3

I'm going through DISA security hardening on our network devices. Our iSCSI SAN network uses 2 Cisco 2960G layer 2 switches. The SAN consists of 2 HP P4000 devices. Servers are 3 Dell R710s in a Hyper-V cluster. DISA has a rule about enabling port security or 802.1x but will that mess up multi-path IO or NIC teaming?

Edit: Each SAN and server has a connection to each switch and there is an etherchannel between the 2 switches so it's a full mesh configuration. Probably doesn't help the question but it may help visualize the configuration.

murisonc
  • 2,968
  • 2
  • 21
  • 31

2 Answers2

1

Port security should not be a problem, assuming that the connection layout remains static. I'm not sure if there are any iSCSI SANs that even support 802.1x, so that may be a non-starter.

Just make sure all the unused ports on the SAN switches are shut and moved to an unused VLAN and port security sticky is set on the used ports. This should satisfy the STIG.

newmanth
  • 3,943
  • 4
  • 26
  • 47
0

It could do, it depends on what software is doing the multi-pathing, if the two NICs advertise their physical MACs and a moving team-MAC then you could be in trouble. Only way to be sure is to watch the CAMs before, during and after testing each failover scenario.

Chopper3
  • 101,299
  • 9
  • 108
  • 239