Installation manual

Preparing for NFS Authentication
Adding an NFS Access List
CLI Storage-Management Guide 4-21
These permit and deny rules have a subtle configuration error. The intention was to
allow all clients from 192.168.0.0 except clients from 192.168.77.0 or 192.168.202.0.
For example, a client at IP 192.168.77.29 is supposed to be blocked by the first deny
rule, “deny 192.168.77.0 ...” However, that IP address matches the Class-B network
(192.168.0.0) in the earlier permit rule, and rules are applied in the order listed,
so the deny rules can never actually be reached.
To correct this configuration error, you must delete each rule that is out of order,
then add the rules back into the access list in the correct order. This re-ordering
method conforms to industry standards for configuring access lists.
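The ordering error described above can be detected mechanically. The following Python is an added example, not code from this guide or the product: it evaluates the subnet rules of the eastcoast listing on this page in list order and reports every rule that an earlier rule fully covers. Skipping netgroup rules and returning None when no rule matches are assumptions of the example.

```python
import ipaddress

# Subnet rules copied from the "eastcoast" listing on this page, in list order.
# Assumption: netgroup rules are left out, since they need NIS lookups and
# cannot be compared as address ranges.
EASTCOAST = """\
permit 172.16.100.0 255.255.255.0 read-write root squash
permit 172.16.204.0 255.255.255.0 read-only root allow
permit 172.16.0.0 255.255.0.0 read-write root squash
permit 192.168.0.0 255.255.0.0 read-write root squash
deny 192.168.77.0 255.255.255.0
deny 192.168.202.0 255.255.255.0
"""

def parse_rules(text):
    """Return [(action, network, original_line)] for the subnet rules in text."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("permit", "deny") or fields[1] == "netgroup":
            continue
        net = ipaddress.ip_network(f"{fields[1]}/{fields[2]}")
        rules.append((fields[0], net, line.strip()))
    return rules

def first_match(rules, client_ip):
    """Apply rules in list order; the first matching rule decides.
    Assumption: a client that matches no rule is reported as None."""
    ip = ipaddress.ip_address(client_ip)
    for action, net, _ in rules:
        if ip in net:
            return action
    return None

def shadowed(rules):
    """Return (unreachable_line, covering_line) for each rule whose whole
    subnet lies inside the subnet of a rule earlier in the list."""
    found = []
    for i, (_, net, line) in enumerate(rules):
        for _, earlier, earlier_line in rules[:i]:
            if net.subnet_of(earlier):
                found.append((line, earlier_line))
                break
    return found

if __name__ == "__main__":
    rules = parse_rules(EASTCOAST)
    print("192.168.77.29 ->", first_match(rules, "192.168.77.29"))
    for dead, cover in shadowed(rules):
        print(f"unreachable: {dead!r} (covered by {cover!r})")
```

A rule covered by an earlier rule with the same action is also reported; it is redundant rather than a hole, but still worth removing.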
The following command sequence shows an NFS access list with this
misconfiguration and then corrects it:
bstnA6k(gbl)# show nfs-access-list eastcoast
Access List Name: eastcoast
Description: allowable subnets in MA, NY, & DC
NIS Domain: wwmed.com
Anonymous UID: 100
Anonymous GID: 100
Number of References: 1
permit 172.16.100.0 255.255.255.0 read-write root squash
permit 172.16.204.0 255.255.255.0 read-only root allow
permit 172.16.0.0 255.255.0.0 read-write root squash
permit netgroup surgeons read-write root allow
permit netgroup medtechs read-only root squash
permit 192.168.0.0 255.255.0.0 read-write root squash
deny 192.168.77.0 255.255.255.0
deny 192.168.202.0 255.255.255.0
First, remove the permit rule and show that it is gone:
bstnA6k(gbl)# nfs-access-list eastcoast
bstnA6k(gbl-nfs-acl[eastcoast])# no permit 192.168.0.0 255.255.0.0
bstnA6k(gbl-nfs-acl[eastcoast])# show nfs-access-list eastcoast
...
permit netgroup surgeons read-write root allow
permit netgroup medtechs read-only root squash
deny 192.168.77.0 255.255.255.0