Design question, how to not overload the firewall.

Customer has a physical B&R server on LAN1, and a physical Linux Hardened Repo on LAN1.

They also have like 100 Physical servers on LAN2, 3 and 4.

Traffic goes through the firewall obviously, and the fear is that it will overload it, affecting production.

Since we can’t use Proxy Servers for Agent backups (no such thing apparently), how can I avoid pulling the traffic through the Firewall?

The B&R Server and LHR are 10Gbit and use tagged VLANs, so I can quite simply add VLAN2,3,4 to the VLAN trunk and give them a link into the Agent VLANs.
 

  • Will that work? Do I need to add both the B&R server and the LHR, or just the LHR?
  • Can an LHR have several IPs like that and still work?
  • Will the traffic go from the agent directly to the LHR or via the B&R server?

Other ideas welcome...

Thanks!

Yes, a dedicated network is my preferred solution for this, too.

And you can spread the agent backups to different hours to decrease the amount of backup data at a given time frame.


I would think that if you could do some layer 3 switching here, the VBR/Repo would be able to talk to the VMs/servers on their respective networks at switch/line speed without having to go through the firewall, but I’d set limitations so that only the servers are going to only the required backup infrastructure. Not sure though if you have the capability of making network changes like that.


Hello @magnusvr ,
how much data / how many files will be backed up every day?
100 servers does not sound that much…

Do the other servers have 10Gbit connections, too?


@magnusvr hi

  • In order not to pass traffic over the firewall, I dedicated a network to backup and configured on Veeam Specifying Preferred Networks

Specifying Preferred Networks - User Guide for VMware vSphere (veeam.com)

  • Alternatively, you can control the flow of the Veeam Agent data backup with the Limiting Bandwidth Consumption

Limiting Bandwidth Consumption - Veeam Agent for Microsoft Windows Guide

regards


Hello @magnusvr,
100 physical servers is a lot, but it only depends on the change rate.
Not very helpful, but maybe think about a virtualization project for your customer?

Anyway;
if you try to avoid or bypass the firewall, please think about that now “all” ports are reachable in this specific “local LAN”. How will you restrict network communication to your critical backup infrastructure?

Some options are:
- use a dedicated backup network (add ports) and, like @Link State said, use the “preferred network” option. Maybe some DNS trickery (with an additional alias) is helpful.
- another firewall (different hardware for the backup traffic)
- use another repository concept (SOBR with a small “performance tier” and copy/move to the LHR after 1/a few days). For example a proxy/repository “near” the systems you want to back up, with iSCSI or FC disks from another system in the backup environment.

But these are also budget topics and depend on whether the customer is willing to invest. I would first recommend trying the “out of the box” options and seeing how it goes.

best regards
daniel


Can I put an extra IP/LAN on the B&R server and have the traffic go from the Agent to the B&R, and the B&R will then ship the traffic to the LHR? Or do I always need a connection from the Agent to the LHR?

 


The backup traffic will go directly from the agents to the repo:

https://helpcenter.veeam.com/docs/agentforwindows/userguide/used_ports.html?ver=50

Veeam Agent Computer -> Veeam Backup Server, TCP 10001: Default port used by Veeam Agent for Microsoft Windows operating in the standalone mode for communication with the Veeam Backup server.

Data between the Veeam Agent computer and backup repositories is transferred directly, bypassing Veeam backup servers.

 

https://helpcenter.veeam.com/docs/agentforlinux/userguide/used_ports.html?ver=50

Veeam Agent computer -> Veeam backup server, TCP 10006: Default port used for communication with the Veeam backup server.

Data between the Veeam Agent for Linux computer and backup repositories is transferred directly, bypassing Veeam backup servers.

The VBR server in this case does just management.

 

best regards

daniel


I don’t have a hardened Repository server with multiple IPs, but some “normal” repository servers. Veeam was every time intelligent enough to route the traffic over the correct interface.

Even if an agent cannot reach the repository server directly, the traffic is then routed over the VBR server. I think the direct connection is an option, not a must-have...


@dloseke Excellent Idea, the thought had crossed my mind, I’m also unsure if that is possible. I think they are running Cisco, possibly Nexus switches at the site, but I guess it would require a redesign of the whole network… I will add that as a suggestion.


I’ve converted a Cisco Nexus 3k from L2 to L3 using vPC for gateway redundancy with VRRP/HSRP, can’t remember which protocol they used, sorry! Was easy enough, can either do it “Big Bang” by swapping your gateway IP from being configured for your firewall to your switch, or create a new gateway IP and move everything one device at a time.

 

In either scenario for security you can use ACLs to have more basic firewall style filtering.

 

As an alternative to maintain security without production impact, why not a virtual firewall such as pfSense?
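To illustrate the ACL idea from the post above, here is an added example (not from any poster in this thread, and not a Veeam-supplied configuration): an IOS-style extended ACL on the L3 switch that lets hosts in the agent VLANs reach only the backup server on the agent-to-backup-server ports quoted earlier in the thread (TCP 10001 for Windows agents, TCP 10006 for Linux agents) plus the hardened repository, and blocks everything else into the backup VLAN. All addresses, VLAN numbers and the ACL/object-group names are constructed placeholders; the thread does not list the agent-to-repository data port range, so the repository rule is left host-wide rather than port-restricted, and NX-OS syntax differs slightly from what is shown.

```cisco
! Constructed placeholders (not from the thread):
!   VLAN 2/3/4 = agent networks 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24
!   VLAN 1     = backup network 10.1.0.0/24
!   VBR server = 10.1.0.10, hardened Linux repo = 10.1.0.20
object-group network AGENT-NETS
 10.2.0.0 255.255.255.0
 10.3.0.0 255.255.255.0
 10.4.0.0 255.255.255.0
!
ip access-list extended AGENTS-TO-BACKUP
 ! Agent control traffic to the backup server, ports as quoted in the thread
 permit tcp object-group AGENT-NETS host 10.1.0.10 eq 10001
 permit tcp object-group AGENT-NETS host 10.1.0.10 eq 10006
 ! Backup data goes agent -> repo directly (VBR only does management);
 ! data port range not given in the thread, so host-wide here
 permit tcp object-group AGENT-NETS host 10.1.0.20
 ! Nothing else from the agent VLANs into the backup network; log hits
 deny   ip  object-group AGENT-NETS 10.1.0.0 0.0.0.255 log
 ! Traffic to any other destination keeps following existing policy
 permit ip any any
!
! Apply inbound on each agent SVI; the backup VLAN SVI stays unfiltered,
! so VBR-initiated management sessions and return traffic are not affected
interface Vlan2
 ip access-group AGENTS-TO-BACKUP in
interface Vlan3
 ip access-group AGENTS-TO-BACKUP in
interface Vlan4
 ip access-group AGENTS-TO-BACKUP in
```

Because the final `permit ip any any` also allows agent VLANs to reach each other via the switch, tighten that line to match the site's existing inter-VLAN policy before applying it.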


Hi JM,

I’m not sure actually, the Agent servers are varying, 1 or 10Gbit, and I’m guessing they are around 10-20TB of Frontend data, and it will decrease to a large degree in the next 1-12 months.

I don’t think there is much of a change rate, these are application, SQL and webhosting servers, no users.

The Firewall is probably 1 Gbit but I’m not sure it can actually throughput 1 Gbit, and it will probably affect the 24/7 webhosting traffic.


Thank you all for your thoughts. The background is that they are running a lot of VMs in Proxmox, which means Agent backups. Only a few Agents are actually Physical servers. They have a new AHV cluster and are migrating to it, but it will be some time before they are all migrated. Once in AHV, the problem is gone.

A Backup Network is hard to suggest now, and I feel that security wise, that would also connect all the servers together in one LAN, perhaps even more so than putting an IP on the backup server.

I’m kind of assuming that I can’t get the Agent to connect directly to the LHR without segmenting it up into many, which sounds like a hassle.

Can I put an extra IP/LAN on the B&R server and have the traffic go from the Agent to the B&R, and the B&R will then ship the traffic to the LHR? Or do I always need a connection from the Agent to the LHR?

Complicated to explain my thoughts...thanks!


Thank you Daniel,

And as Veeam has the LHR registered with an IP in LAN1, it won’t help if I assign an IP in LAN2 on the VBR, since the Veeam server won’t know that IP?

I would have to add the LHR two times in Veeam (?), one for each IP, and control which agents from which network store in which Repo instance.


Interesting. I will experiment a little bit and see. Thanks all!

 


@magnusvr 

These are the target repositories supported by the Windows agent.

Alternatively you can use a dedicated share server as target repository.


Thanks Link State,

Since the customer has a brand new Veeam setup with a 300TB LHR, that’s what we want to use, to get the benefit of immutability and XFS pointers. Also, the Agents will be server managed.

I will move forward with suggesting to run the traffic through the firewall after all, and work with speed limits, distributed schedules, and possibly QoS in the FW.

/Magnus
