Other Network Types

Behind every major enterprise application—every banking transaction, hospital records system, e-commerce platform, and cloud service—lies an infrastructure challenge that most users never contemplate: How do we provide fast, reliable, scalable storage to hundreds or thousands of servers simultaneously?

The naive answer—attach hard drives directly to each server—collapses under enterprise requirements. Individual servers fail, taking their local storage offline. Storage capacity cannot be shared or reallocated efficiently. Backup operations become nightmares of coordination. Growth requires purchasing storage for each server independently.

Storage Area Networks (SANs) emerged as the enterprise answer to these challenges. A SAN creates a separate, high-performance network dedicated exclusively to storage traffic, connecting servers to shared storage resources through specialized protocols and infrastructure. Understanding SANs is essential for anyone working with enterprise infrastructure, data centers, or cloud computing.

A Storage Area Network (SAN) is a dedicated, high-speed network that provides block-level access to consolidated storage. Unlike Network Attached Storage (NAS) which presents storage as file shares over standard networks, SANs present storage devices directly to servers as local disks, enabling the operating system and applications to interact with storage using standard block I/O operations.

Key Distinguishing Characteristics:

1. Block-Level Access: SAN storage appears to servers as raw block devices (like local hard drives). The server's operating system manages file systems, permissions, and data organization. This differs from NAS, where the storage system manages file-level operations.

2. Dedicated Network: SAN traffic flows over a network separate from (or isolated from) regular LAN traffic. This prevents storage I/O from competing with user data and ensures predictable performance.

3. Consolidated Storage: Physical storage resources (disk arrays, tape libraries) are pooled and shared among multiple servers. Storage allocation is logical rather than physical, enabling efficient utilization.

4. High Performance: SAN infrastructure is optimized for low latency and high throughput. Fibre Channel SANs operate at 8, 16, 32, or 64 Gbps per port—far exceeding standard Ethernet until recently.

Historical Context:

Storage Area Networks emerged in the late 1990s as mainframe channel technologies evolved to support distributed systems. The development of Fibre Channel (FC) standards in 1994 provided the foundation for modern SANs. Key milestones include:

• 1988: ANSI begins Fibre Channel standardization
• 1994: Fibre Channel Physical and Signaling Interface (FC-PH) standard published
• 1996: First commercial Fibre Channel switches and storage arrays
• 1999: Fibre Channel over IP (FCIP) specification
• 2000: iSCSI draft specification published
• 2003: iSCSI ratified as RFC 3720
• 2009: Fibre Channel over Ethernet (FCoE) standardized
• 2020s: NVMe over Fabrics (NVMe-oF) emerges as next-generation SAN protocol

Fibre Channel (FC) is the dominant SAN technology in enterprise data centers, providing a high-speed, lossless transport optimized for storage traffic. Despite the spelling, modern Fibre Channel typically runs over copper cabling at shorter distances, reserving fiber optics for inter-switch links and extended deployments.

Fibre Channel Speed Evolution:

Fibre Channel Protocol Stack:

The FC architecture comprises five layers (FC-0 through FC-4):

FC-0: Physical Interface

• Defines physical characteristics: cables, connectors, signal specifications
• Supports multimode and single-mode fiber optic cables
• Copper (Twinax) for short-range connections
• Specifies transmission rates and link distances

FC-1: Transmission Protocol

• Defines encoding/decoding schemes (8b/10b, 64b/66b)
• Handles byte synchronization
• Provides ordered sets for frame delimiters and control
• Implements run-length limiting for clock recovery

FC-2: Signaling Protocol

• Core of Fibre Channel protocol
• Defines frame structure, addressing, flow control
• Manages frame sequencing, exchange management
• Implements three service classes:
  • Class 1: Dedicated connection (rarely used)
  • Class 2: Acknowledged connectionless (rarely used)
  • Class 3: Unacknowledged connectionless (primary class)
• Buffer-to-buffer (B2B) and end-to-end (E2E) credit-based flow control

FC-3: Common Services

• Provides services across multiple ports
• Striping across multiple links for bandwidth
• Multicast delivery capabilities
• Hunt groups for load distribution

