Hi, we are running 8.1 on our 3270 clusters with 17 vfilers on 5 different vlans. The vfilers currently share the same default IPspace and we are (understandably) seeing routing issues (asymmetric routing) when NFS clients outside the vFiler's vlan attempt to communicate with the vFiler. (These clients are the exception: > 95% of clients are in the same routable net and don't have any issues.)
What are the opinions about adding new IPspaces vs just adding 5 static net routes to the shared routing table so routing works?
thanks,
Fletcher
If you implement the IPspaces, that would change routing altogether. You would have to define the default gateway per IPspace and define other needed routes in all IPspaces. I would go for the static routes.
Kind regards, Wouter Vervloesem
Neoria - Uptime Group Veldkant 35D B-2550 Kontich
Tel: +32 (0)3 451 23 82 Mailto: wouter.vervloesem@neoria.be Web: http://www.neoria.be
On 24 Aug 2012, at 20:04, Fletcher Cocquyt fcocquyt@stanford.edu wrote:
> Hi, we are running 8.1 on our 3270 clusters with 17 vfilers on 5 different vlans. The vfilers currently share the same default IPspace and we are (understandably) seeing routing issues (asymmetric routing) when NFS clients outside the vFiler's vlan attempt to communicate with the vFiler. (These clients are the exception: > 95% of clients are in the same routable net and don't have any issues.)
> What are the opinions about adding new IPspaces vs just adding 5 static net routes to the shared routing table so routing works?
> thanks,
> Fletcher
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
We had our regular tech mtg today - the last 30 minutes turned into an hour on this topic. We hashed out the issue and determined ontap's global vfiler routing table has ENABLED some very bad security practices, allowing NFS clients to mount secure shares from less secure vlans. This was very convenient at the time (like giving dev folks access to prod vfiler content). We concluded we'd much rather have ontap NOT ROUTE AT ALL - thereby keeping NFS access on local secure net routes only.
We are going to test if ipspaces (and vserver cluster mode) could resolve this for the 5% (convenient but security subverting) mounts.
thanks
On Aug 24, 2012, at 12:49 PM, Vervloesem Wouter wrote:
> If you implement the IPspaces, that would change routing altogether. You would have to define the default gateway per IPspace and define other needed routes in all IPspaces. I would go for the static routes.
> Kind regards, Wouter Vervloesem
> Neoria - Uptime Group Veldkant 35D B-2550 Kontich
> Tel: +32 (0)3 451 23 82 Mailto: wouter.vervloesem@neoria.be Web: http://www.neoria.be
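An added example, not part of the thread: one way to find the mounts that only work because the shared routing table routes between vlans is to compare each vFiler's export client lists with the vFiler's own vlan subnet. The export lines are modelled on the 7-mode /etc/exports option syntax (rw=, ro=, root= with colon-separated clients); the vFiler names, subnets and rules are constructed sample data, and the check is IPv4 only.

```python
import ipaddress

# Constructed sample data: vFiler names, vlan subnets and export rules are invented.
VFILER_SUBNET = {
    "vf_prod": "10.10.20.0/24",
    "vf_dev": "10.10.30.0/24",
}
EXPORTS = {
    "vf_prod": [
        "/vol/prod_data -sec=sys,rw=10.10.20.0/24,root=10.10.20.5",
        "/vol/prod_src -sec=sys,rw=10.10.20.0/24:10.10.30.17,ro=buildhost",
    ],
    "vf_dev": ["/vol/dev_scratch -sec=sys,rw=10.10.30.0/24"],
}


def client_specs(rule):
    """Yield (option, client) pairs from the rw=, ro= and root= lists of one rule."""
    _, _, opts = rule.partition(" -")
    for opt in opts.split(","):
        key, sep, value = opt.partition("=")
        if sep and key in ("rw", "ro", "root"):
            for client in value.split(":"):
                yield key, client


def audit(vfiler_subnet, exports):
    """Return findings for export clients that are not inside the vFiler's own vlan."""
    findings = []
    for vfiler, rules in exports.items():
        local = ipaddress.ip_network(vfiler_subnet[vfiler])
        for rule in rules:
            path = rule.split()[0]
            for key, client in client_specs(rule):
                try:
                    net = ipaddress.ip_network(client, strict=False)
                except ValueError:
                    # Hostname or netgroup: cannot be placed in a subnet offline.
                    findings.append((vfiler, path, key, client, "unresolved"))
                    continue
                if not net.subnet_of(local):
                    # Reachable only through routing, not on the local vlan.
                    findings.append((vfiler, path, key, client, "off-vlan"))
    return findings


if __name__ == "__main__":
    for finding in audit(VFILER_SUBNET, EXPORTS):
        print(*finding)
```

Entries reported as "unresolved" are hostnames or netgroups and need to be resolved before they can be classified.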