- Veeam Support Knowledge Base
- Usage of a predefined VMware ESXi extension (VIB) for Veeams Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing
Usage of a predefined VMware ESXi extension (VIB) for Veeams Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing
Cheers for trusting us with the spot in your mailbox!
Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest
Oops! Something went wrong.
Please, try again later.
Challenge
This article describes the usage of a predefined VMware ESXi extension (VIB) for Veeams Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing.
For details on how to perform these firewall changes manually please review KB2299.
Please follow the KB below only if you are running a HyperFlex version below 3.0.
Starting with Cisco HyperFlex 3.0, the needed Firewall changes have been implemented in the OS image. Please review KB3075.
For new customers, we recommend installing HyperFlex cluster with that latest HX version, and for existing customers, we recommend upgrading to HX 3.0 or higher to benefit from the new Firewall changes.
Cause
To achieve optimal balancing within the Cisco HyperFlex data network at Backup from Storage Snapshot processing, it is needed to change the ESXi host firewall.
See more background information here.
One of the Methods to change the ESXi host firewall is by a pre-defined VIB found on the Veeam Community GitHub site.
To implement this, follow the below instructions.
Solution
Repeat the following steps on all Cisco HyperFlex nodes in your cluster.
1. Enable ssh and log in to your ESXi host by using a tool like PuTTY
2. Copy the VIB file to the ESXi host's tmp folder using HTTP or a SCP client
3. Install the VIB
Command:
esxcli software vib install -v /tmp/VeeamCiscoHXFirewall.vib -f
4. Verify the VIB was installed
Command:
esxcli software vib list | grep 'Veeam'
5. Verify the new firewall rule is active
Command:
esxcli network firewall ruleset listNote: If the VIB installation fails, you might need to set the acceptance level to CommunitySupport and retry the installation.
Command:
esxcli software acceptance set --level=CommunitySupported
Set the Veeam Proxy Servers
1. Enable allowed IP list for the new firewall rule
Command:
esxcli network firewall ruleset set -r "VeeamCiscoHXFirewall" -a false
2. Set the Veeam proxy server data network IP that is on the Hyperflex ("Storage Controller Data Network")
Repeat the following command for all Veeam proxy server or set a subnet:
esxcli network firewall ruleset allowedip add -r "VeeamCiscoHXFirewall" -i "172.17.53.53."
3. Verify the IPs are set
Command:
esxcli network firewall ruleset allowedip list | grep -v "All"
Note: Veeam recommends to set the all IPs of Veeam proxy servers in the firewall rule. Otherwise the firewall rule is enabled for all incoming connections. You can specify either the IP address or a subnet. Use one command per proxy.
Check if everything is configured correctly
1. Check the Security Profile on the ESXi hosts
For HX systems < HX2.5 using the relevant VIB.
For HX system >= HX2.5 using the relevant VIB.
2. Check the VIB
Command:
esxcli software vib list | grep 'Veeam'
3. Check the ruleset
Command:
esxcli network firewall ruleset list
4. Check which Veeam Proxy IPs are assigned
Command:
esxcli network firewall ruleset allowedip list | grep -v "All"
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
Spelling error in text
Thank you!
Your feedback has been received and will be reviewed.
Oops! Something went wrong.
Please, try again later.
You have selected too large block!
Please try select less.
KB Feedback/Suggestion
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
Thank you!
Your feedback has been received and will be reviewed.
Oops! Something went wrong.
Please, try again later.