Skip to main content

Configure LIF service policies

Contributors netapp-barbe netapp-ahibbard mpittman-netapp netapp-thomi

You can configure LIF service policies to identify a single service or a list of services that will use a LIF.

Create a service policy for LIFs

You can create a service policy for LIFs. You can assign a service policy to one or more LIFs; thereby allowing the LIF to carry traffic for a single service or a list of services.

You need advanced privileges to run the network interface service-policy create command.

About this task

Built-in services and service policies are available for managing data and management traffic on both data and system SVMs. Most use cases are satisfied using a built-in service policy rather than creating a custom service policy.

You can modify these built-in service policies, if required.

Steps
  1. View the services that are available in the cluster:

    network interface service show

    Services represent the applications accessed by a LIF as well as the applications served by the cluster. Each service includes zero or more TCP and UDP ports on which the application is listening.

    The following additional data and management services are available:

    cluster1::> network interface service show
    
    Service                     Protocol:Ports
    -------                     --------------
    cluster-core                -
    data-cifs                   -
    data-core                   -
    data-flexcache              -
    data-iscsi                  -
    data-nfs                    -
    intercluster-core           tcp:11104-11105
    management-autosupport      -
    management-bgp              tcp:179
    management-core             -
    management-https            tcp:443
    management-ssh              tcp:22
    12 entries were displayed.
  2. View the service policies that exist in the cluster:

    cluster1::> network interface service-policy show
    
    Vserver   Policy                     Service: Allowed Addresses
    --------- -------------------------- ----------------------------------------
    cluster1
              default-intercluster       intercluster-core: 0.0.0.0/0
                                         management-https: 0.0.0.0/0
    
              default-management         management-core: 0.0.0.0/0
                                         management-autosupport: 0.0.0.0/0
                                         management-ssh: 0.0.0.0/0
                                         management-https: 0.0.0.0/0
    
              default-route-announce     management-bgp: 0.0.0.0/0
    
    Cluster
              default-cluster            cluster-core: 0.0.0.0/0
    
    vs0
              default-data-blocks        data-core: 0.0.0.0/0
                                         data-iscsi: 0.0.0.0/0
    
              default-data-files         data-core: 0.0.0.0/0
                                         data-nfs: 0.0.0.0/0
                                         data-cifs: 0.0.0.0/0
                                         data-flexcache: 0.0.0.0/0
    
              default-management         data-core: 0.0.0.0/0
                                         management-ssh: 0.0.0.0/0
                                         management-https: 0.0.0.0/0
    
    7 entries were displayed.
  3. Create a service policy:

    cluster1::> set -privilege advanced
    Warning: These advanced commands are potentially dangerous; use them only when directed to do so by technical support.
    Do you wish to continue? (y or n): y
    
    cluster1::> network interface service-policy create -vserver <svm_name> -policy <service_policy_name> -services <service_name> -allowed-addresses <IP_address/mask,...>
    • "service_name" specifies a list of services that should be included in the policy.

    • "IP_address/mask" specifies the list of subnet masks for addresses that are allowed to access the services in the service policy. By default, all specified services are added with a default allowed address list of 0.0.0.0/0, which allows traffic from all subnets. When a non-default allowed address list is provided, LIFs using the policy are configured to block all requests with a source address that does not match any of the specified masks.

      The following example shows how to create a data service policy, svm1_data_policy, for an SVM that includes NFS and SMB services:

      cluster1::> set -privilege advanced
      Warning: These advanced commands are potentially dangerous; use them only when directed to do so by technical support.
      Do you wish to continue? (y or n): y
      
      cluster1::> network interface service-policy create -vserver svm1 -policy svm1_data_policy -services data-nfs,data-cifs,data-core

      The following example shows how to create an intercluster service policy:

      cluster1::> set -privilege advanced
      Warning: These advanced commands are potentially dangerous; use them only when directed to do so by technical support.
      Do you wish to continue? (y or n): y
      
      cluster1::> network interface service-policy create -vserver cluster1 -policy intercluster1 -services intercluster-core
  4. Verify that the service policy is created.

