Best Practices for protecting multiple subnets / multiple sites (MPLS/VPN)
Multiple Site / Subnet Configurations
This article discusses best practices for protecting multiple subnets of machines with a Datto appliance.
This article is not meant to be a hard-and-fast "how to subnet" guide; it simply points out the items to look for when setting a device up to protect multiple subnets.
Switch configurations
When deploying a Datto device with the intent to protect multiple subnets, inter-subnet communication is key.
If you have agents on a single subnet, a /24 mask (255.255.255.0) is sufficient.
However, if you have agents that extend beyond the subnet, you'll need to make sure that you not only can communicate between the subnets, but that your subnet mask is appropriately set.
Example:
A device is deployed to a Class C network with 3 subnets:
- 192.168.1.0
- 192.168.10.0
- 192.168.100.0
If you want the Datto device to be able to see all 3 subnets, set the appropriate mask and gateway.
If your gateway is 192.168.1.254, make sure that the agents on the .10 and .100 subnets can at least recognize the gateway for the .1 subnet.
This requires a subnet mask of 255.255.0.0, so that the third octet is treated as part of the host range rather than the network. Since all three subnets sit within the same class C space, this lets every agent communicate with the device.
You can consolidate the mask to account for different classes and different schemas. Here are some high-level examples:
32 = X-network-bits + Y-host-bits          Addresses = 2 ^ Y-host-bits
--------------------------------------------------------------
CIDR        Total number      Network            Description:
Notation:   of addresses:     Mask:
--------------------------------------------------------------
/0          4,294,967,296     0.0.0.0            Every Address
/1          2,147,483,648     128.0.0.0          128 /8 nets
/2          1,073,741,824     192.0.0.0          64 /8 nets
/3          536,870,912       224.0.0.0          32 /8 nets
/4          268,435,456       240.0.0.0          16 /8 nets
/5          134,217,728       248.0.0.0          8 /8 nets
/6          67,108,864        252.0.0.0          4 /8 nets
/7          33,554,432        254.0.0.0          2 /8 nets
/8          16,777,214        255.0.0.0          1 /8 net
--------------------------------------------------------------
/9          8,388,608         255.128.0.0        128 /16 nets
/10         4,194,304         255.192.0.0        64 /16 nets
/11         2,097,152         255.224.0.0        32 /16 nets
/12         1,048,576         255.240.0.0        16 /16 nets
/13         524,288           255.248.0.0        8 /16 nets
/14         262,144           255.252.0.0        4 /16 nets
/15         131,072           255.254.0.0        2 /16 nets
/16         65,536            255.255.0.0        1 /16
--------------------------------------------------------------
/17         32,768            255.255.128.0      128 /24 nets
/18         16,384            255.255.192.0      64 /24 nets
/19         8,192             255.255.224.0      32 /24 nets
/20         4,096             255.255.240.0      16 /24 nets
/21         2,048             255.255.248.0      8 /24 nets
/22         1,024             255.255.252.0      4 /24 nets
/23         512               255.255.254.0      2 /24 nets
/24         256               255.255.255.0      1 /24
--------------------------------------------------------------
/25         128               255.255.255.128    Half of a /24
/26         64                255.255.255.192    Fourth of a /24
/27         32                255.255.255.224    Eighth of a /24
/28         16                255.255.255.240    1/16th of a /24
/29         8                 255.255.255.248    5 Usable addresses
/30         4                 255.255.255.252    1 Usable address
/31         2                 255.255.255.254    Unusable
/32         1                 255.255.255.255    Single host
--------------------------------------------------------------
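As an added illustration (not code from the Datto article), the Python below uses the standard ipaddress module to regenerate rows of the table above and to check the three-subnet example: which subnets are on-link with the gateway 192.168.1.254 under a /24 versus a /16 mask, and the tightest mask that still covers all three. The subnet and gateway values are the article's; the helper names are my own.

```python
import ipaddress

# Values from the article's three-subnet example.
SUBNETS = ["192.168.1.0", "192.168.10.0", "192.168.100.0"]
GATEWAY = "192.168.1.254"


def cidr_row(prefix):
    """Regenerate one row of the CIDR table: (total addresses, dotted mask, description)."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix}")
    total, mask = net.num_addresses, str(net.netmask)
    if prefix == 0:
        desc = "Every Address"
    elif prefix <= 24:
        # Count how many /8, /16 or /24 networks this block spans.
        boundary = 8 if prefix <= 8 else 16 if prefix <= 16 else 24
        desc = f"{2 ** (boundary - prefix)} /{boundary} nets"
    elif prefix == 32:
        desc = "Single host"
    else:
        # Network and broadcast are unusable (the article's table also reserves one for the gateway).
        desc = f"{max(total - 2, 0)} usable host addresses"
    return total, mask, desc


def on_link(gateway, prefix, subnets):
    """Map each subnet address to whether it shares the gateway's network under this prefix."""
    gw_net = ipaddress.IPv4Interface(f"{gateway}/{prefix}").network
    return {s: ipaddress.IPv4Address(s) in gw_net for s in subnets}


def smallest_prefix(gateway, subnets):
    """Tightest mask (longest prefix) under which every subnet is on-link with the gateway."""
    for prefix in range(32, -1, -1):
        if all(on_link(gateway, prefix, subnets).values()):
            return prefix


if __name__ == "__main__":
    for prefix in (8, 16, 24):
        print(f"/{prefix}", *cidr_row(prefix))
    for prefix in (24, 16):
        print(f"{GATEWAY}/{prefix}:", on_link(GATEWAY, prefix, SUBNETS))
    print("tightest prefix covering all three:", smallest_prefix(GATEWAY, SUBNETS))
```

With a /24 only the .1 subnet is reachable; the article's /16 covers all three, and the check shows a /17 would be the tightest mask that still does.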
Different Class Networks
If you have different class networks, you may need to utilize the secondary NIC of the device.
Example:
A device is deployed to a network that uses both Class C and Class B network schemas:
- 192.168.25.0
- 172.16.50.0
With this different class network, you may want to set up the primary NIC of the device to one subnet and then utilize the secondary NIC in order to capture traffic from the second network segment.
Assign an unused address on that second segment to the secondary NIC; it acts as the focal point for backing up the agent. No gateway is assigned to the secondary NIC: the second NIC itself acts as the gateway the agent uses to reach the device. The device will always check in and send data offsite via its primary NIC (eth0).
Backups Over VPN
IMPORTANT: This configuration is discouraged due to the instability of backups over VPN connections.
While Datto devices support backups over VPN or MPLS, it is not the recommended configuration and may prove unreliable. There are many considerations to weigh before deploying this kind of solution for customers. There are many free VPN clients available for use.
While normal file transfers, desktop sharing, and work operations may be easily executed over a VPN, an image-based backup over a VPN connection brings many more items into consideration:
- Triggering the backup image
- Reading the disk to be backed up
- Returning data to the Datto device
- Writing data across the tunnel to the device
NOTE: Reliable image-based backups over VPN require a stable connection with plenty of bandwidth between the site and the Datto device. While a slower connection may be supported, we cannot guarantee the reliability of the backup transfers unless the minimum standards are met.
NOTE: The minimum recommendation is a constant, uninterrupted 50Mbps VPN connection per 1TB of data between the server site and the Datto device.
NOTE: If multiple agents are backing up over a single VPN, they need to be staggered to prevent connectivity loss.
Configuring Firewalls / Connections
Please ensure allowlists exist to allow the server and device to make external connections detailed here: Datto IP Ranges.
When setting up the connection between the Datto appliance and the site where the VPN connection will reside:
- Firewalls and routers should be configured to have a separate security zone that will allow traffic to and from the site without restriction or deep packet inspection.
- Any possible WAN accelerators should be enabled to improve the transfer speeds.
- A single tunnel should be dedicated as much as possible to the connection. No other traffic should be present.
- Test the reliability of the VPN connection with regular speed tests to ensure that the connection has remained stable.
- Run backups when activity on the protected machines and the traffic tunnel is at a minimum.
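As an added example (not part of the Datto article), the following Python evaluates constructed speed-test samples against the article's minimum of 50 Mbps per 1 TB of protected data and builds a staggered, non-overlapping schedule so only one agent uses the tunnel at a time. The sample throughput values, agent names and data sizes, and the 15-minute gap between agents are assumptions.

```python
# Article threshold: 50 Mbps of constant, uninterrupted VPN bandwidth per 1 TB protected.
MBPS_PER_TB = 50

# Constructed speed-test log for one day: (time, measured tunnel throughput in Mbps).
SPEED_SAMPLES = [("02:00", 92.4), ("06:00", 88.1), ("10:00", 61.7),
                 ("14:00", 45.9), ("18:00", 70.3), ("22:00", 95.0)]

# Constructed agents at the remote site with protected data in TB (1.0 TB in total).
AGENTS = {"fileserver01": 0.5, "sql01": 0.3, "dc01": 0.2}


def required_mbps(protected_tb):
    """Minimum sustained bandwidth for the given amount of protected data."""
    return MBPS_PER_TB * protected_tb


def link_meets_minimum(samples, protected_tb):
    """Return (ok, required Mbps, sample times that fell below the minimum).

    'Constant, uninterrupted' means every sample must clear the bar, not the average."""
    need = required_mbps(protected_tb)
    below = [t for t, mbps in samples if mbps < need]
    return (not below, need, below)


def stagger_schedule(agents, link_mbps, start_hour=0.0, gap_minutes=15):
    """Serialise agents so only one uses the tunnel at a time (smallest data set first).

    Returns (agent, start_hour, end_hour) triples. The transfer estimate assumes a full
    image at link_mbps, so pass the worst measured sample for a conservative plan."""
    schedule, t = [], start_hour
    for name, tb in sorted(agents.items(), key=lambda kv: kv[1]):
        hours = tb * 8e6 / link_mbps / 3600  # 1 TB = 8e6 megabits
        schedule.append((name, round(t, 2), round(t + hours, 2)))
        t += hours + gap_minutes / 60
    return schedule


if __name__ == "__main__":
    total_tb = sum(AGENTS.values())
    ok, need, below = link_meets_minimum(SPEED_SAMPLES, total_tb)
    print(f"need {need} Mbps, ok={ok}, dipped below at {below}")
    for name, start, end in stagger_schedule(AGENTS, min(m for _, m in SPEED_SAMPLES)):
        print(f"{name}: {start:.2f}h -> {end:.2f}h")
```

The 14:00 sample alone is enough to fail the check, which is the point of the "constant, uninterrupted" wording: one busy afternoon on a shared tunnel can stall an image transfer.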