ONTAP Discussions

how to appropirately manage default export policy on cdot?

dragontiger
4,262 Views

The default export policy is wild open to all hosts (0.0.0.0/0), if a rule is created under this policy with specified clients, then we should be alright, this is how I understood.

 

My question is, should we ever use the default policy, or in what situation, it could be used. I would say we should not use it.

 

What would you say?

5 REPLIES 5

aborzenkov
4,232 Views

Default policy does not contain any rule, so access is denied by default. There no universal answer whether you should add rules to default policy or define your own - it all depends on your specific requirements.

dragontiger
4,140 Views

OK. Would it cause any issues if I use one volume - one policy, which means everytime I create a volume I will assigned a new policy specifically to the volume?

chott
4,133 Views

The idea behind having central policies is to enable easier administration by reusing policies.

 

In my opinion adding one policy per volume would defeat that purpose and would make your system cumbersom to administrate.

 

Just as a side note: There is a limit to the maximum number of export policies you can create depending on the cluster size:

https://fieldportal.netapp.com/Core/DownloadDoc.aspx?documentID=139294&contentID=273354

https://fieldportal.netapp.com/Core/DownloadDoc.aspx?documentID=139296&contentID=273359

https://fieldportal.netapp.com/Core/DownloadDoc.aspx?documentID=139298&contentID=273360

 

I think there is no one answer fits it all, as already posted.

 

hope that helps.

cheers chriz

 

 

P.S. if you feel this post is useful, please KUDO or “accept as a solution" so other people may find it faster.

netappmagic
4,121 Views

Understand that there is no one answer fits it all.

 

However, I am looking for a rule of thumb in creating exporting policy, if there is such. For instance, may be one policy for all related applications / projects /clients? Would that be a common rule?

 

Thanks for sharing.

chott
4,119 Views

Yes I think your suggestion is great.

Create an export-policy per Client / Application

 

cheers chriz

P.S. if you feel this post is useful, please KUDO or “accept as a solution" so other people may find it faster.
Public