Here is my full study guide in entirety for download. Feel free to let me know if there is something that needs correction etc. Hope this helps. Cheers!
Section 7 – Administrative and Operational Tasks in a VMware vSphere Solution
Objective 7.1 – Manage virtual networking
I’ve gone over virtual networking a bit already. But there are two basic types of switches to manage in vSphere. Virtual Standard Switches and Virtual Distributed Switches. They both have the same components. Virtual Ports Groups, VMkernel Ports, and Uplink Ports. Here is a diagram depicting how it might look on a host
VMkernel ports are used for management purposes. When you set it up, you can choose using it for the following purposes
- vMotion – this is used to migrate VMs
- Provisioning – used for VM cold migration, cloning, and snapshot migration.
- Fault Tolerance logging – enables Fault Tolerance logging on the host (you can only have one per host)
- Management – management communication between hosts (should have minimum of two for redundancy)
- vSphere Replication – Handles outgoing replication data sent to the vSphere Replication Server
- vSphere Replication NFC – Handles incoming replication data on the target replication site.
- vSAN – allows for vSAN traffic, every host that is part of a vSAN cluster must have one.
VM Port Groups are for VM network traffic. Each of the VMs have a virtual NIC which will be part of a VM port group.
Uplink ports are connected to physical NICs. A Virtual Distributed Switch will have an uplink port group that physical NICs from multiple hosts.
You can manage your networking from a few locations in the HTML5 client. You can also manage hosts from the host HTML5 client. In the HTML5 client you manage networking from Host > Configure > Networking shown here.
You can then change manage the components as needed. If you need to manage a Virtual Distributed Switch you can do that there as well or you can create a VDS on the networking tab in the navigation pane.
You can configure shares and other settings here as well as you can see. You can find more info here if needed.
There is also managing the virtual networking of the VM. If you right click on the VM and then select Edit Settings. You can edit the networking adapter type and what virtual network the VM is connected to.
You can also migrate multiple VMs to another network if you go to the network tab in the navigation pane. Clicking the following will pop up a wizard.
In the wizard you select the destination network.
Then you select all the VMs you want to migrate.
Then you complete it.
Objective 7.2 – Manage datastores
Datastores are logical storage units that can use disk space on one disk or span several. There are multiple types of datastores:
To manage them, you can navigate to the Datastores tab on the navigation pane and select the datastore you want to manage. Then click on Configure on the object pane in the middle.
From this screen you can increase the capacity. Enable SIOC, and edit Space Reclamation priority. Using the Connectivity and Multipathing, you can edit what hosts have access to this datastore. You can also see what files and VMs are on this datastore. You can perform basic file functions through this as well.
To dig a little deeper though. How did we get here? How do we see the original device? To do that we have to go back to the host configuration. There we look at two main things. Storage Adapters and Storage Devices
This will show us what our host is able to get to. If we don’t have access to something we may need to either add it if it’s ISCSI or NFS or Protocol Endpoint if its a vVOL. Once we can see the RAW device or we have finished setting up the share or protocol endpoint, we can right click on a host and select Storage > New Datastore. This pops up a wizard that looks like this
The next screen will allow us to give the datastore a name and what device we want to use for it. Then we choose a VMFS version. We would choose 5 if we still had older hosts running older vSphere. We would choose 6 if we had all 6.5 or 6.7. Why would you want to use it? Look here for a nice table. You can then partition it if desired and finish.
Objective 7.3 – Configure a storage policy
- To create a storage policy, click on the Menu drop down at the top of your HTML5 client and choose Policies and Profiles
- Click on VM Storage Policies
- Select Create VM Storage Policy and on the popup wizard, give it a name.
- This screen allows you to choose between Host Based Services or Datastore Specific rules. Host based are specific services that particular host may provide such as caching, encryption, etc. These can be used in conjunction with Datastore specific rules which are directed to specific datastores. Such as I tag a specific datastore as “Gold” storage and I create a Storage policy that requires a VM to use “Gold” storage. I am going to use the tag-based placement option.
- I have already created a Tag category called Storage Type and I am going to tell it to Use storage tagged with the “Gold” tag. I could tell it to not use that tag as well. Multiple Rules can be used at the same time.
- I have one Datastore tagged as “Gold” Storage.
- That’s it. Click Finish and you have created a Storage Policy. Just to show you what host based services might look like here is a screenshot
Objective 7.4 – Configure host security
There are several built-in features that can secure a host. Let’s go over them
- Lockdown Mode – When enabled this prevents users from logging directly into the host. It will only be accessible through the local console if you are on an accepted user list or vCenter. You can also turn off the Direct Console UI completely. This can be found under Configure > Security Profile
- Host Image Profile Acceptance Level – This is like driver signing on a Microsoft Windows machine. This will only allow bundles or drivers with an acceptance level you set.
- Host Encryption Mode – This setting encrypts any core dumps from the host.
- Firewall – There is a stateless firewall included in ESXi. Most ports are locked by default. If you want to add a new port not already in the list you will need to do it at command line.
Objective 7.5 – Configure role-based user management
Role-based management allows you to assign a set of permissions to a user or group. This is great as this makes it easier to assign just the permissions you need to a user and no more. This is great for security. VMware provides a number of Roles pre-configured. These can’t be changed. What you can do, is clone them and change the clones. You can also create your own custom role. In order to do this, you click on the Menu and go to Administration
You can see the predefined roles when you select Roles under Access Control
To clone you select one and then click the Clone icon
You need to name it and click ok on the window the pops up. To edit the clone you just made, click on the Pencil icon after selecting the new role. Then select the privileges you want to allow or disallow by clicking on the check boxes.
You can see the privileges already assigned to a role by clicking on the Privileges button on the side.
You then assign the roles under the Global Permissions item. You can use one of the built-in user or groups or you can add a new user/group. You can add the group from any of the Identity sources you have setup already.
When you add or edit the permissions you set the role.
There is a special role called No Access as well that you can assign to a user to keep them from accessing specific objects or privileges.
Objective 7.6 – Configure and use vSphere Compute and Storage cluster options
After you create a cluster, you can right click on it and select settings, or click on the configure tab in the center, object pane
Quickly going through the options available. There is DRS and HA we’ve already gone over. We then have:
- QuickStart – is a wizard to help you configure your cluster.
- General – lets you change the swap file location for your VMs. This will be the default setting for the cluster. Default VM compatibility is the default VM Hardware version for the cluster.
- Licensing – This is only used if you vSAN
- VMware EVC – This was mentioned previously as well. Enhanced vMotion Compatibility. This allows you to use disparate versions of processors and vMotion between them.
- VM/Host Groups – This is the VM Groups and Host groups you can setup to create Affinity or Anti-Affinity rules
- VM Host Rules – These are the Affinity or Anti-Affinity rules.
- VM Overrides – This allows you to override cluster settings for DRS/HA restart or response for individual VMs.
- Host Options – Allows for host power management. You enter in your IPMI settings per Server
- Host Profile – This will be gone over in a few objectives, but creates a settings template for all hosts in the cluster.
- I/O filters – You can install I/O filters here (VAIO) This can be a plugin such as backup or disaster recovery filters.
- Alarm Definitions – This is where you can add/enable/disable/delete alarms for your cluster (applies to objects in the cluster)
- Scheduled Tasks – You can schedule certain tasks for off hours. New Virtual Machine, Add Host, or Edit DRS.
- vSAN – This won’t say much here unless it’s turned on.
A Datastore Cluster or Storage Cluster (unless referring to VSAN cluster) is created by right-clicking on the datacenter in the Storage heading on the object pane.
- This launches a wizard to go through. You will need to enter a Datastore Cluster name and you should turn on Storage DRS
- You then are presented with more options than anyone should be. The first is what level of automation would you like, but then you have all these other options which I will leave at cluster default. Each one of them will check certain metrics or alarms and move the VM storage based on what it sees.
- Now you need to decide storage DRS runtime settings. These are thresholds you set before it takes action to move data around. I’m leaving defaults again.
- You then select your cluster and / or hosts that will participate in sharing their datastores in this.
- Select the datastores that will make up this Datastore cluster
- It gives you final summary screen and you click Finish.
Objective 7.7 – Perform different types of migrations
We’ve already gone over the types of migrations possible. Now let’s see how to accomplish them.
- To migrate a VM, whether you migrate the VM or storage, you need to right click on the VM and choose Migrate.
- You are given the option of 3 types of migration. vMotion = Compute resource only, svMotion = Change storage only, or enhanced or xvMotion is both. The screens after depend on which you choose here. I will choose both so you see both screens.
- For the compute resource to migrate to, I need to choose either a cluster, or individual host. A handy little tidbit that’s nice is the upper right-hand corner. VM origin tells you where this VM is sitting right now, both host and datastore.
- Select storage next.
