LIFs and service policies (ONTAP 9.6 and later)
You can assign service policies (instead of LIF roles or firewall policies) to LIFs that determine the kind of traffic that is supported for the LIFs. Service policies define a collection of network services supported by a LIF. ONTAP provides a set of built-in service policies that can be associated with a LIF.
You can display service policies and their details using the following command:
network interface service-policy show
Features that are not bound to a specific service will use a system-defined behavior to select LIFs for outbound connections.
Applications on a LIF with an empty service policy might behave unexpectedly.
Service policies for system SVMs
The admin SVM and any system SVM contain service policies that can be used for LIFs in that SVM, including management and intercluster LIFs. These policies are automatically created by the system when an IPspace is created.
The following table lists the built-in policies for LIFs in system SVMs as of ONTAP 9.12.1. For other releases, display the service policies and their details using the following command:
network interface service-policy show
| Policy | Included services | Equivalent role | Description |
|---|---|---|---|
| default-intercluster | intercluster-core, management-https | intercluster | Used by LIFs carrying intercluster traffic. |
| default-route-announce | management-bgp | - | Used by LIFs carrying BGP peer connections. |
| default-management | management-core, management-https, management-http, management-ssh, management-autosupport, management-ems, management-dns-client, management-ad-client, management-ldap-client, management-nis-client, management-ntp-client, management-log-forwarding | node-mgmt or cluster-mgmt | Use this system-scoped management policy to create node- and cluster-scoped management LIFs owned by a system SVM. These LIFs can be used for outbound connections to DNS, AD, LDAP, or NIS servers as well as some additional connections to support applications that run on behalf of the entire system. |
The following table lists the services that LIFs can use on a system SVM as of ONTAP 9.11.1:
| Service | Failover limitations | Description |
|---|---|---|
| intercluster-core | home-node-only | Core intercluster services |
| management-core | - | Core management services |
| management-ssh | - | Services for SSH management access |
| management-http | - | Services for HTTP management access |
| management-https | - | Services for HTTPS management access |
| management-autosupport | - | Services related to posting AutoSupport payloads |
| management-bgp | home-port-only | Services related to BGP peer interactions |
| backup-ndmp-control | - | Services for NDMP backup controls |
| management-ems | - | Services for management messaging access |
| management-ntp-client | - | Introduced in ONTAP 9.10.1. |
| management-ntp-server | - | Introduced in ONTAP 9.10.1. |
| management-portmap | - | Services for portmap management |
| management-rsh-server | - | Services for rsh server management |
| management-snmp-server | - | Services for SNMP server management |
| management-telnet-server | - | Services for telnet server management |
| management-log-forwarding | - | Introduced in ONTAP 9.12.1. |
Service policies for data SVMs
All data SVMs contain service policies that can be used by LIFs in that SVM.
The following table lists the built-in policies for LIFs in data SVMs as of ONTAP 9.11.1. For other releases, display the service policies and their details using the following command:
network interface service-policy show
| Policy | Included services | Equivalent data protocol | Description |
|---|---|---|---|
| default-management | management-https, management-http, management-ssh, management-dns-client, management-ad-client, management-ldap-client, management-nis-client | none | Use this SVM-scoped management policy to create SVM management LIFs owned by a data SVM. These LIFs can be used to provide SSH or HTTPS access to SVM administrators. When necessary, these LIFs can be used for outbound connections to an external DNS, AD, LDAP, or NIS server. |
| default-data-blocks | data-core, data-iscsi | iscsi | Used by LIFs carrying block-oriented SAN data traffic. Starting in ONTAP 9.10.1, the "default-data-blocks" policy is deprecated. Use the "default-data-iscsi" service policy instead. |
| default-data-files | data-fpolicy-client, data-dns-server, data-flexcache, data-cifs, data-nfs, management-dns-client, management-ad-client, management-ldap-client, management-nis-client | nfs, cifs, fcache | Use the default-data-files policy to create NAS LIFs supporting file-based data protocols. Sometimes there is only one LIF present in the SVM, so this policy allows the LIF to be used for outbound connections to an external DNS, AD, LDAP, or NIS server. You can remove these services from this policy if you prefer that these connections use only management LIFs. |
| default-data-iscsi | data-core, data-iscsi | iscsi | Used by LIFs carrying iSCSI data traffic. |
| default-data-nvme-tcp | data-core, data-nvme-tcp | nvme-tcp | Used by LIFs carrying NVMe/TCP data traffic. |
The following table lists the services that can be used on a data SVM along with any restrictions each service imposes on a LIF's failover policy as of ONTAP 9.11.1:
| Service | Failover restrictions | Description |
|---|---|---|
| management-ssh | - | Services for SSH management access |
| management-http | - | Introduced in ONTAP 9.10.1 |
| management-https | - | Services for HTTPS management access |
| management-portmap | - | Services for portmap management access |
| management-snmp-server | - | Introduced in ONTAP 9.10.1 |
| data-core | - | Core data services |
| data-nfs | - | NFS data service |
| data-cifs | - | CIFS data service |
| data-flexcache | - | FlexCache data service |
| data-iscsi | home-port-only for AFF/FAS; sfo-partner-only for ASA | iSCSI data service |
| backup-ndmp-control | - | Introduced in ONTAP 9.10.1 |
| data-dns-server | - | Introduced in ONTAP 9.10.1 |
| data-fpolicy-client | - | File-screening policy data service |
| data-nvme-tcp | home-port-only | Introduced in ONTAP 9.10.1 |
| data-s3-server | - | Simple Storage Service (S3) server data service |
You should be aware of how the service policies are assigned to the LIFs in data SVMs:
- If a data SVM is created with a list of data services, the built-in "default-data-files" and "default-data-blocks" service policies in that SVM are created using the specified services.
- If a data SVM is created without specifying a list of data services, the built-in "default-data-files" and "default-data-blocks" service policies in that SVM are created using a default list of data services. The default data services list includes the iSCSI, NFS, NVMe, SMB, and FlexCache services.
- When a LIF is created with a list of data protocols, a service policy equivalent to the specified data protocols is assigned to the LIF.
- If an equivalent service policy does not exist, a custom service policy is created.
- When a LIF is created without a service policy or list of data protocols, the default-data-files service policy is assigned to the LIF by default.
Data-core service
The data-core service allows components that previously used LIFs with the data role to work as expected on clusters that have been upgraded to manage LIFs using service policies instead of LIF roles (which are deprecated in ONTAP 9.6).
Specifying data-core as a service does not open any ports in the firewall, but the service should be included in any service policy in a data SVM. For example, the default-data-files service policy contains the following services by default:
- data-core
- data-nfs
- data-cifs
- data-flexcache
The data-core service should be included in the policy to ensure all applications using the LIF work as expected, but the other three services can be removed, if desired.
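The assignment rules and the data-core requirement described above, as an added Python example (not NetApp's code and not the ONTAP CLI): it maps a new LIF's requested data protocols to the equivalent built-in policy using this page's tables, falling back to a custom policy, and audits a policy for an empty service list, a missing data-core service, the deprecated default-data-blocks policy, and cleartext management services (telnet, rsh, HTTP). The policy data is constructed from this page rather than read from a cluster; the `custom-...` naming and the `svm_type` parameter are assumptions.

```python
# Added example (not NetApp's code): models this page's LIF policy-assignment
# rules and audits policies for the risks the page calls out, using constructed
# policy data taken from the page's tables, not from a live cluster.

# Built-in data-SVM policies and their included services, from the table above.
BUILTIN_DATA_POLICIES = {
    "default-data-files": {
        "data-core", "data-nfs", "data-cifs", "data-flexcache",
        "data-fpolicy-client", "data-dns-server", "management-dns-client",
        "management-ad-client", "management-ldap-client", "management-nis-client"},
    "default-data-iscsi": {"data-core", "data-iscsi"},
    "default-data-nvme-tcp": {"data-core", "data-nvme-tcp"},
    "default-data-blocks": {"data-core", "data-iscsi"},  # deprecated in 9.10.1
}

# "Equivalent data protocol" column: the built-in policy each protocol maps to.
PROTOCOL_TO_POLICY = {
    "nfs": "default-data-files", "cifs": "default-data-files",
    "fcache": "default-data-files", "iscsi": "default-data-iscsi",
    "nvme-tcp": "default-data-nvme-tcp",
}

# Management services from the system-SVM table that carry credentials in the clear.
CLEARTEXT_SERVICES = {"management-telnet-server", "management-rsh-server",
                      "management-http"}

def policy_for_protocols(protocols):
    """Policy a new LIF receives under the page's rules: no protocols ->
    default-data-files; one equivalent built-in policy -> that policy;
    otherwise a custom policy (the 'custom-...' naming is an assumption)."""
    if not protocols:
        return "default-data-files"
    unknown = [p for p in protocols if p not in PROTOCOL_TO_POLICY]
    if unknown:
        raise ValueError(f"no equivalent policy mapping for {unknown}")
    targets = {PROTOCOL_TO_POLICY[p] for p in protocols}
    return targets.pop() if len(targets) == 1 else "custom-" + "-".join(sorted(protocols))

def audit_policy(name, services, svm_type="data"):
    """Return findings for one policy (an empty list means nothing to flag)."""
    findings = []
    if not services:
        findings.append("empty policy: applications on this LIF may behave unexpectedly")
    if svm_type == "data" and "data-core" not in services:
        findings.append("data-core missing: legacy data-role consumers may break")
    if name == "default-data-blocks":
        findings.append("deprecated since 9.10.1: use default-data-iscsi instead")
    for svc in sorted(set(services) & CLEARTEXT_SERVICES):
        findings.append(f"{svc} enabled: cleartext management protocol")
    return findings
```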
Client-side LIF service
Beginning with ONTAP 9.10.1, ONTAP provides client-side LIF services for multiple applications. These services provide control over which LIFs are used for outbound connections on behalf of each application.
The following new services give administrators control over which LIFs are used as source addresses for certain applications.
| Service | SVM restrictions | Description |
|---|---|---|
| management-ad-client | - | Beginning with ONTAP 9.11.1, ONTAP provides Active Directory client service for outbound connections to an external AD server. |
| management-dns-client | - | Beginning with ONTAP 9.11.1, ONTAP provides DNS client service for outbound connections to an external DNS server. |
| management-ldap-client | - | Beginning with ONTAP 9.11.1, ONTAP provides LDAP client service for outbound connections to an external LDAP server. |
| management-nis-client | - | Beginning with ONTAP 9.11.1, ONTAP provides NIS client service for outbound connections to an external NIS server. |
| management-ntp-client | system-only | Beginning with ONTAP 9.10.1, ONTAP provides NTP client service for outbound connections to an external NTP server. |
| data-fpolicy-client | data-only | Beginning with ONTAP 9.8, ONTAP provides client service for outbound FPolicy connections. |
Each of the new services is automatically included in some of the built-in service policies, but administrators can remove them from the built-in policies or add them to custom policies to control which LIFs are used for outbound connections on behalf of each application.