Comprehensive data protection for all workloads
Post Reply
Moltron
Novice
Posts: 4
Liked: never
Joined: Nov 30, 2010 8:11 pm
Full Name: Dave Moulton
Contact:

Direct SAN concerns

Post by Moltron »

Hello,

I am new to Veeam and I'm using the trial install at the moment. I really like it so far, and now I've begun tinkering with Direct SAN copy. I know its much faster, but I have some worries.

Here's my setup breifly. Running ESX 4.0 U2 on 6 HP blades with EMC CX-10 fibre channel storage. Veeam is installed on it's own blade and not virtual. It has a 4GB drive directly connecting to a LUN for backup storage. I created a test LUN and moved a VM into that to mess with Direct SAN, and so far it's worked, but I have best practices in mind... or lack there of.

Concerns:
1. Veeam has to see the LUNS in order to back them up. I know when you install Veeam it turns off some automount feature in Windows but I've noticed in testing that my VMFS datastore that I want to Direct SAN copy from shows up in the Disk Management list on the Veeam server. Whats to stop someone from accidentally deleting or formatting that VMFS as NTFS? Or Windows deciding to do something to it for that matter? I'd really hate to imagine something happening to our production VMFS with 20 VMs in it just dissapear.

2. Before Veeam in my EMC setup I just had 1 storage group with all the ESX servers in it. Now I have 2, the origional one plus one for Veeam which can see the 4 GB storage LUN. To let Veeam see another LUN to Direct SAN copy I had to add that to the second storage group, which gives me a warning every time about multiple servers accessing LUNS at once. Is this how it should be done, or should I combine everything into the origional storage group?

tsightler
VP, Product Management
Posts: 5679
Liked: 2499 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Direct SAN concerns

Post by tsightler »

Moltron wrote: 1. Veeam has to see the LUNS in order to back them up. I know when you install Veeam it turns off some automount feature in Windows but I've noticed in testing that my VMFS datastore that I want to Direct SAN copy from shows up in the Disk Management list on the Veeam server. Whats to stop someone from accidentally deleting or formatting that VMFS as NTFS? Or Windows deciding to do something to it for that matter? I'd really hate to imagine something happening to our production VMFS with 20 VMs in it just dissapear.
This isn't really specific to Veeam, unfortunately that's the way VMware designed vStorage API SAN mode (and VCB SAN mode before it). That being said, VCB (and now vStorage API) has been around for quite a few years at this point, and has been VMware's recommended way to access VMFS volumes for all of that time, so it's well understood and I've not seen anyone on the VMware forums actually have this issue, although I see people ask about it a lot. Some SAN storage systems support presenting the LUN to a host as read-only, which is a good option if your's supports it.
Moltron wrote:2. Before Veeam in my EMC setup I just had 1 storage group with all the ESX servers in it. Now I have 2, the origional one plus one for Veeam which can see the 4 GB storage LUN. To let Veeam see another LUN to Direct SAN copy I had to add that to the second storage group, which gives me a warning every time about multiple servers accessing LUNS at once. Is this how it should be done, or should I combine everything into the origional storage group?
I'd do it the way you have it and ignore the warning. I think I remember the warning message you're talking about (we no longer have EMC storage so my memory is fading), but I think it's basically just a message telling you what you already know, that you have two storage groups that can access the same LUN. This is a useful warning if you did this by accident, but is fine if your doing it on purpose.

Gostev
SVP, Product Management
Posts: 26706
Liked: 4277 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Direct SAN concerns

Post by Gostev »

Moltron wrote:Whats to stop someone from accidentally deleting or formatting that VMFS as NTFS?
Windows security? Do not put that "someone" to Local Administrators group on your Veeam Backup server, and this will never happen. Just like you do not put random people into Domain Administrators group on your DC. As you can imagine, the damage can be quite comparable in both cases.
Moltron wrote:gives me a warning every time about multiple servers accessing LUNS at once. Is this how it should be done
While I do not know anything about EMC storage (and whether it is better to combine everything into the original storage group), multiple servers access to the same LUN is of course the right thing. Veeam Backup server needs to be able to read from the same LUN that your ESX servers use.

P.S. Tom beat me by a few minutes...

Moltron
Novice
Posts: 4
Liked: never
Joined: Nov 30, 2010 8:11 pm
Full Name: Dave Moulton
Contact:

Re: Direct SAN concerns

Post by Moltron »

A little friendly competition huh? Well I like both of your answers! I'll have to be sure that my backup operators are well informed before they get on the backup server.... or maybe I'll just take care of it for now :)

Thanks for the replies.

vampiret
Lurker
Posts: 1
Liked: never
Joined: Jul 26, 2011 2:10 am
Contact:

[MERGED] Security issue for SAN Direct Access backup

Post by vampiret »

Hi All,

I recently setup a backup server installed with VEEAM B&R for backup my Vmware VMs. Everything is working OK.
The only concern I think of is the security concern.
I am using EVA6400 for my vmware VMs and about 1200 VMs are stored in 80 Vdisks. In order to perform the Direct SAN backup, I need to present the vDisks to both the ESX servers and the new backup server. There is obviously a risk if anyone try to initialise the disk in the backup server and it may erase the disks. I can't find a way in EVA6400 to present the disk to the backup server in read only mode.

Is there any suggestion to miligate the risk?

