Do I need DNS access on SVM LIFs to serve CIFS?

B_R

Hi everyone!

 

Short version: Do I need direct access to DNS from SVM data LIFs to join the SVM to an AD Domain and serve CIFS? Shouldn't DNS access from the node management interfaces be enough?

 

Long version:

We've recently acquired a FAS2750 with ONTAP 9.4P1 to replace our aging FAS8020 (still running ONTAP 8.2.4P5) that will be sent to a second site. The FAS8020 is serving NFS datastores for VMware, and a multitude of NFS and CIFS shares to different machines, and the idea is for the FAS2750 to do the same (it's already serving NFS with no issues).

 

The NFS and CIFS networks (192.168.x.x) are segregated from the management/core network (10.x.x.x) and on separate switches and VLANs so as to not impact or be impacted by the core network.

The only points of contact with the 10.x.x.x networks we have are the management interfaces on the controllers/cluster. All data LIFs are on the 192.168 network, on separate VLANs for NFS and CIFS. The SVM only has data LIFs on 192.168.xx.

 

10.x.x.x (management) and 192.168.x.x (storage services) do not route to each other. CIFS clients have a NIC in the storage network/VLAN, and access CIFS shares from there.

 

The FAS8020 happily serves CIFS on the 192.168 network since it is able to reach DNS and the Domain Controllers from the cluster management interfaces that are on 10.x.

However, the FAS2750 apparently cannot use the cluster management interfaces to reach DNS, and as such can't find the DNS servers in order to successfully join the AD domain.

 

How can I keep my management and storage network separate on the 2750, but still reach DNS from the SVM CIFS LIFs in order to join the domain and serve CIFS from the storage network? Do I need a management network LIF on the SVM as well, just to reach DNS and join the domain?

1 ACCEPTED SOLUTION

B_R

I posted the same question on Reddit and had a few more replies:

https://www.reddit.com/r/netapp/comments/cb1pbo/do_i_need_dns_access_on_svm_lifs_to_serve_cifs/

 

The moral of the story for me is that:

- SVMs need management LIFs so that they can reach DNS by themselves; the controllers reaching DNS is not enough

- These LIFs cannot be added on e0m; they must be on data ports

- As such, in my case I can either mix management and data traffic on separate VLANs but the same data ports, or I'll have to dedicate other data ports exclusively to get name resolution
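
The layout described in this answer, sketched as ONTAP 9.x CLI commands. This is an added example, not part of the original post or of NetApp's documentation. The SVM name, node names, port, VLAN ID, broadcast domain name, addresses and domain are constructed placeholders, and lines starting with `#` are annotations rather than commands to type.

```text
# 1. Tag the management VLAN (100 here, assumed) onto a data port on each node.
#    e0M cannot host this LIF, so it has to share or take over data ports.
network port vlan create -node cluster1-01 -vlan-name e0c-100
network port vlan create -node cluster1-02 -vlan-name e0c-100

# 2. Group both VLAN ports in one broadcast domain so the LIF has a
#    failover target on each node.
network port broadcast-domain create -ipspace Default -broadcast-domain mgmt_vlan100 -mtu 1500 -ports cluster1-01:e0c-100,cluster1-02:e0c-100

# 3. SVM management LIF on the 10.x side. "-data-protocol none" keeps CIFS/NFS
#    off this LIF, so file serving stays on the 192.168.x.x data LIFs.
network interface create -vserver svm_cifs -lif svm_cifs_mgmt -role data -data-protocol none -home-node cluster1-01 -home-port e0c-100 -address 10.0.0.50 -netmask 255.255.255.0 -firewall-policy mgmt -failover-policy broadcast-domain-wide

# 4. Only needed when DNS or the domain controllers sit on a different
#    10.x subnet than the LIF. The 192.168.x.x data LIFs need no route.
network route create -vserver svm_cifs -destination 0.0.0.0/0 -gateway 10.0.0.1

# 5. Per-SVM DNS configuration, then confirm the SVM itself can reach the servers.
vserver services name-service dns create -vserver svm_cifs -domains example.com -name-servers 10.0.0.10,10.0.0.11
vserver services name-service dns check -vserver svm_cifs

# 6. Join the domain. Lookups and DC traffic leave through the LIF from step 3.
vserver cifs create -vserver svm_cifs -cifs-server SVMCIFS -domain example.com

# 7. Review which LIF carries which protocols and firewall policy.
network interface show -vserver svm_cifs -fields address,data-protocol,firewall-policy,failover-policy,curr-port
```

The output of step 7 is the place to confirm that the 10.x LIF lists no data protocol and that the 192.168.x.x LIFs keep the data firewall policy.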

 


3 REPLIES

aborzenkov

Yes, each SVM uses its own local LIFs for DNS access. This LIF must be sufficiently redundant, ideally with a failover port on each node.

 

You can add a restricted administration LIF on the management network to the SVM.

B_R

Thank you, aborzenkov.

 

So... this means I'll have to either:

- Add the management VLAN to the same network ports where the data LIFs reside, and have management+data traffic on the same interfaces, or

- Dedicate controller network ports to this management LIF that will only be used to reach DNS.

 

Is this correct?
