Network and Storage Protocols

How can we dedicate network ports for accessing shares only?

support_3
3,131 Views

Hi

We need to dedicate network ports to access shares only. Is it possible?

2 REPLIES

madden

There are several options you can set to disable the various IP-based protocols on a per Ethernet interface basis.

From the 8.1 'options' manpage:

interface.blocked.cifs
The option is set to a comma-separated list of interface names for which CIFS is blocked. The default is the empty list, "", which means that CIFS is not blocked on any interface (unless option interface.blocked.mgmt_data_traffic is set to "on"). The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

interface.blocked.iscsi
The option is set to a comma-separated list of interface names for which iSCSI is blocked. The default is the empty list, "", which means that iSCSI is not blocked on any interface (unless option interface.blocked.mgmt_data_traffic is set to "on"). The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

interface.blocked.ftpd
The option is set to a comma-separated list of interface names for which FTP is blocked. The default is the empty list, "", which means that FTP is not blocked on any interface. The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

interface.blocked.mgmt_data_traffic
This option controls the protocol filter for dedicated mgmt ports, such as e0M on many platforms (not all platforms have a dedicated mgmt port). If the option is set to on (the default for new installs), then NDMP, NFS, CIFS, iSCSI and the SNAP* family of data protocols will be blocked by the dedicated mgmt port. "On" is the recommended setting because a dedicated mgmt port is a low-bandwidth port that does not support jumbo frames, vlans, or ifgrps. If a dedicated mgmt port is used for data traffic, it can hide misconfigurations that might lead to a serious loss of storage system throughput. A dedicated mgmt port should only be configured with addresses that are on isolated management-only subnets. See the NMG for details.

interface.blocked.ndmp
The option is set to a comma-separated list of interface names for which NDMP is blocked. The default is the empty list, "", which means that NDMP is not blocked on any interface (unless option interface.blocked.mgmt_data_traffic is set to "on"). The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

interface.blocked.nfs
The option is set to a comma-separated list of interface names for which NFS is blocked. The default is the empty list, "", which means that NFS is not blocked on any interface (unless option interface.blocked.mgmt_data_traffic is set to "on"). The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

interface.blocked.snapmirror
The option is set to a comma-separated list of interface names for which snap* protocols are blocked. The default is the empty list, "", which means that snap* protocols are not blocked on any interface (unless option interface.blocked.mgmt_data_traffic is set to "on"). The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

So a command like "options interface.blocked.cifs e0a,e0b" would disable CIFS on interfaces e0a and e0b while leaving it enabled on all other interfaces.

The "NMG" it refers to is the "Network Management Guide" that is part of each Data ONTAP release documentation set.

You could also use MultiStore (vfiler) for additional separation. In this case the vfiler protocol is only active on IPs you specifically add (vs. with the blocked options, where it is active except on the ones that you specifically exclude).

Hope that helps.

Christopher Madden

Storage Architect, NetApp EMEA
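To make the manpage semantics above concrete (exclusion lists, the `""` empty default, the mgmt-port filter), here is an added Python helper that is not part of this thread or of Data ONTAP itself. It generates the `options interface.blocked.<proto>` commands needed to confine CIFS/NFS to chosen interfaces, and audits a constructed `options interface.blocked` dump to confirm which protocols a given interface still accepts. The interface names, the `e0M` management port and the one-option-per-line dump format are assumptions.

```python
# Added example (not from the thread or NetApp): generate and audit
# Data ONTAP 7-mode interface.blocked.* settings. Interface names,
# the e0M mgmt port and the dump format below are assumptions.

BLOCK_OPTS = {  # protocol -> option name, as listed in the 'options' manpage
    "cifs": "interface.blocked.cifs",
    "nfs": "interface.blocked.nfs",
    "iscsi": "interface.blocked.iscsi",
    "ftpd": "interface.blocked.ftpd",
    "ndmp": "interface.blocked.ndmp",
    "snapmirror": "interface.blocked.snapmirror",
}
# Data protocols the manpage says mgmt_data_traffic=on blocks on the mgmt port
MGMT_BLOCKED = {"ndmp", "nfs", "cifs", "iscsi", "snapmirror"}


def confine_commands(interfaces, share_ifaces, share_protos=("cifs", "nfs"), excluded=()):
    """Return 'options ...' commands that allow share_protos only on
    share_ifaces and block every other protocol on those interfaces.
    The lists are exclusion lists, so an empty list is written as "".
    Interfaces in `excluded` (TOE-enabled or iSCSI HBAs) are skipped
    because the manpage says they cannot appear in the list."""
    cmds = []
    for proto, opt in BLOCK_OPTS.items():
        if proto in share_protos:
            blocked = [i for i in interfaces if i not in share_ifaces]
        else:
            blocked = [i for i in interfaces if i in share_ifaces]
        blocked = [i for i in blocked if i not in excluded]
        cmds.append(f"options {opt} {','.join(blocked) if blocked else chr(34) * 2}")
    return cmds


def parse_options(dump):
    """Parse constructed 'options interface.blocked' output, one
    'option value' pair per line, into {option: raw value string}."""
    parsed = {}
    for line in dump.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0].startswith("interface.blocked."):
            parsed[parts[0]] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return parsed


def allowed(parsed, proto, iface, mgmt_iface="e0M"):
    """True if `proto` is still reachable on `iface`, honouring both the
    per-protocol exclusion list and the dedicated mgmt-port filter."""
    if iface == mgmt_iface and proto in MGMT_BLOCKED \
            and parsed.get("interface.blocked.mgmt_data_traffic") == "on":
        return False
    blocked = set(filter(None, parsed.get(BLOCK_OPTS[proto], "").split(",")))
    return iface not in blocked
```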

aborzenkov

You can restrict protocols for specific adapters. So you can allow CIFS only on dedicated interfaces.
