I've been trying to add a subnet as a member of a netgroup used in an export policy rule and the hosts in the subnet still do not have access. I've tried both forms of subnet spec (a.b.c.d/m and a.b.c.d/w.x.y.z) and neither seems to work. I can't find any documentation that states that this isn't allowed, nor can I find any that states that it is. Please advise as to if this is possible or not. If it is, it will greatly simplify the administration of access to filesystems for one of our primary applications. We really don't want to have to add new export policy rules to each impacted filesystem, then have to track them all back down later when we need to update the subnet list; that'd be a ton of overhead and quite error-prone. Please advise as to whether or not this is possible. We are using netgroups serviced from LDAP.
Thank you for your attention to this matter.
1 ACCEPTED SOLUTION
AlexDawson has accepted the solution
Subnet notation of any form for IPs in netgroups is not supported by standard, or by ONTAP, sorry.
4 REPLIES
I have been adding subnets to export-policy clientmatch and it's working like a charm without any issues.
The format I am using is a.b.c.d/m. I haven't seen any issues till now. You can add that subnet to the clientmatch in an export rule and run the "export-policy check-access" command to verify if that server has proper access or not. Either this will work or I understood this question incorrectly.
Either way, I urge you to try it out once. Check the ns-switch output too of that vserver.
Making it work from a standards-compliant netgroup served from LDAP is the key difference from what you've posted.
export-policy: yes
netgroup: no
We would certainly love it if netgroups supported subnets but alas, I doubt we'll ever see it.
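As an added example (not from any poster in this thread), the Python sketch below lints netgroup triples for host fields written in either subnet form mentioned above and prints the a.b.c.d/m value that would instead belong in an export-policy clientmatch. It assumes the `nisNetgroupTriple` values have already been exported from LDAP as strings; the sample data and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: nisNetgroupTriple values as exported from an LDAP netgroup.
SAMPLE_TRIPLES = [
    "(appsrv01.example.com,,)",
    "(10.20.30.41,,)",
    "(10.20.30.0/24,,)",             # a.b.c.d/m form
    "(10.20.40.0/255.255.255.0,,)",  # a.b.c.d/w.x.y.z form
    "(,,)",
]

# A netgroup triple is (host,user,domain); any field may be empty.
TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def classify_host(host):
    """Classify a triple's host field: any, none, ip, subnet, invalid or name."""
    host = host.strip()
    if host == "":
        return "any"       # empty field is a wildcard in netgroup syntax
    if host == "-":
        return "none"      # "-" means no valid value for this field
    if "/" in host:
        try:
            ipaddress.ip_network(host, strict=False)
            return "subnet"
        except ValueError:
            return "invalid"
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "name"


def lint_triples(triples):
    """Return (triple, clientmatch) pairs for entries a netgroup will not honor.

    clientmatch is the CIDR string for subnet entries, None for malformed ones.
    """
    findings = []
    for triple in triples:
        match = TRIPLE_RE.match(triple.strip())
        if match is None:
            findings.append((triple, None))
            continue
        host = match.group(1).strip()
        kind = classify_host(host)
        if kind == "subnet":
            net = ipaddress.ip_network(host, strict=False)
            findings.append((triple, str(net)))
        elif kind == "invalid":
            findings.append((triple, None))
    return findings


if __name__ == "__main__":
    for triple, clientmatch in lint_triples(SAMPLE_TRIPLES):
        print(f"{triple}: not usable in a netgroup; clientmatch={clientmatch}")
```

Running a check like this against the LDAP export before each change catches subnet entries that would otherwise leave the intended hosts without access.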
