Network and Storage Protocols

ifconfig <interface> [trusted | untrusted] means what ?

herbert_feutl
5,767 Views

You can specify whether a network interface is trustworthy or untrustworthy. When you specify an interface as untrusted (untrustworthy), any packets received on the interface are likely to be dropped. For example, if you run a ping command on an untrusted interface, the interface drops any ICMP response packet received.

I have read this in my course material and a few other man pages and I am asking myself - what the hell does that mean ?!

Why do I define a interface as trusted or untrusted and what is allowed or disallowed if I choose the one or the other. Something is happening likely sounds for me like a random decision engine is in place by setting up an untrusted interface.

Hopefully someone can explain or point me to a likely network specific information

Thanks

6 REPLIES 6

scottgelb
5,767 Views

I haven't used it but remember it being discussed for a dmz. you can also set a ping throttle with options ip for the controller for all interfaces.

herbert_feutl
5,767 Views

Hi Scott,

thanks for the answer - but I need a more specific one 

I am actually a network guy - and therefore I would be interested which services and options are available. I mean there has to be a documentation about it - except to say - it trusts or untrusts an interface

So perhaps somebody can point me to a direction (url, document).

scottgelb
5,767 Views

I wish I was more knowledgable about this so hopefully a network TME or other expert replies on this.  The 8.1 nag.pdf (network admin guide) https://library.netapp.com/ecm/ecm_get_file/ECMP1113296 has the same quote you listed but goes further to say only HTTP is allowed by default.  From the command reference, https://library.netapp.com/ecm/ecm_get_file/ECMM1281126 it says untrusted can't be applied to an interface group...so only a single interface not in a vif/ifgrp.  The file system admin guide gives some more information https://library.netapp.com/ecm/ecm_get_file/ECMP1114231  "You restrict HTTP access by marking the subnet interface as untrusted. An untrusted subnet interface provides only read-only HTTP access to the storage system. By default, a subnet interface is trusted." 

nag.pdf

Specifying whether a network interface is trusted

You can specify whether a network interface is trustworthy or untrustworthy. When you specify an

interface as untrusted (untrustworthy), any packets received on the interface are likely to be dropped.

For example, if you run a ping command on an untrusted interface, the interface drops any ICMP

response packet received.

About this task

Applications using protocols such as NFS, CIFS or HTTP can choose to accept packets only from

trusted interfaces. If the destination interface is set as untrusted, it can receive packets from untrusted

interfaces. Otherwise, the packets from untrusted interfaces are dropped. By default, only HTTP

allows receiving packets from untrusted interfaces.

baijulal
5,767 Views

scottgelb
5,767 Views

Good kb. Clarifies http only for untrusted. Do any customers still use http for file access direct to NetApp instead of a front-end web server? I haven't seen it used in years.

Sent from my iPhone 4S

herbert_feutl
5,767 Views

awesome we are getting closer - thanks - but still it feels not all information has been unraveled

so I take your information - thanks - still hopening that somewhere there is a collected knowledge about that

(thumbsup)

Public