Limitations of VirtualLabs/SureBackup reg. masq networks

[pirx]

I'm now at a dead end after having #07929109 open for some time (and other cases before).

Situation:
Veeam backup jobs based on vSphere clusters. Clusters include VMs connected to different VLANs / IP subnets (4.... Example for one cluster.

Code: Select all

Name	               VLAN 		Prod Subnet		Prod Subnet Maks	Prod GW
cluster28_dvs01_vlan5	5	    10.24.2.0/23		255.255.254.0	10.24.2.1
cluster28_dvs01_vlan11	11	    10.11.0.0/16		255.255.0.0	10.11.8.1
cluster28_dvs01_vlan98	98	    10.24.100.0/22		255.255.252.0	10.24.100.1
cluster28_dvs01_vlan100	100	    10.1.0.0/16			255.255.0.0	10.1.8.1
cluster28_dvs01_vlan181	181	    10.24.70.0/23		255.255.254.0	10.24.70.1
cluster28_dvs01_vlan182	182	    10.24.72.0/23		255.255.254.0	10.24.72.1

I've created a VL with the different networks (and a lot of trial and error to find the right masq network / mask) and vNICs, but all VMs connected to vlan182 fail in SB with network error (destination unreachable) as soon as I add vlan181 to the VL. I also tried using 172.x.x.x. as masq network, no success. I've already reduced it to vlan181/182 for testing.

From L2 support I now got following feedback

These two networks have part of IP addresses overlap so during the tests Virtual lab VM cannot correctly complete the routing and fails to reach the tested VM.
The only workaround here is to create another Virtual lab and SureBackup job to process VMs from the overlapped network.

This confirms my observation on VL appliance where tcpdump shows that packages are not routed the right way (time exceeded).

Can someone confirm this limitation - or provide me information how to implement it? Because if this is a hard limitation, I can stop trying to implement SB for our larger clusters, which all look similar to this regarding VM networks. I don't see how implementing a dedicated VL for each VLAN should work as VLANs in clusters are mixed.

In general I had multiple issues and got errors in settings up the networking part in VL. Support was not able to explain all the errors I got, even the ones that occurred during a remote session (like vNIC with such a masquerade network address already exists - but it did not exist). Nobody could really explain how to setup multiple masq networks properly.

[mdippold]

In our environment I can't use masquerading, because our network architecture doesn't allow static routes.
Fortunately I need only a low number of virtual labs, so we can use static mapping with reserved addresses on the "outside" subnet of the SureBackup proxy.
We had to disable the automatic (ping) tests and use our own testing scripts because SureBackup doesn't care about static mapped addresses for the connection tests and only wants to use masqueraded addresses.

[pirx]

Thx for your feedback. But how does static routes / mapping work for you for SureBackup jobs? As far as In understad https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13 there must be 1 IP in prod network assigend for every VM in Virtual Lab. With ~2000 VMs to test this does not look like a practical workaround.

[mdippold]

We only need about 80-150 addresses. But you could reuse addresses if the virtual labs don't need to run at the same time.

[pirx]

This was not working, is was the VL configuration that was created automatically after entering the mask. According to support because of overlapping IP ranges. All our prod networks are in 10.x range.

Code: Select all

IpNetwork[1].MasqueradeNetworkAddress               | 10.254.128.0   
IpNetwork[2].MasqueradeNetworkAddress               | 10.255.240.0

Next I tried this, moving one masq network to another RFC1918 range, which also did not work - I do not get the thing with the overlapping networks here.

Code: Select all

IpNetwork[0].MasqueradeNetworkAddress               | 172.16.128.0 
IpNetwork[1].MasqueradeNetworkAddress               | 10.255.240.0

Today I tried to move both networks to a different masq network. And it worked in the SB test job.

Code: Select all

IpNetwork[0].MasqueradeNetworkAddress               | 172.16.246.0  
IpNetwork[1].MasqueradeNetworkAddress               | 192.168.244.0

Finally I started the actual SB job with 174 VMs and I did not get any network error anymore. That is nice, but it was trial and error and according to support this should not have worked at all. I've still no clue how to plan a VL properly (or worse, multiple VLs, as we have 10+ clusters and a masq networks must be unique for all VLs) and why certain combinations do not work in masquerading.

Code: Select all

IpNetwork[0].IsolatedApplianceIp                    | 10.24.72.1                             |
IpNetwork[0].IsolatedNetworkAddress                 | 10.24.72.0                             |
IpNetwork[0].IsolatedNetworkMask                    | 255.255.254.0                          |
IpNetwork[0].MasqueradeNetworkAddress               | 172.16.246.0                           |
IpNetwork[0].MasqueradeNetworkMask                  | 255.255.254.0                          |

IpNetwork[1].IsolatedApplianceIp                    | 10.24.70.1                             |
IpNetwork[1].IsolatedNetworkAddress                 | 10.24.70.0                             |
IpNetwork[1].IsolatedNetworkMask                    | 255.255.254.0                          |
IpNetwork[1].MasqueradeNetworkAddress               | 192.168.246.0                          |
IpNetwork[1].MasqueradeNetworkMask                  | 255.255.254.0                          |

IpNetwork[2].IsolatedApplianceIp                    | 10.24.2.1                              |
IpNetwork[2].IsolatedNetworkAddress                 | 10.24.2.0                              |
IpNetwork[2].IsolatedNetworkMask                    | 255.255.254.0                          |
IpNetwork[2].MasqueradeNetworkAddress               | 10.255.246.0                           |
IpNetwork[2].MasqueradeNetworkMask                  | 255.255.254.0                          |

IpNetwork[3].IsolatedApplianceIp                    | 10.24.100.1                            |
IpNetwork[3].IsolatedNetworkAddress                 | 10.24.100.0                            |
IpNetwork[3].IsolatedNetworkMask                    | 255.255.252.0                          |
IpNetwork[3].MasqueradeNetworkAddress               | 10.255.244.0                           |
IpNetwork[3].MasqueradeNetworkMask                  | 255.255.252.0                          |

IpNetwork[4].IsolatedApplianceIp                    | 10.1.8.1                               |
IpNetwork[4].IsolatedNetworkAddress                 | 10.1.0.0                               |
IpNetwork[4].IsolatedNetworkMask                    | 255.255.0.0                            |
IpNetwork[4].MasqueradeNetworkAddress               | 10.251.0.0                             |
IpNetwork[4].MasqueradeNetworkMask                  | 255.255.0.0                            |

[Matts N]

It is difficult to determine overlapping or not without the network mask. Consider the following:

Overlapping:
10.20.30.0/23 - IP range 10.20.30.0 - 10.20.31.255
10.20.31.0/23 - IP range 10.20.31.0 - 10.20.32.255

Not overlapping:
10.20.30.0/24 - IP range 10.20.30.0 - 10.20.30.255
10.20.31.0/24 - IP range 10.20.31.0 - 10.20.31.255

[pirx]

The prod mask is my initial posting.

Code: Select all

cluster28_dvs01_vlan181	181	    10.24.70.0/23		255.255.254.0	10.24.70.1
cluster28_dvs01_vlan182	182	    10.24.72.0 10.24.72.1

In VL I used mask 255.255.254.0 and 255.255.252.0 (or maybe 248 or 240, I've to check later)

Anyway. If they overlap I would expect that I get a warning during creation as I get a lot of warnings/errors for other stuff.

I'm really missing a good documentation with example for more complex setups or more about how to set VL for more than two simple networks.