network interface service-policy doesn't work or misconfigured?

SuperTeam · ‎2020-05-12

Hey,

I have a cluster running ontap 9.7P1.

For the sake of testing I created a custom service-policy which allows data-core for all ips (0.0.0.0/0)

and data-cifs with 1.1.1.0/24 in order to block anyone from accessing the svm via cifs (again, just for testing).

I assigned the data lif to this new service-policy and even brought it down and up but I can still access \\ the svm (and I'm not part of this ip segment).

I also tried to change the data-core service to 1.1.1.0/24 just to try and it didn't help also.

anyone has an idea?

thanks in advance 🙂

Ontapforrum · ‎2020-05-12

Hi,

Before troubleshooting, first thing I want to ask :

Is the export-policy enabled? (By-default it is disabled for cifs)

According to the KB below:
Since 8.2, export policies have no effect on CIFS, and only CIFS ACLs and share level permissions determine access. If you want ipbased (export policy based) access restrictions for cifs to apply, modify the corresponding advanced level cifs vserver option with cifs option modify on the cluster.

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_do_export-policies_work_in_clustered_Data_ONTAP%3F

Go to advance level:

::> set adv
Warning: These advanced commands are potentially dangerous; use them only when directed to do so by NetApp personnel.
Do you want to continue? {y|n}: y

Check the current policy first:

::*> vserver cifs options show -vserver <vserver name> -fields is-exportpolicy-enabled
vserver is-exportpolicy-enabled
------- - ----------------------
<vserver name> false

Enable it:

::*> vserver cifs options modify -vserver <vserver name> -is-exportpolicy-enabled true

Once enabled, give it a try.

Thanks!

SuperTeam · ‎2020-05-12

Thanks, I'll try that out

network interface service-policy doesn't work or misconfigured?

Latest video from NetApp KBTV

Join us on Discord