Mailing List Archive

Remote backup hosting with ONTAP...
Hi there

I need some suggestions for a setup where we will be hosting remote backup of other ONTAP clusters on one ONTAP FAS cluster.
The clusters that need to be backed up are on separate VLANs and should be kept separate.
So the plan is to create an SVM per system in its own VLAN.
Trouble is that in order to set up an SVM-Peer you first need to set up a cluster peer…
So I guess there are several ways to do this…


1. Create several cluster mgmt. LIFs (one for each VLAN)
   * Could this cause issues?
2. Create a firewall rule for the existing cluster mgmt. LIF so it can be reached from all the VLANs.

I will also be using ipspaces for this because of security, and because there are two systems using the same IP range…

Suggestions are welcome.. I somewhat lean towards option 1.

/Heino

Heino Walther<https://www.linkedin.com/in/heinowalther/>
Beardmann ApS<http://beardmann.dk/>
Jellingvej 9 - 7100 Vejle<https://goo.gl/maps/xQVPFMHXpXu>

D: 7199 9060 M: 2075 7501
--
Re: Remote backup hosting with ONTAP... [ In reply to ]
It sounds like he might be trying to design something that would be
resistant to ransomware? If so, you might want to consider using snaplock
compliance on the backup disks.

On Tue, Mar 9, 2021 at 7:06 AM Heino Walther <hw@beardmann.dk> wrote:

SV: Remote backup hosting with ONTAP... [ In reply to ]
Well not really.. just normal snapvault backups from source systems to this system…
Snaplock would be an option if it were not for the fact that NetApp wants money for that license…. I think I recall it was free some time ago…

/Heino

From: Basil <basilberntsen@gmail.com>
Date: Tuesday, 9 March 2021 at 13:10
To: Heino Walther <hw@beardmann.dk>
Cc: toasters@teaparty.net <toasters@teaparty.net>
Subject: Re: Remote backup hosting with ONTAP...
Re: Remote backup hosting with ONTAP... [ In reply to ]
Keep in mind that cluster peering involves the intercluster LIFs as well, as the snapmirror/vault traffic is passing through those LIFs. AFAIK you will have to have ipspaces for your intercluster LIFs (at least on the destination) to peer all those source machines.

Markus Nödl
Senior Storage Architect

ANEXIA Internetdienstleistungs GmbH

Phone: +43-50-556-3410
Mobile: +43 664 88241622

E-Mail: MNoedl@anexia-it.com
Web: http://www.anexia.com/

Headquarters address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
Managing Director: Alexander Windbichler
Commercial register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601



From: Toasters <toasters-bounces@teaparty.net> on behalf of Heino Walther <hw@beardmann.dk>
Date: Tuesday, 9. March 2021 at 13:03
To: "toasters@teaparty.net" <toasters@teaparty.net>
Subject: Remote backup hosting with ONTAP...

Re: Remote backup hosting with ONTAP... [ In reply to ]
Yep,

* IPSpaces for every Source-Cluster (or every customer)
* InterCluster LIFs "in" those IPSpaces
  * These are the LIFs that will be used for Cluster Peering
* SVM Management LIFs for control, if necessary (not the Cluster Mgmt LIFs you (Heino) mentioned)
* I can't think of a reason why you would need to give access to the Cluster Mgmt LIF to your customers
  * Firewall rules probably unnecessary

my 2c


Sebastian

On 09.03.2021 13:19, Markus Nödl wrote:
SV: Remote backup hosting with ONTAP... [ In reply to ]
Hi there

Ahh I’m stupid. Sorry…
I’m not sure why I thought that I would need the cluster mgmt LIF in order to create the cluster peering… of course you only need the IC LIFs here… and they will be running in an ipspace inside a VLAN.
Easy

Now NetApp only needs to enable web management for each separate SVM… I have not tested 9.8 yet, but I’m pretty sure you still need to manage your SVM via ssh/rest?

/Heino


From: Sebastian Goetze <spgoetze@gmail.com>
Date: Tuesday, 9 March 2021 at 13:27
To: Markus Nödl <mnoedl@anexia-it.com>, Heino Walther <hw@beardmann.dk>, toasters@teaparty.net <toasters@teaparty.net>
Subject: Re: Remote backup hosting with ONTAP...

Re: Remote backup hosting with ONTAP... [ In reply to ]
We run a backup service like this on one cluster for multiple customers.

Sebastian's advice is basically what we do. The one thing I can add is be aware of cluster name collisions for cluster peering. We ran into a situation where some of the customers' clusters were set up by the same PS resource and as a result the clusters all were named the same. That caused issues for peering.

And we've arranged for all customers to use separate VLAN ids.


________________________________
From: Toasters <toasters-bounces@teaparty.net> on behalf of Heino Walther <hw@beardmann.dk>
Sent: Tuesday, March 9, 2021 4:32 AM
To: Sebastian Goetze; Markus Nödl; toasters@teaparty.net
Subject: SV: Remote backup hosting with ONTAP...


_______________________________________________

Toasters mailing list

Toasters@teaparty.net<mailto:Toasters@teaparty.net>

https://www.teaparty.net/mailman/listinfo/toasters
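
The layout Sebastian describes, with a local alias for the peer cluster to sidestep the name collision mentioned in the last reply, written out for the destination cluster as an added example (these commands were not posted by anyone in the thread). It assumes ONTAP 9.6 or later CLI syntax; every node, port, VLAN id, IPspace, SVM, cluster name and address below is a made-up placeholder.

```text
# Run on the destination (backup) cluster, once per customer.
# All names, VLAN ids and addresses are placeholders for illustration.

# 1. One IPspace per customer, so customers with the same IP range stay apart.
network ipspace create -ipspace ips_custA

# 2. The customer's VLAN on each node, grouped into a broadcast domain
#    that lives inside that IPspace.
network port vlan create -node bkp-01 -vlan-name e0c-101
network port vlan create -node bkp-02 -vlan-name e0c-101
network port broadcast-domain create -ipspace ips_custA -broadcast-domain bd_custA -mtu 1500 -ports bkp-01:e0c-101,bkp-02:e0c-101

# 3. Intercluster LIFs inside the IPspace, one per node. They are owned by
#    the system SVM named after the IPspace; the cluster mgmt LIF is not involved.
network interface create -vserver ips_custA -lif ic_custA_01 -service-policy default-intercluster -home-node bkp-01 -home-port e0c-101 -address 198.51.100.11 -netmask 255.255.255.0
network interface create -vserver ips_custA -lif ic_custA_02 -service-policy default-intercluster -home-node bkp-02 -home-port e0c-101 -address 198.51.100.12 -netmask 255.255.255.0
network interface show -service-policy default-intercluster

# 4. The customer's backup SVM, created in the same IPspace.
vserver create -vserver svm_custA -ipspace ips_custA

# 5. Cluster peering through that IPspace only.
#    -peer-addrs pins the offer to the customer's intercluster LIFs.
#    -initial-allowed-vserver-peers limits the peer to this customer's SVM.
#    -local-name gives the peer a unique alias on this cluster, which matters
#    when several customer clusters were installed with the same name.
cluster peer create -ipspace ips_custA -peer-addrs 198.51.100.21,198.51.100.22 -generate-passphrase -offer-expiration 2days -initial-allowed-vserver-peers svm_custA -local-name custA_prod

# 6. On the customer's cluster, the admin completes the peering with
#    "cluster peer create -peer-addrs 198.51.100.11,198.51.100.12" and the
#    generated passphrase. Then verify from the destination:
cluster peer show -instance

# 7. SVM peering for SnapMirror/SnapVault, addressed by the local alias.
#    If the request is not pre-authorized on the other side, the customer's
#    admin confirms it with "vserver peer accept".
vserver peer create -vserver svm_custA -peer-vserver svm_src -peer-cluster custA_prod -applications snapmirror
vserver peer show
```

Check each parameter against the man pages of the release in use (for example `man cluster peer create`) before applying it, since the intercluster LIF syntax differs on releases older than 9.6.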