Manual Pages


NAME

na_options - Displays or sets the node options.

SYNOPSIS

options

options option

options partial-option

options [ option value ] ...

DESCRIPTION

The options command is used to change configurable node software options. If no options are specified, then options prints the current value of all available options. If an option is specified with no value, then the current value of that option is printed. If only a part of an option is specified with no value, then the list of all options that start with the partial-option string is printed. This is similar to the UNIX grep command. The default value for most options is off, which means that the option is not set. Changing the value to on enables the option; for most options, the only valid values are on (which can also be expressed as yes, true, or 1) in any mixture of upper and lower case, and off (which can also be expressed as no, false, or 0) in any mixture of upper and lower case. The description of the option will indicate the default if it is not off, and will indicate what values are allowed if it isn't an on/off option. For options that take string values, use a double quote ("") as the option argument if you wish to set that option to be the null string. Normally, arguments are limited to 255 characters in total length.

The legal options are as follows:

acp.domain
This option stores the ACP (Alternate Control Path) domain value as an integer. Any time this is changed, ACP needs to be disabled and re-enabled using option acp.enabled, for the change to take effect. The default value is 43200, that is 192.168.0.0.

acp.enabled
Enables/disables ACP (Alternate Control Path). The default value is off; the value on enables ACP. This option gets set to on if setup is used to enable ACP.

acp.netmask
This option stores the ACP (Alternate Control Path) netmask value as an integer. Any time this is changed, ACP needs to be disabled and re-enabled using option acp.enabled, for the change to take effect. The default value is 16580607, that is 255.255.252.0.
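The integer form used by acp.domain and acp.netmask can be decoded as follows. This is an added example, not part of the original manual page or of any NetApp tool; the byte order (first octet in the least significant byte) is inferred from the two defaults quoted above, and the overlap check against other subnets is an added sanity check with constructed sample networks.

```python
import ipaddress


def acp_int_to_ipv4(value):
    """Decode an acp.domain / acp.netmask integer into dotted-quad form.

    Assumption: the first octet sits in the least significant byte, which is
    the only ordering consistent with 43200 -> 192.168.0.0 and
    16580607 -> 255.255.252.0 as stated on this page.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {value}")
    return str(ipaddress.IPv4Address(value.to_bytes(4, "little")))


def ipv4_to_acp_int(dotted):
    """Encode a dotted-quad address as the integer the options expect."""
    return int.from_bytes(ipaddress.IPv4Address(dotted).packed, "little")


def acp_subnet(domain, netmask):
    """Combine both option values into a network object.

    Raises ValueError for a non-contiguous netmask or for a domain value
    that has host bits set under that netmask.
    """
    mask = int(ipaddress.IPv4Address(acp_int_to_ipv4(netmask)))
    host_bits = mask ^ 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous netmask: {acp_int_to_ipv4(netmask)}")
    prefix = 32 - host_bits.bit_length()
    return ipaddress.IPv4Network((acp_int_to_ipv4(domain), prefix), strict=True)


def overlapping(acp_net, other_cidrs):
    """Return the CIDRs from other_cidrs that overlap the ACP subnet."""
    return [c for c in other_cidrs if acp_net.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    net = acp_subnet(43200, 16580607)          # defaults from this page
    print("ACP subnet:", net, "addresses:", net.num_addresses)
    # Constructed list of data/management subnets to compare against.
    print("overlaps:", overlapping(net, ["10.0.0.0/8", "192.168.2.0/24"]))
```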

acp.port
This option stores the ACP (Alternate Control Path) Ethernet port value, that is, the interface name. Any time this is changed, ACP needs to be disabled and re-enabled using option acp.enabled for the change to take effect. A storage controller with an e0P or locked-wrench Ethernet port has e0P as the default value. This option is also set to the value given while enabling or reconfiguring ACP.

auditlog.enable
Enables/disables the audit logging of commands executed at the console/telnet shell or by using rsh. The default is on. The data is logged to the file /etc/log/auditlog for a node or /logs/auditlog if the system is a NetCache. The auditlog file is allowed to grow to the size specified by the auditlog.max_file_size option. If the auditlog file reaches this size, and on every Saturday at 24:00, /etc/log/auditlog is moved to /etc/log/auditlog.0, /etc/log/auditlog.0 is moved to /etc/log/auditlog.1, and so on (similarly for /logs/auditlog if it is a NetCache). Assuming they do not get full, auditlog files are saved for a total of six weeks.

auditlog.max_file_size
This option controls the maximum size (in bytes) that the auditlog file is allowed to grow to (see above). The default value for this option is 10000000.

auditlog.readonly_api.enable
This option controls auditing of APIs based on their roles. If an API is used to retrieve information but not to modify the state of the system, then this API is not audited by default. The default value of this option is off, which causes read-only APIs not to be audited. To override the default value, set this option to true or on.

autologout.console.enable
Enables/disables the autologout of console connections. The default is on, which causes console connections to be disconnected after the console has been idle for the number of minutes specified by the autologout.console.timeout value. Any change to this option is effective after a command is entered.

autologout.console.timeout
The number of minutes the console is idle after which console connections are disconnected if autologout.console.enable is on. The default is 60 minutes. Any change to this option is effective after a command is entered.

autologout.telnet.enable
Enables/disables the autologout of telnet/interactive ssh connections. The default is on, which causes telnet/interactive ssh connections to be disconnected after the number of minutes specified by the autologout.telnet.timeout value. Any change to this option requires a logout before it takes effect.

autologout.telnet.timeout
The number of minutes after which telnet/interactive ssh connections are disconnected if autologout.telnet.enable is on. The default is 60 minutes. Any change to this option requires a logout before it takes effect.

autosupport.content
The type of content that the autosupport notification should contain. Allowable values are complete and minimal. The default value is complete. The minimal option allows the delivery of a "sanitized" and smaller version of the autosupport, at the cost of reduced support from NetApp Inc. Please contact NetApp Inc if you feel you need to use the minimal option. The complete option is the traditional (and default) form of autosupport. If this option is changed from complete to minimal then all previous and pending autosupport messages will be deleted under the assumption that complete messages should not be transmitted.

autosupport.doit
Triggers the autosupport daemon to send an autosupport notification immediately. A text word entered as the option is sent in the notification subject line and should be used to explain the reason for the notification.

autosupport.enable
Enables/disables the autosupport notification features (see na_autosupport(1)). The default is on to cause autosupport notifications to be sent. This option will override the autosupport.support.enable option.

autosupport.from
Defines the user to be designated as the sender of the notification. The default is postmaster@your.domain. Email replies from NetApp Inc will be sent to this address.

autosupport.local_collection
Use this parameter with the value false to disable local storage of AutoSupport files when sending of AutoSupport messages is disabled. The default setting is true, which causes the node to store AutoSupport files locally even if AutoSupport is disabled.

autosupport.mailhost
Defines the list of up to 5 mailhost names. Enter the host names as a comma-separated list with no spaces in between. The default is an empty list. Both IPv6 and IPv4 addresses are accepted.

autosupport.max_http_size
Use this parameter to specify the maximum file size (in bytes by default, but can also be specified in KB, MB, TB or PB) for HTTP and HTTPS transfers. Setting the value to 0 disables the delivery size budget.

If the size of the AutoSupport message exceeds this value, AutoSupport will deliver as much of the message as possible. You can use the "autosupport manifest show" command to identify the sections of the message that AutoSupport sent. AutoSupport collects and sends the content in order of priority. The priority is predefined for each AutoSupport message. To identify the collection order for an AutoSupport trigger, use the "autosupport trigger show" command with the -instance parameter.

autosupport.max_smtp_size
Use this parameter to specify the maximum file size (in bytes by default, but can also be specified in KB, MB, TB or PB) for SMTP (e-mail) transfers. Setting the value to 0 disables the delivery size budget.

If the size of the AutoSupport message exceeds this value, AutoSupport will deliver as much of the message as possible. You can use the "autosupport manifest show" command to identify the sections of the message that AutoSupport sent. AutoSupport collects and sends the content in order of priority. The priority is predefined for each AutoSupport message. To identify the collection order for an AutoSupport trigger, use the "autosupport trigger show" command with the -instance parameter.

autosupport.minimal.subject.id
Defines the type of string that is used in the identification portion of the subject line when autosupport.content is set to minimal. Allowable values are systemid and hostname. The default is systemid.

autosupport.nht_data.enable
Enables/disables the generation of the Health Trigger (NHT) data autosupport. The default is on.

autosupport.noteto
Defines the list of recipients for the autosupport short note email. Up to 5 mail addresses are allowed. Enter the addresses as a comma-separated list with no spaces in between. The default is an empty list to disable short note emails.

autosupport.ondemand.polling_interval
Defines the rate, in minutes, at which the node polls the AutoSupport OnDemand Server. Valid values range from 5 minutes to 2880 minutes (48 hours). The default is 60 minutes.

autosupport.ondemand.remotediag.state
Defines whether the AutoSupport OnDemand Remote Diagnostics feature is enabled or disabled on the node. The default is on.

autosupport.ondemand.server_url
Defines the AutoSupport OnDemand Server URL that the node communicates with.

autosupport.ondemand.state
Defines whether the AutoSupport OnDemand feature is enabled or disabled on the node. The default is on.

autosupport.partner.to
Defines the list of recipients for the autosupport email notification that will receive all messages that are or will be sent to the standard NetApp Inc autosupport email address. Up to 5 mail addresses are allowed. Enter the addresses as a comma-separated list with no spaces in between. To disable, clear this list. The default is an empty list.

autosupport.payload_format
Use this parameter to specify the file format of the message payload. Use "7z" to specify 7-Zip archive format. Use "tgz" to specify GNU zipped tar file. The default is "7z".

autosupport.performance_data.doit
Triggers the autosupport daemon to send a performance data autosupport notification immediately to NetApp Inc, as described by the autosupport.support.transport option. The given value for this option is ignored.

autosupport.performance_data.enable
Enables/disables hourly sampling of system performance data, and weekly creation of a performance data autosupport. The default is on.

autosupport.periodic.tx_window
Use this parameter to specify a randomized delay window for periodic AutoSupport messages. The transmission window prevents message floods from periodic AutoSupport triggers such as "callhome.weekly", "callhome.performance.data", "callhome.nht.data", and "callhome.management.log". Valid values range from 0 minutes to 240 minutes (4 hours). The default is 60 minutes (1 hour). Setting the value to 0 disables the randomized delay.

autosupport.retry.count
Number of times to try resending the mail before giving up and dropping the mail. Minimum is 5 and maximum is 4294967295. The default is 15.

autosupport.retry.interval
Time in minutes to delay before trying to send the autosupport again. Minimum is 30 seconds, maximum is 1 day. Values may end with `s', `m' or `h' to indicate seconds, minutes or hours respectively. If no units are specified, then input is assumed to be in seconds. The default value is 4m.

autosupport.support.enable
Enables/disables the autosupport notification to NetApp Inc. The default is on to cause autosupport notifications to be sent directly to NetApp Inc as described by the autosupport.support.transport option. This option is superseded (overridden) by the value of autosupport.enable.

autosupport.support.proxy
Allows the setting of an HTTP-based proxy if autosupport.support.transport is https or http. The default for this option is the empty string, implying that no proxy is necessary. The format for specifying the proxy is user:password@proxyhost:port. If the port is not specified, the default port used is 3128. Basic authentication is the default authentication method used for proxies. Both IPv6 and IPv4 addresses are accepted.

autosupport.support.put_url
This option is used to specify the support URL for HTTP PUT operations. The URL should be entered without an http:// or https:// prefix. If the Web server does not accept the PUT operation, the autosupport.support.url option is used for a POST operation.

autosupport.support.reminder
This option is used to enable or disable a reminder message that is sent when AutoSupport is not configured to send messages to technical support. The default is on.

autosupport.support.to
This option is read only; it shows where autosupport notifications to NetApp Inc are sent if autosupport.support.transport is smtp.

autosupport.support.transport
Allows setting the type of delivery desired for autosupport notifications that are destined for NetApp Inc. Allowed values are https, http (for direct Web-based posting) or smtp (for traditional email). The default value is https. Note that http and https may (depending on local network configuration) require that the autosupport.support.proxy option be set correctly. Also, smtp requires that autosupport.mailhost be configured correctly before autosupport delivery can be successful.

autosupport.support.url
This option is read only; it shows where autosupport notifications to NetApp Inc are sent if autosupport.support.transport is https or http.

autosupport.throttle
Enables autosupport throttling (see na_autosupport(1)). When too many autosupports are sent in too short a time, additional messages of the same type will be dropped. Valid values for this option are on or off. The default value for this option is on.

autosupport.to
Defines the list of recipients for the autosupport email notification. Up to 5 mail addresses are allowed. Enter the addresses as a comma-separated list with no spaces in between. The default is an empty list. Note that it is no longer necessary to use the standard NetApp Inc autosupport email address in this field to direct autosupport messages to NetApp Inc. Please use autosupport.support.enable instead.

autosupport.validate_digital_certificate
Use this parameter with the value true to force the node to validate digital certificates that it receives.

backup.log.enable
Backup logging captures important events during dump/restore and records them in /etc/log/backup on the root volume. The option allows users to enable or disable this feature. By default, the option is on.

cdpd.enable
When this option is set to ON, the Cisco Discovery Protocol v1 (CDPv1) Daemon is enabled on all physical network ports so that it starts sending and processing CDPv1 advertisements.

cdpd.interval
This option is used to set the interval in seconds at which CDPv1 packets are sent on each physical network port that is up. The storage controller sends CDPv1 advertisements only when cdpd.enable is set to ON.

cdpd.holdtime
This option is used to set the holdtime advertised by the storage controller in each CDPv1 packet. The holdtime is the time in seconds that the neighboring CDPv1 compliant device will cache the storage controller's advertisements.

cf.giveback.auto.after.panic.takeover
This option is used to enable or disable automatic giveback when the partner is ready after it was taken over due to panic. The default value is set to ON.

cf.giveback.auto.cancel.on_network_failure
This option is used to disable automatic giveback when the partner is ready after it was taken over due to network impairment. The default value is set to ON.

This option is only available for 7-mode.

cf.giveback.auto.cifs.terminate.minutes
This option specifies the number of minutes to delay an automatic giveback before terminating CIFS clients that have open files. During the delay, the system will periodically send notices to the affected workstations. If 0 (zero) minutes are specified, then CIFS clients will be terminated immediately.

cf.giveback.auto.delay.seconds
This option specifies a delay before performing automatic giveback. An automatic giveback is invoked when one node of a High Availability (HA) configuration is in takeover mode and the "down" node is repaired and reboots. Using this option splits the outage during takeover and giveback into two short outages instead of one longer outage. The default value is 600 seconds. The allowed range is to 600 seconds, inclusive. This option does not impact manual giveback.

cf.giveback.auto.enable
This option turns on/off automatic giveback. An automatic giveback is invoked when one node of a High Availability (HA) configuration is in takeover mode and the "down" node is repaired and reboots. The repaired node will boot into Data ONTAP and the node in takeover mode will detect this and initiate a giveback.

This feature is only available on flash booted systems.

cf.giveback.auto.override.vetoes
This option, when on, specifies that automatic giveback should immediately terminate long running operations (dump/restore, vol verify, and so on) and override all partner veto votes when initiating an automatic giveback. When this option is off, the automatic giveback will be deferred until the long running operations have completed and will take into account partner veto votes.

cf.giveback.check.partner
This option turns on/off checking for partner readiness before starting giveback. It is used on flash booted systems only.

When this option is on and the operator types "cf giveback", the node in takeover state checks, before starting giveback, that the partner has actually booted halfway up. If the partner is not ready yet, giveback won't start.

When this option is off and the operator types "cf giveback", giveback starts without checking the partner's status.

The default value is on, which reduces downtime caused by a giveback.

Two nodes in a High Availability (HA) configuration can have different settings for this option.

cf.hw_assist.enable
This option turns the hardware-assisted takeover functionality on or off.

When enabled, the hardware module notifies the partner of certain hardware failures such as power-loss, power-cycle, watchdog reset, and so on. This enables the partner to start the takeover immediately upon notification, rather than waiting for the configured detection period.

When the hw_assist option is disabled, or if the hardware failure notification doesn't reach the partner, the partner starts the takeover after waiting for cf.takeover.detection.seconds.

The default value is on. The node must have a Hardware module such as RLM (Remote-LAN-Manager) to enable the hardware-assisted takeover functionality.

cf.hw_assist.partner.address
The hardware failure notification is sent to this partner IP address. If a hostname is given, it is converted into an IP address.

cf.hw_assist.partner.port
The hardware failure notification is sent to this partner port.

cf.mode
This option is used to set the node to either HA mode or non-HA mode.

cf.remote_syncmirror.enable
This option, when set to on in 7-Mode, enables the MetroCluster functionality. By default, it is off. This option is not valid for Cluster-Mode.

cf.sfoaggr_maxtime
This option specifies the amount of time, in seconds, the source node has to wait for the destination node to complete the aggregate migration before declaring the migration as failed. The default setting is 120 seconds.

This option is only supported in cluster environments.

cf.takeover.bypass_optimization
When set to true, this option bypasses optimized operator-initiated planned takeover. Operator-initiated planned takeover is optimized by serially relocating SFO aggregates to the partner prior to takeover, thereby reducing client outage.

When this option is true, if the operator types "storage failover takeover", "storage failover takeover -option normal" or "storage failover takeover -option allow-version-mismatch", then the node will bypass the above mentioned takeover optimization.

When this option is false, if the operator types "storage failover takeover", "storage failover takeover -option normal" or "storage failover takeover -option allow-version-mismatch", then the node will perform the above mentioned takeover optimization.

The default value is false, which reduces client outage during operator-initiated planned takeovers. This option applies only on HA pairs in a cluster.

Two nodes in a High Availability (HA) configuration can have different settings for this option.

cf.takeover.change_fsid
By default (the default is on), Data ONTAP changes the file system IDs (FSIDs) of all partner volumes and aggregates if a disaster takeover occurs in a MetroCluster configuration. When the value is set to off, Data ONTAP does not change the FSIDs, enabling users to continue to access their volumes after a disaster takeover.

CAUTION: Although clients of the disaster node would have read access to partner volumes if the option was set to no, they might experience data loss when attempting to write to the volumes. Disable the change_fsid option with great care.

cf.takeover.detection.seconds
This option provides a knob to tune the timer used in takeover detection.

The timer is used by the High Availability software in monitoring the partner node's status. If the partner node has not responded for more than n seconds, where n is the value of this option, the local node decides to take over.

The two nodes do not need to have the same value for this option. This provides asymmetric takeover behavior in terms of aggressiveness.

The default value of this option is 15 seconds. The option can be set to any value between 10 and 180. In case sk.process.timeout.override has been manually set, it is strongly advised that this option is set to a value larger than or equal to sk.process.timeout.override+5.

cf.takeover.on_failure
This option allows automatic takeover to be disabled. By default, this option is set to on and a node will automatically take over its partner node if the latter fails. If set to off, automatic takeovers are disabled but the operator can still initiate manual takeovers.

This option is available only when cf is licensed and changing the value on one node automatically changes the value on the partner node.

cf.takeover.on_disk_shelf_miscompare
This option allows negotiated takeover to be enabled when the HA nodes detect a mismatch in disk shelf count. By default, this option is set to off.

This option is available only when cf is licensed and changing the value on one node automatically changes the value on the partner node.

Not valid for configurations supporting software-based disk ownership.

cf.takeover.on_network_interface_failure
This option allows negotiated takeover to be enabled when the HA nodes detect failures in network interfaces. Only those network interfaces that have explicitly enabled negotiated failover via the ifconfig command will be monitored. By default, this option is set to off.

This option is available only when cf is licensed and changing the value on one node automatically changes the value on the partner node.

Valid for 7-Mode network interfaces and not for Cluster-Mode network interfaces.

cf.takeover.on_network_interface_failure.policy
This option determines what policy to apply for triggering negotiated failover when network interfaces fail. There are two policies that are currently supported: all_nics, implying failover when all network interfaces participating in negotiated failover fail, and any_nic, implying failover when any one of the network interfaces participating in negotiated failover fails. By default, this option is set to all_nics.

This option is available only when cf is licensed.

Valid for 7-Mode network interfaces and not for Cluster-Mode network interfaces.

cf.takeover.on_panic
This option turns on/off the takeover on panic feature. It's available only when cf is licensed. Changing the value on one node automatically changes the value on the partner node.

Users should use caution when manually changing the option value.

cf.takeover.on_reboot
This option determines if a takeover will be initiated when the partner node reboots. If a takeover is done because of the partner node rebooting, then an automatic giveback will be done, regardless of the setting of the cf.giveback.auto.enable option. By default, this option is set to on. Changing the value on one node automatically changes the value on the partner node.

cf.takeover.on_short_uptime
This option determines whether a cf failover will happen if a node fails within sixty seconds of booting up. By default, this option is set to on.

This option is available only when cf is licensed and changing the value on one node automatically changes the value on the partner node.

cf.takeover.use_mcrc_file
This option directs takeover to read and execute configuration from the partner's /etc/mcrc file instead of the default /etc/rc file.

This option is applicable only to 7-Mode MetroCluster environment.

cifs.ipv6.enable
This option controls CIFS IPv6 support. For this option to take effect, the networking stack should support IPv6 (option ip.v6.enable). When this option is enabled, the node starts accepting new CIFS sessions over IPv6. When this option is disabled, the node stops accepting any new CIFS sessions over IPv6; existing IPv6 sessions will remain active and will not be disconnected.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

Values: on, off

cifs.LMCompatibilityLevel
The value of this option controls which authentication tokens the node accepts from the client. It can take values from 1 to 5. For each value, the node accepts the security tokens described below.

1 - Accepts LM, NTLM, NTLMv2 session security, NTLMv2, Kerberos.

2 - Accepts NTLM, NTLMv2 session security, NTLMv2, Kerberos.

3 - Accepts NTLMv2 session security, NTLMv2, Kerberos.

4 - Accepts NTLMv2, Kerberos.

5 - Accepts Kerberos only.

Default: 1

Effective: Immediately

Persistence: Remains in effect across system reboots
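The access-control and logging options documented above (auditlog.enable, the autologout options, the autosupport transport, proxy and certificate options, and cifs.LMCompatibilityLevel) can be reviewed together from a saved copy of the options output. This is an added example, not part of the original manual page or of any NetApp tool; the output layout (name, whitespace, value), the sample dump, and the baseline itself (https transport, certificate validation on, minimum LM compatibility level 4) are assumptions.

```python
import re

# Accepted spellings of on/off values, as listed in the DESCRIPTION section.
TRUE_WORDS = {"on", "yes", "true", "1"}
FALSE_WORDS = {"off", "no", "false", "0"}

# Defaults stated on this page, used when an option is absent from the dump.
PAGE_DEFAULTS = {
    "auditlog.enable": "on",
    "autologout.console.enable": "on",
    "autologout.telnet.enable": "on",
    "autosupport.enable": "on",
    "autosupport.support.enable": "on",
    "autosupport.support.transport": "https",
    "cifs.LMCompatibilityLevel": "1",
}

# Tokens accepted at each cifs.LMCompatibilityLevel value, from this page.
LM_LEVELS = {
    1: ["LM", "NTLM", "NTLMv2 session security", "NTLMv2", "Kerberos"],
    2: ["NTLM", "NTLMv2 session security", "NTLMv2", "Kerberos"],
    3: ["NTLMv2 session security", "NTLMv2", "Kerberos"],
    4: ["NTLMv2", "Kerberos"],
    5: ["Kerberos"],
}

# Constructed sample dump (assumed layout), not captured from a real node.
SAMPLE = """\
auditlog.enable                          off
autologout.console.enable                on
autologout.telnet.enable                 No
autosupport.enable                       on
autosupport.support.enable               on
autosupport.support.transport            http
autosupport.support.proxy                svcuser:Example-Pw@proxy.example.net:3128
autosupport.validate_digital_certificate false
cifs.LMCompatibilityLevel                1
"""


def parse_options(text):
    """Map option name -> value; the value is the second field on the line."""
    opts = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and re.fullmatch(r"[A-Za-z0-9_.-]+", fields[0]):
            opts[fields[0]] = fields[1] if len(fields) > 1 else ""
    return opts


def as_bool(value):
    """Return True/False for an on/off value in any letter case, else None."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    return False if word in FALSE_WORDS else None


def redact_proxy(value):
    """Hide the user:password part of a user:password@proxyhost:port value."""
    return re.sub(r"^.*@", "<redacted>@", value)


def audit(opts, min_lm_level=4):
    """Return (option, message) findings; min_lm_level is an assumed policy."""
    def get(name):
        return opts.get(name, PAGE_DEFAULTS.get(name, ""))

    findings = []
    for name in ("auditlog.enable", "autologout.console.enable",
                 "autologout.telnet.enable"):
        if as_bool(get(name)) is not True:
            findings.append((name, f"is {get(name)!r}; baseline expects on"))
    # The transport only matters while notifications to the vendor are on.
    if as_bool(get("autosupport.enable")) and as_bool(get("autosupport.support.enable")):
        transport = get("autosupport.support.transport").lower()
        if transport != "https":
            findings.append(("autosupport.support.transport",
                             f"is {transport!r}; baseline expects https"))
    proxy = get("autosupport.support.proxy").strip('"')
    if "@" in proxy:
        findings.append(("autosupport.support.proxy",
                         f"embeds proxy credentials: {redact_proxy(proxy)}"))
    name = "autosupport.validate_digital_certificate"
    if as_bool(get(name)) is not True:
        findings.append((name, f"is {get(name)!r}; baseline expects true"))
    level = get("cifs.LMCompatibilityLevel")
    if not level.isdigit() or int(level) not in LM_LEVELS:
        findings.append(("cifs.LMCompatibilityLevel",
                         f"is {level!r}; valid values are 1 to 5"))
    elif int(level) < min_lm_level:
        legacy = [t for t in LM_LEVELS[int(level)]
                  if t not in LM_LEVELS[min_lm_level]]
        findings.append(("cifs.LMCompatibilityLevel",
                         f"is {level}; still accepts {', '.join(legacy)}"))
    return findings


if __name__ == "__main__":
    for option, message in audit(parse_options(SAMPLE)):
        print(f"{option}: {message}")
```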

cifs.AD.retry_delay
The time, in seconds, to wait between attempts to discover Active Directory DC or AD-LDAP addresses.

Default: 15

Min/Max: 0 - 3600 seconds

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.audit.autosave.file.extension
Specifies the type of file extension that will be appended to the "saveas" file name when the autosave feature is enabled. It will append a timestamp or counter value to the saved EVT file. If a value for this option is not specified, a timestamp is used as the file extension; however the value "timestamp" is not displayed.

Default: "" (null)

Effective: Immediately

Values: timestamp, counter

Persistence: Remains in effect across system reboots

cifs.audit.autosave.file.limit
Specifies how many Microsoft Event Log (EVT) files are to be saved before they are rotated. Once the limit of files exists on the node, the oldest file is always overwritten. If the value of this option is 0, then the node will have no limit to how many files are automatically saved on the node. This option needs to have the autosave feature enabled.

Default: "" (null)

Effective: Immediately

Min/Max: 0 - 999 files

Persistence: Remains in effect across system reboots

cifs.audit.autosave.onsize.enable
When this option is on, the CIFS Audit Logging Facility (ALF) daemon will automatically save the cifsaudit.alf file to the corresponding EVT file based on the size of the cifsaudit.alf file. The option cifs.audit.autosave.onsize.threshold must be set to specify the actual threshold that triggers the auto save.

Default: off

Effective: Immediately

Values: on, off

Persistence: Remains in effect across system reboots

cifs.audit.autosave.onsize.threshold
This option specifies the size threshold which should trigger an auto save. The option cifs.audit.autosave.onsize.enable should be enabled for this option to be used. Note that if the suffix is a percentage, the value is interpreted as a percentage of the size of the cifsaudit.alf file, which can be specified by the cifs.audit.logsize option.

Default: 75%

Min/Max: 1 - 100% percent

Min/Max: 512k - 64g in kilobytes (k), megabytes (m) or gigabytes (g)

Effective: If the threshold is specified as a percentage of the size of cifsaudit.alf file, then threshold value takes effect only when the absolute threshold value is more than 512k. If absolute threshold value is less than 512k, default value of 512k is used.

Persistence: Remains in effect across system reboots
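The interaction between a percentage threshold, the 512k floor and cifs.audit.logsize can be worked through as follows. This is an added example, not part of the original manual page or of any NetApp tool; it uses the ranges and defaults given in the cifs.audit.autosave.onsize.threshold and cifs.audit.logsize entries, takes k, m and g as powers of 1024 (which matches the byte limits listed for cifs.audit.logsize), and assumes a suffix is always present.

```python
import re

KIB = 1024
SUFFIX = {"k": KIB, "m": KIB ** 2, "g": KIB ** 3}
MIN_ABS, MAX_ABS = 512 * KIB, 64 * KIB ** 3          # 512k - 64g
LOGSIZE_MIN, LOGSIZE_MAX = 524288, 68719476736       # cifs.audit.logsize range


def effective_threshold(threshold="75%", logsize=1048576):
    """Return (size_in_bytes, floored) for an onsize threshold setting.

    floored is True when a percentage resolved to less than 512k and the
    512k value is used instead, as the entry above describes.
    """
    if not LOGSIZE_MIN <= logsize <= LOGSIZE_MAX:
        raise ValueError(f"cifs.audit.logsize out of range: {logsize}")
    match = re.fullmatch(r"(\d+)\s*([%kmg])", threshold.strip().lower())
    if not match:
        raise ValueError(f"expected a number with %, k, m or g: {threshold!r}")
    number, unit = int(match.group(1)), match.group(2)
    if unit == "%":
        if not 1 <= number <= 100:
            raise ValueError(f"percentage out of range: {number}")
        size = logsize * number // 100
        if size < MIN_ABS:
            return MIN_ABS, True
        return size, False
    size = number * SUFFIX[unit]
    if not MIN_ABS <= size <= MAX_ABS:
        raise ValueError(f"absolute threshold out of range: {threshold!r}")
    return size, False


def headroom(threshold="75%", logsize=1048576):
    """Bytes between the autosave trigger point and the configured log size.

    Zero means the trigger point equals the full log size; a negative value
    means the absolute threshold is larger than cifs.audit.logsize.
    """
    size, _ = effective_threshold(threshold, logsize)
    return logsize - size


if __name__ == "__main__":
    # Constructed combinations: page defaults, then the minimum log size.
    for thr, size in (("75%", 1048576), ("75%", 524288), ("600k", 1048576)):
        print(thr, size, effective_threshold(thr, size), headroom(thr, size))
```

With the minimum log size of 524288 bytes, every percentage threshold resolves to the 512k floor, so the trigger point coincides with the full log size.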

cifs.audit.autosave.ontime.enable
When this option is on, the CIFS Audit Logging Facility (ALF) daemon will automatically save the cifsaudit.alf file to the corresponding EVT file based on an internal timer. The option cifs.audit.autosave.ontime.interval must be set to specify the timer interval that triggers the auto save.

Default: off

Effective: Immediately

Values: on, off

Persistence: Remains in effect across system reboots

cifs.audit.autosave.ontime.interval
This option specifies the time interval which should trigger an auto save. The option cifs.audit.autosave.ontime.enable should be enabled for this option to be used.

Default: 1d

Min/Max: 1 - 60m minutes

Min/Max: 1 - 24h hours

Min/Max: 1 - 7d days

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.audit.enable
When this option is on, CIFS audit events may be generated during file access and/or during logon and logoff. For file access events to be generated, the option cifs.audit.file_access_events.enable must also be on. For logon and logoff events to be generated, the option cifs.audit.logon_events.enable must also be on.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.audit.file_access_events.enable
When both this option and the cifs.audit.enable option are on, file access events will be audited when a file is accessed by an account for an operation and the file has a System Access Control List (SACL) entry that matches the access. If no SACL entry matches the access, then no event will be generated.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.audit.liveview.enable
When both this option and the cifs.audit.enable option are on, the audit events can be viewed from a CIFS client by connecting to the node using the Event Viewer application. The events might not show up in Event Viewer as they are generated but they show up after some delay, depending on the audit settings.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.audit.liveview.allowed_users
This option specifies the user or group of users who will be allowed access to audit records using the LiveView feature. The user or group can be either local or domain-based. Irrespective of this option value, local administrators always have permission to access audit records using the LiveView feature.

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.audit.logon_events.enable
When both this option and the cifs.audit.enable option are on, logon and logoff events will be generated. Logon and logoff events reflect CIFS session connects and disconnects, respectively.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.audit.account_mgmt_events.enable
When both this option and the cifs.audit.enable option are on, account management events will be generated. Account management events reflect the creation, deletion and modification of local users and groups on the node.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.audit.logsize
Specifies the maximum event log file size in bytes.

Default: 1048576

Min/Max: 524288 - 68719476736 bytes

Effective: If the specified log size is smaller than the current log size, changes will be effective after clearing the log with the `cifs audit clear' command. Otherwise, changes are immediate.

Persistence: Remains in effect across system reboots

cifs.audit.nfs.enable
Enables auditing of NFS file access events. When enabled, auditable events are recorded in the log file. Auditable events are specified by the Windows SACLs set either on the file itself, or on the file specified in the value of cifs.audit.nfs.filter.filename, or on the Storage-Level Access Guard associated with the volume or qtree.

cifs.audit.nfs.filter.filename
Points to the filter file used to identify which NFS file access events get included in the CIFS log by default. SACL set on this file, along with the SACLs set on the file being accessed or the Storage-Level Access Guard associated with the volume or qtree, is used to determine which NFS file access events get logged. SACL set on this file would affect all NFS file access requests irrespective of underlying qtree security style. There is no default value for this option; therefore it must be set before the option cifs.audit.nfs.enable can be enabled. This option does not have to be set if the option cifs.audit.nfs.enable will not be enabled.

cifs.audit.saveas
Specifies the active event log file. The file must be in an existing directory in a network share.

Default: /etc/log/adtlog.evt

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.bypass_traverse_checking
When turned on, directories in the path to a file are not required to have the `X' (traverse) permission. This option does not apply to UNIX qtrees.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.client.dup-detection
Windows servers attempt to detect duplicate sessions in order to terminate any sessions that did not terminate when a client system rebooted. Early versions of Windows servers compare client NetBIOS names to determine duplication, while newer ones use the client IP addresses.

This option determines how the appliance performs duplicate session detection. With this option set to ip-address (the default), the appliance compares client IP addresses. With this option set to name the appliance compares client NetBIOS names. With this option set to off the appliance does not perform duplicate session detection.

Default: ip-address

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.comment
Defines the CIFS server description. CIFS clients see the CIFS server description when browsing servers on the network.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.enable_share_browsing
When this option is turned off, requests from clients to enumerate the list of shares on the CIFS server will result in an empty list.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.gpo.enable
When this option is turned on, the node will attempt to communicate with the Active Directory server that the node is installed into in order to enforce defined group policies that apply to the node.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.gpo.trace.enable
When this option is turned on, messages that are useful for debugging the application of group policies on the node will be printed to the system console.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.guest_account
Enables a user to get access to the node provided that either the node uses a Domain Controller for authentication and the user is not in a trusted domain, or the node uses the /etc/passwd file or the NIS password database for authentication and the user has no entry in the /etc/passwd file or the NIS password database. If this option is set to the name of an account in the password database, a user logging into the node will be assigned to the guest account if their name is not listed in the password database (when using /etc/passwd or NIS) or if the user is not from a trusted domain (when using a domain controller). The configured user name will be used for the UNIX user ID, group ID, and group set of the specified account. If the option is set to "" (null), guest access is disabled.

Default: "" (null)

Effective: Upon CIFS client reconnection

Persistence: Remains in effect across system reboots

cifs.home_dir_namestyle
Specifies how the name portion of the path to a user's home directory is determined. If no argument is supplied, the current value of this option is displayed. Valid values for this option are: a null string, ntname, hidden, mapped, or domain. All user home directory paths begin with one of the CIFS home directory paths, followed by a slash and the user's name. If this option is set to ntname then a user's Windows login name is used and only downward symlinks (in the directory hierarchy) are followed. If this option is set to hidden then a user's Windows login name is used. However, the user must append a dollar sign to their user name when connecting to the node; and the node will append a dollar sign to the user's name when enumerating the homedir share name. If the value of this option is mapped then the user's UNIX name is used. The UNIX name is obtained by mapping the user's Windows login name using the file /etc/usermap.cfg. If this option is set to domain then the user's name includes both the user's domain and Windows login name separated by a slash. If the option is set to "" (null), this acts like ntname with the exception that symlinks are followed in any direction.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.homedirs_public_for_admin
Specifies whether members of the node's Builtin\Administrators group can connect to the CIFS home directories of other users. If no argument is supplied, the current value of this option is displayed. If this option is set to on then an administrator can connect to the CIFS home directory of user username by specifying the share ~username (tilde username). This can be useful when setting a user profile to map the user's CIFS home directory on the node. Windows 2000 Active Directory does not allow a system administrator to set a user's profile to a non-existent share, and normally a user's CIFS home directory can only be accessed by that user and not by the administrator.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.home_dir.generic_share_access_warn
Controls the generation of an EMS message when clients attempt to access any of the generic homedir shares ("~", "cifs.homedir" or "~cifs.homedir"). Note that even if this option is set to "off", an EMS message will be generated when Data ONTAP detects an actual attempt to perform an unsafe access.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.home_dir.generic_share_access_level
Controls access to the generic homedir shares named "~", "cifs.homedir" or "~cifs.homedir".

If this option is set to 0, all access using a generic home directory share name is denied. Using a value of 0 prevents any possibility of a client with multiple connections, for example a Windows Terminal Server or Citrix, from granting incorrect access to other users of the same generic homedir share who may have files or directories named the same.

When this option is set to 1, access using generic home directory share name is always allowed. Set this option to 1, if you are sure there is no possibility of more than one user on the same client accessing the generic home directory share at the same time.

Setting this option to 2 allows restricted use of the generic home directory share name. Data ONTAP tries to detect conflicting access patterns and reject them. If the clients are SMB 2.1 aware, they are protected from compatibility issues by allowing only one user from a client to access using a particular generic home directory share name. All further attempts to access the same share name from same client by different users are rejected. If the clients are not SMB 2.1 aware, Data ONTAP tries to minimize the compatibility issues by disabling opportunistic locks (aka oplocks) on the files under the generic home directory share. Lack of opportunistic locks can result in performance degradation.

The value 3 for this option behaves similarly to value 2 for SMB 2.1 aware clients, but rejects access from clients that are not SMB 2.1 aware. This setting avoids all compatibility issues and provides restricted access to the generic home directory share.

Default: 3

Values: 0, 1, 2, 3

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.idle_timeout
Specifies the amount of idle time (in seconds) before the node disconnects a session. If "-1" is specified idle sessions are never disconnected. An idle session is a session in which a user does not have any files opened on the node.

Default: 900

Min/Max: -1 - 4000000 seconds

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.max_mpx
This option controls how many simultaneous operations the node reports that it can process. An "operation" is each I/O the client believes is pending on the node including outstanding change notify operations. Clients such as Windows Terminal Server or IIS may require that this number be increased to avoid errors and performance delays.

CAUTION - The approved values for this parameter are 50, 126, 253, and 1124. The most accurate way to determine which number to use is to measure the Redirector-Current Commands statistic on the client with NT perfmon and to increase the number until Current Commands does not hit the negotiated limit. For more information see Microsoft Knowledge Base articles Q191370 and Q232890.

CAUTION - This number should only be changed while cifs is terminated.

CAUTION - Only use the approved values to avoid Q232890.

CAUTION - This value affects allocations in the clients. So do not increase the value unless required.

Default: 253

Values: 50, 126, 253, 1124

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.ms_snapshot_mode
Specifies the mode for snapshot access from a Microsoft Shadow Copy client. Valid values for this option are off, pre-xp and xp. off disables snapshot access from all Windows Shadow Copy clients. xp allows access to snapshots from Windows XP and later Shadow Copy clients only. pre-xp, in addition, allows access to snapshots from Windows 2000 Shadow Copy clients. Note that the downlevel pre-xp mode should only be used if Windows 2000 snapshot access is required as it may introduce a very slight performance hit when there is a heavy load on the node and very long pathnames are in use.

Default: xp

Values: off, xp, pre-xp

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.netbios_aliases
Provides a comma-separated list of alternative names for the node. A user can connect to the node using any of the listed names.

This command is deprecated.

System administrators are encouraged to write CIFS NetBIOS aliases to the file /etc/cifs_nbalias.cfg (one alias per line). Use the "cifs nbalias load" command to cause the node to process the /etc/cifs_nbalias.cfg file. For more information, see the CIFS chapter in the System Administrator's Guide.

cifs.netbios_over_tcp.enable
This option enables the use of NetBIOS over TCP, which is the standard protocol used for CIFS prior to Windows 2000. In certain Windows 2000 networks it is desirable to disable that protocol. This option corresponds to the "Enable NetBIOS over TCP" setting in the Windows 2000 Advanced TCP/IP settings tab. If it is set to off, all clients must be Windows 2000 (or above), and only Windows 2000 (or above) domain controllers and virus scanners can be used.

cifs.netbios_over_tcp.enable takes effect when cifs starts. It should not be changed while cifs is running.

Default: on

Effective: Upon CIFS client reconnection

Persistence: Remains in effect across system reboots

cifs.nfs_root_ignore_acl
When on, ACLs will not affect root access from NFS.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.oplocks.enable
When cifs.oplocks.enable is on, the storage system allows clients to use oplocks (opportunistic locks) on files. When set to on, this option also enables lease oplocks. Oplocks are a significant performance enhancement, but have the potential to cause lost cached data on some networks with impaired reliability or latency, particularly wide-area networks. In general, this option should be disabled only to isolate problems.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.oplocks.opendelta
This option defines the length of artificial delay before sending an opportunistic lock break request to a client that has recently sent the storage system an open request. This is done to work around a bug in Microsoft Windows clients that can cause the client to ignore an oplock break request if it is received at a certain time.

For example, when opendelta is 8, the storage system will make sure that at least 8 milliseconds have elapsed after receiving or responding to an open-file request before it sends an oplock break on that session.

CAUTION - This option should not be set higher than 35 milliseconds without consulting NetApp Global Services.

Default: 0

Min/Max: 0 - 1000 milliseconds

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.per_client_stats.enable
Turning this option on causes the storage system to start gathering statistics on a per-client basis. This allows use of the cifs top command, as well as the -u and -h options of cifs stat. Administrators should be aware that there is overhead associated with collecting the per-client stats. This overhead may noticeably affect storage system performance. If the option is turned off, any existing per-client statistics are discarded.

Default: off

Effective: Upon CIFS client reconnection

Persistence: Remains in effect across system reboots

cifs.perfmon.allowed_users
The value for this option determines the user or the group which has access to performance data via Perfmon. The option takes as input either a user or a group name. The user or group can be either local or domain-based. By default the option is not set which allows access only to Administrators. Irrespective of the value of this option Administrators will always have access. To allow all users to access performance data, this option can be set to "Everyone".

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.perm_check_ro_del_ok
NT delete rules do not allow you to delete a file or directory with the DOS read-only bit set. However, a number of multi-protocol applications require UNIX delete semantics (w-x perms in parent dir without regard to the permissions of the file or directory). This option controls this behavior. By default it is off, which yields NT behavior.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.perm_check_use_gid
This option affects security checking for Windows clients of files with UNIX security where the requester is not the file owner. In all cases, Windows client requests are checked against the share-level ACL; then if the requester is the owner, the "user" perms are used to determine the access.

If the requester is not the owner and if perm_check_use_gid is on, it means files with UNIX security are checked using normal UNIX rules. That is, if the requester is a member of the file's owning group, the "group" perms are used; otherwise the "other" perms are used.

If the requester is not the owner and if perm_check_use_gid is off, files with UNIX security style are checked in a way which works better when controlling access via share-level ACLs. In that case the requester's desired access is checked against the file's "group" permissions, and the "other" permissions are ignored. In effect, the "group" perms are used as if the Windows client were always a member of the file's owning group, and the "other" perms are never used.

If you do not plan to use share-level ACLs to control access to UNIX security style files (for example in a UNIX qtree), you should leave this setting on.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots
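The decision described for cifs.perm_check_use_gid, modelled as an added example (not part of the original manual page and not Data ONTAP code). It assumes the share-level ACL check has already passed and uses constructed UIDs, GIDs and file modes; the function names are hypothetical.

```python
# Model of the UNIX-security permission class chosen for a Windows client,
# following the cifs.perm_check_use_gid description above.
# Assumption: the share-level ACL check has already allowed the request.

READ, WRITE, EXECUTE = 4, 2, 1
PERM_SHIFT = {"user": 6, "group": 3, "other": 0}


def permission_class(req_uid, req_gids, file_uid, file_gid, perm_check_use_gid):
    """Return which mode bits ("user", "group" or "other") are consulted."""
    if req_uid == file_uid:
        return "user"                      # owner: same in both settings
    if perm_check_use_gid:
        # Normal UNIX rules: group bits for members, other bits otherwise.
        return "group" if file_gid in req_gids else "other"
    # Option off: group bits are used as if the client were always a member
    # of the owning group; the other bits are never used.
    return "group"


def access_allowed(mode, desired, req_uid, req_gids, file_uid, file_gid,
                   perm_check_use_gid):
    """True if every bit in `desired` is granted by the consulted class."""
    cls = permission_class(req_uid, req_gids, file_uid, file_gid,
                           perm_check_use_gid)
    granted = (mode >> PERM_SHIFT[cls]) & 0o7
    return (desired & granted) == desired


def compare(mode, desired, req_uid, req_gids, file_uid, file_gid):
    """Evaluate the same request with the option on and off."""
    return {
        setting: access_allowed(mode, desired, req_uid, req_gids,
                                file_uid, file_gid, setting == "on")
        for setting in ("on", "off")
    }


if __name__ == "__main__":
    # Constructed case: file owned by uid 100 / gid 200, requester is
    # uid 300 and is NOT a member of gid 200.
    for mode in (0o640, 0o604):
        print(oct(mode), compare(mode, READ, 300, {400}, 100, 200))
```

With the option off, a non-member gains whatever the group bits grant (mode 640) and loses whatever only the other bits grant (mode 604), which is why the page advises leaving it on unless share-level ACLs control access.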

cifs.preserve_unix_security
This option preserves UNIX permissions as files are edited and saved by Windows applications that read the security properties of the file, create a new temporary file, apply those properties to the temporary file, and then give the temporary file the original file name. When this option is enabled, Windows clients that perform a security query receive a constructed ACL that exactly represents the UNIX permissions. This same ACL can then be assigned to the temporary file to restore the exact same UNIX permissions that were present in the original file. The constructed ACL is only used to preserve the file's UNIX permissions, as the file is updated and saved by Windows applications; no NTFS ACLs are set using the constructed ACL. This option only affects NFS files in UNIX or mixed-mode qtrees.

Enabling this option also allows you to manipulate a file's UNIX permissions using the Security tab on a Windows client, or using any application that can query and set Windows ACLs. When enabled, this option causes UNIX qtrees to appear as NTFS volumes.

Default: off

Values: on, off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.restrict_anonymous
Controls the access restrictions of non-authenticated sessions. Permitted values for this option are 0, 1 and 2. 0 sets no special access restrictions, 1 disallows enumeration of users and shares, and 2 fully restricts access. This option corresponds to the RestrictAnonymous registry entry in Windows. Note that these restrictions do not apply to mapped Null users.

Default: 0

Values: 0, 1, 2

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.restrict_anonymous.enable
Deprecated option, use cifs.restrict_anonymous instead.

cifs.save_case
When this option is on, CIFS will preserve the case when files are created or renamed. If this option is turned off, all filenames will be forced to lower case. This can help with compatibility between certain 16-bit applications and UNIX tools.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.scopeid
NetBIOS scope IDs allow the system administrator to create small workgroups out of a network by partitioning the NetBIOS name space; only clients with the same NetBIOS scope ID as the storage system will be able to use the storage system as a CIFS server. The default scope ID is "" (null), but if the storage system is to run in a NetBIOS scope other than the default one, its scope ID must be set to the scope ID of that scope. The scope ID can be changed only when CIFS is not running.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.search_domains
Specifies a list of domains that trust each other to search for a mapped account. The argument for the option is a comma-separated list that is searched in order. If this option is set to "" (null), all domains are searched. You can use this option to control searches if you used an asterisk for a domain name in the /etc/usermap.cfg file.

Default: "" (null)

Effective: Upon CIFS client reconnection

Persistence: Remains in effect across system reboots

cifs.show_dotfiles
When this option is set to off, all file names with a period (.) as the first character will be hidden. The default value is on.

cifs.show_snapshot
When this option is off, the snapshot directory ~snapshot is no longer shown at the root of a share. This is a change in behavior from previous versions. Setting this to on will restore the old behavior. On Windows NT 4 or Windows 95 clients, the user can access snapshots by entering \\node_name\share\.snapshot (or ~snapshot or ~snapsht) in the Start->Run menu. Snapshots can also be accessed lower in the share by providing a path to a lower directory. Snapshots can be accessed through DOS on any system by changing to the ~snapsht directory.

NOTE: When this option is on, it can confuse programs like FastFind that do not know about snapshots.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.shutdown_msg_level
Normally a message is broadcast to all clients when CIFS is terminating. This option can be set to control this behavior. The value 0 results in never sending such broadcast messages. The value 1 results in sending broadcast messages only to sessions which have open files. The value 2 causes the messages to be sent to all open connections.

Default: 2

Values: 0, 1, 2

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.sidcache.enable
This option controls whether or not CIFS will cache SID-to-name translation information that it has received from the domain controllers.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.sidcache.lifetime
This option controls how long a SID-to-name cache entry is used before it becomes stale. The SID-to-name mapping functions in the storage system will query the appropriate domain controller to update a cached mapping when it is needed but has become stale.

Default: 1440

Min/Max: 20 - 10080 minutes

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.signing.enable
Signing is a security feature provided by the CIFS protocol that is designed to detect and prevent `man-in-the-middle' intrusion into CIFS communications. This is achieved by calculating a security signature value for every incoming and outgoing CIFS packet.

This feature introduces a performance penalty on both the client and the storage system when in use, and thus is disabled by default. In a trusted network where the performance impact of this feature might outweigh the benefits that it provides, it is recommended that this feature remain disabled.

Before enabling signing, terminate CIFS services. This ensures that existing CIFS connections are terminated. After restarting cifs, all new connections will use signing.

Default: off

Effective: Upon CIFS client reconnection

Persistence: Remains in effect across system reboots

cifs.smb2.enable
This option enables SMB 2.0 and SMB 2.1 support on the storage system. When this option is enabled, the storage system uses SMB 2.0 and SMB 2.1 with a Windows client if the client supports SMB 2.0 or SMB 2.1. When this option is disabled, the storage system will not accept any new SMB 2.0 or SMB 2.1 sessions; existing sessions are not terminated.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.smb2.signing.required
This option decides whether the storage system forces the CIFS sessions over SMB 2.0 or SMB 2.1 to be signed. Signing prevents the packets from being tampered with while being sent from the client to the server. When this option is off, either there is no signing, or the client can request for the session to be signed. If set to on, the session is signed.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots
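A configuration review of the access, signing and audit options described above, as an added example (not part of the original manual page). It assumes the captured `options cifs` output has one option per line as a name followed by whitespace and the value; the sample dump is constructed, and each note restates what this page documents for that setting.

```python
import re

# on/off synonyms accepted by the options command, in any letter case.
TRUE_WORDS = {"on", "yes", "true", "1"}
FALSE_WORDS = {"off", "no", "false", "0"}
NAME_RE = re.compile(r"^[A-Za-z][\w\-]*(\.[\w\-]+)+$")

# Sub-options the page documents as active only with cifs.audit.enable on.
AUDIT_DEPENDENTS = (
    "cifs.audit.account_mgmt_events.enable",
    "cifs.audit.liveview.enable",
    "cifs.audit.logon_events.enable",
)

# Constructed sample; the "name  value" layout is an assumption.
SAMPLE_OPTIONS_OUTPUT = """\
cifs.audit.enable              off
cifs.audit.logon_events.enable on
cifs.guest_account             pcuser
cifs.nfs_root_ignore_acl       off
cifs.perfmon.allowed_users     "Everyone"
cifs.restrict_anonymous        0
cifs.signing.enable            OFF
cifs.smb2.enable               on
cifs.smb2.signing.required     No
"""


def parse_options(text):
    """Parse an options dump into {name: value}; "" or blank means null."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or not NAME_RE.match(parts[0]):
            continue  # skip prompts, blank lines and other noise
        value = parts[1].strip() if len(parts) > 1 else ""
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts[parts[0]] = value
    return opts


def as_bool(value):
    """Map an on/off style value to True/False, or None if it is neither."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    return None


def audit(opts):
    """Return (option, value, note) for settings worth a reviewer's attention.

    Only options present in the dump are evaluated.
    """
    findings = []

    def flag(name, note):
        findings.append((name, opts[name], note))

    if opts.get("cifs.restrict_anonymous") == "0":
        flag("cifs.restrict_anonymous",
             "no special restrictions on non-authenticated sessions")
    if as_bool(opts.get("cifs.signing.enable", "")) is False:
        flag("cifs.signing.enable",
             "CIFS packets carry no security signature")
    if (as_bool(opts.get("cifs.smb2.enable", "")) is True
            and as_bool(opts.get("cifs.smb2.signing.required", "")) is False):
        flag("cifs.smb2.signing.required",
             "SMB 2.x sessions are signed only if the client requests it")
    if opts.get("cifs.guest_account", "") != "":
        flag("cifs.guest_account",
             "guest access enabled; unknown users map to this account")
    if opts.get("cifs.perfmon.allowed_users", "").lower() == "everyone":
        flag("cifs.perfmon.allowed_users",
             "all users can read performance data via Perfmon")
    if as_bool(opts.get("cifs.nfs_root_ignore_acl", "")) is True:
        flag("cifs.nfs_root_ignore_acl",
             "ACLs do not affect root access from NFS")
    if as_bool(opts.get("cifs.audit.enable", "")) is False:
        for name in AUDIT_DEPENDENTS:
            if as_bool(opts.get(name, "")) is True:
                flag(name, "on, but inert while cifs.audit.enable is off")
    return findings


if __name__ == "__main__":
    for name, value, note in audit(parse_options(SAMPLE_OPTIONS_OUTPUT)):
        print(f"{name} = {value!r}: {note}")
```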

cifs.smb2_1.branch_cache.enable
This option enables SMB 2.1 BranchCache support on the storage system. When this option is enabled, the storage system uses BranchCache with a Windows client to reduce Wide Area Network (WAN) utilization, if the BranchCache is configured on client. When this option is disabled, the storage system doesn't support BranchCache.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.smb2_1.branch_cache.hash_time_out
Sets the time (in seconds) for which an unused BranchCache hash for a file can be kept in memory of the storage system.

Default: 300s

Min/Max: 0 - 4000000 seconds

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.snapshot_file_folding.enable
This option controls whether or not CIFS will attempt to `fold' files on close with previous snapshot versions of themselves in order to minimize disk usage. Disk space is saved by sharing unchanged file blocks between the active version of the file, and the version of the file in the latest snapshot, if any. The storage system must compare block contents when folding a file, so there is a performance vs. space utilization tradeoff to consider with this option.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.symlinks.cycleguard
This option eliminates the possibility of traversing directories cyclically during the process of following symbolic links. With this option set to on, if the target of the symlink resolves to a directory that is directly above the symlink's parent directory, it is disallowed.

With this option set to off, many standard Windows applications (such as Find in Windows 95 / Windows NT 4.0) will not operate correctly when a symlink points to a parent directory. This is because they do not understand symbolic links and will repeatedly loop on them. Users should use caution when changing this option.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.symlinks.enable
When cifs.symlinks.enable is on, if the object being accessed by a CIFS client is a symbolic link (whether absolute or relative), the storage system follows the link with the proviso that the ultimate target turns out to reside within the originating share (thus ensuring that the client has access permission to the target).

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.trace_dc_connection
When cifs.trace_dc_connection is on, the storage system logs all domain controller address discovery and connection activities. This can be used to diagnose DC connection problems on the storage system.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.trace_login
When cifs.trace_login is on, the storage system logs all login-related activities. This can be used to diagnose access problems on the storage system.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.universal_nested_groups.enable
When cifs.universal_nested_groups.enable is off, the storage system does not include membership in nested groups or membership in universal groups from other domains in the forest. This option is pertinent to all NFS clients accessing a file or directory with Windows-style security and does not affect CIFS clients. This option will be deprecated in a future release when the storage system will always include the above memberships.

CAUTION - ALL group memberships are fetched from Active Directory only when (a) user and storage system are in the same domain tree (b) or else user's domain tree has a two-way transitive trust with the storage system's domain tree.

Default: on

Effective: Upon NFS client reconnection

Persistence: Remains in effect across system reboots

cifs.W2K_password_change
This option only affects storage systems installed in Windows 2000 domains. When on, this option causes the storage system to change its domain password once in every W2K_password_change_interval value duration. The duration is counted in weeks. The password change occurs randomly within the time period specified by option W2K_password_change_within, starting at 01:00 AM on Sunday mornings. For Windows 2000 domains with multiple DCs, a password change may inhibit CIFS connections for a short time while the new password is propagated among the DCs. This option has no effect on storage systems installed in pre-Windows 2000 domains.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.W2K_password_change_interval
This option only affects nodes installed in Windows 2000 domains. Changing this value has no effect if the cifs.W2K_password_change is set to "off". It is used to set the time duration (in weeks) after which the domain password change is triggered. The actual password change is attempted at approximately 01:00 AM on the Sunday morning following the day when the configured time duration expires. This option has no effect on nodes installed in pre-Windows 2000 domains.

Default: 4w

Min/Max: 1w - 8w in weeks

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.W2K_password_change_within
This option only affects nodes installed in Windows 2000 domains. Changing this value has no effect if cifs.W2K_password_change is set to "off". It is used to set the time duration (in hours) within which the domain password change attempts are made after the expiry of W2K_password_change_interval. In other words, the password change is attempted at a random time between 01:00 AM and W2K_password_change_within duration on the Sunday morning following the expiry of W2K_password_change_interval duration. This option has no effect on nodes installed in pre-Windows 2000 domains.

Default: 1h

Min/Max: 1h - 6h in hours

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.widelink.ttl
When a CIFS client accesses a "wide symbolic link" (widelink), the storage system returns both a path referral and a time-to-live value. The CIFS client can cache the widelink path referral for the time-to-live time period. This option allows the system administrator to set the value which the storage system returns for time-to-live.

Default: 10m

Min/Max: 0s - 10000m in seconds (s), minutes (m) or hours (h)

Effective: Immediately

Persistence: Remains in effect across system reboots

cifs.wins_servers
This option can display or set the list of WINS servers used by the CIFS service. To set the list, pass a comma-separated list of IPv4 addresses. To see the current list of WINS servers, leave the parameter blank. To clear the list, pass a "" (null) parameter.

Default: "" (null)

Values: Comma-separated list of IPv4 addresses

Effective: Immediately

Persistence: Remains in effect across system reboots

cksum_offload.gbeII
Specifies whether calculation of TCP and UDP checksums is offloaded to network interface cards. Offloading reduces CPU utilization. The value "on" enables offloading, and "off" disables it. The option affects Ethernet Controllers numbered II and higher. TCP checksums are offloaded for TCP packets over IPv4 as well as IPv6, when this option is enabled. Checksums are not offloaded for outbound UDP packets over IPv4 in most cases, regardless of the option setting. Checksums are not offloaded for all UDP packets over IPv6 even when this option is enabled.

On systems initially installed with 6.2 or later releases, the default is "on". Prior to 6.2 the default was "off", and a software upgrade does not change the value.

console.encoding
Specifies how non-ASCII character information is presented. The value can be:

nfs - NFS character set. You can use both NFS extended (> 0x7F) and SGML characters for input.

sgml - SGML character format. You can use both NFS extended (greater than 0x7F) and SGML characters for input.

utf8 - UTF-8 character sets. For input, any character greater than 0x7F is the beginning of a UTF-8 encoding.

The default is nfs.

coredump.dump.attempts
Controls how many attempts should be made to dump a core. Extra attempts are only made if the previous attempt failed due to a disk write error. Legal values range from 0 - 5. If 0 is chosen, no cores will be dumped.

The default is 2.

disk.asup_on_mp_loss
Controls whether or not an AutoSupport message is sent if the redundant path to a shelf is lost. The default value is on.

disk.auto_assign
Specifies if disks will be auto assigned on systems with software disk ownership. The default is on. When on, the default behavior is to automatically assign disks at the adapter (stack) level of granularity. If all assigned disks on an adapter (stack) have the same ownership assignment, and there are unowned disks present on that adapter (stack), automatic assignment will assign the unowned disks to match the ownership of the already assigned disks on that adapter (stack).

disk.auto_assign_shelf
Specifies whether disks should be auto assigned at the shelf level of granularity or not. This option is ignored if disk.auto_assign option is off. Otherwise, when disk.auto_assign and disk.auto_assign_shelf options are on, then if there are unowned disks on a shelf and all assigned disks on that shelf have the same ownership assignment, automatic assignment will assign the unowned disks to match the ownership of the already assigned disks on that shelf. The default value is off.

disk.maint_center.allowed_entries
Sets the number of times a disk is allowed to be put into maintenance center testing as a result of reaching a threshold. If a disk reaches another threshold and has already been through maintenance center testing the allowed number of times, the disk is failed. Administrator-initiated testing is not counted. The administrator can test disks any number of times. The default value is 1.

disk.maint_center.enable
Enables/disables maintenance center functionality. The default value is on.

disk.maint_center.max_disks
This option specifies the maximum number of disks that can be running maintenance center tests on a system at the same time. The default value is 84.

disk.maint_center.rec_allowed_entries
Sets the number of times a disk is allowed to be put into maintenance center testing as a result of recovery needed types of errors. If a disk encounters another recovery needed type of error and has already been through maintenance center testing the allowed number of times for recovery needed errors then the disk is failed. The default value is 5.

disk.maint_center.spares_check
This option specifies whether to check the number of available spares before putting a disk into the maintenance center as the result of reaching a threshold. If this option is on and there are fewer than two available spares when a disk reaches a threshold, the disk is not put into the maintenance center. If the option is off or there are at least two available spares, the disk is put into the maintenance center. This option has no effect on administrator-initiated testing of disks. The default value is on.

disk.target_port.cmd_queue_depth
Sets the maximum number of concurrent commands that can be dispatched to any target port on an external RAID array. This is useful on V-Series systems, which support large numbers of LUNs behind a single device ID. If too many commands are issued the overall performance of the external RAID array may be degraded. A value of 0 indicates that no limit is enforced on any target port.

dns.domainname
Sets the DNS domainname to the specified domainname.

dns.enable
Enables DNS client on the storage system. The DNS domain must be set and the /etc/resolv.conf file must exist prior to enabling DNS.

dns.cache.enable
Determines whether the DNS cache is used when looking up names. It is on by default. Turning it off will have the side effect of flushing the dns cache. This option has no effect if DNS is not enabled.

dns.update.enable
Enables or disables DDNS (Dynamic DNS). `on', `off', and `secure' are valid options. exchanged securely if the security protocol is appropriately configured. DNS must be enabled prior to enabling DDNS.

fcp.enable
Determines whether FCP service starts by default on a storage system.

flexcache.access
Restricts FlexCache access to the storage system. The default value is none. For valid values, see na_protocolaccess(8). Note: this is the only way to allow a volume to be cached by a FlexCache volume. The /etc/exports file cannot be used for this.

flexcache.deleg.high_water
A valid value for this option is a number between 0 and 100 and greater than the value of flexcache.deleg.low_water. This option sets the maximum percentage of locks that FlexCache will consume at the origin. Decreasing the number of delegations that are used by FlexCache will result in more requests to the origin to verify attributes and may have an impact on latency.

flexcache.deleg.low_water
A valid value for this option is a number between 0 and 100 and less than the value of flexcache.deleg.high_water. This option sets the minimum percentage of locks that FlexCache will retain at the origin. When the origin reaches the flexcache.deleg.high_water percentage then it will recall enough delegations to reach the flexcache.deleg.low_water percentage.

flexcache.enable
Enables FlexCache server on the storage system. Valid values for this option are on or off. If this option is set to off, no FlexCache volumes can be mapped to any of the volumes on this storage system. Existing FlexCache volumes that are currently mapped to this storage system are no longer serviced. If this option is set to on, FlexCache volumes can be mapped to volumes on this storage system. The default value for this option is off.

flexcache.per_client_stats
Enables FlexCache client statistics on an origin storage system. Valid values for this option are on or off. The default value for this option is on. With this set to on, the flexcache stats -S volume -c command will show statistics by client on an origin storage system.

flexscale.enable
Enables FlexScale on the storage system. Valid values for this option are on or off. If FlexScale hardware is present and licensed then this option will enable the FlexScale functionality in WAFL. If no hardware is present this option will enable FlexScale PCS (Predictive Cache Statistics). The default value for this option is off.

flexscale.normal_data_blocks
Controls whether normal user data blocks should be cached by FlexScale. Valid values for this option are on or off. If this option is set to off then only metadata blocks are cached, except for those volumes that have a FlexShare cache setting of keep. See na_priority(1) for details. The default value for this option is on.

flexscale.lopri_blocks
Controls whether low-priority user data blocks should be cached by FlexScale. Valid values for this option are on or off. This option is only used when flexscale.normal_data_blocks is set to on. If this option is set to on then low-priority user data blocks that are not normally stored by FlexScale will be cached. This may be useful for workloads that fit entirely within FlexScale and consist of write followed by read, or large sequential reads. The default value for this option is off.

flexscale.pcs_size
Controls the size of the cache emulated by FlexScale PCS. Valid values for this option are integers between 16 and 16383. This option is only used when PCS is enabled. The default value of this option is chosen automatically based on the amount of memory in the controller, and the upper limit is further restricted on controllers with smaller amounts of memory.

flexscale.pcs_high_res
Controls the sampling resolution of the FlexScale PCS engine. Valid values for this option are on or off. This option is only used when PCS is enabled. Measurement of workloads with very small hotspots may be improved by setting this value on. The default value for this option is off, which should generally be sufficient.

flexscale.readahead_blocks
This option caches readahead data that the system evicts from buffer cache. Readahead data is data that clients are likely to request.

flexscale.rewarm
Specifies whether a FlexScale cache module (Performance Acceleration Module family or Flash Cache family) should attempt to preserve data across reboots. Valid values for this option are on or off. This option only applies to cache hardware with persistent media. It does not apply to Predictive Cache Statistics (PCS). Enabling this option will marginally increase the duration of system boot and shutdown, but it will reduce or eliminate the time required for cache warming. The default value for this option is determined by cache hardware type. This option is automatically on if it is supported.

fpolicy.enable
When turned off, this disables all file policies on the storage system, overriding the settings for individual file policies. When turned on, the setting of a given file policy determines if that file policy is enabled or disabled.

fpolicy.i2p_ems_interval
Time interval in minutes between two successive fpolicy.fscreen.vol.i2p.off EMS messages.

This EMS occurs when an FPolicy server registers for a file policy with the inode to pathname translation, but a volume monitored by the policy has inode to pathname translation disabled.

Valid values for the interval range from 0 (disabled) to 1440. The default interval is 60 minutes.

fpolicy.multiple_pipes
When enabled, FPolicy engine can open up to 10 instances of the SMB request named pipe simultaneously to an FPolicy server. When disabled, only one instance of the SMB request pipe is opened to an FPolicy server at a time. The default value is on.

ftpd.enable
When enabled (on), this option allows FTP connections on port 21. When disabled (off), connection attempts on port 21 are refused.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.explicit.enable
When enabled (on), this option allows Explicit FTPS (FTP over SSL) connections on port 21. When disabled (off), FTP connections on port 21 are not allowed to enter secure mode.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.explicit.allow_secure_data_conn
When enabled (on), this option allows Explicit FTPS (FTP over SSL) connections to open data connections in secure mode. When disabled (off), Explicit FTPS connections are not allowed to open secure data connections by sending the PROT P command. However connections which already have PROT level set to P will continue to work as is.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.implicit.enable
When enabled (on), this option allows Implicit FTPS (FTP over SSL) connections on port 990. When disabled (off), FTPS connection attempts on port 990 are refused.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.ipv6.enable
When enabled (on), this option allows FTP connections over IPv6. When disabled (off), new connection attempts over IPv6 are refused; existing IPv6 sessions will remain active and will not be disconnected.

For this option to take effect, networking stack should support IPv6 (option ip.v6.enable).

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.3way.enable
Enables/disables third-party file transfers. When enabled (on), this option allows file transfers directly to and from a remote FTP server. When disabled, the IP address specified in the PORT command must match that of the FTP client. In passive mode, only TCP connections from the client will be allowed.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.anonymous.enable
Enables/disables anonymous user logins. An anonymous user will only be allowed to access the "anonymous" home directory and its subtrees. Anonymous users are not allowed access to external volumes. Named account users will not have this limitation unless the ftpd.dir.restriction option is enabled. Default anonymous users are "ftp" and "anonymous". To use anonymous FTP, in addition to turning on ftpd.anonymous.enable, the option ftpd.anonymous.homedir must point to an existing path.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.anonymous.home_dir
Sets the home directory for the anonymous user account.

Default: "" (null)

Effective: Upon FTP client reconnection

Persistence: Remains in effect across system reboots

ftpd.anonymous.name
Specifies the login name for the anonymous user account. Anonymous user can use the username as set by this option or "ftp". The user ftp is defined in /etc/passwd by default. If there is no mapping of the username specified by ftpd.anonymous.name to a UID, UID of the user "ftp" is used. The home directory entry in /etc/passwd file for ftp is overridden by option ftpd.anonymous.homedir.

Default: anonymous

Effective: Upon FTP client reconnection

Persistence: Remains in effect across system reboots

ftpd.auth_style
Sets the ftpd login authentication style. In mixed mode, usernames with "\" or "@" will authenticate via ntlm and those without will authenticate via unix. Setting ntlm or unix explicitly will force the respective authentication type regardless of the format of the username.

Default: mixed

Values: ntlm, unix, mixed

Effective: Upon FTP client reconnection

Persistence: Remains in effect across system reboots

ftpd.bypass_traverse_checking
When turned on, directories in the path to a file are not required to have the `X' (traverse) permission.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.dir.restriction
Sets user home directory restriction. The off (or none) setting indicates that there is no home directory restriction for regular users. When this option is set to on (or homedir), each named account user's access is restricted to that user's own home directory or to the override directory, if one is specified by the ftpd.dir.override option.

Default: on

Values: on, off, none, homedir

Effective: Upon FTP client reconnection

Persistence: Remains in effect across system reboots

ftpd.dir.override
Sets the override path for the user home directory. A "" (null) value indicates no home directory override; users will be placed in their home directory upon login. When the value of this option is a valid directory path, users will be placed in that directory upon login. This option applies only to named user accounts. The behavior of the default user account is not affected by the value of ftpd.dir.override.

Default: "" (null)

Effective: Upon FTP client reconnection

Persistence: Remains in effect across system reboots

ftpd.idle_timeout
Sets the time between requests that an FTP session can be idle before it becomes a candidate for disconnection by the storage system.

Default: 900s

Min/Max: 300s - 2d in seconds (s), hours (h) or days (d)

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.log.enable
Enables/disables the logging of FTP commands and data transfer operations.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.log.filesize
Specifies the maximum file size for FTP and HTTP logs in the /etc/log directory. When one of the active log files, such as ftp.cmd (or ftp.xfer, or httpd.log) reaches this size, it is renamed to ftp.cmd.1 (or ftp.xfer.1 for the transfer log, or httpd.log.1 for the http log) and that renamed log history file is closed. If there is already a historical log file, such as ftp.cmd.1, that file is renamed to ftp.cmd.2. This renaming process continues sequentially for all historical log files, until the maximum number of historical log files (specified by ftpd.log.nfiles) is reached. Once the maximum number of historical log files is reached, the oldest log file is deleted each time a new active log file is opened. See the description of the ftpd.log.nfiles option for more information.

Default: 512k

Min/Max: 1K - 4G in gigabytes (G), megabytes (M), kilobytes (K) or bytes (blank)

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.log.nfiles
Sets the maximum number of log files to be kept for FTP and HTTP. Once an active log file reaches the size limit determined by the ftpd.log.filesize option, a new active log file is created. The old active log file is stored as a historical log file by appending the file name with ".1". All existing historical files are renamed by incrementing the numeric suffix; for example, "ftp.cmd.2" becomes "ftp.cmd.3" and so on. Only the number of files specified by ftpd.log.nfiles are kept. When the maximum number of historical log files is exceeded, the highest-numbered (oldest) log file is deleted. For example, if nfiles is set to 6, ftp.cmd.5 would be deleted rather than renamed.

Default: 6

Min/Max: 1 - 100 files

Effective: Immediately

Persistence: Remains in effect across system reboots
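The rotation that ftpd.log.filesize and ftpd.log.nfiles describe, modelled as an added example (not part of the original manual page) to show how much FTP log history survives for later review. It assumes K, M and G are binary multiples and that nfiles counts the active file, as the ftp.cmd.5 case above implies; the function names are hypothetical.

```python
import re

# Assumption: K/M/G are binary multiples (1K = 1024 bytes).
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text):
    """Parse an ftpd.log.filesize value such as '512k', '4G' or '2048' into bytes."""
    match = re.fullmatch(r"(\d+)([KMG]?)", text.strip().upper())
    if not match:
        raise ValueError(f"not a size: {text!r}")
    size = int(match.group(1)) * UNITS[match.group(2)]
    if not UNITS["K"] <= size <= 4 * UNITS["G"]:
        raise ValueError(f"{text!r} is outside the documented 1K - 4G range")
    return size


def rotate(files, base, nfiles):
    """Apply one rotation to files (name -> generation number).

    Returns the generation that was deleted, or None if nothing was deleted.
    The caller opens the new active file afterwards.
    """
    if not 1 <= nfiles <= 100:
        raise ValueError("ftpd.log.nfiles is documented as 1 - 100")
    # With nfiles = 6 the highest suffix is .5; it is deleted, not renamed.
    oldest = f"{base}.{nfiles - 1}" if nfiles > 1 else base
    dropped = files.pop(oldest, None)
    # Shift the remaining history up by one, highest suffix first.
    for n in range(nfiles - 2, 0, -1):
        if f"{base}.{n}" in files:
            files[f"{base}.{n + 1}"] = files.pop(f"{base}.{n}")
    if nfiles > 1 and base in files:
        files[f"{base}.1"] = files.pop(base)
    return dropped


def simulate(rotations, nfiles=6, base="ftp.cmd"):
    """Run a number of rotations and report surviving files and lost generations."""
    files = {base: 0}  # generation 0 is the first active log
    dropped = []
    for generation in range(1, rotations + 1):
        gone = rotate(files, base, nfiles)
        if gone is not None:
            dropped.append(gone)
        files[base] = generation  # new active log file
    return files, dropped


def retained_bytes(filesize="512k", nfiles=6):
    """Upper bound on log data kept per log type (active file plus history)."""
    return parse_size(filesize) * nfiles


if __name__ == "__main__":
    files, dropped = simulate(8)
    for name in sorted(files):
        print(f"{name:10} holds generation {files[name]}")
    print("deleted generations:", dropped)
    print("at most", retained_bytes(), "bytes of ftp.cmd history with the defaults")
```
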

ftpd.locking
Sets the type of file locking used by the ftpd during file retrieval. Setting this option to none designates that files are not to be locked in any way during file retrieval. When the value of this option is delete, files being retrieved cannot be deleted or renamed. When the value of this option is write, files being retrieved cannot be opened for write or deleted or renamed.

Default: none

Values: none, delete

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.max_connections
Sets the maximum number of concurrent ftpd connections allowed. This option is the limit of the total number of FTP control connections allowed to the storage system, or to all vFilers hosted on the physical storage system. For High Availability configurations, the number of connections permitted is doubled when in takeover mode. If this setting is changed to a value that is lower than the current number of connected FTP sessions, new connections will be refused until the total number of sessions falls below ftpd.max_connections. Existing sessions are unaffected.

Default: 500

Min/Max: 0 - 5000 connections

Effective: Immediately

Persistence: Remains in effect across system reboots

ftpd.tcp_window_size
Sets the TCP window size for FTP operations. The default, 28960 bytes, works for many network environments. Change this value only when required for your network configuration. Changes to this option can strongly affect ftpd performance.

Default: 28960

Values: 1600

Effective: Upon FTP client reconnection

Persistence: Remains in effect across system reboots

gfagent.enable
Enables/disables the Gateway storage system agent.

gfagent.hdm.host
Sets the host address to which the Gateway agent sends POST requests.

gfagent.hdm.password
User password for Device Manager server.

gfagent.hdm.port
Port number of Device Manager's http server.

gfagent.hdm.user
User name for Device Manager server.

gfagent.hdm.uri
URI to which the Gateway agent sends POST requests.

gfagent.interval.minutes
Time interval between two successive scans/reports in minutes.

httpd.admin.access
Restricts HTTP access to FilerView, the administration area of the storage system, via a private NetApp Inc URL: any URL beginning with /na_admin. If this value is set, trusted.hosts is ignored for FilerView access.

Default: legacy

Values: See na_protocolaccess(8)

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.admin.enable
Enables HTTP access to FilerView, the administration area of the storage system, via a private NetApp Inc URL: any URL beginning with /na_admin is mapped to the directory /etc/http. Thus, a man page on the storage system toaster with the file name /etc/http/man/name can be accessed with the URL http://toaster/na_admin/man/name.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.admin.max_connections
Sets the maximum number of concurrent httpd administration connections allowed per vfiler. Httpd administration connections are defined by http://toaster/na_admin. API connections fall under the httpd administration purview. If this setting is changed to a value that is lower than the current number of httpd administration connections, new connections will be refused until the total number of connections falls below httpd.admin.max_connections. Existing connections are unaffected.

Default: 512

Min/Max: 1 - 1023 connections

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.admin.ssl.enable
Enables HTTPS access to FilerView. To set up ssl, use the secureadmin command. See na_secureadmin(1) for more details. HTTPS and SSL are enabled by default on a factory installed system. Default value is on.

httpd.admin.hostsequiv.enable
Enables the use of /etc/hosts.equiv for administrative HTTP authentication. If enabled, the authentication of administrative HTTP (for APIs) will use the contents of /etc/hosts.equiv in the same way that it is used for rsh authentication. See na_hosts.equiv(5) and na_rshd(8) for more details.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.admin.top-page.authentication
If enabled, the top-level page of FilerView will have authenticated access.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.autoindex.enable
The normal response to an HTTP GET request that specifies a URL corresponding to a directory is to display the contents of an index file contained in that directory. If no index file exists, a directory listing can be generated automatically and returned instead. This option controls whether to generate a directory listing.

The storage system always searches for an index file, which is one of "index.html", "default.htm", "index.htm", "default.html", searched for in that order. If none is found, and this option is on, a directory listing is created and returned. If this option is off (the default), the appliance will respond with a "403" (forbidden) error code.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.access
Restricts HTTP access to the storage system. Setting this value does not affect FilerView access set by httpd.admin.access.

Default: legacy

Values: See na_protocolaccess(8)

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.bypass_traverse_checking
When turned on, directories in the path to a file are not required to have the `X' (traverse) permission.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.enable
Enables HTTP access to the storage system.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.ipv6.enable
This option controls HTTP IPv6 support. For this option to take effect, the networking stack should support IPv6 (option ip.v6.enable). When this option is enabled, the storage system starts accepting new HTTP connections over IPv6. When this option is disabled, the storage system stops accepting any new HTTP connections over IPv6; existing IPv6 connections will remain active and will not be disconnected.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

Values: on, off

httpd.log.format
Specifies the log format.

Default: common

Values: common, alt1

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.method.trace.enable
Specifies whether the HTTP TRACE method is enabled. There is a potential security vulnerability associated with the TRACE method, documented in http://www.kb.cert.org/vuls/id/867593. The default for this option is off, thus disabling the TRACE method. If you want to support the TRACE method, set the option to on.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.rootdir
Specifies the complete pathname of the root directory that contains files and subdirectories for HTTP access. The default for this is `XXX' as it is normally set to the appropriate location during http setup.

Default: XXX

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.timeout
Specifies the minimum amount of time (in seconds) before an idle HTTP connection will time out.

Default: 300

Min/Max: 30 - 86400 seconds

Effective: Immediately

Persistence: Remains in effect across system reboots

httpd.timewait.enable
When enabled, the storage system will put HTTP connections that have been closed by the client into the TIME_WAIT state for one minute, which is twice the maximum segment lifetime (2*MSL).

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

ic.carnegie.enable
This option enables platform-specific support for FCVI MetroCluster on FAS32x0 (Carnegie) platforms.

CAUTION: This option is deprecated. Do not modify its value.

interface.blocked.cifs
The option is set to a comma-separated list of interface names for which CIFS is blocked. The default is the empty list, "", which means that CIFS is not blocked on any interface (unless option interface.blocked.mgmt_data_traffic is set to "on"). The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

interface.blocked.iscsi
The option is set to a comma-separated list of interface names for which iSCSI is blocked. The default is the empty list, "", which means that iSCSI is not blocked on any interface (unless option interface.blocked.mgmt_data_traffic is set to "on"). The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

interface.blocked.ftpd
The option is set to a comma-separated list of interface names for which FTP is blocked. The default is the empty list, "", which means that FTP is not blocked on any interface. The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

interface.blocked.mgmt_data_traffic
This option controls the protocol filter for dedicated mgmt ports, such as e0M on many platforms (not all platforms have a dedicated mgmt port). If the option is set to on (the default for new installs), then NDMP, NFS, CIFS, iSCSI and the SNAP* family of data protocols will be blocked by the dedicated mgmt port. "On" is the recommended setting because a dedicated mgmt port is a low-bandwidth port that does not support jumbo frames, vlans, or ifgrps. If a dedicated mgmt port is used for data traffic, it can hide misconfigurations that might lead to a serious loss of storage system throughput. A dedicated mgmt port should only be configured with addresses that are on isolated management-only subnets. See the NMG for details.

interface.blocked.ndmp
The option is set to a comma-separated list of interface names for which NDMP is blocked. The default is the empty list, "", which means that NDMP is not blocked on any interface (unless option interface.blocked.mgmt_data_traffic is set to "on"). The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

interface.blocked.nfs
The option is set to a comma-separated list of interface names for which NFS is blocked. The default is the empty list, "", which means that NFS is not blocked on any interface (unless option interface.blocked.mgmt_data_traffic is set to "on"). The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

interface.blocked.snapmirror
The option is set to a comma-separated list of interface names for which snap* protocols are blocked. The default is the empty list, "", which means that snap* protocols are not blocked on any interface (unless option interface.blocked.mgmt_data_traffic is set to "on"). The interface list cannot include TOE-enabled interfaces or iSCSI HBAs. See the NMG for details.

ip.fastpath.enable
If the option is on, the storage system will attempt to use MAC address and interface caching ("Fastpath") so as to try to send back responses to incoming network traffic using the same interface as the incoming traffic and (in some cases) the destination MAC address equal to the source MAC address of the incoming data. This allows for automatic load balancing between multiple interfaces of a trunk and between multiple storage system interfaces on the same subnet. Valid values for this option are on or off. The default value for this option is on. For TCP connections, the system will also automatically detect if this optimization is not feasible in a specific environment or for a specific connection and turn Fastpath off automatically for those connections for which using Fastpath is inappropriate. The netstat command with the -x option can be used to see if Fastpath is enabled for a specific connection.

ip.match_any_ifaddr
If the option is on, the storage system will accept any packet that is addressed to it even if that packet came in on the wrong interface. If you are concerned about security, you should turn this off. Valid values for this option are on or off. The default value for this option is on.
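The FTP, HTTP, interface and IP entries above state which values are defaults or recommended; this added example (not NetApp code) checks a captured options listing against them. The "name value" line layout, the sample listing and the use of the documented defaults as the target state are assumptions of the example, and the function names are hypothetical.

```python
import re
from typing import NamedTuple

# Target values taken from this man page: its documented defaults plus the two
# settings it explicitly recommends. Treating the defaults as the target state
# is an assumption of this example; adjust to local policy.
BASELINE = {
    "ftpd.enable": ("off", "on accepts FTP connections on port 21"),
    "ftpd.anonymous.enable": ("off", "on allows anonymous user logins"),
    "ftpd.3way.enable": ("off", "off requires the PORT address to match the client"),
    "ftpd.dir.restriction": ("on", "on confines named users to their home directory"),
    "ftpd.bypass_traverse_checking": ("off", "on skips the traverse permission check"),
    "ftpd.log.enable": ("on", "on logs FTP commands and data transfers"),
    "httpd.method.trace.enable": ("off", "page points to a TRACE vulnerability note"),
    "httpd.autoindex.enable": ("off", "on returns generated directory listings"),
    "httpd.admin.top-page.authentication": ("on", "on authenticates the FilerView top page"),
    "interface.blocked.mgmt_data_traffic": ("on", "page: on is the recommended setting"),
    "ip.match_any_ifaddr": ("off", "page: turn off if concerned about security"),
}

# Spellings the man page says are accepted, in any mixture of case.
ON_WORDS = {"on", "yes", "true", "1"}
OFF_WORDS = {"off", "no", "false", "0"}
DIR_RESTRICTION_ALIASES = {"homedir": "on", "none": "off"}
OPTION_NAME = re.compile(r"^[a-z][a-z0-9_]*(\.[A-Za-z0-9_\-]+)+$")

# Constructed sample; assumed layout is "name <spaces> value (optional note)".
SAMPLE = """\
toaster> options ftpd
ftpd.3way.enable             on
ftpd.anonymous.enable        off
ftpd.anonymous.home_dir
ftpd.dir.restriction         none
ftpd.enable                  on
ftpd.explicit.enable         off
ftpd.log.enable              on
toaster> options httpd
httpd.admin.top-page.authentication on
httpd.autoindex.enable       off
httpd.method.trace.enable    on
toaster> options ip.match_any_ifaddr
ip.match_any_ifaddr          on         (constructed trailing note)
toaster> options interface.blocked.mgmt_data_traffic
interface.blocked.mgmt_data_traffic on
"""


class Finding(NamedTuple):
    option: str
    actual: str
    expected: str
    reason: str


def normalize(option, value):
    """Fold the accepted on/off spellings into 'on' or 'off'."""
    v = value.strip().strip('"').lower()
    if v in ON_WORDS:
        return "on"
    if v in OFF_WORDS:
        return "off"
    if option == "ftpd.dir.restriction":
        return DIR_RESTRICTION_ALIASES.get(v, v)
    return v


def parse_options(text):
    """Return {option: raw value}; prompts and non-option lines are skipped."""
    settings = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if not fields or not OPTION_NAME.match(fields[0]):
            continue
        value = fields[1] if len(fields) > 1 else ""
        value = re.sub(r"\s*\([^)]*\)\s*$", "", value)  # drop a trailing "(note)"
        settings[fields[0]] = value.strip()
    return settings


def audit(text):
    """Compare a captured listing with BASELINE; return (findings, missing)."""
    settings = parse_options(text)
    findings, missing = [], []
    for option, (expected, reason) in BASELINE.items():
        if option not in settings:
            missing.append(option)  # not captured: unknown, not a pass
            continue
        actual = normalize(option, settings[option])
        if actual != expected:
            findings.append(Finding(option, actual, expected, reason))
    # Cross-option check: FTP on while Explicit FTPS is off means sessions on
    # port 21 are not allowed to enter secure mode (see ftpd.explicit.enable).
    state = {name: normalize(name, value) for name, value in settings.items()}
    if state.get("ftpd.enable") == "on" and state.get("ftpd.explicit.enable") == "off":
        findings.append(Finding("ftpd.explicit.enable", "off", "on",
                                "FTP is on but port 21 cannot enter secure mode"))
    return findings, missing


if __name__ == "__main__":
    found, absent = audit(SAMPLE)
    for f in found:
        print(f"{f.option}: {f.actual} (expected {f.expected}) - {f.reason}")
    print("not in capture:", ", ".join(absent) or "none")
```

Options missing from the capture are reported separately so that an incomplete listing is not mistaken for a compliant one.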

ip.path_mtu_discovery.enable
Enables/disables path MTU discovery; it is currently used only by TCP. Path MTU discovery, described in RFC 1191, allows a host to discover the ``maximum transmission unit'', that is, the largest link-level packet that can be transmitted over a path from that host to another host. This means that the storage system needn't choose a conservative packet size for a TCP connection to a host not on the same net as the storage system, but can attempt to discover the largest packet size that can make it to the other host without fragmentation. Valid values for this option are on or off. The default value for this option is on.

ip.ping_throttle.drop_level
Specifies the maximum number of ICMP echo or echo reply packets (ping packets) that the storage system will accept per second. Any further packets within one second are dropped to prevent ping flood denial of service attacks. The default value is 150.

ip.ping_throttle.alarm_interval
Specifies how often dropped pings will be syslogged in minutes. This prevents a ping flood denial of service attack from flooding the syslog with messages. A value of 0 turns off logging of ping floods. The default value is 0.

ip.tcp.newreno.enable
Enables/disables the use of the NewReno modification to TCP's fast recovery algorithm (described in RFC 2582). Valid values for this option are on or off. The default value for this option is on.

ip.tcp.sack.enable
Enables/disables the use of TCP Selective Acknowledgements (described in RFC 2018). Valid values for this option are on or off. The default value for this option is on.

ip.tcp.abc.enable
Enables/disables the use of Appropriate Byte Counting in TCP Congestion Control following RFC 3465. Valid values for this option are on or off. The default value for this option is on.

ip.tcp.abc.l_limit
This option is used only when Appropriate Byte Counting is used in TCP Congestion Control. It specifies the value of the limit L used to increase congestion window during slow start. Valid values for this option are 1 and 2. The default value for this option is 2.

ip.tcp.rfc3390.enable
Enables/disables the use of RFC 3390 to increase the initial window used by TCP connections. The default value for this option is on.

ip.ipsec.enable
Enables/disables the Internet Security Protocol (ipsec) support on the storage system. Valid values for this option are on or off. The default value for this option is off.

ip.v6.enable
Enables/disables the IPv6 support on the storage system. Valid values for this option are on or off. The default value for this option is off. When ip.v6.enable is turned off, existing TCP and UDP connections will get closed. The configuration files like /etc/rc, /etc/resolv.conf, /etc/hosts, /etc/dgateways and /etc/resolve.conf which include IPv6 addresses are not reset and must be cleaned up manually. Interfaces will be configured down if they have no IPv4 addresses assigned. Enabling IPv6 will not enable the use of IPv6 for some protocols (for example CIFS, NFS). Those protocols have their own IPv6 enable option that must be set in addition to the global option ip.v6.enable.

ip.v6.ra_enable
Accepts/rejects the Router Advertisement messages that can facilitate auto-configuration of addresses and learning of prefixes and routes. Valid values for this option are on or off. The default value for this option is off. When ra_enable is turned off, router advertisements will be dropped so no default routes will be learned, default route failover will be disabled and link mtu updates will be stopped but existing auto-configured IPv6 addresses and default routes will be retained (Duplicate address detection, network discovery, and IPv6 path mtu discovery will all continue to work).

iscsi.auth.radius.enable
Determines whether iSCSI service uses RADIUS for CHAP authentication.

iscsi.enable
Determines whether iSCSI service starts by default on a storage system.

iscsi.isns.rev
Determines the draft level of the iSNS specification with which the iSNS service on the storage system is compatible. There are two possible values: 18 and 22. The default value is 22. A value of 18 allows compatibility with older iSNS servers that support draft 18 of the iSNS specification. A value of 22 provides compatibility with both draft 22 of the iSNS specification and with RFC 4171, the final iSNS specification. For example, if the iSNS server that the storage system will connect to is compatible with RFC 4171, set the iscsi.isns.rev to 22. This ensures that the iSNS service on the storage system is compatible with the iSNS server. If this setting is not properly set, the storage system may not be able to successfully register with the iSNS server.

iscsi.tcp_window_size
CAUTION - This number will affect iSCSI performance, and defines the node's receive TCP window size for all iSCSI connections. The default setting is 131400 bytes. In general, for best performance, the value of this option should be set according to your network configuration, taking into account the latency of the underlying network. However, improved performance may be obtained with certain iSCSI initiators by tuning this value beyond the normal network calculations involving latency and round-trip time. You must stop/start the iSCSI service for a change in this value to take effect.

iscsi.max_connections_per_session
The option specifies the number of connections per session allowed by the storage system. You can specify between 1 and 32 connections, or you can accept the default value: use_system_default. The maximum number of connections allowed for each session is from 1 to 32. use_system_default currently equals 4.

Note that this option specifies the maximum number of connections per session supported by the storage system. The initiator and storage system negotiate the actual number allowed for a session when the session is created; this is the smaller of the initiator's maximum and the storage system's maximum. The number of connections actually used also depends on how many connections the initiator establishes.

iscsi.max_error_recovery_level
The option specifies the maximum error recovery level allowed by the storage system. You can specify 0, 1, or 2, or you can accept the default value: use_system_default. The maximum error recovery level allowed is 0, 1, or 2. use_system_default currently equals 0.

iscsi.ip_based_tpgroup
This option enables the IP-based tpgroup management for iSCSI on the specified vFiler.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

ifgrp.failover.link_degraded
This option is meaningful in configurations of a second-level single-mode ifgrp containing two or more multi-mode ifgrps where one is favored (see na_ifgrp(1)). The active ifgrp is always the one with highest aggregate bandwidth. If the underlying ifgrps have equal bandwidth and one is favored, then the favored ifgrp will be active. When this option is on, and one or more links in the active favored multi-mode ifgrp fails or is deleted, or a link in a non-active ifgrp comes up or is added to increase its aggregate bandwidth, failover to a multi-mode ifgrp that has the highest aggregate bandwidth will occur. If this option is off, no failover will occur and the favored degraded interface will remain active. The default value for this option is off.

For example,
A second-level single-mode ifgrp sif is configured over two multi-mode ifgrps mif1 and mif2, where mif1 is active. When one or more links in mif1 go down:

Case 1: No ifgrp is favored.
Failover occurs if mif2 has a higher aggregate bandwidth than mif1, irrespective of the value of ifgrp.failover.link_degraded option.

Case 2: mif1(active ifgrp) is favored and

a) ifgrp.failover.link_degraded is on.
Failover occurs if mif2 has a higher aggregate bandwidth than mif1. mif2 will become active.
If mif1 has a higher aggregate bandwidth than mif2 even after the links go down, mif1 remains active.

b) ifgrp.failover.link_degraded is off.
There is no failover in this case and mif1 remains active until all the underlying links of mif1 go down even though mif2 has a higher aggregate bandwidth than mif1.

Value of this option is overwritten during takeover and behaves according to the value set for the host that is up.

kerberos.replay_cache.enable
This option enables the Kerberos replay cache feature. This feature prevents passive replay attacks by storing user authenticators on the storage system for a short time, and by ensuring that the authenticators are not reused in subsequent Kerberos tickets by attackers. Storing and comparing the user authenticators can result in a substantial performance penalty for higher workloads on the storage system. The default value for this option is off.

ldap.enable
Turns LDAP lookup off or on. An entry must also be made in the /etc/nsswitch.conf file to use LDAP for this purpose.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.fast_timeout.enable
This option is used to control the time-out behavior of LDAP client operations. If enabled, after a failure occurs the system will wait for ldap.retry_delay seconds before making another attempt to connect to LDAP servers.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.minimum_bind_level
Specifies the minimum binding level that is allowed. It can take the following values: anonymous - anonymous bind, simple - simple bind, sasl - SASL bind.

Default: 0

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.retry_delay
The time, in seconds, to wait before trying to connect to LDAP servers after a failed attempt. Effective only if ldap.fast_timeout.enable is on. Range: between 0 and 3600, inclusive.

Default: 120

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.timeout
Timeout used for LDAP searches. This is the period (in seconds), after which an LDAP search request is timed out on the LDAP server, if incomplete.

Default: 20

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.ssl.enable
Turns LDAP over SSL support off or on. Only server authentication is supported. The root certificate must be installed on the storage system for SSL authentication to succeed. This is the trusted certificate that is obtained from any of the recognized signing authorities. Multiple trusted certificates may be installed on the storage system. Keymgr is used to install root certificates on the storage system. Please refer to na_keymgr for additional information. Ensure that ldap.port is set to 636.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.ADdomain
The Active Directory Domain name in DNS format to use for LDAP queries. Typically this will be something like "group.company.com".

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.base
The base distinguished name to use for common ldap lookups, which include user passwd lookup, group lookup and netgroup lookup. The format of the base string is: "(filter1):scope1;(filter2):scope2;". Typically this is something like "cn=company,cn=uk". The scope can be one of three choices: BASE, ONELEVEL or SUBTREE. The default scope is SUBTREE if it is not specified.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.base.passwd
The base distinguished name to use for user passwd lookups. This option overrides the ldap.base option. The format of the base string is: "(filter1):scope1;(filter2):scope2;". Typically this is something like "cn=company,cn=uk". The scope can be one of three choices: BASE, ONELEVEL or SUBTREE. The default scope is SUBTREE if it is not specified.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.base.group
The base distinguished name to use for group lookups. This option overrides the ldap.base option. The format of the base string is: "(filter1):scope1;(filter2):scope2;". Typically this is something like "cn=company,cn=uk". The scope can be one of three choices: BASE, ONELEVEL or SUBTREE. The default scope is SUBTREE if it is not specified.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.base.netgroup
The base distinguished name to use for netgroup lookups. This option overrides the ldap.base option. The format of the base string is: "(filter1):scope1;(filter2):scope2;". Typically this is something like "cn=company,cn=uk". The scope can be one of three choices: BASE, ONELEVEL or SUBTREE. The default scope is SUBTREE if it is not specified.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.name
The username to use for the administrative queries necessary to look up UIDs and GIDs given a username. Best practice is to make this a user with read-only access to the database.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.gecos
The substitution for RFC 2307 gecos attribute.

Default: gecos

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.gidNumber
The substitution for RFC 2307 gidNumber attribute.

Default: gidNumber

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.groupname
The substitution for RFC 2307 group name attribute.

Default: cn

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.homeDirectory
The substitution for RFC 2307 homeDirectory attribute.

Default: homeDirectory

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.loginShell
The substitution for RFC 2307 loginShell attribute.

Default: loginShell

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.memberNisNetgroup
The substitution for RFC 2307 memberNisNetgroup attribute.

Default: memberNisNetgroup

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.memberUid
The substitution for RFC 2307 memberUid attribute.

Default: memberUid

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.netgroupname
The substitution for RFC 2307 netgroup name attribute.

Default: cn

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.nisNetgroupTriple
The substitution for RFC 2307 nisNetgroupTriple attribute.

Default: nisNetgroupTriple

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.uid
The substitution for RFC 2307 uid attribute.

Default: uid

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.uidNumber
The substitution for RFC 2307 uidNumber attribute.

Default: uidNumber

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.attribute.userPassword
The substitution for RFC 2307 userPassword attribute.

Default: userPassword

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.objectClass.nisNetgroup
The substitution for RFC 2307 nisNetgroup object class.

Default: nisNetgroup

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.objectClass.posixAccount
The substitution for RFC 2307 posixAccount object class.

Default: posixAccount

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.nssmap.objectClass.posixGroup
The substitution for RFC 2307 posixGroup object class.

Default: posixGroup

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.passwd
The password to use for the administrative user. This will always display as six `*'s when listing the options.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.port
The port to use for LDAP queries. This defaults to 389, LDAP's well-known port assignment. When changing this value, the storage system will connect to LDAP servers using the new value. Requests that are in process will continue to use the old value until they complete.

Default: 389

Min/Max: 1 - 65535 port

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.servers
List of servers to use for LDAP queries. To enter multiple server names use a space separated list enclosed in quotes. When changing this value, the storage system will connect to the specified LDAP servers for new requests. Requests that are in process will continue to use the old values until they complete. Note that if the LDAP Server is Windows AD and if it uses SASL bind, then the value for this option should have the server name instead of the IP Address. The information regarding the mapping of the server name with the IP Addresses should be in the /etc/hosts file. For Simple binding, the value for the option can be the IP Address of the server.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.servers.preferred
List of preferred LDAP servers. To enter multiple server names use a space separated list enclosed in quotes. Use this list to indicate servers that are on faster links if any of the servers listed in ldap.servers is on a WAN link or is for some other reason considered slower or less reliable. When changing this value, the storage system will connect to the specified LDAP servers for new requests. Requests that are in process will continue to use the old values until they complete.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.usermap.attribute.unixaccount
Specify the LDAP account attribute name for the ldap usermapping search.

Default: unixaccount

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.usermap.attribute.windowsaccount
Specify the windows account attribute name for the ldap usermapping search.

Default: windowsaccount

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.usermap.base
The base distinguished name to use for ldap usermapping. The format of the base string is: "(filter1):scope1;(filter2):scope2;". Typically this is something like "cn=company,cn=uk". The scope can be one of three choices: BASE, ONELEVEL or SUBTREE. The default scope is SUBTREE if it is not specified.

Default: "" (null)

Effective: Immediately

Persistence: Remains in effect across system reboots

ldap.usermap.enable
Enable the storage system to search an LDAP database for the user mapping between UNIX users and Windows accounts.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

licensed_feature.disk_sanitization.enable
Allows the operation of the Disk Sanitization functionality. Note: once enabled, this option cannot be turned off. This option cannot be accessed remotely and must be configured via the console. The default value is off.

licensed_feature.fcp.enable
Allows the operation of FCP functionality. Enabling FCP via this option is not available on all platforms. Some platforms may require the installation of an fcp license key instead of using this option. The default value is off.

licensed_feature.flexcache_nfs.enable
Allows operation of the FlexCache NFS functionality. This feature is not available on all platforms. The default value is off.

licensed_feature.flex_clone.enable
Enables the FlexClone functionality. The default value is off.

licensed_feature.iscsi.enable
Allows the operation of iSCSI functionality. Enabling iSCSI via this option is not available on all platforms. Some platforms may require the installation of an iscsi license key instead of using this option. The default value is off.

licensed_feature.multistore.enable
Allows the operation of MultiStore functionality. Enabling MultiStore via this option is not available on all platforms. Some platforms may require the installation of a multistore license key instead of using this option. The default value is off.

licensed_feature.nearstore_option.enable
Allows operation as a NearStore. This feature is not available on all platforms. The default value is off.

licensed_feature.snaplock.enable
Enables the SnapLock Compliance functionality. The default value is off.

licensed_feature.snaplock_enterprise.enable
Enables the SnapLock Enterprise functionality. The default value is off.

licensed_feature.vld.enable
Allows the operation of the Virtualized Local Disk (VLD) functionality. This feature is not available on all platforms and requires a reboot to disable the functionality. The default value is off.

locking.grace_lease_seconds
Sets the grace period for clients to reclaim file locks after a server failure. The grace period is expressed in seconds. For lease-based lock protocols (currently NFSv4), it also sets the locking lease period. Clients that have been inactive for a period equal to or longer than the lease period may lose all their locking state on a storage system.

lun.partner_unreachable.*
These options control the behavior of the SCSI Target when the HA interconnect is down, or when a takeover or giveback is in progress. Do not change these options unless directed by technical support.

These options are usually hidden, but they can become visible if manually changed, or during the normal upgrade process.

lun.use_partner.cc.enable
Enables the SCSI Target Partner Path config checker. Turning the option on causes the config checker to issue the FCP PARTNER PATH MISCONFIGURED AutoSupport message when there is too much FCP traffic over the HA interconnect. This option can be turned off in those cases where excessive FCP Partner Path traffic is expected/needed, but normally it should be left on so that the storage system will complain when there is too much Partner Path I/O, which is probably a sign of something wrong on the SAN.

lun.use_partner.cc.warn_limit
This option allows the administrator to control the threshold window (in seconds) over which the config checker checks whether the FCP traffic over the interconnect has exceeded the respective threshold values. An FCP PARTNER PATH MISCONFIGURED AutoSupport message would be issued if there was too much FCP traffic for the threshold window over the interconnect.

These options are usually hidden, but they can become visible if manually changed, or during the normal upgrade process.

lun.use_partner.cc.ops
This option allows the administrator to control the threshold for the number of FCP read and write ops, which the config checker uses to check whether the FCP traffic (in ops) over the interconnect has exceeded this specified threshold. An FCP PARTNER PATH MISCONFIGURED AutoSupport message would be issued if there was too much FCP traffic for the threshold window over the interconnect.

These options are usually hidden, but they can become visible if manually changed, or during the normal upgrade process.

lun.use_partner.cc.bytes
This option allows the administrator to control the threshold for the number of FCP read and write bytes, which the config checker uses to check whether the FCP traffic (in bytes) over the interconnect has exceeded this specified threshold. An FCP PARTNER PATH MISCONFIGURED AutoSupport message would be issued if there was too much FCP traffic for the threshold window over the interconnect.

These options are usually hidden, but they can become visible if manually changed, or during the normal upgrade process.

ndmpd.access
Allows the administrator to restrict access to NDMP operations based on the hostname or the IP address. The default value for this option is all. See na_protocolaccess(8) for details.

ndmpd.authtype
Allows the administrator to control which authentication methods the storage system will accept. NDMP supports two authentication types: challenge and plaintext. The default type is challenge. Challenge was MD5 and plaintext was text prior to Data ONTAP 6.4.

ndmpd.connectlog.enabled
Allows NDMP to track all the NDMP connection events for security purposes. Turning the option on allows all the NDMP connection events to be recorded in the syslog (/etc/messages) file. The default value for this option is being changed from on to off. By default, Data ONTAP 6.4 NDMP connection logging allows NDMP connection events for security audit purposes. This optional logging support causes all NDMP connection events to be recorded in the /etc/messages file. When used in conjunction with standard intrusion detection software, NDMP connection logging provides a powerful security audit mechanism. However, NDMP connection logging significantly increases the number of log messages written to the /etc/messages file. If NDMP connection auditing is not desired, it is advisable to disable the NDMP connection logging option to reduce the size of the /etc/messages file. NDMP connection logging can be disabled by issuing the following command at the storage system console: options ndmpd.connectlog.enabled off. NDMP connection logging can be enabled by issuing the following command at the storage system console: options ndmpd.connectlog.enabled on.

ndmpd.data_port_range
This option allows administrators to specify a port range on which the NDMP server can listen for data connections.

Syntax: options ndmpd.data_port_range { <start_port>-<end_port> | all }. start_port and end_port can have values between [1024-65535]; start_port must be less than or equal to end_port.

If a valid range is specified, NDMP uses a port within that range to listen for data connections. A listen request fails if no ports in the specified range are free.

The value `all' implies that any available port can be used to listen for data connections. The default value for this option is `all'.

This option is persistent across reboots.

ndmpd.enable
If on, the NDMP daemon accepts requests. Turning the option off disables request handling by the NDMP daemon. The default is off. Enabling and disabling this option is equivalent to executing ndmpd on and ndmpd off respectively.

ndmpd.ignore_ctime.enabled
This option, when on, allows the user to exclude files whose ctime has changed from node incremental dumps, since other processes like virus scanning often alter the ctime of files. When this option is off, backup on the node will include all files with a change or modified time later than the last dump in the previous level dump. This option is persistent across reboots.

Most WIN32 APIs are often unaware of the "last changed time", ctime; they often incorrectly set a later time for files, causing these files to be included in the node's incremental dumps, and making the incremental dump very large. This partially defeats the purpose of having incremental dumps, since one uses incremental dumps to speed up the backup by only dumping files that were "changed" since the last backup.

ndmpd.maxversion
This option can be used to set the highest NDMP protocol version supported by the NDMP server. The default value is 4.

ndmpd.offset_map.enable
This option is used to enable or disable generation of the inode offset map during NDMP based dump backups. The offset map is required to perform Enhanced Direct Access Restore (DAR) on the backup data. Enhanced DAR provides support for directory DAR and DAR of files with NT streams.

The default value is on.

This option persists across reboots.

ndmpd.password_length
Allows the administrator to select either 8-byte or 16-byte NDMP specific passwords. The default value is 16. This is the length in all existing versions of ONTAP that support this feature, so it will be backwards compatible. This option is persistent and the only legal values are 8 and 16. If an illegal value is entered, the following message will be displayed: options ndmpd.password_length: Length must be either 8 or 16. The ndmpd.password_length option controls password length during both generation and authentication. Supporting multiple concurrent NDMP specific password lengths is NOT required, and will not be possible. That is, if this option is set to 8, all NDMP applications managing backups for that node MUST use an 8-byte password for authentication.

ndmpd.preferred_interface
You can specify the node network interface to be used when establishing an NDMP data connection to another node. This option is not available on non-default vfilers.

By default, an NDMP data connection uses the same network interface as the NDMP control connection established by the NDMP backup application. However, when a data connection between NDMP-enabled devices needs to be established over an alternate network, it is necessary to specify the node's interface through which the alternate network will be accessed.

For example, a UNIX or NT resident NDMP backup application and multiple NDMP-enabled nodes can be interconnected via a corporate network. The same NDMP-enabled devices can also be interconnected via an isolated private network. To minimize load on the corporate network, the ndmpd.preferred_interface option can be used to direct all NDMP data connections over the isolated private network.

To specify the preferred network interface to be used for NDMP data connections, issue the following command: options ndmpd.preferred_interface interface. interface identifies the network interface to be used for all NDMP data connections. Any network interface providing TCP/IP access can be specified. If no argument is specified, the command returns the name of the interface currently configured for data connections. If no interface is currently set, it reports disable. You can find the available network interfaces by using the ifconfig -a command.

To disable a preferred network interface specification and force the NDMP default interface to be used for data connections, issue the following command: options ndmpd.preferred_interface disable. The default value for the ndmpd.preferred_interface option is disable.

Note: The ndmpd.preferred_interface option is persistent across node reboots.

ndmpd.tcpnodelay.enable
Enables/Disables the TCPNODELAY configuration parameter for the socket between the storage system and the DMA. When set to true, the Nagle algorithm is disabled and small packets are sent immediately rather than held and bundled with other small packets. This optimizes the system for response time rather than throughput.

The default value is false.

This option becomes active when the next NDMP session starts. Existing sessions are unaffected.

This option is persistent across reboots.

ndmpd.tcpwinsize
This option can be used to change the TCP buffer size of the NDMP data connection. The minimum and maximum values are 8192(8K) and 262,144(256K), respectively. The default value is 32768.

nfs.acache.persistence.enabled
The default for this option is "on" (enabled). This option controls whether the vfiler's access cache is periodically saved on disk. A persistently-stored access cache is restored into memory on reboot or failover, avoiding the need to resolve access requests which have been saved in the cache. To disable this feature, the option can be set to "off".

nfs.export.exportfs_comment_on_delete
This option controls the deletion behavior for exportfs -z. It controls whether entries are removed from the /etc/exports file or commented out. The default value is true and entries are commented out. To remove entries on deletion, set it to false.

nfs.export.allow_provisional_access
The default for this option is enabled. This option controls whether provisional access is granted in the event that a name service outage prevents the node from determining if a given client has access to an exported path.

For example, the client in question may have readwrite access to an exported path. In this situation access is provided in IP address format. The client however could also be part of a netgroup that is given read-only access to the same path. Under normal circumstances the client would not be given write access because of how access rules are applied. In the event that the netgroup could not be resolved or expanded, the client would provisionally be granted write access since an entry for it could be found in IP form.

This example illustrates a security issue in that it is possible for clients to be given more access rights than originally intended. Therefore, the option is provided to disable provisional access. This has the effect of delaying access until it is possible for the node to definitively determine access rights for the client.
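The scenario above, worked through as an added example (a model written for this page, not Data ONTAP code). The precedence rule "a read-only match overrides a read-write match" is an assumption standing in for "how access rules are applied"; the export entries, netgroup name and addresses are constructed, and netgroup members are modelled as IP addresses for brevity.

```python
class NameServiceDown(Exception):
    """Raised when a netgroup cannot be resolved or expanded."""


def make_resolver(netgroups, available=True):
    """Return a lookup function; with available=False it simulates an outage."""
    def members(name):
        if not available:
            raise NameServiceDown(name)
        return netgroups.get(name, set())
    return members


def matches(entry, client_ip, members):
    """True if an export entry names the client; '@name' entries are netgroups."""
    if entry.startswith("@"):
        return client_ip in members(entry[1:])
    return entry == client_ip


def evaluate(client_ip, export, members, allow_provisional):
    """Return 'ro', 'rw', 'none' or 'deferred' for one client and one export."""
    hits = {"ro": False, "rw": False}
    unresolved = False
    for mode in ("ro", "rw"):
        for entry in export.get(mode, []):
            try:
                if matches(entry, client_ip, members):
                    hits[mode] = True
            except NameServiceDown:
                unresolved = True      # this entry could not be evaluated
    if hits["ro"]:
        return "ro"                    # assumed precedence: read-only wins
    if unresolved and not allow_provisional:
        return "deferred"              # wait until rights can be determined
    if hits["rw"]:
        return "rw"                    # provisional if anything was unresolved
    return "none"


# Constructed export: the client is listed read-write by IP address and is
# also a member of a netgroup that only has read-only access.
EXPORT = {"rw": ["10.1.2.3"], "ro": ["@contractors"]}
NETGROUPS = {"contractors": {"10.1.2.3"}}


def scenario_results(client_ip="10.1.2.3"):
    """Evaluate the same client with and without a name service outage."""
    up = make_resolver(NETGROUPS, available=True)
    down = make_resolver(NETGROUPS, available=False)
    return {
        "name service up": evaluate(client_ip, EXPORT, up, True),
        "outage, provisional access on": evaluate(client_ip, EXPORT, down, True),
        "outage, provisional access off": evaluate(client_ip, EXPORT, down, False),
    }


if __name__ == "__main__":
    for case, access in scenario_results().items():
        print("%-32s %s" % (case, access))
```
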

nfs.assist.queue.limit
The default for this option is 40. This option controls the percentage of NFS asynchronous messages which can be placed onto the NFS assist queue. Once this limit has been reached, further NFS requests which need to undergo a name service transaction will instead have permissions granted based on nfs.export.allow_provisional_access. The number of available NFS asynchronous messages can be determined with nfsstat -d.

nfs.export.auto-update
The default for this option is enabled. This option controls whether automatic updates are performed on the /etc/exports file. If it is not set, then the commands vol create, vol delete, and vol rename will not automatically rewrite the file. Instead they will syslog the need to edit the file. When volumes are moved between vfilers, automatic updates on the /etc/exports file of the source and destination vfilers are dependent on this option.

nfs.export.harvest.timeout
The default for this option is 1800 seconds (30 minutes). This option sets the idle expiration time for entries in the export access cache. This timer resets every time the export is accessed from the host. The minimum value is 60 seconds and the maximum is 7 days.

nfs.export.neg.timeout
The default for this option is 3600 seconds (one hour). This option sets the refresh time for entries which were denied access in the export access cache. The minimum value is 60 seconds and the maximum is 7 days.

nfs.export.pos.timeout
The default for this option is 36000 seconds (ten hours). This option sets the refresh time for entries granted access in the export access cache. The minimum value is 60 seconds and the maximum is 7 days.

nfs.export.resolve.timeout
The default for this option is 8 seconds. This option had been hidden before and may have had a default of either 30 or 15 seconds. This option controls how long a name service lookup is allowed to proceed before the NFS export code will determine that the name servers are not responding in a timely fashion.

nfs.kerberos.enable
This option is off by default. It's not a configurable option. It will be turned on when you do kerberos setup.

nfs.kerberos.file_keytab.enable
The default for this option is off. When enabled, the vfiler is directed to use a file based Kerberos key table (in /etc/krb5.keytab), with a format equal to that generated by an MIT-based kadmin command.

nfs.kerberos.principal
The default for this string option is a zero length string. If nfs.kerberos.file_keytab.enable is enabled, then the nfs.kerberos.principal option must be set to the host specific part of an NFS server's Kerberos principal name. For example, if nfs.kerberos.principal is set to elrond.mycompany.com, then the resulting principal name of the NFS server will be nfs/elrond.mycompany.com@realm, where realm is the value of nfs.kerberos.realm. Note that nfs/elrond.mycompany.com@realm must appear as an entry in /etc/krb5.keytab.

nfs.kerberos.realm
The default for this string option is a zero length string. If nfs.kerberos.file_keytab.enable is enabled, then the nfs.kerberos.realm option must be set to the host specific part of an NFS server's Kerberos principal name. For example, if nfs.kerberos.realm is set to MYCOMPANY.COM, then the resulting principal name of the NFS server will be nfs/principal@MYCOMPANY.COM, where principal is the value of nfs.kerberos.principal. Note that nfs/principal@MYCOMPANY.COM must appear as an entry in /etc/krb5.keytab.

nfs.locking.check_domain
The default for this option is on. If this option is set to off, then the NFS version 2 and 3 lock manager (NLM) and the NFS version 2 and 3 status monitor (NSM) will ignore the domain suffix when comparing the client host name in an NSM request with the client host name associated with an outstanding lock. One might want to set nfs.locking.check_domain to off if one has NFS version 2 or 3 clients that issue NLM requests with fully qualified domain names (FQDNs) and NSM requests with non-FQDNs. Similarly, if the converse is true, one might want to turn nfs.locking.check_domain off. Otherwise, clients that send hostnames inconsistently will leave locks held on the node, requiring manual intervention even after the client reboots (and sends the NSM recovery message).

If nfs.locking.check_domain is off, then one must take care to make sure that the non-FQDNs of each client are unique, lest two clients with different domains cause each other to lose locks. For example, if the option is off, then two NFS clients, one named wally.eng.mycompany.com and the other named wally.corp.mycompany.com, will be considered the same for purposes of processing the NSM recovery message when either client reboots. It is strongly recommended that clients be fixed and/or reconfigured to obviate the need for setting nfs.locking.check_domain to off.

Because NFS version 4 uses schemes for locking and lock recovery that are completely different than NLM and NSM, the nfs.locking.check_domain option and the associated issue do not apply to NFS version 4.
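
The check below is an added example, not part of the original manual page or of Data ONTAP. Given a list of client host names, it reports the non-FQDNs shared by clients in different domains (unsafe with nfs.locking.check_domain off) and the clients seen both with and without a domain suffix (the pattern that leaves locks held with the option on). The function names and the sample client list are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict


def is_ip_literal(name):
    """True if the name is an IPv4/IPv6 address rather than a host name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def split_host(name):
    """Split a client host name into (non-FQDN, domain suffix), lower-cased."""
    host = name.strip().rstrip(".").lower()
    short, _, domain = host.partition(".")
    return short, domain


def check_domain_report(client_names):
    """Classify client names for a decision about nfs.locking.check_domain.

    'collisions'   maps a non-FQDN to the FQDNs of clients in different
                   domains; with the option off these are treated as one
                   client when an NSM recovery message is processed.
    'inconsistent' maps a non-FQDN to the FQDNs of clients that were also
                   seen without a domain suffix.
    """
    domains = defaultdict(set)
    for name in client_names:
        cleaned = name.strip().rstrip(".")
        if not cleaned or is_ip_literal(cleaned):
            continue  # addresses have no domain suffix to compare
        short, domain = split_host(cleaned)
        domains[short].add(domain)  # '' records a non-FQDN sighting

    collisions, inconsistent = {}, {}
    for short, seen in sorted(domains.items()):
        qualified = sorted(d for d in seen if d)
        if len(qualified) > 1:
            collisions[short] = [f"{short}.{d}" for d in qualified]
        if "" in seen and qualified:
            inconsistent[short] = [f"{short}.{d}" for d in qualified]
    return {"collisions": collisions, "inconsistent": inconsistent}


# Constructed sample: names as they might appear in a client inventory.
SAMPLE_CLIENTS = [
    "wally.eng.mycompany.com",
    "wally.corp.mycompany.com",
    "Dilbert.eng.mycompany.com",
    "dilbert",
    "alice.eng.mycompany.com.",
    "10.0.0.7",
]

if __name__ == "__main__":
    for kind, found in check_domain_report(SAMPLE_CLIENTS).items():
        for short, fqdns in found.items():
            print(f"{kind}: {short} -> {', '.join(fqdns)}")
```

An empty 'collisions' result is the precondition the text gives for turning the option off; a non-empty 'inconsistent' result identifies the clients to fix so that the option can stay on.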

nfs.mount_rootonly
When enabled, the mount server will deny the request if the client is not root user using privileged ports. Valid values for this option are on (enabled) or off (disabled). The default value for this option is on for more secure access.

nfs.mountd.trace
When enabled, all mount requests are logged. This option is intended to help debug denied mount requests. Valid values for this option are on (enabled) or off (disabled). The default value for this option is off to avoid generating too many messages. The logging output is stored in /etc/messages.

nfs.max_num_aux_groups
The default value for this option is 32. This option controls the maximum number of auxiliary UNIX groups of which a UNIX user can be a member. Valid values: 32 or 256.

nfs.netgroup.strict
When enabled, all entries in the export access lists which do not have a `@' prepended are considered to not be netgroups. This setting will bypass a potentially spurious netgroup lookup for each non-netgroup entry in the access lists. Entries in the export access lists which do not have a `@' prepended need to be unexported and re-exported for this option to take effect.

nfs.notify.carryover
This is set to on by default. When set to off, the hosts present in the /etc/sm/notify file are not sent NSM reboot notifications after a node panic/reboot. A zero-byte file /etc/sm/.dontcarryover is created after at least one round of notifications or after one hour passes since the notifications began (whichever comes later). If the /etc/sm/.dontcarryover file exists and the above option is false, then the existing /etc/sm/notify file is truncated. In all other cases, the existing /etc/sm/notify file is used for subsequent notifications.

nfs.per_client_stats.enable
Enables/disables the collection and display of per-client NFS statistics, as described in na_nfsstat(1). Valid values for this option are on or off. The default value for this option is off.

nfs.require_valid_mapped_uid
If this option is "on" it forces all NFS requests to be successfully mapped via the /etc/usermap.cfg mechanism. This allows NFS requests to be selectively validated by UID or IP address. This mapping is described in na_usermap.cfg(5). Valid values for this option are on or off. The default value for this option is off.

nfs.response.trace
If this option is "on", it forces all NFS requests which have exceeded the time set in nfs.response.trigger to be logged. If this option is "off", only one message will be logged per hour. The default value for this option is off.

nfs.response.trigger
Any NFS request which takes longer to complete than the time set by this option will be logged, according to the state of nfs.response.trace. The results of this option can be used to determine if the client side message "NFS Server not responding" is due to the server or the network. The default value for this option is 60 seconds.

nfs.rpcsec.ctx.high
The default is zero. If set to a value other than zero it sets a high-water mark on the number of stateful RPCSEC_GSS (see RFC2203) authentication contexts (today, only Kerberos V5 produces stateful authentication state in NFS). If it is zero, then no explicit high-water mark is set.

nfs.rpcsec.ctx.idle
Default is 360 seconds. This is the amount of time, in seconds, an RPCSEC_GSS context (see the description for the nfs.rpcsec.ctx.high option) will be permitted to be unused before it is deleted.

nfs.rpcsec.trace
When enabled, all rpcsec_gss authentication requests are logged. This option is intended to help debug denied rpcsec_gss requests. Valid values for this option are on (enabled) or off (disabled). The default value for this option is off to avoid generating too many messages. The logging output is stored in /etc/messages.

nfs.tcp.enable
When enabled, the NFS server supports NFS over TCP. By default, the feature is disabled since some clients which support NFS over TCP do so with performance inferior to UDP. It can be enabled if this is not an issue in your environment. Valid values for this option are on or off. The default value for this option is on.

nfs.udp.enable
When enabled, the NFS server supports NFS over UDP. Valid values for this option are on or off. The default value for this option is on.

nfs.thin_prov.ejuke
This option is on by default. When enabled, the NFS server sends EJUKEBOX to the client. The client can then resend the request after some delay. When the option is disabled, the NFS server sends EOFFLINE and terminates the connection.

nfs.ipv6.enable
When enabled, the NFS server supports IPv6 based services. By default, the feature is disabled. Enabling NFS over IPv6 requires a restart of the nfs services with an nfs off and nfs on. Disabling NFS IPv6 support would not affect the IPv4 traffic. The ONTAP IPv6 stack should be turned on with the ip.v6.enable option before NFS can run over IPv6. Valid values for this option are on or off. The default value for this option is off.

nfs.ifc.rcv.high
The option nfs.ifc.rcv.high controls the high watermark after which the NFS level flow control will kick in. This option is also controlled by nfs.tcp.recvwindowsize. Changing the nfs.tcp.recvwindowsize option will automatically change the value of nfs.ifc.rcv.high.

nfs.ifc.rcv.low
This option sets the lower limit for the NFS flow control window.

nfs.ifc.xmt.high
NFS goes into transmit flow control when the send window is full and the number of outstanding requests increases beyond nfs.ifc.xmt.high. At that time NFS will stop reading from the TCP input window. The default value for this option is set to 16. Its maximum limit is 64. This is a persistent option.

nfs.ifc.xmt.low
NFS comes out of flow control when the number of outstanding requests goes below nfs.ifc.xmt.low. The default value for this option is set to 8. Its minimum value is 0. This is a persistent option.

nfs.hide_snapshot
This is off by default and is persistent across reboots. This is effective only when nosnapdir is disabled. Setting this option to on allows snapshots to be hidden in the NFS directory listings. The .snapshot directory itself is visible, but the actual snapshots will be hidden. At the same time, an explicit access to snapshots is allowed even though they are not visible in the directory listings.

Also, when this option is set to on, a hidden ".snapshot" directory is available within the ".snapshot" directory. This new entry is not visible in the directory listings of parent ".snapshot" but when accessed, will give the list of named snapshots that were hidden in the parent ".snapshot" directory. Basically, this provides a convenient way to see the list of snapshots available in the parent ".snapshot" directory, even when this option is set to on.

NOTE: When this option is on and you have mounted a path ending with ".snapshot", `pwd' may not work correctly in such a mounted path and its directory tree on the client. As a result, any applications that depend on obtaining the current working directory using the standard UNIX library calls like getcwd(3C) may not function correctly. The exact result reported when asked for the current working directory is dependent on the client's `pwd' implementation.

nfs.udp.xfersize
The maximum transfer size (in bytes) that the NFS mount protocol will negotiate with the client for UDP transport. Larger transfer sizes often result in better NFS performance. The default is 32768. The maximum value for this option is 57344 (56K).

nfs.v2.df_2gb_lim
Causes the node to return replies to the "file system statistics" NFS version 2 request that shows no more than (2**31)-1 (or 2,147,483,647) total, free, or available bytes (i.e., 2GB) on the file system.

Some NFS clients require this option because, if they get return values from the "file system statistics" request with more than the specified number of bytes, they'll incorrectly compute the amount of free space on the file system, and may think that there's no free space on a file system that has more than 2GB free. Valid values for this option are on or off. The default value for this option is off.

nfs.v2.enable
When enabled, the NFS server supports NFS version 2. Valid values for this option are on (enabled) or off (disabled). The default value for this option is on.

In certain cases, enabling this option does not automatically enable MOUNT support at version 2 level, causing a subsequent mount operation to fail. If this occurs - or to avoid the issue - stop and restart the NFS server after enabling this option.

nfs.v3.enable
When enabled, the NFS server supports NFS version 3. Disable this option if there is a problem with some client when using NFS version 3, and that client can be configured to use NFS version 2. Valid values for this option are on (enabled) or off (disabled). The default value for this option is on.

In certain cases, enabling this option does not automatically enable MOUNT version 3 of the NFS server. Hence, a fresh mount over NFS version 3 may not be successful. A workaround would be to switch NFS server off followed by switching it on.

nfs.v4.enable
When enabled, the NFS server supports NFS version 4. NFS version 4 support is only over the TCP protocol. Valid values for this option are on (enabled) or off (disabled). The default value for this option is off.

nfs.nfs_rootonly
When enabled, the NFS server will reject client requests from non-reserved ports (>= 1024), except for the NULL call. Ports lower than 1024 can only be used by the root user. Valid values for this option are on (enabled) or off (disabled). The default value for this option is off.

nfs.v4.read_delegation
Read delegations allow NFS version 4 clients to do read operations locally without contacting the server. These include open for read, read locks and file read operations. Both the server and client must support read delegations for this feature to work. When enabled, read delegations are supported for NFS version 4. This feature is not supported for NFS versions 2 and 3. The default value for this option is off.

nfs.v4.write_delegation
Write delegations allow NFS version 4 clients to do write operations locally without contacting the server. These include open for write, write locks and writing to files. Both the server and client must support write delegations for this feature to work. When enabled, write delegations are supported for NFS version 4. This feature is not supported over NFS versions 2 and 3. Valid values for this option are on (enabled) or off (disabled). The default value for this option is off.

nfs.v4.id.domain
This option controls the domain portion of the string form of user and group names as defined in the NFS version 4 protocol. The domain name is normally taken from the NIS domain in use, or otherwise from the DNS domain. However if this option is set, it will override this default behavior.

nfs.v4.id.allow_numerics
This option allows numeric string identifiers in NFSv4 owner attributes. The default value for this option is off. Numeric string identifiers in NFSv4 owner attributes will be treated as NOBODY if this option is off.

nfs.v4.acl.enable
When enabled, ACLs are supported for NFS version 4. The ACL option controls setting and getting NFSV4 ACLs. It does not control enforcement of these ACLs for access checking. This feature is not supported over NFS versions 2 and 3. The default value for this option is off.

nfs.vstorage.enable
When enabled, the NFS vStorage feature is supported. The vStorage option provides the Copy Offload (server side copy) feature. The default value for this option is off.

nfs.ntacl_display_permissive_perms
This option controls the permissions that are displayed to NFS version 3 and NFS version 4 clients on a file/directory that has an NT ACL set. When enabled, the permissions displayed are based on the maximum access granted by the NT ACL to any user. When disabled, the permissions displayed are based on the minimum access granted by NT ACL to any user. The default value for this option is off.

nfs.webnfs.enable
When enabled, the NFS server supports WebNFS lookups. Valid values for this option are on (enabled) or off (disabled). The default value for this option is off.

nfs.webnfs.rootdir
Specifies the WebNFS rootdir. Once the rootdir is set, WebNFS clients can issue lookups relative to the rootdir using the public filehandle. The default value for this option is `XXX'. This option is only used when nfs.webnfs.rootdir.set is on, and nfs.webnfs.rootdir.set can only be on if this option contains the fully qualified pathname to a valid, existing directory.

nfs.webnfs.rootdir.set
This option needs to be enabled for the rootdir setting to take effect. Disabling this option disables the existing rootdir setting. Valid values for this option are on (enabled) or off (disabled). The default value for this option is off. Note that this option can only be enabled if the nfs.webnfs.rootdir option contains a fully qualified pathname to a valid, existing directory.
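
The checker below is an added example, not part of the original manual page or of Data ONTAP. It takes a set of NFS option values and reports combinations that contradict the descriptions above: the nfs.kerberos.file_keytab.enable, nfs.v4.enable, nfs.ipv6.enable and nfs.webnfs.rootdir.set dependencies, and the stated numeric limits. The input layout (one "option value" pair per line), the function names and the sample values are assumptions made for illustration.

```python
import re

TRUE = {"on", "yes", "true", "1"}   # accepted spellings of "on", in any case
SEVEN_DAYS = 7 * 24 * 3600

# Numeric limits stated in the option descriptions: (minimum, maximum).
LIMITS = {
    "nfs.export.harvest.timeout": (60, SEVEN_DAYS),
    "nfs.export.neg.timeout": (60, SEVEN_DAYS),
    "nfs.export.pos.timeout": (60, SEVEN_DAYS),
    "nfs.ifc.xmt.high": (None, 64),
    "nfs.ifc.xmt.low": (0, None),
    "nfs.udp.xfersize": (None, 57344),
}
# Assumed layout: dotted option name, then optional whitespace and value.
LINE = re.compile(r"\s*([a-z]\w*(?:\.\w+)+)(?:\s+(.*?))?\s*$")


def parse_options(text):
    """Return {option: value}; an option with no value maps to the null string."""
    opts = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            opts[m.group(1)] = (m.group(2) or "").strip('"')
    return opts


def check_nfs_options(opts):
    """Return findings for settings that contradict the option descriptions."""
    def on(name, default="off"):
        return opts.get(name, default).lower() in TRUE

    findings = []
    if on("nfs.kerberos.file_keytab.enable"):
        for dep in ("nfs.kerberos.principal", "nfs.kerberos.realm"):
            if not opts.get(dep):
                findings.append(
                    f"{dep} is empty while nfs.kerberos.file_keytab.enable is on")
    if on("nfs.webnfs.rootdir.set") and \
            not opts.get("nfs.webnfs.rootdir", "").startswith("/"):
        findings.append("nfs.webnfs.rootdir.set is on but nfs.webnfs.rootdir "
                        "is not a fully qualified pathname")
    if on("nfs.v4.enable") and not on("nfs.tcp.enable", default="on"):
        findings.append("nfs.v4.enable is on but nfs.tcp.enable is off; "
                        "NFS version 4 is supported only over TCP")
    if on("nfs.ipv6.enable") and not on("ip.v6.enable"):
        findings.append("nfs.ipv6.enable is on but ip.v6.enable is not shown as on")
    for name, (low, high) in LIMITS.items():
        if name not in opts:
            continue
        try:
            value = int(opts[name])
        except ValueError:
            findings.append(f"{name} is not an integer: {opts[name]!r}")
            continue
        if (low is not None and value < low) or (high is not None and value > high):
            findings.append(f"{name} = {value} is outside the documented limits")
    aux = opts.get("nfs.max_num_aux_groups")
    if aux is not None and aux not in ("32", "256"):
        findings.append(f"nfs.max_num_aux_groups = {aux} is not 32 or 256")
    return findings


# Constructed sample input, not captured from a real node.
SAMPLE = """\
nfs.kerberos.file_keytab.enable on
nfs.kerberos.principal       elrond.mycompany.com
nfs.kerberos.realm
nfs.tcp.enable               off
nfs.v4.enable                On
nfs.webnfs.rootdir           XXX
nfs.webnfs.rootdir.set       on
nfs.export.neg.timeout       30
nfs.max_num_aux_groups       64
nfs.mount_rootonly           on
"""

if __name__ == "__main__":
    for finding in check_nfs_options(parse_options(SAMPLE)):
        print(finding)
```

Whether the rootdir names a valid, existing directory can only be verified on the node itself; the checker tests the pathname form alone.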

nis.domainname
Sets the NIS domain to the specified domainname. The default value for this option is the null string.

nis.enable
Enables NIS client on the node. The NIS domain must be set prior to enabling NIS. Valid values for this option are on or off. The default value for this option is off.

nis.group_update.enable
Enables the local caching of the NIS group files. Valid values for this option are on or off. The default value for this option is off.

nis.group_update_schedule
Specifies the hours of the day when the local NIS group cache has to be updated. `now' will update the cache immediately. The valid value for this option is a comma separated list of hours, in the range of 1 to 24. The default value for this option is 24.

nis.netgroup.domain_search.enable
Specifies whether netgroup entry comparisons will consider the domainnames in the search directive from /etc/resolv.conf. The default value for this option is on.

nis.netgroup.legacy_nisdomain_search.enable
Specifies whether netgroup entry comparisons will consider the legacy SUNOS compatible nisdomainname in the search directive. The default value for this option is on.

nis.servers
Specifies the list of preferred NIS servers. Valid values for this option are `*' or a comma separated list of IP addresses. The default value for this option is `*'.

nis.slave.enable
Enables NIS slave on the node. Valid values for this option are on or off. The default value for this option is off.

nlm.cleanup.timeout
This timeout value controls the maximum duration for which nlm tries to clean up stale objects. The default value for this option is 100 milliseconds.

nlm.trace
When enabled, all asynchronous nlm requests and server callbacks are logged. This option is intended to help debug asynchronous nlm requests and all lock requests which were blocked on the server because of a conflict and require the server to send a callback to the client. This option is persistent across reboots so it should be used carefully. Valid values for this option are on (enabled) or off (disabled). The default value for this option is off to avoid too many messages.

pcnfsd.access_check
If on, enables synchronization between PCNFSD and NFS locks (shared vs byte locks) on the file objects. See burt 249076. Any change to this option requires a node reboot to become effective.

pcnfsd.enable
Enables/disables the PCNFSD (PC)NFS authentication request server (see na_pcnfsd(8)). Valid values for this option are on or off. The default value for this option is off.

rquotad.enable
Enables/disables the RQUOTA daemon (see na_rquotad(8)). Valid values for this option are on or off. The default value for this option is on.

pcnfsd.umask
Specifies the default umask for files created by (PC)NFS clients. The value of this option is a three-digit octal number, and the digits correspond to the read, write, and execute permissions for owner, group, and other, respectively. The default value for this option is 022, which means that files normally created with mode 666 effectively will have mode 644. ("644" means that the file owner has read and write permissions, but the members of the group and others have only read permission.)

nfs.always.deny.truncate
This option controls whether NFSv2 and NFSv3 clients can truncate a file in UNIX qtree when the same file is also opened from a CIFS client with DENY write permissions. Valid values for this option are on (enabled) or off (disabled). The default value for this option is on.

If you enable this option, NFSv2 and NFSv3 clients cannot modify a file when the file is opened from a CIFS client with DENY write permissions. This protects the file's integrity in such a scenario.

If you disable this option, NFSv2 and NFSv3 clients can modify a file when the file is opened from a CIFS client with DENY write permissions. You might want to disable this option in an environment where UNIX semantics need to prevail on a UNIX qtree for stateless clients like NFSv2 and NFSv3. However, in some situations this can lead to the file's integrity being compromised.

ra.path_switch.threshold
When excessive errors are encountered on a device within a short enough time period to raise concern that there might be a faulty component between the Fibre Channel initiator and backend storage, a scsi.path.excessiveErrors EMS event is logged and the associated path will be avoided by Data ONTAP.

This option controls the sensitivity of intermittent path error detection. Setting this option to a lower value will reduce the number of errors required to trigger the avoidance functionality. Setting it to a higher value requires more errors to trigger this event and decreases the sensitivity of path failure detection.

Valid values for this threshold range from 1 to 2000. The default value for this option is 100 and should only be changed when recommended by service personnel.

raid.background_disk_fw_update.enable
Determines the behavior of automatic disk firmware update. Valid values for this option are on or off. The default value for this option is on. If the option is set to on, firmware updates to spares and filesystem disks within RAID-DP, mirrored RAID-DP and mirrored RAID4 volumes are performed in a nondisruptive manner via a background process. Firmware updates for disks within RAID4 volumes will, however, be done at boot. If the option is turned off, then disk firmware update is run manually. When disk firmware update runs manually, it makes disks inaccessible for up to 2 minutes, so network sessions using the node should be closed down before running it. This is particularly true for CIFS sessions, which will normally be terminated while the disk firmware update command executes. This whole process is very disruptive to the operation of the node and is highly discouraged.

raid.disk.copy.auto.enable
Determines the action taken when a disk reports a predictive failure. Valid values for this option are on or off. The default value for this option is on.

Sometimes, it is possible to predict that a disk will fail soon based on a pattern of recovered errors that have happened on the disk. In such cases, the disk will report a predictive failure to Data ONTAP. If this option is set to on, Data ONTAP will initiate Rapid RAID Recovery to copy data from the failing disk to an available spare. When data is copied, the disk will be failed and placed in the pool of broken disks. If a spare is not available, the node will continue to use the prefailed disk until the disk fails.

If the option is set to off, the disk will be failed immediately and placed in the pool of broken disks. A spare will be selected and data from the missing disk will be reconstructed from other disks in the RAID group. The disk will not be failed if the RAID group is already degraded or reconstructing so that another disk failure would lead to a failure of the whole RAID group.

raid.disktype.enable
This option is obsolete. Use options raid.mix.hdd.disktype.capacity and raid.mix.hdd.disktype.performance instead.

raid.mix.hdd.disktype.performance
Controls mixing of FCAL and SAS disk types. The default value is off, which prevents mixing.

If you set this option to on, FCAL and SAS disk types are considered interchangeable for all aggregate operations, including aggregate creation, adding disks to an aggregate, and replacing disks within an existing aggregate, whether this is done by the administrator or automatically by Data ONTAP.

When this option is set to off, FCAL and SAS disks cannot be combined within the same aggregate. If you have existing aggregates that combine those disk types, those aggregates will continue to function normally and accept either disk type.

raid.mix.hdd.disktype.capacity
Controls mixing of SATA, BSAS, FSAS and ATA disk types. The default value is on, which allows mixing.

When this option is set to on, SATA, BSAS, FSAS and ATA disk types are considered interchangeable for all aggregate operations, including aggregate creation, adding disks to an aggregate, and replacing disks within an existing aggregate, whether this is done by the administrator or automatically by Data ONTAP.

If you set this option to off, SATA, BSAS, FSAS and ATA disks cannot be combined within the same aggregate. If you have existing aggregates that combine those disk types, those aggregates will continue to function normally and accept any of those disk types.

raid.media_scrub.enable
Enables/disables continuous background media scrubs for all aggregates (including those embedded in traditional volumes) in the system. Valid values for this option are on or off. The default value for this option is on. When enabled, a low-overhead version of scrub which checks only for media errors runs continuously on all aggregates in the system. Background media scrub incurs negligible performance impact on user workload and uses aggressive disk and CPU throttling to achieve that.

raid.media_scrub.spares.enable
Enables/disables continuous background media scrubs for all spare drives within the system. Valid values for this option are on or off. The default value for this option is on. When enabled, a low-overhead version of scrub which checks only for media errors runs continuously on all spare drives of the system. Background media scrub incurs negligible performance impact on user workload and uses aggressive disk and CPU throttling to achieve that. This option is used in conjunction with raid.media_scrub.enable, which enables/disables media_scrub on a system-wide basis. The value for this option has no effect if the system-wide option is set to off.

raid.media_scrub.rate
Sets the rate of media scrub on an aggregate (including those embedded in traditional volumes). Valid values for this option range from 300 to 3000 where a rate of 300 represents a media scrub of approximately 512 MBytes per hour, and 3000 represents a media scrub of approximately 5 GBytes per hour. The default value for this option is 600, which is a rate of approximately 1 GByte per hour.

raid.min_spare_count
Specifies the minimum number of spare drives required to avoid warnings for low spares. If there are at least raid.min_spare_count spare drives that are appropriate replacements for any filesystem disk, then there will be no warnings for low spares. This option can be set from 0 to 4. The default setting is 1. Setting this option to 0 means that there will be no warnings for low spares even if there are no spares available. This option can be set to 0 only on systems with 16 or fewer attached drives and that are running with RAID-DP aggregates. A setting of 0 is not allowed on systems with RAID4 aggregates.

raid.mirror_read_plex_pref
Specifies the plex preference when reading from a mirrored traditional volume or aggregate on a MetroCluster-configured system. There are three possible values -- `local' indicates that all reads are handled by the local plex (plex consisting of disks from Pool0), `remote' indicates that all reads are handled by the remote plex (plex consisting of disks from Pool1), and `alternate' indicates that the handling of read requests is shared between the two plexes. This option is ignored if the system is not in a MetroCluster configuration, that is, option cf.remote_syncmirror.enable is not enabled. The option setting applies to all traditional volumes and aggregates on the node.

raid.mirror_skip_config_checks
Enables/disables the enforcement of disk pool separation in RAID SyncMirror. Valid values are on or off. The default value is off. When set to off, RAID checks when the first mirrored aggregate is created that disks are separated into pools based on the adapter loop they are attached to. When set to on, these checks are bypassed. Disk pool separation is important for SyncMirror robustness. Therefore, this option should be used with care.

raid.reconstruct_speed
This option is obsolete. See raid.reconstruct.perf_impact for the option that controls the effect of RAID reconstruction.

raid.reconstruct.perf_impact
Sets the overall performance impact of RAID reconstruction. When the CPU and disk bandwidth are not consumed by serving clients, RAID reconstruction consumes as much as it needs. If the serving of clients is already consuming most or all of the CPU and disk bandwidth, this option allows control over how much of the CPU and disk bandwidth will be taken away for reconstruction, and hence how much of a negative performance impact it will be to the serving of clients. As the value of this option is increased, the speed of reconstruction will also increase. The possible values for this option are low, medium, and high. The default value is medium. There is also a special value of default, which will use the current default value. When mirror resync and reconstruction are running at the same time, the system does not distinguish between their separate resource consumption on shared resources (like CPU or a shared disk). In this case, the resource utilization of these operations taken together is limited to the maximum of their configured individual resource entitlements.

raid.reconstruct.wafliron.enable
Enables starting wafliron (see na_vol(1)) when reconstruction encounters a medium error. Valid values for this option are on and off. The default value for this option is on. When a medium error is encountered in an aggregate during reconstruction, access to the volume(s) it contains is temporarily restricted and reconstruction proceeds, bypassing media errors. If this option is enabled, wafliron is started automatically, thus bringing the aggregate and its volume(s) back online. If this option is disabled, the volume(s) stay restricted.

raid.resync.perf_impact
Sets the overall performance impact of RAID mirror resync (whether started automatically by the system or implicitly by an operator-issued command). When the CPU and disk bandwidth are not consumed by serving clients, a resync operation consumes as much as it needs. If the serving of clients is already consuming most or all of the CPU and disk bandwidth, this option controls how much of the CPU and disk bandwidth will be taken away for resync operations, and hence how much of a negative performance impact it will be to the serving of clients. As the value of this option is increased, the speed of resync will also increase. The possible values for this option are low, medium, and high. The default value is medium. There is also a special value of default, which will use the current default value. When RAID mirror resync and reconstruction are running at the same time, the system does not distinguish between their separate resource consumption on shared resources (like CPU or a shared disk). In this case, the resource utilization of these operations taken together is limited to the maximum of their configured individual resource entitlements.

raid.rpm.ata.enable
This option is obsolete. Use option raid.mix.hdd.rpm.capacity instead.

raid.mix.hdd.rpm.capacity
Controls separation of capacity-based hard disk drives (ATA, SATA, BSAS, FSAS, MSATA) by uniform rotational speed (RPM). If you set this option to off, Data ONTAP always selects disks with the same RPM when creating new aggregates or when adding disks to existing aggregates using these disk types. If you set this option to on, Data ONTAP does not differentiate between these disk types based on rotational speed. For example, Data ONTAP might use both 5400 RPM and 7200 RPM disks in the same aggregate. The default value is on.

raid.rpm.fcal.enable
This option is obsolete. Use option raid.mix.hdd.rpm.performance instead.

raid.mix.hdd.rpm.performance
Controls separation of performance-based hard disk drives (SAS, FCAL) by uniform rotational speed (RPM). If you set this option to off, Data ONTAP always selects disks with the same RPM when creating new aggregates or when adding disks to existing aggregates using these disk types. If you set this option to on, Data ONTAP does not differentiate between these disk types based on rotational speed. For example, Data ONTAP might use both 10K RPM and 15K RPM disks in the same aggregate. The default value is off.

raid.scrub.duration
Sets the duration of automatically started scrubs, in minutes. If this is not set or set to 0, it defaults to 6 hours (360 minutes). If set to `-1', all automatic scrubs will run to completion.

raid.scrub.enable
Enables/disables the RAID scrub feature (see na_disk(1)). Valid values for this option are on or off. The default value for this option is on. This option only affects the scrubbing process that gets started from cron. This option is ignored for user-requested scrubs.

raid.scrub.perf_impact
Sets the overall performance impact of RAID scrubbing (whether started automatically or manually). When the CPU and disk bandwidth are not consumed by serving clients, scrubbing consumes as much as it needs. If the serving of clients is already consuming most or all of the CPU and disk bandwidth, this option controls how much of the CPU and disk bandwidth will be taken away for scrubbing, and hence how much of a negative performance impact it will be to the serving of clients. As the value of this option is increased, the speed of scrubbing will also increase. The possible values for this option are low, medium, and high. The default value is low. There is also a special value of default, which will use the current default value. When scrub and mirror verify are running at the same time, the system does not distinguish between their separate resource consumption on shared resources (like CPU or a shared disk). In this case, the resource utilization of these operations taken together is limited to the maximum of their configured individual resource entitlements.

raid.scrub.schedule
Specifies the weekly schedule (day, time, and duration) for scrubs started automatically by the raid.scrub.enable option. The default schedule is Sunday 1 a.m. for the duration specified by the raid.scrub.duration option. If an empty string ("") is specified as an argument, it will delete the previous scrub schedule and add the default schedule. One or more schedules can be specified using this option. The syntax is duration[h|m]@weekday@start_time,[duration[h|m]@weekday@start_time,...] where duration is the time period for which scrub operation is allowed to run, in hours or minutes (`h' or `m' respectively). If duration is not specified, the raid.scrub.duration option value will be used as duration for the schedule.

weekday is the day when scrub operation should start. Valid values are sun, mon, tue, wed, thu, fri, sat.

start_time is the time when scrub should start, specified in 24 hour format. Only the hour (0-23) needs to be specified.

For example, options raid.scrub.schedule 240m@tue@2,8h@sat@22 will cause scrub to start on every Tuesday at 2 a.m. for 240 minutes, and on every Saturday at 10 p.m. for 480 minutes.
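The schedule syntax above can be validated offline before it is pushed to a node. The parser below is an added example, not NetApp code; the names ScrubWindow, effective_duration and parse_schedule are hypothetical, and it assumes that a duration always carries its unit and that an entry without a duration is written weekday@hour or @weekday@hour, since the page does not show that form.

```python
import re
from typing import List, NamedTuple

WEEKDAYS = ("sun", "mon", "tue", "wed", "thu", "fri", "sat")
RUN_TO_COMPLETION = -1  # raid.scrub.duration value meaning "no time limit"


class ScrubWindow(NamedTuple):
    weekday: str        # one of WEEKDAYS
    start_hour: int     # 0-23, 24-hour clock
    duration_min: int   # minutes, or RUN_TO_COMPLETION


def effective_duration(raid_scrub_duration: int = 0) -> int:
    """Apply the raid.scrub.duration rules: unset/0 -> 360 minutes, -1 -> no limit."""
    if raid_scrub_duration == RUN_TO_COMPLETION:
        return RUN_TO_COMPLETION
    if raid_scrub_duration < 0:
        raise ValueError("raid.scrub.duration must be -1, 0 or a positive minute count")
    return raid_scrub_duration or 360


# duration[h|m]@weekday@start_time. Assumptions: a duration always carries its
# unit, and an entry without a duration is "weekday@hour" or "@weekday@hour".
_ENTRY = re.compile(r"^(?:(\d+)([hm])@|@)?([a-z]+)@(\d{1,2})$")


def parse_schedule(value: str, raid_scrub_duration: int = 0) -> List[ScrubWindow]:
    """Parse a raid.scrub.schedule value into validated scrub windows."""
    fallback = effective_duration(raid_scrub_duration)
    if value.strip() in ("", '""'):
        # An empty string restores the default schedule: Sunday 1 a.m.
        return [ScrubWindow("sun", 1, fallback)]

    windows = []
    for raw in value.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue  # tolerate a trailing comma (assumption)
        match = _ENTRY.match(entry)
        if match is None:
            raise ValueError(f"malformed schedule entry: {raw!r}")
        count, unit, weekday, hour = match.groups()
        if weekday not in WEEKDAYS:
            raise ValueError(f"unknown weekday in {raw!r}")
        if int(hour) > 23:
            raise ValueError(f"start hour out of range in {raw!r}")
        if count is None:
            minutes = fallback  # falls back to raid.scrub.duration
        else:
            minutes = int(count) * (60 if unit == "h" else 1)
        windows.append(ScrubWindow(weekday, int(hour), minutes))
    if not windows:
        raise ValueError("no schedule entries found")
    return windows


if __name__ == "__main__":
    # The example value from the text above.
    for window in parse_schedule("240m@tue@2,8h@sat@22"):
        print(window)
```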

raid.timeout
Sets the time, in hours, that the system will run after a single disk failure in a RAID4 group or a two disk failure in a RAID-DP group has caused the system to go into degraded mode or double degraded mode respectively, or after NVRAM battery failure has occurred. The default is 24, the minimum acceptable value is 0 and the largest acceptable value is 4,294,967,295. If the raid.timeout option is specified when the system is in degraded mode or in double degraded mode, the timeout is set to the value specified and the timeout is restarted. If the value specified is 0, automatic system shutdown is disabled.

raid.verify.perf_impact
Sets the overall performance impact of RAID mirror verify. When the CPU and disk bandwidth are not consumed by serving clients, a verify operation consumes as much as it needs. If the serving of clients is already consuming most or all of the CPU and disk bandwidth, this option controls how much of the CPU and disk bandwidth will be taken away for verify, and hence how much of a negative performance impact it will be to the serving of clients. As you increase the value of this option, the verify speed will also increase. The possible values for this option are low, medium, and high. The default value is low. There is also a special value of default, which will use the current default value. When scrub and mirror verify are running at the same time, the system does not distinguish between their separate resource consumption on shared resources (like CPU or a shared disk). In this case, the resource utilization of these operations taken together is limited to the maximum of their configured individual resource entitlements.

replication.logical.reserved_transfers
This option guarantees that the specified number of qtree SnapMirror or SnapVault source/destination transfers can always be run. Setting this option will reduce the maximum limits for all other transfer types. The default value for this option is 0.

replication.throttle.enable
Enables global network throttling of SnapMirror and SnapVault transfers. The default value for this option is off.

replication.throttle.incoming.max_kbs
This option specifies the maximum total bandwidth used by all the incoming (applied at destination) SnapMirror and SnapVault transfers, specified in kilobytes/sec. The default value for this option is unlimited, which means there is no limit on total bandwidth used. This option is valid only when the option replication.throttle.enable is on.

replication.throttle.outgoing.max_kbs
This option specifies the maximum total bandwidth used by all the outgoing (applied at source) SnapMirror and SnapVault transfers, specified in kilobytes/sec. The default value for this option is unlimited, which means there is no limit on total bandwidth used. This option is valid only when the option replication.throttle.enable is on.

replication.volume.reserved_transfers
This option guarantees that the specified number of volume SnapMirror source/destination transfers can always be run. Setting this option will reduce the maximum limits for all other transfer types. The default value for this option is 0.

replication.volume.use_auto_resync
This option enables auto resync functionality for Synchronous SnapMirror relations. If this option is enabled on Synchronous SnapMirror, the destination will update from the source using the latest common base snapshot, deleting all destination-side snapshots newer than the common base snapshot. The default value for this option is off.

rlm.setup
Displays whether the RLM has been configured. The RLM is configured through the setup or the rlm setup command.

rlm.autologout.enable
Enables or disables the automatic logout of idle RLM SSH connections. The default is on, which causes RLM SSH connections to be disconnected after the number of minutes specified by the rlm.autologout.timeout value. Any change to this option requires a logout from the RLM before it takes effect.

rlm.autologout.timeout
The number of minutes after which RLM SSH idle connections are disconnected if rlm.autologout.enable is on. The default is 60 minutes. Any change to this option requires a logout from the RLM before it takes effect.

rlm.ssh.access
Restricts SSH access to the RLM. For valid values, see na_rlmaccess(8).

rmc.setup
If LAN settings have been provided for a remote management controller, this will be set to on and the presence of its dedicated LAN interface and external power supply is periodically verified.

rpc.nlm.tcp.port
This option allows the NLM RPC service over TCP to be registered on a port other than the default. nfs off followed by nfs on is required to re-register the service on the new port. This is a per-host option and is persistent across reboots. The results are undefined if more than one RPC service is registered on the same port.

rpc.nlm.udp.port
This option allows the NLM RPC service over UDP to be registered on a port other than the default. nfs off followed by nfs on is required to re-register the service on the new port. This is a per-host option and is persistent across reboots. The results are undefined if more than one RPC service is registered on the same port.

rpc.nsm.tcp.port
This option allows the NSM RPC service over TCP to be registered on a port other than the default. nfs off followed by nfs on is required to re-register the service on the new port. This is a per-host option and is persistent across reboots. The results are undefined if more than one RPC service is registered on the same port.

rpc.nsm.udp.port
This option allows the NSM RPC service over UDP to be registered on a port other than the default. nfs off followed by nfs on is required to re-register the service on the new port. This is a per-host option and is persistent across reboots. The results are undefined if more than one RPC service is registered on the same port.

rpc.mountd.tcp.port
This option allows the MOUNTD RPC service over TCP to be registered on a port other than the default. nfs off followed by nfs on is required to re-register the service on the new port. This is a per-host option and is persistent across reboots. The results are undefined if more than one RPC service is registered on the same port.

rpc.mountd.udp.port
This option allows the MOUNTD RPC service over UDP to be registered on a port other than the default. nfs off followed by nfs on is required to re-register the service on the new port. This is a per-host option and is persistent across reboots. The results are undefined if more than one RPC service is registered on the same port.

rpc.pcnfsd.tcp.port
This option allows the PCNFSD RPC service over TCP to be registered on a port other than the default. nfs off followed by nfs on is required to re-register the service on the new port. This is a per-host option and is persistent across reboots. The results are undefined if more than one RPC service is registered on the same port.

rpc.pcnfsd.udp.port
This option allows the PCNFSD RPC service over UDP to be registered on a port other than the default. nfs off followed by nfs on is required to re-register the service on the new port. This is a per-host option and is persistent across reboots. The results are undefined if more than one RPC service is registered on the same port.

rpc.rquotad.udp.port
This option allows the RQUOTAD RPC service over UDP to be registered on a port other than the default. nfs off followed by nfs on is required to re-register the service on the new port. This is a per-host option and is persistent across reboots. This service is only registered over UDP. The results are undefined if more than one RPC service is registered on the same port.

rsh.access
Restricts rsh access to the node. For valid values, see na_protocolaccess(8).

rsh.enable
Enables the RSH server on the node. Valid values for this option are on or off. The starting default value on a factory install for this option is off.

security.admin.authentication
This option controls where the node finds authentication information for admins. Authentication can be done via the local administrative repository or through repositories found in the nsswitch.conf file. Authentication via nsswitch.conf allows ldap and nis centralized administration. The value of this option can be `internal', `nsswitch', `internal,nsswitch', or `nsswitch,internal'. The repositories are searched in the order specified. The default value is `internal'.

security.admin.nsswitchgroup
This option specifies which group found in the nsswitch.conf file has administrative access to the node. This option must be set to a valid group to give any nsswitch users login privileges. See na_useradmin(1) for more information about the admin role. The default value is no group.

security.passwd.firstlogin.enable
This option controls whether all admins (except for root) must change their passwords upon first login. A value of on means that newly created admins, or admins whose passwords were changed by another admin, may only run the passwd command until the password is changed. Default value is off.

security.passwd.lockout.numtries
This option controls how many login attempts an admin can make before the account is disabled. This account may be re-enabled by having a different admin change the disabled admin's password. If this value is default, then failing to log in will never disable an account. The default value for this option is 4294967295.

security.passwd.rootaccess.enable
This option controls whether root can have access to the system. A value of off means that root cannot login or execute any commands. This option is reset to on if a user changes root's password, or during a boot without etc/rc. By default, this option is on.

security.passwd.rules.enable
This option controls whether a check for password composition is performed when new passwords are specified. See na_passwd(1) and/or na_useradmin(1) for additional information on relevant affected functionality. A value of on means that the check will be made, and the password rejected if it doesn't pass the check. A value of off means that the check won't be made. The default value for this option is on. By default, this option does not apply to the users "root" or "Administrator" (the NT Administrator account).

security.passwd.rules.everyone
This option controls whether a check for password composition is performed for all users, including "root" and "Administrator". A value of off means that the checks do not apply to "root" or "Administrator" (but still may apply to all other users). The starting default value on a factory install or a newly created vfiler for this option is on. security.passwd.rules.enable must have the value on or this option is ignored.

security.passwd.rules.history
This option controls whether an administrator can reuse a previous password. A value of 5 means that the appliance will store 5 passwords, none of which an admin can re-use. A value of 0 means that an admin is not restricted by any previous password. The starting default value on a factory install or a newly created vfiler is 6. security.passwd.rules.enable must have the value on or this option is ignored. To prevent administrators from abusing this option by cycling through the password history, see the `-m' option in na_useradmin(1).

security.passwd.rules.maximum
This option controls the maximum number of characters a password can have. Though there is no default value for this option, only the first 16 characters are saved. Users with passwords greater than 14 characters will not be able to log in via the Windows interfaces, so if you are using Windows, we recommend setting this value to 14. security.passwd.rules.enable must have the value on or this option is ignored.

security.passwd.rules.minimum
This option controls the minimum number of characters a password must have. The default value for this option is 8. security.passwd.rules.enable must have the value on or this option is ignored.

security.passwd.rules.minimum.alphabetic
This option controls the minimum number of alphabetic characters a password must have. (NOTE: A password cannot be just digits and symbols.) These are capital and lowercase letters from a to z. The default value for this option is 2. security.passwd.rules.enable must have the value on or this option is ignored.

security.passwd.rules.minimum.uppercase
This option controls the minimum number of uppercase alphabetic characters ("A" to "Z") that a password must contain. If set to a non-zero value, a password cannot be comprised only of digits, symbols and lowercase characters. The default value for this option is 0 (zero). security.passwd.rules.enable must have the value on or this option is ignored.

security.passwd.rules.minimum.lowercase
This option controls the minimum number of lowercase alphabetic characters ("a" to "z") that a password must contain. If set to a non-zero value, a password cannot be comprised only of digits, symbols and uppercase characters. The default value for this option is 0 (zero). security.passwd.rules.enable must have the value on or this option is ignored.

security.passwd.rules.minimum.digit
This option controls the minimum number of digit characters a password must have. These are numbers from 0 to 9. The default value for this option is 1. security.passwd.rules.enable must have the value on or this option is ignored.

security.passwd.rules.minimum.symbol
This option controls the minimum number of symbol characters a password must have. These are whitespace and punctuation characters. The default value for this option is 0. security.passwd.rules.enable must have the value on or this option is ignored.
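The security.passwd.rules.* options above combine into one composition check. The sketch below is an added example that models that check with the defaults stated on this page; it is not Data ONTAP's implementation. The names PasswdRules, Verdict and check_password are hypothetical, password history is not modeled, and counting the character classes over the whole password (rather than the saved 16 characters) is an assumption.

```python
import string
from dataclasses import dataclass, field
from typing import List, Optional

SYMBOLS = set(string.punctuation + string.whitespace)  # "whitespace and punctuation"
EXEMPT_USERS = {"root", "Administrator"}
SAVED_CHARS = 16         # only the first 16 characters are saved
WINDOWS_LOGIN_MAX = 14   # longer passwords cannot log in via the Windows interfaces


@dataclass
class PasswdRules:
    """security.passwd.rules.* values; defaults are the ones stated on this page."""
    enable: bool = True
    everyone: bool = True
    minimum: int = 8
    maximum: Optional[int] = None  # the page gives no default
    min_alphabetic: int = 2
    min_uppercase: int = 0
    min_lowercase: int = 0
    min_digit: int = 1
    min_symbol: int = 0


@dataclass
class Verdict:
    violations: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        return not self.violations


def check_password(password: str, user: str,
                   rules: Optional[PasswdRules] = None) -> Verdict:
    """Return rule violations plus length caveats for a candidate password."""
    rules = rules or PasswdRules()
    verdict = Verdict()
    length = len(password)

    # Length caveats hold whether or not the composition rules are enabled.
    if length > SAVED_CHARS:
        verdict.warnings.append(f"only the first {SAVED_CHARS} characters are saved")
    if length > WINDOWS_LOGIN_MAX:
        verdict.warnings.append("too long to log in via the Windows interfaces")

    # rules.enable gates everything; rules.everyone decides the root exemption.
    if not rules.enable:
        return verdict
    if not rules.everyone and user in EXEMPT_USERS:
        return verdict

    if length < rules.minimum:
        verdict.violations.append(f"length {length} < minimum {rules.minimum}")
    if rules.maximum is not None and length > rules.maximum:
        verdict.violations.append(f"length {length} > maximum {rules.maximum}")

    # Assumption: classes are counted over the whole password, ASCII only.
    checks = [
        ("alphabetic", string.ascii_letters, rules.min_alphabetic),
        ("uppercase", string.ascii_uppercase, rules.min_uppercase),
        ("lowercase", string.ascii_lowercase, rules.min_lowercase),
        ("digit", string.digits, rules.min_digit),
        ("symbol", SYMBOLS, rules.min_symbol),
    ]
    for kind, alphabet, need in checks:
        have = sum(1 for ch in password if ch in alphabet)
        if have < need:
            verdict.violations.append(f"{have} {kind} < minimum {need}")
    return verdict


if __name__ == "__main__":
    # Constructed sample passwords, checked against the page defaults.
    for candidate in ("abc", "12345678!", "Storage4Admins", "correct horse battery1"):
        result = check_password(candidate, "alice")
        print(repr(candidate), result.accepted, result.violations, result.warnings)
```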

sftp.enable
When enabled (on), this option allows SFTP (SSH File Transfer Protocol) connections on port 22. When disabled (off), SFTP connection attempts are refused.

SFTP can be started only if SSH2 is enabled.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

sftp.auth_style
Sets the SFTP (SSH File Transfer Protocol) login authentication style. In mixed mode, usernames with "\" or "@" will authenticate via ntlm and those without will authenticate via unix. Setting ntlm or unix explicitly will force the respective authentication type regardless of the format of the username.

Default: mixed

Values: ntlm, unix, mixed

Effective: Upon SFTP client reconnection

Persistence: Remains in effect across system reboots

sftp.bypass_traverse_checking
When turned on, directories in the path to a file are not required to have the `X' (traverse) permission.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

sftp.dir_restriction
Sets user home directory restriction. The off (or none) setting indicates that there is no home directory restriction for regular users. When this option is set to on (or homedir), each named account user's access is restricted to that user's own home directory or to the override directory, if one is specified by the sftp.dir_override option.

Default: on

Values: on, off, none, homedir

Effective: Upon SFTP client reconnection

Persistence: Remains in effect across system reboots

sftp.dir_override
Sets the override path for the user home directory. A "" (null) value indicates no home directory override; users will be placed in their home directory upon login. When the value of this option is a valid directory path, users will be placed in that directory upon login. This option applies only to named user accounts. The behavior of the default user account is not affected by the value of sftp.dir_override.

Default: "" (null)

Effective: Upon SFTP client reconnection

Persistence: Remains in effect across system reboots

sftp.idle_timeout
Sets the time between requests that an SFTP (SSH File Transfer Protocol) session can be idle before it becomes a candidate for disconnection by the node.

Default: 900s

Min/Max: 300s - 48h in seconds (s), minutes (m) or hours (h)

Effective: Immediately

Persistence: Remains in effect across system reboots

sftp.log_enable
Enables/disables the logging of SFTP (SSH File Transfer Protocol) packets and data transfer operations.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

sftp.log_filesize
Specifies the maximum file size for SFTP (SSH File Transfer Protocol) logs in the /etc/log directory. When one of the active log files, such as sftp.cmd, reaches this size, it is renamed to sftp.cmd.1, and that renamed log history file is closed. If there is already a historical log file, such as sftp.cmd.1, that file is renamed to sftp.cmd.2. This renaming process continues sequentially for all historical log files, until the maximum number of historical log files (specified by sftp.log_nfiles) is reached. Once the maximum number of historical log files is reached, the oldest log file is deleted each time a new active log file is opened. See the description of the sftp.log_nfiles option for more information.

Default: 512k

Min/Max: 1K - 4G in gigabytes (G), megabytes (M), kilobytes (K) or bytes (blank)

Effective: Immediately

Persistence: Remains in effect across system reboots

sftp.log_nfiles
Sets the maximum number of log files to be kept for SFTP (SSH File Transfer Protocol). Once an active log file reaches the size limit determined by the sftp.log_filesize option, a new active log file is created. The old active log file is stored as a historical log file by appending the file name with ".1". All existing historical files are renamed by incrementing the numeric suffix; for example, "sftp.cmd.2" becomes "sftp.cmd.3" and so on. Only the number of files specified by sftp.log_nfiles are kept. When the maximum number of historical log files is exceeded, the highest-numbered (oldest) log file is deleted. For example, if nfiles is set to 6, sftp.cmd.5 would be deleted rather than renamed.

Default: 6

Min/Max: 1 - 100 files

Effective: Immediately

Persistence: Remains in effect across system reboots

sftp.locking
Sets the type of file locking used by SFTP (SSH File Transfer Protocol) during file retrieval. Setting this option to none designates that files are not to be locked in any way during file retrieval. When the value of this option is delete, files being retrieved cannot be deleted or renamed. When the value of this option is write, files being retrieved cannot be opened for write or deleted or renamed.

Default: none

Values: none, delete

Effective: Immediately

Persistence: Remains in effect across system reboots

sftp.max_connections
Sets the maximum number of concurrent SFTP (SSH File Transfer Protocol) connections allowed. This option is the limit of the total number of SFTP control connections allowed to the node, or to all vFilers hosted on the physical node. For HA configurations, the number of connections permitted is doubled when in takeover mode. If this setting is changed to a value that is lower than the current number of connected SFTP sessions, new connections will be refused until the total number of sessions falls below sftp.max_connections. Existing sessions are unaffected.

Default: 15

Min/Max: 0 - 15 connections

Effective: Immediately

Persistence: Remains in effect across system reboots

sftp.max_connections_threshold
This option allows an administrator to set a threshold on the number of concurrent SFTP (SSH File Transfer Protocol) connections. When this threshold is reached, an EMS message, sftp.connections.threshold, is generated to warn the administrator that the number of concurrent SFTP connections is approaching the maximum limit allowed by the option sftp.max_connections.

This option is set as a percentage of the maximum concurrent SFTP connections allowed by the option sftp.max_connections. If the value is set to zero, then this EMS generation is disabled.

Default: 75%

Min/Max: 0 - 99 percent

Effective: Immediately

Persistence: Remains in effect across system reboots

sftp.override_client_permissions
Enables/disables the override of permissions sent by the SFTP (SSH File Transfer Protocol) client. If enabled, the UNIX permissions set on a newly created file/directory would be 0755, irrespective of the permissions sent by the client.

Default: off

Effective: Immediately

Persistence: Remains in effect across system reboots

shelf.atfcx.auto.reset.enable
This option controls the automatic power-cycle feature of capable AT-FCX shelf enclosures. If enabled, capable shelf enclosures automatically power-cycle to recover from certain failures in a non-disruptive manner. Valid settings are on, off, and auto. The default value is auto. auto behaves the same as off in a Single Path HA storage configuration. auto behaves the same as on in any other storage configuration.

This option will only have effect on DS14mk2-AT shelf enclosures equipped with HE Power Reset Capable power supplies and NDR Capable AT-FCX Shelf Firmware.

shelf.esh4.auto.reset.enable
This option controls the automatic power-cycle feature of capable ESH4 shelf enclosures. If enabled, capable shelf enclosures automatically power-cycle to recover from certain failures in a non-disruptive manner. Valid settings are on, off, and auto. The default value is auto. auto behaves the same as off in a Single Path HA storage configuration. auto behaves the same as on in any other storage configuration.

This option will only have effect on DS14mk2-FC and DS14mk4-FC shelf enclosures equipped with HE Power Reset Capable power supplies and NDR Capable ESH4 Shelf Firmware Revision.

snaplock.autocommit_period
This option can be used to specify a time delay to be used with the SnapLock auto-commit feature. This feature automatically converts to WORM status any file on any SnapLock volume if the file has not changed during the delay period. The retention date on the committed file will be determined by the volume's default retention period.

To specify a time delay, set this option to a value consisting of an integer count followed by an indicator of the time period: `h' for hours, `d' for days, `m' for months, or `y' for years. For example, to specify an auto-commit delay period of 4 hours, set this option to `4h'.

To disable the SnapLock auto-commit feature, set this option to none. This is the default value.

The minimum delay that can be specified is two hours. Because auto-commits are performed by a scanner, it could take some time after the delay period ends for the file to be committed to WORM.

snaplock.compliance.write_verify
This option is used to verify all disk writes to SnapLock Compliance volumes. It is used when immediate verification of the recording process is required. By default the option is `off'.

Using this option will have a negative impact on volume performance.

snaplock.log.default_retention
This option can be used to specify a default retention policy for a secure log file. The default value is 6 months `6m' and cannot be set to less than 6 months. The option may be specified in m|y.

The default retention is used only when operations that are being logged do not specify a retention period. A secure log will be retained for the maximum retention time necessary to verify secure operations performed on files in the log.

snaplock.log.maximum_size
This option specifies the maximum size for a secure log before the file is closed and a new log file is generated for use by the secure logging infrastructure. The default value is `10m' and the possible values for units are `k', `m', `g' and `t'. If no unit is specified, the given size is assumed to be in bytes.

The minimum size of any log file is 100k and the maximum size is (4t-1).

snapmirror.access
This option determines which SnapMirror destination nodes may initiate transfers, and over which network interfaces. When set to "legacy", SnapMirror uses the older snapmirror.allow to determine access. The option value is a string containing an expression which provides the access filter. An example of the options command for snapmirror.access is options snapmirror.access host=toaster,fridge. The default value is "legacy". See na_snapmirror(1), na_snapmirror.allow(5) and na_protocolaccess(8) for more details.

snapmirror.checkip.enable
Enables IP address based verification of SnapMirror destination nodes by source nodes. Valid values are on or off. The default value is off. See na_snapmirror.allow(5) for more details.

snapmirror.delayed_acks.enable
Enables TCP/IP delayed acknowledgements. Disabling this can improve performance of SnapMirror network connections in high latency networks. Valid values are on or off. The default value is on.

This uses the slow start and congestion avoidance algorithms as described in RFC 2581. Do note that disabling this option can be disruptive to other clients on the same network as the SnapMirror connection.

snapmirror.volume.local_nwk_bypass.enable
Enables bypassing the network for local Volume SnapMirror transfers. Valid values for this option are on or off. The default value for this option is on. When the option is off, local Volume SnapMirror transfers use the network stack to transfer data.

snapmirror.enable
Enables or disables SnapMirror operations. Valid values for this option are on or off. The default value for this option is off. When on (SnapMirror must be licensed), SnapMirror data transfers and the SnapMirror scheduler are enabled. The commands snapmirror on and snapmirror off have the same effect as this option. See na_snapmirror(1) for more details.

snapmirror.log.enable
Determines whether SnapMirror activity is logged to the SnapMirror log file. The setting does not affect syslog output from SnapMirror. Valid values for this option are on or off. The default value for this option is on. When on, all the SnapMirror activities will be logged in /etc/log/snapmirror. See na_snapmirror(5) for more details.

snapvalidator.version
Determines the version of Oracle that will be validated by SnapValidator. This setting applies to all volumes that have the `svo_enable' option set to on. For more information on this option, see na_vol(1). Valid values for this option are 9 or 10. The default value for this option is 9.

snapvault.access
Restricts/allows client and server access to snapvault from a different node. The default value is "none". For valid values, see na_protocolaccess(8).

snapvault.enable
Enable or disable snapvault operation. Valid values for this option are on or off. The default value for this option is off.

snapvault.lockvault_log_volume
Configures the LockVault Log Volume. Valid values for this option are online SnapLock volume names. See na_snapvault(1) for details.

snapvault.nbu.archival_snap_default
Sets the default value for the vol option nbu_archival_snap on new volumes. The nbu_archival_snap vol option will be initialized according to the value of snapvault.nbu.archival_snap_default. This initialization occurs when the first SnapVault for NetBackup backup to that volume starts, unless the nbu_archival_snap vol option is already configured manually. Valid values for this option are on or off. The default value for this option is on.

snapvault.snapshot_for_dr_backup
This option is applicable at the Volume SnapMirror destination only, when SnapVault is used to back up a Volume SnapMirror destination. This option allows SnapVault to choose the primary snapshot for the backup. Valid values are vsm_base_only, named_snapshot_only and named_snapshot_preferred.

When the option is set to vsm_base_only, SnapVault backs up the most recent snapshot created by Volume SnapMirror.

When the option is set to named_snapshot_only, SnapVault backs up the snapshot requested by the destination. If the requested snapshot is not available at the Volume SnapMirror destination, then the backup will fail.

When the option is set to named_snapshot_preferred, SnapVault tries to back up the snapshot requested by the destination. If the requested snapshot is not available, then it backs up the most recent snapshot created by Volume SnapMirror.

The default value for this option is vsm_base_only.

snapvault.stale_config_cleanup_enable
This option enables or disables the cleanup of stale SnapVault configurations. The valid values for this option are on and off. The default value for this option is on.

snapvault.ossv.compression
This option enables or disables network compression for Open System SnapVault transfers. The valid values are on and off. The default value for this option is off. For a specific relationship this option is overridden by the per-relationship compression option when the per-relationship compression option has been set to values other than the default. See na_snapvault(1) for setting the per-relationship compression option.

snapvault.preservesnap
This option allows a user to enable/disable recycling of the SnapVault archival snapshots. The valid values are on and off. It applies only when the number of SnapVault archival snapshots reaches the retention count. When it is set to off, SnapVault will create room for a new snapshot by deleting the oldest SnapVault archival snapshot. When it is set to on, SnapVault will preserve all the existing SnapVault archival snapshots and fail the new snapshot creation. Further snapshots and SnapVault updates by that schedule will then not be possible until the user deletes older archived snapshot(s) to bring the count below the retention count, increases the retention count, or turns off this option. The default value for this option is off. For a specific relationship this option is overridden by the per-relationship preserve option when the per-relationship preserve option has been set to values other than the default. See na_snapvault(1) for setting the per-relationship preserve option.

snmp.access
Restricts SNMP access to the node. For valid values, see na_protocolaccess(8).

snmp.enable
Enables the SNMP server on the node. Valid values for this option are on or off. The default value for this option is on.

sparse.tcp_windowsize
Sets the TCP window size for sparse operations, including FlexCache. The default, 262144 bytes, works for many network environments. Change this value only when required for your network configuration. Changes to this option can strongly affect FlexCache performance. The option can be used on both the FlexCache node and the origin node.

sp.autologout.enable
Enables or disables the automatic logout of idle SP SSH connections. The default is on, which causes SP SSH connections to be disconnected after the number of minutes specified by the sp.autologout.timeout value. Any change to this option requires a logout from the SP before it takes effect.

sp.autologout.timeout
The number of minutes after which SP SSH idle connections are disconnected if sp.autologout.enable is on. The default is 60 minutes. Any change to this option requires a logout from the SP before it takes effect.

sp.setup
Displays whether the SP has been configured. The SP is configured through the setup or the sp setup command.

sp.ssh.access
Restricts SSH access to the SP. For valid values, see na_spaccess(8).

ssh.access
Restricts ssh access to the node. For valid values, see na_protocolaccess(8).

ssh.enable
Enables or disables the SSH 2.0 protocol on the node. Valid values for this option are on or off. The starting default value on a factory install for this option is on.

ssh.idle.timeout
Timeout value for ssh sessions in seconds. For example, options ssh.idle.timeout 300 will set the timeout value for ssh sessions to 300 seconds. The default value for this option is 600 seconds. A value of zero, the default setting, is interpreted as 600 seconds.

ssh.passwd_auth.enable
Enables or disables the password authentication on the ssh server. Valid values for this option are on or off. The default value for this option is on.

ssh.port
Changes the port of the ssh daemon. The default value for this option is 22.

ssh.pubkey_auth.enable
Enables or disables the public key authentication on the ssh server. Valid values for this option are on or off. The default value for this option is on.

ssh1.enable
Enables or disables the SSH 1.x protocol on the node. Valid values for this option are on or off. The default value for this option is off.

ssh2.enable
Enables or disables the SSH 2.0 protocol on the node. Valid values for this option are on or off. The starting default value on a factory install for this option is on. This option is equivalent to the ssh.enable option.

ssl.v2.enable
Enables or disables the SSLv2 protocol on https and ldap connections. Valid values for this option are on or off. The default value for this option is on. This setting takes effect immediately and is persistent across reboots.

ssl.v3.enable
Enables or disables the SSLv3 protocol on https and ldap connections. Valid values for this option are on or off. The default value for this option is on. This setting takes effect immediately and is persistent across reboots.

tape.persistent_reservations
Deprecated option. Use option tape.reservations instead.

tape.reservations
Enables SCSI reservations or persistent reservations for all tape drives, medium changers, bridges, and tape libraries (including those with embedded bridges) attached to the node via Fibre Channel, including those attached through switches. Only the initiator which holds the reservation may change the position or state of the device, protecting it from other initiators. This option determines which type of reservation is applied when a device open operation requests a reservation. The device is released when it is closed.

Standard "classic" SCSI reservation isolates well under normal conditions, but reservations can be lost during interface error recovery procedures, allowing device access by initiators other than the erstwhile owner. Error recovery mechanisms such as loop reset do not affect persistent reservations.

This option replaces option tape.persistent_reservations, which is no longer used. Valid values are off, scsi, or persistent. The default value is off. This option has no effect on devices attached to parallel SCSI adapters, since the adapter already has exclusive access to the devices.

Tape drives, medium changers, tape libraries, or bridges do not all implement persistent reservations correctly. If persistent does not protect a device properly, then use scsi instead, or turn the option off.

telnet.access
Restricts telnet access to the node. For valid values, see na_protocolaccess(8). If this value is set, trusted.hosts is ignored for telnet.

telnet.enable
Enables the Telnet server on the node. Valid values for this option are on or off. The default value for this option is off. If this option is toggled during a telnet session, then it goes into effect on the next telnet login.

telnet.distinct.enable
Enables making the telnet and console separate user environments. If it is off, then telnet and console share a session. The two sessions view each other's inputs/outputs and both acquire the privileges of the last user to log in. If this option is toggled during a telnet session, then it goes into effect on the next telnet login. Valid values for this option are on or off. The starting default value on a factory install for this option is on. This option is set to on if a user belonging to "Compliance Administrators" is configured and cannot be set to off till the user is configured.

telnet.hosts
Deprecated option, use trusted.hosts instead.

tftpd.enable
Enables the tftp (Trivial File Transfer Protocol) server on the node. Valid values for this option are on or off. The default value for this option is off. When enabled, the node's tftp server allows get requests, but does not allow put requests.

tftpd.logging
Enables console logging of accesses for files via tftp. Valid values for this option are on or off. The default value for this option is off.

tftpd.max_connections
This option controls the maximum number of simultaneous tftpd connections that will be served. The minimum value is 4 and the maximum is 32. The default value for this option is 8. If this setting is changed to a value that is lower than the current number of connected TFTP sessions, new connections will be refused until the total number of sessions falls below tftpd.max_connections. Existing sessions are unaffected.

tftpd.rootdir
Specifies the tftpd rootdir. All relative accesses to files via tftp are considered relative to this directory. All absolute accesses via tftp can only access a file if it lies in the filesystem tree rooted at this directory. A valid value for this option is the fully qualified pathname to a valid, existing directory on any volume on the node. The default value of this option is /etc/tftpboot.

timed.enable
If on and a remote protocol is specified, the time daemon (timed) synchronizes to an external source. If off, time is not synchronized to an external source. Valid values for this option are on or off. The default value for this option is on.

HA pair considerations: To keep time synchronized across the nodes in the HA pair, timed should be enabled on both nodes.

timed.log
Specifies whether time changes initiated by timed should be logged to the console.

This option is obsolete and does not have an effect in Data ONTAP 8.0 or later. However, if this option is modified, the changes would take effect if the system is reverted to a release that does support this option.

timed.max_skew
Specifies the maximum amount of skew between the time reported by the time server and the node's time that we will allow when synchronizing the time. If the difference in the time reported by the server and the node's time is greater than this value, the node will not synchronize to the time reported by the time server. The maximum skew is specified in seconds (suffix s), minutes (suffix m), or hours (suffix h). Defaults to "30m".

This option is obsolete and does not have an effect in Data ONTAP 8.0 or later. However, if this option is modified, the changes would take effect if the system is reverted to a release that does support this option.

HA pair considerations: Specifies the maximum amount of skew between the time reported by the time master and the time slave's time.

timed.min_skew
Specifies the minimum amount of skew between the time reported by the time server and the node's time that is required to trigger the process of time correction into action. If the difference in the time reported by the server and the node's time is less than this value, the node will not attempt to correct the time. The minimum skew is specified in seconds (suffix s), minutes (suffix m), or hours (suffix h). Defaults to "0".

This option is obsolete and does not have an effect in Data ONTAP 8.0 or later. However, if this option is modified, the changes would take effect if the system is reverted to a release that does support this option.

Cluster considerations: Specifies the minimum amount of skew between the time reported by the time master and the time slave's time.

timed.proto
Specifies the protocol used to synchronize time. Valid values for this option are rdate, ntp or rtc. rdate specifies the rdate (RFC 868) protocol. ntp specifies the Network Time Protocol (RFC 1305). rtc specifies the internal Real-Time Clock chip. The default value for this option is ntp.

Note that sntp can be used as an alias for the ntp setting. Releases before Data ONTAP 8 use the Simple Network Time Protocol (RFC 2030) instead of the Network Time Protocol.

The option to use the rdate and rtc protocols is no longer supported in Data ONTAP 8.0 or later. However, if this protocol is specified, the changes would take effect if the system is reverted to a release that does support the protocols.

timed.sched
Specifies the timed synchronization schedule. There are several pre-defined schedules:

hourly
synchronize every hour (the default)

multihourly
synchronize every 6 hours

daily
synchronize every day at midnight

Custom schedules may also be specified by giving the number of minutes or hours between time synchronization. Minutes are specified by digits followed by an "m"; hours are specified by digits followed by an "h". For example, options timed.sched 2h will cause time to be synchronized every two hours.

To avoid overburdening the time server, the node randomly selects the exact time of the synchronization within a window specified by timed.window.

After timed.sched is set, timed.window is capped at ten percent of timed.sched.

This option is obsolete and does not have an effect in Data ONTAP 8.0 or later. However, if this option is modified, the changes would take effect if the system is reverted to a release that does support this option.

HA pair considerations: specifies the time synchronization schedule for the time slave.

timed.servers
Defines the list of up to five Network Time Protocol (NTP) time servers to be used. Enter the time server names as a comma-separated list with no spaces in between. The default is an empty list. Both IPv6 and IPv4 addresses are accepted.

It is a best practice to use at least three time servers for redundancy and for detection of disagreement of time servers.

HA pair considerations: The timed.servers option must be configured on both nodes in the HA pair. For best results, the servers specified should be identical.

timed.window
Specifies a window around the synchronization time set by timed.sched. The actual synchronization time is randomly chosen from within this window. timed.window is specified in seconds (suffix s) or minutes (suffix m). The value may be 0, but it may not exceed ten percent of timed.sched. timed.window defaults to "0s".

This option is obsolete and does not have an effect in Data ONTAP 8.0 or later. However, if this option is modified, the changes would take effect if the system is reverted to a release that does support this option.

HA pair considerations: Specifies a window around the synchronization time set by timed.sched for the time slave.

tls.enable
Enables or disables the TLS (Transport Layer Security) protocol on https, ftps and ldap connections. Valid values for this option are on or off. The default value for this option is off. This setting takes effect immediately and is persistent across reboots.

trusted.hosts
Specifies up to 5 clients that will be allowed telnet, rsh, and administrative HTTP (that is, FilerView) access to the server. The host names should be entered as a comma-separated list with no spaces in between. Enter a "*" to allow access to all clients; this is the default. Enter a "-" to disable access to the server. NOTE: this option used to be called telnet.hosts, and in fact that is still an alias for this option. This value is ignored for telnet if telnet.access is set, and is ignored for administrative HTTP if httpd.admin.access is set. See na_protocolaccess(8) for more details.

vol.copy.throttle
Specifies the default speed of all volume copy operations. The speed can be a number in the range from 1 to 10, with 10 being the highest speed and the default. When a vol copy operation is started, its throttle is set to this value. See na_vol(1) for more details on the vol copy command.

wafl.default_nt_user
Specifies the NT user account to use when a UNIX user accesses a file with NT security (has an ACL), and that UNIX user would not otherwise be mapped. If this option is set to the null string, such accesses will be denied. The default value for this option is the null string.

wafl.default_security_style
Specifies the default security style assigned to a new volume. All qtrees created on the volume get this as their security style. Legal values for this option are `unix', `ntfs', or `mixed'. The default value for this option is `unix', unless the node is an NTFS-only node, in which case the default is `ntfs'.

wafl.default_unix_user
Specifies the UNIX user account to use when an authenticated NT user did not match an entry in the usermap.cfg file. If this option is set to the null string, NT users which are not matched in the usermap.cfg file will not be allowed to log in. The default value for this option is `pcuser'.

wafl.group_cp
Specifies the WAFL behavior for coordinating consistency points between groups of volumes in an appliance. If the WAFL Group-CP feature is active then WAFL will coordinate updates across multiple traditional volumes and aggregates during a WAFL consistency point. If WAFL Group-CP is not active then consistency points are not coordinated across traditional volumes and aggregates during recovery. The allowed values for this option are `on', `off' or `default'. If the value is set to `default' then the option is set based on whether MetroCluster is enabled for the appliance; if MetroCluster is enabled then the default is on, otherwise the default is off.

wafl.inconsistent.asup_frequency.blks
If the number of unique bad user data blocks encountered by WAFL since last AutoSupport message of this type exceeds the value specified by this option, a new AutoSupport message is sent.

The supported values for the option include integers from 0 to 100. The default value of this option is 10.

wafl.inconsistent.asup_frequency.time
If WAFL encounters a bad user data block, a new AutoSupport message is sent, provided that the time since last AutoSupport message exceeds the value specified by this option.

The supported values for the option include values from 60s to 604800s (seconds in 7 days). The default value of this option is 24h (86400 seconds).

wafl.inconsistent.ems_suppress
This option suppresses EMS messages that are related to bad blocks. The default value of this option is FALSE (which can be entered as 0, off, OFF, no, NO, false, or FALSE). The default means EMS messages are not suppressed. The value can be overwritten with TRUE (which can be entered as 1, on, ON, yes, YES, true, or TRUE) to suppress EMS messages.

wafl.nt_admin_priv_map_to_root
When on (the default), an NT administrator is mapped to UNIX root.

wafl.root_only_chown
When enabled, only the root user can change the owner of a file. When disabled, non-root users can change the owner of files that they own. When a non-root user changes the owner of a file they own, both the set-UID and set-GID bits of that file are cleared for security reasons. A non-root user is not allowed to give away a file if it would make the recipient overrun its user quota. wafl.root_only_chown is enabled by default.

wafl.wcc_minutes_valid
Specifies the number of minutes a WAFL credential cache entry is valid. The value can range from 1 through 20160. The default is 20.

webdav.enable
Enables WebDAV access to the node. Valid values for this option are on or off.

Default: on

Effective: Immediately

Persistence: Remains in effect across system reboots

Multiple options can be set at once in an options command. For example:

   options nfs.tcp.enable on nfs.v2.df_2gb_lim on raid.timeout 48

sets nfs.tcp.enable to on, sets nfs.v2.df_2gb_lim to on, and sets raid.timeout to 48.

EXAMPLES

options cifs.trace_login on

Turns on the logging for all CIFS login related activities.

options cifs

Prints all the options that start with cifs.
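
The following Python code is an added example, not part of the original manual page or of Data ONTAP. It audits captured options output against the remote-access and transport options described above, falling back to the defaults this page states when an option is absent from the capture. The one-pair-per-line capture format, the function names and the sample capture are assumptions constructed for illustration.

```python
# Defaults as stated on this page; used when the capture omits an option.
PAGE_DEFAULTS = {
    "ssh1.enable": "off", "ssl.v2.enable": "on", "ssl.v3.enable": "on",
    "tls.enable": "off", "telnet.enable": "off",
    "telnet.distinct.enable": "on", "tftpd.enable": "off",
    "trusted.hosts": "*", "sp.autologout.enable": "on",
}

# (option, value to flag, reason paraphrased from the option's description)
RULES = [
    ("ssh1.enable", "on", "SSH 1.x protocol is enabled"),
    ("ssl.v2.enable", "on", "SSLv2 is enabled on https and ldap connections"),
    ("ssl.v3.enable", "on", "SSLv3 is enabled on https and ldap connections"),
    ("tls.enable", "off", "TLS is disabled on https, ftps and ldap connections"),
    ("telnet.enable", "on", "Telnet server is enabled"),
    ("telnet.distinct.enable", "off", "telnet and console share one session"),
    ("tftpd.enable", "on", "tftp server allows get requests"),
    ("trusted.hosts", "*", "telnet, rsh and admin HTTP allowed from all clients"),
    ("sp.autologout.enable", "off", "idle SP SSH connections stay connected"),
]

ON = {"on", "yes", "true", "1"}
OFF = {"off", "no", "false", "0"}

def as_on_off(value):
    """Fold the on/off spellings the options command accepts, in any case."""
    v = value.lower()
    return "on" if v in ON else "off" if v in OFF else value

def parse_options(text):
    """Assumed format: 'name value' per line; a bare name is the null string."""
    opts = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and "." in fields[0]:      # skip blank lines and banners
            opts[fields[0]] = fields[1] if len(fields) > 1 else ""
    return opts

def audit(text):
    """Return (option, value, source, reason) for every flagged setting."""
    opts = parse_options(text)
    findings = []
    for name, flagged, reason in RULES:
        source = "set" if name in opts else "page default"
        value = opts.get(name, PAGE_DEFAULTS[name])
        if flagged in ("on", "off"):         # boolean option: fold synonyms
            value = as_on_off(value)
        if value == flagged:
            findings.append((name, value, source, reason))
    return findings

# Constructed capture, not taken from a real node.
SAMPLE = """\
ssh1.enable                  OFF
ssl.v2.enable                on
ssl.v3.enable                off
tls.enable                   TRUE
telnet.enable                off
tftpd.enable                 1
trusted.hosts                adminhost1,adminhost2
wafl.default_nt_user
"""

if __name__ == "__main__":
    for name, value, source, reason in audit(SAMPLE):
        print(f"{name:<24} {value:<4} [{source}] {reason}")
```

Run against an empty capture, audit reports the settings that are flagged at the defaults this page lists: ssl.v2.enable, ssl.v3.enable, tls.enable and trusted.hosts.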

HA CONSIDERATIONS

In general, each node in a High Availability (HA) configuration has its own options that are independent of the options of its partner. After a takeover, the live node uses its own option settings or its partner's option settings, depending on whether the live node operates in partner mode.

However, a few options must have the same setting for both nodes in an HA configuration for takeover to work properly. If you change the setting for one of these options on one node, the node displays a message reminding you to make the same change on the other node. In takeover mode, the same option values are used for both nodes.

The following list of options must have the same values on both nodes in an HA configuration:

  snmp.enable
  telnet.enable
  trusted.hosts
  wafl.group_cp

It is recommended that the following list of options have the same values on both nodes in an HA configuration:

  timed.enable
  timed.log
  timed.max_skew
  timed.proto
  timed.sched
  timed.servers
  timed.window

During takeover, certain partner option values are overridden by those of the live node. Whether the live node is operating in partner mode or not, the live node's value will be used when an option must be consulted.

The following list of options is overwritten by the live node's values during takeover:

  auditlog.enable
  auditlog.max_file_size
  autologout.telnet.enable
  autologout.telnet.timeout
  dns.domainname
  dns.enable
  httpd.log.format
  httpd.timeout
  httpd.timewait.enable
  ip.match_any_ifaddr
  ip.path_mtu_discovery.enable
  nfs.per_client_stats.enable
  nfs.v2.df_2gb_lim
  nfs.v3.enable
  nis.domainname
  nis.enable
  nis.group_update.enable
  nis.group_update_schedule
  nis.servers
  nis.slave.enable
  pcnfsd.enable
  nfs.always.deny.truncate
  raid.disk.copy.auto.enable
  raid.disktype.enable
  raid.media_scrub.enable
  raid.reconstruct.perf_impact
  raid.reconstruct.wafliron.enable
  raid.resync.perf_impact
  raid.rpm.ata.enable
  raid.rpm.fcal.enable
  raid.timeout
  raid.verify.perf_impact
  rmc.setup
  sparse.tcp_windowsize
  vol.copy.throttle
  wafl.root_only_chown
  wafl.wcc_minutes_valid

After takeover, the options command can be used in partner mode to modify an option setting for the failed node. However, the change is lost after the giveback operation.

VFILER CONSIDERATIONS

Each vfiler has its own set of options. Vfilers, however, recognize only a subset of the options recognized by a node. The list of options recognized by a vfiler is:

  cifs.AD.retry_delay
  cifs.audit.enable
  cifs.audit.file_access_events.enable
  cifs.audit.logon_events.enable
  cifs.audit.logsize
  cifs.audit.saveas
  cifs.bypass_traverse_checking
  cifs.comment
  cifs.guest_account
  cifs.home_dir_namestyle
  cifs.homedirs_public_for_admin
  cifs.idle_timeout
  cifs.max_mpx
  cifs.netbios_aliases
  cifs.netbios_over_tcp.enable
  cifs.nfs_root_ignore_acl
  cifs.oplocks.enable
  cifs.oplocks.opendelta
  cifs.perm_check_ro_del_ok
  cifs.perm_check_use_gid
  cifs.preserve_unix_security
  cifs.restrict_anonymous.enable
  cifs.save_case
  cifs.scopeid
  cifs.search_domains
  cifs.show_snapshot
  cifs.shutdown_msg_level
  cifs.sidcache.enable
  cifs.sidcache.lifetime
  cifs.snapshot_file_folding.enable
  cifs.symlinks.cycleguard
  cifs.symlinks.enable
  cifs.trace_login
  cifs.universal_nested_groups.enable
  dns.domainname
  dns.enable
  ndmpd.access
  ndmpd.authtype
  ndmpd.connectlog.enabled
  ndmpd.enable
  ndmpd.ignore_ctime.enabled
  ndmpd.password_length
  nfs.mount_rootonly
  nfs.per_client_stats.enable
  nfs.require_valid_mapped_uid
  nfs.tcp.enable
  nfs.udp.xfersize
  nfs.v2.df_2gb_lim
  nfs.v3.enable
  nfs.webnfs.enable
  nfs.webnfs.rootdir
  nfs.webnfs.rootdir.set
  nis.domainname
  nis.enable
  nis.group_update.enable
  nis.group_update_schedule
  nis.servers
  nis.slave.enable
  pcnfsd.enable
  pcnfsd.umask
  nfs.always.deny.truncate
  rsh.access
  rsh.enable
  security.passwd.rules.enable
  snapmirror.enable
  snapmirror.checkip.enable
  snapmirror.access
  snapvault.access
  snapvault.enable
  wafl.default_nt_user
  wafl.default_unix_user
  wafl.nt_admin_priv_map_to_root
  wafl.wcc_max_entries
  wafl.wcc_minutes_valid

These options only affect the operation of the concerned vfiler. When run in the context of a vfiler, (for example via the vfiler run command), the options command only prints the options recognized by a vfiler, and can only change these options.

SEE ALSO

na_disk(1), na_nfsstat(1), na_partner(1), na_snap(1), na_passwd(1), na_secureadmin(1), na_useradmin(1), na_vfiler(1), na_vol(1), na_autosupport(1), na_auditlog(5), na_pcnfsd(8), na_protocolaccess(8).

