Network features by release

Download PDF of this page

Analyze the impact of network features available with each ONTAP 9 release.

Available beginning Feature Description


Auto port placement

ONTAP can automatically configure broadcast domains, select ports, and help configure network interfaces (LIFs), virtual LANs (VLANs), and link aggregation groups (LAGs) based on reachability and network topology detection.

When you first create a cluster, ONTAP automatically discovers the networks connected to ports and configures the needed broadcast domains based on layer 2 reachability. You no longer have to configure broadcast domains manually.

A new cluster will continue to be created with two IPspaces:

Cluster IPspace: Containing one broadcast domain for the cluster interconnect. You should never touch this configuration.

Default IPspace: Containing one or more broadcast domains for the remaining ports. Depending on your network topology, ONTAP configures additional broadcast domains as needed: Default-1, Default-2, and so on. You can rename these broadcast domains if desired, but do not modify which ports are configured in these broadcast domains.

When you configure network interfaces, the home port selection is optional. If you do not manually select a home port, ONTAP will attempt to assign an appropriate home port in the same broadcast domain as other network interfaces in the same subnet.

When creating a VLAN or adding the first port to a newly created LAG, ONTAP will attempt to automatically assign the VLAN or LAG to the appropriate broadcast domain based on its layer 2 reachability.

By automatically configuring broadcast domains and ports, ONTAP helps to ensure that clients maintain access to their data during failover to another port or node in the cluster.

Finally, ONTAP sends EMS messages when it detects that the port reachability is incorrect and provides the "network port reachability repair" command to automatically repair common misconfigurations.


Internet Protocol security (IPsec) over wire encryption

To ensure data is continuously secure and encrypted, even while in transit, ONTAP uses the IPsec protocol in transport mode. IPsec offers data encryption for all IP traffic including the NFS, iSCSI, and SMB/CIFS protocols. IPsec provides the only encryption in flight option for iSCSI traffic.

Once IPsec is configured, network traffic between the client and ONTAP is protected with preventive measures to combat replay and man-in-the-middle (MITM) attacks.

Configure IP security (IPsec) over wire encryption


Virtual IP (VIP) expansion

New fields have been added to the network bgp peer-group command. This expansion allows you to configure two additional Border Gateway Protocol (BGP) attributes for Virtual IP (VIP).

AS path prepend: Other factors being equal, BGP prefers to select the route with shortest AS (autonomous system) Path. You can use the optional AS path prepend attribute to repeat an autonomous system number (ASN), which increases the length of the AS path attribute. The route update with the shortest AS path will be selected by the receiver.

BGP community: The BGP community attribute is a 32-bit tag that can be assigned to the route updates. Each route update can have one or more BGP community tags. The neighbors receiving the prefix can examine the community value and take actions like filtering or applying specific routing policies for redistribution.


Switch CLI simplification

To simplify switch commands, the cluster and storage switch CLIs are consolidated. The consolidated switch CLIs include Ethernet switches, FC switches, and ATTO protocol bridges.

Instead of using separate "system cluster-switch" and "system storage-switch" commands, you now use "system switch". For the ATTO protocol bridge, instead of using "storage bridge", use "system bridge".

Switch health monitoring has similarly expanded to monitor the storage switches as well as the cluster interconnect switch. You can view health information for the cluster interconnect under "cluster_network" in the "client_device" table. You can view health information for a storage switch under "storage_network" in the "client_device" table.


IPv6 variable length

The supported IPv6 variable prefix length range has increased from 64 to 1 through 127 bits. A value of bit 128 remains reserved for virtual IP (VIP).

When upgrading, non-VIP LIF lengths other than 64 bits are blocked until the last node is updated.

When reverting an upgrade, the revert checks any non-VIP LIFs for any prefix other than 64 bits. If found, the check blocks the revert until you delete or modify the offending LIF. VIP LIFs are not checked.


Automatic portmap service

The portmap service maps RPC services to the ports on which they listen.

The portmap service is always accessible in ONTAP 9.3 and earlier, is configurable in ONTAP 9.4 through ONTAP 9.6, and is managed automatically starting in ONTAP 9.7.

In ONTAP 9.3 and earlier: The portmap service (rpcbind) is always accessible on port 111 in network configurations that rely on the built-in ONTAP firewall rather than a third-party firewall.

From ONTAP 9.4 through ONTAP 9.6: You can modify firewall policies to control whether the portmap service is accessible on particular LIFs.

Starting in ONTAP 9.7: The portmap firewall service is eliminated. Instead, the portmap port is opened automatically for all LIFs that support the NFS service.

Portmap service configuration


Cache search

You can cache NIS netgroup.byhost entries using the vserver services name-service nis-domain netgroup-database commands.



CUBIC is the default TCP congestion control algorithm for ONTAP hardware. CUBIC replaced the ONTAP 9.5 and earlier default TCP congestion control algorithm, NewReno.

CUBIC addresses the problems of long, fat networks (LFNs), including high round trip times (RTTs). CUBIC detects and avoids congestion. CUBIC improves performance for most environments.