- Next, select the network for this VM to use.
- vSphere gives a summary, click Finish and it will migrate.
Objective 7.8 – Manage resources of a vSphere environment
There are several resources that can be managed in a vSphere environment. There are mechanisms built-in to vSphere to allow that. You can create resource pools, assign shares for CPU, memory, disk, and network resources. You can also create reservations and limits. Let’s define a few of those and how they work.
- Reservations – this is the amount of the resource that is guaranteed. If the resource can’t be given, the VM will not power on.
- Limits – are the maximum amount of that resource you will allow for that VM. The issue with limits is if you have extra resources vSphere will still not allow that VM to have more resources.
- Shares are used to compete for the resources between. Shares will only come into play when there is contention for it. During regular periods when all the VMs are happy and there is plenty of resources, shares don’t matter.
Resource Pools can also be created to slice off resources. You can have reservations on Resource Pools as well, but you can do a bit more. You can have expandable reservations to borrow resources from its parent if it needs to. This is what you need to configure when you create a CPU and Memory Resource Pool
You can also assign this on an individual VM basis
To assign disk shares you can look at the individual VM
You can also assign shares and manage network resources on Virtual Distributed Switches with Network I/O Control enabled.
Objective 7.9 – Create and manage VMs using different methods
There are several methods to create VMs. You can:
You can also deploy from an OVF template, use the OVF Tool or create a VM from a physical using the P2V tool. For the purposes of the exam they more than likely just want you to know about the ones in the picture and deploying from an OVF template.
You can manage VMs through the HTML5 client, API, PowerCLI (PowerShell) or even through the ESXi host console. There are even some options you can only do using PowerCLI. Creating a new VM via PowerCLI isn’t hard either, it can be done with command like the following:
New-VM -Name ‘TestVM’ –VMHost ‘VMHost-1’ -Datastore ‘TestDatastore’ -DiskGB 40 -MemoryGB 8 -NumCpu 2 -NetworkName ‘Virtual Machine Network’
That creates a new VM with the name TestVM on VMHost-1 storing its 40GB VMDK on the TestDatastore. A lot simpler than going through a long wizard to me.
Objective 7.10 – Create and manage templates
Templates are VMs that have been converted so that they can’t be turned on. They are used as base server machines or VDI base workstations. Creating them is a simple process. You can do this with a running VM by cloning it (creating a copy) and making the copy a Template. If you want to convert the machine you are working on, it will need to be turned off. I will go over both ways to do this.
- Right click on the VM to be converted. We will start with a running VM.
- Give the VM Template a name
- Choose a location for the template
- Choose storage for the template
- Complete by clicking Finish.
For a machine that is turned off you can clone it as well, but you have the option of turning that VM into a template. To do that:
- Right click on the VM you want to change to a template.
- If you choose Convert to template, it asks you if you are sure and then does it. If you Export OVF this will save an OVF file to your desktop that is the VM in template format that you can import like an appliance.
Objective 7.11 – Manage different VMware vCenter Server objects
I’ve gone over how to manage different types of objects so I will take a stab here and guess that they are referring to the actual vCenter Server objects and not clusters, hosts, etc.
To manage the vCenter Server object, there is a couple of places to go to. The first is Administration > System Configuration. This location will allow you to export a support bundle, converge an external PSC to embedded, and decommission PSC. Oh, you can also reboot it.
The next place you can configure the vCenter is by clicking on the vCenter in the navigation pane and then go to the configure tab in the object pane. You can see that here
This is just changing the settings on the vCenter server itself and not the object.
If anyone has a thought on what they may be looking here if I didn’t cover it, reach out to me.
Objective 7.12 – Setup permissions on datastores, clusters, vCenter, and hosts
Permissions can be set on most objects in the vSphere environment. To do that you need to navigate to the Permissions tab in the object pane. Here is an example
You can see how you can assign permissions to it. Click on the ‘+’ in order to add another user or group to it. You can also edit an existing permission by clicking on the pencil icon. You can also propagate this permission to its children with the Propagate to children checkbox.
If a user has conflicting permissions, the explicit permissions will win over general. This allows you to assign a user “No Access” to an object and it will win over having group rights to it. The user documentation has this really well. (From the VMware Documentation here)
If multiple group permissions are defined on the same object and a user belongs to two or more of those groups, two situations are possible:
No permission for the user is defined directly on the object. In that case, the user has the privileges that the groups have on that object.
A permission for the user is defined directly on the object. In that case, the user’s permission takes precedence over all group permissions.
Objective 7.13 – Identify and interpret affinity/anti affinity rules
Affinity and Anti-Affinity rules exist on a DRS enabled cluster. They are typically used for the following reasons:
- Affinity Rules – Used for multi-tier app VMs or other VMs that communicate heavily or depend on each other in order to run. It can also be used to keep a VM running on a specific host for licensing or other purposes.
- Anti-Affinity Rules – Use to keep VMs separate from each other or keep them from running on separate hosts.
These rules can be setup as “Must” rules or “Should” rules. Just like it sounds the Must will prevent the machines from doing what is instructed and if they can’t comply with the rule they won’t start. The Should rules will try everything they can to comply but for example, you are down to one host, the machines will still run there as that is their only option.
You create groups that are made up of either VMs or hosts and then create a rule that defines the relationship between them. You set them up underneath the Configure tab under your cluster. Here is what that looks like:
You would create the VM and/or host groups. Then you create the rules that will govern them.
Objective 7.14 – Understand use cases for alarms
Use cases for alarms are plentiful. You don’t want errors and issues happening in the background without you knowing. Even better, it would be great to get notice of these events before they happen. That is what alarms can do for you. They can notify you in response to events or conditions that occur to objects in your vSphere environment. There are default alarms setup for hosts and virtual machines already existing for you. You can also setup alarms for many objects. An alarm requires a trigger. This can be one of two things.
- Condition or State. This is monitoring the condition or state of an object. And example of this would be a datastore is using 80 percent of its storage. Or a host is experiencing high CPU usage.
- Event. This would be something like a host hardware changes, or leaves a cluster.
You can setup an alarm by right clicking on the object and then click on Alarms > New Alarm Definition.
Objective 7.15 – Utilize VMware vSphere Update Manager (VUM)
VUM (vSphere Update Manager) is VMware’s server and management utility to patch and upgrade its software. While there were many requirements to get VUM working on previous versions of vSphere, in 6.7 its pretty easy. Though its not completely simple, it does make more sense once you use it for a little bit. First, we need to define a few terms.
Baseline – is one or more patches, extension or upgrade that you want to apply to your vSphere Infrastructure. You can have dynamic patches or static. Dynamic baselines will automatically download and add new patches. I don’t necessarily recommend this as you don’t know how a patch will affect your environment without testing. Now if it’s a test environment go for it! VMware includes two dynamic baselines for patches predefined for you. You can create your own.
Baseline Group – Includes multiple baselines. The pre-defined ones are Non-Critical and Critical Patches. Unless one causes an issue, it would be good to have both of those. I created a group that includes both called Baseline Group 1.
You can create a baseline that includes an upgrade say from 6.5 to 6.7 as well. There are settings that go along with this service and here is what they look like.
- Patch Downloads concerns itself with getting your updates.
- Patch Setup concerns itself with where it is getting them from. Do you need a proxy?
- Recall Notification. Occasionally VMware needs to recall a patch that isn’t up to par. This setting will notify you there is a recall and what it is and make sure it doesn’t apply that patch to any hosts.
- Network Connectivity. Connectivity for VUM. Mainly port numbers and host name.
- Patch Downloads concerns itself with getting your updates.
- Hosts – When you apply the baselines to a host, what do you want it with the VMs, host if it uses PXE to boot, and retries.
- VMs – If you are remediating VMs do you want to take a snapshot automatically and how long do you want to keep them.
- Hosts – When you apply the baselines to a host, what do you want it with the VMs, host if it uses PXE to boot, and retries.
The setup of the server is just the first step though. You now need to get these patches to the hosts and VMs. You have two options when you apply them. You can Stage, or Remediate. Stage will just load the patches on it and wait for you to tell it to take action. Remediate takes immediate action. You can do this by going to the update tab for the object. Here is the update for the cluster.
At the bottom you notice I attached the baseline. This is needed to stage or remediate your hosts and VMs. You can then check them by Checking Compliance. You may also notice you can update VMware Tools and VM Hardware versions en masse. (may require VM reboot)
Objective 7.16 – Configure and manage host profiles
Host profiles provide a mechanism to automate and create a base template for your hosts. Using host profiles, you can make all your hosts exactly the same. VMware will inform you if your host is not in compliance yet and then you can take steps to remediate it.
You access it under Policies and Profiles
There is a process to it. Here it is:
- Click on Host Profiles on the navigation pane on the left.
