NetApp PowerShell Toolkit 101: Managing Data Access

Over the last several posts we have reviewed how to create and manage aggregates, SVMs, and volumes. All of that is great, but at this point you still can’t access that capacity to begin storing things. In this post we will discuss the various ways to access the volumes and the data inside them.

  • Junctioning
  • Export Policies
  • NFS Exports
  • CIFS/SMB Shares
  • LUNs
    • LUN Management
    • iGroups
    • LUN Mapping


A junction is the path which the volume is accessed by. Exports and CIFS/SMB shares are both “mounted” to the root of the storage virtual machine (SVM) using the junction path. That junction path is then used by storage consumers to access the volume and read/write data to it.

Let’s look at an example. If you have a volume, “volume1”, you can junction it however you like: “/volume1” would mean that, for NFS, the mount would be, or for CIFS/SMB, it would be \\\volume1. If you had a second volume, creatively named “volume2”, you could junction it at the root as well (e.g. “/volume2”), or you could nest it under volume1, e.g. “/volume1/volume2”.

Additionally, you can name the junction whatever you want. The name of the volume and the junction name are completely separate entities and are not required to match.

Export Policies

An export policy, despite the name, applies to both NFS exports and CIFS/SMB shares. The export policy is what determines the permissions for accessing the junction. Remember that these are specific to each SVM.

We will discuss policy rules below and address them for each of the access protocols.

NFS Exports

NFS access is managed using export policy rules. Make sure that the NFS server has been started and the NFS version you want to use has been configured.

For VMware volumes, you will want to use “sys” or “all” for the RO, RW, and SU security flavors. For maximum security, create a new rule for each of the hosts which will be connecting to the export and set the client match rule to the ESXi host IP address. If you are using a private network for NFS traffic, using the subnet for that VLAN is also a safe bet.


CIFS/SMB shares provide Windows clients access to data. Make sure that you have enabled the CIFS server and are joined to an Active Directory domain for authentication/authorization services. Shares are created/destroyed using the Add-NcCifsShare and Remove-NcCifsShare cmdlets. Export policies are optional for CIFS/SMB as of cDOT 8.2.

My personal recommendation is to not use export policy rules to limit access to a share. NTFS permissions are a perfectly acceptable method of managing access to data. Plus, as a storage administrator, do you really want to be managing share permissions for the Windows admins?


LUNs are the method of access for all block based protocols (FC, FCoE, iSCSI). They are created the same, however they are mapped to initiators slightly differently. Let’s look at creating a LUN, then we’ll look at iGroups, and finally mapping the LUNs.

  • LUN Management
  • iGroups
  • LUN Mapping

    Clustered Data ONTAP 8.3 will not show the LUN as accessible from all hosts by default. To add another host for LUN reporting (for example, when preparing to do a LUN move operation), you will need to explicitly add it to the map.

Leave a Reply