In our previous backup setup with Microsoft Data Protection Manager, each backup server had access to all VLANs that clients were on. For example, if a client was on the 8 network, the backup server had an 8 network IP. That way, when backups occurred, no data was routed between networks and it was all layer 2. This required the backup team to put host files on each client pointing the client to the right IP address that was local to its subnet.
With Avamar we have one IP address and all clients connect to that IP no matter what network they are on. My network department states this is causing extra logs on our server firewalls and supposedly slowing down backups. They were under the impression that since the 40gb switch that the IDPA came with had access to all VLANs, no data would be routed between VLANs. I was wondering if adding additional IP addresses to the Avamar server is even a supported configuration or best practice. I enjoy having the one IP address because it makes everything simpler. I also believe Avamar is sending less traffic across the wire because of its network deduplication.
Diagram of network: 2 sites
IDPA Avamar #1 Server is at Site1 and backs up all servers and virtual machines at both Sites.
IDPA Avamar #2 Server at Site2 has all data replicated to it from Site #1.
Site1 Avamar server has 1 IP address that all clients and proxies back up to. Let's say Avamar is using 192.168.10.0/24. Now we have clients that are on 192.168.11.0/24, 192.168.12.0/24, etc. All those clients have to route their data through the server firewall (gateway) to get to the Avamar server for backup traffic.
Looking forward to hearing from people. Is anyone out there running this type of configuration?
I was wondering if adding additional IP addresses to the Avamar server is even a supported configuration or best practice. I enjoy having the one IP address because it makes everything simpler. I also believe Avamar is sending less traffic across the wire because of its network deduplication.
Having IP addresses on multiple networks is fully supported in both Avamar and Data Domain. Which approach you use will likely come down to who can make a better argument that their approach is less work / risk overall. Putting hosts entries on every client sounds like a management nightmare to me.
In any case, on the Avamar side, the additional IPs have to be configured on the node(s) at the OS level, then added to probe.xml. Depending on node configuration (single node or multi-node), the server software might have to be restarted. Once the server has been configured to listen on those IPs, the clients would likely have to be re-activated, depending on your DNS configuration.
On the DD side, this would be handled by configuring ifgroups. I believe this is well documented but I'm more familiar with the Avamar side of things.
Of the two, it's the DD side that's more important since the majority of the traffic flows between the clients and DD. In an Avamar / DD integrated configuration, only metadata is sent to the Avamar and this is generally less than 0.1% of the traffic.
I don't know for certain that this is supported for IDPA systems but I can't think of a good reason it wouldn't be. I'd recommend having a quick chat with your account SE just to confirm.