- Next is Extract Host Profile. This is going to be taking a host you select and that will be the “baseline”
- This will pop up a wizard. This is where you select the host.
- Give it a name and a description and then Finish
- Once that is done, you now have a window that looks like this
- Yes, its small. The point is when you click on the host profile you now have additional options above. Notice as well that the profile is also a hyperlink. Click on it.
- Click on the Actions to attach to hosts or clusters.
So that is the end of this study guide. If you find something incorrect in it or I didn’t understand the Blueprint from VMware, let me know. I appreciate you taking the time to read through and hope you were able to use it. I really appreciate the community and all the things its done for me, which is why I love doing things like this. Thanks!!
Mike Wilson (IT-Muscle.com / @IT_Muscle )
Section 5 – Performance-tuning and Optimizing a VMware vSphere Solution
Objective 5.1 – Determine effective snapshot use cases
Many companies use the term snapshot. There are numerous definitions for snapshots that vary on the company. We should first define what VMware does with snapshots.
VMware preserves a Point in Time or PIT for a VM. This process freezes the original virtual disk and creates a new Delta disk. All I/O is now routed to the Delta disk. If data is needed that still exists on the original disk it will need to go back to that to retrieve data. So now you are accessing two disks. Over time you can potentially double the size of the original disk as you make changes and new I/O. The original 10 GB disk becomes 20 GB over 2 disks. If you create more snapshots, you create new Delta disks and it continues.
Now that we understand a bit more about them, we see the limitations inherent. This tool was never meant to be a backup. It was designed to be used for reverting back to the original (if needed) after small changes. Most backup tools DO use snapshots as part of their process, but it is only used for the amount of time needed to copy the data off and then the snapshot is consolidated back again. Here are a few Best Practices from VMware on how to use them.
- Don’t use snapshots as backups – major performance degradation can occur and I have seen people lose months of data or more when the chain got too long.
- 32 snapshots are supported, but it’s better not to test this.
- Don’t use a snapshot longer than 72 hrs.
- Ensure if you are using a 3rd Party backup that utilizes the snapshot mechanism, they are getting consolidated and removed after the backup is done. This may need to be checked via CLI
- Don’t attempt to increase disk size if the machine has a snapshot. You risk corrupting your snapshot and possible data loss.
Most use cases involve you changing the VM or upgrading and once you find out it does or doesn’t work, you remove the snapshot. A good example of this is Microsoft Windows Updates. Create a snapshot, install the updates and test. If the updates haven’t broken anything, consolidate. Another use case might be installation or upgrade of an important program. Or a Dev use case of changing code and executing to determine if it works. The common thread between all the use cases is temporariness. These use cases are for snapshots running a very short period of time.
Storytime. I had a company that called in once that was creating snapshots for their Microsoft Exchange Server. They were taking one every day and using it as a backup. When I was called, they were at about a year of snapshots. Their server wasn’t turning on and trying to remove the snapshots wasn’t working. Consolidation takes time and a bit more space. We tried to consolidate but you can only merge 32 snapshots at a time. They got impatient about 25% through the process and tried to turn it on again. When that didn’t work, they had to restore from tape backup and lost a decent amount of data.
Objective 5.2 – Monitor resources of VCSA in a vSphere environment
Monitoring resources can be done from more than one place. The first place is in the vCenter appliance management page at :5480. After you log into it, you have the option on the navigation pane called Monitor. This is what it looks like:
Notice the subheadings. You can monitor CPU and Memory, Disks, Networking, and the database. You can change the time period to include metrics up to the last year. Since the VCSA is also a VM, you can view this from inside the vSphere HTML5 client. This view allows you to get a bit more granular. You are looking at it from the hosts perspective whereas the Appliance Management page is from within the VM. Both are important places to give you a full look at how the vCenter is performing. Here is a screenshot of inside the HTML5 client of my vCenter Appliance.
You can attach to the vCenter via SSH or console and run TOP for a per process view of the appliance. Here is what that looks like
These are the most common ways you would monitor resources of your VCSA.
Objective 5.3 – Identify impacts of VM configurations
There much to unpack with this objective. I will work through best practices and try to stay brief.
- While you want to allocate the resources that your VM needs to perform, you don’t want to over-allocate as this can actually perform worse. Make sure there are still enough resources for ESXi itself as well.
- Unused or unnecessary hardware on VM can affect performance of both the host and all VMs on it.
- As mentioned above, over allocation of vCPU and memory resources will not necessarily increase performance and it might lower it.
- For most workloads, hyperthreading will increase performance. Hyperthreading is like a person trying to eat food. You have one mouth to consume the food, but if you are only using one arm to put the food in, it isn’t as fast as it could be. If you use both arms (enabling hyperthreading) you still only have one mouth (one core) but you aren’t waiting for more food and just keep constantly chewing. Certain workloads that keep CPU utilization high, benefit less from hyperthreading.
- Be aware of NUMA (Non-Uniform Memory Access). Memory is “owned” by sockets. If you use more memory than that socket owns, you need to use memory from the other socket (if available). This causes a small delay because it has to move across the bus vs right next to the processor. This can add up. (Oversimplified but the idea is there). There are policies that can be set that could help if needed. Not in the scope of this certification though.
- Not having enough physical memory can cause VMs to use slower methods of memory reclamation all the way to disk caching. This causes performance degradation.
- Creating shares and limits on your machine may not have the result you believe. Weigh those options carefully before you apply them.
- Make sure you use VM Tools in your VMs as they add a number of useful and performance increasing solutions.
- The hardware you use in the configuration can also change performance. For example, using PVSCSI vs LSI SAS or using VMXNET vs E1000 NICs can make a decent performance jump.
- Make sure you use VMware snapshots how they were intended and not for long periods of time.
- There are different types of VMDKS you can create. They include thin provisioned, thick (lazy zeroed), and thick (eager zeroed). There are reasons you might utilize them. Thin disks are the best in a scenario where you may not have all the space yet. You may need to buy more disks or they may be already on their way. Eventually you will have this space. It is important that you monitor your space to make sure you don’t consume it before you have it. If you do, the VM will be suspended best case, worst case you can lose data. Thick (lazy zero) is when you fence all that space off for that disk up front. You can’t over-provision this, you have to already have the disk space. The “lazy zero” comes in play when you go to use the space. VMware will need to format the disk block before using it. This can potentially be a slow down if there are a high number of writes to the disk. If the VM is more read heavy, you are just fine. Thick (eager zero) will take more time to create, because it formats the whole disk up front before use. This type if best for a VM with heavy writes and reads such as a DB server etc.
Keep these in mind when creating VMs and also take a look at the VMware Performance Best Practices guide here.
Section 2 – VMware Products and Solutions
Objective 2.1 – Describe vSphere integration with other VMware products
VMware has just a few products on the market (/sarcasm), and they show no letup in acquiring other companies and expanding to new technologies. One thing I appreciate about them is their ability to take what they buy, make it uniquely theirs, and integrate it with their current solutions. While this is not always done quickly and it make take a few versions, it usually pays dividends. Other products such as their Software Defined Networking product, NSX-V and T, and vSAN (SDS storage) and more, round out their offerings making it a complete solution for their customers. While definitely not altruistic, having a single place to get a complete solution can make life easier. Let’s look at some of the VMware products that are commonly used with vSphere core products.
If you look at products grouped together on VMware’s download site, you’ll see the core vSphere products of ESXi and vCenter. You also see Log Insight, NSX, Operations, and Orchestrator. I will try to give you a high-level of each of those products and how they fit into the vSphere world.
vRealize Log Insight
vRealize Log Insight is a syslog server on steroids. It is described as a Log Management and Analytics Tool by VMware. It integrates with vCenter Server and vRealize Operations. Log Insight can be used as a regular syslog server for other solutions not in VMware. Using it as a single logging repository and being able to search across your entire company’s infrastructure is its true superpower. But wait… there’s more.
You can also load content packs to manage specific solutions. One example of this is I am using a specially created Rubrik content pack that allows me to create specific dashboards to monitor my backups. Log Insight has the ability to have multiple users and assign them separate permissions to create their own dashboards and metrics. You can see my walkthrough on Log Insight (albeit 4.3 instead of 4.6) here. I also have a few videos to show you how you might customize dashboards here and how you can track a error in the logs here.
What VMware did for Server hardware they did with Networking as well. While ESXi and vCenter Server already have VSS and VDS, this is the next step in networking evolution. Using NSX you can implement normally difficult configurations such as micro-segmentation in your datacenter with ease. Being able to do this all from a single UI makes it easy and saves time. Once the initial configuration of the physical networking is done, everything thereafter can be accomplished in VMware’s HTML5 client. Creating switches, routers, load balancers, firewalling, you name it.
