Skip to main content

Configure ONTAP virtual IP (VIP) LIFs

Contributors netapp-aoife netapp-aherbin netapp-barbe netapp-dbagwell netapp-ahibbard netapp-thomi
PDFs

Some next-generation data centers use layer-3 (IP) network mechanisms that require LIFs to be failed over across subnets. ONTAP supports virtual IP (VIP) data LIFs and the associated routing protocol, border gateway protocol (BGP), to meet the failover requirements of these next-generation networks.

About this task

A VIP data LIF is a LIF that is not part of any subnet and is reachable from all ports that host a BGP LIF in the same IPspace. A VIP data LIF eliminates the dependency of a host on individual network interfaces. Because multiple physical adapters carry the data traffic, the entire load is not concentrated on a single adapter and the associated subnet. The existence of a VIP data LIF is advertised to peer routers through the routing protocol, Border Gateway Protocol (BGP).

VIP data LIFs provide the following advantages:

  • LIF portability beyond a broadcast domain or subnet: VIP data LIFs can fail over to any subnet in the network by announcing the current location of each VIP data LIF to routers through BGP.

  • Aggregate throughput: VIP data LIFs can support aggregate throughput that exceeds the bandwidth of any individual port because the VIP LIFs can send or receive data from multiple subnets or ports simultaneously.

Set up border gateway protocol (BGP)

Before creating VIP LIFs, you must set up BGP, which is the routing protocol used for announcing the existence of a VIP LIF to peer routers.

Beginning with ONTAP 9.9.1, VIP provides optional default route automation using BGP peer groups to simplify configuration.

ONTAP has a simple way to learn default routes using the BGP peers as next-hop routers when the BGP peer is on the same subnet. To use the feature, set the -use-peer-as-next-hop attribute to true. By default, this attribute is false.

If you have static routes configured, those are still preferred over these automated default routes.

Before you begin

The peer router must be configured to accept a BGP connection from the BGP LIF for the configured autonomous system number (ASN).

Note ONTAP does not process any incoming route announcements from the router; therefore, you should configure the peer router to not send any route updates to the cluster. This reduces the time it takes for communication with the peer to become fully functional and reduces internal memory usage within ONTAP.
About this task

Setting up BGP involves optionally creating a BGP configuration, creating a BGP LIF, and creating a BGP peer group. ONTAP automatically creates a default BGP configuration with default values when the first BGP peer group is created on a given node.

A BGP LIF is used to establish BGP TCP sessions with peer routers. For a peer router, a BGP LIF is the next hop to reach a VIP LIF. Failover is disabled for the BGP LIF. A BGP peer group advertises the VIP routes for all SVMs in the IPspace used by the peer group. The IPspace used by the peer group is inherited from the BGP LIF.

Beginning with ONTAP 9.16.1, MD5 authentication is supported on BGP peer groups to protect BGP sessions. When MD5 is enabled, BGP sessions can only be established and processed among authorized peers, preventing potential disruptions of the session by an unauthorized actor.

The following fields have been added to the network bgp peer-group create and network bgp peer-group modify commands:

  • -md5-enabled <true/false>

  • -md5-secret <md5 secret in string or hex format>

These parameters enable you to configure a BGP peer group with an MD5 signature for enhanced security. The following requirements apply to using MD5 authentication:

  • You can only specify the -md5-secret parameter when the -md5-enabled parameter is set to true.

  • IPsec must be enabled globally before you can enable MD5 BGP authentication. The BGP LIF is not required to have an active IPsec configuration. Refer to Configure IP security (IPsec) over wire encryption.

  • NetApp recommends that you configure MD5 on the router before configuring it on the ONTAP controller.

Beginning with ONTAP 9.9.1, these fields have been added:

  • -asn or -peer-asn (4-byte value)
    The attribute itself is not new, but it now uses a 4-byte integer.

  • -med

  • -use-peer-as-next-hop

You can make advanced route selections with Multi-Exit Discriminator (MED) support for path prioritization. MED is an optional attribute in the BGP update message that tells routers to select the best route for the traffic. The MED is an unsigned 32-bit integer (0 - 4294967295); lower values are preferred.

Beginning with ONTAP 9.8, these fields have been added to the network bgp peer-group command:

  • -asn-prepend-type

  • -asn-prepend-count

  • -community

These BGP attributes allows you to configure the AS Path and community attributes for the BGP peer group.

