
Update Course

Data ONTAP 7.2

NetApp Internal 2006, Network Appliance, Inc. All rights reserved

Logistics
Introductions
Schedule (start time, breaks, lunch, close)
Telephones and messages
Food and drinks
Restrooms


Safety
Alarm signal
Evacuation route
Assembly area
Electrical safety


Course Prerequisites
Training and experience with Data ONTAP 7.1


Course Objective
At the completion of this training, you will be able to
recognize the effect on functionality for each of the
new features released with Data ONTAP 7.2


Course Agenda
Data ONTAP 7.2 Update Overview
FlexShare
Protocol Enhancements
Data Protection Enhancements
Storage Resource Management Enhancements
Windows-Related Improvements


Information Sources
Product information
www.netapp.com/products
www.netapp.com/library

NOW site
now.netapp.com

NetAppU
www.netapp.com/education
netappusupport.custhelp.com
email
General:
NetAppUniversity@NetApp.com
France:
Education.fr@NetApp.com
Germany:
Education.de@NetApp.com
United Kingdom:
Education.uk@NetApp.com


Typographic Conventions


Data ONTAP 7.2 Update: Overview


Objectives
At the end of this module you will be able to:
Recognize the impact on functionality for each of the new
features released with Data ONTAP 7.2
Recall that the Data ONTAP 7.2 release supports the FAS6070
and FAS6030 platforms
Identify the new network interface cards supported
Describe FlexShare
Recognize the enhancements, new support, and settings
related to blocks protocols
Describe the IPsec certificate authentication
Describe the improved user controls for security,
asynchronous group replication, SnapMirror variable throttle,
and compliance migration


Objectives continued
At the end of this module, you will be able to:
Recognize that performance is improved for multiprocessor
systems and file system resiliency is enhanced
Recall that FlexVol volumes have increased to 500
Summarize improvements to CIFS performance
Describe the Group Policy Object
Describe LiveView
Recall that UNIX permissions in mixed security environments
have been improved
Describe improvements to FPolicies
Describe known management issues


New Hardware Supported
Data ONTAP 7.2 release supports
FAS6070
FAS6030

New NICs supported
1-Port 10 Gb Ethernet fiber optic PCI-X TOE adapter
4-Port Gb Ethernet copper PCI-X TOE adapter
2-Port Gb Ethernet copper PCI-E adapter
2-Port Gb Ethernet fiber optic PCI-E adapter
Data ONTAP 7.2RC1 supports network interface cards with
on-board TCP/IP Offload Engines (TOE), although TOE
functionality is not supported in this release


Practical Application

Ports numbered
from bottom


Manageability Enhancements
FlexShare
Blocks protocols enhancements

T10 Asymmetric Logical Unit Access support
Read-only LUN enhancements
PCI-X iSCSI hardware target adapter support
FCP config command to configure adapter speed
Renaming igroups

Security Protocols
IPsec certificate authentication


FlexShare
Priorities are assigned to volumes to assign
relative priorities between
Different volumes
Client data accesses and system operations

Hints to affect the way cache buffers are
handled for a given volume


Limitations
T10 Asymmetric Logical Unit Access (ALUA) support
Read-only LUN enhancements
PCI-X iSCSI hardware target adapter support
FCP config command to configure adapter speed
Renaming igroups


IPsec Certificate Authentication


Get signed certificate from certificate authority
Create self-signed certificate


Data Protection Enhancements


Centralized Administration
Consistency groups for synchronous
replication
SnapMirror Variable Throttle
Compliance migration


Centralized Administration
Allows administrators to TELNET, rsh, SSH, and use
FilerView without having to create users on the filer
Alternative to DataFabric Manager

UNIX
Lightweight Directory Access Protocol (LDAP)
Network Information Service (NIS)
Use entries in nsswitch.conf

Windows
Active Directory (AD)
Domain\username


Consistency Groups for Synchronous Replication
When this feature is deployed, consistency groups are
enabled with specific host-side applications (cross
volume; includes all replication)
This support guarantees consistency among data sets
in multiple LUNs, flexible volumes, and volumes
synchronously replicated via Synchronous SnapMirror
(SSM)


SnapMirror Variable Throttle


SnapMirror Variable Throttle gives the user the
ability to set a maximum threshold for the
amount of net bandwidth utilized by a storage
system for SnapMirror transfers
This includes the ability to change the
threshold to take effect during the actual
SnapMirror transfer


Compliance Migration
This feature is a secure and authenticated data
migration mechanism that is required when
files are locked with a long retention period
This assures that all files have been
completely and accurately migrated to another
platform with SnapLock protection


Storage Resource Management Enhancements
File system improvements
Performance on multiprocessor systems
Enhanced resiliency against hardware failures

Maximum FlexVols increased to 500


Maximum FlexVols Increased to 500


Data ONTAP 7.2RC1 provides the ability to
increase the number of FlexVol volumes to
500


Windows-Related Improvements
Enhanced CIFS performance
Enhanced Group Policy Object (GPO) support
LiveView
Enhanced Multiprotocol support
File screening enhancements


Enhanced CIFS Performance


This release includes the following CIFS
performance enhancements:
Improvements in CIFS scalability on
multiprocessor-based storage systems
Improvements in CIFS performance for high
ChangeNotify environments


Enhanced Group Policy Object (GPO) Support
This release includes Group Policy Object
(GPO) support for Restricted Groups security
policy


LiveView
The LiveView facility supports real-time
viewing of audit events using EventViewer


Enhanced Multiprotocol Support


This release provides better support for UNIX
permissions in mixed security environments


File Screening Enhancements


FPolicy functionality has been extended to
support the following:
File screening operations on specified volumes
Native File Blocking on vFiler units


Management Issues
Synchronous SnapMirror and FlexVol volumes
SSH Secure Shell/SSH Tectia client does not
work properly unless forwarding is disabled
Maximum number of SSH sessions
FilerView does not support roles and
capabilities for all tasks


Summary
In this module you have learned to
Recognize the impact on functionality for each of the new
features released with Data ONTAP 7.2
Recall that the Data ONTAP 7.2 release supports the FAS6070 and
FAS6030 platforms
Identify the new network interface cards supported
Describe FlexShare
Recognize the enhancements, new support, and settings related
to blocks protocols
Describe the IPsec certificate authentication
Describe the improved user controls for security, synchronous
group replication, SnapMirror variable throttle, and compliance
migration


Summary continued
In this module you have learned to
Recognize that performance is improved for multiprocessor
systems and file system resiliency is enhanced
Recall that FlexVol volumes have increased to 500
Summarize improvements to CIFS performance
Describe the Group Policy Object
Describe LiveView
Recall that UNIX permissions in mixed security environments
have been improved
Describe improvements to FPolicies
Describe known management issues


Data ONTAP 7.2 Update: FlexShare


Objectives
At the end of this learning object, you will be able to:

Describe FlexShare uses
Describe some FlexShare characteristics
Identify volume operations that affect FlexShare priorities
Describe the default queue
Describe Global I/O Concurrency
Describe procedures to modify FlexShare priorities
Describe procedures to set volume buffer cache policy
Configure FlexShare priorities


FlexShare
Facilitates increased storage resource control
Volume priorities
Hints of cache buffers
No license required


FlexShare Applications
Scenario 1: Different applications on the same storage
system
A mission-critical database on the same storage system as user
home directories
Use FlexShare to ensure that database accesses are assigned a
higher priority than accesses to home directories

Scenario 2: Reduce the impact of system operations
Use FlexShare to ensure that client accesses are assigned a higher
priority than system operations

Scenario 3: Volumes with different caching requirements
A database log volume that does not need to be cached after writing
Use the cache buffer policy hint to help Data ONTAP determine
how to manage the cache buffers for those volumes


FlexShare Characteristics
No performance guarantees
Priority levels are relative
Both nodes in active configuration (cluster)


Volume Operations Affect FlexShare Priorities
Volume operation: Effect on FlexShare settings
- Deletion: FlexShare settings removed
- Rename: FlexShare settings unchanged
- FlexClone volume creation: Parent volume settings unchanged; FlexShare settings for new FlexClone volume unset (as for a newly created volume)
- Copy: Source volume settings unchanged; FlexShare settings for destination volume unset (as for a newly created volume)
- Offline or online: FlexShare settings preserved


Default Queue
A volume with unassigned priorities will be in
the default queue
All volumes in default queue share resources
Once priorities are set for some, they should
be set for all volumes to be controlled


Global I/O Concurrency Option


FlexShare limits concurrent I/O based on
Volume priority
Disk type

Default for most applications
Change for nonstandard disks or load


Assign Priorities to Volume Data Access
1. Ensure that FlexShare is enabled:
priority on
2. Specify the priority for the volume by entering the following command:
priority set volume vol_name
3. Optionally verify the priority level:
priority show volume [-v] vol_name


Buffer Cache Policy


Settings
Keep
Reuse
Default

Setting Policy
priority on
priority set volume vol_name cache=policy


Removing or Disabling FlexShare Policies


Temporarily disabling FlexShare priority
filer1> priority set volume [volname] service=off

Removing FlexShare priority
filer1> priority delete volume [volname]


Default Volume Priority


To specify or modify the default volume
priority, use this command:
priority set default option=value [option=value]


Set Vol Buffer Cache Policy


1. priority on
2. priority set volume vol_name cache=policy
3. priority show volume -v vol_name (to verify)


Demonstration
The instructor will demonstrate the FlexShare
feature.
The procedure is included in the student guide
for reference


Summary
In this module you have learned to

Describe FlexShare uses
Describe some FlexShare characteristics
Identify volume operations that affect FlexShare priorities
Describe the default queue
Describe Global I/O Concurrency
Describe procedures to modify FlexShare priorities
Describe procedures to set volume buffer cache policy
Configure FlexShare priorities


Data ONTAP 7.2 Update: Protocol Enhancements


Objectives
At the end of this module, you will be able to
Describe the T10 Asymmetric Logical Unit Access
(ALUA) Standard
Describe read-only LUN enhancements for
SnapMirror
Describe PCI-X iSCSI hardware target adapter
support
Describe IPsec certificate authentication


T10 Asymmetric Logical Unit Access (ALUA) Standard for iSCSI
What is ALUA?
ALUA = Asymmetric Logical Unit Access (aka SCSI
Target Port Groups)
A standard set of SCSI commands for discovering
and managing multiple paths to LUNs on a SAN.

Benefit
Eliminates the need for host-specific plug-ins in a
SAN


Enabling and Using the ALUA Standard


ALUA: More Information


For more detail about the ALUA standard, refer
to:
NetApp Documentation
Data ONTAP 7.2 Block Access Management
Guide for iSCSI and FCP
The SCSI SPC-3 Specification
http://www.t10.org/drafts.htm#spc3


Read-Only LUN Management for SnapMirror
New capabilities

Can manage LUNs on a SnapMirror destination while the SnapMirror
relationship is intact
Can manage LUN maps for LUNs on mirrored qtrees and volumes
Can create new igroups on the destination, map the destination LUN to those
igroups, or use existing igroups
After setting up LUN maps for a destination LUN, you can continue to use the
LUN regardless of the mirror relationship; if a mirror is broken, the LUN
transparently migrates to a read/write state (note: hosts might need to
remount)

Limitations

Online or offline status of a destination LUN is inherited from the source LUN
and cannot be changed on the destination
Operations allowed on read-only LUNs are: lun map, lun unmap, lun show, lun
stats, and changes to SCSI-2 reservations and SCSI-3 persistent reservations


Read-only LUNs and SnapMirror: More Information
For more detail about read-only LUNs and
SnapMirror, refer to:
NetApp Documentation
Data ONTAP 7.2 Block Access Management
Guide for iSCSI and FCP
Data Protection Online Backup and Recovery
Guide


PCI-X iSCSI Hardware Target Adapter Support
The following Emulex PCI-X iSCSI hardware
target adapters are supported:
LP100i-D1 copper (X1029B-R5)
LP100i-F1 fiber optic (X1036B-R5)

VLANs and jumbo frames are supported with
these adapters as well


IPsec Security Authentication


What is IPsec?
A security protocol that protects data from unauthorized disclosure
during transmission between end-stations (storage systems and
clients).
IPsec enables you to:
Configure encryption and authentication algorithms between end-stations.
Negotiate Security Associations (SAs) between end-stations.

IPsec can take two forms: Authentication Header (AH) or
Encapsulating Security Payload (ESP)


IPsec Security in Data ONTAP 7.2


Security Associations (SAs) are negotiated via key exchange
protocols:
Kerberos (Windows clients)
Certificate authority (Windows clients, storage system <-> storage
system)
Preshared keys (Solaris clients, Windows clients, storage system <->
storage system)

Failover environment is not ideal for IPsec SAs
In a takeover, clients will continue to send packets to the failed client
for the lifetime of the SA
Best practice: on clients, set SA lifetimes to minimum values

IPsec can be enabled on a per-vFiler unit basis
Set IPsec configuration within vFiler unit, or with the
vfiler run command
IPsec configuration is preserved when a vFiler unit is moved, so long
as the IP address stays the same

Setting Up IPsec Authentication


1. Before using IPsec, you must:
Select and configure a key exchange mechanism.
Kerberos
Certificate authority
Preshared keys
Enable IPsec functionality on the storage system with
options ip.ipsec.enable on | off.

2. Create security policies: ipsec policy add

3. View security associations


IPsec: More Information


For more detail about the IPsec Authentication
standard, refer to:
NetApp Documentation
Data ONTAP 7.2 Network Administration Guide
The Internet Engineering Task Force, Security Architecture for the
Internet Protocol Standard
http://www.ietf.org/rfc/rfc2401.txt


Summary
In this module you have learned to
Describe the T10 Asymmetric Logical Unit Access
(ALUA) Standard
Describe read-only LUN enhancements for
SnapMirror
Describe PCI-X iSCSI hardware target adapter
support
Describe IPsec certificate authentication


Data ONTAP 7.2 Update: Data Protection Enhancements


Objectives
At the end of this module, you will be able to
Describe consistency groups for synchronous
replication
Describe SnapMirror Variable Throttle
Describe Compliance migration
Describe SnapVault for NetBackup 6.0
Describe SnapVault check and fixer for OSSV


Consistency Groups for Asynchronous Replication
Support for applications that store data in multiple
data volumes, and that need crash or restore
consistent checkpoints across these volumes
Checkpoint cycle that is non-intrusive to the
application, and can be accomplished in 5-10 seconds
Support for preventing the "rolling-disaster" type
failure by assuring correct ordering of causally
dependent writes across failures
Enables outside agents (SnapDrive, SnapManager) to
manage this capability for applications


System-wide Throttling of
SnapMirror/SnapVault Transfers
System-wide throttling enabled using three
new options:
Set using the options command


Throttle Examples


Throttle Example 2


Disabling Throttling


SnapVault for NetBackup 6.0


SnapVault Check and Fixer for OSSV


New in OSSV 2.2


Checker
Diagnostic command in 7.2
snapvault start check -S source destination
You must modify snapvault.cfg to enable verify checksum in order to run
checker/fixer
[QSM:GenerateVerifyChecksums]
value=TRUE
A restart of the OSSV agent and an update are needed before running checker.
Supports directory, file data and metadata, ACL, NT streams
Does not support non-NetApp attributes including encrypted file, sparse
file or stream, UNIX ACLs


Checker Session


Fixer
Diagnostic command in 7.2
snapvault start check -F -S source destination
An immediate update is needed to complete the fixer cycle.
You must enable verify checksum in order to run fixer.
[QSM:GenerateVerifyChecksums]
value=TRUE
A restart of the OSSV agent and an update are needed before running fixer.
Supports directory, file data and metadata, ACL, NT streams.
The OSSV fixer has two phases. The fixer phase is a pseudo checker phase for OSSV.
Directory, file metadata and holey blocks are fixed in this phase, and mismatched blocks are
requested from the secondary; OSSV marks these blocks as dirty for the next update.
The second phase for the OSSV fixer is the update. The OSSV update sends the changed data and mismatched blocks
during this phase.
Does not support non-NetApp attributes including encrypted file, sparse file.


Summary
In this module you have learned to:
Describe and enable consistency groups for
synchronous replication
Describe SnapMirror Variable Throttle
Describe Compliance migration
Describe SnapVault for NetBackup 6.0
Describe SnapVault check and fixer for OSSV


Data ONTAP 7.2 Update: Storage Resource Mgmt Enhancements


Objectives
At the end of this module, you will be able to:

Describe file system improvements
State that the maximum FlexVols is 500
100 aggregates
Describe issues and limitations related to Storage
Resource Management


File System Improvements


Performance on multiprocessor systems
Code changes to improve performance

Enhanced resiliency against HW failures


Enhanced Resiliency Against HW Failures


Common and recoverable panics identified from
autosupport data
On encountering panics
The affected data (block/file/volume) is made inaccessible
Deny access by returning an error to client
Delete bad snapshot
Keep inconsistent volume offline
Warnings are printed
A micro-core is dumped
An autosupport is triggered

If more than a few problems are seen, the volume is
taken offline


Panic Resiliency Requirements


No specific hardware or software
requirements
No license required
No specific installation/configuration/management
required
Does not affect upgrade/revert
No performance impacts


Maximum FlexVols Increased to 500


Data ONTAP 7.2RC1 provides the ability to
increase the number of FlexVol volumes to
500


Storage Resource Management Issues


Partition alignment problems cause an iSCSI LUN
performance problem
Linux LUN partitioning of certain drivers will not align to
a 4096-byte boundary
Follow procedures in Knowledge article 8190

CFO partner node's SSL certificate may be used after
takeover and giveback
Restart SSH
Operations that can cause volumes to temporarily
reserve more space (new in 7.2RC1)
Volume reallocation (new in 7.2RC1)
The ostype parameter is now required (new in 7.2RC1)

Storage Resource Management Issues continued
High CPU use when using user or group
quotas on qtrees (new in 7.2RC1)
Change in sysstat -x command output (new in
7.2RC1)
Disk auto-assignment cannot be disabled
during boot (new in 7.2RC1)
If takeover is enabled for network interface
failure, automatic giveback should be disabled
(new in 7.2RC1)


Summary
In this module you have learned to

Describe file system improvements
State that the maximum FlexVols is 500
Describe issues and limitations related to Storage
Resource Management


Data ONTAP 7.2 Update: Windows-related Improvements


Objectives
At the end of this module you will be able to:

Describe enhanced CIFS performance
Describe enhanced GPO support
Describe LiveView
Describe enhanced multiprotocol support
Describe file screening enhancements


Enhanced CIFS Performance


CIFS domain created separate from the
computer domain running WAFL
Allows CIFS operations in parallel to WAFL
activities
Load balancing in multiprocessor systems


Enhanced GPO Support


Three new policies
1. Restricted Group
Automatically provides security memberships for default
Windows 2000 groups

2. User Rights Assignment
Take ownership of files or other objects

3. GPO refresh time interval random offset
Adds to the refresh interval to prevent all clients from
requesting Group Policy at the same time


LiveView
Allows users to view real-time auditing
information on the filer
Gives users the ability of connecting to the
storage appliance to view real-time auditing
information
Enabled on the filer and then accessed from a
client


LiveView Syntax
options cifs.audit.liveview.enable [off|on]

Command Output:
ALF: CIFS EVT Live View facility has been started


Enhanced Multiprotocol Support


This preserves the UNIX permissions when a
file is saved as UNIX or Mixed
cifs.preserve_unix_security [on|off]


Enhanced Multiprotocol Support


UNIX style security qtrees now look like NTFS volumes
UNIX permissions are mapped to hard-coded SIDs (referred to as
Perm SIDs)
uid is represented by:
S-1-5-21-2038298172-1297133386-11111-uid
gid is represented by:
S-1-5-21-2038298172-1297133386-22222-gid
others is represented by:
S-1-5-21-2038298172-1297133386-33333
suid is represented by:
S-1-5-21-2038298172-1297133386-44444
sgid is represented by:
S-1-5-21-2038298172-1297133386-55555
svtx is represented by:
S-1-5-21-2038298172-1297133386-66666

Enhanced Multiprotocol Support


Perm SIDs resolve to the following names:
uid: UNIXPermUid\username. If the username
cannot be resolved the numeric uid is displayed
gid: UNIXPermGid\groupname. If the groupname
cannot be resolved, the numeric gid is displayed
others: UNIXPerm\others
suid: UNIXPerm\suid
sgid: UNIXPerm\sgid
svtx: UNIXPerm\svtx


Enhanced Multiprotocol Support


rwx permissions are set for uid, gid, and
others by setting the Read Data, Write Data,
and Execute File bits in the access mask of the
ACL
The suid, sgid and svtx bits are set by setting
the Read Data bit in the access mask of the
ACL
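
The Perm SID mapping on the preceding slides can be checked by decoding an ACL back into a UNIX mode. This is an added example, not NetApp code: the ACL is modelled as a list of (SID string, access mask) pairs for allow entries, which is an assumption, and the access-mask values are the standard Windows file rights the slide names.

```python
import stat

# Perm SID prefix and trailing sub-authority values, as listed on the slides.
PERM_SID_PREFIX = "S-1-5-21-2038298172-1297133386"
UID_TAG, GID_TAG, OTHERS_TAG = "11111", "22222", "33333"
SPECIAL_TAGS = {"44444": stat.S_ISUID, "55555": stat.S_ISGID, "66666": stat.S_ISVTX}

# Standard Windows file access-mask bits for the three rights the slide names.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_EXECUTE = 0x0020


def rwx_bits(mask):
    """Map Read Data / Write Data / Execute File to a UNIX rwx triplet (0-7)."""
    return ((4 if mask & FILE_READ_DATA else 0)
            | (2 if mask & FILE_WRITE_DATA else 0)
            | (1 if mask & FILE_EXECUTE else 0))


def decode_perm_sids(aces):
    """Rebuild owner, group and mode from (sid, access_mask) allow entries.

    SIDs that are not well-formed Perm SIDs are collected in 'ignored' so a
    reviewer can see which entries did not come from the UNIX mapping.
    """
    result = {"uid": None, "gid": None, "mode": 0, "ignored": []}
    for sid, mask in aces:
        if not sid.startswith(PERM_SID_PREFIX + "-"):
            result["ignored"].append(sid)
            continue
        tail = sid[len(PERM_SID_PREFIX) + 1:].split("-")
        tag = tail[0]
        if tag == UID_TAG and len(tail) == 2 and tail[1].isdigit():
            result["uid"] = int(tail[1])
            result["mode"] |= rwx_bits(mask) << 6
        elif tag == GID_TAG and len(tail) == 2 and tail[1].isdigit():
            result["gid"] = int(tail[1])
            result["mode"] |= rwx_bits(mask) << 3
        elif tag == OTHERS_TAG and len(tail) == 1:
            result["mode"] |= rwx_bits(mask)
        elif tag in SPECIAL_TAGS and len(tail) == 1:
            # suid, sgid and svtx are signalled by the Read Data bit alone.
            if mask & FILE_READ_DATA:
                result["mode"] |= SPECIAL_TAGS[tag]
        else:
            result["ignored"].append(sid)
    return result


def mode_string(mode):
    """Render the decoded mode the way ls -l would for a regular file."""
    return stat.filemode(stat.S_IFREG | mode)


# Constructed sample ACL (not captured from a real filer): uid 1001, gid 100.
SAMPLE_ACL = [
    (PERM_SID_PREFIX + "-11111-1001", FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE),
    (PERM_SID_PREFIX + "-22222-100", FILE_READ_DATA | FILE_EXECUTE),
    (PERM_SID_PREFIX + "-33333", FILE_READ_DATA),
    (PERM_SID_PREFIX + "-44444", FILE_READ_DATA),  # suid set
    (PERM_SID_PREFIX + "-66666", 0),               # svtx entry present, bit not set
    ("S-1-5-32-544", FILE_READ_DATA),              # ordinary SID, not a Perm SID
]

if __name__ == "__main__":
    decoded = decode_perm_sids(SAMPLE_ACL)
    print(decoded["uid"], decoded["gid"], oct(decoded["mode"]),
          mode_string(decoded["mode"]), decoded["ignored"])
```
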


Enhanced Multiprotocol Support


Viewing UNIX permissions in Windows


Enhanced Multiprotocol Support


Setting UNIX permissions from Windows


File Screening Enhancements


FPolicy functionality has been extended to
support the following:
File screening operations on specified volumes
Native File Blocking on vFiler units


FPolicy Overview
FPolicy is similar to vscan
FPolicy was introduced in 6.4
NFS support added in 7.0
Bug cleanup in GB


Step 1 Notification


Step 2 Processing


Step 3 Completion


Available Notifications
FPolicy server tells the filer which ops should
trigger notification
FPolicy server can choose to be notified for
access by clients which are using NFS and/or
CIFS protocols
FPolicy can choose from a wide range of client
ops, including open, create, close, delete,
rename, read, write, mkdir, rmdir, getattr,
setattr, NFS-lookup, and create-symlink


Uses
File blocking/file screening
Hierarchical storage management (HSM)
Quotas on directories

There can be multiple policies running at the
same time.


Filer Tells Server


Filename (or directory name for mkdir, etc.)
Path for CIFS, inode for NFS
IP address and user info for the client (SID for
CIFS, uid/gid for NFS)
Which operation is being requested by the
user, which protocol is being used for access


FPolicy CLI
Used to configure and control policies


Hardware & Software Requirements


FPolicy needs a CIFS license because the FPolicy
server must authenticate to the filer using CIFS
The FPolicy application runs off-filer on another
machine, normally a PC
FPolicy is free to customers, no special license is
needed; of course, they must have CIFS and get a
partner product to enforce the policy, etc.
Typical partners include NuView, Symantec,
Kazeon, NTP, Overtone, CommVault, and NeoPath


FPolicy Volume
fpolicy volume is a CLI command which restricts a policy to a certain set of volumes
Command syntax: fpolicy help volume
fpolicy vol[ume] {inc[lude]|exc[lude]} [add|remove|set|reset|show|eval] <PolicyName> [<vol_spec>[,<vol_spec>]*]
vol_spec supports wildcards (* and ?)
You can have either an include-set or an exclude-set
If you provide both, the include-set is ignored
FPolicy notification can be provided when clients access the filer via NFS or CIFS
All filer platforms


FPolicy Volume


Native File Blocking
1. First create a policy.
2. Configure the policy to provide notification for certain operations on files with targeted file extensions.
3. Set the policy to deny requests unless a server specifically allows them.
Since no server is provided, user requests fitting the configured setup are denied.


FPolicy Monitor
Normally the FPolicy server tells the filer which operations it wishes to monitor
You would not want to change that because it would be confusing for the server if it asked for notifications for open file and the filer started sending mkdir notifications
But for Native File Blocking, there is no server; the sysadmin has to manually set the list of monitored operations


FPolicy Monitor
Command syntax: fpolicy help monitor
fpolicy mon[itor] [add|remove|set] <PolicyName> [-p {nfs|cifs}] -f op_spec[,op_spec,...,op_spec]
If protocol is not selected, then both CIFS and NFS will cease notifications; the force flag (-f) stops the filer from issuing an "are you sure?" prompt
The ops which may be chosen are (see man page): all, none, close, create, create_dir, delete, delete_dir, getattr, link, lookup, open, read, rename, rename_dir, setattr, symlink, write


Native File Blocking
Create our MP3 blocker policy


Native File Blocking
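The following is an added example, not NetApp code and not from the original slides: a small Python model of how the rules on the preceding slides combine (volume include/exclude sets with * and ? wildcards, monitored operations, targeted extensions, and deny-unless-a-server-allows) to decide a client request under native file blocking. The monitored operations, volume names, case-insensitive extension matching, and the behaviour when the policy is not required or has no volume set are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

def vol_match(spec, volume):
    """Match a vol_spec against a volume name: '*' is any run, '?' is one character."""
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                      for c in spec)
    return re.fullmatch(pattern, volume) is not None

@dataclass
class Policy:
    extensions: set                      # targeted extensions, lower case, no dot
    monitored: dict                      # protocol -> set of monitored ops
    required: bool = True                # deny unless a server allows the request
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)
    server_connected: bool = False       # native file blocking: no server

    def covers_volume(self, volume):
        # Slide rule: when both sets are given, the include-set is ignored.
        if self.exclude:
            return not any(vol_match(s, volume) for s in self.exclude)
        if self.include:
            return any(vol_match(s, volume) for s in self.include)
        return True                      # assumption: no set means all volumes

    def decide(self, protocol, op, volume, filename):
        # Assumption: extensions compare case-insensitively.
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if not (self.covers_volume(volume)
                and op in self.monitored.get(protocol, set())
                and ext in self.extensions):
            return "allow"               # nothing to notify, request proceeds
        if self.server_connected:
            return "ask-server"          # the off-filer server would decide
        # Assumption: with 'required' off and no server, the request is allowed.
        return "deny" if self.required else "allow"

# Constructed policy modelled on the MP3 blocker slide (ops and volumes assumed).
mp3blocker = Policy(
    extensions={"mp3"},
    monitored={"cifs": {"create", "rename"}, "nfs": {"create", "rename"}},
    include=["vol1"],                    # ignored because an exclude-set exists
    exclude=["vol_scratch?", "tmp*"],
)

def audit(policy, requests):
    """Return the decision for each (protocol, op, volume, filename) request."""
    return [policy.decide(*r) for r in requests]
```

Running `audit` over a list of representative requests before enabling a policy shows which volumes and operations it actually covers, including the case where an include-set is silently ignored.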


Installation, Configuration & Management
Policies can be created and configured through the filer CLI (the fpolicy command).
You can set which file extensions trigger notifications and which volumes are affected by the policy.
The FPolicy partner software must be installed (details are specific to each partner and to the type of policy that is being implemented).
One partner product uses Manage ONTAP APIs to create and configure its own policy.
When the FPolicy server connects to the filer, it will tell the filer which operations it is interested in and which policy it wants to be the server for.

Upgrade and Revert
If a filer is reverted, settings not supported in the back release are lost.
If a filer is reverted far enough, support for FPolicy goes away (support started in 6.4).


Troubleshooting & Diagnostics
Error messages
A set of EMS events
Some console error messages for commands that fail

Autosupport messages
Output from fpolicy is in autosupport

Debugging/diagnostics related to new features
None

Known problems and public BURTS (subtype fpolicy)

Common problems
Nothing special, but FPolicy is inherently complex due to having interrupted client operations, plus network communications to an off-filer server and a separate software application running on that server

Feature Limitations
CIFS and NFS protocols only
Only client requests trigger notifications, no notification for internal ops; for example, creating a qtree does not provide a mkdir notification
An off-filer server and partner software are needed


Performance Information
No specific performance information, but FPolicy will slow client requests down since an off-filer server is notified; the client's request blocks until the server completes its processing
There is an async mode in which the filer delivers notifications but does not wait for a response from the FPolicy server (the server has to request this when it connects to the filer); this is fast and results in little impact on filer performance
Read and write notifications are almost never a good idea; use read and write notifications only for offline files

Summary
In this module you have learned to
Describe enhanced CIFS performance
Describe enhanced GPO support
Describe LiveView
Describe enhanced multiprotocol support
Describe file screening enhancements