LIF service policies replace LIF roles

You can assign service policies (instead of LIF roles) to LIFs that determine the kind of traffic that is supported for the LIFs. Service policies define a collection of network services supported by a LIF. ONTAP provides a set of built-in service policies that can be associated with a LIF.

ONTAP supports service policies starting with ONTAP 9.5; however, service policies can only be used to configure a limited number of services. Starting with ONTAP 9.6, LIF roles are deprecated and service policies are supported for all types of services.

LIFs and service policies


NTPv3 support

Network Time Protocol (NTP) version 3 includes symmetric authentication using SHA-1 keys, which increases network security.


SSH login security alerts

When you log in as a Secure Shell (SSH) admin user, you can view information about previous logins, unsuccessful attempts to log in, and changes to your role and privileges since your last successful login.


LIF service policies

You can create new service policies or use a built-in policy. You can assign a service policy to one or more LIFs; thereby allowing the LIF to carry traffic for a single service or a list of services.

LIFs and service policies


VIP LIFs and BGP support

A VIP data LIF is a LIF that is not part of any subnet and is reachable from all ports that host a border gateway protocol (BGP) LIF in the same IPspace. A VIP data LIF eliminates the dependency of a host on individual network interfaces.

Create a virtual IP (VIP) data LIF


Multipath routing

Multipath routing provides load balancing by utilizing all the available routes to a destination.

Enable multipath routing


Portmap service

The portmap service maps remote procedure call (RPC) services to the ports on which they listen.

The portmap service is always accessible in ONTAP 9.3 and earlier. Starting in ONTAP 9.4, the portmap service is configurable.

You can modify firewall policies to control whether the portmap service is accessible on particular LIFs.

Portmap service configuration



SSH multi-factor authentication (MFA) for LDAP or NIS uses a public key and nsswitch to authenticate remote users.



SSH MFA for local administrator accounts use a public key and a password to authenticate local users.


SAML authentication

You can use Security Assertion Markup Language (SAML) authentication to configure MFA for web services such as Service Processor Infrastructure (spi), ONTAP APIs, and OnCommand System Manager.


SSH login attempts

You can configure the maximum number of unsuccessful SSH login attempts to protect against brute force attacks.


Digital security certificates

ONTAP provides enhanced support for digital certificate security with Online Certificate Status Protocol (OCSP) and pre-installed default security certificates.



As part of a networking stack update for improved performance and resiliency, fast path routing support was removed in ONTAP 9.2 and later releases because it made it difficult to identify problems with improper routing tables. Therefore, it is no longer possible to set the following option in the nodeshell, and existing fast path configurations are disabled when upgrading to ONTAP 9.2 and later:


Network traffic not sent or sent out of an unexpected interface after upgrade to 9.2 due to elimination of IP Fastpath


Security with SNMPv3 traphosts

You can configure SNMPv3 traphosts with the User-based Security Model (USM) security. With this enhancement, SNMPv3 traps can be generated by using a predefined USM user’s authentication and privacy credentials.

Configure traphosts to receive SNMP notifications



Dynamic DNS (DDNS) name service is available on IPv6 LIFs.

Create a LIF


LIFs per node

The supported number of LIFs per node has increased for some systems. See the Hardware Universe for the number of LIFs supported on each platform for a specified ONTAP release.

Create a LIF

NetApp hardware universe


LIF management

ONTAP and System Manager automatically detect and isolate network port failures. LIFs are automatically migrated from degraded ports to healthy ports.

Monitor the health of network ports



Link Layer Discovery Protocol (LLDP) provides a vendor-neutral interface for verifying and troubleshooting cabling between an ONTAP system and a switch or router. It is an alternative to Cisco Discovery Protocol (CDP), a proprietary link layer protocol developed by Cisco Systems.

Enable or Disable LLDP


UC compliance with DSCP marking

Unified Capability (UC) compliance with Differentiated Services Code Point (DSCP) marking.

Differentiated Services Code Point (DSCP) marking is a mechanism for classifying and managing network traffic and is a component of Unified Capability (UC) compliance. You can enable DSCP marking on outgoing (egress) IP packet traffic for a given protocol with a default or user-provided DSCP code.

If you do not provide a DSCP value when enabling DSCP marking for a given protocol, a default is used:

0x0A (10): The default value for data protocols/traffic.

0x30 (48): The default value for control protocols/traffic.

DSCP marking for US compliance


SHA-2 password hash function

To enhance password security, ONTAP 9 supports the SHA-2 password hash function and uses SHA-512 by default for hashing newly created or changed passwords.

Existing user accounts with unchanged passwords continue to use the MD5 hash function after the upgrade to ONTAP 9 or later, and users can continue to access their accounts. However, it is strongly recommended that you migrate MD5 accounts to SHA-512 by having users change their passwords.


FIPS 140-2 support

You can enable the Federal Information Processing Standard (FIPS) 140-2 compliance mode for cluster-wide control plane web service interfaces.

By default, the FIPS 140-2 only mode is disabled.

Configure network security using Federal Information Processing Standards (FIPS)