#1 Global Leader in Data Resilience

Creating a VMware ESXi extension (VIB) for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing

KB ID: 2291
Product: Veeam Backup & Replication
Published: 2017-06-07
Last Modified: 2020-08-13
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Challenge

This article contains instructions on how to create a VMware ESXi extension (VIB) for Veeams Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing.

To achieve the optimal balancing within the Cisco HyperFlex data network at Backup from Storage Snapshot processing over NFS, it is needed to change the ESXi host firewalls. See more background information here.

One of the Methods to change the ESXi host firewall is by a newly created VIB file that can be created with help of the VMware VIB Author Software.
Please follow the next steps to create the VIB.

IMPORTANT: With Cisco HyperFlex 3.0 the needed Firewall changes have been implemented in the OS image. Please follow the KB below only if you are running a HyperFlex version below 3.0. For new customers, we recommend to install the HyperFlex cluster with HX 3.0 and for existing customers we recommend to upgrade to HX 3.0 to benefit from the new Firewall changes.

Solution

Create a VIB in SLES11

SLES11 can be downloaded here.
VMware VIB Author can be downloaded here.
All steps are performed as the root user from the root (/) directory.

1. Prepare SLES
zypper install python-lxml
zypper install python-urlgrabber

2. Install VIB Author
cd /tmp
rpm -ivh vmware-esx-vib-author-5.0.0-0.0.847598.i386.rpm
cd /

 3. Create File Directory
mkdir stage
mkdir stage/payloads
mkdir stage/payloads/payload1
mkdir stage/payloads/payload1/etc
mkdir stage/payloads/payload1/etc/vmware
mkdir stage/payloads/payload1/etc/vmware/firewall

4. Copy the required files to the folder tree
The "descriptor.xml" (link here) must be copied to /stage

descriptor.xml sample:
<vib version="5.0">
 
<type>bootbank</type>
<name>VeeamCiscoHXFirewall</name>
<version>1.0.0-0.0.1</version>
 
 <vendor>Veeam</vendor>
 <summary>Veeam Firewall rule for Cisco HyperFlex</summary>
 <description>Adds inbound ports required by Veeam</description>
 
 <relationships>
  <depends></depends>
  <conflicts/>
  <replaces/>
  <provides/>
  <compatibleWith/>
 </relationships>
 <software-tags>
 </software-tags>
 <system-requires>
  <maintenance-mode>false</maintenance-mode>
 </system-requires>
 <file-list>
  <file></file>
 </file-list>
 <acceptance-level>community</acceptance-level>
 <live-install-allowed>true</live-install-allowed>
 <live-remove-allowed>true</live-remove-allowed>
 <cimom-restart>false</cimom-restart>
 <stateless-ready>true</stateless-ready>
 <overlay>false</overlay>
 <payloads>
  <payload name="payload1" type="vgz"></payload>
 </payloads>
 
</vib>

The “VeeamCiscoHXFirewall.xml” <download link> must be copied to /stage/payloads/payload1/etc/vmware/firewall

The VeeamCiscoHXFirewall.xml for Cisco HX version < 2.5:
<ConfigRoot>
  <service id='9230'>
    <id>VeeamCiscoHXFirewall</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>0</begin>
        <end>65535</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>           
  </service>
</ConfigRoot> 
 
The VeeamCiscoHXFirewall.xml for Cisco HX version >= 2.5:
<ConfigRoot>
       <service id='9230'>
              <id>VeeamCiscoHXFirewall</id>
              <rule id='0000'>
                <direction>inbound</direction>
                <protocol>tcp</protocol>
                <porttype>dst</porttype>
                <port>111</port>
              </rule>
              <rule id='0001'>
                <direction>inbound</direction>
                <protocol>tcp</protocol>
                <porttype>dst</porttype>
                <port>2049</port>
              </rule>
              <rule id='0002'>
                <direction>inbound</direction>
                <protocol>tcp</protocol>
                <porttype>dst</porttype>
                <port>2449</port>
              </rule>
       <enabled>true</enabled>
       <required>false</required>
       </service>
</ConfigRoot> 

5. Create the VIB using vibauthor:
vibauthor -C -t stage -v VeeamCiscoHXFirewall -f

6. Creation finished, ready for download
The VIB is now created and available in the root (/) directory. You can use the SCP client to download the VIB to your local operating system.

7. Install on ESXi

Install the Firewall VIB on ESXi:

Repeat the following steps on all Cisco HyperFlex nodes in your cluster.

a. Enable ssh and log in to your ESXi host using a ssh tool like PuTTY
User-added image

b. Copy the VIB file to the ESXi host's tmp folder using HTTP or a SCP client
User-added image

c. Install the VIB
Command:
esxcli software vib install -v /tmp/VeeamCiscoHXFirewall.vib -f

User-added image

d. Verify that the VIB was installed
Command:

esxcli software vib list | grep 'Veeam'
User-added image

e. Verify that the new firewall rule is active
Command:
esxcli network firewall ruleset list
User-added image

Note: If the VIB installation fails, you may need to set the acceptance level to CommunitySupport and retry the installation.
Command:
esxcli software acceptance set --level=CommunitySupported

 Set the Veeam Proxy Servers

1. Enable allowed IP list for the new firewall rule
Command:
esxcli network firewall ruleset set -r "VeeamCiscoHXFirewall" -a false 
User-added image

2. Set the Veeam proxy server data network IP that is on the Hyperflex "Storage Controller Data Network"
Repeat the following command for each Veeam proxy server:
esxcli network firewall ruleset allowedip add -r "VeeamCiscoHXFirewall" -i "172.16.3.10"
User-added image

3. Verify that the IPs are set
Command:
esxcli network firewall ruleset allowedip list | grep -v "All"
User-added image


Note: Veeam recommends to set the IPs of each Veeam proxy server that is on the HyperFlex “Storage Controller Data Network” in the firewall rule. Otherwise the firewall rule is enabled for all incoming connections. Issue this command once per IP Address. It is important to use the IP Address on the “Storage Controller Data Network”, and not the public, or management IP address.

Check if everything is configured correctly

1. Check the Security Profile on the ESXi hosts
User-added image

2. Check the VIB
esxcli software vib list | grep 'Veeam'
User-added image

3. Check the ruleset
esxcli network firewall ruleset list
User-added image

4. Check which Veeam Proxy IPs are assigned
esxcli network firewall ruleset allowedip list | grep -v "All"
User-added image
 

More Information

With HyperFlex 3.0 you may need to enable NFS access on all hosts. 
To do this, navigate to: vSphere Web Client > Host Config > Security Profile > Edit > NFS access and Enable this setting.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.