Veritas NetBackup™ Administrator's Guide, Volume I
- Section I. About NetBackup
- Section II. Configuring hosts
- Configuring Host Properties
- About the NetBackup Host Properties
- Access Control properties
- Bandwidth properties
- Busy File Settings properties
- Client Attributes properties
- Client Settings properties for UNIX clients
- Client Settings properties for Windows clients
- Data Classification properties
- Default Job Priorities properties
- Encryption properties
- Exchange properties
- Exclude Lists properties
- Fibre Transport properties
- Firewall properties
- General Server properties
- Global Attributes properties
- Logging properties
- Login Banner Configuration properties
- Media properties
- Network Settings properties
- Port Ranges properties
- Preferred Network properties
- Resilient Network properties
- Restore Failover properties
- Retention Periods properties
- Scalable Storage properties
- Servers properties
- SharePoint properties
- SLP Parameters properties
- Throttle Bandwidth properties
- Universal Settings properties
- User Account Settings properties
- Configuration options for NetBackup servers
- ECA_CERT_PATH for NetBackup servers and clients
- PREFERRED_NETWORK option for NetBackup servers
- THROTTLE_BANDWIDTH option for NetBackup servers
- Configuration options for NetBackup clients
- IGNORE_XATTR option for NetBackup clients
- VXSS_NETWORK option for NetBackup clients
- Configuring server groups
- Enabling support for NAT clients and NAT servers in NetBackup
- Configuring host credentials
- Managing media servers
- Configuring Host Properties
- Section III. Configuring storage
- Configuring disk storage
- Configuring robots and tape drives
- About configuring robots and tape drives in NetBackup
- Adding a robot to NetBackup manually
- Managing robots
- Adding a tape drive to NetBackup manually
- Adding a tape drive path
- Correlating tape drives and device files on UNIX hosts
- Managing tape drives
- Performing device diagnostics
- Configuring tape media
- About NetBackup volume pools
- About WORM media
- About adding volumes
- Configuring media settings
- Media settings options
- Media type (new media setting)
- Media settings options
- About barcodes
- Configuring barcode rules
- Configuring media ID generation rules
- Adding volumes by using the Actions menu
- Configuring media type mappings
- Managing volumes
- About exchanging a volume
- About frozen media
- About injecting and ejecting volumes
- About rescanning and updating barcodes
- About labeling NetBackup volumes
- About moving volumes
- About recycling a volume
- Managing volume pools
- Managing volume groups
- Inventorying robots
- About showing a robot's contents
- About updating the NetBackup volume configuration
- About the vmphyinv physical inventory utility
- Configuring storage units
- About the Storage utility
- Creating a storage unit
- About storage unit settings
- Absolute pathname to directory or absolute pathname to volume setting for storage units
- Maximum concurrent jobs storage unit setting
- Staging backups
- Creating a basic disk staging storage unit
- Configuring storage unit groups
- Section IV. Configuring storage lifecycle policies (SLPs)
- Configuring storage lifecycle policies
- Storage operations
- Index From Snapshot operation in an SLP
- Snapshot operation in an SLP
- Retention types for SLP operations
- Capacity managed retention type for SLP operations
- Storage lifecycle policy options
- Using a storage lifecycle policy to create multiple copies
- Storage lifecycle policy versions
- Section V. Configuring backups
- Creating backup policies
- Planning for policies
- Policy Attributes tab
- Policy storage (policy attribute)
- Policy volume pool (policy attribute)
- Take checkpoints every __ minutes (policy attribute)
- Backup Network Drives (policy attribute)
- Cross mount points (policy attribute)
- Encryption (policy attribute)
- Collect true image restore information (policy attribute) with and without move detection
- Use Accelerator (policy attribute)
- Enable optimized backup of Windows deduplicated volumes
- Use Replication Director (policy attributes)
- Schedule Attributes tab
- Type of backup (schedule attribute)
- Frequency (schedule attribute)
- Multiple copies (schedule attribute)
- Retention (schedule attribute)
- Media multiplexing (schedule attribute)
- Start Window tab
- Include Dates tab
- How open schedules affect calendar-based and frequency-based schedules
- About the Clients tab
- Backup Selections tab
- Adding backup selections to a policy
- Verifying the Backup Selections list
- Pathname rules for UNIX client backups
