This is a very frequent topic for me and I always get questions from customers and partners about it… so I thought: “let’s make this a blog post!” 🙂
Background
Generally, when designing backup infrastructures, it is preferable to set up a direct connection between the data mover (“Backup Server” or “Proxy”, in Veeam terminology) and the production storage where your data resides. This is commonly referred to as “LAN-Free” configuration, because the backup traffic does not impact on your LAN. Actually, what I described is only half of the job: a direct access to the production storage ensures LAN-Free read operations – to obtain a real 100% LAN-Free backup, also the target storage (“Repository” in Veeam terms) must be directly connected.
As you might already know, Veeam Backup & Replication supports both VMware vSphere and Microsoft Hyper-V environments. The backup and recovery mechanics are quite different between the two hypervisors, as well as the steps needed to configure a LAN-Free backup. So I wrote a separate blog post about configuring LAN-Free backup for Hyper-V environments.
It should be noted that by default, when you install Veeam Backup & Replication, the backup server is automatically configured as a backup proxy and repository. So it is perfectly possible to have a single machine holding all roles – this is of course suggested only in small environments.
The good thing about this approach is that you can grow and scale as you like, plus you can easily adapt the backup/replication infrastructure to your needs, for example if you have a distributed infrastructure among different sites.
LAN-Free backups in VMware vSphere
Configuring LAN-Free data reading
In vSphere environments, Veeam Backup & Replication leverages the VADP framework to read VM data. VADP offers the “Direct SAN” transport mode among others. To enable LAN-Free reading of VM data, the Veeam Backup & Replication Proxy component must have visibility of the vSphere shared datastores on which it resides (either FC or iSCSI – NFS and local storage are not supported).
The steps to configure your B&R Proxy to access the shared storage vary depending on your infrastructure (storage vendor and model, protocol, switches…) and is out of this post’s scope.
Play it safe!
Giving a Windows system access to your VMFS datastore can potentially lead to trouble – if Windows mounts and initializes (re-signatures) the volume, it becomes corrupted and unreadable from the vSphere hosts. If it happens, don’t panic! It can usually be fixed quite easily from VMware support, or you can even fix it yourself (not recommended).
If your SAN and/or switch infrastructure allows it, you should give the Windows server read-only access to the VMFS volumes. But it’s not always possible. A common approach is disabling the automatic mounting of new volumes in Windows.
In Windows 2003, it was required to disable the Automount feature and there was no distinction between shared volumes and local, non-shared volumes (such as removable or directly-attached ones).
Starting from Windows 2008 and upwards, only the SAN Policy setting, accessible via diskpart, is needed. The policy can either be “Online All”, “Offline All” or “Offline Shared”. Even if AutoMount is enabled, new volumes/LUNs will not be automatically online if SAN Policy is set to “Offline Shared”.
You can check your current SAN policy settings using the san command within diskpart. Note that this does not completely remove the risk of someone manually onlining the volume, so you should be careful about who has administrative access to that Windows system.
-
In Windows Server 2012 (any edition) the default value for SAN Policy is “Offline Shared”
- In Windows Server 2008 / 2008 R2, the default setting depends on the edition:
- Enterprise/Datacenter Edition: “Offline Shared”
- Standard Edition: “Online All” (potentially “dangerous”)
You can see an example from one of the tests in my lab here. I attached a 40GB iSCSI LUN (hosting a VMFS datastore) to a Windows 2012 VM, AutoMount was enabled, but the volume wasn’t brought automatically online.
For many backup products, these steps have to be done manually and (hopefully) they are explained in the user’s guide. In Veeam B&R, starting with v6.1, the software automatically checks the SAN Policy and sets it to “Offline Shared”, if needed, during installation.
So the suggestion is: give the Windows server access to the VMFS volumes only after having installed Veeam B&R (or configured the machine as a backup proxy)!
Configuring the Veeam B&R infrastructure
Once you have configured the LAN-Free data reading part, you’re almost good to go – Veeam automatically detects available transport modes and, if automatic selection is enabled, will always use Direct SAN mode when possible.
Before launching your backup job, only the first time after configuring LAN-Free access, you should launch a rescan of the volumes for the backup proxy. By default the discovery process runs once every 24 hours – by running it manually, you ensure your newly configured volumes are picked up by Veeam.
To do this, in the Backup Infrastructure section of the UI, right-click on the backup proxy under Managed Servers -> Windows machines and select the Rescan option.
Configuring LAN-Free data writing
As stated before, to have a fully LAN-Free backup infrastructure you have to ensure the data flow between the backup proxy and repository does not go through the production network.
For example, in an “all-in-one” configuration (a single machine being a backup server, proxy and repository) could be totally LAN-Free using Direct SAN transport mode for reading and a directly attached or a SAN-connected volume for writing. Or in other cases, a separate LAN dedicated to backups can be set up… you get the point.
The following diagram, from Veeam B&R’s user’s guide article about Direct SAN transport mode explains the process and data flow. It is taken from Veeam’s Help Center, a great resource with a lot of useful information about Veeam products.
Testing it out!
Now that everything is ready, let’s launch our backup job!
In the statistics window (or frame) Veeam B&R always indicates the transport mode it used. If everything was configured correctly, in the job statistics for every VM you should see the following text:
Using backup proxy <name> for Hard disk <n> [san]
Well, that’s all, folks!
Hope you enjoy this post and find it useful! Any feedback / comment is welcome.
Found this really to be a really good overview, something I struggled to find on Veeam.
Thank you for this.
Hi Danilo,
do you know if Direct SAN Access is supported with SAS Storage?
Or only with FC/iSCSI protocol?
Thanks a lot!
Marco
Ciao Marco and thanks for your comment.
Yes, as far as I know Direct SAN is supported by VDDK for SAS storage too.
Source: http://pubs.vmware.com/vsphere-55/topic/com.vmware.ICbase/PDF/vddk55_programming.pdf (page 23)
Cheers
Thanks very much Danilo!
Mine starts off saying [san] but then starts transferring in [nbd]? Even though I have told the proxy it can only use SAN and no failover to network transfer?
Hi Bilal, sorry for the long delay, somehow I wasn’t notified of your comment. I’d say the behaviour you see is not expected, your best bet would probably be opening a case with Veeam support to investigate.
Hi
I agree, well explained. As I have found several sites explaining how to set Direct SAN Access up yours is very accurate even though the part about setting up MS iSCSI Initiator would have made it more complete.
Anyway, I’ve faced some oddness setting this up. I have presented four VMFS volumes via MS iSCSI. When I look at the job it tells me “Direct SAN connection is not available, failing over to network mode”
I would have expected this on the VM’s that have vRDM’s since I have not presented the vRDM volumes to the backup server. But it is failing over to network mode with VM’s that only resides on the VMFS volumes that are presented to the backup server.
What can I check? I must have missed something.
Thanks
Hello Rod and thanks for your comment.
Did you do a rescan of the backup proxy as explained in my post above?
If everything seems to be OK but you still get network mode backups, you may want to open a case and check with Veeam’s support team (http://cp.veeam.com)
Thanks
Good stuff Danilo! Very well explained.