NetApp-specific NDMP configuration
Overview
SEP sesam enables you to protect and manage your storage file servers by providing support for Network Data Management Protocol (NDMP). To find out more about NDMP, see NDMP Backup.
The following configuration steps represent a NetApp-specific part of the NDMP host configuration. They are based on the NetApp article on using NDMP-based copy utilities. The steps below explain how to enable NDMP and set a password on the source and destination storage systems.
By enabling NDMP support on a storage system, you enable the storage system to communicate with SEP sesam Data Management Application (SDMA), data servers, and tape servers participating in backup or recovery operations. All network communications occur over a TCP/IP network.
You can perform tape backup and restore in either node-scoped NDMP mode or storage virtual machine (SVM) scoped NDMP mode.
About NDMP modes of operation
- Node-scoped NDMP mode
- In this mode you can perform backup and restore operations at the node level – on a node that owns the volume. Note that this mode is already deprecated and will be removed in a future major release. Refer to the official ONTAP 9 documentation About NDMP modes of operation.
- SVM-scoped NDMP mode
- You can perform backup and restore at the storage virtual machine (SVM, formerly known as Vserver) level if the NDMP service is enabled on the SVM. You can back up and restore all volumes hosted across different nodes in the SVM of a cluster. If a volume and the tape device share the same affinity, then SEP sesam (by using the CAB extension) can perform a local backup or restore operation.
Procedure
Depending on your configuration, use the NDMP activation and authentication procedure specific to your mode.
7-Mode
- Enable NDMP.
netapp> ndmpd on
- Create a new user specifically for NDMP.
netapp> useradmin user add sepbackup -g "Backup Operators"
New password: XXXXXXXXX
Retype new password: XXXXXXXXX
User <sepbackup> added.
- Non-root users have a special NDMP password that is different from their login password and is displayed by this command.
netapp> ndmpd password sepbackup
password MzUV5p6R
Note: This NDMP password must be set in the client configuration together with the user name.
- Set NDMP to accept plaintext and md5 authentication methods:
netapp> options ndmpd.authtype plaintext,challenge
Clustered Data ONTAP
Run the following command to verify that your cluster is running in SVM-scoped NDMP mode and not in node-scope mode:
cluster::> system services ndmp node-scope-mode status
If node-scoped NDMP mode is disabled, the cluster is configured for SVM-scoped NDMP mode.
SVM-scoped NDMP mode
You can use the vserver services ndmp commands to manage NDMP on each storage virtual machine (SVM, formerly known as Vserver). These commands are available to cluster administrators at the admin privilege level.
For more information about the vserver commands used below, see the vserver commands man pages.
Configuring SVM-scoped NDMP mode
Cluster Aware Backup (CAB) requires NDMP to be configured in SVM-scoped mode at the admin SVM level. This mode enables you to back up all the volumes hosted across different nodes of the cluster. When configuring this mode, consider the following:
- In the SVM-scoped NDMP mode, user authentication is integrated with the role-based access control mechanism.
- By default, NDMP should be in the allowed protocols list. If it is not, NDMP sessions cannot be established.
- You can control the LIF type on which an NDMP data connection is established by using the -preferred-interface-role option. When establishing an NDMP data connection, NDMP chooses an IP address that belongs to the LIF type as specified by this option. If the IP addresses do not belong to any of these LIF types, the NDMP data connection cannot be established.
Steps
- Enabling SVM-scoped NDMP mode on the cluster.
- Configuring a backup user account for the cluster.
- Configuring LIFs for data and control connection.
Enabling SVM-scoped NDMP mode on the cluster
- Enable SVM-scoped NDMP mode by using the system services ndmp command with the node-scope-mode parameter.
cluster::> system services ndmp node-scope-mode off
Example
cluster1::> system services ndmp node-scope-mode off
NDMP node-scope-mode is disabled.
- Enable NDMP service on your admin SVM. NDMP service must always be enabled on all nodes in a cluster.
cluster::> vserver services ndmp on -vserver <SVM-name>
Example
cluster1::> vserver services ndmp on -vserver cluster1
By default, the authentication type is set to challenge and plaintext authentication is disabled. It is recommended that the latter stays disabled to ensure secure communication.
- Verify that NDMP service is enabled.
cluster::> vserver services ndmp show
Example
cluster1::> vserver services ndmp show
Vserver       Enabled   Authentication type
------------- --------- -------------------
cluster1      true      challenge
vs1           false     challenge
- Verify that NDMP is allowed on the vserver.
cluster::> vserver services ndmp on -vserver <vserver>
Configuring a backup user account for the cluster
To authenticate NDMP from SEP sesam, create a local backup user account and generate an NDMP password for the user. Note that if you are using an NIS or LDAP user for the cluster with the admin or backup role, you cannot use an Active Directory user – you have to create the user on the respective server.
- Create a backup user with the backup role. You can specify a local backup user name or an NIS or LDAP user name for the -user-or-group-name parameter.
cluster::> security login create -user-or-group-name <user> -application ssh -authmethod password -role backup
Example: The following command creates the backup user ndmpuser with the backup role.
cluster1::> security login create -user-or-group-name ndmpuser -application ssh -authmethod password -role backup
Please enter a password for user 'ndmpuser':
Please enter it again:
- Generate an NDMP password for the admin SVM. This password is not the same as the password for the user account and will be used to authenticate the NDMP connection by SEP sesam.
cluster::> vserver services ndmp generate-password -vserver <SVM-name> -user <user>
Example
cluster1::> vserver services ndmp generate-password -vserver cluster1 -user ndmpuser
Vserver: cluster1
User: ndmpuser
Password: yMGg5d0LyUG8l1kn
Configuring LIFs for data and control connection
You must identify the Logical Interfaces (LIFs) that will be used for establishing the data connection, which sends the backup data to the SEP sesam Server or RDS, and for establishing the control connection between the admin SVM and SEP sesam. Once the LIFs are identified, you must verify that firewall and failover policies are correctly set. Then you have to specify the preferred interface role that allows you to control the LIF type on which the NDMP data connection is established; NDMP will choose an IP address that belongs to the LIF type as specified by the -preferred-interface-role option.
Note: If the IP addresses are not matched to any of these LIF types, the NDMP data connection cannot be established and your vServer-scoped NDMP backups will fail with an error.
- To troubleshoot the NDMP data connection issue, check the NetApp knowledgebase article vServer-scoped NDMP fails to establish data connection.
- For details on what resources are available in Vserver-scope (the supported NDMP data connection types in relation to the NDMP control connection LIF type), see NetApp ONTAP documentation NDMP data connection types.
- Additionally, to understand what LIF type is being used check the NetApp knowledgebase articles What is the LIF Choice order for Cluster Aware backups in NDMP? and How to identify which resources are available through NDMP based on LIF type.
Steps
- Identify the interfaces for the roles of type data, the intercluster, cluster-management, and node-management LIFs.
cluster::> network interface show -role <role-type>
Example 1: Identify the intercluster LIFs which were created previously for the SVM cluster1.
cluster1::> network interface show -role intercluster
            Logical    Status     Network            Current       Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
----------- ---------- ---------- ------------------ ------------- ------- ----
cluster1    IC1        up/up      192.0.2.65/24      cluster1-1    e0a     true
cluster1    IC2        up/up      192.0.2.68/24      cluster1-2    e0b     true
Example 2: Identify the cluster-mgmt LIFs which can be used to back up all volumes across all nodes.
cluster1::> network interface show -role cluster-mgmt
            Logical    Status     Network            Current       Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
----------- ---------- ---------- ------------------ ------------- ------- ----
cluster1    cluster_mgmt up/up    192.0.2.60/24      cluster1-2    e0M     true
Example 3: Identify the node-mgmt LIFs.
cluster1::> network interface show -role node-mgmt
            Logical    Status     Network            Current      Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node         Port   Home
----------- ---------- ---------- ------------------ ------------ ------ ------
cluster1    cluster1-1_mgmt1 up/up 192.0.2.69/24     cluster1-1   e0M    true
            cluster1-2_mgmt1 up/up 192.0.2.70/24     cluster1-2   e0M    true
- Ensure that the firewall policy is enabled for NDMP on all LIF types.
cluster::> system services firewall policy show
Example
cluster1::> system services firewall policy show
Vserver  Policy       Service    Allowed
-------  ------------ ---------- -------------------
cluster1 data         dns        0.0.0.0/0, ::/0
                      ndmp       0.0.0.0/0, ::/0
                      ndmps      0.0.0.0/0, ::/0
cluster1 intercluster ndmp       0.0.0.0/0, ::/0
                      ndmps      0.0.0.0/0, ::/0
cluster1 mgmt         dns        0.0.0.0/0, ::/0
                      http       0.0.0.0/0, ::/0
                      https      0.0.0.0/0, ::/0
                      ndmp       0.0.0.0/0, ::/0
                      ndmps      0.0.0.0/0, ::/0
                      ntp        0.0.0.0/0, ::/0
                      snmp       0.0.0.0/0, ::/0
                      ssh        0.0.0.0/0, ::/0
- If the firewall policy is not enabled, enable it by using the -service parameter. Example: The following command enables firewall policy for the intercluster LIF.
cluster1::> system services firewall policy modify -vserver cluster1 -policy intercluster -service ndmp 0.0.0.0/0
- Ensure that the failover policy is set appropriately for all LIFs: the failover policy for the cluster-management LIF must be set to broadcast-domain-wide, and the policy for the intercluster and node-management LIFs must be set to local-only. Example: Displaying the failover policy for the cluster-management, intercluster, and node-management LIFs.
cluster1::> network interface show -failover
           Logical           Home              Failover              Failover
Vserver    Interface         Node:Port         Policy                Group
---------- ----------------- ----------------- -------------------- --------
cluster    cluster1_clus1    cluster1-1:e0a    local-only            cluster
                             Failover Targets:
                             .......
cluster1   cluster_mgmt      cluster1-1:e0m    broadcast-domain-wide Default
                             Failover Targets:
                             .......
           IC1               cluster1-1:e0a    local-only            Default
                             Failover Targets:
           IC2               cluster1-1:e0b    local-only            Default
                             Failover Targets:
                             .......
cluster1-1 cluster1-1_mgmt1  cluster1-1:e0m    local-only            Default
                             Failover Targets:
                             ......
cluster1-2 cluster1-2_mgmt1  cluster1-2:e0m    local-only            Default
                             Failover Targets:
                             ......
If the failover policies are not set appropriately, modify them by using the network interface modify command with the -failover-policy parameter. For details on the command, refer to the NetApp ONTAP man pages system services firewall policy commands.
cluster::> network interface modify -vserver <vserver> -lif <lif> -failover-policy <policy>
- Ensure that the preferred interface roles intercluster, cluster-mgmt and node-mgmt are defined for the NDMP service.
cluster::> vserver services ndmp modify -vserver <vserver> -preferred-interface-role intercluster,cluster-mgmt,node-mgmt
- Verify that the preferred interface role is set for the cluster.
cluster::> vserver services ndmp show -vserver <vserver>
Example
cluster1::> vserver services ndmp show -vserver cluster1
Vserver: cluster1
NDMP Version: 4
.......
.......
Preferred Interface Role: intercluster, cluster-mgmt, node-mgmt
- Set the preferred interface roles, if they are not set.
cluster::> vserver services ndmp modify -vserver <vserver> -preferred-interface-role intercluster,cluster-mgmt,node-mgmt
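The two verification steps above (vserver services ndmp show and system services firewall policy show) can be checked mechanically. The following Python audit is an added example, not part of the original page or of SEP sesam or NetApp tooling: it reads saved output of both commands and reports SVMs that accept plaintext authentication and ndmp/ndmps firewall entries open to any address. The sample output, the SVM vs2 and the address 192.0.2.10 are constructed for the demonstration.

```python
# Constructed sample output in the layout shown on this page; vs2 and the
# 192.0.2.10/32 allow-list (a stand-in for the backup server) are invented.
NDMP_SHOW = """\
Vserver       Enabled   Authentication type
------------- --------- -------------------
cluster1      true      challenge
vs1           false     challenge
vs2           true      plaintext,challenge
"""

FIREWALL_SHOW = """\
Vserver  Policy       Service    Allowed
-------  ------------ ---------- -------------------
cluster1 data         dns        0.0.0.0/0, ::/0
                      ndmp       0.0.0.0/0, ::/0
cluster1 intercluster ndmp       192.0.2.10/32
                      ndmps      192.0.2.10/32
"""

OPEN_NETS = {"0.0.0.0/0", "::/0"}   # allow-list entries that match every address

def audit_ndmp_auth(text):
    """Return SVMs where NDMP is enabled and plaintext authentication is accepted."""
    findings = []
    for line in text.splitlines()[2:]:            # skip header and ruler
        fields = line.split(None, 2)
        if len(fields) != 3:
            continue
        vserver, enabled, auth = fields
        methods = {m.strip() for m in auth.split(",")}
        if enabled == "true" and "plaintext" in methods:
            findings.append(vserver)
    return findings

def audit_firewall(text, services=("ndmp", "ndmps")):
    """Return (vserver, policy, service) rows whose allow-list is open to any address."""
    findings, vserver, policy = [], None, None
    for line in text.splitlines()[2:]:
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():                 # a new policy block names vserver and policy
            vserver, policy, fields = fields[0], fields[1], fields[2:]
        service, allowed = fields[0], {a.strip(",") for a in fields[1:]}
        if service in services and allowed & OPEN_NETS:
            findings.append((vserver, policy, service))
    return findings
```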
Node-scoped NDMP mode
You must use NDMP-specific credentials to access a storage system and perform tape backup and restore.
Note: The following commands are deprecated and will be removed in a future major release.
For more information, see the man pages for the system services ndmp commands.
- Enable NDMP.
::> system services ndmp on -node *
- Set a password.
::> system services ndmp modify -node * -user-id root
Please enter password: XXXXXXXXX
Confirm password: XXXXXXXXX
X entries were modified.
- Set NDMP to accept both plaintext and md5 authentication requests.
::> system services ndmp modify -node * -clear-text true
Firewall settings
In environments where the source and target networks are separated by a network firewall, the NDMP control connection uses port 10000 by default to manage backups and restores. This connection is used to send and receive NDMP requests. However, the NDMP data connection that is used for transferring data may randomly use any available port.
Specify NDMP data port range
The following example modifies the NDMP data port range on an ONTAP 9.x node named NODE1. The configuration changes the NDMP data port range from the default value all to 55100-55200.
NODE1::> vserver services ndmp modify -vserver NODE1 -data-port-range 55100-55200
The format of this option is <start_port>-<end_port>, where both ports can have values between 1024 and 65535. NDMP uses a port within that range to listen for data connections. A listen request fails if no ports in the specified range are free. The default value for this option is all. This option is persistent across reboots. For more information, check the NetApp article vserver services ndmp modify.
[-data-port-range <start_port>-<end_port> | all] - Data Port Range
You can show the used data port range with the following command:
NODE1::> vserver services ndmp show -vserver NODE1 -fields data-port-range
vserver data-port-range
------- ---------------
NODE1   55100-55200
As of Data ONTAP (DOT) 7.3.5.1 and 8.0.1, the NDMP data port can be specified as follows:
options ndmpd.data_port_range {start_port-end_port}
Its usage is explained in the NetApp article Designating the range of ports for NDMP data connections. The following information is based on this article.
To specify a range of ports to be used by NDMP data connection, use the following command on NetApp Controller:
options ndmpd.data_port_range {start_port-end_port}
Syntax: options ndmpd.data_port_range {<start_port>-<end_port> | all }
- start_port and end_port can have values between 1024 and 65535.
- start_port must be less than or equal to end_port.
- It is best to use start_port and end_port values between 18600 and 18699.
Example:
options ndmpd.data_port_range {11400-11800}
The default value for this option is all, which means that any available port may be used. By specifying a valid range, a port within this range is used. A listen request fails if no ports in the specified range are free. The additional ports must be open in both directions for backup and restore purposes.
Note: The ndmpd.data_port_range option is persistent across reboots.
Once you have specified the ports, restart ndmpd on the NetApp controller by using ndmpd {on|off}.
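Before opening the firewall, the configured range can be validated against the rules above and compared with what the firewall actually permits. This Python check is an added example, not code from the original page or from NetApp: the firewall rule format (a list of inclusive TCP port ranges) and the sessions parameter (expected concurrent data connections, each assumed to need its own listening port) are assumptions made for the illustration.

```python
import re

CONTROL_PORT = 10000  # default NDMP control port named on this page

def parse_data_port_range(value):
    """Parse a data port range setting: 'all' or 'start-end' within 1024-65535."""
    value = value.strip().strip("{}")          # the page's 7-Mode example wraps the range in braces
    if value == "all":
        return None                            # any available port may be used
    m = re.fullmatch(r"(\d+)-(\d+)", value)
    if not m:
        raise ValueError(f"not 'all' or start-end: {value!r}")
    start, end = int(m.group(1)), int(m.group(2))
    if not (1024 <= start <= end <= 65535):
        raise ValueError(f"need 1024 <= start <= end <= 65535: {value!r}")
    return start, end

def review(value, firewall_allows, sessions=1):
    """Compare the configured range with the TCP ports a firewall permits.
    firewall_allows: (low, high) inclusive port ranges; sessions: assumed concurrency."""
    def allowed(port):
        return any(lo <= port <= hi for lo, hi in firewall_allows)
    findings = []
    if not allowed(CONTROL_PORT):
        findings.append("control port 10000 is blocked")
    rng = parse_data_port_range(value)
    if rng is None:
        findings.append("data port range is 'all': data connections cannot be pinned to firewall rules")
        return findings
    start, end = rng
    blocked = [p for p in range(start, end + 1) if not allowed(p)]
    if blocked:
        findings.append(f"{len(blocked)} data ports blocked, first {blocked[0]}")
    if end - start + 1 < sessions:
        findings.append("fewer ports than concurrent sessions: listen requests will fail")
    return findings
```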
Known issues
If you have NDMP configuration-related problems, see NDMP troubleshooting.