Best Practices for protecting multiple subnets / multiple sites (MPLS/VPN)

Multiple Site / Subnet Configurations

This article discusses best practices for protecting multiple subnets of machines with a Datto appliance.

This article is not meant to be a hard-and-fast "how to subnet" guide; it simply calls out the items to look for when setting a device up to protect multiple subnets.

Switch configurations

When deploying a Datto device with the intent to protect multiple subnets, inter-subnet communication is key.

If you have agents on a single subnet, a /24 mask (255.255.255.0) is sufficient.

However, if you have agents that extend beyond a single subnet, you'll need to make sure not only that the subnets can communicate with each other, but also that the subnet mask on the device is set appropriately.

Example:

A device is deployed to a Class C network with 3 subnets:

  • 192.168.1.0
  • 192.168.10.0
  • 192.168.100.0

If you want the Datto device to be able to see all 3 subnets, set the appropriate mask and gateway.

If your gateway is 192.168.1.254, make sure that the agents on the .10 and .100 subnets can at least recognize the gateway for the .1 subnet.

This requires a subnet mask of 255.255.0.0 so that the 3rd octet is treated as part of the host portion rather than the network portion. Since all three subnets are maintained within the same Class C private space (192.168.x.x), this allows all agents to communicate with the gateway and with the device.

You can widen or narrow the mask to account for different classes and different addressing schemes. Here are some high-level examples:

32 = X-network-bits + Y-host-bits
Addresses = 2 ^ Y-host-bits
--------------------------------------------------------------
CIDR        Total number    Network             Description:
Notation:   of addresses:   Mask:
--------------------------------------------------------------
/0          4,294,967,296   0.0.0.0             Every Address
/1          2,147,483,648   128.0.0.0           128 /8 nets
/2          1,073,741,824   192.0.0.0           64 /8 nets
/3          536,870,912     224.0.0.0           32 /8 nets
/4          268,435,456     240.0.0.0           16 /8 nets
/5          134,217,728     248.0.0.0           8 /8 nets
/6          67,108,864      252.0.0.0           4 /8 nets
/7          33,554,432      254.0.0.0           2 /8 nets
/8          16,777,216      255.0.0.0           1 /8 net
--------------------------------------------------------------
/9          8,388,608       255.128.0.0         128 /16 nets
/10         4,194,304       255.192.0.0         64 /16 nets
/11         2,097,152       255.224.0.0         32 /16 nets
/12         1,048,576       255.240.0.0         16 /16 nets
/13         524,288         255.248.0.0         8 /16 nets
/14         262,144         255.252.0.0         4 /16 nets
/15         131,072         255.254.0.0         2 /16 nets
/16         65,536          255.255.0.0         1 /16 net
--------------------------------------------------------------
/17         32,768          255.255.128.0       128 /24 nets
/18         16,384          255.255.192.0       64 /24 nets
/19         8,192           255.255.224.0       32 /24 nets
/20         4,096           255.255.240.0       16 /24 nets
/21         2,048           255.255.248.0       8 /24 nets
/22         1,024           255.255.252.0       4 /24 nets
/23         512             255.255.254.0       2 /24 nets
/24         256             255.255.255.0       1 /24 net
--------------------------------------------------------------
/25         128             255.255.255.128     Half of a /24
/26         64              255.255.255.192     Fourth of a /24
/27         32              255.255.255.224     Eighth of a /24
/28         16              255.255.255.240     1/16th of a /24
/29         8               255.255.255.248     5 Usable addresses
/30         4               255.255.255.252     1 Usable address
/31         2               255.255.255.254     Unusable
/32         1               255.255.255.255     Single host
--------------------------------------------------------------
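The mask reasoning in the three-subnet example above, and the address counts in the table, can both be checked mechanically. The following is an added example written for this article, not Datto's own code or tooling: it uses Python's standard ipaddress module to test which agents can see the .1 gateway under a /24 versus a 255.255.0.0 mask, converts between prefix lengths and dotted masks, and reproduces the table's "total addresses" column. The agent host addresses are constructed for the example. It also goes one step beyond the article by computing the strictly tightest mask that covers all three subnets (a /17, 255.255.128.0); 255.255.0.0 is the octet-aligned choice the article recommends, and the example confirms it works too.

```python
from ipaddress import IPv4Network
from typing import Iterable, List

# Constructed sample values taken from the article's example: three /24 subnets
# and a single gateway on the .1 subnet. The agent host addresses are made up.
SUBNETS = ["192.168.1.0", "192.168.10.0", "192.168.100.0"]
GATEWAY = "192.168.1.254"
AGENTS = ["192.168.1.10", "192.168.10.10", "192.168.100.10"]


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask (e.g. 255.255.0.0) -> CIDR prefix length (16)."""
    return IPv4Network(f"0.0.0.0/{mask}").prefixlen


def prefix_to_mask(prefixlen: int) -> str:
    """CIDR prefix length (16) -> dotted-decimal mask (255.255.0.0)."""
    return str(IPv4Network(f"0.0.0.0/{prefixlen}").netmask)


def address_count(prefixlen: int) -> int:
    """Total addresses in a block, i.e. 2 ** (32 - prefixlen), the table's formula."""
    return IPv4Network(f"0.0.0.0/{prefixlen}").num_addresses


def same_subnet(host_a: str, host_b: str, mask: str) -> bool:
    """True when both addresses fall into the same network under the given mask."""
    net_a = IPv4Network(f"{host_a}/{mask}", strict=False)
    net_b = IPv4Network(f"{host_b}/{mask}", strict=False)
    return net_a == net_b


def tightest_common_mask(addresses: List[str]) -> str:
    """Narrowest mask (longest prefix) under which every address shares one network.

    Walks from /32 toward /0; the first prefix length that places all addresses
    in one network is the tightest mask that works.
    """
    for prefixlen in range(32, -1, -1):
        mask = prefix_to_mask(prefixlen)
        if all(same_subnet(addresses[0], a, mask) for a in addresses[1:]):
            return mask
    return "0.0.0.0"  # not reached: /0 always matches


def hosts_not_seeing_gateway(hosts: Iterable[str], gateway: str, mask: str) -> List[str]:
    """Hosts that would treat the gateway as off-link under the given mask."""
    return [h for h in hosts if not same_subnet(h, gateway, mask)]


if __name__ == "__main__":
    # With a /24 mask, agents on the .10 and .100 subnets do not see the .1 gateway.
    print("/24 leaves off-link:", hosts_not_seeing_gateway(AGENTS, GATEWAY, "255.255.255.0"))
    # With 255.255.0.0 every agent is on-link with the gateway, as the article states.
    print("/16 leaves off-link:", hosts_not_seeing_gateway(AGENTS, GATEWAY, "255.255.0.0"))
    # The strictly tightest covering mask is /17; 255.255.0.0 is the octet-aligned choice.
    print("tightest common mask:", tightest_common_mask(SUBNETS))
    for prefixlen in (8, 16, 17, 24):
        print(f"/{prefixlen:<3} {address_count(prefixlen):>13,}  {prefix_to_mask(prefixlen)}")
```

Run it as a script to see the two gateway checks side by side; when planning a new site, drop the real agent and gateway addresses into AGENTS and GATEWAY and an empty list from hosts_not_seeing_gateway confirms the chosen mask before the device is deployed.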

Different Class Networks

If you have networks of different classes, you may need to use the device's secondary NIC.

EXAMPLE  A device is deployed to a network that uses both Class C and Class B addressing schemes:

  • 192.168.25.0
  • 172.16.50.0

With networks of different classes, set up the device's primary NIC on one subnet and use the secondary NIC to capture traffic from the second network segment.

Assign the secondary NIC an unused address on the second segment; that address becomes the focal point the agents there back up to. No gateway is assigned to the secondary NIC: that second NIC itself acts as the gateway the agent uses to reach the device. The device always checks in and sends data offsite via its primary NIC (eth0).
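To make the dual-NIC behaviour concrete, here is an added example (not Datto's code; the device's actual network stack is not described on this page) that models the layout from the example above as a tiny route lookup: a packet leaves on whichever NIC is directly connected to the destination, and anything else leaves via the single default gateway on eth0. The host addresses, the site gateway 192.168.25.1, the offsite address 203.0.113.10 and the deliberately misconfigured second layout are all constructed assumptions. The config_warnings check flags the mistakes that break this design, such as a gateway on both NICs or overlapping segments.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional


@dataclass(frozen=True)
class Nic:
    name: str
    iface: IPv4Interface              # address and mask on that segment
    gateway: Optional[IPv4Address]    # only the primary NIC should carry one


@dataclass(frozen=True)
class Route:
    nic: str
    via: Optional[IPv4Address]        # None means the destination is directly connected


# Constructed dual-NIC layout for the article's example: eth0 on the Class C segment
# carrying the site gateway, eth1 on the Class B segment with no gateway at all.
# Host addresses and the gateway 192.168.25.1 are assumptions, not from the article.
NICS = [
    Nic("eth0", IPv4Interface("192.168.25.10/24"), IPv4Address("192.168.25.1")),
    Nic("eth1", IPv4Interface("172.16.50.10/24"), None),
]

# Constructed negative case: a gateway on the secondary NIC as well, which gives the
# device two default routes and makes the offsite path ambiguous.
NICS_TWO_GATEWAYS = [
    Nic("eth0", IPv4Interface("192.168.25.10/24"), IPv4Address("192.168.25.1")),
    Nic("eth1", IPv4Interface("172.16.50.10/24"), IPv4Address("172.16.50.1")),
]


def select_route(nics: List[Nic], destination: str) -> Route:
    """Pick the NIC a packet leaves on: a directly connected network wins (longest
    prefix first), otherwise the one NIC that carries the default gateway."""
    dst = IPv4Address(destination)
    connected = [n for n in nics if dst in n.iface.network]
    if connected:
        best = max(connected, key=lambda n: n.iface.network.prefixlen)
        return Route(best.name, None)
    defaults = [n for n in nics if n.gateway is not None]
    if len(defaults) != 1:
        raise ValueError(f"expected exactly one default gateway, found {len(defaults)}")
    return Route(defaults[0].name, defaults[0].gateway)


def config_warnings(nics: List[Nic]) -> List[str]:
    """Sanity checks on a dual-NIC layout before trusting it with backup traffic."""
    warnings: List[str] = []
    defaults = [n.name for n in nics if n.gateway is not None]
    if len(defaults) > 1:
        warnings.append(f"more than one default gateway ({', '.join(defaults)}); "
                        "offsite traffic may leave on the wrong NIC")
    if not defaults:
        warnings.append("no default gateway on any NIC; offsite check-ins will fail")
    for n in nics:
        if n.gateway is not None and n.gateway not in n.iface.network:
            warnings.append(f"{n.name}: gateway {n.gateway} is not on its own segment {n.iface.network}")
    for a in nics:
        for b in nics:
            if a.name < b.name and a.iface.network.overlaps(b.iface.network):
                warnings.append(f"{a.name} and {b.name} overlap ({a.iface.network} / {b.iface.network})")
    return warnings


if __name__ == "__main__":
    for dest in ("172.16.50.20", "192.168.25.40", "203.0.113.10"):
        print(dest, "->", select_route(NICS, dest))
    print("warnings (good layout):", config_warnings(NICS))
    print("warnings (two gateways):", config_warnings(NICS_TWO_GATEWAYS))
```

The Class B agent at 172.16.50.20 is reached directly on eth1 while the offsite destination goes out eth0 via the gateway, which is exactly the split the section describes; adding a gateway to eth1 is the single most common way to break it, and config_warnings reports it.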

Backups Over VPN

IMPORTANT  This configuration is discouraged due to the instability of backups over VPN connections.

While Datto devices support backups over VPN or MPLS, it is not the recommended configuration and may prove unreliable. There are many considerations to weigh before deploying this kind of solution for customers. There are many free VPN clients available for use.

While normal file transfers, desktop sharing, and work operations may be easily executed over a VPN, an image-based backup over a VPN connection brings many more items into consideration:

  • Triggering the backup image
  • Reading the disk to be backed up
  • Returning data to the Datto device
  • Writing data across the tunnel to the device

NOTE  Reliable image-based backups over VPN require a stable connection with plenty of bandwidth between the site and the Datto device. While a slower connection may be supported, we cannot guarantee the reliability of the backup transfers unless the minimum standards are met.

NOTE  The minimum recommendation is a constant, uninterrupted 50Mbps VPN connection per 1TB of data between the server site and the Datto device.

NOTE  If multiple agents are backing up over a single VPN, they need to be staggered to prevent connectivity loss.

Configuring Firewalls / Connections

Please ensure allowlists exist that permit the server and the device to make the external connections detailed here: Datto IP Ranges.

When setting up the connection between the Datto appliance and the site where the VPN connection terminates:

  • Firewalls and routers should be configured to have a separate security zone that will allow traffic to and from the site without restriction or deep packet inspection.
  • Any possible WAN accelerators should be enabled to improve the transfer speeds.
  • A single tunnel should be dedicated as much as possible to the connection. No other traffic should be present.
  • Test the reliability of the VPN connection with regular speed tests to ensure that the connection has remained stable.
  • Run backups when activity on the protected machines and the traffic tunnel is at a minimum.