
Management network for Commvault

  • May 15, 2025
  • 4 replies
  • 58 views


Hi,

I want to add a dedicated second interface and VLAN to all Commvault servers (CommServes, media agents, etc.) to have a management network (SSH, RDP, web console and Java console) with identity access, then restrict the default interface to allow only backup traffic.

Do I need to do anything at the Commvault level in this case? I’m not sure if logging in to the Java console / web console on the CommServe will work on the second IP / hostname out of the box (because login to the actual hostname will be blocked).

4 replies

sbhatia
  • Vaulter
  • May 15, 2025

To set up a dedicated management network and isolate backup traffic in Commvault, a few key configurations are needed across the OS and Commvault:

  • Add a second NIC on a separate VLAN for management tasks like SSH, RDP, and console access, and assign it a unique IP/hostname.

  • Use the sbindtointerface additional setting to bind Commvault services to this management NIC, so all admin access routes through it.

  • For backup traffic, configure Data Interface Pairs (DIPs) to ensure it flows through the default/data NIC.

  • Limit firewall rules so only management ports are allowed on the management NIC, and ports like 8400–8403 are open on the backup NIC.

This is the typical setup approach, but since it depends on your environment specifics, I'd strongly recommend opening a Support Case so the full setup can be reviewed and fine-tuned accordingly.


  • Author
  • Byte
  • May 15, 2025

Thank you @sbhatia for your answer!

A few additional questions:

  1. Is binding services really necessary? I mean, the default behavior is to provide all services on all interfaces, right? So I can skip it and just block ports 80, 443, 8401 etc. on the external firewall? I know that binding will probably be safer, but for now I just need to know whether the console will be available on this second NIC out of the box.
  2. Is configuring DIPs necessary? I mean, the default network will be the same (IP, hostname etc.), so nothing will change for the clients and backup traffic should be only on this NIC. I have a few DIPs configured, but only in situations where I don’t want to use the default NIC (for example for MA ↔ MA traffic). Configuring DIPs for all clients will be a bit of a pain...

Damian Andre
  • Vaulter
  • Answer
  • May 15, 2025

Yeah I’d only reserve the sBindToInterface key for specific circumstances.

Whether it works out of the box really depends on your OS configuration. If you find Commvault is trying to use the wrong adapter for communication, there is a concept that allows you to specify which network adapter to use when communicating with any particular remote server:

https://documentation.commvault.com/2024e/essential/dedicated_backup_network.html

But yeah, depending on your default routes, route weighting, etc., it may just work out of the box. The network selection really comes from the OS, but we can override what the OS tells us by using the data interface pair (network pair).


sbhatia
  • Vaulter
  • May 16, 2025

Your approach should work without sBindToInterface or DIPs if firewall rules and OS routing are correctly configured. Test console access via the management NIC first. If backup traffic inadvertently uses the management NIC, implement DIPs for affected clients/MAs. Reserve sBindToInterface for scenarios where service ports are still exposed on the backup NIC despite firewall rules.
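
The following check is an added example, not code from any poster in this thread or from Commvault: it audits listening sockets on a Linux server to show which management or backup ports are bound to all interfaces (and so depend entirely on firewall rules) or to the wrong NIC. The IP addresses, the `ss -ltnH` sample and the split of ports into management (22, 80, 443, 3389) and backup (8400–8403) are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this sketch (constructed values, not from the thread):
MGMT_IP = "192.0.2.10"         # address on the management VLAN
BACKUP_IP = "198.51.100.10"    # address on the default/backup NIC
MGMT_PORTS = {22, 80, 443, 3389}        # SSH, web console, RDP
BACKUP_PORTS = set(range(8400, 8404))   # 8400-8403, as named in the thread

# Constructed sample of `ss -ltnH` output (State Recv-Q Send-Q Local Peer).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 192.0.2.10:443 0.0.0.0:*
LISTEN 0 128 [::]:8400 [::]:*
LISTEN 0 128 198.51.100.10:8403 0.0.0.0:*
LISTEN 0 128 198.51.100.10:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
"""

def parse_listeners(text):
    """Yield (ip_address, port) for every LISTEN line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.split("%")[0].strip("[]")  # drop zone id and IPv6 brackets
        if host == "*":                        # dual-stack wildcard in newer ss
            host = "::"
        yield ipaddress.ip_address(host), int(port)

def audit(text):
    """Return (port, address, reason) for listeners that break the NIC split."""
    findings = []
    for addr, port in parse_listeners(text):
        if port in MGMT_PORTS:
            wrong_ip = BACKUP_IP
        elif port in BACKUP_PORTS:
            wrong_ip = MGMT_IP
        else:
            continue  # not a port this policy covers
        if addr.is_unspecified:
            # Bound to every NIC: only the firewall keeps it off the other VLAN.
            findings.append((port, str(addr), "all-interfaces"))
        elif str(addr) == wrong_ip:
            findings.append((port, str(addr), "wrong-nic"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An "all-interfaces" finding is the default behaviour discussed above and is acceptable only while the firewall rules for the other NIC are in place; a "wrong-nic" finding points at a binding or configuration mistake.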