iSCSI bridges the storage gap

The lower-cost Fibre Channel alternative can help small-to-midsize offices consolidate storage.

The government’s storage story often focuses on the massive information stores at headquarters, but smaller offices also accumulate data holdings — and headaches. Storage-area networks (SANs) based on the Internet SCSI (iSCSI) protocol provide an opportunity for managers who want to migrate from traditional server-based storage but consider Fibre Channel SANs too complicated and expensive. The iSCSI SAN offers a combination of lower costs and greater ease of use, according to the technology’s adherents.

Industry watchers predict that iSCSI SANs will proliferate in 2006 and beyond. IDC forecasts that the worldwide iSCSI market will more than double this year, reaching $842 million compared with $314.1 million in 2005. IDC predicts iSCSI revenue will surpass the $1 billion mark in 2007.

Despite the momentum, iSCSI SAN vendors continue to fight the perception that their wares lack the punch of Fibre Channel SANs. But many iSCSI SANs offer disaster recovery and point-in-time snapshot capabilities, features usually associated with high-end Fibre Channel environments.

Stephen Foskett, director of strategy services at GlassHouse Technologies, a storage consulting firm, said iSCSI SANs have established a position in the market.

“We don’t foresee them replacing Fibre Channel widely anytime soon, but we see [iSCSI] expanding the market for consolidated storage,” he said. He identified small to midsize offices as a ripe market segment for the technology.

Migrating to iSCSI
The U.S. Probation Office for the Middle District of Pennsylvania demonstrates iSCSI’s appeal to operations of modest size. The office sought to consolidate islands of server-attached storage and decided to explore the SAN approach.

Gene Levis, systems manager in the office’s Technology Division, said the group considered Fibre Channel but decided against the technology. “We are a fairly small shop here,” he said. “We quickly eliminated Fibre Channel for reasons of cost and the expertise required to manage that.”

The office chose an iSCSI SAN from LeftHand Networks. Bill Chambers, LeftHand’s co-founder and chief executive officer, said the Pennsylvania case typifies market trends. He said small to midsize offices want to drop direct-attached storage, and they view iSCSI as a means for doing so.

“There is a lot of pain about managing a direct-attached environment,” Chambers said, adding that organizations must add more servers to increase storage capacity. The administrative burden of backing up numerous servers compounds matters.

Mark Weber, vice president of federal systems at Network Appliance, described the migration from direct-attached to iSCSI storage as “one of our hottest growth markets.” He cited consolidation and data protection as the primary catalysts.

The iSCSI SAN’s price and ease of management encourage storage administrators to pursue this route, industry executives say.

Foskett said a $15,000 investment will let customers acquire an iSCSI array that has 2.5 terabytes of raw storage and the ability to support a half-dozen Microsoft Windows servers. And some configurations cost less than that amount, vendor executives say.

Avoiding expense, complexity
Avoiding costs also comes into play. “The big thing is that [customers] don’t have to spend money on [host bus adapters] and Fibre Channel switches,” said Dave Dale, Network Appliance’s industry evangelist.

In contrast, iSCSI SANs use an organization’s existing IP network infrastructure, so customers don’t need to buy specialized equipment. The iSCSI approach requires the use of an iSCSI software initiator on each server in the SAN. But Microsoft offers a free initiator for its server operating systems. Various Linux and Unix operating systems, in addition to Novell’s NetWare, also provide initiators.

“There’s nothing like a free initiator to enable you to do this,” Dale said.

Dave Lindow, a systems support specialist for the Long Beach, Calif., government, said cost and ease of connectivity are factors in iSCSI’s favor. The city uses an iSCSI SAN from StoneFly Networks.

Levis also cited ease of management as a plus for iSCSI SANs.

The storage platform’s IP orientation means that administrators don’t need to learn the nuances of a new protocol. That “simplifies life tremendously,” Chambers said. “Every organization on the planet has a TCP/IP data communications network installed,” Dale added. “They already have the expertise and tools for network design.”

On the other hand, Fibre Channel presents “a huge barrier to entry…because of the expertise required and the complexity of configuring Fibre Channel fabric,” Dale said. The ability to run a SAN without hiring specialists ranks among iSCSI’s leading attractions, he added.