FC-4: Protocol Mappings

• Defines upper-layer protocol interfaces
• Maps SCSI commands to FC frames (FCP)
• Supports other protocols: IP, VI, FICON
• FCP (Fibre Channel Protocol) is dominant—essentially SCSI over FC

Fibre Channel Addressing:

FC uses a hierarchical addressing scheme:

World Wide Name (WWN):

• 64-bit globally unique identifier
• Assigned to ports (WWPN) and nodes (WWNN)
• Format: xx:xx:xx:xx:xx:xx:xx:xx (hexadecimal)
• Similar conceptually to MAC addresses
• Used for persistent device identification

Fibre Channel ID (FCID):

• 24-bit address assigned during fabric login
• Format: Domain ID (8 bits) + Area ID (8 bits) + Port ID (8 bits)
• Domain ID identifies the switch
• Area ID identifies the port group within switch
• Port ID identifies the specific port
• Dynamic, assigned by fabric

Address Resolution:

• Fabric Name Server (Name Server) maintains WWPN-to-FCID mappings
• Devices register during FLOGI (Fabric Login)
• Similar to ARP in IP networking
• Enables devices to discover each other

iSCSI (Internet Small Computer System Interface) encapsulates SCSI commands within TCP/IP packets, enabling SAN functionality over standard Ethernet networks. This approach dramatically reduces SAN deployment costs by leveraging existing network infrastructure and commodity hardware.

iSCSI Architecture Components:

Initiator:

• The client that initiates SCSI commands
• Typically a server accessing remote storage
• Implemented as software (OS driver) or hardware (iSCSI HBA)
• Software initiators use standard NICs
• Hardware initiators offload TCP/IP processing

Target:

• The storage system receiving and processing SCSI commands
• Presents storage as iSCSI LUNs (Logical Unit Numbers)
• May be dedicated storage array or software on standard server
• Handles SCSI command execution and data transfer

iSCSI Qualified Name (IQN):

• Globally unique identifier for initiators and targets
• Format: iqn.yyyy-mm.reverse-domain-name:unique-identifier
• Example: iqn.2024-01.com.example:storage:disk1
• Used for access control and device identification

iSCSI Protocol Operation:

Session Establishment:

1. Discovery: Initiator queries target portal for available targets
2. Login: Initiator authenticates with target (CHAP or other methods)
3. Parameter Negotiation: Maximum data segment size, acknowledgment policies, error recovery levels
4. Connection: TCP connections established (one or multiple for multipathing)

Data Transfer:

1. Initiator sends SCSI command in iSCSI PDU (Protocol Data Unit)
2. Target processes command, accesses storage
3. Data transferred in iSCSI data-in/data-out PDUs
4. Target sends status PDU indicating completion
5. Initiator acknowledges receipt (optional, based on settings)

iSCSI PDU Types:

• SCSI Command: Carries SCSI CDB (Command Descriptor Block)
• SCSI Response: Status and sense data
• Data-In: Read data from target
• Data-Out: Write data to target
• Login/Logout: Session management
• Text: Parameter negotiation, discovery
• NOP-Out/NOP-In: Keep-alive, path verification

iSCSI Security Considerations:

Authentication:

• CHAP (Challenge-Handshake Authentication Protocol): Password-based authentication
• Mutual CHAP: Both initiator and target authenticate
• IPSec: Full encryption and authentication at network layer
• Kerberos: Enterprise authentication integration

Network Security:

• Dedicated VLAN isolation for iSCSI traffic
• Firewall rules restricting iSCSI port (TCP 3260) access
• Physical network segregation in high-security environments
• IPSec encryption for data in transit

Access Control:

• Target ACLs based on initiator IQN
• LUN masking prevents unauthorized access to specific LUNs
• CHAP prevents unauthorized login

As data center requirements evolve, new SAN protocols address the limitations of traditional Fibre Channel and iSCSI architectures. Fibre Channel over Ethernet (FCoE) and NVMe over Fabrics (NVMe-oF) represent significant advances in storage networking.

