Community maintenance is complete. Thank you for your patience!

ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Start a New Post

SVM Security best practice

dng_consulting
‎2017-02-27 07:13 AM

Hi all

 

Does someone know repercution security network or security breach for this 2 methods :

 

2 SVM  with 2 LIF ,  one lif per SVM and 1 vlan per lif  

 

and

 

1 SVM with 2 LIF (on the same SVM)  with export policy for filter by ip/client match.

 

Does somewhere we should found this KB /  Best Practice.

 

Thanks

 

Regards

 

 

0 Kudos
View By:
6 REPLIES 6

SYNTAXERROR
‎2017-02-27 07:25 AM

Hi

 

It depends on what you are doing with the 2 LIFs. If you want to use one for NFS and the other for CIFS I would use 2 SVMs because there is just one routing table per SVM.

I think it is not a security decision because then you use IPSpaces, it's more a networking/routing decision.

 

Regards

Dario

dng_consulting
‎2017-02-27 08:04 AM
In response to SYNTAXERROR

Thanks for this response.

 

My customer would like isolate flux dmz and they would like have one SVM for several VLAN.

I would like to explain their that it's better and properly to segregate each environment with several SVM but i don't have the strong argument 

 

 

 

0 Kudos

SYNTAXERROR
‎2017-02-27 08:30 AM
In response to dng_consulting

I would separate DMZ and the production network with IPSpaces.

In my opinion the following arguments are used to separate SVMs:

- SVM-DR

- Domain Admins have rights on Active Directory joined SVMs 

- If you use NFS SVMs for VMWare Datastore you need a user for a backup tool (like VSC) and you don't want to share the cifs volumes with this user (cloning, destroying and so on)

- Routing issues as mentioned

- Administrative issues: if for example the server team wants to administrate the CIFS Shares on their own and you don't want them to create shares on the NFS volumes

 

So it really depends on what you're using on this SVMs.

0 Kudos

SYNTAXERROR
‎2017-02-27 08:12 AM
In response to dng_consulting

There is no direct relationship between the protocols and the routing table but often you don't want to maintain a routing table for cifs when you don't know exactly in which subnets your clients live.

You can for sure create a SVM with both protocols but beware of the requirements for joining an Active Directory and the security style for the volumes.

JGPSHNTAP
‎2017-02-27 08:22 AM
In response to SYNTAXERROR

^^

agree

 

SVM's with ipspaces would be the way to go, one for DMZ, and one for prod network.

 

Don't mess with export policies to control acl's for cifs

JGPSHNTAP
‎2017-02-27 07:23 AM

Your question is slighly confusing to me.

 

We do one SVM with a lif on each physical from the cluster

 

So for example, SVM1, 2 HA pair would get 4 LIFS

 

In my honest opinion, unless you are in a super secure corporate environment, govt regulated or a true multi-tenant ip filtering is a complete waste of time

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

View All
NetApp Insights to Action
I2A Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public