Question : Problem: WTF's up with my iSCSI network config ???
Experts:
I just purchased an EMC AX4-5i dual-SP SAN appliance; two racks, one for SAS drives and the other with SATA drives. I'm just setting up the appliance and I'm stuck, hoping you all can help me figure something out.
If you look at the attached file you'll notice my vanilla setup: 1 server with 3 NICs connected to a pair of GigE switches configured in a meshed network connecting a pair of SP units, each with two iSCSI ports of their own.
The problem I'm having is that on the server I can only ping one of two switches and only two of four iSCSI ports:
C:\Program Files\Support Tools>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : galapagos
   Primary Dns Suffix . . . . . . . : xxx.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : xxx.local

Ethernet adapter 192.168.253.98:

   Connection-specific DNS Suffix . : xxx.local
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
   Physical Address. . . . . . . . . : 00-04-23-AB-6A-0B
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.253.98
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter 192.168.253.99:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter #2
   Physical Address. . . . . . . . . : 00-04-23-AB-6A-0C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.253.99
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter 192.168.10.25:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : HP NC3163 Fast Ethernet NIC
   Physical Address. . . . . . . . . : 00-50-8B-EB-15-1C
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.13
                                       192.168.10.25
   Primary WINS Server . . . . . . . : 192.168.10.13
   Secondary WINS Server . . . . . . : 192.168.10.25

C:\Program Files\Support Tools>ping 192.168.253.199

Pinging 192.168.253.199 with 32 bytes of data:

Reply from 192.168.253.199: bytes=32 time=3ms TTL=64
Reply from 192.168.253.199: bytes=32 time=2ms TTL=64
Reply from 192.168.253.199: bytes=32 time=1ms TTL=64
Reply from 192.168.253.199: bytes=32 time=2ms TTL=64

Ping statistics for 192.168.253.199:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 2ms

C:\Program Files\Support Tools>ping 192.168.253.198

Pinging 192.168.253.198 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.253.198:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Program Files\Support Tools>ping 192.168.253.200

Pinging 192.168.253.200 with 32 bytes of data:

Reply from 192.168.253.200: bytes=32 time<1ms TTL=64
Reply from 192.168.253.200: bytes=32 time<1ms TTL=64
Reply from 192.168.253.200: bytes=32 time<1ms TTL=64
Reply from 192.168.253.200: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.253.200:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Program Files\Support Tools>ping 192.168.253.201

Pinging 192.168.253.201 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.253.201:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Program Files\Support Tools>ping 192.168.253.202

Pinging 192.168.253.202 with 32 bytes of data:

Reply from 192.168.253.202: bytes=32 time=1ms TTL=64
Reply from 192.168.253.202: bytes=32 time<1ms TTL=64
Reply from 192.168.253.202: bytes=32 time<1ms TTL=64
Reply from 192.168.253.202: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.253.202:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

C:\Program Files\Support Tools>ping 192.168.253.203

Pinging 192.168.253.203 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.253.203:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Program Files\Support Tools>
So before I go any further and start configuring iSCSI initiators or LUNs, etc... I wanted to clear up this networking mystery.
Thanks, juckyt
Answer : Problem: WTF's up with my iSCSI network config ???
You will need to add a service and a rule:
From the Admin guide:
Add Service

To add a service not listed in the Services window, click Access on the left side of the browser window, and then click the Add Service tab. The list on the right side of the window displays the services that are currently defined. These services also appear in the Services window. Two numbers appear in brackets next to each service. The first number indicates the service's IP port number. The second number indicates the IP protocol type (6 for TCP, 17 for UDP, or 1 for ICMP).

Tip: There can be multiple entries with the same name. For example, the default configuration has two entries labeled Name Service (DNS) for UDP port 53 and TCP port 53. Multiple entries with the same name are grouped together, and are treated as a single service. Up to 128 entries are supported.

Add a Known Service

1. Select the name of the service you want to add from the Add a known service list.
2. Click Add. The new service appears in the list box on the right side of the browser window. Note that some services add more than one entry to the list.

Add a Custom Service

1. Select [Custom Service] from the Add a known service list.
2. Type a unique name, such as CC:mail or Quake in the Name field.
3. Enter the beginning number of the IP port range and ending number of the IP port range in the Port Range fields. If the service only requires one IP port, enter the single port number in both Port Range fields.
   Tip: Visit <http://www.ietf.org/rfc/rfc1700.txt> for a list of IP port numbers.
4. Select the IP protocol type, TCP, UDP or ICMP, from the Protocol list.
5. Click Add. The new service appears in the list on the right side of the browser window.

Tip: If multiple entries with the same name are created, they are grouped together as a single service and can not function as expected.

Add A New Rule

1. Click Add New Rule... in the Rules window to open the Add Rule window.
2. Select Allow or Deny in the Action list depending upon whether the rule is intended to permit or block IP traffic.
3. Select the name of the service affected by the Rule from the Service list. If the service is not listed, you must define the service in the Add Service window. The Default service encompasses all IP services.
4. Select the source of the traffic affected by the rule, either LAN or WAN, *(both), from the Source Ethernet menu. If you want to define the source IP addresses that are affected by the rule, such as restricting certain users from accessing the Internet, enter the starting IP addresses of the address range in the Addr Range Begin field and the ending IP address in the Addr Range End field. To include all IP addresses, enter * in the Addr Range Begin field.
5. Select the destination of the traffic affected by the rule, either LAN or WAN or *, from the Destination Ethernet menu. If you want to define the destination IP addresses that are affected by the rule, for example, to allow inbound Web access to several Web servers on your LAN, enter the starting IP addresses of the address range in the Addr Range Begin field and the ending IP address in the Addr Range End field. To include all IP addresses, enter * in the Addr Range Begin field.
6. Select always from the Apply this rule menu if the rule is always in effect.
7. Select from the Apply this rule to define the specific time and day of week to enforce the rule. Enter the time of day (in 24-hour format) to begin and end enforcement. Then select the day of the week to begin and end enforcement.
   Tip: If you want to enable the rule at different times depending on the day of the week, make additional rules for each time period.
8. If you would like for the rule to timeout after a period of inactivity, set the amount of time, in minutes, in the Inactivity Timeout in Minutes field. The default value is 5 minutes.
9. Do not select the Allow Fragmented Packets check box. Large IP packets are often divided into fragments before they are routed over the Internet and then reassembled at a destination host. Because hackers exploit IP fragmentation in Denial of Service attacks, the SonicWALL blocks fragmented packets by default. You can override the default configuration to allow fragmented packets over PPTP or IPSec.
10. Enable Bandwidth Management, and enter the Guaranteed Bandwidth in Kbps.
11. Enter the maximum amount of bandwidth available to the Rule at any time in the Maximum Bandwidth field. Assign a priority from 0 (highest) to 7 (lowest).
12. Click Update. Once the SonicWALL has been updated, the new rule appears in the list of Current Network Access Rules.

Tip: Although custom rules can be created that allow inbound IP traffic, the SonicWALL does not disable protection from Denial of Service attacks, such as the SYN Flood and Ping of Death attacks.

For example, to configure the SonicWALL to allow Internet traffic to your Web server with an IP address of 208.5.5.5 (Standard mode), create the following rule:

1. Verify that HTTP has been added as a Service as outlined previously.
2. Click the Rules tab, and click Add New Rule....
3. Select Allow, then Web (HTTP) from the Service menu.
4. Select WAN from the Ethernet Source menu, and leave the Addr Range Begin and Addr Range End as they appear.
5. Select LAN from the Ethernet Destination menu, and enter in the IP address of the Web server, 208.5.5.5 in the Addr Range Begin field. No IP address is added in the Addr Range End since the destination is not a range of IP addresses.
6. Select always from the Apply this rule menu.
7. Enter a value (in minutes) in the Activity Timeout in Minutes field.
8. Do not select the Allow Fragmented Packets check box.
9. If you want the Rule to have guaranteed bandwidth, select Enable Outbound Bandwidth Management, and enter values for Guaranteed Bandwidth, Maximum Bandwidth, and Bandwidth Priority.
10. Click Update to add the rule to the SonicWALL.

Tip: The source part (WAN or LAN) can be limited to certain parts of the Internet using a range of IP addresses on the WAN or LAN. For example, the following rule can be used to configure the same Web server to be only visible from a single C class subnet on the Internet: Allow HTTP, Source WAN 216.77.88.1 - 216.77.88.254, Destination LAN 208.5.5.5.

Add New Rule Examples

The following examples illustrate methods for creating Network Access Rules.

Blocking LAN Access for Specific Services

This example shows how to block LAN access to NNTP servers on the Internet during business hours.

1. Click Add New Rule in the Rules window to launch the Add Network Access Rule Web browser window.
2. Select Deny from the Action menu.
3. Select NNTP from the Service menu. If the service is not listed in the list, you must add it in the Add Service window.
4. Select LAN from the Source Ethernet menu.
5. Since all computers on the LAN are to be affected, enter * in the Source Addr Range Begin field.
6. Select WAN from the Destination Ethernet menu.
7. Enter * in the Destination Addr Range Begin field to block access to all NNTP servers.
8. Select Apply this rule "from" to configure the time of enforcement.
9. Enter "8:30" and "17:30" in the hour fields.
10. Select Mon to Fri from the menu.
11. Click Update to add your new Rule.

Enabling Ping

By default, your SonicWALL does not respond to ping requests from the Internet. This Rule allows ping requests from your ISP servers to your SonicWALL.

1. Click Add New Rule in the Rules window to launch the "Add Network Access Rule" window.
2. Select Allow from the Action menu.
3. Select Ping from the Service menu.
4. Select WAN from the Source Ethernet menu.
5. Enter the starting IP address of the ISP network in the Source Addr Range Begin field and the ending IP address of the ISP network in the Source Addr Range End field.
6. Select LAN from the Destination Ethernet menu.
7. Since the intent is to allow a ping only to the SonicWALL, enter the SonicWALL LAN IP Address in the Destination Addr Range Begin field.
8. Select Always from the Apply this rule menu to ensure continuous enforcement.
9. Click Update to add your new Rule.
Hope this helps
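
The rule fields described in the quoted guide (service port and protocol, source and destination interface with address range, time window) can be modelled offline to check what a rule covers before entering it. This is an added example, not code from the guide or from either poster; the names `Rule`, `matches`, `decide` and `pkt` are hypothetical, and first-match ordering with a caller-supplied default is an assumption, not documented SonicWALL behaviour.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address

TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers as listed in the guide

@dataclass
class Rule:
    action: str          # "allow" or "deny"
    proto: int
    ports: tuple         # (begin, end); one port is entered in both fields
    src_if: str          # "LAN", "WAN" or "*"
    src: tuple           # (Addr Range Begin, Addr Range End); "*" = all
    dst_if: str
    dst: tuple
    hours: tuple = None  # (start, end) time of day; None = always
    days: tuple = ()     # weekdays the window applies to, Monday = 0

def in_range(addr, rng):
    begin, end = rng
    if begin == "*":
        return True
    # An empty End field means a single address, as in the guide's example.
    return ip_address(begin) <= ip_address(addr) <= ip_address(end or begin)

def matches(rule, pkt, when):
    if rule.proto != pkt["proto"]:
        return False
    if rule.proto != ICMP and not rule.ports[0] <= pkt["port"] <= rule.ports[1]:
        return False
    if rule.src_if not in ("*", pkt["src_if"]) or rule.dst_if not in ("*", pkt["dst_if"]):
        return False
    if not (in_range(pkt["src"], rule.src) and in_range(pkt["dst"], rule.dst)):
        return False
    if rule.hours is None:
        return True
    return when.weekday() in rule.days and rule.hours[0] <= when.time() <= rule.hours[1]

def decide(rules, pkt, when, default):
    # Assumption: first matching rule wins; `default` applies when none match.
    return next((r.action for r in rules if matches(r, pkt, when)), default)

# The guide's two examples. Ports 80 and 119 are the standard HTTP/NNTP ports.
WEB = Rule("allow", TCP, (80, 80), "WAN", ("216.77.88.1", "216.77.88.254"),
           "LAN", ("208.5.5.5", ""))
NNTP = Rule("deny", TCP, (119, 119), "LAN", ("*", ""), "WAN", ("*", ""),
            (time(8, 30), time(17, 30)), (0, 1, 2, 3, 4))

def pkt(proto, port, src_if, src, dst_if, dst):
    return dict(proto=proto, port=port, src_if=src_if, src=src, dst_if=dst_if, dst=dst)
```

Calling `decide` with a constructed packet and a `datetime` shows, for instance, that the NNTP rule stops matching outside the 8:30 to 17:30 Mon to Fri window, so whatever default applies then decides the outcome.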