Solved

Automatic Tunneling and Encryption for Network Traffic


neuwiesener
Byte

Hello Community

Is this procedure https://documentation.commvault.com/commvault/v11/article?p=129268.htm equivalent to using a network topology (a network gateway, for instance, so that the traffic is tunneled through a single port 8403) and enabling the checkbox “encrypt network traffic” on the network topologies dialog box? Also, what should one observe in the network summary at the CommCell level to verify that these settings, “automatic tunneling and encryption for network traffic”, are in place?

Best answer by Damian Andre


10 replies

Damian Andre
Vaulter
  • 1207 replies
  • Answer
  • January 27, 2021

Hey @neuwiesener,

Yes, I would say it would achieve the same objective - this forces a two-way network topology via the use of an additional setting via the automatic tunneling feature that was added a while back.

Personally, I think it would be a very edge case to need to do this via a setting rather than controlling it via network topology, and I would recommend using the topology instead. On your point about ‘observing’ it in the CommCell, you won't be able to if you use this setting, as it will not generate network configuration since the additional setting forces a client-side function. The only way I think you would be able to observe the correct behavior is by looking at netstat on the respective machines and looking for established connections. This is the same for automatic tunneling today: if the client detects network restrictions are in place, it will automatically try a tunnel, but you won't see a route generated in the network config for it since it's a client-side decision.

 

I’m curious to know your situation around why you are considering the additional setting rather than relying on the automatic tunneling to work by itself or applying a network topology.
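Damian's suggestion to verify the behaviour with netstat, as an added example that is not part of the thread or of Commvault's own tooling: a small POSIX shell check that parses `netstat -an` output on a client or MediaAgent, counts the established sessions that use the tunnel port, and lists any peer reached on a direct service port (i.e. bypassing the tunnel). It assumes 8403 is the tunnel port from the question and treats 8400-8402 as the direct, non-tunneled Commvault service ports; both are assumptions to adjust to your CommCell, and the netstat sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread or from Commvault: confirm on a
# client or MediaAgent that established Commvault sessions use the single
# tunnel port. Assumptions: 8403 is the topology's tunnel port (from the
# question); 8400-8402 are taken to be the direct, non-tunneled Commvault
# service ports and should be adjusted to the ports in use in your CommCell.
TUNNEL_PORT=8403
DIRECT_PORTS="8400 8401 8402"

# Constructed `netstat -an`-style output; not captured from a real machine.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.1.20:51234         10.0.1.5:8403           ESTABLISHED
tcp        0      0 10.0.1.20:51240         10.0.1.5:8403           ESTABLISHED
tcp        0      0 10.0.1.20:51301         10.0.2.8:8400           ESTABLISHED
tcp        0      0 10.0.1.20:8403          10.0.3.7:49152          ESTABLISHED
tcp        0      0 10.0.1.20:22            10.0.9.9:40110          ESTABLISHED
tcp        0      0 0.0.0.0:8403            0.0.0.0:*               LISTEN'

# count_tunneled TEXT: ESTABLISHED TCP sessions with the tunnel port on either
# end (outbound to the gateway, or inbound from a peer tunneling to this host).
count_tunneled() {
    printf '%s\n' "$1" | awk -v p="$TUNNEL_PORT" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            l = split($4, a, ":"); r = split($5, b, ":")   # IPv4 host:port, port last
            if (a[l] == p || b[r] == p) c++
        }
        END { print c + 0 }'
}

# list_direct TEXT: remote endpoints reached on a direct service port, i.e.
# sessions that bypass the tunnel. Non-empty output means the topology is not
# being honoured for that peer and is worth investigating.
list_direct() {
    printf '%s\n' "$1" | awk -v d="$DIRECT_PORTS" '
        BEGIN { n = split(d, ports, " "); for (i = 1; i <= n; i++) direct[ports[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            r = split($5, b, ":")
            if (b[r] in direct) print $5
        }'
}

# Against live output: count_tunneled "$(netstat -an)"; list_direct "$(netstat -an)"
echo "tunneled sessions: $(count_tunneled "$SAMPLE_NETSTAT")"
echo "sessions bypassing the tunnel:"
list_direct "$SAMPLE_NETSTAT"
```

On the sample this reports three tunneled sessions and flags 10.0.2.8:8400 as a peer that is being reached directly; the SSH session on port 22 is ignored because it is not a Commvault port.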


neuwiesener
Byte
  • Author
  • 38 replies
  • January 27, 2021

Thanks @Damian Andre. I am already using the network topology and was going through the steps to harden the Commvault environment to protect against ransomware, and this was one of the recommendations: https://documentation.commvault.com/commvault/v11/article?p=4801.htm

So I am good to go without the additional setting. I am just going to have to set the check box to allow network traffic encryption. Now, might this have adverse effects on the HPE Catalyst dedupe if all primary copies are on Catalyst? “Do not enable compression, encryption, or deduplication in the Commvault software.” https://documentation.commvault.com/commvault/v11/article?p=101856.htm


Damian Andre
Vaulter
  • 1207 replies
  • January 27, 2021

The good news is that if you define a topology then servers will always adhere to it unless it’s configured as ‘roaming’, which is only really used for laptops. So the policy is enforced by default.

I believe the Catalyst callout is referring to setting encryption on the storage rather than the network traffic. Storage devices are not affected by topologies as they have their own communication protocols; it’s only Commvault software that uses them. That being said, I am fairly sure that Catalyst uses encrypted SSL out of the box!


neuwiesener
Byte
  • Author
  • 38 replies
  • January 27, 2021

@Damian Andre Thanks. I understand that the check box on network topologies will only encrypt the data in flight. Settings for data at rest will be governed by the storage policy copy setting. The HPE Catalyst callout refers to not enabling it for the storage policy copy because HPE provides encryption. However, this needs an additional license. :)


Damian Andre
Vaulter
  • 1207 replies
  • January 27, 2021
neuwiesener wrote:

@Damian Andre Thanks. I understand that the check box on network topologies will only encrypt the data in flight. Settings for data at rest will be governed by the storage policy copy setting. The HPE Catalyst callout refers to not enabling it for the storage policy copy because HPE provides encryption. However, this needs an additional license. :)

I think Commvault encryption will cause issues with the native deduplication that Catalyst uses, hence the recommendation, although I am not an expert on that. We have the great @Winston W who could maybe help answer during his timezone (APJ) :slight_smile:


  • Vaulter
  • 8 replies
  • January 27, 2021

Hi neuwiesener

 

You are correct: when leveraging HPE StoreOnce Catalyst as a target library within Commvault, we leverage the native HPE client binary to write to the object library. When using this feature we disable compression/encryption/deduplication from the Commvault perspective and leverage all the native capability on the HPE. Unfortunately, for all the additional features on HPE an additional license is required.



Hi There.

I have to implement this very soon for the first time and was asked whether, if CVLT dedup is disabled, clients with large amounts of data will transfer non-deduplicated data over the LAN.

When reading the BOL at this link: https://documentation.commvault.com/commvault/v11/article?p=99429.htm

it states at the bottom of the page that client-side dedup is supported.

Not sure if I understand it properly. Has anyone already implemented HPE SO Catalyst with a DR copy using Catalyst Copy?

Thanks

 


  • Vaulter
  • 8 replies
  • January 28, 2021

Hi Abdel 

For HPE StoreOnce Catalyst integration, the Client or the MediaAgent can be the Data Mover to write directly to the Catalyst Store.

So for the first full backup the client/MA will most likely need to stream the majority of the data across to the Catalyst Store. However, for subsequent backups StoreOnce Catalyst enables the identification of duplicate data chunks by the Catalyst client as part of the backup process. This enables low-bandwidth backup by only sending unique chunks to the Catalyst store, which significantly reduces network bandwidth consumption.

In regards to Catalyst Copy (between two HPE StoreOnce):

  • Catalyst Copy is an operation that must be initiated on the source StoreOnce appliance. So, when closing chunks, the destination MediaAgent will contact the source StoreOnce appliance to initiate the Catalyst Copy.

  • As a result of the Catalyst Copy Operation, the Destination Media Agent will also need to have access (over IP or FC) to the Source StoreOnce and configured as a Sharing Path.

So, if the source StoreOnce is configured with IP, the same protocol will need to be used on the destination and the replication network.

Feel free to reach out if you require any further details or clarification on HPE StoreOnce integration.

Kind Regards

WW


neuwiesener
Byte
  • Author
  • 38 replies
  • February 1, 2021
Damian Andre wrote:

The good news is that if you define a topology then servers will always adhere to it unless it’s configured as ‘roaming’, which is only really used for laptops. So the policy is enforced by default.

I believe the Catalyst callout is referring to setting encryption on the storage rather than the network traffic. Storage devices are not affected by topologies as they have their own communication protocols; it’s only Commvault software that uses them. That being said, I am fairly sure that Catalyst uses encrypted SSL out of the box!


Hi Damian, I wonder how these options are set for a network topology: the settings from

https://documentation.commvault.com/commvault/v11/article?p=59417.htm, like the tunnel connection protocol. Does the encryption checkbox only encrypt outgoing connections, or incoming connections as well?


Damian Andre
Vaulter
  • 1207 replies
  • February 1, 2021
neuwiesener wrote:
Damian Andre wrote:

The good news is that if you define a topology then servers will always adhere to it unless it’s configured as ‘roaming’, which is only really used for laptops. So the policy is enforced by default.

I believe the Catalyst callout is referring to setting encryption on the storage rather than the network traffic. Storage devices are not affected by topologies as they have their own communication protocols; it’s only Commvault software that uses them. That being said, I am fairly sure that Catalyst uses encrypted SSL out of the box!


Hi Damian, I wonder how these options are set for a network topology: the settings from

https://documentation.commvault.com/commvault/v11/article?p=59417.htm, like the tunnel connection protocol. Does the encryption checkbox only encrypt outgoing connections, or incoming connections as well?

Topologies are simplified network configurations, so they only expose the common options. The encryption option will force encryption on any outgoing routes for associated infrastructure included in this topology, similar to setting “Encrypted” in the outgoing route protocol. It won't force encryption for connections made outside of this topology, though, or require encryption for incoming connections outside of the topology; in that case, you could use the advanced option in the CommCell to force that option upon MediaAgents (most common).

