the tree pane and the connections pane.
The System Manager is often the first tool used to access the managed infrastructure and to investigate element details collected and stored within the SE database.
The connections pane contains a graphical representation of the SAN topology, including discovered applications, hosts (with CIM extension agents), storage switches, storage arrays, and tape libraries (based upon supported products).
The tree pane, on the left side, contains the following three tabs:
Capacity Manager
Capacity and utilization reports show changes over time for hosts, switches,
applications, and storage.
Performance Manager
Multiple windows allow viewing different performance metrics over different time periods.
Similar to the System and Capacity Managers, the Performance Manager provides a topological view of the connected infrastructure for ease of management. Performance-enabled objects are represented by additional symbols on the map.
Application Viewer
The SE Application Viewer helps you navigate the following types of applications:
- Exchange applications
- Oracle applications
- SQL applications
- Sybase applications
- InterSystems Cache
- DB2
- Informix
- Virtual applications
Policy Manager
The SE Policy Manager helps you efficiently manage both utilization and infrastructure policies. Navigation is in the left pane and the display is in the right pane.
Policy Manager enables you to:
- Root node policies apply to all elements under that node (element type)
- Events
Event Manager
Event Manager lets you view, clear, sort and filter events from managed elements. An event can be anything that occurs on an element, such as a device connected to a Brocade switch going off-line. It provides the following information about events:
- Summary Text: a brief explanation of the event. When you click the summary text, the details of the event are displayed.
- Element Type: specifies whether the source of the event is an application, a host, and so on.
- Rank: by estimated cost implication. This column is hidden until you enable it.
Storage Essentials device events are also visible within the HP SIM event management structure.
Report Optimizer
- System: these reports are enterprise wide and collect information about the following:
  - Application: data about applications the management server monitors, such as reports on application utilization and dependencies.
  - Events: data about events occurring on the elements the management server monitors, such as summary reports on events.
  - Fabric: data about fabrics, such as SAN components not zoned and world wide names that appear in zones but not in SANs.
  - File Server: data about the file servers the management server monitors, such as reports on groups and users by server. This information is provided only if you have purchased the license for File System Viewer.
  - HBA: a summary report on the host bus adapters (HBAs) the management server detects.
  - Host: data about the hosts the management server monitors, such as reports on host storage allocation and total host utilization.
© 2010 Hewlett-Packard Development Company, L.P.
  - NAS: data about NAS storage devices, such as reports on volume and aggregate usage.
  - Performance: historical performance data for devices, such as reports on I/O performance.
  - Storage System: data about storage systems the management server monitors, such as reports on storage system capacity and storage system utilization.
  - Switch: data about switches the management server monitors, such as reports on switch port traffic and port utilization by connection type.
  - Backup Manager: data about backups, such as reports on the status of the daily backup, backup volume, and media availability.
- Applications: these reports provide information about an application, such as Oracle, SQL, Sybase, or Microsoft Exchange.
- Tape Libraries: these reports provide information about a tape library.
- Recent: lists the last 10 reports viewed. This option is not displayed when you first access Reporting.
Only Enterprise Edition has support for the following reports:
- Global: these global-wide reports provide data gathered from multiple management servers.
- Asset Management: these reports provide information based on assets and ownership.
- Chargeback Manager: these reports provide cost information about the management and storage usage of an element.
Database Viewer
- Automatically discovers the database, tablespaces, devices, and files, and then graphically depicts their dependencies on the SAN.
- Provides a single, integrated view that depicts the path each database element takes through mount points, host servers, volume management software, host bus adapters (HBAs), fabric switches, and storage systems. These path management capabilities, combined with real-time performance monitoring features, enable you to predict the impact of planned and unplanned SAN downtime on database applications and to determine where in the SAN stack performance is being impacted.
- Extends the full range of capacity management, role-based security, event management, reporting, and policy-based automation capabilities of Storage Essentials to database environments.
Exchange Viewer
File System Viewer extends the Storage Essentials suite with scalable file-level storage resource management (SRM) capabilities. Whether the file servers are hosted on direct attached storage (Enterprise Edition), NAS, or SANs, File System Viewer provides the file system scanning, analysis, and reporting features you need to reclaim wasted disk space, ensure file server availability, monitor user consumption, and classify unstructured data for ILM initiatives.
File System Viewer discovers file systems, logical volumes, and user shares, and conducts high performance scans to collect age, size, and type statistics on every file. Detailed reports categorize files according to file extension (for example, mp3, log, tmp, pst), size, and the dates created, last accessed, and last modified, so you can quickly identify disk space that can be recycled and critical files that should be replicated. Because the module is tightly integrated with the SAN management capabilities of Storage Essentials, it also depicts file server dependencies on HBAs, fabric switches, and storage systems, and extends the full range of Storage Essentials role-based security, event management, reporting, and policy-based automation capabilities to file servers.
File System Viewer reports on logical volumes, files, user shares, and user and group disk space consumption. File type analysis quickly identifies inappropriate or unnecessary files that can be deleted or archived to reclaim disk space.
Backup Manager
Supports HP Data Protector and Veritas NetBackup. Monitors the overall configuration (topology) and the physical infrastructure supporting the backup process: backup application, backup server, network, tape library, and media.
- Monitors the overall status of the backup process and shows the health and performance of the data protection infrastructure. Identifies unprotected applications, servers, and files. Increases utilization of backup resources.
- Visualizes the backup configuration and the recoverability of a file, directory, volume, or server.
- Shows the status of the physical infrastructure supporting the backup process: backup application, backup server, network, tape library, and media.
- Provides information on the reasons for backup failures and advisory information for configuring new backup schedules.
B-Series management tools, by level:
- SAN: Storage Essentials
- SAN/Fabric: Fabric Manager, a Java-based application to monitor and configure multiple B-Series fabrics, with firmware management, tool integration, and improved reporting
- Element: Web Tools
For a list of the latest supported B-Series switches and firmware versions, refer to the
HP StorageWorks SAN Design Reference Guide available from:
http://h18000.www1.hp.com/products/storageworks/san/documentation.html
Fabric Manager is tightly integrated with the entire family and can extend those
products' capabilities (such as Web Tools and Fabric Watch). This unique ability to
work tightly with all B-Series management tools effectively reduces the time and costs
of managing B-Series fabrics. From Fabric Manager you can launch the Advanced
Web Tools application for a specific switch to perform element (switch) management.
This action is transparent to the user. Fabric Manager provides more efficient fabric
management than Advanced Web Tools alone.
To download a copy of Fabric Manager, go to:
http://h18006.www1.hp.com/storage/networking/b_switches/index.html
Switch login credentials are saved for a session, so that users need to authenticate to a switch, or to multiple switches, only once.
- Download firmware to all switches in a group with the same model number.
- Reboot the core switches of a fabric and then the edge switches.
A switch can be discovered by:
- Element name
- IP address
- Domain ID
- WWN
Use the address field to enter the switch IP address to discover a switch. All discovered elements display in the SAN Elements navigation tree, organized by fabrics, SwitchGroups, and switch PortGroups. Select an element to show its details on the view screens. Right-click the element to launch actions. The background color of each element indicates the physical status of that element:
If you notice a color change, expand the navigation tree to determine the source.
Note: Port status does not affect switch icon background color.
Firmware upgrade
- Upgrade multiple switches simultaneously across fabrics
- Requirements:
  - All switches can run the firmware version to be downloaded
  - TCP/UDP ports 20 and 21 are available between the server and each switch
  - To reboot switches simultaneously after the download, they must reside on the same fabric
- Switch connections may be interrupted during the firmware upgrade
You can upgrade switch firmware on multiple switches simultaneously, and across fabrics, using the Fabric Manager firmware download function. Certain requirements must be met:
TCP/UDP ports 20 and 21 must be available between the server and each switch. These are the FTP data and control ports, so the firmware image and the account used for the transfer cross the management network unprotected; restrict that reachability to the Fabric Manager server and the switches' management interfaces rather than opening it broadly.
If you are upgrading firmware from Fabric OS v3.0.0 to v3.1.0, or from Fabric OS v4.0.0 to v4.1.0, any port name changes that you have made in Fabric Manager are lost; this ensures that multiple Fabric Manager clients that are simultaneously active during the firmware upgrade do not overwrite each other's port names.
The Fabric Manager firmware download to multiple switches feature is not supported for switches running XPath OS. If you attempt to download firmware to one of these switches using Fabric Manager, Web Tools-AP Edition is launched. See the Web Tools-AP Edition Administrator's Guide for more information.
Note: If the switch loses network connectivity during the firmware download from
Fabric Manager, the firmware download action times out after approximately 25
minutes for switches running Fabric OS v2.x or v3.x, and after approximately 80
minutes for switches running Fabric OS v4.x or v5.x. An error message is not
returned when the firmware download is interrupted.
Configuration propagation and comparison across fabrics. Useful to:
- Propagate a configuration to a new switch before adding it to a fabric
- Propagate a configuration to another fabric before merging two fabrics
- Compare configurations when troubleshooting segmented fabrics
Data Center Fabric Manager (DCFM) allows the management and securing of data flow across B-Series switches running FOS 5.0 or higher. It also supports fabrics in interop mode with M-EOS based fabrics; however, fabrics composed of both FOS and M-EOS switches require the B-Series switches to run FOS 6.0 or higher and the M-EOS switches to run M-EOS 9.6 or higher.
HP DCFM measures and displays real-time and historical network performance. This highly scalable application, which can support up to 24 SANs, 9,000 switch ports, and 20,000 end devices, provides the essential functions for efficiently configuring, monitoring, and dynamically provisioning SAN fabrics through an enhanced GUI with wizard-driven operations for automating tasks. It also features easy-to-use administrative tools that streamline or automate repetitive tasks so organizations can achieve high levels of productivity, for example by configuring Quality of Service (QoS) priorities for improved utilization of virtual machines. DCFM also supports Brocade encryption capabilities for data at rest and Brocade HBA products. This product is available as a 75-day free trial download.
Cisco Fabric Manager and Device Manager
A set of two network management tools that support Simple Network Management Protocol version 3 (SNMPv3, the version with authentication and encryption) as well as legacy SNMP versions. They provide a graphical user interface (GUI) that displays real-time views of your network fabric and lets you manage the configuration of Cisco MDS 9000 Family devices and third-party switches.
- Fabric Manager
- Device Manager
Fabric Manager
The Fabric Manager displays a view of your network fabric, including Cisco MDS 9000 Family or third-party switches and devices. To launch Fabric Manager from your desktop, double-click the Fabric Manager icon.
Changes made using Fabric Manager are applied to the running configuration of the switches you are managing; changes that are not saved to the startup configuration are lost when a switch restarts. After you make a change to the configuration or perform an operation (such as activating zones), the system prompts you to save your changes before you exit.
Cisco Fabric Manager is an alternative to the command-line interface (CLI) for most switch configuration commands.
For information on using the CLI to configure a Cisco MDS 9000 Family switch, refer to the Cisco MDS 9000 Family Configuration Guide or the Cisco MDS 9000 Family Command Reference.
Device Manager
The Device Manager window consists of a menu bar, a toolbar, tabs, and a physical representation of the switch chassis showing the supervisor modules and the switching or services modules.
Device Manager provides a physical representation of your switch chassis, with the
modules, ports, power supplies, and fan assemblies. The menu bar at the top of the
Device Manager window provides access to options, organized into menus that
correspond to the menu tree in Fabric Manager.
The legend at the bottom right of the Device Manager indicates port status, as
follows:
Lab activity
Module 11, Lab 1 - Data Center Fabric Manager (DCFM)
uc434s c.01 © 2009 Hewlett-Packard Development Company, L.P.
SAN Security
Module 12
Objectives
- Discuss the basic storage security model and access points
- Describe approaches to planning security in a SAN
- Outline the core components for securing SAN data and SAN management
- Security in practice: authentication and encryption
Security in a SAN
- A fundamental requirement for enterprise SANs
- Multi-customer environments have new security requirements
- Security enables sharing of SAN resources among multiple customers securely
- Reduces xSP (multi-customer) infrastructure costs and enables economies of scale
Information security is a fundamental issue that must be dealt with when managing any data center. HP understands the importance and complexity of establishing and maintaining a secure information storage environment. HP storage products are designed to make it easy to protect the availability, integrity, and confidentiality of the customer data that they hold.
HP is working with other storage vendors in the Storage Networking Industry Association to develop enhanced SAN security technology.
HP is also working with the Fibre Channel standards community to develop storage network security protocols.
The ideal mass storage system provides fast storage and retrieval of information for a number of servers.
This one-line summary leaves unspoken many additional expectations:
- It is expected that data written to the storage system today will be available tomorrow.
- It is expected that the data will be the same when it is read as it was when it was written.
- It is expected that the data is not available to any server or any person not specifically authorized to have access.
These three expectations are covered under the general headings of availability, integrity, and confidentiality, and they form the basis for defining the availability and security of the data in the mass storage system. For example, the data should be available even if a hardware or software component in the storage system fails; RAID and remote mirroring are methods used to maximize data availability.
Security can be implemented at three levels in the SAN:
- Fabric level
- Host level
Three types of attacks, corresponding to the three aspects of information security, can
be made on a computer system:
Any computer security system must deal with these types of attacks.
The security of a computer system is the responsibility of a security manager. This
person defines the operational rules and procedures that are required to maintain the
desired security level. To achieve the desired security level in an HP SAN system, the
operational rules and procedures should incorporate the guidelines discussed in this
module.
Security domains
- Define one or more security domains to make a storage infrastructure secure
- A security domain is a logical grouping of related components
- It includes a set of rules that specify the amount of communication that is allowed
Types:
- Host-to-switch domain
- Administrator-to-security management domain
- Security management-to-fabric domain
- Switch-to-switch domain
The basic approach to making a system secure is to define one or more security domains. A security domain is a logical grouping of related components in the storage system, along with a set of rules that specify the amount of communication that is allowed between the components. Devices, such as servers and storage systems, that are within a given security domain are allowed to communicate with each other. The security manager defines the communication, if any, that is allowed between domains. The security system works by controlling every possible communication path between the security domains, so that data cannot be moved between domains without authorization.
The boundaries of the security domains are barriers that control access to the components. The boundaries also control communication between domains through the network or storage bus connections. Any potential path between security domains must be reviewed to make sure that only approved access is permitted. This can be an extremely complex undertaking.
Domain types
- Host-to-switch domain: between host servers and their host bus adapters (HBAs), and the connected switches
- Administrator-to-security management domain: between administrators and their management applications
Risks
- Confidentiality of data (reads, other than by the application or user who owns it)
- Integrity of data (modifications, other than by the application that owns it)
The consequences of these are clear. Sensitive business or customer data can be exposed, and business records can be altered or destroyed. One can easily imagine a worst-case scenario for one's own organization, but also a more typical case, such as a minor administrative error on one system destroying data belonging to another.
Mitigation of risk
Identification (authentication)
An administrator must log on (give his or her own user id, then prove he or she is that user by knowing a password or using some more sophisticated mechanism) before administrative actions are permitted.
Emerging technology: a device must not only be on the list of devices permitted in the storage network, but must also prove that it is in fact who it says it is rather than an impostor. This prevents a rogue system from, for example, pretending to be a switch and issuing unauthorized I/Os with forged WWNs to bypass LUN-level security. Fibre Channel's FC-SP protocol works this way; iSCSI accomplishes the same end in a slightly different way.
Authorization
- Storage devices must verify that the specific administrator who issued a command is authorized to do so, before performing the requested action.
- Disk arrays must verify that the specific system that issued a read or write command has permission to do so for that LUN, before performing the I/O.
- Emerging technology: a tape library controller can similarly verify permissions on I/Os to a tape library.
Audit
- The storage subsystem as a whole must log all administrative actions (changes) and any events of significance. This is typically done individually in devices, but software to present a single view (and allow queries) is preferred.
- Protects both confidentiality (no one saw it) and integrity (no one changed it) of data.
- To prevent unauthorized configuration, require multilevel passwords
- Extensive use of ACLs
- Centralization of fabric configuration changes on trusted switches
The diagram above places major parts of these mitigations into the categories of
data security and management security, then further divides those categories. Some
items in these categories are in routine use today, while others represent the leading
edge of what can be done (or could be done in the next few years). For example,
selectively showing each system only the devices and LUNs it is allowed to access is
a feature in widespread use in SAN installations today, while storage encryption is a
leading-edge technology. Simplified language has been used: Authentication of
users encompasses not just Single Sign On but also more traditional approaches.
Data security
- Authentication: no authentication; Fibre Channel WWN; FC-SP; iSCSI
- Authorization: no authorization; LUN masking; iSCSI; NAS
- ILM
- Encryption: data in transit between data centres; data in transit within the data centre; data on disk and tape
Authentication
Authentication of devices is the effort expended by a device to ensure the identity of another device with which it is communicating.
There are three levels of authentication relevant to storage: none, trusting the device's address, and challenging the device to prove its identity. Historically no authentication at all was done. More recently the Fibre Channel WWN has been trusted as a device's identity; note that a WWN is an address presented by the device itself, not proof of identity, which is why forged WWNs are a concern. Looking to the future, both in Fibre Channel and in iSCSI, challenge/response protocols are used to confirm a device's identity.
No authentication
Devices on a SCSI cable are presumed to belong there; there is no concept of identity.
Early Fibre Channel installations split a SAN into zones. A system connected to a zone was presumed to belong there, much as a system on a SCSI cable. Zoning remains important for isolating traffic for interoperability or fault isolation reasons.
iSCSI
iSCSI provides for the use of the Challenge Handshake Authentication Protocol (CHAP, a challenge/response protocol) so that a storage client (initiator) authenticates itself to the storage server (target) at login time, much as FC-SP does; with mutual CHAP the target also proves its identity to the initiator. An initiator therefore cannot masquerade as a valid user of another's iSCSI identity simply by presenting that name. However, if the iSCSI traffic is not encrypted, a sophisticated attack could take over an established connection after the login has completed. Protection against this is provided by Internet Protocol Security (IPsec), a set of protocols that authenticates and encrypts data over an IP network such as a LAN or even the Internet. IPsec prevents this attack because the attacker does not hold the session's encryption and integrity keys. IPsec depends on the customer's security infrastructure: iSCSI login authentication (CHAP, or possibly SRP) remains a separate layer, and IPsec itself needs policies and an appropriate mechanism for authenticating peers and exchanging keys (such as IKE).
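As an added illustration (not code from this course or from any HP or Brocade product), the following Python sketch runs the iSCSI CHAP login exchange described above for both sides. It uses CHAP algorithm 5, MD5 over the one-byte CHAP_I, the secret and the challenge CHAP_C, which is what iSCSI carries in its Login PDUs; the initiator and target names, the secrets and the challenge size are constructed for the example. It also shows why the per-login random challenge matters: a captured CHAP_R cannot be replayed, and an initiator that does not hold the secret, or is not in the target's list, is refused. Mutual CHAP, where the initiator challenges the target in turn, is included because one-way CHAP leaves an initiator unable to tell a genuine array from an impostor.

```python
import hashlib
import hmac
import secrets

# Constructed example identities and secrets; in a deployment these come from the
# array's CHAP configuration and the initiator's iSCSI configuration.
INITIATOR_NAME = "iqn.2010-01.com.example:host01"
INITIATOR_SECRET = b"initiator-secret-at-least-12-chars"
TARGET_SECRET = b"target-secret-must-differ-from-initiator"


def chap_response(chap_id, secret, challenge):
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C), CHAP algorithm 5 as iSCSI uses it."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP_I is a one-byte identifier")
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def new_challenge():
    """A fresh (CHAP_I, CHAP_C) pair, random per login so a captured CHAP_R is useless later."""
    return secrets.randbelow(256), secrets.token_bytes(16)


class Target:
    """Storage-server side of the exchange."""

    def __init__(self, initiator_secrets, target_secret):
        self._initiator_secrets = initiator_secrets   # initiator IQN -> secret it must prove
        self._target_secret = target_secret           # used only for mutual CHAP
        self._pending = {}                            # IQN -> outstanding (CHAP_I, CHAP_C)

    def challenge(self, iqn):
        self._pending[iqn] = new_challenge()
        return self._pending[iqn]

    def verify(self, iqn, chap_r):
        """True only if chap_r answers the one outstanding challenge for this IQN."""
        if iqn not in self._pending:
            return False
        chap_id, chap_c = self._pending.pop(iqn)      # each challenge is single-use
        secret = self._initiator_secrets.get(iqn)
        if secret is None:
            return False                              # unknown initiator: deny
        expected = chap_response(chap_id, secret, chap_c)
        return hmac.compare_digest(expected, chap_r)  # constant-time comparison

    def answer(self, chap_id, chap_c):
        """Mutual CHAP: the target proves it holds the target secret."""
        return chap_response(chap_id, self._target_secret, chap_c)


def login(target, iqn, initiator_secret, mutual=True):
    """One login. Returns (authenticated, chap_r); chap_r is what an on-path
    observer would have captured, used by replay() below."""
    chap_id, chap_c = target.challenge(iqn)
    chap_r = chap_response(chap_id, initiator_secret, chap_c)
    ok = target.verify(iqn, chap_r)
    if ok and mutual:
        # the initiator now challenges the target and checks the answer against
        # the target secret it was configured with
        my_id, my_c = new_challenge()
        ok = hmac.compare_digest(target.answer(my_id, my_c),
                                 chap_response(my_id, TARGET_SECRET, my_c))
    return ok, chap_r


def replay(target, iqn, captured_chap_r):
    """An attacker who sniffed CHAP_R replays it in a new login: the fresh
    challenge means the old response no longer matches."""
    target.challenge(iqn)
    return target.verify(iqn, captured_chap_r)


def demo():
    target = Target({INITIATOR_NAME: INITIATOR_SECRET}, TARGET_SECRET)
    ok, captured = login(target, INITIATOR_NAME, INITIATOR_SECRET)
    wrong, _ = login(target, INITIATOR_NAME, b"guessed-secret")
    rogue, _ = login(target, "iqn.2010-01.com.example:rogue", INITIATOR_SECRET)
    replayed = replay(target, INITIATOR_NAME, captured)
    return {"genuine": ok, "wrong_secret": wrong,
            "unknown_initiator": rogue, "replay": replayed}


if __name__ == "__main__":
    print(demo())
```

The exchange keeps a listener from learning the secret or replaying a response, but it does nothing for the session afterwards, which is exactly the gap the paragraph above assigns to IPsec. Because CHAP_R is an unsalted MD5 over a short identifier, the secret and the challenge, a captured challenge/response pair still permits offline guessing of a weak secret, so CHAP secrets should be long and random, and the target secret must differ from the initiator secret or a reflection of the target's own challenge would authenticate.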
When implementing IP-based storage, whether iSCSI or NAS, it is important to keep
in mind just how broadly a network is connected. While the greatest risk may be
from a disgruntled employee or simple error, an external attack would find a Fibre
Channel SAN contained entirely within a locked data center a much more difficult
target than an open network reaching every desk in a company, which is in turn
harder to reach than the Internet.
both without keys ever appearing on the network in the clear and without device B
seeing device As key.
A variant of this approach uses public key encryption, in particular certificates. For public key encryption, a particular user (or company or device) is given a pair of keys: a public key and a private key. Two basic operations can be performed: encrypt data with your private key, and anyone can decrypt it with your public key (this is how a digital signature is produced); anyone can encrypt a message with your public key, knowing that only you have the private key to decrypt it. Roughly speaking, for trusted communication between two users (devices), the message is encrypted using the recipient's public key, and then a hash (checksum) of the message is encrypted using the sender's private key. A certificate is a user's name, public key, an expiration date, and the assertion by a certificate-issuing authority that it was really that user, and not someone else, the certificate was issued to. Care must be taken in which certificate-issuing authorities to trust and in the actual issuing of certificates: unlike a central directory, which can instantly revoke an identity, a certificate has a life of typically a year, so revocation has to be checked separately (through revocation lists or an online status check) rather than assumed. The whole topic of Public Key Infrastructure (certificate-issuing authorities, secure distribution of private keys to their owners, means of finding someone's public key) requires both expertise and effort to establish and operate.
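The two operations the paragraph describes, carried through in Python as an added example that is not part of the course material: encrypting a value with the recipient's public key, and signing a hash of the message with the sender's private key. This is textbook RSA with no padding, kept small on purpose so it runs instantly; the two Mersenne primes, the names and the message are constructed for illustration, and a real system would use a library with proper key sizes and OAEP/PSS padding rather than anything hand-rolled. What it shows beyond the text is what verification actually catches: a message altered after signing, and a signature made with the wrong private key.

```python
import hashlib

# Two known Mersenne primes so the example runs instantly (constructed, not real keys);
# real keys use random primes of 1024 bits or more.
P, Q, E = (1 << 61) - 1, (1 << 31) - 1, 65537


def keypair(p=P, q=Q, e=E):
    """(public, private) = ((n, e), (n, d)) with e*d == 1 (mod phi(n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # pow(e, -1, m) is the modular inverse (Python 3.8+)


def encrypt(public, m):
    """Anyone can encrypt an integer with the recipient's public key."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer below n")
    return pow(m, e, n)


def decrypt(private, c):
    """Only the holder of the private key can recover it."""
    n, d = private
    return pow(c, d, n)


def digest(message, n):
    """SHA-256 of the message, reduced below n; the hash, not the message, gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Signing is 'encrypting' the hash with the sender's private key."""
    n, d = private
    return pow(digest(message, n), d, n)


def verify(public, message, signature):
    """Anyone holding the sender's public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)


def demo():
    alice_pub, alice_priv = keypair()                                # sender
    bob_pub, bob_priv = keypair(p=(1 << 89) - 1, q=(1 << 61) - 1)    # recipient, a different key
    message = b"map LUN 7 to host01 read-only"
    session_key = int.from_bytes(b"\x5a" * 16, "big")   # constructed 128-bit key, below Bob's n
    wrapped = encrypt(bob_pub, session_key)             # only Bob can unwrap it
    signature = sign(alice_priv, message)               # only Alice could have produced it
    return {
        "bob_recovers_key": decrypt(bob_priv, wrapped) == session_key,
        "signature_valid": verify(alice_pub, message, signature),
        "tampered_rejected": not verify(alice_pub, b"map LUN 7 to host01 read-write", signature),
        "forged_rejected": not verify(alice_pub, message, sign(bob_priv, message)),
    }


if __name__ == "__main__":
    print(demo())
```

Encrypting a short session key rather than the message itself is the usual arrangement: the bulk data is protected with a symmetric cipher, and the public key operation only wraps that key. The certificate question the paragraph raises is what ties alice_pub to a name; nothing in the arithmetic does.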
Authorization
Authorization has evolved from the DAS model of "if you can see it, you own it" to more sophisticated mechanisms that enable pooling of resources on the SAN.
No authorization needed
As mentioned before, SCSI does not have an authorization mechanism: any system can read and write any device connected to the same cable.
Early Fibre Channel SANs offered a variant of SCSI by dividing the SAN into segments, called zones. Each zone behaved like a SCSI cable: any system in the zone could read and write any device in the zone. Later versions allowed overlapping zones. Today, of course, zoning remains important, primarily used to isolate traffic for interoperability or fault isolation reasons.
iSCSI
iSCSI devices offer both device-level and per-LUN Access Control Lists (ACLs). Per-LUN ACLs are similar to Fibre Channel LUN masking. VLANs on the network are analogous to Fibre Channel zones. It is up to administrators to verify that a particular array supports the features they plan to use.
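As an added example (not from the course or from any array vendor's software), this Python sketch models the per-initiator LUN masking that the authorization section above and the per-LUN ACL note here both describe. The array inventory and the masking table are constructed, and the table layout is an assumption rather than any product's format; the identity key is the iSCSI IQN, and on Fibre Channel it would be the HBA port WWN. It contrasts the three states the text walks through: the unmasked "if you can see it, you own it" view, the per-initiator view in which host LUN numbers are local to each initiator, and a default-deny check on each I/O that also enforces read-only mappings and logs every refusal, which is the audit record the mitigation section asks for.

```python
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
LOG = logging.getLogger("lun-acl")

# Constructed inventory of one array: array LUN id -> size in GB.
ARRAY_LUNS = {0: 100, 1: 200, 2: 50, 7: 500}

# Constructed masking table (assumed layout, not any vendor's format):
# initiator identity -> {array_lun: (host_lun, access)}.
MASKING = {
    "iqn.2010-01.com.example:host01": {1: (0, "rw"), 7: (1, "ro")},
    "iqn.2010-01.com.example:host02": {2: (0, "rw")},
}


def report_luns_unmasked(array_luns=ARRAY_LUNS):
    """The 'if you can see it, you own it' baseline: every array LUN to every host."""
    return sorted(array_luns)


def report_luns(initiator, masking=MASKING):
    """Host-visible LUN numbers for this initiator (what REPORT LUNS should answer).
    An initiator absent from the table gets nothing: default deny."""
    return sorted(host_lun for host_lun, _ in masking.get(initiator, {}).values())


def authorize(initiator, host_lun, op, masking=MASKING):
    """Check one I/O (op is 'read' or 'write') against the initiator's host LUN number.
    Returns the array LUN it resolves to, or None if denied; every denial is logged."""
    entries = masking.get(initiator)
    if entries is None:
        LOG.warning("deny %s %s host LUN %d: initiator not in masking table", initiator, op, host_lun)
        return None
    for array_lun, (mapped, access) in entries.items():
        if mapped != host_lun:
            continue
        if op == "write" and access != "rw":
            LOG.warning("deny %s write host LUN %d: array LUN %d is read-only", initiator, host_lun, array_lun)
            return None
        return array_lun
    LOG.warning("deny %s %s host LUN %d: not masked to this initiator", initiator, op, host_lun)
    return None


def validate(masking=MASKING, array_luns=ARRAY_LUNS):
    """Sanity checks an administrator would run before trusting the table."""
    problems = []
    for initiator, entries in masking.items():
        seen = set()
        for array_lun, (host_lun, access) in entries.items():
            if array_lun not in array_luns:
                problems.append(f"{initiator}: array LUN {array_lun} does not exist")
            if host_lun in seen:
                problems.append(f"{initiator}: host LUN {host_lun} mapped twice")
            seen.add(host_lun)
            if access not in ("rw", "ro"):
                problems.append(f"{initiator}: bad access mode {access!r}")
    return problems


def demo():
    host01 = "iqn.2010-01.com.example:host01"
    host02 = "iqn.2010-01.com.example:host02"
    return {
        "unmasked_view": report_luns_unmasked(),
        "host01_view": report_luns(host01),
        "host02_view": report_luns(host02),
        "stranger_view": report_luns("iqn.2010-01.com.example:rogue"),
        "host01_read_lun1": authorize(host01, 1, "read"),      # array LUN 7, read-only
        "host01_write_lun1": authorize(host01, 1, "write"),    # denied: read-only mapping
        "host02_write_lun1": authorize(host02, 1, "write"),    # denied: not masked to host02
        # both hosts see a "LUN 0", but they resolve to different array LUNs
        "same_host_lun0_differs": authorize(host01, 0, "read") != authorize(host02, 0, "read"),
    }


if __name__ == "__main__":
    print(validate(), demo())
```

The masking decision is made by the array on the identity the initiator presents, so it is only as strong as the authentication behind that identity: an unauthenticated WWN or IQN can be forged, which is why the text pairs LUN masking with FC-SP or CHAP rather than relying on it alone.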
Encryption
Encryption has drawn a lot of attention. Taken purely as a technology, that exotic branch of mathematics, which for centuries was out of reach of all but the military and espionage, has suddenly found a mass market. The Internet has made it necessary to secure transactions across an untrusted connection between parties who trust each other, and VLSI technology has made such security affordable. On the other hand, exponential growth in computer power has made it possible to try every possible key and decode messages that just a few years ago were thought unbreakable.
While encrypting (or decrypting) data at hundreds of megabytes per second (storage system speeds) is considerably more difficult than encrypting a few thousand bytes using software on your PC, such speeds are attainable using commercially available technology today. Many people across the storage industry have thought about how this technology could be applied, resulting in a number of products from a variety of companies.
Rather than seeking applications for one of these products, consider systematically the customer needs that encryption might address. In general, data can be encrypted either in flight (crossing a Fibre Channel, Ethernet, or WAN network) or at rest (on a disk or tape).
Management security
- Authentication of administrators
- Single sign on
- Selective administration capability
- Role-based access
- Error tracking
- Centralised management view
While far less exotic than encryption technology, basic management security for storage devices is the most important area to focus on today, and it is in transition. Historically, in the days of SCSI, and today for the disks in a PC, storage is entirely owned by a single system, any management software for that storage runs on that system, and the only storage security (or storage management security) is what that system provides.
As storage became shared by many systems, typically there was a management utility installed on one or more of those systems, and the storage administrator was required to supply a password to manage a particular array. This is normal practice in the industry today, and works quite well when there is a single administrator of a modest amount of storage.
However, as storage requirements have grown rapidly over the past few years and pooling of free storage at the SAN level, rather than inventorying free storage per application, has become common, it has become much more important to have multiple administrators, each with much more granular permissions as to which actions they can perform on which storage devices. Fortunately, this problem has long been faced by the administrators of large numbers of servers, and technology addressing it is well established. Single sign on is enabled by protocols such as RADIUS (historically Remote Authentication Dial-in User Service) that forward a logon request to a central server for validation, and by central servers such as
Authentication
Instead of having distinct (user id, password) logons for each system or device, a user
(application or person) has a single identity. Logging on to a given server, or to the
management port on a given device, appears to be handled by that device but in fact is
delegated to a data center's (preferably the enterprise's) central authentication server,
using RADIUS or a similar protocol. While common for user logons to systems today,
use of this technique to administer devices is just now starting to occur.
Technically, single sign on is usually accomplished by the user's computer receiving
and holding a token (a time-limited key) as the result of logging on, which can be
transparently presented in response to future logon (authentication) requests. The
details of how such a token can be used without eavesdropping and impersonation
are very interesting technically but beyond the scope of this paper. RADIUS is a
protocol that, when user A is logging on to server B, allows B to ask the
RADIUS server "is this logon valid?" rather than maintain its own copy of the
user/password file.
Central authentication services offer several benefits. Single sign on gives a user only
one password to remember, so it is practical to change it periodically. If a user
leaves the organization, there is only one logon of concern, and it can be revoked
quickly and reliably. The organization can move with relative ease from
"something you know" (a password) to "something you have and something you
know" (a card and a PIN or password) authentication.
Authorization
Beyond single sign on, the second difference from current storage management
practice is that there will no longer be an "administrator" logon to manage a device,
which has all privileges and is shared by all administrators. Rather, "administrator of
device x" is a role that can be assigned to an individual.
The third and perhaps most important difference is that administrative privileges can
be granted in a fine-grained way. For example, one administrator could be given the
right to view anything but change nothing in a particular storage subsystem, while a
more senior administrator could make changes. Roles are predefined sets of
permissions that can be assigned to a particular person.
Again, the customer continues to have the flexibility to organize server and storage
administration. A small organization can continue to have a single administrator with
all permissions, while a larger organization might continue to have separate server,
storage, and network administration departments, each with varying permissions
based on specific individuals' roles.
Audit
All configuration changes and other significant events should be logged, so that
problems of any sort (including security breaches) can be traced to their origin.
Understanding which administrator made the erroneous configuration change, and
when, makes it much easier to find and correct the process or procedure breakdown
that led to the error.
A centralized view of the audit trails/logs from the various devices in the data center
is important. The ability to query the collective set of logs rather than individual
elements is very important in tracking down issues, whether they are security
intrusions, administrator errors, or other problems. Overall security administration
may call for specific reports to be periodically generated from these logs.
When data is automatically moved between devices, such as in archiving,
Hierarchical Storage Management (HSM), or ILM, the software performing the data
movement must be duly authorized, and logs of such movement must be kept. This is
an emerging area: a goal rather than standard practice today.
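The authorization and audit model described above, as an added example that is not HP's or any vendor's code: one identity per administrator, "administrator of device x" as a role granted to a person, roles as predefined permission sets (view-only versus change), and every decision recorded in a central log that can be queried by device and time window. Role names, device names and the timestamps are constructed.

```python
"""Role-based storage administration with a central audit trail.

Added example, not HP's or any vendor's code. Role names, device names and
log entries are constructed for the walk-through.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Predefined roles (constructed): a role is a fixed set of permitted actions.
ROLES: Dict[str, Set[str]] = {
    "viewer": {"view"},                             # may look, change nothing
    "storage-admin": {"view", "change"},            # may reconfigure a device
    "security-admin": {"view", "change", "grant"},  # may also assign roles
}
ANY_DEVICE = "*"  # wildcard for an organization-wide role


@dataclass
class AuditEvent:
    when: datetime
    user: str
    device: str
    action: str
    allowed: bool
    detail: str = ""


@dataclass
class ManagementServer:
    """Central authority: role assignments per device plus the collective log."""
    grants: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (user, device) -> role
    log: List[AuditEvent] = field(default_factory=list)

    def permissions(self, user: str, device: str) -> Set[str]:
        """A device-specific role takes precedence over an organization-wide one."""
        role = self.grants.get((user, device)) or self.grants.get((user, ANY_DEVICE))
        return ROLES.get(role, set())

    def request(self, user: str, device: str, action: str,
                now: datetime, detail: str = "") -> bool:
        """Authorize one administrative action and record the decision either way."""
        ok = action in self.permissions(user, device)
        self.log.append(AuditEvent(now, user, device, action, ok, detail))
        return ok

    def grant(self, actor: str, user: str, device: str, role: str, now: datetime) -> bool:
        """Assign a role to a person; only a holder of the 'grant' permission may."""
        ok = role in ROLES and self.request(actor, device, "grant", now, f"{user}={role}")
        if ok:
            self.grants[(user, device)] = role
        return ok

    def revoke_user(self, actor: str, user: str, now: datetime) -> int:
        """Leaver handling: one identity, so one revocation removes every role."""
        if not self.request(actor, ANY_DEVICE, "grant", now, f"revoke {user}"):
            return 0
        gone = [key for key in self.grants if key[0] == user]
        for key in gone:
            del self.grants[key]
        return len(gone)

    def changes_to(self, device: str, since: datetime, until: datetime) -> List[AuditEvent]:
        """Query the collective log: who changed this device, and when."""
        return [e for e in self.log
                if e.device == device and e.action == "change" and e.allowed
                and since <= e.when <= until]

    def denied(self) -> List[AuditEvent]:
        """Refused attempts are the first place to look for errors or intrusions."""
        return [e for e in self.log if not e.allowed]


T0 = datetime(2010, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed start time


def scenario() -> ManagementServer:
    """Constructed walk-through: grant, use, query and revoke roles."""
    srv = ManagementServer()
    srv.grants[("sec", ANY_DEVICE)] = "security-admin"  # first admin is seeded out of band

    def at(minutes: int) -> datetime:
        return T0 + timedelta(minutes=minutes)

    srv.grant("sec", "alice", "array-1", "storage-admin", at(1))
    srv.grant("sec", "bob", "array-1", "viewer", at(2))
    srv.request("alice", "array-1", "change", at(10), "LUN masking updated")  # allowed
    srv.request("bob", "array-1", "view", at(11))                             # allowed
    srv.request("bob", "array-1", "change", at(12), "tried to delete a LUN")  # denied
    srv.request("alice", "array-2", "change", at(13))                         # denied: no role there
    srv.grant("bob", "bob", "array-1", "storage-admin", at(14))               # denied: cannot self-grant
    srv.revoke_user("sec", "alice", at(20))                                   # alice leaves
    srv.request("alice", "array-1", "change", at(21))                         # denied from now on
    return srv
```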
The switch maintains the user name and password locally and stores the password
information in encrypted form. The users are authenticated based on the locally
stored information.
Role-Based Access Control (RBAC) is the method that defines user accounts and
assigns a pre-defined set of permissions to the accounts based on their roles. This
restricts the list of commands that can be issued by that account, on a switch
or within the fabric. Up to 15 user-defined accounts can be created, and the
default accounts User and Admin may be disabled.
WARNING: Before disabling the Admin account, make sure that a user-defined
account with the admin role has been defined and works. If the Admin account is
disabled without an account with admin privileges being enabled, the switch can
not be fully managed.
All the following commands require the Admin role:
userConfig --show -a: shows all account information for a logical switch
userConfig --show username: shows account information for a specified user account
To create an account:
userConfig --add name -r role, e.g. userConfig --add battleaxe -r admin
To delete an account:
userConfig --delete username, e.g. userConfig --delete battleaxe
To change roles:
userConfig --change username [-r rolename], e.g. userConfig --change battleaxe -r SecurityAdmin
The following example creates a new user account ad2admin with an admin role,
access to Admin Domains 1 and 2, and home Admin Domain set to 2:
sw5:admin> userconfig --add ad2admin -r admin -h 2 -a "1,2"
Creating defined user accounts assists in tracking changes within the SAN
environment (who did what, and when). To enable change tracking, enter the following
command:
trackChangesSet 1
Users can also be created using the Switch Admin GUI. Both methods are
covered in the lab after this module.
Role-based access assigns roles or groups to users and limits access to the switch.
Access is assigned based on the permission level associated with each user ID. Your
administrator can provide complete access to each user or restrict access to specific
read and write levels for each command. This can also be on a per-VSAN basis.
SNMP and CLI access rights are organized by roles. Each role is similar to a group.
Each group of users has a specific role, and the access for that group can be
enabled or disabled.
By default, two roles exist in all switches:
- Network operator (network-operator): has permission to view the configuration only. The
operator cannot make any configuration changes.
- Network administrator (network-admin): has permission to execute all commands and
make configuration changes. The administrator can also create and customize up to 64
additional roles.
The two default roles cannot be changed or deleted.
Secure switch access: Available when you explicitly enable Secure Shell
(SSH) access to the switch. SSH access provides additional controlled security by
encrypting data, user IDs, and passwords. By default, Telnet access is enabled on
each switch.
SNMP access: SNMPv3 provides built-in security for secure user authentication and
data encryption.
RADIUS Authentication
RADIUS (Remote Authentication Dial-In User Service) is a protocol for carrying all
authentication, authorization, and accounting (AAA) information between devices.
When configured to use RADIUS, the switch acts as a network access server (NAS)
and a RADIUS client. The switch sends all authentication, authorization, and
accounting (AAA) service requests to the RADIUS server. The RADIUS server receives
the request, validates the request, and sends its response back to the switch.
The supported management access channels that integrate with RADIUS include the
serial port, Telnet, SSH, Web Tools, and API. All of these require the switch IP address
or name to connect. The RADIUS server accepts both IPv4 and IPv6 address formats.
Note: The RADIUS protocol encrypts only passwords.
Brocade also supports Lightweight Directory Access Protocol (LDAP) authentication using
Microsoft Active Directory on Windows. A switch can be configured to try RADIUS or
LDAP as well as local switch authentication.
Cisco also supports TACACS+, a client-server protocol that uses TCP (port 49) for
transport.
The addition of TACACS+ support provides the following advantages over RADIUS
authentication: it offers independent, modular AAA facilities, so authorization can be
done without authentication; it operates independently of servers if it is configured to
use a local database; and it can use TCP to send data between the AAA client and server,
providing reliable, connection-oriented sessions, and encrypts the entire protocol
payload between the switch and the AAA server to ensure higher data
confidentiality.
Port-level ACLs
Data Security refers to the protection of the communication path used to move
user data through the SAN.
SAN Management Path Security refers to the protection of the communication
path used to move management information through the SAN.
This is a functional distinction. In some cases, the same physical connection is used
for both user data and management information.
The HP storage security model is implemented as three distinct areas.
The overall security of the storage system is an integral part of the total solution
security and is deployed within the context of a comprehensive understanding of
the system, developed and delivered by HP Professional Services.
The software components of the storage system provide management path
security by controlling operator access rights and securing the SAN
management communication paths.
The hardware components of the SAN provide data path security by controlling
storage array access and governing the SAN fabric configuration control
mechanisms.
2010 Hewlett-Packard Development Company, L.P.
security risk for the storage system because the ordinary users of the system do not
have physical access to the machines.
Security expectations
This environment has a requirement for a high level of storage system security.
Protection is needed against unauthorized, accidental, and malicious data access
attempts. The required security level is set by the department with the most strict
security needs.
Response to attacks
Two attack scenarios are possible in this situation. Accidental inappropriate data
access requests might be made by any user, and malicious attempts to make
inappropriate data access requests might be made by a user.
Inappropriate read and write requests by system users are routinely handled by the
operating system. Disk mounting requires a privileged account, and directories are
protected by ACLs. The benign server environment puts little stress on the security
capabilities of the storage system.
Because the storage systems are located in a secure area, the risk of inappropriate
access to the array controllers is limited. There is some risk that the fiber optic cables
might be tapped, but this requires a technical approach that is unlikely in this
scenario.
Checklist
For a SAN storage system that requires a moderate level of security and where the
storage systems and Fibre Channel switches are located in a secure area, the
following steps are required.
Security in practice
- N_Port authentication
- E_Port authentication
- Encryption at rest and on the move
- Zoning
- LUN Masking
- Virtual fabrics traffic separation
- Role-based Access Control
Authentication
- Authenticate the port WWN of a newly connected device against the ACL in the fabric
- Authenticate the switch WWN before E_Port approval
Login sequence against the distributed ACL:
1. FLOGI
2. Check ACL
3. Allow/deny
Specifies which devices can participate in a fabric and locks them down to a specific
port within the fabric to prevent the addition of a device to an unauthorized port.
Organizations can use this policy as a WWN spoofing countermeasure by
preventing a device that is configured to mimic an existing device from joining a
fabric unless the device being spoofed is first disconnected then physically replaced
with an unauthorized device.
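The FLOGI, check-ACL, allow/deny sequence for a WWN-to-port device policy, as an added example that is not Brocade's or Cisco's code. It shows why the policy counters WWN spoofing (a known WWN arriving on any port other than its bound one is refused) and the limit the text states (once the genuine device is unplugged, a device presenting the same WWN on the same port cannot be told apart by the ACL alone). All WWNs, switch names and port numbers are constructed.

```python
"""Fabric login (FLOGI) check against a distributed device-to-port ACL.

Added example, not Brocade's or Cisco's code. All WWNs, switch names and
port numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Port = Tuple[str, int]  # (switch name, port index)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class DeviceAcl:
    """Distributed ACL: every switch in the fabric holds the same WWN -> port bindings."""

    def __init__(self, bindings: Dict[str, Port]):
        self.bindings = dict(bindings)        # port WWN -> the only port it may log in on
        self.logged_in: Dict[Port, str] = {}  # port -> WWN currently logged in there
        self.events: List[str] = []           # what a fabric administrator would see

    def flogi(self, wwn: str, port: Port) -> Decision:
        """Step 1: a device sends FLOGI; step 2: check the ACL; step 3: allow or deny."""
        bound: Optional[Port] = self.bindings.get(wwn)
        if bound is None:
            decision = Decision(False, "unknown WWN, not in the fabric ACL")
        elif bound != port:
            # A known identity arriving on the wrong port: the spoofing case.
            decision = Decision(False, f"WWN is bound to {bound}, login attempted on {port}")
        elif port in self.logged_in:
            decision = Decision(False, "port already has a logged-in device")
        else:
            decision = Decision(True, "WWN matches its bound port")
        if decision.allowed:
            self.logged_in[port] = wwn
        verdict = "ALLOW" if decision.allowed else "DENY"
        self.events.append(f"{verdict} {wwn} on {port[0]}:{port[1]} ({decision.reason})")
        return decision

    def logout(self, port: Port) -> None:
        """The device was unplugged or logged out: the port is free again."""
        self.logged_in.pop(port, None)


def walk_through() -> DeviceAcl:
    """Constructed scenario: a genuine login, a spoof on another port, and the
    physical-replacement case the text notes the policy cannot stop."""
    host_wwn = "10:00:00:00:c9:aa:bb:01"               # constructed host port WWN
    array_wwn = "50:06:0e:80:00:aa:bb:02"              # constructed array port WWN
    acl = DeviceAcl({host_wwn: ("sw1", 4), array_wwn: ("sw1", 9)})
    acl.flogi(host_wwn, ("sw1", 4))                    # genuine host on its port: allow
    acl.flogi(host_wwn, ("sw1", 7))                    # same WWN on another port: deny
    acl.flogi("21:00:00:e0:8b:11:22:33", ("sw1", 7))  # unlisted device: deny
    acl.logout(("sw1", 4))                             # genuine host physically removed
    acl.flogi(host_wwn, ("sw1", 4))                    # whoever is now on port 4 is allowed
    return acl
```

The events list is what this control gives a defender: the replacement case leaves no distinguishing reason, only a logout followed by a fresh login of the same WWN on the same port.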
DHCHAP is a mandatory password-based, key-exchange authentication protocol that
supports both switch-to-switch and host-to-switch authentication. DHCHAP negotiates
hash algorithms and DH groups before performing authentication. It supports MD5
and SHA-1 algorithm-based authentication.
Today it seems to be a regular occurrence that a laptop, a memory key or a DVD has
gone missing in the post or been left on a train or in a coffee bar. With encryption,
although the loss is still embarrassing, it does eliminate all the effects of the
information loss by restricting access to the data by unauthorized persons. In many
countries laws are in place that require immediate notification of a breach of security
where personal details may be involved, but exempt cases where the data was encrypted.
How a company or government agency is perceived after a data loss can have a
major impact on public and business perception of that organization. This could
lead to loss of orders, devaluation of stock, or mistrust by organizations, government
and the public in its ability to keep individual information safe and secure. In today's
hi-tech environments, encryption of data is critical to ensuring the integrity of the
organization and the data enshrined within it.
As discussed previously, IPsec is supported on C-Series and B-Series, which can have
a performance impact on applications due to the overhead of encryption. Each can
benefit from being deployed and managed as part of a computer network. This
leads to benefits that include high availability, scalable performance with low
latency, and simplified load balancing through network traffic management. To meet
security concerns and government compliance, Cisco and Brocade have
developed their own encryption solutions. Both companies have created solutions
that simplify deployment and also increase the performance of the encryption process
within the SAN.
Lab activity
Module 12, Lab 1: Fabric Security
Module 13 - Data protection
Objectives
- Discuss backup types and their differences
- De-duplication: accelerated de-duplication and dynamic de-duplication (hash-based chunking)
- Distinguish between synchronous and asynchronous replication
- Explain split mirror and snapshot replication in more detail
Data Protection
Maintaining availability of data is the primary goal of data protection.
Why is it important?
- 50% of companies which lose data go out of business immediately
- 90% do not survive more than 2 years following that loss
If RAID is designed to protect data against bit and byte errors, then the concept of
business continuance is to handle the perceived problems at the server and
application levels. This may be achieved by making separate copies of data; this can
be performed in ways that allow the original data to still be accessed by users while
the second copy is being created. This copy may be created locally, or a copy may
be stored remotely which is routinely synchronized with the original data to ensure
integrity between the original and its copy. This copy process may be performed
through the operating system, an application, or a storage system solution such as HP
StorageWorks Business Copy.
- Backup window
- Inconsistent recovery
- Recovery time too long
- Impact on production applications
- Protection gaps
- Disaster recovery
- Compliance
Backup window: the time it takes for a backup job to complete. This may be more
time than is available.
Inconsistent recovery: data backed up to tape during a backup job may not be
intact when/if a restore is attempted, because the backup has not been verified.
Recovery time too long: unacceptable delay before restoration may occur,
particularly if the required data are situated on tape in an offsite store.
Impact on production applications: application downtime associated with a regular
backup job may not suit the business model.
Protection gaps: failed or inconsistent backups may result in protection gaps.
Disaster recovery: DR planning may be incomplete or unworkable. Test your plan!
Compliance: there may be a regulatory requirement for some types of data to be
retained in a specific way for a finite duration.
Data class        Description        Availability        Consequence of loss
Mission critical  Current data       Required 24x7       Catastrophic loss could cause failure of business
Important         Recent data        Not needed 24x7     Loss may cause business disruption
Archived          Historical data    Accessed infrequently   Often required by law
Recovery operations
Recovery Point Objective: the maximum tolerated time prior to a disaster over which
data may be lost as a consequence of recovery.
(Diagram: Recovery Point and Recovery Time marked on a time axis.)
(Diagram: recovery point sources and recovery methods on a time axis.)
Recovery point sources: tape backups, disk backups, real-time replication, snapshots, archives.
Recovery methods:
- Instant recovery
- Roll back
- Tape restores
- Disk restores
Restore from disk is less time consuming than restoring from tape, especially if data
on tape has been encrypted, compressed, or de-duplicated.
- Tape
- Virtual tape
- Replication (local, remote)
- Clustering
Physical tape will always be the foundation of a robust data protection strategy,
offering low cost/GB storage and off-site vaulting capabilities. However, in many
cases an increase in backup performance can be achieved by using disk-assisted
backup techniques.
Disk has the advantage of being random access and does not suffer the same
performance (repositioning) issues when backing up lots of small files. Additionally
backup to disk does not generally suffer from some of the error conditions that can
cause backup jobs to tape to fail, for example, no media in the media pool, media
coming to the end of its useful life, tape jams, and robotic failures.
Tape media is small for its capacity as well as transportable; it can therefore be
stored offsite easily.
Its long shelf life of up to 30 years makes it a dependable medium for archiving.
Virtual tape
Virtual tape is a disk-based storage device that appears to the LAN or SAN as a
tape drive, tape autoloader, or tape library. By presenting a virtual tape device to the
LAN or SAN, the pool of storage within it may be shared dynamically among
multiple hosts. Virtual tape can improve backup and restore performance
dramatically because virtual tapes are easy to provision.
Replication
Snapshots, clones, and mirrors allow backups to be performed with no interruption
to your applications. They also allow data to be restored instantly from saved images
on the disk array.
Clustering
Clustering provides protection against basic hardware failure. A cluster of servers
provides fault tolerance because if one server fails in a system, one or more
additional servers are still available to take over operations.
(Diagram: basic server backup. Legend: management, SCSI connection, primary storage, tape drive.)
The preceding diagram shows a basic server backup environment (also referred to as
a local backup) in which each server connects to its own backup device through a
SCSI bus. The operator loads a dedicated instance of the backup software for each
server that has a backup requirement. The backup software reads the data from
primary storage then writes the data to the backup device.
The operator controls the application locally or remotely, depending on the remote
management capabilities of the application. The storage media for each server is
managed locally and manually.
In this arrangement, the speed of the backup device affects backup performance.
Backup data and network traffic each travel on separate lines. However, one
advantage of this backup method is that backups do not consume LAN bandwidth.
Basic server backup advantages and disadvantages
Advantages: fast; does not consume LAN bandwidth.
Disadvantages: relatively expensive; must manage each server individually.
(Diagram: LAN backup with client agents. Legend: management, backup application, SCSI connection, client agent software, primary storage, tape drive.)
With the introduction of client push agents, backup devices no longer require
attachment directly to the server in need of a backup; they can be located on a
different server attached to the LAN. The backup application runs on the server
hosting the backup devices, and client agents push the data over the LAN to the
server running the backup application. Media management difficulties decrease with
the consolidation into one backup device.
However, for installations with many servers, the LAN becomes the performance
bottleneck for backup. The additional traffic on the LAN consumes bandwidth that
could otherwise be used for business productivity. This backup traffic places new
constraints on the network when backups are performed, and the scheduling of
server backup windows becomes critical to the smooth operation of the business.
The following table displays maximum and typical LAN speeds that can be regarded
as the upper limits to backup data transfer rates over a LAN.
LAN type        Maximum speed          Typical speed
10Base-T        3.6 GB/hr              2 GB/hr
100Base-T       36 GB/hr               15-20 GB/hr
FDDI            Similar to 100Base-T   Similar to 100Base-T
Fibre Channel   360 GB/hr              280 GB/hr
(Diagram: automated centralized backup. Legend: management, backup application, client agent software, tape library, primary storage.)
Using an LTO tape library adds capacity and automation to further reduce the media
management problems.
Example
With all data flowing through one server, the backup speed is limited by the:
Because backups require most of the network bandwidth, they must be scheduled
during off-peak hours or during scheduled outage windows.
Automated centralized backup advantages and disadvantages
Advantages: centralized management; tape automation; high speeds from backup server to tape device.
Disadvantages:
(Diagram: LAN-free (SAN) backup. Legend: management, backup application, client agent software.)
In this solution the SAN is used to move the data required for backup, and it is
sometimes described as a LAN-free backup, although in reality the LAN is still used to
send bytes of information regarding the progress of the backup and which files have
been processed.
The process may be something like this:
a. The backup server issues a backup command via the LAN to the backup client.
b. The request is read by the client, regarding the data and type to be backed up via
the SAN.
c. Data is then written from the backup client to a tape library over the SAN.
d. As each file is written to the tape library, the client also issues a few bytes of
control data to the backup server; these commands, however, travel over the LAN.
e. When all the data has been successfully transferred to tape, the LAN is used again
by the backup client to communicate with the backup server, indicating completion
of the backup.
Advantages: centralized management.
Disadvantages:
Tape libraries
- High performance and reliability
- Sophisticated robotics to automate tape-changing and backups
- Allow SAN-based centralization and reduced management costs
- LTO-4 compatible: 1.6 TB compressed per tape, 240 MB/s compressed data transfer
- AES 256-bit hardware encryption
Each of the HP StorageWorks tape libraries offers high performance and reliability.
The libraries commonly used in SANs are the HP StorageWorks ESL E-Series.
Note: Refer to the Designing and Implementing the HP StorageWorks Enterprise
Backup Solutions WBT course for more detailed information on the HP tape libraries.
All the libraries employ sophisticated robotics to automate tape-changing functions
and enable backups of thousands of gigabytes of data. The HP library mechanisms
place and remove tape cartridges with minimum contact to surfaces through a
precision-grip cartridge handling system that emulates the human hand.
zone?
Zoning may not always be required for configurations that are already small or
simple. Typically the bigger the SAN is, the more zoning is needed. HP recommends
the following for determining how and when to use zoning.
Small fabric (16 ports or less): may not need zoning, depending on the type of
hosts and storage devices. If no zoning is used, it is recommended that the tape
controllers reside in the lowest ports of the switch.
Small to medium fabric (16 - 128 ports): use host-centric zoning. Host-centric
zoning is implemented by creating a specific zone for each server or host, and
adding only those storage elements to be utilized by that host. Host-centric
zoning prevents a server from detecting any other devices on the SAN (including
other servers), and it simplifies the device discovery process.
Large fabric (128 ports or more): use host-centric zoning and split disk and tape
targets. Keeping disk and tape targets out of the same zone helps to keep the tape
controllers free from discovering disk controllers, which is unnecessary unless
extended copy is required.
To implement a host-centric zone, create a specific zone for each server or host
and add only those storage elements to be used by that host. This configuration
prevents a server from detecting any other devices on the SAN (including other
servers) and simplifies the device discovery process.
- Storage connections
- File block size
- File (data) compression ratio (hardware/software compression)
- Tape technology
Performance
To analyze speed and performance, the entire backup process must be examined as
a system of components. The backup process can be divided into a set of five
components that affect performance. Each of these components must be thoroughly
understood and factored into the backup equation to determine the maximum
performance in any specific situation.
The five components of the EBS are:
- Feed source: this is usually the hard disk primary storage system, but it can be
network-connected storage or even a remote system.
- Storage connection for EBS: this is a Fibre Channel connection.
- File block size: EBS supports up to a 32 KB transfer block size for NetWare and
a 64 KB transfer block size for Windows NT 4.0 or Windows 2000.
- File (data) compression ratio: the amount of compression has a direct impact on
the rate at which a DLT tape drive can read and write data.
- Tape drive (secondary storage) system: for the EBS, these systems are HP
StorageWorks libraries.
A Virtual Tape Library (VTL) is a dedicated computing appliance that emulates the
drives of a physical tape library and stores backup images to disk. Backup
applications, like HP Data Protector, use the VTL emulated tape and library devices
for backups when in fact it is an array-based appliance. The VTL consists of three
components: computer hardware, a RAID-based array of disk drives, and application
software which emulates a tape library.
VTL in practice: faster backups, faster restores
Configuration                     Time                     MB/s
Physical tape                     7 min 23 sec (443 sec)   29.34
Virtual tape (no compression)     3 min 10 sec (190 sec)   68.42
Virtual tape (with compression)   4 min 12 sec (252 sec)   51.58

Restore type                                   Restore time
Server 1 from physical tape                    2 min 6 sec (126 sec)
Server 3 from physical tape                    3 min (180 sec)
Server 1 from virtual tape (no compression)    22 sec
Server 3 from virtual tape (no compression)    20 sec
The example above shows five servers. Servers 1 and 2 have network connections to
the backup server, while Servers 3, 4, and 5 have SAN-attached storage residing on
the HP StorageWorks Modular Smart Array 1000 (MSA1000). The configuration
simulates a small mixed (LAN and SAN) backup environment. Approximately 2.6 GB
of known data (file sizes 64 K to 64 MB, 2:1 compressible data) is created on
Servers 1 and 2 (on the local drive) and on Servers 3, 4, and 5 as mapped LUNs on
the MSA1000 disk array.
The five servers are backed up to three different configurations:
A five-drive virtual tape library with no compression on the virtual tape drives
A five-drive virtual tape library with compression on the virtual tape drives
Faster Backups
With configuration 1, the backup job must wait for physical tape drives to become
available for different servers (physical limit of two drives), whereas with the virtual
tape backups, a dedicated virtual tape drive is allocated to each server, so the
backup effectively happens in parallel.
Data compression within the VLS6000 series is performed in software in the VLS
node, and this increases the capacity of the VLS6105 in this example from 2.5 TB up
to 5.0 TB (with 2:1 compressible data). The downside is that because the data
compression is performed in software, the throughput is reduced, as can be seen in
the results.
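Added example, not HP's code or test data: it reproduces the MB/s column of the results table earlier in this section from the elapsed times, then models the drive-allocation effect described above (with configuration 1 a job waits for one of two physical drives, while the VTL gives every server its own virtual drive so all five stream in parallel). It assumes 13,000 MB in total (five servers at 2.6 GB, 1 GB = 1000 MB), that the table's figures were truncated rather than rounded to two decimals, and constructed per-drive rates for the model.

```python
"""Why the virtual tape library finished the backup sooner.

Added example, not HP's code or test data. Assumes 13,000 MB total
(five servers x 2.6 GB, 1 GB = 1000 MB); per-drive rates are constructed.
"""
import heapq
from typing import Dict, List, Sequence

TOTAL_MB = 5 * 2600  # five servers, about 2.6 GB of known data each


def throughput_mb_s(total_mb: float, seconds: float) -> float:
    """Aggregate backup throughput, truncated to two decimals like the table."""
    return int(total_mb / seconds * 100) / 100


def table_throughputs() -> List[float]:
    """The three backup runs of the table: physical, virtual, virtual + compression."""
    return [throughput_mb_s(TOTAL_MB, seconds) for seconds in (443, 190, 252)]


def elapsed_seconds(job_sizes_mb: Sequence[float], drives: int, mb_per_s: float) -> float:
    """Greedy drive scheduler: each job starts on the drive that frees up first.

    Returns wall-clock seconds until the last job finishes, assuming every
    drive streams at mb_per_s and a job cannot be split across drives.
    """
    free_at = [0.0] * drives  # min-heap of the times at which each drive becomes free
    heapq.heapify(free_at)
    finish = 0.0
    for size in job_sizes_mb:
        start = heapq.heappop(free_at)   # earliest free drive takes the job
        end = start + size / mb_per_s
        finish = max(finish, end)
        heapq.heappush(free_at, end)
    return finish


def drive_rounds(job_count: int, drives: int) -> int:
    """Number of sequential waves when equal-sized jobs queue for the drives."""
    return -(-job_count // drives)  # ceiling division


def compare(job_count: int = 5, job_mb: float = 2600.0, mb_per_s: float = 30.0) -> Dict[str, float]:
    """Two physical drives versus a dedicated virtual drive per server (constructed rate)."""
    jobs = [job_mb] * job_count
    physical = elapsed_seconds(jobs, 2, mb_per_s)          # configuration 1: jobs wait
    virtual = elapsed_seconds(jobs, job_count, mb_per_s)   # VTL: all jobs in parallel
    return {"physical_s": physical, "virtual_s": virtual, "speedup": physical / virtual}
```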
Disk to Tape
For a reliable and robust data protection policy HP recommends using the backup
application to migrate data from disk to tape.
HP strongly recommends the use of the backup application to migrate data from the
Virtual Library System to physical tape, because using the backup application means
all the media (virtual and physical) is tracked in the backup application catalog. This
ensures reliable, robust data recovery. Tape technology has long been the standard
for protecting business data. It's portable, it has a long shelf life, it's cost-effective
and it can hold a lot of data. For these reasons, it's still the best choice for
certain small businesses, depending on their recovery needs. But for other small and
medium businesses, or SMBs, a tape-based approach alone may not meet their
demand for business continuity. That's why the best backup and restore plans today
don't use just tape; they incorporate disk, too. This two-tiered approach might be the
only way to get the specific data SMBs need back fast enough to keep their
businesses up and running, and now it's actually an affordable strategy.
Data replication
- Split mirror
- Snapshots
- De-duplication
- Array-based replication
- Host-based replication (software)
(Diagram: application host with primary LDEV P and mirror copies M0, M1, M2 (MU0-2); backup host attached to a mirror. EVA MirrorClone supports one mirror only.)
The general idea behind split-mirror backups is to stream the backup from the mirror
instead of the production disk. The mirror is typically connected to a separate host
(called the backup host) with a tape device attached. Usually, hardware mirror
technologies such as HP StorageWorks Business Copy XP or HP StorageWorks
Continuous Access XP are used to create the mirror.
Before a backup of a mirror can be started, a valid point-in-time disk image must be
created. The disk image must be consistent so that it can be fully restored. The mirror
must be established before proceeding with the backup. To create the backup image,
the mirror is split off the production disk at backup time.
Because the application host and backup host are different, all cached information (database and file system cache) on the application host must be flushed to disk before the mirror is split off. Depending on the type of data to back up, flush the cache by:
If the file system is left mounted, the split-mirror backup still completes successfully. However, a successful restore of all files and directories cannot be guaranteed, because cached data is not necessarily written to disk before the split. HP therefore recommends dismounting a file system before performing a split-mirror backup.
If a database is running on a file system, there is no need to dismount the file system
because the database controls the write to the disk and ensures that data is written to
the disk and not to the file system cache.
For an online database backup, the backup image alone cannot be restored. The archive log files from the application host are also needed. The archive log backup can be started as soon as the database is taken out of backup mode, which occurs right after the mirrors are successfully split off their production disks. This is true for Oracle, SQL and certain other databases, but not necessarily for all database applications.
Mirror rotation
Mirror rotation relies on the ability of Business Copy to maintain up to three
independent secondary volumes (S-Vols) of one primary volume (P-Vol). The different
S-Vols are labeled as mirror units (MU#0, MU#1, and MU#2).
Data Protector can perform split-mirror backups of each of these mirrors. Users can supply either one dedicated S-Vol or multiple S-Vols for backup. If two or more mirrors are available, Data Protector automatically uses them in a cyclic fashion. At the end of the backup, the S-Vol used is left split off the P-Vol, keeping the backup version on that S-Vol available for instant recovery (IR). For the next backup, another S-Vol is used. This process provides a high level of data protection.
N.B. The number of MirrorClones available on an EVA may be less than the number that can be configured on an XP array.
Snapshots
Figure: the application host writes to the primary LUN (P); a snapshot (child, S) of that LUN is presented to the backup host.
The snapshot backup concept is similar to the split-mirror backup. The snapshot backup is currently supported with the HP StorageWorks Enterprise Virtual Array (EVA) and XP storage systems.
Snapshots can be created dynamically within the array, or they can be designated
for reuse for backup using a rotation strategy. Snapshots can also be designated for
use with the IR capabilities of Data Protector.
De-duplication
Because virtual tape libraries are disk-based backup devices with a virtual file system, and because the backup process tends to produce a great deal of repetitive data, virtual tape libraries lend themselves particularly well to data de-duplication. In storage technology, de-duplication essentially refers to the elimination of redundant data. In the de-duplication process, duplicate data is deleted, leaving only one copy of the data to be stored; however, an index of all the data is retained should that data ever be required. De-duplication reduces the required storage capacity because only the unique data is stored.
With a virtual tape library that has de-duplication, the net effect is that, over time, a given amount of disk storage capacity can hold more data than is actually sent to it. To work, de-duplication needs the random access capability offered by disk-based backup. This is not to say physical tape is dead; tape is still required for archiving and disaster recovery, and both disk and tape have their own unique attributes in a comprehensive data protection solution. The capacity optimization offered by de-duplication is dependent on:
- Retention periods
The benefits of de-duplication include:
- The ability to store dramatically more data online (by online we mean disk based)
- An increase in the range of Recovery Point Objectives (RPOs) available: data can be recovered from further back in time to better meet Service Level Agreements (SLAs). Disk recovery of a single file is always faster than tape
- A reduction of investment in physical tape, by restricting its use more to a deep archiving and disaster recovery usage model
- De-duplication can automate the disaster recovery process by providing the ability to perform site-to-site replication at a lower cost. Because de-duplication knows what data has changed at a block or byte level, replication becomes more intelligent and transfers only the changed data as opposed to the complete data set. This saves time and replication bandwidth and is one of the most attractive propositions that de-duplication offers. Customers who do not use disk-based replication across sites today will embrace low-bandwidth replication, as it enables better disaster tolerance without the need and operational costs associated with transporting data off-site on physical tape. Replication is performed at a tape cartridge level
HP Accelerated de-duplication (object-level differencing)
a. After the first backup job completes, tasks are scheduled to begin the de-duplication processing. The content database is used to identify subsequent backups from the same data sources. This is essential, since the way object-level differencing works is to compare the current backup from a host to the previous backup from that same host.
b.
c.
d. Secondary integrity check: before a backup tape is replaced by a de-duplicated version with pointers to a more recent occurrence of that data, a byte-for-byte comparison can take place comparing the original backup with the reconstructed backup, including pointers, to ensure that the two are identical. Only when the compare succeeds is the original backup tape replaced by a version including pointers.
e. Space reclamation occurs when all the free space created by replacing duplicate data with pointers to a single instance of the data is complete. This can take some time and results in used capacity being returned to a free pool on the device.
The major issue with object-level differencing is that the device has to be knowledgeable about backup formats and data types in order to understand the metadata. HP Accelerated de-duplication will support a subset of backup applications and data types at launch.
Additionally, object-level differencing compares only backups from the same host against each other, so there is no de-duplication across hosts; but the amount of common data across different hosts can be quite low.
The object-level differencing in HP Accelerated de-duplication is unique in the marketplace. Unlike hash-based techniques, which are an all-or-nothing method of de-duplication, object-level differencing applies intelligence to the process, giving users the ability to decide what data types are de-duplicated and allowing the flexibility to reduce the de-duplication load if it is not yielding the expected or desired results. HP object-level differencing technology is also the only de-duplication technology that can scale to hundreds of terabytes with no impact on backup performance, because the architecture does not depend on managing ever-increasing index tables, as is the case with hash-based chunking. It is also well suited to larger scalable systems, since it is able to distribute the de-duplication workload across all the available processing resources and can even have dedicated nodes purely for de-duplication activities.
HP dynamic de-duplication (hash-based chunking)
a. As the backup data stream enters the target device (in this case the HP D2D2500 or D2D4000 Backup System), it is chunked into nominal 4K chunks against which the SHA-1 hashing algorithm is run. The resulting hash values are placed in an index that is stored in RAM in the target D2D device. Each hash value is also stored as an entry in a recipe file, which represents the backup stream and points to the data in the de-duplication store where the original 4K chunk is kept. This happens in real time as the backup is taking place. Step 1 continues for the whole backup data stream.
b.
c. In the case of backup 2, as the data stream is run through the hashing algorithm again, much of the data generates the same hash values as in backup 1, so there is no need to add entries to the index or use storage in the de-duplication store. In this backup, some of the data has changed. In some cases (#222, #75 and #86), the data is unique and generates new entries for the index and new data entries in the de-duplication store.
d.
On receiving a restore command from the backup system, the D2D device selects the correct recipe file and starts sequentially re-assembling the file to restore. Note that a hash-based store treats two chunks with equal hashes as identical data: the index, not the data itself, decides whether a chunk is written, so the choice of hash function and any integrity checks on the stored chunks determine whether a restore returns exactly what was backed up.
Issues associated with hash-based chunking: the main issue with hash-based chunking technology is the growth of the indexes and the limited amount of RAM available to store them. Take a simple example: a 1 TB backup data stream using 4K chunks, in which every 4K chunk produces a unique hash value. This equates to roughly 250 million 20-byte hash values, or about 5 GB of index storage.
HP has developed a unique, innovative technology leveraging work from HP Labs that dramatically reduces the amount of memory required for managing the index without sacrificing performance or de-duplication efficiency.
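The following Python model is an added worked example of the hash-based chunking described above (backup 1, backup 2 and the recipe-driven restore); it is not HP's D2D code and is not part of the course material. It chunks a stream into 4K pieces, keys a store on the SHA-1 of each chunk, writes one recipe per backup, reproduces the module's index-size arithmetic, and adds a restore-time re-hash so that a corrupted chunk body is refused rather than silently returned. The sample backup streams are constructed for the example; the DedupStore class and its method names are this example's own. Note as a caveat that SHA-1 collisions are now practical, and a store like this equates equal hashes with equal data, so a production design needs a collision-resistant hash or a byte compare before a chunk is considered a duplicate.

```python
import hashlib
from typing import Dict, List, Tuple

CHUNK_SIZE = 4096   # nominal 4K chunk, as on the slide
HASH_BYTES = 20     # SHA-1 digest length, 160 bits


class DedupStore:
    """Toy hash-based chunking store: an index of chunk hashes, a store of unique
    chunk bodies, and one ordered 'recipe' of hashes per backup stream."""

    def __init__(self, chunk_size: int = CHUNK_SIZE) -> None:
        self.chunk_size = chunk_size
        self.store: Dict[bytes, bytes] = {}         # hash -> unique chunk body
        self.recipes: Dict[str, List[bytes]] = {}   # backup name -> ordered hashes
        self.bytes_received = 0

    def ingest(self, name: str, stream: bytes) -> Tuple[int, int]:
        """Chunk the stream, hash each chunk, store only chunks not yet in the index.
        Returns (chunks seen, chunks newly stored)."""
        recipe: List[bytes] = []
        new = 0
        for off in range(0, len(stream), self.chunk_size):
            chunk = stream[off:off + self.chunk_size]
            h = hashlib.sha1(chunk).digest()
            if h not in self.store:           # the index lookup decides whether data is written
                self.store[h] = chunk
                new += 1
            recipe.append(h)
        self.recipes[name] = recipe
        self.bytes_received += len(stream)
        return len(recipe), new

    def restore(self, name: str, verify: bool = True) -> bytes:
        """Re-assemble a backup by walking its recipe. With verify=True every chunk is
        re-hashed, so a corrupted or substituted chunk body raises instead of being
        silently returned; with verify=False the store trusts the index blindly."""
        out = bytearray()
        for h in self.recipes[name]:
            chunk = self.store[h]
            if verify and hashlib.sha1(chunk).digest() != h:
                raise ValueError("chunk integrity failure while restoring %s" % name)
            out += chunk
        return bytes(out)

    def stored_bytes(self) -> int:
        return sum(len(c) for c in self.store.values())

    def dedup_ratio(self) -> float:
        return self.bytes_received / max(1, self.stored_bytes())


def index_size_bytes(stream_bytes: int, chunk_size: int = CHUNK_SIZE,
                     hash_bytes: int = HASH_BYTES) -> int:
    """Worst-case RAM index for a stream in which every chunk is unique
    (the module's 1 TB / 4K / 20-byte example)."""
    chunks = -(-stream_bytes // chunk_size)   # ceiling division
    return chunks * hash_bytes


def demo() -> dict:
    """Constructed data: backup 1 is 64 chunks (48 identical plus 16 distinct);
    backup 2 is the same stream with three chunks changed."""
    common = bytes(range(256)) * 16                     # one 4 KiB chunk
    base = [common] * 48 + [bytes([i]) * CHUNK_SIZE for i in range(16)]
    backup1 = b"".join(base)
    changed = list(base)
    for i in (3, 7, 11):
        changed[i] = bytes([0xA0 + i]) * CHUNK_SIZE     # new unique content
    backup2 = b"".join(changed)

    ds = DedupStore()
    seen1, new1 = ds.ingest("backup1", backup1)
    seen2, new2 = ds.ingest("backup2", backup2)
    restore_ok = ds.restore("backup1") == backup1 and ds.restore("backup2") == backup2

    # Corrupt one stored chunk body: the unverified restore returns wrong data
    # without complaint, the verified one refuses.
    first = ds.recipes["backup1"][0]
    ds.store[first] = b"\xff" * CHUNK_SIZE
    silent_corruption = ds.restore("backup1", verify=False) != backup1
    try:
        ds.restore("backup1")
        detected = False
    except ValueError:
        detected = True
    return {"seen1": seen1, "new1": new1, "seen2": seen2, "new2": new2,
            "restore_ok": restore_ok, "ratio": ds.dedup_ratio(),
            "silent_corruption": silent_corruption, "detected": detected}
```

Running demo() shows backup 1 storing 17 of its 64 chunks and backup 2 only the 3 changed ones, a 6.4:1 reduction on this constructed data, while index_size_bytes(10**12) gives the 4.9 GB of the 1 TB example.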
Despite the above limitations, de-duplication using hash-based chunking is a well-proven technology and serves remote offices and medium-sized businesses very well. The biggest benefit of hash-based chunking is that it is totally data-format-independent and does not have to be engineered to work with specific backup applications and data types. Products using hash-based de-duplication technology still have to be tested with the various backup applications, but the design approach is generic.
The HP Labs technology used in HP dynamic de-duplication:
- Uses far less memory, by implementing algorithms that determine which are the most optimal indexes to hold in RAM for a given backup data stream
- Allows the use of much smaller chunk sizes, providing more effective data de-duplication that is more robust to variations in backup stream formats or data types
- Provides intelligent storage of chunks and recipe files to limit disk I/O and paging
- Works well in a broad range of environments, since it is independent of backup software format and data types
Initially it will not be possible for D2D devices to replicate into the much larger VLS devices, since their de-duplication technologies are so different, but HP plans to be able to offer this feature in the near future.
What will be possible is to replicate multiple HP D2D2500 systems into a central D2D4000, or to replicate smaller VLS6200 models into a central VLS12000 (see Figure 18).
De-duplication technology is leading us to the point where many remote sites can replicate data back to a central data center at a reasonable cost, removing the need for tedious off-site vaulting of tapes and fully automating the process, saving even more costs.
This ensures
HP has a range of disk-based backup products with de-duplication, starting with the entry-level D2D2500 at 2.25 TB of user capacity for small businesses and remote offices, right up to the VLS12000 EVA Gateway with capacities over 1 PB for the high-end enterprise data center customer. They emulate a range of HP physical tape autoloaders and libraries.
The HP StorageWorks D2D2500 and D2D4000 Backup Systems support HP dynamic de-duplication. These range in size from 2.25 TB to 7.5 TB and are aimed at remote offices or small enterprise customers. The D2D2500 has an iSCSI interface to reduce the cost of implementation at remote offices, while the D2D4000 offers a choice of iSCSI or 4 Gb FC.
The HP StorageWorks Virtual Library Systems are all 4 Gb SAN-attach devices which range in native user capacity from 4.4 TB to over a petabyte with the VLS9000 and VLS12000 EVA Gateway. Hardware compression is available on the VLS6000, 9000 and 12000 models, achieving even higher capacities. The VLS9000 and VLS12000 use a multi-node architecture that allows the performance to scale in a linear fashion. With eight nodes, these devices can sustain a throughput of up to 4800 MB/s at 2:1 data compression, providing the SAN hosts can supply data at this rate. HP Virtual Library Systems will deploy the HP Accelerated de-duplication technology.
Remote replication
Synchronous replication
+ Guaranteed in-sync local and remote data
- Round-trip latency
Asynchronous replication
+ Improved application performance
- Remote data may not be fully updated
The maximum number of copy sets, DR groups, and remote copy sets is based on
the EVA storage system model and controller software version (for up to date details
check the HP StorageWorks Enterprise Virtual Array compatibility reference guide).
On all storage systems, the limit is the total number of DR groups and copy sets that
are either a source or a destination. When replicating across storage systems with
different limits, the lower limit applies to the storage system replication pair.
Synchronous replication (1 of 2)
Writes are ensured. Figure: Host A, source array and destination array:
1. I/O sent to controllers
2. Copy sent to destination
3. Acknowledgment from destination
4. Acknowledgment to host
5. I/O complete
I/O completion status is not returned to the host until both local and remote writes to cache are complete.
Synchronous replication (2 of 2)
- I/O completion status not returned to host until both local and remote writes to cache complete
- Data is mirrored in real time
- In-order delivery guaranteed using group sequence numbers
- Data consistency is crucial to the application
- Can increase response time on writes
- The higher the latency of the link, the greater the impact on performance
Note that the I/O complete message does not imply the data is on the disk platters. Rather, it is in the battery-protected write-back cache and is written to the disks when not competing with I/O or before the cache is full.
Asynchronous replication (1 of 2)
Figure: Host A, source array and destination array:
1. I/O sent to controllers
2. I/O acknowledgement
3. I/O complete
4. Copy sent to destination
5. Acknowledgment from destination
Asynchronous replication (2 of 2)
- I/O completion status returned when local write completes
- Destination writes are deferred until later
- At risk if source system is lost
Figure (timeline): Synchronous: perform task (user) -> update data at source -> transmit update (network) -> update data at destination -> notify user (network). Asynchronous: perform task (user) -> update data at source -> notify user (network) -> transmit update (network) -> update data at destination; the transaction is not complete at the point the user is notified.
HP recommends synchronous mode for most data replication. The reasons to use synchronous or asynchronous modes are discussed in the best practices module.
Synchronous
- Financial transactions
- Brokerage accounts
- Banking
- Mortgage servicing
- Manufacturing systems
Asynchronous
- Data warehousing
- Development systems
- Mirrored websites
- Index updates
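The following Python simulation is an added worked example of the two replication sequences described on the preceding slides (synchronous: copy and remote acknowledgment before the host sees I/O complete; asynchronous: host acknowledged immediately, copy deferred); it is not HP array controller code and is not part of the course material. It plays both exchanges for the same burst of writes over a link with a constructed 2.5 ms one-way latency, tags each write with a group sequence number so deferred copies are delivered in order, and then removes the source site to show which acknowledged writes an asynchronous destination never received. The class and method names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Array:
    """A controller's battery-protected write-back cache, keyed by LBA."""
    name: str
    cache: Dict[int, bytes] = field(default_factory=dict)

    def write(self, lba: int, data: bytes) -> None:
        self.cache[lba] = data


class ReplicatedVolume:
    """Source/destination pair. Times are simulated milliseconds: the host sees the
    returned completion time, the arrays end up with whatever is in their caches."""

    def __init__(self, link_one_way_ms: float, local_write_ms: float = 0.5) -> None:
        self.src = Array("source")
        self.dst = Array("destination")
        self.link_ms = link_one_way_ms
        self.local_ms = local_write_ms
        self.seq = 0                                         # group sequence number
        self.pending: List[Tuple[int, int, bytes]] = []     # deferred async copies
        self.log: List[str] = []

    def sync_write(self, lba: int, data: bytes) -> float:
        """1. I/O to source, 2. copy to destination, 3. ack from destination,
        4./5. ack and I/O complete to host. The host waits a full round trip."""
        self.seq += 1
        self.src.write(lba, data)
        self.log.append("seq %d: copy -> destination" % self.seq)
        self.dst.write(lba, data)
        self.log.append("seq %d: ack <- destination" % self.seq)
        return self.local_ms + 2 * self.link_ms

    def async_write(self, lba: int, data: bytes) -> float:
        """1. I/O to source, 2./3. ack and I/O complete to host at once,
        4./5. copy and remote ack happen later (see drain)."""
        self.seq += 1
        self.src.write(lba, data)
        self.pending.append((self.seq, lba, data))
        return self.local_ms

    def drain(self) -> int:
        """Deliver the deferred copies in sequence-number order; returns the count."""
        n = 0
        for seq, lba, data in sorted(self.pending):
            self.dst.write(lba, data)
            self.log.append("seq %d: copy -> destination (deferred)" % seq)
            n += 1
        self.pending.clear()
        return n

    def source_lost(self) -> Dict[int, bytes]:
        """Lose the source site before the deferred copies are sent: returns the
        writes the host was told were complete but that never reached the destination."""
        lost = {lba: data for _, lba, data in self.pending}
        self.pending.clear()
        return lost

    def in_sync(self) -> bool:
        return self.src.cache == self.dst.cache


def demo(link_one_way_ms: float = 2.5, n_writes: int = 4) -> dict:
    """Same write burst in both modes over a link with 2.5 ms one-way latency
    (constructed figures), then the source site fails."""
    sync_vol = ReplicatedVolume(link_one_way_ms)
    async_vol = ReplicatedVolume(link_one_way_ms)
    sync_rt = [sync_vol.sync_write(i, b"S%d" % i) for i in range(n_writes)]
    async_rt = [async_vol.async_write(i, b"A%d" % i) for i in range(n_writes)]
    sync_consistent = sync_vol.in_sync()       # destination already holds every acked write
    lost = async_vol.source_lost()             # async: acked writes still only at the source
    return {
        "sync_write_ms": sync_rt[0],           # local write + round trip (5.5)
        "async_write_ms": async_rt[0],         # local write only (0.5)
        "sync_consistent": sync_consistent,
        "async_lost_writes": len(lost),
    }
```

The numbers make the trade-off on the slides concrete: every synchronous write costs the local write plus one round trip of the link, which is exactly the "round-trip latency" penalty, while the asynchronous host sees only the local write time but all four acknowledged writes are lost with the source site.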
Host-based replication: HP StorageWorks Storage Mirroring
Figure: servers at two sites, each with IP connections to a LAN and to a SAN switch; data is replicated between servers over LAN, WAN or SAN IP connections.
If your disk array does not support controller-based replication, then software replication can help.
Storage Mirroring can replicate across WAN links to off-site storage (no distance constraints).
Because Storage Mirroring is based on standard IP technology, as IP over Fibre Channel matures the SAN can be used to take data replication off the LAN and onto the high-speed SAN fabric. Also, with Fibre Channel itself currently limited to 10 km, Storage Mirroring can be used to replicate SAN-based data over WAN links to an off-site server or SAN.
Initial mirror
- Process of transmitting user-specified data from the Source to the Target so that an identical copy exists on the Target
- On initial connection, a full mirror of the selected data, including file attributes and permissions, is mirrored to the Target
- This creates a foundation upon which Storage Mirroring can effectively update by replicating changes
- ALL files (in the replication set) are sent to the Target, in 32 KB chunks
- Low CPU impact, high memory impact on the server (compared to a file-difference mirror)
File-difference mirror
- Only files with a date/time stamp (DTS) difference are sent to the Target, in 32 KB chunks
- High CPU impact, low memory impact on the server (compared to a full mirror)
Lab activity
1. Module 13, Lab 1: Snapshot Management
2. Module 13, Lab 2: Installing HP StorageWorks Storage Mirroring
3. Module 13, Lab 3: SWSM Basic Operations
© 2009 Hewlett-Packard Development Company, L.P.
Module 14 - Performance
Objectives
- Understand what factors affect storage area network (SAN) performance
- Describe Fibre Channel technology and how it affects storage performance
- List the factors that affect disk performance, such as data rates and response time
- Explain the effects of drive speed on performance
- Plan a disk system that accounts for the effects of RAID, cache and chunk size on performance
- I/O profiling
The objective of a SAN is to access data. A SAN is often designed by drawing the various components on a piece of paper and linking them with lines to represent the Fibre Channel cables. Some questions that may arise are often answered without considering performance. For example:
1. High performance (MB/s)
2. High availability
3. Low cost
© 2010 Hewlett-Packard Development Company, L.P.
But you cannot have all three, so you have to decide what is important for the customer and the application.
When designing a SAN for performance, you first have to determine the performance requirements and the application I/O profile. Even if the SAN is already in production, you need to understand the application profile to determine how you can optimize or maintain performance. Without this knowledge, any change or upgrade could result in lower performance.
Availability is another consideration. But be aware that designing or redesigning a SAN for availability will probably change the performance characteristics of the SAN.
Performance factors
- Attenuation
- Bandwidth
- Data rate
- Applied load
- Request size
- Read/write ratio
- Request rate
- Response time
- Rotational speed
- Seek time
- Service time
- Throughput
- Utilization
- Bus contention
Performance terms
The following definitions are frequently used to describe performance:
- Applied load
- Request size
- Read/write ratio
The data transfer rate is usually expressed as megabytes per second (MB/s). Considering bus arbitration and protocol overheads on the Ultra Wide SCSI bus, the amount of data that can be processed is less than the rated bandwidth.
Example: the data rate for a Wide Ultra SCSI bus is approximately 38 MB/s.
- Seek time: The time delay associated with reading or writing data to a disk drive. To read or write data at a particular place on the disk, the read/write head must move to the correct place. This process is known as seeking, and the time it takes for the head to move to the right place is the seek time.
- Service time: The amount of time a device needs to process a request. Service time is also known as latency and varies with request characteristics.
- Throughput: The number of I/O requests satisfied per unit of time. Throughput is expressed in I/O requests per second, where a request is an application request to a storage subsystem to perform a read or write operation. Although throughput and bandwidth are sometimes used interchangeably, there is a fundamental difference between the two terms: the operations counted in the throughput can have different data sizes.
- Utilization: The fraction (or percentage) of time a device is busy. Utilization depends on the service time and request rate and is expressed as a percentage, where 100% utilization is the maximum.
Drive speed
Using faster drives yields better performance. How much of an increase depends on the workload (I/O profile) and the applied load.
The original 1.6-inch 7,200-rpm drives consisted of up to ten 3.5-inch platters. When spinning these drives at high rpm, interaction between the air and the platters caused friction. This friction generated heat that caused drive failures. The 10,000-rpm drive design was changed to use 2.8-inch platters, which addressed the heat issue and provided higher rotational speeds.
Bit density on the platters has also increased, reducing the total number of platters in a drive and increasing drive speed and capacity.
The end result is:
- Higher capacity
- Higher speed
Performance
Response time
Response time
Bottlenecks can form when data moves from a device with
a high data rate to a device with a lower data rate
Controller
bottleneck
Adapter
bottleneck
Load
imbalance
500MB/s
80MB/s
Host
CPU
Adapter
90MB/s
I/O Bus
55MB/s
Controller
Queues of request
UC434S F.00
14 -7
Bus utilization
- Bandwidth specifies the maximum rate at which data can be transferred over that bus
- The maximum data rate over a given bus is 85% of the bus bandwidth
- Apply the 80% rule to avoid excessive response times
- Bus utilization should therefore not exceed 68% of the maximum bandwidth (0.85 x 0.80)
Bus bandwidths:
- Fast SCSI-2: 10 MB/s
- Fast-Wide SCSI-2: 20 MB/s
- Wide-Ultra SCSI-2: 40 MB/s
- Wide-Ultra2 SCSI: 80 MB/s
- Ultra160 SCSI: 160 MB/s
Device utilization
Figure: relative (normalized) response time, from 1 to about 9, plotted against device utilization from 0% to 100%.
The devices with the highest utilization can be identified after the performance data has been collected. By definition, the devices with the highest utilization are the bottleneck devices. The graph depicts the relationship between utilization and relative (normalized) response time.
When the incoming request rate is low (low utilization), the response time is equal to the service time. This response time is given a value of 1 on the vertical axis. As the workload increases (utilization increases), queues form within the I/O subsystem and the response time increases. At low utilization levels, the increase in response time is relatively slow, but after the utilization exceeds 75%, the response time rises rapidly.
Optimum response times are achieved when device utilization is kept below 80%. This applies to all devices.
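The following Python functions are an added worked example for the utilization, response-time and bus-utilization material above; they are not from the course and not from any HP tool. They compute utilization from a measured request rate and service time, reproduce the normalized response-time curve with the single-server queue formula R/S = 1/(1 - U) (an assumption this example makes about the shape of the slide's graph; the 1 at low load and the steep rise past 75% match it), pick the highest-utilization device out of a constructed set of collected figures as the bottleneck, and apply the 85% and 80% rules to a rated bus bandwidth.

```python
from typing import Dict, Tuple


def utilization(request_rate_per_s: float, service_time_ms: float) -> float:
    """Utilization law: fraction of time busy = request rate x service time."""
    return request_rate_per_s * service_time_ms / 1000.0


def normalized_response_time(util: float) -> float:
    """Response time divided by service time for a single-server queue with random
    arrivals (M/M/1 assumption): R/S = 1 / (1 - U). Gives 1.0 at 0%, 2.0 at 50%,
    4.0 at 75%, 5.0 at 80%, 10.0 at 90%, and grows without bound as U -> 100%."""
    if not 0.0 <= util < 1.0:
        raise ValueError("utilization must be in [0, 1)")
    return 1.0 / (1.0 - util)


def response_time_ms(request_rate_per_s: float, service_time_ms: float) -> float:
    """Projected response time for a device at the given load."""
    u = utilization(request_rate_per_s, service_time_ms)
    return service_time_ms * normalized_response_time(u)


def bus_limits(bandwidth_mb_s: float, protocol_efficiency: float = 0.85,
               headroom: float = 0.80) -> Dict[str, float]:
    """85% of rated bandwidth is the real maximum data rate; the 80% rule on top
    of that gives the planning ceiling, 68% of the rated bandwidth."""
    max_rate = bandwidth_mb_s * protocol_efficiency
    return {"max_data_rate": max_rate, "planning_ceiling": max_rate * headroom}


def find_bottleneck(devices: Dict[str, Tuple[float, float]]) -> Tuple[str, float, list]:
    """devices: name -> (request rate per second, service time in ms).
    Returns the highest-utilization device (the bottleneck by definition), its
    utilization, and every device over the 80% guideline."""
    utils = {name: utilization(rate, svc) for name, (rate, svc) in devices.items()}
    worst = max(utils, key=utils.get)
    over = sorted(name for name, u in utils.items() if u > 0.80)
    return worst, utils[worst], over


def curve(step: float = 0.1) -> Dict[float, float]:
    """Points of the normalized response-time curve, as in the slide's graph."""
    n = int(round(1.0 / step))
    return {round(i * step, 2): round(normalized_response_time(i * step), 2)
            for i in range(n)}


# Constructed sample: request rates and service times collected per device.
SAMPLE = {
    "hba":        (1200.0, 0.1),   # 12% busy
    "controller": (1200.0, 0.7),   # 84% busy: the bottleneck, already over the guideline
    "disk_group": (150.0, 5.0),    # 75% busy, on the knee of the curve
}
```

With SAMPLE, find_bottleneck() returns the controller at 84% utilization, and response_time_ms(1200, 0.7) projects its 0.7 ms service time to about 4.4 ms of response time, which is why the module's "reduce the request rate or the service time" advice targets that device first.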
Improving performance
When the bottleneck devices have been identified, the next step to improve performance is to take measures to reduce response times. Two ways to reduce response time are:
Reducing usage
Reduce the device request rate or the device service time to lower usage. You can reduce the device request rate by:
- Distributing the workload over more drives by using a drive array and RAID technology
RAID controllers
Disk configuration
For fabrics consisting of 8 Gb/s, 4 Gb/s, and 2 Gb/s or 4 Gb/s, 2 Gb/s, and 1
Gb/s switches and devices, the fabric segment connections negotiate the speed at
which specific devices communicate.
The presence of lower speed devices in a fabric does not force other independent
higher speed devices or paths to a lower speed. Fibre Channel requires that all 8
Gb/s ports be able to negotiate to 4 Gb/s and 2 Gb/s, and all 4 Gb/s ports to 2
Gb/s and 1 Gb/s speeds. Switch ports or user ports in a fabric communicate at the
highest mutually supported speed.
Latencies
Figure: buffer credits per port along two host-switch-array paths, one of them crossing a long-distance fibre link between two switches (per-port credit values such as 8, 16, 27 and 2 are shown).
Buffer-to-buffer (BB) credit flow control is implemented to limit the amount of data that a port may send, based on the number and size of the frames sent from that port. Buffer credits represent finite physical port memory. Within a fabric, each port may have a different number of BB credits. Within a connection, each side may have a different number of BB credits.
Buffer-to-buffer flow control is flow control between adjacent ports in the I/O path, that is, transmission control over individual network links. A separate, independent pool of credits is used to manage buffer-to-buffer flow control. Buffer-to-buffer flow control works by a sending port using up its available credit supply and waiting to have the credits replenished by the port on the opposite end of the link. These BB credits are used by Class 2 and Class 3 service and rely on the Fibre Channel Receiver-Ready (R_RDY) primitive signal being sent by the receiving link port to the sender. The rate of frame transmission is regulated by the receiving port based on the availability of buffers to hold received frames.
Upon arrival at a receiver, a frame goes through several steps. It is received, deserialized, decoded and stored in a receive buffer, where it is processed by the receiving port. If another frame arrives while the receiver is processing the first frame, a second receive buffer is needed to hold the new frame. Unless the receiver is capable of processing frames as fast as the transmitter is capable of sending them, it is possible for all of the receive buffers to fill up with received frames. At this point, if the transmitter were to send another frame, the receiver would have no receive buffer available and the frame would be lost. Buffer-to-buffer flow control therefore provides consistent and reliable frame delivery from sender to receiver.
The default configured F_Port buffer credit is fixed at eight buffers. You can use the portCfgFPortBuffers command to configure a given port with a specified number of buffers.
ISL oversubscription
Figure: 12 x 1 Gb/s device ports on a switch share 4 x 1 Gb/s ISLs, giving 3-to-1 ISL oversubscription.
Hop latency
Fabric latency, the time it takes a frame to traverse from its source to its destination, is referred to as the latency of the link. Sometimes a frame is switched from source to destination on a single switch, and other times a frame must traverse one or more hops between switches before it reaches its destination. A common misconception is that hop counts introduce unacceptable latency. For most Fibre Channel devices, the latency associated with traversing one or more ISLs is inconsequential.
Example: every hop in a B-Series SAN fabric adds no more than about 2 microseconds of latency. In a large fabric designed with seven hops between two devices (the B-Series-supported maximum), the latency could be up to about 14 microseconds.
The distance between switches also introduces latency, especially for long-distance solutions spread over larger metropolitan areas. The speed of light in optical fibre equates to approximately 5 microseconds per km.
B-Series switches address the need for long-distance performance with B-Series Extended Fabrics. This product enables full-bandwidth performance across long distances spanning more than 100 km, with greater distances possible at lower speeds.
Quality of Service (QoS)
- Enables traffic prioritization during network congestion
- User-definable, weighted queues
- Priority is given to control traffic over all others
- Map to IP QoS for SAN extension
Figure: a strict priority queue (PQ, absolute priority) and three deficit weighted round robin (DWRR) queues with weights of 60 (queue 2), 30 (queue 3) and 10 (queue 4) feeding one transmit queue.
Each I/O can have a fair share of the bandwidth, so that a large-size I/O will not consume the whole bandwidth and starve a small-size I/O, thus balancing the performance of different devices communicating across the ISL.
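The following Python scheduler is an added worked example of the queuing shown on the QoS slide (a strict priority queue for control traffic in front of deficit weighted round robin queues weighted 60/30/10); it is a textbook DWRR written for this page, not the switch vendor's implementation, and the queue names, quantum and the constructed frame mix are this example's assumptions. It shows the point made in the paragraph above: a queue full of large I/O frames gets its weighted share but cannot starve a queue of small frames, and control frames always go first.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple


class QosScheduler:
    """Strict priority queue (PQ) for control traffic in front of deficit weighted
    round robin (DWRR) data queues. Weights are relative shares, e.g. 60/30/10."""

    def __init__(self, weights: Dict[str, int], quantum: int = 100) -> None:
        self.weights = weights
        self.quantum = quantum                       # bytes of credit per weight unit per round
        self.pq: Deque[Tuple[int, str]] = deque()
        self.queues: Dict[str, Deque[Tuple[int, str]]] = {q: deque() for q in weights}
        self.deficit: Dict[str, int] = {q: 0 for q in weights}

    def enqueue(self, queue: str, frame_bytes: int, tag: str) -> None:
        if queue == "PQ":
            self.pq.append((frame_bytes, tag))
        else:
            self.queues[queue].append((frame_bytes, tag))

    def schedule(self, max_frames: int) -> List[Tuple[str, str]]:
        """Transmit order as (queue, tag) pairs. Control frames always go first.
        Each DWRR round credits a non-empty queue with weight x quantum bytes and
        lets it send while its credit covers the frame at its head, so a queue of
        large I/Os gets its weighted share but cannot starve a queue of small ones."""
        sent: List[Tuple[str, str]] = []
        while len(sent) < max_frames and (self.pq or any(self.queues.values())):
            if self.pq:
                _, tag = self.pq.popleft()
                sent.append(("PQ", tag))
                continue
            for name, q in self.queues.items():
                if not q:
                    self.deficit[name] = 0           # an idle queue banks no credit
                    continue
                self.deficit[name] += self.weights[name] * self.quantum
                while q and q[0][0] <= self.deficit[name] and len(sent) < max_frames:
                    size, tag = q.popleft()
                    self.deficit[name] -= size
                    sent.append((name, tag))
        return sent


def demo(max_frames: int = 8) -> List[Tuple[str, str]]:
    """Constructed load: queue 2 (weight 60) holds ten 2048-byte frames from a
    large I/O, queue 4 (weight 10) ten 256-byte frames from a small I/O, and one
    control frame is waiting in PQ."""
    s = QosScheduler({"Q2": 60, "Q3": 30, "Q4": 10}, quantum=100)
    s.enqueue("PQ", 64, "ctl0")
    for i in range(10):
        s.enqueue("Q2", 2048, "big%d" % i)
        s.enqueue("Q4", 256, "small%d" % i)
    return s.schedule(max_frames)
```

In the first eight transmit slots of demo() the control frame leaves first, queue 2 sends two large frames (4096 bytes against its 6000-byte credit), queue 4 then sends three small frames against its 1000-byte credit, and only then does queue 2 continue; bytes on the wire per round follow the 60:10 weights rather than arrival order.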
Device placement
Although device placement does not constitute a fabric topology, it can affect and be affected by the type of topology selected.
For example, by attaching a device to a core switch you reduce the number of core ports available for expansion. Expansion issues are less of a concern for the higher port count B-Series, M-Series and C-Series SAN switches.
- Local attach: Adding a host and its disk to one edge switch consumes no core ports, and no hops are involved in transferring data.
- Core attach: Adding a host to an edge switch and its disk to a core switch introduces one hop when transferring data and consumes one core port.
- Edge attach: Adding a host and its disk to different edge switches increases the number of hops to two when transferring data and consumes two core ports.
Figure: mixed-speed fabric with 2 Gb/s ISLs, 4 Gb/s connections and an 8 Gb/s trunk; localize 2 Gb/s devices. The maximum distance for an 8 Gb/s ISL is 150 meters using OM3 cable.
Distance considerations
Figure: response time (relative, 0.0 to 2.0) against fibre length from 0 km to 42 km for transfer sizes of 0.5 KB, 1 KB, 4 KB and 8 KB.
Latencies increase:
- With distance, because of the speed of light
- With transfer size, so more trips are needed
- If there are no available buffer credits
Buffer credit delays result in an underutilized fibre.
Contention occurs when two sessions that are sharing an ISL try to send full frames at the same time; each session receives only half the potential bandwidth.
The response times of different transfer sizes over different lengths of fibre are shown in the graph.
When designing a Fibre Channel SAN, consider:
- Contention occurs when two sessions that are sharing an ISL try to send full frames at the same time. Each session receives only half the potential bandwidth.
Primary consideration
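The following Python functions are an added worked example for the buffer-to-buffer credit, hop latency and distance material in this module; they are not from the course and not from any switch vendor's tooling. They take the module's own figures (about 5 microseconds per km in fibre, about 2 microseconds per switch hop, a full frame serializing in about 20 microseconds at 1 Gb/s) and compute how many BB credits a link needs to stay full at a given distance and speed, what fraction of the link a port with too few credits can actually use, and a simplified response time for one transfer over distance. The 2148-byte full frame, the 2048-byte payload and the response-time model (command out, data in credit-sized bursts, status back) are this example's assumptions.

```python
import math

LIGHT_US_PER_KM = 5.0     # propagation delay in optical fibre, from the module
FULL_FRAME_BYTES = 2148   # 2112-byte payload plus header, CRC and delimiters (assumed)
FRAME_US_AT_1G = 20.0     # a full frame takes about 20 us to serialize at 1 Gb/s
SWITCH_HOP_US = 2.0       # per-switch forwarding delay


def frame_time_us(speed_gbps: float, frame_bytes: int = FULL_FRAME_BYTES) -> float:
    """Serialization time of a frame; halves each time the link speed doubles."""
    return FRAME_US_AT_1G * (frame_bytes / FULL_FRAME_BYTES) / speed_gbps


def one_way_latency_us(distance_km: float, hops: int = 0) -> float:
    """Fibre propagation plus switch hops (seven hops: about 14 us)."""
    return distance_km * LIGHT_US_PER_KM + hops * SWITCH_HOP_US


def credits_for_full_rate(distance_km: float, speed_gbps: float,
                          frame_bytes: int = FULL_FRAME_BYTES) -> int:
    """BB credits needed to keep a link streaming: the frames in flight during one
    round trip (frame out, R_RDY back) plus one in hand."""
    rtt = 2 * one_way_latency_us(distance_km)
    return math.ceil(rtt / frame_time_us(speed_gbps, frame_bytes)) + 1


def link_utilization(credits: int, distance_km: float, speed_gbps: float,
                     frame_bytes: int = FULL_FRAME_BYTES) -> float:
    """Fraction of the link kept busy when the sender holds only `credits` buffers:
    it sends `credits` frames back to back, then waits for the first R_RDY, which
    arrives one frame time plus one round trip after the first frame started."""
    ft = frame_time_us(speed_gbps, frame_bytes)
    cycle = max(credits * ft, ft + 2 * one_way_latency_us(distance_km))
    return credits * ft / cycle


def write_response_us(size_bytes: int, distance_km: float, speed_gbps: float = 1.0,
                      credits: int = 8, hops: int = 1, payload_bytes: int = 2048) -> float:
    """Simplified response time for one transfer: command out, data frames (each
    exhaustion of the credit pool costs an extra round trip), status back."""
    frames = math.ceil(size_bytes / payload_bytes)
    ft = frame_time_us(speed_gbps)
    one_way = one_way_latency_us(distance_km, hops)
    stalls = max(0, math.ceil(frames / credits) - 1)
    return one_way + frames * ft + stalls * 2 * one_way + one_way
```

The default eight F_Port credits are enough for a 1 Gb/s link of about 14 km (credits_for_full_rate(10, 1.0) is 6), but at 100 km the same eight credits keep the fibre under 20% busy, which is the "switch ports run out of buffer-to-buffer credits as distance increases" effect; doubling the link speed halves the frame time and so roughly doubles the credits needed for the same distance.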
Distributed fabrics
Figure (Extended Fabrics): two switch pairs connected by 32.8 km and 41.0 km of fibre, with the per-port buffer credit allocations shown; switch ports run out of buffer-to-buffer credits as distance increases.
during port initialization versus the desired distance value. For LS, distance in kilometres is always the desired distance value.
Figure: Site A and Site B separated by 0 to 120 km.
Use the highest speed available for all infrastructure components and
devices.
When possible, ensure that there is an equal number of highbandwidth application servers and storage systems (for one-to-one
access).
Although the topology and size of the fabric affect performance, adhering to the
rules and recommendations outlined in this guide minimizes these factors. The
topology designs have been defined to accommodate specific data access types.
Recommendations on the number of ISLs based on device-to-device access ratios
ensure that adequate bandwidth is available across the fabric, minimizing
oversubscription.
To maximize fabric performance, HP recommends the following guidelines:
Implement dual-fabric SANs.
In a cascaded or core-edge fabric, position switches with the highest port speeds
near the center of the fabric.
Use the highest speed available for all infrastructure components and devices.
Ensure that communicating devices have the same speed connectivity path through
the fabric.
Connect devices that communicate frequently to the same Fibre Channel switch.
When possible, ensure that there is an equal number of high-bandwidth
application servers and storage systems (for one-to-one access).
Ensure that FCC is enabled on all C-series switches.
FCC allows C-series switches to intelligently regulate traffic across ISLs and ensure
that each initiator-target pair of devices has the required bandwidth for data
transfer. C-series switches can also prioritize frames using the QoS feature.
Collect the peak read and write workloads for a given period of time.
At each sample interval, capture reads per second (I/Os per second), read throughput per second (Mb/s), writes per second (I/Os per second), and write throughput per second (Mb/s).
If possible, collect read and write latency data.
Perform the collection by application, capturing the data for each logical unit (device) used by that application.
Create a graph of each data set that shows where the peaks occur during the day.
Determine whether the daily average change rate is level or is in bursts.
Bus type
Seek time
Flow control
Drive scaling
Moving to faster interfaces does not always improve disk performance (response
time). The graph shows the amount of time required to transfer 8KB of data from
a drive.
A full Fibre Channel frame takes 20 microseconds to pass from the beginning of the
transmission to the end of the transmission. One 2KB I/O can fit into one frame.
Based on the propagation of the Fibre Channel media, the beginning of the frame is
4km away when the end leaves the HBA. That means that for most fabrics, only one
frame is in transit at any given time.
The switch adds less than a 2 microsecond delay, and if one frame must wait for
another to finish traversing an inter-switch link (ISL), the wait is 20 microseconds, or
about 20 times the actual time of traversing a switch.
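To put numbers on the frame-timing argument above and on the buffer-credit starvation described earlier in this section, here is an added Python calculation (example code, not from the HP course; the 2112-byte payload plus 36 bytes of framing, the 1.0625/2.125/4.25 Gb/s line rates and the 5 us/km propagation figure are assumptions):

```python
"""Fibre Channel frame timing and buffer-to-buffer (BB) credit sizing.

Added example, not part of the HP course. Assumptions:
  * a full frame carries 2112 bytes of payload plus 36 bytes of SOF, header,
    CRC and EOF, and 8b/10b encoding puts 10 line bits on the wire per byte;
  * 1, 2 and 4 Gb/s Fibre Channel signal at 1.0625, 2.125 and 4.25 Gb/s;
  * light travels through fiber at about 200,000 km/s, i.e. 5 us per km.
"""
import math

FULL_FRAME_BYTES = 2112 + 36        # payload + framing (assumption)
LINE_BITS_PER_BYTE = 10             # 8b/10b encoding
FIBER_KM_PER_SECOND = 200_000.0     # propagation speed in fiber (assumption)
LINE_RATE_BPS = {1: 1.0625e9, 2: 2.125e9, 4: 4.25e9}


def frame_time_us(speed_gb=1):
    """Microseconds needed to serialize one full frame onto the link."""
    bits = FULL_FRAME_BYTES * LINE_BITS_PER_BYTE
    return bits / LINE_RATE_BPS[speed_gb] * 1e6


def frame_length_km(speed_gb=1):
    """Distance the head of a frame has travelled when its tail leaves the port."""
    return frame_time_us(speed_gb) * 1e-6 * FIBER_KM_PER_SECOND


def round_trip_us(distance_km):
    """Time for a frame to reach the far port and for its R_RDY to come back."""
    return 2.0 * distance_km / FIBER_KM_PER_SECOND * 1e6


def credits_needed(distance_km, speed_gb=1):
    """Smallest BB credit count that keeps a link of this length continuously busy.

    Each frame consumes one credit, which is only returned when the receiver's
    R_RDY arrives, so the sender stalls unless a full round trip's worth of
    frames can be outstanding at once.
    """
    return max(1, math.ceil(round_trip_us(distance_km) / frame_time_us(speed_gb)))


def link_utilization(distance_km, credits, speed_gb=1):
    """Fraction of the link rate achievable with the given credits (at most 1.0).

    When the credits run out before the first R_RDY returns, the fiber sits
    idle for the rest of the round trip; that idle time is the underutilization
    the text describes.
    """
    rtt = round_trip_us(distance_km)
    if rtt <= 0.0:
        return 1.0
    return min(1.0, credits * frame_time_us(speed_gb) / rtt)


if __name__ == "__main__":
    print(f"1 Gb/s full frame: {frame_time_us(1):.1f} us, "
          f"head is {frame_length_km(1):.2f} km ahead of the tail")
    for km in (10, 50, 100):
        for gb in (1, 2, 4):
            print(f"{km:4d} km at {gb} Gb/s: {credits_needed(km, gb):4d} credits needed, "
                  f"8 credits give {link_utilization(km, 8, gb):.0%} of line rate")
```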
The most significant time delays occur within the disk drive because it is a
mechanical device. Although the amount of data that can be stored on a disk
continues to increase and the physical size of the disk continues to decrease, the time
to perform a seek and the rotational speed of disk drives continue to limit disk drive
performance. The preceding graph shows that changing interfaces results in
marginal performance gains, as indicated by the last time slice.
SCSI and Fibre Channel drives use the same state-of-the-art mechanicals. Both have
the same rotational and seek characteristics.
Consequently, changing from SCSI drives to an FC-AL configuration would not provide
significant performance gains. On average, performance increases are minimal
compared to regular SCSI drives for 8KB I/O.
A major benefit of Fibre Channel technology is the distance allowed between the
controller and the drives. Extended distances can be implemented with SCSI drive
subsystems using Fibre Channel interfaces between the host and storage system.
Fibre Channel drives provide the greatest benefit in high bandwidth applications such
as video editing and data streaming.
Bottleneck analysis is the best way to improve response time. To perform this
analysis, determine which aspect of your system workload provides the most stress
and address that issue first.
Performance
Price
Availability
When designing a SAN, you must determine which of these factors is most important
for the customer and use the corresponding RAID level.
The different RAID levels affect read and write performance in different ways. For
example, RAID 5 can significantly improve read performance but significantly reduce
write performance. Understanding the read/write ratio of an application will
determine whether a particular RAID level will increase or decrease performance.
RAID levels
RAID level comparisons to a single disk and respective uses are:
RAID 0 (Striping): Provides I/O load balancing but does not provide protection. RAID 0 is good for testing and benchmarking or when data can easily be recovered. It is the fastest of all RAID levels for both reads and writes.
RAID 1 (Mirroring): Provides performance improvement in a read-intensive environment. If the environment is write-intensive, then performance will be reduced. Parallel reads can provide more than a 10% performance increase, depending on data patterns.
RAID 0+1 (Striped Mirror): Used when continuous performance and availability are required. This level combines the benefits of RAID 1 and RAID 0, providing load balancing and parallel reads. However, it is the most expensive RAID level to implement.
RAID 5 (Independent access, parity striped over all the drives): Provides balancing and parallel reads. However, RAID 5 requires a read/write ratio greater than 55% to be effective. RAID 5 can be used in a high-performance environment if sufficient bandwidth can be provided for the application.
RAID 6: According to the Storage Networking Industry Association (SNIA), the definition of RAID 6 is: "Any form of RAID that can continue to execute read and write requests to all of a RAID array's virtual disks in the presence of any two concurrent disk failures." RAID 6 does not have a performance penalty for read operations, but it does have a performance penalty on write operations because of the overhead associated with parity calculations. Performance varies greatly depending on how RAID 6 is implemented in the manufacturer's storage architecture.
[Graph: relative efficiency (0 to 120) of RAID 0, RAID 1+0 and RAID 5 versus the percentage of read operations (0% to 100%), with the position of database files marked]
The preceding graph compares RAID 0, 1+0, and 5 under different read-to-write
ratios. Log files consist entirely of write requests during normal operation and are
positioned at the 0% read mark. Database files, however, can vary in the level of
reads to writes depending on the given environment.
The graph shows that if an application consists of 100% random access reads, the
relative performance is similar for all specified RAID levels. RAID overhead is only
relevant when the application starts writing to disk. The performance of the system is
limited to the number of drives.
RAID 0 provides no protection. RAID 1+0 provides the best performance, with RAID
5 being the next best level.
Disk Performance
Users are interested in the number of transactions they can perform within a set
amount of time.
Choosing enough disk drives of the correct type can provide a certain number of MB/s
or I/Os per second, but this does not provide the number of user transactions. The
RAID controller generates multiple reads/writes to the disks based on one read/write
request from the application, and the application generates multiple read/write
requests to the RAID controller based on one read/write request from the user
transaction.
Automatic data distribution and I/O balancing across multiple disk drives
then to the other. Until the redo log has been updated, the transaction is not
complete. Try to use different physical volumes for each redo log.
Note: Multiple sequential I/O requests to the same physical volume randomize the
I/O and decrease performance. Place multiple sequential I/O streams on separate
physical volumes to achieve the best performance.
Rule 5: Use hardware RAID 1 for the redo log files and hardware RAID 5 for the data files
For performance, recovery, and other benefits, use hardware RAID whenever
possible. The guidelines are:
Protect the redo log files and place them on a RAID 1 volume.
Place the data files on a RAID 5 volume if no downtime from a failed disk is
required.
Example: If the data is in the application cache, then access to it will be faster than if it is in the device cache.
Applications and operating systems implement their own caching structures that use
the main memory in the host. Data is typically read from disk media and cached in
the main memory of the host, providing better response times should the same data
be required again.
At the controller and disk level, another level of cache is used to increase data
transfer to and from disk media. If the application requests a read from a disk drive,
the disk drive will transfer more data than was requested and store this in cache.
Applications that access data sequentially will benefit from this caching technique,
but applications that are random will not.
Essentially, each read is converted into a larger read, usually the data from a full
drive rotation. If the data is not required by the application, then it is put into cache
only to be overwritten by the next read.
Disk caching affects performance in the following areas:
Many disk controllers have a configurable cache memory. They provide read-only
caching, write caching, or a combination of read and write caching.
Write-back caching
[Diagram: without write-back caching, CPU processing waits for the seek, rotate and transfer to finish; with write-back caching the write is posted to cache and CPU processing continues immediately, the seek, rotate and transfer being done in the background, so that time is saved]
Write-back caching enables the application to post the write request in the controller
cache and immediately respond with a completion status. The data is written to the
disk drives later.
Write cache is beneficial in high I/O capacity environments, where the I/O profile
includes random write requests. The write requests can be posted in the cache,
increasing the overall system performance if the workload is incremental, as shown in
the preceding diagram. When the write-back cache flushes, the incoming writes are
paused for a short time. If this happens when the workload is at a low point, there is
no harm. If the workload is constant, as in a backup restore, the write cannot be
completed and significant interruption can occur. Response times can grow
significantly.
For example, consider a database application with OLTP. In high-bandwidth write
environments, the write cache gets saturated easily and loses its effectiveness.
When cache is saturated, the response time is determined by the speed of the drives.
Most disk controllers allow cache memory upgrades to increase the cache size. Most
controller parameters can also be tuned.
When the cache is only partially used and not saturated, adding more cache
memory is a waste of resources. Performance does not improve.
[Graph: performance with write-back cache (WBC) enabled versus disabled (No WBC) for four HP storage systems]
The preceding graph shows that performance increases significantly when write-back
cache is enabled in a write-intensive database environment. In addition to almost
eliminating response time, write-back cache also provides the following benefits:
Multiple writes to the same location are optimized because only the last update
is applied.
Multiple small sequential writes are combined into more efficient larger writes.
The read and write-back penalty of RAID 5 can be eliminated for RAID controllers that implement RAID 3/5.
Cache mirroring, which is configurable with two controllers, protects against hardware failure.
Effects of cache
[Graph: performance versus requests per second (0 to 1400) for no cache, read-ahead cache and write-back cache]
The preceding graph summarizes the effects of read-ahead and write-back cache on performance:
Write-back cache: Performance improves until the cache is saturated and then writes occur at device speed.
Read-ahead caching: Read caching is used in two ways:
Read-ahead buffers: These buffers are helpful during sequential read access. When the disk controller detects sequential read patterns, it reads anticipated information before the application requests it. This type of cache is called read-ahead cache.
Memory holding reusable information: Any valid data located in the cache is reused for new read requests. This type of cache is called most recently used read cache.
However, if the application maintains its own cache in the system memory, the
chances of reusing information stored in the disk controller cache are minimal. The
data is more likely to be available from the application cache than from the disk
controller cache.
Cache is not always a performance booster. Read-ahead cache that experiences a
high incidence of cache misses can hurt performance. The preceding graph shows
the performance impact of read-ahead cache for theoretical HP StorageWorks
storage systems.
Performance for the HP StorageWorks systems remains the same in both cases as a
result of optimized system design. Cache performance and efficiency are attributed
largely to the design of the array controller. Although some vendors promote larger
caches as advantageous, performance depends on several factors, including
environment and cache design. Some controllers use adaptive read-ahead cache that
only reads ahead sequential I/O requests and does not affect non-sequential I/O.
If you have a mix of random and sequential access during the most critical time,
use a block size of either 4,096 bytes (4KB) or 8,192 bytes (8KB), depending on the
ratio of random to sequential access.
Because the transaction log is always configured with drive mirroring in large
systems, transaction log archiving allows the information to be migrated to less costly
parity-based schemes during periods of reduced activity.
Environment profiling
Database block size recommendations
If performance is most critical during applications that primarily access the database in a random fashion, use a block size of 2KB.
If most applications are accessing the database sequentially when performance is most critical, use a block size of 16KB.
If you have a split of random and sequential access during the most critical time, use a block size of either 4KB or 8KB.
The performance required by the average email user determines the storage design.
The average load is multiplied by the number of users to find the storage
requirement. Conversely, the capabilities of an existing system can determine the
maximum number of users.
To calculate the average I/O per user in an Exchange environment, the PERFMON
object's disk-transfers-per-second value is divided by the number of active
connections. The storage capacity calculated from the average I/O needs an
additional safety factor to maintain performance during peak periods. In practice,
the maximum number of users is less than the calculated value when:
Users increase the size of their mailboxes.
Services such as antivirus scanners or content indexers are added to the Exchange
server.
A medium-sized user profile provides a 60 MB mailbox, and a large profile provides
a 100 MB mailbox. Larger mailboxes affect both storage sizing and performance,
and are disproportionately more difficult for Exchange to manage.
[Chart: MB/s for a 512KB sequential single-stream read on 9GB and 4GB drives at 10K rpm and at 7K rpm]
The preceding chart compares the performance of 7,200-rpm and 10,000-rpm drives
in a large sequential I/O read environment. This environment is representative of
video editing or streaming. In this case, performance gains are as much as 70% at
full capacity.
The performance gain in a given situation depends on the:
I/O profile
I/O size
Frequency of reads/writes
RAID level
Faster drive technology does not automatically yield better performance. You must
analyze your system to determine where the most time is being spent.
The general rule to use is that for an application that requires high MB/s, choose
disk drives that have the highest rotational speeds and the highest data density. For
an application that requires high I/O per second, maximize the number of disks you
use.
Server Application
Application       Processor  Memory  Storage  Network
File Server       Light      Medium  Active   Active
Database Server   Active     Active  Active   Light
Web Server        Medium     Active  Active   Active
E-mail Server     Active     Active  Medium   Medium
Database Servers:
SQL Server: read/write sensitive
Oracle Server: mixed profile, read/write dependent
Exchange Server: random read/write I/O excl. logs
Note that the table above details typical examples of each server type. Notice that
Memory and Storage are almost always Active. These occur at either end of the
I/O path and, as such, there are direct performance consequences if there are
bottlenecks in these places.
File System/Database: file systems map continuous space (a file) onto the underlying
storage block units. In this respect, database systems are no different from a file
system, and should be treated as a file system until a definite distinction has to be
made. Instead of mapping files, database systems map database tables onto
storage blocks. They must perform all the customary file system operations such as
open, read, write and backups.
Note: You must specify the DB_BLOCK_SIZE parameter before creating the database
because a change in DB_BLOCK_SIZE requires the database to be rebuilt.
Depending on the application, the value of DB_BLOCK_SIZE should be between 2KB
and 16KB.
SQL, Oracle, and Exchange share similar I/O profiles. The database and
information stores consist of random I/O with a high percentage of reads. Read
performance is crucial. Writes occur asynchronously and have little impact on users.
All multithreaded asynchronous write functions benefit from RAID.
The log areas consist of sequentially accessed data and should be physically
separated from the random I/O. In all three applications, this is a single-threaded,
low-queue-depth environment that does not benefit from RAID I/O distribution.
However, RAID 1 is usually implemented to protect crucial data. The speed of these
three applications depends largely on the speed at which requests are committed to
the log file. Log files with write-back cache enabled improve application
performance.
Note: Applications that issue multiple I/Os at a time benefit more from RAID than
environments where one I/O is issued at a time. Applications that do not issue more
than one I/O at a time do not benefit from RAID I/O distribution.
Random access
Flushed in intervals
Multithreaded
The peak performance on the server translates into one I/O per second per user.
From the previous tables, you can see that there are several solutions to the 180GB
information storage requirement with the associated number of available I/Os per
second to the application.
To determine if drive performance can be improved, review the system components.
The HBA can process nearly 10 times the I/O rate required without saturating, and
the switch port nearly 30 times. The controller is close to saturating and the workload
is random. The bottleneck seems to be caused by the disk physical characteristics
that are dominating the processing time.
Oracle 8 Server
Oracle 8 Server for Windows 2000 is a 32-bit application that is implemented on
Windows 2000 as a single process, multithreaded architecture.
Each Oracle 8 Server instance consists of:
A redo log
Multithreaded
With queues
Exchange Server
The profile for Exchange Server can be characterized as:
Multithreaded
Use the Microsoft Diskpart.exe utility to align the sectors of all Exchange LUNs
prior to formatting. Microsoft provides the diskpart.exe utility as part of the
Windows 2003 Service Pack 1 support tools.
Improving performance
Reducing service time:
Replace drives
Increase the number of drives
Reducing usage:
Distribute the workload over more drives by using a drive array and RAID technology
Shift the workload to another device if the application permits
Bypass the device with cache
[Graph: disk transfers/sec (0 to 14000) versus Jetstress threads (9 to 21); series labelled VRAID5 DBs, VRAID1 Logs and VRAID5 Logs]
When deploying VRAID5 LUNs, there is a performance penalty for write intensive applications because of the additional cost
of calculating and writing out the parity bit. The graph indicates that, as expected, I/O throughput is higher when the
database LUN is configured with VRAID1.
For both reliability and performance, the recommendation for an Exchange Server
installation is to isolate the database and transaction logs. For performance
considerations, HP recommends creating the largest possible disk group for the
database I/O streams and isolating the transaction log I/O streams on a separate
disk group.
As a quick background advisory, applications that utilize EVA VRAID disks might
experience a write performance penalty with the default Windows 2003 primary
disk partition alignment. Windows 2003 uses the first 63 sectors for volume
information before the start of the first partition, causing the first partition to start on
the last sector of the first track. Exchange Server 2003 writes out data in 4,000
chunks so every eighth I/O will cross a track boundary, resulting in additional
latency on the I/O request. Using the DiskPar utility before formatting the drive, the
alignment can be set so that the first partition begins with a sector offset alignment of
64, rather than the default 63, which causes the first partition to begin on a new
track without incurring any track overlapping.
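The "every eighth I/O" statement can be checked arithmetically. The following Python is an added example, not HP's or Microsoft's code; it assumes 512-byte sectors, a 64-sector track (implied by the 63-sector description) and 4 KB I/Os of 8 sectors:

```python
"""Partition-offset alignment check for fixed-size I/Os.

Added example, not part of the HP material. Assumptions: 512-byte sectors,
a 64-sector track (the text's "63 sectors before the first partition" puts
the partition start on the last sector of the first track), and 4 KB Exchange
I/Os, i.e. 8 sectors each. Consecutive 8-sector I/Os are laid out from the
partition start and each one is checked for straddling a track boundary.
"""
SECTOR_BYTES = 512
SECTORS_PER_TRACK = 64  # assumption implied by the 63-sector description


def io_crosses_boundary(start_sector, io_sectors, boundary=SECTORS_PER_TRACK):
    """True when an I/O starting at start_sector spans a boundary."""
    first = start_sector // boundary
    last = (start_sector + io_sectors - 1) // boundary
    return first != last


def crossing_fraction(partition_offset, io_bytes=4096, n_ios=1024,
                      boundary=SECTORS_PER_TRACK):
    """(crossings, fraction) for n_ios consecutive I/Os from the partition start.

    With the default 63-sector offset and 8-sector I/Os, every eighth I/O
    crosses a track boundary and pays the extra latency; with an offset of
    64, none do.
    """
    io_sectors = io_bytes // SECTOR_BYTES
    crossings = sum(
        io_crosses_boundary(partition_offset + i * io_sectors, io_sectors, boundary)
        for i in range(n_ios)
    )
    return crossings, crossings / n_ios


def smallest_aligned_offset(min_offset, io_bytes=4096, boundary=SECTORS_PER_TRACK):
    """Smallest offset >= min_offset at which no I/O of io_bytes crosses a boundary.

    Alignment is perfect when the offset is a multiple of the I/O size and the
    I/O size divides the boundary; otherwise some I/O must straddle it.
    """
    io_sectors = io_bytes // SECTOR_BYTES
    if boundary % io_sectors:
        raise ValueError("I/O size does not divide the boundary; alignment cannot be perfect")
    return ((min_offset + io_sectors - 1) // io_sectors) * io_sectors


if __name__ == "__main__":
    for offset in (63, 64):
        crossings, fraction = crossing_fraction(offset)
        print(f"offset {offset}: {crossings} of 1024 I/Os cross a track boundary ({fraction:.1%})")
    print(f"smallest aligned offset >= 63: {smallest_aligned_offset(63)}")
```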
Look at the drive type and VRAID type to determine the total
number of host IOPS the disk group can handle and deliver
acceptable latencies.
Rules for sizing load are contained in this spreadsheet and are implemented through
the following variables:
This spreadsheet puts all the rules into one place and allows you to calculate and use
baseline numbers for performance data.
Above is the SAFE IOPS calculator, which is available to customers through the
Microsoft site. As with the HP internal version, you input the number of drives and
the read percent to get a disk group Safe IOPS number.
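The RAID relative-efficiency graph earlier in this module and the drives-plus-read-percent inputs of the Safe IOPS calculators both follow from the same write-penalty arithmetic. The following Python is an added example, not the HP spreadsheet or the Microsoft calculator (their rules are not on this page); the per-level write penalties, the 80% headroom and the 150 IOPS per drive figure are assumptions:

```python
"""RAID write penalty: relative efficiency versus read ratio, and a disk-group
host-IOPS sizing estimate of the kind the Safe IOPS calculators produce.

Added example. It is not the HP internal spreadsheet or Microsoft's SAFE IOPS
calculator, whose rules are not reproduced on this page; it uses the textbook
back-end cost per host write (an assumption): RAID 0 writes one block, RAID 1
and 1+0 write two (the mirror copy), RAID 5 needs four I/Os (read old data and
parity, write new data and parity) and RAID 6 six (two parity blocks).
"""

# Physical disk I/Os generated per host write (assumed model)
WRITE_PENALTY = {"RAID 0": 1, "RAID 1": 2, "RAID 1+0": 2, "RAID 5": 4, "RAID 6": 6}


def backend_ios_per_host_io(raid, read_fraction):
    """Average physical disk I/Os the controller issues per host I/O.

    Reads cost one back-end I/O at every level; writes cost the level's
    penalty. This quantifies the controller generating several disk
    reads/writes for one request from the application.
    """
    if not 0.0 <= read_fraction <= 1.0:
        raise ValueError("read_fraction must be between 0 and 1")
    return read_fraction + (1.0 - read_fraction) * WRITE_PENALTY[raid]


def relative_efficiency(raid, read_fraction):
    """Host IOPS as a percentage of what RAID 0 at 100% reads gets from the
    same spindles; the quantity plotted in the RAID comparison graph."""
    return 100.0 / backend_ios_per_host_io(raid, read_fraction)


def efficiency_curve(raid, step=10):
    """(read %, relative efficiency) pairs from 0% to 100% reads."""
    return [(pct, relative_efficiency(raid, pct / 100.0)) for pct in range(0, 101, step)]


def safe_host_iops(drives, iops_per_drive, raid, read_fraction, headroom=0.8):
    """Host IOPS a disk group can sustain with acceptable latency.

    drives * iops_per_drive is the raw back-end capacity; dividing by the
    back-end cost per host I/O converts it to host IOPS, and the headroom
    factor (assumed 80%) is the safety margin for peak periods that the
    course recommends when sizing for Exchange users.
    """
    raw_backend_iops = drives * iops_per_drive
    return int(raw_backend_iops * headroom / backend_ios_per_host_io(raid, read_fraction))


def max_users(host_iops, avg_io_per_user):
    """Users a disk group supports given the average I/O per second per user."""
    return int(host_iops // avg_io_per_user)


if __name__ == "__main__":
    for pct, eff in efficiency_curve("RAID 5", 25):
        print(f"RAID 5 at {pct:3d}% reads: {eff:5.1f}% relative efficiency")
    # Constructed disk group: 56 drives, 150 IOPS each (assumed for 10K rpm), 70% reads
    for raid in ("RAID 1+0", "RAID 5"):
        iops = safe_host_iops(56, 150, raid, 0.7)
        print(f"{raid}: {iops} safe host IOPS, {max_users(iops, 1.0)} users at 1 IOPS each")
```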
EVAPerf
To capture the necessary statistics for analysis, Windows Performance Monitor was
utilized along with the EVAPerf add-in that enables monitoring of specific EVA
subsystem counters.
Disk Bytes/sec: The rate at which bytes are transferred to or from the disk during write or read operations.
Avg. Disk sec/read: The average time, in seconds, of a read of data from the disk.
EVAPerf counters
The EVAPerf utility is an add-in to the Windows Performance Monitor for monitoring
of the EVA subsystem.
Drive latency: This counter tracks the time between when a data transfer command is sent to a disk and when command completion is returned from the disk. This time, which is measured in microseconds, is not broken into read and write latencies but is simply a command processing time. Note that completion of a disk command does not necessarily imply host I/O completion because the I/O to a specific disk might be only a part of a larger I/O operation.
Drive Queue Depth: This counter tracks the total number of requests that have been sent to the drive but not yet completed. It is incremented whenever a command is sent to the disk and decremented whenever a command completes.
Read RPS: This counter tracks the number of read requests that have been sent to the disk drive. Because this counter is updated once per second, it translates directly into the read requests per second.
Write RPS: This counter tracks the number of write requests that have been sent to the disk drive. Because this counter is updated once per second, it translates directly into the write requests per second.
Read Hit Latency: This counter tracks the time taken from when a host read request is received until that request has been satisfied from the EVA cache memory. The time, which is measured in microseconds, only applies to read commands that are satisfied from read cache. If the read command is a cache miss, the time is not tabulated here (see Read Miss Latency). Note that this value includes not only the latency from cache hits generated from random access activity, but also the latency associated with a cache hit as a result of a prefetch operation generated by a sequential read data stream.
Read Miss Latency: This counter tracks the time taken from when a host read request is received until that request has been satisfied from the physical disks. The time, which is measured in microseconds, only applies to read commands where the data is not in read cache and must be read from disk. If the read command results in the data being read from cache, the time is not tabulated here.
Write RPS: This counter tracks the total number of write requests to a virtual disk that were received from all hosts. Because this data is updated once per second, it translates directly into write requests per second.
Total host KBS: This counter tracks the total KB that has been read and written by all hosts connected to the EVA. Because this information is updated once per second, it translates directly into the total KB per second that the EVA is processing. Note that this is the sum of both read and write data.
Total host RPS: This counter tracks the total number of I/O requests that have been issued by all hosts connected to the EVA. Because this information is updated once per second, it translates directly into the total requests per second that the EVA is processing. Note that this is the sum of both read and write requests.
End-to-end performance monitoring looks at traffic on SID/DID pairs in any direction. That is,
even if the SID is for a remote device, the traffic is monitored in both directions (the Tx/Rx
counters are reversed).
Top talker
Top Talker supports two modes: port mode and fabric mode.
Adding a Top Talker monitor on to an F_Port:
To monitor incoming traffic on port 5:
perfttmon --add ingress 5
To monitor the outgoing traffic on port 5:
perfttmon --add egress 5
To delete the monitor on port 7:
perfttmon --delete 7
Top Talkers
The Top Talkers feature is part of the licensed Advanced Performance Monitoring feature.
The Top Talkers feature provides real-time information about the bandwidth being
consumed on a specific port; it identifies the SID/DID pairs that consume the most
bandwidth. This then allows for the configuration of QoS attributes to assign
effective priority.
Top Talker can be installed only on switches that run Fabric OS v6.0.0 or later, and
is not supported on the B-Series 4/16 (Brocade 200E).
Top Talker supports two modes: port mode and fabric mode.
In port mode, Top Talker is installed on an F_Port, allowing measurement of the bandwidth used by this port to different destinations.
In fabric mode, Top Talker monitors are installed on every E_Port, measuring the data rate of all the incoming data flow to the E_Port and allowing the determination of the highest-bandwidth device.
Top Talker monitors can be configured in port mode or fabric mode but not both.
End-to-end monitors provide counter statistics for traffic flowing between a given SID-DID pair. Top Talker monitors identify all SID-DID flow combinations that are possible on a given port and provide a sorted output of the top talking flows.
If the number of flows exceeds the hardware resources, existing end-to-end monitors
fail to get real time data for all of them; however, Top Talker monitors can monitor all
flows for a given port (E_Port or F_Port).
Top Talker monitors cannot detect transient surges in traffic through a given flow.
Lab activity
1. Module 14, Lab 1: Performance Testing Your SAN Volumes
2. Module 14, Lab 2: B-series Trunking