Storage Area Network (Black Book)
Anjuman-I-Islam's Kalsekar Technical Campus,
New Panvel
MUMBAI UNIVERSITY
2014-15
DEPARTMENT OF COMPUTER
A Project Report
On
Storage Area Network
By
Mr. Suhel Khan
Mr. Nazim Pathan
Mr. Israr Shaikh
Mr. Sufiyan Tamboli
(T.E. (CO))
Under Guidance Of
Prof. Shahbaz Shaikh
Submitted To
University Of Mumbai
2014-2015
Acknowledgement
I am very thankful to everyone who supported me, for I have
completed my project effectively and, moreover, on time.
I would especially like to thank all the teaching and non-teaching staff of
the Computer Science faculty who inspired me in the completion of the project. I am
thankful to my project guide Prof. Shahbaz Shaikh and my seniors for their
timely help and guidance in completing this project successfully.
I would also like to express my deep regards and gratitude to our
H.O.D. Mr. Tabrez Khan and Director Mr. Abdul Razzaq Honnutagi for
their support and the facilities provided to us for the same.
Lastly, I would like to thank all those who directly and indirectly
helped in the completion of this project.
Preface
This project provides an introduction to the Storage Area Network (SAN). This
report explains why, and how, a storage area network can be used, along
with diagrams so that the logic can be understood without difficulty.
For detailed information, the screen layouts provided with the report can be
viewed.
Although this report has been prepared with the utmost care, there may be some
errors, as the project is subject to further enhancement as per the
requirements of the organization.
Sr. No.  Topic                                                              Page No.
1        Front cover                                                        1
2        Acknowledgement                                                    2
3        Preface                                                            3
4        Table of contents                                                  4
5        Chapter 1: Introduction                                            5
           What is a network
           Interconnection models
           What is a storage area network?
           Storage area network components
6        Chapter 2: Why, and how, can we use a storage area network?        10
           Why use a storage area network?
           How can we use a storage area network?
           Using the storage area network components
7        Chapter 3: Topologies
           Fibre Channel topologies
           Port types
8        Chapter 4: Storage area network as a service for cloud computing   38
           What is a cloud?
           SAN virtualization
9        Chapter 5: Security
           Security in the storage area network (SAN)
           Security principles
           Storage area network encryption
10       Chapter 6: Solutions
           Basic solution principles
           Infrastructure simplification
14       Conclusion
18       Bibliography
CHAPTER 1: INTRODUCTION
What is a network
A computer network, often simply called a network, is a collection of computers and devices that
are interconnected by communication channels. These channels allow for the efficient sharing of
resources, services, and information among them.
Even though this definition is simple, understanding how to make a network work might be
complicated for people who are not familiar with information technology (IT), or who are just starting out in
the IT world. Because of this unfamiliarity, we explain the basic concepts that need to be understood to
facilitate our understanding of the networking world.
1.1.1 The importance of communication
It is impossible to imagine the human world as a set of stand-alone humans, with nobody who talks to or
does anything for anyone else. More importantly, it is hard to imagine how a human could function
without using their senses. In the human world, you would surely agree that communication
between individuals makes a significant difference in all aspects of life.
First of all, communication in any form is not easy, and it needs a number of components.
These components are a common language, something to be communicated, a medium through which the
communication flows, and finally a way to be sure that whatever was communicated was received and
understood. In the human world, we use language as the communication protocol, and sound
and writing are the communication media.
Similarly, a computer network needs almost the same components as our human example, but a
difference is that all factors need to be governed in some way to ensure effective communications. This
monitoring is achieved by the use of industry standards, and companies adhere to those standards to
ensure that communication can take place.
There is a wealth of information that is devoted to networking history and its evolution, and we do
not intend to give a history lesson in this book. This publication focuses on the prevalent interconnection
models, storage, and networking concepts.
Interconnection models
An interconnection model is a standard that is used to connect sources and targets in a network,
and there are some well-known models in the IT industry, such as the open systems interconnection
model (OSI), the Department of Defense (DOD) model, the TCP/IP protocol suite, and
Fibre Channel. Each model has its advantages and disadvantages. Each model is applied where it
has the maximum benefit in terms of performance, reliability, availability, cost benefits, and so on.
1.2.1 The open systems interconnection model
The open systems interconnection model (OSI model) was a product of the open systems
interconnection effort at the International Organization for Standardization (ISO). It is a way of subdividing
a communications system into smaller parts called layers. Similar communication functions are grouped
into logical layers. A layer provides services to its upper layer while it receives services from the layer
below. At each layer, an instance provides service to the instances at the layer above and requests
service from the layer below.
For this book, we focus on the Physical, Data Link, Network, and Transport layers.
Layer 1: Physical Layer
The Physical Layer defines electrical and physical specifications for devices. In particular, it
defines the relationship between a device and a transmission medium, such as a copper or optical cable.
This relationship includes the layout of pins, voltages, cable specifications, and more.
Layer 2: Data Link Layer
The Data Link Layer provides the functional and procedural means to transfer data between
network entities. This layer also detects and possibly corrects errors that might occur in the
Physical Layer.
Layer 3: Network Layer
The Network Layer provides the functional and procedural means of transferring variable length
data sequences from a source host on one network to a destination host on a different network. The
Network layer provides this functionality while it maintains the quality of service requested by the
Transport Layer (in contrast to the Data Link layer, which connects hosts within the same network). The
Network Layer performs network routing functions. This layer might also perform fragmentation and
reassembly, and report delivery errors. Routers operate at this layer by sending data throughout the
extended network and making the Internet possible.
Layer 4: Transport Layer
The Transport Layer provides transparent transfer of data between users, providing reliable
data transfer services to the upper layers. The Transport Layer controls the reliability of a specific link
through flow control, segmentation and desegmentation, and error control. Some protocols are state-
and connection-oriented. This means that the Transport Layer can track the segments and retransmit the
ones that fail. The Transport Layer also provides the acknowledgement of the successful data
Now that you know what an interconnection model is, what it does, and how important it is in a
network, we can compare the OSI model with other models.
1.2.2 Translating the OSI model to the physical world
To make a translation from theoretical models to reality, we introduce physical devices which
perform certain tasks for each layer on each model.
Local area networks (LANs) are a good place to start. We define LANs as a small or large
network that is limited within the same physical site. This site might be a traditional office or a corporate
building.
In Figure 1-2, you see a basic network where computers and a printer are interconnected by
using physical cables and interconnection devices.
Figure 1-2 Basic network topology
We must keep in mind that any model we choose defines the devices, cables, connectors, and
interface characteristics that we must implement to make it work. We must also support the protocols for
each model layer.
All the network components are categorized into five groups:
End devices: An end device is a computer system which has a final purpose, such as desktop
computers, printers, storage, or servers.
Network interface: It is an interface between the media and end devices which can
interact with other network interfaces and understands an interconnection model.
Connector: This is the physical element at the end of the media which allows a
connection to the network interface.
Media: This is the physical path that is used to transmit an electrical or optical signal. It
might be wired or wireless, copper, or a fiber optic cable.
Network devices: These are used to interconnect multiple end devices as a single point
of interconnection, route communication through different networks, or for providing
network security. Examples of network devices are switches, routers, firewalls, and
directors.
Each network component executes a particular role within a network and all of them are required
to reach the final goal of making communication possible.
What is a storage area network?
The Storage Networking Industry Association (SNIA) defines the storage area network (SAN)
as a network whose primary purpose is the transfer of data between computer systems and storage
elements. A SAN consists of a communication infrastructure, which provides physical connections. It also
includes a management layer, which organizes the connections, storage elements, and computer
systems so that data transfer is secure and robust. The term SAN is usually (but not necessarily)
identified with block I/O services rather than file access services.
In simple terms, a SAN is a specialized, high-speed network that attaches servers and storage
devices. For this reason, it is sometimes referred to as the network behind the servers. A SAN allows
any to any connection across the network, by using interconnect elements such as switches and
directors. It eliminates the traditional dedicated connection between a server and storage, and the
concept that the server effectively owns and manages the storage devices. It also eliminates any
restriction to the amount of data that a server can access, currently limited by the number of storage
devices that are attached to the individual server. Instead, a SAN introduces the flexibility of networking to
enable one server or many heterogeneous servers to share a common storage utility. A network might
include many storage devices, including disk, tape, and optical storage. Additionally, the storage utility
might be located far from the servers that it uses.
The SAN can be viewed as an extension to the storage bus concept. This concept enables
storage devices and servers to be interconnected by using similar elements, such as LANs and wide area
networks (WANs).
SANs create new methods of attaching storage to servers. These new methods can enable great
improvements in both availability and performance. The SANs of today are used to connect shared
storage arrays and tape libraries to multiple servers, and are used by clustered servers for failover.
A SAN can be used to bypass traditional network bottlenecks. It facilitates direct, high-speed data
transfers between servers and storage devices, potentially in any of the following three ways:
Server to storage: This is the traditional model of interaction with storage devices. The advantage
is that the same storage device might be accessed serially or concurrently by multiple servers.
Server to server: A SAN might be used for high-speed, high-volume communications between
servers.
Storage to storage: This outboard data movement capability enables data to be moved without
server intervention, therefore freeing up server processor cycles for other activities like
application processing. Examples include a disk device that backs up its data to a tape device
without server intervention, or a remote device mirroring across the SAN.
SANs allow applications that move data to perform better; for example, by having the data sent
directly from the source to the target device with minimal server intervention. SANs also enable new
network architectures where multiple hosts access multiple storage devices that are connected to the
same network. Using a SAN can potentially offer the following benefits:
Improvements to application availability: Storage is independent of applications and accessible
through multiple data paths for better reliability, availability, and serviceability.
Higher application performance: Storage processing is offloaded from servers and moved onto a
separate network.
Centralized and consolidated storage: Simpler management, scalability, flexibility, and availability.
Data transfer and vaulting to remote sites: Remote copy of data that is enabled for disaster
protection and against malicious attacks.
Simplified centralized management: Single image of storage media simplifies management.
Storage area network components
Fibre Channel is the predominant architecture upon which most storage area network (SAN)
implementations are built. IBM FICON is the standard protocol for IBM z/OS systems, and
Fibre Channel Protocol (FCP) is the standard protocol for open systems. The SAN components described
in the following sections are Fibre Channel-based.
Storage area network connectivity
The first element that must be considered in any storage area network (SAN) implementation is
the connectivity of the storage and server components, which typically use Fibre Channel.
The components that are listed in Figure 1-12 are typically used for LAN and WAN implementations.
SANs, like LANs, interconnect the storage interfaces together into many network configurations and
across longer distances.
Much of the terminology that is used for SAN has its origins in Internet Protocol (IP) network terminology.
In some cases, the industry and IBM use different terms that mean the same thing, and in some cases,
mean different things.
1.5.2 Storage area network storage
The storage area network (SAN) liberates the storage device so it is not on a particular server
bus, and attaches it directly to the network. In other words, storage is externalized and can be functionally
distributed across the organization. The SAN also enables the centralization of storage devices and the
clustering of servers. This has the potential to achieve easier and less expensive centralized
administration that lowers the total cost of ownership (TCO).
The storage infrastructure is the foundation on which information relies, and therefore must support the
business objectives and business model of a company. In this environment, simply deploying more and
faster storage devices is not enough. A SAN infrastructure provides enhanced network availability, data
accessibility, and system manageability. It is important to remember that a good SAN begins with a good
design. This is not only a maxim, but must be a philosophy when we design or implement a SAN.
1.5.3 Storage area network servers
The server infrastructure is the underlying reason for all storage area network (SAN) solutions.
This infrastructure includes a mix of server platforms such as Microsoft Windows,
UNIX (and its various versions), and z/OS. With initiatives such as server consolidation and e-business,
the need for SANs increases, making the importance of storage in the network greater.
CHAPTER 2: WHY, AND HOW,
CAN WE USE A
STORAGE AREA NETWORK?
In Chapter 1, we introduced the basics by presenting a network and storage system introduction.
We also worked on a standard storage area network (SAN) definition and brief description of the
underlying technologies and concepts that are behind a SAN implementation.
In this chapter, we extend this discussion by presenting real-life SANs alongside well-known
technologies and platforms that are used in SAN implementations. We also describe some of the trends
that are driving the SAN evolution, and how they might affect the future of storage technology.
Although SAN technology is different, many of the concepts can also be applied in the
Ethernet networking environment, which is covered in more depth later in this book.
2.1 Why use a storage area network?
This section describes the main motivators that drive storage area network (SAN)
implementations, and presents some of the key benefits that this technology might bring to a data-dependent
business.
2.1.1 The problem
Distributed clients and servers are frequently chosen to meet specific application needs. They
might, therefore, run different operating systems (such as Windows Server, various UNIX offerings, IBM
VMware vSphere, VMS). They might also run different database software (for example, IBM DB2,
Oracle, IBM Informix, SQL Server). Therefore, they have different file systems and different data
formats.
Managing this multi-platform, multivendor, networked environment is increasingly complex and
costly. Software tools for multiple vendors and appropriately skilled human resources must be maintained
to handle data and storage resource management on the many differing systems in the enterprise.
Surveys that are published by industry analysts consistently show that management costs that are
associated with distributed storage are much greater. The costs are shown to be up to 10 times more
than the cost of managing consolidated or centralized storage. This comparison includes the costs of
backup, recovery, space management, performance management, and disaster recovery planning.
Disk storage is often purchased from the processor vendor as an integral feature. It is difficult to establish
if the price you pay per gigabyte (GB) is competitive, compared to the market price of disk storage. Disks
and tape drives, directly attached to one client or server, cannot be used by other systems, leading to
inefficient use of hardware resources. Organizations often find that they need to purchase more storage
capacity, even though free capacity is available in other platforms.
Additionally, it is difficult to scale capacity and performance to meet rapidly changing
requirements, such as the explosive growth in server, application, and desktop virtualization.
There is also the need to manage information over its entire lifecycle, from conception to intentional
destruction.
Information that is stored on one system cannot readily be made available to other users. One
exception is to create duplicate copies and move the copy to the storage that is attached to another
server. Movement of large files of data might result in significant degradation of performance of the LAN
and WAN, causing conflicts with mission-critical applications.
Multiple copies of the same data might lead to inconsistencies between one copy and another. Data that
is spread on multiple small systems is difficult to coordinate and share for enterprise-wide applications.
Some examples of this type of application include: E-business, enterprise resource planning (ERP), data
warehouse, and business intelligence (BI).
Backup and recovery operations across a LAN might also cause serious disruption to normal
application traffic. Even when using fast Gigabit Ethernet transport, the sustained throughput from a
single server to tape is about 25 GB per hour. It would take approximately 12 hours to fully back up a
relatively moderate departmental database of 300 GBs. This timeframe might exceed the available
window of time in which the backup must be completed. And, it might not be a practical solution if
business operations span multiple time zones. It is increasingly evident to IT managers that these
characteristics of client/server computing are too costly and too inefficient. The islands of information that
result from the distributed model of computing do not match the needs of the enterprise.
New ways must be found to control costs, improve efficiency, and simplify the storage
infrastructure to meet the requirements of the modern business world.
2.1.2 The requirements
With this scenario in mind, there are a number of requirements that the storage infrastructures of
today might consider. The following factors are some of the most important requirements to consider:
Unlimited and just-in-time scalability: Businesses require the capability to flexibly adapt to the
rapidly changing demands for storage resources without performance degradation.
System simplification: Businesses require an easy-to-implement infrastructure with the
minimum amount of management and maintenance. The more complex the enterprise
environment, the more costs that are involved in terms of management. Simplifying the
infrastructure can save costs and provide a greater return on investment (ROI).
Flexible and heterogeneous connectivity: The storage resource must be able to support
whatever platforms are within the IT environment. This resource is essentially an investment
protection requirement that allows for the configuration of a storage resource for one set of
systems. It later configures part of the capacity to other systems on an as-needed basis.
Security: This requirement guarantees that data from one application or system does not
become overlaid or corrupted by other applications or systems. Authorization also requires
the ability to fence off the data of one system from other systems.
Encryption: When sensitive data is stored, it must be read or written only from those
authorized systems. If for any reason the storage system is stolen, data must never be
available to be read from the system.
Hypervisors: This requirement is for the support of the server, application, and desktop
virtualization hypervisor features for cloud computing.
Speed: Storage networks and devices must be able to manage the high number of gigabytes
and intensive I/O that is required by each business industry.
Availability: This is a requirement that implies both the protection against media failure and
the ease of data migration between devices, without interrupting application processing. This
requirement certainly implies improvements to backup and recovery processes. Attaching
disk and tape devices to the same networked infrastructure allows for fast data movement
between devices, which provides enhanced backup and recovery capabilities, such as:
Server-less backup. This is the ability to back up your data without using the computing
processor of your servers.
Synchronous copy. This ensures that your data is at two or more places before your application
goes to the next step.
Asynchronous copy. This ensures that your data is at two or more places within a short time. It
is the disk subsystem that controls the data flow.
In the following section, we describe the use of SANs as a response to these business
requirements.
2.2 How can we use a storage area network?
The key benefits that a storage area network (SAN) might bring to a highly data-dependent
business infrastructure can be summarized into three concepts: Infrastructure simplification, information
lifecycle management, and business continuity. They are an effective response to the requirements
presented in the previous section, and are strong arguments for the adoption of SANs. These three
concepts are briefly described, as follows.
2.2.1 Infrastructure simplification
There are four main methods by which infrastructure simplification can be achieved. An overview
is provided for each of the main methods of infrastructure simplification:
Consolidation
Concentrating the systems and resources into locations with fewer, but more powerful, servers
and storage pools can help increase IT efficiency and simplify the infrastructure.
Additionally, centralized storage management tools can help improve scalability, availability, and
disaster tolerance.
Virtualization
Storage virtualization helps in making complexity nearly transparent, and at the same time, can
offer a composite view of storage assets. This feature might help reduce capital and
administrative costs, and it provides users with better service and availability.
Virtualization is designed to help make the IT infrastructure more responsive, scalable, and
available.
Automation
Choosing storage components with autonomic capabilities can improve availability and
responsiveness, and can help protect data as storage needs grow. As soon as day-to-day tasks
are automated, storage administrators might be able to spend more time on critical, higher-level
tasks that are unique to the company's business mission.
Integration
Integrated storage environments simplify system management tasks and improve security.
When all servers have secure access to all data, your infrastructure might be better able to
respond to the information needs of your users.
Simplified storage environments have fewer elements to manage. This type of environment leads
to increased resource utilization, simplifies storage management, and can provide economies of scale for
owning disk storage servers. These environments can be more resilient and provide an infrastructure for
virtualization and automation.
2.2.2 Information lifecycle management
Information is an increasingly valuable asset, but as the amount of information grows, it becomes
increasingly costly and complex to store and manage it. Information lifecycle management (ILM) is a
process for managing information through its lifecycle, from conception until intentional disposal. The ILM
process manages this information in a manner that optimizes storage and maintains a high level of
access at the lowest cost.
A SAN implementation makes it easier to manage the information lifecycle because it integrates
applications and data into a single-view system, in which the information resides.
This single-view location can be managed more efficiently.
IBM Tivoli Productivity Center For Data was specially designed to support ILM.
2.2.3 Business continuity
It goes without saying that the business climate in the on-demand era of today is highly
competitive. Clients, employees, suppliers, and IBM Business Partners expect to be able to tap into their
information at any hour of the day, from any corner of the globe. Continuous business operations are no
longer optional; they are a business imperative to becoming successful and maintaining a competitive
advantage. Businesses must also be increasingly sensitive to issues of client privacy and data security so
that vital information assets are not compromised. Also, factor in the legal and regulatory requirements,
the inherent demands of participating in the global economy, and accountability. All of a sudden, the lot of
an IT manager is not a happy one.
Currently, with natural disasters seemingly occurring with more frequency, a disaster recovery
(DR) plan is essential. Implementing the correct SAN solution can help not only in real-time recovery
techniques, but it also can reduce the recovery time objective (RTO) for your current
DR plan.
There are many specific vendor solutions in the market which require a SAN running in the background
like IBM VMware Site Recovery Manager (SRM) for business continuity.
It is little wonder that a sound and comprehensive business continuity strategy is now considered a
business imperative, and SANs play a key role in this continuity. By deploying a consistent and safe
infrastructure, SANs make it possible to meet any availability requirements.
2.3 Using the storage area network components
The foundation that a storage area network (SAN) is built on is the interconnection of storage
devices and servers. This section further describes storage, interconnection components, and servers,
and how the different types of servers and storage are used in a typical SAN environment.
2.3.1 Storage
This section briefly describes the main types of storage devices that can be found in the market.
Disk systems
By being contained within a single box, a disk system usually has a central control unit that
manages all of the I/O. This configuration simplifies the integration of the system with other
devices, such as other disk systems or servers.
We introduced you to what a storage system consists of in Chapter 1, Introduction on page 1.
Depending on the specific functionality that is offered by a particular storage system, it is possible
to make it behave as a small, mid-size, or enterprise solution. The decision of which type of disk
system is more suitable for a SAN implementation strongly depends on the performance capacity
and availability requirements for the particular SAN. We describe the product portfolio in Chapter
12, The IBM product portfolio on page 245.
Tape systems
Tape systems, in much the same way as disk systems, are devices that consist of all the
necessary apparatus to manage the use of tapes for storage purposes. In this case, however, the
serial nature of a tape makes it impossible for tapes to be treated in parallel. This is in contrast to
Redundant Array of Independent Disks (RAID) devices, whose parallel access leads to a simpler
architecture to manage and use.
There are basically three types of tape systems: Drives, autoloaders, and libraries. An overview
of each type of system is provided.
Tape drives
As with disk drives, tape drives are the means by which tapes can be connected to other devices.
They provide the physical and logical structure for reading from, and writing to tapes.
Tape autoloaders
Tape autoloaders are autonomous tape drives that can manage tapes and perform automatic
backup operations. They are usually connected to high-throughput devices that require constant
data backup.
Tape libraries
Tape libraries are devices that can manage multiple tapes simultaneously and, as such, can be
viewed as a set of independent tape drives or autoloaders. They are usually deployed in systems
that require massive storage capacity, or that need some type of data separation that would result
in multiple single-tape systems. Because a tape is not a random-access media, tape libraries
cannot provide parallel access to multiple tapes as a way to improve performance. However, they
can provide redundancy as a way to improve data availability and fault-tolerance.
The circumstances under which each of these systems, or even a disk system, might be used,
strongly depend on the specific requirements of a particular SAN implementation.
However, disk systems are usually used for online storage because of their superior performance.
Whereas, tape systems are ideal for offline, high-throughput storage, because of the lower cost of
storage per byte.
The next section describes the prevalent connectivity interfaces, protocols, and services for
building a SAN.
2.3.2 Storage area network connectivity
Storage area network (SAN) connectivity consists of hardware and software components
that make possible the interconnection of storage devices and servers. You are now introduced to
the Fibre Channel (FC) model for SANs.
Standards and models for storage connectivity
Networking is governed by adherence to standards and models. Data transfer is also governed
by standards. By far the most common is Small Computer System Interface (SCSI).
SCSI is an American National Standards Institute (ANSI) standard that is one of the leading
I/O buses in the computer industry.
An industry effort was started to create a stricter standard allowing devices from different vendors
to work together. This effort is recognized in the ANSI SCSI-1 standard. The SCSI-1 standard (circa
1985) is rapidly becoming obsolete. The current standard is SCSI-2. The
SCSI-3 standard is in the production stage.
The SCSI bus is a parallel bus, which comes in a number of variants, as shown in Figure 2-2 on
page 22.
Fibre Channel: For more information about parallel and serial data transfer, see
Chapter 3, Fibre Channel internals on page 31.
In addition to a physical interconnection standard, SCSI defines a logical (command set) standard
to which disk devices must adhere. This standard is called the Common Command
Set (CCS) and was developed more or less in parallel with ANSI SCSI-1.
The SCSI bus not only has data lines, but also a number of control signals. An elaborate protocol
is part of the standard to allow multiple devices to share the bus efficiently.
In SCSI-3, even faster bus types are introduced, along with serial SCSI buses that reduce the
cabling overhead and allow a higher maximum bus length. It is at this point where the Fibre
Channel model is introduced.
As always, the demands and needs of the market push for new technologies. In particular, there
is always a push for faster communications without limitations on distance or on the number of connected
devices.
Fibre Channel is a serial interface (primarily implemented with fiber-optic cable) and is the
primary architecture for most SANs. To support this interface, there are many vendors in the marketplace
that produce Fibre Channel adapters and other Fibre Channel devices. Fibre Channel brought these
advantages by introducing a new protocol stack and by keeping the SCSI-3 CCS on top of it.
Figure 2-3 shows the evolution of Fibre Channel speeds. Fibre Channel is described in greater depth
throughout this publication.
Figure 2-3 Fibre Channel (FC) evolution
Figure 2-4 on page 23 shows an overview of the Fibre Channel model. The diagram shows the Fibre
Channel, which is divided into four lower layers (FC-0, FC-1, FC-2, and FC-3) and one upper layer (FC-4).
FC-4 is where the upper level protocols are used, such as SCSI-3,
Internet Protocol (IP), and Fibre Channel connection (FICON).
Figure 2-4 Fibre Channel (FC) model overview
Options for storage connectivity
In this section, we divide these components into three groups according to the
abstraction level to which they belong: lower-level layers, middle-level layers, and
higher-level layers.
Figure 2-5 provides an idea of each networking stack.
Figure 2-5 Networking stack comparison
Lower-level layers
As Figure 2-5 shows, there are only three stacks that can directly interact with the
physical wire: Ethernet, SCSI, and Fibre Channel. Because of this configuration, these models
are considered the lower-level layers. All of the other stacks are combinations of the layers,
such as Internet SCSI (iSCSI), Fibre Channel over IP (FCIP), and Fibre Channel over Ethernet
(FCoE), also called the middle-level layers.
We are assuming a basic knowledge of Ethernet, which is typically used on conventional server-
to-server or workstation-to-server network connections. The connections build up a common-bus
topology by which every attached device can communicate with each other using this common
bus. Ethernet speed is increasing as it becomes more pervasive in the data center. Key concepts
of Ethernet are described later in this book.
Middle-level layers
This section consists of the transport protocol and session layers.
Internet Small Computer System Interface
Internet Small Computer System Interface (iSCSI) is a transport protocol that
carries SCSI commands from an initiator to a target. It is a data storage networking
protocol that transports standard SCSI requests over the standard Transmission Control
Protocol/Internet Protocol (TCP/IP) networking technology. iSCSI enables the
implementation of IP-based SANs, enabling clients to use the same networking
technologies, for both storage and data networks. Because it uses TCP/IP, iSCSI is also
suited to run over almost any physical network. By eliminating the need for a second
network technology just for storage, iSCSI has the potential to lower the costs of
deploying networked storage.
Fibre Channel Protocol
The Fibre Channel Protocol (FCP) is the interface protocol of SCSI on Fibre
Channel (FC). It is a gigabit speed network technology that is primarily used for storage
networking. Fibre Channel is standardized in the T11 Technical Committee of the
International Committee of Information Technology Standards (INCITS), an ANSI
accredited standards committee. It started for use primarily in the supercomputer field,
but is now the standard connection type for SANs in enterprise storage. Despite its name,
Fibre Channel signaling can run on both twisted-pair copper wire and fiber optic cables.
Fibre Channel over IP
Fibre Channel over IP (FCIP) is also known as Fibre Channel tunneling or
storage tunneling. It is a method to allow the transmission of Fibre Channel information to
be tunneled through the IP network. Because most organizations already have an
existing IP infrastructure, the attraction of being able to link geographically dispersed
SANs, at a relatively low cost, is enormous.
FCIP encapsulates Fibre Channel block data and then transports it over a TCP socket.
TCP/IP services are used to establish connectivity between remote SANs. Any
congestion control and management, and data error and data loss recovery, is handled
by TCP/IP services and does not affect Fibre Channel fabric services.
The major consideration with FCIP is that it does not replace Fibre Channel with IP; it
allows deployments of Fibre Channel fabrics by using IP tunneling. The assumption that
this might lead to is that the industry decided that Fibre Channel-based SANs are more
than appropriate. Another possible assumption is that the only need for the IP connection
is to facilitate any distance requirement that is beyond the current scope of an FCP SAN.
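As an added example (not from the original text or from any FCIP product), the following shows the two properties described above: the FC frame is carried unchanged as opaque block data, and the tunnel endpoint must recover frame boundaries from a TCP byte stream that has none. The header layout is an assumption for illustration, loosely modelled on the frame encapsulation FCIP uses, and the frames are constructed.

```python
"""FCIP-style tunnel framing: FC frames carried unchanged inside a TCP
byte stream, with frame boundaries recovered at the far end."""
import struct
import zlib

# Simplified encapsulation header (assumption for this example, not the
# standard's exact layout): protocol, version, their ones' complements,
# total length in 32-bit words, its complement, and a CRC-32 of the frame.
HEADER = struct.Struct("!BBBBHHI")
FCIP_PROTOCOL = 1
VERSION = 1


def encapsulate(fc_frame: bytes) -> bytes:
    """Wrap one FC frame for transmission over the tunnel's TCP socket.
    The frame bytes are carried as-is: the tunnel never interprets them,
    which is why fabric services are unaffected. Nothing here encrypts the
    block data; confidentiality on the IP path needs e.g. IPsec."""
    if not fc_frame or len(fc_frame) % 4:
        raise ValueError("FC frames are a whole number of 32-bit words")
    words = (HEADER.size + len(fc_frame)) // 4
    header = HEADER.pack(FCIP_PROTOCOL, VERSION,
                         FCIP_PROTOCOL ^ 0xFF, VERSION ^ 0xFF,
                         words, words ^ 0xFFFF, zlib.crc32(fc_frame))
    return header + fc_frame


class Decapsulator:
    """Receiver side: TCP delivers a byte stream with no message boundaries,
    so frames are reassembled from whatever chunk sizes recv() hands back."""

    def __init__(self) -> None:
        self.buffer = b""

    def feed(self, chunk: bytes) -> list:
        """Absorb one received chunk and return any complete frames."""
        self.buffer += chunk
        frames = []
        while len(self.buffer) >= HEADER.size:
            proto, ver, nproto, nver, words, nwords, crc = HEADER.unpack_from(self.buffer)
            # The complemented fields let the receiver notice it is no longer
            # aligned on a header, instead of trusting a garbage length.
            expected = (FCIP_PROTOCOL, proto ^ 0xFF, ver ^ 0xFF, words ^ 0xFFFF)
            if (proto, nproto, nver, nwords) != expected:
                raise ValueError("lost synchronisation with tunnel stream")
            total = words * 4
            if len(self.buffer) < total:
                break                      # wait for the rest of this frame
            frame = self.buffer[HEADER.size:total]
            if zlib.crc32(frame) != crc:
                raise ValueError("frame failed CRC check")
            frames.append(frame)
            self.buffer = self.buffer[total:]
        return frames


def tunnel_roundtrip(frames, chunk_size: int) -> list:
    """Encapsulate frames, concatenate them as a TCP stream would, deliver
    the stream in chunk_size pieces, and return the frames recovered."""
    stream = b"".join(encapsulate(f) for f in frames)
    receiver = Decapsulator()
    recovered = []
    for i in range(0, len(stream), chunk_size):
        recovered.extend(receiver.feed(stream[i:i + chunk_size]))
    return recovered


if __name__ == "__main__":
    # Constructed FC-like frames: a 24-byte header followed by a payload.
    f1 = bytes(range(24)) + b"READ-0001-BLOCK!"
    f2 = bytes(range(24)) + b"WRITE-02-BLOCK!!"
    print(tunnel_roundtrip([f1, f2], chunk_size=7) == [f1, f2])
```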
Fibre Channel connection
Fibre Channel connection (FICON) architecture is an enhancement of, rather
than a replacement for, the traditional IBM Enterprise Systems Connection (ESCON)
architecture. A SAN is Fibre Channel-based (FC-based). Therefore, FICON is a
prerequisite for IBM z/OS systems to fully participate in a heterogeneous SAN, where the
SAN switch devices allow the mixture of open systems and mainframe traffic.
FICON is a protocol that uses Fibre Channel as its physical medium. FICON
channels can achieve data rates up to 200 MBps full duplex and extend the channel
distance (up to 100 km). FICON can also increase the number of control unit images per
link and the number of device addresses per control unit link. The protocol can also retain
the topology and switch management characteristics of ESCON.
Higher-level layers
This section consists of the presentation and application layers.
Server-attached storage
The earliest approach was to tightly couple the storage device with the server.
This server-attached storage approach keeps performance overhead to a minimum.
Storage is attached directly to the server bus by using an adapter, and the storage device
is dedicated to a single server. The server itself controls the I/O to the device, issues the
low-level device commands, and monitors device responses.
Initially, disk and tape storage devices had no onboard intelligence. They just ran the I/O
requests of the server. Subsequent evolution led to the introduction of control units.
These units are storage offload servers that contain a limited level of intelligence. They
are able to perform functions, such as I/O request caching for performance
improvements, or dual copy of data (RAID 1) for availability. Many advanced storage
functions are developed and implemented inside the control unit.
Network-attached storage
Network-attached storage (NAS) is basically a LAN-attached file server that
serves files by using a network protocol such as Network File System (NFS). NAS is a
term that is used to refer to storage elements that connect to a network and provide file
access services to computer systems. A NAS storage element consists of an engine that
implements the file services (by using access protocols such as NFS or Common Internet
File System (CIFS)) and one or more devices, on which data is stored. NAS elements
might be attached to any type of network. From a SAN perspective, a SAN-attached NAS
engine is treated just like any other server. However, a NAS does not provide any of the
activities that a server in a server-centric system typically provides, such as email,
authentication, or file management.
NAS allows more hard disk storage space to be added to a network that already
uses servers, without shutting them down for maintenance and upgrades. With a NAS
device, storage is not a part of the server. Instead, in this storage-centric design, the
server still handles all of the processing of data, but a NAS device delivers the data to the
user. A NAS device does not need to be located within the server, but can exist
anywhere in the LAN and can be made up of multiple networked NAS devices. These
units communicate to a host by using Ethernet and file-based protocols. This method is in
contrast to the disk units that are already described, which use Fibre Channel protocol
and block-based protocols to communicate. NAS storage provides acceptable
performance and security, and it is often less expensive for servers to implement (for
example, Ethernet adapters are less expensive than Fibre Channel adapters).
To bridge the two worlds and open up new configuration options for clients, some
vendors, including IBM, sell NAS units that act as a gateway between IP-based users and
SAN-attached storage. This configuration allows for the connection of the storage device and
shares it between your high-performance database servers (attached directly through FC) and
your users (attached through IP). These users do not have performance requirements nearly as
strict.
NAS is an ideal solution for serving files that are stored on the SAN to users in cases
where it would be impractical and expensive to equip users with Fibre Channel adapters. NAS
allow
2.3.3 Servers
Each of the different server platforms (IBM System z, UNIX, IBM AIX, HPUX, Sun Solaris,
Linux, IBM i, and Microsoft Windows Server) implement SAN solutions by using various interconnects and
storage technologies. The following sections review these solutions and the different implementations on
each of the platforms.
Mainframe servers
In simple terms, a mainframe is a single, monolithic, and possibly multi-processor high-
performance computer system. Apart from the fact that IT evolution is pointing toward a more distributed
and loosely coupled infrastructure, mainframes still play an important role in businesses that depend on
massive storage capabilities.
The IBM System z is a processor and operating system mainframe set. Historically, System z
servers supported many different operating systems, such as z/OS, IBM OS/390, VM, VSE, and TPF,
which have been enhanced over the years. The processor to storage device interconnection also evolved
from a bus and tag interface to ESCON channels, and now to
FICON channels. Figure 2-6 shows the various processor-to-storage interfaces.
Because of architectural differences, and strict data integrity and management requirements, the
implementation of FICON is somewhat behind that of FCP on open systems. However, at the time of
writing, FICON has caught up with FCP SANs, and they coexist amicably.
For the latest news on IBM zSeries FICON connectivity, see this website:
http://www-03.ibm.com/systems/z/hardware/connectivity/index.html
In addition to FICON for traditional zSeries operating systems, IBM has standard Fibre
Channel adapters for use with zSeries servers that can implement Linux.
UNIX based servers
Originally designed for high-performance computer systems, such as mainframes, the UNIX
operating systems of today are present on a great variety of hardware platforms, ranging from
Linux based PCs to dedicated large-scale stations. Because of its popularity and maturity, UNIX also plays an
important role in both existing and earlier IT infrastructures.
The IBM System p line of servers, running a UNIX operating system that is called AIX, offers various
processor to storage interfaces, including SCSI, SAS (Serial Attached SCSI), and Fibre Channel. The
Serial Storage Architecture (SSA) interconnection is primarily used for disk storage. Fibre Channel
adapters are able to connect to tape and disk. Figure 2-7 shows the various processor-to-storage
interconnect options for the System p family.
The various UNIX system vendors in the market deploy different variants of the UNIX operating
system, each having some unique enhancements, and often supporting different file systems such as the
journaled file system (JFS), enhanced journaled file system (JFS2), and the IBM Andrew File System
(AFS). The server-to-storage interconnect is similar to
System p, as shown in Figure 2-7.
For the latest System p IBM Power Systems products, see this website:
http://www.ibm.com/systems/storage/product/power.html
Windows based servers
Based on the reports of various analysts regarding growth in the Windows server market (both in
the number and size of Windows servers), Windows will become the largest market for SAN solution
deployment. More and more Windows servers will host mission-critical applications that benefit from SAN
solutions, such as disk and tape pooling, tape sharing, multipathing, and remote copy.
The processor-to-storage interfaces on IBM System x servers (IBM Intel-based processors that
support the Microsoft Windows Server operating system) are similar to the interfaces that
are supported on UNIX servers, including SCSI and Fibre Channel.
For more information, see the IBM System x SAN website:
http://www.ibm.com/systems/storage/product/x.html
Single-level storage
Single-level storage (SLS) is probably the most significant differentiator in a SAN solution
implementation on an IBM System i server. This System i differentiator is a factor when compared to
other systems such as z/OS, UNIX, and Windows. In IBM i, both the main storage (memory) and the
auxiliary storage (disks) are treated as a large virtual address space that is known as SLS.
Figure 2-8 compares the IBM i SLS addressing with the way that Windows or UNIX systems work,
by using the processor local storage. With 32-bit addressing, each process (job) has
4 GB of addressable memory. With 64-bit SLS addressing, over 18 million terabytes (18 Exabyte) of
addressable storage is possible. Because a single page table maps all virtual addresses to physical
addresses, task switching is efficient. SLS further eliminates the need for address translation, thus
speeding up data access.
Figure 2-8 IBM i versus Windows Server 32 bits or UNIX storage addressing
The System i SAN support was rapidly expanded. System i servers now support attachment to switched
fabrics and to most of the IBM SAN-attached storage products.
For more information, see the IBM System i SAN website:
http://www.ibm.com/systems/i/hardware/storage/
2.3.4 Putting the components together
After going through a myriad of technologies and platforms, we can easily understand why it is a
challenge to implement true heterogeneous storage and data environments across different hardware and
operating system platforms. Examples of such environments include:
Disk and tape sharing across z/OS, IBM i, UNIX, and Windows Server.
One of the SAN principles, which is infrastructure simplification, cannot be easily achieved.
Each platform, along with its operating system, treats data differently at various levels in the system
architecture, thus creating some of these many challenges:
Different attachment interfaces and protocols, such as SCSI, ESCON, and FICON.
Different data formats, such as extended count key data (IBM ECKD), blocks, clusters, and
sectors.
Different file systems, such as Virtual Storage Access Method (VSAM), JFS, JFS2, AFS, and
Windows Server file system (NTFS).
IBM i, with the concept of single-level storage.
Different file system structures, such as catalogs and directories.
Different file naming conventions, such as AAA.BBB.CCC and DIR/Xxx/Yyy.
Different data encoding techniques, such as EBCDIC, ASCII, floating point, and little or big
endian.
Figure 2-9 shows a brief summary of these differences for several systems.
CHAPTER 3 : TOPOLOGIES
5.1 Fibre Channel topologies
Fibre Channel-based networks support three types of base topologies: point-to-point, arbitrated
loop, and switched fabric. A switched fabric is the most commonly encountered topology today, and it
has sub-classifications of its own. Figure 5-1 depicts the various classifications of SAN topology.
Figure 5-1 SAN topologies
5.1.1 Point-to-point topology
A point-to-point connection is the simplest topology. It is used when there are exactly two
nodes, and future expansion is not predicted. There is no sharing of the media, which allows the devices
to use the total bandwidth of the link. A simple link initialization is needed before communications can
begin.
Fibre Channel is a full duplex protocol, which means both paths transmit data simultaneously.
As an example, Fibre Channel connections that are based on the 1 Gbps standard are able to transmit at
100 MBps and receive at 100 MBps simultaneously. As another example, for Fibre Channel connections
that are based on the 2 Gbps standard, they can transmit at 200 MBps and receive at 200 MBps
simultaneously. This speed extends to 4 Gbps, 8 Gbps, and 16 Gbps technologies as well.
Figure 5-2 shows an illustration of a simple point-to-point connection.
Figure 5-2 Point-to-point connection
5.1.2 Arbitrated loop topology
Arbitrated loop topology: Although this topology is rarely encountered anymore, and is
considered as a legacy topology, we include it for historical reasons only.
Our second topology is Fibre Channel Arbitrated Loop (FC-AL). FC-AL is more useful for
storage applications. It is a loop of up to 126 nodes (NL_Ports) that is managed as a shared bus. Traffic
flows in one direction, carrying data frames and primitives around the loop with a total bandwidth of 400
MBps (or 200 MBps for a loop-based topology on 2 Gbps technology).
Using arbitration protocol, a single connection is established between a sender and a receiver,
and a data frame is transferred around the loop. When the communication comes to an end between the
two connected ports, the loop becomes available for arbitration and a new connection might be
established. Loops can be configured with hubs to make connection management easier. A distance of
up to 10 km is supported by the Fibre Channel standard for both of these configurations. However,
latency on the arbitrated loop configuration is affected by the loop size.
A simple loop, which is configured by using a hub, is shown in Figure 5-3.
Figure 5-3 Arbitrated loop
We describe FC-AL in more depth in 5.4, Fibre Channel Arbitrated Loop protocols on page 108.
5.1.3 Switched fabric topology
Our third, and the most useful topology that is used in SAN implementations, is Fibre
Channel Switched Fabric (FC-SW). It applies to switches and directors that support the
FC-SW standard; that is, it is not limited to switches as its name suggests. A Fibre Channel fabric is one
or more fabric switches in a single, sometimes extended, configuration. Switched fabrics provide full
bandwidth to each port, compared to the shared bandwidth per port in arbitrated loop
implementations.
One of the key differentiators is that if you add a device into the arbitrated loop, you further divide
the shared bandwidth. However, in a switched fabric, adding a device or a new connection between
existing ones actually increases the bandwidth. For example, an eight-port switch (assume that it is based
on Gbps technology) with three initiators and three targets, can support three concurrent 200 MBps
conversations or a total of 600 MBps throughput. This equates to 1,200 MBps, if full-duplex applications
were available.
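The bandwidth contrast between the arbitrated loop of 5.1.2 and the switched fabric described above, as an added example that is not part of the original text: a small scheduling model in which a loop serialises transfers behind one arbitration winner at a time, while a fabric lets every initiator/target pair proceed on its own full-rate port. Node names, AL_PA values and transfer sizes are constructed; one transmit direction is modelled, so the text's full-duplex figure would be double.

```python
"""Throughput model: FC-AL (shared loop) versus FC-SW (switched fabric)."""
from dataclasses import dataclass

# Per the text, a 1 Gbps Fibre Channel link carries about 100 MBps in each
# direction; only one direction is modelled here.
MBPS_PER_GBPS = 100
MAX_LOOP_NODES = 126   # FC-AL limit on NL_Ports per loop


@dataclass(frozen=True)
class Transfer:
    initiator: str   # constructed node name, e.g. "host1"
    target: str      # constructed node name, e.g. "disk1"
    megabytes: int


def link_mbps(link_gbps: int) -> int:
    """Payload rate of one link in one direction, in MBps."""
    return link_gbps * MBPS_PER_GBPS


def loop_schedule(transfers, link_gbps, al_pa):
    """Simulate FC-AL: all pending initiators arbitrate, the one with the
    highest-priority AL_PA (the numerically lowest) wins, holds the loop
    until its transfer ends, then releases it for the next arbitration.
    Returns (finish time in seconds, initiators in the order they won).
    Simplification: each node issues at most one transfer, so the FC-AL
    access-fairness window does not change the outcome."""
    nodes = {t.initiator for t in transfers} | {t.target for t in transfers}
    if not 2 <= len(nodes) <= MAX_LOOP_NODES:
        raise ValueError("an arbitrated loop supports 2 to 126 NL_Ports")
    rate = link_mbps(link_gbps)
    pending = list(transfers)
    clock, order = 0.0, []
    while pending:
        winner = min(pending, key=lambda t: al_pa[t.initiator])
        pending.remove(winner)
        clock += winner.megabytes / rate     # the whole loop is busy meanwhile
        order.append(winner.initiator)
    return clock, order


def fabric_schedule(transfers, link_gbps, switch_ports):
    """Simulate FC-SW: every port has a dedicated full-rate link, so a
    transfer waits only until both of its own endpoints are free.
    Returns the finish time in seconds."""
    nodes = {t.initiator for t in transfers} | {t.target for t in transfers}
    if len(nodes) > switch_ports:
        raise ValueError("fabric has fewer ports than attached devices")
    rate = link_mbps(link_gbps)
    free_at = {n: 0.0 for n in nodes}
    finish = 0.0
    for t in transfers:          # list scheduling in submission order
        start = max(free_at[t.initiator], free_at[t.target])
        end = start + t.megabytes / rate
        free_at[t.initiator] = free_at[t.target] = end
        finish = max(finish, end)
    return finish


def aggregate_mbps(transfers, seconds):
    """Aggregate throughput achieved for a set of transfers."""
    return sum(t.megabytes for t in transfers) / seconds


if __name__ == "__main__":
    # The text's example: three initiators and three targets on an
    # eight-port 2 Gbps switch; 200 MB per transfer is constructed.
    pairs = [Transfer(f"host{i}", f"disk{i}", 200) for i in (1, 2, 3)]
    al_pa = {"host1": 0x01, "host2": 0x02, "host3": 0x04}   # constructed
    t_loop, order = loop_schedule(pairs, 2, al_pa)
    t_fab = fabric_schedule(pairs, 2, 8)
    print(f"loop:   {t_loop:.1f} s, {aggregate_mbps(pairs, t_loop):.0f} MBps, "
          f"arbitration order {order}")
    print(f"fabric: {t_fab:.1f} s, {aggregate_mbps(pairs, t_fab):.0f} MBps")
    # Adding a fourth pair: the loop serialises further, the fabric does not.
    more = pairs + [Transfer("host4", "disk4", 200)]
    al_pa["host4"] = 0x08
    print("loop +1 pair:", loop_schedule(more, 2, al_pa)[0], "s;",
          "fabric +1 pair:", fabric_schedule(more, 2, 8), "s")
```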
A switched fabric configuration is shown in Figure 5-4.
Figure 5-4 Sample switched fabric topology
This configuration is one of the major reasons why arbitrated loop is considered a legacy SAN topology. A
switched fabric is usually referred to as a fabric.
In terms of switch interconnections, the switched SAN topologies can be classified as the following types:
Single switch topology
Cascaded and ring topology
Mesh topology
5.1.4 Single switch topology
The single switch topology has only one switch and has no inter-switch links (ISLs). It is the
simplest design for infrastructures that do not need any redundancy. Because it introduces a
single point of failure, this topology is rarely used.
Figure 5-5 indicates a single switch topology with all devices connected to same switch.
Figure 5-5 Single switch topology
5.1.5 Cascaded and ring topology
In a cascaded topology, switches are connected in a queue fashion, as shown in Figure 5-6.
Figure 5-6 Cascade topology
In a ring topology, the switches are also connected in a queue fashion, but they form a closed ring with an
additional inter-switch link (ISL), as shown in Figure 5-7.
Figure 5-7 Ring topology
5.1.6 Mesh topology
In a full mesh topology, each switch is connected to every other switch in the fabric, as shown
in Figure 5-8.
Figure 5-8 IBM SAN768B connected to form a mesh topology
In terms of a tiered approach, the switched fabric can be further classified with the following topology:
Core-edge topology
Edge-core-edge topology
5.1.7 Core-edge topology
In core-edge topology, the servers are connected to the edge fabric and the storage is connected to
core switches. Figure 5-9 depicts the core-edge topology.
Figure 5-9 Core-edge topology
5.1.8 Edge-core-edge topology
In this topology, the server and storage are connected to the edge fabric and the core switch connectivity
is used only for scalability in terms of connecting to edge switches. This configuration expands the SAN
traffic flow to long distance by dense wavelength division multiplexing (DWDM), connecting to
virtualization appliances, and encryption switches. Also, the servers might be isolated to one edge and
storage can be at the other edge which helps with management.
Figure 5-10 shows the edge-core-edge topology.
Figure 5-10 Edge-core-edge topology
5.2 Port types
The basic building block of the Fibre Channel is the port. There are various kinds of
Fibre Channel port types.
5.2.1 Common port types
The following list provides the various kinds of Fibre Channel port types and their purpose in switches,
servers, and storage:
F_Port. This is a fabric port that connects an N_Port point-to-point to a switch.
FL_Port. This is a fabric port that is connected to a loop device. It is used to connect an NL_Port to
the switch in a public loop configuration.
TL_port. A Cisco specific port type. It is a translated loop port that is connected with non-fabric
aware, private loop devices.
G_Port. This is a generic port that can operate as either an E_Port or an F_Port. A port is
defined as a G_Port after it is connected but has not received a response to loop initialization or
has not yet completed the link initialization procedure with the adjacent Fibre Channel device.
L_Port. This is a loop-capable node or switch port.
U_Port. This is a universal port: a more generic switch port than a G_Port. It can operate as
either an E_Port, F_Port, or FL_Port. A port is defined as a U_Port when it is not connected or
has not yet assumed a specific function in the fabric.
N_Port. This is a node port that is not loop capable. It is a host end port that is used to connect to
the fabric switch.
NL_Port. This is a node port that is loop capable. It is used to connect an equipment port to the
fabric in a loop configuration through an L_Port or FL_Port.
Figure 5-11 depicts different common port types of switch and nodes.
Figure 5-11 Common port types
5.2.2 Expansion port types
The following ports are found in a multi-switch fabric where switches are interconnected via an FC link:
E_Port. This is an expansion port. A port is designated an E_Port when it is used as an
ISL to connect to the E_Port of another switch to enlarge the switch fabric.
EX_Port. The type of E_Port used to connect a Multiprotocol Router to an edge fabric. An
EX_Port follows standard E_Port protocols, and supports FC-NAT, but does not allow fabric
merging across EX_Ports.
VE_port. A virtual E port is a port that emulates an E_Port over an FCIP link. VE port connectivity
is supported over point-to-point links.
VEX_port. VEX_Ports are routed VE_Ports, just as Ex_Ports are routed E_Ports.
VE_Ports and VEX_Ports have the same behavior and functionality.
TE_port. The TE_port provides not only standard E_port functions, but allows for routing of
multiple VSANs (virtual SANs). This capability is accomplished by modifying the standard Fibre
Channel frame (VSAN tagging) upon ingress and egress of the VSAN environment. It is also
known as a Trunking E_port.
Figure 5-12 shows a fabric with expansion ports.
Figure 5-12 Fabric with expansion ports
5.2.3 Diagnostic port types
D_port is a diagnostic port type which can be enabled only on the 16 Gbps b-type switches with
Fabric Operating System 7.0. This system uses the Spinfab test and performs electrical loop
back, optical loop back, measures link distance, and also stress tests with a link saturation test.
Figure 5-13 describes the different test options. Long-distance cable checks also can be
done with D_Port diagnostic capabilities.
Figure 5-13 D_Port type diagnostics
MTx_Port is a CNT port that is used as a mirror for viewing the transmit stream of the port to be
diagnosed.
MRx_Port is a CNT port that is used as a mirror for viewing the receive stream of the port to be
diagnosed.
SD_Port is a Cisco SPAN diagnostic port that is used for diagnostic capture with a connection
to a SPAN (switch port analyzer).
ST_Port is the Cisco port type for Remote Strategic Position Analysis (RSPAN) monitoring in a
source switch. This switch is an undedicated port that is used for RSPAN analysis, and is not
connected to any other device.
Figure 5-14 represents the Cisco specific Fibre Channel port types.
Figure 5-14 Cisco specific Fibre Channel ports
CHAPTER 4 : STORAGE AREA
NETWORK AS A
SERVICE FOR CLOUD
COMPUTING
While information can be your greatest asset, it can also be your greatest challenge as you struggle to
keep up with explosive data growth. More data means more storage and more pressure to install another
rack into the data center.
Cloud computing offers a new way of solution provisioning with significant cost savings and high reliability.
6.1 What is a cloud?
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared
pool of configurable computing resources (for example: networks, servers, storage, applications, and
services). These resources can be rapidly provisioned and released with minimal management effort or
service provider interaction. Figure 6-1 shows an overview of cloud computing.
Figure 6-1 Cloud computing overview
Cloud computing provides computation, software, data access, and storage services that do not require
user knowledge of the physical location and configuration of the system that delivers the services.
Parallels to this concept can be drawn with the electricity grid, wherein users use power without needing
to understand the component devices or infrastructure that is required to provide the service.
Cloud computing describes a new consumption and delivery model for IT services, and it typically
involves provisioning of dynamically scalable and virtualized resources. The cloud introduces three key
concepts: cost savings, service reliability, and infrastructure flexibility.
To cater to the increasing, on-demand needs of business, IT services and infrastructures are moving
rapidly towards a flexible utility and consumer model by adopting new technologies.
One of these technologies is virtualization. Cloud computing is an example of a virtual, flexible delivery
model. Inspired by consumer Internet services, cloud computing puts the user in the driver's seat; that is,
users can use Internet offerings and services by using this self-service, on-demand model.
Cloud computing has the potential to have an enormous effect on your business by providing the
following benefits:
Reducing IT labor costs for configuration, operations, management, and monitoring
Improving capital utilization and significantly reducing license costs
Reducing provisioning cycle times from weeks to minutes
Improving quality and eliminating many software defects
Reducing user IT support costs
From a technical perspective, cloud computing enables these capabilities, among others:
Abstraction of resources
Dynamic right-sizing
Rapid provisioning
6.1.1 Private and public cloud
A cloud can be private or public. A public cloud sells services to anyone on the Internet. A private cloud
is a proprietary network or a data center that supplies hosted services to a limited number of people.
When a service provider uses public cloud resources to create their private cloud, the result is called a
virtual private cloud. Whether private or public, the goal of cloud computing is to provide easy, scalable
access to computing resources and IT services.
A cloud has four basic components, as shown in Figure 6-2.
Figure 6-2 Cloud computing components
6.1.2 Cloud computing components
We describe the cloud computing components, or layers, in our model.
Cloud Services
This layer is the service that is delivered to the client; it can be an application, a desktop, a server, or disk
storage space. The client does not need to know where or how their service is running; they just use it.
Cloud Infrastructure
This layer can be difficult to visualize depending on the final delivered service. If the final service is a chat
application, the cloud infrastructure is the servers on which the chat application is running. In the other
case, if the final service is a virtualized server, the cloud infrastructure is all the other servers that are
required to provide a server as a service to the client. Examples of these types of servers include:
domain name server (DNS), security services, and management.
Cloud Platform
This layer consists of the selected platform to build the cloud. There are many vendors like
IBM Smart Business Storage Cloud, VMware vSphere, Microsoft Hyper V, and Citrix Xen
Server, which are well known cloud solutions in the market.
SAN + Storage
This layer is where information flows and lives. Without it, nothing can happen. Depending on the cloud
design, the storage can be any of the previously presented solutions. Examples include: Direct-attached
storage (DAS), network-attached storage (NAS), Internet Small Computer System Interface (iSCSI),
storage area network (SAN), or Fibre Channel over Ethernet (FCoE). For the purposes of this book, we
describe Fibre Channel or FCoE for networking and compatible storage devices.
6.1.3 Cloud computing models
While cloud computing is still a relatively new technology, there are generally three cloud service models,
each with a unique focus. The American National Institute of Standards and Technology (NIST) defined
the following cloud service models:
Software as a service (SaaS): This capability that is provided to the consumer is to use the
applications that a provider runs on a cloud infrastructure. The applications are accessible from
various client devices through a thin client interface, such as a web browser (for example, web-
based email). The consumer does not manage or control the underlying cloud infrastructure,
including the network, servers, operating systems, storage, or even individual application
capabilities. One possible exception is for the consumer to continue the control of limited user-
specific application configuration settings.
Platform as a service (PaaS): The capability provided to the consumer is to deploy
consumer-created or acquired applications onto the cloud infrastructure. Examples of these types
of applications include those that are created by using programming languages and tools that are
supported by the provider. The consumer does not manage or control the underlying cloud
infrastructure, including the network, servers, operating systems, or storage. But the consumer
has control over the deployed applications and possibly over the application-hosting environment
configuration.
Infrastructure as a service (IaaS): The capability provided to the consumer is to provision
processing, storage, networks, and other fundamental computing resources, on which the consumer
is able to deploy and run arbitrary software. These resources can include operating systems and
applications. The consumer does not manage or control the underlying cloud infrastructure, but
has control over operating systems, storage, and deployed applications. The consumer might
also have limited control of select networking components (for example, hosts).
Figure 6-3 shows these cloud models.
Figure 6-3 Examples of SaaS, PaaS, and IaaS services
In addition, NIST also defined the following models for deploying cloud services:
Private cloud: The cloud infrastructure is owned or leased by a single organization and is
operated solely for that organization.
Community cloud: The cloud infrastructure is shared by several organizations and supports a
specific community that has shared concerns (for example, mission, security requirements, policy, and
compliance considerations).
Public cloud: The cloud infrastructure is owned by an organization that sells cloud services to the
general public or to a large industry group.
Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (internal, community,
or public) that remain unique entities. However, these entities are bound together by standardized
or proprietary technology that enables data and application portability (for example, cloud
bursting).
Figure 6-4 shows cloud computing deployment models.
Figure 6-4 Cloud computing deployment models
From a storage perspective, IBM clients, based on their business requirements, can choose to adopt
either a public or private storage cloud. The following definitions describe these types of storage clouds:
Public storage cloud: This is designed for clients who do not want to own, manage, or maintain
the storage environment, thus reducing their capital and operational expenditures for storage.
IBM dictates the choice of technology and cloud location, shared infrastructure with variable
monthly charges, dynamic physical capacity at the client level, and security measures to isolate
client data. The public storage cloud allows for variable billing options and shared tenancy of the
storage cloud, giving clients the flexibility to manage the use and growth of their storage needs.
This type is the industry-standard view of a storage cloud offering and is comparable to storage
cloud offerings by other vendors.
Private storage cloud: With a private storage cloud, clients have the choice of technology and
location on a dedicated infrastructure with fixed monthly charges and a physical capacity that is
manageable by the client. Each application can use dynamic capacity by sharing the cloud
storage among multiple applications.
Private storage cloud solution technology and services from IBM address multiple areas of functionality.
For more information, see this website:
http://www.ibm.com/cloud-computing/us/en/
6.2 Virtualization and the cloud
When people talk about virtualization, they are usually referring to server virtualization, which means
partitioning one physical server into several virtual servers, or machines. Each virtual machine can
interact independently with other devices, applications, data, and users as though it were a separate
physical resource.
Different virtual machines can run different operating systems and multiple applications while they are
sharing the resources of a single physical computer. And, because each virtual machine is isolated from
other virtualized machines, if one crashes, it does not affect the others.
Hypervisor software is the secret sauce that makes virtualization possible. This software sits between the
hardware and the operating system, and de-couples the operating system and applications from the
hardware. The hypervisor assigns the amount of access that the operating systems and applications have
to the processor and other hardware resources, such as memory and disk input/output.
In addition to using virtualization technology to partition one machine into several virtual machines, you
can also use virtualization solutions to combine multiple physical resources into a single virtual resource.
A good example of this solution is storage virtualization. This type of virtualization is where multiple
network storage resources are pooled into what is displayed as a single storage device for easier and
more efficient management of these resources. Other types of virtualization you might hear about include
the following:
Network virtualization splits available bandwidth in a network into independent channels that
can be assigned to specific servers or devices.
Application virtualization separates applications from the hardware and the operating system,
putting them in a container that can be relocated without disrupting other systems.
Desktop virtualization enables a centralized server to deliver and manage individualized
desktops remotely. This type of virtualization gives users a full client experience, but allows IT
staff to provision, manage, upgrade, and patch them virtually, instead of physically.
Virtualization was first introduced in the 1960s by IBM. It was designed to boost utilization of large,
expensive mainframe systems by partitioning them into logical, separate virtual machines that could run
multiple applications and processes at the same time. In the 1980s and 1990s, this centrally shared
mainframe model gave way to a distributed, client/server computing model, in which many low-cost x86
servers and desktops independently run specific applications.
6.2.1 Cloud infrastructure virtualization
This type consists of virtualizing three key parts: servers, desktops, and applications. The virtualization
concept that is used for servers and desktops is almost the same, but for applications, the concept is
different.
Virtualizing servers and desktops basically takes physical computers and makes them virtual.
To make virtualization possible, a cloud platform is required. We show the traditional physical
environment in Figure 6-5 on page 130. This model shows where one application maps to one operating
system (OS), one OS to one physical server, and one physical server to one storage device.
Figure 6-5 Traditional physical environment model
6.2.2 Cloud platforms
There must be a platform that can handle putting multiple virtual servers into a single physical computer.
This platform is called the hypervisor. This platform is a layer in the computer stack between the virtual
and physical components.
There are four core concepts in virtualization: encapsulation, isolation, partitioning, and hardware
independence:
Encapsulation. The entire machine becomes a set of files, and these files contain the operating
system and application files plus the virtual machine configuration. The virtual machine files can
be managed the same way that you manage other files.
Isolation. Virtual machines (VMs) that run on a hardware platform cannot see or affect each
other, so multiple applications can be run securely on a single server.
Partitioning. VMware, for example, divides and actively manages the physical resources in the
server to maintain optimum allocation.
Hardware independence. The hypervisor provides a layer between the operating systems and the
hardware. This layer allows the same virtual machines to run on hardware from multiple vendors,
if the server is on the Hardware Compatibility List.
Figure 6-6 shows the virtualized environment.
Figure 6-6 Virtualized environment model
Server virtualization
There are three popular approaches to server virtualization: the virtual machine model, the paravirtual
machine model, and virtualization at the operating system layer.
Virtual machines (VMs) are based on the host/guest paradigm. Each guest runs on a virtual
implementation of the hardware layer. This approach allows the guest operating system to run without
modifications. It also allows the administrator to create guests that use different operating systems. The
guest has no knowledge of the host operating system because it is not aware that it is not running on real
hardware. It does, however, require real computing resources from the host so it uses a hypervisor to
coordinate instructions to the CPU. The paravirtual machine (PVM) model is also based on the
host/guest paradigm, and it uses a virtual machine monitor (VMM). In the paravirtual machine model,
however, the VMM actually modifies the code of the guest operating system. This modification is called
porting. Porting supports the VMM so that it can use privileged system calls sparingly. Like virtual machines,
paravirtual machines can run multiple operating systems. Xen and UML both use the paravirtual machine
model.
Virtualization at the OS level works a little differently. It is not based on the host/guest paradigm. In the
OS level model, the host runs a single OS kernel as its core and exports the operating system
functionality to each of the guests. Guests must use the same operating system as the host, although
different distributions of the same system are allowed. This distributed architecture eliminates system
calls between layers, which reduces CPU usage overhead. It also requires that each partition remains
strictly isolated from its neighbors so that a failure or security breach in one partition is not able to affect
any of the other partitions.
In this model, common binary files and libraries on the same physical machine can be shared, allowing an
OS-level virtual server to host thousands of guests at the same time. IBM AIX VIO and Solaris Zones both
use OS-level virtualization.
Desktop Virtualization
This is sometimes referred to as client virtualization, and is defined as a virtualization technology that is
used to separate a computer desktop environment from the physical computer. Desktop virtualization is
considered a type of client/server computing model because the virtualized desktop is stored on a
centralized, or remote, server and not the physical machine that is being virtualized.
Desktop virtualization virtualizes desktop computers and these virtual desktop environments are served
to users on the network. Users interact with a virtual desktop in the same way that a physical desktop is
accessed and used. Another benefit of desktop virtualization is that it allows you to remotely log in to
access your desktop from any location.
One of the most popular uses of desktop virtualization is in the data center, where personalized desktop
images for each user are hosted on a data center server.
There are also options for using hosted virtual desktops, where the desktop virtualization services are
provided to a business through a third party. The service provider provides the managed desktop
configuration, security, and SAN.
Application Virtualization
Application virtualization is similar to desktop virtualization, where individual desktop sessions
(OS and applications) are virtualized and run from a centralized server. However, application
virtualization virtualizes only the applications, so that they can either be run from a centralized server or be
streamed from a central server and run in an isolated environment on the desktop itself.
In the first type of application virtualization, the application image is loaded on to a central server, and
when a user requests the application, it is streamed to an isolated environment on the user's computer for
execution. The application starts running shortly after it receives sufficient data to start, and because the
application is isolated from other applications, there are unlikely to be any conflicts. The applications that can
be downloaded can be restricted based on the user ID, which is established by logging in to corporate
directories such as Active Directory (AD) or Lightweight Directory Access Protocol (LDAP).
In the second type of application virtualization, the applications are loaded as an image on remote servers
and they are run (executed) on the servers themselves. Only the on-screen information that is required to be
seen by the user is sent over the LAN. This is closer to desktop virtualization, but here only the
application is virtualized instead of both the application and the operating system. The biggest advantage
of this type of application virtualization is that it does not matter what the underlying OS is on the user's
computer, because the applications are processed on the server. Another advantage is the effectiveness of
mobile devices (mobile phones, tablet computers, and so on) that have less processing power when
running processor-hungry applications, because these applications are processed by the powerful
processors of the servers.
6.2.3 Storage virtualization
Storage virtualization refers to the abstraction of storage systems from applications or computers. It is a
foundation for the implementation of other technologies, such as thin provisioning, tiering, and data
protection, which are transparent to the server.
These are some of the advantages of storage virtualization:
Improved physical resource utilization: By consolidating and virtualizing storage systems, we can
make more efficient use of previously wasted white space.
Improved responsiveness and flexibility: De-coupling physical storage from virtual storage provides
the ability to reallocate resources dynamically, as required by the applications or storage
subsystems.
Lower total cost of ownership: Virtualized storage allows more to be done with the same or less
storage.
Several types of storage virtualization are available.
Block level storage virtualization
Block level storage virtualization refers to provisioning storage to your operating systems or
applications in the form of virtual disks. Fibre Channel (FC) and Internet Small Computer
System Interface (iSCSI) are examples of protocols that are used by this type of storage virtualization.
There are two types of block level virtualization:
Disk level virtualization. This is an abstraction process from a physical disk to a logical unit
number (LUN) that is presented as if it were a physical device.
Storage level virtualization. Unlike disk level virtualization, storage level virtualization hides the
physical layer of Redundant Array of Independent Disks (RAID) controllers and disks, and hides
and virtualizes the entire storage system.
File level storage virtualization
File level storage virtualization refers to provisioning storage volumes to operating systems or
applications in the form of files and directories. Access to storage is by network protocols, such as
Common Internet File System (CIFS) and Network File System (NFS). It presents files in a
single global namespace, regardless of the physical file location.
Tape virtualization
Tape virtualization refers to the virtualization of tapes and tape drives that use specialized hardware
and software. This type of virtualization can enhance backup and restore flexibility and performance
because disk devices are used in the virtualization process, rather than tape media.
CHAPTER 5: SECURITY
9.1 Security in the storage area network (SAN)
Security is always a major concern for networked systems administrators and users. Even for specialized
networked infrastructures, such as SANs, special care must be taken so that information does not get
corrupted, either accidentally or deliberately, or fall into the wrong hands. We must also ensure that, at
the fabric level, the correct security is in place; for example, to ensure that a user does not inadvertently
change the configuration.
Now that SANs have broken the traditional direct-attached storage paradigm of storage being cabled
directly to servers, the inherent security that this provides is lost. The SAN and its resources might be
shared by many users and many departments. The SAN might be shared by different operating systems
that have differing ideas as to who owns what storage.
To protect privacy and safeguard the storage, SAN vendors came up with a segmentation feature to
address this concern. This feature is called zoning.
The fabric itself enforces the separation of data so that only those users that are intended to have access
are able to communicate with the data which is intended for them.
Zoning, however, does not provide security in that sense; it implements only the means of segregation
(isolation). The real security issue is the vulnerability when the data itself must travel outside of the data
center, and over long distances. This type of travel often involves transmission over networks that are
owned by different carriers.
We must look at security from two different angles: for data-in-flight, as explained in 9.4.2,
Data-in-flight on page 198, and for data-at-rest, as explained in 9.4.3, Data-at-rest on page 199.
More often than not, data is not encrypted when it is sent from the source to a target.
Therefore, any information is readable with the correct tools, even though it is slightly more complicated
than simply eavesdropping on a telephone line. Because all the data is sent at a block level with the Fibre
Channel protocol (meaning that all data that is sent is squeezed into the Fibre Channel frame before
sending), sniffing a frame or two might give you 2112 bytes of data. As an example of the difficulty,
this amount would be similar to 1/333.000 of a normal CD, or 13 milliseconds of a CD spanning 74 minutes.
Obviously, this comparison does not give you much information without putting it in the right context.
There is more concern if a whole Fibre Channel port, or disk volumes and arrays, are
mirrored, or if tapes that contain information end up in the wrong hands. However, tampering
with information from a SAN is not something that just happens; it is something that takes a
concerted effort.
The storage architect and administrators must understand that in a SAN environment, often with a
combination of diverse operating systems and vendor storage devices, some combination of technologies
is required. This mixture ensures that the SAN is secure from unauthorized systems and users, whether
accidental or deliberate.
In the discussions that follow, we briefly explore some of the technologies and their associated
methodologies that can be used to ensure data integrity, and to protect and manage the fabric. Each
technology has advantages and disadvantages. And each must be considered based on a well thought-
out SAN security strategy, which is developed during the SAN design phase.
9.2 Security principles
It is a well-known fact that a chain is only as strong as its weakest link, and when describing computer
security, the same concept applies. There is no point in locking all of the doors and then leaving a window
open. A secure, networked infrastructure must protect information at many levels or layers, and have no
single point of failure.
The levels of defense must be complementary, and work with each other. If you have a SAN, or any other
network, that crumbles after a single penetration, then this level of defense is not a recipe for success.
There are a number of unique entities that must be given consideration in any environment.
We describe some of the most important ones in the topics that follow.
9.2.1 Access control
Access control can be performed with both authentication and authorization techniques:
Authentication: The secure system must challenge the user (usually with a password) so that
the user is identified.
Authorization: After identifying a user, the system is able to know what this user is allowed to access and
what they are not.
As in any IT environment, including a SAN, access to information and to the configuration or management
tools must be restricted. Access must be granted only to those individuals who need to have access and
are authorized to make changes. Any configuration or management software is typically protected with
several levels of security. Levels usually start with a user ID and password that must be assigned
appropriately to personnel based on their skill level and responsibility.
9.2.2 Auditing and accounting
An audit trail must be maintained for auditing and troubleshooting purposes, especially when you create a
root cause analysis (RCA) after an incident occurs. Inspect and archive logs regularly.
9.2.3 Data security
Whether we describe data-at-rest or data-in-flight, data security consists of both data confidentiality and
integrity:
Data confidentiality: The system must guarantee that the information cannot be accessed by
unauthorized people, that it remains confidential, and that it is only available to authorized personnel. As shown
in the next section, confidentiality is usually accomplished by using data encryption.
Data integrity: The system must guarantee that the data is stored or processed within its boundaries and
that it is not altered or tampered with in any way.
The data security and integrity requirement aims to guarantee that data from one application or system
does not become overlaid, corrupted, or otherwise destroyed. This requirement applies whether data is
intentionally destroyed or destroyed by accident, either by other applications or systems. This requirement
might involve some form of authorization, and the ability to fence off the data from one system from
another system.
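The integrity half of the requirement above, as an added example that is not part of the original report: a block store that keeps an HMAC-SHA256 tag beside every block, with the LUN and block number bound into the tag so that a block which is altered in place, or a valid block from one LUN that is "overlaid" onto another LUN's slot, fails the check on read. The key, the LUN numbers and the block contents are constructed for the demonstration; a real array would keep the tag in metadata next to the data and would add encryption for confidentiality, which this example does not cover.

```python
"""Integrity-protected block store (added example; not the report's own code)."""
import hashlib
import hmac
from typing import Dict, Tuple

BLOCK_SIZE = 512  # bytes; a SCSI-style block size chosen for the example


class IntegrityError(Exception):
    """Raised when a stored block does not match its authentication tag."""


class ProtectedBlockStore:
    def __init__(self, key: bytes) -> None:
        self._key = key
        # (lun, block_no) -> (data, tag); the tag lives beside the data.
        self._blocks: Dict[Tuple[int, int], Tuple[bytes, bytes]] = {}

    def _tag(self, lun: int, block_no: int, data: bytes) -> bytes:
        # Binding the location into the MAC input is what stops a valid block
        # from one LUN being copied onto another LUN without detection.
        msg = lun.to_bytes(4, "big") + block_no.to_bytes(8, "big") + data
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def write(self, lun: int, block_no: int, data: bytes) -> None:
        if len(data) != BLOCK_SIZE:
            raise ValueError("write must be exactly one block")
        self._blocks[(lun, block_no)] = (data, self._tag(lun, block_no, data))

    def read(self, lun: int, block_no: int) -> bytes:
        data, tag = self._blocks[(lun, block_no)]
        # Constant-time comparison; recompute the tag for this exact location.
        if not hmac.compare_digest(tag, self._tag(lun, block_no, data)):
            raise IntegrityError(f"LUN {lun} block {block_no} failed integrity check")
        return data

    # The two helpers below stand in for events outside the control path.
    def corrupt(self, lun: int, block_no: int, offset: int) -> None:
        """Flip one byte in place, as a media error or a misbehaving host would."""
        data, tag = self._blocks[(lun, block_no)]
        patched = bytearray(data)
        patched[offset] ^= 0xFF
        self._blocks[(lun, block_no)] = (bytes(patched), tag)

    def overlay(self, src: Tuple[int, int], dst: Tuple[int, int]) -> None:
        """Copy a block and its (valid) tag from one LUN onto another LUN's slot."""
        self._blocks[dst] = self._blocks[src]


def demo() -> dict:
    """Runs the three cases and reports which reads passed or were rejected."""
    store = ProtectedBlockStore(key=b"constructed-demo-key-not-for-real-use")
    store.write(1, 0, b"A" * BLOCK_SIZE)   # constructed LUN 1, block 0
    store.write(2, 0, b"B" * BLOCK_SIZE)   # constructed LUN 2, block 0
    results = {"clean": store.read(1, 0) == b"A" * BLOCK_SIZE}
    store.corrupt(1, 0, offset=100)
    try:
        store.read(1, 0)
        results["corrupt_detected"] = False
    except IntegrityError:
        results["corrupt_detected"] = True
    store.overlay((2, 0), (1, 0))          # untampered block, wrong LUN
    try:
        store.read(1, 0)
        results["overlay_detected"] = False
    except IntegrityError:
        results["overlay_detected"] = True
    return results
```

The overlay case is the one worth noting: the copied block and its tag are both genuine, and a tag computed over the data alone would accept it. Including the LUN and block number in the MAC input is what makes the "data from one application does not become overlaid" requirement checkable rather than merely hoped for.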
This data security necessity must be balanced with the requirement for the expansion of SANs to
enterprise-wide environments, with a particular emphasis on multi-platform connectivity. True cross-
platform data sharing solutions, as opposed to data partitioning solutions, are also a requirement. Security
and access control also must be improved to guarantee data integrity.
In the topics that follow, we overview some of the common approaches to securing data that are
encountered in the SAN environment. This list is not meant to be an in-depth description.
It is merely an attempt to acquaint you with the technology and terminology that is likely to be
encountered when a discussion on SAN security occurs.
9.2.4 Securing a fabric
In this section, some of the current methods for securing a SAN fabric are presented.
Fibre Channel Authentication Protocol
The Switch Link Authentication Protocol (SLAP/FC-SW-3) establishes a region of trust between switches.
For an end-to-end solution to be effective, this region of trust must extend throughout the SAN, which
requires the participation of fabric-connected devices, such as host bus adapters (HBAs). The joint
initiative between Brocade and Emulex establishes Fibre Channel Authentication Protocol (FCAP) as the
next-generation implementation of SLAP. Clients gain the assurance that a region of trust extends over
the entire domain.
Brocade incorporated FCAP into its fabric switch architecture and proposed the specification as a standard to
ANSI T11 (as part of FC-SP). FCAP is a Public Key Infrastructure (PKI)-based cryptographic
authentication mechanism for establishing a common region of trust among the various entities (such as
switches and HBAs) in a SAN. A central, trusted third party serves as a guarantor to establish this trust.
With FCAP, certificate exchange takes place among the switches and edge devices in the fabric to create
a region of trust that consists of switches and HBAs.
The fabric authorization database is a list of the WWNs, and associated information such as the domain IDs,
of the switches that are authorized to join the fabric.
The fabric authentication database is a list of the set of parameters that allows the authentication of a
switch within a fabric. An entry in the authentication database holds at least the switch worldwide name
(WWN), the authentication mechanism identifier, and a list of the appropriate authentication parameters.
Zoning
Initially, SANs did not have any zoning. It was an any-to-any communication, and there was no real
access control mechanism to protect storage that was used by one host from being accessed by another
host. When SANs grew, this drawback became a security risk as SANs became more complex and were
running more vital parts of the business. To mitigate the risk of unwanted cross communication, zoning
was invented to isolate communication to devices within the same zone.
Persistent binding
Server-level access control is called persistent binding. Persistent binding uses configuration information
that is stored on the server, and is implemented through the HBA driver of the server. This process binds
a server device name to a specific Fibre Channel storage volume or logical unit number (LUN), through a
specific HBA and storage port WWN. Or, put in more technical terms, it is a host-centric way to direct an
operating system to assign certain Small Computer System Interface (SCSI) target IDs and LUNs.
Logical unit number masking
One approach to securing storage devices from hosts that want to take over already assigned resources,
is logical unit number (LUN) masking. Every storage device offers its resources to the hosts with LUNs.
For example, each partition in the storage server has its own LUN. If the host (server) wants to access the
storage, it must request access to the LUN in the storage device. The purpose of LUN masking is to
control access to the LUNs. The storage device itself accepts or rejects access requests from different
hosts. The user defines which hosts can access which LUN with the storage device control program.
Whenever the host accesses a particular LUN, the storage device checks its access list for that LUN. The
device allows or disallows the host to gain access to the LUN.
Port binding
To provide a higher level of security, you can also use port binding to bind a particular device (as
represented by its WWN) to a specific port, so that no other device can plug into the port and assume the
role of the device that was there. A rogue device that is inserted has a different WWN from the one to
which the port was bound, so the port rejects it.
Role-based access control
A role-based access control (RBAC) feature is available in most SAN devices today. By using
RBAC, you can control user access and user authority in a simple way. RBAC allows you to grant users
access or permission to run only the tasks that are within their skill set or job role.
RBAC is normally defined by three rules:
Role assignment
Role authorization
Permission authorization
Usually each role can contain multiple users and each user can be part of multiple roles. For example, if
role1 users are only allowed access to configuration commands, and role2 users are only allowed access
to debug commands, then if John belongs to both role1 and role2, he can access configuration and
debug commands.
These predefined roles in a SAN environment are important to ensure that correct login and access is
defined for each user.
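The three RBAC rules and the role1/role2 example above, worked through as an added example (it is not the report's code and not any switch vendor's implementation). Role names match the text; the command names, user names and the audit-trail format are constructed. Every decision is appended to an audit trail, which is the record that 9.2.2 asks to be kept.

```python
"""RBAC enforcement for SAN management commands (added example; not the report's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RbacPolicy:
    # Permission authorization data: which commands each role may run.
    role_permissions: Dict[str, Set[str]] = field(default_factory=dict)
    # Role assignment data: which roles each user holds.
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # Audit trail of every decision (see 9.2.2): (user, command, decision, detail).
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def define_role(self, role: str, commands: Set[str]) -> None:
        self.role_permissions[role] = set(commands)

    def assign_role(self, user: str, role: str) -> None:
        """Rule 1, role assignment: a user can act only through roles assigned to them."""
        if role not in self.role_permissions:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def authorized_roles(self, user: str, requested: Set[str]) -> Set[str]:
        """Rule 2, role authorization: of the roles a session asks to activate,
        only those actually assigned to the user may become active."""
        return requested & self.user_roles.get(user, set())

    def permitted_commands(self, user: str) -> Set[str]:
        """Union over all of a user's roles: John in role1 and role2 gets both sets."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def check(self, user: str, command: str,
              requested: Optional[Set[str]] = None) -> bool:
        """Rule 3, permission authorization: a command runs only if an active,
        authorized role grants it. Every decision goes to the audit trail."""
        wanted = self.user_roles.get(user, set()) if requested is None else requested
        for role in sorted(self.authorized_roles(user, wanted)):
            if command in self.role_permissions[role]:
                self.audit_log.append((user, command, "ALLOW", role))
                return True
        self.audit_log.append((user, command, "DENY", "no active role grants this command"))
        return False


def build_example_policy() -> RbacPolicy:
    """Constructed policy matching the report's role1/role2 example."""
    p = RbacPolicy()
    p.define_role("role1", {"config-zone", "config-save"})   # configuration commands
    p.define_role("role2", {"debug-trace", "debug-dump"})    # debug commands
    p.assign_role("John", "role1")
    p.assign_role("John", "role2")
    p.assign_role("Mary", "role2")
    return p
```

The `requested` parameter on `check` is the least-privilege lever: a session that activates only role2 is denied configuration commands even for John, who holds role1 as well, and the denial is still recorded in the audit trail.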
9.2.5 Zoning, masking, and binding
Although zoning, masking, or binding are not classed as security products or mechanisms, combining all
of their functionality together can make the SAN more secure than it would be without them.
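The combination described in this section, as an added example that is not the report's code and not any vendor's implementation: the fabric authorization database from the FCAP discussion, port binding, zoning, and storage-side LUN masking modelled as one decision pipeline that returns a reason with every decision. All WWNs, port names, domain IDs and LUN numbers are constructed.

```python
"""Layered SAN access controls from 9.2.4 (added example; not the report's code)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Decision = Tuple[bool, str]  # (allowed, reason) so that denials can be logged

# Constructed identifiers for the demonstration.
HOST_A = "10:00:00:00:c9:00:00:0a"
HOST_B = "10:00:00:00:c9:00:00:0b"
HOST_C = "10:00:00:00:c9:00:00:0c"
ROGUE = "10:00:00:00:c9:00:00:ff"
ARRAY = "50:05:07:68:00:00:00:01"   # storage array port WWN
SWITCH = "10:00:00:05:1e:00:00:01"  # switch WWN in the authorization database


@dataclass
class SanAccessModel:
    # Fabric authorization database: switch WWN -> domain ID it may use.
    authorized_switches: Dict[str, int]
    # Port binding: switch port -> the single WWN allowed to log in on that port.
    port_bindings: Dict[str, str]
    # Zoning: zone name -> member WWNs. Devices may talk only if they share a zone.
    zones: Dict[str, Set[str]]
    # LUN masking, enforced by the storage device: (array WWN, LUN) -> permitted hosts.
    lun_masks: Dict[Tuple[str, int], Set[str]]
    # Devices that completed fabric login: WWN -> port.
    logged_in: Dict[str, str] = field(default_factory=dict)

    def switch_may_join(self, switch_wwn: str, domain_id: int) -> Decision:
        expected = self.authorized_switches.get(switch_wwn)
        if expected is None:
            return False, "switch WWN not in fabric authorization database"
        if expected != domain_id:
            return False, f"domain ID {domain_id} does not match authorized {expected}"
        return True, "switch authorized"

    def fabric_login(self, port: str, wwn: str) -> Decision:
        bound = self.port_bindings.get(port)
        if bound is not None and bound != wwn:
            return False, f"port {port} is bound to {bound}; rejecting {wwn}"
        self.logged_in[wwn] = port   # an unbound port accepts any WWN
        return True, f"{wwn} logged in on {port}"

    def share_zone(self, a: str, b: str) -> bool:
        return any(a in members and b in members for members in self.zones.values())

    def lun_access(self, host_wwn: str, array_wwn: str, lun: int) -> Decision:
        if host_wwn not in self.logged_in:
            return False, "host has not logged in to the fabric"
        if not self.share_zone(host_wwn, array_wwn):          # fabric enforces zoning
            return False, "host and array port are not in a common zone"
        allowed = self.lun_masks.get((array_wwn, lun), set())  # array enforces masking
        if host_wwn not in allowed:
            return False, f"LUN {lun} is masked from {host_wwn}"
        return True, f"LUN {lun} presented to {host_wwn}"


def build_example_san() -> SanAccessModel:
    """Constructed fabric: two zoned hosts, one unzoned host, port3 left unbound."""
    return SanAccessModel(
        authorized_switches={SWITCH: 1},
        port_bindings={"port1": HOST_A, "port2": HOST_B},
        zones={"zone_a": {HOST_A, ARRAY}, "zone_b": {HOST_B, ARRAY}},
        lun_masks={(ARRAY, 0): {HOST_A}, (ARRAY, 1): {HOST_B}, (ARRAY, 2): {HOST_A, HOST_B}},
    )
```

Two things the model makes visible that the prose only states: zoning alone does not keep a zoned host away from every LUN behind the array port it can see (HOST_A is zoned with the array but LUN 1 is still masked from it), and a port that was never bound accepts whatever WWN is plugged into it, which is why the text treats port binding as the extra layer on top of zoning.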
CHAPTER 6: SOLUTIONS
Basic solution principles
A number of important decisions must be made by the system architect, either when a new
SAN is being designed, or when an existing SAN is being expanded. Such decisions usually refer to the
choice of the connectivity technology, the preferred practices for adding capacity to a SAN, or the more
suitable technology for achieving data integration. This section describes some of these aspects.
10.2.1 Connectivity
Connecting servers to storage devices through a SAN fabric is often the first step that is taken in a
phased SAN implementation. Fibre Channel attachments have the following benefits:
Improved performance by running Small Computer System Interface (SCSI) over Fibre Channel
Extended connection distances (sometimes called remote storage)
Enhanced addressability
Many implementations of Fibre Channel technology are simple configurations that remove some of the
restrictions of the existing storage environments, and allow you to build one common physical
infrastructure. The SAN uses common cabling to the storage and other peripheral devices. The handling
of separate sets of cables, such as OEMI, ESCON, SCSI single-ended, SCSI differential, SCSI LVD, and
others, has caused IT organization management much trauma as it attempted to treat each of these
differently. One of the biggest issues is the special handling that is needed to circumvent the various
distance limitations.
Installations without SANs commonly use SCSI cables to attach to their storage. SCSI has many
restrictions such as limited speed, only a few devices that can be attached, and severe distance
limitations. Running SCSI over Fibre Channel helps to alleviate these restrictions.
SCSI over Fibre Channel helps improve performance and enables more flexible addressability and much
greater attachment distances when compared to a normal SCSI attachment.
A key requirement of this type of increased connectivity is providing consistent management interfaces for
configuration, monitoring, and management of these SAN components. This type of connectivity allows
companies to begin to reap the benefits of Fibre Channel technology, while also protecting their current
storage investments.
The flexibility and simplification of the SAN infrastructure can be dramatically improved by
using Fibre Channel over Ethernet (FCoE), which evolved over the last few years. This
enablement can easily replace dedicated switching solutions for LAN and SAN with a single
device that is able to transfer both types of data: IP packets and storage data. We call these
deployments Converged Networks. In the following topics, we briefly present the basic
migration steps to convergence.
10.2.2 Adding capacity
The addition of storage capacity to one or more servers might be facilitated while the device is
connected to a SAN. Depending on the SAN configuration and the server operating system, it
might be possible to add or remove devices without stopping and restarting the server.
If new storage devices are attached to a section of a SAN with loop topology (mainly tape
drives), the loop initialization primitive (LIP) might affect the operation of other devices that
are on the loop. This setback might be overcome by slowing down the operating system
activity to all of the devices on that particular loop, before you attach the new device. This
setback is far less of a problem with the latest generation of loop-capable switches. If storage
devices are attached to a SAN by a switch, then the use of the switch and its management
software makes it possible to make the devices available to any system that is connected to
the SAN.
10.2.3 Data movement and copy
Data movement solutions require that data be moved between similar or dissimilar storage
devices. Today, data movement or replication is performed by the server or multiple servers.
The server reads data from the source device, perhaps transmitting the data across a LAN or
WAN to another server. Then, the data is written to the destination device. This task ties up
server processor cycles and causes the data to travel twice over the SAN. The data travels
one time from the source device to a server, and then a second time from a server to a
destination device.
The objective of SAN data movement solutions is to avoid copying data through the server
and across a LAN or WAN, which frees server processor cycles and LAN or WAN bandwidth.
Today, such replication can be performed inside the SAN by intelligent tools and utilities,
and between data centers by carrying Fibre Channel across an IP WAN with FCIP, for example.
The following sections list some of the available copy services functions.
Data migration
One of the critical tasks for a SAN administrator is to move data between two independent
SAN infrastructures, for example from an old storage system that is being retired to a new,
higher-performing enterprise disk system. There are basically two scenarios: the SANs are
independent and cannot be interconnected, even if they reside in the same data center; or the
disk systems can be cross-connected through SAN switches.
Data replication over storage area networks
In this scenario, both storage devices (both SANs) can be interconnected, and data is
migrated directly from the old to the new storage box, without interruption of service or
performance impact on the application or host server. This type of migration is a block-level
data copy: the storage systems do not interpret the data on the disks, they simply split it
into blocks and copy those blocks that have changed since the previous pass. Many storage
vendors, including IBM, offer replication services for their disk storage systems as an
optional feature, usually as part of a backup and recovery solution. Copy services can be
extended further, over long distances through a WAN, to fulfill disaster recovery requirements
or simply to make application services highly available across geographies.
Figure 10-1 demonstrates, in principle, how this LUN (logical unit number) migration works.
Figure 10-1
In Figure 10-1, the storage administrator must migrate data to the newly deployed,
higher-performing disk storage system without interruption to the client's most critical SAP
applications. Fortunately, both the source and the target storage system are under our
management and are configured to communicate with each other through the SAN switches. Disk
copy services replicate specific LUNs from the old to the new storage device and, most
importantly, do so without any performance impact on the SAP application.
The same procedure is often used to prepare a standby application server that is connected
to the replicated LUNs, or simply to replace the old server hardware on which the SAP
application runs, with only the minimum outage needed to switch the application over to the
prepared server.
Host-based data migration
Host-based migration of storage data is used when the storage administrator cannot
establish a connection between the source and the target disk storage system. This is
typically the case in data centers with two independent SANs, each of them often managed by
a different team of administrators or even supplied by a different vendor.
The principle of the migration is shown in Figure 10-2.
The application server is connected to both SANs through independent host bus adapters
(HBAs). The application owners and the SAN2 administrators analyze the current disk
structure that is assigned from the source storage system, and the SAN2 administrator
assigns the same disk capacity to the application server from the target system. The
application or system owner then migrates the data from the source disks to the target disks,
either manually with operating system tools while the application is offline, or online by
enabling disk mirroring between the two sets of disks. Once the data is synchronized between
source and target, the mirror is broken, the source disks are unassigned, and the source
storage system is disconnected from the application server. The disadvantage of this solution
is the significant I/O load on both the source and the target LUNs, which can affect the
performance of critical applications.
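Both migration styles described above rest on the same mechanism: copy every block once, then keep copying only the blocks the application has changed, and break the mirror only when source and target are proven identical. The following is an added example, not code from this report or from any vendor's copy service, that models that mechanism in memory with a dirty-block bitmap. The block size, the sample LUN and the writes that land during the copy are constructed for the example.

```python
"""Block-level copy with changed-block tracking (in-memory model)."""

import hashlib

BLOCK_SIZE = 4096  # assumed tracking granularity (bytes)


class Volume:
    """A LUN as a bytearray plus the set of dirty block indexes."""

    def __init__(self, nblocks: int, fill: bytes = b"\x00") -> None:
        self.nblocks = nblocks
        self.data = bytearray(fill) * (nblocks * BLOCK_SIZE)
        self.dirty = set(range(nblocks))  # before the first pass every block counts as changed

    def write(self, offset: int, payload: bytes) -> None:
        """Host write path: update the bytes and mark every block the write touched."""
        self.data[offset:offset + len(payload)] = payload
        first = offset // BLOCK_SIZE
        last = (offset + len(payload) - 1) // BLOCK_SIZE
        self.dirty.update(range(first, last + 1))

    def block(self, i: int) -> bytes:
        return bytes(self.data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])

    def digest(self) -> str:
        return hashlib.sha256(bytes(self.data)).hexdigest()


def copy_pass(src: Volume, dst: Volume) -> int:
    """Copy every block currently marked dirty into dst; return how many moved.

    The dirty bit is cleared before the block is read, so a write that lands
    while the block is in flight re-dirties it and it is picked up next pass."""
    moved = 0
    for i in sorted(src.dirty):
        src.dirty.discard(i)
        dst.data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] = src.block(i)
        moved += 1
    return moved


def migrate(src: Volume, dst: Volume, writes_during_copy) -> dict:
    """Full pass, application writes, delta pass, quiesced pass, verification."""
    passes = [copy_pass(src, dst)]               # initial full copy of all blocks
    for offset, payload in writes_during_copy:   # the application is still online
        src.write(offset, payload)
    passes.append(copy_pass(src, dst))           # delta: only the re-dirtied blocks
    passes.append(copy_pass(src, dst))           # application quiesced: must move 0
    verified = src.digest() == dst.digest()      # only now is it safe to break the mirror
    return {"passes": passes, "verified": verified, "blocks": src.nblocks}


def demo() -> dict:
    """Constructed sample: a 64-block LUN, three blocks rewritten mid-copy."""
    src = Volume(64, fill=b"\xaa")
    dst = Volume(64)                               # empty target LUN of the same size
    writes = [
        (3 * BLOCK_SIZE + 100, b"A" * 10),         # inside block 3
        (10 * BLOCK_SIZE + 4000, b"B" * 200),      # straddles blocks 10 and 11
    ]
    return migrate(src, dst, writes)


if __name__ == "__main__":
    print(demo())  # {'passes': [64, 3, 0], 'verified': True, 'blocks': 64}
```

The third pass moving zero blocks is the signal that the cut-over window has been reached; a migration that never reaches a zero-block pass is one whose application write rate exceeds the copy rate, and the quiesce has to be scheduled rather than hoped for.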
Remote data copy and migration
Remote copy, or remote data migration, is a business requirement that is used to protect
data against disasters, or to move data away from a location to avoid application downtime
during planned outages such as hardware or software maintenance. A further use of remote copy
services is to provide a highly available or fault-tolerant infrastructure for business-critical
systems and applications across data centers, typically over long distances, sometimes even
across continents.
Remote copy solutions are either synchronous or asynchronous, and they require different
levels of automation to guarantee data consistency across disks and disk subsystems.
Remote copy solutions are implemented only for disks, at the physical or logical volume block
level. Complete solutions from various vendors support data migration projects, scheduling
them to make optimal use of the client's network resources and to eliminate the effect on
critical production environments. Products of this kind help clients migrate whole SAN data
volumes from small remote data centers to a central one across a WAN without interruption to
the service.
In the future, with more advanced storage management techniques such as outboard
hierarchical storage management and file pooling, remote copy solutions would need to be
implemented at the file level. This implies more data to copy, and requires more advanced
technologies to guarantee data consistency across files, disks, and tape in multi-server
heterogeneous environments. The data center networking infrastructure must support a variety
of data transfer protocols to meet these requirements, for example FCoE, Converged Enhanced
Ethernet (CEE), or plain iSCSI.
Real-time snapshot copy
Another outboard copy service that is enabled by Fibre Channel technology is real-time
snapshot (also known as T0, or time-zero) copy. This service takes an online snapshot,
freezing the data (databases, files, or volumes) at a certain point in time, and allows the
applications to keep updating the original data while the frozen copy is duplicated. With the
flexibility and extensibility that Fibre Channel brings, these snapshot copies can be made to
either local or remote storage devices. The requirement for this type of function is driven by
the need for 24x7 availability of key database systems. The solution works best in
homogeneous infrastructures whose devices come from a single vendor.
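The usual way a storage system makes a T0 snapshot instantaneous is copy-on-write: nothing is copied when the snapshot is taken, and the old content of a block is saved only the first time that block is overwritten afterwards. The following added example, not code from this report or from any vendor's snapshot feature, implements that scheme on a small in-memory volume so that the interaction between ongoing host writes and a backup walking the frozen copy can be seen. The block size and the sample records are constructed.

```python
"""Copy-on-write time-zero (T0) snapshot (in-memory model)."""

BLOCK = 512  # assumed block size in bytes


class SnapshotVolume:
    def __init__(self, nblocks: int) -> None:
        self.live = [bytes(BLOCK) for _ in range(nblocks)]
        self.snapshots: dict = {}   # snapshot id -> {block index: content at T0}
        self._next_id = 0

    def snapshot(self) -> int:
        """T0: register an empty save area. No data moves, so this is instant."""
        sid = self._next_id
        self._next_id += 1
        self.snapshots[sid] = {}
        return sid

    def write(self, idx: int, payload: bytes) -> None:
        """Host write: preserve the old block for every snapshot that has not
        saved it yet (the first overwrite after T0 wins), then update live."""
        for saved in self.snapshots.values():
            saved.setdefault(idx, self.live[idx])
        self.live[idx] = payload[:BLOCK].ljust(BLOCK, b"\x00")

    def read_snapshot(self, sid: int, idx: int) -> bytes:
        """Saved T0 copy if the block changed since T0, otherwise the live block."""
        saved = self.snapshots[sid]
        return saved[idx] if idx in saved else self.live[idx]

    def cow_blocks(self, sid: int) -> int:
        """Space the snapshot actually consumes: one block per block overwritten."""
        return len(self.snapshots[sid])

    def delete_snapshot(self, sid: int) -> None:
        del self.snapshots[sid]


def duplicate_frozen_copy(vol: SnapshotVolume, sid: int) -> list:
    """The 'duplicate the frozen copy' step, e.g. to tape or a remote device."""
    return [vol.read_snapshot(sid, i) for i in range(len(vol.live))]


def demo() -> dict:
    """Constructed scenario: snapshot, then keep writing while the copy runs."""
    vol = SnapshotVolume(8)
    vol.write(0, b"record-0 v1")
    vol.write(5, b"record-5 v1")
    sid = vol.snapshot()                  # T0
    vol.write(0, b"record-0 v2")          # first overwrite after T0: v1 is saved
    vol.write(0, b"record-0 v3")          # second overwrite: saved v1 must survive
    vol.write(7, b"record-7 new")         # block empty at T0: its zeros are saved
    frozen = duplicate_frozen_copy(vol, sid)

    def strip(b: bytes) -> bytes:
        return b.rstrip(b"\x00")

    return {
        "t0_block0": strip(frozen[0]),
        "live_block0": strip(vol.live[0]),
        "t0_block5": strip(frozen[5]),
        "t0_block7": strip(frozen[7]),
        "cow_blocks": vol.cow_blocks(sid),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties matter in practice and both are visible here: the snapshot costs space in proportion to what changes after T0, not to the volume size, and the copy is only crash-consistent. A database that buffers writes in memory must be quiesced or put into its backup mode at T0 for the frozen copy to be restorable.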
10.2.4 Upgrading to faster speeds
Another consideration in any SAN environment is how newer, faster technology is to be
introduced. Both 8 Gbps Fibre Channel and 10 GbE products already have a significant
footprint in the market and in data center networking, and vendors are moving forward with
even faster technologies and products such as 16 Gbps Fibre Channel ports and HBAs. Most
applications do not benefit from the faster technology immediately: applications with random
or bursty I/O might gain no advantage at all, and only applications and systems that stream
large amounts of data are likely to see immediate benefits. One place where 16 Gbps makes
sense is the inter-switch link (ISL). This has two advantages: the obvious one is the increased
speed between switches; the other is that the increased bandwidth might allow fewer ISLs, so
that the freed ports can be reassigned to attach hosts or storage.
Another consideration is cost. IT architects and investors must evaluate their current SAN
solutions and make a strategic decision: whether it is beneficial to continue upgrading a
dedicated Fibre Channel solution to 16 Gbps devices, or whether it is the right time to
consider an upgrade to converged networks using, for example, FCoE. Many products on the
market support such transformations and transitions and protect the clients' investments for
the future.
10.3 Infrastructure simplification
High on the list of critical business requirements is the need for IT infrastructures to better
support business integration and transformation efforts. At the heart of these data center
efforts is often the simplification and streamlining of core storage provisioning services and
storage networking.
Viewed in the broadest sense, infrastructure simplification is an optimized, evolutionary
approach (the next logical step beyond basic server consolidation and virtualization) for
companies on the verge of becoming true on-demand businesses, that is, businesses that are
highly competitive in their market.
Is your IT infrastructure a complex set of disparate, server-specific, siloed applications
operating across an endless array of servers (transaction processing servers, database
servers, tiered application servers, data gateways, human resource servers, accounting
servers, manufacturing servers, engineering servers, email servers, web servers, and so on)?
If so, you must be able to answer questions such as: Where can we deploy the next
application? Where can we physically put the next server? How can we extend our storage
resources? How can we connect more virtual or physical servers? Or simply: Is there a simpler
way to manage all of these servers? We try to answer these questions in the following topics.
10.3.1 Where does the complexity come from?
A SAN, in theory, is a simple thing: a path from a server to a common storage resource. So
where did all the complexity come from?
Limited budgets and short-sighted strategic thinking push IT organizations into looking for
short-term solutions to pain points. When a new application or project arrives, the easy,
inexpensive option is to add another low-cost server. Although this server sprawl, the
proliferation of UNIX and Windows Intel servers, is an attractive short-term solution, the
infrastructure cost of supporting these inexpensive servers often exceeds their purchase price.
Now storage systems are added to the sprawl. Every server has two or four HBAs and a share
of the consolidated storage. As more servers are added we run out of SAN ports, so we add
another switch, and then another, and finally another. Now we have SAN sprawl: a complex,
interlinked fabric that is difficult to maintain or change.
To make things more difficult, the servers are probably purchased from multiple vendors, with
decisions made on cost, suitability for a specific application, or merely someone's personal
preference. Each vendor tests its servers on specific SAN configurations and publishes its own
interoperability matrix, the list of SAN configurations that the vendor tested and supports. It
can be difficult for a SAN administrator to find devices and configurations that work together
smoothly.
10.3.2 Storage pooling
Before SANs, physically pooling devices in a common area of the computing center was often
not possible, and where it was possible it required expensive and unique extension technology.
Introducing a network between the servers and the storage resources minimizes this problem:
hardware interconnections become common across all servers and devices, so that, for
example, common trunk cables can be used for all servers, storage, and switches.
This section briefly describes the two main types of storage device pooling: disk pooling and
tape pooling.
Disk pooling
Disk pooling allows multiple servers to use a common pool of SAN-attached disk storage
devices. Disk storage resources are pooled within a disk subsystem or across multiple IBM
and non-IBM disk subsystems, and capacity is assigned to independent file systems supported
by the operating systems on the servers. The servers can be a heterogeneous mix of UNIX,
Microsoft Windows, and even IBM z/OS.
Storage can be dynamically added to the disk pool and assigned to any SAN-attached server
when and where it is needed. This provides efficient access to shared disk resources without
the level of indirection associated with a separate file server, because the storage is
effectively directly attached to all the servers, and consolidating storage capacity brings
economies of scale.
When storage is added, zoning in the fabric restricts which host ports can see the storage
ports that present the new capacity. Because many devices (or LUNs) can be presented through
a single storage port, access is further restricted on the storage system by LUN masking,
which specifies which host may access a specific device or LUN. The two controls are
independent and both must grant access before a host can reach a LUN. Both typically identify
the host by the World Wide Port Name (WWPN) of its HBA, which is an identifier rather than
an authenticated credential, so they need to be backed by strict control over who can change
the zone set and the masking tables.
Attaching and detaching storage devices can be done under the control of a common
administrative interface. Storage capacity can be added without stopping the server and made
immediately available to the applications.
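Because zoning lives in the fabric and LUN masking lives in the storage system, the two tables drift apart in practice: a LUN stays masked to a host that was long since unzoned, or a host is zoned to a storage port that presents nothing to it. The following added example, not part of this report or of any vendor's management software, derives the effective access a host really has from both tables and reports the half-configured entries. Every WWPN, zone name, host name and LUN number is constructed sample data.

```python
"""Effective-access audit for fabric zoning plus storage LUN masking."""

from itertools import combinations

# Constructed zone set: zone name -> member WWPNs (one initiator per zone)
ZONES = {
    "z_web01_arr1_p1": {"10:00:00:05:1e:aa:00:01", "50:05:07:63:0a:00:00:11"},
    "z_db01_arr1_p1":  {"10:00:00:05:1e:bb:00:01", "50:05:07:63:0a:00:00:11"},
    "z_ops02_arr1_p2": {"10:00:00:05:1e:cc:00:01", "50:05:07:63:0a:00:00:12"},
}

# Constructed masking on the array: storage port -> {LUN: permitted initiator WWPNs}
MASKING = {
    "50:05:07:63:0a:00:00:11": {
        0: {"10:00:00:05:1e:aa:00:01"},
        1: {"10:00:00:05:1e:bb:00:01"},
        2: {"10:00:00:05:1e:aa:00:01", "10:00:00:05:1e:bb:00:01"},  # shared cluster LUN
    },
    "50:05:07:63:0a:00:00:12": {
        0: {"10:00:00:05:1e:dd:00:01"},  # masked to a host that is not zoned to this port
    },
}

# Constructed host inventory: host name -> HBA WWPN
HOSTS = {
    "web01": "10:00:00:05:1e:aa:00:01",
    "db01":  "10:00:00:05:1e:bb:00:01",
    "ops02": "10:00:00:05:1e:cc:00:01",
    "bkp01": "10:00:00:05:1e:dd:00:01",
}


def zoned_pairs(zones: dict) -> set:
    """All ordered (a, b) WWPN pairs that share at least one zone."""
    pairs = set()
    for members in zones.values():
        for a, b in combinations(sorted(members), 2):
            pairs.add((a, b))
            pairs.add((b, a))
    return pairs


def effective_access(zones: dict, masking: dict) -> set:
    """(initiator, storage_port, lun) triples for which both controls agree."""
    zoned = zoned_pairs(zones)
    return {
        (ini, port, lun)
        for port, luns in masking.items()
        for lun, initiators in luns.items()
        for ini in initiators
        if (ini, port) in zoned
    }


def host_luns(host: str, zones: dict = ZONES, masking: dict = MASKING,
              hosts: dict = HOSTS) -> set:
    """(storage_port, lun) pairs a named host can actually reach."""
    wwpn = hosts[host]
    return {(port, lun) for ini, port, lun in effective_access(zones, masking)
            if ini == wwpn}


def audit(zones: dict, masking: dict) -> dict:
    """Entries that one control grants and the other does not."""
    zoned = zoned_pairs(zones)
    masked_not_zoned = sorted(
        (ini, port, lun)
        for port, luns in masking.items()
        for lun, initiators in luns.items()
        for ini in initiators
        if (ini, port) not in zoned
    )
    zoned_not_masked = sorted(
        (ini, port)
        for ini, port in zoned
        if port in masking and ini not in masking
        and not any(ini in initiators for initiators in masking[port].values())
    )
    return {"masked_but_not_zoned": masked_not_zoned,
            "zoned_but_not_masked": zoned_not_masked}


if __name__ == "__main__":
    print(sorted(host_luns("web01")))
    print(audit(ZONES, MASKING))
```

Both findings deserve attention, not just the first: a LUN masked to an unzoned host becomes reachable the moment anyone adds a zone, and a zoned host with no masking is a port that can log in to the array and enumerate it for no business reason. Because both tables key on WWPNs, the audit checks that the intended policy is configured; resisting a host that presents a forged WWPN is the job of port-based (hard) zoning and switch port binding, not of these tables.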
Tape pooling
Tape pooling addresses a long-standing problem of open systems environments: multiple
servers are unable to share tape resources. Older methods of sharing a device between hosts
consist of either manually switching the tape device from one host to the other, or writing
applications that pass the data between the connected servers through distributed
programming.
Tape pooling allows applications on one or more servers to share tape drives, libraries, and
cartridges in a SAN environment in an automated, secure manner. With a SAN infrastructure,
each host can address the tape device directly, as though it were connected to all of the
hosts. Tape drives, libraries, and cartridges are owned either by a central manager (the tape
library manager) or by a peer-to-peer management implementation, and are dynamically
allocated and reallocated to systems (the tape library clients) on demand. Tape pooling allows
for resource sharing, automation, improved tape management, and added security for tape
media.
Software is required to manage the assignment and locking of the tape devices so that tape
access is serialized: at any instant, a tape drive can be owned by one system only. Tape
pooling is an efficient and cost-effective way of sharing expensive tape resources such as
automated tape libraries.
This concept of tape resource sharing and pooling is proven in medium to enterprise backup
and archive solutions that use, for example, IBM Tivoli Storage Manager with SAN-attached
IBM tape libraries.
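The arbitration software mentioned above has to do more than hand out drives: it must refuse a release from anyone but the owner, and it must recover a drive whose owner crashed without releasing it, otherwise one failed backup job removes a drive from the pool until an operator notices. The following added example, not code from this report or from IBM Tivoli Storage Manager, is a minimal library manager with exclusive leases, a renewal heartbeat, expiry-based reclaim and a FIFO queue. Drive names, client names, the lease length and the timeline are assumptions of the example; time is passed in explicitly so the run is deterministic.

```python
"""Tape library manager that serializes access to shared drives."""

from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Lease:
    client: str
    expires: float


@dataclass
class TapeLibraryManager:
    drives: list
    lease_seconds: float = 600.0
    owners: dict = field(default_factory=dict)     # drive -> Lease
    waiting: deque = field(default_factory=deque)  # clients queued, oldest first
    log: list = field(default_factory=list)

    def _free(self) -> list:
        return [d for d in self.drives if d not in self.owners]

    def _holding(self, client: str) -> Optional[str]:
        return next((d for d, l in self.owners.items() if l.client == client), None)

    def _grant(self, drive: str, client: str, now: float) -> str:
        self.owners[drive] = Lease(client, now + self.lease_seconds)
        self.log.append(f"{drive}: allocated to {client}")
        return drive

    def _reap_and_serve(self, now: float) -> None:
        """Reclaim expired leases, then hand free drives to waiting clients in order."""
        for drive, lease in list(self.owners.items()):
            if lease.expires <= now:
                self.log.append(f"{drive}: lease of {lease.client} expired, reclaimed")
                del self.owners[drive]
        while self.waiting and self._free():
            self._grant(self._free()[0], self.waiting.popleft(), now)

    def acquire(self, client: str, now: float) -> Optional[str]:
        """Return the drive the client holds, or None if it has been queued."""
        self._reap_and_serve(now)
        held = self._holding(client)
        if held is not None:            # already an owner, possibly served from the queue
            return held
        free = self._free()
        if not free:
            if client not in self.waiting:
                self.waiting.append(client)
            return None
        return self._grant(free[0], client, now)

    def renew(self, drive: str, client: str, now: float) -> None:
        """Heartbeat from a live owner; anyone else, or a lapsed owner, is refused."""
        lease = self.owners.get(drive)
        if lease is None or lease.client != client or lease.expires <= now:
            raise PermissionError(f"{client} does not hold a valid lease on {drive}")
        lease.expires = now + self.lease_seconds

    def release(self, drive: str, client: str, now: float) -> Optional[str]:
        """Owner gives the drive back; returns the queued client it went to, if any."""
        lease = self.owners.get(drive)
        if lease is None or lease.client != client:
            raise PermissionError(f"{client} does not own {drive}")
        del self.owners[drive]
        self.log.append(f"{drive}: released by {client}")
        self._reap_and_serve(now)
        return self.owners[drive].client if drive in self.owners else None


def demo() -> dict:
    """Constructed run: two drives, four backup clients, one of which crashes."""
    mgr = TapeLibraryManager(drives=["drive0", "drive1"], lease_seconds=600)
    out = {}
    out["a"] = mgr.acquire("backup-A", now=0)       # drive0
    out["b"] = mgr.acquire("backup-B", now=0)       # drive1
    out["c"] = mgr.acquire("archive-C", now=1)      # None: pool busy, queued
    try:
        mgr.release("drive1", "backup-A", now=5)    # A does not own drive1
        out["foreign_release"] = "allowed"
    except PermissionError:
        out["foreign_release"] = "refused"
    out["handoff"] = mgr.release("drive1", "backup-B", now=10)  # drive1 -> archive-C
    mgr.renew("drive1", "archive-C", now=300)                   # C is alive and says so
    out["d_early"] = mgr.acquire("backup-D", now=300)           # None: A and C hold
    # backup-A never renews (it crashed); its lease lapses at t=600
    out["d_after_expiry"] = mgr.acquire("backup-D", now=700)    # drive0 reclaimed, granted
    return out


if __name__ == "__main__":
    print(demo())
```

The lease length is the trade-off knob: too short and a client busy streaming to tape gets its drive pulled from under it, too long and a crashed client idles a drive for the duration. The renewal heartbeat is what lets the lease stay short without that risk.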
Logical volume partitioning
At first sight one might ask: how does logical volume partitioning make my infrastructure
simpler? It looks as if we are creating more and more pieces of storage to manage.
Conceptually this is correct, but the benefit of logical volume partitioning is that it lets the
full capacity of a volume be used effectively by the target systems. It is essentially a way of
dividing the capacity of a single storage server into multiple pieces: the storage subsystem is
connected to multiple servers, and its capacity is partitioned among them.
Logical disk volumes are defined within the storage subsystem and assigned to servers; the
logical disk is what the server addresses. A logical disk might be a subset or a superset of
physical disks that are addressable only by the subsystem itself, and it can also be defined
across parts of several physical disks (striping). The capacity of a disk volume is set when it
is defined. For example, two logical disks with different capacities (say 50 GB and 150 GB)
might be created from a single 300 GB hardware-addressable disk and assigned to two
different servers, leaving 100 GB of unassigned capacity. Equally, a single 2000 GB logical
disk might be created from multiple real disks in different storage subsystems. The underlying
storage controller must have the logic to manage the volume grouping and to guarantee that
each server can access only the data that has been assigned to it.
The function of a storage controller can be taken further by storage virtualization engines
such as the IBM SAN Volume Controller, which offers greater scalability and virtualization of
storage resources than environments without such a controller, with less management effort
and clearer visibility to the target host systems.
10.3.3 Consolidation
We can improve scalability, security, and manageability by enabling devices in separate SAN
fabrics to communicate without merging the fabrics into a single, large SAN fabric. This
capability allows clients to deploy separate SAN solutions at the departmental and data
center levels initially, and then to consolidate them into large enterprise SAN solutions as
their experience and requirements grow and change. This kind of interconnection is known as
Fibre Channel routing (FC-FC routing, or inter-fabric routing).
Clients deploy multiple SAN islands for different applications with different fabric switch
solutions. The growing availability of iSCSI server capabilities creates the opportunity for
low-cost iSCSI server integration and storage consolidation. Additionally, depending on the
choice of router, they provide Fibre Channel over IP (FCIP) or iFCP capability.
The available multiprotocol SAN routers provide an iSCSI gateway service to integrate
low-cost Ethernet-connected servers into existing SAN infrastructures. They also provide an
FC-FC routing service to interconnect multiple SAN islands without requiring the fabrics to
merge into a single large SAN.
A multiprotocol-capable router solution brings a number of benefits. In our example there are
discrete SAN islands and a number of different protocols involved. Merging these SAN fabrics
would involve a number of disruptive and potentially expensive actions:
Migration costs
Configuration costs
Purchase of more licenses
Ongoing maintenance
By installing a multiprotocol router, or a core FCoE-enabled switch or director, instead, there
are many advantages:
Least disruptive method
No need to purchase extra HBAs
Minimum number of ports to connect to the router
No expensive downtime
No expensive migration costs
No ongoing maintenance costs other than the router
Support of other protocols
Increased return on investment (ROI) by consolidating resources
Fabrics stay separate, so a configuration error or fabric event in one island does not
propagate to the others, which isolates the SAN environments and makes them more secure
There are more benefits that the router and core switch can provide. In this example, an
FC-FC routing service that removes the need for a costly SAN fabric merge exercise, the
advantages are apparent and real. The router can also be used to provide the following
benefits:
Device connectivity across multiple SANs for infrastructure simplification
Tape-backup consolidation for information lifecycle management (ILM)
Long-distance SAN extension for business continuity
Low-cost server connectivity to SAN resources
10.3.4 Migration to a converged network
Medium and enterprise data centers usually run multiple separate networks: an Ethernet
network for client-to-server and server-to-server communications, and a Fibre Channel SAN for
server-to-storage traffic. To support these networks, data centers use separate redundant
interface modules for each, Ethernet network interface cards (NICs) and Fibre Channel
interfaces (HBAs) in their servers, and redundant pairs of switches at each layer of the
network architecture. Parallel infrastructures increase capital costs, make data center
management more difficult, and diminish business flexibility.
Consolidating both independent networks onto a single, integrated networking infrastructure
relies on FCoE and helps address these challenges efficiently and effectively. In the following
topics we briefly describe how to upgrade the current infrastructure to a converged network
in three principal steps. The prerequisite for the converged network is lossless 10 Gigabit
Ethernet (10 GbE) that complies with the Data Center Bridging (DCB) standards.
CONCLUSION
Benefits of SANs include:
Improved application availability
Increased application performance
Centralized storage
Centralized management
SAN architecture and management are still evolving.
Emerging technologies such as FCIP and iSCSI are based on existing, proven technologies.
SAN components and technologies are being developed that will reduce overall costs.
Management will continue to evolve with the goal of supporting a heterogeneous, multi-vendor
SAN that works with components from any vendor.