September 7th, 2020 06:00
Multiple access zone config
Hi All,
I have a question regarding Access Zones in OneFS 8.2.2.
The goal is to have a production and test access zone, each with their own
AD/domain. Two 10Gb interfaces are connected to the switch using LACP. On
Isilon there are 2 groupnets (since DNS servers are different with
different search domains) and 2 subnets, each with their own vlan-id.
Two access zones are created (prod and test) with path:
/ifs/isilon1/prod
/ifs/isilon1/test
I would like to segregate network traffic according to best practices and
to move data access out of the System zone. Therefore, there should be an access
zone for each protocol. In my case only SMB is used, so I need only one
access zone for SMB. SyncIQ and NDMP are also used, but they don't
require an access zone.
Since the best practice is to use unique paths for access zones, what
should I use in this case?
For example, should the root directory for the SMB zone look like:
/ifs/isilon1/smb
or do I need to use shared access zones, like:
/ifs/isilon1/prod/smb
It seems logical that all shares should be created under the prod/test zones
and their related paths, but this would mean the use of shared access zones to
separate SMB traffic, if I understood everything correctly.
Is there any better approach?
Thank you in advance!
tenortim
September 14th, 2020 08:00
I think the wording is unclear. I believe what we're trying to say there is "put front-facing client protocol traffic in an access zone other than System", not "put SMB and NFS in different access zones". As you point out, that doesn't make any sense.
Access Zones are a way of separating different groups that (can) use different authentication directory services. If you are implementing multi-protocol, there has to be a common source of identities for that to work and so all protocols you wish to use would be active in the same zone.
viku99
September 8th, 2020 07:00
"Therefore, there should be access zone for each protocol" - Where did you find it?
Access zone should have its own path like:
Accesszone1 = /ifs/isilon1/prod
Accesszone2 = /ifs/isilon1/test
This means the paths are not overlapping. The user mapping table is separated, and so on.
Never heard about separating paths by access protocol. Does it make sense at all in case of multiprotocol shares?
bi69t
September 8th, 2020 10:00
This is what I've found in "h16463-isilon-advanced-networking-fundamentals" guide as a best practice for Access zones:
=====
When a PowerScale cluster is first configured, the System Zone is created by default. The System Zone should only be used for management as a best practice. In certain special cases, some protocols require the system zone, but generally speaking, all protocol traffic should be moved to an Access Zone. If nothing else, NFS and SMB should have protocol specific Access Zones.
Moving client traffic to Access Zones ensures the System Zone is only used for management and accessed by administrators. Access Zones provide greater security as administration, and file access is limited to a subset of the cluster, rather than the entire cluster.
======
Maybe I misunderstood something, but according to the above you should separate SMB and NFS, for example, into different access zones. In my case, the customer won't use multiprotocol shares, only SMB.
Peter_Sero
September 8th, 2020 11:00
@bi69t
Maybe some confusion comes from the observation that the System zone and custom access zones will overlap and therefore look like "shared" zones. But that is normal: the System zone is always at the top level and does not count as a "shared" zone with respect to user file access via SMB, NFS and other protocols.
Makes sense?
-- Peter
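A quick way to check the "unique, non-overlapping roots" rule described in the replies above, as an added example that is not from this thread or from OneFS itself: it treats the System zone at /ifs as the exempt top level, reports any custom zones whose roots nest (which is exactly what a zone at /ifs/isilon1/prod/smb underneath prod would do), and resolves which zone a given share path falls under. Zone names and paths are constructed from the question.

```python
"""Sanity-check access zone root paths for overlap.

Added example, not from the thread or from Dell/OneFS. It encodes the rule
stated in the replies: custom zone roots must not nest, while the System
zone at /ifs sits above everything and is exempt from that rule.
"""
from pathlib import PurePosixPath

SYSTEM_ZONE = "System"

# Constructed sample: the two zones from the question plus System.
ZONES = {
    "System": "/ifs",
    "prod": "/ifs/isilon1/prod",
    "test": "/ifs/isilon1/test",
}


def _is_within(child: str, parent: str) -> bool:
    """True if child equals parent or lies somewhere below it."""
    c, p = PurePosixPath(child), PurePosixPath(parent)
    return c == p or p in c.parents


def overlapping_zones(zones: dict) -> list:
    """Return (zone_a, zone_b) pairs whose roots nest, ignoring System."""
    custom = {n: p for n, p in zones.items() if n != SYSTEM_ZONE}
    names = sorted(custom)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if _is_within(custom[a], custom[b]) or _is_within(custom[b], custom[a]):
                bad.append((a, b))
    return bad


def zone_for_share(zones: dict, share_path: str) -> str:
    """Name of the deepest zone root containing share_path (System if none)."""
    best, best_depth = SYSTEM_ZONE, -1
    for name, root in zones.items():
        if _is_within(share_path, root):
            depth = len(PurePosixPath(root).parts)
            if depth > best_depth:
                best, best_depth = name, depth
    return best


if __name__ == "__main__":
    print("overlaps:", overlapping_zones(ZONES))
    print("zone for /ifs/isilon1/prod/smb/finance:",
          zone_for_share(ZONES, "/ifs/isilon1/prod/smb/finance"))
```

Adding a fourth entry such as `smb="/ifs/isilon1/prod/smb"` to `ZONES` makes `overlapping_zones` flag the prod/smb pair, which is the shared-zone layout the question asks about.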
Phil.Lam
September 8th, 2020 12:00
https://www.dellemc.com/resources/en-us/asset/white-papers/products/storage/h16463-isilon-advanced-networking-fundamentals.pdf page 50.
bi69t
September 8th, 2020 23:00
No, I'm not confused about the System zone. The part below is confusing to me:
===
If nothing else, NFS and SMB should have protocol specific Access Zones.
Moving client traffic to Access Zones ensures the System Zone is only used for management and accessed by administrators.
===
What does that mean?
viku99
September 14th, 2020 08:00
It is a recommendation only; it might sometimes make sense, but it is definitely not necessary. Haven't faced any issues.
Check page 51.
Root Based Paths may also be based on protocol. As an example, protocols are matched with a Root Based Path in the following table:

Protocol            Root Based Path
NFS Access          /ifs/cls1/AZ1/nfs
SMB Access          /ifs/cls1/AZ2/smb
NFS / SMB / HDFS    /ifs/cls1/AZ3/mp
bi69t
September 14th, 2020 09:00
Thanks @viku99 and @isi_tim for clarifying this one for me. Now it makes much more sense.