DPM isolated VLAN for backup traffic best practices

Hello DPM users,

Let's talk about an isolated VLAN for the DPM backup traffic. I've set up a new Failover Cluster for Hyper-V. It's for a completely private network (no customer tenants), so the VMs and the hosts are on the same VLAN and in the same Active Directory domain. I am leveraging LBFO and Management OS interfaces on the Hyper-V switch to isolate the Live Migration traffic, plus another cluster network for CSV redirection, etc., on their own VLANs. The iSCSI shared storage is also completely isolated, on separate physical NICs. So, while my users can see the Hyper-V hosts like any domain member server on layer 2, they can't see any of the underlying raw VM traffic (RAM contents, storage blocks) without breaking through the VLAN segmentation first.

OK, so what about DPM? I want to have the backup traffic invisible to the production VLAN, not just for that extra layer of security, but for better traffic management (jumbo frames, trunking priority, etc.). Since DPM communicates with the VM's guest operating system, it appears we need to set up a separate NIC on each protected VM, put that on an isolated VLAN, and use Add-BackupNetworkAddress on the DPM server to tell it to use that address.

My question is regarding DNS, and I wonder if anyone with experience setting this up has any ideas. Naturally I would ensure the IP addresses on the isolated backup VLAN for the VMs or the DPM server are not entered into DNS, so that workstations don't decide to use that address for whatever reason, and fail to reach the server they're looking for. But then I found some posts describing setting up isolated VLANs for DPM, and they conflict.

First, Microsoft TechNet:

https://technet.microsoft.com/en-us/library/hh757982(v=sc.12).aspx

This says specifically that the DPM server and protected server have to be able to resolve each other's addresses by FQDN, including those on the backup network. It doesn't mention DNS or HOSTS files, but it does say you should get both IP addresses returned when using nslookup, which only uses DNS. So, this article is telling us to have the backup address in DNS. If you do this, you might have a bunch of traffic from user workstations, printers, scanners, user devices, etc., possibly trying to hit your servers on the backup network address, and network communications will fail, since it won't be reachable. Maybe each workstation or device will be smart enough to pick the IP address that it is directly connected to every time, but should we really count on that?

Then, look here:

http://www.itprotoday.com/system-center/how-configure-backup-network-microsoft-s-dpm-2010

This one says, correctly, about the isolated IP address, that "There will be negative consequences to AD if its IP address is registered in DNS." Their recommended solution is to keep those IPs out of your DNS zone, and set up the HOSTS file on the DPM server to point to the protected servers using their IP address on the isolated network. This seems to solve the problem, but it seems like a bit of a hack, that will cause manageability and scalability problems. Also, if you're backing up a domain controller, the DPM server will contact the domain controller on its backup network for its routine domain communications, which isn't what we want.

This blogger says he did the same, but used the HOSTS file on each protected server as well:

https://charbelnemnom.com/2014/04/isolate-dpm-backup-traffic-in-hyper-v/

So, what is the best way to do this? What works and what doesn't?

We also have to consider recovery, and what challenges this setup might create, both for bare metal recovery of VMs and Hyper-V hosts themselves.

Thanks in anticipation for your input.

Jeffrey Fox

0 Replies
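
The DNS-versus-HOSTS question raised in the post can be audited from the DPM server. The PowerShell below is an added example, not part of the original post or of the linked articles; the server names and the 10.99.0.0/24 backup subnet are constructed placeholders. It reports whether a backup-VLAN address is visible in DNS, what the local HOSTS file maps each server to, and whether the backup NIC is set to register itself in DNS.

```powershell
# Constructed placeholders: adjust to your environment.
$BackupPrefix = '10.99.0.'      # assumed /24 backup VLAN, matched by string prefix
$Servers      = 'vm01.example.local', 'dc01.example.local'   # hypothetical protected servers
$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Parse HOSTS into name -> address, skipping comments and blank lines.
$HostsMap = @{}
foreach ($line in Get-Content -Path $HostsPath) {
    $fields = @((($line -split '#')[0]).Trim() -split '\s+' | Where-Object { $_ })
    if ($fields.Count -lt 2) { continue }
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        $HostsMap[$name.ToLower()] = $fields[0]
    }
}

$report = foreach ($fqdn in $Servers) {
    # -DnsOnly and -NoHostsFile skip LLMNR/NetBIOS and the local HOSTS file,
    # so the result is what any other DNS client on the network would be handed.
    $dns = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } |
             Select-Object -ExpandProperty IPAddress)
    $hostsIp = $HostsMap[$fqdn.ToLower()]
    [pscustomobject]@{
        Server           = $fqdn
        DnsAddresses     = $dns -join ', '
        BackupAddrInDns  = [bool]($dns | Where-Object { $_.StartsWith($BackupPrefix) })
        HostsEntry       = $hostsIp
        HostsOnBackupNet = [bool]($hostsIp -and $hostsIp.StartsWith($BackupPrefix))
    }
}
$report | Format-Table -AutoSize

# Dynamic registration is the usual way a backup address ends up in the zone:
# list local interfaces on the backup subnet and whether they register in DNS.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress.StartsWith($BackupPrefix) } |
    ForEach-Object { Get-DnsClient -InterfaceIndex $_.InterfaceIndex } |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress
```

For the HOSTS-file approach, the expected state is `BackupAddrInDns` false and `HostsOnBackupNet` true for each protected server, with `RegisterThisConnectionsAddress` false on the backup interface.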