So the replication traffic will not have a src IP of the VIF?!

The solution you gave will be very confusing to implement as we will also be using mutistore - One VIF (4 x 1Gb links) will have multiple vlans (one per customer / vfiler) and each vlan will have an IP and 3 aliases (for IP load balancing).

Are there any other ways we can make sure replication comes from only 1 designated IP?

Hi,

If you are doing "vfiler to vfiler" snapmirror, then the rules are the same.  Each multistore/vfiler context has a separate routing table.  These work the same as on any other server.  There is no guarantee for source addresses if you have 3 IP on the (connection) source side in the same subnet.  If you are doing vfiler to vfiler mirroring, then IP filtering shouldn't be a big deal anyway.  All of the data belongs to the same customer, most likely.

Here you could introduce also a second subnet (and vlan) into each vfiler for snapmirror traffic with a host route (and the correct snapmirror source hostname) to make sure that the traffic is using the right net.  You can only use one ipspace (that means only one routing table and one default route) per vfiler, so you'll need the "host route" hack.

You could also do all of your snapmirror work via vfiler0 and just avoid the issue, if you don't have separate WAN connections per customer.  It would be infinitely simpler.

A bit of the confusion here is the juxtaposition of snapmirror source filer and snapmirror source connection IP, perhaps.  Since the updates are started from the snapmirror destination, this is the source IP for the connection even if it is on the snapmirror destination. Yes, it sounds a bit confusing, but it really isn't.

You can force snapmirror to check the IP, but that won't change the source IP address of the connection, because that is a matter of routing, and your aliases all have equal value as a source IP for the connection.

There is no "source routing" on ONTap, and frankly, I am happy for that.  It makes people have to understand routing and not just "make it work".

The vfilers will host data that should be securely partitioned and each vfiler will require an ipspace - Also, each vfiler will replicate data through separate network infrastructure and WAN links (once it has routed off the storage infrastructure).

With this is mind I can only have one subnet / VLAN (ipspace) so can't separate my replication traffic to a VLAN with a single IP??? Can I?

also I am not using vfiler DR

As in my previous post, as I need separation using ipspaces I can only have on vlan per vfiler and this would prevent me from being able to use a separate vlan for snapmirror replication. This leaves me with having to allow all IPs (vif + aliases) through an ACL for snapmirror - Can anyone confirm if I am right or wrong?

Hi,

I guess you probably haven't said enough about your setup.  If you are just trying to run a segregated setup for VMWare and have the multiple aliase for multi-connection iSCSI, then that could be a "private" vlan, that is, only reachable from the local servers.  This net wouldn't need to have a default route, necessarily, depending on what your DR setup is (do the servers have to be able to reach the snapmirror destination directly?)  Then you could have a second vlan for snapmirror traffic where the default route is.  There is no problem having multiple vlans per vfiler, but only one ipspace and one default route.

Either way, both the primary and secondary vfilers have the same data and should be in the same security zone, so I am having a bit of a problem understanding the ACL requirements anyway.

Using all of these address might not get you what you are looking for anyway.  Using 1 GE interfaces for server-storage connections is rapidly reaching the end of its usefulness.  The complexity of all of the extra ip addresses to hack multi-connection iscsi when there is no deterministic behavior forcing an even balance of traffic among your 1 GE links might just be more work that it is worth.  Depending on your actual customer needs,  a 10 GE net might be worth thinking about.

In any case, I guess the realities of the routing situation should be clear.  The other suggestion here is a bit like I also suggested.  Your options should be pretty clear by now.

Good luck.

Thanks for your input - I have some good options now and have a better understanding of this topic....

Many thanks