Because NSX’s technology, ESXi essentially believes it is on a large L2 network allowing you to do things impossible before, such as vMotion over large geographic distances. NSX brings a lot to the table. There is a lot to learn about it, however and it has its own certification track.
vRealize Operations is a tool used to facilitate performance optimization, capacity management, forecasting, remediation, and compliance. It integrates right into the HTML5 client and keeps you constantly aware of how your environment is performing. Not only does vRealize Operations integrate with ESXi and vCenter, it also integrates with NSX and Log Insight. Here is a pic of what it looks like in the HTML5 client
I also have a few videos on how to perform actions in vSphere Operations here. While this is an old version it serves well to show you some of the things you can use vRealize Operations for.
You have a large number of dashboards to choose from and monitor. You can see things like disk usage and capacity graphically making it easy to pick out potential problems at a quick glance. Doing this paper vRealize notified I’ve been running my Plex Server on a snapshot for a long period of time… I didn’t have any idea until it told me. (Snapshot was created by Update Manager upgrade). Short story, you need this in your life.
Most people know about the app IFTTT for your phone. This is kind of like that but way more powerful. Using vRealize Orchestrator you can create workflows that can perform a plethora of different tasks. It also integrates with vRealize Automation to create even more complex jobs. Using vRealize Orchestrator, you can:
- Configure software or virtual hardware
- Update databases
- Generate work order tickets
- Initiate system backups
And much more. This integrates with all of VMware’s other products and is a drag and drop worklflow solution.
Objective 2.2 – Describe HA solutions for vSphere
We already went over this, but we’ll touch on it again. The main High Availability solutions VMware provides are vMotion, svMotion and HA using clusters. I will include both HA parts so that you can read about HA in one fell swoop.
HA works by pooling hosts and VMs into a single resource group. Hosts are monitored and in the event of a failure, VMs are re-started on another host. When you create a HA cluster, an election is held and one of the hosts is elected master. All others are slaves. The master host has the job of keeping track of all the VMs that are protected and communication with the vCenter Server. It also needs to determine when a host fails and distinguish that from when a host no longer has network access. HA has other important jobs. One is determining priority and order that VMs will be restarted when an event occurs. HA also has VM and Application Monitoring. Using this prompts HA to restart a VM if it doesn’t detect a heartbeat received from VM Tools. Application Monitoring will do the same with heartbeats from an application. VM Component Monitoring or VMCP allows vSphere to detect datastore accessibility and restart the VM if a datastore is unavailable. One last thing to note. In the past, VMware tried to trick people by using the old name for HA which was FDM or Fault Domain Manager
There are a several configuration options to configure. Most defaults work without drama and don’t need to be changed unless you have a specific use case. They are:
- Proactive HA – This feature receives messages from a provider like Dell’s Open Manage Integration plugin. Based on those messages HA will migrate VMs to a different host due to possible impending doom of the original host. It makes recommendations in Manual mode or automatically moves them in Automatic mode. After VMs are off the host, you can choose how to remediate the sick host. You can place it in maintenance mode, which prevents running any future workloads on it. Or you could put it in Quarantine mode which allows it to run some workloads if performance is low. Or a mix of those with…. Mixed Mode.
- Failure Conditions and responses – This is a list of possible host failure scenarios and how you want vSphere to respond to them. This is better and gives you way more control then in the past.
- Admission Control – What good is a feature to restart VMs if you don’t have enough resources to do so? Not very. Admission Control is the gatekeeper that makes sure you have enough resources to restart your VMs in the case of host failure. You can ensure this a couple of ways. Dedicated failover hosts, cluster resource percentage, slot policy, or you can disable it (not good unless you have a specific reason). Dedicated hosts are dedicated hot spares. They do no work or run VMs unless there is a host failure. This is the most expensive (other than a failure itself). Slot policy takes the largest VM’s CPU and the largest VM’s memory (can be two different VMs) and makes that into a “slot” then it determines how many slots your cluster can satisfy. Then it looks at how many hosts can fail and still keep all VMs powered on based off that base slot size. Cluster Resources Percentage looks at total resources needed and total available and tries to keep enough resources to permit you to lose the number of hosts you specify (subtracting amount of resources of those hosts). You can also override this and set aside a specific percentage. For any of these policies, if the cluster can’t satisfy resources for more than existing VMs in the case of a failure, it prevents new VMs from turning on.
- Heartbeat Datastores – Used to monitor hosts and VMs when the HA network as failed. It determines if the host is still running or if a VM is still running by looking for lock files. This automatically uses at least 2 datastores that all the hosts are connected to. You can specify more or specific datastores to use.
- Advanced Options – You can use this to set advanced options for the HA Cluster. One might be setting a second gateway to determine host isolation. To use this you will need to set two options. 1) das.usedefaultisolationaddress and 2) das.isolationaddress[…] The first specifies not to use the default gateway and the second sets additional addresses.
There are a few other solutions that touch more on Fault Tolerance and Disaster Recovery.
Fault Tolerance or FT creates a second live shadow copy of a VM. In the even the primary goes down, the secondary kicks in and it then creates a new shadow VM.
Disaster Recovery options include vSphere Replication and Site Recovery Manager. Both of these can be used in conjunction to replicate a site or individual VMs to another site in case of failure or disaster.
Objective 2.3 – Describe the options for securing a vSphere environment
There are a number of options available to secure your vSphere environment. We will start with ESXi and move on to a few others.
- Limit access to ESXi – this goes for both the physical box but also any other way of accessing it. SSH, DCUI, or remote console via IPMI or iDRAC/iLO etc. You can also take advantage of lockdown modes to limit access to just vCenter.
- Use named users and least privilege – If everyone is root than no one is special. Only give users that need it, access. Even then only give them the access and rights they need to do their job. Make sure they all log in as the user you give them. This allows for tracking and accounting.
- Minimize open ports – your ESXi host has a stateless firewall but if all the ports are open, it’s not providing any protection for you.
- Smart Card authentication – ESXi now supports smart cards for logging on instead of user name and passwords.
- Account lockouts – After a number of incorrect tries to log in, have the account lock.
- Manage ESXi certificates – While there is a Certificate Authority in vCenter, you might want look into using third-party or enterprise CA certificates.
- VIB Integrity – try to use and only allow your ESXi hosts to accept VMware accepted or VMware Certified VIBs.
vCenter Server Security
- Harden all vCenter host machines – make sure all security patches and the host machines are up to date.
- Assign roles to users or groups – This allows you to better keep track of what users are allowed to do if they are part of a role.
- Setup NTP – time stamps will be accurate and allow you to better track what is going on in your environment.
- Configure Single Sign On – Keep track of the identity sources you allow to authenticate to your vSphere environment.
- vCenter Certificates – remove expired or revoked certificates and failed installations.
- Protect the guest operating system – Keep your OS up to date with patches and any anti-malware or anti-spyware. Most OSs also have a firewall built-in. Use that to keep only necessary ports open.
- Disable unnecessary functionality – Turn off and disable any services not needed. Turn off things like HGFS (host-guest filesystem) that allows you to copy and paste between the VM and remote console.
- Use templates and scripted installations – After you spend all the time making an OS secure, use that as a template so that you don’t have to perform the same on the next machine. This also makes sure you don’t forget settings or configurations that may end up being disastrous. Script management of machines and installations for the same reason.
- Minimize use of the virtual machine console – Just like you would secure access to the physical machine, you should secure access and use sparingly the console.
- Use UEFI secure boot when possible – If the OS supports it, you can use this to prevent changes to the VM.
- Isolate network traffic – Separation of network traffic into segments allows you to isolate important networks. A prime example of this is creating a management network that is separate from regular VM traffic. You can perform this easily using VMware NSX or even as simple as creating a separate subnet and locking that down virtually or physically to ports.
- Use firewalls – Again using NSX this becomes really simple to create firewall and micro-segmentation. Mentioned above, you can also utilize firewalls in the OS but that can get unwieldy with 1,000s of VMs. Physical firewalls are a staple as well.
- Consider Network Policies – Switches in your virtual environment have security policies you can implement to prevent malicious attacks. These are promiscuous mode, MAC address changes, and forged transmits.
- Secure VM networking – same as above with securing OSs and firewalling.
- VLANs – These can be used to segment your network and provide additional security. This also breaks up your broadcast domain which can cut down on unwanted broadcast traffic.
- Secure connection to your Storage – Usually companies setup separate networks for their storage. This is for security but also performance. You can also implement authentication on your storage array such as CHAP. Fibre Channel is particularly secure as it is difficult to tap a fibre cable.
It’s been a while since I’ve done one of these. I did one for the VCP 6.0 and kind of miss it. I’ve decided to take a little different approach this time. I’m going to actually write it completely up as a single document and then slowly leak it out on my blog but also have the full guide available for people to use if they want. I’m not sure the usable life of this since there is a looming version on the horizon for VMware, but it will be a bit before they update the cert.