- About the directives on the Backup Selections list
- ALL_LOCAL_DRIVES directive
- Files that are excluded from backups by default
- Disaster Recovery tab
- Active Directory granular backups and recovery
- Synthetic backups
- Using the multiple copy synthetic backups method
- Protecting the NetBackup catalog
- Parts of the NetBackup catalog
- Protecting the NetBackup catalog
- Archiving the catalog and restoring from the catalog archive
- Estimating catalog space requirements
- About the NetBackup relational database
- About the NetBackup relational database (NBDB) installation
- Using the NetBackup Database Administration utility on Windows
- Using the NetBackup Database Administration utility on UNIX
- Post-installation tasks
- About backup and recovery procedures
- Managing backup images
- Configuring immutability and indelibility of data in NetBackup
- Creating backup policies
- Section VI. Deployment Management
- Deployment Management
- Adding or changing schedules in a deployment policy
- Deployment Management
- Section VII. Configuring replication
- About NetBackup replication
- About NetBackup Auto Image Replication
- Viewing the replication topology for Auto Image Replication
- About the storage lifecycle policies required for Auto Image Replication
- Removing or replacing replication relationships in an Auto Image Replication configuration
- About NetBackup replication
- Section VIII. Monitoring and reporting
- Monitoring NetBackup activity
- About the Jobs tab
- About the Daemons tab
- About the Processes tab
- About the Drives tab
- About the jobs database
- About pending requests and actions
- Reporting in NetBackup
- Email notifications
- Monitoring NetBackup activity
- Section IX. Administering NetBackup
- Management topics
- Accessing a remote server
- Using the NetBackup Remote Administration Console
- Run-time configuration options for the NetBackup Administration Console
- About improving NetBackup performance
- About adjusting time zones in the NetBackup Administration console
- Alternate server restores
- About performing alternate server restores
- Managing client backups and restores
- About client-redirected restores
- Powering down and rebooting NetBackup servers
- About Granular Recovery Technology
- About configuring Services for Network File System (NFS)
PREFERRED_NETWORK examples
Table: Basic examples
Description | Entry |
---|---|
Allows connectivity to the host names that resolve to 12.34.0.0 through 12.34.255.255. It does not affect outbound interface selection: | PREFERRED_NETWORK = 12.34.0.0/16 MATCH |
Allows connectivity to the host name that resolves to 12.34.56.78, and requests that the operating system use 98.76.54.32 as the outbound interface. | PREFERRED_NETWORK = 12.34.56.78 MATCH 98.76.54.32 |
Instructs the host to use the interface IPs of Host_A for all IPv4 and IPv6 addresses. | PREFERRED_NETWORK = 0/0 MATCH Host_A |
Prevents NetBackup from connecting to any destination address outside the range of 12.34.56.0 through 12.34.56.255. The source interface will be ANY unless one or more are PROHIBITED. | PREFERRED_NETWORK = 12.34.56.78/24 ONLY |
Prevents NetBackup from connecting to any destination address outside the range of 12.34.56.0 through 12.34.56.255. Requests that the operating system use 98.76.54.32 as the outbound interface. | PREFERRED_NETWORK = 12.34.56.78/24 ONLY 98.76.54.32 |
Prevents NetBackup from connecting to any destination addresses outside of the indicated IPv6 subnet. The source interface will be ANY unless one or more are PROHIBITED. | PREFERRED_NETWORK = 2001:1234:1efc::/48 ONLY |
Prevents NetBackup from using any address between 12.34.0.0 and 12.34.255.255 as the source or destination for a connection. If it matches a local interface, NetBackup will provide an ordered list of the remaining interfaces as the source binding list for the outbound interface when other entries do not specify a source. Using PROHIBITED with local interfaces is discouraged. See the details in the following topic: See directive. | PREFERRED_NETWORK = 12.34.56.78/16 PROHIBITED |
Prevents the host from using IPv4 addresses. | PREFERRED_NETWORK = 0.0.0.0 PROHIBITED |
Prevents the host from using IPv6 addresses. | PREFERRED_NETWORK = 0::0 PROHIBITED |
Prevents the host from using the address of the production_server. | PREFERRED_NETWORK = production_server PROHIBITED |
Use the bplocaladdrs command to observe the local interfaces that are provided to NetBackup by the operating system and the order in which they are provided.
bplocaladdrs returns the following output for the host (bob) in the examples in the following topics.
