ONTAP Discussions

Cross Vlan communication

joesmith

Hello,

I am running ontap 9.7 and I am trying to figure out if there is a way to connect to a lif that is in a different vlan.

To give some background on our network it is set up like this with firewall open from workstations to servers in each department

 

10.10.20.0/24 = Department A workstations

10.10.25.0/24 = Department A Servers

10.10.30.0/24= Department B workstations

10.10.35.0/24 = Department B Servers

 

My networking Team is requesting that we mount our CIFS shares on our workstations through IPs in the server subnets to keep non workstation things off of the workstation subnets. 

 

Our set up on the netapp side currently looks like this.

 

we have ports e0c and e0d aggregated into a0a on both nodes and ports e0e and e0f aggregated into a0b on both nodes.

we then have VLANS set up on all 4 aggregated ports. ie a0a-20 a0a-25 a0a-30 a0a-35 on all 4 aggregated ports.

 

As far as I can see the VLANs are supposed to prevent traffic going between them. So is there a way for me to get the a workstation in vlan 20 to mount a share in vlan 25?

 

Thank you for any guidance you have!

 

 

 

 

7 REPLIES 7

NetApp_SR

Vlans are designed to separate traffic. A router can connect the two networks or a layer 3 switch could be configured to connect the networks. You could also create multiple LIFs on the SVM, one for each Vlan.

paul_stejskal

Just have a LIF per VLAN for each SVM.

joesmith

Thanks for reaching out to help.

 

We have a firewall policy set up at the layer 3 level to allow all traffic from the 10.10.20 subnet to the 10.10.25 subnet but when I try to mount a lif with a 10.10.25 IP from my workstation it won't connect. Everything is working correctly trying to mount with in the workstation subnet.

 

 

paul_stejskal

If the share is going to be open anyway, why not  use a LIF in 10.10.20 on the same VLAN? Unless the network/security team wants to log the traffic going in? But fpolicy could be used for that too.

 

joesmith

That was their desire, to be able to log information about who/what was being accessed. My main concern was the firewall slowing things down a bit, but then when i tried to connect to the SVM from a lif on a different vlan it wouldn't let me access it through that Lif. Thats why i am trying to figure out if/how to make that happen. As I said, the company firewall policy is wide open from 10.10.20 to 10.10.25, so i would think that the netapp is blocking that traffic somehow.

 

paul_stejskal

And the LIF is on like a0a-123 where 123 is the VLAN ID?

 

What is the switch configured for that interface for the VLANs?

Also, if you wish to monitor, fpolicy will do just that. Just throwing it out there. It may work better because it doesn't have to perform any in-flight packet inspection but just logs exactly what is being accessed and when.

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public