Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

zoning Architecture

Created: 16 Jan 2013 • Updated: 25 Feb 2014 | 35 comments
Rami Nasser's picture
This issue has been solved. See solution.

Hi All ,

Could any body provide me with the zoning Architecture between the datasores LUN's and the VMware Backup host HBA?  Any official article or document will be good.

- Linux Vmware backup host ( appliance)

-for windows it is clear but for linux machine not!!

what is main concept of this Architecture.

I know that zoning is type of direct SAN connection (path) between the LUN's and the backup host wher the data store should be visible to the VMware backup host .From the appliance I can see the wwn of the datastores but the path is not shown.Is it mandatory the path should be shown too beside seeing the device?

Comments 35 CommentsJump to latest comment

Marianne's picture

Correct. Manual only says:

The backup host must have access to the datastores of the virtual machines.
and:
Figure 1-2 shows a NetBackup for VMware environment on a SAN. The backup
host accesses the VMware datastore directly over the SAN.
and
To use the SAN transport type, set up the datastore on Fibre
Channel or iSCSI. In this configuration, the VMware backup host must be
able to access the datastore over the SAN.
Note: The NetBackup appliance does not support iSCSI.
plus
■ Ensure that the hardware and the SAN are configured properly. The VMware
datastore where the target virtual machine files exist must be accessible to
the VMware backup host.
Note:ASANconnection between the backup host and the datastore is optional
if you use the NBD transfer type or NBDSSL transfer type.
■ VMware has specific hardware and configuration requirements. VMware SAN
requirements can be found in the appropriate VMware SAN Configuration
guide.
 
My logic says to me that zoned datastores should be visible at OS level, i.e. /dev/sd entries for the luns.
 

 NetBackup never mounts the VMDKs anywhere. It is reading at the raw disk read performance while enabling granular recovery using a time tested mapping technology known as Veritas Mapping Services (VxMS).

and here: https://www-secure.symantec.com/connect/blogs/nuts-and-bolts-netbackup-vmware-netbackup-5220-and-sles-based-backup-hosts#comment-7970251 

 No special configuration is required in most cases. All that you do is to add the FC adapters World Wide Names to SAN such that it can see the datastore LUNs. Use your favorite device scanning tool (or just do cat /dev/scsi/scsi) to make sure that your SLES media server can see datastore LUNs. 

  You may need to adjust max_scsi_luns if you have large number of datastore LUNs. I believe (don't quote me on this) the default number of maximum scsi LUNs for SLES is now 512. This is enough in many cases. 

Supporting Storage Foundation and VCS on Unix and Windows as well as NetBackup on Unix and Windows
Handy NBU Links

Rami Nasser's picture

Thanksssssssss alot for your efforts

please find attached snapshots. could you see any thing wrong in the zoning here!!

are the path should be visible?

Regards,

new added zone2.png new lscsii2.png
Marianne's picture

Sorry, I don't have access to our demo unit right now to compare.... 

Screen shot is also difficult to read (please rather copy text in future).

Supporting Storage Foundation and VCS on Unix and Windows as well as NetBackup on Unix and Windows
Handy NBU Links

Rami Nasser's picture

Thats ok .Don't worry, you are always and really trusted advisor. smiley

Yasuhisa Ishikawa's picture

What type of storage are you using as datastore? 3PAR is listed, but it isn't datastore storage, right?

If port WWN is present, it is possible that LUNs is not present to appliance at storage side. Please check if datastore LUNs are mapped to this port WWN and if acccess from appliance's port WWN is allowed.

Authorized Symantec Consultant(ASC) Data Protection in Tokyo, Japan

Rami Nasser's picture

- storage type :3PAR and EVA from HP

you are right .It is shown as device for this I'm fighting with the customer about this but the path is not shown or mapped .As I mentioned  before when I'm running command lsscsi it showing that no path (see snapshot attached)

-SAN team confirmed that there are no previliges for zoning.

 check if datastore LUNs are mapped to this port WWN and if acccess from appliance's port WWN is allowed.

do you mean  to run cat /dev/scsi/scsi as mentioned in Marriane post or there other command showing the mapped path.

the conclusion is that the device is visible to the appliance but the path not mapped to be able to access the VMKD files and read the data inside the LUN's !!!!