$ bplocaladdrs 10.82.105.11 10.82.105.8 10.82.10.10
Use the bptestnetconn command to observe the order in which entries are evaluated and the evaluation results. The TGT or SRC indicates whether the destination is permitted and which source binding list NetBackup provides to the operating system. A value of ANY indicates that the outbound interface is not constrained by NetBackup.
$ bptestnetconn -asp -v6 ... FL: mymaster -> 10.82.105.14 : 5 ms FAST (< 5 sec) TGT PROHIBITED FL: mymedia -> 10.81.40.61 : 6 ms FAST (< 5 sec) SRC: 10.82.10.10 ...
PREFERRED_NETWORK rules are applied in this order:
[0] PREFERRED_NETWORK = 10.82.105.14 PROHIBITED [1] PREFERRED_NETWORK = 10.81.40.0/24 MATCH 10.82.10.10 $ bptestnetconn -asp -v6 -H myclient ... FL: myclient -> 10.81.40.127 : 6 ms FAST (< 5 sec) SRC: ANY
PREFERRED_NETWORK rules are applied in this order:
[0] PREFERRED_NETWORK = 10.82.105.15/32 MATCH 10.82.105.0/24 [1] PREFERRED_NETWORK = 10.82.105.0/29 PROHIBITED [2] PREFERRED_NETWORK = 10.82.104.0/24 MATCH 10.82.105.5
The following examples are more complex and use a NetBackup server (bob), that uses the following network interfaces:
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 10.82.105.11 netmask fffff800 broadcast 10.82.111.255 eri0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 10.82.105.8 netmask fffff800 broadcast 10.255.255.255 eri1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3 inet 10.82.10.10 netmask fffff800 broadcast 10.82.15.255
Normal outbound connectivity to the following four hosts (billcat, muzzy, beetle, lilo), uses the first interface. Internal connections use the destination interface as the source interface.
$ bptestbpcd -host billcat 10.82.105.11:54129 -> 10.82.105.15:13724 $ bptestbpcd -host muzzy 10.82.105.11:54152 -> 10.82.105.14:13724 $ bptestbpcd -host beetle 10.82.105.11:54135 -> 10.82.104.249:13724 $ bptestbpcd -host lilo 10.82.105.11:54139 -> 10.82.56.79:1556 $ bptestbpcd -host 10.82.105.11 10.82.105.11:54144 -> 10.82.105.11:1556 $ bptestbpcd -host 10.82.105.8 10.82.105.8:52148 -> 10.82.105.8:1556
Using a local interface as the target for MATCH entries has no affect. In this example, the source interface is unaffected by the local MATCH entry.
PREFERRED_NETWORK = 10.82.105.8/32 MATCH $ bptestbpcd -host billcat 10.82.105.11:54202 -> 10.82.105.15:13724 $ bptestbpcd -host muzzy 10.82.105.11:54206 -> 10.82.105.14:13724 $ bptestbpcd -host beetle 10.82.105.11:54300 -> 10.82.104.249:13724 $ bptestbpcd -host lilo 10.82.105.11:54302 -> 10.82.56.79:1556 $ bptestbpcd -host 10.82.105.11 10.82.105.11:54306 -> 10.82.105.11:1556 $ bptestbpcd -host 10.82.105.8 10.82.105.8:54309 -> 10.82.105.8:1556
Similar to Example 1, using a local interface as the target for ONLY entries has no affect on source binding. It does, however, prevent connections to destination addresses (in the absence of other directives that more closely MATCH the destinations). Connections internal to the host are not affected.
PREFERRED_NETWORK = 10.82.105.8/32 ONLY
$ bptestbpcd -host billcat <16> bptestbpcd main: ConnectToBPCD(billcat) failed: 25 cannot connect on socket $ bptestbpcd -host muzzy <16> bptestbpcd main: ConnectToBPCD(muzzy) failed: 25 cannot connect on socket $ bptestbpcd -host beetle <16> bptestbpcd main: ConnectToBPCD(beetle) failed: 25 cannot connect on socket $ bptestbpcd -host lilo <16> bptestbpcd main: ConnectToBPCD(lilo) failed: 25 cannot connect on socket $ bptestbpcd -host 10.82.105.11 10.82.105.11:54306 -> 10.82.105.11:1556 $ bptestbpcd -host 10.82.105.8 10.82.105.8:54309 -> 10.82.105.8:1556
Using MATCH entries, the outbound connections to a specific host or network can be preferred over the defaults. In this example, connections to a specific host and a separate network are requested to use the second outbound network interface.
