2017-06-02 06:35 AM
I would like to know if there is a way to do this:
- Add many IP addresses to a filer, each IP from a different VLAN
- Create CIFS shares or NFS exports only accessible from one of these addresses.
My idea is to
- Create a rule on the firewall to allow traffic between a set of Windows or Linux servers and one of the IP addresses of the filer
- Allow data access from this IP address to a set of servers on the filer.
I took a look at the DOT 9 documentation and it seems an export policy may restrict access to a qtree to a set of servers.
But I did not see that the IP used by the filer can be set in a rule too.
The only alternative would be to create an SVM for each IP, but it's not very convenient.
2017-06-02 09:03 AM
It's possible to restrict the NAS protocol to a range of IPs or a single IP.
Here are some examples.
To Setup NFS Read-Write Access for the Client with IP Address 10.10.10.11, Use the following Export-Policy Rule.
::> vserver export-policy rule create -vserver nfs01 -policy nfspolicy -ruleindex 1 -protocol nfs -clientmatch 10.10.10.11 -rorule sys -rwrule sys
To Setup CIFS Read-Write Access for the Client with IP Address 10.10.10.11, Use the following Export-Policy Rule.
::> vserver export-policy rule create -vserver cifs01 -policy cifspolicy -ruleindex 1 -protocol cifs -clientmatch 10.10.10.11 -rorule ntlm,krb5 -rwrule ntlm,krb5
Hope that helps.
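Added example, not part of the original posts and not NetApp code: a small Python model of how the export-policy rules quoted above select clients. It assumes rules are tried in ruleindex order with the first match winning and that clientmatch is an address or CIDR; the second rule and the helper names are constructed for illustration. As written in the thread, the rules match on client address and protocol only.

```python
import ipaddress
import shlex

# First rule is the NFS rule from the thread; the second is constructed for this example.
POLICY = [
    "::> vserver export-policy rule create -vserver nfs01 -policy nfspolicy -ruleindex 1 "
    "-protocol nfs -clientmatch 10.10.10.11 -rorule sys -rwrule sys",
    "::> vserver export-policy rule create -vserver nfs01 -policy nfspolicy -ruleindex 2 "
    "-protocol nfs -clientmatch 10.10.20.0/24 -rorule sys -rwrule never",
]

def parse_rule(cmdline):
    """Collect the -option value pairs of one rule-create command into a dict."""
    tokens = shlex.split(cmdline)
    return {t.lstrip("-"): tokens[i + 1]
            for i, t in enumerate(tokens[:-1]) if t.startswith("-")}

def client_matches(rule, client_ip, protocol):
    """Assumption: clientmatch is an address or CIDR (hostnames/netgroups not handled)."""
    if rule["protocol"] != "any" and protocol not in rule["protocol"].split(","):
        return False
    net = ipaddress.ip_network(rule["clientmatch"], strict=False)
    return ipaddress.ip_address(client_ip) in net

def evaluate(rules, client_ip, protocol):
    """Simplified model: lowest ruleindex that matches wins; None means no rule, so denied."""
    for rule in sorted(rules, key=lambda r: int(r["ruleindex"])):
        if client_matches(rule, client_ip, protocol):
            return int(rule["ruleindex"])
    return None

def too_broad(rule, min_prefix=8):
    """Flag a clientmatch whose prefix is shorter than min_prefix (e.g. a /0)."""
    return ipaddress.ip_network(rule["clientmatch"], strict=False).prefixlen < min_prefix

if __name__ == "__main__":
    rules = [parse_rule(line) for line in POLICY]
    for ip, proto in [("10.10.10.11", "nfs"), ("10.10.20.5", "nfs"),
                      ("10.10.10.12", "nfs"), ("10.10.10.11", "cifs")]:
        print(ip, proto, "-> rule", evaluate(rules, ip, proto))
    print("too broad:", [r["ruleindex"] for r in rules if too_broad(r)])
```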
2017-06-06 08:21 AM
Thank you for your answer. But it does not answer my needs:
To be more precise, I would like to be able to
- restrict CIFS share A to subnet 10.0.0.0/0
- restrict CIFS shares B to subnet 220.127.116.11/0
- restrict NFS export C to subnet 18.104.22.168/0 (in addition to the exports file settings)
- restrict NFS export D1 and CIFS share D1 on the same data to subnet 22.214.171.124/0
2017-08-17 09:54 PM
For what the original poster is looking at - having a share only accessible on one of the system's IP addresses, and not others - the best option is to create multiple SVMs. Each will have its own AD account and can have totally separate domain auth as well as IP ranges.