Should I Enable CHAP for My iSCSI Storage System?

Asked By TechWhiz42 On

I'm setting up a new iSCSI storage system at one of our locations, which has VLAN isolation and two distinct subnets for the iSCSI traffic. I've heard mixed opinions about enabling CHAP. Some folks suggest it's a good idea just to be safe, while others consider it unnecessary or even problematic due to potential login issues with the initiator. I'm curious to hear any horror stories or reasons not to enable CHAP. For context, we're using a Dell Unity 380 with two Dell hosts running Windows Hyper-V in a clustered setup, primarily for block storage to house our VMs. We're using the default Windows initiator along with MPIO for traffic management.

7 Answers

Answered By ClusterBuilderX On

When building my recent iSCSI cluster, I opted for bidirectional CHAP just because it was available. It doesn't take much effort, and since it's VLAN isolated, I figured it would be smart to utilize that feature.

Answered By LongTermPro On

I've been in the iSCSI game for over 15 years, and rarely have I seen CHAP used in production. Usually, we rely on physical or logical isolation—it's about error prevention rather than stringent security protocols. Though, hearing chatter about it made me curious, especially since even the Dell rep didn't seem to push for it. Guess I might set it up eventually, but right now, it’s not a priority for me.

Answered By NetworkKnight On

I've had a solid experience with CHAP while using ESXi and Windows. It worked flawlessly with both Dell and HPE iSCSI hardware, so I'm all for it.

Answered By DataMaven007 On

My strategy is to test without CHAP initially, but enable it for production. I'm guilty of skipping it with isolated setups, but having that layer of security can really save you in the long run.

TestPilot92 -

Totally agree! It's better to run tests with both configs to spot any issues before going live.

Answered By CyberGuard2023 On

If your storage network has anything other than servers managing LUN targets, you might want to rethink your setup. If an attacker is on the network, risk mitigation should be a priority. CHAP is easy to enable and adds another hurdle for potential threats, definitely worth turning on.

SecureNetFan -

Absolutely! The more layers of security, the better.

Answered By StorageGuru88 On

If you've ever had a rogue user on the iSCSI VLAN, you know it's better to have some form of protection. I'd rather face a few challenges getting the host to work than deal with the tiny chance of losing my entire array due to a mishap.

User123 -

So true, those unexpected issues can cause major headaches!

NetworkNinja -

Exactly, better safe than sorry!

Answered By ConfigMaster On

I've skipped on CHAP since our setup is physically and logically segmented. Instead, we whitelist IQN initiators to minimize user error, which seems sufficient for us.
