Configure Network Communication

Manage NAS servers

NAS servers are software components on the system that are dedicated to managing operations for data transferred through the SMB or NFS protocols. You must configure at least one NAS server before you can create network share storage. You can configure a NAS server to support Windows network shares (SMB), Linux/UNIX network shares, or both.

NAS servers run on each SP and communicate with network hosts through SP ports. Once you configure a NAS server, you can then create file systems from which you export NFS or SMB network shares. Configured hosts map or mount the network shares to access the file system storage.

Each NAS server is identified by an ID.

The following table lists the attributes for NAS servers.

Table 1. NAS server attributes

Attributes

Description

ID

ID of the NAS server.

Name

Name of the NAS server.

Health state

Health state of the NAS server. The health state code appears in parentheses. Value is one of the following:

Unknown (0) — Status is unknown.
OK (5) — Working correctly.
OK BUT (7) — Configuration is not complete.
Degraded/Warning (10) — Working and performing all functions, but the performance may not be optimum.
Minor failure (15) — NAS server has faulted.
Major failure (25) — Failed and recovery may not be possible. This condition has resulted in data loss and should be remedied immediately.

Health details

Additional health information. See Appendix A, Reference, for details.

SP

Primary SP on which the NAS server runs.

NOTE: If the primary SP is degraded or has failed, the server fails over to the other SP. The value displays the current SP the server is using in parentheses. For example, SPA (failed over to SPB).

Storage pool

Associated storage pool identifier.

Tenant

Identifier and name of the tenant.

Interface

ID of the network interface assigned to the NAS server that defines the server IP address and allows the server to communicate with the network and hosts.

NOTE: It is allowable to remove the last interface of the server.

CIFS enabled

Indicates whether SMB file systems are enabled on the NAS server. Value is yes or no. Default is no. SMB file systems provide support for SMB network shares.

Multiprotocol sharing enabled

Indicates whether multiprotocol sharing is enabled for all file systems on the NAS server. Valid values are:

yes
no

Unix directory service

Directory service used for looking up identity information for Unix such as UIDs, GIDs, net groups, and so on. Valid values are:

local
nis
ldap
localThenNis
localThenLdap
none (default)

NOTE: A value other than the default is required for accurate multiprotocol files sharing between Unix and Windows users.

Auto user mapping enabled

Applies when multiprotocol sharing mode is enabled. Indicates whether a Windows user who is not mapped to a known Unix/Linux username is allowed to access the NAS server's files.

yes— The system generates an internal UID for the Windows user and allows access to the NAS server's files through Windows.
no (default)— The Windows authentication fails unless there is a default Unix username configured.

Default Unix username

Default Unix user name or Unix ID that grants file access in the multiprotocol sharing mode. This user name is used for Windows users when the corresponding Unix/Linux user name is not found by the mapping mechanism.

The Unix ID format is @uid=xxxx,gid=yyyy@, where xxxx and yyyy are the decimal numerical values of the UID and the primary GID, respectively. When using this ID, the user does not need to be defined in the UDS.

Default Windows username

Default Windows user name that grants file access in the multiprotocol sharing mode. This user name is used for Unix users when the corresponding Windows user name is not found by the mapping mechanism.

Replication type

Indicates in what asynchronous replication this NAS Server is participating. Valid values are:

none
local
remote

Synchronous replication type

Indicates in what synchronous replication this NAS Server is participating. Valid values are:

none
remote

Replication destination

Indicates whether the NAS server is a replication destination. Valid values are:

yes
no

NOTE: This attribute does not apply to the replication status of related file systems. Use the stor/prov/fs show command to view the replication status of file systems.

Backup only

Indicates whether the NAS server is used as backup. This attribute reflects that the NAS server cannot be the production site. This means both planned failover and unplanned failover are disallowed in the backup only NAS server associated replication session.

Migration destination

Indicates whether the NAS server is a destination for a NAS import session. Valid values are:

yes
no

Username translation

Indicates whether a Unix to/from Windows user name mapping is enabled. Valid values are:

yes
no

Packet Reflect enabled

Indicates whether the reflection of outbound (reply) packets through the same interface that inbound (request) packets entered is enabled. Valid values are:

yes
no (default)

Preferred production interfaces overridden

Indicates whether the production preferred interfaces are overridden on the replication destination.

Preferred production IPv4 interface

Specifies the settings for the preferred production IPv4 interface. Valid values are:

<interface ID>
auto

Preferred production IPv6 interface

Specifies the settings for the preferred production IPv6 interface. Valid values are:

<interface ID>
auto

Preferred backup IPv4 interface

Specifies the settings for the preferred backup and disaster recovery test IPv4 interface. Valid values are:

<interface ID>
auto

Preferred backup IPv6 interface

Specifies the settings for the preferred backup and disaster recovery test IPv6 interface. Valid values are:

<interface ID>
auto

Source preferred production IPv4 interface

Specifies replicated production IPv4 preferred interface settings on the replication destination. If overridden, this may be different from the Preferred production IPv4 interface. Valid values are:

<interface ID>
auto

Source preferred production IPv6 interface

Specifies replicated production IPv4 preferred interface settings on the replication destination. If overridden, this may be different from the Preferred production IPv6 interface. Valid values are:

<interface ID>
auto

File space used

Displays the total file space used for the specified NAS server.

Data Reduction space saved

Specifies the size saved when using data reduction for this NAS server.

Data Reduction percent

Specifies the storage percentage saved when using data reduction, compared to the total size used by this NAS server.

Data Reduction ratio

Specifies the ratio between data without data reduction, and data after data reduction savings for this NAS server.

Create a NAS server

Create a NAS server.

NOTE: The NFSv3 protocol is enabled by default when creating a NAS server.

Format

/net/nas/server create -name <value> -sp <value> {-pool <value> | -poolName <value>} [-tenant <value>] [-mpSharingEnabled {no | yes [-autoUserMappingEnabled {yes | no}][-unixDirectoryService {local | ldap | nis | localThenNis | localThenLdap | none}] [-defaultUnixUser <value>] [-defaultWindowsUser <value>]}] [-replDest {yes [-backupOnly {yes | no}] | no}] [-enablePacketReflect {yes | no}]

Action qualifiers

Qualifier

Description

-name

Specifies the NAS server name.

NOTE: NAS server names can contain alphanumeric characters, a single dash, and a single underscore. Server names cannot contain spaces or begin or end with a dash. You can create NAS server names in four parts that are separated by periods (example: aa.bb.cc.dd). Names can contain up to 255 characters, but the first part of the name (before the first period) is limited to 15 characters.

-sp

Specifies the parent SP for the NAS server. Value is SPA or SPB.

-pool

Specifies the ID of the storage pool for the NAS server.

-poolName

Specifies the name of the storage pool for the NAS server.

-tenant

Specifies the tenant identifier.

NOTE: If a tenant is not specified, the NAS server is created in the default network namespace.

-mpSharingEnabled

Indicates whether multiprotocol sharing mode is enabled. Value is yes or no (default).

-unixDirectoryService

Directory Service used for querying identity information for Unix (such as UIDs, GIDs, net groups). Valid values are:

nis
ldap
local
none (default)
localThenNis
localThenLdap

-autoUserMappingEnabled

Indicates whether a Windows user who is not mapped to a known Unix/Linux username is allowed to access the NAS server's files Valid values are:

yes— The system generates an internal UID for the Windows user and allows access to the NAS server's files through Windows.
no (default)— The Windows authentication fails unless there is a default Unix username configured.

-defaultUnixUser

Default Unix user name or Unix ID that grants file access in the multiprotocol sharing mode. This user name or ID is used when the corresponding Unix/Linux user name or ID is not found by the mapping mechanism.

The Unix ID format is @uid=xxxx,gid=yyyy@, where xxxx and yyyy are the decimal numerical values of the UID and the primary GID, respectively. When using this ID, the user does not need to be defined in the UDS.

-defaultWindowsUser

Default Windows user name that grants file access in the multiprotocol sharing mode. This user name is used when the corresponding Windows user name is not found by the mapping mechanism.

-replDest

Replication destination settings for the NAS server. When this option is set to yes, only mandatory parameters may be included. All other optional parameters will be inherited from the source NAS server. Valid values are:

yes
no (default)

-backupOnly

Indicates whether to create NAS server as backup only. The backup only NAS server cannot be a production site, which means both planned failover and unplanned failover are disallowed in a backup only NAS server associated replication session. Valid values:

yes
no

-enablePacketReflect

Indicates whether the reflection of outbound (reply) packets through the same interface that inbound (request) packets entered is enabled. Valid values are:

yes (default)
no

Example

The following command creates a NAS server with these settings:

Name is NasServer_1.
Associated with SP A.
Associated with storage pool pool_0.
IP Packet Reflect is enabled.
The ID of the new NAS server is ID nas_1.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/server create -name NasServer_1 -sp spa -pool pool_0 -enablePacketReflect yes

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = nas_1
Operation completed successfully.

View NAS servers

View details about configured NAS servers, including their name, ID, and whether they have enabled support for CIFS (SMB) file systems or NFS file systems. You can filter on the NAS server ID.

NOTE: The show action command explains how to change the output format.

Format

/net/nas/server [{-id <value> | -name <value> | -tenant {<value> | none}}] show

Object qualifiers

Qualifier	Description
-id	Type the ID of a NAS server.
-name	Type the NAS server name.
-tenant	Type the tenant identifier.

Example

The following command displays all details for a list of all configured NAS servers:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/server show -detail

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection
 
1:    ID                                          = nas_1
      Name                                        = MyVDM1
      NetBIOS name                                =
      SP                                          = spa
      Storage pool                                = pool_1
      Tenant                                      =
      Interface                                   =
      NFS enabled                                 = yes
      NFSv4 enabled                               = no
      CIFS enabled                                = no
      Workgroup                                   =
      Windows domain                              =
      Multiprotocol sharing enabled               = no
      Unix directory service                      = none
      Auto user mapping enabled                   =
      Default Unix username                       =
      Default Windows username                    =
      Extended Unix credentials enabled           = no
      Credentials cache retention                 = 15m
      Username translation                        =
      Packet Reflect enabled                      = yes
      Health state                                = OK (5)
      Health details                              = "The component is operating normally. No action is required."
      Replication type                            = none
      Synchronous replication type                = none
      Replication destination                     = no
      Backup only                                 = no
      Migration destination                       = no
      Preferred production interfaces overridden  =
      Preferred production IPv4 interface         = auto
      Preferred production IPv6 interface         = auto
      Preferred backup and DR test IPv4 interface = auto
      Preferred backup and DR test IPv6 interface = auto
      Source preferred production IPv4 interface  =
      Source preferred production IPv6 interface  =
      File space used                             = 8945901568 (8.3G) 
      Compression space saved                     = 0
      Compression percent                         = 0%
      Compression ratio                           = 1:1
      Data Reduction space saved                  = 0
      Data Reduction percent                      = 0%
      Data Reduction ratio                        = 1:1

Change NAS server settings

Modify an existing NAS server.

Format

/net/nas/server {-id <value | -name <value } set [-name <value>] [-sp {spa | spb}] [-mpSharingEnabled {yes | no}] [-unixDirectoryService {ldap | nis | none}] [-autoUserMappingEnabled {yes | no}] [{-defaultAccessDisabled | [-defaultUnixUser <value>] [-defaultWindowsUser <value>]}] [-enablePacketReflect {yes | no }] [-replDest {yes | no }] [-backupOnly {yes | no}] [-preferredProductionOverride { no | yes }][-preferredProductionIPv4 { auto | <value>}] [-preferredProductionIPv6 { auto | <value>}] [-preferredBackupIPv4 {auto | <value>}] [-preferredBackupIPv6 {auto | <value>}

Object qualifiers

Qualifier	Description
-id	Type the ID of the NAS server to change.
-name	Type the name of the NAS server to change.

Action qualifiers

Qualifier

Description

-name

Shared folder server name.

-sp

Owner SP. Valid values are:

spa
spb

-mpSharingEnabled

Indicates whether multiprotocol sharing mode is enabled. Valid values are:

yes
no

NOTE: You cannot disable multiprotocol file sharing for a NAS server once a file system is created on that NAS server.

-unixDirectoryService

Directory Service used for querying identity information for Unix (such as UIDs, GIDs, net groups). Valid values are:

nis
ldap

-defaultAccessDisabled

Disables file access when no user mapping mechanism is found.

-autoUserMappingEnabled

Indicates whether a Windows user who is not mapped to a known Unix/Linux username is allowed to access the NAS server's files Valid values are:

yes. The system generates an internal UID for the Windows user and allows access to the NAS server's files through Windows.
no (default). The Windows authentication fails unless there is a default Unix username configured.

-defaultUnixUser

Default Unix user name or Unix ID that grants file access in the multiprotocol sharing mode. This user name or ID is used when the corresponding Unix/Linux user name or ID is not found by the mapping mechanism.

The Unix ID format is @uid=xxxx,gid=yyyy@, where xxxx and yyyy are the decimal numerical values of the UID and the primary GID, respectively. When using this ID, the user does not need to be defined in the UDS.

-defaultWindowsUser

Default Windows user name that grants file access in the multiprotocol sharing mode. This user name is used when the corresponding Windows user -defaultWindowsUser name is not found by the mapping mechanism.

-enablePacketReflect

Indicates whether the reflection of outbound (reply) packets through the same interface that inbound (request) packets entered is enabled. Valid values are:

yes
no

-replDest

Replication destination settings for the NAS server. Valid values are:

yes
no

-backupOnly

Indicates whether the NAS server is used as backup. Only a replication destination NAS server can be set as backup only. This attribute reflects that the NAS server cannot be the production site. This means both planned failover and unplanned failover are disallowed in the backup only NAS server associated replication session. Valid values are:

yes
no

-preferredProductionOverride

Override the replicated production interfaces "preferred interface" settings. Valid values are:

yes
no

-preferredProductionIPv4

Production IPv4 preferred interface settings. The interface must be IPv4 and belong to this server. Valid values are:

<interface ID>
auto

-preferredProductionIPv6

Production IPv6 preferred interface settings. The interface must be IPv6 and belong to this server. Valid values are:

<interface ID>
auto

-preferredBackupIPv4

Backup and DR test IPv4 preferred interface settings. The interface must be IPv4 and belong to this server. Valid values are:

<interface ID>
auto

-preferredBackupIPv6

Backup and DR test IPv6 preferred interface settings. The interface must be IPv6 and belong to this server. Valid values are:

<interface ID>
auto

Example 1

The following command updates NAS server nas_1 with these settings:

Enables multiprotocol sharing.
Uses LDAP as the Unix Directory Service.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/server -id nas_1 set -mpSharingEnabled yes -unixDirectoryService ldap

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = nas_1
Operation completed successfully.

Example 2

The following command changes the replication settings for NAS server nas_1.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/server -id nas_1 set -replDest yes

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = nas_1
Operation completed successfully.

Example 3

The following command changes the storage processor to SPB for NAS server nas_1.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/server -id nas_1 set -sp spb

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

WARNING: Modifying the NAS server's SP disrupts any running NDMP jobs, and may also result in data unavailability for some client configurations other than NFS (v3, v4, and v4.1) and SMB3+CA. The NDMP jobs must be restarted after the SP modification is completed. 
Are you sure you want to modify the default SP? 
yes / no:yes

ID = nas_1
Operation completed successfully.

NOTE:

When the SP is being modified, the NAS server health attribute is updated to INFO, and the health details attribute is updated to Transitioning to other Storage Processor. When the SP modification completes, the NAS server health and health details are reverted back to the previous values.
A change to the SP cannot be performed on a NAS Server that is part of an active VDM File Import operation. The Import operation must be completed before the SP can be changed. Otherwise, the following error occurs: Failed: Cannot complete the operation because the resource is under import. (Error Code:0x900012a).
A change to the SP cannot be performed on a NAS Server that is part of an active replication session. Pause the replication session, perform the SP change, and then resume the replication session. Otherwise, the following error occurs: Cannot modify the NAS server's Storage Processor when there are non-paused replication sessions on the NAS server or its file systems. (Error Code:0x6720665).

Delete NAS servers

Delete a NAS server.

Prerequisites

Before you can delete a NAS server, you must first delete all storage resources associated with it.

NOTICE: Deleting a NAS server removes everything configured on the NAS server, but does not delete the storage resources that use it. You cannot delete a NAS server while it has any associated storage resources. After the storage resources are deleted, the files and folders inside them cannot be restored from snapshots. Back up the data from the storage resources before deleting them from the system.

Format

/net/nas/server {-id <value> | -name <value>} delete [{ -cifsDomUser <value> {-cifsDomPwd <value> | -cifsDomPwdSecure} | -skipUnjoin}]

Object qualifiers

Qualifier	Description
-id	Type the ID of the NAS server to delete.
-name	Type the name of the NAS server to delete.

Action qualifiers

Qualifier

Description

-cifsDomUser

Domain username.

NOTE: If the NAS server still has SMB (CIFS) servers joined to it, specify the SMB domain user to unjoin from AD before deleting the NAS server.

-cifsDomPwd

Domain user password.

NOTE: Specify the user password when you want to unjoin the CIFS server from the AD domain before deleting it.

-cifsDomPwdSecure

Domain user password in secure mode. This prompts the user to input the password.

-skipUnjoin

Does not unjoin the SMB server from the AD domain before deleting it.

Example

The following command deletes NAS server nas_1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/server –id nas_1 delete

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Check and update user mappings for multiprotocol NAS servers

A multiprotocol environment requires the following types of user mappings:

A Windows user name that maps to a corresponding Unix user name
A Unix user name that maps to a corresponding Windows user name which uses NFS to access a file system configured with a Windows access policy
A Unix user name that is not mapped to a corresponding Windows user name which uses NFS to access a file system configured with a Unix or native access policy.

This command uses information from LDAP, NIS, or local files to parse all file systems associated with the NAS server and to update the SID/UID mapping in all nodes.

Format

/net/nas/server {-id <value> | -name <value>} update [-async] {-userMapping [-dryRun] | -confView}

Object qualifiers

Qualifier	Description
-id	Type the ID of the NAS server to update.
-name	Type the name of the NAS server to update.

Action qualifiers

Qualifier

Description

-async

Perform the operation asynchronously.

-userMapping

For all CIFS (SMB) file systems on the NAS server, update the UID/GID and generate a user mapping report. A new UID/GID will be obtained from a Unix Directory Service for the user name of the object owner. The user name will be resolved from Active Directory by the Windows SID.

NOTE: Quota management and correct multiprotocol file access require correct mappings between SIDs and UIDs/GIDs at the NAS server level. Because this operation can take a significant amount of time for large file systems, it is recommended to use the -async qualifier.

-dryRun

Generate a user mapping report for downloading. Once users access a file or folder on the NAS server from the SMB protocol, their SID to UID/GID mapping is stored in an internal mapping database. This operation parses the mapping database, and for each mapped user, queries the existing Unix Directory Service and Active Directory Domain Controller to report any inconsistencies between the UID/GID in the Unix Directory Service and the UID/GID stored in the database.

It is recommended that you generate and review the user mapping report right before enabling multiprotocol. This enables you to ensure that your Unix Directory Service can return a UID/GID for every user whose mapping is inconsistent. Otherwise, after multiprotocol is enabled, users with inconsistent mappings may not be able to access files, because their permissions cannot be determined. Also, access to objects created by these users from SMB/CIFS cannot be granted, because the owners cannot be mapped to Unix.

When the UID/GID mapping for all NAS server file systems are updated, the mapping report is re-generated automatically.

NOTE: Once a user successfully accesses any file or folder on the NAS server from Windows, the UID/GID in the mapping database for this user is updated. The UID/GID is also updated if the user is accessing a file from Unix for a file system with a Windows access policy.

-confView

Force an immediate refresh of the NAS server configuration snapshot. When the NAS server is acting as replication destination of synchronous replication session, its configuration snapshot is updated every 15 minutes by default.

Example 1

The following command generates a user mapping report for NAS server nas_1.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/server -id nas_1 update -async -userMapping

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Job ID = 76
Job created successfully.

Example 2

The following command forces an immediate refresh of NAS server nas_1 snapshot.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/server -id nas_1 update -confView

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = nas_1
Operation completed successfully.

Manage FTP settings

File Transfer Protocol (FTP) is a client/server protocol that operates over TCP/IP and allows file sharing across heterogeneous systems. Secure File Transfer Protocol (SFTP) protocol provides secure file transfer and manipulation functionality by using SSH.

You can configure a NAS server to share files using the FTP or SFTP protocol. Remote clients can be authenticated using a Unix or Windows user name. You can also have the FTP service to accept anonymous user authentication.

Table 2. FTP and SFTP attributes for a NAS server

Attribute

Description

NAS server

Associated NAS server identifier.

FTP enabled

Indicates whether the FTP protocol is enabled. Valid values are:

yes
no (default)

SFTP enabled

Indicates whether the SFTP protocol is enabled. Valid values are:

yes
no (default)

CIFS users enabled

Indicates whether Windows (SMB) users can be authenticated by the FTP or SFTP server. Valid values are:

yes (default)
no

Unix users enabled

Indicates whether Unix users can be authenticated by the FTP or SFTP server. Valid values are:

yes (default)
no

Anonymous user enabled

Indicates whether the FTP server supports anonymous user authentication. Valid values are:

yes (default)
no

Home directory limitation enabled

Indicates whether authenticated FTP or SFTP users are limited to their home directories. Valid values are:

yes (default)
no

Default home directory

Indicates the default home directory for the FTP or SFTP users with no defined or accessible home directory.