SAN vendors also emphasize familiar features in areas such as management interfaces. DataCore Software’s SANmelody product, which organizations can buy to build iSCSI SANs, uses the Microsoft Management Console, said George Teixeira, the company’s president and CEO. He said administrators accustomed to Windows tools and management software should find DataCore SANs a simple jump.

iSCSI performance
The performance of iSCSI SANs has been a subject of debate since the technology’s arrival in 2003.

Most of the discussion has focused on the necessary network infrastructure, potential TCP/IP bottlenecks and appropriate uses. Three years later, storage vendors and managers have started to identify some basic principles regarding iSCSI performance.

The general consensus is that the technology’s sweet spot is in smaller organizations or in divisions of larger ones. Mike Tomky, product manager of information lifecycle management solutions hardware infrastructure at Sun Microsystems’ Data Management Group, said iSCSI “is targeted more at the department level and small SANs.”

In addition to smaller groups, smaller applications also fall within iSCSI’s grasp. Foskett said iSCSI works best with applications that have lower throughput requirements.

Conversely, Fibre Channel remains the preferred technology for a customer’s most demanding applications.

“A company with heavy database use in their SAN is going to want to stay on Fibre Channel,” Tomky said.

Although a high-transaction-volume database might remain on Fibre Channel, iSCSI SANs still have plenty of room to contribute. An organization could place a few critical systems on Fibre Channel while still possessing many systems that lack any consolidated storage, Foskett said. “So iSCSI is going to enable midlevel applications to take advantage of consolidated storage,” he said.

Long Beach uses Fibre Channel and iSCSI to meet storage needs. The city uses Fibre Channel for mission-critical data, while employing iSCSI in situations that don’t demand super-fast throughput, Lindow said.

But the distinctions between iSCSI and Fibre Channel arrays will begin to diminish in some product categories.

Eric Schott, director of product management at network storage vendor EqualLogic, said using Serial Attached SCSI/Serial Advanced Technology Attachment drives will blur the lines among storage products. “It’s going to be hard to say why this storage array is different from another, other than the cable that plugs into it,” he said.

Other performance fears
TCP/IP processing has been another aspect of the iSCSI performance dialogue. In the technology’s early days, some industry executives contended that server CPUs would have trouble handling both iSCSI and general network TCP/IP processing. A few vendors began offering TCP/IP offload engine cards to boost performance.

But the iSCSI performance crunch has not come to pass, at least in the Windows server environment.

Chambers said the arrival of faster CPUs have allowed servers to keep pace with iSCSI’s processing demands. He said a server equipped with a 3 GHz Intel Xeon processor can run a Microsoft Exchange electronic messaging application and still have “a lot of extra [processing] cycles available.”

Foskett agreed that most Windows systems have CPU time to spare, making an offload engine unnecessary for performance reasons. But he added that customers might want such an engine for the ability to boot servers from the SAN.

Chambers added that host bus adapters with offload engines will become necessary as customers upgrade to the latest 10 Gigabit Ethernet network environments.

However, iSCSI deployments often find a home in Gigabit Ethernet environments. “In most cases, customers are deploying [iSCSI] with Gigabit Ethernet,” Chambers said. “Most have it deployed in their server rooms.”

But Teixeira said small organizations can get by with Ethernet.

“Small businesses aren’t out there running 1,000-user Oracle databases,” he said. “In reality, Ethernet, for most, is going to be fine.”

Advanced features
With a sound SAN foundation in place, iSCSI users can move beyond consolidated storage to take advantage of expanding capabilities. Current vendor offerings contradict the belief that iSCSI has limited functionality.

“Out of the gate, they offer a pretty full feature set,” Foskett said.

Teixeira said customers who start with simple disk capacity services might move on to snapshots for backup capability. He said SANmelody’s snapshot feature lets customers capture periodic images of an Exchange database, for example. Customers can take snapshots every few hours to create frequent recovery points in the event of a crash, he added.

In addition to local backups, iSCSI SANs also facilitate remote replication for disaster recovery. DataCore offers a dual-site disaster recovery package for SANmelody.

EMC’s entry-level AX100i and CX300i iSCSI products can also take snapshots, while the recently released NS350 storage system provides remote replication, said Jay Krone, director of Clariion platforms marketing at EMC.

LeftHand also offers remote replication for disaster recovery. Chambers cited widespread customer interest in protecting data geographically. The U.S. Probation Office in Pennsylvania uses LeftHand’s SAN/iQ Remote Copy to replicate data from its main site to a backup facility. In Long Beach, Lindow said the city hasn’t looked into disaster recovery for its iSCSI SAN, but he added that the topic could come up in the future. The city’s StoneFly iSCSI SAN backs up to a tape drive located in the same office.