Note While ONTAP supports the above BGP attributes, routers do not need to honor them. NetApp strongly recommends you confirm which attributes are supported by your router and configure BGP peer groups accordingly. For details, refer to the BGP documentation provided by your router.
Steps

  1. Log in to the advanced privilege level:

    set -privilege advanced

  2. Optional: Create a BGP configuration or modify the default BGP configuration of the cluster by performing one of the following actions:

    1. Create a BGP configuration:

      network bgp config create -node {node_name | local} -asn <asn_number> -holdtime
<hold_time> -routerid <router_id>
      Note

      • The -routerid parameter accepts a dotted-decimal 32-bit value that only needs to be unique within an AS domain. NetApp recommends that you use the node management IP (v4) address for <router_id> which guarantees uniqueness.

      • Although ONTAP BGP supports 32-bit ASN numbers, only standard decimal notation is supported. Dotted ASN notation, such as 65000.1 instead of 4259840001 for a private ASN, is not supported.

      Sample with a 2-byte ASN:

      network bgp config create -node node1 -asn 65502 -holdtime 180 -routerid 1.1.1.1

      Sample with a 4-byte ASN:

      network bgp config create -node node1 -asn 85502 -holdtime 180 -routerid 1.1.1.1

    2. Modify the default BGP configuration:

      network bgp defaults modify -asn <asn_number> -holdtime <hold_time>
network bgp defaults modify -asn 65502 -holdtime 60

      • <asn_number> specifies the ASN number. Beginning with ONTAP 9.8, ASN for BGP supports a 2-byte non-negative integer. This is a 16-bit number (1 to 65534 available values). Beginning with ONTAP 9.9.1, ASN for BGP supports a 4-byte non-negative integer (1 to 4294967295). The default ASN is 65501. ASN 23456 is reserved for ONTAP session establishment with peers that do not announce 4-byte ASN capability.

      • <hold_time> specifies the hold time in seconds. The default value is 180s.

        Note ONTAP only supports one global <asn_number>, <hold_time>, and <router_id>, even if you configure BGP for multiple IPspaces. The BGP and all IP routing information is completely isolated within one IPspace. An IPspace is equivalent to a virtual routing and forwarding (VRF) instance.

  3. Create a BGP LIF for the system SVM:

    For the default IPspace, the SVM name is the cluster name. For additional IPspaces, the SVM name is identical to the IPspace name.

    network interface create -vserver <system_svm> -lif <lif_name> -service-policy default-route-announce -home-node <home_node> -home-port <home_port> -address <ip_address> -netmask <netmask>

    You can use the default-route-announce service policy for the BGP LIF or any custom service policy which contains the "management-bgp" service.

    network interface create -vserver cluster1 -lif bgp1 -service-policy default-route-announce -home-node cluster1-01 -home-port e0c -address 10.10.10.100 -netmask 255.255.255.0

  4. Create a BGP peer group that is used to establish BGP sessions with the remote peer routers and configure the VIP route information that is advertised to the peer routers:

    Sample 1: Create a peer group without an auto default route

    In this case, the admin needs to create a static route to the BGP peer.

    network bgp peer-group create -peer-group <group_name> -ipspace <ipspace_name> -bgp-lif <bgp_lif> -peer-address <peer-router_ip_address> -peer-asn <peer_asn_number> {-route-preference <integer>} {-asn-prepend-type <ASN_prepend_type>} {-asn-prepend-count <integer>} {-med <integer>} {-community BGP community list <0-65535>:<0-65535>}
    network bgp peer-group create -peer-group group1 -ipspace Default -bgp-lif bgp1 -peer-address 10.10.10.1 -peer-asn 65503 -route-preference 100 -asn-prepend-type local-asn -asn-prepend-count 2 -med 100 -community 9000:900,8000:800

    Sample 2: Create a peer group with an auto default route

    network bgp peer-group create -peer-group <group_name> -ipspace <ipspace_name> -bgp-lif <bgp_lif> -peer-address <peer-router_ip_address> -peer-asn <peer_asn_number> {-use-peer-as-next-hop true} {-route-preference <integer>} {-asn-prepend-type <ASN_prepend_type>} {-asn-prepend-count <integer>} {-med <integer>} {-community BGP community list <0-65535>:<0-65535>}
    network bgp peer-group create -peer-group group1 -ipspace Default -bgp-lif bgp1 -peer-address 10.10.10.1 -peer-asn 65503 -use-peer-as-next-hop true -route-preference 100 -asn-prepend-type local-asn -asn-prepend-count 2 -med 100 -community 9000:900,8000:800