Welcome message

Indicates the welcome message that appears to FTP or SFTP users before authentication.

Message of the day

Indicates the message of the day that appears once the FTP or SFTP users log on.

Audit enabled

Indicates whether the FTP or SFTP server has audit file collection enabled. Valid values are:

yes
no

Audit files directory

Specifies the directory where the audit files for the FTP or SFTP server are stored.

Audit file maximum size

Specifies the maximum file size of the audit files. When the maximum is reached, a new audit file is created.

Allowed hosts

Specifies a comma-separated list of host IPs that are allowed access to the FTP or SFTP server. The IP can be the IPv4, IPv6, or subnet address.

For subnets, the following notation convention must be used:

10.0.0.1/10
2000:DB1::/10

Network names are ignored.

NOTE: If this option is specified, FTP/SFTP connections are allowed only for clients whose IP addresses are included in those specified in the allowed hosts list. Any clients whose IP is not specified in this list are denied access. If a subnet is defined in the allowed hosts list, the client IP must belong to the specified subnet to be allowed to connect to the NAS server. If defined, denied hosts cannot be defined.

Allowed users

Specifies a comma-separated list of user names that are allowed access to the FTP or SFTP server (numerical user IDs are invalid and ignored).

NOTE: If this option is specified, FTP/SFTP connections are allowed only for the specified users. Any users not specified in this list are denied access. If defined, denied users cannot be defined.

Allowed groups

Specifics a comma-separated list of user groups that are allowed access to the FTP or SFTP server. Specify the name of the group (numerical group IDs are invalid and ignored).

NOTE: If this option is specified, FTP/SFTP connections are allowed only for the listed groups. Any user groups not specified in this list will be denied access. If defined, denied groups cannot be defined.

Denied hosts

Specifies a comma-separated list of host IPs that are denied access to the FTP or SFTP server. The IP can be the IPv4, IPv6, or subnet address.

For subnets, the following notation convention must be used:

10.0.0.1/10
2000:DB1::/10

Network names are ignored.

NOTE: If this option is specified, FTP/SFTP connections are denied only for clients whose IP addresses or subnet addresses are included in this list. If defined, allowed hosts cannot be defined.

Denied users

Specifies a comma-separated list of user names that are denied access to the FTP or SFTP server (numerical user IDs are invalid and ignored).

NOTE: If this option is specified, FTP/SFTP connections are denied only for the specified users. Any users not specified in this list are allowed access. If defined, allowed users cannot be defined.

Denied groups

Specifics a comma-separated list of user groups that are denied access to the FTP or SFTP server. Specify the name of the group (numerical group IDs are invalid and ignored).

NOTE: If this option is specified, FTP/SFTP connections are denied only for the listed groups. Any user groups not specified in this list will be allowed access. If defined, allowed groups cannot be defined.

View FTP settings

View FTP or SFTP server settings for a NAS server.

Format

/net/nas/ftp [-server <value>] show

Object qualifier

Qualifier	Description
-server	Type the name of the associated NAS server.

Example

The following command displays the FTP server settings for a NAS server:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/ftp show

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:    NAS server                 = nas_1
      FTP enabled                = yes
      SFTP enabled               = no
      CIFS users enabled         = yes
      Unix users enabled         = yes
      Anonymous user enabled     = no
      Homedir limitation enabled = no
      Default home directory     = /home/public      
      Allowed hosts              = 1.2.3.10,1.2.3.11,192.168.0.0/16,2001:db8::/48
      Allowed users              = 
      Allowed groups             =
      Denied hosts               =
      Denied users               = guest,jack,john
      Denied groups              = guests,group1

Change FTP settings

Modify existing FTP or SFTP settings of a NAS server.

Format

/net/nas/ftp -server <value> set [-ftpEnabled <value>] [-sftpEnabled <value>] [-cifsUserEnabled <value>] [-unixUserEnabled <value>] [-anonymousUserEnabled <value>] [-homedirLimitEnabled <value>] [-defaultHomedir <value>] [-welcome <value>] [-motd <value>] [-auditEnabled {yes|no}] [-auditDir <value>] [-auditMaxSize <value>] {[-allowHost <value>] | [-appendAllowHost <value>] | [-removeAllowHost <value>] | [-denyHost <value>] | [-appendDenyHost <value>] | [-removeDenyHost <value>]} {[-allowUser <value>] | [-appendAllowUser <value>] | [-removeAllowUser <value>] | [-denyUser <value>] | [-appendDenyUser <value>] | [-removeDenyUser <value>]} {[-allowGroup <value>]| [-appendAllowGroup <value>] | [-removeAllowGroup <value>] |[-denyGroup <value>] | [-appendDenyGroup <value>] | [-removeDenyGroup <value>]}

Object qualifier

Qualifier	Description
-server	Type the name of the NAS server.

Action qualifier

Qualifier

Description

-ftpEnabled

Indicates whether the FTP server is enabled on the NAS server. Valid values are:

yes
no

-sftpEnabled

Indicates whether the SFTP server is enabled on the NAS server. Valid values are:

yes
no

-cifsUserEnabled

Indicates whether Windows (SMB) users can be authenticated by the FTP or SFTP server. Valid values are:

yes
no

-unixUserEnabled

Indicates whether Unix users can be authenticated by the FTP or SFTP server. Valid values are:

yes
no

-anonymousUserEnabled

Indicates whether the FTP server supports anonymous user authentication. Valid values are:

yes
no

-homedirLimitEnabled

Indicates whether authenticated FTP or SFTP users are limited to their home directories. Valid values are:

yes
no

-defaultHomedir

Type the default home directory for the FTP or SFTP users with no defined or accessible home directory.

-welcome

Type the welcome message that appears to FTP or SFTP users before authentication.

-motd

Type the message of the day that appears once the FTP or SFTP users log on.

-auditEnabled

Indicates whether FTP/SFTP auditing is enabled on the NAS server. Valid values are:

yes
no

-auditDir

Type the directory where the audit files should be saved.

-auditMaxSize

Type the maximum size for the audit log file. When this maximum is exceeded, a new audit file is created.

-allowHost

Type the comma-separated list of allowed client host IPs. The IP can be the IPv4, IPv6, or subnet address.

For subnets, the following notation convention must be used:

10.0.0.1/10
2000:DB1::/10

Network names are ignored.

NOTE: If specified, FTP/SFTP connections are allowed only for clients whose IP addresses are included in those specified in the allowed hosts list. Any clients whose IP is not specified in this list are denied access. If a subnet is defined in the allowed hosts list, the client IP must belong to the specified subnet to be allowed to connect to the NAS FTP/SFTP server. If -allowHost is defined, -denyHost cannot be defined.

-appendAllowHost

Specify one or multiple comma-separated host IPs to append to existing list of allowed host IP addresses.

-removeAllowHost

Specify one or multiple comma-separated host IPs to remove from the existing list of allowed host IP addresses.

-denyHost

Type the comma-separated list of client host IPs that will be denied access to the FTP/SFTP server. The IP can be the IPv4, IPv6, or subnet address.

For subnets, the following notation convention must be used:

10.0.0.1/10
2000:DB1::/10

Network names are ignored.

NOTE: If specified, FTP/SFTP connections are denied only for clients whose IP addresses are included in those specified in the -denyHost list. Any clients whose IP is not specified in this list are allowed access. If a subnet is defined in the denied hosts list, client IPs which belong to the specified subnet will be denied access to the NAS FTP/SFTP server. If -denyHost is defined, -allowHost cannot be defined.

-appendDenyHost

Specify one or multiple comma-separated host IPs to append to existing list of denied host IP addresses.

-removeDenyHost

Specify one or multiple comma-separated host IPs to remove from the existing list of denied host IP addresses.

-allowUser

Type the comma-separated list of user names that will be allowed access to the FTP/SFTP server (numerical user IDs are invalid and ignored).

NOTE: If this option is specified, FTP/SFTP connections are allowed only for the specified users. Any users not specified in this list are denied access. If -allowUser is defined, -denyUser cannot be defined.

-appendAllowUser

Specify one or multiple comma-separated user names to append to existing list of allowed users.

-removeAllowUser

Specify one or multiple comma-separated user names to remove from the existing list of allowed users.

-denyUser

Type the comma-separated list of user names that will be denied access to the FTP/SFTP server (numerical user IDs are invalid and ignored).

NOTE: If this option is specified, FTP/SFTP connections are denied only for the specified users. Any users not specified in this list are denied access. If -denyUser is defined, -allowUser cannot be defined.

-appendDenyUser

Specify one or multiple comma-separated user names to append to existing list of denied users.

-removeDenyUser

Specify one or multiple comma-separated user names to remove from the existing list of denied users.

-allowGroup

Type the comma-separated list of user group names that will be allowed access to the FTP/SFTP server (numerical group IDs are invalid and ignored).

NOTE: If this option is specified, FTP/SFTP connections are allowed only for the listed groups. Any user groups not specified in this list will be denied access. If -allowGroup is defined, -denyGroup cannot be defined.

-appendAllowGroup

Specify one or multiple comma-separated user group names to append to existing list of allowed groups.

-removeAllowGroup

Specify one or multiple comma-separated user group names to remove from the existing list of allowed groups.

-denyGroup

Type the comma-separated list of user group names that will be denied access to the FTP/SFTP server (numerical group IDs are invalid and ignored).

NOTE: If this option is specified, FTP/SFTP connections are denied only for the listed groups. Any user groups not specified in this list will be allowed access. If -denyGroup is defined, -allowGroup cannot be defined.

-appendDenyGroup

Specify one or multiple comma-separated user group names to append to existing list of denied groups.

-removeDenyGroup

Specify one or multiple comma-separated user group names to remove from the existing list of denied groups.

Example 1

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/ftp -server nas_1 set -ftpEnabled yes -sftpEnabled no -cifsUserEnabled yes -unixUserEnabled yes -anonymousUserEnabled no -homedirLimitEnabled no -defaultHomedir /home/public -welcome "Welcome to this awesome server"

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Example 2

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/ftp -server nas_1 set -denyUser "guest,jack,john" -appendAllowHost 1.2.3.4,1.2.3.5

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage LDAP settings of a NAS server

The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying directory services running on TCP/IP networks. LDAP provides central management for network authentication and authorization operations by helping to centralize user and group management across the network.

You can configure a NAS server to use LDAP or NIS as a Unix Directory Service to map users, retrieve netgroups, and build a Unix credential. When an initial LDAP configuration is applied, the system checks for the type of LDAP server. It can be an Active Directory schema (IDMU), IPLANET schema, or an RFC 2307 (open LDAP) schema. By default, the RFC 2307 schema is generated. Once the schema is identified, it is saved inside a ldap.conf file. You can download this LDAP schema, edit it based on your needs, and upload it back again using the CLI commands mentioned in this section.

The following table lists the attributes for LDAP settings for a NAS server.

Table 3. LDAP settings of a NAS server

Attribute

Description

NAS server

Unique identifier of the associated NAS server. The LDAP client configuration object is identified by the NAS server ID.

Servers

Relevant IP addresses of the associated LDAP servers. If you want the NAS server to use DNS service discovery to obtain LDAP server IP addresses automatically, do not specify a value for this option.

NOTE: For the automatic discovery process to work, the DNS server must contain pointers to the LDAP servers, and the LDAP servers must share the same authentication settings.

Port

The TCP/IP port used by the NAS server to connect to the LDAP servers. Default value for LDAP is 389 and LDAPS is 636.

Protocol

Type of LDAP protocol. Valid values are:

ldap
ldaps

For a secure SSL connection, use ldaps.

Authentication type

Type of authentication for the LDAP server. Valid values are:

anonymous
kerberos
simple

Verify certificate

Indicates whether Certification Authority certificate is used to verify the LDAP server certificate for secure SSL connections. Valid values are:

yes
no

Value shows as empty when the LDAP protocol is selected (no SSL).Value defaults to yes when the LDAPS protocol is used.

Use CIFS account (applies to Kerberos authentication)

Indicates whether CIFS authentication is used to authenticate to the LDAP server. Valid values are:

yes – Indicates that the CIFS (SMB) settings are used for Kerberos authentication. This option is commonly used when configuring IDMU as a Unix directory service.
no – Indicates that Kerberos uses its own settings. See Configure Kerberos settings to configure authentication through the Kerberos realm.

Principal (applies to Kerberos authentication)

Specifies the principal name for Kerberos authentication.

Realm (applies to Kerberos authentication)

Specifies the realm name for Kerberos authentication.

Password (applies to Kerberos authentication)

Specifies the associated password for Kerberos authentication.

Bind DN (applies to Simple authentication)

Specifies the Distinguished Name (DN) used when binding.

Bind password (applies to Simple authentication)

Specifies the associated password used when binding.

Base DN

Specifies the DN of the root level in the directory tree in RFC notation, or specifies the dotted domain name.

Profile DN

For an iPlanet LDAP server, specifies the DN of the entry with the configuration profile.

Replication sync

Indicates the status of the LDAP servers addresses list in the NAS server operating as a replication destination. When a replicated LDAP servers list is created on the source NAS server, it is automatically synchronized to the destination. Valid values are:

Not replicated – LDAP list is not replicated over to the destination.
Auto synchronized – LDAP list is automatically synchronized over to the replication destination. Any modify or delete operations at the source will automatically be reflected on the destination.
Overridden – LDAP list has been manually modified or overridden on the replication destination. Modifications or deletions of addresses from the LDAP list on the source NAS server will have no effect on the overridden DNS list on the replication destination.

NOTE: When a LDAP list is disabled or deleted from the source, overridden LDAP list in the destination may not get disabled or deleted automatically.

Source servers

List of LDAP server IP addresses defined on the replication source.

View LDAP settings of a NAS server

View LDAP settings of a NAS server.

Format

/net/nas/ldap [-server <value>] show

Object qualifier

Qualifier	Description
-server	Name of the associated NAS server.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/ldap -server nas_1 show -detail

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1: NAS server       = nas_1
   IP address       = 10.64.74.64, 10.64.74.74
   Port             = 636
   Protocol         = ldaps
   Authentication   = simple
   Use CIFS account =
   Principal        =
   Realm            =
   Bind DN          = cn=administrator,cn=User,dc=emc,dc=com
   Base DN          = dc=emc,dc=com
   Profile DN       =
   Replication sync = Not replicated
   Source servers   =

Change LDAP settings of a NAS server

Modify LDAP settings of a NAS server.

Format

/net/nas/ldap -server <value> set {-enabled no | [ -ip <value>] [-port <value>] [-protocol {ldap | ldaps}] [-verifyCert {yes | no}] [-authType {anonymous | kerberos {-useCifsAccount | -principal <value> [-realm <value>] [{-password <value> | -passwordSecure }]} | simple [-bindDn <value> {-bindPasswd <value> | -bindPasswdSecure}]}] [-baseDn <value>] [-profileDn <value>]} [-replSync {auto | overridden}]

Object qualifier

Qualifier	Description
-server	Identifies the associated NAS server.

Action qualifier

Qualifier

Description

-enabled

Specify to disable LDAP for an existing NAS server. Valid value is no.

NOTE: Setting the value to no removes the LDAP settings for an existing NAS server.

-ip

Type the IP addresses (separated by comma) of the associated LDAP servers. If you want the NAS server to use DNS service discovery to obtain LDAP server IP addresses automatically, do not specify a value for this option.

NOTE: For the automatic discovery process to work, the DNS server must contain pointers to the LDAP servers, and the LDAP servers must share the same authentication settings.

-port

Type the port associated with the LDAP server. If LDAPS is used, the default is 363. If LDAP is used, the default port is 389.

-protocol

For a secure SSL connection, use ldaps.

-verifyCert

Specify that uploaded Certification Authority (CA) certificates should be used to verify the certificates of LDAP servers for establishing secure SSL connections. Valid values are:

yes
no

Applicable only when the protocol is LDAPS. Value shows as empty when LDAP (no SSL) is used.

-authType

Specify the type of authentication for the LDAP server. Valid values are:

anonymous
kerberos
simple

-bindDn (valid only when simple authentication is used)

Type the Distinguished Name (DN) to be used when binding to the server.

-bindPasswd (valid only when simple authentication is used)

Type the associated password to be used when binding to the server.

-bindPasswdSecure (valid only when simple authentication is used)

Type the password in secured mode. You will be prompted to enter the password separately.

-useCifsAccount (valid only when kerberos authentication is used)

Specify whether you want to use CIFS (SMB) authentication. For Kerberos authentication only. Commonly used to configure NAS servers to use IDMU as a Unix Directory Service. (Choose simple authentication to authenticate AD without using a CIFS account.)

-principal (valid only when kerberos authentication is used)

Type the principal name for Kerberos authentication.

-realm (valid only when kerberos authentication is used)

Type the realm name for Kerberos authentication.

-password (valid only when kerberos authentication is used)

Type the associated password for Kerberos authentication.

-baseDn

Type the DN of the root level in the directory tree in RFC notation, or type the dotted domain name. Valid notation formats include:

RFC, for example <dc=nt2k80, dc=drm,dc=lab,dc=emc,dc=com>
Dotted domain name, for example <nt2k80.drm.lab.emc.com>

-profileDn

For an iPlanet LDAP server, type the DN of the entry with the configuration profile.

-replSync

Status of the LDAP addresses servers list in the NAS server operating as a replication destination. Valid values are:

auto
overridden

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/ldap -server nas_1 set -ip 10.64.74.64,10.64.74.74 -port 636 -protocol ldaps -authType simple -bindDn "cn=administrator,cn=User,dc=emc,dc=com" -bindPasswd "Ldap123!" -baseDn "dc=mec,dc=com"

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Upload an LDAP schema

You can customize the LDAP schema for your NAS server, and upload the new schema file. Once the schema is uploaded, it gets validated. If the schema is valid, it is applied, and your NAS server LDAP configuration is changed.

Example

uemcli -upload -f "LDAP_nas_1.conf" -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/ldap -server nas_1 -type config

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Download an LDAP schema

When an initial LDAP configuration is applied, the system checks for the type of LDAP server. Once the schema is identified, the schema is saved inside an ldap.conf file. You can download this LDAP schema using the -download switch, and customize it based on your needs. For more information on switches, see Switches.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! -download /net/nas/ldap -server nas_1 -type config

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Upload a Certification Authority certificate

You can upload Certification Authority (CA) certificates for your NAS LDAP servers. Once you upload the CA certificate, it can be used for validating certificates of an LDAP server.

Example

uemcli –upload -f “MyCert.pem” -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/ldap –server nas_1 –type CACertificate

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Download a Certification Authority certificate

A Certification Authority (CA) certificate is used for validating certificates of an LDAP server.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! –download /net/nas/ldap –server nas_1 –type CACertificate

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage NAS interfaces

NAS interfaces represent the network interface configured on an Ethernet port for a NAS server.

Table 4. Interface attributes

Attribute

Description

ID

ID of the interface.

NAS server

NAS server identifier.

Preferred

Sets the network interface as the preferred source for outgoing traffic. All outgoing DNS or Active Directory requests are forwarded through this interface, and the IP address assigned to this interface is used as the source address of the data packets. For each NAS server, you can choose a single IP address as preferred. Valid values are:

yes
no

NOTE: This attribute applies to file interfaces only.

Port

ID of the physical port or link aggregation on an SP on which the interface is running. The ID includes the port name and SP name.

VLAN ID

Virtual local area network (VLAN) ID for the interface. The interface uses the ID to accept packets that have VLAN tags. The value range is 1-4095.

For IP multi-tenancy, the VLAN ID of a NAS server interface must comply with the set of VLAN IDs assigned to a tenant to which the NAS server belongs. Only unassigned VLAN IDs are allowed for NAS servers that do not belong to a tenant.

NOTE: If no VLAN ID is specified, which is the default, packets do not have VLAN tags. The Unisphere online help provides more details about VLANs.

IP address

IPv4 or IPv6 address.

Subnet mask

IPv4 subnet mask.

Gateway

IPv4 or IPv6 gateway.

MAC address

MAC address of the interface.

SP

SP that uses the interface.

Role

Specifies the use of the file interface. Valid values are:

production
backup

Backup interfaces are only available for backup via NFS and NDMP protocols, and are not available for CIFS (SMB) protocol. Interfaces associated with NAS servers in a replication session are not replicated via the replication session. You can create a backup interface on the destination NAS server. Unlike production interfaces, backup interfaces become instantly active on the destination NAS server and enable you to perform backup and disaster recovery testing via the NFS share over the snapshot.

Replication sync

Applies to production interfaces replicated over replication sessions. Valid values are:

Not replicated
Auto synchronized – indicates that such interface is automatically synchronized over the replication session to the destination. Any modify and delete operations on the source will be automatically reflected on the destination.
Overridden – indicates that such interface is manually modified / overridden on the destination side.

When a replication production interface is created on the source NAS server, it is auto-synchronized to the destination.

NOTE: Modifications or deletions of network settings of the corresponding source IP interfaces have no effect on overridden interface on destination. However, when an interface is deleted on the source, overridden interfaces stop responding and health state values of such interfaces become degraded/warning. This is because the SMB/CIFS shares are tightly set to the production IP interfaces, and they will not operate via overridden interfaces after a failover.

Health state

A numerical value indicating the health of the system. Valid values are:

Unknown (0)
OK (5)
OK BUT (7)
Degraded/Warning (10)
Minor failure (15)
Major failure (20)

Health details

Additional health information.

Source VLAN ID

Indicates the value of the corresponding VLAN ID as defined on the source NAS server in a replication session.

Source IP address

Indicates the value of the corresponding IP address as defined on the source NAS server in a replication session.

