5 1 0:NetApp-specific NDMP configuration



Welcome to the latest SEP sesam documentation version 5.1.0 Apollon. For previous documentation version(s), check documentation archive.


Overview


SEP sesam enables you to protect and manage your storage file servers by providing support for Network Data Management Protocol (NDMP). To find out more about NDMP, see NDMP Backup.

The following configuration steps represent the NetApp-specific part of the NDMP host configuration. They are based on the NetApp article on using NDMP-based copy utilities. The steps below explain how to enable NDMP and set a password on the source and destination storage systems.

By enabling NDMP support on a storage system, you enable the storage system to communicate with SEP sesam Data Management Application (SDMA), data servers, and tape servers participating in backup or recovery operations. All network communications occur over a TCP/IP network.

You can perform tape backup and restore in either node-scoped NDMP mode or storage virtual machine (SVM) scoped NDMP mode.

About NDMP modes of operation

Node-scoped NDMP mode
In this mode you can perform backup and restore operations at the node level – on a node that owns the volume. Note that this mode is already deprecated and will be removed in a future major release. Refer to the official ONTAP 9 documentation, About NDMP modes of operation.
SVM-scoped NDMP mode
You can perform backup and restore at the storage virtual machine (SVM, formerly known as Vserver) level if the NDMP service is enabled on the SVM. You can back up and restore all volumes hosted across different nodes in the SVM of a cluster. If a volume and the tape device share the same affinity, then SEP sesam (by using the CAB extension) can perform a local backup or restore operation.

Procedure

Depending on your configuration, use the NDMP activation and authentication procedure specific to your mode.

7-Mode

  1. Enable NDMP.
     netapp> ndmpd on
  2. Create a new user specifically for NDMP.
     netapp> useradmin user add sepbackup -g "Backup Operators"
     New password: XXXXXXXXX
     Retype new password: XXXXXXXXX
     User <sepbackup> added.
  3. Non-root users have a special NDMP password that is different from their login password and is displayed by this command.
     netapp> ndmpd password sepbackup
     password MzUV5p6R
    Note
    This NDMP password must be set in the client configuration together with the user name.
  4. Set NDMP to accept plaintext and md5 authentication methods:
     netapp> options ndmpd.authtype plaintext,challenge

Clustered Data ONTAP

Run the following command to verify that your cluster is running in SVM-scoped NDMP mode and not in node-scoped mode:

 cluster::> system services ndmp node-scope-mode status

If node-scoped NDMP mode is disabled, the cluster is configured for SVM-scoped NDMP mode.

SVM-scoped NDMP mode

You can use the vserver services ndmp commands to manage NDMP on each storage virtual machine (SVM, formerly known as Vserver). These commands are available to cluster administrators at the admin privilege level.
For more information about the vserver commands used below, see the vserver commands man pages.

Configuring SVM-scoped NDMP mode

Cluster Aware Backup (CAB) requires NDMP to be configured in SVM-scoped mode at the admin SVM level. This mode enables you to back up all the volumes hosted across different nodes of the cluster. When configuring this mode, consider the following:

  • In the SVM-scoped NDMP mode, user authentication is integrated with the role-based access control mechanism.
  • By default, NDMP should be in the allowed protocols list. If it is not, NDMP sessions cannot be established.
  • You can control the LIF type on which an NDMP data connection is established by using the -preferred-interface-role option. When establishing an NDMP data connection, NDMP chooses an IP address that belongs to the LIF type as specified by this option. If the IP addresses do not belong to any of these LIF types, the NDMP data connection cannot be established.

Steps

  1. Enabling SVM-scoped NDMP mode on the cluster.
  2. Configuring a backup user account for the cluster.
  3. Configuring LIFs for data and control connection.

Enabling SVM-scoped NDMP mode on the cluster

  1. Enable SVM-scoped NDMP mode by using the system services ndmp command with the node-scope-mode parameter.
     cluster::> system services ndmp node-scope-mode off

    Example

     cluster1::> system services ndmp node-scope-mode off
     NDMP node-scope-mode is disabled.
  2. Enable NDMP service on your admin SVM. NDMP service must always be enabled on all nodes in a cluster.
     cluster::> vserver services ndmp on -vserver <SVM-name>

    Example

     cluster1::> vserver services ndmp on -vserver cluster1

    By default, the authentication type is set to challenge and plaintext authentication is disabled. It is recommended that the latter stays disabled to ensure secure communication.

  3. Verify that NDMP service is enabled.
     cluster::> vserver services ndmp on -vserver <SVM-name>

    Example

     cluster1::> vserver services ndmp on -vserver cluster1
  4. Verify that NDMP is allowed on the vserver.
     cluster::> vserver services ndmp show
     cluster::> vserver services ndmp on -vserver <vserver>

    Example

     cluster1::> vserver services ndmp show
     Vserver       Enabled   Authentication type
     ------------- --------- -------------------
     cluster1      true      challenge
     vs1           false     challenge

Configuring a backup user account for the cluster

To authenticate NDMP from SEP sesam, create a local backup user account and generate an NDMP password for the user. Note that if you are using an NIS or LDAP user for the cluster with the admin or backup role, you cannot use an Active Directory user – you have to create the user on the respective server.

  1. Create a backup user with the backup role. You can specify a local backup user name or an NIS or LDAP user name for the -user-or-group-name parameter.
     cluster::> security login create -user-or-group-name <user> -application ssh -authmethod password -role backup

    Example: The following command creates the backup user ndmpuser with the backup role.

     cluster1::> security login create -user-or-group-name ndmpuser -application ssh
     -authmethod password -role backup
     Please enter a password for user 'ndmpuser':
     Please enter it again:
  2. Generate an NDMP password for the admin SVM. This password is not the same as the password for the user account and will be used to authenticate the NDMP connection by SEP sesam.
     cluster::> vserver services ndmp generate-password -vserver <SVM-name> -user <user>

    Example

     cluster1::> vserver services ndmp generate-password -vserver cluster1 -user ndmpuser
     Vserver: cluster1
        User: ndmpuser
     Password: yMGg5d0LyUG8l1kn

Configuring LIFs for data and control connection

You must identify the Logical Interfaces (LIFs) that will be used for establishing the data connection, over which the backup data is sent to the SEP sesam Server or RDS, and for establishing the control connection between the admin SVM and SEP sesam. Once the LIFs are identified, you must verify that the firewall and failover policies are correctly set. Then you have to specify the preferred interface role, which allows you to control the LIF type on which the NDMP data connection is established; NDMP will choose an IP address that belongs to the LIF type as specified by the -preferred-interface-role option.

Note
If the IP addresses are not matched to any of these LIF types, the NDMP data connection cannot be established and your vServer-scoped NDMP backups will fail with an error.

Steps

  1. Identify the LIFs for the data, intercluster, cluster-management, and node-management roles.
     cluster::> network interface show -role <role-type>

    Example 1: Identify the intercluster LIFs which were created previously for the SVM cluster1.

     cluster1::> network interface show -role intercluster

                 Logical           Status     Network            Current       Current Is
     Vserver     Interface         Admin/Oper Address/Mask       Node          Port    Home
     ----------- ----------        ---------- ------------------ ------------- ------- ----
     cluster1    IC1               up/up      192.0.2.65/24      cluster1-1    e0a     true
     cluster1    IC2               up/up      192.0.2.68/24      cluster1-2    e0b     true

    Example 2: Identify the cluster-mgmt LIFs which can be used to back up all volumes across all nodes.

     cluster1::> network interface show -role cluster-mgmt
                 Logical           Status     Network            Current       Current Is
     Vserver     Interface         Admin/Oper Address/Mask       Node          Port    Home
     ----------- ----------        ---------- ------------------ ------------- ------- ----
     cluster1    cluster_mgmt      up/up      192.0.2.60/24      cluster1-2    e0M     true

    Example 3: Identify the node-mgmt LIFs.

     cluster1::> network interface show -role node-mgmt
                 Logical           Status     Network            Current       Current Is
     Vserver     Interface         Admin/Oper Address/Mask       Node          Port    Home
     ----------- ----------        ---------- ------------------ ------------- ------- ----
     cluster1    cluster1-1_mgmt1  up/up      192.0.2.69/24      cluster1-1    e0M     true
                 cluster1-2_mgmt1  up/up      192.0.2.70/24      cluster1-2    e0M     true
  2. Ensure that the firewall policy is enabled for NDMP on all LIF types.
     cluster::> system services firewall policy show

    Example

     cluster1::> system services firewall policy show
     Vserver Policy       Service    Allowed
     ------- ------------ ---------- -------------------
     cluster1
             data
                          dns        0.0.0.0/0, ::/0
                          ndmp       0.0.0.0/0, ::/0
                          ndmps      0.0.0.0/0, ::/0
     cluster1
             intercluster
                          ndmp       0.0.0.0/0, ::/0
                          ndmps      0.0.0.0/0, ::/0
     cluster1
             mgmt
                          dns        0.0.0.0/0, ::/0
                          http       0.0.0.0/0, ::/0
                          https      0.0.0.0/0, ::/0
                          ndmp       0.0.0.0/0, ::/0
                          ndmps      0.0.0.0/0, ::/0
                          ntp        0.0.0.0/0, ::/0
                          snmp       0.0.0.0/0, ::/0
                          ssh        0.0.0.0/0, ::/0
  3. If the firewall policy is not enabled, enable it by using the -service parameter.

    Example: The following command enables firewall policy for the intercluster LIF.

     cluster1::> system services firewall policy modify -vserver cluster1 -policy intercluster -service ndmp 0.0.0.0/0
  4. Ensure that the failover policy is set appropriately for all LIFs: the failover policy for the cluster-management LIF must be set to broadcast-domain-wide, and the policy for the intercluster and node-management LIFs must be set to local-only.

    Example: Displaying the failover policy for the cluster-management, intercluster, and node-management LIFs.

     cluster1::> network interface show -failover
                Logical            Home              Failover              Failover
     Vserver    Interface          Node:Port         Policy                Group
     ---------- -----------------  ----------------- --------------------  --------
     cluster    cluster1_clus1     cluster1-1:e0a    local-only            cluster
                                                          Failover Targets:
                                                          .......

     cluster1   cluster_mgmt       cluster1-1:e0m    broadcast-domain-wide Default
                                                          Failover Targets:
                                                          .......
                IC1                cluster1-1:e0a    local-only            Default
                                                          Failover Targets:
                IC2                cluster1-1:e0b    local-only            Default
                                                          Failover Targets:
                                                          .......
     cluster1-1 cluster1-1_mgmt1   cluster1-1:e0m    local-only            Default
                                                          Failover Targets:
                                                          ......
     cluster1-2 cluster1-2_mgmt1   cluster1-2:e0m    local-only            Default
                                                          Failover Targets:
                                                          ......

    If the failover policies are not set appropriately, modify them by using the network interface modify command with the -failover-policy parameter. For details on the command, refer to the NetApp ONTAP man pages system services firewall policy commands.

     cluster::> network interface modify -vserver <vserver> -lif <lif> -failover-policy <policy>
  5. Ensure that the preferred interface roles intercluster, cluster-mgmt and node-mgmt are defined for the NDMP service.
     cluster::> vserver services ndmp modify -vserver <vserver> -preferred-interface-role intercluster,cluster-mgmt,node-mgmt
  6. Verify that the preferred interface role is set for the cluster.
     cluster::> vserver services ndmp show -vserver <vserver>

    Example

     cluster1::> vserver services ndmp show -vserver cluster1
                                 Vserver: cluster1
                            NDMP Version: 4
                            .......
                            .......
                Preferred Interface Role: intercluster, cluster-mgmt, node-mgmt
  7. Set the preferred interface roles, if they are not set.
     cluster::> vserver services ndmp modify -vserver <vserver> -preferred-interface-role intercluster,cluster-mgmt,node-mgmt
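
As an added example (not part of the SEP sesam or NetApp documentation), the following Python script reads saved output of vserver services ndmp show and system services firewall policy show and reports SVMs that have NDMP enabled with plaintext authentication, as well as firewall policies that allow ndmp or ndmps from any address. The sample outputs are constructed in the format shown above; the vs2 row and the 192.0.2.0/24 entries are invented for illustration.

```python
# Constructed samples in the format of the CLI output shown on this page.
NDMP_SHOW = """\
Vserver       Enabled   Authentication type
------------- --------- -------------------
cluster1      true      challenge
vs1           false     challenge
vs2           true      plaintext,challenge
"""

FIREWALL_SHOW = """\
Vserver Policy       Service    Allowed
------- ------------ ---------- -------------------
cluster1
        intercluster
                     ndmp       0.0.0.0/0, ::/0
                     ndmps      192.0.2.0/24
cluster1
        mgmt
                     ndmp       192.0.2.0/24
                     ssh        0.0.0.0/0, ::/0
"""

ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def plaintext_svms(text):
    """SVMs that have NDMP enabled and still accept plaintext authentication."""
    hits = []
    for line in text.splitlines()[2:]:  # skip header and separator
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1] == "true":
            if "plaintext" in {m.strip() for m in parts[2].split(",")}:
                hits.append(parts[0])
    return hits

def open_ndmp_policies(text):
    """(vserver, policy, service) entries allowing ndmp/ndmps from any address."""
    lines = text.splitlines()
    policy_col = lines[0].index("Policy")  # column where policy names start
    hits, vserver, policy = [], None, None
    for line in lines[2:]:
        fields = line.split(None, 1)
        if len(fields) == 1:  # a vserver or policy name on its own line
            indent = len(line) - len(line.lstrip())
            if indent < policy_col:
                vserver = fields[0]
            else:
                policy = fields[0]
        elif fields and fields[0] in ("ndmp", "ndmps"):
            if {a.strip() for a in fields[1].split(",")} & ANY_SOURCE:
                hits.append((vserver, policy, fields[0]))
    return hits

if __name__ == "__main__":
    print(plaintext_svms(NDMP_SHOW), open_ndmp_policies(FIREWALL_SHOW))
```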

Node-scoped NDMP mode

You must use NDMP-specific credentials to access a storage system and perform tape backup and restore.

Note
The following commands are deprecated and will be removed in a future major release.

For more information, see the man pages for the system services ndmp commands.

  1. Enable NDMP.
     ::> system services ndmp on -node *
  2. Set a password.
     ::> system services ndmp modify -node * -user-id root
     Please enter password: XXXXXXXXX
     Confirm password: XXXXXXXXX
     X entries were modified.
  3. Set NDMP to accept both plaintext and md5 authentication requests.
     ::> system services ndmp modify -node * -clear-text true

Firewall settings

In environments where the source and target networks are separated by a network firewall, the NDMP connection uses control port 10000 by default to manage backups and restores. This connection is used to send and receive NDMP requests. However, the NDMP data connection that is used for transferring data may randomly use any available port permitted by the firewall configuration.

Specify NDMP data port range

The following example modifies the NDMP data port range on an ONTAP 9.x node named NODE1. The configuration sets the NDMP data port range from the default value all to 55100-55200.

NODE1::>  vserver services ndmp modify -vserver NODE1 -data-port-range 55100-55200

The format of this option is start_port-end_port, where start_port and end_port can have values between 1024 and 65535. NDMP uses a port within that range to listen for data connections. A listen request fails if no ports in the specified range are free. The default value for this option is all. This option is persistent across reboots. For more information, check the NetApp article vserver services ndmp modify.

[-data-port-range <start_port>-<end_port> | all] - Data Port Range

You can show the used data port range with the following command:

NODE1::> vserver services ndmp show -vserver NODE1 -fields data-port-range
vserver data-port-range
------- ---------------
NODE1  55100-55200

As of DOT 7.3.5.1 and 8.0.1, the NDMP data port can be specified as follows:

options ndmpd.data_port_range {start_port-end_port}

Its usage is explained in the NetApp article Designating the range of ports for NDMP data connections. The following information is based on this article.

To specify a range of ports to be used by NDMP data connection, use the following command on NetApp Controller:

options ndmpd.data_port_range {start_port-end_port}

Syntax: options ndmpd.data_port_range {<start_port>-<end_port> | all}

  • start_port and end_port can have values between 1024 and 65535.
  • start_port must be less than or equal to end_port.
  • It is best to use start_port and end_port values between 18600 and 18699.

Example:

options ndmpd.data_port_range {11400-11800}

The default value for this option is all, which means that any available port may be used. By specifying a valid range, a port within this range is used. A listen request fails if no ports in the specified range are free. The additional ports must be open in both directions for backup and restore purposes.

Note
The ndmpd.data_port_range option is persistent across reboots.

Once you have specified the ports, restart ndmpd on NetApp Controller by using ndmpd {on|off}.
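
As an added example (not part of the SEP sesam or NetApp documentation), the following Python script takes the data-port-range output shown above and a list of TCP port ranges that the network firewall permits, and reports per vserver whether control port 10000 and every port of the configured data range are covered. The NODE2 row and the FIREWALL_OPEN list are constructed for illustration; how you export your firewall rules into such a list is an assumption.

```python
CONTROL_PORT = 10000  # default NDMP control port, as stated on this page

# Constructed sample in the format of "... -fields data-port-range" output.
PORT_RANGE_SHOW = """\
vserver data-port-range
------- ---------------
NODE1   55100-55200
NODE2   all
"""

# Hypothetical inclusive TCP port ranges permitted by the network firewall.
FIREWALL_OPEN = [(10000, 10000), (55100, 55150)]

def parse_range(value):
    """Return (start, end) for 'start-end', or None for 'all'."""
    if value == "all":
        return None
    start, end = (int(p) for p in value.split("-"))
    if not (1024 <= start <= end <= 65535):
        raise ValueError(f"invalid data port range: {value}")
    return start, end

def uncovered(ports, open_ranges):
    """Sub-ranges of the inclusive range `ports` that no open range permits."""
    start, end = ports
    gaps, cursor = [], start
    for lo, hi in sorted(open_ranges):
        if hi < cursor or lo > end:
            continue
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= end:
        gaps.append((cursor, end))
    return gaps

def audit(show_output, open_ranges):
    """Map each vserver to a list of findings (empty list means covered)."""
    findings = {}
    for line in show_output.splitlines()[2:]:  # skip header and separator
        vserver, value = line.split()
        issues = []
        if uncovered((CONTROL_PORT, CONTROL_PORT), open_ranges):
            issues.append("control port 10000 blocked")
        ports = parse_range(value)
        if ports is None:
            issues.append("data-port-range is 'all': any port may be used")
        else:
            issues += [f"data ports {a}-{b} blocked"
                       for a, b in uncovered(ports, open_ranges)]
        findings[vserver] = issues
    return findings

if __name__ == "__main__":
    print(audit(PORT_RANGE_SHOW, FIREWALL_OPEN))
```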


Known issues

If you have NDMP configuration related problems, check the NDMP troubleshooting.

See also

NDMP Backup - NetApp

Copyright © SEP AG 1999-2024. All rights reserved.
Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.