Overview
Before creating protection plans, register both the primary and DR sites with the XDR controller and configure the replication link between them. This establishes the trust relationship and network path that all replication traffic flows through.Prerequisites
- XDR controller deployed and accessible from both sites
- Network connectivity open between primary and DR sites on TCP 7000–7002
- Administrator credentials on both sites
- XDR agent deployed on both sites via XDeploy
Site Registration
- Dashboard
- CLI
Register the primary site
Log in to XDeploy (
https://connect.<your-domain>) and navigate to
Disaster Recovery → Sites → Register Site:| Field | Description |
|---|---|
| Site Name | Unique identifier (e.g., primary-dc1) |
| Role | Primary |
| API Endpoint | XDR agent API URL for this site (e.g., https://10.10.0.1:7002) |
| Auth Token | Site authentication token generated during XDR agent deployment |
| Network CIDR | IP range for this site’s compute and storage network |
| Description | Optional free-text label (e.g., datacenter name, location) |
Register the DR site
Repeat the registration process for the DR site, selecting role
DR.
Provide the DR site’s XDR agent endpoint and its authentication token.Both sites appear in the Sites list with status
REGISTERED.Create replication link
Navigate to Disaster Recovery → Sites → Replication Links → Create Link
and select the primary site as source and DR site as destination.
Configure link settings
| Setting | Recommendation |
|---|---|
| Compression | Enable for WAN links — reduces bandwidth 30–60% for typical storage data |
| Encryption | Always enable — replication traffic crosses network boundaries |
| Bandwidth Limit | Set to 80% of available link capacity to avoid saturation |
| MTU | Match the replication network MTU to avoid fragmentation |
| QoS Priority | Set to high if sharing the link with other traffic types |
Bandwidth Management
Replication bandwidth directly affects how quickly the initial sync completes and how tightly the replication lag tracks the configured RPO. Configure bandwidth policies to balance replication performance against production workload impact.Bandwidth limit policies
Bandwidth limit policies
XDR supports per-link and per-plan bandwidth limits. Per-link limits cap total
replication throughput on the network connection; per-plan limits allocate
bandwidth among multiple plans sharing the same link.Navigate to Disaster Recovery → Sites → Replication Links → [Link] → Bandwidth:
Configure these policies directly in the bandwidth settings panel for each replication link.
| Policy | Description |
|---|---|
| Hard cap | Never exceed this throughput regardless of available capacity |
| Peak hours throttle | Reduce throughput during business hours (cron schedule) |
| Burst allowance | Allow brief bursts above the cap to clear backlog |
Initial sync sizing
Initial sync sizing
The initial sync transfers all protected data to the DR site. Estimate
completion time before enabling a plan:
| Data Volume | 100 Mbps Link | 1 Gbps Link |
|---|---|---|
| 1 TB | ~22 hours | ~2.2 hours |
| 5 TB | ~4.5 days | ~11 hours |
| 10 TB | ~9 days | ~22 hours |
WAN link health
WAN link health
Monitor link statistics to detect degradation before it impacts RPO. Navigate to
Disaster Recovery → Sites → Replication Links → [Link] to view throughput
and error statistics over time.Key indicators of a degraded link:
- Throughput consistently below configured limit without backlog
- Retransmit rate above 1% (network packet loss)
- Round-trip latency increasing over time (congestion)
Replication Modes
| Mode | RPO | Overhead | Use Case |
|---|---|---|---|
| Asynchronous | Seconds to minutes | Low — primary writes complete without waiting for DR acknowledgment | Sites separated by >10ms RTT; most workloads |
| Synchronous | Zero (RPO = 0) | High — primary write latency increases by replication RTT | Databases and financial systems where zero data loss is required; sites under 5ms RTT |
Site Token Management
XDR agents authenticate between sites using site-specific tokens, not user credentials. Manage site tokens from Disaster Recovery → Sites → [Site] → Token Management:- View token status: The token expiry date and status are displayed for each registered site
- Rotate token: Click Rotate Token to generate a new authentication token for the selected site
- Update peer: After rotating a token, update the peer site with the new token in the peer’s site configuration panel
Rotate site tokens at least annually or immediately if a token is suspected
compromised. Token rotation does not interrupt active replication — the old
token remains valid for 15 minutes after rotation to allow the update to propagate.
Next Steps
Recovery Plans
Create ordered recovery groups and automation hooks
DR Automation
Configure automatic failover triggers and runbook scripts
Monitoring
Alert on replication lag and link throughput degradation
Troubleshooting
Diagnose initial sync failures and connectivity issues