Source subnet mask

Indicates the value of the corresponding subnet mask as defined on the source NAS server in a replication session.

Source gateway

Indicates the value of the corresponding gateway as defined on the source NAS server in a replication session.

Create a NAS interface

Create a NAS interface.

Format

/net/nas/if create [-vlanId <value>] {-server <value> | -serverName <value>} [-preferred] -port <value> -addr <value>] [-netmask <value>] [-gateway <value>] [-role {production | backup}]

Action qualifiers

Qualifier

Description

-server

NAS server identifier.

NOTE: A NAS server cannot have more than one IPv4 interface and one IPv6 interface.

-serverName

NAS server name.

NOTE: A NAS server cannot have more than one IPv4 interface and one IPv6 interface.

-preferred

Specify this qualifier to set the network interface as the preferred source for outgoing traffic. That means that all outgoing DNS or Active Directory requests will be forwarded though interface marked as preferred and will use the IP address assigned to this interface as a source address of the packets.

NOTE: For each NAS server, you can choose an IPv4 interface and IPv6 interface as the preferred interfaces.

-port

Type the ID of the SP port or link aggregation that will use the interface.

NOTE: On dual SP systems, a file interface is created on a pair of symmetric Ethernet ports (or link aggregations) rather than on a single specified port. Its current port is defined by NAS server SP and may differ from the specified port (for example, if the user specifies spa_eth2, but the NAS server current SP is SP B, the interface is created on spb_eth2 instead).

-vlanId

Type the virtual LAN (VLAN) ID for the interface. The interface uses the ID to accept packets that have VLAN tags. The value range is 1–4095.

NOTE: If no VLAN ID is specified, which is the default, packets do not have VLAN tags. The Unisphere online help provides more details about VLANs.

-addr

Type the IP address for the interface. The prefix length should be appended to the IPv6 address and, if omitted, will default to 64. For IPv4 addresses, the default length is 24. The IPv4 netmask may be specified in address attribute after slash.

-netmask

Type the subnet mask for the interface.

NOTE: This qualifier is not required if the prefix length is specified in the -addr attribute.

-gateway

Type the gateway for the interface.

NOTE: This qualifier configures the default gateway for the specified port’s SP.

-role

Specify the role of the interface. Valid values are:

production (default)
backup

NOTE: To create an interface on a NAS server operating as a replication destination, specify the value as backup.

Example

The following command creates a NAS interface. The interface receives the ID IF_2:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/if create -server nas_1 -port eth0_SPA -addr 10.0.0.1 -netmask 255.255.255.0

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = IF_2
Operation completed successfully.

View NAS interfaces

View a list of NAS interfaces on the system. You can filter on the interface ID.

NOTE: The show action command explains how to change the output format.

Format

/net/nas/if [ {-id <value> | -port <value> | -server <value> | -serverName <value>} ] show

Object qualifiers

Qualifier	Description
-id	Type the ID of an interface.
-port	Type the port the interface is associated with.
-server	Type the NAS server the interface is associated with.
-serverName	Type the name of the NAS server the interface is associated with.

Example

The following command displays all NAS interfaces on the system:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/if show

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID                      = if_0
       NAS server              = nas_0
       Preferred               = yes
       Port                    = eth0_spa
       VLAN ID                 = 0
       IP address              = 3ffe:80c0:22c:4e:a:0:2:7f/64
       Subnet mask             = 
       Gateway                 = fe80::20a8bff:fe5a:967c
       SP                      = SPA

2:     ID                      = if_1
       NAS server              = nas_1
       Preferred               = yes
       Port                    = eth1_spa
       VLAN ID                 = 1
       IP address              = 192.168.1.2
       Subnet mask             = 255.255.255.0
       Gateway                 = 192.168.1.254
       SP                      = SPA

3:     ID                      = if_2
       Type                    = replication
       NAS server              =
       Preferred               = no
       Port                    = eth1_spb
       VLAN ID                 =
       IP address              = 10.103.75.56
       Subnet mask             = 255.255.248.0
       Gateway                 = 10.103.72.1
       SP                      = spb

Change NAS interface settings

Change the settings for a NAS interface.

Format

/net/nas/if -id <value> set [-vlanId <value>] [-addr <value>] [-netmask <value>] [-gateway <value>][-preferred] [-replSync {auto | overridden}]

Object qualifier

Qualifier	Description
-id	Type the ID of the interface to change.

Action qualifier

Qualifier

Description

-vlanId

Type the virtual LAN (VLAN) ID for the interface. The interface uses the ID to accept packets that have VLAN tags. The value range is 1–4095.

NOTE: If no VLAN ID is specified, which is the default, packets do not have VLAN tags. The Unisphere online help provides more details on VLANs.

-addr

Specify the IP address for the interface.

NOTE: The prefix length should be appended to the IPv6 address. The IPv4 netmask may be specified in address attribute after the slash.

-netmask

Specify the IPv4 subnet mask for the interface.

-gateway

Specify the gateway for the interface.

NOTE: The gateway is optional for both IPv4 and IPv6. This qualifier configures the default gateway for the specified port’s SP.

-preferred

Specify this qualifier to set the network interface as the preferred source for outgoing traffic. For each NAS server, you can choose an IPv4 interface and IPv6 interface as the preferred interfaces.

NOTE: This attribute applies to file interfaces only.

-replSync

Applicable only to NAS server acting as replication destination. Any modification to network address information automatically switches the interface into overridden mode. Valid values are:

auto
overridden

Note the following:

Use this qualifier to switch an interface back into "auto" synchronization and clear all overridden settings.
When the corresponding interface is already deleted on the source, when replication sync is set to "auto", it will also cause deletion of the interface on destination.
Value "overridden" will cause network interfaces to stop being automatically synchronized. Current settings on the source system will become "frozen" and auto-propagation will stop.

Example

The following command changes the gateway address for interface IF_1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456!/net/nas/if –id IF_1 set -gateway 2001:db8:0:170:a:0:2:70

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = IF_1
Operation completed successfully.

Delete NAS interfaces

Delete a NAS interface.

CAUTION: Deleting a NAS interface can break the connection between systems that use it, such as configured hosts.

Format

/net/nas/if –id <value> delete

Object qualifier

Qualifier	Description
-id	Type the ID of the interface to delete.

Example

The following command deletes interface IF_1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/if –id IF_1 delete

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage NAS routes

A NAS route represents a route configured on a NAS interface.

Table 5. NAS route attributes
Attribute	Description
ID	ID of the route.
NAS server	NAS server identifier.
Interface	ID of the interface used to reach the gateway.
Route type	Type of route. Valid values are (case-insensitive): default – The system uses a default gateway/route when it cannot find a more specific host or network route to a given destination. One default IPv4 and IPv6 route is allowed per interface. host – Creates a route to a host. net – Creates a route to a subnet.
Target	IP address for the target network node based on the value of -type. Value is one of the following: For a default route, the system will use the IP address specified for -gateway. For a host route, specify the IP address of a target host. For a net route, specify the IP address of a target subnet. Include the -netmask qualifier for the target subnet.
Netmask	Subnet mask.
Gateway	Gateway address.
Replication sync	If the route source is a NAS server production interface, this is a copy of the Replication sync attribute of the associated interface. (The associated interface is specified in the Interface attribute). If the route source is not a NAS server production interface, the value of this attribute is empty.
Health state	Numerical value indicating the health of the system. Valid values are: Unknown (0) OK (5) OK BUT (7) Degraded/Warning (10) Minor failure (15) Major failure (20)
Health details	Additional health information.
Use for external services access	Flag indicating whether the route is used for access to external services. Valid values are: yes no

Create a NAS route

Create a route for a NAS interface.

Format

/net/nas/route create -if <value> -type {default | host -target <value> | net -target <value> [-netmask <value>]} -gateway <value>

Action qualifiers

Qualifier	Description
-if	Specify the interface associated with the route. Each interface has its own routing table for use in responding to inbound service requests.
-type	Specify the type of route. Valid values are (case-insensitive): default – System uses the default route/gateway when a more specific host or network route is not available. One default IPv4 and IPv6 route is allowed per interface. host – Create a route to a host. net – Create a route to a subnet.
-target	Specify the IP address for the target network node based on the value of -type: For a default route, do not specify a value. For a host route, specify the IP address of a target host. For a net route, specify the IP address of a target subnet. Include the -netmask qualifier for the target subnet.
-netmask	For a route to a subnet, specify the netmask of the destination subnet.
-gateway	Specify the gateway for the route.

Example

The following command creates a network route for interface if_1 to reach the 10.64.74.x subnet using gateway 10.64.74.1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/route create -if if_1 -type net -target 10.64.200.10 ‑netmask 255.255.255.0 -gateway 10.64.74.1

                              Storage system address: 10.64.75.201
Storage system port: 443
HTTPS connection

ID = route_1
Operation completed successfully.

Change NAS route settings

Change the settings for a NAS route.

Format

/net/nas/route -id <value> set [-type {default | host | net}] [-target <value>] [-netmask <value>] [-gateway <value>]

Object qualifier

Qualifier	Description
-id	Identifies the NAS route object.

Action qualifiers

Qualifier	Description
-type	Specify the type of route. Valid values are (case-insensitive): default – System uses the default route/gateway when a more specific host or network route is not available. One default IPv4 and IPv6 route is allowed per interface. host – Create a route to a host. net – Create a route to a subnet.
-target	Specify the IP address for the target network node based on the value of -type. Valid values are: For a default route, do not specify a value. The system will use the IP address specified for -gateway. For a host route, specify the IP address of a target host. For a net route, specify the IP address of a target subnet. Include the -netmask qualifier for the target subnet.
-netmask	For a route to a subnet, specify the netmask of the destination subnet.
-gateway	Specify the gateway for the route.

Example

The following command changes the target IP address to 10.64.200.11, the netmask to 255.255.255.0, and the gateway to 10.64.74.2 for NAS route route_1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456!/net/nas/route -id route_1 set -target 10.64.200.11 ‑netmask 255.255.255.0 -gateway 10.64.74.2 uemcli

                              Storage system address: 10.64.75.201
Storage system port: 443
HTTPS connection

ID = route_1
Operation completed successfully.

View NAS routes

View a list of routes for a specified NAS interface or for all NAS interfaces on the system.

NOTE: The show action command explains how to change the output format.

Format

/net/nas/route [{-id <value> | -server <value> [-useForESAccess {yes | no}] | -if <value>}] show

Object qualifiers

Qualifier	Description
-id	Specify the ID of the route.
-server	Specify the NAS server for which to view routes.
-useForESAccess	Indicate whether you want the system to display only the routes that are used for external services.
-if	Indicate whether you want the system to display only the routes associated with the specified NAS server.

Example

The following command displays all NAS routes on the system:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/route show -detail

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:    ID                               = route_1
      NAS server                       = nas_1
      Type                             = net
      Target                           = 10.50.50.10
      Netmask                          = 255.255.255.0
      Gateway                          = 10.0.0.1
      Interface                        = if_1
      Health state                     = OK (5)
      Health details                   = "The component is operating normally. action is required."
      Replication sync                 = 
      Use for external services access = no
	

2:    ID                               = route_2
      NAS server                       = nas_1
      Type                             = default
      Target                           =
      Netmask                          =
      Gateway                          = 10.0.0.2
      Interface                        = if_2
      Health state                     = OK (5)
      Health details                   = "The component is operating normally. No action is required."
      Replication sync                 = 
      Use for external services access = no

3:    ID                               = route_3
      NAS server                       = nas_1
      Type                             = host
      Target                           = 10.50.50.168
      Netmask                          =
      Gateway                          = 10.0.0.3
      Interface                        = if_3
      Health state                     = OK (5)
      Health details                   = "The component is operating normally. No action is required."
      Replication sync                 = 
      Use for external services access = yes

Delete NAS routes

Delete a NAS route.

CAUTION: Deleting a NAS route can break the connection between systems that use it, such as configured hosts.

Format

/net/nas/route -id <value> delete

Object qualifier

Qualifier	Description
-id	Specify the ID of the interface to delete.

Example

The following command deletes route route_1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/route -id route_1 delete

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage Kerberos settings

Settings for custom Kerberos key distribution center servers.

Kerberos is a distributed authentication service designed to provide strong authentication with secret-key cryptography. It works on the basis of "tickets" that allow nodes communicating over a non-secure network to prove their identity in a secure manner. When configured to act as a secure NFS server, the NAS server uses the RPCSEC_GSS security framework and Kerberos authentication protocol to verify users and services. You can configure a secure NFS environment for a multiprotocol NAS server or one that supports Unix-only shares. In this environment, user access to NFS file systems is granted based on Kerberos principal names.

Table 6. Kerberos attributes
Attribute	Description
NAS server	Kerberos realm configuration object, as identified by the NAS server ID.
Realm	Name of the Kerberos realm.
Servers	Comma separated list of DNS names for the Kerberos Key Distribution Center (KDC) servers.
Port	KDC servers TCP port. Default: 88.

Configure Kerberos settings

Set Kerberos settings for a NAS server.

Format

/net/nas/kerberos -server <value> set {-enabled no | [ -addr <value>] [-port <value>] [-realm <value>]}

Object qualifier

Qualifier	Description
-server	Identifies the associated NAS server.

Action qualifiers

Qualifier

Description

-enabled

Enables Kerberos on the NAS server. Value is yes or no.

-addr

Specifies the DNS names of the Kerberos KDC servers, separated by commas.

NOTE: Setting addresses via IP and overriding them is not supported in this release. A fully qualified DNS name is expected.

-port

Specifies the TCP port of the KDC server. Value is any TCP port.

-realm

Identifies the Kerberos realm. When non-unique for the system, the operation returns an error.

Example

The following command configures a custom Kerberos realm for NAS server nas_1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/kerberos -server nas_1 set -addr "master.mydomain.lab.emc.com,slave.mydomain.emc.com" -realm "MYDOMAIN.LAB.EMC.COM"

                              Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

View Kerberos settings

View Kerberos settings.

Format

/net/nas/kerberos [{-server <value> | -realm <value>}] show

Object qualifiers

Qualifier	Description
-server	Identifies the associated NAS server.
-realm	Identifies the associated Kerberos realm.

Example

The following command shows Kerberos settings for all of the storage system's NAS servers.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/kerberos show

                              
Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:    NAS server = nas_2
      Realm      = TEST.LAB.EMC.COM
      Servers    = us67890.test.lab.emc.com

2:    NAS server = nas_1
      Realm      = TEST.LAB.EMC.COM
      Servers    = us12345.test.lab.emc.com

Manage VLANs

Network partitioning is provided through Virtual LANs. VLANs are statically allocated in the system, and the only allowed actions are to assign or de-assign a VLAN ID either to or from a specific tenant.

Each VLAN is identified by an ID.

The following table lists the attributes for VLANs.

Table 7. VLAN attributes
Attribute	Description
ID	VLAN identifier.
Tenant	Tenant identifier, if assigned.
Interface	List of network interfaces that use this VLAN ID for network traffic tagging.

View VLANs

View details about configured VLANs. You can filter on the ID of the VLAN.

Format

/net/vlan show {-id <value> | [-from <value>] [-count <value>] [-inUse {yes | no}] [-assigned {yes [-tenant <value>] | no}]}

Action qualifiers

Qualifier	Description
-id	Identifies the VLAN ID. Valid values are 1 to 4095. If specified, no other VLAN ID range, network interface or tenant assignment selectors are allowed.
-from	Specifies the lower boundary of the VLAN range to be displayed. Valid values are 1 to 4095. If omitted, the default value is 1.
-count	Specifies the number of items to be displayed. Valid values are 1 to 4095. If omitted, the default value is 10.
-inUse	Valid values are: yes — Shows only those VLANs being used by a network interface. These VLANs cannot be moved to or from another tenant. no — Shows only those VLANs that are not being used by a network interface.
-assigned	Valid values are: yes — Shows only those VLANs that are assigned to a tenant. no — Shows only those VLANs that are not assigned to a tenant.
-tenant	If specified, identifies the tenant.

Example

The following command displays information for VLANs that are in use starting from 100:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/vlan show -from 100 -inUse yes

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     VLAN      = 101
       Tenant    = tenant_1
       Interface = if_1,if_3
 
2:     VLAN      = 105
       Tenant    =
       Interface = if_5

Manage tenants

IP multi-tenancy provides the ability to assign multiple network namespaces to the NAS Servers on a storage processor. Tenants are used to create isolated file-based (CIFS/NFS) storage partitions. This enables cost-effective tenant management of available resources while ensuring that tenant visibility and management are restricted to assigned resources only.

Each tenant can have its own:

VLAN domain
Routing table
IP firewall
Virtual interface, traffic separated from virtual device and in Linux Kernel layer
DNS server or other administrative servers to allow the tenant to have its own authentication and security validation from the Protocol layer

Each tenant is identified by a Universally Unique Identifier (UUID).

The following table lists the attributes for tenants.

Table 8. Tenant attributes
Attribute	Description
ID	Tenant identifier
Name	Friendly name of the tenant.
UUID	Universally unique identifier of a tenant.
VLAN	Comma-separated list of VLAN IDs assigned to the tenant.

Create a tenant

Create a tenant.

Format

/net/tenant create -name <value> -uuid <value> [-vlan <value>]

Action qualifiers

Qualifier

Description

-name

Specify the tenant name.

-uuid

Specify the Universally Unique Identifier of a tenant.

-vlan

Specify the comma-separated list of VLAN IDs that the tenant can use.

NOTE: Valid values are 1 to 4095; however, each specific VLAN ID can be assigned to a tenant if:

It is not assigned to any other tenant.
No existing network interfaces are tagged with the VLAN ID.

Example

The following command creates a tenant with these settings:

Tenant name is Tenant A.
UUID is b67cedd7-2369-40c5-afc9-9e8753b88dee.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/tenant create -name "Tenant A" -uuid b67cedd7-2369-40c5-afc9-9e8753b88dee

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = tenant_1
Operation completed successfully.

View tenants

View details about configured tenants. You can filter on the ID of the tenant.

Format

/net/tenant [-id <value>] show

Object qualifier

Qualifier	Description
-id	Identifies the tenant to be displayed.

Example

The following command displays tenant information:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/tenant show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID     = tenant_1
       Name   = Tenant A
       UUID   = b67cedd7-2369-40c5-afc9-9e8753b88dee
       VLAN   = 102,103,104

Change tenant settings

Change the settings for a tenant.

Format

/net/tenant –id <value> set [ -name <value> ] { [-vlan <value>] | [-addVlan <value>] | [-removeVlan <value>] }

Object qualifier

Qualifier	Description
-id	Identifies the tenant.

Action qualifiers

Qualifier

Description

-name

Specify the new name of the tenant.

-vlan

Specify the comma-separated list of VLAN IDs.

NOTE: Valid values for VLAN IDs are 1 to 4095. The new set of VLAN IDs is compared against VLAN IDs already assigned to this tenant. Mismatches are interpreted as if respective IDs were passed to -addVlan or -removeVlan qualifiers. For example, if VLANs 101,102, and103 are assigned to tenant X, the command:

                                                tenant -id X set -Vlan 101,102,104

is equivalent to:

                                                tenant –id X set –removeVlan 103
tenant –id X set –addVlan 104

-addVlan

Specify the VLAN ID to be assigned to the tenant.

NOTE: Valid values for VLAN IDs are 1 to 4095; however, each specific VLAN ID can be assigned to a tenant if:

It is not assigned to any other tenant.
No existing network interfaces are tagged with the VLAN ID.

-removeVlan

Specify the VLAN ID to be removed from the tenant.

NOTE: The VLAN ID can be removed only if it is not in use by any interface of any NAS server within this tenant.

Example

The following command changes the tenant settings for the list of VLAN IDs:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/tenant –id tenant_1 set -vlan 101,102,104

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Delete a tenant

Deletes an existing tenant. When you delete an existing tenant, the VLANs associated with that tenant become available for use with other tenants.

Format

/net/tenant -id <value> delete

Object qualifiers

Qualifier	Description
-id	Identifies the tenant.

Example

The following command deletes a tenant.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/tenant –id tenant_1 delete

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = tenant_1
Operation completed successfully.

Manage CIFS Servers

CIFS (SMB) servers use the CIFS protocol to transfer files. A CIFS server can participate as a member of a Windows Active Directory domain or operate independently of any Windows domain as a stand-alone CIFS server.

The following table lists the attributes for CIFS servers.

Table 9. CIFS Server attributes
Attribute	Description
ID	ID of the CIFS server.
NAS server	Associated NAS server ID.
Name	Name of the CIFS server account used when joining the Active Directory.
Description	Description of the CIFS server.
NetBIOS name	Server NetBIOS name.
Windows domain	Windows server domain name.
User name	Windows domain user name.
Password	Windows domain user password.
Last used organization unit	Last used Active Directory organizational unit.
Workgroup	Workgroup name.
Workgroup administrator password	Workgroup administrator password.

Create a CIFS server

Create a CIFS (SMB) server.

NOTE: Only one CIFS server per NAS server can be created.

Format

/net/nas/cifs create {-server <value> | -serverName <value>} [-name <value>] [-description <value>] [-netbiosName <value>] {-domain <value> -username <value> {-passwd <value> | -passwdSecure} [-orgUnit <value>] | -workgroup <value> {-adminPasswd <value> | -adminPasswdSecure}}

Action qualifiers

Qualifier	Description
-server	Specifies the NAS server identifier.
-serverName	Specifies the NAS server name.
-name	Specifies the CIFS server name. By default, this is the same as the value for serverName. This value is ignored if the CIFS server is standalone.
-description	Specifies the description of the CIFS server.
-netbiosName	Specifies the CIFS server NetBIOS name. By default it is generated automatically based on the CIFS server name.
-domain	Specifies Windows Active Directory domain name.
-username	Specifies the Active Directory user that will be used to join the CIFS server to AD.
-passwd	Specifies the AD user password.
-passwdSecure	Specifies the password in secure mode. The user will be prompted to input the password and the password confirmation.
-orgUnit	Active directory organizational unit.

