February 22nd, 2008 11:00

Restricting NFS export to specific fsn ?

Hi guys,

Does anybody know if there is a way to restrict an NFS export to a specific FSN interface? I have 3 different networks connected to my NS80 and wanted to make sure NFS exports were only available from a specific interface. I know I can lock it down with export permissions, but I would rather people not even see those exports from other networks.

Thanks


February 22nd, 2008 12:00

As far as I know, there is no option to restrict any export through a specific interface or device. However, there is an option to define VLAN IDs with the server_export command from the CLI:
-option vlan=<vlanid>[,<vlanid>,...]

It specifies that all hosts belonging to the VLAN ID will have access
to the exported file system. Hosts on other VLANs will be denied.

Another option may be the access=<client>[:<client>:...] option of the server_export command. This will restrict which hosts can mount the export. You may use a subnet or netgroup as the client in this definition, thereby restricting it to those hosts in the same subnet as your fsn interface.

You may refer to the Celerra Network Server Command Reference Manual for more details.

However, I'll also wait to hear from others, if there are any other tricks.

Have a wonderful weekend.
Thanks,
Sandip


February 22nd, 2008 14:00

> As far as I know, there is no option to restrict any export through a specific interface or device. However, there is an option to define VLAN IDs with the server_export command from the CLI:
> -option vlan=<vlanid>[,<vlanid>,...]
>
> It specifies that all hosts belonging to the VLAN ID will have access to the exported file system. Hosts on other VLANs will be denied.

Yes, that's a very useful option.

Note that in order to use it you have to configure your network interfaces to use tagged VLANs (as well as the switch interfaces the Celerra connects to).

The nice thing is that it doesn't just limit access: it will even prevent clients from other VLANs from seeing what NFS exports are there via showmount.

This option is only available in the CLI. However, if you set it once you can then configure the other NFS export options in the GUI and it won't change the vlan export.

Technically speaking I think we go one step more than denying access - I think we just drop the NFS request.


February 22nd, 2008 15:00

Just note that for "hiding" that these exports exist, this vlan option is your only way.

VLAN tagging is very easy to set up. Chances are that if you have multiple subnets on a physical interface you are already using it.

Otherwise any NFS server will give you the list of exported NFS shares when you do a showmount from a client. That's normal NFS behaviour.


February 22nd, 2008 15:00

Thank you for your replies. I would prefer not to mess with VLAN tagging; I guess I'll just rely on export permissions. I wanted to hide exports from particular networks. For example, let's say I have HIPAA type exports: I don't even want people from other networks to see that these types of exports exist on this NAS appliance, or give hackers another incentive to bang on my Celerra, even if only via NFS.


January 27th, 2009 08:00

This does not seem to block the mount directly unless I have something wrong.
[nasadmin@phx-ucs101 ~]$ server_export server_9
server_9 :
export "/dmx9av512" vlan=512
export "/dmx9av45" vlan=45
From a server in vlan45 I can mount dmx9av512.
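As an added example (not from this thread, and not an EMC tool), a small Python audit that parses `server_export <mover>` output in the format quoted above and reports which exports carry neither a `vlan=` nor an `access=` restriction, plus which exports showmount would still list from a given VLAN under the intended semantics of the vlan option. The sample output is constructed for the example; any option other than vlan= and access= is treated as not restricting visibility, which is an assumption.

```python
import re

# Constructed sample of `server_export server_9` output, modelled on the
# lines quoted in the thread (not captured from a real Celerra).
SAMPLE_OUTPUT = """\
server_9 :
export "/dmx9av512" vlan=512
export "/dmx9av45" vlan=45
export "/shared" vlan=512,45
export "/staging" access=10.1.45.0/24
export "/public"
"""

EXPORT_RE = re.compile(r'^export\s+"(?P<path>[^"]+)"(?P<opts>.*)$')

# Options the thread names as limiting who can mount or see an export.
RESTRICTING = ("vlan", "access")


def parse_exports(text):
    """Return {path: {option: value}} for every export line; bare flags map to True."""
    exports = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line.strip())
        if not m:
            continue  # mover banner or blank line
        opts = {}
        for tok in m.group("opts").split():
            key, has_val, val = tok.partition("=")
            opts[key] = val if has_val else True
        exports[m.group("path")] = opts
    return exports


def vlan_ids(opts):
    """VLAN IDs from a vlan=<id>[,<id>,...] option, empty set if absent."""
    return set(opts.get("vlan", "").split(",")) - {""}


def unrestricted_exports(text):
    """Exports with neither vlan= nor access=: mountable and visible from every attached network."""
    return sorted(p for p, o in parse_exports(text).items()
                  if not any(k in o for k in RESTRICTING))


def visible_from_vlan(text, vlan_id):
    """Exports showmount should list from vlan_id: no vlan= option, or the ID is in the list.
    access= limits mounting but, per the thread, does not hide the export from showmount."""
    return sorted(p for p, o in parse_exports(text).items()
                  if not vlan_ids(o) or str(vlan_id) in vlan_ids(o))
```

Run it against real output captured from `server_export <mover>` to flag exports that a client on another network would still see; finding an export listed here that is nonetheless mountable from a foreign VLAN points at untagged traffic, as discussed later in the thread.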


January 27th, 2009 13:00

Yep, all interfaces on the mover, including VDMs, have VLAN tags on the interface.
Double checked each one.

The servers all connect through a Firewall Services Module in our 6509s. Tagging is performed in that module.

Will the version of tcpdump on T5.6.40.3 capture the VLAN tag? I know older versions did not.

Thanks Rainer.

Scot


January 27th, 2009 13:00

Not sure. I think you should open a service request on that one.

If you are only after not showing exports to clients that aren't on the export list, there is soon going to be an easy "NFS export hiding" functionality available.


January 27th, 2009 13:00

Have you actually set up VLAN tagging on the Celerra and the switch to deliver the packets tagged to the Celerra?


January 27th, 2009 15:00

No, I wish it were that easy.
I need to actively deny them from mounting or reading the FS for PCI compliance.

Looks like you can't capture VLAN tags from a Data Mover if you are using fsn or virtual devices:

Cannot start capture; device owned by a virtual nic.
Start capture on virtual nic instead.

If I capture on the virtual device the tags will have already been stripped, because it was delivered to that VLAN.

Scot


January 28th, 2009 14:00

Are you sure there is no routing somewhere between your VLANs? Also, check the route table on the Data Mover.

Each interface (virtual or physical) has its own IP stack. The built-in tcpdump utility captures data from within the IP stack of the interface you select, so you won't get the VLAN tag details since, as you correctly inferred, the tag has already been stripped and the packet passed to the virtual adapter's IP stack.

To see the detail before that happens, you would need to use an external passthrough sniffer or a span port on the switch.


January 28th, 2009 15:00

Not sure what routing would have to do with it.

I am not having a problem seeing the share; the problem is I don't want to see it.
Also, I am looking at fsn0, NOT the virtual interface I created for the VLAN:

dmx9_fsn0_v512 protocol=IP device=fsn0
inet=#.#.#.# netmask=255.255.255.0 broadcast#.#.#.# UP, ethernet, mtu=1500, vlan=512, macaddr=0:60:16:25:ff:ff

Ran ./server_tcpdump server_9 -start fsn0 -w .....

Looked at the packet dump using Wireshark on my Fedora 10 laptop.
Display filter: VLAN ID is present ("vlan.id").
No events found!