I’m also changing which certification I’m writing for. I originally did one for the delta. This time it will be the full. There shouldn’t be an issue using this for the delta, however. The certification, 2V0-21.19 is for vSphere version 6.7 and is a 70-question exam. You are required to pass with a score of no less than 300 and you are given 115 minutes to take it. This gives you about 40 seconds per question. Study well and if you don’t know something, don’t agonize over it. Mark it and come back. It is very possible a later question will job your memory or give you possible hints to the answer.
You will need to venture outside and interact with real people to take this test. No sitting at home in your pjs, unfortunately. You will need to register for the test on Pearson Vue’s Website here.
Standard disclaimer, I am sure I don’t cover 100% of the topics needed on the exam, as much as I might try. Make sure you use other guides and use your own research to help out. In other words, you can’t hold me liable if you fail
Section 1 – VMware vSphere Architectures and Technologies
Objective 1.1 – Identify the pre-requisites and components for vSphere implementation
The first part starts with installation requirements. There are two core components that make up vSphere. ESXi and vCenter. There several requirements for ESXi and for vCenter Server. I’ll cover them here one component at a time to better understand them.
vSphere ESXi Server
The ESXi Server is the server that does most of the work. This server is where you install virtual machines (VMs) and provides the needed resources for all your VMs to run. The documentation also talks about virtual appliances. Virtual appliances are nothing more than preconfigured VMs, usually running some variant of Linux.
There is an order to installation of vSphere, and the ESXi server is installed first. There are a number of requirements for installation. Some of them I will generalize, as otherwise this would be a Study Textbook and not a guide.
- Supported server platform. The best way to determine if your server is supported is to check against the VMware Compatibility Guide here.
- At least two CPU cores. This shouldn’t be that big of an issue these days when you have companies such as AMD having mainstream 16-core processors and 64-core Server processors.
- 64-bit processor released after 2006.
- The NX/XD bit to be enabled in the BIOS. This is also known as the No-Execute bit (or eXecute Disable) and allows you to segregate areas of memory for use with code or data. Enabling this protects against certain forms of malware exploits.
- Minimum of 4 GB of RAM. You hopefully will have at least 6-8 in order to give adequate space for VMs to run.
- Support for Intel VT-x or AMD RVI. This isn’t an issue for most current processors. Only extremely inexpensive or old processors would not have this option in the BIOS.
- 1+ Gigabit or faster Ethernet controllers. Same as above, make sure it is a supported model.
- SCSI disk or RAID LUN. These are seen as local drives. This allows you to use them as “scratch” partitions. A scratch partition is a disk partition used by VMware to host logs, updates, or other temporary files.
- SATA drives. You can use a SATA drive but by default these are considered “remote” not local. This prevents them from being used for that scratch partition.
You can use UEFI BIOS mode with vSphere 6.7+ or just regular BIOS mode. Once you have installed ESXi, you should not change the mode from one to the other in the BIOS, or you may need to re-install (it won’t boot). The actual display message is “Not a VMware boot bank” that you might encounter.
VMware requires a minimum boot device with 1 GB of storage. When booting from a local disk, 5.2 GB is needed to allow creation for the scratch disk and the VMFS (VMware File System) volume. If you don’t have enough space, or you aren’t using a local drive, the scratch partition will be placed in a RAMDISK or all in RAM. This is not persistent through reboots of the physical machine, and will give you a message (nagging you) until you do provide a location for it. It actually is a good thing to have though, as any dump files (code from ESXi describing what went wrong when a crash occurs) are stored there.
You can Auto Deploy a host as well – this is when you have no local disks at all and are using shared storage to install and run ESXi software. If you do use this method, you don’t need to have a separate LUN or shared disk, set aside for each host. You can share a single LUN across multiple hosts.
Actual installation of the ESXi software is straightforward. You can perform an Interactive, scripted or Auto Deploy installation. The latter requires a bit of preparation before you can do that and a number of other components. You will need to have TFTP server setup and make changes to your DHCP server to allow this to happen. There is more that goes into the Auto Deploy, but I won’t cover that here as the cert exam shouldn’t go too far in depth. For interactive installation you can create a customized ISO if you require specific drivers that aren’t included on the standard VMware CD
vSphere vCenter Server
The vCenter Server component of vSphere allows you to manage and aggregate your server hardware and resources. vCenter is where a lot of the magic lies. Using vCenter Server you can migrate running VMs between hosts and so much more. VMware makes available the vCenter Server Appliance or VCSA. This is a preconfigured Linux-based VM that is deployed into your environment. There are two main group of services that run on the appliance, vCenter Server and the Platform Services Controller. You run both of those together in what is known as an “embedded” installation or you can separate the Platform Services Controller (PSC) for larger environments. While you can install vCenter on Windows as well, VMware will no longer support that model for the next major release of vSphere.
There are a few software components that make up the vCenter Server Appliance. They include:
- Project Photon OS 1.0 – This is the Linux variant used for the operating system.
- Platform Services Controller group of infrastructure services
- vCenter Server group of services
- PostgreSQL – This is the database software used.
- VMware vSphere Update Manager Extension or VUM. This is one way you can keep your vSphere software up to date.
While past versions of vCenter Server Appliance were a bit less powerful, since 6.0 they have been considerably more robust. This one is no exception, with it scaling to 2,000 hosts and 35,000 VMs.
If you do decide to separate the services it is good to know what services are included with which component. They are:
- vCenter Platform Services Controller or PSC – contains Single Sign On, Licensing, Lookup service, and the Certificate Authority.
- vCenter Server – contains vCenter Server, vSphere client, vSphere Web Client, Auto Deploy, and the Dump Collector. It also contains the Syslog Collector and Update Manager.
If you go with a distributed model, you need to install the PSC first, since that machine houses authentication services. If there is more than one PSC, you need to setup them one at a time before you create the vCenter Server/s. Multiple vCenter Servers can be setup at the same time.
The installation process consists of two parts for the VCSA when using the GUI installer, and one for using CLI. For the GUI installation, the first stage deploys the actual appliance. The second guides you through the configuration and starts up its services.
If using CLI to deploy, you run a command against a JSON file that has all the values needed to configure the vCenter Server. The CLI installer grabs values inside the JSON file and generates a CLI command that utilizes the VMware OVF Tool. The OVF Tool is what actually installs the appliance and sets the configuration.
Hardware Requirements vary depending on the deployment configuration. Here are a few tables to help guide you:
Embedded vCenter with PSC
|Tiny (up to 10 hosts or 100 VMs)||2||10 GB|
|Small (up to 100 hosts or 1,000 VMs)||4||16 GB|
|Medium (up to 400 hosts or 4,000 VMs||8||24 GB|
|Large (up to 1,000 hosts or 10,000 VMs)||16||32 GB|
|X-Large (up to 2,000 hosts or 35,000 VMs)||24||48 GB|
If you are deploying an external PSC appliance you need 2 vCPUs and 4 GB RAM and 60 GB storage for each.
|Environment||Default Storage Size||Large Storage Size||X-Large Storage Size|
|Tiny (up to 10 hosts or 100 VMs)||250 GB||775 GB||1650 GB|
|Small (up to 100 hosts or 1,000 VMs)||290 GB||820 GB||1700 GB|
|Medium (up to 400 hosts or 4,000 VMs||425 GB||925 GB||1805 GB|
|Large (up to 1,000 hosts or 10,000 VMs)||640 GB||990 GB||1870 GB|
|X-Large (up to 2,000 hosts or 35,000 VMs)||980 GB||1030 GB||1910 GB|
Both the vCenter Server and PSC appliance must be installed on a minimum ESXi 6.0 host or later.
Make sure that DNS is working and the name you choose for your vCenter Server Appliance is resolvable before you start installation.
Installation happens from a client machine and needs certain requirements. If using Windows, you can use Windows 7-10, or Server 2012-2016 (x64). Linux users can use SUSE 12 and Ubuntu 14.04. If Mac OS, 10.9-11 and Sierra are all supported.
Installation on Microsoft Windows
This may be covered on the test, but I can’t imagine too many questions since it is being deprecated. That being said, vCPUs and Memory are the same as the appliance. Storage sizes are different. They are:
|Program Files||6 GB||6 GB||1 GB|
|ProgramData||8 GB||8 GB||2 GB|
|System folder (to cache the MSI installer)||3 GB||3 GB||1 GB|
As far as OS’s, it requires a minimum of Microsoft Windows 2008 SP2 x64. For databases you can use the built-in PostgreSQL for up to 20 hosts and 200 VMs. Otherwise you will need Oracle or Microsoft SQL Server.
