iSCSI uses TCP to encapsulate SCSI traffic, allowing block-level storage LUN access across Ethernet cables. iSCSI SAN uses a client-server architecture. The client, called iSCSI initiator, operates on your host. It initiates iSCSI sessions by issuing SCSI commands and transmitting them, encapsulated into iSCSI protocol, to a server. The server is known as an iSCSI target. The iSCSI target represents a physical storage system on the network. It can also be provided by a virtual iSCSI SAN
To access iSCSI targets, your host uses iSCSI initiators. The initiators transport SCSI requests and responses, encapsulated into the iSCSI protocol, between the host and the iSCSI target. The host supports 2 types of initiators:
Hardware Initiator: An iSCSI HBA that offloads iSCSI processing from the host’s CPU. It’s normally a 1GbE or 10 GbE NIC card with TCP/IP Offload engine capabilities. The hardware initiator can have 2 types of NIC cards i.e.
Dependant Hardwae iSCSI Adapter, Depends on VMware networking, and iSCSI configuration and management interfaces provided by VMware. This type of adapter can be a card that presents a standard network adapter and iSCSI offload functionality for the same port.
Independent Hardware iSCSI Adapter, Implements its own networking and iSCSI configuration and management interfaces. An example of an independent hardware iSCSI adapter is a card that either presents only iSCSI offload functionality or iSCSI offload functionality and standard NIC functionality.
Software Initiator: It uses VMware’s software implementation with VMkernel, alongside a regular Ethernet NIC adapter. From vSphere 4.1 ESXi hosts can boot from SW initiators if the NIC support iBFT (iSCSI Boot Firmware Table)
iSCSI has 2 discovery methods:
Dynamic: Also known as SendTargets discovery. Each time the initiator contacts a specified iSCSI server, the initiator sends the SendTargets request to the server. The server responds by supplying a list of available targets to the initiator. The names and IP addresses of these targets appear on the Static Discovery tab
Static: The initiator does not have to perform any discovery. The initiator has a list of targets it can contact and uses their IP addresses and target names to communicate with them
iSCSI uses CHAP (Challenge Handshake Authentication Protocol) as IP networks that the iSCSI technology uses to connect to remote targets do not protect the data they transport, you must ensure security of the connection.
One Way Chap: In one-way CHAP authentication, also called unidirectional, the target authenticates the initiator, but the initiator does not authenticate the target
Mutual CHAP: In mutual CHAP authentication, also called bidirectional, an additional level of security enables the initiator to authenticate the target. VMware supports this method for software and dependent hardware iSCSI adapters only
iSCSI Best Practices:
- Ensure the iSCSI traffic is on a Non routable VLAN on a dedicated pair of redundant switches, as the traffic is not encrypted
- Enable Jumbo Frames end to end (Servers, Switches, Storage), set the MTU to 9000
- Enable RSTP (Rapid Spanning Tree) or PortFast, this allows immediate transition if an active link fails
- Setup Redundant Hardware Adapters to avoid SPOF
- Use NMP with SATP selection and PSP pathing when using hardware initiators as hosts recognize the HBAs as storage adapters
- For software initiator, create 2 separate VMkernel ports for iSCSI traffic on the same vSwitch and bind the VMkernel ports to their own NICs. Each VMkernel port should have only one NIC as active and rest should be set to unused
- Use 1 Gbe capable switches, NICs and cables for optimal performance
- Use dedicated switches for storage to avoid over subscription