VCP6-DCV STUDY GUIDE
[UNOFFICIAL]
By Vladan SEGET
Contents
VCP6-DCV Objective 1.1 – Configure and Administer Role-based Access Control ... 3
VCP6-DCV Objective 1.2 – Secure ESXi, vCenter Server, and vSphere Virtual Machines ... 9
VCP6-DCV Objective 1.3 - Enable SSO and Active Directory Integration... 17
VCP6-DCV Objective 2.1 - Configure Advanced Policies/Features and Verify Network Virtualization Implementation ... 26
VCP6-DCV Objective 2.2 - Configure Network I/O Control (NIOC) ... 41
VCP6-DCV Objective 2.3 – Configure vSS and vDS Policies ... 45
VCP6-DCV Objective 3.1 - Manage vSphere Storage Virtualization ... 52
VCP6-DCV Objective 3.2 - Configure Software-defined Storage ... 65
VCP6-DCV Objective 3.3 - Configure vSphere Storage Multi-pathing and Failover ... 76
VCP6-DCV Objective 3.4 - Perform Advanced VMFS and NFS Configurations and Upgrades ... 83
VCP6-DCV Objective 3.5 - Setup and Configure Storage I/O Control ... 93
VCP6-DCV Objective 4.1 - Perform ESXi Host and Virtual Machine Upgrades ... 96
VCP6-DCV Objective 4.2 - Perform vCenter Server Upgrade ... 100
VCP6-DCV Objective 5.1 - Configure Advanced/Multilevel Resource Pools ... 108
VCP6-DCV Objective 6.1 - Configure and Administer a vSphere Backups/Restore/Replication Solution ... 116
VCP6-DCV Objective 7.1 - Troubleshoot vCenter Server, ESXi Hosts, and Virtual Machines ... 132
VCP6-DCV Objective 7.2 - Troubleshoot vSphere Storage and Network Issues... 139
VCP6-DCV Objective 7.3 - Troubleshoot vSphere Upgrades ... 144
VCP6-DCV Objective 7.4 - Troubleshoot and Monitor vSphere Performance ... 149
VCP6-DCV Objective 7.5 - Troubleshoot HA and DRS Configurations and Fault Tolerance ... 156
VCP6-DCV Objective 8.1 - Deploy ESXi Hosts Using Autodeploy ... 166
VCP6-DCV Objective 8.2 - Customize Host Profile Settings ... 172
VCP6-DCV Objective 8.3 - Consolidate Physical Workloads using VMware Converter ... 177
VCP6-DCV Objective 9.1 - Configure Advanced vSphere HA Features ... 181
VCP6-DCV Objective 9.2 - Configure Advanced vSphere DRS Features ... 189
VCP6-DCV Objective 10.1 - Configure Advanced vSphere Virtual Machine Settings... 192
VCP6-DCV Objective 10.2 - Create and Manage Multi-Site Content Library ... 200
VCP6-DCV OBJECTIVE 1.1 – CONFIGURE AND ADMINISTER ROLE-BASED ACCESS CONTROL
Today's VCP6-DCV topic is VCP6-DCV Objective 1.1 - Configure and Administer Role-based Access Control. The VMware VCP exam is the gold standard of VMware certification exams. The VCP is the best-known VMware exam, even if it's not the highest technical level.
But it is the most recognized, by future employers and by the industry as a whole. We will cover the VCP6-DCV certification exam based on VMware's latest VCP6-DCV blueprint. Check the VCP6-DCV page for all objectives.
VMware vSphere Knowledge
Identify common vCenter Server privileges and roles
Describe how permissions are applied and inherited in vCenter Server
View/Sort/Export user and group lists
Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
Create/Clone/Edit vCenter Server Roles
Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products
Determine the appropriate set of privileges for common tasks in vCenter Server
IDENTIFY COMMON VCENTER SERVER PRIVILEGES AND ROLES
There are roles and privileges. A role is a collection of privileges assigned to a group or a user. There are a certain number of out-of-the-box (predefined) roles listed under vSphere Client > Roles. You can keep them, clone them, delete them or edit them.
Four different types of permissions
Not only vCenter Server permissions, like the ones above, but also local permissions for ESXi. The full list:
Global Permissions – Global permissions are applied to a global root object that spans solutions. Assigning permissions via the global root allows them to propagate to the other products relying on SSO (vCO, vROPS, vCD...).
vCenter Server Permissions – Hierarchical model. A permission gives you a certain number of privileges, similar to Microsoft AD. You select an object > assign a role to a group of users > to give them privileges on that object.
Group Membership in vsphere.local Groups – The vsphere.local domain includes several predefined groups. Assign users from AD (if you're using AD) to one of those groups so that they can perform the corresponding actions.
For some services that are not managed by vCenter Server directly, privileges are determined by membership in one of the vCenter Single Sign-On groups. For example, a user who is a member of the Administrators group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins group can manage the VMware Certificate Authority, and a user who is in the LicenseService.Administrators group can manage licenses.
Note: to be able to find the AD groups it's necessary to add identity sources via: Home > Administration > Single Sign-On > Configuration > Identity Sources.
The user administrator@vsphere.local can perform tasks that are associated with services included with the Platform Services Controller.
ESXi Local Host Permissions – If you are managing a standalone ESXi host that is not managed by a vCenter Server system, you can assign one of the predefined roles to users.
DESCRIBE HOW PERMISSIONS ARE APPLIED AND INHERITED IN VCENTER SERVER
Global permissions are assigned via the Web Client only (SSO), via Home > Administration > Global Permissions. If you deselect "Propagate to children", the objects further down the hierarchy won't be accessible by that particular user/group (it's like managing NTFS permissions on Windows servers and unchecking the inheritance checkbox). Permissions apply directly to the object and are propagated to children by default.
If you click the "View Children" link, it shows you all the children that the permission will apply to (if "Propagate to children" is selected).
Inheritance of Multiple Permissions - What if a user is a member of more than one group? Then the combined privileges of the roles apply. The example below shows a user who is a member of both groups.
Child permissions override Parent permissions - Permissions applied on a child object always override permissions applied on a parent object. See the examples on p. 119 of the vSphere Security Guide.
Ex. Role 1 can power on VMs and Role 2 can take snapshots.
Group A is granted Role 1 on VM folder and permissions propagate to child objects.
Group B is granted Role 2 on VM B.
User 1, who belongs to groups A and B, logs on. Because Role 2 is assigned at a lower point in the hierarchy than Role 1, it overrides Role 1 on VM B. User 1 can power on VM A, but not take snapshots. User 1 can take snapshots of VM B, but not power it on.
User role overriding group role - if two permissions are defined on the same object.
Both permissions are on the same object. One permission is granted to a group, the other to a user who is at the same time a member of that group. Role 1 can power on VMs. Group A is granted Role 1 on VM folder and at the same time User 1 is granted the No Access role on VM folder.
User 1, who belongs to group A, logs on. The No Access role granted to User 1 on VM folder overrides the role assigned to the group. User 1 has no access to VM folder or VMs A and B.
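To make the two override examples above concrete, here is an added example (my code, not the study guide's or VMware's): a small Python model of how vCenter resolves a user's effective privileges on an inventory object. The object, group and role names are constructed from the examples above; the privilege IDs VirtualMachine.Interact.PowerOn and VirtualMachine.State.CreateSnapshot are real vSphere privilege names used as stand-ins for "power on" and "take snapshots"; the resolution order (the nearest level that carries a matching permission wins, a user permission beats a group permission on the same object, several group permissions on one object are combined) is my reading of the rules stated above.

```python
from dataclasses import dataclass

# Added example: a model of vCenter permission resolution. All names below are
# constructed from the two examples in the text.


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset


@dataclass(frozen=True)
class Permission:
    principal: str          # user name or group name
    is_group: bool
    role: Role
    propagate: bool = True  # the "Propagate to children" checkbox


class Inventory:
    """Tree of inventory objects, each carrying a list of permissions."""

    def __init__(self):
        self.parent = {}    # object -> parent object (None for the root)
        self.perms = {}     # object -> [Permission, ...]

    def add(self, obj, parent=None):
        self.parent[obj] = parent
        self.perms[obj] = []

    def grant(self, obj, perm):
        self.perms[obj].append(perm)

    def effective_privileges(self, user, groups, obj):
        """Walk from obj up to the root and stop at the first level that holds a
        permission for this user or one of the user's groups. Permissions on an
        ancestor only count if they propagate; a user permission on the chosen
        level overrides group permissions there; group permissions combine."""
        node, direct = obj, True
        while node is not None:
            applicable = [
                p for p in self.perms[node]
                if (direct or p.propagate)
                and (p.principal == user if not p.is_group else p.principal in groups)
            ]
            if applicable:
                user_perms = [p for p in applicable if not p.is_group]
                chosen = user_perms or applicable
                return frozenset().union(*(p.role.privileges for p in chosen))
            node, direct = self.parent[node], False
        return frozenset()   # no permission anywhere on the path: No Access


# Real vSphere privilege IDs standing in for "power on" and "take snapshots".
POWER_ON = Role("Role 1", frozenset({"VirtualMachine.Interact.PowerOn"}))
SNAPSHOT = Role("Role 2", frozenset({"VirtualMachine.State.CreateSnapshot"}))
NO_ACCESS = Role("No Access", frozenset())


def build_inventory():
    inv = Inventory()
    inv.add("VM folder")
    inv.add("VM A", "VM folder")
    inv.add("VM B", "VM folder")
    return inv


def child_overrides_parent():
    """Group A has Role 1 on the folder (propagating), Group B has Role 2 on
    VM B; User 1 is a member of both groups."""
    inv = build_inventory()
    inv.grant("VM folder", Permission("Group A", True, POWER_ON))
    inv.grant("VM B", Permission("Group B", True, SNAPSHOT))
    groups = {"Group A", "Group B"}
    return {obj: inv.effective_privileges("User 1", groups, obj)
            for obj in ("VM A", "VM B")}


def user_overrides_group():
    """Group A has Role 1 on the folder and User 1 has No Access on the same
    folder; User 1 is a member of Group A."""
    inv = build_inventory()
    inv.grant("VM folder", Permission("Group A", True, POWER_ON))
    inv.grant("VM folder", Permission("User 1", False, NO_ACCESS))
    return {obj: inv.effective_privileges("User 1", {"Group A"}, obj)
            for obj in ("VM folder", "VM A", "VM B")}


if __name__ == "__main__":
    for title, result in (("child overrides parent", child_overrides_parent()),
                          ("user overrides group", user_overrides_group())):
        print(title)
        for obj, privs in result.items():
            print(f"  {obj}: {sorted(privs) or 'No Access'}")
```

Running it prints that User 1 can only power on VM A and only snapshot VM B in the first scenario, and has No Access to the folder and both VMs in the second, which is exactly what the two walkthroughs above conclude.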
VIEW/SORT/EXPORT USER AND GROUP LISTS
To check global permissions you have to use Web Client > Home > Administration > Global Permissions. You can export the selected items or all items to a CSV file or copy them to the clipboard. You can also use CTRL+Click to copy to the clipboard.
ADD/MODIFY/REMOVE PERMISSIONS FOR USERS AND GROUPS ON VCENTER SERVER INVENTORY OBJECTS
To modify/add permissions you must select an object > Manage > Permissions. Then you can use the Delete, Edit or Add icons there...
CREATE/CLONE/EDIT VCENTER SERVER ROLES
To edit, create or clone vCenter roles it's necessary to use vSphere Web Client > Administration > Roles, or Home > Roles. Default roles are:
Administrator
Read-Only
No Access
vSphere Security Guide (p. 121).
DETERMINE THE CORRECT ROLES/PRIVILEGES NEEDED TO INTEGRATE VCENTER SERVER WITH OTHER VMWARE PRODUCTS
Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies.
P. 122
DETERMINE THE APPROPRIATE SET OF PRIVILEGES FOR COMMON TASKS IN VCENTER SERVER
Common tasks and required privileges - p. 127
All privileges - p. 229
Tools:
vSphere Installation and Setup Guide
vSphere Security Guide
What’s New in the VMware vSphere® 6.0 Platform
vSphere Administration with the vSphere Client Guide
VCP6-DCV OBJECTIVE 1.2 – SECURE ESXI, VCENTER SERVER, AND VSPHERE VIRTUAL MACHINES
This post covers VCP6-DCV Objective 1.2 - Secure ESXi, vCenter Server, and vSphere Virtual Machines. A very interesting chapter indeed, where we cover all the "locks" an admin can put in place to secure his/her environment. And you don't have to be a Linux expert, as all this is done without much difficulty!
For whole exam coverage I created a dedicated VCP6-DCV page. Or if you're not preparing to pass the VCP6-DCV, you might just want to look at some how-tos, news and videos about vSphere 6 - check out my vSphere 6 page. If you find that I missed something, don't hesitate to comment.
Knowledge
Enable/Configure/Disable services in the ESXi firewall
Enable Lockdown Mode
Configure network security policies
Add an ESXi Host to a directory service
Apply permissions to ESXi Hosts using Host Profiles
Configure virtual machine security policies
Create/Manage vCenter Server Security Certificates
ENABLE/CONFIGURE/DISABLE SERVICES IN THE ESXI FIREWALL
HOW TO ENABLE/DISABLE SERVICES IN THE ESXI FIREWALL - THE HARD WAY (VIA CLI)
CHECK WHICH SERVICES ARE ACTIVE
esxcli network firewall ruleset list
OPEN FIREWALL PORT VIA CLI:
esxcli network firewall ruleset set -e true -r httpClient
HOW TO ENABLE/DISABLE SERVICES IN THE ESXI FIREWALL - THE EASY WAY (VIA VSPHERE CLIENT)
Note that you can do the same by selecting the host through vSphere Client > Configuration > Security Profile.
Services can be Started, Stopped, or Restarted. Services can be configured to Start and stop with host, Start and stop manually, or Start and stop with port usage.
ESXi Shell and SSH are disabled (Set to Start and stop manually) by default. ESXi Shell and SSH can be enabled/disabled in the DCUI from the Troubleshooting Mode Options menu.
ENABLE LOCKDOWN MODE
When you enable lockdown mode, you can't connect directly from the console. The host is accessible only through the vSphere Client directly or via vCenter Server.
Lockdown Modes:
Disabled - Lockdown mode is disabled.
Normal - Lockdown mode is enabled. The host can only be accessed from vCenter or from the console (DCUI).
Strict - Lockdown mode is enabled. The DCUI service is stopped. The host cannot be accessed from the console (DCUI).
[TIP]: You can activate the DCUI from within an SSH session.
Type this after logging in with PuTTY or another SSH client: dcui
vSphere 6 introduced "Exception users": users with local accounts or Microsoft Active Directory accounts that have permissions defined locally on the host, where these users keep host access. You can define those exceptions locally on the host, but it's not recommended for normal user accounts, rather for service accounts. You should set the permissions on these accounts to the strict minimum, only what's required for the application to do its task, ideally with an account that needs only read-only permissions to the ESXi host.
This is basically the same principle as local accounts on a Windows member server, where you can create local accounts, but the best practice is to give them only the permissions they need...
Smart Card Authentication to DCUI – This is a new function, but apparently it is for U.S. federal customers only. It allows DCUI login using a Common Access Card (CAC) or Personal Identity Verification (PIV) card. In this case the ESXi host must be part of a Microsoft AD domain.
CONFIGURE NETWORK SECURITY POLICIES
Network security policies are defined in two places:
vSwitch level
Portgroup level
There are three different policies:
Promiscuous mode – If set to Accept, it allows the guest OS to receive all traffic observed on the connected vSwitch or port group (the switch basically becomes a hub, with all the inconveniences: packet collisions, performance degradation, etc.). By default it's Reject.
MAC address changes – If set to Accept, the host accepts requests to change the effective MAC address to a different address than the initial MAC address. By default it's Accept.
Forged transmits – If set to Accept, the host does not compare the source and effective MAC addresses transmitted from a virtual machine. By default it's Accept.
If MAC address changes and Forged transmits are set to Reject, this protects against MAC address spoofing. When changing the settings at the port group level there is an Override checkbox allowing you to set the policy on a port group rather than on the vSwitch.
ADD AN ESXI HOST TO A DIRECTORY SERVICE
Using Active Directory for user authentication simplifies the ESXi host configuration and reduces the risk of configuration issues that could lead to unauthorized access. You can join or leave a domain by selecting a host > Configuration > Authentication Services > Properties. You can also join standalone ESXi hosts to AD. By using AD you eliminate the need to manage local users on ESXi hosts.
A special AD group named "ESX Admins" should be created manually before the host is joined to AD. Why? Because all members of this group (ESX Admins) are automatically assigned the Administrator
vSphere web client > Hosts and clusters > Select ESXi host > Manage > Settings > Authentication services.
APPLY PERMISSIONS TO ESXI HOSTS USING HOST PROFILES
Host profiles are a very cool feature allowing you to homogenize configuration across ESXi hosts and automate compliance checking. In some cases host profiles can also be useful, for example when you need to reset the ESXi root password on a host. Check the vSphere Security Guide (PDF) on p. 133, but basically this procedure applies:
1. Set up the reference host to specification and create a host profile.
2. Attach the profile to a host or cluster.
3. Apply the host profile of the reference host to other hosts or clusters.
If you haven't done so yet, go to Home > Host Profiles > Extract profile from host. Once you have that profile you can apply it to a host...
Select the host profile > Click Actions > Edit Host Profile (or right click > edit settings)
Expand Security and Services
The root password is encrypted within the host profile; however, joining hosts to AD via host profiles leaves the password in plain text... -:(.
CONFIGURE VIRTUAL MACHINE SECURITY POLICIES
VMs are fragile, and the same goes for the guest OS. Treat them accordingly... -:). Seriously, you should patch to the latest release of OS patches, antivirus and/or anti-malware updates... That's the bare minimum to prevent system corruption.
Be organized - Use templates to deploy virtual machines
Prevent virtual machines from taking over resources
Disable unnecessary functions inside virtual machines - usually Windows/Linux services can be stopped or set to manual instead of automatic startup, etc.
Remove unnecessary hardware devices - floppy, printers, sound devices... Everything you don't need can be removed to lower overhead.
Disable unused display features
Disable unexposed features
Disable HGFS file transfers
Disable copy and paste operations between the guest operating system and the remote console (disabled by default on a per-host level, but you can add these advanced settings:)
isolation.tools.copy.disable = true
isolation.tools.paste.disable = true
Limiting exposure of sensitive data copied to the Clipboard
Restrict users from running commands within a virtual machine
1. Click Administration and select Roles > click create role > NO Guest Access > select all privileges
2. Deselect All Privileges >Virtual machine > Guest Operations to remove the Guest Operations set of privileges > validate OK.
Prevent a virtual machine user or process from disconnecting devices
Modify guest operating system variable memory limit
Prevent guest operating system process from sending configuration messages to the host
Avoid using Independent Nonpersistent Disks - keep in mind that nonpersistent disks are not affected by snapshots. If you use snapshots, a redo log is created to capture all subsequent writes to that disk. However, if the snapshot is deleted or the virtual machine is powered off, the changes captured in that redo log are discarded for that Independent Nonpersistent VMDK.
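The isolation settings above are advanced parameters stored in the VM's .vmx file, so a defender can check a fleet of VMs offline. The following is an added example (my code, not the guide's or VMware's) that parses a .vmx file and reports which of the hardening settings are missing or set to the wrong value. Only isolation.tools.copy.disable and isolation.tools.paste.disable come from the text; the other keys (isolation.tools.hgfsServerSet.disable, isolation.device.connectable.disable, isolation.tools.setinfo.disable, tools.setInfo.sizeLimit and the *.present device keys) are assumptions taken from VMware's VM hardening guidance as the parameters behind the "disable HGFS", "prevent device disconnect", "configuration messages" and "variable memory limit" items above, and the sample VMX is constructed.

```python
import re

# Added example: audit a .vmx file for the VM isolation settings discussed in
# the text. The VMX content below is constructed, not taken from a real VM.

# Keys expected to be "true". The first two are named in the text; the rest are
# assumed from VMware's hardening guidance for the remaining list items.
EXPECTED_TRUE = {
    "isolation.tools.copy.disable": "copy to the remote console clipboard",
    "isolation.tools.paste.disable": "paste from the remote console clipboard",
    "isolation.tools.hgfsServerSet.disable": "HGFS file transfers",
    "isolation.device.connectable.disable": "device disconnect by a VM user/process",
    "isolation.tools.setinfo.disable": "guest -> host configuration messages",
}
SETINFO_LIMIT_KEY = "tools.setInfo.sizeLimit"
SETINFO_LIMIT_MAX = 1048576        # 1 MiB; assumption: treat anything above as a finding
# Unnecessary virtual hardware the text says to remove (assumed VMX keys).
UNNEEDED_DEVICES = ("floppy0.present", "sound.present", "serial0.present", "parallel0.present")

_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {key: value} for every `key = "value"` line; other lines are ignored.
    A key that appears twice keeps its last value, as ESXi does."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_vmx(text):
    """Return a sorted list of (key, problem) findings; an empty list means compliant."""
    s = parse_vmx(text)
    findings = []
    for key, what in EXPECTED_TRUE.items():
        value = s.get(key)
        if value is None:
            findings.append((key, f"missing: {what} not disabled"))
        elif value.lower() != "true":
            findings.append((key, f'set to "{value}": {what} not disabled'))
    limit = s.get(SETINFO_LIMIT_KEY)
    if limit is None or not limit.isdigit() or int(limit) > SETINFO_LIMIT_MAX:
        findings.append((SETINFO_LIMIT_KEY, "guestinfo variable memory limit absent or above 1 MiB"))
    for key in UNNEEDED_DEVICES:
        if s.get(key, "false").lower() == "true":
            findings.append((key, "unnecessary virtual device still present"))
    return sorted(findings)


# Constructed sample: a VM with only part of the hardening applied.
SAMPLE_VMX = '''
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "false"
isolation.device.connectable.disable = "true"
isolation.tools.setinfo.disable = "true"
tools.setInfo.sizeLimit = "1048576"
floppy0.present = "TRUE"
sound.present = "FALSE"
'''

if __name__ == "__main__":
    for key, problem in audit_vmx(SAMPLE_VMX):
        print(f"{key}: {problem}")
```

For the sample above the audit reports three findings: the floppy drive is still present, HGFS file transfers are explicitly enabled, and the paste setting is absent (which, given the text's note that the default is per-host, means the VM relies on the host rather than on its own configuration). Values are compared case-insensitively because VMX files mix "TRUE" and "true".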
CREATE/MANAGE VCENTER SERVER SECURITY CERTIFICATES
Certificates got easier with vSphere 6 as they can be viewed and renewed within the vSphere Web Client. There are two operating modes:
Root CA - (by default)
Issuer CA – the possibility to integrate a Microsoft Certification Authority. In this case you'll create the CSR (request) > go to the Microsoft certificate server and get the certificate.
The VMware Certificate Authority (VMCA) provisions vCenter Server components and ESXi hosts with certificates that use VMCA as the root certificate authority by default.
The vSphere Certificate Manager utility allows you to perform most certificate management tasks interactively from the command line.
Example. On Windows you must go to this directory:
C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat
Link to the online documentation for using the vSphere Certificate Manager utility.
vSphere Certificate Manager prompts you for the task to perform, for certificate locations and other information as needed, and then stops and starts services and replaces certificates for you.
vCenter Certificate Utilities:
vSphere Certificate Manager utility – certificate replacement tasks from a command line utility.
Certificate management CLIs – dir-cli, certool, and vecs-cli command line utilities.
certool can generate and manage certificates and keys. Part of VMCA.
dir-cli is able to create and update certificates in the VMware Directory Service. Part of VMAFD.
vecs-cli can manage the contents of VMware Certificate Store instances. Part of VMAFD.
vSphere Web Client certificate management – view certificate information in the Web Client
Tools
vSphere Installation and Setup Guide
vSphere Security Guide
What’s New in the VMware vSphere® 6.0 Platform
Security of the VMware vSphere® Hypervisor
vSphere Administration with the vSphere Client Guide
VMware Hardened Virtual Appliance Operations Guide added to Tech Resource Directory
vSphere Client / vSphere Web Client
VCP6-DCV OBJECTIVE 1.3 - ENABLE SSO AND ACTIVE DIRECTORY INTEGRATION
In no particular order I'll start covering VCP6-DCV sections to help out folks studying for the VCP6-DCV VMware certification exam. Due to VMware's recertification policy the VCP exam now has an expiration date. You can renew by passing the delta exam while still holding a current VCP, or by passing a VCAP. The topic today - VCP6-DCV Objective 1.3 - Enable SSO and Active Directory Integration.
For whole exam coverage I created a dedicated VCP6-DCV WordPress page. If you're just looking for some how-tos, news or videos about vSphere 6, check out my vSphere 6 page. vSphere 6 grew quite big compared to the vSphere 5.5 release, but simplified deployment and management. The vSphere Web Client is more present and used in this release, as the legacy C# client does not allow you to configure advanced configuration options and functions like SSO, FT and VSAN.
You'll need certain knowledge that we'll try to cover today:
Configure/Manage Active Directory Authentication
Configure/Manage Platform Services Controller (PSC)
Configure/Manage VMware Certificate Authority (VMCA)
Identify available authentication methods with VMware vCenter
CONFIGURE/MANAGE ACTIVE DIRECTORY AUTHENTICATION
Step 1: Connect to your vCenter Server by entering the IP address you entered during the deployment process:
https://vCenter Server IP/vsphere-client
and by using administrator@vsphere.local as the user name and the password you used during the deployment.
Step 2: Click the Administration button on the left, then go to Single Sign-On > Configuration > Identity Sources > click the "+" sign to add your AD as an identity source. Normally it will populate your local AD automatically, so you just have to click the OK button...
You can also click the globe icon to make the AD the default while you're there... Screenshot showing the identity source where we added our AD - lab.local.
NEXT STEP: PERMISSIONS
You'll need to assign permissions to the users who will administer the vSphere infrastructure. Usually it's the domain admin, but not always... Also keep in mind where you assign those permissions: at the datacenter level, the vCenter level or the cluster level... Usually you'll want to do it at the vCenter level.
Go to Home > vCenter Inventory Lists > vCenter Servers > vCenter.lab.local (in my case) > Click the Manage Tab > Permissions
There you click the "+" sign > Add button > make sure that you select your Microsoft AD in the drop-down to make the domain admin user appear...
Click OK to validate. You can disconnect and reconnect as domain admin now... Note that if your workstation is part of Microsoft AD, you just have to check the box and there's no need to enter your domain user password... -:)
Some of you might wonder why there is this Single Sign-On. vCenter Single Sign-On is an authentication service which allows the different vSphere software components present in the vCloud Suite to communicate with each other via a secure token exchange mechanism.
CONFIGURE/MANAGE PLATFORM SERVICES CONTROLLER (PSC)
The Platform Services Controller (PSC) provides:
Single Sign-On (SSO)
Certificate Authority (VMCA)
You can deploy it at the same time or separately, and you can deploy it as Windows based or appliance based (VCSA). It's important to know that the PSC is completely transparent, working with Windows or VCSA based vCenter!
PSC Deployment Options - Two different installation types are allowed:
Embedded (in the same VM)
External
The embedded PSC is meant to be used for standalone sites where vCenter Server will be the only SSO integrated solution. In this case replication to another PSC is not necessary.
An external PSC shall be deployed in environments where there is more than one SSO enabled solution (vCenter Server, vRealize Automation, etc…) OR where replication to another PSC (another site) is necessary.
Here is the screenshot from the installation process (VCSA) showing the different options; changing the options also changes the different phases of the deployment (on the left).
PSC features:
Manages and generates SSL certificates for your vSphere environment.
Stores and replicates VMware License Keys
Stores and replicates permissions via the Global Permissions layer.
Manages the storage and replication of TAGS and CATEGORIES.
There is built-in automatic replication between different logical SSO sites (if any).
There is only one single default domain for the identity sources.
Embedded Platform Service Controller
All services bundled with the Platform Services Controller are deployed on the same virtual machine or physical server as vCenter Server.
External Platform Service Controller
The services bundled with the Platform Services Controller and vCenter Server are deployed on different virtual machines or physical servers.
Recommended reads:
VMware vSphere Blog - vCenter Server 6 Deployment Topologies and High Availability. VMware KB - Recommended topologies for vSphere 6.0.x (2108548).
Configure/Manage VMware Certificate Authority (VMCA)
When you first install vSphere, the default certificates are deployed with a 10-year life span. The VMCA generates those self-signed certs during the installation process, and provisions each ESXi host with a certificate signed by this root certificate authority. Self-signed certificates from earlier versions of vSphere are automatically replaced by new self-signed certificates issued by VMCA.
There are different ESXi certificate replacement modes:
Default - VMCA is the cert authority and issues certs for your hosts.
Custom - you can override this and issue certs manually via VMCA.
Thumbprint mode - this way you keep the certs from vSphere 5.5.
WHERE TO CHECK THE CERTIFICATES IN WEB CLIENT?
Home -> System Configuration -> Nodes -> Node -> Manage -> Certificate Authority
Note: If you're not a member of the SystemConfiguration.Administrators group then you might want to add yourself there, if of course you're connecting as a domain administrator....
Back to where to check the certificates on vSphere Web Client:
Home > System Configuration > Nodes > Node > Manage > Certificate Authority
ENABLE/DISABLE SINGLE SIGN-ON (SSO) USERS
VMware SSO uses different configuration policies which can be found via the vSphere Web Client only:
Password Policy
Lockout Policy
Token Policy
PASSWORD POLICY
You can configure the following parameters:
Description – Password policy description. Required.
Maximum lifetime – Maximum number of days that a password can exist before it has to be changed.
Restrict re-use – Number of the user’s previous passwords that cannot be set again.
Maximum length – Maximum number of characters that are allowed in the password.
Minimum length – Minimum number of characters required in the password.
Character requirements – Minimum number of different character types required in the password.
Identical adjacent characters – Maximum number of identical adjacent characters allowed in the password.
To get to this screen you must click Administration > Single Sign-On > Configuration.
If you leave the default values and want to log in after 90 days, you might end up with messages saying that:
User Account is locked.
User Account is disabled.
Those SSO policies are pretty much the same as in vSphere 5.5, with the difference that in vSphere 5.5 we also had an administrator password expiry on the vCenter Server Appliance (VCSA). The VCSA 6.0 is pretty much locked down and the GUI we used to manage the VCSA, accessible via port 5480, is no longer available.
Lockout Policy
Specifies the condition under which a vCenter SSO account is locked when the user attempts to log in with incorrect credentials. Five login attempts and three minutes between failures are set by default. This policy also specifies the time that must elapse before the account is automatically unlocked.
Description – Description of the lockout policy. Required.
Max. number of failed login attempts – Maximum number of failed login attempts that are allowed before the account is locked.
Time interval between failures (seconds) – Time period in which failed login attempts must occur to trigger a lockout.
Unlock time (seconds) – Amount of time that the account remains locked. If you enter 0, the account must be explicitly unlocked by an administrator.
To see the lockout policy parameters, click on the Policies tab and select Lockout Policy:
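As an added example (my code, not part of the study guide or of vCenter), the following Python model runs the lockout parameters above over constructed sequences of login attempts, so you can see which patterns of failures actually lock an account and how the unlock time behaves. The five-attempt and three-minute defaults come from the text; the 300 s unlock time, the meaning of unlock time 0 and the sliding-window reading of "time interval between failures" (a failure joins the current streak only if it happens within the interval of the previous failure) are assumptions.

```python
from dataclasses import dataclass

# Added example: a model of the SSO lockout policy, fed constructed attempts.


@dataclass
class LockoutPolicy:
    max_failed_attempts: int = 5     # text: five attempts by default
    failure_interval_s: int = 180    # text: three minutes between failures
    unlock_time_s: int = 300         # assumption; 0 means an admin must unlock


class Account:
    """Failed-login state for one SSO user under a LockoutPolicy.

    Assumption: a failure counts toward the same streak only when it occurs
    within failure_interval_s of the previous failure; otherwise the streak
    starts over at 1."""

    def __init__(self, policy):
        self.policy = policy
        self.streak = 0
        self.last_failure = None
        self.locked_until = None   # None = not locked; inf = admin unlock needed

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def admin_unlock(self):
        self.locked_until, self.streak = None, 0

    def attempt(self, now, password_ok):
        """Return 'success', 'failure' or 'locked' for a login attempt at time now (seconds)."""
        if self.is_locked(now):
            return "locked"
        if self.locked_until is not None:      # unlock time has elapsed
            self.admin_unlock()
        if password_ok:
            self.streak, self.last_failure = 0, None
            return "success"
        in_window = (self.last_failure is not None
                     and now - self.last_failure <= self.policy.failure_interval_s)
        self.streak = self.streak + 1 if in_window else 1
        self.last_failure = now
        if self.streak >= self.policy.max_failed_attempts:
            unlock = self.policy.unlock_time_s
            self.locked_until = float("inf") if unlock == 0 else now + unlock
            return "locked"
        return "failure"


def run(events, policy=None):
    """events: [(time_s, password_ok), ...] in time order; returns one outcome per event."""
    acct = Account(policy or LockoutPolicy())
    return [acct.attempt(t, ok) for t, ok in events]


def burst_scenario():
    # Five wrong passwords within 40 s, then the right password while still
    # locked, then the right password after the 300 s unlock time has elapsed.
    return run([(0, False), (10, False), (20, False), (30, False), (40, False),
                (100, True), (400, True)])


def slow_scenario():
    # The same five wrong passwords 200 s apart: each lies outside the 180 s
    # interval, so the streak never reaches five and nothing is locked.
    return run([(0, False), (200, False), (400, False), (600, False), (800, False)])


def admin_unlock_scenario():
    # Unlock time 0: the account stays locked until an administrator unlocks it.
    acct = Account(LockoutPolicy(max_failed_attempts=3, unlock_time_s=0))
    before = [acct.attempt(t, False) for t in (0, 5, 10)] + [acct.attempt(99999, True)]
    acct.admin_unlock()
    return before + [acct.attempt(100000, True)]


if __name__ == "__main__":
    print("burst:", burst_scenario())
    print("slow:", slow_scenario())
    print("admin unlock:", admin_unlock_scenario())
```

The slow scenario is the one worth noticing from a detection standpoint: a patient attacker who spaces guesses further apart than the failure interval never trips the lockout, so the SSO audit log, not the lockout counter, is what reveals such attempts.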
Token Policy - also interesting, as for example the Clock tolerance specifies the time difference, in milliseconds, that vCenter Single Sign-On tolerates between a client clock and the domain controller clock. If the time difference is greater than the specified value, vCenter Single Sign-On declares the token invalid.
Other configuration options:
Maximum token renewal count – Maximum number of times that a token can be renewed. After the maximum number of renewal attempts, a new security token is required.
Maximum token delegation count – Holder-of-key tokens can be delegated to services in the vSphere environment. A service that uses a delegated token performs the service on behalf of the principal that provided the token. A token request specifies a DelegateTo identity. The DelegateTo value can either be a solution token or a reference to a solution token. This value specifies how many times a single holder-of-key token can be delegated.
Maximum bearer token lifetime – Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user or entity that is sending the request. This value specifies the lifetime value of a bearer token before the token has to be reissued.
Maximum holder-of-key token lifetime – Holder-of-key tokens provide authentication based on security artifacts that are embedded in the token. Holder-of-key tokens can be used for delegation. A client can obtain a holder-of-key token and delegate that token to another entity. The token contains the claims to identify the originator and the delegate. In the vSphere environment, a vCenter Server obtains delegated tokens on a user’s behalf and uses those tokens to perform operations. This value determines the lifetime of a holder-of-key token before the token is marked invalid.
IDENTIFY AVAILABLE AUTHENTICATION METHODS WITH VMWARE VCENTER
We already saw this at the beginning of the post. The possible identity sources can be found via Web Client > Administration > Single Sign-On > Configuration > Identity Sources.
And we can see that there are four of them:
AD integrated (preferred)
Active Directory LDAP
Open LDAP
Local OS
Yes, you can obviously use the Local OS option only if you don't want to interconnect with your AD (for security reasons or isolation purposes).
Check how-tos, news, videos and tutorials at my vSphere 6 page too, or check the Free VMware Tools page. Tools to get the knowledge and further reading:
vSphere Installation and Setup Guide
vSphere Security Guide
What’s New in the VMware vSphere® 6.0 Platform
VMware vCenter Server™ 6.0 Deployment Guide
Direct Console User Interface (DCUI)
vSphere Client / vSphere Web Client
VCP6-DCV OBJECTIVE 2.1 - CONFIGURE ADVANCED POLICIES/FEATURES AND VERIFY NETWORK VIRTUALIZATION IMPLEMENTATION
Today's VCP6-DCV topic, Objective 2.1: Configure Advanced Policies/Features and Verify Network Virtualization Implementation, is the core of virtualization networking. Together with 2 other chapters it covers all of vSphere 6 networking.
You can follow the VCP6-DCV study guide being built through my VCP6-DCV page. When finished, there will be a PDF version with proper formatting for a better reading experience. We're more than half way through right now, and the work continues. Let's kick off with this chapter!
vSphere Knowledge
Identify vSphere Distributed Switch (vDS) capabilities
Create/Delete a vSphere Distributed Switch
Add/Remove ESXi hosts from a vSphere Distributed Switch
Add/Configure/Remove dvPort groups
Add/Remove uplink adapters to dvUplink groups
Configure vSphere Distributed Switch general and dvPort group settings
Create/Configure/Remove virtual adapters
Migrate virtual machines to/from a vSphere Distributed Switch
Configure LACP on Uplink portgroups
Describe vDS Security Polices/Settings
Configure dvPort group blocking policies
Configure load balancing and failover policies
Configure VLAN/PVLAN settings
Configure traffic shaping policies
Enable TCP Segmentation Offload support for a virtual machine
Enable Jumbo Frames support on appropriate components
Determine appropriate VLAN configuration for a vSphere implementation
IDENTIFY VSPHERE DISTRIBUTED SWITCH (VDS) CAPABILITIES
VMware vSphere Distributed Switch (vDS) is now at version 6 and packs in more features than the previous release of vDS. If you're upgrading, you should upgrade the vDS to version 6.0 as well to benefit from the latest features.
The vDS separates the data plane from the management plane. The data plane resides on the ESXi host, while the management plane moves to vCenter Server. The data plane is called the host proxy switch.
NetFlow Support - NetFlow is used for troubleshooting; it picks a configurable number of samples of network traffic for monitoring.
PVLAN Support - PVLANs get more out of VLANs (which are limited in number); you can use PVLANs to further segregate your traffic and increase security. (Note: Enterprise Plus licensing required! Check my detailed post on PVLANs here.)
Ingress and egress traffic shaping - Inbound/outbound traffic shaping, which allows you to throttle bandwidth to the switch.
VM Port Blocking - can block VM ports in case of viruses or for troubleshooting...
Load Based Teaming - LBT is an additional load balancing policy that works off the amount of traffic a queue is sending.
Central Management across cluster - with vDS you create the config once and push it to all attached hosts, so you don't have to go to each host one-by-one...
Per Port Policy Settings - It's possible to override policies at the port level, which gives you more control.
Port State Monitoring - This feature allows each port to be monitored separately from other ports.
LLDP - Adds support for Link Layer Discovery Protocol.
Network IO Control - possibility to set priority on port groups and reserve bandwidth for VMs connected to this port group. Check the detailed chapter on NIOC here: Objective 2.2: Configure Network I/O Control (NIOC)
LACP Support - LACP (Link Aggregation Control Protocol) gives the ability to aggregate links together into a single logical link (your physical switch must support it!)
Backup/Restore Network config - It's possible to backup/restore the network config at the vDS level (Not new! It's been here since 5.1! - save and restore network config...)
Stats stay at the VM level - statistics move with the VM even after vMotion.
CREATE/DELETE A VSPHERE DISTRIBUTED SWITCH
Create a vSphere vDS - Networking Guide on p27. vSphere Web Client > Networking > Right click datacenter > Distributed switch > New Distributed switch
Put a name and then select the version...
Select how many uplinks, specify if you want to enable Network I/O control and rename the default port group (not mandatory)...
ADD/REMOVE ESXI HOSTS FROM A VSPHERE DISTRIBUTED SWITCH
You can add/remove ESXi hosts to/from a vDS to manage their networking (or not) from a central location. The good thing is that you can analyse the impact before breaking connectivity. The impact can be as follows:
No Impact
Important impact
Critical Impact
Next...
ADD/CONFIGURE/REMOVE DVPORT GROUPS
Right click on the vDS > New Distributed Port Group.
ADD/REMOVE UPLINK ADAPTERS TO DVUPLINK GROUPS
Again, right click is your friend... -:)
If you want to add/remove (increase or decrease) number of uplinks you can do so by going to the properties of the vDS.
Right click on the vDS > Edit settings
CONFIGURE VSPHERE DISTRIBUTED SWITCH GENERAL AND DVPORT GROUP SETTINGS
General properties of vDS can be reached via Right click on the vDS > Settings > Edit settings
Port binding properties (at the dvPortGroup level - Right click port group > Edit Settings):
Static binding - Assigns a port to a VM when the virtual machine is connected to the PortGroup.
Dynamic binding - it's kind of deprecated. For best performance use static binding.
Ephemeral – no binding.
Port allocation (with static binding):
Elastic - Increases or decreases on-the-fly... 8 at the beginning (default). Increases by 8 when needed.
Fixed - There are 128 by default.
CREATE/CONFIGURE/REMOVE VIRTUAL ADAPTERS
VMkernel adapters can be added/removed at the Networking level:
vSphere Web Client > Host and Clusters > Select Host > Manage > Networking > VMkernel adapters
Different VMkernel Services, like :
vMotion traffic
Provisioning traffic
Fault Tolerance (FT) traffic
Management traffic
vSphere Replication traffic
vSphere Replication NFC traffic
VSAN traffic
MIGRATE VIRTUAL MACHINES TO/FROM A VSPHERE DISTRIBUTED SWITCH
Migrate VMs to vDS. Right click vDS > Migrate VM to another network
Make sure that you previously created a distributed port group with the same VLAN that the current VM is running... (in my case the VMs run at VLAN 7)
Pick a VM...
Done!
CONFIGURE LACP ON UPLINK PORTGROUPS
LACP can be found in the Networking guide on p.65.
vSphere Web Client > Networking > vDS > Manage > Settings > LACP
LAG Mode can be:
Passive - where the LAG ports respond to LACP packets they receive but do not initiate LACP negotiations.
Active - where LAG ports are in active mode and they initiate negotiations with LACP Port Channel.
LAG load balancing mode (LNB mode):
Source and destination IP address, TCP/UDP port and VLAN
Source and destination IP address and VLAN
Source and destination MAC address
Source and destination TCP/UDP port
Source port ID
VLAN
Note that you must configure the LNB hashing the same way on both the virtual and the physical switch, at the LACP port channel level.
DESCRIBE VDS SECURITY POLICES/SETTINGS
Note that these security policies exist on standard switches too. There are 3 different network security policies:
Promiscuous mode – Reject by default. If you set it to Accept, the guest OS will receive all traffic observed on the connected vSwitch or PortGroup.
MAC address changes – Reject by default. If you set it to Accept, the host accepts requests to change the effective MAC address to a different address than the initial MAC address.
Forged transmits – Reject by default. If you set it to Accept, the host does not compare the source and effective MAC addresses transmitted from a virtual machine.
Network security policies can be set on each vDS PortGroup.
CONFIGURE DVPORT GROUP BLOCKING POLICIES
Port blocking can be enabled on a port group to block all ports on the port group
or you can configure the vDS or uplink to be blocked at the vDS level...
vSphere Web Client > Networking > vDS > Manage > Ports
CONFIGURE LOAD BALANCING AND FAILOVER POLICIES
Load balancing algorithms can be found in the Networking Guide on p. 91.
vDS load balancing (LNB):
Route based on IP hash - The virtual switch selects uplinks for virtual machines based on the source and destination IP address of each packet.
Route based on source MAC hash - The virtual switch selects an uplink for a virtual machine based on the virtual machine MAC address. To calculate an uplink for a virtual machine, the virtual switch uses the virtual machine MAC address and the number of uplinks in the NIC team.
Route based on originating virtual port - Each virtual machine running on an ESXi host has an associated virtual port ID on the virtual switch. To calculate an uplink for a virtual machine, the virtual switch uses the virtual machine port ID and the number of uplinks in the NIC team. After the virtual switch selects an uplink for a virtual machine, it always forwards traffic through the same uplink for this virtual machine as long as the machine runs on the same port. The virtual switch calculates uplinks for virtual machines only once, unless uplinks are added or removed from the NIC team.
Use explicit failover order - No actual load balancing is available with this policy. The virtual switch always uses the uplink that stands first in the list of Active adapters from the failover order and that passes failover detection criteria. If no uplinks in the Active list are available, the virtual switch uses the uplinks from the Standby list.
Route based on physical NIC load (Only available on vDS) - based on Route Based on Originating Virtual Port, where the virtual switch checks the actual load of the uplinks and takes steps to reduce it on overloaded uplinks. Available only for vSphere Distributed Switch. The distributed switch calculates uplinks for virtual machines by taking their port ID and the number of uplinks in the NIC team. The distributed switch tests the uplinks every 30 seconds, and if their load exceeds 75 percent of usage, the port ID of the virtual machine with the highest I/O is moved to a different uplink.
Virtual switch failover order:
Active uplinks
Standby uplinks
CONFIGURE VLAN/PVLAN SETTINGS
Private VLANs allow further segmentation and the creation of private groups inside each VLAN. By using private VLANs (PVLANs) you split the broadcast domain into multiple isolated broadcast “subdomains”.
Private VLANs need to be configured at the physical switch level (the switch must support PVLANs) and also on the VMware vSphere Distributed Switch (Enterprise Plus is required). It's more expensive and takes a bit more work to set up.
THERE ARE DIFFERENT TYPES OF PVLANS:
PRIMARY
Promiscuous Primary VLAN – Imagine this VLAN as a kind of a router. All packets from the secondary VLANs go through this VLAN. Packets also go downstream, so this type of VLAN is used to forward packets downstream to all Secondary VLANs.
SECONDARY
Isolated (Secondary) – VMs can communicate with other devices on the Promiscuous VLAN but not with other VMs on the Isolated VLAN.
Community (Secondary) – VMs can communicate with other VMs on the Promiscuous VLAN and also with those on the same Community VLAN.
The graphic shows it all…
CONFIGURE TRAFFIC SHAPING POLICIES
Networking Guide p.105
The traffic shaping policy is applied to each port in the port group. You can enable or disable shaping of ingress or egress traffic.
Average bandwidth in kbits (Kb) per second - Establishes the number of bits per second to allow across a port, averaged over time. This number is the allowed average load.
Peak bandwidth in kbits (Kb) per second - Maximum number of bits per second to allow across a port when it is sending or receiving a burst of traffic. This number limits the bandwidth that a port uses when it is using its burst bonus.
Burst size in kbytes (KB) per second - Maximum number of bytes to allow in a burst. If set, a port might gain a burst bonus if it does not use all its allocated bandwidth. When the port needs more bandwidth than specified by the average bandwidth, it might be allowed to temporarily transmit data at a higher speed if a burst bonus is available.
ENABLE TCP SEGMENTATION OFFLOAD SUPPORT FOR A VIRTUAL MACHINE
Use TCP Segmentation Offload (TSO) in VMkernel network adapters and virtual machines to improve the network performance in workloads that have severe latency requirements.
When TSO is enabled, the network adapter divides larger data chunks into TCP segments instead of the CPU. The VMkernel and the guest operating system can use more CPU cycles to run applications.
By default, TSO is enabled in the VMkernel of the ESXi host, and in the VMXNET 2 and VMXNET 3 virtual machine adapters.
ENABLE JUMBO FRAMES SUPPORT ON APPROPRIATE COMPONENTS
There are many places where you can enable Jumbo Frames, and you should enable them end-to-end. If not, performance will not increase, but rather the opposite. Jumbo Frames can be enabled on a vSwitch, vDS, and VMkernel Adapter.
Jumbo frames maximum value = 9000.
DETERMINE APPROPRIATE VLAN CONFIGURATION FOR A VSPHERE IMPLEMENTATION
There are three main places or three different ways to tag frames in vSphere.
External Switch Tagging (EST) - VLAN ID is set to None or 0 and it is the physical switch that does the VLAN tagging.
Virtual Switch Tagging (VST) - VLAN set between 1 and 4094 and the virtual switch does the VLAN tagging.
Virtual Guest Tagging (VGT) - the tagging happens in the guest OS. VLAN set to 4095 (vSwitch) or VLAN trunking on vDS.
The best way to understand this is, I guess, this document from VMware called Best Practices for Virtual Networking, from which I also "borrowed" this screenshot...
Networking is a big chapter. If I missed something, just comment or email me your suggestion. Thanks...
vSphere documentation tools
vSphere Installation and Setup Guide
vSphere Networking Guide
What’s New in the VMware vSphere® 6.0 Platform
VDS Network Health Check
vSphere Client / vSphere Web Client
VCP6-DCV OBJECTIVE 2.2 - CONFIGURE NETWORK I/O CONTROL (NIOC)
VCP6-DCV Study time... In no particular order I start covering the VCP6-DCV sections of the VMware blueprint to help out folks learning towards the VCP6-DCV VMware certification exam. Due to the VMware recertification policy the VCP exam now has an expiration date. You can renew by passing the delta exam while still holding a current VCP, or by passing a VCAP. If you're new to virtualization and do not have any VMware certification, the VCP is the exam to have. Today's topic? VCP6-DCV Objective 2.2 - Configure Network I/O Control (NIOC).
For whole exam coverage I created a dedicated VCP6-DCV page. If you just want to look at some how-tos, news, and videos about vSphere 6, check out my vSphere 6 page. vSphere 6 grew quite big compared to the vSphere 5.5 release, but simplified deployment and management. "White boxing" got more complicated, as drivers for unsupported hardware do not always work. The vSphere Web Client is more present and used in this release, as the legacy C# client does not allow configuring advanced options and functions like SSO, FT, and VSAN. Let's get started.
vSphere Knowledge
Identify Network I/O Control requirements
Identify Network I/O Control capabilities
Enable/Disable Network I/O Control
Monitor Network I/O Control
IDENTIFY NETWORK I/O CONTROL REQUIREMENTS
What is Network I/O Control? It's a mechanism which allows you to prioritize certain data flows on a distributed switch over others. It allows you to allocate more network bandwidth to business-critical applications/VMs where those have to "fight" for bandwidth (similar to SIOC for storage).
THE REQUIREMENTS:
Licensing - Enterprise + license required because it uses vSphere Distributed Switch.
VDS Only - the Network I/O control can be enabled only on VDS
Network I/O control v3 possible only on VDS 6.0
SR-IOV is not available for virtual machines configured to use Network I/O Control version 3.
IDENTIFY NETWORK I/O CONTROL CAPABILITIES
When enabled, NIOC divides the traffic into resource pools. Bandwidth reservations can be used to isolate network resources for a class of traffic; for example, in a VSAN cluster you'd want to reserve part of the bandwidth only for VSAN traffic, no matter what happens to the other traffic.
ENABLE/DISABLE NETWORK I/O CONTROL
Where to enable? In vSphere 6, when creating a new VDS it gets enabled by default.
vSphere Web Client > Networking > vDS > Manage > Resource Allocation > System traffic
Note: If you have a previous version of vSphere and you upgraded, then you might see the previous version of NIOC (version 2), in which case there is no "System traffic" menu. Make sure that you upgrade your VDS to v6.0.
So in our case we can see the System traffic menu... The traffic types are all set to 50 shares except the VM traffic. No reservations or limits are set by default.
Management traffic
VM traffic
NFS traffic
Virtual SAN traffic
iSCSI
vMotion
vSphere Replication (VR)
Fault tolerance (FT)
vSphere Data protection (VDP) backup traffic
Shares and reservations at their default state. No limits or Reservations.
BANDWIDTH ALLOCATION FOR VIRTUAL MACHINE TRAFFIC
Version 3 of Network I/O Control lets you configure bandwidth requirements for individual virtual machines. You can also use network resource pools where you can assign a bandwidth quota from the aggregated reservation for the virtual machine traffic and then allocate bandwidth from the pool to individual virtual machines.
Individual VMs can be configured according to bandwidth requirements through VM options at the network level...
Shares - The relative priority, from 1 to 100, of the traffic through this VM network adapter against the capacity of the physical adapter that is carrying the VM traffic to the network.
Reservation - The minimum bandwidth, in Mbps, that the VM network adapter must receive on the physical adapter.
Limit - The maximum bandwidth on the VM network adapter for traffic to other virtual machines on the same or on another host.
Enable/Disable Network I/O Control - at the vDS level..
To enable bandwidth allocation for virtual machines by using Network I/O Control, configure the virtual machine system traffic. The bandwidth reservation for virtual machine traffic is also used in admission control. When you power on a virtual machine, admission control verifies that enough bandwidth is available.
Check the following requirements:
vSphere Distributed Switch is version 6.0.0 and later.
Network I/O Control on the switch is version 3.
Network I/O Control is enabled.
Network Resource Pools - You can create new network resource pools to reserve part of the aggregated bandwidth for VM system traffic on all the physical adapters connected to the VDS.
For example, if the virtual machine system traffic has 0.5 Gbps reserved on each 10 GbE uplink on a distributed switch that has 10 uplinks, then the total aggregated bandwidth available for VM reservation on this switch is 5 Gbps. Each network resource pool can reserve a quota of this 5 Gbps capacity.
Example from vSphere Networking Guide p.167
Create a network resource pool: Distributed switch > Manage > Resource allocation > Network resource pools > Add
Once you create a network resource pool you can add a distributed port group to it, so you can allocate bandwidth to the VMs that are connected to that port group.
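The arithmetic behind the aggregated reservation, the resource pool quotas and the power-on admission check described above, worked through in Python as an added example (it is not code from the study guide or from VMware, and it runs without a vCenter). It reuses the guide's figures of 10 uplinks at 10 GbE with 0.5 Gbps reserved per uplink; the pool names, VM names and share values are constructed, and the shares function is a simplified model that distributes one congested uplink by shares alone, ignoring reservations and limits:

```python
"""Network I/O Control v3 bandwidth arithmetic: aggregated VM reservation,
network resource pool quotas, VM admission control and shares.

Added example, not from the study guide. Pool names, VM names and share
values are constructed; the 10 x 10 GbE / 0.5 Gbps figures are the guide's.
"""
from dataclasses import dataclass, field


@dataclass
class DistributedSwitch:
    uplinks: int
    uplink_speed_mbps: int
    vm_traffic_reservation_mbps: int = 0     # per-uplink reservation for VM system traffic
    pools: dict = field(default_factory=dict)            # pool -> quota (Mbps)
    vm_reservations: dict = field(default_factory=dict)  # pool -> {vm: Mbps}

    def aggregate_vm_reservation(self):
        """The per-uplink reservation adds up across all uplinks of the switch."""
        return self.uplinks * self.vm_traffic_reservation_mbps

    def add_pool(self, name, quota_mbps):
        """A pool takes a quota of the aggregate; quotas may not oversubscribe it."""
        committed = sum(self.pools.values())
        if committed + quota_mbps > self.aggregate_vm_reservation():
            raise ValueError(
                f"pool {name}: {committed + quota_mbps} Mbps exceeds the aggregate "
                f"of {self.aggregate_vm_reservation()} Mbps")
        self.pools[name] = quota_mbps
        self.vm_reservations[name] = {}

    def power_on(self, pool, vm, reservation_mbps):
        """Admission control at power-on: the VM's reservation must fit in the
        pool alongside the reservations of the VMs already running there."""
        committed = sum(self.vm_reservations[pool].values())
        if committed + reservation_mbps > self.pools[pool]:
            return False
        self.vm_reservations[pool][vm] = reservation_mbps
        return True


def shares_split(link_mbps, shares):
    """Bandwidth each active traffic type gets on one congested uplink when
    only shares apply (simplified: no reservations or limits in play)."""
    total = sum(shares.values())
    return {kind: link_mbps * s // total for kind, s in shares.items()}


def guide_example():
    """The guide's switch: 10 uplinks, 10 GbE each, 0.5 Gbps reserved per uplink
    for VM system traffic, giving 5 Gbps of aggregate VM reservation."""
    ds = DistributedSwitch(uplinks=10, uplink_speed_mbps=10000,
                           vm_traffic_reservation_mbps=500)
    ds.add_pool("prod", 3000)   # constructed pools taking quotas of the 5 Gbps
    ds.add_pool("test", 1500)
    return ds


if __name__ == "__main__":
    ds = guide_example()
    print("aggregate VM reservation:", ds.aggregate_vm_reservation(), "Mbps")
    for vm, res in (("vm1", 1000), ("vm2", 1000), ("vm3", 1500)):
        print(vm, "power on admitted:", ds.power_on("prod", vm, res))
    # constructed share values: 50 for system traffic types, 100 for VM traffic
    print(shares_split(10000, {"Management": 50, "vMotion": 50, "Virtual machine": 100}))
```

Running it shows the third VM being refused at power-on because 1000 + 1000 + 1500 Mbps exceeds the 3000 Mbps quota of its pool, which is the admission control the text refers to.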
MONITOR NETWORK I/O CONTROL
You can check and monitor Network I/O Control through vSphere web client. Networking > vDS > Manage > Resource Allocation
Network I/O Control Status (state is Enabled/Disabled)
NIOC Version
Physical network adapters details
Available bandwidth capacity
Total bandwidth capacity
Maximum reservation allowed
Configured reservation
Minimum link speed
Documentation and Tools
vSphere Installation and Setup Guide
vSphere Networking Guide
What’s New in the VMware vSphere® 6.0 Platform
Performance Evaluation of Network I/O Control in VMware vSphere 6
vSphere Client / vSphere Web Client
VCP6-DCV OBJECTIVE 2.3 – CONFIGURE VSS AND VDS POLICIES
The VCP6-DCV Study Guide continues today by covering VCP6-DCV Objective 2.3 - Configure vSS and vDS Policies. vSphere networking is one of the tough parts to know, and this is where many IT admins have difficulties. This chapter works hand in hand with VCP6-DCV Objective 2.1 – Configure Advanced Policies/Features and Verify Network Virtualization Implementation.
You can also check the vSphere 6 page where you'll find many how-to, videos, and tutorials about vSphere 6. Let's get back to our today's objective.
vSphere Knowledge
Identify common vSS and vDS policies
Describe vDS Security Polices/Settings
Configure dvPort group blocking policies
Configure load balancing and failover policies
Configure VLAN/PVLAN settings
Configure traffic shaping policies
Enable TCP Segmentation Offload support for a virtual machine
Enable Jumbo Frames support on appropriate components
Determine appropriate VLAN configuration for a vSphere implementation
IDENTIFY COMMON VSS AND VDS POLICIES
Since vSphere 4 we have had vSphere distributed switches. But let's start with virtual standard switches first. The virtual standard switches (vSS) can have following policies and settings:
Traffic shaping (outbound only)
VLANs (none, VLAN ID, All) - configured at the port group level
MTU
Teaming and failover
If you set the VLAN policy to 4095 (All), it allows you to pass all VLANs, and the tagging is done at the Guest OS level.
vSphere distributed switches (vDS) policies and settings:
Traffic filtering and marking
MTU
VLANs (none, VLAN ID, VLAN trunking, PVLANs)
Monitoring (netflow)
Security
Traffic Shaping - inbound and outbound (ingress / egress)
LACP
Port mirroring
Health check for VLAN and MTU, teaming and failover - allows you to check the status of the overall config.
And teaming and failover, like on vSS switches.
DESCRIBE VDS SECURITY POLICES/SETTINGS
There are three network security policies on a vDS: promiscuous mode, MAC address changes and forged transmits.
Promiscuous Mode - The default setting is Reject for both (VSS and VDS). If you change it to Accept, then the guest OS can receive all traffic which passes through the vSwitch or port group.
MAC address changes - The default setting is Reject for VDS but Accept on VSS. If set to Accept, then the host accepts requests to change the effective MAC address to a different one than the original.
Forged transmits - The default setting is Reject for VDS but Accept on VSS. If set to Accept, the host does not compare the source and effective MAC addresses transmitted from a VM.
Each setting can be set to Accept or Reject, at the virtual switch level or at the port group level. It's obviously more granular at the port group level.
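As an added example that is not part of the study guide, here is a small audit in plain Python (no PowerCLI or pyVmomi, so it runs offline) of the three security settings described here and in Objective 2.1: it compares each port group against a Reject-everywhere baseline, notes whether an Accept is merely the platform default for that switch type or was relaxed explicitly, and separates documented exceptions from undocumented ones. The port group names and the exception text are constructed; in practice the inventory would come from a vCenter export.

```python
"""Audit virtual switch security policies against a hardened baseline.

Added example, not from the study guide: the port group records below are
constructed, not exported from a real vCenter.
"""
from dataclasses import dataclass

REJECT, ACCEPT = "Reject", "Accept"

# Platform defaults as described in the text: a vDS rejects all three
# settings, a standard switch rejects promiscuous mode but accepts the others.
DEFAULTS = {
    "vDS": {"promiscuous": REJECT, "mac_changes": REJECT, "forged_transmits": REJECT},
    "vSS": {"promiscuous": REJECT, "mac_changes": ACCEPT, "forged_transmits": ACCEPT},
}

# Hardened baseline: Reject everywhere unless a documented exception exists.
BASELINE = {"promiscuous": REJECT, "mac_changes": REJECT, "forged_transmits": REJECT}

RISK = {
    "promiscuous": "guest can observe all traffic on the port group",
    "mac_changes": "guest can change its effective MAC address",
    "forged_transmits": "guest can send frames whose source MAC is not its own",
}


@dataclass
class PortGroupPolicy:
    name: str
    switch_type: str          # "vDS" or "vSS"
    promiscuous: str
    mac_changes: str
    forged_transmits: str
    exception: str = ""       # documented reason for an Accept, if any


def audit(portgroups):
    """Return one finding per setting that deviates from BASELINE.

    Each finding records whether the value is simply the platform default
    (nobody changed it) or was explicitly relaxed by an administrator, and
    whether a documented exception covers it.
    """
    findings = []
    for pg in portgroups:
        for setting, wanted in BASELINE.items():
            actual = getattr(pg, setting)
            if actual == wanted:
                continue
            findings.append({
                "portgroup": pg.name,
                "switch_type": pg.switch_type,
                "setting": setting,
                "value": actual,
                "is_platform_default": DEFAULTS[pg.switch_type][setting] == actual,
                "documented_exception": bool(pg.exception),
                "risk": RISK[setting],
            })
    return findings


def undocumented(findings):
    """Findings with no documented exception: these need an owner or a fix."""
    return [f for f in findings if not f["documented_exception"]]


# Constructed sample inventory (hypothetical port group names and ticket).
SAMPLE = [
    PortGroupPolicy("dvPG-Prod-VLAN7", "vDS", REJECT, REJECT, REJECT),
    PortGroupPolicy("dvPG-NestedLab", "vDS", ACCEPT, ACCEPT, ACCEPT,
                    exception="nested ESXi lab, change ticket CHG-PLACEHOLDER"),
    PortGroupPolicy("vSS-Management", "vSS", REJECT, ACCEPT, ACCEPT),
    PortGroupPolicy("dvPG-DMZ", "vDS", ACCEPT, REJECT, REJECT),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        origin = "default" if f["is_platform_default"] else "relaxed"
        doc = "documented" if f["documented_exception"] else "UNDOCUMENTED"
        print(f"{f['portgroup']:<18} {f['setting']:<17} {f['value']:<7} "
              f"{origin:<8} {doc}: {f['risk']}")
```

The distinction between "default" and "relaxed" matters when you read the report: an Accept on a standard switch is what you get out of the box, while an Accept on a distributed port group means somebody changed it, so it deserves a change record or a revert.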
CONFIGURE DVPORT GROUP BLOCKING POLICIES
Ports can be blocked to prohibit them from sending or receiving data. Only available for distributed switches.
The port blocking policy is done at the portgroup level. vSphere web client > Networking > Right click a portgroup > Edit settings.
You can also block individual distributed switch or uplink port. It can be done by selecting the VDS > Manage > Ports > Select Port > Edit > check the box and select Yes.
CONFIGURE LOAD BALANCING AND FAILOVER POLICIES
vSphere Networking Guide on p. 93
You can configure various load balancing algorithms on a virtual switch to determine how network traffic is distributed between the physical NICs in a team.
Route Based on Originating Virtual Port - The virtual switch selects uplinks based on the virtual machine port IDs on the vSphere Standard Switch or vSphere Distributed Switch.
Route Based on Source MAC Hash - The virtual switch selects an uplink for a virtual machine based on the virtual machine MAC address. To calculate an uplink for a virtual machine, the virtual switch uses the virtual machine MAC address and the number of uplinks in the NIC team.
Route Based on IP Hash - The virtual switch selects uplinks for virtual machines based on the source and destination IP address of each packet
Route Based on Physical NIC Load - Route Based on Physical NIC Load is based on Route Based on Originating Virtual Port, where the virtual switch checks the actual load of the uplinks and takes steps to reduce it on overloaded uplinks.
And for VDS there is another one called Use Explicit Failover Order.
Use Explicit Failover Order - No actual load balancing is available with this policy. The virtual switch always uses the uplink that stands first in the list of Active adapters from the failover order and that passes failover detection criteria. If no uplinks in the Active list are available, the virtual switch uses the uplinks from the Standby list.
NETWORK FAILOVER DETECTION OPTIONS:
Link Status only - checks link availability. Is the adapter physically up or down? Depending on the result it can possibly detect physical switch failures.
Beacon Probing - Sends out and listens for beacon probes on all NICs in the team. Can be used together with link status to get better results when determining whether there is a link failure. Beacon probing should not be used with the IP hash load balancing policy or on vSwitches which have fewer than 3 uplinks. Unused NICs do not participate in beacon probing. Active/active or active/standby only.
FAILOVER ORDER:
It can be specified at the vSwitch level or at the port group level, where you basically override the vSwitch-level policy (VSS). If there is a failover, then standby NICs become active in the order in which they're specified/listed. You must also define whether, during failback, the physical adapter is returned to the active state (and check that it actually is!).
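A Python simulation of the uplink selection and failover behaviour described in this section (and in the matching list in Objective 2.1), added here as an example and not code from the study guide or from VMware: the hash functions are a simplified stand-in for the VMkernel's, the vmnic names, port IDs, MAC and IP addresses are constructed, and `rebalance()` performs one of the 30-second checks of the physical NIC load policy with its 75 percent threshold.

```python
"""NIC team uplink selection, failover order and load-based rebalancing.

Added example, not from the study guide. The hashes are a simplified
stand-in for the VMkernel's; uplink names, port IDs and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Uplink:
    name: str
    link_up: bool = True      # what link-status failover detection sees


@dataclass
class Team:
    active: list                              # ordered failover list
    standby: list = field(default_factory=list)

    def usable(self):
        """Uplinks that pass link-status detection. Standby uplinks are used
        only when no Active uplink is available."""
        ups = [u for u in self.active if u.link_up]
        return ups or [u for u in self.standby if u.link_up]


def _ip(text):
    return int(ipaddress.ip_address(text))


def select_uplink(team, policy, *, port_id=None, src_mac=None, src_ip=None, dst_ip=None):
    """Pick the uplink a frame leaves on. Returns None when the whole team is down."""
    ups = team.usable()
    if not ups:
        return None
    if policy == "explicit_failover":
        return ups[0]                         # first healthy uplink in failover order
    if policy == "virtual_port":
        key = port_id                         # stable per virtual port
    elif policy == "src_mac":
        key = int(src_mac.replace(":", ""), 16)
    elif policy == "ip_hash":
        key = _ip(src_ip) ^ _ip(dst_ip)       # per flow; needs a port channel upstream
    else:
        raise ValueError(f"unknown policy {policy}")
    return ups[key % len(ups)]


def rebalance(team, capacity_mbps, assignments, threshold_pct=75):
    """Route based on physical NIC load, one 30-second check.

    assignments: {port_id: (uplink_name, io_mbps)}. If an uplink exceeds
    threshold_pct of its capacity, the port with the highest I/O on it is
    moved to the least-loaded usable uplink. Returns the new assignments.
    """
    names = [u.name for u in team.usable()]
    new = dict(assignments)

    def load(name):
        return sum(io for up, io in new.values() if up == name)

    for name in names:
        if load(name) * 100 / capacity_mbps <= threshold_pct:
            continue
        busiest = max((p for p, (up, _) in new.items() if up == name),
                      key=lambda p: new[p][1])
        others = [n for n in names if n != name]
        if not others:
            break                             # nowhere to move the port
        target = min(others, key=load)
        new[busiest] = (target, new[busiest][1])
    return new


def lab_team():
    """Constructed team: two active uplinks and one standby."""
    return Team(active=[Uplink("vmnic0"), Uplink("vmnic1")], standby=[Uplink("vmnic2")])


if __name__ == "__main__":
    team = lab_team()
    print("virtual port 5 ->", select_uplink(team, "virtual_port", port_id=5).name)
    team.active[0].link_up = False
    print("explicit failover with vmnic0 down ->", select_uplink(team, "explicit_failover").name)
    team = lab_team()
    before = {1: ("vmnic0", 5000), 2: ("vmnic0", 3000), 3: ("vmnic1", 1000)}
    print("after rebalance:", rebalance(team, 10000, before))
```

In the rebalance call vmnic0 carries 8000 of 10000 Mbps (80 percent, above the 75 percent threshold), so the busiest port on it (port 1 at 5000 Mbps) is moved to vmnic1, leaving the two uplinks at 30 and 60 percent.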
CONFIGURE VLAN/PVLAN SETTINGS
VLAN types:
None - no tags. Physical switch ports are configured as access ports, or the VLAN is configured as the native VLAN on a trunk port.
VLAN - in this case, the VLAN ID tagging is done at the virtual switch level.
VLAN Trunking - VLANs are tagged at the guest OS level.
PVLAN - private VLANs.
Note: It's the same in the vSphere Web Client. You'll be doing it at the vDS level, so select and right click the vDS > Edit Settings > Private VLAN tab. Once there you can add some PVLANs. Notice that the Secondary Promiscuous VLAN was created automatically when you created the Primary private VLAN.
So in my example above I created Primary Private VLAN 500, which automatically created secondary PVLAN 500. Then I could only create an Isolated Secondary VLAN 501 and a Community VLAN 502.
Now we have those PVLANs created, which gives us the possibility to use them for new or existing port groups. In the example below I'm creating a new port group with some name, and after selecting PVLAN a new drop-down menu appears which gives the option to choose an entry between Isolated or Community.
THERE ARE DIFFERENT TYPES OF PVLANS:
PRIMARY
Promiscuous Primary VLAN – Imagine this VLAN as a kind of a router. All packets from the secondary VLANs go through this VLAN. Packets also go downstream, so this type of VLAN is used to forward packets downstream to all Secondary VLANs.
SECONDARY
Isolated (Secondary) – VMs can communicate with other devices on the Promiscuous VLAN but not with other VMs on the Isolated VLAN.
Community (Secondary) – VMs can communicate with other VMs on the Promiscuous VLAN and also with those on the same Community VLAN.
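The isolated/community/promiscuous rules above (the same list appears in Objective 2.1) as a reachability model in Python, added here and not part of the study guide: it uses the lab's IDs (primary 500, isolated 501, community 502) plus a constructed second community 503 to show that different communities stay apart, and lists which VMs in a constructed placement can reach each other, which is the list you would compare against the intended segmentation.

```python
"""Private VLAN reachability model.

Added example, not from the study guide. VLAN IDs 500/501/502 follow the lab
above; community 503 and the VM placements are constructed.
"""
from itertools import combinations

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


class PrivateVlan:
    def __init__(self, primary_id):
        self.primary = primary_id
        # Creating the primary PVLAN automatically creates the promiscuous
        # secondary with the same ID, as the Web Client does.
        self.secondaries = {primary_id: PROMISCUOUS}

    def add_secondary(self, vlan_id, kind):
        if kind not in (ISOLATED, COMMUNITY):
            raise ValueError(f"secondary must be isolated or community, got {kind}")
        if vlan_id in self.secondaries:
            raise ValueError(f"VLAN {vlan_id} is already used in PVLAN {self.primary}")
        self.secondaries[vlan_id] = kind

    def can_reach(self, src_vlan, dst_vlan):
        """True if a port on src_vlan may exchange frames with a port on dst_vlan."""
        src, dst = self.secondaries[src_vlan], self.secondaries[dst_vlan]
        if PROMISCUOUS in (src, dst):
            return True                  # promiscuous ports talk to everything
        if ISOLATED in (src, dst):
            return False                 # isolated ports talk only to promiscuous
        return src_vlan == dst_vlan      # community: only inside the same community


def vm_pairs_that_can_talk(pvlan, placements):
    """placements: {vm_name: secondary_vlan_id}. Returns the VM pairs that can
    reach each other, sorted, for comparison against the intended design."""
    pairs = []
    for (a, vlan_a), (b, vlan_b) in combinations(sorted(placements.items()), 2):
        if pvlan.can_reach(vlan_a, vlan_b):
            pairs.append((a, b))
    return pairs


def build_lab_pvlan():
    pv = PrivateVlan(500)
    pv.add_secondary(501, ISOLATED)
    pv.add_secondary(502, COMMUNITY)
    pv.add_secondary(503, COMMUNITY)     # constructed second community
    return pv


# Constructed placement: two isolated web VMs, two app VMs in one community,
# a gateway on the promiscuous VLAN.
PLACEMENTS = {"web1": 501, "web2": 501, "app1": 502, "app2": 502, "gw": 500}

if __name__ == "__main__":
    pv = build_lab_pvlan()
    for a, b in vm_pairs_that_can_talk(pv, PLACEMENTS):
        print(f"{a} <-> {b}")
```

The output shows web1 and web2 each reaching only the gateway, while app1 and app2 reach each other and the gateway; if a pair shows up that the design says must not talk, the PVLAN assignment (or a port group placed on the wrong secondary) is the thing to check.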
CONFIGURE TRAFFIC SHAPING POLICIES
On vDS there are Ingress and Egress traffic shaping policies.
Average bandwidth in kbits (Kb) per second - Bits per second to allow across a port, averaged over time.
Peak bandwidth in kbits (Kb) per second - Maximum number of bits per second to allow across a port when it is sending or receiving a burst of traffic.
Burst size in kbytes (KB) per second - Maximum number of bytes to allow in a burst.
At the port group level (both Web Client and vSphere Client): Home > Networking > right click the port group > Traffic shaping.
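A token-bucket model of how average bandwidth, peak bandwidth and burst size interact, added as a Python example (not from the study guide or from VMware; the VMkernel's shaper is not specified in this detail, so this is an interpretation that matches the definitions given here and in Objective 2.1): the unused part of the average allowance is banked up to the burst size and can be spent later, while the peak caps any single interval. The demand profile is constructed, in one-second intervals.

```python
"""Token-bucket model of vSphere traffic shaping (average, peak, burst).

Added example, not from the study guide: a simplified interpretation of the
three parameters, in one-second intervals, with a constructed demand profile.
"""


def shape(avg_kbps, peak_kbps, burst_kb, demand_kbps, enabled=True):
    """Return the kbit actually allowed through the port in each 1 s interval.

    avg_kbps    average bandwidth (kbit/s): the sustained allowance per second
    peak_kbps   peak bandwidth (kbit/s): hard cap in any interval, burst or not
    burst_kb    burst size (KB): the most burst bonus a port can save up
    demand_kbps what the port tries to send in each second (kbit)
    """
    if not enabled:
        return list(demand_kbps)              # policy disabled: no shaping at all
    if peak_kbps < avg_kbps:
        raise ValueError("peak bandwidth must not be below average bandwidth")
    credit_cap = burst_kb * 8                 # KB -> kbit, the size of the bucket
    credit = 0                                # unused allowance banked so far
    sent = []
    for demand in demand_kbps:
        allowed = min(demand, avg_kbps + credit, peak_kbps)
        if allowed < avg_kbps:
            # under-using the average: bank the difference, up to the burst size
            credit = min(credit_cap, credit + (avg_kbps - allowed))
        else:
            # bursting: spend banked credit on everything above the average
            credit -= allowed - avg_kbps
        sent.append(allowed)
    return sent


def excess(demand_kbps, sent):
    """Total kbit the shaper had to drop or queue over the whole profile."""
    return sum(d - s for d, s in zip(demand_kbps, sent))


# Constructed profile: three quiet seconds (2 Mbit/s), then 30 Mbit/s for three seconds.
DEMAND = [2000, 2000, 2000, 30000, 30000, 30000]

if __name__ == "__main__":
    # avg 10 Mbit/s, peak 50 Mbit/s, burst 1024 KB: banked credit lifts second 4 above the average
    print(shape(10000, 50000, 1024, DEMAND))
    # same, but peak 15 Mbit/s: the peak caps the burst and the credit is spent over two seconds
    print(shape(10000, 15000, 1024, DEMAND))
    # burst size 0: never above the average
    print(shape(10000, 50000, 0, DEMAND))
```

The three runs make the roles of the parameters visible: the burst size decides how much the port may exceed the average and for how long, and the peak decides how fast it may do so in any one second.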
ENABLE TCP SEGMENTATION OFFLOAD SUPPORT FOR A VIRTUAL MACHINE (TSO)
TCP segmentation offload is used for reducing the CPU overhead of TCP/IP on fast networks. TSO breaks down large groups of data sent over a network into smaller segments that pass through all the network elements between the source and destination.
Only on enhanced vmxnet adapters. If you're using just vmxnet, you must replace the adapter with an enhanced vmxnet adapter.
From VMware KB Enabling TSO in a Windows virtual machine
To use TSO, enable it in three places: the VMkernel, the virtual machine, and the guest operating system.
1. TSO is enabled for the VMkernel by default. If it is disabled on your system, you can enable it in the VMware Management Interface Advanced Settings page. Access this page by clicking the Options tab.
2. Enable TSO for the virtual machine by powering off the virtual machine and adding the following line to the configuration file (.vmx): ethernetn.features = "0x2"
In this example, n is the number of the virtual Ethernet adapter.
How to check if a physical network adapter supports TSO?
Via CLI - Run this command to see if TSO is supported on the physical network adapter on a host:
esxcli network nic tso get
Lab output: (screenshot)
ENABLE JUMBO FRAMES SUPPORT ON APPROPRIATE COMPONENTS
Jumbo Frames (MTU 9000) should be enabled end-to-end; if not, they will not raise the network performance, but the opposite will happen. By default the MTU is 1500. Jumbo Frames can be enabled on a vSwitch, vDS, and VMkernel Adapter.
DETERMINE APPROPRIATE VLAN CONFIGURATION FOR A VSPHERE IMPLEMENTATION
You should check further the vSphere Networking guide (p.131)
VLAN configuration in a vSphere environment provides certain benefits.
Integrates ESXi hosts into a pre-existing VLAN topology.
Isolates and secures network traffic.
Reduces congestion of network traffic.
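Two checks a practitioner wants before relying on either of the sections above (and on the same material in Objective 2.1), as an added Python example that is not the study guide's own code: the effective MTU of a constructed path from a VMkernel adapter to a storage array, which flags the one hop left at 1500 and the resulting mismatch, and the classification of constructed port groups into EST/VST/VGT from their VLAN setting, flagging those where the guest OS controls the tag.

```python
"""Sanity checks for end-to-end jumbo frames and VLAN tagging modes.

Added example, not from the study guide: the MTU path and the port group
definitions are constructed.
"""

JUMBO_MTU = 9000
DEFAULT_MTU = 1500


def tagging_mode(vlan_id, vds_trunk_ranges=None):
    """Classify a port group's VLAN setting as EST, VST or VGT."""
    if vds_trunk_ranges:
        return "VGT"                      # vDS VLAN trunking: the guest tags the frames
    if vlan_id in (None, 0):
        return "EST"                      # the physical switch does the tagging
    if 1 <= vlan_id <= 4094:
        return "VST"                      # the virtual switch tags with this ID
    if vlan_id == 4095:
        return "VGT"                      # vSS: all VLANs passed through to the guest
    raise ValueError(f"invalid VLAN ID {vlan_id}")


def effective_mtu(path):
    """path: list of (component, mtu). The largest frame that survives the
    whole path is the smallest MTU on it."""
    return min(mtu for _, mtu in path)


def jumbo_findings(path, wanted=JUMBO_MTU):
    """Components that defeat an end-to-end jumbo frame configuration, plus a
    finding for the sender if it emits frames larger than the path carries."""
    eff = effective_mtu(path)
    findings = [f"{component}: MTU {mtu} < {wanted}" for component, mtu in path if mtu < wanted]
    src_component, src_mtu = path[0]
    if src_mtu > eff:
        findings.append(f"{src_component} sends {src_mtu}-byte frames but the path "
                        f"only carries {eff}: fragmentation or drops")
    return findings


def vlan_findings(portgroups):
    """portgroups: list of (name, vlan_id, trunk_ranges). Flag guest tagging,
    because there the guest OS, not the switch, decides which VLAN a frame carries."""
    return [f"{name}: guest tagging (VGT), guest OS controls the VLAN tag"
            for name, vlan_id, trunk in portgroups
            if tagging_mode(vlan_id, trunk) == "VGT"]


# Constructed path: VMkernel adapter -> vDS -> physical switch port -> array.
PATH = [("vmk1 (vSAN)", 9000), ("dvSwitch-Storage", 9000),
        ("physical switch port", 1500), ("storage array port", 9000)]

# Constructed port groups: (name, VLAN ID, vDS trunk ranges).
PORTGROUPS = [("dvPG-Prod", 7, None), ("dvPG-Untagged", 0, None),
              ("vSS-AllVLANs", 4095, None), ("dvPG-Trunk", None, "1-100")]

if __name__ == "__main__":
    print("effective MTU:", effective_mtu(PATH))
    for line in jumbo_findings(PATH) + vlan_findings(PORTGROUPS):
        print(line)
    for name, vlan_id, trunk in PORTGROUPS:
        print(name, "->", tagging_mode(vlan_id, trunk))
```

The MTU check is the programmatic form of the "end-to-end" rule in the text: one hop at 1500 makes the whole path 1500, and a VMkernel adapter left at 9000 on that path performs worse than one at the default.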
Tools
vSphere Installation and Setup Guide
vSphere Networking Guide
Leveraging NIC Technology to Improve Network Performance in VMware vSphere
VCP6-DCV OBJECTIVE 3.1 - MANAGE VSPHERE STORAGE VIRTUALIZATION
The VMware VCP certification exam for vSphere 6 is now available and you can register for the exam. We'll start to cover the VCP6-DCV sections to help out folks learning towards the VCP6-DCV VMware certification exam. Today's topic is VCP6-DCV Objective 3.1 - Manage vSphere Storage Virtualization. It's quite a large chapter, but it's broken into several sections, always with screenshots. We will use the vSphere Web Client only (I know, not everyone's favorite, but new features aren't exposed to the old C# client anymore...).
Due to VMware re-certification policy the VCP exam has now an expiration date. You can renew by passing delta exam while still holding current VCP or pass VCAP. For whole exam coverage I created a dedicated VCP6-DCV page. Or if you’re not preparing to pass a VCP6-DCV, you might just want to look on some how-to, news, videos about vSphere 6 – check out my vSphere 6 page.
vSphere Knowledge
Identify storage adapters and devices
Identify storage naming conventions
Identify hardware/dependent hardware/software iSCSI initiator requirements
Compare and contrast array thin provisioning and virtual disk thin provisioning
Describe zoning and LUN masking practices
Scan/Rescan storage
Configure FC/iSCSI LUNs as ESXi boot devices
Create an NFS share for use with vSphere
Enable/Configure/Disable vCenter Server storage filters
Configure/Edit hardware/dependent hardware initiators
Enable/Disable software iSCSI initiator
Configure/Edit software iSCSI initiator settings
Configure iSCSI port binding
Enable/Configure/Disable iSCSI CHAP
Determine use case for hardware/dependent hardware/software iSCSI initiator
Determine use case for and configure array thin provisioning
IDENTIFY STORAGE ADAPTERS AND DEVICES
We will be heavily using one document - vSphere 6 Storage Guide PDF.
VMware vSphere 6 supports different classes of adapters: SCSI, iSCSI, RAID, Fibre Channel, Fibre Channel over Ethernet (FCoE), and Ethernet. ESXi accesses adapters directly through device drivers in the VMkernel.
Note that you must enable certain adapters (like the software iSCSI adapter), but this isn't new, as it was already the case in the previous release.
WHERE TO CHECK STORAGE ADAPTERS?