ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

Can I add a subnet to a netgroup (and have it work)?

SCOTT_LINDLEY
‎2023-09-19 09:47 AM
2,429 Views

I've been trying to add a subnet as a member of a netgroup used in an export policy rule and the hosts in the subnet still do not have access. I've tried both forms of subnet spec (a.b.c.d/m and a.b.c.d/w.x.y.z) and neither seem to work. I can't find any documentation that states that this isn't allowed, nor can I find any that states that it is. Please advise as to if this is possible or not. If it is, it will greatly simplify the administration of access to filesystems for one of our primary applications. We really don't want to have to add new export policy rules to each impacted filesystem, then have to track them all back down later when we need to update the subnet list, that'd be a ton of overhead and quite error prone. Please advise as whether or not this is possible. We are using netgroups serviced from LDAP.

 

Thank you for your attention to this matter.

0 Kudos
1 ACCEPTED SOLUTION

AlexDawson
A-Team Tech Advisor A-Team Tech Advisor
‎2023-09-19 08:59 PM
2,367 Views

Subnet notation of any form for IPs in netgroups is not supported by standard, or by ONTAP, sorry. 

 

View solution in original post

0 Kudos
4 REPLIES 4

AlexDawson
A-Team Tech Advisor A-Team Tech Advisor
‎2023-09-19 08:59 PM
2,368 Views

Subnet notation of any form for IPs in netgroups is not supported by standard, or by ONTAP, sorry. 

 

0 Kudos

Vadiraj12
‎2023-09-20 02:10 AM
2,345 Views

I have been adding subnets to export-policy clientmatch and its working like a charm without any issues.

 

The format I am using is a.b.c.d/m. I haven't seen any issues till now. You can add that subnet to the clientmatch in a export rule and run "export-policy check-access" command to verify if that server has proper access or not. Either this will work or I understood this question incorrectly.

 

Either way, I urge you to try it out once. Check the ns-switch output too of that vserver.

0 Kudos

AlexDawson
A-Team Tech Advisor A-Team Tech Advisor
‎2023-09-20 04:06 AM
In response to Vadiraj12
2,338 Views

Making it work from a standards compliant netgroup served from LDAP is the key difference from what you’ve posted 

0 Kudos

EWILTS_SAS
‎2023-09-22 02:30 PM
In response to Vadiraj12
2,097 Views

export-policy: yes
netgroup: no
We would certainly love it if netgroups supported subnets but alas, I doubt we'll ever see it.

0 Kudos
All Community Forums
Public