ONTAP Discussions

snapmirror over ssh tunnel

boardvantage
7,093 Views

Hi,

Just a small question. I am totally new to netapp, and I am trying to configure snap mirror over ssh tunnel. While searching for the info, I did come across a comment mentioning that snap mirror cannot be done via ssh tunnel. I was wondering if anyone can please give me some info regarding this. I can ssh into the remote filer using the ssh tunnel so why not snapmirror?

Thanks,

7 REPLIES

adamfox

I'm not aware of the ability to do this natively on the storage controller. I've heard of some solutions that may come down the line, but nothing now. I think most customers who have this requirement use an external encryption box.

boardvantage

Hi,

Thanks for your reply. I was not talking about doing it natively. Here is my scenario.

I have my win box. I use my ssh client to ssh into the SSH server of my production site. To access the inside networks I have created the appropriate tunnels. Now I have my linux box on the same network as my win box. If SSH client on my win box is running and say it has a tunnel defined, I could SSH from my linux box to my winbox on the specified port in the tunnel and reach the inside of my production website.

I did the same for the filer. Created the tunnel and then from my linux box SSH my win box to reach the filer.

Now for snapmirror, I defined a tunnel in my SSH client on my win box for the port 10566 which I believe is used by the filer for snap mirror. Told my destination filer that the source is my win box and configured everything else. Now in theory when the destination filer goes to source which is my win box it should land onto the source filer at port 10566 because of the defined tunnel. This is what is not happening!!!!!!!!!!

Please let me know if you do not get it. I understand that my explanation might not be very clear.

btw here is the link which stated that this is not possible and I was curious as to why....

http://toasters.mathworks.com/toasters/5830.html

Thanks,

BrendonHiggins

Sorry ~ Heavy night on the beer last night...

If you have created a ssh tunnel between two PCs and they are moving all the packets for you, i.e. a VPN. You can route the snapmirror traffic via normal IP routing rules. We have created a VIF with an IP in a different subnet and both filers. We then set up the snapmirror to use this vif. Your router then sends the traffic down the correct pipe.

Is this what you were asking?

boardvantage

hehe never mind I'll have one today!!

Actually NO. I have my office network. If I want to connect to a server on inside network on my production site, I connect to the SSH server in dmz of my production site. I then create appropriate tunnels to route http, vnc etc traffic to the inside server where I want to reach. Only port 22 and 443 are open on our network. We do everything else via ssh tunneling.

That's what I want to do with filer snapmirror. Now filer does not have a SSH client natively, so what I am trying to do is that I have opened a SSH connection to my production site with a tunnel forwarding the traffic to port 105666 of the source filer. I have given the IP of my win box hosting my SSH tunnel as a source IP to the filer. I believe what should happen is that as soon as I initialize the snapmirror, my destination filer should look for my winbox and then through the tunnel land on the filer port 105666 to initiate the transfer. But that is not happening!!!! Apparently everything is right, and I was wondering if there is any issue with filer traffic which SSH cannot handle or something.

boardvantage

Well, certainly snapmirror over ssh tunnel is possible. I just added all the ports to my tunnel, still need to see which one made the difference other than 10566. Just another question though. I am getting an error, source incompatible version, when I initialise the mirror. Are there any dependencies of Data ONTAP? One is running 7.3 RC2 while other has 7.2.4L1.

Thanks

BrendonHiggins

You can snapmirror from an older version (7.2.1) of OnTap to a newer version (7.2.2) as this allows time for the OS to be upgraded on both systems. I am not sure about in point releases however, as they often have different features (Thinking parity disks, etc). The best practice says the versions should be the same.

tljohnsn1

I did get snapmirror to work over an ssh tunnel using the following procedure:

The destination filer has an address of 10.0.2.142 on the remote network

From some other host on the same LAN as the source filer, set up a tunnel:

ssh -N -g -L 10565:10.0.2.142:10565 -L 10566:10.0.2.142:10566 -L 10568:10.0.2.142:10568 -L 10569:10.0.2.142:10569 remote.example.com

On the source filer, create an /etc/hosts entry with the name of the remote filer and the IP address of the box you ran the ssh tunnel on

On the destination filer, create another /etc/hosts entry with the IP address of the tunnel endpoint and the name of the source filer

On the source filer create an access entry with the name of the destination filer

Then on the destination run:

vol create <source filer>_test -s none aggr0 1g

vol restrict <source filer>_test

snapmirror initialize -S <source filer>:test <source filer>_test

snapmirror status -l <source filer>_test
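
Added example, not part of tljohnsn1's post or any NetApp tooling: the post's `-g` flag makes the forwarded ports listen on every interface of the tunnel host, so this sketch builds the same four forwards bound to a single LAN address and sets `ExitOnForwardFailure=yes` so that a forward that cannot be set up stops ssh instead of leaving a half-working tunnel. The function names and the bind address 192.0.2.10 are hypothetical; the ports, filer address and SSH host are the ones used in the post.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names, constructed bind address).

# Ports forwarded in the post above.
SNAPMIRROR_PORTS="10565 10566 10568 10569"

# valid_port PORT -> succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmd BIND_ADDR FILER_ADDR SSH_HOST [PORTS]
# Prints the ssh command line; returns 1 if any port is invalid.
build_tunnel_cmd() {
    local bind_addr="$1" filer_addr="$2" ssh_host="$3"
    local ports="${4:-$SNAPMIRROR_PORTS}"
    # -N: no remote command. ExitOnForwardFailure: fail loudly if a
    # listener cannot be created (e.g. port already in use).
    local cmd="ssh -N -o ExitOnForwardFailure=yes"
    local p
    for p in $ports; do
        if ! valid_port "$p"; then
            echo "invalid TCP port: $p" >&2
            return 1
        fi
        # Explicit bind address instead of -g: only this interface listens.
        cmd="$cmd -L $bind_addr:$p:$filer_addr:$p"
    done
    printf '%s %s\n' "$cmd" "$ssh_host"
}

# Print the command for the post's addresses (bind address is constructed).
build_tunnel_cmd 192.0.2.10 10.0.2.142 remote.example.com
```

The address given as BIND_ADDR is the one the filer's /etc/hosts entry has to point at, since the listeners exist only on that interface.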
