Dedicated Veeam Backup network in VCF8+

[Lopese]

Hello
I am designing a dedicated back-up network to include two different vsphere clusters existing on the same management LAN.

My goal is to route all backup traffic through a dedicated network.
How to i achieve this goal?

Esxi hosts have default host managent vmkernal1 (172.30.80.0/24)

Do I create a separate vmkernal2, with service as management for each esxi host in (10.50.10.0/25).
Create Veeam proxy server with nic in same subnet as vmk2.
Create a static route pointing traffic in (10.50.10.0/25) through veeam proxy VM, join veeam management server with backup lan network ip for hosts (10.50.10.0/25).?

Thank you.

[vnikiforov]

Hello, Eddie,

Deploy one proxy VM per cluster that leverages the HotAdd backup method; this is the recommended option. Give each proxy two vNICs: one on the management LAN (so VBR can task it and reach vCenter), one on 10.50.10.0/25 (the backup VLAN). Each host in the cluster already has a second VMKernel in that same subnet with the Management service enabled. And VMDK reads should then happen internally via hot-add.

On the repository side, give the repo (or you may use a single repository gateway for the repositories for example) server a NIC in 10.50.10.0/25 as well.
Add 10.50.10.0/25 as a Preferred Network in VBR.
Specifying Preferred Networks

That's what forces the proxy>repo data stream onto the backup VLAN.
Without a repo-side NIC on that subnet, Veeam Backup & Replication has nowhere to route it and it will fall back to management network.
If that implementation doesn't work for some reason, I'd recommend you to open a case with Veeam Technical support on that matter, who can analyze the setup with the logs.

[Lopese]

Thank you very much. This was exactly what I needed fir guidance. I will report back once implementation has completed successfully.

[torteflo]

Hello,
I read this thread and am fully interested in it
As I am trying to design something really close, too.

Purpose is the same for me : to have a dedicated backup network.
My environment is a brand new Veeam 13 + one main vSphere cluster in v8u3i, and other existing clusters in v7u3.

I wonder, in order to get a dedicated vlan for backup...
On which machine would it be better to put a dual network? here Vladimir you put it on Proxies.
I explain.
Lets say my production vlan ID is 100, and my new backup vlan is 500.
My ESX and vCenter servers are in 100.
I first plan to add a new vmk to each ESX in 500 (no need to enable management on it IMHO ; either tick nothing in VMware on that vmk, or maybe NFC ?).

So I could do as you say here, Vladimir.
1. And will have every proxies with a vnic in vlan 100 and another vnic in 500.
2. Or I could do that on my Veeam server, and have all proxies in 500 only.
3. Or I could do that on vCenter server, and have all my veeam machines (server, proxies, repo) in vlan 500 only.
4. Or, I am not network expert, but I could do level 3 routing I suppose, maybe between Veeam and vCenter?

What do you think would be the best please ? I think mostly in terms of security, but maybe elsewhere. Performane would not change I think.

And could I put 2 vnic on the Veeam server appliance in v13 nowadays ?

Any opinion will matter to me

[torteflo]

Hi,
any inputs ?
or should I raise a new topic with that.

[vnikiforov]

Hello,

The dual NIC has to live on the components that actually move data.
Per the Specifying Preferred Networks page, that list includes the gateway server, the VMware backup proxy, the backup repository. Veeam Backup & Replication server itself could also have a data-mover role (gateway for SMB/NFS, mount server, WAN accelerator host, or the integrated proxy and integrated repository inside the v13 Veeam Software Appliance). vCenter is not in that list - it only carries API traffic.

If you have a specific infrastructure environment, where not all of the interconnections are clear, I'd recommend consulting with Veeam Accredited Service Partners (VASP) or Veeam System Engineers.
Alternatively, you may want to contact your sales partner\account manager for assistance in finding a VASP in your region or for contracting Veeam System Engineers.

From your description, I may assume this setup, which is basically identical to the previous question:

Option 1 A HotAdd proxy per cluster with one vNIC in VLAN 100 and one in VLAN 500, a NIC in VLAN 500 on the repository (or its gateway server), and the VLAN 500 subnet added to Preferred Networks in VBR. The rule will direct the proxy-to-repo data movers onto VLAN 500 and fall back to VLAN 100 only if the preferred path cannot be established.

Option 2 (L3 routing) probably could work, but adds latency, firewall scope and complexity for no gain over a flat L2 backup VLAN.

NOTE: if you use Veeam Software Appliance all-in-one, with integrated proxy and integrated repository on the same VM, Preferred Networks has nothing inter-component to redirect because both data-mover endpoints are on the same host. You need at least one external proxy or external repository on VLAN 500 for the rule to actually shift traffic.
Veeam Software Appliance supports multiple network interfaces, configurable from the Veeam Host Management web UI or Text UI (TUI) in console (the TUI's "Advanced network" entry for VLANs, bonds and tunnels).

[torteflo]

Hello Vladimir,
OK, thank you for your time & answer.
It clarifies several key points for me.

[torteflo]

Hello again,

So reading your message again, I have one more question, please.
If I have :
- Veeam server as a physical server, with VBR server + repository roles / with dual nic one vlan 100 and another in 500
- VM proxies / only one nic in 500
- ESXi with its vmk0 in vlan 100, and for example a vmk2 dedicated to backup, in vlan 500
- vCenter / only one nic in vlan 100

And also note that we have a dedup appliance (dell data domain) to make backup copy job to it. Which would be in vlan 500 only too.
And in this example I would not configure the Specifying Preferred Networks parameter.

Then I think it will work. Or am I wrong and do I need the dual nic on Veeam proxies VMs, and the Specifying Preferred Networks parameter ?