Fibre Channel over Ethernet (FCoE):

FCoE encapsulates native Fibre Channel frames within Ethernet frames, enabling FC traffic to traverse Ethernet networks. This convergence reduces infrastructure complexity by eliminating separate FC and Ethernet networks.

Key Concepts:

Converged Network Adapter (CNA): Single adapter handling both FC and Ethernet traffic, reducing server I/O slots, cables, and switch ports.

Data Center Bridging (DCB): Enhanced Ethernet extensions required for lossless FCoE transport:

• Priority Flow Control (PFC) - IEEE 802.1Qbb: Per-priority pause frames prevent buffer overflow for storage traffic class
• Enhanced Transmission Selection (ETS) - IEEE 802.1Qaz: Bandwidth allocation across traffic classes
• Data Center Bridging Exchange (DCBX): Protocol for automatic DCB parameter negotiation
• Congestion Notification (CN) - IEEE 802.1Qau: End-to-end congestion management

FCoE Frame Structure:

• Standard Ethernet header (destination/source MAC, EtherType 0x8906)
• FCoE header (version, EOF/SOF markers)
• Native FC frame (complete, unmodified)
• Ethernet FCS (Frame Check Sequence)

FCoE Deployment Considerations:

• Requires DCB-capable switches throughout the path
• Cannot traverse standard Ethernet switches or routers
• FCFs (FCoE Forwarders) bridge between FCoE and native FC
• Primarily useful for server-to-switch connectivity
• End-to-end FCoE still relatively uncommon

NVMe over Fabrics (NVMe-oF):

NVMe-oF represents the next generation of SAN protocols, designed specifically for flash storage performance. Traditional FC and iSCSI were designed when hard disk drives (HDDs) were the norm—their latencies masked protocol overhead. Modern NVMe SSDs deliver sub-100 microsecond latency, making traditional SAN protocols the bottleneck.

NVMe Native Advantages:

• Single queue per CPU core eliminates contention
• 65,535 I/O queues per controller (vs. 1 for legacy SCSI)
• 65,536 commands per queue
• Streamlined command set optimized for SSDs
• Lower CPU overhead than SCSI command processing

NVMe-oF Transport Options:

1. NVMe over Fibre Channel (FC-NVMe):

• Uses existing FC infrastructure
• NVMe commands mapped to FC-4 layer
• Leverages FC's lossless transport
• Requires newer 16/32/64GFC equipment with FC-NVMe support

2. NVMe over RDMA (RoCE, iWARP, InfiniBand):

• Bypasses kernel network stack entirely
• Sub-10 microsecond network latency
• CPU offload for maximum performance
• Requires RDMA-capable NICs and switches
• RoCE (RDMA over Converged Ethernet): Most accessible, runs over DCB Ethernet
• InfiniBand: Highest performance, separate infrastructure

3. NVMe over TCP:

• Runs over standard TCP/IP networks
• No special hardware required
• Higher latency than RDMA
• Suitable for less latency-sensitive workloads
• Easier deployment at cost of performance

Building a functional SAN requires specialized components working together. Understanding each component's role enables effective design and troubleshooting.

Host Components:

Host Bus Adapter (HBA):

• Specialized adapter connecting servers to SAN fabric
• Similar to NIC for Ethernet, but for FC/iSCSI
• Handles protocol processing, offloading from server CPU
• Each port has unique WWPN for identification
• Dual-port HBAs standard for redundancy
• Common vendors: Broadcom (Emulex), Marvell (QLogic)

Converged Network Adapter (CNA):

• Combines HBA and NIC functionality
• Single adapter handles FCoE, iSCSI, and Ethernet
• Reduces server I/O complexity
• Requires DCB-capable switches for FCoE

iSCSI HBA vs. Software Initiator:

• Hardware HBA offloads TCP/IP processing, reducing server CPU load
• Software initiators use standard NICs, lower cost but higher CPU usage
• TOE (TCP Offload Engine) NICs provide middle ground
• For high-performance workloads, hardware HBA preferred
• For VMs and less demanding workloads, software initiator often sufficient

Fabric Components:

SAN Switches:

• Core fabric building blocks
• Fibre Channel switches: 8-256+ ports per switch
• FC switched fabric enables any-to-any connectivity
• Each switch is a Domain in FC addressing
• Support ISLs (Inter-Switch Links) for fabric expansion
• Modern switches offer hybrid FC/FCoE/Ethernet
• Common vendors: Cisco (MDS series), Brocade (now Broadcom), HPE

Directors:

• High-port-count, modular SAN switches
• Chassis-based with slot-based blade insertion
• Non-disruptive blade replacement
• Typically 128-512+ ports
• Used as core switches in large fabrics
• Built-in redundancy (power, fans, supervisors)

FC Routers:

• Connect separate FC fabrics without merging
• Enable inter-fabric communication
• Provide routing between fabrics with different domain IDs
• Used for isolating environments while sharing storage

Storage Components:

Storage Array:

• Enterprise storage system with multiple disk drives
• Presents storage as LUNs to SAN-connected hosts
• Internal RAID protection for disk failures
• Dual controllers for high availability
• Cache memory for performance optimization
• Common vendors: Dell EMC, NetApp, HPE, Pure Storage, Hitachi

All-Flash Arrays (AFA):

• SSDs replace HDDs entirely
• Dramatically lower latency (sub-millisecond)
• Higher IOPS density per rack unit
• Data reduction (deduplication, compression) standard
• NVMe internal protocols increasingly common

Storage Controllers:

• The 'brains' of storage arrays
• Process incoming SCSI/NVMe commands
• Manage cache, RAID calculations, data placement
• Dual-active or active-passive for HA
• Each controller presents ports to SAN fabric

In large SAN environments, not every server should access every storage resource. Zoning and LUN Masking provide complementary layers of access control—zoning at the fabric level and LUN masking at the storage level.

Zoning - Fabric-Level Access Control:

Zoning segments the SAN fabric into logical groups, controlling which devices can communicate. Think of zones as VLANs for SAN traffic.

Zoning Types:

Port Zoning (Hard Zoning):

• Zone membership based on switch port numbers
• Example: "Port 1 on Switch A can communicate with Port 5 on Switch B"
• Device-independent—any device on that port gains membership
• Hardware-enforced at switch ASIC level
• Survives device replacement without reconfiguration
• Format: Domain ID + Port number (e.g., 1,5 for domain 1, port 5)

WWN Zoning (Soft Zoning):

• Zone membership based on World Wide Port Names (WWPNs)
• Device-specific—follows the HBA regardless of port
• More flexible for device relocation
• Example: "WWPN 10:00:00:00:00:00:00:01 can communicate with WWPN 50:00:00:00:00:00:00:10"
• Requires Name Server database lookup
• Some implementations enforce in hardware, some in software

Mixed Zoning:

• Combines port and WWN zoning elements
• Common practice: HBAs by WWPN, storage by port
• Provides benefits of both approaches

Zoning Best Practices:

• Single initiator zoning: One HBA per zone with its storage targets
• Prevents host-to-host communication that can corrupt shared storage
• Name zones descriptively: "ServerA_HBA1_ArrayB_CL0_FC0"
• Activate changes during maintenance windows
• Document zone configurations thoroughly

LUN Masking - Storage-Level Access Control:

LUN Masking (also called Host Groups or Initiator Groups) restricts which hosts can see specific LUNs, even if zoning allows communication.

Purposes:

• Zoning allows communication; masking allows access to specific LUNs
• Prevents accidental access to critical volumes
• Enables multiple hosts to share array ports while accessing different LUNs
• Essential for multitenant environments

Implementation:

1. Create host record on storage array with HBA WWPNs
2. Create LUN(s) from storage pools
3. Map LUN(s) to specific host records
4. Only mapped hosts can see and access those LUNs

LUN Masking vs. Zoning:

Storage virtualization abstracts physical storage resources into logical pools, decoupling hosts from underlying physical storage infrastructure. This enables sophisticated data management capabilities and operational flexibility.

