Direct SAN concerns


by Moltron » Sun Dec 19, 2010 10:19 pm

Hello,

I am new to Veeam and I'm using the trial install at the moment. I really like it so far, and now I've begun tinkering with Direct SAN copy. I know it's much faster, but I have some worries.

Here's my setup briefly. Running ESX 4.0 U2 on 6 HP blades with EMC CX-10 fibre channel storage. Veeam is installed on its own blade and not virtual. It has a 4GB drive directly connecting to a LUN for backup storage. I created a test LUN and moved a VM into that to mess with Direct SAN, and so far it's worked, but I have best practices in mind... or lack thereof.

Concerns:
1. Veeam has to see the LUNs in order to back them up. I know when you install Veeam it turns off some automount feature in Windows, but I've noticed in testing that my VMFS datastore that I want to Direct SAN copy from shows up in the Disk Management list on the Veeam server. What's to stop someone from accidentally deleting or formatting that VMFS as NTFS? Or Windows deciding to do something to it for that matter? I'd really hate to imagine something happening to our production VMFS with 20 VMs in it just disappear.

2. Before Veeam in my EMC setup I just had 1 storage group with all the ESX servers in it. Now I have 2, the original one plus one for Veeam which can see the 4 GB storage LUN. To let Veeam see another LUN to Direct SAN copy I had to add that to the second storage group, which gives me a warning every time about multiple servers accessing LUNs at once. Is this how it should be done, or should I combine everything into the original storage group?
Moltron
Lurker
 
Posts: 2
Liked: never
Joined: Tue Nov 30, 2010 8:11 pm
Full Name: Dave Moulton

Re: Direct SAN concerns

by tsightler » Mon Dec 20, 2010 12:46 am

Moltron wrote:1. Veeam has to see the LUNs in order to back them up. I know when you install Veeam it turns off some automount feature in Windows, but I've noticed in testing that my VMFS datastore that I want to Direct SAN copy from shows up in the Disk Management list on the Veeam server. What's to stop someone from accidentally deleting or formatting that VMFS as NTFS? Or Windows deciding to do something to it for that matter? I'd really hate to imagine something happening to our production VMFS with 20 VMs in it just disappear.


This isn't really specific to Veeam; unfortunately, that's the way VMware designed vStorage API SAN mode (and VCB SAN mode before it). That being said, VCB (and now vStorage API) has been around for quite a few years at this point, and has been VMware's recommended way to access VMFS volumes for all of that time, so it's well understood and I've not seen anyone on the VMware forums actually have this issue, although I see people ask about it a lot. Some SAN storage systems support presenting the LUN to a host as read-only, which is a good option if yours supports it.

Moltron wrote:2. Before Veeam in my EMC setup I just had 1 storage group with all the ESX servers in it. Now I have 2, the original one plus one for Veeam which can see the 4 GB storage LUN. To let Veeam see another LUN to Direct SAN copy I had to add that to the second storage group, which gives me a warning every time about multiple servers accessing LUNs at once. Is this how it should be done, or should I combine everything into the original storage group?


I'd do it the way you have it and ignore the warning. I think I remember the warning message you're talking about (we no longer have EMC storage so my memory is fading), but I think it's basically just a message telling you what you already know, that you have two storage groups that can access the same LUN. This is a useful warning if you did this by accident, but is fine if you're doing it on purpose.
tsightler
Veeam Software
 
Posts: 4768
Liked: 1737 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Direct SAN concerns

by Gostev » Mon Dec 20, 2010 12:55 am

Moltron wrote:What's to stop someone from accidentally deleting or formatting that VMFS as NTFS?

Windows security? Do not put that "someone" into the Local Administrators group on your Veeam Backup server, and this will never happen. Just like you do not put random people into the Domain Administrators group on your DC. As you can imagine, the damage can be quite comparable in both cases.

Moltron wrote:gives me a warning every time about multiple servers accessing LUNs at once. Is this how it should be done

While I do not know anything about EMC storage (and whether it is better to combine everything into the original storage group), access by multiple servers to the same LUN is of course the right thing. The Veeam Backup server needs to be able to read from the same LUN that your ESX servers use.

P.S. Tom beat me by a few minutes...
Gostev
Veeam Software
 
Posts: 21390
Liked: 2349 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Direct SAN concerns

by Moltron » Wed Dec 22, 2010 7:49 pm

A little friendly competition, huh? Well, I like both of your answers! I'll have to be sure that my backup operators are well informed before they get on the backup server... or maybe I'll just take care of it for now :)

Thanks for the replies.
Moltron
Lurker
 
Posts: 2
Liked: never
Joined: Tue Nov 30, 2010 8:11 pm
Full Name: Dave Moulton

[MERGED] Security issue for SAN Direct Access backup

by vampiret » Tue Jul 26, 2011 6:18 am

Hi All,

I recently set up a backup server with Veeam B&R installed to back up my VMware VMs. Everything is working OK.
The only concern I can think of is security.
I am using an EVA6400 for my VMware VMs, and about 1200 VMs are stored in 80 Vdisks. In order to perform the Direct SAN backup, I need to present the Vdisks to both the ESX servers and the new backup server. There is obviously a risk if anyone tries to initialise the disk in the backup server, and it may erase the disks. I can't find a way in the EVA6400 to present the disk to the backup server in read-only mode.

Is there any suggestion to mitigate the risk?

Thanks
vampiret
Lurker
 
Posts: 1
Liked: never
Joined: Tue Jul 26, 2011 2:10 am

[MERGED] Confused about Direct San Access setup

by tom11011 » Tue Nov 15, 2016 11:26 am

Hi there, I've read a few KBs (1446) and blog posts about direct SAN access but am confused as to the setup.

I'm confused by the difference in "direct storage access" and "virtual appliance" in the proxy config. I'm interested at this point in getting backups off of my LAN network stack.

My environment looks like this. I have two physical backup servers. Server A has Veeam 9 installed with the default proxy, Server B is an additional repository with a proxy installed.

Server B houses the majority of our backups and also has an additional 2 10gig network ports ready to go.

Will this setup work or does a proxy need to be installed on a virtual machine? Is it as simple as just configuring these two network ports with IP addresses from my iSCSI network and then setting them up in my server B's MS iSCSI initiator (Windows 2012 Standard)?

Another concern is a blurb I read that says "It is very important you do not allow Windows to initialize any VMFS volumes you are presenting to it". My understanding is this is disabled by default, but want to make sure.

Thank you in advance.
tom11011
Expert
 
Posts: 124
Liked: never
Joined: Wed Dec 01, 2010 8:40 pm
Full Name: Tom

Re: Confused about Direct San Access setup

by PTide » Tue Nov 15, 2016 11:40 am

Hi,

tom11011 wrote:Will this setup work or does a proxy need to be installed on a virtual machine?

This setup can work in direct-SAN mode just fine. A virtual proxy is required for "virtual appliance" mode.

tom11011 wrote:Is it as simple as just configuring these two network ports with IP addresses from my iSCSI network and then setting them up in my server B's MS iSCSI initiator (Windows 2012 Standard)?

Yes, it is as simple as providing the proxy with block-level access to the LUN where the VMs to be backed up reside. Please check this article.

tom11011 wrote:My understanding is this is disabled by default, but want to make sure.

Yes, it is disabled by default; this is just a reminder that you must not allow Windows to initialize the volumes if it asks you. Since Veeam B&R automatically sets SAN Policy to Offline/disables disk automount during installation of the proxy server, this prevents disks from being initialized.

Thanks
PTide
Veeam Software
 
Posts: 3019
Liked: 246 times
Joined: Tue May 19, 2015 1:46 pm

Re: Confused about Direct San Access setup

by tom11011 » Tue Nov 15, 2016 8:03 pm

Thank you for the assistance, I think I have it set up now. But how can I tell for sure? The real-time job logs do not appear to show anything different?
tom11011
Expert
 
Posts: 124
Liked: never
Joined: Wed Dec 01, 2010 8:40 pm
Full Name: Tom

Re: Confused about Direct San Access setup

by foggy » Wed Nov 16, 2016 10:01 am

If direct SAN mode is being used, you should see the corresponding [san] tag in the job session log when you click the particular VM in the list to the left (right after the proxy server name).
foggy
Veeam Software
 
Posts: 14742
Liked: 1080 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Confused about Direct San Access setup

by tom11011 » Wed Nov 16, 2016 1:03 pm

I see it there, thank you!
tom11011
Expert
 
Posts: 124
Liked: never
Joined: Wed Dec 01, 2010 8:40 pm
Full Name: Tom

Re: Confused about Direct San Access setup

by tom11011 » Fri Nov 18, 2016 7:17 pm

One other question. The Windows disks should be left offline though, correct?
tom11011
Expert
 
Posts: 124
Liked: never
Joined: Wed Dec 01, 2010 8:40 pm
Full Name: Tom

Re: Confused about Direct San Access setup

by JoshuaPostSAMC » Fri Nov 18, 2016 9:36 pm

Yes, leave them offline or you will corrupt the datastore.
JoshuaPostSAMC
Expert
 
Posts: 116
Liked: 16 times
Joined: Thu Jul 30, 2015 7:32 pm

Re: Confused about Direct San Access setup

by foggy » Fri Nov 18, 2016 10:09 pm

Having disks online is also ok, just don't initialize them.
foggy
Veeam Software
 
Posts: 14742
Liked: 1080 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Confused about Direct San Access setup

by tom11011 » Fri Nov 18, 2016 10:36 pm

Thanks again.
tom11011
Expert
 
Posts: 124
Liked: never
Joined: Wed Dec 01, 2010 8:40 pm
Full Name: Tom

Re: Confused about Direct San Access setup

by DaStivi » Tue Nov 22, 2016 10:00 am

If you would like to double-check that Windows does not automount (resignature) it, check the SAN policy on Windows Server 2008 or greater:
https://technet.microsoft.com/en-us/lib ... 52636.aspx

Veeam setup should disable it on setup... but if more admins are in place or some policies, maybe someone/something enabled it again ;)
DaStivi
Enthusiast
 
Posts: 50
Liked: 4 times
Joined: Tue Jun 30, 2015 9:13 am
Full Name: Stephan Lang
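
The checks discussed in this thread (SAN policy, automount, which SAN disks Windows has online, and who is a local administrator), as an added example that is not part of any post above and is not Veeam's own tooling. The function name Get-ProxySanAudit is hypothetical; the script assumes Windows Server 2012 or later with the Storage module, only reads state, and treating OnlineAll as the value to warn about is this example's assumption.

```powershell
# Added example: read-only audit of a Windows backup proxy that is zoned to VMFS LUNs.
# Needs the Storage module (Windows Server 2012 or later); it changes nothing.
function Get-ProxySanAudit {
    $warnings = @()

    # SAN policy applied to newly discovered disks.
    $policy = (Get-StorageSetting).NewDiskPolicy
    if ("$policy" -eq 'OnlineAll') {
        $warnings += 'SAN policy is OnlineAll: newly presented LUNs come online automatically.'
    }

    # Automount state: NoAutoMount = 1 under the mountmgr service key means disabled.
    # Assumption of this example: a missing value is treated as "enabled".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\mountmgr'
    $value = (Get-ItemProperty -Path $key -Name NoAutoMount -ErrorAction SilentlyContinue).NoAutoMount
    $automountDisabled = ($value -eq 1)
    if (-not $automountDisabled) { $warnings += 'Automount is enabled.' }

    # SAN-attached disks that are online and writable. The backup repository LUN
    # legitimately appears here; a production VMFS LUN is the one to look at twice.
    $exposed = Get-Disk |
        Where-Object { "$($_.BusType)" -in 'iSCSI', 'Fibre Channel' } |
        Where-Object { -not $_.IsOffline -and -not $_.IsReadOnly } |
        Select-Object Number, FriendlyName, BusType, PartitionStyle, Size

    # Accounts that could initialize or format those disks (PowerShell 5.1+ only).
    $admins = @()
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
    }

    [pscustomobject]@{
        SanPolicy         = "$policy"
        AutomountDisabled = $automountDisabled
        OnlineWritableSan = @($exposed)
        LocalAdmins       = @($admins)
        Warnings          = $warnings
    }
}

Get-ProxySanAudit | Format-List
```

Run it from an elevated PowerShell session on the proxy; an empty Warnings list together with a short, expected LocalAdmins list matches the state the replies above describe.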