Objective 1.2 – Identify vCenter high availability (HA) requirements
vCenter High Availability is a mechanism that protects your vCenter Server against host and hardware failures. It also helps reduce downtime associated with patching your vCenter Server. This is from the Availability guide. Honestly, I’m not sure on the last one as it seems as if you are upgrading with an embedded installation, your vCenter might be unavailable for a bit but not very long (unless there is a failure). If distributed, you have other PSCs and vCenter Servers to take up the load. So, I’m not sure if it really works for me in that scenario or not. Perhaps someone might enlighten me later and I’m not thinking it all the way through. Either way…..
vCenter Server High Availability uses 3 VCSA nodes. It uses two full VCSA nodes and a witness node. One VCSA node is active and one passive. They are connected by a vCenter HA network that is created when you set this up. This network is used to replicate data across and connectivity to the witness node. Requirements are:
- ESXi 5.5 or later is required. 3 Hosts are strongly recommended to house all the appliances on different physical hosts. Using DRS is also recommended.
- If using a management vCenter (for the management cluster), vCenter Server 5.5+ is required
- vCenter Server Appliance 6.5+ is required. Your Deployment size should be “Small” at a minimum. You can use VMFS, NFS, or vSAN datastores.
- Latency on the network used for the HA network must be less than 10 ms. It should be on a separate subnet than the regular Management Network.
- A single vCenter Server Standard license is required.
Objective 1.3 – Describe storage types for vSphere
vSphere supports multiple types of storage. I will go over the main types. Local and Networked Storage.
Local storage is storage connected directly to the server. This can include a Direct Attached Storage (DAS) enclosure that is connected to an external SAS card or storage in the server itself. ESXi supports SCSI, IDE, SATA, USB, SAS, flash, and NVMe devices. You cannot use IDE/ATA or USB to store virtual machines. Any of the other types can host VMs. The problem with local storage is the server is a single point of failure or SPOF. If the server fails, no other server can access the VM. There is a special configuration that you can use that would allow sharing local storage however, and that is vSAN. vSAN requires flash drives for cache and either flash or regular spinning disks for capacity drives. These are aggregated across servers and collected into a single datastore or drive. VM’s are duplicated across servers so if one goes down, access is still retained and the VM can still be started and accessed.
Network Storage consists of dedicated enclosures that have controllers that run a specialized OS on them. There are several types but they share some things in common. They use a high-speed network to share the storage, and they allow multiple hosts to read and write to the storage concurrently. You connect to a single LUN through only one protocol. You can use multiple protocols on a host for different LUNs
Fibre Channel or FC is a specialized type of network storage. FC uses specific adapters that allow your server to access it, known as Fibre Channel Host Bus Adapters or HBAs. Fibre Channel typically uses cables of glass to transport their signal, but occasionally use copper. Another type of Fibre Channel can connect using a regular LAN. It is known as Fibre Channel over Ethernet or FCoE.
ISCSI is another storage type supported by vSphere. This uses regular ethernet to transport data. Several types of adapters are available to communicate to the storage device. You can use a hardware ISCSI adapter or a software. If you use a hardware adapter, the server offloads the SCSI and possibly the network processing. There are dependent hardware and independent hardware adapters. The first still needs to use the ESXi host’s networking. Independent hardware adapters can offload both the ISCSI and networking to it. A software ISCSI adapter uses a standard ethernet adapter and all the processing takes place in the CPU of the hosts.
VMware supports a new type of adapter known as iSER or ISCSI Extensions for RDMA. This allows ESXI to use RDMA protocol instead of TCP/IP to transport ISCSI commands and is much faster.
Finally, vSphere also supports the NFS 3 and 4.1 protocol for file-based storage. Unlike the rest of the storage mentioned above, this is presented as a share to the host instead of block-level raw disks. Here is a small table on networked storage for easier perusal.
|Fibre Channel||FC/SCSI||Block access||FC HBA|
|Fibre Channel over Ethernet (FCoE)||FCoE / SCSI||Block access||
|NAS||IP / NFS||File level||Network adapter|
Objective 1.4 – Differentiate between NIOC and SIOC
NIOC = Network I/O Control
SIOC = Storage I/O Control
Network I/O Control allows you to determine and shape bandwidth for your vSphere networks. They work in conjunction with Network Resource Pools to allow you to determine bandwidth for specific types of traffic. You enable NIOC on a vSphere Distributed Switch and then set shares according to needs in the configuration of the VDS. This is a feature requiring Enterprise Plus licensing or higher. Here is what it looks like in the UI.
Storage I/O Control allows cluster wide storage I/O prioritization. You can control the amount of storage I/O that is allocated to virtual machines to get preference over less important virtual machines. This is accomplished by enabling SIOC on the datastore and set shares and upper limit IOPS per VM. SIOC is enabled by default on SDRS clusters. Here is what the screen looks like to enable it.
Objective 1.5 – Manage vCenter inventory efficiently
There are several tools you can use to manage your inventory easier. vSphere allows you to use multiple types of folders to hold your vCenter inventory. Folders can also be used to assign permissions and set alarms to objects. You can put multiple types of objects inside of a folder but only one type per folder. For example, if you had VMs inside a folder, you wouldn’t be able to add a host to it.
vApps is another way to manage objects. They can be used to manage other attributes as well. You can assign resources and even startup order with vApps.
You can use Tags and Categories to better organize and make your inventory searchable. You create them off the main menu. There is a menu item called Tags and Custom Attributes
You can create Categories such as “Operating Systems” and then Tags such as “Window 2012” and others. This sort of action will make your VMs easier to manage and search for things. You then can see the tags on the summary of the VM as shown here.
Tags can be used for rules on VMs too. You can see this (although a bit branded) by reading a blog post I wrote for Rubrik here.
Objective 1.6 – Describe and differentiate among vSphere HA, DRS, and SDRS functionality
HA is a feature designed for VM resilience. The other two, DRS and SDRS are for managing resources. HA stands for High Availability. HA works by pooling all the hosts and VMs into a cluster. Hosts are monitored and in the event of a failure, VMs are re-started on another host.
DRS stands for Distributed Resource Scheduling. This is also a feature used on a host cluster. DRS is a vSphere feature that will relocate VMs and make recommendations on host placement based on current load.
Finally, SDRS is Distributed Resource Scheduling for Storage. This is enabled on a Datastore cluster and just like DRS will relocate the virtual disks of a VM or make recommendations based on usage and I/O Load.
You can adjust whether or not DRS/SDRS takes any actions or just makes recommendations.
Objective 1.7 – Describe and identify resource pools and use cases
The official description of a resource pool is a logical abstraction for flexible management of resources. My unofficial description is a construct inside vSphere that allows you to partition and control resources to specific VMs. Resource pools partition memory and CPU resources.
You start with the root resource pool. This is the pool of resources that exists at the host level. You don’t see it, but it’s there. You create a resource pool under that that cords off resources. It’s also possible to nest resource pools. For example, if you had a company and inside that company you had departments, you could partition resources into the company and departments. This works as a hierarchy. When you create a child resource pool from a parent you are further diminishing your resources unless you allow it to draw more from further up the hierarchy.
Why use resource pools? You can delegate control of resources to other people. There is isolation between pools so resources for one doesn’t affect another. You can use resource pools to delegate permissions and access to VMs. Resources pools are abstracted from the hosts’ resources. You can add and remove hosts without having to make changes to resource allocations.
You can identify resources pools by their icon.
When you create a resource pool, you have a number of options you will need to make decisions on.
Shares – Shares can be any arbitrary number you make up. All the shares from all the resource pools added up will equal to a total number. That total number will be total of the root pool. For example. If you have two pools that each have 8000 shares, there are a total of 16,000 shares and each resource pool makes up half of the total, or 8,000/16,000. There are default options available as well in the form of Low, Normal, and High. Those will equal 1,000/2,000, and 4,000 shares respectively.
Reservations – This is a guaranteed allocation of CPU or memory resources you are giving to that pool. Default is 0. Reserved resources are held by that pool regardless if there are VMs inside it or not.
Expandable Reservation is a check box that allows the pool to “borrow” resources from its parent resource pool. If this is the parent pool, then it will borrow from the root pool.
Limits – specify the upper limit of what a resource pool can grab from either CPU or memory resources. When teaching VMware’s courses, unless there is a definite reason or need for it, you shouldn’t use limits. While shares only work when there is contention (fighting among VMs for resources) limits create a hard stop for the VM even if resources are high. Usually there is no reason to limit how much resources a VM would be able to use if there is no contention.
In past exams, there were questions asking you calculate resources given a number of resource pools. Make sure you go over how to do that.
Objective 1.8 – Differentiate between VDS and VSS
VDS and VSS are networking constructs in vSphere. VDS is Virtual Distributed Switch and VSS is Virtual Standard Switch.
Virtual Standard Switch is the base switch. It is what is installed by default when ESXi is deployed. It has only a few features and requires you to configure a switch on every host. As you can imagine, this can get tedious and difficult to make these exactly the same. Which is what you need to do in order for VM’s to seamlessly move across hosts. You could create a host profile template to make sure they are the same, but then you lose the dynamic nature of switches.