Yasuhisa Ishikawa's picture

What I suggested in previous post is that the storage used for datastore does not provide any LUNs to the appliance. Modern storage system has its own ACL and mapping mechanism, and it can control which port in SAN can accesss which LUNs in backing store.

I'm not sure 3PAR and EVA have such functionality, but it is worth to check. It is better to ask storage admin or HP engineer to check and review LUN configuration.

Authorized Symantec Consultant(ASC) Data Protection in Tokyo, Japan

Andrew Madsen's picture

You do have masking and mapping inside the 3PAR as well as the EVA, However I have yet to see the zones here. Can your SAN administrator send you the zone information this device is a member of?

The above comments are not to be construed as an official stance of the company I work for; hell half the time they are not even an official stance for me.

Rami Nasser's picture

What I suggested in previous post is that the storage used for datastore does not provide any LUNs to the appliance

Ok , but do you have any idea how  the LUN's should be appear inside the appliance?

Here is the issue that I could not see any LUN's ,only device!! 

Modern storage system has its own ACL and mapping mechanism, and it can control which port in SAN can accesss which LUNs in backing store.

I believe that SAN team should know this mechanism not me .I provided them all documents reletaed to our backup requirment,but they still not understanding what needed.

I explained them many times the same thing that all datastores (LUN's should be visible to the VMware backup host and this host should be able to enter the LUN's and can read and get the snapshot from there.if there are any read /write permission .it should be given . the path between the storage and appliance should exist and visible.

Regards,

Rami Nasser's picture

You do have masking and mapping inside the 3PAR as well as the EVA, However I have yet to see the zones here. Can your SAN administrator send you the zone information this device is a member of?

  Unfortunatly , SAN team only confirmed that the zoning is done , and as you can see the wwn of the storage from the appliance this mean that mean that from thier side nothing to do more.

LUN Mapping/LUN masking  in the 3PAR and EVA I don't know if they complete such configurarion:

Symantec sent me the following and from my side I shared it with the customer.

  • LUN Mapping/LUN masking – Different storage vendors have different terminologies and methods to achieve this. However the idea is that you need to map/mask the VMware DataStore LUNs to the Appliance ports (WWNs). In NetApp, this is achieved by creating an initiator group and then mapping that initiator group to the LUNs of the VMware DataStore.
  • This allows the VMware DataStore LUNs to be visible to the appliance (read-only) and hence appliance can read the VADP snapshots of the VMs for backup.

Regards,

Yasuhisa Ishikawa's picture

Ok , but do you have any idea how  the LUN's should be appear inside the appliance?

Sorry, I have no NetBackup Appliance in my lab so I can not confirm that.
But, by device naming, Applicance is based on Linux(SUSE?). LUN should be visible as /dev/sgX if zoning is correctly done AND LUNs are serviced to Appliance's port as soon as LUNs are present in SAN. Or please reboot appliance if possible. LUNs must be  recognized after reboot if LUNs are present on Appliance.

Well, storage ports are visible from Appliance, so zoning have been already done correclty. But it is still possible that storages does not serve any LUNs to Appliance. It depends on storage configuration. If storage administrators want to allow minimam access to datastore LUNs when initial setup of storages for VMware datastore, they might configure storage ACL or LUN mappings so as to only ESX hosts can access datastore LUNs.

Is SAN team responsible for both SAN switch and 3PAR/EVA configuration, or only for SAN switch? Please ask who is responsible for 3PAR/EVA configuration in this site to check which posts(WWN) can access datastore LUNs. 

Authorized Symantec Consultant(ASC) Data Protection in Tokyo, Japan

Rami Nasser's picture

Appreciate your efforts.

by device naming, Applicance is based on Linux(SUSE?). LUN should be visible as /dev/sgX if zoning is correctly done AND LUNs are serviced to Appliance's port as soon as LUNs are present in SAN. Or please reboot appliance if possible. LUNs must be recognized after reboot if LUNs are present on Appliance.

It is visible as /dev/sgX  .Symantec support saw this but hesaid that no path exist between the appliance and the SAN LUN's under path column and this is the issue.the appliance was rebooted then I scan the FC connection but nothing new.

but LUN's are serviced to appliance's port ,what do you mean here?