PREFERRED_NETWORK = 10.82.105.15/32 MATCH 10.82.105.8 PREFERRED_NETWORK = 10.82.104.0/24 MATCH 10.82.105.8
$ bptestbpcd -host billcat (Preferred by the first entry)
10.82.105.8:54192 -> 10.82.105.15:13724
$ bptestbpcd -host muzzy (Implicitly permitted using defaults)
10.82.105.11:54196 -> 10.82.105.14:13724
$ bptestbpcd -host beetle (Preferred by the second entry)
10.82.105.8:54200 -> 10.82.104.249:13724
$ bptestbpcd -host lilo (Implicitly permitted using defaults)
10.82.105.11:54202 -> 10.82.56.79:1556
Adding an ONLY entry prevents connections to any other hosts that are not on the specified network, or matched by prior entries.
PREFERRED_NETWORK = 10.82.105.15/32 MATCH 10.82.105.8 PREFERRED_NETWORK = 10.82.104.0/24 MATCH 10.82.105.8 PREFERRED_NETWORK = 10.82.56.0/24 ONLY
$ bptestbpcd -host billcat (Preferred by first entry)
10.82.105.8:54209 -> 10.82.105.15:13724
<16> bptestbpcd -host 10.82.105.14 (Does not match 1 or 2, excluded by 3)
<16> bptestbpcd main: ConnectToBPCD(muzzy) failed: 25 cannot connect on socket
$ bptestbpcd -host beetle (Preferred by second entry)
10.82.105.8:54214 -> 10.82.104.249:13724 (Required by third entry)
10.82.105.11:54216 -> 10.82.56.79:1556
Changing the ONLY to PROHIBITED explicitly excludes connections with those destination hosts and implicitly allows connections to unspecified hosts. The PROHIBITED network is non-local and does not affect source binding.
PREFERRED_NETWORK = 10.82.105.15/32 MATCH 10.82.105.8 PREFERRED_NETWORK = 10.82.104.249/32 MATCH 10.82.105.8 PREFERRED_NETWORK = 10.82.56.0/24 PROHIBITED
$ bptestbpcd -host billcat (Preferred by the first entry)
10.82.105.8:54224 -> 10.82.105.15:13724
$ bptestbpcd -host muzzy (Implicitly permitted)
10.82.105.11:54228 -> 10.82.105.14:13724
$ bptestbpcd -host beetle (Preferred by the second entry)
10.82.105.8:54232 -> 10.82.104.249:13724
$ bptestbpcd -host 10.82.56.79 (Does not match 1 or 2, prohibited by 3)
<16> bptestbpcd main: ConnectToBPCD(lilo) failed: 25 cannot connect on socket
Conversely, moving the ONLY to the top of the list does not prevent the MATCH entries from being evaluated because the ONLY is for a less restrictive IP range than the MATCH entries. The latter are evaluated first for those hosts.
PREFERRED_NETWORK = 10.82.104.0/24 ONLY PREFERRED_NETWORK = 10.82.105.15/32 MATCH 10.82.105.11 PREFERRED_NETWORK = 10.82.104.249/32 MATCH 10.82.105.8
$ bptestbpcd -host billcat (Preferred by the second entry)
10.82.105.11:54392 -> 10.82.105.15:13724
$ bptestbpcd -host 10.82.105.14 (Does not match 2 or 3, excluded by 1)
<16> bptestbpcd main: ConnectToBPCD(muzzy) failed: 25 cannot connect on socket
$ bptestbpcd -host beetle (Preferred by 3 before required by 1)
10.82.105.8:54396 -> 10.82.104.249:13724
$ bptestbpcd -host 10.82.56.79 (Does not match 2 or 3, excluded by 1)
<16> bptestbpcd main: ConnectToBPCD(lilo) failed: 25 cannot connect on socket
The subnet on this ONLY entry matches both billcat and muzzy, but does not affect the outbound interface confirming that ONLY is used for destination address filtering and not source address filtering. Otherwise, all connections would fail because both local interfaces, 10.82.105.11 and 10.82.105.8, are not in that subnet.