Example

The following command creates a CIFS server.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/cifs create -server nas_0 -name CIFSserver1 -description "CIFS description" -domain domain.one.com -username user1 -passwd password1

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = CIFS_0
Operation completed successfully.

View CIFS server

The following command displays CIFS (SMB) server settings.

Format

/net/nas/cifs [{-id <value> | -name <value> | -server <value> | -serverName <value>}] show

Object qualifiers

Qualifier	Description
-id	Type the ID of the CIFS server.
-name	Type the name of the CIFS server.
-server	Type the ID of the associated NAS server.
-serverName	Type the name of the associated NAS server.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/cifs show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID             = CIFS_0
       NAS server     = nas_0
       Name           = CIFSserver1
       Description    = CIFS description
       NetBIOS name   = CIFSserv
       Windows domain = domain.one.com

Change CIFS server settings

Modify an existing CIFS (SMB) server.

If moving a CIFS server from one domain to another, include the following options:

[-domain <value>]
[-newUsername <value> {-newPasswd <value> | -newPasswdSecure}]

Note that you must specify the username and password of the domain to which the CIFS server was previously joined in order to perform the unjoin. You must also specify the user name and password of the new domain to which it will be joined.

Format

/net/nas/cifs {-id <value> | -name <value>} set [-name <value>] [-description <value>] [-netbiosName <value>] [-currentUsername <value> {-currentPasswd <value> | -currentPasswdSecure} | -skipUnjoin} ] { [-domain <value>] [-newUsername <value> {-newPasswd <value> | -newPasswdSecure} ] | [-orgUnit <value>] | -workgroup <value>] [ {-adminPasswd <value> | -adminPasswdSecure} ] }

Object qualifiers

Qualifier	Description
-id	Type the ID of the CIFS server to change .
-name	Type the name of the CIFS server to change.

Action qualifiers

Qualifier	Description
-name	Specifies the new CIFS server name.
-description	Specifies the description of the CIFS server.
-netbiosName	Specifies the new CIFS server NetBIOS name.
-domain	Specifies the new Windows server domain name.
-orgUnit	Active Directory organizational unit.
-currentUsername	Specifies the current domain user.
-currentPasswd	Specifies the current domain user password.
-currentPasswdSecure	Specifies the current password in secure mode - the user will be prompted to input the password and the password confirmation.
-skipUnjoin	Do not unjoin the CIFS server from an AD domain.
-newUsername	Specifies the new domain user.
-newPasswd	Specifies the new domain user password.
-newPasswdSecure	Specifies the new password in secure mode - the user will be prompted to input the password and the password confirmation.
-workgroup	Specifies the new workgroup of the stand-alone CIFS server.
-adminPasswd	Specifies the new local admin password of the stand-alone CIFS server.
-adminPasswdSecure	Specifies the password in secure mode - the user will be prompted to input the password and the password confirmation.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/cifs -id CIFS_0 set -workgroup MyWorkgroup -adminPasswd MyPassword

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = CIFS_0
Operation completed successfully.

Delete a CIFS server

Delete an existing CIFS (SMB) server.

NOTE: When you delete an existing CIFS server or convert it to a stand-alone configuration, you must specify the current credentials (username and password) to properly unjoin it from the domain and remove the computer account from Active Directory. You can use the -skipUnjoin option to delete the CIFS server without removing the computer account from AD. (This will require the administrator to manually remove the account from AD.) The -skipUnjoin option can also be used when AD is not operational or cannot be reached. If you ran this command without the username and password, you will not be able to join the CIFS server with the same name back again. To join the same CIFS server back to the domain, you will then need to first change its name.

Format

/net/nas/cifs {-id <value> | -name <value>} delete [ {-username <value> {-passwd <value> | -passwdSecure} | -skipUnjoin} ]

Object qualifiers

Qualifier	Description
-id	Type the ID of the CIFS server to delete.
-name	Identifies the CIFS server name.

Action qualifiers

Qualifier

Description

-username

Specifies the domain username. Not required for stand-alone CIFS servers.

NOTE: Specify the username when you want to unjoin the CIFS server from the AD domain before deleting it.

-passwd

Specifies the domain user password. Not required for stand-alone CIFS servers.

NOTE: Specify the user password when you want to unjoin the CIFS server from the AD domain before deleting it.

-passwdSecure

Specifies the password in secure mode. This prompts the user to input the password.

-skipUnjoin

Does not unjoin the CIFS server from the AD domain before deleting it.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/cifs -id CIFS_0 delete

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = CIFS_0
Operation completed successfully.

Manage NFS servers

NFS servers use the NFS protocol to transfer files.

The following table lists the attributes for NAS servers.

Table 10. NFS Server attributes
Attribute	Description
ID	ID of the NFS server.
NAS server	Associated NAS server ID.
Hostname	NFS server hostname. When an SMB server is joined to an Active Directory (AD) domain, the NFS server hostname is defaulted to the SMB computer name. If you configure NFS secure to use a custom realm for Kerberos authentication, this hostname can be customized.
NFSv3 enabled	Indicates whether NFS shares can be accessed by using the NFSv3 protocol. Valid values are yes or no (default is yes).
NFSv4 enabled	Indicates whether NFS shares can be accessed by using the NFSv4 protocol. Valid values are yes or no (default is no).
Secure NFS enabled	Indicates whether secure NFS (with Kerberos) is enabled. Value is yes or no.
Kerberos KDC type	Indicates the type of KDC realm to use for NFS secure. Value is one of the following: Windows — Use the Windows realm associated with the SMB server configured on the NAS server. If you configure secure NFS using this method, SMB support cannot be deleted from the NAS server while secure NFS is enabled and configured to use the Windows realm. custom — Configure a custom realm to point to any type of Kerberos realm. (Windows, MIT, Heidmal). If you configure secure NFS using this method, you must upload the keytab file to the NAS server being defined. Refer to Configure Kerberos settings for more information.
Service principal name	Comma-separated list of service principal names to used to authenticate to the Kerberos realm. The name is automatically deducted from the NFS server hostname and the selected realm.
Extended Unix credentials enabled	Use more than 16 Unix groups. Value is yes or no (default).
Credentials cache retention	Credentials cache refreshing timeout, in minutes.

Create an NFS server

Create an NFS server.

NOTE: Only one NFS server per NAS server can be created.

Format

/net/nas/nfs create {-server <value> | -serverName <value>} [-hostname <value>] [-v3 {yes | no}][-v4 {yes | no}] [-secure {no | yes [-kdcType {Windows | custom}]}] [-username <value> {-passwd <value> | -passwdSecure}] [-extendedUnixCredEnabled {yes|no}] [-credCacheRetention <value>]

Action qualifiers

Qualifier	Description
-server	Specifies the NAS server identifier.
-serverName	Specifies the NAS server name.
-hostname	Specifies the hostname for the NFS server. This is used in Kerberos and DNS registration, so that the client can specify this name when mounting exports. By default, the hostname is the same as the SMB computer name or NAS server name.
-v3	Indicates whether NFS shares can be accessed using the NFSv4 protocol. Value is yes (default) or no.
-v4	Indicates whether NFS shares can be accessed using the NFSv4 protocol. Value is yes or no (default).
-secure	Indicates whether to enable secure NFS (with Kerberos). Value is yes or no (default). To enable secure NFS, you must also configure the NAS server Kerberos object, specify a corresponding KDC type using the -kdcType qualifier, and upload the keytab file (generated with kadmin).
-kdcType	Specifies the type of type of KDC realm to use for NFS secure. Value is one of the following: windows - Use the Windows realm associated with the SMB-enabled NAS server. If you configure secure NFS using this method, SMB support cannot be deleted from the NAS server while secure NFS is enabled and configured to use the Windows realm. custom - Configure a custom realm to point to any type of Kerberos realm. (Windows, MIT, Heidmal). If you configure secure NFS using this method, you must upload the keytab file to the NAS server being defined. Refer to Configure Kerberos settings for more information.
-username	(Applies when the -kdcType is Windows.) Specifies a user name with administrative rights to register the service principal in the AD domain.
-passwd	(Applies when the -kdcType is Windows.) Specifies the AD domain administrator password.
-passwdSecure	Specifies the password in secure mode. The user will be prompted to input the password and the password confirmation.
-extendedUnixCredEnabled	Specifies whether there are more than 16 Unix groups. Valid value is yes or no (default).
-credCacheRetention	Specifies the amount of time (in minutes) when the credential cache refreshes or times out. Default value is 15 minutes.

Example

The following command creates an NFS server on NAS server nas_1 with ID nfs_1 that supports NFSv4 and NFS secure.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/nfs create -server nas_1 -v4 yes -secure yes

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = nfs_1
Operation completed successfully.

View an NFS server

The following command displays NFS server settings.

Format

/net/nas/nfs [{-id <value> | -server <value> | -serverName <value> | -hostname <value>}] show

Object qualifiers

Qualifier	Description
-id	Type the ID of the NFS server to view.
-server	Type the ID of the associated NAS server.
-serverName	Type the name of the associated NAS server.
-hostname	Type the hostname for the NFS server. The FDQN or short name formats are supported.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/nfs show -detail

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID                                = nfs_1
       NAS server                        = nas_1
       Hostname                          = SATURN
       NFSv3 enabled                     = yes
       NFSv4 enabled                     = yes
       Secure NFS enabled                = yes
       Kerberos KDC type                 = Windows
       Service principal name            = nfs/SATURN.domain.lab.emc.com, nfs/SATURN
       Extended Unix credentials enabled = no
       Credentials cache retention       = 15

Change NFS server settings

Modify an existing NFS server.

Format

/net/nas/nfs [-id <value>] set [-hostname <value>] [-v3 {yes | no}] [-v4 {yes | no}] [-secure {no | yes [-kdcType {Windows | custom}]}] [-username <value> {-passwd <value> | -passwdSecure}] [-extendedUnixCredEnabled {yes | no}] [-credCacheRetention <value>]

Object qualifier

Qualifier	Description
-id	Identifies the NFS server to change.

Action qualifiers

Qualifier	Description
-hostname	Specifies the new hostname for the NFS server. This is used in Kerberos and DNS registration, so that the client can specify this name when mounting exports. By default, the hostname is the same as the SMB computer name or NAS server name
-v3	Indicates whether NFS shares can be accessed using the NFSv3 protocol. Valid values are yes or no.
-v4	Indicates whether NFS shares can be accessed using the NFSv4 protocol. Valid values are yes or no.
-secure	Indicates whether to enable secure NFS (with Kerberos). Value is yes or no. To enable secure NFS, you must also configure the NAS server Kerberos object, specify a corresponding KDC type using the -kdcType qualifier, and upload the keytab file (generated with kadmin).
-kdcType	Specifies the type of type of KDC realm to use for NFS secure. Value is one of the following: Windows - Use the Windows realm associated with the SMB server configured on the NAS server. If you configure secure NFS using this method, SMB support cannot be deleted from the NAS server while secure NFS is enabled and configured to use the Windows realm. custom - Configure a custom realm to point to any type of Kerberos realm (Windows, MIT, Heidmal). If you configure secure NFS using this method, you must upload the keytab file to the NAS server being defined. Refer to Configure Kerberos settings for more information.
-username	(Applies when the -kdcType is Windows.) Specifies a user name with administrative rights to register the service principal in the AD domain.
-password	(Applies when the -kdcType is Windows.) Specifies the AD domain administrator password.
-passwdSecure	Specifies the password in secure mode. The user will be prompted to input the password and the password confirmation.
-skipUnjoin	(Applies when the KDC realm type is Windows.) Deletes the NFS server without automatically unregistering the NFS service principals from the AD domain.
-extendedUnixCredEnabled	Specifies whether there are more than 16 Unix groups. Valid values are yes or no.
-creditCacheRetention	Specifies the amount of time (in minutes) when the credential cache refreshes or times out. Default value is 15 minutes.

Example

The following command changes the credit cache retention period for NFS server nfs_1.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/nfs -id nfs_1 set -credCacheRetention 20

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = nfs_1
Operation completed successfully.

Delete an NFS server

Delete an existing NFS server. The NFS server cannot be deleted if it has any associated resources, such as NFS shares, on the NAS server.

Format

/net/nas/nfs -id <value> delete [-username <value> {-passwd <value> | -passwdSecure}] [-skipUnjoin]

Object qualifier

Qualifier	Description
-id	Identifies the NFS server to delete.

Action qualifiers

Qualifier	Description
-username (applies when the KDC realm type is Windows)	Specifies a user name with administrative rights to unregister the service principal from the AD domain.
-passwd (applies when the KDC realm type is Windows)	Specifies the AD domain administrator password.
-passwdSecure	Specifies the password in secure mode. The user will be prompted to input the password and the password confirmation.
-skipUnjoin (applies when the KDC realm type is Windows)	Deletes the NFS server without automatically unregistering the NFS service principals from the AD domain.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/nfs -id nfs_1 delete

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage Common Anti Virus Agent (CAVA)

The following table lists the attributes for CAVA:

Table 11. CAVA attributes

Attribute

Description

NAS server

Associated NAS server identifier.

Enabled

Indicates if CAVA is enabled. Valid values are:

yes
no

NOTE: Before you can enable CAVA, you must first upload a CAVA configuration file to the NAS server. See View the switches for details on how to upload the configuration file.

View CAVA settings

View details about CAVA settings.

Format

/net/nas/cava [-server <value>] show

Object qualifier

Qualifier	Description
-server	Identifies the associated NAS server.

Example

The following command displays the CAVA settings:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/cava show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection


1:     NAS server  = nas_0
       Enabled     = yes

2:     NAS server  = nas_1
       Enabled     = no

Change CAVA settings

Modify the CAVA settings.

Format

/net/nas/cava -server <value> set -enabled {yes | no}

Object qualifier

Qualifier	Description
-server	Identifies the associated NAS server.

Action qualifier

Qualifier

Description

-enabled

Specify whether CAVA is enabled. Valid values are:

yes
no

NOTE: Before you can enable CAVA, you must first upload a CAVA configuration file to the NAS server. See View the switches for details on how to upload the configuration file.

Example

The following command enables CAVA:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/cava -server nas_1 set -enabled yes

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage Events Publishing configuration settings

Events Publishing allows third-party applications to register to receive event notification and context from the storage system when accessing file systems by using the SMB or NFS protocols. The Common Event Publishing Agent (CEPA) delivers to the application both event notification and associated context in one message. Context may consist of file metadata or directory metadata that is needed to decide business policy.

You must define at least one event option (pre-, post-, or post-error event) when Events Publishing is enabled.

Pre-event notifications are sent before processing an SMB or NFS client request.
Post-event notifications are sent after a successful SMB or NFS client request.
Post-error event notifications are sent after a failed SMB or NFS client request.

Table 12. Events Publishing attributes
Attributes	Description
NAS server	Identifies the associated NAS server.
Enabled	Identifies whether Events Publishing is enabled on the NAS Server. Valid values are: yes no (default)
Pre-event failure policy	Policy applied when a pre-event notification fails. Valid values are: ignore (default) - indicates that when a pre-event notification fails, it is acknowledged as being successful. deny - indicates that when a pre-event notification fails, the request of the SMB or NFS client is not executed by the storage system. The client receives a 'denied' response.
Post-event failure policy	Policy applied when a post-event notification fails. The policy is also applied to post-error events. Valid values are: ignore (default) - continue and tolerate lost events. accumulate - continue and use a persistence file as a circular event buffer for lost events. guarantee - continue and use a persistence file as a circular event buffer for lost events until the buffer is filled, and then deny access to file systems where Events Publishing is enabled. deny - on CEPA connectivity failure, deny access to file systems where Events Publishing is enabled.
HTTP port	HTTP port number for connectivity to the CEPA server. The default value is 12228. The HTTP protocol is used to connect to CEPA servers. It is not protected by a username or password.
HTTP enabled	Identifies whether connecting to CEPA servers by using the HTTP protocol is enabled. When enabled, a connection by using HTTP is tried first. If HTTP is either disabled or the connection fails, then connection through the MS-RPC protocol is tried if all CEPA servers are defined by a fully-qualified domain name (FQDN). When an SMB server is defined in a NAS server in the Active Directory (AD) domain, the NAS server's SMB account is used to make an MS-RPC connection. Valid values are: yes (default) no
Username	When using the MS-RPC protocol, name of a Windows user allowed to connect to CEPA servers.
Password	When using the MS-RPC protocol, password of the Windows user defined by the username.
Heartbeat	Time interval (in seconds) between scanning CEPA servers to detect their online or offline status. The default is 10 seconds. The range is from 1 through 120 seconds.
Timeout	Time in ms to determine whether a CEPA server is offline. The default is 1,000 ms. The range is from 50 ms through 5,000 ms.
Health state	Health state of Events Publishing. The health state code appears in parentheses. Valid values are: OK (5) - the Events Publishing service is operating normally. OK_BUT (7) - some CEPA servers configured for the NAS server cannot be reached. Minor failure (15) - the Events Publishing service is not functional. Major failure (20) - all CEPA servers configured for the NAS server cannot be reached.
Health details	Additional health information. See Appendix A, Reference, for details.

View CEPA configuration settings

View details about CEPA configuration settings.

Format

/net/nas/event/config [-server <value>] show

Object qualifier

Qualifier	Description
-server	Identifies the associated NAS server.

Example

The following example displays the CEPA settings.

uemcli /net/nas/event/config -server nas_1 show -detail

                          Storage system address: 10.1.2.100
Storage system port: 443
HTTPS connection

1:     NAS server                = nas_1
       Enabled                   = yes    
       Pre-event failure policy  = ignore
       Post-event failure policy = ignore
       HTTP port                 = 12228
       HTTP enabled              = yes
       Username                  = user1
       Heartbeat                 = 10s
       Timeout                   = 1000ms
       Health state              = OK (5)
       Health details            = The Events Publishing Service is operating normally.

Change CEPA configuration settings

Modify the Events Publishing configuration. When you create a NAS server, an Events Publishing configuration object is automatically created with default values.

Format

/net/nas/event/config –server <value> set [-enabled {yes | no}] [-preEventPolicy {ignore | deny}] [-postEventPolicy {ignore | accumulate | guarantee | deny}] [-httpPort <value>] [-httpEnabled {yes | no}] [-username <value> {-passwd <value> | -passwdSecure}] [-heartbeat <value>] [-timeout <value>]

Object qualifier

Qualifier	Description
-server	Identifies the associated NAS server.

Action qualifiers

Qualifier

Description

-enabled

Identifies whether Events Publishing is enabled on the NAS Server. Valid values are:

yes
no (default)

-preEventPolicy

Identifies the policy applied when a pre-event notification fails. Valid values are:

ignore (default) - indicates that when a pre-event notification fails, it is acknowledged as being successful.
deny - indicates that when a pre-event notification fails, it is acknowledged with a 'denied' answer.

-postEventPolicy

Identifies the policy applied when a post-event notification fails. The policy is also applied to post-error events. Valid values are:

ignore (default) - continue and tolerate lost events.
accumulate - continue and use a persistence file as a circular event buffer for lost events.
guarantee - continue and use a persistence file as a circular event buffer for lost events until the buffer is filled, and then deny access to file systems where Events Publishing is enabled.
deny - on CEPA connectivity failure, deny access to file systems where Events Publishing is enabled.

-httpPort

HTTP port number used for connectivity to the CEPA server. The default value is 12228. The HTTP protocol is used to connect to CEPA servers. It is not protected by a username or password.

-httpEnabled

Specifies whether connecting to CEPA servers by using the HTTP protocol is enabled. When enabled, a connection by using HTTP is tried first. If HTTP is either disabled or the connection fails, then connection through the MS-RPC protocol is tried if all CEPA servers are defined by a fully-qualified domain name (FQDN). The SMB account of the NAS server in the Active Directory domain is used to make the connection by using MS-RPC. Valid values are (case insensitive):

yes (default)
no

-username

Name of a Windows user who is allowed to connect to CEPA servers.

NOTE: To ensure that a secure connection (by using the Microsoft RPC protocol) is used, you must disable HTTP by setting -httpEnabled=no.

-passwd

Password of the Windows user defined by the username.

-passwdSecure

Specifies the password in secure mode. The user is prompted to specify the password.

-heartbeat

Time interval between scanning CEPA servers (in seconds) to detect their online or offline status. The default is 10 seconds. The range is from 1 through 120 seconds.

-timeout

Time in ms to determine whether a CEPA server is offline. The default is 1,000 ms. The range is from 50 ms through 5,000 ms.

Example

The following command enables Events Publishing and sets the post-event policy to accumulate.

uemcli /net/nas/event/config -server nas_1 set -enabled yes -postEventPolicy accumulate

                          Storage system address: 10.1.2.100
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage CEPA pool configuration settings

Event pools configure the types of events published by the NAS Server, and the addresses of CEPA servers.

Events Publishing must be enabled for both the NAS server and the file system. Certain types of events can be enabled for either the NFS protocol, the SMB protocol, or both NFS and SMB on a file system basis.

