Home of RAID, SAN, storage protocols, data storage and storage management

Data Transport Processor Applications Overview

White paper
Data Transport Processor Data Transport Processor pages PDF version PDF version.

Table of Content

1. Introduction

Universal storage connectivity for your existing servers and storage devices.

The Data Transport Processor (DTP) routes disk and tape SCSI commands, and the associated block data transfers, between servers and storage devices that have SCSI, FibreChannel, or TCP/IP (iSCSI) interfaces.

The DTP can be cabled to a server's SCSI adapter (as a Target), and to SCSI Disk Arrays or Tape Libraries (as an Initiator), AND to a FibreChannel HBA (point-to-point), or to a FC-Arbitrated Loop, or to a FC switch, AND to an Ethernet NIC, or switch.

That is, the DTP allows you to connect ANY of your existing servers, whether they are SCSI-cabled, FibreChannel-cabled, or Ethernet-cabled (iSCSI) to ANY of your existing SCSI-command disk and tape devices, whether SCSI-cabled or FibreChannel-cabled or Ethernet-cabled (iSCSI).

This re-deployment versatility, made possible by the DTP, can extend the utility of, and thus increase the ROI of your existing server, system software, storage and cabling assets.

The DTP also, of course, allows you to ADD to your SAN plant a new server or block storage device, without having to also add new adapters or cabling to your existing devices.

The any-to-any block-storage connectivity of the DTP can simplify the logistics of deploying new servers and storage devices.

Expanding your FC SAN using iSCSI

Te ability of DTP to interconnect between FibreChannel/SCSI and iSCSI allows you to connect FC Sans to IP network, thus providing additional ROI for your System Software (e.g., Backup/Restore, RDBMS, Mail servers), which can be employed for remote applications.

Presenting your existing Storage Volumes as RAIDs and Partitions

The DTP LUN mapping and RAID functions can be used by system administrators to reorganize existing RAID and JBOD Disk Arrays into storage volumes, which have better performance, security, availability, and recoverability.

Providing Secure Access to your FC SAN and Storage Devices

The DTP Access Control capability (ACL) allows you to restrict access of application servers to specified storage device LUNs, create Firewalls between FC SANs and secure access of IP devices to your FC SAN in case it is connected to IP network.

2. DTP Features Brief.

The DTP 2000 series multi-protocol SAN Router is a state-of-the-art storage interoperability solution is designed to connect Fibre Channel, SCSI, and iSCSI servers and storage devices.

The DTP 2000 can be configured with up to 8 SCSI, Fibre Channel and Gigabit Ethernet cabling interfaces, with maximum of 4 SCSI and FC HBAs, or 3 Ethernet NIC. To accommodate the peak traffic that could occur among 8 interfaces, the DTP backplane is 6.3 Gbit/sec.

All DTP 2000 models include two 10/100 Base-T off-band interfaces, which can be used for remote configuration and monitoring of the DTP either using Graphical or Command Line User Interfaces.

The DTP can be easily installed and monitored via an intuitive and secure (encrypted) web browser interface such as MS Explorer or Netscape.

A command line interface is available either through an RS-232 serial port or an encrypted SSH connection to any Ethernet port on the DTP.

The DTP configuration is done through modules of Webmin, a standard web-based interface commonly used for server management. A Webmin Interface responsible for the DTP storage configurations is shown on Figure 1.

 

DTP SAN Routing configuration
Figure 1. The DTP SAN Routing configuration screen

 

The modules, whose corresponding icons can be seen on Figure 1, have the following functionality:

3. Interoperability of block-storage interfaces and cabling schemes - with no changes to existing servers or devices

The DTP allows you to deploy your existing storage devices in new ways without having to change the I/O adapters, drivers, or cabling of your application/database servers.

The DTP provides additional ROI for servers and storage devices in your SAN; even where extensive FC cabling might have already been deployed:

The DTP also provides additional ROI for non-iSCSI servers, where new iSCSI storage devices have already been deployed:

3.1 SCSI-storage-to-FibreChannel-server Interconnection.

If your storage environment includes FibreChannel cabling, whether point-to-point, or Loop, or switched, then the DTP makes it possible to connect your external SCSI devices to your Fibre-Channel enabled servers.

This will be particularly useful with storage devices that are manufactured with a SCSI interface only.

For example, the DLT series and SDLT220 tape drives produced by Quantum do not have a Fibre Channel version, so they can not be directly used by a Fibre Channel-based server without a SAN Router such as the DTP.


Routing SCSI devices to Fibre Channel Servers

Figure 2. Connecting SCSI devices to Fibre Channel-based Servers

 

3.2 Fibre Channel-storage-to-SCSI-server Interconnection

The DTP can be deployed to allow servers that either do not have Fibre Channel support at all, or simply do not have Fibre Channel hardware and drivers installed, to utilize existing Fibre Channel storage devices.