PREFERRED_NETWORK = 10.82.105.14/31 ONLY PREFERRED_NETWORK = 10.82.105.15/32 MATCH 10.82.105.8
$ bptestbpcd -host billcat (Preferred by second entry)
10.82.105.8:54209 -> 10.82.105.15:13724
$ bptestbpcd -host muzzy (Preferred by first entry)
10.82.105.11:45662 -> 10.82.105.14:13724
$ bptestbpcd -host 10.82.104.249 (Excluded by first entry)
<16> bptestbpcd main: ConnectToBPCD(beetle) failed: 25 cannot connect on socket
Here, all three remote hosts are reachable, but notice that the source interface is the one remaining after 10.82.105.11 is PROHIBITED. This includes the apparent target MATCH for billcat, which actually failed to match because the source was previously PROHIBITED. Notice that internal connections are not affected by PROHIBITED.
PREFERRED_NETWORK = 10.82.105.11/32 PROHIBITED PREFERRED_NETWORK = 10.82.105.15/32 MATCH 10.82.105.11
$ bptestbpcd -host billcat (Matched second, but first prohibited that source)
10.82.105.8:54202 -> 10.82.105.15:13724
$ bptestbpcd -host muzzy (Implicit match and pruned source)
10.82.105.8:54206 -> 10.82.105.14:13724
$ bptestbpcd -host beetle (Implicit match and pruned source)
10.82.105.8:54300 -> 10.82.104.249:13724
$ bptestbpcd -host 10.82.105.11 (Not affected by first entry)
10.82.105.11:54306 -> 10.82.105.11:1556 $ bptestbpcd -host 10.82.105.8 10.82.105.8:54309 -> 10.82.105.8:1556
This example demonstrates two nuances of source binding evaluation that result in the use of ANY interface instead of the non-prohibited interfaces. The second entry removes the 10.82.10.10 local interface from the source binding list before the third entry is processed making that source unavailable. The source on the first entry causes the shortened list created by the second entry to be ignored during all evaluations.
PREFERRED_NETWORK = 10.82.104.249 MATCH 10.82.105.0/24 PREFERRED_NETWORK = 10.82.10.10 PROHIBITED PREFERRED_NETWORK = 10.82.56.0/24 MATCH 10.82.10.10
FL: billcat -> 10.82.105.15 ... SRC: ANY (First source implicitly negates second target)
FL: muzzy -> 10.82.105.14 ... SRC: ANY (First source implicitly negates second target)
FL: beetle -> 10.82.104.249 ... SRC: 10.82.105.11 (Matched first, used first in range)
FL: lilo -> 10.82.56.79 ... SRC: ANY (Second target explicitly negates third source)
In Example 8, the source on the first entry matches two local interfaces. The 10.82.105.11 interface was chosen over 10.82.105.8 as the source when connecting to beetle because that interface was returned first by the operating system as shown in the bplocaladdrs output for this example. (See Using bplocaladdrs to troubleshoot.)
This example shows how the binding list is shortened by prohibiting a local interface. When ANY was the default source binding list, the outbound interface for these destinations was 10.82.105.11. (See Example 1.) Prohibiting a different local interface causes NetBackup to provide a shortened list and the operating system selected 10.82.10.10 as the source IP. Because this operating system uses the strong host model, that interface is not valid for these destination IPs and the connection attempts fail.
PREFERRED_NETWORK = 10.82.105.8 PROHIBITED FL: billcat -> 10.82.105.15 ... SRC: 10.82.10.10,10.82.105.11 FL: lilo -> 10.82.56.79 ... SRC: 10.82.10.10,10.82.105.11 $ bptestbpcd -host billcat <16> bptestbpcd main: ConnectToBPCD(billcat) failed: 25 cannot connect on socket $ bptestbpcd -host lilo <16> bptestbpcd main: ConnectToBPCD(lilo) failed: 25 cannot connect on socket
If the operating system is changed to the weak host model, the TCP SYN for each connection is transmitted out the default interface (10.10.82.105.11) onto the 10.82.104.0 network, but with a source IP of 10.82.10.10. If there is a network route from the 10.82.104.0 network to the destination hosts, then the SYN will reach the destinations. But the reply is only successful if there is an asymmetrical route back to the 10.82.8.0 network from the destination host. Notice the spoofed source IP in the successful connection which does not reflect the network onto which the TCP SYN packet was actually sent.
$ bptestbpcd -host billcat <16> bptestbpcd main: ConnectToBPCD(billcat) failed: 25 cannot connect on socket $ bptestbpcd -host lilo 10.82.10.10:52842 -> 10.82.56.79:1556