    Sample 3: Create a peer group with MD5 enabled

    1. Enable IPsec:

      security ipsec config modify -is-enabled true

    2. Create the BGP peer group with MD5 enabled:

      network bgp peer-group create -ipspace Default -peer-group <group_name> -bgp-lif bgp_lif -peer-address <peer_router_ip_address> {-md5-enabled true} {-md5-secret <md5 secret in string or hex format>}

      Example using a hex key:

      network bgp peer-group create -ipspace Default -peer-group peer1 -bgp-lif bgp_lif1 -peer-address 10.1.1.100 -md5-enabled true -md5-secret 0x7465737420736563726574

      Example using a string:

      network bgp peer-group create -ipspace Default -peer-group peer1 -bgp-lif bgp_lif1 -peer-address 10.1.1.100 -md5-enabled true -md5-secret "test secret"
Note After you create the BGP peer group, a virtual ethernet port (starting with v0a..v0z,v1a…​) is listed when you run the network port show command. The MTU of this interface is always reported at 1500. The actual MTU used for traffic is derived from the physical port (BGP LIF), which is determined when traffic is sent.

Create a virtual IP (VIP) data LIF

The existence of a VIP data LIF is advertised to peer routers through the routing protocol, Border Gateway Protocol (BGP).

Before you begin

  • The BGP peer group must be set up and the BGP session for the SVM on which the LIF is to be created must be active.

  • A static route to the BGP router or any other router in the BGP LIF’s subnet must be created for any outgoing VIP traffic for the SVM.

  • You should turn on multipath routing so that the outgoing VIP traffic can utilize all the available routes.

    If multipath routing is not enabled, all the outgoing VIP traffic goes from a single interface.

Steps

  1. Create a VIP data LIF:

    network interface create -vserver <svm_name> -lif <lif_name> -role data -data-protocol
{nfs|cifs|iscsi|fcache|none|fc-nvme} -home-node <home_node> -address <ip_address> -is-vip true -failover-policy broadcast-domain-wide

    A VIP port is automatically selected if you do not specify the home port with the network interface create command.

    By default, the VIP data LIF belongs to the system-created broadcast domain named 'Vip', for each IPspace. You cannot modify the VIP broadcast domain.

    A VIP data LIF is reachable simultaneously on all ports hosting a BGP LIF of an IPspace. If there is no active BGP session for the VIP's SVM on the local node, the VIP data LIF fails over to the next VIP port on the node that has a BGP session established for that SVM.

  2. Verify that the BGP session is in the up status for the SVM of the VIP data LIF:

    network bgp vserver-status show

Node        Vserver  bgp status
	    ----------  -------- ---------
	    node1       vs1      up

    If the BGP status is down for the SVM on a node, the VIP data LIF fails over to a different node where the BGP status is up for the SVM. If BGP status is down on all the nodes, the VIP data LIF cannot be hosted anywhere, and has LIF status as down.

Commands for managing the BGP

Beginning with ONTAP 9.5, you use the network bgp commands to manage the BGP sessions in ONTAP.

Manage BGP configuration

If you want to…​

Use this command…​

Create a BGP configuration

network bgp config create

Modify BGP configuration

network bgp config modify

Delete BGP configuration

network bgp config delete

Display BGP configuration

network bgp config show

Displays the BGP status for the SVM of the VIP LIF

network bgp vserver-status show

Manage BGP default values

If you want to…​

Use this command…​

Modify BGP default values

network bgp defaults modify

Display BGP default values

network bgp defaults show

Manage BGP peer groups

If you want to…​

Use this command…​

Create a BGP peer group

network bgp peer-group create

Modify a BGP peer group

network bgp peer-group modify

Delete a BGP peer group

network bgp peer-group delete

Display BGP peer groups information

network bgp peer-group show

Rename a BGP peer group

network bgp peer-group rename

Manage BGP peer groups with MD5

Beginning with ONTAP 9.16.1, you can enable or disable MD5 authentication on an existing BGP peer group.

Note If you enable or disable MD5 on an existing BGP peer group, the BGP connection is terminated and re-created to apply the MD5 configuration changes.

If you want to…​

Use this command…​

Enable MD5 on an existing BGP peer group

network bgp peer-group modify -ipspace Default -peer-group <group_name> -bgp-lif <bgp_lif> -peer-address <peer_router_ip_address> -md5-enabled true -md5-secret <md5 secret in string or hex format>

Disable MD5 on an existing BGP peer group

network bgp peer-group modify -ipspace Default -peer-group <group_name> -bgp-lif <bgp_lif> -md5-enabled false
Related information

ONTAP command reference