-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Nov 30, 2010 8:11 pm
- Full Name: Dave Moulton
- Contact:
Direct SAN concerns
Hello,
I am new to Veeam and I'm using the trial install at the moment. I really like it so far, and now I've begun tinkering with Direct SAN copy. I know it's much faster, but I have some worries.
Here's my setup briefly. Running ESX 4.0 U2 on 6 HP blades with EMC CX-10 fibre channel storage. Veeam is installed on its own blade and not virtual. It has a 4GB drive directly connecting to a LUN for backup storage. I created a test LUN and moved a VM into that to mess with Direct SAN, and so far it's worked, but I have best practices in mind... or lack thereof.
Concerns:
1. Veeam has to see the LUNs in order to back them up. I know when you install Veeam it turns off some automount feature in Windows, but I've noticed in testing that my VMFS datastore that I want to Direct SAN copy from shows up in the Disk Management list on the Veeam server. What's to stop someone from accidentally deleting or formatting that VMFS as NTFS? Or Windows deciding to do something to it, for that matter? I'd really hate to imagine something happening to our production VMFS with 20 VMs in it just disappear.
2. Before Veeam in my EMC setup I just had 1 storage group with all the ESX servers in it. Now I have 2, the original one plus one for Veeam which can see the 4 GB storage LUN. To let Veeam see another LUN to Direct SAN copy I had to add that to the second storage group, which gives me a warning every time about multiple servers accessing LUNs at once. Is this how it should be done, or should I combine everything into the original storage group?
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Direct SAN concerns
> Moltron wrote: 1. Veeam has to see the LUNs in order to back them up. I know when you install Veeam it turns off some automount feature in Windows, but I've noticed in testing that my VMFS datastore that I want to Direct SAN copy from shows up in the Disk Management list on the Veeam server. What's to stop someone from accidentally deleting or formatting that VMFS as NTFS? Or Windows deciding to do something to it, for that matter? I'd really hate to imagine something happening to our production VMFS with 20 VMs in it just disappear.
This isn't really specific to Veeam; unfortunately that's the way VMware designed vStorage API SAN mode (and VCB SAN mode before it). That being said, VCB (and now vStorage API) has been around for quite a few years at this point, and has been VMware's recommended way to access VMFS volumes for all of that time, so it's well understood and I've not seen anyone on the VMware forums actually have this issue, although I see people ask about it a lot. Some SAN storage systems support presenting the LUN to a host as read-only, which is a good option if yours supports it.
> Moltron wrote: 2. Before Veeam in my EMC setup I just had 1 storage group with all the ESX servers in it. Now I have 2, the original one plus one for Veeam which can see the 4 GB storage LUN. To let Veeam see another LUN to Direct SAN copy I had to add that to the second storage group, which gives me a warning every time about multiple servers accessing LUNs at once. Is this how it should be done, or should I combine everything into the original storage group?
I'd do it the way you have it and ignore the warning. I think I remember the warning message you're talking about (we no longer have EMC storage so my memory is fading), but I think it's basically just a message telling you what you already know, that you have two storage groups that can access the same LUN. This is a useful warning if you did this by accident, but is fine if you're doing it on purpose.
-
- Chief Product Officer
- Posts: 31802
- Liked: 7298 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Direct SAN concerns
> Moltron wrote: What's to stop someone from accidentally deleting or formatting that VMFS as NTFS?
Windows security? Do not put that "someone" into the Local Administrators group on your Veeam Backup server, and this will never happen. Just like you do not put random people into the Domain Administrators group on your DC. As you can imagine, the damage can be quite comparable in both cases.
> Moltron wrote: gives me a warning every time about multiple servers accessing LUNs at once. Is this how it should be done
While I do not know anything about EMC storage (and whether it is better to combine everything into the original storage group), multiple servers' access to the same LUN is of course the right thing. The Veeam Backup server needs to be able to read from the same LUN that your ESX servers use.
P.S. Tom beat me by a few minutes...
-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Nov 30, 2010 8:11 pm
- Full Name: Dave Moulton
- Contact:
Re: Direct SAN concerns
A little friendly competition huh? Well I like both of your answers! I'll have to be sure that my backup operators are well informed before they get on the backup server.... or maybe I'll just take care of it for now
Thanks for the replies.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jul 26, 2011 2:10 am
- Contact:
[MERGED] Security issue for SAN Direct Access backup
Hi All,
I recently set up a backup server installed with VEEAM B&R to back up my VMware VMs. Everything is working OK.
The only concern I think of is the security concern.
I am using EVA6400 for my VMware VMs and about 1200 VMs are stored in 80 Vdisks. In order to perform the Direct SAN backup, I need to present the vDisks to both the ESX servers and the new backup server. There is obviously a risk if anyone tries to initialise the disk in the backup server and it may erase the disks. I can't find a way in EVA6400 to present the disk to the backup server in read-only mode.
Is there any suggestion to mitigate the risk?
Thanks
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
[MERGED] Confused about Direct San Access setup
Hi there, I've read a few kb's (1446) and blog posts about direct san access but am confused as to the setup.
I'm confused by the difference in "direct storage access" and "virtual appliance" in the proxy config. I'm interested at this point in getting backups off of my lan network stack.
My environment looks like this. I have two physical backup servers. Server A has Veeam 9 installed with the default proxy, Server B is an additional repository with a proxy installed.
Server B houses the majority of our backups and also has an additional 2 10gig network ports ready to go.
Will this setup work or does a proxy need to be installed on a virtual machine? Is it as simple as just configuring these two network ports with ip addresses from my iscsi network and then setting them up in my server B's MS iscsi initiator (windows 2012 standard)?
Another concern is a blurb I read that says "It is very important you do not allow Windows to initialize any VMFS volumes you are presenting to it". My understanding is this is disabled by default, but want to make sure.
Thank you in advance.
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Confused about Direct San Access setup
Hi,
> Will this setup work or does a proxy need to be installed on a virtual machine?
This setup can work in direct-SAN mode just fine. A virtual proxy is required for "virtual appliance" mode.
> Is it as simple as just configuring these two network ports with ip addresses from my iscsi network and then setting them up in my server B's MS iscsi initiator (windows 2012 standard)?
Yes, it is as simple as providing the proxy with block-level access to the LUN where the VMs to be backed up reside. Please check this article.
> My understanding is this is disabled by default, but want to make sure.
Yes, it is disabled by default; this is just a reminder that you must not allow Windows to initialize the volumes if it asks you. Since Veeam B&R automatically sets SAN Policy to Offline/disables disk automount during installation of the proxy server, this prevents disks from being initialized.
Thanks
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
Re: Confused about Direct San Access setup
Thank you for the assistance, I think I have it set up now. But how can I tell for sure? The real-time job logs do not appear to show anything different?
-
- Veeam Software
- Posts: 21138
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Confused about Direct San Access setup
If direct SAN mode is being used, you should see the corresponding [san] tag in the job session log when you click the particular VM in the list to the left (right after the proxy server name).
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
Re: Confused about Direct San Access setup
I see it there thank you!
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
Re: Confused about Direct San Access setup
One other question. The Windows disks should be left offline though, correct?
-
- Expert
- Posts: 124
- Liked: 22 times
- Joined: Jul 30, 2015 7:32 pm
- Contact:
Re: Confused about Direct San Access setup
Yes, leave them offline or you will corrupt the datastore
-
- Veeam Software
- Posts: 21138
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Confused about Direct San Access setup
Having disks online is also ok, just don't initialize them.
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
Re: Confused about Direct San Access setup
Thanks again.
-
- Service Provider
- Posts: 294
- Liked: 45 times
- Joined: Jun 30, 2015 9:13 am
- Full Name: Stephan Lang
- Location: Austria
- Contact:
Re: Confused about Direct San Access setup
If you would like to double-check that Windows does not auto mount (resignature) it, check the SAN policy on Windows Server 2008 or greater:
https://technet.microsoft.com/en-us/lib ... 52636.aspx
Veeam setup should disable it on setup... but if more admins are in place or some policies, maybe someone/thing enabled it again
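The checks raised in this thread (SAN policy left at offline, disk automount disabled, and who holds local administrator rights on the backup server) can be gathered in one read-only script. This is an added example, not part of the original posts and not Veeam's tooling; it assumes Windows PowerShell 5.1 with the built-in Storage and LocalAccounts modules, and the function name `Get-ProxySanAudit` is hypothetical.

```powershell
# Added example: read-only audit of a Windows backup proxy that has VMFS LUNs
# presented to it. It reports state and changes nothing.
function Get-ProxySanAudit {
    # SAN policy applied to newly discovered disks (Storage module).
    $policy = "$((Get-StorageSetting).NewDiskPolicy)"

    # Automount: mountmgr's NoAutoMount value is 1 when automount is disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\mountmgr'
    $mm  = Get-ItemProperty -Path $key -Name NoAutoMount -ErrorAction SilentlyContinue
    $autoMountDisabled = [bool]($mm -and $mm.NoAutoMount -eq 1)

    # Disks on shared buses are where presented LUNs show up.
    $sharedBus = 'iSCSI', 'Fibre Channel', 'SAS'
    $disks = Get-Disk | Where-Object { $sharedBus -contains "$($_.BusType)" } |
        Select-Object Number, FriendlyName, BusType, PartitionStyle, IsOffline, IsReadOnly,
            @{ Name = 'SizeGB';   Expression = { [math]::Round($_.Size / 1GB) } },
            # Writable = online and not read-only, so a local admin could modify it.
            @{ Name = 'Writable'; Expression = { -not $_.IsOffline -and -not $_.IsReadOnly } }

    [pscustomobject]@{
        NewDiskPolicy     = $policy
        # Assumption: either Offline policy that covers shared buses is acceptable.
        PolicyOk          = $policy -in 'OfflineShared', 'OfflineAll'
        AutoMountDisabled = $autoMountDisabled
        SharedBusDisks    = @($disks)
        # Members of the built-in Administrators group (well-known SID, so the
        # lookup also works on non-English systems) can initialize or format disks.
        LocalAdmins       = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
                                Select-Object -ExpandProperty Name)
    }
}

$audit = Get-ProxySanAudit
$audit | Format-List NewDiskPolicy, PolicyOk, AutoMountDisabled, LocalAdmins
$audit.SharedBusDisks | Format-Table -AutoSize
if (-not $audit.PolicyOk) {
    Write-Warning 'SAN policy brings shared-bus disks online automatically.'
}
if (-not $audit.AutoMountDisabled) {
    Write-Warning 'Automount is enabled (mountmgr NoAutoMount is not 1).'
}
```

Running it on a schedule and comparing the output between runs catches the case where another admin or a policy re-enables the setting after Veeam setup disabled it.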
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jul 22, 2011 12:45 pm
- Full Name: Johan Hammarstrom
- Contact:
[MERGED] SAN connected windows server
Hi,
We have just installed a new VBR server running version 9.5; we have an existing VBR running version 8.
The version 8 server is SAN connected (prior to my employment).
Now it's time to present all the existing VMFS to this new server. I don't like the thought of presenting VMFS volumes to Windows.... Is it something that can go wrong? Something special I have to think about?
The new version 9.5 server is installed on Windows 2016 and my existing VMFS volumes are spread out on 3 different 3par SANs.
Guess I only need some comforting words from you specialists before I dare to press the "present" button
Cheers
Johan
-
- Veteran
- Posts: 1943
- Liked: 247 times
- Joined: Dec 01, 2016 3:49 pm
- Full Name: Dmitry Grinev
- Location: St.Petersburg
- Contact:
Re: SAN connected windows server
Hi Johan,
Just for you to be calm, see the FAQ information about Direct Storage Access Mode.
Please review this existing topic for more info.
Thanks!