Storage Virtualization Levels:

Host-Based Virtualization:

• Volume managers on servers abstract physical LUNs
• LVM (Linux), VxVM (Veritas), Windows Storage Spaces
• Creates volumes spanning multiple LUNs
• Enables RAID, striping, mirroring at host level
• Limitation: Management burden per host, limited mobility

Array-Based Virtualization:

• Storage array presents virtual LUNs from disk pools
• Thin provisioning: LUNs appear larger than allocated physical space
• Automated tiering: Data migrates between SSD and HDD tiers based on access
• Snapshots and clones: Space-efficient point-in-time copies
• Internal to array; hosts see simple LUNs
• Most common form of storage virtualization

Network-Based Virtualization:

• Appliance/controller sits between hosts and storage
• Aggregates disparate storage arrays into unified pool
• Enables heterogeneous storage management
• Data migration between arrays without host disruption
• Examples: IBM SAN Volume Controller (SVC), VMware vSAN (in-kernel)
• Adds latency and complexity but maximum flexibility

Key Virtualization Features:

Thin Provisioning:

• Allocate large virtual capacity with minimal physical allocation
• Physical storage consumed only as data is written
• Enables overprovisioning (sum of virtual > physical)
• Requires monitoring to prevent out-of-space conditions
• Example: Provision 10TB LUN consuming only 1TB initially

Snapshots:

• Point-in-time logical copy of data
• Uses copy-on-write or redirect-on-write techniques
• Minimal space consumption (only changed blocks stored)
• Instant creation regardless of data size
• Use cases: Backup, development clones, recovery points

Clones:

• Full, independent copy of data
• Initially may share blocks with source (space-efficient clones)
• Eventually becomes independent as data diverges
• Use case: Test/dev environments, application migration

Replication:

• Copies data between storage systems
• Synchronous: Every write confirmed at both sites (zero data loss, latency-sensitive)
• Asynchronous: Writes batched and replicated periodically (some data loss possible, distance-tolerant)
• Essential for disaster recovery
• RPO (Recovery Point Objective) and RTO (Recovery Time Objective) drive design

Enterprise SANs require both high availability (no unplanned downtime) and resilience (recovery from component failures). Multipathing is the cornerstone technique enabling these requirements by providing multiple physical paths between hosts and storage.

Multipathing Fundamentals:

With multipathing, each LUN is accessible through multiple independent paths:

Server                    SAN Fabric                  Storage
                                                      
[HBA Port 1] ─────────► [Switch A] ─────────► [Controller A Port 1]
           \                                 /
            \─────────► [Switch A] ─────────► [Controller B Port 1]
                                             
[HBA Port 2] ─────────► [Switch B] ─────────► [Controller A Port 2]
           \                                 /
            \─────────► [Switch B] ─────────► [Controller B Port 2]

This topology provides 4 paths per LUN, surviving failure of:

• Either HBA port
• Either SAN switch
• Either storage controller
• Any single cable

Multipath Policies:

Multipath Software:

• Windows MPIO: Built into Windows Server, supports various DSMs (Device-Specific Modules)
• Linux Device Mapper Multipath (dm-multipath): Standard Linux multipathing
• Veritas DMP (Dynamic Multi-Pathing): Enterprise solution, now part of InfoScale
• PowerPath (Dell EMC): Array-specific optimized multipathing
• VMware NMP (Native Multipathing Plugin): vSphere built-in multipath

High Availability Design Principles:

Redundancy at Every Layer:

• Dual HBA ports per server
• Dual SAN fabrics (Fabric A and Fabric B)
• Dual storage controllers
• Dual power feeds, dual fans

Fabric Isolation:

• Fabric A and Fabric B are completely independent
• Different switches, different cables, ideally different routes
• Prevents single configuration error from affecting both paths

No Single Point of Failure (NSPOF):

• Audit entire path for any shared component
• Same rack, same power circuit, same room = shared failure domain
• Geographic separation for disaster recovery

We have conducted a comprehensive examination of Storage Area Networks—the backbone of enterprise data infrastructure. Let us consolidate the essential knowledge:

What's Next:

Having explored the specialized world of Storage Area Networks, we now examine Virtual Private Networks (VPN)—technology that creates secure, private network connections over public infrastructure. While SANs optimize for internal data center storage, VPNs extend organizational networks securely across the internet.