Overall, customers are gravitating toward iSCSI’s expanded feature set. “Everyone shopping for IP SANs wants add-on features, in my experience,” said Jame Ervin, technical accounts manager at StoneFly.


**********

Case Study: Probation office reins in scattered storage assets

Data consolidation and protection were the main drivers behind the Internet SCSI storage-area network deployment at the U.S Probation Office for the Middle District of Pennsylvania.

The office had been relying on server-attached storage to support 33 counties in central Pennsylvania. Local storage was housed on a mix of Microsoft Windows, Novell NetWare and Linux machines. Servers were backed up to tape drives. Now, the organization is in the process of moving its data onto a consolidated iSCSI SAN from LeftHand Networks.

“Our vision is…to centralize data in one location,” said Gene Levis, systems manager in the office’s Technology Division. Officials plan to phase out the remote office servers through a combination of consolidated storage and the use of Citrix Systems’ on-demand application access product.

In addition to consolidated storage, the SAN architecture also provides multiple levels of data protection. The LeftHand SAN creates two copies of the office’s data, which are stored on two separate devices, Levis said. The office uses three LeftHand storage modules in its primary data center. This approach provides data availability in case a disk controller or a storage module fails.

The office maintains about 4.27 terabytes of data at its main storage site. To provide disaster recovery capability, that data is mirrored at another facility using LeftHand’s SAN/iQ Remote Copy software. The off-site location also operates three LeftHand storage modules. The office’s Web server is currently the only machine on the SAN. Point-in-time snapshots of the data are taken six times a day and replicated off-site. Levis said the replication strategy will be used as more systems are brought onto the SAN. Different time intervals may be used, he said.

Levis said continuity of operations was a major reason the office looked into SAN technology. Overall, he cited ease of data recovery as a benefit of the new storage approach.

“We are backing up to disk instead of tape,” Levis said. “We can recover [a file] without asking someone to flip tapes until we find the correct tape,” he said. That’s an important consideration for a small IT shop that covers a wide geographic area, he added.

The SAN environment also makes it easier to deal with server or workstation failure. “If something goes wrong with a piece of hardware, we just bring up another machine and point it to a storage device,” Levis said.

— John Moore

Special security considerations

An Internet SCSI storage-area network (SAN) can resemble a TCP/IP data network, but customers should not treat it like one, storage experts say.

“What they need to do when designing an iSCSI SAN is [recognize] they are doing a SAN” and not a local-area network, said Stephen Foskett, director of strategy services at GlassHouse Technologies, a storage consulting firm.

An iSCSI SAN should not be connected to a LAN for any reason, he added, because data can leak into the corporate LAN and from there to the Internet. “That is a very real concern,” he said.

Customers “have to plan for the fact that [iSCSI] is open to the outside world to some degree,” said Mike Tomky, product manager of information lifecycle management solutions hardware infrastructure at Sun Microsystems’ Data Management Group.

In light of the security issue, vendors recommend confining iSCSI traffic to its own subnetwork and choosing one of two main options for segregating iSCSI traffic. One involves installing a separate switch to create a private, stand-alone network, said Dave Dale, industry evangelist at Network Appliance.

The other method is to carve out an IP-based SAN using a virtual LAN, which Dale described as a standard approach among organizations with Gigabit Ethernet backbones and Cisco Systems’ Catalyst 6500 Series switches, which have spare Gigabit Ethernet ports.

Dale said about half of iSCSI customers use separate switches, while the other half use virtual LANs.

Organizations can also choose from various levels of authentication to protect their iSCSI storage networks, including:

  • Strong — The most basic level of protection is access control based on initiator name, which authenticates a server to an iSCSI storage resource.

  • Stronger — Challenge Handshake Authentication Protocol (CHAP) represents the next step up and provides more comprehensive authentication, Foskett said. CHAP relies on iSCSI initiators and targets that share a security key.

  • Strongest — IP Security (IPSec) encryption and authentication offer the highest level of security. However, experts don’t recommend using it for iSCSI SANs. “The vendors of current iSCSI SANs warn against using [IPSec because] it can seriously affect performance,” Foskett said.

— John Moore