Table 13. CEPA pool attributes
Attributes	Description
ID	Identifies the Events Publishing pool.
NAS server	Identifies the associated NAS server.
Name	Identifies the Events Publishing pool name.
Addresses	Addresses of the CEPA servers. A CEPA pool allows using IPv4, IPv6, and FQDN addresses.
Replication sync	Applicable only when the NAS server is replicated through a replication session. Valid values are: Not replicated Auto synchronized – indicates that the Events Publishing pool servers list is automatically synchronized over the replication session to the destination. Any modify and delete operations on the source are automatically reflected on the destination. Overridden – indicates that the Events Publishing pool servers list is manually modified or overridden on the destination side. When an Events Publishing pool servers list is created on the source of a replication, it is auto-synchronized to the destination NAS server. IP address changes or deletions from the Events Publishing pool servers list on a source Events Publishing server have no effect on overridden Events Publishing pool servers on the destination.
Source addresses	Addresses of the CEPA servers defined on the replication source. A CEPA pool allows using IPv4, IPv6, and FQDN addresses.
Pre-events	Lists the selected pre-events. The NAS server sends a request event notification to the CEPA server before an event occurs and processes the response. The valid events are defined in the table that follows.
Post-events	Lists the selected post-events. The NAS server sends a notification after an event occurs. The valid events are defined in the table that follows.
Post-error events	Lists the selected post-error events. The NAS server sends notification after an event generates an error. The valid events are defined in the table that follows.

Table 14. Event descriptions
Value	Definition	Protocol
OpenFileNoAccess	Sends a notification when a file is opened for a change other than read or write access (for example, read or write attributes on the file).	SMB/CIFS NFS (v4)
OpenFileRead	Sends a notification when a file is opened for read access.	SMB/CIFS NFS (v4)
OpenFileReadOffline	Sends a notification when an offline file is opened for read access.	SMB/CIFS NFS (v4)
OpenFileWrite	Sends a notification when a file is opened for write access.	SMB/CIFS NFS (v4)
OpenFileWriteOffline	Sends a notification when an offline file is opened for write access.	SMB/CIFS NFS (v4)
OpenDir	Sends a notification when a directory is opened.	SMB/CIFS
FileRead	Sends a notification when a file read is received over NFS.	NFS (v3/v4)
FileWrite	Sends a notification when a file write is received over NFS.	NFS (v3/v4)
CreateFile	Sends a notification when a file is created.	SMB/CIFS NFS (v3/v4)
CreateDir	Sends a notification when a directory is created.	SMB/CIFS NFS (v3/v4)
DeleteFile	Sends a notification when a file is deleted.	SMB/CIFS NFS (v3/v4)
DeleteDir	Sends a notification when a directory is deleted.	SMB/CIFS NFS (v3/v4)
CloseModified	Sends a notification when a file is changed before closing.	SMB/CIFS NFS (v4)
CloseUnmodified	Sends a notification when a file is not changed before closing.	SMB/CIFS NFS (v4)
CloseDir	Sends a notification when a directory is closed.	SMB/CIFS
RenameFile	Sends a notification when a file is renamed.	SMB/CIFS NFS (v3/v4)
RenameDir	Sends a notification when a directory is renamed.	SMB/CIFS NFS (v3/v4)
SetAclFile	Sends a notification when the security descriptor (ACL) on a file is changed.	SMB/CIFS
SetAclDir	Sends a notification when the security descriptor (ACL) on a directory is changed.	SMB/CIFS
SetSecFile	Sends a notification when a file security change is received over NFS.	NFS (v3/v4)
SetSecDir	Sends a notification when a directory security change is received over NFS.	NFS (v3/v4)

Create a CEPA pool

Create a CEPA pool.

Format

/net/nas/event/pool create -server <value> -name <value> -addr <value> [-preEvents <value>] [-postEvents <value>] [-postErrEvents <value>]

Action qualifiers

Qualifier	Description
-server	Identifies the associated NAS server.
-name	Specifies a CEPA pool name. The name must be unique for each NAS server.
-addr	Specifies a comma-separated list of addresses of the CEPA servers. You can specify IPv4, IPv6, and FQDN addresses.
-preEvents	Specifies the comma-separated list of pre-events.
-postEvents	Specifies the comma-separated list of post-events.
-postErrEvents	Specifies the comma-separated list of post-error events.

Example

The following command creates a CEPA pool and a list of post events for which to be notified.

uemcli /net/nas/event/pool create -server nas_1 -name mypool1 -addr 10.1.2.100 -postEvents CreateFile,DeleteFile

                          Storage system address: 10.1.2.100
Storage system port: 443
HTTPS connection

ID = cepa_pool_1
Operation completed successfully.

View CEPA pool settings

View details about a CEPA pool.

Format

/net/nas/event/pool [{-id <value> | -server <value> | -name <value>}] show

Object qualifier

Qualifier	Description
-id	Identifies the Events Publishing pool.
-server	Identifies the associated NAS server.
-name	Identifies the Events Publishing pool name.

Example

The following command displays information about a CEPA pool.

uemcli /net/nas/event/pool -server nas_1 show

                          Storage system address: 10.1.2.100
Storage system port: 443
HTTPS connection

1:     ID                 = cepa_pool_1
       NAS server         = nas_1
       Name               = MyCepaPool
       Addresses          = 10.1.2.2
       Pre-events         = 
       Post-events        = CreateFile, DeleteFile
       Post-error events  =

Change CEPA pool settings

Modify settings for an existing Events Publishing pool.

Format

/net/nas/event/pool -id <value> set [-name <value>] [-addr <value>] [-preEvents <value>] [-postEvents <value>] [-postErrEvents <value>] [-replSync {auto | overridden}]

Object qualifier

Qualifier	Description
-id	Identifies the Events Publishing pool.

Action qualifiers

Qualifier	Description
-name	Specifies a CEPA Pool name. The name is unique for any specified NAS server.
-addr	Specifies a comma-separated list of addresses of the CEPA servers. A CEPA pool allows IPv4, IPv6, and FQDN addresses.
-preEvents	Specifies the comma-separated list of pre-events.
-postEvents	Specifies the comma-separated list of post-events.
-postErrEvents	Specifies the comma separated list of post-error events.
-replSync	Applicable only when the NAS server is operating as a replication destination. The valid values are: auto – indicates that the Events Publishing pool servers list is automatically synchronized over the replication session to the destination. Any change and delete operations on the source are automatically reflected on the destination. overridden – indicates that the Events Publishing pool servers list is manually changed or overridden on the destination side. When a replicated Events Publishing pool servers list is created on the source Events Publishing server, it is auto-synchronized to the destination. Changes or deletions of IP addresses from the Events Publishing pool servers list on a source Events Publishing service have no effect on an overridden Events Publishing pool servers list on the destination.

Example

The following command changes the name for a CEPA pool.

uemcli /net/nas/event/pool -id cepa_pool_1 set -name TestCepaPool

                          Storage system address: 10.1.2.100
Storage system port: 443
HTTPS connection

ID = cepa_pool_1
Operation completed successfully.

Delete a CEPA pool

Deletes a CEPA pool.

Before you begin

The Events Publishing service requires at least one CEPA pool. If you delete the last CEPA pool, the Events Publishing service becomes disabled.

Format

/net/nas/event/pool [{-id <value> | -name <value>}] delete

Object qualifiers

Qualifier	Description
-id	Identifies the Events Publishing pool.
-name	Identifies the Events Publishing pool name.

Example

The following command deletes a CEPA pool.

uemcli /net/nas/event/pool –id cepa_pool_1 delete

                          Storage system address: 10.1.2.100
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage VMware NAS protocol endpoint servers

VMware protocol endpoint servers are NFS-based NAS servers enabled to provide an I/O path from the VMware host to it's respective File VVol datastore on the storage system.

When creating a NAS protocol endpoint server, you can choose which IP address the NAS PE will use from the list of IP interfaces already created for the NAS server. It is recommended that you enable at least two NAS servers for VVols, one on each SP, for high availability. The system will select one of these NAS PEs automatically based on which will maximize throughput.

Table 15. Protocol endpoint server attributes
Attribute	Description
ID	VMware protocol endpoint identifier.
NAS server	Identifier of the associated NAS server for NAS PEs.
NAS server interface	Identifier of the NAS server IP interface to be used by the VMware NAS protocol endpoint server.

NOTE: Only one VMware protocol endpoint server per NAS server is supported.

Create protocol endpoint servers

Create VMware protocol endpoints servers for File VVols.

Format

/net/nas/vmwarepe create [-async] {-server <value> | -serverName <value>} -if <value>

Action qualifier

Qualifier	Description
-async	Run the operation in asynchronous mode.
-server	Type the identifier of the NAS server.
-serverName	Type the name of the NAS server.
-if	Type the name of the identifier for the NAS IP interface to be used by the VMware protocol endpoint server.

Example

The following example creates a protocol endpoint server on NAS server "nas_1" with the IP interface "if_1".

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/vmwarepe create -server nas_1 -if if_ 1

                          Storage system address: 10.0.0.1 
Storage system port: 443 
HTTPS connection 

ID = PES_0 
Operation completed successfully.

View VMware protocol endpoint servers

View VMware protocol endpoints servers for File VVols.

Format

/net/nas/vmwarepe [{-id <value> | -server <value> | -serverName <value>}] show

Action qualifier

Qualifier	Description
-id	Type the identifier of the NAS protocol endpoint server.
-server	Type the identifier of the associated NAS server.
-serverName	Type the name of the associated NAS server.

Example

The following example shows the details for all of the VMware protocol endpoint servers on the system.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456!/net/nas/vmwarepe show -detail

                          Storage system address: 10.0.0.1 
Storage system port: 443 
HTTPS connection 

1:     ID                   = PES_0
       NAS server           = nas_1
       NAS server interface = if_1

Delete protocol endpoint servers

Delete a VMware protocol endpoints server.

Format

/net/nas/vmwarepe -id <value> delete [-async] [-force]

Object qualifiers

Qualifier	Description
-id	Type the identifier or the VMware protocol endpoint server to be deleted.

Action qualifiers

Qualifier	Description
-async	Run the operation in asynchronous mode.
-force	Unconditionally removes all VMware NAS protocol endpoints using the VMware protocol endpoint server and unbinds all virtual volumes using the protocol endpoint server.

Example

The following example deletes VMware NAS protocol endpoint server "PES_0".

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/vmwarepe –id PES_0 delete

                          Storage system address: 10.0.0.1 
Storage system port: 443 
HTTPS connection 

Operation completed successfully.

Manage reverse CHAP for mutual CHAP authentication

The Challenge Handshake Authentication Protocol (CHAP) is a security protocol that defines a method for authenticating hosts (initiators) and iSCSI nodes (targets). When CHAP is enabled, an iSCSI target will “challenge” an initiator that attempts to establish a connection with it. If the initiator does not respond with a valid password (called a secret), the target refuses the connection. CHAP authentication can be one-way, where only the target authenticates the initiator, or reverse (also called mutual), where the target and initiator authenticate each other. Compared to one-way CHAP, enabling reverse CHAP provides an extra level of security. To set one-way CHAP authentication, create an iSCSI CHAP account for a host. Manage iSCSI CHAP accounts for one-way CHAP authentication explains the commands for configuring one-way CHAP authentication.

NOTE: For reverse CHAP, the secret password you specify applies to all iSCSI nodes on the system. Also, the CHAP secret specified for any host configuration must be different from the reverse CHAP password specified for iSCSI nodes.

The iSCSI reverse CHAP object manages the username/secret used by the target (storage system) to respond to a challenge from an initiator (host).

Specify reverse CHAP secret settings

The following table lists the iSCSI reverse CHAP attributes.

Table 16. iSCSI reverse CHAP attributes
Attribute	Description
Username	The reverse CHAP user name.
Secret	The reverse CHAP secret (password).
Secret format	The reverse CHAP input format. Value is one of the following: ascii - ASCII format hex - Hexadecimal format

Sets the reverse CHAP username and secret.

Format

/net/iscsi/reversechap set { [–username <value>] {-secret <value> | -secretSecure} [-secretFormat { ascii | hex } ] | -noChap}

Action qualifiers

Qualifier

Description

-username

The reverse CHAP user name.

-secret

Specifies the reverse CHAP secret (password).

NOTE: Restrictions: the CHAP secret is an ASCII string that is 12 to 16 characters. Hexadecimal secrets are 12 to 16 pairs of data (24 to 32 characters).

-secretSecure

Specifies the password in secure mode - the user will be prompted to input the password.

-secretFormat

The reverse CHAP input format. Value is one of the following:

ascii - ASCII format
hex - Hexadecimal format

-noChap

Remove the reverse CHAP credentials.

Example

uemcli /net/iscsi/reversechap set -secret xyz0123456789

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

View reverse CHAP secret settings

View whether a reverse CHAP secret password has been configured for iSCSI nodes.

NOTE: The show action command explains how to change the output format.

Format

/net/iscsi/reversechap show

Example

The following command shows the current reverse CHAP setting:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/iscsi/reversechap show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:       Username = ReverseChapUser

Set up iSNS for iSCSI storage

The iSNS protocol (iSNSP) allows centralized management of iSCSI devices. An iSNS server can provide services such as remote discovery and configuration for iSCSI nodes and hosts. When iSNSP is in use, both the iSCSI nodes (targets) and hosts (initiators) on the network must be configured to use the iSNS server. You create a single iSNS server record for the system. The following table lists the attributes for iSNS server records.

Table 17. iSNS server record attributes
Attribute	Description
ID	ID of the iSNS server record.
Server	Name or IP address of an iSNS server.

Create iSNS server records

Create an iSNS server record to specify an iSNS server for the system to use. When you create an iSNS server record, it will overwrite the existing record on the system.

Format

/net/iscsi/isns create -server <value>

Action qualifiers

Qualifier	Description
-server	Type the name or IP address of the iSNS server.

Example

The following command creates an iSNS server record for server IP address 10.5.2.128. The server record receives the ID iSNS_10.5.2.128:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/iscsi/isns create –server 10.5.2.128

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = isns_0
Operation completed successfully.

View iSNS server records

View details for configured iSNS server records.

NOTE: The show action command explains how to change the output format.

Format

/net/iscsi/isns show

Example

The following command shows details for the iSNS server record:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/iscsi/isns show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = isns_0
Operation completed successfully.

Delete iSNS server records

Delete an iSNS server record.

Format

/net/iscsi/isns -id <value> delete

Object qualifier

Qualifier	Description
-id	Type the ID of the iSNS server record to delete.

Example

The following command deletes the iSNS server record isns_0:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/iscsi/isns -id isns_0 delete

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Change iSNS server record settings

Modify an existing iSNS server record.

Format

/net/iscsi/isns -id <value> set -server <value>

Object qualifier

Qualifier	Description
-id	Type the ID of the iSNS server record to delete.

Action qualifiers

Qualifier	Description
-server	New IP address associated with the iSNS server.

Example

The following command modifies the iSNS server record:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/iscsi/isns -id isns_0 set -server 10.5.2.130

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = isns_0
Operation completed successfully.

Manage iSCSI configuration

The following table lists the attributes for iSCSI configuration.

Table 18. ISCSI configuration attributes
Attribute	Description
CHAP required	Specifies whether CHAP authentication is required in order to access iSCSI storage. Valid values are: yes no

View iSCSI configuration

View details about the iSCSI configuration.

Format

/net/iscsi/config show

Example

The following command shows details for the iSCSI configuration:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/iscsi/config show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1: CHAP required = yes

Change iSCSI configuration

Modify the iSCSI configuration.

Format

/net/iscsi/config set -chapRequired {yes | no}

Object qualifier

Qualifier	Description
-chapRequired	Specify whether CHAP authentication is required. Values are case-sensitive. Valid values are: yes no

Example

The following command denies host access without CHAP authentication:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/iscsi/config set -chapRequired yes

                          Storage system address:10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage iSCSI nodes (servers)

iSCSI nodes, or iSCSI Servers, are software components on the system that are dedicated to managing operations for data transferred through the iSCSI protocol. iSCSI nodes run on each Ethernet port and communicate with network hosts through the SP ports.

iSCSI nodes handle storage creation, monitoring, and management tasks for iSCSI LUNs. Hosts connect to the LUN through iSCSI initiators.

Each iSCSI node is identified by an ID.

Manage reverse CHAP for mutual CHAP authentication explains how to configure reverse CHAP authentication between iSCSI hosts and nodes.

The following table lists the attributes for iSCSI nodes.

Table 19. iSCSI node attributes

Attribute

Description

ID

ID of the iSCSI node.

Alias

Name of the iSCSI node.

IQN

iSCSI qualified name (IQN) for the node. The iSCSI protocol outlines a specific address syntax for iSCSI devices that communicate on a network. The iSCSI addresses are called IQNs. Each IQN includes a Type field, Date field, Naming Authority field, and String field. For example: iqn.1992-07.com.emc:apm000650039080000-3

SP

Primary SP on which the node runs..

Health state

Health state of the iSCSI node. The health state code appears in parentheses. Value is one of the following:

Unknown (0) — Status is unknown.
OK (5) — Working correctly.
Degraded/Warning (10) — Working and performing all functions, but the performance may not be optimum.
Critical failure (25) — Failed and recovery may not be possible. This condition has resulted in data loss and should be remedied immediately.

Health details

Additional health information. See Appendix A, Reference, for health information details.

Port

Associated network port identifier.

Interfaces

ID of each network interface assigned to the iSCSI node. The interface defines the IP address for the node and allows it to communicate with the network and hosts.

NOTE: Manage network interfaces explains how to configure network interfaces on the system.

View iSCSI nodes

View details about iSCSI nodes. You can filter on the iSCSI node ID.

NOTE: The show action command explains how to change the output format.

Format

/net/iscsi/node [–id <value>] show

Object qualifier

Qualifier	Description
-id	Type the ID of an iSCSI node.

Example

The following command lists all iSCSI nodes on the system:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/iscsi/node show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID           = ISCSIN_1
       Alias        = MyISCSIserver1
       IQN          = iqn.1992-05.com.emc:fcnch0821001340000-1         
       Health state = OK (5)
       SP           = SPA
       Port         = eth0_SPA
       Interfaces   = IF_1,IF_2

2:     ID           = ISCSIN_2
       Name         = MyISCSIserver2
       IQN          = iqn.1992-05.com.emc:fcnch0821001340001-1          
       Health state = OK (5)
       SP           = SPA
       Port         = eth1_SPA
       Interfaces   = IF_3

Change iSCSI node settings

Change the network interface alias assigned to the node.

Format

/net/iscsi/node –id <value> set -alias <value>

Object qualifier

Qualifier	Description
-id	Type the ID of the iSCSI node to change.

Action qualifier

Qualifier	Description
-alias	User-friendly name that identifies the iSCSI node.

Example

The following command assigns an alias to the ISCSIN_1 node:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/iscsi/node -id ISCSIN_1 set -alias “My iSCSI node”

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = ISCSIN_1
Operation completed successfully.

Manage Ethernet ports

View and change the settings for the network ports on each SP.

The following table describes the port attributes.

Table 20. Network port attributes

Attribute

Description

ID

ID of the port.

Name

Name of the port.

SP

Name of the SP on which the port resides. Value is SPA or SPB.

Protocols

Types of protocols the port supports. Value is one of the following:

mgmt — Management interface.
file — Network interface for Windows (SMB) and Linux/UNIX (NFS) storage.
iscsi — iSCSI interface for iSCSI storage.

Manage network interfaces explains how to configure network interfaces on the system.

MTU size

Maximum transmission unit (MTU) packet size (in bytes) that the port can transmit. Default is 1500 bytes per packet.

Requested MTU size

MTU size set by the user.

Available MTU size

List of available MTU sizes.

NOTE: This can display as either a comma-separate list of exact values (if there is an iSCSI interface on the port), or an interval defined by the minimum or maximum values, such as 1280-9216.

Speed

Current link speed of the port.

Requested speed

Link speed set by the user.

Available speeds

List of available speed values.

Health state

Health state of the port. The health state code appears in parentheses. Value is one of the following:

Unknown (0) — Status is unknown.
OK (5) — Port is operating normally.
OK BUT (7) — Lost communication, but the port is not in use.
Minor failure (15) — Lost communication. Check the network connection and connected cables.
Major failure (20) — Port has failed. Replace the SP that contains the port.

Health details

Additional health information. See Appendix A, Reference, for health information details.

Aggregated port ID

If the port is in a link aggregation, the ID of the link aggregation appears. Manage link aggregations explains how to configure link aggregations on the SP ports.

Connector type

Physical connector type. Valid values are:

unknown
RJ45
LC
MiniSAS_HD
CopperPigtail
NoSeparableConnector

MAC address

Unique identifier assigned to a network device for communications on a network segment.

SFP supported speeds

List of supported speed values of the inserted Small Form-factor Pluggable.

SFP supported protocols

List of supported protocols of the inserted Small Form-factor Pluggable. Valid values are:

unknown
FibreChannel
Ethernet
SAS

View Ethernet port settings

View details about the network ports. You can filter on the port ID.

NOTE: The show action command explains how to change the output format.

