Offsite Replication with SIRIS Private over MPLS
Topic
This article provides additional information for configuring offsite replication between SIRIS Private devices using MultiProtocol Label Switching. Before performing the steps outlined in this article, see our Getting Started with SIRIS Private article for initial configuration information.
Environment
Datto SIRIS Private
Description
Required Hardware
A SIRIS Private configuration with offsite replication over MPLS requires at least two Datto SIRIS devices:
- One SIRIS acts as the source device, which will perform backups of a protected machine on the organization's premises. This must be on a SIRIS Private service plan.
- A second SIRIS serves as the target device, which will act as the storage node for replicated copies of the source device's backups at an offsite location. This can be on any service plan.
You will also need the required networking equipment, which may consist of:
- Networking/security appliance at each site (e.g. router, switch, firewall, etc.)
- MPLS-enabled routers (may be provided by your network service provider)
Networking Overview
Multiprotocol Label Switching, or MPLS, is a networking technology that efficiently routes traffic over a private wide area network using “labels” rather than the underlying network IP addresses. If you haven’t already, you will first need to subscribe to MPLS service from your network service provider and ensure that all locations where SIRIS devices will be deployed are added to this MPLS network by your provider. In addition, each SIRIS location will need to be equipped with a router that can perform MPLS functions. These will typically be provided by your MPLS service provider and will connect to your local network/security appliance. The specific configuration and settings will vary depending on your network provider and equipment type. If you are adding a new site to the MPLS network, you should verify connectivity between the source and destination locations, prior to adding the SIRIS devices.
Each location will need to have DHCP and DNS services available to the routers at each location. You can centralize these functions at the hub site or deploy them at each location. Also check with your MPLS service provider to verify what routing services they may already be providing to these locations by default.
Here is a basic example of what a two-site MPLS network may look like. Site A is your organization's site, where the SIRIS (source) is taking backups of virtual and physical servers on the same local network. Site B is where the offsite SIRIS (target) is located; it will receive regular backup copies from Site A over the wide area network (WAN).
Figure 1: Two site MPLS Network example
In order for the sites to communicate with each other, a route must be established between the two local networks (10.0.1.0/24 and 10.0.2.0/24) at each site. This is accomplished by telling Site A’s local networking device that all traffic bound for the remote SIRIS’s subnet needs to go to the local MPLS router (connected to the MPLS circuit) as the “next hop.” The MPLS router, generally owned by the ISP, will then pass the traffic to the remote site according to MPLS label switching protocols. When the remote Site B MPLS router receives the incoming packets from Site A, it will forward them to the networking device on the remote network.
Most service provider MPLS networks utilize standard routing protocols (e.g. EIGRP, OSPF or iBGP) so that routers can exchange the required routing information for each site attached to the network. Others will require you to configure static routes between your locations. If you are unsure of the features and capabilities of your MPLS service, contact your network service provider for assistance.
Depending on your local device manufacturer, make and model, the configuration process may vary; however, a typical process to define a static route would include an entry for the local network at Site A:
- Name: SiteA-LAN
- Subnet: 10.0.1.0/24
- IP: 10.0.1.1
The second entry describes the static route to reach Site B over the MPLS link via the Service Provider Router:
- Name: SiteBviaMPLS
- Subnet: 10.0.2.0/24
- Gateway IP: 10.0.1.2
This will route all traffic originating on subnet 10.0.1.0/24 and bound for subnet 10.0.2.0/24 at Site B to the gateway at 10.0.1.2. From there the traffic will be forwarded by the service provider router over the MPLS link. The provider router will assign the appropriate MPLS label based on the destination subnet, and the traffic will be sent accordingly.
At Site B, a similar configuration is required:
- Name: SiteB-LAN
- Subnet: 10.0.2.0/24
- IP: 10.0.2.1
Again, the second entry describes the static route to reach Site A over the MPLS link via the Service Provider Router:
- Name: SiteAviaMPLS
- Subnet: 10.0.1.0/24
- Gateway IP: 10.0.2.2
Troubleshooting
Network connectivity over MPLS depends entirely on establishing the above routes correctly. If traffic is not passing between your sites, the first thing you should do is verify that you have correctly configured your routing protocols and that any static routes are also configured correctly and do not conflict or overlap with other existing entries or previous settings. Some devices will require that you first enable the WAN interface for MPLS and/or specify the desired gateway protocol.
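The static route entries listed for Site A and Site B above, and the "do not conflict or overlap" check in this troubleshooting step, can both be exercised with a small model of the two routing tables. The following is an added example and not Datto's code or anything from the SIRIS configuration itself; the SIRIS addresses (10.0.1.10 and 10.0.2.10), the treatment of each site's LAN entry as a directly connected network, and the "Stale" route used to show overlap are assumptions made for the illustration.

```python
"""Model of the two-site static routing from the article (added example).
Assumptions: the SIRIS source is 10.0.1.10 and the target is 10.0.2.10; the
LAN entry (whose "IP" is the device's own interface address) is treated as a
directly connected network, so it has no gateway."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    name: str
    subnet: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected


def route(name: str, subnet: str, gateway: Optional[str] = None) -> Route:
    return Route(name, ipaddress.ip_network(subnet),
                 ipaddress.ip_address(gateway) if gateway else None)


# Routing tables exactly as the article describes them.
SITE_A_ROUTES = [
    route("SiteA-LAN", "10.0.1.0/24"),
    route("SiteBviaMPLS", "10.0.2.0/24", "10.0.1.2"),
]
SITE_B_ROUTES = [
    route("SiteB-LAN", "10.0.2.0/24"),
    route("SiteAviaMPLS", "10.0.1.0/24", "10.0.2.2"),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.subnet]
    if not matches:
        return None
    return max(matches, key=lambda r: r.subnet.prefixlen)


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Gateway address for dst, "connected" for a local subnet, None if unrouted."""
    r = lookup(table, dst)
    if r is None:
        return None
    return "connected" if r.gateway is None else str(r.gateway)


def check_bidirectional(table_a: List[Route], table_b: List[Route],
                        src: str, dst: str) -> List[str]:
    """Replication traffic needs a path in both directions: Site A must reach
    the target and Site B must have a return route to the source. Returns a
    list of problems; an empty list means both directions are routed."""
    problems = []
    if lookup(table_a, dst) is None:
        problems.append(f"Site A has no route to {dst}")
    if lookup(table_b, src) is None:
        problems.append(f"Site B has no return route to {src}")
    return problems


def overlapping_routes(table: List[Route]):
    """Pairs of route names whose subnets overlap. Such entries are the
    'conflicting or overlapping' static routes the troubleshooting step
    warns about; the more specific one silently wins the lookup."""
    pairs = []
    for i, a in enumerate(table):
        for b in table[i + 1:]:
            if a.subnet.overlaps(b.subnet):
                pairs.append((a.name, b.name))
    return pairs


if __name__ == "__main__":
    print("A -> target next hop:", next_hop(SITE_A_ROUTES, "10.0.2.10"))
    print("B -> source next hop:", next_hop(SITE_B_ROUTES, "10.0.1.10"))
    print("problems:", check_bidirectional(SITE_A_ROUTES, SITE_B_ROUTES,
                                           "10.0.1.10", "10.0.2.10"))
    # A leftover broader route (constructed for the example) overlaps both entries.
    stale = SITE_A_ROUTES + [route("Stale", "10.0.0.0/16", "10.0.1.254")]
    print("overlaps:", overlapping_routes(stale))
```

The `check_bidirectional` call is the one to keep in mind when a site is added: a missing return route at Site B produces a one-way path that looks fine from Site A's table but never carries replies.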
Check firewall rules and make sure that SSH is allowed on TCP Port 22 between Site A and Site B (10.0.1.0/24 and 10.0.2.0/24 in the example network above). The SIRIS devices use Port 22 for replication.
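Firewall rule sets are evaluated first match wins on most appliances, so an SSH allow rule that sits below a broad inter-site deny never takes effect. The following added example (not Datto's code, and not any particular vendor's rule syntax) models a generic first-match rule list for the two subnets in the article, evaluates the TCP 22 flow in both directions, and reports rules that an earlier rule shadows; the SIRIS addresses 10.0.1.10 and 10.0.2.10 and both rule sets are constructed for the illustration.

```python
"""First-match firewall check for the SIRIS replication flow (TCP 22 between
10.0.1.0/24 and 10.0.2.0/24). Added example; the rule format is a generic
first-match list assumed for illustration, not a vendor's configuration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp" or "any"
    dport: Optional[int]             # None means any destination port


def rule(action: str, src: str, dst: str, proto: str = "any",
         dport: Optional[int] = None) -> Rule:
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                proto, dport)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str,
             dport: int, default: str = "deny") -> str:
    """Action of the first rule matching the flow, else the implicit default."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return default


def replication_allowed(rules: List[Rule], source_siris: str,
                        target_siris: str) -> Dict[str, bool]:
    """SSH on TCP 22 must be permitted between the sites (per the article);
    this checks the flow in both directions against the same rule list."""
    return {
        "source->target": evaluate(rules, source_siris, target_siris, "tcp", 22) == "allow",
        "target->source": evaluate(rules, target_siris, source_siris, "tcp", 22) == "allow",
    }


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every flow matched by inner is already matched by outer."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule covers them."""
    return [j for j, r in enumerate(rules)
            if any(covers(rules[i], r) for i in range(j))]


# Constructed weak rule set: the broad deny is placed ahead of the SSH allow,
# so the allow is shadowed and replication traffic is dropped.
MISORDERED = [
    rule("deny", "10.0.1.0/24", "10.0.2.0/24"),
    rule("allow", "10.0.1.0/24", "10.0.2.0/24", "tcp", 22),
]

# Corrected rule set: specific TCP 22 allows in both directions first, then the
# broad inter-site denies.
CORRECTED = [
    rule("allow", "10.0.1.0/24", "10.0.2.0/24", "tcp", 22),
    rule("allow", "10.0.2.0/24", "10.0.1.0/24", "tcp", 22),
    rule("deny", "10.0.1.0/24", "10.0.2.0/24"),
    rule("deny", "10.0.2.0/24", "10.0.1.0/24"),
]

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, replication_allowed(rules, "10.0.1.10", "10.0.2.10"),
              "shadowed:", shadowed_rules(rules))
```

`shadowed_rules` is the quick way to spot the ordering mistake: a non-empty result on the rule set that is supposed to permit SSH means the allow rule is unreachable, regardless of what the rule itself says.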
Once all of your routes and firewall rules have been verified, if you still have connectivity issues, check DHCP status using ipconfig or another utility and make sure that each site has a reachable DHCP server. If you are not able to pull IP addresses, verify that ip-helper (DHCP relay) is configured. Also make sure that you don’t have multiple DHCP servers that may be in conflict. Note that many networking devices ship with default DHCP services that need to be disabled. Also, many MPLS service providers already provide DHCP on the routers in their network, so verify how your carrier is handling DHCP before configuring your own DHCP servers at each site.
Finally, verify that DNS is operating correctly. Verify that the remote site can ping the DNS server. Running a traceroute may help you identify where the traffic is getting blocked. Run ipconfig /flushdns to clear the cache of affected devices, if needed. If remote hosts still cannot resolve local domains, try configuring a second DNS server at the remote location as a forwarder for the remote DNS, or create a secondary zone, to see if that solves your problem.
Once you have established connectivity between the two locations, refer to KB Article Configuring an appliance for SIRIS Private replication for steps on setting up the replication.
Additional Resources
Best Practices for protecting multiple subnets / multiple sites (MPLS/VPN)