-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Nov 30, 2010 8:11 pm
- Full Name: Dave Moulton
- Contact:
Direct SAN concerns
Hello,
I am new to Veeam and I'm using the trial install at the moment. I really like it so far, and now I've begun tinkering with Direct SAN copy. I know its much faster, but I have some worries.
Here's my setup breifly. Running ESX 4.0 U2 on 6 HP blades with EMC CX-10 fibre channel storage. Veeam is installed on it's own blade and not virtual. It has a 4GB drive directly connecting to a LUN for backup storage. I created a test LUN and moved a VM into that to mess with Direct SAN, and so far it's worked, but I have best practices in mind... or lack there of.
Concerns:
1. Veeam has to see the LUNS in order to back them up. I know when you install Veeam it turns off some automount feature in Windows but I've noticed in testing that my VMFS datastore that I want to Direct SAN copy from shows up in the Disk Management list on the Veeam server. Whats to stop someone from accidentally deleting or formatting that VMFS as NTFS? Or Windows deciding to do something to it for that matter? I'd really hate to imagine something happening to our production VMFS with 20 VMs in it just dissapear.
2. Before Veeam in my EMC setup I just had 1 storage group with all the ESX servers in it. Now I have 2, the origional one plus one for Veeam which can see the 4 GB storage LUN. To let Veeam see another LUN to Direct SAN copy I had to add that to the second storage group, which gives me a warning every time about multiple servers accessing LUNS at once. Is this how it should be done, or should I combine everything into the origional storage group?
I am new to Veeam and I'm using the trial install at the moment. I really like it so far, and now I've begun tinkering with Direct SAN copy. I know its much faster, but I have some worries.
Here's my setup breifly. Running ESX 4.0 U2 on 6 HP blades with EMC CX-10 fibre channel storage. Veeam is installed on it's own blade and not virtual. It has a 4GB drive directly connecting to a LUN for backup storage. I created a test LUN and moved a VM into that to mess with Direct SAN, and so far it's worked, but I have best practices in mind... or lack there of.
Concerns:
1. Veeam has to see the LUNS in order to back them up. I know when you install Veeam it turns off some automount feature in Windows but I've noticed in testing that my VMFS datastore that I want to Direct SAN copy from shows up in the Disk Management list on the Veeam server. Whats to stop someone from accidentally deleting or formatting that VMFS as NTFS? Or Windows deciding to do something to it for that matter? I'd really hate to imagine something happening to our production VMFS with 20 VMs in it just dissapear.
2. Before Veeam in my EMC setup I just had 1 storage group with all the ESX servers in it. Now I have 2, the origional one plus one for Veeam which can see the 4 GB storage LUN. To let Veeam see another LUN to Direct SAN copy I had to add that to the second storage group, which gives me a warning every time about multiple servers accessing LUNS at once. Is this how it should be done, or should I combine everything into the origional storage group?
-
- VP, Product Management
- Posts: 6034
- Liked: 2859 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Direct SAN concerns
This isn't really specific to Veeam, unfortunately that's the way VMware designed vStorage API SAN mode (and VCB SAN mode before it). That being said, VCB (and now vStorage API) has been around for quite a few years at this point, and has been VMware's recommended way to access VMFS volumes for all of that time, so it's well understood and I've not seen anyone on the VMware forums actually have this issue, although I see people ask about it a lot. Some SAN storage systems support presenting the LUN to a host as read-only, which is a good option if your's supports it.Moltron wrote: 1. Veeam has to see the LUNS in order to back them up. I know when you install Veeam it turns off some automount feature in Windows but I've noticed in testing that my VMFS datastore that I want to Direct SAN copy from shows up in the Disk Management list on the Veeam server. Whats to stop someone from accidentally deleting or formatting that VMFS as NTFS? Or Windows deciding to do something to it for that matter? I'd really hate to imagine something happening to our production VMFS with 20 VMs in it just dissapear.
I'd do it the way you have it and ignore the warning. I think I remember the warning message you're talking about (we no longer have EMC storage so my memory is fading), but I think it's basically just a message telling you what you already know, that you have two storage groups that can access the same LUN. This is a useful warning if you did this by accident, but is fine if your doing it on purpose.Moltron wrote:2. Before Veeam in my EMC setup I just had 1 storage group with all the ESX servers in it. Now I have 2, the origional one plus one for Veeam which can see the 4 GB storage LUN. To let Veeam see another LUN to Direct SAN copy I had to add that to the second storage group, which gives me a warning every time about multiple servers accessing LUNS at once. Is this how it should be done, or should I combine everything into the origional storage group?
