  • Posts: 14
  • Registered: ‎06-12-2018
  • Location: PK
  • Views: 116
  • Message 1 of 5

Isolation of Blades

2020-10-02, 4:42 AM

Hello Experts,

I need your help regarding the issue below.

We procured an IBM BladeCenter S with three blades and storage 6 years back, installed Microsoft Hyper-V with a failover cluster, and are running different virtual machines.

Now we have a requirement, due to compliance, to isolate two virtual machines from all the rest of the machines, which requires isolating the host (one of the blades), storage and VLAN.

IBM Blade Server S-8886 contains a total of three BladeCenter HS23 servers, and Virtual Machine 01 and Virtual Machine 02 both run from one single HS23 server. These three HS23 are all connected to a shared storage device (SAN) via RAID 1 and RAID 5; at this time all three blade servers have access to all the disks (or LUNs) available in the SAN. Also, all servers are on the same network.

For the isolation to be approved we are looking to see that there is a disk (or LUN) in the SAN storage device that can be accessed only by the HS23 server that’s running Virtual Machine 01 and Virtual Machine 02, and not by the other two blades as well. Also the HS23 machine running Virtual Machine 01 and Virtual Machine 02 needs to be on a separate VLAN.

Is creating a dedicated LUN in the SAN for the HS23 with Virtual Machine 01 an issue? This should be an option from the SAN device’s console. How about a separate VLAN at switch level? Is this option also available from the devices’ console?

Can we configure it with examples: LUN masking or SAN zoning in the SAN device configuration, and a separate VLAN at switch level?

  • Posts: 105
  • Registered: ‎06-03-2020
  • Location: US
  • Views: 885
  • Message 2 of 5

Re:Isolation of Blades

2020-10-02, 12:07 PM

Hello,

I will let someone else respond to the SAN questions, but for the Ethernet VLAN question, the short answer is yes, VLAN isolation is possible. To understand any limitations to this statement, we would need to know exactly what Ethernet modules are installed in the BladeCenter S. Can you share this information (what model modules in what switch bays) for your environment?

Thanks, Matt

  • Posts: 14
  • Registered: ‎06-12-2018
  • Location: PK
  • Views: 116
  • Message 3 of 5

Re:Isolation of Blades

2020-10-02, 12:27 PM

There are two Ethernet switch I/O modules, of which one is functional, I/O module 2.

  • Posts: 105
  • Registered: ‎06-03-2020
  • Location: US
  • Views: 885
  • Message 4 of 5

Re:Isolation of Blades

2020-10-02, 12:56 PM

Hello, unfortunately that screenshot does not provide an exact model, but we can tell enough to know it is one of the Blade Network Technologies Ethernet switches, and they will support VLAN isolation. You could also install (if not already) a Broadcom 2+2 CFFh card into the HS23s, and start making use of the Ethernet switch in bay 2, and could then isolate by completely different network switches if desired. I have attached a PDF that shows the networking connections within the BladeCenter S, with HS23 connections seen on page 9.

Hope this helps. Now hopefully someone will provide feedback on your SAN questions.

Thanks, Matt

  • Posts: 14
  • Registered: ‎06-12-2018
  • Location: PK
  • Views: 116
  • Message 5 of 5

Re:Isolation of Blades

2020-10-05, 4:42 AM

We need to fit our existing cluster-based model on this scenario (DBEE is one where XYZ program will run).

In order for this to be approved the following must be addressed:

• Network isolation – even though there are no other clusters aside from the one you shared, all three machines are part of the same network. Simply put, the physical machine resources are available across the network; basically, the machine running XYZ programs must be on its own network. Creating a separate VLAN would ensure that the isolation has been performed at network level.

• Storage isolation – there are currently three nodes accessing the shared storage device; considering that disabling VM migration from the Hyper-V console is not an accepted solution, it is considered that the VMs running XYZ are accessible via the shared storage by other machines/nodes as well. One way to achieve isolation at storage level is to assign a LUN specifically dedicated to the node running XYZ programs which is not visible and therefore cannot be accessed by the other nodes.

Reply
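
Added example, not part of any post in this thread and not vendor code: a PowerShell audit, run from one Hyper-V cluster node, that checks the two requirements listed in message 5 once LUN masking and the VLAN are in place. The node name, VM names, LUN serial and VLAN ID are placeholders, and the script assumes the VLAN is applied as an access tag on the VMs' Hyper-V network adapters; if the blade's switch port is configured as an untagged member of the isolated VLAN instead, check step 3 on the switch.

```powershell
# Added example: isolation audit. Every value in this block is a placeholder.
# Needs the FailoverClusters and Hyper-V modules, PowerShell remoting, and admin rights.
$IsolatedNode = 'BLADE3'               # hypothetical name of the dedicated HS23
$IsolatedVMs  = 'VM01', 'VM02'         # hypothetical names of the two VMs
$LunSerial    = 'PLACEHOLDER-SERIAL'   # dedicated LUN serial as shown by the SAN console
$ExpectedVlan = 200                    # hypothetical ID of the isolated VLAN

$nodes    = (Get-ClusterNode).Name
$findings = @()

# 1. Storage: the dedicated LUN must be presented to the isolated node only.
foreach ($node in $nodes) {
    $visible = Invoke-Command -ComputerName $node -ArgumentList $LunSerial -ScriptBlock {
        param($serial)
        [bool](Get-Disk | Where-Object { "$($_.SerialNumber)".Trim() -eq $serial })
    }
    if ($visible -and $node -ne $IsolatedNode) {
        $findings += "LUN $LunSerial is visible on $node (masking/zoning not effective)"
    }
    if (-not $visible -and $node -eq $IsolatedNode) {
        $findings += "LUN $LunSerial is not visible on $IsolatedNode"
    }
}

# 2. Placement: the two VMs run on the isolated node, and nothing else does.
$allVms = Get-VM -ComputerName $nodes
foreach ($name in $IsolatedVMs) {
    $vm = $allVms | Where-Object { $_.Name -eq $name }
    if (-not $vm) { $findings += "$name was not found on any node"; continue }
    if ($vm.ComputerName -ne $IsolatedNode) {
        $findings += "$name is hosted on $($vm.ComputerName), not $IsolatedNode"
    }
    # 3. Network: every adapter of the VM is an access port in the isolated VLAN.
    foreach ($v in (Get-VMNetworkAdapterVlan -VMName $name -ComputerName $vm.ComputerName)) {
        if ($v.OperationMode -ne 'Access' -or $v.AccessVlanId -ne $ExpectedVlan) {
            $findings += "${name}: adapter mode $($v.OperationMode), VLAN $($v.AccessVlanId)"
        }
    }
}
$allVms | Where-Object { $_.ComputerName -eq $IsolatedNode -and $IsolatedVMs -notcontains $_.Name } |
    ForEach-Object { $findings += "Unrelated VM $($_.Name) is hosted on $IsolatedNode" }

if ($findings) { $findings } else { 'Isolation checks passed' }
```

A LUN that is presented to a node shows up in `Get-Disk` even when it is offline or reserved there, so step 1 reports what the SAN exposes to each blade rather than what the cluster currently has mounted.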