Standard Switches create a link between physical NICs and virtual NICs. You can name them essentially whatever you want, and you can assign VLAN IDs. You can shape traffic but only outbound. Here is a picture I lifted from the official documentation for a pictorial representation of a VSS.
VDSs on the other hand add a management plane to your networking. Why is this important? It allows you to control all your host networking through one UI. This does require a vCenter and a certain level of licensing. Enterprise Plus or higher unless you buy vSAN licensing. Essentially you are still adding a switch to every host, just a little bit fancier one that can do more things and you only have to change once.
There are different versions of VDS you can create which are based on the version they were introduced with. Each version has its own features. A higher version retains all the features of the lower one and adds to it. Some of those features include Network I/O Control (NIOC) which allows you to shape your bandwidth incoming and outgoing. VDS also includes a rollback ability so that if you make a change and it loses connectivity, it will revert the changes automatically.
Here is a screenshot of me making a new VDS and some of the features that each version adds:
Here is a small table showing the differences between the switches.
|Feature||vSphere Standard Switch||vSphere Distributed Switch|
|Outbound traffic shaping||Yes||Yes|
|Inbound traffic shaping||No||Yes|
|VM port blocking||No||Yes|
|Private VLANs||No||Yes (3 Types – Promiscuous, Community, Isolated)|
|Load Based Teaming||No||Yes|
|Backup and restore network configuration||No||Yes|
|Link Layer Discovery Protocol||No||Yes|
Objective 1.9 – Describe the purpose of cluster and the features it provides
A vSphere cluster is a group of ESXi host machines. When grouped together, vSphere aggregates all of the resources of each host and treats it like a single pool. There are a number of features and capabilities you can only do with clusters. Here is a screenshot of what you have available to you. I will now go over them.
Under Services you can see DRS and vSphere Availability (HA). You also see vSAN on the list, as vSAN requires a cluster as well. We’ve already covered HA and DRS a bit but there are more features in each.
DRS Automation – This option lets vSphere make VM placement decisions or recommendations for placement. I trust them with Fully Automated as you can see in the window above. There are a few situations here and there where you might not want to, but 90% of the time I would say trust it. The small use cases where you might turn it off might be something like vCD deployments, but you could also just turn down the sensitivity instead. You have the following configuration options:
- Automation Level – options are Fully Automated, Partially Automated and Manual. Fully automated provides placement at VM startup and moves VMs as needed based on Migration Threshold. Partially Automated places the VM at startup and makes recommendations for moving but doesn’t actually move without approval. Manual will only make recommendations and requires you to accept them (or ignore).
- Migration Threshold – This is how sensitive the cluster is to resource imbalance. It is based on a scale of 1-5, 5 being the most sensitive. If you set it to 5, if vSphere thinks there is any benefit to moving the VM to a different host, it will do so. 1 is lazy and won’t move anything unless it has to satisfy cluster constraints. 3 is default and usually a good balance.
- Predictive DRS – Using real-time metrics and metrics pulled in through vRealize Operations Manager, vSphere tried to predict (based on past performance) when additional resources might be needed by a VM and move it to a host that can provide them.
- Virtual Machine Automation – This allows you to override DRS settings for individual VMs.
- VM Distribution – This allows you to try to spread the number of VMs evenly through your cluster hosts. This prevents any host from being too heavy with VMs even though it might have the resources to support them.
- Memory Metric for Load Balancing – This load balances your VMs across hosts based on consumed memory instead of active memory. This can bite you if you overcommit a host’s memory if all your hosts actually start using the memory you have assigned to them. So don’t overcommit if you use this setting.
- CPU Over-Commitment – You can limit the amount of over-commitment for CPU resources. This is done on a ratio basis. (20 vCPUs : 1 physical CPU for example)
- DPM – Distributed Power Management (should be Dynamic Power Management ). This allows you to keep the hosts turned off unless they are needed to satisfy resource needs. This saves power in your datacenter. It will use Wake-On-LAN, IPMI, iDRAC, or iLO to turn the hosts on. You can override individual hosts.
- Automation Level – You can set this to Manual or Automatic
- DPM Threshold – Just like DRS Migration Threshold, this changes sensitivity on a scale of 1-5, with 5 being the most sensitive. If resource utilization gets high, DPM will turn on another host to help with the load.
vSphere Availability (HA)
There are a number of configuration options to configure. Most defaults are decent if you don’t have a specific use case. Let’s go through them.
- Proactive HA – This feature receives messages from a provider like Dell’s Open Manage Integration plugin and based on those messages will migrate VMs to a different host due to impending doom of the original host. It can make recommendations on the Manual mode or Automatically. After all VMs are off the host, you can choose how to remediate the sick host. You can either place it in maintenance mode, which prevents running any workloads on it. You can also put it in Quarantine mode which will allow it to run some workloads if performance is affected. Or a mix of those with…. Mixed Mode.
- Failure Conditions and responses – This is a list of possible host failure scenarios and how you want vSphere to respond to them. This is better and give you wayyy more control than in the past.
- Admission Control – What good is a feature to restart VMs if you don’t have enough resources to do so? Not very. Admission Control is the gatekeeper that makes sure you have enough resources to restart your VMs in the case of host failure. You can ensure this a couple of ways. Dedicated failover hosts, cluster resource percentage, slot policy, or you can disable it. Dedicated hosts are like a dedicated hot spare in a RAID. They do no work or run no VMs until there is a host failure. This is the most expensive (other than a failure itself). Slot policy takes the largest VM’s CPU and the largest VM’s memory (can be two different VMs) and makes that into a “slot” then it determines how many slots your cluster can satisfy. Then it looks at how many hosts can fail and still keep all VMs powered on. Cluster Resources Percentage looks at total resources needed and total available and tries to keep enough to lose a certain number of hosts you specify. You can also override and set a specific percentage to reserve. For any of these policies, if the cluster can’t satisfy needed VMs it will prevent new VMs from turning on.
- Heartbeat Datastores – This is used to monitor hosts and VMs when the HA network as failed. Using this it can determine if the host is still running or if a VM is still running by seeing the lock files. This automatically tries to make sure that it has at least 2 datastores that all the hosts have connectivity to. You can specify more or specific datastores to use.
- Advanced Options – You can use this to set advanced options for the HA Cluster. One might be setting a second gateway to determine host isolation. To use this you will need to set two options. 1) das.usedefaultisolationaddress and 2) das.isolationaddress[…] The first specifies not to use the default gateway and the second sets additional addresses.
Clusters allow for more options then I’ve already listed. You can set up Affinity and Anti-Affinity rules. These are rules setup to keep VMs on certain hosts, or away from others. You might want a specific VM running on a certain host due to licensing or for a specific piece of hardware only a specific host has. Anti-affinity rules might be setup for something like Domain Controllers. You wouldn’t place them on the same host for availability reasons, so you would setup an Anti-Affinity rule so that both of them would always be on different hosts.
EVC Mode is also a cool option enabled by clusters. EVC or Enhanced vMotion Compatibility allows you to take different generation hosts and still allows you to migrate them. Different generation processors have different features and options on them. EVC masks the newer ones so there is a level feature set. This means you might not receive all the benefits of a newer processors though. And a lot of newer processors are more efficient therefore lower clock speed. If you mask off those efficiencies, then you are just left with the lower clock speeds. Be mindful of that when you use it. You can enable it on a per VM basis making it more useful.
Objective 1.10 – Describe virtual machine (VM) file structure
A VM is nothing more than files and software. Hardware is emulated. It makes sense to understand the files that make up a VM then. Here is a picture depicting files you might see in a VM folder lifted from VMware’s book.
Now as for an explanation of those files.
- .vmx file – This is the file vSphere uses to know what hardware to present. This is essentially a list of the hardware and locations of other files (like the virtual disk). It is also the file used when adding a VM to vSphere inventory.
- .vswp – This file is what vSphere uses much the same way Microsoft uses a page file. When it runs out of actual physical memory or experiences contention on the host, it will use this file to make up the difference. As expected, since this is using a disk instead of RAM, it will be much slower.
- .nvram – This file emulates a hardware BIOS for a VM.
- .log – These are log files for the individual VM. It captures actual errors from the VM such as when a Microsoft Windows machine blue screens (crashes). These can be used for troubleshooting purposes. The file name increments vSphere maintains up to 6 log files at a time. vSphere will delete the oldest file first as it needs to.
- .vmtx – This only occurs if the VM is a template. In that case the. vmx will change to a. vmtx
- .vmdk – This is the disk descriptor file. No actual data from the VM is housed here. Rather the location of the blocks of the actual disk and other information about it are found inside.
