We had our regular tech mtg today - the last 30 minutes turned into an hour on this topic.
We hashed out the issue and determined ONTAP's global vfiler routing table has ENABLED some very bad security practices, allowing NFS clients to mount secure shares from less secure vlans. This was very convenient at the time (like giving dev folks access to prod vfiler content).
We concluded we'd much rather have ONTAP NOT ROUTE AT ALL - thereby keeping NFS access on local secure net routes only.

We are going to test if ipspaces (and vserver cluster mode) could resolve this for the 5% (convenient but security-subverting) mounts.

thanks


On Aug 24, 2012, at 12:49 PM, Vervloesem Wouter wrote:

If you implement the IPspaces, that would change routing altogether. You would have to define the default gateway per IPspace and define other needed routes in all IPspaces.
I would go for the static routes.



Kind regards,
Wouter Vervloesem

Neoria - Uptime Group
Veldkant 35D
B-2550 Kontich

Tel: +32 (0)3 451 23 82
Mailto: wouter.vervloesem@neoria.be
Web: http://www.neoria.be

On 24 Aug 2012, at 20:04, Fletcher Cocquyt <fcocquyt@stanford.edu> wrote:

Hi, we are running 8.1 on our 3270 clusters with 17 vfilers on 5 different vlans.
The vfilers currently share the same default IPspace and we are (understandably) seeing routing issues (asymmetric routing) when NFS clients outside the vFiler's vlan attempt to communicate with the vFiler. (These clients are the exception; > 95% of clients are in the same routable net and don't have any issues.)

What are the opinions about adding new IPspaces vs just adding 5 static net routes to the shared routing table so routing works?

thanks,

Fletcher




_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters