- Creating a NAS service
- NAS client performance
- NAS data protection
- NFSv3 best practices
- SMB best practices
- SMB quick setup guide
- Connecting to SMB shares
- Snapshot access
Scope of document
This document provides guidelines and instructions for setting up the InfiniBox NAS service.
Unless otherwise specified, use Infinidat Management Console's command-line UI (InfiniShell) to run the CLI commands described in this document.
- InfiniBox Best Practices Guide for Setting Up the Network Connectivity
Describes how to set up the physical network prior to setting up the services.
- InfiniBox Best Practices Guide for Setting Up the Replication Service
Creating a NAS service
This configuration requires two switches that support LAGs (LACP port-groups) distributed across them. This configuration is typically supported by stacked switches. It is also supported by some non-stacked switches, such as Cisco Nexus Virtual Port Channel.
It is recommended to:
- Set the LACP rate of the relevant port-group (or port channel) to "Fast". This is consistent with the InfiniBox port groups' IEEE 802.3ad standard for the availability and load-balancing of the physical ports.
- Configure the switches to use a spanning-tree algorithm so that the ports connected to InfiniBox react to network changes.
The switch configuration semantics of many network vendor implementations refer to this as “portfast”, “edge” or “edge-port”.
- Enable RX/TX flow-control for the entire network path between the InfiniBox system and all NAS clients.
- Set the link up/down delay to less than 15 seconds.
Cisco calls this delay "debounce", Juniper calls it "hold-time", and HP calls it "link change suppression".
The default link up/down delay for some switches is 60 seconds or more.
InfiniBox advertises LACP capability on all configured Ethernet ports, regardless of the number of ports configured in a port group.
LACP is only advertised after a network space is configured.
To configure the switch-to-port connections:
- Connect one port from each node to Switch A.
- Connect one port from each node to Switch B.
Creating a network (Ethernet) interface
To configure a LAG for the paired ports:
- In the InfiniBox Management Console, click the Settings icon on the left toolbar.
- Select the Network Interfaces tab, click the Create button, and select Port Group.
- Create a new InfiniBox Port Group that includes the ports connected to all the nodes.
Creating a network space
Create a network space for NAS. If you need to run both NAS and replication on the same port group, create a network space for each using the same port group.
- In the InfiniBox Management Console, click the Settings icon on the left toolbar.
- Select the Network Spaces tab, and click Create.
The Create Network Space window opens.
- Enter a network space name.
In the Service drop-down menu, select NAS.
In the MTU field, enter the size, in bytes, of the Ethernet transfer over the wire. The default value is 1500.
See the "NAS network space MTU best practice" section below.
- For each node, select its Ethernet interface from the drop-down menu.
If the desired interface was not created earlier from the Network Interfaces tab and is not in the drop-down menu, you can add a new one to the menu. See the Creating network (Ethernet) interfaces from the Create Network Space window section in this document.
- (Optional) To group the interfaces into a Virtual LAN, click the Create VLAN button.
- Click Next to proceed to the IP Configuration step.
- Enter the networking data.
Enter the first IP address in the network range.
For each one of the recommended number of IP addresses in the network space:
Enter an IP address or range (in the format 172.16.34.5-12) within the subnet range, and then click Add to verify the validity of the IP address.
For NAS and iSCSI services, it is recommended to enter 6 IP addresses.
For a replication service, it is recommended to enter 10 IP addresses. See InfiniBox Best Practices Guide for Setting Up the Replication Service.
The network space is displayed in the window.
Creating network (Ethernet) interfaces from the Create Network Space window
You can create Ethernet interfaces from the Network Interfaces tab, or from the Create Network Space window.
- In the Create Network Space window, click the Create new option from a node's Ethernet interface field's drop-down menu, or click the Create Interfaces button at the bottom of the window.
The Create Ethernet Interfaces tab opens.
- Either select an Ethernet interface or click Create Interfaces.
- You can rename the default interface name.
- Select two ports for NAS from the available Ethernet ports.
Ports that are already taken by other interfaces are grayed-out.
- Click Create.
The new interface is now selected in the Create Network Space window.
NAS network space MTU best practice
NAS performance highly depends on the actual application workload. As a rule of thumb, large file I/O operations benefit from decreasing the fragmentation of packets.
To decrease packet fragmentation, set your Ethernet network to use jumbo frames. For InfiniBox NAS, set the MTU to 9000, which can be done during the network space creation:
It is important to preserve consistent settings on the client, network, and file server to get the best performance.
NAS client performance
Each client typically connects to the InfiniBox export using a single IP address (as resolved using DNS load balancing). This enables communication to flow between a single IP address on the client and a single IP address on one of the InfiniBox nodes. Due to the underlying LACP interface behavior, a single NFS or SMB connection is limited to the bandwidth of a single physical Ethernet port, even when following the recommendation to place two physical Ethernet ports in the interface.
In NAS environments where there are thousands of clients, the full aggregate bandwidth of the NAS network space can be used by the clients.
DNS Round Robin is the best and simplest way to enable a balanced distribution of NFS mounts or SMB shares among the 6 IP addresses in the network space. Simply define multiple A records with the same hostname and different IP addresses in your DNS zone file:
With this setup, the name ibox has been assigned as the hostname. Each sequential name lookup results in the next IP being used, so client connections are distributed across the available ports and IP addresses.
Automounter can be used to balance NFS mounts between multiple IP addresses:
Manual IP balancing can also be used when there are a small number of clients.
NAS data protection
InfiniBox currently offers asynchronous replication capabilities for both block and NAS storage. For more information on replication, see InfiniBox Best Practices Guide for Setting Up the Replication Service.
We recommend utilizing the highly efficient InfiniBox snapshot capability for backup. We offer convenient integration with several key backup vendor environments for snapshot management. Check with your InfiniBox sales representative for more details.
NFSv3 best practices
Infinidat NFS and UNIX defaults
New InfiniBox NFS exports have default access permissions, defined by a system-level parameter
There are several system-level defaults that can be modified by Infinidat support:
|Setting||Parameter Name||Default Value|
Export permissions for newly created exports
Access permissions for newly created filesystems
The root folder on new filesystems are created with root:root ownership and permissions 0755/-rwxr-xr-x.
Modify the filesystem ownership and/or permissions on the client, with root access to the filesystem as needed.
Linux NFS client configuration options
Numerous articles describe NFS client performance tuning recommendations. For example, for Linux clients, refer to: http://nfs.sourceforge.net/nfs-howto/ar01s05.html
The recommended Linux mount options are:
InfiniBox releases 5.0 and above support NLM (Network Lock Manager).
Infinidat strongly recommends setting the mount options
hard so that hard NFS mounts are used with interrupts disabled.
When using soft a NFS mount, NFS timeouts and errors are propagated to applications, causing file access disruptions. This can cause application errors during unplanned situations (such as network failures) or planned operations (such as InfiniBox software upgrade).
VMware NFS client configuration
VMware offers less flexibility for NFS mount configuration. In particular, read/write block size cannot be tuned, and are fixed at 64KB.
VMware does not use NLM for file locking.
Follow the VMware standard recommendations for NFS datastores configuration:
Windows NFS client configuration
There are several NFS client implementations for Microsoft Windows operating systems. This document describes how to configure the native Microsoft NFS client to access InfiniBox NFS.
Installing Windows NFS client
The Microsoft NFS client installation procedure may differ slightly for different Windows versions. It is highly recommended to check Microsoft documentation for your specific version to ensure a proper setup.
To install Microsoft NFS client on Windows Server 2012 R2:
- Log in to your Windows Server and start the Server Manager.
- In the navigation pane, select Local Server.
- Open the Manage menu at the right top of the toolbar, and select Add Roles and Features.
- In the Installation Type dialog, select Role-based or feature-based installation.
- In the Features dialog, select the Client for NFS option.
- In the Confirmation dialog, click the Install button.
- It is important to define mapping of Unix User IDs/Group IDs to Windows users and groups. If Active Directory is deployed in your organization, it can be used for such mapping.
To configure the Microsoft NFS client to use Active Directory for UID-to-user-name mapping, run at the Windows command prompt:
Configuring Windows user account UID and GID
To configure UIDs and GIDs for a Windows user account in Active Directory:
- Launch Active Directory Users and Computers on your AD controller.
- In the View menu, make sure the Advanced Features option is enabled.
- In the Users section, right-click the user’s name, and open the Attribute Editor tab. Modify the uidNumber, uid, gidNumber, gid as needed.
Running the NFS filesystem mount command
The NFS filesystem must be mounted using the following arguments:
mtype=hard- the mount type is hard, as is customary for Linux client implementations
nolock- do not use NLM to lock files
To mount the NFS filesystem on your Windows machine, run at the Windows command prompt:
mtype for Windows NFS client is soft. If the NFS mount is soft, errors will be propagated to applications whenever NFS times out, causing file access disruptions. This can cause application errors during unplanned situations (such as network failures) or planned operations (such as InfiniBox software upgrade).
To ensure a hard NFS mount, Infinidat strongly recommends using the mount option
mtype=hard whenever mounting an NFS export in Windows.
The snapshot pseudo-directory enables NFS clients to access the contents of filesystem snapshots. The snapshot directory allows end-users to recover deleted or modified files autonomously without the intervention of the administrator. Using the snapshot directory, the end-user can run a backup from a static view of the filesystem, without mounting the snapshot.
This feature supports customers migrating from existing NAS solutions by allowing the admin to determine the way the snapshot directory is named.
Visibility and contents of the snapshot directory
- The snapshot directory appears and is accessible as a regular folder.
- Its name is configurable during the filesystem creation. The default name is .snapshot
- After an upgrade, if there was a folder named .snapshot, the existing folder will not be accessible.
- Only RO snapshots that were never writable can be visible and accessed in the snapshot directory.
- Visibility of the snapshot directory:
- The visibility of snapshot directory is configurable per export.
- A snapshot directory that is not visible is still accessible by providing the specific path.
- Snapshots of snapshots are not accessible from the snapshot directory. They are accessible if mounted to the first-level snapshots.
- The snapshot directory is accessible from any folder.
- Replication snapshot are not visible on the snapshot directory.
For more information, see Overview of snapshot directory.
Backup to external media via NFS mount
For backup to external media we recommend mounting relevant filesystems directly on the backup media server and performing backup via NFS mount.
SMB best practices
SMB quick setup guide
Make sure a NAS network space has been defined on the InfiniBox system. SMB clients will use this network space to access the shares you define.
Changing the default local Administrator password
The default password for the local SMB Administrator user is
P@ssw0rd (note the zero). It is recommended to replace the default Administrator password with a new one.
SMB user passwords must comply with the standard password complexity rules in Windows environments. See https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756109(v=ws.10)
To change the Administrator password, run the following CLI command:
Joining the Active Directory domain
To specify which AD domain to join, include its FQDN and IP addresses of the domain controllers InfiniBox should use, in the following CLI command:
The InfiniBox system name and FQDN of should be different than those of the Active Directory.
Creating a filesystem that supports SMB
To create a filesystem that supports SMB shares, include the
security_style=WINDOWS parameter in the following CLI command:
The root folder on new filesystems (with WINDOWS security style) are owned by the local SMB Administrator user, and
- Allow members of the local SMB Administrator group and members of the Active Directory Domain Admins group full control of files in the share
- Allow everyone else read-only access to files in the share
Creating an SMB share
To create an SMB share on the filesystem root folder, run the following CLI command:
Connecting to SMB shares
Windows clients can access SMB shares by mapping them, either using Windows File Explorer or via Windows CLIs such as Command Prompt.
Mac users can access SMB shares through the Connect to Server feature.
In all cases, to gain access to the share, Windows clients must authenticate using either Kerberos authentication or NTLMv2 authentication.
Authenticating using Kerberos
Kerberos authentication is more secure than NTLMv2. It requires the following conditions:
- The InfiniBox system is joined to an Active Directory domain.
- The SMB client is a member of this domain (or a trusted domain).
- The user logged into the SMB client using an Active Directory domain account.
- The user uses FQDN to mount the SMB share, and the FQDN resolves to an IP address from the NAS network space.
If the above conditions are not all met, the Windows client must authenticate using NTLMv2.
Authenticating using NTLMv2
A local SMB user (defined in InfiniBox) and an Active Directory domain account (if the InfiniBox system was joined to an Active Directory domain) can both authenticate using NTLMv2.
With NTLMv2 authentication, Windows users must provide a valid user name and password.
The authenticating user need not be the same as the one logged into the Windows client.
When authenticating a local SMB user using NTLMv2, use one of the following formats:
system-nameis the name of the InfiniBox system as it appears in in the GUI, and in the
For example, to use the default Administrator user of InfiniBox system ibox2833, connect as
NAS-IP-addressis an IP address from the NAS network space.
For example, to use the default Administrator user while accessing through the IP address 192.168.1.1, connect as
The local SMB user name is case-sensitive.
When authenticating an Active Directory domain account, use one of the following formats:
domain-FQDNis the FQDN of the Active Directory domain.
domain-NetBIOS-nameis the NetBIOS (short) name of the Active Directory domain.
The Active Directory user name is not case-sensitive.
Connecting to a share using Windows Explorer
To connect to a share with Kerberos authentication, the UNC used must contain an FQDN that resolves to an IP address in the NAS network space. For example:
If Kerberos authentication is not possible, select the Connect using different credentials checkbox. The Windows client will use NTLMv2 authentication and the Enter network credentials dialog will appear.
Type in the user name, in the format stated above (see authentication with NTLMv2), and the user's password:
Connecting to a share using Windows Command Prompt
To connect to a share using Kerberos authentication, issue the
net use command without specifying a dedicated user. For example:
If Kerberos authentication is not possible, include the user name in the
net use command. For example:
The Command Prompt requests the user's password:
You can also specify the user's password on the command line. For example:
To disconnect from a share, run at the Windows command prompt:
Connecting to a share from a Mac
To connect to a share from a Mac using NTLMv2 authentication:
- Select Go > Connect to Server.
- Enter the drive and IP address of the share server, and click Connect.
- Enter your credentials , and click Connect.
- Click Connect.
To access historical content of files and folders, use the Windows File Explorer to access the file or folder's Properties window, and select the Previous Versions tab:
Refer to Microsoft documentation at https://support.microsoft.com/en-us/windows/recover-lost-or-deleted-files-7bf065bf-f1ea-0a78-c1cf-7dcf51cc8bfc.