Operational Defect Database

BugZero found this defect 2539 days ago.

Veeam | kb2298

Usage of a predefined VMware ESXi extension (VIB) for Veeam's Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing

Last update date:

9/1/2021

Affected products:

Veeam Backup & Replication

Affected releases:

10

Fixed releases:

No fixed releases provided.

Description:

Challenge

This article describes the usage of a predefined VMware ESXi extension (VIB) for Veeam's Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing. For details on how to perform these firewall changes manually, please review KB2299.

Cause

To achieve optimal balancing within the Cisco HyperFlex data network during Backup from Storage Snapshot processing, the ESXi host firewall must be changed. See more background information here. One method of changing the ESXi host firewall is a predefined VIB found on the Veeam Community GitHub site. To implement this, follow the instructions below.

Solution

Install the Firewall VIB on ESXi

Repeat the following steps on all Cisco HyperFlex nodes in your cluster.

1. Enable SSH and log in to your ESXi host using a tool such as PuTTY.
2. Copy the VIB file to the ESXi host's /tmp folder using HTTP or an SCP client.
3. Install the VIB.
   Command: esxcli software vib install -v /tmp/VeeamCiscoHXFirewall.vib -f
4. Verify the VIB was installed.
   Command: esxcli software vib list | grep 'Veeam'
5. Verify the new firewall rule is active.
   Command: esxcli network firewall ruleset list

Note: If the VIB installation fails, you might need to set the acceptance level to CommunitySupported and retry the installation.
Command: esxcli software acceptance set --level=CommunitySupported

Set the Veeam Proxy Servers

1. Enable the allowed IP list for the new firewall rule.
   Command: esxcli network firewall ruleset set -r "VeeamCiscoHXFirewall" -a false
2. Set the Veeam proxy server data network IP that is on the HyperFlex "Storage Controller Data Network". Repeat the following command for each Veeam proxy server, or set a subnet.
   Command: esxcli network firewall ruleset allowedip add -r "VeeamCiscoHXFirewall" -i "172.17.53.53"
3. Verify the IPs are set.
   Command: esxcli network firewall ruleset allowedip list | grep -v "All"

Note: Veeam recommends adding the IPs of all Veeam proxy servers to the firewall rule. Otherwise the firewall rule is enabled for all incoming connections. You can specify either an IP address or a subnet. Use one command per proxy.

Check if everything is configured correctly

1. Check the Security Profile on the ESXi hosts.
   For HX systems < HX2.5 using the relevant VIB.
   For HX systems >= HX2.5 using the relevant VIB.
2. Check the VIB.
   Command: esxcli software vib list | grep 'Veeam'
3. Check the ruleset.
   Command: esxcli network firewall ruleset list
4. Check which Veeam proxy IPs are assigned.
   Command: esxcli network firewall ruleset allowedip list | grep -v "All"
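The final verification step can be scripted so that a ruleset left open to all sources, or an allowed list that differs from the intended proxies, is reported explicitly. The following is an added example, not part of the Veeam KB or the VIB; the function name, the sample listings and the assumed two-column output format of the allowedip listing are assumptions.

```shell
#!/bin/sh
# Added example: audit the allowed-IP list of the Veeam HyperFlex ruleset.
# Assumed input: the two-column table printed by
#   esxcli network firewall ruleset allowedip list
# (ruleset name, then "All" or comma-separated addresses/subnets).
RULESET="VeeamCiscoHXFirewall"

# Constructed sample listings, not captured from a real host.
SAMPLE_OPEN='Ruleset               Allowed IP Addresses
--------------------  --------------------
sshServer             All
VeeamCiscoHXFirewall  All'
SAMPLE_OK='Ruleset               Allowed IP Addresses
--------------------  --------------------
sshServer             All
VeeamCiscoHXFirewall  172.17.53.53, 172.17.53.54'

# audit_allowedip PROXY...  (listing on stdin)
# Returns 0 only if the ruleset allows exactly the listed proxies,
# 1 if it is open or the lists differ, 2 if the ruleset is not present.
audit_allowedip() {
    expected=" $* "
    # Address column for our ruleset, blanks removed; "=" marks a match.
    entry=$(awk -v r="$RULESET" \
        '$1 == r { $1 = ""; gsub(/[ \t]/, ""); print "=" $0; exit }')
    [ -n "$entry" ] || { echo "MISSING: ruleset $RULESET not installed"; return 2; }
    entry=${entry#=}
    if [ "$entry" = "All" ]; then
        echo "OPEN: $RULESET accepts any source address"; return 1
    fi
    rc=0
    for want in "$@"; do          # every proxy must be on the list
        case ",$entry," in *",$want,"*) ;; *) echo "ABSENT: $want"; rc=1 ;; esac
    done
    old_ifs=$IFS; IFS=,
    for have in $entry; do        # nothing else may be on the list
        case "$expected" in *" $have "*) ;; *) echo "EXTRA: $have"; rc=1 ;; esac
    done
    IFS=$old_ifs
    return $rc
}

# On a host: esxcli network firewall ruleset allowedip list | audit_allowedip 172.17.53.53
printf '%s\n' "$SAMPLE_OPEN" | audit_allowedip 172.17.53.53 || true
```

Unlike the `grep -v "All"` check, this distinguishes a ruleset that is still open from one that is simply not installed.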


Status

Solved