Thanks

tom11011
Expert
Posts: 160
Liked: 5 times
Joined: Dec 01, 2010 8:40 pm
Full Name: Tom
Contact:

[MERGED] Confused about Direct San Access setup

Post by tom11011 »

Hi there, I've read a few kb's (1446) and blog posts about direct san access but am confused as to the setup.

I'm confused by the difference in "direct storage access" and "virtual appliance" in the proxy config. I'm interested at this point in getting backups off of my lan network stack.

My environment looks like this. I have two physical backup servers. Server A has Veeam 9 installed with the default proxy, Server B is an additional repository with a proxy installed.

Server B houses the majority of our backups and also has an additional 2 10gig network ports ready to go.

Will this setup work or does a proxy need to be installed on a virtual machine? Is it as simple as just configuring these two network ports with ip addresses from my iscsi network and then setting them up in my server B's MS iscsi initiator (windows 2012 standard)?

Another concern is a blurb I read that says "It is very important you do not allow Windows to initialize any VMFS volumes you are presenting to it". My understanding is this is disabled by default, but want to make sure.

Thank you in advance.

PTide
Product Manager
Posts: 5626
Liked: 549 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Confused about Direct San Access setup

Post by PTide »

Hi,
Will this setup work or does a proxy need to be installed on a virtual machine?
This setup can work in direct-SAN mode just fine. Virtual proxy is required for "virtual appliance" mode.
Is it as simple as just configuring these two network ports with ip addresses from my iscsi network and then setting them up in my server B's MS iscsi initiator (windows 2012 standard)?
Yes, it is as simple as providing the proxy with a block-level access to the LUN where the VMs to be backed up reside at. Please check this article.
My understanding is this is disabled by default, but want to make sure.
Yes, it is disabled by default, this is just a reminder that you must not allow Windows to initialize the volumes if it asks you. Since Veeam B&R automatically sets SAN Policy to Offline/disables disk automount during installation of proxy server, this prevents disks from being initialized.

Thanks

tom11011
Expert
Posts: 160
Liked: 5 times
Joined: Dec 01, 2010 8:40 pm
Full Name: Tom
Contact:

Re: Confused about Direct San Access setup

Post by tom11011 »

Thank you for the assistance, I think I have it setup now. But how can I tell for sure? The real time job logs do not appear to show anything different?

foggy
Veeam Software
Posts: 19465
Liked: 1767 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Confused about Direct San Access setup

Post by foggy »

If direct SAN mode is being used, you should see the corresponding [san] tag in the job session log when you click the particular VM in the list to the left (right after the proxy server name).

tom11011
Expert
Posts: 160
Liked: 5 times
Joined: Dec 01, 2010 8:40 pm
Full Name: Tom
Contact:

Re: Confused about Direct San Access setup

Post by tom11011 »

I see it there thank you!

tom11011
Expert
Posts: 160
Liked: 5 times
Joined: Dec 01, 2010 8:40 pm
Full Name: Tom
Contact:

Re: Confused about Direct San Access setup

Post by tom11011 »

One other question. The windows disks should be left offline though correct?

JoshuaPostSAMC
Expert
Posts: 124
Liked: 21 times
Joined: Jul 30, 2015 7:32 pm
Contact:

Re: Confused about Direct San Access setup

Post by JoshuaPostSAMC »

Yes, leave them offline or you will corrupt the datastore

foggy
Veeam Software
Posts: 19465
Liked: 1767 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Confused about Direct San Access setup

Post by foggy »

Having disks online is also ok, just don't initialize them.

tom11011
Expert
Posts: 160
Liked: 5 times
Joined: Dec 01, 2010 8:40 pm
Full Name: Tom
Contact:

Re: Confused about Direct San Access setup

Post by tom11011 »

Thanks again.

DaStivi
Service Provider
Posts: 145
Liked: 11 times
Joined: Jun 30, 2015 9:13 am
Full Name: Stephan Lang
Location: Austria
Contact:

Re: Confused about Direct San Access setup

Post by DaStivi »

if you would like to double check it, that windows does not auto mount (resignature) it check the san policy on win Server 2008 or greater:
https://technet.microsoft.com/en-us/lib ... 52636.aspx

Veeam setup should disable it on setup... but if more admins are in place or some polices maybe someone/thing enabled it again ;)

tom11011
Expert
Posts: 160
Liked: 5 times
Joined: Dec 01, 2010 8:40 pm
Full Name: Tom
Contact:

Re: Confused about Direct San Access setup

Post by tom11011 »

Thanks.

johm
Lurker
Posts: 1
Liked: never
Joined: Jul 22, 2011 12:45 pm
Full Name: Johan Hammarstrom
Contact:

[MERGED] SAN connected windows server

Post by johm »

Hi,

We have just installed a new VBR server running version 9.5 , we have an existing VBR running version 8.
The version 8 server is SAN connected ( Prior to my employment)

Now its time to present all the existing VMFS to this new server. I don't like the thought of presenting VMFS volumes to windows.... Is it something that can go wrong? Something special I have to think about?
The new version 9.5 server is installed on windows 2016 and my existing VMFS volumes are spread of on 3 different 3par SANs.

Guess i only need some comforting words from you specialist before I dare to press the "present" button :)

Cheers
Johan

DGrinev
Expert
Posts: 1943
Liked: 248 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: SAN connected windows server

Post by DGrinev »

Hi Johan,

Just for you to be calm see FAQ information about Direct Storage Access Mode.

Please review this existing topic for more info.

Thanks!

Post Reply

Who is online

Users browsing this forum: Google [Bot] and 32 guests