Hello, community! I'd like to backup clients from some VLANs via dedicated media server interfaces connected to same VLANs (as it shown on a pictrue). My aim is to exclude undesireable routed traffic through main server management interface as it goes by long way to core router on remote DC while traffic within one VLAN is processed on the local switch.
If there is a way to configure it with usage of a DNS service but not local 'hosts' files on all servers and clients? To make each client communicate with the master and media server interface from its own VLAN, using ts additional hostname corresponding to situable IP address (unique for each VLAN).
The master and media servers are multihomed for the best backup performance, otherwise will be the firewall the bottleneck.
For that use case use shortnames for the NBU hosts, not FQDN. Makes it much easier.
Core: master1, media1 and media2, Windows Server 2012 R2, DomainA joined
Windows: master1.domainA.local / NBU: master1
IP Config of the interfaces:
- IP address and subnet, windows does not like more information for the add. interfaces (client VLANs) :-)
- disable DNS resolve / do not make DNS record for your clients VLANs
Client VLAN: DomainB, add DNS hosts to DomainB
The DNS from DomainB resolve (static A record, manual added), master1.domainB.local --> IP address of the interface which you have added to the master1 for the client VLAN.
NBU Client setup: master1, media1 ....
Enable the windows firewall on the master and media server and open just the necessary ports.
Thank you, Tobias
If i've got your advice correctly, I can't use it since all clients and NBU servers are already members of one AD domain and it is not suppoused to be changed, and DNS zones too.
I only can create some new records in DNS for additional master and media IP addresses and also i can try some NBU settings and options like Preferred Networks ot make servers and clients communicate via situable interfaces. Probably, new interface names should be added to 'servers' section of client Properties, or some additional steps to be done.
So still the question is - if it is possible? And if the how-to and best practice exists for such case?
Does somebody have such expirience?
The "Preferred Networks" setting is for something totally unrelated. (I wish the documentation explains it better, but let's not keep our hopes up).
Let's say you have a Master/Media Server with 2 network interfaces, each with their own VLAN IP. E.g.,:
Nbu.VLAN111.com - 10.10.111.1/24 - Gateway is 10.10.111.254 (Default Gateway of server)
Nbu.VLAN222.com - 10.10.222.1/24 - Gateway is 10.10.222.254
As you can see, each subnet has its own gateway router/firewall.
Suppse we have a Client in a different VLAN:
Client101.VLAN101.com - 10.10.101.101/24 - Gateway is 10.10.101.254 (Default Gateway of server)
Suppose all 3 VLAN networks have access to each other through their own respective layer 3 routing gateway/firewall.
Then the question is, when the Master/Media and the Client communicate, which VLAN networks would be used?
Client101 only has access to one link-local VLAN network, VLAN101, so it's the one it's going to use.
But Nbu has access to two link-local VLAN networks, VLAN111 and VLAN222, both capable of routing access to the Client's VLAN101. So which one is it going to use to communicate with Client101?
By default, NetBackup will use the Default Gateway configured at the OS level. Which, in this case is 10.10.111.254. This tells us that Nbu would use VLAN111 to send its packets to Client101, because its IP in VLAN111 is in the same network as the OS's Default Gateway IP. (Assuming you didn't mess up the OS's routing table metrics).
Suppose for some reason you want Nbu to use VLAN222's gateway instead to communicate with Client101, this is when you can use NetBackup's "Preferred Networks" setting. It can make NetBackup communicate with Client101 using it's IP in VLAN222, and therefore, using the "non-default" gateway 10.10.222.254 that is also in VLAN222.
I never found a common use for this feature tbh.
Doing this using DNS without touching local 'hosts' file is completely possible.
Although I generally recommend only giving a single IP for a NetBackup server (KISS principle), many customers' networks just can't accommodate allowing a single IP routing access to every VLAN that has data that needs backing up.
My highest record (and nightmare, do not recommend) was configuring for a customer a Media Server with 35 different VLAN IP addresses through its 2x10Gb LACP teamed VLAN trunk/tag interface.
One thing to remember is that you also have to give the Master server IP addresses to the same VLANs, because a Client in a VLAN cannot just communicate with the Media Server, it also has to be able to communicate with the Master Server. So in my case there were 70 IP addresses just between the Master and the Media alone. *PTSD shivers*
Note: some other competing backup product that-shall-not-be-named allows 'Clients' to communicate with the 'Master' by proxying through the 'Media' servers. Effectively, that means you only have to give the 'Master' a single IP that has access to the 'Media' servers with multiple VLAN IPs that have access to Clients in those VLANs. Not having to give the 'Master' the same number of IPs as the 'Media' servers help simplify things alot. But i digress.
Suppose you have 3 VLANs:
VLAN111 - 192.168.11.x/24 - Where the default gateway router/firewall is. But we're not passing backup traffic through that.
