Skip to main content

Configure ONTAP LIFs for SVM-scoped NDMP

Contributors netapp-aaron-holt netapp-barbe netapp-dbagwell netapp-aherbin
PDFs

You must identify the LIFs that will be used for establishing a data connection between the data and tape resources, and for control connection between the admin SVM and the backup application. After identifying the LIFs, you must verify the service and failover policies are set.

Note Beginning with ONTAP 9.10.1, firewall policies are deprecated and wholly replaced with LIF service policies. For more information, see Manage supported traffic.
ONTAP 9.10.1 or later
Steps

  1. Identify the intercluster LIF hosted on the nodes by using the network interface show command with the -service-policy parameter.

    network interface show -service-policy default-intercluster

    Learn more about network interface show in the ONTAP command reference.

  2. Identify the management LIF hosted on the nodes by using the network interface show command with the -service-policy parameter.

    network interface show -service-policy default-management

  3. Ensure that the intercluster LIF includes the backup-ndmp-control service:

    network interface service-policy show

    Learn more about network interface service-policy show in the ONTAP command reference.

  4. Ensure that the failover policy is set appropriately for all the LIFs:

    1. Verify that the failover policy for the cluster-management LIF is set to broadcast-domain-wide, and the policy for the intercluster and node-management LIFs is set to local-only by using the network interface show -failover command.

      The following command displays the failover policy for the cluster-management, intercluster, and node-management LIFs:

      cluster1::> network interface show -failover

           Logical          Home            Failover    Failover
Vserver    Interface        Node:Port       Policy      Group
-------    --------------   --------------  ----------  --------
cluster    cluster1_clus1   cluster1-1:e0a  local-only  cluster
                                                     Failover Targets:
                   	                                 .......
cluster1   cluster_mgmt     cluster1-1:e0m  broadcast-  Default
                                          domain-wide
                                                     Failover Targets:
                                                     .......
           IC1              cluster1-1:e0a  local-only  Default
                                                     Failover Targets:
           IC2              cluster1-1:e0b  local-only  Default
                                                     Failover Targets:
                                                     .......
cluster1-1 c1-1_mgmt1       cluster1-1:e0m  local-only  Default
                                                     Failover Targets:
                                                     ......
cluster1-2 c1-2_mgmt1       cluster1-2:e0m  local-only  Default
                                                     Failover Targets:
                                                     ......

    2. If the failover policies are not set appropriately, modify the failover policy by using the network interface modify command with the -failover-policy parameter.

      cluster1::> network interface modify -vserver cluster1 -lif IC1 -failover-policy local-only

      Learn more about network interface modify in the ONTAP command reference.

  5. Specify the LIFs that are required for data connection by using the vserver services ndmp modify command with the preferred-interface-role parameter.

    cluster1::> vserver services ndmp modify -vserver cluster1 -preferred-interface-role intercluster,cluster-mgmt,node-mgmt

  6. Verify that the preferred interface role is set for the cluster by using the vserver services ndmp show command.

    cluster1::> vserver services ndmp show -vserver cluster1

                Vserver: cluster1
                NDMP Version: 4
                .......
                .......
Preferred Interface Role: intercluster, cluster-mgmt, node-mgmt
ONTAP 9.9 or earlier
Steps

  1. Identify the intercluster, cluster-management, and node-management LIFs by using the network interface show command with the -role parameter.

    The following command displays the intercluster LIFs:

    cluster1::> network interface show -role intercluster

            Logical      Status     Network            Current       Current Is
Vserver     Interface    Admin/Oper Address/Mask       Node          Port    Home
----------- ----------   ---------- ------------------ ------------- ------- ----
cluster1    IC1          up/up      192.0.2.65/24      cluster1-1    e0a     true
cluster1    IC2          up/up      192.0.2.68/24      cluster1-2    e0b     true

    The following command displays the cluster-management LIF:

    cluster1::> network interface show -role cluster-mgmt

            Logical       Status     Network            Current     Current Is
Vserver     Interface     Admin/Oper Address/Mask       Node        Port    Home
----------- ----------    ---------- ------------------ ----------- ------- ----
cluster1    cluster_mgmt  up/up      192.0.2.60/24      cluster1-2  e0M     true

    The following command displays the node-management LIFs:

    cluster1::> network interface show -role node-mgmt

            Logical           Status     Network         Current       Current Is
Vserver     Interface         Admin/Oper Address/Mask    Node          Port    Home
----------- ----------        ---------- --------------- ------------  ------  ------
cluster1    cluster1-1_mgmt1  up/up      192.0.2.69/24   cluster1-1    e0M     true
            cluster1-2_mgmt1  up/up      192.0.2.70/24   cluster1-2    e0M     true

    Learn more about network interface show in the ONTAP command reference.

