Re: Multistore and VIFs
2012-05-07 10:06 AM
I mean that one organization which manages one vFiler can configure the same VLAN(s) as a second vFiler and potentially will have the opportunity to steal sensitive data.
vFilers are managed through vfiler0. There is no way an administrator who has access only to a vfiler != vfiler0 can add additional interfaces to this vfiler. It has to be done through vfiler0.
And yes, you have to trust whoever manages vfiler0. Just as you have to trust your cloud provider, your hosting provider and dozens of other providers whose services you use every day.
Your English seems great to me :) True that more than one vFiler can be on the same VLAN (most don’t do this though) regardless of IPspace… even if a different routing table you could configure the same VLAN on both vFilers and that could be a security concern. A key point though is that the vFiler admin cannot create VLANs… those are created by the vfiler0 admin (the same is true of creating/destroying aggregates and volumes). So the vfiler0 admin is the security police in this case to ensure multiple vFilers are on separate networks.
Different IPspaces. There is one default gateway per ipspace. So if two vFilers are in the same ipspace, only one can set it and the other would get an error setting what is already there. If different gateways are needed, then that is a use case for a new ipspace. Or route add net/host commands, which can be painful.