But it is still possible that storages does not serve any LUNs to Appliance

they might configure storage ACL or LUN mappings so as to only ESX hosts can access datastore LUNs

This is very close to the fact what we looking for .There are limitation to access the LUN's .why?

when I informed them that after the snapshot is done the appliance shpould access the LUN's and will open the VMDK to read that snapshot then send it to the storage,thier answer was impossible there are a security risk to give you such access

Regards,

Rami Nasser's picture

Do any one believe that this is not zoning issue ,but appliance issue? Should the appliance netbackup version be in the same version as master server?

-master server version is 7.5.0.4

-appliance version 2.5 (netbackup 7.5.0.2)

please advice!!

Regards,

Rami Nasser's picture

appliance version upgraded to 2.5.1b

Regards,

Yasuhisa Ishikawa's picture

Sorry to be late.

Do any one believe that this is not zoning issue ,but appliance issue?

SAN transport is common use case, so I believe it must have been reported in Late Breaking News or Alerts if Appliance or NetBackup has such defect.
We don't have complete information about your environment, so what we can only to do is providing sugestions and possible scenarios.

BTW, we can not confirm that /dev/sgX is device file for datastore because you masked WWN in screenshots. WWN and LU Number(1 and 2) of /dev/sgX is exactly same with that of datastore LUN shown in ESXs? Does it provide Mirror/Copy/Seconday LUs to the appliance that can not be allowed to read while syncing with original LUs used for datastore?

when I informed them that after the snapshot is done the appliance shpould access the LUN's and will open the VMDK to read that snapshot then send it to the storage,thier answer was impossible there are a security risk to give you such access

This means that your customer does not give the appliance access to datastore LUNs for security reason, right? If so, the reason of this issue is simple. If access from the appliance to datastore LUNs are not allowed, SAN transport is not possible.

Authorized Symantec Consultant(ASC) Data Protection in Tokyo, Japan

Rami Nasser's picture

do you have any update !!!!!!!!!!!!it still not solved

Marianne's picture

I believe that you have more than enough information in above posts.

As per Yasuhisa's last comment:

This means that your customer does not give the appliance access to datastore LUNs for security reason, right? If so, the reason of this issue is simple. If access from the appliance to datastore LUNs are not allowed, SAN transport is not possible.

Supporting Storage Foundation and VCS on Unix and Windows as well as NetBackup on Unix and Windows
Handy NBU Links

Rami Nasser's picture

Really I believe now that this issue related to the appliance it self ,because this is third customer where I worked and facing the same issue.the luns are presented andshown but SAN method still not functioning properly

Regards,

Untitled.png
Marianne's picture

If you believe this is Appliance issue, please log a support call with Symantec.

You will see many users in Appliance forum using Appliance as fibre transport media server.

Are you 100% sure you have model "D" appliances?

Supporting Storage Foundation and VCS on Unix and Windows as well as NetBackup on Unix and Windows
Handy NBU Links

Rami Nasser's picture

Ofcourse sure of the model!!

I reviewed almost all the posts in the appliance forum ,and I saw the only one how has the same issue noti'm trying to contact him.

Using appliance as fibre transport media server is deffent than using the appliance as vmware backup host,where in the first situtaion the hba ports in slot 2 and 4 will be used as initiater and target,but in the second the ports will be initiater

Thanks

Marianne's picture

SO Sorry! I am totally on the wrong track here!

Models B and C are perfectly fine for VM backups!

I still feel that you should log a Support call.
You need someone to Webex in and see what is wrong.

Supporting Storage Foundation and VCS on Unix and Windows as well as NetBackup on Unix and Windows
Handy NBU Links

Rami Nasser's picture

Mariane , for me you are  a trusted Advisor in all aspects,,,I could not forget your support in many issues i faced in Symantec Netbackup for more than one year,,yesyesyes

I created support case 2 times with out solving the issue. Also here in our region Symantec team are escaping from finding solution for this issue.I escalated this issue to highest level but nothing.I believe that if this appliance not support such feature so will be easier to me to have a windows machine to work as backup host were it working perfect.

