LIF roles in ONTAP 9.5 and earlier
LIFs with different roles have different characteristics. A LIF role determines the kind of traffic that is supported over the interface, along with the failover rules that apply, the firewall restrictions that are in place, the security, the load balancing, and the routing behavior for each LIF. A LIF can have any one of the five roles: node management, cluster management, cluster, intercluster, and data.
Starting with ONTAP 9.6, LIF roles are deprecated. You should specify service policies for LIFs instead of a role. It is not necessary to specify a LIF role when creating a LIF with a service policy.
LIF compatibility with port types
Note
If intercluster and management LIFs are configured in the same subnet and associated with a static route, and the route associates with an intercluster LIF, management traffic is blocked by an external firewall and the AutoSupport and NTP connections fail. You can recover the system by running the `network interface modify -vserver <vserver name> -lif <intercluster LIF> -status-admin up|down` command to toggle the intercluster LIF. However, you should set the intercluster LIF and management LIF in different subnets to avoid this issue.
| | Data LIF | Cluster LIF | Node management LIF | Cluster management LIF | Intercluster LIF |
---|---|---|---|---|---|
Primary traffic types | NFS server, CIFS server, NIS client, Active Directory, LDAP, WINS, DNS client and server, iSCSI and FC server | Intracluster | SSH server, HTTPS server, NTP client, SNMP, AutoSupport client, DNS client, loading software updates | SSH server, HTTPS server | Cross-cluster replication |
Notes | SAN LIFs cannot fail over. These LIFs also do not support load balancing. | Unauthenticated, unencrypted; essentially an internal Ethernet bus of the cluster. | | | Traffic flowing over intercluster LIFs is not encrypted. |
LIF security
| | Data LIF | Cluster LIF | Node management LIF | Cluster management LIF | Intercluster LIF |
---|---|---|---|---|---|
Require private IP subnet? | No | Yes | No | No | No |
Require secure network? | No | Yes | No | No | Yes |
Default firewall policy | Very restrictive | Completely open | Medium | Medium | Very restrictive |
Is firewall customizable? | Yes | No | Yes | Yes | Yes |
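
A check for the two conditions above, as an added example that is not part of the NetApp documentation: it flags intercluster LIFs that share a subnet with a management LIF (the situation in the note) and cluster LIFs outside private address space (the "Require private IP subnet?" row). The inventory, the `audit_lifs` name, the role strings and the definition of "private" as RFC 1918 plus link-local are assumptions.

```python
import ipaddress
from collections import defaultdict

MGMT_ROLES = {"node-mgmt", "cluster-mgmt"}
# Assumption: "private" means RFC 1918 or IPv4 link-local address space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample inventory: (LIF name, role, address, netmask).
SAMPLE_LIFS = [
    ("cluster_mgmt", "cluster-mgmt", "10.20.0.10", "255.255.255.0"),
    ("node1_mgmt", "node-mgmt", "10.20.0.11", "255.255.255.0"),
    ("node1_ic1", "intercluster", "10.20.0.50", "255.255.255.0"),
    ("node2_ic1", "intercluster", "10.30.0.50", "255.255.255.0"),
    ("node1_clus1", "cluster", "169.254.10.1", "255.255.0.0"),
    ("node2_clus1", "cluster", "203.0.113.7", "255.255.255.0"),
    ("data1", "data", "10.40.0.5", "255.255.255.0"),
]

def audit_lifs(lifs):
    """Return a sorted list of (check, subnet, lif_names) findings."""
    by_subnet = defaultdict(lambda: defaultdict(list))
    findings = []
    for name, role, address, netmask in lifs:
        iface = ipaddress.ip_interface(f"{address}/{netmask}")
        by_subnet[iface.network][role].append(name)
        # LIF security table: cluster LIFs require a private IP subnet.
        if role == "cluster" and not any(iface.ip in n for n in PRIVATE_NETS):
            findings.append(("cluster-lif-not-private", str(iface.network), [name]))
    for subnet, roles in by_subnet.items():
        mgmt = sorted(n for r in MGMT_ROLES for n in roles.get(r, []))
        ic = sorted(roles.get("intercluster", []))
        # Note above: intercluster and management LIFs belong in different subnets.
        if mgmt and ic:
            findings.append(("intercluster-shares-mgmt-subnet", str(subnet), ic + mgmt))
    return sorted(findings)

if __name__ == "__main__":
    for check, subnet, names in audit_lifs(SAMPLE_LIFS):
        print(f"{check}: {subnet}: {', '.join(names)}")
```
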
LIF failover
| | Data LIF | Cluster LIF | Node management LIF | Cluster management LIF | Intercluster LIF |
---|---|---|---|---|---|
Default behavior | Only those ports in the same failover group that are on the LIF's home node and on a non-SFO partner node | Only those ports in the same failover group that are on the LIF's home node | Only those ports in the same failover group that are on the LIF's home node | Any port in the same failover group | Only those ports in the same failover group that are on the LIF's home node |
Is customizable? | Yes | No | Yes | Yes | Yes |
LIF routing
| | Data LIF | Cluster LIF | Node management LIF | Cluster management LIF | Intercluster LIF |
---|---|---|---|---|---|
When is a default route needed? | When clients or a domain controller are on a different IP subnet | Never | When any of the primary traffic types require access to a different IP subnet | When an administrator is connecting from another IP subnet | When other intercluster LIFs are on a different IP subnet |
When is a static route to a specific IP subnet needed? | Rare | Never | Rare | Rare | When nodes of another cluster have their intercluster LIFs in different IP subnets |
When is a static host route to a specific server needed? | To have one of the traffic types listed under node management LIF go through a data LIF rather than a node management LIF. This requires a corresponding firewall change. | Never | Rare | Rare | Rare |
LIF rebalancing
| | Data LIF | Cluster LIF | Node management LIF | Cluster management LIF | Intercluster LIF |
---|---|---|---|---|---|
DNS: use as DNS server? | Yes | No | No | No | No |
DNS: export as zone? | Yes | No | No | No | No |