topic Re: Cross Vlan communication in ONTAP Discussions

Cross Vlan communication

joesmith — Thu, 20 Aug 2020 21:26:05 GMT

Hello,

I am running ontap 9.7 and I am trying to figure out if there is a way to connect to a lif that is in a different vlan.

To give some background on our network it is set up like this with firewall open from workstations to servers in each department

10.10.20.0/24 = Department A workstations

10.10.25.0/24 = Department A Servers

10.10.30.0/24= Department B workstations

10.10.35.0/24 = Department B Servers

My networking Team is requesting that we mount our CIFS shares on our workstations through IPs in the server subnets to keep non workstation things off of the workstation subnets.

Our set up on the netapp side currently looks like this.

we have ports e0c and e0d aggregated into a0a on both nodes and ports e0e and e0f aggregated into a0b on both nodes.

we then have VLANS set up on all 4 aggregated ports. ie a0a-20 a0a-25 a0a-30 a0a-35 on all 4 aggregated ports.

As far as I can see the VLANs are supposed to prevent traffic going between them. So is there a way for me to get the a workstation in vlan 20 to mount a share in vlan 25?

Thank you for any guidance you have!

Re: Cross Vlan communication

NetApp_SR — Fri, 21 Aug 2020 03:03:02 GMT

Vlans are designed to separate traffic. A router can connect the two networks or a layer 3 switch could be configured to connect the networks. You could also create multiple LIFs on the SVM, one for each Vlan.

Re: Cross Vlan communication

paul_stejskal — Fri, 21 Aug 2020 14:51:12 GMT

Just have a LIF per VLAN for each SVM.

Re: Cross Vlan communication

joesmith — Fri, 21 Aug 2020 16:31:02 GMT

Thanks for reaching out to help.

We have a firewall policy set up at the layer 3 level to allow all traffic from the 10.10.20 subnet to the 10.10.25 subnet but when I try to mount a lif with a 10.10.25 IP from my workstation it won't connect. Everything is working correctly trying to mount with in the workstation subnet.

Re: Cross Vlan communication

paul_stejskal — Fri, 21 Aug 2020 16:39:26 GMT

If the share is going to be open anyway, why not use a LIF in 10.10.20 on the same VLAN? Unless the network/security team wants to log the traffic going in? But fpolicy could be used for that too.

Re: Cross Vlan communication

joesmith — Fri, 21 Aug 2020 17:14:05 GMT

That was their desire, to be able to log information about who/what was being accessed. My main concern was the firewall slowing things down a bit, but then when i tried to connect to the SVM from a lif on a different vlan it wouldn't let me access it through that Lif. Thats why i am trying to figure out if/how to make that happen. As I said, the company firewall policy is wide open from 10.10.20 to 10.10.25, so i would think that the netapp is blocking that traffic somehow.

Re: Cross Vlan communication

paul_stejskal — Fri, 21 Aug 2020 17:24:28 GMT

And the LIF is on like a0a-123 where 123 is the VLAN ID?

What is the switch configured for that interface for the VLANs?

Re: Cross Vlan communication

paul_stejskal — Fri, 21 Aug 2020 21:50:56 GMT

Also, if you wish to monitor, fpolicy will do just that. Just throwing it out there. It may work better because it doesn't have to perform any in-flight packet inspection but just logs exactly what is being accessed and when.

Re: Cross Vlan communication

Tzammel — Thu, 29 Aug 2024 17:26:35 GMT

Hi Gents, did anyone find a solution to this thread ? Thanks

Re: Cross Vlan communication

paul_stejskal — Thu, 29 Aug 2024 18:52:12 GMT

You need to set your switch to allow VLANs to cross or layer 3 cross-VLAN connectivity. Alternatively set up a LIF on the user VLAN.

Re: Cross Vlan communication

Tzammel — Fri, 30 Aug 2024 15:41:24 GMT

Thank you very much for your help.

I found this NetApp article that describes the situation we are facing:

https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/Network_traffic_not_sent_or_sent_out_of_an_unexpected_interface_after_upgrade_to_9.2_due_to_elimination_of_IP_Fastpath

Any idea how to create the return routes ?