My Best regards,

RLeon's picture

when I informed them that after the snapshot is done the appliance shpould access the LUN's and will open the VMDK to read that snapshot then send it to the storage,thier answer was impossible there are a security risk to give you such access

Is there a chance that although the zoning was done correctly between the Nbu Appliance and the HP SAN device, your SAN team simply hasn't configured the ESX Datastore LUNs to be visible to the Appliance?

In other words, the Appliance has a clear path to the HP SAN (via zoning), but the HP SAN simply hasn't allowed the ESX Datastore LUNs through this path (via LUN "Export")?

Also, how are the LUNs connected and presented to to the VMware ESX hosts?
As NFS Datastores, iSCSI VMFS Datastores, or FC SAN VMFS Datastores?

Rami Nasser's picture

Thanks Rleon for response.

FYI now I'm working with different customer so different SAN Team.

If you review my last snapshot ,you will see that the LUN's are presented and there are no problem with zoning it self.

SAN team simply hasn't configured the ESX Datastore LUNs to be visible to the Appliance?

from your word ,one idea came to my head :is it possible that the vm client what i'm taking backup not located in the Lun's that was zoned??blush

Also, how are the LUNs connected and presented to to the VMware ESX hosts?
As NFS Datastores, iSCSI VMFS Datastores, or FC SAN VMFS Datastores?

could you give more details about this and how it related to zoning with the appliance??

Regards,

RLeon's picture

Having zoned the Appliance and the SAN storage device together does not necessarily mean the specific LUNs you required are presented. It just means the Appliance has a path(s) to the SAN storage device, as shown in your screenshots.

Can you verify by looking at the EVA / 3PAR configuration interfaces that it really has presented the VMware Datastore LUNs - via the already established zoning paths - to the Nbu Appliance? I think HP calls this "exporting" LUNs to a host, or something. Please post the screenshots of the EVA / 3PAR config interface that shows this, if possible.

The reason why I'm asking is because your SAN people told you that it was a "security risk to give you such access". So they might have done the zoning for you (begrudgingly), but not the LUN presenting/exporting.

The vmdk snapshots you wish to backup via SAN Transport must exist in the Datastore LUNs that the Appliance has SAN visibility to.

could you give more details about this and how it related to zoning with the appliance?

For one, if ESX hosts are running their VMs off NFS connections to the storage (I.e., NFS Datastores), then SAN Transport backup is not possible.

SOLUTION
Mark_Solutions's picture

I have seen a similar issue where the datastores were zoned but the LUNS did not actually have host mappings setup and so the volumes thenselves were not visible to the appliance

This showed just a few LUNS as per your screenshot but none of the actual volumes within those datastores

Perhaps that is related or your issue?

The ports should be in default mode - if you are not using Fibre Transport then any of the fibre ports can be used for VMWare LUN mapping

Hope this helps

Authorised Symantec Consultant

Don't forget to "Mark as Solution" if someones advice has solved your issue - and please bring back the Thumbs Up!!.

Rami Nasser's picture

Thanks Mark for contienuis support.

I have seen a similar issue where the datastores were zoned but the LUNS did not actually have host mappings setup and so the volumes thenselves were not visible to the appliance

could you give me more info about host mapping setup? where it should be configured (is it SAN admin responsibilty?)

This showed just a few LUNS as per your screenshot but none of the actual volumes within those datastores Perhaps that is related or yoru issue?

what you can see is the screenshot is test zoning for some luns where the test VM machine located inside it, and there you can see that the luns are presented!!

The posts should be in default mode - if you are not using Fibre Transport then any of the fibre ports can be used for VMWare LUN mapping

I'm using the appliance with default mode (all ports in initiator mode) and starting from version 2.5 you can use any port for vmware.

appreciate your support

Regards,

Mark_Solutions's picture

Not sure exactly where it was configured but the Datastore were mapped to the appliances but not the volumes themselves - not sure if that is a SAN or vCenter thing (SAN i would have thought)

If you are happy that all datastore volumes are actually visible then the only other thing that i have seen stop SAN transport working is the vCenter credentials not being good enough (and several times the password having been changed)

Authorised Symantec Consultant

Don't forget to "Mark as Solution" if someones advice has solved your issue - and please bring back the Thumbs Up!!.

