
Isolate iSCSI Boot LUNs from VMware Host?

Question asked by Ross Anderson on Aug 23, 2016
Latest reply on Sep 22, 2016 by Dan Bauder

Configuration - Cisco UCS, vSphere 6, iSCSI Boot


As part of a recent storage migration to Nimble, I've been reloading hosts and wanted to isolate the BOOT LUNs so that only the UCS blade can see them (i.e. VMware hosts should not see those vols/LUNs). This is not the default method, because when VMware is first installed (using iSCSI boot on UCS), the VMware iSCSI software adapter will take the same initiator name as the UCS blade (iSCSI vNIC). This means that the host will also be able to "see" the boot LUNs, which presents a small risk because someone may accidentally use a boot LUN as a datastore (however unlikely). This is the way I have done it in the past, which has been fine really but still presents a small risk.


To address this, I've renamed the host's iSCSI software adapter initiator name (aka WWN) so that it's different than the UCS blade's iSCSI vNIC initiator name. Thus, upon initial boot, the blade can access the boot LUN, but since the VMware host now has a different initiator name, it cannot see the boot LUNs and can only see the datastores assigned to its own initiator name. Great, it seems to work fine and I'm able to use the host normally and reboot without issues, but I'm just wondering if the VMware host will ever need to access the BOOT LUN for anything after the initial boot.


Has anyone else isolated their boot LUNs from their VMware hosts? It seems odd that after initial boot, neither the UCS blade nor the VMware host needs to have access to the boot LUN (I've verified that there are NO iSCSI connections to the boot vol once boot-up is complete; they disappear after the hypervisor fully starts), but maybe I'm just missing something?


Any thoughts? Thanks in advance!
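The two things the post relies on (the host's software iSCSI initiator no longer sharing the blade's IQN, and no live sessions to the boot volume once ESXi is up) can be checked mechanically rather than by eye. The script below is an added example, not code from the original post, Nimble or VMware. It assumes the admin already knows the UCS vNIC initiator IQN and the boot volume's target IQN (both placeholders here), and it parses text in the indented `Key: Value` shape that `esxcli iscsi adapter get` and `esxcli iscsi session list` print; the sample output embedded in it is constructed, not captured from a real host.

```python
"""Verify that an ESXi host's software iSCSI initiator is isolated from its
iSCSI boot LUN (added example; not from the original post).

Assumptions (not on the page): the UCS vNIC IQN and the boot target IQN are
known, and the input text mimics the indented 'Key: Value' layout of
`esxcli iscsi adapter get -A <vmhba>` and `esxcli iscsi session list`.
"""

# Constructed sample of `esxcli iscsi adapter get` after the IQN was renamed.
SAMPLE_ADAPTER_GET = """\
vmhba64
   Name: iqn.1998-01.com.vmware:esx01-renamed
   Alias: iscsi_vmk
   Vendor: VMware
   Model: iSCSI Software Adapter
"""

# Constructed sample of `esxcli iscsi session list`: one datastore session and
# one session that is still attached to the boot volume (the case to catch).
SAMPLE_SESSION_LIST = """\
vmhba64,iqn.2007-11.com.nimblestorage:ds-vmfs01-v1234,00023d000001
   Adapter: vmhba64
   Target: iqn.2007-11.com.nimblestorage:ds-vmfs01-v1234
   ISID: 00023d000001
   TargetPortalGroupTag: 1
   AuthenticationMethod: none
vmhba64,iqn.2007-11.com.nimblestorage:boot-esx01-v0001,00023d000002
   Adapter: vmhba64
   Target: iqn.2007-11.com.nimblestorage:boot-esx01-v0001
   ISID: 00023d000002
   TargetPortalGroupTag: 1
   AuthenticationMethod: none
"""

# Placeholders: the blade's boot initiator and the boot volume's target IQN.
UCS_VNIC_IQN = "iqn.1998-01.com.vmware:esx01"
BOOT_TARGET_IQNS = {"iqn.2007-11.com.nimblestorage:boot-esx01-v0001"}


def parse_records(text):
    """Split esxcli-style output into dicts; a non-indented line starts a record.
    Only the first ':' separates key from value, so IQNs keep their colons."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = {"_id": line.strip()}
            records.append(current)
        elif current is not None:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records


def initiator_iqn(adapter_get_text):
    """IQN reported for the software adapter (the 'Name' field)."""
    recs = parse_records(adapter_get_text)
    return recs[0].get("Name") if recs else None


def sessions_to_boot_lun(session_list_text, boot_targets):
    """Targets of any live session that points at a boot volume."""
    return sorted(r["Target"] for r in parse_records(session_list_text)
                  if r.get("Target") in boot_targets)


def isolation_report(adapter_get_text, session_list_text, ucs_iqn, boot_targets):
    """Combine both checks: distinct IQN and no sessions to the boot volume."""
    host_iqn = initiator_iqn(adapter_get_text)
    leaked = sessions_to_boot_lun(session_list_text, boot_targets)
    return {
        "host_iqn": host_iqn,
        "shares_blade_iqn": host_iqn == ucs_iqn,
        "boot_sessions": leaked,
        "isolated": host_iqn != ucs_iqn and not leaked,
    }


if __name__ == "__main__":
    # On a real host: feed in the output of the two esxcli commands instead.
    for key, value in isolation_report(SAMPLE_ADAPTER_GET, SAMPLE_SESSION_LIST,
                                       UCS_VNIC_IQN, BOOT_TARGET_IQNS).items():
        print(f"{key}: {value}")
```

With the constructed sample the host IQN is already distinct from the blade's, but a session to the boot volume is still open, so `isolated` comes back `False`; on a host configured as the post describes, the session list after boot should contain no boot-volume target and the report should pass. The array-side complement of this check is keeping the boot volume's initiator group limited to the vNIC IQN alone.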