Connecting SCSI server to the Fibre Channel Network

Figure 3. Connecting SCSI server to the Fibre Channel Network

 

For example, your Enterprise contains an XYZ machine, running Obscurix OS and which, of course, has a unique and irreplaceable application and you wish to attach it to your FC SAN.

The Fibre Channel HBA is not available for this architecture, but the system does have a SCSI port available.

You can attach XYZ via SCSI to the DTP, which will be connected to the SAN via Fibre Channel for the additional storage.

DTP will make any FC device on this SAN visible to the XYZ as a SCSI device.
Up to 1920 devices connected to Fibre Channel SAN (15 SCSI Target IDs multiplied by 128 LUNs) can be routed through DTP via a single wide SCSI interface.

3.3 iSCSI-storage-to-FibreChannel/SCSI-server Interconnection

Even the new, native iSCSI storage devices, which you might have recently acquired, can be now be utilized by servers whose Operating Systems, such as BSD, IRIX, HP-UX, AIX, TRU64, etc., do not yet have iSCSI drivers.


Connecting iSCSI devices to FibreChannel/SCSI

Figure 4. Connecting iSCSI devices to FibreChannel/SCSI - based Servers.

 

4. Expanding SAN with iSCSI.

With the distance limitation of 10 Kilometers for the FC networks, remote data access in your FC SAN is currently limited to MAN space. Since iSCSI is based on TCP/IP protocol suite, the interconnection of iSCSI and FC/SCSI allows attaching legacy SCSI and Fibre Channel subsystems to IP Networks.

The ability of DTP to interconnect between FibreChannel/SCSI and iSCSI provides additional ROI for your System Software (e.g., Backup/Restore, RDBMS, Mail servers).

A pair of DTPs - because they implement iSCSI - will allow you to extend the reach of both your SCSI adapters and cabling and your Fibre Channel HBAs and cabling, by using your switched Ethernet fabric without having to add iSCSI drivers and, perhaps, higher-speed NICs to your servers. This allows you, in turn, to:

  1. Access remote data residing on FC SAN devices;
    (See Section 4.1)
  2. Consolidate backups of scattered servers to a centralized storage device, such as a large tape silo;
    (See Section 4.2)
  3. Create one or more distant backups, or even mirrors, of an important server´s files and databases. In this case, the DTP can direct the mirroring-writes for its client OS, instead of the OS itself having to execute "software RAID 1.";
    (See Section 4.3)
  4. Connect many FC SANs for centralized SAN management;
    (See Section 4.4)

4.1 Accessing Remote Storage

Remote access to the storage allows getting business critical data all over the world. The setup for such application is shown on Figure 5.


Accessing Remote FC/SCSI SAN

Figure 5. Accessing Remote FC/SCSI SAN Data.

 

This application setup requires the DTP router, which connects FC SAN to the IP network. In order to access FC SAN data, a server, in addition to IP network connectivity, must have an iSCSI driver installed. This driver is freely available on the Internet for Windows, SUN, and Linux OSes.

Once a server connects to the DTP, the storage devices, which are seen by the DTP in the SAN, will be presented to the server as SCSI LUNs, local to this server machine. iSCSI authentication mechanisms can be configured at the DTP to control access of iSCSI clients. Moreover, the DTP access control mechanisms can precisely specify, which devices would be seen, and thus accessible by which client.

The fact that iSCSI is based on TCP/IP protocol stack makes possible using the TCP/IP based encryption software such as SSL and SSH for transferring iSCSI packets. Figure 6 demonstrates how secure access between connected to the Internet server and FC SAN can be configured in order to perform data transfer through encrypted channels.


Remote access to FC SAN Data with encrypted channel

Figure 6. Accessing Remote FC SAN Data using encrypted channel, for which either SSL or SSH encryption software is used

 

The encryption of data is usually needed in the following cases:

For servers or clients, whose Operating Systems (BSD, IRIX, HP-UX, etc.) do not yet have iSCSI drivers, but access to remote storage is still desired, the second DTP should be used as shown on Figure 7. In such setup, the server or servers are connected to the DTP using FC or SCSI cabling. Again, if the secure connection is desired for the iSCSI link between two DTPs, then an encrypted SSL or SSH channel between those DTPs can be used.


Accessing Remote Data using DTP

Figure 7. Accessing Remote Data using DTP pair

 

4.2 Remote Data Backup and Archiving

The ability of the DTP Router to connect FC SAN to IP network made possible remote backup of data.