-
- Chief Product Officer
- Posts: 31779
- Liked: 7279 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Direct SAN concerns
Windows security? Do not put that "someone" to Local Administrators group on your Veeam Backup server, and this will never happen. Just like you do not put random people into Domain Administrators group on your DC. As you can imagine, the damage can be quite comparable in both cases.Moltron wrote:Whats to stop someone from accidentally deleting or formatting that VMFS as NTFS?
While I do not know anything about EMC storage (and whether it is better to combine everything into the original storage group), multiple servers access to the same LUN is of course the right thing. Veeam Backup server needs to be able to read from the same LUN that your ESX servers use.Moltron wrote:gives me a warning every time about multiple servers accessing LUNS at once. Is this how it should be done
P.S. Tom beat me by a few minutes...
-
- Novice
- Posts: 6
- Liked: 1 time
- Joined: Nov 30, 2010 8:11 pm
- Full Name: Dave Moulton
- Contact:
Re: Direct SAN concerns
A little friendly competition huh? Well I like both of your answers! I'll have to be sure that my backup operators are well informed before they get on the backup server.... or maybe I'll just take care of it for now
Thanks for the replies.
Thanks for the replies.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jul 26, 2011 2:10 am
- Contact:
[MERGED] Security issue for SAN Direct Access backup
Hi All,
I recently setup a backup server installed with VEEAM B&R for backup my Vmware VMs. Everything is working OK.
The only concern I think of is the security concern.
I am using EVA6400 for my vmware VMs and about 1200 VMs are stored in 80 Vdisks. In order to perform the Direct SAN backup, I need to present the vDisks to both the ESX servers and the new backup server. There is obviously a risk if anyone try to initialise the disk in the backup server and it may erase the disks. I can't find a way in EVA6400 to present the disk to the backup server in read only mode.
Is there any suggestion to miligate the risk?
Thanks
I recently setup a backup server installed with VEEAM B&R for backup my Vmware VMs. Everything is working OK.
The only concern I think of is the security concern.
I am using EVA6400 for my vmware VMs and about 1200 VMs are stored in 80 Vdisks. In order to perform the Direct SAN backup, I need to present the vDisks to both the ESX servers and the new backup server. There is obviously a risk if anyone try to initialise the disk in the backup server and it may erase the disks. I can't find a way in EVA6400 to present the disk to the backup server in read only mode.
Is there any suggestion to miligate the risk?
Thanks
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
[MERGED] Confused about Direct San Access setup
Hi there, I've read a few kb's (1446) and blog posts about direct san access but am confused as to the setup.
I'm confused by the difference in "direct storage access" and "virtual appliance" in the proxy config. I'm interested at this point in getting backups off of my lan network stack.
My environment looks like this. I have two physical backup servers. Server A has Veeam 9 installed with the default proxy, Server B is an additional repository with a proxy installed.
Server B houses the majority of our backups and also has an additional 2 10gig network ports ready to go.
Will this setup work or does a proxy need to be installed on a virtual machine? Is it as simple as just configuring these two network ports with ip addresses from my iscsi network and then setting them up in my server B's MS iscsi initiator (windows 2012 standard)?
Another concern is a blurb I read that says "It is very important you do not allow Windows to initialize any VMFS volumes you are presenting to it". My understanding is this is disabled by default, but want to make sure.
Thank you in advance.
I'm confused by the difference in "direct storage access" and "virtual appliance" in the proxy config. I'm interested at this point in getting backups off of my lan network stack.
My environment looks like this. I have two physical backup servers. Server A has Veeam 9 installed with the default proxy, Server B is an additional repository with a proxy installed.
Server B houses the majority of our backups and also has an additional 2 10gig network ports ready to go.
Will this setup work or does a proxy need to be installed on a virtual machine? Is it as simple as just configuring these two network ports with ip addresses from my iscsi network and then setting them up in my server B's MS iscsi initiator (windows 2012 standard)?
Another concern is a blurb I read that says "It is very important you do not allow Windows to initialize any VMFS volumes you are presenting to it". My understanding is this is disabled by default, but want to make sure.
Thank you in advance.
