Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Understanding VM with GRT Backups in a DMZ

Created: 19 Feb 2013 • Updated: 05 Apr 2013 | 6 comments
This issue has been solved. See solution.

Hey All,

 

Hoping someone can help me get my head around how this would work as we are seeing large amounts of traffic on our firewall.

 

We have a number virtual machines that sit in a DMZ (which are hosted on a host inside our permiter). We backup these servers to disk using VM backup with GRT. When these backups run, we see a signficant amount of activity on our firewall, as if the entire backup is running from the DMZ, through the firewall to the NAS (where our B2D backups are kept).

 

Is this correct behaviour? My understanding would be that the VM would be backed up from the host (on the SAN), to the NAS, and then the backup job catalogs or indexes the files using the Remote Agent on the VM. If that is true, then surely only the indexing would be going through the firewall and the bulk of the job would be all local?

 

Hopefully that makes sense

 

We are using Backup Exec 2010 R3

Cheers

Garry

Comments 6 CommentsJump to latest comment

teiva-boy's picture

If you have configured properly the BackupExec server to access the VMFS LUN's, and selected SAN as the preferred transport method...  What you assume in your description is correct.

If you are seeing all of your traffic over the LAN, something is not configure right.  In the job logs, you can find what transport was used for the backup job.

 

There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."

ttdgaz's picture

@tevia-boy, thanks for the reply. Unfortunately we need to go over the LAN as we are doing the B2D to an old NAS where we have plenty of storage (the SAN doesn't have heaps at this stage with tight bugets). it's a bit of a backwards design I know, but you have to work with what you got right? :)

 

When I look at the transport mode is says it is 'NBD'.

 

I don't have any issue with the data going over the LAN, the problem I have is it seems to be going through the firewall for our DMZ servers. Any thoughts?

ttdgaz's picture

Sorry, should have mentioned. The problem with all that data going through the firewall is that it is impacting our other services (mainly our site-to-site vpn) as the firewall cannot handle all that load.

teiva-boy's picture

So if you use NBD, or Network Based DIsk, all traffic flows over Ethernet via the service console ports on an ESX/ESXi host.  Same goes for NBDSSL

If you choose SAN transport, this assumes the VM's are hosted on a SAN, that backupexec can access this SAN volume through zoning, and the VMFS LUN is accessible in the disk manager within Windows of the BackupExec server.  (Don't just blindly do this, there are specific steps that have to happen, or you'll lose the entire VMFS volume)

If you setup the SAN correctly for BackupExec to access VMFS, then BackupExec mounts the VMDK snapshot file, backs it up over the SAN.  The agent in the guest would be responsible for all GRT catalog operations, that would happen post the VMDK being backed up.

So is your VMware server on a SAN volume, and can BackupExec access that volume via zoning?

If your answer is yes to both, I see no problem with doing a SAN based backup.

 

 

There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."

ttdgaz's picture

Sorry for the late reply Teiva-Boy, been out of the office.

 

Thanks for the detailed response, that makes sense. My VMWare Server is on a SAN volume, however I am not sure if BackupExex can acess that volume via zoning - will try to suss it out.

 

Just so I have it clear (sorry for dumbing it down a bit), if I can configure SAN based backup, the BackupExec Media Server would copy the VMDK file from the SAN to the NAS over internal LAN, and then after that is done the GRT Catalog would take place from the Remote Agent through the Firewall (as it is in the DMZ). Currently, all is going through the Firewall - Is that right?

teiva-boy's picture

So on your BackupExec server go to a CMD prompt

get into diskpart

type "automount disable" (Without the quotes)

and "automount scrub"

What this means is that your server when zoned properly to the VMFS LUN will have the disk in the disk manager as an online disk or healthy disk, but will not write a disk signature to the volume, which would KILL your VMFS volume.

DO NOT assign a drive letter, label it, no disk signature, nothing.  Make good notes and change control that this is not touched.  That disk will just be there and look pretty.  The VMware integration API's are able to work with it and do what needs to be done.

That said, when that is done, you should be able to use the SAN transport for the bulk of the VMDK image backup, with just GRT level information going over the LAN. Just a fraction of the size of the VMDK, thus working through your firewalls.

There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."

SOLUTION