ONTAP 9.15.1 commands

vserver export-policy access-cache show

Display information about the access cache entry

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver export-policy access-cache show command can be used to display the contents of an access cache entry of the specified node for a particular client IP address belonging to an export policy in a Vserver.

The command will display information such as the flags of the access cache entry, the age of the entry, any errors that were encountered when looking up the export policy rules from the management gateway, and the number of policy rules from the export policy that matched the specified client IP address. If an error is encountered when looking up the export policy rules from the management gateway process, the first rule index in the export policy that encountered the error is displayed. The client match string or the anon string in the rule that caused the rule evaluation to fail is also displayed. A more detailed view of the output of this command is available if you specify the -instance switch to the command.

The command output lists the rule indexes of the policy rules that matched. If you are interested in finding out the security settings for each policy rule that matched then you can use the vserver export-policy access-cache show-rules command.

If the client IP address is not cached in the access cache then the command will display an error message stating that the entry does not exist.

Parameters

{ [-fields <fieldname>,…​]

If you specify the -fields <fieldname>, …​ parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.

| [-instance ] }

If you specify the -instance parameter, the command displays detailed information about all fields.

-node <nodename> - Node

This parameter specifies the node on which you want to examine the access cache entry.

-vserver <vserver name> - Vserver

This parameter specifies the name of the Vserver on which you want to see the access cache entry.

-policy <export policy name> - Policy Name

This parameter specifies the name of the export policy that is in effect on the export path that the client is trying to access.

-address <IP Address> - IP Address

This parameter specifies the IP address of the client whose access cache entry you want to examine.

[-flags {pending|refreshing|is-abandoned|is-queued-for-update|is-updating|has-usable-data}] - Access Cache Entry Flags

Selects the access cache entries that match the specified flags value. The flags describe the internal state of the access cache entry. The access cache entry could be in 'pending' state. This denotes the initial state of the access cache entry when a client first tries to access the exported mount point and the rules in the export policy are being matched against the IP address of the client. The 'refreshing' state denotes that the access cache entry is being refreshed. The 'abandoned' state denotes that the access cache entry has been cleared as a result of a cache flush operation. If the access cache entry has been successfully evaluated this field will not be set to any value.

[-result <integer>] - Result Code

Selects the access cache entries that match the specified result value. This field describes the error code of the error encountered when matching the IP address of the client against the rules specified in the export policy. If all rules were evaluated successfully this field will be set to 0.

[-first-unresolved-index <integer>] - First Unresolved Rule Index

Selects the access cache entries that match the specified unresolved rule index value. This field describes the rule index of the first rule in the export policy that could not be evaluated successfully when matching the IP address of the client against the rules specified in the export policy. If all rules were evaluated successfully this field will not be set to any value.

[-unresolved-clientmatch <text>] - Unresolved Clientmatch

Selects the access cache entries that match the specified unresolved client match value. This field describes the client match string that caused the rule evaluation to fail at the displayed rule index. Client match strings that denote a netgroup, hostname or a domain name can fail in evaluation if there are problems in contacting the name servers configured to serve them. If all rules were evaluated successfully this field will not be set to any value.

[-num-rules <integer>] - Number of Matched Policy Rules

Selects the access cache entries that match the specified number of matched export rules. This field describes the number of rules in the export policy that were matched successfully against the IP address of the client. If the number of matched rules is 0 and the 'result' field is also 0 then the client will experience an access denied error during mount. If the number of matched rules is non-zero and the 'result' field is 0 then access is granted or denied based on the ro, rw, superuser and other security settings in the matched rules. If the number of matched rules is 0 and the 'result' field has a non-zero value in it the client will experience a hang until the error that caused the rule evaluation to fail is resolved. If the number of matched rules is non-zero and the 'result' field has a non-zero value then this represents a situation where an error was encountered that stopped the match of rules in the export policy against the IP address of the client. The rules that have matched so far are used to make access decisions. (Note that the match of rules follows an ordering precedence determined by the rule index). Access may be granted if the security settings in the rules that have matched so far allow access. The security settings in the partial subset of matched rules are never used to deny access because they represent an incomplete set of matched export rules. Instead the client will experience a hang until the error that caused the rule evaluation to fail is resolved.

[-ruleindex-list <integer>,…​] - List of Matched Policy Rule Indexes

Selects the access cache entries that match the specified list of matched rule indexes. This field describes a comma separated list of the indexes of the rules in the export policy that matched the IP address of the client. If no rules match the IP address of the client or an error was encountered in the client match process then this field will not be set to any value.

[-age <[<integer>h][<integer>m][<integer>s]>] - Age of Entry

Selects the access cache entries that match the specified age of the entry. This field describes the age of the access cache entry.

[-polarity {positive|negative|init}] - Access Cache Entry Polarity

Selects the access cache entries that match the specified polarity of the entry. The polarity of an access cache entry can be positive or negative. A positive polarity denotes that access is granted to the client IP address. A negative polarity denotes that access is denied to the client IP address.

[-duration-since-last-use <[<integer>h][<integer>m][<integer>s]>] - Time Elapsed since Last Use for Access Check

Selects the access cache entries that match the specified time duration since the entry was last used for access determination.

[-duration-since-last-update-attempt <[<integer>h][<integer>m][<integer>s]>] - Time Elapsed since Last Update Attempt

Selects the access cache entries that match the specified time duration since the access cache entry was last updated.

[-last-update-attempt-result <integer>] - Result of Last Update Attempt

Selects the access cache entries that match the specified result obtained when the access cache entry was last updated.

[-clientmatch-list <text>,…​] - List of Client Match Strings

Selects the access cache entries that match the specified list of clientmatch strings that matched the specified client IP address.

Examples

The following example shows the contents of the access cache entry for client IP address '10.22.33.32' in volume 'flex1' having export policy 'testpol' in a Vserver named 'vs1' on node 'vsim1':

cluster1::*> vserver export-policy access-cache show -vserver vs1 -policy testpol -node vsim1 -address 10.22.33.32
Node: vsim1
                                       Vserver: vs1
                                   Policy Name: testpol
                                    IP Address: 10.22.33.32
                      Access Cache Entry Flags: has-usable-data
                                   Result Code: 0
                   First Unresolved Rule Index: -
                        Unresolved Clientmatch: -
                Number of Matched Policy Rules: 1
           List of Matched Policy Rule Indexes: 20
                                  Age of Entry: 77s
                   Access Cache Entry Polarity: positive
        Time Elapsed since Last Update Attempt: 8s
  Time Elapsed since Last Use for Access Check: 3s
                 Result of Last Update Attempt: 7208
                  List of Client Match Strings: 0.0.0.0/0
Top of Page