Format

/net/port/eth [-id <value>] show

Object qualifier

Qualifier	Description
-id	Type the ID of the port.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/port/eth show -detail

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:    ID                      = spa_eth2
      Name                    = SP A Ethernet Port 2
      SP                      = spa
      Protocols               = file, net, iscsi
      MTU size                = 4500
      Requested MTU size      = 4500
      Available MTU sizes     = 1280-9216
      Linux device name       = eth2
      Speed                   = 1 Gbps
      Requested speed         = auto
      Available speeds        = 1 Gbps, 10 Gbps, 100 Mbps, auto
      Health state            = OK (5)
      Health details          = "The port is operating normally."
      Aggregated port ID      = None
      FSN port ID             = None
      Connector type          = RJ45
      MAC address             = 00:60:16:7A:7F:CF
      SFP supported speeds    =
      SFP supported protocols =

2:    ID                      = spa_eth3
      Name                    = SP A Ethernet Port 3
      SP                      = spa
      Protocols               = file, net, iscsi
      MTU size                = 1500
      Requested MTU size      = 1500
      Available MTU sizes     = 1500, 9000
      Linux device name       = eth3
      Speed                   = 1 Gbps
      Requested speed         = auto
      Available speeds        = 1 Gbps, 10 Gbps, 100 Mbps, auto
      Health state            = OK (5)
      Health details          = "The port is operating normally."
      Aggregated port ID      = None
      FSN port ID             = None
      Connector type          = RJ45
      MAC address             = 00:60:16:7A:7F:CE
      SFP supported speeds    =
      SFP supported protocols =

Change Ethernet port settings

NOTE: The new settings are applied to a pair of symmetrical ports on dual SP systems.

Change the maximum transmission unit size and port speed for an Ethernet port.

Format

/net/port/eth -id <value> set [-mtuSize <value>] [-speed <value>]

Object qualifier

Qualifier	Description
-id	Type the ID of the network port.

Action qualifier

Qualifier

Description

-mtuSize

Type the maximum transmission unit packet size (in bytes) for the port:

If an Ethernet port carries File interfaces only, the MTU size can be set to a custom value between 1280 and 9216.
If an Ethernet port carries iSCSI interfaces, the allowed MTU sizes are 1500 and 9000.

Specific I/O modules may also restrict allowed range for MTU size value. The MTU size values of 1500 bytes (default) and 9000 bytes (jumbo frame) are supported by all interfaces and I/O modules.

-speed

Type the port speed.

Example

The following command sets the MTU size for Ethernet port 0 (eth0) on SP A to 9000 bytes:

uemcli /net/port/eth –id spa_eth0 set –mtuSize 9000

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = spa_eth0
ID = spb_eth0
Operation completed successfully.

Manage SAS ports (physical deployments only)

View the settings for the SAS ports on each SP. The following table describes the port attributes.

Table 21. SAS port attributes
Attribute	Description
ID	ID of the port.
Name	Name of the port.
SP	Name of the SP on which the port resides. Valid values are: spa spb
Speed	Current link speed of the port.
Health state	Health state of the port. The health state code appears in parentheses. Valid values are: Unknown (0) — Status is unknown. OK (5) — Port is operating normally. OK BUT (7) — Lost communication, but the port is not in use. Minor failure (15) — Lost communication. Check the network connection and connected cables. Major failure (20) — Port has failed. Replace the SP that contains the port.
Health details	Additional health information. See Health details for health information details.
Connector type	Physical connector type. Valid values are: unknown RJ45 LC MiniSAS_HD CopperPigtail NoSeparableConnector

View SAS settings

View details about the SAS ports. You can filter on the port ID.

NOTE: The show action command explains how to change the output format.

Format

/net/port/sas [-id <value>] show

Object qualifier

Qualifier	Description
-id	Type the ID of the port.

Example

uemcli /net/port/sas show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID           = spa_sas0
       Name         = SP A SAS Port 0
       SP           = spa
       Speed        = 
       Health state = OK_BUT (7)

2:     ID           = spa_sas1
       Name         = SP A SAS Port 1
       SP           = spa
       Speed        = 6 Gbps
       Health state = OK (5)

Manage FC ports

View and change the settings for the FC ports on each SP.

The following table describes the port attributes.

Table 22. FC port attributes
Attribute	Description
ID	ID of the port.
Name	Name of the port.
SP	Name of the SP on which the port resides.
WWN	World Wide Name (WWN) of the port.
Speed	Current link speed of the port.
Requested speed	Link speed set by the user.
Available speed	List of available speed values.
Health state	Health state of the port. The health state code appears in parentheses. Value is one of the following: Unknown (0) — Status is unknown. OK (5) — Port is operating normally. OK BUT (7) — Lost communication, but the port is not in use. Minor failure (15) — Lost communication. Check the network connection and connected cables. Major failure (20) — Port has failed. Replace the SP that contains the port.
Health details	Additional health information. See Appendix A, Reference, for health information details.
Connector type	Physical connector type. Valid values are: unknown RJ45 LC MiniSAS_HD CopperPigtail NoSeparableConnector
SFP supported speeds	List of supported speed values of the inserted Small Form-factor Pluggable.
SFP supported protocols	List of supported protocols of the inserted Small Form-factor Pluggable. Valid values are: unknown FibreChannel Ethernet SAS
Replication capability	Type of replication capability. Valid values are: Sync replication RecoverPoint

View FC port settings

View details about the FC ports. You can filter on the port ID.

Format

/net/port/fc [-id <value>] show

Object qualifier

Qualifier	Description
-id	Type the ID of the port.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/port/fc show -detail

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID                      = spa_fc4
       Name                    = SP A FC Port 4
       SP                      = spa
       WWN                     = 50:06:BD:01:60:05:8E:50:06:01:64:3D:E0:05:8E
       Speed                   = 1 Gbps
       Requested speed         = auto
       Available speeds        = 4 Gbps, 8 Gbps, 16 Gbps, auto
       Health state            = OK (5)
       Health details          = "The port is operating normally."
       SFP supported speeds    = 4 Gbps, 8 Gbps, 16 Gbps
       SFP supported protocols = FibreChannel
       Replication capability  = Sync replication
       SFP supported mode      = Multimode

Change port settings

Change the speed for an FC port.

Format

/net/port/fc -id <value> set -speed <value>

Object qualifier

Qualifier	Description
-id	Type the ID of the FC port.

Action qualifier

Qualifier	Description
-speed	Type the port speed.

Example

The following command sets the speed for FC port fc1 on SP A to 1 Gbps:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/port/fc –id spa_fc1 set –speed 1Gbps

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = spa_fc1
Operation completed successfully.

Manage uncommitted ports

This command is used to manage uncommitted network ports.

Uncommitted ports must be initialized in order to be used by the system. Use the CLI to view information on the uncommitted and removed system Small Form-factor Pluggable (SFP) ports.

Table 23. Uncommitted port attributes
Attribute	Description
ID	Port identifier.
Name	Port name.
SP	Storage processor on which the port resides.
Health state	Current health state of the port. Valid states are: Unknown (0) — Status is unknown. OK (5)—The Uncommitted port is uninitialized. It needs to be committed before it can be used. OK (5)—The Small Form-factor Pluggable (SFP) module in this Uncommitted port has been removed. Since the port is not in use, no action is required.
Health details	Additional health information.
Connector type	Physical connector type associated with the uncommitted port. Valid values are: unknown RJ45 LC MiniSAS_HD CopperPigtail NoSeparableConnector
SFP supported speeds	List of supported speed values of the inserted SFP.
SFP supported protocols	List of supported protocols of the inserted SFP. Valid values are: unknown FibreChannel Ethernet

View uncommitted ports

Use this command to view a list of uncommitted ports on the system.

View details about uncommited ports.

Format

/net/port/unc [-id <value>] show

Object qualifier

Qualifier	Description
-id	Type the ID of the port.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/port/unc show -detail

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection


1:    ID                      = spb_unc5
      Name                    = SP B Uncommitted Port 5
      SP                      = spb
      Health state            = OK (5)
      Health details          = "The Small Form-factor Pluggable (SFP) module in this Uncommitted port has been removed. Since the port is not in use, no action is required."
      Connector type          = LC
      SFP supported speeds    =
      SFP supported protocols =

2:    ID                      = spa_unc5
      Name                    = SP A Uncommitted Port 5
      SP                      = spa
      Health state            = OK (5)
      Health details          = "The Uncommitted port is uninitialized. It needs to be committed before it can be used."
      Connector type          = LC
      SFP supported speeds    = 10 Gbps
      SFP supported protocols = Ethernet

3:    ID                      = spb_iom_1_unc0
      Name                    = SP B I/O Module 1 Uncommitted Port 0
      SP                      = spb
      Health state            = OK (5)
      Health details          = "The Uncommitted port is uninitialized. It needs to be committed before it can be used."
      Connector type          = RJ45
      SFP supported speeds    =
      SFP supported protocols =

Manage Management network interfaces

Configure management network interfaces to remotely manage and monitor the system, the network, and configured hosts. Specify the IP address for the interface as well as the IP addresses for the subnet mask and gateway. View details about existing management interfaces configured on the system through the Connection Utility. Each management interface is identified by its IP protocol version. IPv4 and IPv6 can be configured, independently of each other, at the same time, but they cannot both be disabled at the same time. The netmask can be specified with the appropriate prefix length, separated from the IP address with a /, such as 10.0.0.1/24. This is optional for IPv4, but required for IPv6. There can be up to five IPv6 addresses assigned automatically. Only one IPv6 address can be set manually.

The following table lists the interface attributes with a description of each.

Table 24. Interface attributes
Attribute	Description
IP protocol version	IP protocol version. Valid values are: ipv4 ipv6
Address origin	IP settings origin. Valid values are: disabled— Indicates the interface is disabled. automatic— Indicates the IP attributes are set automatically by DHCP or SLAAC (IPv6 only). static— Indicates the IP attributes are set manually.
IP address	IPv4 or IPv6 address.
Subnet mask	IPv4 subnet mask.
Gateway	IPv4 or IPv6 gateway.
MAC address	MAC address associated with the interface.

View management interfaces

View a list of interfaces on the system. You can filter on the interface ID.

Format

/net/if/mgmt show

Example

The following command displays all management interfaces on the system:

uemcli /net/if/mgmt show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     IP protocol version = ipv4
       Address origin      = static
       IP address          = 10.0.0.1
       Subnet mask         = 255.255.255.0
       Gateway             = 10.0.0.2

2:     IP protocol version = ipv6
       Address origin      = automatic
       IP address          = 3ffe:80c0:22c:4e:a:0:2:7f/64
       Subnet mask         = 
       Gateway             = 3ffe

Change interface settings

Change the settings for an interface.

Format

/net/if/mgmt set { -ipv4 | -ipv6 } {disabled | automatic | static [-addr <value>] [-netmask <value>] [-gateway <value>] }

Action qualifier

Qualifier

Description

-ipv4

Specifies the IPv4 origin. Value is one of the following:

disabled — Indicates the interface is disabled.
automatic — Indicates the IP attributes are set automatically by DHCP.
static — Indicates the IP attributes are set manually

-ipv6

Specifies the IPv6 origin. Value is one of the following:

disabled — Indicates the interface is disabled.
automatic — Indicates the IP attributes are set automatically by DHCP. or SLAAC.Multiple addresses are possible
static — Indicates the IP attributes are set manually.

-addr

Specifies the IPv4 or IPv6 address of the interface. Optionally, you can also specify the prefix length in the following format: <IP address>/<prefix length> .

NOTE: The default prefix length for IPv6 is 64.

-netmask

Specifies the IPv4 subnet mask for the interface.

NOTE: This is optional if you specify the prefix length in the -addr attribute.

-gateway

Specifies the IPv4 or IPv6 gateway for the interface.

Example

The following command changes the IP address, the netmask, and the gateway for interface IF_1:

uemcli /net/if/mgmt set -ipv4 static -addr 192.168.1.1 -netmask 255.255.255.0 -gateway 192.168.1.2

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage network interfaces

Create interfaces to enable and control access between the system, the network, and configured hosts. Specify the IP address for the interface as well as the IP addresses for the subnet mask and gateway.

You can create the following types of interfaces:

iSCSI interfaces for controlling access to iSCSI storage. You assign the interface to an iSCSI node.
Replication interfaces for replication-related data or management traffic.

The system configures each interface on a pair of symmetrical SP ports. The interface can be moved between SPs. You have the option of indicating which SP the interface will use, either a physical port or a link aggregation port. You also have the option of specifying a virtual LAN (VLAN) ID, for communicating with VLAN networks.

Each interface is identified by an ID.

The following table lists the interface attributes with a description of each.

Table 25. Interface attributes

Attribute

Description

ID

ID of the interface.

Type

Interface type. Value is one of the following:

iscsi — Interface for iSCSI storage.
replication — Interface for replication-related data or management traffic.

Port

ID of the physical port or link aggregation on an SP on which the interface is running. The ID includes the port name and SP name.

VLAN ID

Virtual local area network (VLAN) ID for the interface. The interface uses the ID to accept packets that have VLAN tags. The value range is 1-4095.

NOTE: If no VLAN ID is specified, which is the default, packets do not have VLAN tags. The Unisphere online help provides more details about VLANs.

IP address

IPv4 or IPv6 address.

Subnet mask

IPv4 subnet mask.

Gateway

IPv4 or IPv6 gateway.

MAC address

MAC address of the interface.

SP

SP that uses the interface.

Health state

A numerical value indicating the health of the system. Value is one of the following:

Unknown (0)
OK (5)
OK BUT (7)
Degraded/Warning (10)
Minor failure (15)
Major failure (20)

Health details

Additional health information.

Create interfaces

Create an interface.

Format

/net/if create [ -async ] [-vlanId <value>] -type { iscsi | replication} -port <value> -addr <value> [-netmask <value>] [-gateway <value>]

Action qualifier

Qualifier

Description

-async

Run the creation operation in asynchronous mode.

-type

Specify the interface type. Value is one of the following:

iscsi — Interface for iSCSI storage.
replication — Interface for replication-related data or management traffic.

-port

Specify the ID of the SP port or link aggregation that will use the interface.

NOTE: For systems with two SPs, a file interface is created on a pair of symmetric Ethernet ports rather than on a single specified port. Its current port is defined by NAS server SP and may differ from the specified port. For example, if the user specifies port spa_eth2, but the NAS server is on SP B, the interface is created on port spb_eth2.

-vlanId

Specify the virtual LAN (VLAN) ID for the interface. The interface uses the ID to accept packets that have VLAN tags. The value range is 1–4095.

NOTE: If no VLAN ID is specified, which is the default, packets do not have VLAN tags. The Unisphere online help provides more details about VLANs.

-addr

Specify the IP address for the interface. The prefix length should be appended to the IPv6 address and, if omitted, will default to 64. For IPv4 addresses, the default length is 24. The IPv4 netmask may be specified in address attribute after slash.

-netmask

Specify the subnet mask for the interface.

NOTE: This qualifier is not required if the prefix length is specified in the -addr attribute.

-gateway

Specify the gateway for the interface.

NOTE: This qualifier configures the default gateway for the specified port’s SP.

Example

The following command creates a replication interface. The interface receives the ID IF_1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/if create -type replication -port eth1_spb -addr 10.0.0.1 -netmask 255.255.255.0 -gateway 10.0.0.1

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = IF_1
Operation completed successfully.

View interfaces

View a list of interfaces on the system. You can filter on the interface ID.

NOTE: The show action command explains how to change the output format.

Format

/net/if [ {-id <value> | -port <value> | -type <value>} ] show

Object qualifier

Qualifier	Description
-id	Type the ID of an interface.
-port	Type the port the interface is associated with.
-type	Specify the type of the interface. Valid values are: iscsi replication

Example

The following command displays the details of all interfaces on the system.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/if show -detail

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID                      = if_0
       Type                    = file
       NAS server              = nas_0
       Port                    = eth0_spa
       VLAN ID                 = 0
       IP address              = 3ffe:80c0:22c:4e:a:0:2:7f/64
       Subnet mask             = 
       Gateway                 = fe80::20a8bff:fe5a:967c
       IPv4 mode               = 
       IPv4 address            = 
       IPv4 subnet mask        = 
       IPv4 gateway            = 
       IPv6 mode               = static
       IPv6 address            = 3ffe:80c0:22c:4e:a:0:2:7f/64
       IPv6 link-local address = 
       IPv6 gateway            = fe80::20a8bff:fe5a:967c
       MAC address             = EA:3E:22:3F:0C:62
       SP                      = spa
       Preferred               = yes

2:     ID                      = if_1
       Type                    = file
       NAS server              = nas_1
       Port                    = eth1_spb
       VLAN ID                 = 1
       IP address              = 192.168.1.2
       Subnet mask             = 255.255.255.0
       Gateway                 = 192.168.1.254
       IPv4 mode               = static
       IPv4 address            = 192.168.1.2
       IPv4 subnet mask        = 255.255.255.0
       IPv4 gateway            = 192.168.1.254
       IPv6 mode               = 
       IPv6 address            = 
       IPv6 link-local address = 
       IPv6 gateway            = 
       MAC address             = EA:3E:22:21:7A:78
       SP                      = spa
       Preferred               = yes

3:     ID                      = if_2
       Type                    = replication
       NAS server              =
       Port                    = eth1_spb
       VLAN ID                 =
       IP address              = 10.103.75.56
       Subnet mask             = 255.255.248.0
       Gateway                 = 10.103.72.1
       IPv4 mode               = static
       IPv4 address            = 10.103.75.56
       IPv4 subnet mask        = 255.255.248.0
       IPv4 gateway            = 10.103.72.1
       IPv6 mode               =
       IPv6 address            =
       IPv6 gateway            =
       MAC address             = EA:3E:22:6D:BA:40
       SP                      = spb
       Preferred               = no

Change interface settings

Change the settings for an interface.

Format

/net/if -id <value> set [-vlanId <value>] [-addr <value>] [-netmask <value>] [-gateway <value>]

Object qualifier

Qualifier	Description
-id	Type the ID of the interface to change.

Action qualifier

Qualifier

Description

-vlanId

Type the virtual LAN (VLAN) ID for the interface. The interface uses the ID to accept packets that have VLAN tags. The value range is 1–4095.

NOTE: If no VLAN ID is specified, which is the default, packets do not have VLAN tags. The Unisphere online help provides more details on VLANs.

-addr

Specify the IP address for the interface.

NOTE: The prefix length should be appended to the IPv6 address. The IPv4 netmask may be specified in address attribute after the slash.

-netmask

Specify the IPv4 subnet mask for the interface.

-gateway

Specify the gateway for the interface.

NOTE: The gateway is optional for both IPv4 and IPv6. This qualifier configures the default gateway for the specified port’s SP.

Example

The following command changes the gateway address for interface IF_1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456!/net/if –id IF_1 set -gateway 2001:db8:0:170:a:0:2:70

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = IF_1
Operation completed successfully.

Delete interfaces

Delete an interface.

NOTICE: Deleting an interface can break the connection between systems that use it, such as configured hosts.

Format

/net/if –id <value> delete

Object qualifier

Qualifier	Description
-id	Type the ID of the interface to delete.

Example

The following command deletes interface IF_1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/if –id IF_1 delete

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage static IP routes

A route determines where to forward a packet destined for a non-local subnet so it can reach its destination, whether that destination is a network or host. A static IP route is a host, network, or default route that is configured manually.

The system selects a route in order from most specific to least specific, as follows:

Host (most specific)
Network
Default (least specific)

NOTE: An IP route connects an interface (IP address) to the larger network through a gateway. Without the route, the interface is no longer accessible outside its immediate subnet. As a result, network shares and exports associated with the interface are no longer available to clients outside of its immediate subnet.

Each route is identified by an ID.

The following table describes the attributes for static IP routes.

Table 26. Static IP route attributes
Attribute	Description
ID	ID of the route.
Interface ID	ID of the interface the route uses to reach the gateway. The interface is associated with a SP. View interfaces explains how to view the network interface IDs.
Route type	Type of route. Valid values are: default — Default gateway the system uses when it cannot find a route to a connected node. host — Static route to a specific host. net — Static route to a subnet IP address.
Target	IP address of the target network node based on the specified route type. Valid values are: For default, there is no value, as the system will use the specified gateway IP address. For host, the value is the IP address of the host. For net, the value is a subnet IP address.
Netmask	For a subnet route, the IP address of the subnet mask.
Gateway	IP address of the gateway.
Health state	A numerical value indicating the health of the system. Valid values are: Unknown (0) OK (5) OK BUT (7) Degraded/Warning (10) Minor failure (15) Major failure (20)
Health details	Additional health information. See Appendix A, Reference, for health information details.

Create IP routes

Create an IP route.

NOTE: To change a route, delete it and re-create it with the new settings.

Format

/net/route create -if <value> -type {default | host -target <value> | net -target <value> [-netmask <value>]} [-gateway <value>]

Action qualifier

Qualifier

Description

-if

Type the ID of the interface that the route will use to reach the gateway. View interfaces explains how to view the network interface IDs.

NOTE: The system may not use the interface you type for the route. The system determines the best interface for the route automatically.

-type

Type the type of route. Value is one of the following:

default — System uses the default gateway when it cannot find a route to a connected node.
host — Create a route to a host.
net — Create a route to a subnet.

-target

Type the IP address for the target network node based on the value of -type. Value is one of the following:

For default, the system will use the IP address specified for -gateway.
For host, type the IP address of a target host.
For net, type the IP address of a target subnet. Include the -netmask qualifier to specify the IP address of the subnet mask.

-netmask

For a route to a subnet, type the IP address of the subnet mask.

-gateway

Type the gateway IP address for the route.

Example

The following command creates a network route for interface if_1 to reach the 10.64.74.x subnet using gateway 10.64.74.1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/route create –if IF_1 –type net –target 10.64.200.10 netmask 255.255.255.0 –gateway 10.64.74.1

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = RT_1
Operation completed successfully.

View IP routes

View details about IP routes. You can filter on the route ID.

NOTE: The show action command explains how to change the output format.

Format

/net/route [ {-id <value> | -if <value>} ] show

Object qualifier

Qualifier	Description
-id	Specifies the ID of a route.
-if	Specifies the network interface for which you want to return routes.