One application of remote backup is for recovery of data in case of disaster such as fire or flood in the main office of the organization. In such cases, off-site backup will be the only place to rescue the data from.

Remote backup is a cost effective backup solution for the organizations that have many locations. For such businesses, in addition to costs of installations of backup hardware and software at each location, there is a significant expense on compensation and benefits for IT personnel.

Many organizations require a secure way to perform backups. While Fibre Channel protocol does not provide such a mechanism, for iSCSI there are readily available IP network security technologies like firewall, encryption and authentication.

A pair of the DTPs that connect backup server and Tape Library/Silos warehouse to the IP network can make remote backup possible. The DTP will present remote backup hardware to the backup server as hardware, which is locally attached to the SAN the backup server belongs to. This capability makes possible usage of standard backup software such as Veritas, Legato, Tivoli, BakBone, etc. for performing data backup to remotely located hardware.

The setup for remote backup is shown on Figure 8. The iSCSI connection between the DTPs can be encrypted if needed.


remote data backup

Figure 8. Data Backup to remotely located Tape Library.

 

4.3 Remote Data Mirroring.

Remote Data Mirroring is a variation of remote backup. Unlike the regular data backup, mirroring allows you to record data at the same time at the secondary storage device as it is being written to the primary storage device.

Most of the backup software available today does not perform mirroring.

Remote Mirroring provided by the DTP does not require any mirroring software at the host or storage device.

The DTP RAID management module allows you to combine two storage arrays, local and remote into mirrored RAID, or RAID1. The local storage array can have any interface: FC, SCSI, or iSCSI. A remote storage array, which has iSCSI interface, can be directly connected to IP network. If a remote storage array has SCSI or FC interface, then the DTP would be needed to connect this array to IP network.

Certainly, one DTP pair can be used for composing more then one above-described mirrored RAID.

Advantage of such remote mirroring is that it can be centralized into one location; it does not require backup windows, any additional backup software as well as server resources such as CPU power.

The iSCSI connection can be done through encrypted channels as well to ensure data security.


Remote data mirroring

Figure 9. Remote mirroring

 

4.4 Bridging together FC SANs

Attaching FC SAN to an IP network can connect many Fibre Channel SANs over long distances as shown on Figure 10.


Interconnecting Fibre Channel SANs

Figure 10. Interconnecting two Fibre Channel SANs, placed in different locations

 

Interconnecting all FC SANs into a single network makes possible to centrally manage this storage network using Fibre Channel SAN management software such as Veritas Volume Manager, HP Open View, Brocade´s software, etc., which is used for management of a single FC SAN.

In the example presented on Figure 10, the SAN management software, installed in one FC SAN, will be able to detect devices connected to another FC SAN, because the DTP pair, which connects those SANs to each other, will present their devices of as locally attached.

5. DTP SAN Management Capabilities

The DTP routing core allows you to perform a number of SAN management functions, thus increasing the DTP ROI value. Those functions are the following:

  1. Creating Storage Device Virtual Volumes and Partitions for efficient utilization of storage devices;
    (See Section 5.1)
  2. Access Control to storage devices and networks to provide:

    • Controlled Access of Servers to Storage;
    • Fibre Channel SAN security;
    • IP Firewall security;
  3. (See Section 5.2)

5.1 Creating Storage Device Virtual Volumes and Partitions

The DTP software allows you to manage Storage Arrays in efficient way combining them into bigger volumes or splitting their volumes into smaller chunks.

The DTP allows you to create RAID levels such as concatenated (devices are combined into single volume with no additional RAID capabilities), mirror (RAID1), stripe (RAID0), redundant (RAID5) and combined RAID 1+0.

The Arrays, a RAID may consist of, can have different storage interfaces: FibreChannel, SCSI, or iSCSI.

Many Storage RAID Arrays do not have software, which would be able to present that Array externally as a set of partitions. Array partitioning is either done by the application server or special SAN management software has to be installed on the server attached to the FC SAN that array connects to.

The DTP provides partitioning mechanism, such that connected to it array can be divided on many chunks and each chunk will be presented to the servers as independent LUN.

5.2 Access Control to Storage Devices and Networks.

By itself, FibreChannel is not a secure protocol. Without implementing certain security measures within a FC SAN, application servers will be able to see all devices on the SAN and could even write to the same physical disk.

Securing a SAN involves limiting what storage the server can access, or even see. The two most common methods of providing security on a FibreChannel are zoning and LUN masking.

Zoning is a function provided by fabric switches that allows segregation of a node by port, name, or address. The zones are similar to VLANs in data networking in the way they establish a "virtual SAN" within a SAN. Zone members have any-to-any connectivity within the zone and non-members have none. Zones are established by linking either ports on FC fabric (hard zoning) or World Wide Name of FC device (soft zoning).

