Skip to main content
NetApp Response to Russia-Ukraine Cyber Threat
In response to the recent rise in cyber threat due to the Russian-Ukraine crisis, NetApp is actively monitoring the global security intelligence and updating our cybersecurity measures. We follow U.S. Federal Government guidance and remain on high alert. Customers are encouraged to monitor the Cybersecurity and Infrastructure Security (CISA) website for new information as it develops and remain on high alert.
NetApp Knowledge Base

How are NFS export-policies evaluated in ONTAP 9?

Last Updated:

Applies to

  • ONTAP 9
  • NFS


  • An export-policy is evaluated when a client attempts to access the NFS namespace and no existing access rule has been cached
    • During mount, the root volume export-policy is evaluated before the volume or qtree policy
    • The volume policy will be evaluated for all access afterward unless it is a qtree, and qtree-exports are enabled
  • When the policy is evaluated
    • The process is iterative and stops on the first match
    • When an error occurs in processing a clientmatch, access will be determined by preceding rules only
    • Access Cache entries will be created when evaluation completes
    • NAS Layer caches will store further Name Service information for the following
      • hostname
      • domain name
      • netgroup
  • Rules may be ordered to alleviate changes in Name Service availability
    • Each of the following groups should be further ordered from most to least restrictive
      1. IP address
      2. subnet
      3. hostname
      4. domain name
      5. netgroup
    • The clientmatch field further supports comma-delimited lists of IPs or hostnames
      • Each change in access can be on one line
      • Allows efficient grouping and evaluation for clients with the same access

Additional Information


Scan to view the article on your device