IBM TotalStorage Expert Network Planning Considerations

Abstract

Because the TotalStorage Expert communicates with your ESS and ETL through a TCP/IP network, you need to carefully plan how the TotalStorage Expert is going to attach to your network.

For related information about this topic, refer to the following IBM Redbooks publication: IBM TotalStorage Expert Hands-On Usage Guide, SG24-6102-02

Contents

This tip discusses the two major considerations when planning the TotalStorage Expert network attachment: network security and network performance.

Network security considerations

You need to take care of network bandwidth and several levels of security, such as security for physical network links and user access control. In this section we describe three possible network topologies that could be used.

Based on prior experience with firewall implementation, careful planning should be made in this regard. The best method of ESS Expert host installation is to have the hosts where the Expert will be installed located on the ESS side of the firewall. The ESS Specialist application uses dynamic port assignment for progress-status and heartbeat data, which means that the network administrator cannot configure the firewall to let this data pass through to the ESS Expert. Due to the current design of the ESS Specialist application, both the Web browser and the ESS must be on the same side of the firewall in order to perform configuration. The same applies to Expert: both the ESS Expert host and the ESS must be on the same side of the firewall to do configuration or performance monitoring. Accessing the ESS Specialist for read-only data is not a problem, because all of that data passes through to the Expert host on the standard HTTP ports. The range of ports used by ESS Expert during dynamic port assignment for inbound and outbound sockets is 1025 through 65535 (the full available range of ports).
It is not advantageous for a customer to implement the ESS Expert host system across a firewall from the ESS Specialist. Due to the restrictive network filtering and subsequent unforeseen data traffic issues, it is recommended to have the TotalStorage Expert host that will be doing the actual ESS and ETL monitoring within the firewall. Other hosts accessing the ESS Expert data through the browser interface may be outside the firewall and still function normally, as long as the firewall parameters are not set to restrict the access of these hosts to the hosts running the Expert application.

Note: Although it is not recommended, you are able to implement a firewall between the ESS Specialist and ESS Expert as long as all of the following policies are active on the firewall:

- Allow TCP from ESS Expert on ports > 1024 to all ESS clusters on port 80 (HTTP).
- Allow TCP from ESS Expert on ports > 1024 to all ESS clusters on port 443 (HTTPS).
- Allow TCP from all ESS clusters on ports > 1024 to ESS Expert on ports > 1024.

All ESS Expert host initiated communication occurs to destination ports 80 and 443. All ESS initiated communication (interval-based performance data offloads) occurs to non-well-known listening ports selected by ESS Expert and communicated to the ESS clusters via ESS Expert-initiated transactions to port 443. ESS Expert selects its listening ports by using the first available port in a series; therefore, predicting these ports is not possible.

TotalStorage Expert and ESS or ETL in a closed network

The figure below shows a configuration for a high security environment, where most enterprise systems are preconfigured on a series of high security private networks. If your installation is configured like this, you would connect a machine to the ETL or ESS Net and install the TotalStorage Expert on that machine. Because no one can have network access to the ESSs on your installation through your intranet, this configuration provides a high level of network security.
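The three firewall policies listed in the Note above, modelled as an added example (not code from the Redbook or from the TotalStorage Expert product) so that a candidate flow can be checked against them before the rules are deployed; the host addresses are constructed placeholders. It also counts how wide the third rule's inbound window on the Expert host is, which is the reason the page calls this layout "not recommended".

```python
from dataclasses import dataclass

# Constructed sample addresses for illustration only (not from the page).
ESS_EXPERT = "10.0.1.10"
ESS_CLUSTERS = {"10.0.2.11", "10.0.2.12"}
# "ports > 1024" in the Note; the page gives the dynamic range as 1025-65535.
HIGH_PORTS = range(1025, 65536)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def expert_initiated(f: Flow) -> bool:
    """Policies 1 and 2: Expert (high port) -> any ESS cluster on 80 or 443."""
    return (f.proto == "tcp" and f.src == ESS_EXPERT and f.sport in HIGH_PORTS
            and f.dst in ESS_CLUSTERS and f.dport in (80, 443))


def ess_initiated(f: Flow) -> bool:
    """Policy 3: any ESS cluster (high port) -> Expert on any high port.

    This is the performance data offload path; the Expert's listening port
    is chosen at run time, so the rule cannot be narrowed to a single port."""
    return (f.proto == "tcp" and f.src in ESS_CLUSTERS and f.sport in HIGH_PORTS
            and f.dst == ESS_EXPERT and f.dport in HIGH_PORTS)


def is_allowed(f: Flow) -> bool:
    """Default deny: a flow passes only if one of the three policies matches."""
    return expert_initiated(f) or ess_initiated(f)


def inbound_ports_exposed_on_expert() -> int:
    """Number of Expert-host destination ports reachable from an ESS cluster under policy 3."""
    return len(HIGH_PORTS)


def evaluate(flows):
    """Return (flow, verdict) pairs; handy for reviewing a proposed rule set."""
    return [(f, "allow" if is_allowed(f) else "deny") for f in flows]


if __name__ == "__main__":
    # Constructed sample flows: offload, HTTPS poll, and two that should be denied.
    sample = [Flow("tcp", "10.0.2.11", 5001, ESS_EXPERT, 33020),
              Flow("tcp", ESS_EXPERT, 40001, "10.0.2.12", 443),
              Flow("tcp", "10.0.2.11", 5001, ESS_EXPERT, 80),
              Flow("tcp", ESS_EXPERT, 40001, "10.0.2.12", 22)]
    for f, verdict in evaluate(sample):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} {verdict}")
    print("Expert ports open to ESS clusters:", inbound_ports_exposed_on_expert())
```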
However, due to the nature of private networks, this configuration cannot provide flexibility when you perform administrative tasks regarding the ESS. For example, you cannot operate the TotalStorage Expert through your intranet, or configure the ESSs to send service information messages through e-mail.

Putting your ESS or ETL behind a router

The configuration shown in the figure below provides more flexibility than the previous one. In this case, you can install and configure the TotalStorage Expert on your intranet. If you use this configuration, you need to have an IP router (forwarder) configured to route packets into your ESS private network. The advantage of this approach is that you still have high security for the ESS Net, and can allow communication between your intranet and the ESS Net through the router. We suggest that you have a high performance router and other network devices such as switching hubs, as the network performance between the TotalStorage Expert and the ESSs will be heavily dependent on these components.

Connecting your ESS or ETL to the intranet

The figure below shows a configuration in which each ESS Net is a part of your intranet. Once you have set up appropriate domain name servers (DNSs) and other network configuration, almost anyone on your intranet, including dial-up clients, can have access not only to the ESS Expert but also to your ESSs, through a Web browser. Therefore, the only way to restrict network access to the ESS or the TotalStorage Expert is to specify userids and passwords for them. You should note that the network performance on your intranet will impact the ESS's cross cluster communication as well as communication between the ESS Expert and the ESSs. If your intranet is a large network, you will need to be very careful with your network configuration in order to minimize the impact.
Network bandwidth considerations

Another issue of concern is the packet size and packet type transferred over the network between the ESS and the TotalStorage Expert. The Ethernet card on the ESS is 10Base-T. Accordingly, you will have various limitations on how many ESSs you can monitor and how far away, in terms of network topology, you can be from the ESS Net. In your design, placement, and implementation planning, you will have to consider the following:

Packet transfer during performance data collection: the TotalStorage Expert receives raw data at every time interval that you specify. When the interval is specified as 5 minutes, the TotalStorage Expert gets 10 to 15 KB packets per second every 5 minutes from an ESS. During this time it writes this data into the DB/2 database. Your network traffic will have a slight peak at these intervals, which is almost negligible in a high bandwidth switched environment.

Web interface transfers: when running the Web interface, the Java applets being transferred may reach 100-300 KB in size. You should take into consideration that invoking the browser over a slow WAN link or dialup connection may cause some slight delays. However, this will not happen when running the browser on the local network.