Create a VIB in SLES11
SLES11 can be downloaded here.
VMware VIB Author can be downloaded here.
All steps are performed as the root user from the root (/) directory; the relative paths below (stage, stage/payloads, ...) assume that working directory.
1. Prepare SLES
zypper install python-lxml
zypper install python-urlgrabber
2. Install VIB Author
cd /tmp
rpm -ivh vmware-esx-vib-author-5.0.0-0.0.847598.i386.rpm
cd /
3. Create File Directory
mkdir -p stage/payloads/payload1/etc/vmware/firewall
This creates the whole tree stage/payloads/payload1/etc/vmware/firewall in one go. The payload directory name (payload1) must match the <payload name="payload1"> entry in descriptor.xml, and everything below it is laid out as it will appear on the ESXi host (etc/vmware/firewall).
4. Copy the required files to the folder tree
The descriptor.xml below must be saved as /stage/descriptor.xml.
descriptor.xml sample:
<vib version="5.0">
  <type>bootbank</type>
  <name>VeeamCiscoHXFirewall</name>
  <version>1.0.0-0.0.1</version>
  <vendor>Veeam</vendor>
  <summary>Veeam Firewall rule for Cisco HyperFlex</summary>
  <description>Adds inbound ports required by Veeam</description>
  <relationships>
    <depends></depends>
    <conflicts/>
    <replaces/>
    <provides/>
    <compatibleWith/>
  </relationships>
  <software-tags>
  </software-tags>
  <system-requires>
    <maintenance-mode>false</maintenance-mode>
  </system-requires>
  <file-list>
    <file></file>
  </file-list>
  <acceptance-level>community</acceptance-level>
  <live-install-allowed>true</live-install-allowed>
  <live-remove-allowed>true</live-remove-allowed>
  <cimom-restart>false</cimom-restart>
  <stateless-ready>true</stateless-ready>
  <overlay>false</overlay>
  <payloads>
    <payload name="payload1" type="vgz"></payload>
  </payloads>
</vib>
The VeeamCiscoHXFirewall.xml ruleset file must be saved as /stage/payloads/payload1/etc/vmware/firewall/VeeamCiscoHXFirewall.xml. Use one of the two variants below, depending on the Cisco HX version. The ruleset name ESXi shows later (VeeamCiscoHXFirewall) comes from the <id> element inside the file, not from the file name.
The VeeamCiscoHXFirewall.xml for Cisco HX version < 2.5 opens every inbound TCP destination port (0-65535). With a rule this wide, the allowed IP list configured under "Set the Veeam Proxy Servers" below is the only thing limiting which sources can reach the host through it, so do not skip that section:
<ConfigRoot>
  <service id='9230'>
    <id>VeeamCiscoHXFirewall</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>0</begin>
        <end>65535</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
The VeeamCiscoHXFirewall.xml for Cisco HX version >= 2.5 opens only TCP destination ports 111, 2049 and 2449 inbound:
<ConfigRoot>
  <service id='9230'>
    <id>VeeamCiscoHXFirewall</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>111</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2049</port>
    </rule>
    <rule id='0002'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>2449</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
5. Create the VIB using vibauthor:
vibauthor -C -t stage -v VeeamCiscoHXFirewall.vib -f
-C creates a VIB from the staging directory given with -t (relative to the current directory, /), and -v names the output file. Use the same file name in the install step below (VeeamCiscoHXFirewall.vib).
6. Creation finished, ready for download
The VIB (VeeamCiscoHXFirewall.vib) is now in the root (/) directory. Use an SCP client to download it to your workstation.
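Steps 3 to 6 above as one script, added here as an example; it is not Veeam's or VMware's code. It generates the ruleset XML for any list of inbound TCP ports (single ports or begin-end ranges, covering both variants above), refuses out-of-range or inverted port specs before writing anything, stages the file under the tree from step 3, and runs vibauthor only after checking that descriptor.xml names a payload directory that actually exists. The service id 9230 and the payload name payload1 are taken from this page; the function names, the script name build_fw_vib.sh and the argument layout are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Veeam's or VMware's code): stage and package the
# firewall VIB from a port list. Service id 9230 and payload name
# "payload1" come from the article; function names are the example's own.
set -eu

# valid_port N: succeed only if N is an integer between 0 and 65535.
valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# valid_spec SPEC: SPEC is a single port ("2049") or an ascending
# begin-end range ("0-65535").
valid_spec() {
    case "$1" in
        *-*) valid_port "${1%-*}" && valid_port "${1#*-}" \
                 && [ "${1%-*}" -le "${1#*-}" ] ;;
        *)   valid_port "$1" ;;
    esac
}

# gen_ruleset_xml SERVICE_ID RULESET_NAME PORT...
# Prints the ESXi firewall ruleset XML for inbound TCP traffic. Rule ids
# are assigned 0000, 0001, ... in argument order. Every PORT is validated
# first, so a bad spec aborts before any XML is written.
gen_ruleset_xml() {
    svc_id=$1; name=$2; shift 2
    [ $# -gt 0 ] || { echo "no ports given" >&2; return 1; }
    for p in "$@"; do
        valid_spec "$p" || { echo "bad port spec: $p" >&2; return 1; }
    done
    printf '<ConfigRoot>\n'
    printf "  <service id='%s'>\n" "$svc_id"
    printf '    <id>%s</id>\n' "$name"
    i=0
    for p in "$@"; do
        printf "    <rule id='%04d'>\n" "$i"
        printf '      <direction>inbound</direction>\n'
        printf '      <protocol>tcp</protocol>\n'
        printf '      <porttype>dst</porttype>\n'
        case "$p" in
            *-*) printf '      <port>\n        <begin>%s</begin>\n        <end>%s</end>\n      </port>\n' \
                     "${p%-*}" "${p#*-}" ;;
            *)   printf '      <port>%s</port>\n' "$p" ;;
        esac
        printf '    </rule>\n'
        i=$((i + 1))
    done
    printf '    <enabled>true</enabled>\n'
    printf '    <required>false</required>\n'
    printf '  </service>\n'
    printf '</ConfigRoot>\n'
}

# stage_vib STAGE_DIR RULESET_NAME PORT...
# Creates the tree from step 3 under STAGE_DIR and writes the ruleset to
# payloads/payload1/etc/vmware/firewall/<RULESET_NAME>.xml. Prints the path.
stage_vib() {
    stage=$1; name=$2; shift 2
    fwdir="$stage/payloads/payload1/etc/vmware/firewall"
    mkdir -p "$fwdir"
    gen_ruleset_xml 9230 "$name" "$@" > "$fwdir/$name.xml" \
        || { rm -f "$fwdir/$name.xml"; return 1; }
    printf '%s\n' "$fwdir/$name.xml"
}

# build_vib STAGE_DIR OUT_VIB
# Runs vibauthor as in step 5, after checking that descriptor.xml exists
# and that every payload it names has a directory under payloads/.
# Returns 1 on a staging error, 2 when vibauthor is not installed.
build_vib() {
    stage=$1; out=$2
    [ -f "$stage/descriptor.xml" ] \
        || { echo "missing $stage/descriptor.xml" >&2; return 1; }
    for payload in $(sed -n 's/.*<payload name="\([^"]*\)".*/\1/p' "$stage/descriptor.xml"); do
        [ -d "$stage/payloads/$payload" ] \
            || { echo "descriptor names payload '$payload' but $stage/payloads/$payload is missing" >&2; return 1; }
    done
    command -v vibauthor >/dev/null 2>&1 \
        || { echo "vibauthor not found; tree left staged in $stage" >&2; return 2; }
    vibauthor -C -t "$stage" -v "$out" -f
}

# Command-line use from / on the SLES box (descriptor.xml already in stage/):
#   sh build_fw_vib.sh stage VeeamCiscoHXFirewall 111 2049 2449   # HX >= 2.5
#   sh build_fw_vib.sh stage VeeamCiscoHXFirewall 0-65535          # HX < 2.5
if [ $# -ge 3 ]; then
    stage_dir=$1; rs_name=$2; shift 2
    stage_vib "$stage_dir" "$rs_name" "$@"
    build_vib "$stage_dir" "$rs_name.vib"
fi
```

The script deliberately does not write descriptor.xml for you: the descriptor carries the VIB name and version that esxcli later reports, so it is kept as a reviewed file rather than generated text, and build_vib only checks that it agrees with the staged payload directory.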
7. Install on ESXi
Install the Firewall VIB on ESXi:
Repeat the following steps on all Cisco HyperFlex nodes in your cluster.
a. Enable SSH on the host and log in with an SSH client such as PuTTY
b. Copy the VIB file to the host's /tmp directory with an SCP client
c. Install the VIB
Command:
esxcli software vib install -v /tmp/VeeamCiscoHXFirewall.vib -f
d. Verify that the VIB was installed
Command:
esxcli software vib list | grep 'Veeam'
e. Verify that the new firewall rule is active
Command:
esxcli network firewall ruleset list
Note: The descriptor declares <acceptance-level>community</acceptance-level>, so the installation fails with an acceptance-level error unless the host's acceptance level is CommunitySupported. If that happens, set it with the command below and retry the installation. This is a host-wide setting: from then on any other unsigned community VIB can also be installed on that host.
Command:
esxcli software acceptance set --level=CommunitySupported
Set the Veeam Proxy Servers
1. Restrict the new firewall rule to an allowed IP list
Turning "allowed all" off (-a false) means only the addresses added in the next step may connect through the ruleset; until at least one address is added, no source can.
Command:
esxcli network firewall ruleset set -r "VeeamCiscoHXFirewall" -a false
2. Add the Veeam proxy server's data network IP, i.e. its address on the HyperFlex "Storage Controller Data Network"
Repeat the following command for each Veeam proxy server (172.16.3.10 is an example address):
esxcli network firewall ruleset allowedip add -r "VeeamCiscoHXFirewall" -i "172.16.3.10"
3. Verify that the IPs are set
Command (grep -v "All" hides rulesets that are still open to all sources, leaving those with an explicit list):
esxcli network firewall ruleset allowedip list | grep -v "All"
Note: Add the Storage Controller Data Network IP of every Veeam proxy server to the rule, one command per address. If no allowed IP list is set, the rule is enabled for all incoming connections, which for the HX < 2.5 variant means every TCP port on the host is reachable from any source. Use the proxy's address on the "Storage Controller Data Network", not its public or management IP address: the firewall matches on the source address the host sees, which is the proxy's address on that network.
Check if everything is configured correctly
1. Check the Security Profile on the ESXi hosts (in the vSphere Client, the host's Security Profile firewall list should show the VeeamCiscoHXFirewall rule)
2. Check the VIB
esxcli software vib list | grep 'Veeam'
3. Check the ruleset
esxcli network firewall ruleset list
4. Check which Veeam Proxy IPs are assigned
esxcli network firewall ruleset allowedip list | grep -v "All"
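The "Set the Veeam Proxy Servers" steps and the checks above as one script, added here as an example; it is not Veeam's or VMware's code. The lock function runs the two esxcli commands from that section but refuses an empty IP list, because -a false with no addresses would cut the proxies off. The check function parses the output of esxcli network firewall ruleset allowedip list and fails if the ruleset is missing, still open to "All", or lacks an expected address. The esxcli commands are the ones on this page; the column layout of the sample listing, the function names and the script name veeam_fw_lock.sh are assumptions of the example, and the sample listing is constructed so the check can be exercised off the host.

```shell
#!/bin/sh
# Added example (not Veeam's or VMware's code): lock the Veeam ruleset down
# to the proxy IPs and verify the result. esxcli is only invoked when it
# exists, so the check logic can be run anywhere against the sample below.
set -eu

# lockdown_ruleset RULESET IP...
# Disables "allowed all" on RULESET and adds each IP, as in steps 1-2 of
# "Set the Veeam Proxy Servers". An empty IP list is refused: with
# allowed-all off and no addresses, nothing could reach the host through it.
lockdown_ruleset() {
    rs=$1; shift
    [ $# -gt 0 ] || { echo "refusing to lock down $rs with an empty IP list" >&2; return 1; }
    esxcli network firewall ruleset set -r "$rs" -a false
    for ip in "$@"; do
        esxcli network firewall ruleset allowedip add -r "$rs" -i "$ip"
    done
}

# check_allowedips RULESET IP...
# Reads "esxcli network firewall ruleset allowedip list" output on stdin.
# Succeeds only if RULESET is listed, is not open to "All", and every
# expected IP appears in its list; reports what is wrong otherwise.
check_allowedips() {
    rs=$1; shift
    # First column is the ruleset name; the rest of the line is its list.
    line=$(awk -v rs="$rs" '$1 == rs { $1 = ""; print; exit }')
    [ -n "$line" ] || { echo "$rs: ruleset not found" >&2; return 1; }
    case "$line" in
        *All*) echo "$rs: open to all sources (allowed-all is still true)" >&2; return 1 ;;
    esac
    list=$(printf '%s' "$line" | tr -d ' ')   # "172.16.3.10,172.16.3.11"
    for ip in "$@"; do
        case ",$list," in
            *",$ip,"*) ;;
            *) echo "$rs: expected $ip in allowed list, have: $list" >&2; return 1 ;;
        esac
    done
}

# SAMPLE_LISTING is a constructed stand-in for the esxcli output (assumed
# column layout), used when the script runs somewhere without esxcli.
SAMPLE_LISTING='Ruleset               Allowed IP Addresses
--------------------  --------------------
sshServer             All
VeeamCiscoHXFirewall  172.16.3.10, 172.16.3.11
dhcp                  All'

# allowedip_listing: live output on an ESXi host, the sample elsewhere.
allowedip_listing() {
    if command -v esxcli >/dev/null 2>&1; then
        esxcli network firewall ruleset allowedip list
    else
        printf '%s\n' "$SAMPLE_LISTING"
    fi
}

# Command-line use on the ESXi host, once per node:
#   sh veeam_fw_lock.sh lock  VeeamCiscoHXFirewall 172.16.3.10 172.16.3.11
#   sh veeam_fw_lock.sh check VeeamCiscoHXFirewall 172.16.3.10 172.16.3.11
if [ $# -ge 2 ]; then
    action=$1; shift
    case "$action" in
        lock)  lockdown_ruleset "$@" ;;
        check) allowedip_listing | check_allowedips "$@" ;;
        *)     echo "usage: $0 lock|check RULESET IP..." >&2; exit 2 ;;
    esac
fi
```

Running the check after the lock on every HyperFlex node turns the note about "all incoming connections" into a pass/fail test rather than something to eyeball in the grep -v "All" output.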