Creating a service policy for LIFs

Starting with ONTAP 9.5, you can create a service policy for LIFs. You can assign a service policy to one or more LIFs, thereby allowing each LIF to carry traffic for a single service or for a list of services.

About this task

In ONTAP 9.5, built-in services and service policies are available only for managing intercluster and BGP peer traffic in the admin SVM. In ONTAP 9.6, built-in services and service policies are available for managing data and management traffic on both data and system SVMs.

Refer to LIFs and service policies in ONTAP 9.6 and later

You can modify these built-in service policies, if required.

  1. View the services that are available in the cluster: network interface service show

    Services represent the applications accessed by a LIF as well as the applications served by the cluster. Each service includes zero or more TCP and UDP ports on which the application is listening.

    Example

    In ONTAP 9.5 and earlier, the following two management services are available:

    cluster1::> network interface service show
    Service                Protocol:Port
    ---------------------- -------------
    intercluster-core      tcp:11104
                           tcp:11105
    management-bgp         tcp:179

    2 entries were displayed.

    In ONTAP 9.6 and later, the following additional data and management services are available:

    cluster1::> network interface service show
    Service                     Protocol:Ports
    --------------------------- ------------------------------------------------
    cluster-core                -
    data-cifs                   -
    data-core                   -
    data-flexcache              -
    data-iscsi                  -
    data-nfs                    -
    intercluster-core           tcp:11104-11105
    management-autosupport      -
    management-bgp              tcp:179
    management-core             -
    management-https            tcp:443
    management-ssh              tcp:22

    12 entries were displayed.
  2. Create a service policy: network interface service-policy create -vserver svm_name -policy service_policy_name -services service_name -allowed-addresses IP_address/mask,...

    service_name specifies the list of services that are included in the policy.

    IP_address/mask specifies the list of subnets (address and mask) whose addresses are allowed to access the services in the service policy. By default, every specified service is added with an allowed address list of 0.0.0.0/0, which accepts traffic from all subnets. When a non-default allowed address list is provided, LIFs that use the policy block every request whose source address does not match any of the specified subnets.

    Example

    The following example shows how to create a data service policy, svm1_data_policy, for an SVM that includes NFS and CIFS services in ONTAP 9.6:

    cluster1::*> network interface service-policy create -vserver svm1 -policy svm1_data_policy -services data-nfs,data-cifs -allowed-addresses 10.1.0.0/16

    The following example shows how to create an intercluster service policy:

    cluster1::*> network interface service-policy create -vserver cluster1 -policy intercluster1 -services intercluster-core -allowed-addresses 10.1.0.0/16
  3. Verify that the service policy is created: network interface service-policy show

    Example

    The following output shows the service policies that are available in ONTAP 9.6:

    cluster1::> network interface service-policy show
    Vserver   Policy                     Service: Allowed Addresses
    --------- -------------------------- ----------------------------------------
    cluster1
              default-intercluster       intercluster-core: 0.0.0.0/0
                                         management-https: 0.0.0.0/0

              default-management         management-core: 0.0.0.0/0
                                         management-autosupport: 0.0.0.0/0
                                         management-ssh: 0.0.0.0/0
                                         management-https: 0.0.0.0/0

              default-route-announce     management-bgp: 0.0.0.0/0

    Cluster
              default-cluster            cluster-core: 0.0.0.0/0

    vs0
              default-data-blocks        data-core: 0.0.0.0/0
                                         data-iscsi: 0.0.0.0/0

              default-data-files         data-core: 0.0.0.0/0
                                         data-nfs: 0.0.0.0/0
                                         data-cifs: 0.0.0.0/0
                                         data-flexcache: 0.0.0.0/0

              default-management         data-core: 0.0.0.0/0
                                         management-ssh: 0.0.0.0/0
                                         management-https: 0.0.0.0/0

    7 entries were displayed.

    The following output shows the service policies in ONTAP 9.5:

    cluster1::> network interface service-policy show
    Vserver   Policy                 Service: Allowed Addresses
    --------- ---------------------- -------------------------------
    cluster1
              intercluster1          intercluster-core: 10.1.0.0/16

              net-intercluster       intercluster-core: 0.0.0.0/0

    3 entries were displayed.
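The allowed-address rule from step 2 and the listing verified in step 3 can be checked offline. The following Python script is an added example and is not part of the ONTAP documentation or product: it parses a constructed "network interface service-policy show" listing modelled on the output above (real column widths may differ, and the comma-separated form used for several allowed subnets is an assumption), applies the source-address rule (a request reaches a service only when its source lies in one of the policy's subnets, and a service absent from the policy is not offered at all), and reports every service whose allowed list still contains the 0.0.0.0/0 default, since those are the entries reachable from any subnet and the ones to review when tightening a policy.

```python
import ipaddress
import re

# Constructed sample, modelled on the "network interface service-policy show"
# listing in this procedure (not captured from a real cluster). Column widths
# and the comma-separated form for several allowed subnets are assumptions.
SAMPLE_OUTPUT = """\
Vserver   Policy                     Service: Allowed Addresses
--------- -------------------------- ----------------------------------------
cluster1
          default-intercluster       intercluster-core: 0.0.0.0/0
                                     management-https: 0.0.0.0/0

          intercluster1              intercluster-core: 10.1.0.0/16

vs0
          svm1_data_policy           data-nfs: 10.1.0.0/16, 10.2.0.0/16
                                     data-cifs: 10.1.0.0/16

          default-management         data-core: 0.0.0.0/0
                                     management-ssh: 0.0.0.0/0
                                     management-https: 0.0.0.0/0

4 entries were displayed.
"""

# "service-name: addr/mask[, addr/mask ...]" preceded by line start or a space.
SERVICE_RE = re.compile(r"(?:^|\s)([^\s:]+):\s*(.*)$")
FOOTER_RE = re.compile(r"^\d+ entries were displayed\.$")


def parse_service_policy_show(text):
    """Parse the listing into {(vserver, policy): {service: [ip_network, ...]}}.

    Vserver names stand alone on their own line, policy names start in the
    second column (its offset is taken from the dashed separator line), and
    continuation lines carry only further "service: addresses" pairs.
    """
    policies = {}
    policy_col = None
    vserver = policy = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if policy_col is None:
            # Skip the header until the dashed separator fixes the column offsets.
            runs = [m.start() for m in re.finditer(r"-+", line)]
            if len(runs) >= 3 and set(line.strip()) <= set("- "):
                policy_col = runs[1]
            continue
        if FOOTER_RE.match(line.strip()):
            break
        m = SERVICE_RE.search(line)
        if m is None:
            # No "service:" pair on the line: it names the vserver that follows.
            vserver = line.strip()
            continue
        head = line[:m.start()]
        vs = head[:policy_col].strip()
        if vs:
            vserver = vs
        pol = head[policy_col:].strip()
        if pol:
            policy = pol
            policies[(vserver, policy)] = {}
        nets = [ipaddress.ip_network(a.strip())
                for a in m.group(2).split(",") if a.strip()]
        policies[(vserver, policy)][m.group(1)] = nets
    return policies


def is_source_allowed(policy_services, service, src_ip):
    """Apply the allowed-address rule from step 2: a request for `service` is
    accepted only if its source address lies in one of the policy's subnets.
    A service that is not in the policy is not offered on the LIF at all."""
    nets = policy_services.get(service)
    if not nets:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in nets)


def find_catch_all_services(policies):
    """List (vserver, policy, service) triples whose allowed addresses include
    a zero-length prefix (0.0.0.0/0 or ::/0), i.e. the default that admits
    traffic from any source."""
    findings = []
    for (vserver, policy), services in sorted(policies.items()):
        for service, nets in services.items():
            if any(net.prefixlen == 0 for net in nets):
                findings.append((vserver, policy, service))
    return findings


if __name__ == "__main__":
    parsed = parse_service_policy_show(SAMPLE_OUTPUT)
    for vserver, policy, service in find_catch_all_services(parsed):
        print(f"{vserver}/{policy}: {service} is reachable from any source")
```

Run against a saved copy of your own listing instead of the constructed sample to see which policies still carry the 0.0.0.0/0 default; the built-in default-* policies in the output above all do, which is expected for a fresh cluster but worth knowing before assigning them to LIFs on untrusted networks.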

After you finish

Assign the service policy to a LIF either at the time of creation or by modifying an existing LIF.