
ndmp backups with firewalls

We are looking to reduce the number of firewall ports required to do ndmp backups/restores with netbackup.

I found the netapp bug 134670 that reports that there is a fix to the problem of NDMP 3-way backups/restores being firewall unfriendly.

Has anyone tried the fix which is reported to be in some of the 7.3 and 8.0 ontap releases?

I am having a hard time finding the doc on how to use this fix.

Thank You for any help with this.

Re: ndmp backups with firewalls

Hi,

You can use the 'options ndmpd.data_port_range' command to specify a specific range of ports for NDMP to use, thus making it "firewall friendly".

=== man page entry ===

ndmpd.data_port_range

This option allows administrators to specify a port range on which the NDMP server can listen for data connections.

Syntax: options ndmpd.data_port_range {<start_port>-<end_port> | all }. start_port, end_port can have values between [1024-65535]; start_port must be lesser than or equal to end_port.

If a valid range is specified, NDMP uses a port within that range to listen for data connections. A listen request fails if no ports in the specified range are free. The value 'all' implies that any available port can be used to listen for data connections. The default value for this option is 'all'. This option is persistent across reboots.

===

Cheers, Tony
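
Added example (not part of the thread and not NetApp code): a Python check of an ndmpd.data_port_range value against the rules in the man page entry quoted above, plus which ports of that range a firewall allow list leaves uncovered. The function names, the (low, high) allow-list format and the treatment of 'all' as ports 1-65535 are assumptions made for this example.

```python
import re

PORT_MIN, PORT_MAX = 1024, 65535  # bounds given in the man page entry

def parse_data_port_range(value):
    """Return (start, end) for a valid range, or None for 'all'."""
    value = value.strip()
    if value == "all":
        return None
    m = re.fullmatch(r"(\d+)-(\d+)", value)
    if not m:
        raise ValueError(f"expected <start_port>-<end_port> or 'all', got {value!r}")
    start, end = int(m.group(1)), int(m.group(2))
    if not (PORT_MIN <= start <= PORT_MAX and PORT_MIN <= end <= PORT_MAX):
        raise ValueError(f"ports must be within {PORT_MIN}-{PORT_MAX}")
    if start > end:
        raise ValueError("start_port must be <= end_port")
    return start, end

def listen_capacity(value):
    """Ports available for data listens (a listen fails when none is free); None for 'all'."""
    parsed = parse_data_port_range(value)
    return None if parsed is None else parsed[1] - parsed[0] + 1

def uncovered_ports(value, allowed):
    """Sub-ranges of the NDMP data range that no allow rule covers.

    allowed: list of inclusive (low, high) TCP port ranges (assumed format).
    """
    parsed = parse_data_port_range(value)
    # Assumption: 'all' (any available port) is checked as the full 1-65535 space.
    start, end = parsed or (1, 65535)
    gaps, cursor = [], start
    for low, high in sorted(allowed):
        if high < cursor:
            continue          # rule lies entirely below what is still unchecked
        if low > end:
            break             # rule starts past the NDMP range
        if low > cursor:
            gaps.append((cursor, low - 1))
        cursor = high + 1
    if cursor <= end:
        gaps.append((cursor, end))
    return gaps

if __name__ == "__main__":
    rules = [(27000, 27005)]  # constructed sample allow list
    for setting in ("27000-27000", "27000-27010", "all"):
        print(setting, listen_capacity(setting), uncovered_ports(setting, rules))
```

An empty list from uncovered_ports means every port the filer may listen on is permitted by the allow list supplied.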

Re: ndmp backups with firewalls

I'm using an active-active configuration on FAS3270 controllers, using SnapVault to a secondary site for backup.

Could this affect any SnapVault relationships?

I'm using an NDMP accelerator for backing up data (to a third site 400 miles apart).

I did change and set the options ndmpd.data_port_range 27000-27000

After that some of my SnapVault relationships to my secondary FAS controller started failing. Using other IP addresses than the preferred interface for NDMP??

Also, is it OK just to have one port as in my case above?

Because then I set it to 27000-65535, and the first backup was OK running on port 27000.

Second try failed running on port 27001, also third try on port 27002 failed.

All ports between 27000-65535 are open for traffic.