  2. Ensure that the firewall policy is enabled for NDMP on the intercluster, cluster-management (cluster-mgmt), and node-management (node-mgmt) LIFs:

    1. Verify that the firewall policy is enabled for NDMP by using the system services firewall policy show command.

      The following command displays the firewall policy for the cluster-management LIF:

      cluster1::> system services firewall policy show -policy cluster

Vserver     Policy       Service    Allowed
-------     ------------ ---------- -----------------
cluster     cluster      dns        0.0.0.0/0
                         http       0.0.0.0/0
                         https      0.0.0.0/0
                         ndmp       0.0.0.0/0
                         ndmps      0.0.0.0/0
                         ntp        0.0.0.0/0
                         rsh        0.0.0.0/0
                         snmp       0.0.0.0/0
                         ssh        0.0.0.0/0
                         telnet     0.0.0.0/0
10 entries were displayed.

      The following command displays the firewall policy for the intercluster LIF:

      cluster1::> system services firewall policy show -policy intercluster

Vserver     Policy       Service    Allowed
-------     ------------ ---------- -------------------
cluster1    intercluster dns        -
                         http       -
                         https      -
                         ndmp       0.0.0.0/0, ::/0
                         ndmps      -
                         ntp        -
                         rsh        -
                         ssh        -
                         telnet     -
9 entries were displayed.

      The following command displays the firewall policy for the node-management LIF:

      cluster1::> system services firewall policy show -policy mgmt

Vserver     Policy       Service    Allowed
-------     ------------ ---------- -------------------
cluster1-1  mgmt         dns        0.0.0.0/0, ::/0
                         http       0.0.0.0/0, ::/0
                         https      0.0.0.0/0, ::/0
                         ndmp       0.0.0.0/0, ::/0
                         ndmps      0.0.0.0/0, ::/0
                         ntp        0.0.0.0/0, ::/0
                         rsh        -
                         snmp       0.0.0.0/0, ::/0
                         ssh        0.0.0.0/0, ::/0
                         telnet     -
10 entries were displayed.

    2. If the firewall policy is not enabled, enable the firewall policy by using the system services firewall policy modify command with the -service parameter.

      The following command enables firewall policy for the intercluster LIF:

      cluster1::> system services firewall policy modify -vserver cluster1 -policy intercluster -service ndmp 0.0.0.0/0

  3. Ensure that the failover policy is set appropriately for all the LIFs:

    1. Verify that the failover policy for the cluster-management LIF is set to broadcast-domain-wide, and the policy for the intercluster and node-management LIFs is set to local-only by using the network interface show -failover command.

      The following command displays the failover policy for the cluster-management, intercluster, and node-management LIFs:

      cluster1::> network interface show -failover

           Logical            Home              Failover              Failover
Vserver    Interface          Node:Port         Policy                Group
---------- -----------------  ----------------- --------------------  --------
cluster    cluster1_clus1     cluster1-1:e0a    local-only            cluster
                                                     Failover Targets:
                   	                                 .......

cluster1   cluster_mgmt       cluster1-1:e0m    broadcast-domain-wide Default
                                                     Failover Targets:
                                                     .......
           IC1                 cluster1-1:e0a    local-only           Default
                                                     Failover Targets:
           IC2                 cluster1-1:e0b    local-only           Default
                                                     Failover Targets:
                                                     .......
cluster1-1 cluster1-1_mgmt1   cluster1-1:e0m    local-only            Default
                                                     Failover Targets:
                                                     ......
cluster1-2 cluster1-2_mgmt1   cluster1-2:e0m    local-only            Default
                                                     Failover Targets:
                                                     ......

    2. If the failover policies are not set appropriately, modify the failover policy by using the network interface modify command with the -failover-policy parameter.

      cluster1::> network interface modify -vserver cluster1 -lif IC1 -failover-policy local-only

      Learn more about network interface modify in the ONTAP command reference.

  4. Specify the LIFs that are required for data connection by using the vserver services ndmp modify command with the preferred-interface-role parameter.

    cluster1::> vserver services ndmp modify -vserver cluster1 -preferred-interface-role intercluster,cluster-mgmt,node-mgmt

  5. Verify that the preferred interface role is set for the cluster by using the vserver services ndmp show command.

    cluster1::> vserver services ndmp show -vserver cluster1

                             Vserver: cluster1
                        NDMP Version: 4
                        .......
                        .......
            Preferred Interface Role: intercluster, cluster-mgmt, node-mgmt