-
- Product Manager
- Posts: 6550
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Confused about Direct San Access setup
Hi,
Thanks
This setup can work in direct-SAN mode just fine. Virtual proxy is required for "virtual appliance" mode.Will this setup work or does a proxy need to be installed on a virtual machine?
Yes, it is as simple as providing the proxy with a block-level access to the LUN where the VMs to be backed up reside at. Please check this article.Is it as simple as just configuring these two network ports with ip addresses from my iscsi network and then setting them up in my server B's MS iscsi initiator (windows 2012 standard)?
Yes, it is disabled by default, this is just a reminder that you must not allow Windows to initialize the volumes if it asks you. Since Veeam B&R automatically sets SAN Policy to Offline/disables disk automount during installation of proxy server, this prevents disks from being initialized.My understanding is this is disabled by default, but want to make sure.
Thanks
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
Re: Confused about Direct San Access setup
Thank you for the assistance, I think I have it setup now. But how can I tell for sure? The real time job logs do not appear to show anything different?
-
- Veeam Software
- Posts: 21137
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Confused about Direct San Access setup
If direct SAN mode is being used, you should see the corresponding [san] tag in the job session log when you click the particular VM in the list to the left (right after the proxy server name).
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
Re: Confused about Direct San Access setup
I see it there thank you!
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
Re: Confused about Direct San Access setup
One other question. The windows disks should be left offline though correct?
-
- Expert
- Posts: 124
- Liked: 22 times
- Joined: Jul 30, 2015 7:32 pm
- Contact:
Re: Confused about Direct San Access setup
Yes, leave them offline or you will corrupt the datastore
-
- Veeam Software
- Posts: 21137
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Confused about Direct San Access setup
Having disks online is also ok, just don't initialize them.
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
Re: Confused about Direct San Access setup
Thanks again.
-
- Service Provider
- Posts: 293
- Liked: 45 times
- Joined: Jun 30, 2015 9:13 am
- Full Name: Stephan Lang
- Location: Austria
- Contact:
Re: Confused about Direct San Access setup
if you would like to double check it, that windows does not auto mount (resignature) it check the san policy on win Server 2008 or greater:
https://technet.microsoft.com/en-us/lib ... 52636.aspx
Veeam setup should disable it on setup... but if more admins are in place or some polices maybe someone/thing enabled it again
https://technet.microsoft.com/en-us/lib ... 52636.aspx
Veeam setup should disable it on setup... but if more admins are in place or some polices maybe someone/thing enabled it again
-
- Expert
- Posts: 192
- Liked: 9 times
- Joined: Dec 01, 2010 8:40 pm
- Full Name: Tom
- Contact:
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jul 22, 2011 12:45 pm
- Full Name: Johan Hammarstrom
- Contact:
[MERGED] SAN connected windows server
Hi,
We have just installed a new VBR server running version 9.5 , we have an existing VBR running version 8.
The version 8 server is SAN connected ( Prior to my employment)
Now its time to present all the existing VMFS to this new server. I don't like the thought of presenting VMFS volumes to windows.... Is it something that can go wrong? Something special I have to think about?
The new version 9.5 server is installed on windows 2016 and my existing VMFS volumes are spread of on 3 different 3par SANs.
Guess i only need some comforting words from you specialist before I dare to press the "present" button
Cheers
Johan
We have just installed a new VBR server running version 9.5 , we have an existing VBR running version 8.
The version 8 server is SAN connected ( Prior to my employment)
Now its time to present all the existing VMFS to this new server. I don't like the thought of presenting VMFS volumes to windows.... Is it something that can go wrong? Something special I have to think about?
The new version 9.5 server is installed on windows 2016 and my existing VMFS volumes are spread of on 3 different 3par SANs.
Guess i only need some comforting words from you specialist before I dare to press the "present" button
Cheers
Johan
-
- Veteran
- Posts: 1943
- Liked: 247 times
- Joined: Dec 01, 2016 3:49 pm
- Full Name: Dmitry Grinev
- Location: St.Petersburg
- Contact:
Re: SAN connected windows server
Hi Johan,
Just for you to be calm see FAQ information about Direct Storage Access Mode.
Please review this existing topic for more info.
Thanks!
Just for you to be calm see FAQ information about Direct Storage Access Mode.
Please review this existing topic for more info.
Thanks!
Who is online
Users browsing this forum: Baidu [Spider] and 56 guests