Rami Nasser's picture

What I saw when he configured the zoning is :The SAN guy ask the VMware guy to provide him with the datastore where the test vm located,then the SAN guy asked me to provide him with wwn of the appliance port then he created a zone contains the appliance port and the datastore that contains the luns which are visible to the appliance. This what i saw,but I dont know exactly what else need to be requested from the SAN guy to perform!!!(As he said :tell me exactly what you want!!!!!!!) really I embbarased that Symantec could not provide us with fixed occured prerequieities and real preactice to solve this issue.

regarding the credentials : in this project the admin really supportive and from the begining he gave me the super admincredentials for vcenter with full privilages.

stop SAN transport working is the vCenter credentials not being good enough

I didnt get this point. Do you mean the backup roles in the Vcenter or the services in the windows machine it self or the credentials used for vmware backup??

As mentioned before that Symantec in this issue trying not to talk about this issue and al the time requesting :ok use   NBD it working fine ,and put the reason on SAN teams.

Regards,

Mark_Solutions's picture

Ok - i have checked out with my last job and they had the SAN administrator add mappings (maskings) of the datastore volumes to the appliance ports - so it was done on a volume by volume basis.

Hope this helps

#edit#

So more at storage level than just zoning level - you need both zoning and luns mapping / masking to get it to work

Authorised Symantec Consultant

Don't forget to "Mark as Solution" if someones advice has solved your issue - and please bring back the Thumbs Up!!.

Rami Nasser's picture

Thanks Mark for support .Tommorow I will visit the customer and hope that we can work on this mapping .You know that customers some times not giving you chances to try some configuration on thier production.

Appreciate your support

Rami Nasser's picture

Hi All ,

I added a new windows physical machine with HBA as vmware backup host ,then I added the server to master server list .I asked the SAN guy to do the zoning between this new machine and the SAN LUNs, Ofcource i asked him to show me how he did this and verified that mapping also done were he put the hosts and datastores and the appliance 5220 and the new machine.When using LAN all the clients inside the vcenter completed sussefully but using SAN getting the same error .I removed all policies and then restarted the services in the master and all media servers then added anew vmware policy for other client from another esx host under the vcenter and used the LAN transport mode it was finished susseccfully,then I changed the mode to SAN transport mode,I found that i didnt got the same error related to transport mode and the job completed succesfully within 3 minutes where the same backup using NBD mode finished during 45 minutes.the speed for lan was about 8000KB but the seconed was about 150000 Kb.

I was very happy to get this result but I was surprised that the job in activty monitor showing both transport LAN (where I'm sure that only SAN tranport was selected.

I saw that there are one post about this from AbdulRashid about this:

The transport type you see in the Activity monitor represents the transport mechanism between client and media server. In your case, it is likely to be LAN unless your VMware backup host (the client where bpbkar is running) is a SAN Client. You will see the transport type as SAN if your backup host is a SAN Client sending data to a FT media server.

The transport from VMware datastore to VMware backup host is not displayed in Activity Monitor. The only way to confirm the transport type used is to look at bpbkar log.

If this is right so this is bad because the customer want to see SAN for SAN and LAN for LAN !!!

Kindly find the attached snapshot

Appreciate your Support

snapshot for transport mode.png
Mark_Solutions's picture

So is your VMWare Host your media server or are they different servers?

In the text of the backup job on that detailed tab it should say whether SAN or LAN is used - I cannot see that part on your screen shots, could you check or paste it on here.

It would appear that that section indicates whether it uses Fibre Transport or not but the text of the job detail should say whether the job used LAN or SAN to do the backup

I guess this "feature" may be corrected in the future!

Authorised Symantec Consultant

Don't forget to "Mark as Solution" if someones advice has solved your issue - and please bring back the Thumbs Up!!.

Rami Nasser's picture

VMware host is the media server appliance.

You know Mark I missed to copy the details of this job and just took snapshoot for transport type.

I 'm unavailable on site to copy the deatails ,,Sorry

Regards,

Mark_Solutions's picture

OK - when back on site you should find that the details of the job do say whether SAN or nbd (which is LAN) is being used during the backup

Authorised Symantec Consultant

Don't forget to "Mark as Solution" if someones advice has solved your issue - and please bring back the Thumbs Up!!.