ONTAP Discussions

Cross Vlan communication

joesmith

Hello,

I am running ONTAP 9.7 and I am trying to figure out if there is a way to connect to a LIF that is in a different VLAN.

To give some background on our network, it is set up like this, with the firewall open from workstations to servers in each department:

10.10.20.0/24 = Department A workstations

10.10.25.0/24 = Department A Servers

10.10.30.0/24 = Department B workstations

10.10.35.0/24 = Department B Servers

My networking team is requesting that we mount our CIFS shares on our workstations through IPs in the server subnets, to keep non-workstation things off of the workstation subnets.

Our setup on the NetApp side currently looks like this.

We have ports e0c and e0d aggregated into a0a on both nodes, and ports e0e and e0f aggregated into a0b on both nodes.

We then have VLANs set up on all 4 aggregated ports, i.e. a0a-20, a0a-25, a0a-30 and a0a-35 on all 4 aggregated ports.

As far as I can see, the VLANs are supposed to prevent traffic going between them. So is there a way for me to get a workstation in VLAN 20 to mount a share in VLAN 25?


Thank you for any guidance you have!


NetApp_SR

VLANs are designed to separate traffic. A router can connect the two networks, or a layer 3 switch could be configured to connect the networks. You could also create multiple LIFs on the SVM, one for each VLAN.

paul_stejskal

Just have a LIF per VLAN for each SVM.

joesmith

Thanks for reaching out to help.

We have a firewall policy set up at the layer 3 level to allow all traffic from the 10.10.20 subnet to the 10.10.25 subnet, but when I try to mount a LIF with a 10.10.25 IP from my workstation it won't connect. Everything is working correctly when trying to mount within the workstation subnet.

paul_stejskal

If the share is going to be open anyway, why not use a LIF in 10.10.20 on the same VLAN? Unless the network/security team wants to log the traffic going in? But fpolicy could be used for that too.

joesmith

That was their desire, to be able to log information about who/what was being accessed. My main concern was the firewall slowing things down a bit, but then when I tried to connect to the SVM from a LIF on a different VLAN it wouldn't let me access it through that LIF. That's why I am trying to figure out if/how to make that happen. As I said, the company firewall policy is wide open from 10.10.20 to 10.10.25, so I would think that the NetApp is blocking that traffic somehow.

paul_stejskal

And the LIF is on something like a0a-123, where 123 is the VLAN ID?

What is the switch configured for that interface for the VLANs?

paul_stejskal

Also, if you wish to monitor, fpolicy will do just that. Just throwing it out there. It may work better because it doesn't have to perform any in-flight packet inspection but just logs exactly what is being accessed and when.

Tzammel

Hi gents, did anyone find a solution to this thread? Thanks

paul_stejskal

You need to set your switch to allow VLANs to cross or layer 3 cross-VLAN connectivity. Alternatively set up a LIF on the user VLAN.

Tzammel

Thank you very much for your help.

I found this NetApp article that describes the situation we are facing:

https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/Network_traffic_not_sent_or_sent_out_of_an_unexpected_interface_after_upgrade_to_9.2_due_to_elimin...

Any idea how to create the return routes?
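The two unresolved points in this thread, whether the cross-VLAN reply leaves the SVM through the expected LIF and what a "return route" has to look like, come down to an ordinary routing-table lookup once ONTAP no longer has IP fastpath. The following is an added example written for this page, not code from the thread, the linked KB or NetApp: it models the SVM's egress decision for a reply packet. A destination inside one of the SVM's own LIF subnets is sent directly out that LIF (connected route); otherwise the static route with the longest matching prefix wins, and the reply leaves via the LIF whose subnet contains that route's gateway. The LIF names, the `.1` gateway addresses, the client address 10.10.20.5 and the SVM name `svm1` are all constructed for illustration.

```python
"""Model of how an ONTAP 9.2+ SVM picks the egress LIF for a reply packet.

Added example (not NetApp code). Two rules of ordinary IP routing:
  1. a destination inside a LIF's own subnet goes straight out that LIF;
  2. otherwise the static route with the longest matching prefix is used and
     the packet leaves via the LIF whose subnet contains the route's gateway.
Ties between a connected subnet and a static route of the same length go to
the connected subnet, as in a normal kernel routing table.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Lif:
    name: str        # hypothetical LIF name
    address: str
    prefixlen: int
    port: str        # VLAN port from the thread, e.g. a0a-25

    @property
    def subnet(self):
        return ipaddress.ip_interface(f"{self.address}/{self.prefixlen}").network


# Constructed SVM layout matching the thread: one data LIF per VLAN.
LIFS_BOTH_VLANS = [
    Lif("svm1_cifs_20", "10.10.20.10", 24, "a0a-20"),
    Lif("svm1_cifs_25", "10.10.25.10", 24, "a0a-25"),
]
# Variant the network team asked for: no LIF on the workstation VLAN at all.
LIFS_SERVER_ONLY = [Lif("svm1_cifs_25", "10.10.25.10", 24, "a0a-25")]

# Hypothetical gateways (.1 on each subnet). Static routes are (destination, gateway).
ROUTES_DEFAULT_VIA_VLAN20 = [("0.0.0.0/0", "10.10.20.1")]
ROUTES_DEFAULT_VIA_VLAN25 = [("0.0.0.0/0", "10.10.25.1")]


def lif_on_link(addr, lifs):
    """Return the LIF whose subnet contains addr (i.e. addr is reachable at layer 2), or None."""
    ip = ipaddress.ip_address(addr)
    for lif in lifs:
        if ip in lif.subnet:
            return lif
    return None


def lookup_route(dest, routes):
    """Longest-prefix match over the static routes; returns (network, gateway) or None."""
    ip = ipaddress.ip_address(dest)
    best = None
    for net, gw in routes:
        network = ipaddress.ip_network(net)
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best


def egress_lif(dest, routes, lifs):
    """LIF a reply to dest leaves from, or None if dest is unreachable."""
    ip = ipaddress.ip_address(dest)
    candidates = []  # (prefixlen, connected?, lif)
    for lif in lifs:
        if ip in lif.subnet:
            candidates.append((lif.subnet.prefixlen, 1, lif))
    for net, gw in routes:
        network = ipaddress.ip_network(net)
        via = lif_on_link(gw, lifs)  # a route is usable only if its gateway is on-link
        if ip in network and via is not None:
            candidates.append((network.prefixlen, 0, via))
    if not candidates:
        return None
    candidates.sort(key=lambda c: (c[0], c[1]), reverse=True)
    return candidates[0][2]


def is_symmetric(ingress_lif_name, client, routes, lifs):
    """True when the reply leaves through the same LIF the client connected to."""
    out = egress_lif(client, routes, lifs)
    return out is not None and out.name == ingress_lif_name


if __name__ == "__main__":
    client = "10.10.20.5"  # constructed workstation address in VLAN 20
    for label, lifs, routes in [
        ("LIF per VLAN, default route via VLAN 20", LIFS_BOTH_VLANS, ROUTES_DEFAULT_VIA_VLAN20),
        ("LIF per VLAN + hypothetical host route", LIFS_BOTH_VLANS,
         ROUTES_DEFAULT_VIA_VLAN20 + [("10.10.20.5/32", "10.10.25.1")]),
        ("server-VLAN LIF only, default route via VLAN 25", LIFS_SERVER_ONLY, ROUTES_DEFAULT_VIA_VLAN25),
    ]:
        out = egress_lif(client, routes, lifs)
        print(f"{label}: reply to {client} leaves via {out.name} ({out.port}); "
              f"symmetric with svm1_cifs_25: {is_symmetric('svm1_cifs_25', client, routes, lifs)}")
```

What the model shows for the thread's layout: with a LIF on both VLANs, a workstation that connects to the 10.10.25.10 LIF through the firewall gets its reply sent directly out the 10.10.20.10 LIF, because 10.10.20.0/24 is a connected subnet of the SVM, so the firewall only ever sees one direction. Adding `10.10.20.0/24` via `10.10.25.1` does not change that in the model (same prefix length, connected wins); only a route with a longer prefix than the LIF's own subnet, or having no LIF on the workstation VLAN at all, sends the reply back through the server-VLAN gateway. On the cluster, the static routes are listed with `network route show -vserver svm1` and created with `network route create -vserver svm1 -destination <prefix> -gateway <gateway>`; whether a host route or a narrower prefix is acceptable in your environment is something to confirm against the KB linked above.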
