How come no one is talking about the security issues created by using VMware in a SAN environment? - B.P., St. Louis.
Because no one knows what you are talking about, including me. So after I got your e-mail, I started sniffing around, and lo and behold, there sure is a big time bomb out there.
It turns out that the hypervisors (VMware, Xen) that let us turn one physical machine into numerous logical machines have a big flaw when it comes to sharing a Fibre Channel host bus adapter. The HBA presents a WWN (World Wide Name) to the I/O driver of the server, and that server uses it as it will. In a virtual server mode, all of the server instances can see and access the same HBA - and all the same logical unit numbers (LUNs) attached to it. Oops. IBM doesn't have the issue on its own hypervisors for the mainframe, AIX and AS/400s, it appears.
Since I'm guessing the majority of VMware installations are for consolidation purposes, which means they're most likely using SANs, I can smell burning metal.
It turns out that the likes of Emulex and QLogic are working to provide the hypervisor people with a way out. VMware will incorporate Emulex's N-Port Virtualization capabilities shortly - which will enable a slew of virtual WWNs to be presented from a single HBA - each assignable to a virtual machine. This will kill the conflicts and enable zoning and LUN masking just as if it were a single HBA to a single server relationship. They have even figured out how to fail virtual WWNs in a VMotion environment so the LUNs can move right along with the virtual server instance.
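To see why per-VM virtual WWNs matter for LUN masking, here is an added example (not from the original column) that audits which LUNs more than one virtual machine can reach, first with every VM behind the physical HBA's WWN and then with one virtual WWN per VM. The VM names, WWNs, LUN numbers and the simplified masking model are all constructed for illustration.

```python
from collections import defaultdict

def visible_luns(vm_initiators, lun_masks):
    """Return {vm: set of LUN ids the array exposes to that VM}.

    vm_initiators: {vm name: set of WWNs the VM logs in with}
    lun_masks:     {LUN id: set of WWNs the array allows to see it}
    """
    return {
        vm: {lun for lun, allowed in lun_masks.items() if allowed & wwns}
        for vm, wwns in vm_initiators.items()
    }

def shared_exposure(vm_initiators, lun_masks):
    """Return {LUN id: sorted VM names} for LUNs reachable by more than one VM.

    A deliberately shared LUN (a cluster volume, say) is reported too;
    the output is a review list, not a verdict.
    """
    by_lun = defaultdict(set)
    for vm, luns in visible_luns(vm_initiators, lun_masks).items():
        for lun in luns:
            by_lun[lun].add(vm)
    return {lun: sorted(vms) for lun, vms in by_lun.items() if len(vms) > 1}

# Constructed sample data: one physical HBA WWN shared by three guests.
PHYS = "20:00:00:00:00:00:00:01"
SHARED_HBA = {"web": {PHYS}, "db": {PHYS}, "mail": {PHYS}}
MASKS_SHARED = {0: {PHYS}, 1: {PHYS}, 2: {PHYS}}

# Constructed sample data: one virtual WWN per guest on the same HBA.
V_WEB, V_DB, V_MAIL = (f"20:00:00:00:00:00:01:0{i}" for i in (1, 2, 3))
NPIV = {"web": {V_WEB}, "db": {V_DB}, "mail": {V_MAIL}}
MASKS_NPIV = {0: {V_WEB}, 1: {V_DB}, 2: {V_MAIL}}

if __name__ == "__main__":
    print("shared physical WWN:", shared_exposure(SHARED_HBA, MASKS_SHARED))
    print("per-VM virtual WWN: ", shared_exposure(NPIV, MASKS_NPIV))
```

With a single shared WWN the array cannot tell the guests apart, so any mask that admits one admits all; with per-VM WWNs the same masking table isolates each guest to its own LUN.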
QLogic is even working on making its virtual N-Port stuff compatible with Cisco's VSANs, which is also way cool.
So in the interim, be careful how you set this stuff up. Windows still likes to grab everything it sees as its own.
Expect to pay a little to upgrade the firmware of your existing adapters. I'd imagine both HBA giants will support a ton of virtual instances on their higher-end cards but probably be restrictive on the lower end. A few hundred bucks shouldn't matter in the overall scheme of things, considering all the benefits you get from the consolidation to begin with - especially now that you'll be able to do it much more securely.