Example

The following command displays details of the IP routes RT_1, RT_2, and RT_3:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/route show -detail

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID           = RT_1
       Type         = net
       Target       = 10.64.74.10
       Netmask      = 255.255.255.0
       Gateway      = 10.0.0.1
       Interface    = IF_1
       Health state = OK (5)

2:     ID           = RT_2
       Type         = default
       Target       =
       Netmask      =
       Gateway      = 10.64.74.2
       Interface    = IF_2
       Health state = OK (5)

3:     ID           = RT_3
       Type         = host
       Target       = 10.64.74.168
       Netmask      =
       Gateway      = 10.0.0.3
       Interface    = IF_3
       Health state = OK (5)

Change IP routes

Modify an existing IP route.

Format

/net/route set route -id <value> set [-type {default | host | net}] [-target <value> [-netmask <value>]] [-gateway <value>]

Object qualifier

Qualifier	Description
-id	Identifies the route object.

Action qualifier

Qualifier	Description
-type	Specify the type of route. Only one default IPv4 route instance is allowed. Valid values are (case-insensitive): default — System uses the default gateway when it cannot find a more specific host or network route. host — Create a route to a host. net — Create a route to a subnet.
-target	Specify the destination IP address or a range of IP addresses. If the route type is: `host`, the value is an IP address of the host. `net`, the value is a subnet IP address with the following format: `<IPv4 address>/[<prefix length>]` or `<IPv6 address>/[<prefix length>].` Default prefix length is 24 for IPv4 address and 64 for IPv6 address. Valid values are: For a default route, the system uses the IP address specified for -gateway. For a host route, specify the IP address of a target host. For a net route, specify the IP address of a target subnet. Include the -netmask qualifier to specify the IP address of the subnet mask.
-netmask	For a route to a subnet, type the IP address of the subnet mask.
-gateway	Specify the gateway IP address for the route.

Example

The following command changes the target IP address to 10.64.200.11, the netmask to 255.255.255.0, and the gateway to 10.64.74.2 for IP route RT_1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/route -id RT_1 set -target 10.64.200.11 ‑netmask 255.255.255.0 -gateway 10.64.74.2

                          Storage system address: 10.64.75.201
Storage system port: 443
HTTPS connection

ID = RT_1
Operation completed successfully.

Delete IP routes

Delete an IP route.

Format

/net/route –id <value> delete

Object qualifier

Qualifier	Description
-id	Type the ID of the route to delete.

Example

The following command deletes route RT_1:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/route –id RT_1 delete

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage link aggregations

Link aggregation lets you link physical ports (for example, port 0 and port 1) on a SP to a single logical port and therefore lets you use up to four Ethernet ports on the SP. If your system has two SPs, and you link two physical ports, the same ports on both SPs are linked for redundancy. For example, if you link port 0 and port 1, the system creates a link aggregation for these ports on SP A and a link aggregation on SP B.

Each link aggregation is identified by an ID.

NOTE: The cabling on SP A must be identical to the cabling on SP B, or you cannot configure link aggregation.

Link aggregation has the following advantages:

Increases overall throughput since two physical ports are linked into one logical port.
Provides basic load balancing across linked ports since the network traffic is distributed across multiple physical ports.
Provides redundant ports so that if one port in a linked pair fails, the system does not lose connectivity.

NOTE: With link aggregation, both linked ports must be connected to the same switch and the switch must be configured to use link aggregation that uses the Link Aggregation Control Protocol (LACP). The documentation that came with your switch should provide more information on using LACP.

The following table describes the attributes for link aggregation.

Table 27. Link aggregation attributes

Attribute

Description

ID

ID of the link aggregation. The ID is a combination of the link ID and the SP that contains the linked ports.

Ports

IDs of the linked physical ports. The port names include the name of the SP that contains the ports.

SP

Name of the SP on which the ports are linked. Valid values are:

SPA
SPB

MTU size

Maximum transmission unit (MTU) packet size (in bytes) for the linked ports. Default is 1500 bytes per packet.

Linux device name

Linux network device name.

FSN port ID

ID of the FSN port to which the link aggregation belongs, if it is part of an FSN.

Available MTU size

List of available MTU sizes.

NOTE: This displays as an interval defined by the minimum and maximum values, for example: 1280-9216.

Health state

Health state of the link aggregation. The health state code appears in parentheses. Value is one of the following:

Unknown (0) — Status is unknown.
OK (5) — Working correctly.
OK BUT (7) — Lost connection, but the link aggregation is not in use.
Degraded/Warning (10) — Working and performing all functions, but the performance may not be optimum.
Minor failure (15) — Working and performing all functions, but overall performance is degraded. This condition has a minor impact on the system and should be remedied at some point, but does not need to be fixed immediately.
Major failure (20) — Failing and some or all functions may be degraded or not working. This condition has a significant impact on the system and should be remedied immediately.
Critical failure (25) — Failed and recovery may not be possible. This condition has resulted in data loss and should be remedied immediately.
Non-recoverable error (30) — Completely failed and cannot be recovered.

Health details

Additional health information.

Create link aggregations

Create a link aggregation by linking two physical ports on an SP to create a logical port.

Format

/net/la create –ports <value> [-mtuSize <value>]

Action qualifier

Qualifier	Description
-ports	Type the IDs of the physical ports to link on the SP. Separate the IDs with a comma. For example, to link ports 0 and 1 on SPA, type: eth0_SPA,eth1_SPA.
-mtuSize	Type the MTU size (in bytes) for the linked ports. The MTU size can be set to a custom value between 1280 and 9216. Specific I/O modules may restrict allowed range for MTU size value. The MTU size values of 1500 bytes (default) and 9000 bytes (jumbo frame) are supported by all interfaces and I/O modules.

Example

The following command links port 0 and port 1 on SPA with the default MTU size. The system has two SPs, so port 0 and port 1 on SPB are also linked, which results in two link aggregation IDs:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/la create -ports "eth0_SPA,eth1_SPA"

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = la0_SPA
ID = la0_SPB
Operation completed successfully.

View link aggregations

View details about link aggregations. You can filter on the link aggregation ID.

Format

/net/la [-id <value>] show

Object qualifier

Qualifier	Description
-id	Type the ID of the link aggregation.

Example

The following command shows the link aggregations on the system, in this case, for both SPA and SPB:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/la show -detail

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:    ID                  = spa_la_0_2
      SP                  = spa
      Ports               = spa_iom_0_eth2, spa_iom_0_eth3
      FSN port ID         = None
      MTU size            = 3456
      Available MTU sizes = 1280-9216
      Linux device name   = bond12
      Health state        = OK (5)
      Health details      = "The component is operating normally. No action is required."
      Operational status  =

2:    ID                  = spb_la_0_2
      SP                  = spb
      Ports               = spb_iom_0_eth2, spb_iom_0_eth3
      FSN port ID         = None
      MTU size            = 3456
      Available MTU sizes = 1280-9216
      Linux device name   = bond12
      Health state        = OK (5)
      Health details      = "The component is operating normally. No action is required."
      Operational status  =

Change link aggregations

Change the settings of a link aggregation.

Format

/net/la -id <value> set [-ports <value>] [-mtuSize <value>]

Object qualifier

Qualifier	Description
-id	Type the ID of the link aggregation to change.

Action qualifier

Qualifier	Description
-ports	Type the IDs of the physical ports to link on the SP. Separate the IDs with a comma. For example, to link ports 0 and 1 on SPA, type: eth0_SPA,eth1_SPA
-mtuSize	Type the MTU size (in bytes) for the linked ports. The MTU size can be set to a custom value between 1280 and 9216. Specific I/O modules may restrict allowed range for MTU size value. The MTU size values of 1500 bytes (default) and 9000 bytes (jumbo frame) are supported by all interfaces and I/O modules.

Example

The following command changes the MTU size for link aggregation la0_SPA to 9000 bytes. The system has two SPs, so MTU size is updated for both link aggregation IDs:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/la –id la0_SPA set –mtuSize 9000

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = la0_SPA
ID = la0_SPB
Operation completed successfully.

Delete link aggregations

Delete a link aggregation.

Format

/net/la [-id <value>] delete

Object qualifier

Qualifier	Description
-id	Type the ID of the link aggregation to delete.

Example

The following command deletes link aggregation la0_SPA. The system has two SPs, so link aggregation la0_SPB is also deleted:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/la –id la0_SPA delete

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = la0_SPA
ID = la0_SPB
Operation completed successfully.

Manage Fail-safe networking (physical deployments only)

Learn about Fail-safe networking (FSN) and which attributes are used to manage FSN in the CLI.

A Fail-Safe Network (FSN) is a high-availability feature that extends link failover into the network by providing switch-level redundancy. An FSN appears as a single link with a single MAC address and potentially multiple IP addresses. An FSN can be a port, a link aggregation, or any combination of the two. An FSN adds an extra layer of availability to link aggregations alone. Link aggregations provide availability in the event of a port failure. FSNs provide availability in the event of a switch failure. Each port or link aggregation is considered as a single connection. Only one connection in an FSN is active at a time. All the connections making up the FSN share a single hardware (MAC) address.

If the system detects a failure of the active connection, it will automatically switch to the standby connection in the FSN. That new connection assumes the network identity of the failed connection, until the primary connection is available again. You can designate which connection is the primary port/connection. To ensure connectivity in the event of a hardware failure, create FSN devices on multiple I/O modules or onboard ports. The FSN components are connected to different switches. If the network switch for the active connection fails, the FSN fails over to a connection using a different switch, thus extending link failover out into the network.

When replicating from one Unity system to another, configure the FSN the same way on both systems as a best practice. You will need to manually configure the FSN on the destination before setting up replication. Otherwise, if you set up the FSN on the destination after replication is configured, you will need to use the override option to select the FSN as the interface for the destination NAS server.

NOTE: A NAS server IP interface should be build on the highest level logical device. If you want to repurpose a port or link aggregation currently used as a NAS server IP interface for an FSN, you will need to remove the IP interface from the NAS server, create the FSN, and reassign the IP interface to the FSN device.

Table 28. FSN attributes

Attribute

Description

ID

ID of the Fail-Safe Networking port.

SP

Storage processor the FSN is on.

MTU size

Maximum Transmission Unit (MTU) size.

Available MTU sizes

List of available MTU sizes.

NOTE: This displays as an interval defined by the minimum and maximum values, for example: 1280-9216.

Linux device name

Name of the Linux network device.

Primary port

ID of the primary port used in the FSN. The primary port cannot be removed.

Secondary ports

Comma-separated list of the other secondary ports in the FSN. This includes both link aggregations and ethernet ports.

Active port

ID of the active port for the FSN.

Health state

The health state of the FSN. Valid values are:

OK (5) — The FSN is operating normally, or the active port of the FSN has changed.
Degraded/Warning (10) — Performance of the FSN has degraded.
Minor failure (15) — An FSN port link is down.
Major failure (20) — An FSN port is missing ports, or an FSN port is not symmetrical.

Health details

Detailed health information for the FSN.

Create an FSN

Use the CLI to create a fail-safe network.

Create a fail-safe network using two or more ports or link aggregations.

Format

/net/fsn create -primaryPort <value> -secondaryPorts <value> [-mtuSize <value>]

Action qualifier

Qualifier	Description
-primaryPort	Type the ID of the primary port for the FSN. This can be either an ethernet port or link aggregation.
-secondaryPorts	Type the comma-separated list of additional port or link aggregation IDs to be included in the FSN.
-mtuSize	Optionally, type the Maximum Transmission Unit size for the FSN. The MTU must be in the range allowed for all of the ports included in the FSN. The MTU size can be set to a custom value between 1280 and 9216. Specific I/O modules may restrict allowed range for MTU size value. The MTU size values of 1500 bytes (default) and 9000 bytes (jumbo frame) are supported by all interfaces and I/O modules.

Example

The following example creates an FSN where the primary port is a single ethernet port, and the secondary ports include a link aggregation and additional single ethernet port.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/fsn create -primaryPort spa_eth0 -secondaryPorts "spa_la_2,spa_eth3"

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = spa_fsn_0
ID = spb_fsn_0

Operation completed successfully.

View FSN settings

Review the list and details of each FSN on the system.

Format

/net/fsn [-id <value>] show

Object qualifier

Qualifier	Description
-id	Type the ID for the FSN port for which you would like to view details. Do not specify to see details for all FSNs on the system.

Example

The following example shows the details of all the FSNs on the system.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/fsn show -detail

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:    ID                  = spa_fsn_0_1
      SP                  = spa
      Primary port        = spa_iom_0_eth1
      Secondary ports     = spa_la_2
      Active port         = spa_iom_0_eth1
      MTU size            = 1500
      Available MTU sizes = 1500,9000
      Health state        = OK (5)
      Health details      = "FSN port is operating normally."

2:    ID                  = spb_fsn_0_1
      SP                  = spb
      Primary port        = spb_iom_0_eth1
      Secondary ports     = spb_la_2
      Active port         = spb_iom_0_eth1
      MTU size            = 1500
      Available MTU sizes = 1500,9000
      Health state        = OK (5)
      Health details      = "FSN port is operating normally."

Change an FSN

Make changes to an existing FSN.

Change a fail-safe network by modifying the included secondary ports or MTU sizes.

Format

/net/fsn -id <value> set [-secondaryPorts <value>] [-mtuSize <value>]

Object qualifier

Qualifier	Description
-id	Type the ID of the FSN port.

Action qualifier

Qualifier	Description
-secondaryPorts	Type the list of full IDs of the physical ports and/or link aggregation ports for the FSN. Remove any from the list you wanted deleted from the FSN, and add any you want included.
-mtuSize	Type the new Maximum Transmission Unit (MTU) size for the FSN. The MTU must be in the range allowed for all of the ports included in the FSN. The MTU size can be set to a custom value between 1280 and 9216. Specific I/O modules may restrict allowed range for MTU size value. The MTU size values of 1500 bytes (default) and 9000 bytes (jumbo frame) are supported by all interfaces and I/O modules.

Example 1

The following example changes the MTU size of the FSN "spa_fsn_0".

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/fsn -d spa_fsn_0 set -mtuSize 9000

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = spa_fsn_0
ID = spb_fsn_0

Operation completed successfully.

Example 2

The following example shows an attempt to add Ethernet port "spa_iom_0_eth2" to FSN "spa_fsn_0", however this ethernet port is already in use for another link aggregation and could not be added independently to the FSN.

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/fsn -d spa_fsn_0 set -secondaryPorts spa_iom_0_eth2

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation failed. Error code: 0x6000851
One of the specified ports cannot be used to configure an FSN because to it is already included in an FSN or link aggregation. (Error Code:0x6000851)

Delete an FSN

Delete an FSN from the system.

Delete a fail-safe network.

Format

/net/fsn -id <value> delete

Object qualifier

Qualifier	Description
-id	Type the ID of the FSN port.

Example

The following example deletes FSN "spa_fsn_0"

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/fsn -id spa_fsn_0 delete

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = spa_fsn_0
ID = spb_fsn_0

Operation completed successfully.

Manage DNS settings

A domain name server (DNS) is a network service responsible for converting domain names to their corresponding IP addresses. The system uses DNS services to resolve network names and IP addresses for the network services it needs (for example, for NTP and SMTP servers) and so that it can obtain IP addresses for hosts addressed by network names rather than IP addresses.

During the initial system configuration process you must specify the network address of at least one DNS server for resolving host names to IP addresses. Later, you can add, delete, or change DNS server settings.

You can configure multiple DNS server domains to specify each domain and IP address of the DNS servers for the system to use. By default, the system uses the top entry in the list as the current DNS. The remaining list provides a hierarchy of DNS servers to use if the first-choice server becomes unavailable. If the first DNS server in the list becomes unavailable, the system proceeds to the next DNS server in the list, and so on. You can also specify default DNS server addresses to indicate which addresses the system will use first.

DNS domains allow configuring DNS server addresses. All addresses are grouped under user-defined DNS server domains. DNS settings are identified by NAS server domain ID. NAS server DNS settings should allow DNS resolution of all names within an SMB server domain in order for the SMB protocol to operate normally within an Active Directory domain.

NOTICE: You must configure at least one valid DNS server entry in the domain for the system. Deleting the last DNS entry can disrupt network communication to the device, and potentially interrupt communication between the system and the hosts that use its storage resources.

The following table lists the attributes for DNS domains.

Table 29. DNS domain and server attributes

Attribute

Description

NAS server

ID of the associated NAS server.

Name

Name of the DNS domain.

Auto-configuration enabled

Indicates whether DNS addresses are configured automatically.

Name servers

List of IP addresses that correspond to the name servers in the domain.

Replication sync

Indicates the status of the DNS list in the NAS server operating as a replication destination. When a replicated DNS servers list is created on the source NAS server, it is automatically synchronized to the destination. Valid values are:

Not replicated – DNS list is not replicated over to the destination.
Auto synchronized – DNS list is automatically synchronized over to the replication destination. Any modify or delete operations at the source will automatically be reflected on the destination.
Overridden – DNS list has been manually modified or overridden on the replication destination. Modifications or deletions of addresses from the DNS list on the source NAS server will have no effect on the overridden DNS list on the replication destination.

NOTE: When a DNS list is disabled or deleted from the source, overridden DNS list in the destination may not get disabled or deleted automatically.

Source name servers

List of name server IP addresses defined on the replication source.

Configure DNS settings

Configure the DNS settings for the storage system.

Format

/net/dns/config set {-nameServer <value> | -auto | -noNameServer}

Action qualifier

Qualifier	Description
-nameServer	Type a list of DNS server addresses to designate as default addresses. Separate the addresses with a comma. The system uses the addresses in the order in which you type them.
-auto	Set DNS addresses dynamically.
-noNameServer	Clear the list of IP addresses.

Example

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/dns/config set -nameServer “128.222.132.29,128.222.132.32”

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

View default DNS addresses

View the DNS server addresses designated as a default.

Format

/net/dns/config show

Example

The following command displays the DNS server addresses:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/dns/config show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1. Auto-configuration enabled = no	
   Name servers               = 10.5.3.29,10.5.3.32,2001:db8:170:9400:212:3fff:fe2a:8812

View DNS server domains

View details about configured DNS server domains.

NOTE: The show action command explains how to change the output format.

Format

/net/nas/dns [-server <value>] show

Object qualifier

Qualifier	Description
-server	Type the ID of the associated NAS server.

Example

The following command lists all DNS server domains:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/dns -server nas_1 show -detail

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     NAS server          = nas_1
       Name                = domain.one.com
       Name servers        = 10.64.74.1,10.64.74.201
       Replication sync    = Overridden
       Source name servers = 10.64.74.1,10.64.74.201

Configure a DNS domain

Configure a DNS server domain.

Format

/net/nas/dns -server <value> set { [-name <value>] [-nameServer <value>]| -enabled no} [-replSync {auto | overridden}]

Object qualifier

Qualifier	Description
-server	Type the name of the associated NAS server.

Action qualifier

Qualifier	Description
-name	Type the name of the associated NAS server.
-nameServer	Type the IP addresses of the DNS servers. Separate the addresses using a comma.
-enabled	Set the value to no to remove DNS settings for the NAS server. Valid value is no.
-replSync	Status of the DNS list in the NAS server operating as a replication destination. Valid values are: auto overridden

Example

The following command deletes the DNS domain domain.two.com:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/dns –server nas_1 set -name “newdomain.one.com”

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage NTP server settings

NOTE: NTP is not required, but some functionality is unavailable without it.

The system relies on the network time protocol (NTP) as a standard for synchronizing the system clock with other nodes on the network. NTP provides a way of synchronizing clocks of distributed systems within approximately one millisecond of each other. A Windows Active Directory domain controller can operate as a time server if the Windows Time Service is running on it.

Some applications will not operate correctly if the clock on the system is not synchronized with the clock on connected hosts. Configure the system and any connected hosts to use the same time server. Doing so does the following:

Minimizes the chance that synchronization issues will arise between the system and connected hosts.
Reduces the difficulty of reconciling timestamps used for log information in the different systems.

NOTE: When using a NAS server for CIFS (SMB) network shares, the system cannot access an Active Directory domain unless the system is synchronized within five minutes of the Active Directory controller for the domain where the network shares reside.

You can configure a total of three NTP server addresses for the system. All NTP server addresses are grouped into a single NTP server record. NTP is not required, but some functionality is unavailable without it.

The following table lists the attributes for the NTP server record.

Table 30. NTP server record attributes
Attribute	Description
ID	ID of the NTP server record.
Server	Name or IP address of an NTP server.

Create an NTP server record

Create an NTP server to specify an IP address of each NTP server the system will use.

NOTE: By default, the first NTP server address you specify will become the primary.

Format

/net/ntp/server create –server <value> [-force {noReboot | allowReboot | allowDU}]

Action qualifier

Qualifier

Description

-server

Type the name or IP address of an NTP server.

-force

Accept or decline the system reboot, which may be needed to complete the time change. If the qualifier isn't specified, you will be asked to confirm reboot if it's needed. Valid values are:

noReboot
allowReboot
allowDU

NOTE: Note: allowDU is used if the system is in a degraded state or has one SP (data will be unavailable during its reboot). Otherwise allowReboot is used. In silent mode, system will be rebooted if needed.

Example

The following creates an NTP server record that contains NTP server address 0.north-america.pool.ntp.org:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/ntp/server create –server 0.north-america.pool.ntp.org

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

ID = NTP_0.north-america.pool.ntp.org 
Operation completed successfully.

View NTP server settings

View details about the NTP server.