VLAN222 - 192.168.22.x/24 - Client22 located here
VLAN333 - 192.168.33.x/24 - Client33 located here
Assuming everyone from any VLAN/IP has access to the same DNS server(s) (This is important), then the following two methods would work.
Method 1 (Best):
Create 3 different DNS zones, one for each VLAN.
Refrain from adding IP addresses from a different VLAN in to the wrong DNS zone (DNS would not stop you from doing this, so you have to remind yourself).
Note: Remember to add matching Reverse lookup zones too, in addition to Forward lookup. You could say we technically should have a total of 6 DNS zones, 3 Forward and 3 Reverse, but lets keep things simple in this text...
~ Nbu - 192.168.11.1
~ Nbu - 192.168.22.1
~ Client22 - 192.168.22.22
~ Nbu - 192.168.33.1
~ Client33 - 192.168.33.33
So, we have the following FQDNs and IP addresses, from the point-of-view of the Nbu server and all clients alike:
Nbu.Comany.com - 192.168.11.1
Nbu.VLAN222.com - 192.168.22.1
Nbu.VLAN333.com - 192.168.33.1
Client22.VLAN222.com - 192.168.22.22
Client33.VLAN333.com - 192.168.33.33
When you install the Nbu Client on Client22, when it asks you for the Master/Media DNS name, enter FQDN Nbu.VLAN222.com. On the Master, when you create a backup policy for Client22, add the FQDN Client22.VLAN222.com.
When you install the Nbu Client on Client33, when it asks you for the Master/Media DNS name, enter FQDN Nbu.VLAN333.com. On the Master, when you create a backup policy for Client33, add the FQDN Client33.VLAN333.com.
And... That's it. Every time the Master/Media ask for the IP for a specific client, DNS will give back the IP for that client's VLAN, forcing the Master to use it's own IP on that same VLAN to send packets to the client. (Assuming you didn't mess up the Master/Media's local routing table metrics).
Same things happen on the Client in reverse.
Client22 will ask DNS for Nbu.VLAN222.com and get 192.168.22.1
Client33 will ask DNS for Nbu.VLAN333.com and get 192.168.33.1
Method 2 (Not recommended):
In this method you only have to create 1 DNS zone. (4, if you count the 3 Reverse lookup zones too. Never forget the Reverse lookup zones! Note: Reverse lookup zones are grouped by networks/subnets.)
~ Nbu - 192.168.11.1
~ Nbu22 - 192.168.22.1
~ Nbu33 - 192.168.33.1
~ Client22 - 192.168.22.22
~ Client33 - 192.168
When you install the Nbu Client on Client22, when it asks you for the Master/Media DNS name, enter FQDN Nbu22.Company.com. On the Master, when you create a backup policy for Client22, add the FQDN Client22.Company.com.
When you install the Nbu Client on Client33, when it asks you for the Master/Media DNS name, enter FQDN Nbu33.Company.com. On the Master, when you create a backup policy for Client33, add the FQDN Client33.Company.com.
This method can get messy. As you can imagine if you have many more IP addresses for the Master/Media Server, then you need to think of many more names for it, because there is only one DNS zone.
The problem with this is that the different DNS names for the same server is not standardized. I.e., with method 1 you'd know all Nbu.x.x DNS records are for the same server. But with method 2 you'd have to keep track of the names for the same server manually.
Another potential problem is with the 15 character NetBIOS Computer name limit in Windows. Some environments already use all 15 characters to begin with, so you can't really do the Nbu/Nbu22/Nbu33 trick because you're already out of characters. You'd have to change some other characters inside the first 15. And as you could imagine, that could become messy for some environments. Method 1 does not have this problem.
Depending on the subnet mask of the different zones (blue,yellow etc etc), you may need static routes on the master and media servers and clients. This is to prevent network connection going to the default gateway.
Hi everybody, here is some account of my tests
In my simple setup the only thing really neccessary to do is to add on master (=media) interfaces connected to target VLANs (IP address and Netmask only set). It allows NB to use them for data flow. All the rest is for improvement:
Some test results are in attachement. Feel free to ask your questions, if have.
Additional step may be neccessary or not (i'm not sure):
Also i found somethig interesting and not clear for me:
When my master has three interfaces to three VLANs, and i disable any of them, it cause a lot of problems between NB processes. Even stopping NB before and startin after does not help. The only fast way is to reboot whole server. So i was disconnecting and connecting "cable" for tests. Any suggestions? I didn't find situable manuals or other docs.
is there any way to bind nb processes internal communication to one network interface?
according to your method 1 .
Lets say if i have 20 VLAN's for master/media server then how many DNS entries we need to maintain to backup 20 VLAN's customers clients ?