# Network Interface Service Policies

crimson sparrow

We have a filer that has multiple nodes and shows existing default service policies and also service policies that are custom that look something like this:

VSERVER = vsrvr1 POLICY = Default-date-files
VSERVER = vsrvr1 POLICY = custom-data-5532

I understand that the services and subnets listed in the default allow for protocols to be allowed to communicate over those LIFs within the subnets. What I don't know is why the system decided to add custom entries and if they are needed. Should I just add the deltas between the 2 policies to the default and delete the custom, or is there more data to define these? The documentation I accessed didn't give a bunch of clarity on it.

Note we want to clean these up to create a concise environment. Please let me know what you think.

vernal skiff

The custom entries were created when you upgraded your cluster. At some point the existing role and data-protocol fields got converted to (custom) service policies. You should be able to just replace them by the default ones (but check each one just to make sure).

quaint fossil

I like to verify: `net int service-policy show -vserver xxx -policy default-data-files|custom-data-5532`

If they look the same, just apply. You may find that one may have more "enabled" services. The "default-data-files" is likely the minimum you need to operate. If something breaks, you can always put the old policy back on the LIF.

finite stream

These service policies drive me crazy.
I had set all the LIFs on our test clusters to use default-data-files or default-management, but after we upgraded ONTAP, it just decided to create some custom ones for whatever reason (presumably because at some point we turned on some feature that needed additional access?). So, if I want to automate LIF creation, how do I know what service policy to assign to my LIF? Especially since the custom policies on various clusters and SVMs seem to have different "Allowed Addresses" added to them.

I.e., when comparing my custom service policy to "default-data-files", the custom policy added "backup-ndmp-control:0.0.0.0/0" and removed "data-flexcache:0.0.0.0/0". Why? We don't use either of these features, so what is making it add/remove them from the service policy?

Would I be better off just adding all the possible "Allowed Addresses" to the default service policy and then always assign that to the LIFs?
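The comparison quaint fossil and finite stream describe (listing a custom policy next to a default one and reading off the delta) is easy to script once the policy is expressed as the `service:allowed-addresses` pairs quoted above. The following is an added Python example, not NetApp's code and not any poster's; the two policy listings in it are constructed sample data, and the `-instance` form of the show command mentioned in the docstring is an assumption about how you would collect the real listing from a cluster.

```python
"""Diff two ONTAP LIF service policies given as 'service:allowed-addresses'
entries (the shape quoted in this thread, e.g. 'backup-ndmp-control:0.0.0.0/0').

Added example, not NetApp code. The two policy listings below are constructed
sample data; real contents would come from something like
'network interface service-policy show -vserver <svm> -policy <name> -instance'
(assumed command form)."""

# Constructed sample of a built-in data policy. The service names are real
# ONTAP service names, but the exact set on your cluster may differ.
DEFAULT_DATA_FILES = [
    "data-core:0.0.0.0/0",
    "data-nfs:0.0.0.0/0",
    "data-cifs:0.0.0.0/0",
    "data-flexcache:0.0.0.0/0",
    "data-fpolicy-client:0.0.0.0/0",
]

# Constructed sample of an upgrade-generated custom policy: one service added,
# one removed, one narrowed to a specific prefix.
CUSTOM_DATA_5532 = [
    "data-core:0.0.0.0/0",
    "data-nfs:10.0.0.0/8",
    "data-cifs:0.0.0.0/0",
    "data-fpolicy-client:0.0.0.0/0",
    "backup-ndmp-control:0.0.0.0/0",
]

ANY_ADDRESS = "0.0.0.0/0"


def parse_policy(entries):
    """Return {service: set(allowed prefixes)}.

    Each entry is 'service:addr[,addr...]'. Only the first ':' separates the
    service name, so IPv6 prefixes in the address part are left intact."""
    policy = {}
    for entry in entries:
        service, sep, addrs = entry.partition(":")
        service = service.strip()
        if not sep or not service or not addrs.strip():
            raise ValueError(f"malformed service entry: {entry!r}")
        prefixes = {a.strip() for a in addrs.split(",") if a.strip()}
        policy.setdefault(service, set()).update(prefixes)
    return policy


def diff_policies(base_entries, other_entries):
    """Describe how 'other' differs from 'base': services added, services
    removed, and services in both but with different allowed addresses."""
    base = parse_policy(base_entries)
    other = parse_policy(other_entries)
    common = set(base) & set(other)
    return {
        "added": sorted(set(other) - set(base)),
        "removed": sorted(set(base) - set(other)),
        "changed_addresses": {
            svc: {"base": sorted(base[svc]), "other": sorted(other[svc])}
            for svc in sorted(common)
            if base[svc] != other[svc]
        },
    }


def unrestricted_services(entries):
    """Services whose allowed addresses include 0.0.0.0/0, i.e. reachable from
    any source. Handy when deciding whether a policy needs narrowing."""
    policy = parse_policy(entries)
    return sorted(svc for svc, prefixes in policy.items() if ANY_ADDRESS in prefixes)


def format_report(delta):
    """Render a diff dict as printable lines."""
    lines = []
    for svc in delta["added"]:
        lines.append(f"+ {svc} (only in custom policy)")
    for svc in delta["removed"]:
        lines.append(f"- {svc} (only in default policy)")
    for svc, addrs in delta["changed_addresses"].items():
        lines.append(f"~ {svc}: {','.join(addrs['base'])} -> {','.join(addrs['other'])}")
    return lines or ["policies are identical"]


if __name__ == "__main__":
    delta = diff_policies(DEFAULT_DATA_FILES, CUSTOM_DATA_5532)
    print("\n".join(format_report(delta)))
    print("open to any source in custom policy:",
          ", ".join(unrestricted_services(CUSTOM_DATA_5532)))
```

Running it on the constructed samples reports `backup-ndmp-control` as added, `data-flexcache` as removed and `data-nfs` as narrowed from `0.0.0.0/0` to `10.0.0.0/8`, which is exactly the kind of delta to review before deciding whether the default policy can replace the custom one. The `unrestricted_services` check is there because a policy that differs from the default only by widening a service to `0.0.0.0/0` is the case worth catching before it is applied to a LIF.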

vernal skiff

I don't think you can edit the default service policies. So unless you can use 0.0.0.0/0 as allowed addresses, you will have to create your own service policies.
I can see two possible ways to deal with them.
a) use the default policies exclusively and try to put them on every LIF. This works well if you have separate data and management LIFs and are not worried about firewalling (i.e. if it's a closed network anyway)
b) use a custom service policy and explicitly define the services you use (and only those), and the allowed addresses. Then you need to micro-manage yourself, e.g. if the next ONTAP update brings a separate service policy for, dunno, LDAP client traffic, then you need to add those manually (I know LDAP is already an existing service; it was just an example 😉 )