Share storage between segregated networks

Hey all,

Need help figuring out a solution.  My company has its network segregated into various "risk domains".  We have our intranet, and a DMZ, and a third network layer between the two, all separated by firewalls.  Something like the following.

Internet

     firewall

DMZ

     firewall

Moderate Risk domain

     firewall

intranet

Each of the segregated networks has its own unique, separate Windows domain.  We're often asked for a way to share the same data between two, or even all three, of the risk domains.  As a filer can only belong to a single AD Domain, I have yet to come up with a solution.  All of this would be so much simpler if the data were all NFS....

Anybody else facing this type of situation and, if so, how have you resolved it?

Thanks,

bt

Re: Share storage between segregated networks

Hi Brian,

This is the perfect use case for Multistore.  Multistore allows you to create virtual filers (vfilers) from a single physical controller (filer).  These vfilers can belong to completely different AD domains.  I have a number of customers doing exactly what you're trying to do with a single controller.  Here is a link with more info on Multistore: http://now.netapp.com/NOW/knowledge/docs/ontap/rel732rc1/html/ontap/vfiler/index.html

In addition, I've attached an independent security analysis of the Multistore mechanism.

Cheers, Tony

Re: Share storage between segregated networks

Smack-on case for MultiStore.

Or....use VMware with NetApp providing the underlying storage but only VMs on discrete vSwitches exposed to the different security zones.

Re: Share storage between segregated networks

Tony,

OK, maybe I've misunderstood everything I've read about vfilers so far.  My understanding was that vfiler could carve a single filer into multiple logical filers, but that physical resources were assigned to each logical vfiler.  If you're familiar with traditional AIX LPARs, this is the same concept.

Am I completely off base here?

I need to share the same volume between multiple Active Directory domains (no trust between the domains).

Re: Share storage between segregated networks

I need to share the same volume between multiple Active Directory domains (no trust between the domains).

Given this clarity from the author about the need - I am actually NOT sure if MultiStore is going to help all the way. Agreed that MultiStore will create virtual partitions - but sharing the same volume between two domains - is not something that can be accomplished by MultiStore.. IMHO.

If you have a FlexVol as part of a vFiler unit, you can create a CIFS share in that vfiler unit, but you cannot create a share for that same volume in the parent vfiler (vfiler0), as far as my testing goes.

Re: Share storage between segregated networks

In the MultiStore training labs from NetApp Insight, I created some case examples on how to share data between vFilers.  You can create a flexclone of a volume in one vfiler, then add the clone as a resource to another vfiler.  You can also SnapMirror from one vfiler to another vfiler flexvol or qtree with the loopback adapter (snapmirror from vfiler0 with no network specified).  They don't meet all requirements, but give more options that might help.  The requirement for sharing this way is that the vFilers be on the same physical vfiler0.