    cluster1::> network interface service-policy show

    The following output shows the service policies that are available:

    cluster1::> network interface service-policy show
    
    Vserver   Policy                     Service: Allowed Addresses
    --------- -------------------------- ----------------------------------------
    cluster1
              default-intercluster       intercluster-core: 0.0.0.0/0
                                         management-https: 0.0.0.0/0
    
              intercluster1              intercluster-core: 0.0.0.0/0
    
              default-management         management-core: 0.0.0.0/0
                                         management-autosupport: 0.0.0.0/0
                                         management-ssh: 0.0.0.0/0
                                         management-https: 0.0.0.0/0
    
              default-route-announce     management-bgp: 0.0.0.0/0
    
    Cluster
              default-cluster            cluster-core: 0.0.0.0/0
    
    vs0
              default-data-blocks        data-core: 0.0.0.0/0
                                         data-iscsi: 0.0.0.0/0
    
              default-data-files         data-core: 0.0.0.0/0
                                         data-nfs: 0.0.0.0/0
                                         data-cifs: 0.0.0.0/0
                                         data-flexcache: 0.0.0.0/0
    
              default-management         data-core: 0.0.0.0/0
                                         management-ssh: 0.0.0.0/0
                                         management-https: 0.0.0.0/0
    
              svm1_data_policy           data-core: 0.0.0.0/0
                                         data-nfs: 0.0.0.0/0
                                         data-cifs: 0.0.0.0/0
    
    9 entries were displayed.
After you finish

Assign the service policy to a LIF either at the time of creation or by modifying an existing LIF.

Assign a service policy to a LIF

You can assign a service policy to a LIF either at the time of creating the LIF or by modifying the LIF. A service policy defines the list of services that can be used with the LIF.

About this task

You can assign service policies for LIFs in the admin and data SVMs.

Step

Depending on when you want to assign the service policy to a LIF, perform one of the following actions:

If you are…​ Assign the service policy…​

Creating a LIF

network interface create -vserver svm_name -lif <lif_name> -home-node <node_name> -home-port <port_name> {(-address <IP_address> -netmask <IP_address>) -subnet-name <subnet_name>} -service-policy <service_policy_name>

Modifying a LIF

network interface modify -vserver <svm_name> -lif <lif_name> -service-policy <service_policy_name>

When you specify a service policy for a LIF, you need not specify the data protocol and role for the LIF. Creating LIFs by specifying the role and data protocols is also supported.

Note A service policy can only be used by LIFs in the same SVM that you specified when creating the service policy.

Examples

The following example shows how to modify the service policy of a LIF to use the default- management service policy:

cluster1::> network interface modify -vserver cluster1 -lif lif1 -service-policy default-management

Commands for managing LIF service policies

Use the network interface service-policy commands to manage LIF service policies.

Before you begin

Modifying the service policy of a LIF in an active SnapMirror relationship disrupts the replication schedule. If you convert a LIF from intercluster to non-intercluster (or vice versa), those changes are not replicated to the peered cluster. To update the peer cluster after modifying the LIF service policy, first perform the snapmirror abort operation then resynchronize the replication relationship.

If you want to…​ Use this command…​

Create a service policy (advanced privileges required)

network interface service-policy create

Add an additional service entry to an existing service policy (advanced privileges required)

network interface service-policy add-service

Clone an existing service policy (advanced privileges required)

network interface service-policy clone

Modify a service entry in an existing service policy (advanced privileges required)

network interface service-policy modify-service

Remove a service entry from an existing service policy (advanced privileges required)

network interface service-policy remove-service

Rename an existing service policy (advanced privileges required)

network interface service-policy rename

Delete an existing service policy (advanced privileges required)

network interface service-policy delete

Restore a built-in service-policy to its original state (advanced privileges required)

network interface service-policy restore-defaults

Display existing service policies

network interface service-policy show