Virtual SANs (VSANs) offer the ability to scale SANs beyond current limitations in a resilient, secure, cost-effective, and manageable fashion. Using VSANs, SAN designers are able to build larger consolidated fabrics and still maintain the required security and isolation between applications beyond what is currently offered through zoning.

Today, SAN designers build separate fabrics, otherwise known as SAN islands, for a variety of reasons. A SAN island refers to a completely physically isolated switch or group of switches used to connect hosts to storage devices. Reasons for building SAN islands may include the desire to isolate different applications into their own fabric or to raise availability by minimizing the impact of fabric-wide disruptive events. In addition, physically separate SAN islands also offer a higher degree of security as each physical infrastructure contains its own separate set of fabric services and management access. While these are valid reasons for building separate fabrics, this practice can quickly become costly and wasteful in terms of fabric ports and resources.

The prospect of additional separate fabrics means more hardware, more ports, more cost, more devices to manage, and typically underutilized hardware. Another drawback to building out separate SAN islands is the inflexible nature of completely isolated islands in terms of resource re-allocation. If one fabric has many unused ports and another fabric is short of ports, one cannot simply reassign the unused ports where they are required.



Benefits of VSANs

  • Virtual SAN Fabric Islands — Many reasons still exist today in storage networking that mandate that SAN designers build separate fabrics for different applications. VSANs offer the SAN designer a way to consolidate what would amount to multiple costly physical SAN islands onto a more cost-effective common redundant SAN fabric. Using VSANs, the same security and isolation achieved by building physically separate islands can be replicated virtually on the same physical infrastructure.


  • Transparent to End Devices — VSANs do not require any special awareness, configuration, or software on the SAN end devices such as hosts/HBAs (Host-Bus-Adapter) or disk subsystems. Traffic is tagged as it enters a switch and the tagging is removed once a frame leaves a switch for an Nx_Port.



  • ISL Trunking — Even though each VSAN represents a separate fabric and traffic cannot cross VSANs, the Cisco MDS 9000 Family supports “trunking” of VSANs over a Trunking E_Port (TE_Port). Using TE_Ports provides several advantages. While traffic cannot span VSANs, multiple VSANs can share the same ISLs. Multiple VSANs can share the bandwidth of ISLs for increased ISL utilization. This could significantly reduce the number of ISLs needed in a given deployment. Trunking of VSANs across TE_Ports also allows for a basic form of traffic shaping. Because VSANs can be individually assigned to a trunk, VSANs with lower priority traffic could be assigned to ISLs that may have a higher path metric, thus leaving shorter paths for higher priority traffic.


  • Fabric Availability — Each VSAN includes separate instances of all fabric services. This provides for a much more stable fabric as not only are fabric service failures isolated per VSAN but fabric level events such as Build Fabric or Reconfigure Fabric are also isolated per VSAN. Should a switch need to be added to an existing network, only the VSAN(s) required on the new switch will experience a fabric rebuild or reconfigure and not the remaining VSANs on the entire network. The VSAN capability limits any possible disruption to devices that need to be in an isolated environment without the need for physical isolation. The resultant increase in availability offered by VSANs also allows the SAN designer to build larger and more cost efficient SANs instead of smaller SAN islands.



  • Fabric Scalability — Fibre Channel (FC) has several limitations when it comes to the scalability of the network. However, VSANs provide a way to scale a fabric. When deploying VSANs within a physical infrastructure, the Fibre Channel addressing scheme need only be unique per VSAN. Within a standard fabric only 239 domains (switches) are allowed. This effectively limits the scalability of the fabric. By deploying VSANs, the Fibre Channel addressing scheme is implemented on a per-VSAN basis. Now, up to 239 domains can exist per VSAN, thus extending the scalability within the physical infrastructure.


  • Collapsed Physical Infrastructure — A common implementation of Storage Area Networks is to deploy “SAN Islands”. Each application, operating system, or business unit has its own SAN fabric. With this design, hardware is typically underutilized, wasting costly hardware and management resources. In contrast, deploying VSANs provides the ability to collapse the many individual SANs into a larger single infrastructure. This reduces hardware costs and increases the manageability of the entire network while maintaining the stability and traffic isolation of the SAN island model.



  • Traffic Management and Service Differentiation — The implementation of VSANs gives the SAN designer more control over the flow of traffic and its prioritization through the network. Using the VSAN capability, different VSANs can be prioritized and given access to specific paths within the fabric on a per-application basis. Using VSANs, traffic flows can be engineered to provide an efficient usage of network bandwidth. One level of traffic engineering allows the SAN designer to selectively enable or disable a particular VSAN from traversing any given common VSAN trunk (EISL), thereby creating a restricted topology for the particular VSAN. A second level of traffic engineering is derived from independent routing configurations per VSAN. As discussed, the implementation of VSANs dictates that each configured VSAN support a separate set of fabric services. One such service is the FSPF routing protocol, which can be independently configured per VSAN. Therefore, within each VSAN topology, FSPF can be configured to provide a unique routing configuration and resultant traffic flow. The traffic engineering capabilities offered by VSANs allow greater control over traffic within the fabric and a higher utilization of the deployed fabric resources.


  • VSAN Management Security — Unlike zoning, the VSAN service is not a distributed service within the fabric. VSAN configuration is local to each switch, and configuring VSANs on one switch does not affect the configuration of any other switch within the network. Although one could use the Cisco Fabric Manager to configure VSANs across many switches within the network, each switch is individually configured by the tool. Therefore, each switch only enforces the VSAN configuration locally configured on the switch itself. Using the roles-based configuration security within the Cisco MDS 9000 Family of products, VSAN configuration can further be limited to selected users on selected switches.
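
Because VSAN configuration is local to each switch, as the VSAN Management Security item notes, the settings on different switches can drift apart without any fabric service reporting it. The following added example (not Cisco code or output) audits per-switch settings for such drift; the data model, switch names, and VSAN names are constructed and hypothetical.

```python
# Constructed per-switch VSAN settings, gathered switch by switch.
# The data model and names are hypothetical, not Cisco output.
SWITCHES = {
    "sw1": {"vsans": {10: "ERP", 20: "Backup"},
            "trunks": {"fc1/1": ("sw2", "fc1/1", {10, 20})}},
    "sw2": {"vsans": {10: "ERP", 20: "Test"},
            "trunks": {"fc1/1": ("sw1", "fc1/1", {10, 30})}},
}


def audit_vsan_drift(switches):
    """Return a list of (kind, where, detail) inconsistencies."""
    findings = []

    # The same VSAN ID carrying different names on different switches.
    names = {}
    for sw, cfg in sorted(switches.items()):
        for vsan, name in cfg["vsans"].items():
            names.setdefault(vsan, set()).add(name)
    for vsan, seen_names in sorted(names.items()):
        if len(seen_names) > 1:
            findings.append(("name-mismatch", f"vsan {vsan}", sorted(seen_names)))

    checked = set()
    for sw, cfg in sorted(switches.items()):
        for port, (peer, peer_port, allowed) in sorted(cfg["trunks"].items()):
            # A trunk allowing a VSAN that this switch never defined.
            undefined = allowed - set(cfg["vsans"])
            if undefined:
                findings.append(("undefined-vsan", f"{sw}:{port}", sorted(undefined)))

            # Each ISL is compared once, from whichever end sorts first.
            link = frozenset([(sw, port), (peer, peer_port)])
            if link in checked:
                continue
            checked.add(link)
            peer_allowed = switches[peer]["trunks"][peer_port][2]
            one_sided = allowed ^ peer_allowed
            if one_sided:
                findings.append(("trunk-mismatch",
                                 f"{sw}:{port}<->{peer}:{peer_port}",
                                 sorted(one_sided)))
    return findings


if __name__ == "__main__":
    for finding in audit_vsan_drift(SWITCHES):
        print(finding)
```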
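
The ISL Trunking and Traffic Management items describe two controls: which VSANs may traverse a given trunk, and an independent routing configuration per VSAN. The following added example (not Cisco code) models both over one shared physical topology, using a plain shortest-path computation as a stand-in for FSPF; the switch names, VSAN numbers, and costs are constructed.

```python
import heapq

# Constructed topology: each ISL is a trunk that lists the VSANs allowed
# on it together with a per-VSAN link cost (all values hypothetical).
ISLS = [
    ("sw1", "sw2", {10: 250, 20: 250}),
    ("sw2", "sw3", {10: 250, 20: 250}),
    ("sw1", "sw3", {10: 250, 20: 1000}),  # direct link made costly for VSAN 20
    ("sw1", "sw4", {10: 250}),            # VSAN 20 not allowed on this trunk
]


def vsan_topology(isls, vsan):
    """Adjacency map built only from the ISLs that carry this VSAN."""
    graph = {}
    for a, b, costs in isls:
        if vsan in costs:
            graph.setdefault(a, []).append((b, costs[vsan]))
            graph.setdefault(b, []).append((a, costs[vsan]))
    return graph


def best_path(isls, vsan, src, dst):
    """Shortest path inside one VSAN: (cost, [switches]) or None."""
    graph = vsan_topology(isls, vsan)
    if src not in graph or dst not in graph:
        return None  # the VSAN does not reach one of the switches
    queue = [(0, src, [src])]
    done = set()
    while queue:
        cost, node, path = heapq.heappop(queue)
        if node == dst:
            return cost, path
        if node in done:
            continue
        done.add(node)
        for nxt, link_cost in graph[node]:
            if nxt not in done:
                heapq.heappush(queue, (cost + link_cost, nxt, path + [nxt]))
    return None


if __name__ == "__main__":
    for vsan in (10, 20):
        for dst in ("sw3", "sw4"):
            print(vsan, dst, best_path(ISLS, vsan, "sw1", dst))
```

VSAN 10 takes the direct ISL to sw3 while VSAN 20 is steered over the longer two-hop path, and VSAN 20 has no path to sw4 because its trunk does not carry that VSAN.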