Skip to main content

Prerequisites for cluster peering

Contributors netapp-barbe netapp-mwallis netapp-pcarriga netapp-ahibbard netapp-folivia netapp-thomi netapp-aherbin

Before you set up cluster peering, you should confirm that the connectivity, port, IP address, subnet, firewall, and cluster-naming requirements are met.

Note

Beginning with ONTAP 9.6, Cluster Peering provides TLS 1.2 AES-256 GCM encryption support for data replication by default. The default security ciphers ("PSK-AES256-GCM-SHA384") are required for Cluster Peering to work even if encryption is disabled.

Beginning with ONTAP 9.11.1, DHE-PSK security ciphers are available by default.

Beginning with ONTAP 9.15.1, Cluster Peering provides TLS 1.3 encryption support for data replication by default.

Connectivity requirements

Every intercluster LIF on the local cluster must be able to communicate with every intercluster LIF on the remote cluster.

Although it is not required, it is typically simpler to configure the IP addresses used for intercluster LIFs in the same subnet. The IP addresses can reside in the same subnet as data LIFs, or in a different subnet. The subnet used in each cluster must meet the following requirements:

  • The subnet must belong to the broadcast domain that contains the ports that are used for intercluster communication.

  • The subnet must have enough IP addresses available to allocate to one intercluster LIF per node.

    For example, in a four-node cluster, the subnet used for intercluster communication must have four available IP addresses.

Each node must have an intercluster LIF with an IP address on the intercluster network.

Intercluster LIFs can have an IPv4 address or an IPv6 address.

Note ONTAP enables you to migrate your peering networks from IPv4 to IPv6 by optionally allowing both protocols to be present simultaneously on the intercluster LIFs. In earlier releases, all intercluster relationships for an entire cluster were either IPv4 or IPv6. This meant that changing protocols was a potentially disruptive event.

Port requirements

You can use dedicated ports for intercluster communication, or share ports used by the data network. Ports must meet the following requirements:

  • All ports that are used to communicate with a given remote cluster must be in the same IPspace.

    You can use multiple IPspaces to peer with multiple clusters. Pair-wise full-mesh connectivity is required only within an IPspace.

  • The broadcast domain that is used for intercluster communication must include at least two ports per node so that intercluster communication can fail over from one port to another port.

    Ports added to a broadcast domain can be physical network ports, VLANs, or interface groups (ifgrps).

  • All ports must be cabled.

  • All ports must be in a healthy state.

  • The MTU settings of the ports must be consistent.

Firewall requirements

Note Beginning with ONTAP 9.10.1, firewall policies are deprecated and wholly replaced with LIF service policies. For more information, see Configure firewall policies for LIFs.

Firewalls and the intercluster firewall policy must allow the following protocols:

  • Bidirectional ICMP traffic

  • Bidirectional initiated TCP traffic to the IP addresses of all the intercluster LIFs over ports 11104 and 11105

  • Bidirectional HTTPS between the intercluster LIFs

    Although HTTPS is not required when you set up cluster peering using the CLI, HTTPS is required later if you use System Manager to configure data protection.

The default intercluster firewall policy allows access through the HTTPS protocol and from all IP addresses (0.0.0.0/0). You can modify or replace the policy if necessary.

Cluster requirement

Clusters must meet the following requirement:

  • A cluster cannot be in a peer relationship with more than 255 clusters.