NetApp SRA 2.1 Advanced Export Policy Configurations

Most of the questions I receive regarding the NetApp SRA are in some way related to the discovery of devices.  In SRA 2.1 for clustered Data ONTAP, there are many different configurations a user could have for their protected/recovery site export policies. This post aims to explain expected behavior for some of the more advanced configurations.

Alternative Export Policy Names
By default, clustered Data ONTAP includes an export policy named ‘default’. In some cases, users may want to use an alternative policy or a policy with a different name. While this is supported in SRA for the purposes of detecting exports on the production side, the user might encounter behavior different from what they expect in regards to usage of recovery site export policies and rules.

Here is an example of a perfectly acceptable alternative export policy name on your protected site, which SRA will detect and use for the purposes of discovery:

On your recovery site, you can choose to use only a single export policy called Conforming_Single_IP_Policy, which is set on both your root namespace as well as another datastore used for production VMs.

Here is an example of what the Conforming_Single_IP_Policy policy looks like on the recovery site.

After a recovery operation or test failover has completed, a few modifications should be noted on your recovery site. Firstly, the volumes that come online will ONLY be exported with the default policy (there is no way to select an alternative policy name in SRA):

Next, it can be seen that the default policy has been modified to include the VMKernel IP address of the recovery ESX host:

This is an important consideration, because if the existing ‘default’ export policy had existing rules, a new rule with IP would have been ADDED to the end of the list (as we see is the result in the Export Policies with Subnets section). This could cause other volumes using this export to become inappropriately configured by virtue of increased unintended access to them. As a rule, you should NOT use the default policy for anything other than access to the root namespace when SRA is managing the recovery operations.

Export Policies with Subnets
SRA for Clustered Data ONTAP supports the detection of export policies on the protected site, which involves the use of subnets instead of individual IP addresses. The configuration on the protected site may look like this:

On the recovery site however, SRA will ignore existing rules involving subnets. Instead, SRA will modify the export to include each individual IP address that SRM classifies as an ‘access group’. Below is an expected export policy modification from the perspective of the recovery site, where a single ESX recovery host exists with VMKernel IP It is important to note, during a recovery operation to your DR site and then another recovery back to your production site, you should expect to see the production site export policies modified to reflect each individual IP, regardless of whether it has a subnet rule:

Root Export Policy Modification on the Recovery Site
SRA for clustered Data ONTAP supports the use of different export polices at both the root namespace and sub-namespace level on both protected and recovery sites. For recovery site purposes, it is important to recognize that BOTH the root namespace policy and the policy assigned to the volume to be mounted will be modified, to include the IP addresses of each individual VMKernel port on the ESX hosts that are part of the SRM Access List.

Here, we can see a configuration where a single export policy named ‘Conforming_Subnet_Policy’ for both the root namespace and the sub-namespace is used on the recovery site.

The recovery site’s export policy ‘Conforming_Subnet_Policy’ shows the rule that includes the entire subnet with full access, and the default export policy is empty:

Once a test failover or recovery is triggered, the volume will come online at the recovery site with the default export policy:

Take special note of what happened to the export polices on the recovery site; notice that the default policy has been modified to include the VMKernel IP address of our recovery ESX host, but that the export policy assigned to the root namespace was also modified to include the same. This is because SRA does not honor subnet exports on recovery; however, it will use them for the purpose of recovery on the protected site. It is therefore recommended that the default policy be used for the root namespace, to avoid the unintentional modification of an export policy used by other sub-namespaces:

Again these are advanced export policy configurations.  For most environments the default export policy should work fine.  Many thanks to Donald Patterson for putting together this collection of alternate configurations.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s