Accepted Solution

Limiting protocol by VIF

Hello,

We recently upgraded to a FAS2050 using iSCSI and NFS from an FC EMC product.  We just noticed that the NetApp doesn't seem to care which of its IP addresses are used to access data, which is a little concerning.

We have two 2-port LACP vifs, one that is meant to handle our NFS VLAN and our Management VLAN (since, apparently, not all management traffic used the BMC port) and the other to handle our iSCSI VLAN.  The problem is, you can still view all NFS exports (export names only, not data) on the filers using any of their IPs, though we were at least smart enough to limit access based on client IP, which aren't on a routed VLAN.  You can also map iSCSI LUNs via any of the IPs, and the NetApp announces that fact when an Initiator connects to it, allowing what should be non-routed storage traffic to bleed into routed public traffic.  I've done some searching and am unable to find a way to stop the NetApp from announcing all of its IP addresses as viable iSCSI targets or to prevent an authenticated initiator from using whichever path it wants to. Is this a known issue or am I missing something obvious?

Re: Limiting protocol by VIF

Data ONTAP 7.3 added functionality to block protocols on interfaces.  Type "options interface" (if you are on 7.3+) and you will see the following.

interface.blocked.cifs
interface.blocked.ftpd
interface.blocked.iscsi
interface.blocked.nfs
interface.blocked.snapmirror

iSCSI already had a similar feature and still does with another method with "iscsi interface disable" and "iscsi interface accesslist".  So, there are two places to block interfaces for iSCSI...

One of my wish list items is to have the interface options work like the access options... where we can specify host=, host!=, if= and if!= for more granular allow/disallow...but it's still nice to have the block feature in 7.3.
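Added example, not from this thread or from NetApp: a small audit script that takes the output of "options interface.blocked" and checks it against the two-vif layout described in the question (one vif for NFS plus management, one for iSCSI), reporting every protocol that is still reachable on a vif that should not serve it. The vif names, the sample output and the assumption that the option value is a comma-separated interface list are all constructed for the example.

```python
"""Audit Data ONTAP 7-mode per-interface protocol blocking (added example).

Assumes: `options interface.blocked` prints one 'name  value' line per
option, the value being a comma-separated list of interfaces (assumption),
and the poster's layout: vif_nfs carries NFS + management, vif_iscsi
carries iSCSI only (hypothetical vif names).
"""
import re

PROTOCOLS = ("cifs", "ftpd", "iscsi", "nfs", "snapmirror")

# Intended policy: protocols each vif is allowed to serve. Every other
# protocol must list that vif in its interface.blocked.<proto> option.
POLICY = {
    "vif_nfs": {"nfs", "cifs"},
    "vif_iscsi": {"iscsi"},
}

# Constructed sample: iSCSI and SnapMirror were blocked on the NFS vif,
# but nothing was blocked on the iSCSI vif, so NFS/CIFS/FTP still bleed
# onto the storage VLAN and FTP is still open on the NFS vif.
SAMPLE_OUTPUT = """\
interface.blocked.cifs
interface.blocked.ftpd
interface.blocked.iscsi      vif_nfs
interface.blocked.nfs
interface.blocked.snapmirror vif_nfs
"""


def parse_blocked(output):
    """Return {protocol: set of interfaces on which it is blocked}."""
    blocked = {p: set() for p in PROTOCOLS}
    for line in output.splitlines():
        m = re.match(r"interface\.blocked\.(\w+)\s*(.*)$", line.strip())
        if m and m.group(1) in blocked:
            value = m.group(2).strip()
            blocked[m.group(1)] = {i for i in value.split(",") if i} if value else set()
    return blocked


def find_gaps(blocked, policy):
    """List (iface, proto, fix) for each protocol a vif should not serve
    but does not block; fix is the `options` line that would close it."""
    gaps = []
    for iface, allowed in policy.items():
        for proto in PROTOCOLS:
            if proto not in allowed and iface not in blocked[proto]:
                ifaces = ",".join(sorted(blocked[proto] | {iface}))
                gaps.append((iface, proto, f"options interface.blocked.{proto} {ifaces}"))
    return gaps


if __name__ == "__main__":
    for iface, proto, fix in find_gaps(parse_blocked(SAMPLE_OUTPUT), POLICY):
        print(f"{proto} is not blocked on {iface}; suggested: {fix}")
```

Run it against the real listing instead of SAMPLE_OUTPUT; the iSCSI side can additionally be tightened with "iscsi interface disable" and "iscsi interface accesslist" as the reply notes, which this script does not check.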