https://community.netapp.com/t5/VMware-Solutions-Discussions/Segmentation-for-VMware-workloads/m-p/133649#M9049 <P>Hi there, we have been using our NetAPP FIler FAS for a couple of years, and I'm looking on design ideas on how we can include this new usecase. &nbsp;We have a customer coming in that will want 4 different envrionments with similar applications in each envrionment. &nbsp;We are going to use portgroups/vlans on that segment to have them access their volumes on netapp. &nbsp;I think we will have both NFS mounts for Oracle filesystems, and they will also have some CIFS shares. &nbsp;I believe that the current NFS is v3. &nbsp;So I"m trying to come up with an architecture where each envrionment can access file mounts on the NetAPP for access. &nbsp;I thought about using SVM, but I'm wondering if that is overkill for what I'm trying to protect against. &nbsp;We will still end up managing these netapp volumes, so they will not have separate admins on each volume.&nbsp;</P><P>&nbsp;</P><P>I know that I could do it with firewall rules so that all traffic leaving the segement in vSphere can only talk to a particular LIF on the NetAPP. &nbsp;Then we could use export policies for the NFS workload, and the for CIFS, there would have to be access based on which envrionment the request is coming from. &nbsp;I believe they will have an AD per envrionment, so that will make it easy. &nbsp;</P><P>When I talk about protecting against...my concerns are that vms in one environment can not mount shares/volumes on the wrong netapp mount point. &nbsp;I don't want development &nbsp;vms writing to production data on NetAPP. &nbsp;I want to keep to policies pretty generic so that I don't have to do much on the vms(if possible). &nbsp;I would like to hear what are some of the better ways to control access into a netAPP from a multi-tenant VMware envrionment?</P><P>&nbsp;</P><P>&nbsp;I've tried ot provide a rough picture of how it would look.</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks.</P><P>Sony,</P> Wed, 16 Aug 2017 14:55:55 GMT sonyf 2017-08-16T14:55:55Z https://community.netapp.com/t5/VMware-Solutions-Discussions/Segmentation-for-VMware-workloads/m-p/133649#M9049 <P>Hi there, we have been using our NetAPP FIler FAS for a couple of years, and I'm looking on design ideas on how we can include this new usecase. &nbsp;We have a customer coming in that will want 4 different envrionments with similar applications in each envrionment. &nbsp;We are going to use portgroups/vlans on that segment to have them access their volumes on netapp. &nbsp;I think we will have both NFS mounts for Oracle filesystems, and they will also have some CIFS shares. &nbsp;I believe that the current NFS is v3. &nbsp;So I"m trying to come up with an architecture where each envrionment can access file mounts on the NetAPP for access. &nbsp;I thought about using SVM, but I'm wondering if that is overkill for what I'm trying to protect against. &nbsp;We will still end up managing these netapp volumes, so they will not have separate admins on each volume.&nbsp;</P><P>&nbsp;</P><P>I know that I could do it with firewall rules so that all traffic leaving the segement in vSphere can only talk to a particular LIF on the NetAPP. &nbsp;Then we could use export policies for the NFS workload, and the for CIFS, there would have to be access based on which envrionment the request is coming from. &nbsp;I believe they will have an AD per envrionment, so that will make it easy. &nbsp;</P><P>When I talk about protecting against...my concerns are that vms in one environment can not mount shares/volumes on the wrong netapp mount point. &nbsp;I don't want development &nbsp;vms writing to production data on NetAPP. &nbsp;I want to keep to policies pretty generic so that I don't have to do much on the vms(if possible). &nbsp;I would like to hear what are some of the better ways to control access into a netAPP from a multi-tenant VMware envrionment?</P><P>&nbsp;</P><P>&nbsp;I've tried ot provide a rough picture of how it would look.</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks.</P><P>Sony,</P> Wed, 16 Aug 2017 14:55:55 GMT https://community.netapp.com/t5/VMware-Solutions-Discussions/Segmentation-for-VMware-workloads/m-p/133649#M9049 sonyf 2017-08-16T14:55:55Z https://community.netapp.com/t5/VMware-Solutions-Discussions/Segmentation-for-VMware-workloads/m-p/133654#M9050 <P>If each "environment" has a different AD domain, then you will need multiple SVMs. &nbsp;Beyond that, assuming each environment is using a different subnet, configure the export rules to only allow connections from the appropriate subnet.</P><P>&nbsp;</P><P>Andrew</P> Wed, 16 Aug 2017 15:26:28 GMT https://community.netapp.com/t5/VMware-Solutions-Discussions/Segmentation-for-VMware-workloads/m-p/133654#M9050 asulliva 2017-08-16T15:26:28Z https://community.netapp.com/t5/VMware-Solutions-Discussions/Segmentation-for-VMware-workloads/m-p/133674#M9052 <P>Andrew,</P><P>Thanks for the response. &nbsp;So if we have different ADs for each env, then we should segment by SVM. &nbsp;Otherwise, if we are just talkng about NFS mounts, and a single AD environment, then we could get a way with a single SVM. &nbsp;</P><P>Sony,</P> Thu, 17 Aug 2017 02:23:39 GMT https://community.netapp.com/t5/VMware-Solutions-Discussions/Segmentation-for-VMware-workloads/m-p/133674#M9052 sonyf 2017-08-17T02:23:39Z