Best practices for network connections

Status
Not open for further replies.

feeblebob

Afternoon all,

New to FreeNAS, or pretty much, I might have dabbled before but I'm certainly no SAN expert anyway.

I'm building a decent lab at home for VMware VCP and beyond, and am looking to use FreeNAS as my storage backend. It's going to go on an HP DL380 G5 with likely around 32GB of RAM and a couple of processors. I'll be using the two onboard NICs but adding more. I have a few 2 and 4 port NICs to spare if they're of benefit.

Question is, using this device as an iSCSI (better alternative?) storage backend for ESX, what do people find is the best way to connect up? I've read: http://doc.freenas.org/9.3/freenas_network.html#lacp-mpio-nfs-and-esxi that ends up essentially saying to use a single network connection, NFS doesn't understand MPIO, LACP doesn't like virtualisation etc. I can see a single 1GB link getting very quickly saturated with 4 or 5 ESX hosts.

What might be the best solution here? Storage traffic is to traverse the infrastructure on its own network and dedicated 48-port switch. Plan was to aggregate maybe 4 or more GB ports up to the switch and then connect each host using a teamed pair (again, or better).

Looking for suggestions here, happy to learn and listen to suggestions, I'm certainly no SAN expert and I don't specialise in the network side so any advice welcome, even a starter to point me in the right direction :)
 
L

The point of the doc you referenced is that tools like LACP won't increase bandwidth of a single client, but will help with multiple connections. Multipathing I/O is recommended by VMware for tolerance.
 

feeblebob

OK, I'll look down that route, many thanks.

Is it considered good practice on these FreeNAS servers to run a management port on a separate network segment for management? I was considering using one of the onboard NICs for this purpose.
 

Ericloewe

Separate port? Definitely.

Separate network segment? Depends on how paranoid you are and how complex the existing network is. I wouldn't bother for home use, unless the infrastructure was already in place.
 

jal

Perhaps a different perspective on IPMI ports... If you have any concerns that someone you don't trust could communicate with it, you should have means to control access not involving on-machine BMC access control. It of course depends on the vendor, but there are compromise kits in the wild for a number of BMCs, and in general security quality of this stuff has been generally weak. Google around a bit, or for a slightly old look at what folks have found in the past, see: https://community.rapid7.com/commun...013/07/02/a-penetration-testers-guide-to-ipmi

For my home machines, I personally put them on a separate switch having no internet uplink, on the theory that it is really handy (especially considering the machines live in a hard-to-access place) and if someone I don't trust can plug in to my private network I have other problems. One employer of mine decided the risk was too great for production machines sitting in colocations and epoxies or removes the physical ports.

Bottom line, you have to evaluate the risk vs. convenience for yourself. But having a volunteer sysadmin gain access to your IPMI consoles is a Very Bad Thing.
 