NOTE: The show action command explains how to change the output format.

Format

/net/ntp/server [-id <value>] show

Object qualifier

Qualifier	Description
-id	Type the ID of the NTP server.

Example

The following command displays the NTP server record, which contains two NTP server addresses:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/ntp/server show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID      = NTP_0.north-america.pool.ntp.org
       Server  = 0.north-america.pool.ntp.org

2:     ID      = NTP_1.north-america.pool.ntp.org
       Server  = 1.north-america.pool.ntp.org

Configure NTP server settings

Configure the NTP server setting.

Format

/net/ntp/server set –addr <value>

Action qualifier

Qualifier	Description
-addr	Enter a list of one or more IP addresses or network names of each NTP server to include in the NTP server setting. Separate the addresses with a comma.

Example

The following command adds two IP addresses to the NTP server setting:

uemcli -d 10.0.0.1 -u Local/joe -p 12345 /net/ntp/server set –addr “10.64.75.55,10.64.75.44”

Delete NTP server settings

Delete an NTP server record to remove the NTP settings.

NOTE: If you delete the primary NTP server record, the system automatically determines the NTP server record to use.

Format

/net/ntp/server –id <value> delete

Action qualifier

Qualifier	Description
-id	Type the ID of the NTP server setting to delete.

Example

The following command deletes NTP server setting NTP_10.5.1.207:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/ntp/server –id NTP_10.5.1.207 delete

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage NIS server domains

The Network Information Service (NIS) consists of a directory service protocol for maintaining and distributing system configuration information, such as user and group information, hostnames, and e-mail aliases to network hosts. For example, to back up data on file system shares, some NDMP products require information from NIS servers to back up file system data.

NIS server addresses are grouped under domains, which are identified by domain IDs.

The following table lists the attributes for NIS servers domains.

Table 31. NIS server domain attributes

Attribute

Description

NAS server

ID of the associated NAS server.

Domain

Name of the NIS server domain.

Servers

List of IP addresses of the NIS servers in the domain.

Replication sync

Indicates the status of the NIS server addresses list in the NAS server operating as a replication destination. When a replicated NIS servers list is created on the source NAS server, it is automatically synchronized to the destination. Valid values are:

Not replicated – NIS list is not replicated over to the destination.
Auto synchronized – NIS list is automatically synchronized over to the replication destination. Any modify or delete operations at the source will automatically be reflected on the destination.
Overridden – NIS list has been manually modified or overridden on the replication destination. Modifications or deletions of addresses from the NIS list on the source NAS server will have no effect on the overridden NIS list on the replication destination.

NOTE: When a NIS list is disabled or deleted from the source, overridden NIS list in the destination may not get disabled or deleted automatically.

Source servers

List of IP addresses for the NIS servers defined on the replication source.

View NIS server domains

View details about NIS server domains.

Format

/net/nas/nis [-server <value>] show

Object qualifier

Qualifier	Description
-server	Type the ID of the associated NAS server

Example

The following command displays details about the NIS server domain:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/nis show -detail

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     NAS server       = nas_0
       Domain           = nis.one.com
       Servers          = nisserver1.one.com,10.64.74.1
       Replication sync = Overridden
       Source servers   = 10.64.74.74,10.64.74.1

Change NIS server domains

Add NIS server addresses to an NIS server domain.

Format

/net/nas/nis –server <value> set { [-domain <value>] [–ip <value>] | {-enabled no}} [-replSync {auto | overridden}]

Object qualifier

Qualifier	Description
-server	Type the ID of the associated NAS server

Action qualifier

Qualifier	Description
-domain	Type the NIS domain name.
-ip	Type the IP addresses of the NIS servers to include in the domain. Separate the addresses with a comma.
-enabled	Set the value to no to remove NIS settings for the NAS server. Valid value is no.
-replSync	Status of the NIS list in the NAS server operating as a replication destination. Valid values are: auto overridden

Example

The following command adds a new IP address to NIS server domain nis.two.com:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/nis –id nis.two.com set –ip “10.64.74.200”

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection


Operation completed successfully.

Manage SMTP server settings

The system uses the Simple Mail Transport Protocol (SMTP) to e-mail alerts, based on alert severity, of system events to specified e-mail addresses and to EMC support. Once you provide the IP address of the SMTP server to use, you can enable the following features on the system:

E-mail alerts — The system sends e-mail alerts of system events to the specified IP address when it encounters alert or error conditions. The system uses the first IP address you specify.

Configure alert settings explains how to specify the alert severity of which to e-mail alerts. All IP addresses are grouped under a single SMTP server setting.

The following table lists the attributes for SMTP server settings.

Table 32. SMTP server attributes
Attribute	Description
ID	ID of the SMTP server.
Address	IP address of the SMTP server.
Port	Port of the SMTP server.
Encryption level	Encryption level (SSL method) used to communicate with the SMTP server. Valid values are: None Start TLS SSL
Authentication type	Type of authentication used to log in to the SMTP server. Valid value are: None Plain Login CRAM_MD5 DIGEST_MD5
User name	User name used to log in to the SMTP server.
Bypass proxy	Indicates whether or not the global proxy settings will be bypassed. yes: Global proxy server settings are ignored and the SMTP server will be accessed directly. no (default): Global proxy server settings are used to access the SMTP server.

View SMTP server settings

View the IP addresses of the SMTP servers.

NOTE: The show action command explains how to change the output format.

Format

/net/smtp [-id <value>] show

Object qualifier

Qualifier	Description
-id	Type the ID of an SMTP server.

Example

The following command lists the IP addresses of the two SMTP servers in the setting:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/smtp show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID                  = default
       Address             = 192.168.0.15
       Port                = 25
       Encryption level    = SSL
       Authentication type = Plain
       User name           = test
       Bypass proxy        = no

Configure SMTP server settings

Specify the IP addresses for the SMTP server setting.

Format

/net/smtp -id <value> set -addr <value> [-port <value>] [-encryptLevel {none|startTLS|ssl}] [-authType {none|plain|login|cram_md5|digest_md5}] [-user <value> {-passwd <value> |-passwdSecure}][-bypassproxy {yes|no}]

Object qualifier

Qualifier	Description
-id	Type the ID of an SMTP server for which to specify an IP address.

Action qualifier

Qualifier	Description
-addr	Type the IP address for the SMTP server. Note that the address can be either IPv4 or IPv6.
-port	Enter the port of the SMTP server.
-encryptLevel	Specifies the encryption level (SSL method) of the SMTP server. Valid values are: none startTLS ssl
-authType	Specifies the authentication type of the SMTP server. Valid values are: none plain login cram_md5 digest_md5
-user	Specifies the user name of the SMTP server.
-passwd	Specifies the password of the SMTP server.
-passwdSecure	Specifies the password in secure mode. The user will be prompted to input the password.
-bypassproxy	Specifies whether the global proxy settings are bypassed when accessing the SMTP server. Valid values are: yes: Ignores the global proxy server settings to access the SMTP server directly. no (default): Uses the global proxy server settings.

Example

The following command sets the IP address for the default SMTP server that the system will use:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/smtp -id default set -addr 10.64.74.16 -port 25 -encryptLevel ssl -authType plain -user test -passwd test

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage NDMP server settings

The Network Data Management Protocol (NDMP) provides a standard for backing up file servers on a network. NDMP allows centralized applications to back up file servers that run on various platforms and platform versions. NDMP reduces network congestion by isolating control path traffic from data path traffic, which permits centrally managed and monitored local backup operations.

Enable NDMP to use NDMP products for backing up and restoring data on file system storage.

The following table lists the attributes for NDMP servers.

Table 33. NDMP server attributes
Attribute	Description
NAS server	ID of the associated NAS server.
Enabled	Indication of whether NDP is enabled. Value is yes or no.
Username	User name for accessing the NDMP server.
Password	Password for accessing the NDMP server.

View NDMP server settings

View whether NDMP is enabled or disabled.

Format

/net/nas/ndmp [-server <value>] show

Object qualifier

Qualifier	Description
-server	Type the ID of the associated NAS server.

Example

The following command displays the NDMP settings, which show that NDMP is enabled:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/ndmp show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     NAS server  = nas_0
       Enabled     = yes

2:     NAS server  = nas_1
       Enabled     = no

Configure NDMP server settings

Configure NDMP server settings, which includes enabling or disabling NDMP and changing the password for accessing the NDMP server.

Format

/net/nas/ndmp -server <value> set -enabled {yes {-passwd <value> | -passwdSecure} | no}

Object qualifier

Qualifier	Description
-server	Type the ID of the associated NAS server.

Action qualifier

Qualifier	Description
-enabled	Enable NDMP. Value is yes or no. For yes, type the NDMP server password.
-passwd	Type the password for the NDMP server. You must specify the password when enabling NDMP.
-passwdSecure	Specify the password in secure mode - the user will be prompted to input the password and the password confirmation.

Example

The following command enables NDMP:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/nas/ndmp -server nas_0 set –enabled yes –passwd “Password0123”

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

Operation completed successfully.

Manage LDAP settings

The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying directory services running on TCP/IP networks. LDAP provides central management for network authentication and authorization operations by helping to centralize user and group management across the network. Integrating the system into an existing LDAP environment provides a way to control user and user group access to the system through Unisphere CLI or Unisphere.

After you configure LDAP settings for the system, you can manage users and user groups, within the context of an established LDAP directory structure. For instance, you can assign access permissions to Unisphere CLI that are based on existing users and groups.

NOTE: The system uses the LDAP settings only for facilitating control of access to Unisphere CLI and Unisphere, not for access to storage resources.

The following table lists the attributes for LDAP settings.

NOTE: If you intend to use LDAP with SSL, you must upload the CA certificate of the LDAP server to the system by using the -upload command before configuring the LDAP settings. For example:

                                uemcli -d 10.0.0.1 -u admin -p MyPwd -upload -f /tmp/myldapservercertificate.cer
/sys/cert -type CA -service Mgmt_LDAP

Table 34. LDAP server attributes

Attribute

Description

ID

ID of the LDAP server.

Auto discovery enabled

Indicates whether the LDAP server names are obtained using DNS. To use this feature, the DNS server for the LDAP domain must be configured as the first server in the list of DNS servers.

Name

Server hostnames or IP addresses of the LDAP servers, specified as a comma-separated list. If IP addresses are specified, the DNS Server for the LDAP domain must be configured with a reverse lookup so that it provides the FQDN for the specified IP addresses.

Domain name

Domain name for the LDAP server.

Port

Port number used by the directory server for LDAP communications. By default, LDAP uses port 389, and LDAP over SSL (LDAPS) uses port 636.

For forest-level authentication, specify port 3268 for LDAP or port 3269 for LDAPS.

Protocol

Indication of whether the LDAP protocol uses SSL for secure network communication. SSL provides encryption and authentication capabilities. SSL encrypts data over the network and provides message and server authentication. Value is one of the following:

ldap (default) — LDAP without SSL.
ldaps — LDAP with SSL.

Bind DN

Distinguished name (DN) for a user with administrator privileges on the LDAP Server. The DN can be expressed in several formats. For example:

cn=Administrator,cn=Users,dc=mycompany,dc=com

Administrator@mycompany.com

mycompany.com/Administrator

Bind password

Password to be used for binding to the LDAP server. This is the password for the user specified in the Bind DN attribute.

User search path

Path to search for users on the directory server. For example: ou=People,dc=lss,dc=emc,dc=com.

NOTE: On an Active Directory server, a default search path is used.

Group search path

Path to search for groups on the directory server. For example: uid=<name>,ou=people,dc=<domaincomponent>,or dc=<domain component>.

NOTE: On an Active Directory server, a default search path is used.

User ID attribute

Name of the LDAP attribute whose value indicates the user ID. Default value is uid. For forest-level authenticaion, specify userPrincipalName.

Group name attribute

Name of the LDAP attribute whose value indicates the group name. Default value is cn.

User object class

LDAP object class for users. Default is user. In Active Directory, groups and users are stored in the same hierarchical directory path and the class is called group.

Group object class

LDAP object class for groups. Default value is group. In Active Directory, groups and users are stored in the same directory path and the class is called group.

Group member class

Name of the LDAP attribute whose value contains names of group members within a group. Default value is member.

Certificate filepath

Path to (filename of) the trusted certificate file used for one-way LDAP server authentication. The chain cannot contain the server certificate.

LDAP timeout

Timeout for the LDAP server in milliseconds. If the system does not receive a reply from the LDAP server after the specified timeout, it stops sending requests. Default value is 10,000 milliseconds, or 10 seconds.

Configure LDAP settings

Configure LDAP settings to control user access to Unisphere CLI and Unisphere from an LDAP server.

NOTE: If you intend to use LDAP with SSL, you must upload the CA certificate of the LDAP server to the system by using the -upload command before configuring the LDAP settings. For example:

                                      uemcli -d 10.0.0.1 -u admin -p MyPwd -upload -f /tmp/myldapservercertificate.cer
/sys/cert -type CA -service Mgmt_LDAP

Format

/net/ldap create [{-name <value> | -autoDiscoveryEnabled}] –domain <value> [-port <value>] [-protocol {ldap|ldaps -certFilePath <value>}] -bindDn <value> {-bindPasswd <value> | -bindPasswdSecure} [-userSearchPath <value>] [-groupSearchPath <value>] [-userIdAttr <value>] [-groupNameAttr <value>] [-userObjectClass <value>] [-groupObjectClass <value>] [-groupMemberAttr <value>] [-timeout <value>]

Action qualifier

Qualifier

Description

-name

Type the LDAP IP addresses or hostnames as a comma-separated string. If IP addresses are specified, the DNS server for the LDAP domain must be configured with a reverse lookup so that it provides the FQDN for a specified IP address.

-autoDiscoveryEnabled

Specify to direct the system to obtain the LDAP server addresses using DNS. To use this feature, the DNS server for the LDAP domain must be configured as the first server in the list of DNS servers.

NOTE: -autoDiscoveryEnabled is the default if you do not specify either -name or -autoDiscoveryEnabled.

-domain

Type the domain name for the LDAP server.

-protocol

Specify whether the LDAP protocol uses SSL for secure network communication. SSL provides encryption and authentication capabilities. SSL encrypts data over the network and provides message and server authentication. Valid values are:

ldap (default) — LDAP without SSL.
ldaps — LDAP with SSL.

-certFilePath

Path to (filename of) the trusted certificate file used for one way server authentication.

NOTE: If the value of -protocol is ldaps, this qualifier is required.

-port

Type the port number used by the directory server for LDAP communications. By default, LDAP uses port 389, and LDAP over an SSL uses port 636. For forest-level authentication, specify port 3268 for LDAP or port 3269 for LDAPS.

-bindDn

Type the distinguished name (DN) for a user with administrator privileges on the LDAP Server. The DN can be expressed in several formats. For example:

cn=Administrator,cn=Users,dc=mycompany,dc=com

Administrator@mycompany.com

mycompany.com/Administrator

-bindPasswd

Type the password to be used for binding to the LDAP server. This is the password for the user specified in the Bind DN attribute.

-bindPasswdSecure

Specify the password in secure mode - the user will be prompted to input the password.

-userSearchPath

Type the path to search for users on the directory server. For example: ou=People,dc=lss,dc=emc,dc=com

NOTE: On an Active Directory server, a default search path is used.

-groupSearchPath

Type the path to search for groups on the directory server. For example: ai.uid=<name>,ou=people,dc=<domaincomponent>,or dc=<domain component>.

NOTE: On an Active Directory server, a default search path is used.

-userIdAttr

Type the name of the LDAP attribute whose value indicates the user ID. Default value is uid.

-groupNameAttr

Type the LDAP object class for users. Default value is user. In Active Directory, groups and users are stored in the same hierarchical directory path and the class is called group.

-groupObjectClass

Type the LDAP object class for groups. Default value is group. In Active Directory, groups and users are stored in the same directory path and the class is called group.

-groupMemberAttr

Type the name of the LDAP attribute whose value contains names of group members within a group. Default value is member.

-timeout

Type the timeout for the LDAP server in milliseconds. If the system does not receive a reply from the LDAP server after the specified timeout, it stops sending requests. Default is 10,000 milliseconds, or 10 seconds.

Example 1: Creating an LDAP configuration with a specific LDAP server address specified

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/ldap create -name lpso242.lss.emc.com -domain domain.example.com -port 389 -protocol ldap -bindDn "cn=Directory Manager" -bindPasswd Password0123 -userSearchPath "ou=People,dc=lss,dc=emc,dc=com" -groupSearchPath "ou=Groups,dc=lss,dc=emc,dc=com" -userIdAttr "uid" ‑groupNameAttr "cn" -userObjectClass "interOrgPerson" -groupObjectClass "groupOfUniqueNames" -groupMemberAttr "uniqueMember" -timeout 40000

                          Storage system address: 10.64.75.201
Storage system port: 443
HTTPS connection

ID = LDAP_1
Operation completed successfully.

Example 2: Creating an LDAP configuration with multiple LDAP server address specified

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/ldap create -name lpso242.lss.emc.com,lpso243.lss.emc.com -domain domain.example.com -port 389 -protocol ldap -bindDn "cn=Directory Manager" -bindPasswd Password0123 -userSearchPath "ou=People,dc=lss,dc=emc,dc=com" -groupSearchPath "ou=Groups,dc=lss,dc=emc,dc=com" -userIdAttr "uid" -groupNameAttr "cn" -userObjectClass "interOrgPerson" -groupObjectClass "groupOfUniqueNames" -groupMemberAttr "uniqueMember" -timeout 40000

                          Storage system address: 10.64.75.201
Storage system port: 443
HTTPS connection

ID = LDAP_1
Operation completed successfully

Example 3: Creating an LDAP configuration using auto discovery through DNS to configure the server addresses

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/ldap create -autoDiscoveryEnabled -domain domain.example.com -port 389 -protocol ldap -bindDn "cn=Administartor,ou=Users,dc=domain,dc=example,dc=com" -bindPasswd Password0123 -userSearchPath "ou=Users,dc=domain,dc=example,dc=com" -groupSearchPath "ou=Groups,dc=domain,dc=example,dc=com" -userIdAttr "uid" -groupNameAttr "cn" -userObjectClass "interOrgPerson" -groupObjectClass "groupOfUniqueNames" -groupMemberAttr "uniqueMember" -timeout 40000

                          Storage system address: 10.64.75.201
Storage system port: 443
HTTPS connection

ID = LDAP_1
Operation completed successfully

View LDAP settings

View details for configured LDAP settings.

NOTE: The show action command explains how to change the output format.

Format

/net/ldap [-id <value>] show

Object qualifier

Qualifier	Description
-id	Type the ID of the LDAP setting.

Example

The following command displays the LDAP settings:

uemcli -d 10.0.0.1 -u Local/joe -p MyPassword456! /net/ldap show

                          Storage system address: 10.0.0.1
Storage system port: 443
HTTPS connection

1:     ID              = LDAP_1
       Server name     = lpso242.lss.emc.com
       Domain          = local
       Protocol        = ldap
       Port            = 389

Change LDAP settings

Update a configured LDAP setting.

NOTE: If you intend to use LDAP with SSL, you must upload the CA certificate of the LDAP server to the system by using the -upload command before configuring the LDAP settings. For example:

                                      uemcli -d 10.0.0.1 -u admin -p MyPwd -upload -f /tmp/myldapservercertificate.cer
/sys/cert -type CA -service Mgmt_LDAP

Format

/net/ldap –id <value> set [{-name <value> | -autoDiscoveryEnabled}] [-port <value>] [-protocol {ldap | ldaps {-certFilePath <value>}}] [-bindDn <value>] [-bindPasswd <value> | -bindPasswdSecure] [-userSearchPath <value>] [-groupSearchPath <value>] [-userIdAttr <value>] [-groupNameAttr <value>] [-userObjectClass <value>] [-groupObjectClass <value>] [-groupMemberAttr <value>] [-timeout <value>]

Object qualifier

Qualifier	Description
-id	Type the ID of the LDAP setting to change.

Action qualifier

Qualifier

Description

-name

Type the IP addresses or hostnames of the primary directory servers to use for authentication. The values you type depends on the format of the subject field entry in each directory server's certificate. Typically, this requires a hostname. Type the LDAP IP addresses or hostnames as a comma-separated string. If IP addresses are specified, the DNS Server for the LDAP domain must be configured with a reverse lookup so that it provides the FQDN for the specified IP addresses.

-autoDiscoveryEnabled

Specify to direct the system to obtain the LDAP server addresses or hostnames using DNS. DNS must be configured for this option to take effect.

NOTE: -autoDiscoveryEnabled is the default if you do not specify either -name or -autoDiscoveryEnabled.

-domain

Type the domain name for the LDAP server.

-port

Type the port number used by the directory server for LDAP communications. By default, LDAP uses port 389, and LDAP over an SSL uses port 636. For forest-level authentication, specify port 3268 for LDAP or port 3269 for LDAPS.

-protocol

Type whether the LDAP protocol uses SSL for secure network communication. SSL provides encryption and authentication capabilities. SSL encrypts data over the network and provides message and server authentication. Value is one of the following:

ldap (default) — LDAP without SSL.
ldaps — LDAP with SSL.

-certFilePath

Path to (filename of) the trusted certificate file used for one way server authentication.

NOTE: If the value of -protocol is ldaps, this qualifier is required.

-bindDn

Type the distinguished name (DN) for a user with administrator privileges on the LDAP Server. The DN can be expressed in several formats. For example:

cn=Administrator,cn=Users,dc=mycompany,dc=com

Administrator@mycompany.com

mycompany.com/Administrator

-bindPasswd