#Any reasons of why NFS/CIFS networks needs to communicate with MGMT network in the NetApp cluster?

Upon monitoring traffic data (from NetFlow), we have found a lot of traffics between NFS/CIFS networks and MGMT network in the cluster.

We are trying to create ACL to block all unnecessary access to mgmt due to a lot of illegitimate.

Can you think of any reasons or requirements for this communications?

If you are setup using a regular cifs svm for data and you have enabled a domain tunnel from the admin svm to allow domain logins…that’s traffic that will be there

Otherwise there should be no reason. I’ve plenty of customers with admin mgmt on a separate isolated network (no domain login) with data only on the svm

Would any inquiries, for instance, DNS required by client matching in export or AD for CIFS, require them to traverse to Mgmt network from NFS/CIFS netowrks?

No. Each SVM is its own networking. SHould have its own DNS configured
If you are using the "LDAP client" configured to bind with cifs creds, I would think that is still in the data svm and will only go there.

Have you gotten a full trace and actually traced the full communications?

Do the admin SVM and the data SVM share any network (like e0M is on 192.168.99.0/24 and the the data svm has an IP in the same 192.168.99.0/24 ip space) Maybe you are seeing broadcast traffic?

admin SVM and the data SVM are not sharing e0M. They are in the same "default" ipspace.

However, based on the output below, since the mgmt vlan GW is in the routing table though Metric=30, my understanding the priority is behind NFS data GW, so, the NFS data shouldn't go through mgmt vlan. What would you say now?
*> route show -vserver cls-nfs
Vserver Destination Gateway Metric

cls-nfs
0.0.0.0/0 10.192.18.1 30
0.0.0.0/0 10.192.26.1 20
0.0.0.0/0 10.192.27.1 10
3 entries were displayed.

That is not what I am saying. Not sharing the same e0M, sharing the same IP network
Does the vserver cls-nfs have any IP addresses that are in the same range as your admin svm...
meaning 10.192.18.0/24 or 10.192.26.0/24 or 10.192.270/24?
Are there any LIFs in the same IP range on both SVMs?

if there are, you may see some broadcast for the data SVM hitting the admin SVM

If I understand you correct, the LIF cls-nfs-admin: 10.192.18.62/24, so, could it cause boradcast for NFS SVM hitting admin SVM?

it may be happening. I do not know your infrastructure. It could be the communication to/from the DATA LIF or to/from the admin LIF.

That is why you should do packet traces to fully verify what each LIF/interface is seeing

the admin LIF for a SVM, cls-nfs-admin, is it really needed/required? we have such admin LIF for every SVM.

For the data-SVMs, do you need to SSH to it?
Or if you are doing external KMIP per SVM?
those are cases you may need an admin LIF in the data-SVM. In most cases, you can just run that over the data-LIFs
If your DATA-LIFs are "routable" they are likely to be be able to get out to where they need. For most NAS-SVMs, an "admin" LIF is usually not needed (it can route around anyway). You just need to make sure the whatever service-policy attached to the data-LIFs have the needed services.

One way to truely be sure your SVM isn't using other networks than the LIFs assigned to it, would be to put them into their own ipspace... that may require additional NICs or VLANs. but the SVM then gets its own IP-stack and can potentially have the same IP as another SVM... We use it to seperate our SVMs from each other on a system with multiple customers...

this config makes no sense. In this case only the .18.1 gateway will ever be used for all traffic. You should only ever have one "default gateway", that's why it is called "default"

Counter: you can have multiple “default” gateways based on metric. Lowest metric has highest priority. I see/do this all the time. Zero issues

The issues arise when all metrics are the same (20 -> no way to modify this in the current GUI either). ONTAP may get confused at some point and send data down an incorrect path. This is infrequent, but happens

Always as additional routes from the cli

true, but in that case ONTAP would still only use a single gateway, the one with the lowest metric (unless that one fails/dies)