1 Reply Latest reply: Aug 25, 2016 9:27 AM by Jonathan Zygmunt RSS

    Private VLANs to isolate in-guest iSCSI

    christoph.berthoud@vista.co Wayfarer

      I would like to provide multiple VMware VMs with in-guest iSCSI connectivity; however, I don't want any of the VMs to have any access or visibility to the other guests' iSCSI traffic.
      I could do this by creating many VLANs (one per guest/group of guests) but we are talking about 50+ VMs = 50+ VLANs. This got me wondering about the use of Private VLANs?
      https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010691
      If I created a Private VLAN, placed the Nimble in the Primary VLAN and the guests in an Isolated PVLAN, this may achieve the isolation I'm looking for? I could then use the IQN/IP as extra security and for targeting on the Nimble.
      Has anyone done this or have any comments/ideas?

        • Re: Private VLANs to isolate in-guest iSCSI
          Jonathan Zygmunt Adventurer

          I think you can make this a lot simpler by not using VLANs. Remember that the vSwitch acts like a switch, so guest VMs won't receive non-broadcast iSCSI traffic destined for other guests (assuming you don't turn on promiscuous mode). That should take care of the visibility part. To solve the access part of your question, you can simply use initiator groups to not expose LUNs to the VMs' IPs so they can't see them. If you're concerned about someone malicious messing with the IP addresses to get access to something they shouldn't, you can turn on CHAP authentication, which would require a secret in order to access the LUNs. Personally, I always like to use CHAP authentication even if I control the entire stack.
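An added example, not part of the original thread: a small audit of the CHAP settings the reply recommends, run against an open-iscsi `iscsid.conf` as a Linux guest's in-guest initiator would carry it. The config text and the initiator name are constructed; the secret is a placeholder.

```python
"""Audit an open-iscsi iscsid.conf for the CHAP settings recommended in the reply."""

# Constructed sample, not a real host's file: session CHAP is on, but
# discovery CHAP is left at its default and mutual CHAP is not configured.
SAMPLE_CONF = """\
# open-iscsi node defaults (constructed sample)
node.startup = automatic
node.session.auth.authmethod = CHAP
node.session.auth.username = guest42          # constructed initiator name
node.session.auth.password = PLACEHOLDER-SECRET
discovery.sendtargets.auth.authmethod = None
"""


def parse_iscsid_conf(text):
    """Return {key: value} for every 'key = value' line, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def chap_findings(settings):
    """List the gaps between this config and session + discovery + mutual CHAP."""
    findings = []
    if settings.get("node.session.auth.authmethod", "None").upper() != "CHAP":
        # Without CHAP, only the initiator group (IQN/IP) stands between a guest and the LUN.
        findings.append("session CHAP disabled: any initiator with a permitted IQN/IP can log in")
    else:
        for key in ("node.session.auth.username", "node.session.auth.password"):
            if not settings.get(key):
                findings.append(f"session CHAP enabled but {key} is unset")
        # Mutual CHAP (the *_in keys) lets the guest verify the target as well.
        if not (settings.get("node.session.auth.username_in")
                and settings.get("node.session.auth.password_in")):
            findings.append("mutual CHAP not configured: the guest does not authenticate the target")
    if settings.get("discovery.sendtargets.auth.authmethod", "None").upper() != "CHAP":
        findings.append("discovery CHAP disabled: SendTargets discovery is unauthenticated")
    return findings


if __name__ == "__main__":
    for finding in chap_findings(parse_iscsid_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```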