<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic cdot management interface firewall rules. in ONTAP Discussions</title>
    <link>https://community.netapp.com/t5/ONTAP-Discussions/cdot-management-interface-firewall-rules/m-p/111539#M23560</link>
    <description>&lt;P&gt;Hi.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are in the early stages of deploying a new Cdot 831 cluster.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For security reasons, management interfaces will be firewalled (nodemgmt/clustermgmt/SP), &amp;nbsp;so various firewall rules need to be put in place for services access.&lt;/P&gt;&lt;P&gt;I see that administration services normally connect to the cluster management (over port 443), but what about other "infrastructure" type services?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;E.g. SMTP, NTP, DNS, SNMP &amp;nbsp;etc. - It is not clear which services&amp;nbsp;use which interface.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can anyone provide an overview?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 04 Jun 2025 22:59:00 GMT</pubDate>
    <dc:creator>colin_graham</dc:creator>
    <dc:date>2025-06-04T22:59:00Z</dc:date>
    <item>
      <title>cdot management interface firewall rules.</title>
      <link>https://community.netapp.com/t5/ONTAP-Discussions/cdot-management-interface-firewall-rules/m-p/111539#M23560</link>
      <description>&lt;P&gt;Hi.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are in the early stages of deploying a new Cdot 831 cluster.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For security reasons, management interfaces will be firewalled (nodemgmt/clustermgmt/SP), &amp;nbsp;so various firewall rules need to be put in place for services access.&lt;/P&gt;&lt;P&gt;I see that administration services normally connect to the cluster management (over port 443), but what about other "infrastructure" type services?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;E.g. SMTP, NTP, DNS, SNMP &amp;nbsp;etc. - It is not clear which services&amp;nbsp;use which interface.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can anyone provide an overview?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 04 Jun 2025 22:59:00 GMT</pubDate>
      <guid>https://community.netapp.com/t5/ONTAP-Discussions/cdot-management-interface-firewall-rules/m-p/111539#M23560</guid>
      <dc:creator>colin_graham</dc:creator>
      <dc:date>2025-06-04T22:59:00Z</dc:date>
    </item>
    <item>
      <title>Re: cdot management interface firewall rules.</title>
      <link>https://community.netapp.com/t5/ONTAP-Discussions/cdot-management-interface-firewall-rules/m-p/111550#M23561</link>
      <description>&lt;P&gt;Hi Colin -&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Great question. &amp;nbsp;The CDot 8.3 family changed a number of things with respect to the various networking services you mentioned.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Services can be generally categorized by scope - that is, cluster scoped (or cluster wide) services, node scoped services, and SVM (vServer) scoped services. &amp;nbsp;Prior to cDot 8.3, SVM scoped services such as DNS, LDAP, Active Directory, etc. could use cluster or node level management interfaces to query the appropriate service. &amp;nbsp;In 8.3+, SVM scoped services must use a network interface associated only with the SVM. &amp;nbsp;For that reason, there are now three possible types of management interfaces to consider - cluster, node, and SVM. &amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;SVM scoped services need an SVM based interface. &amp;nbsp;It is best practice to define a "management" interface with protocol&amp;nbsp;"none". &amp;nbsp;Such an interface will be the default to use for SVM scoped services. &amp;nbsp;If a specific management interface is not defined, SVMs will use any other "data" interface available. &amp;nbsp;SVM scoped services include DNS client (for the SVM), LDAP, AD, NIS, and the data protocols of course.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Node scoped services use a node management network interface. &amp;nbsp;Node scoped services include NTP, SNMP, SMTP (for autosupport if configured to send email), SSH server for connection to a node specifically, HTTPS server, HTTP/S outbound (again for autosupport), DNS client (for the node), FTP client (might be used for software updates, sending support logs, etc.). 
&amp;nbsp;Some of these are optional depending on your use case - for example, I use an internal utility FTP server for software/firmware updates because it's simpler, so I have to allow FTP client out from my node management interfaces.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cluster scoped services use a cluster management network interface. &amp;nbsp;Cluster scoped services are SSH server for connection to the "cluster" by name, and the HTTPS server for cluster management functions.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A Node service processor should allow SSH inbound of course. &amp;nbsp;There is also a configurable API-service port for the SPs; the default is port 50000 per documentation. &amp;nbsp;This service can be disabled. &amp;nbsp;The SP also supports the Remote Support Agent function, which is a service that can enable automatic upload of information to Netapp Support when incidents occur. &amp;nbsp;It basically works by periodically connecting to a designated Netapp server over the web via HTTPS protocols to see if Netapp Support needs anything. &amp;nbsp;When an incident has occurred, the RSA connects more frequently - about once every five minutes for a while, if memory serves. &amp;nbsp;Netapp support engineers can post that they'd like a specific log or autosupport to help solve an incident, and the RSA mechanism can then automatically upload that log. &amp;nbsp;RSA uses web protocols and can also work through a proxy server to access the internet if desired. &amp;nbsp;If you plan on using RSA, the key thing to understand is that Netapp cannot access your kit directly, nor can they pull any data from your SVMs. &amp;nbsp;RSA just makes getting the data that you'd normally send to Netapp more easily available in cases where a person isn't immediately available to do it. &amp;nbsp;There's a whole guide on network setup for RSA available on the support site. 
&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That's the quick summary - there is a lot more detailed information available, of course, in the 8.3.1 documentation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope this helps you.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Bob Greenwald&lt;/P&gt;&lt;P&gt;Lead Storage Engineer&lt;/P&gt;&lt;P&gt;Huron Legal | Huron Consulting Group&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Oct 2015 13:39:37 GMT</pubDate>
      <guid>https://community.netapp.com/t5/ONTAP-Discussions/cdot-management-interface-firewall-rules/m-p/111550#M23561</guid>
      <dc:creator>bobshouseofcards</dc:creator>
      <dc:date>2015-10-22T13:39:37Z</dc:date>
    </item>
  </channel>
</rss>