LUN Masking restricts access even further, to specific logical storage units. For each application server connected to the SAN, LUN masking effectively masks off the LUNs that are not assigned to the application server, allowing only the assigned LUNs to appear to the application server´s operating system. The hardware connections to other LUNs still exist, but the LUN masking makes those LUNs invisible.

The DTP Access Control capability (ACL) allows you to restrict access of application servers to specified storage device LUNs. ACL configuration involves composing of list of accessible LUNs for a server or a group of servers, thus creating so-called "Views". A view consists of table of LUNs and identifiers of servers, to which those LUNs are shown. Since application servers can connect to the DTP by FC, SCSI, or iSCSI cabling there are several means of server identification.

World Wide Name, IP hostname/address, SCSI ID are used to identify FC-cabled, IP-cabled and SCSI-cabled servers, correspondingly.

5.2.1 Controlling Server Access to Storage Devices.

The DTP Access Control capability allows you to restrict access of application servers to specified storage device LUNs in FC SAN. The scheme of such setup is shown on Figure 11.


access control right

Figure 11. Restricting Application Servers for accessing only specified Storage Arrays

 

As it is seen on Figure 11, while every Application Server and RAID Array are physically connected to the DTP, only a specific set of LUNs is visible to each Server. In order to do that, at the DTP three Views were configured. Each View consisted of the Server WWN number and set of devices and LUNs, accessible by the server with that WWN. When a server connects to the DTP, the latter looks for the View, corresponding to that Server. From that View the DTP finds out the list of LUNs, which should be presented to the Server.

5.2.2 Fibre Channel SAN Security.

The DTP can be employed as FibreChannel Firewall between two FC SANs in order to control access of servers and clients residing on one SAN to the devices residing on another SAN. Such setup is presented on Figure 12.


FC SAN Access Control Firewall

Figure 12. FC SAN Access Control Firewall.

 

Two dual or four single FibreChannel HBAs must be set at the DTP and the Target/Initiator configuration of those interfaces is shown on Figure 13.


FC Firewall

Figure 13. FC Interface configuration of DTP for FC Firewall setup

 

After the FC interfaces are set, the SAN FC Firewall Rules can be configured in two ways. The first, generic, way is for "FC Target" of one FC SAN list LUNs of all the devices residing on the other FC SAN, which can be accessed by servers connected to that "FC Target". For the example shown on Figure 13, this rule will be presented at a router as two views. One View will contain "FC Target" of "FC SAN 0" and list of LUNs and devices of "FC SAN 1". Correspondingly, another View will contain "FC Target" of "FC SAN 1" and list of LUNs and devices of "FC SAN 0".

The second, more specific, way to configure FC Firewall rules is to list for each server WWN number a list of LUNs of devices, which reside on the other FC San, that can be visible by that server. This way requires creating as many views as there are servers that need to access other FC SAN devices, which makes configuration a bit more complicated.

Both above-described types of rules can be combined together. The generic rule can be set as a default one. Then if some specific servers require access to different set of devices then one described in default set, the additional views for those servers can be created.

5.2.3 IP Firewall Security.

When the DTP connects FC SAN to IP network, it can act like a Firewall, in order to control access of IP servers and clients to FC SAN.

The example of such setup is presented on Figure 14. By default, all IP connected servers and clients do not see or able to access any of storage device residing on FC SAN. In order to allow IP connected machine to access FC SAN device, the view for IP address of that machine has to be configured at the DTP. That View contains the set of FC SAN devices and their LUNs, which are accessible by that machine.

As it is seen at Figure 14, the "Application Server" can see and access RAID 2 and RAID 4 as LUNs 0 and. Since no View for IP address of a "Client" is configured in the DTP, the "Client" when trying to connect to the DTP will see no LUNs corresponding to FC SAN devices.


IP-to-FC SAN Firewall

Figure 14. DTP employed as IP-to-FC SAN Firewall

 

6. Conclusions.

The state-of-the-art DTP Router provides a number of functions, which are needed in a modern SAN environment.

The main DTP functionality involves multi-protocol conversion for Storage Area Networks with no changes to existing servers or devices. We have shown that DTP can route between FC, SCSI and iSCSI cabled server and storage device in any direction and combination.

In addition to that, the ability of DTP to route iSCSI to FC and SCSI protocols, allows clients and servers to access remote block storage, thus opening availability of such applications as remote backup and mirroring.

The built-in capability of the DTP to perform certain SAN management functions such as creation of virtual volumes and partitions and access control to storage devices raises its ROI value. The DTP Access Control capability allows it to function as a Firewall for FibreChannel and IP setups.


clean
Technomages Inc., 2003 Home | Products | Support | Contacts