- -flat.vmdk – This is the actual data of the VM. This is hidden unless you look in the CLI. If the VM has multiple disks there will be more than one of this and the. vmdk
- .vmsd – This is the snapshot list. If there are no snapshots, then this file is empty.
- -delta.vmdk – this file is the delta disk if there is a active snapshot. The original flat-vmdk is frozen and all I/O is routed to this -delta instead.
- -.ctk – Not shown in the graphic above, this is the Change block tracking file. This is used for programs like vSphere Data Protection or other backup programs.
- -.lck – Also not shown in the graphic, this is a lock file placed in the directory showing that the VM is turned on (or the host thinks it is).
Objective 1.11 – Describe vMotion and Storage vMotion technology
There are several ways to move VMs around in your environment. vMotion and Storage vMotion are two types of migration. The first thing I do, when I taught this, was ask, what do you really need to move to move a VM? The main piece of what make up a VM is the memory. CPU resources are used briefly. When you perform a vMotion, what you are really doing is just moving active memory to a different host. The new host will then start working on tasks with the CPU. All pointers in the files that originally point to the first host have to be changed as well. So how does this work?
- First copy pass of the memory is moved over the new host. All users continue to use the VM on the old host and possibly make changes. vSphere will note these changes in a modified memory bitmap on the source host.
- After the first pass happens, the VM is quiesced or paused. During this pause, the modified memory bitmap data is copied to the new host.
- After the copy, the VM begins running on the new host. A reverse ARP is sent that notifies everyone that this is where the VM is now and forward requests to the new address.
- Users now use the VM on the new host.
Storage vMotion is moving the VM files to another datastore. Let’s go through the steps
- Initiate the svMotion in the UI.
- vSphere uses something called the VMkernel data mover or if you have a storage array that supports vSphere Storage APIs Array Integration or VAAI to copy the data.
- A new VM process is started
- Ongoing I/O is split using a “mirror driver” to be sent to the old and new vmdks while this is ongoing.
- vSphere cuts over to the new VM files.
This is slightly different than the vMotion process as it only needs one pass to copy all the files due to using the mirror driver.
There is one other type of migration called Cross-Host vSphere vMotion or Enhanced vMotion depending on who you ask. This is a combination of vMotion and svMotion at the same time. This is also notable because this allows you to migrate a VM while using local storage.
There are limitations on vMotion and svMotion. You need to be using the same type of CPUs (Intel or AMD) and the same generation, unless you are using EVC. You should also make sure you don’t have any hardware that the new host can’t support. CD-ROMs etc. vMotion will usually perform checks before you initiate it and let you know if there are any issues. You can migrate up to 4 VMs at the same time on a 1Gbps or 8 VMs on a 10Gbps network per host. 128 concurrent vMotion is the limit per VMFS datastore.
While brainstorming about one of our labs, the question was raised on whether you can upsize your VCSA while upgrading to a newer version. Specifically, from 6.5u2 to 6.7U1 (build 8815520 to 11726888). We wanted to upgrade to the latest version but we also believe we had outgrown the original VCSA size that we deployed. VMware has made this really simple. I did a quick test in my home lab, and that is what this post will be based on.
To start you obtain the VCSA .iso that you are going to upgrade to. After you download it, you go ahead and mount it. Just like you would with a normal install/upgrade, run the appropriate installer. For me it is the Windows one which is located under the \vcsa-ui-installer\win32 directory. The installer.exe launches the following window:
We chose the Upgrade icon here. The next screen lets you know this is a 2-stage process. How it will perform this is:
- It will deploy a new appliance that will be your new vCenter.
- All of your current data and configurations will be moved over from the old VCSA to the new.
After the copy process is complete it will power off the old VCSA but not delete it. Move to the next screen and accept the License Agreement. The third screen looks like this:
You need to put in the information of the source VCSA that you will be migrating from here. Once you click Connect To Source it will ask you for more info. Specifically, what is your source VCSA being hosted on. This could be a single host or it could be another vCenter.
You will be asked to accept the SSL Certificates. The next screen will ask you for where you are going to put the new appliance. This can be either a host or a vCenter instance.
Step 5 is setting up the target appliance VM. This is the new VCSA that you will be deploying. Specifically, what do you want to name it and what the root password is.
Step 6 is where we can change the size of the deployment. I had a tiny in the previous deployment and I decided that was too small. This time I want to go one step up to the “Small” size. You can see the deployment requirements listed below in a table.
Next step is configuring your network settings.
And the last screen to this stage is just to confirm all your settings. This will then deploy the appliance (during which you grab a nice glass of scotch and wait…preferably something nice like my Macallan 12yr)
Once that has been finished, you are off to Part 2 of the process: Moving your information over. The first screen you will be presented with (after running checks) is Select Upgrade Data. You will be given a list of the data you can move over and approximate number of scotches you will need for the wait. (Maybe that last part is made up, but hey you can find out anyway amirite?)
Since my environment that I am moving is relatively pristine, I don’t have much data to move. It is estimating 39 min but it actually took less time. You make your decision (seems pretty straightforward what kind of data you would be interested in) and move to the next screen which is whether you join VMware’s CEIP program or Customer Experience Program. The last screen before the operation kicks off is a quick summary and then a check box at the bottom asking you to make sure you were a decent sysadmin and backed up the source vCenter before you start this process. I personally did not on this, but like I said there was no data on it anyways. So we kick off the operation.
Clicking Finish gives you notification box that the source vCenter will be shutdown once this is complete. Acknowledge that and away we go!
Once completed successfully, you are given the prompt to enter into your new vCenter which I have done here and here is the brand new shiny.
I will also link the video here to the process. The video is about 15 min long (truncated from about 45 min total) Disclaimers include: There are many more things you will need to think about before doing this to a production environment. Among them are, will all the versions of VMware products I have work together. You can find that out by referencing here:
Interoperability Matrix for VMware products
You also need to make sure you can Upgrade from your current version to the selected version by going to the same page above but on the Upgrade Path
Another really important thing to consider is what order you need to upgrade your products. You can find that for 6.7 here.
Update sequence for vSphere 6.7 and its compatible VMware products (53710)
Wow, so there was a ton of activity that happened last week. VMworld 2018 US edition has now passed and was amazing. This particular one was pretty sweet for me as this marked a number of firsts for me. While I’ve been before, this is the first time I’ve played a role other than just visiting sessions and HOL’s. While that was enjoyable and a great learning experience, being able to experience the setup, breakdown and behind the scenes of what goes on for a company’s booth, was completely eye-opening. The sheer amount of work involved was completely exhausting. Not to mention the work continued after hours as well. There were parties, customer dinners, and planning sessions non-stop. I can’t even begin to say how much I enjoyed working with the Rubrik marketing team and also being able to socialize with all the great community that is always there at these events. But what actually went on? I will describe some of the activities I was able to be part of, but also some of the highlights that happened.
Saturday – I arrived mid-morning and was able to get to my hotel, through check-in, and back to the expo around 10:30-11am. This is where some of the work began for our team. I helped setup the servers and environment for the booth that would be used for demos. Other members of our team were already there and working hard before I even got there. The expo floor looks really weird at this point as there is not much put together and just lots of equipment and building blocks lying around. While the construction crew worked on the booth itself, we continued working on the demo environment until about 6ish (with the 2hr time change for me, ended up being a long day having started around 5am CST). We were well taken care of as most nights we had dinners already planned for us.
Sunday – We continued working on finishing the demo environment and worked on setting up the demo stations. The construction on the booth was nearing completion and things were really starting to take shape. As a side note, the team that worked on our booth did really considering I think our booth was one of the best-looking and ambitious ones there – no bias of course . Everything was ready to go when the expo floor opened up at 5pm for the Welcome Reception. The welcome reception went well and I was able to mill around a bit finding friends I haven’t seen for a while. After dinner I pretty much passed out.
Monday – This was another great day, lots of check in’s through the day back at the booth and seeing great friends and getting ready for that night. I had my first ever booth presentation at the Pure booth as well. Been a while since I’ve spoke in front of strangers in this capacity so it was a bit unnerving. In full disclosure, even when I was an Instructor at Dell, I still was a bundle of nerves. Always been a bit of an introvert but constantly working on trying to change that. What made it even more exciting was that I was allowed to raffle a couple of VIP passes to bypass the line getting into our party later that night. The presentation went well and was able to present Rubrik’s tech and how we integrate with Pure to about 50 attendees.
Moving on from there we had the big party that night. Run DMC and The Roots were the main attraction. Even the DJ music leading up to it was good. Everyone had a lot of fun and we ended up with about 1500+ attendees for the party. There were large lines waiting to get in so the employee bands came in handy.
Tuesday – Recovering from the night before was a little difficult but was able to get up and checked on demo machines to make sure everything was running smooth for the demos. Then I went to see more people I haven’t seen in forever. Evening was taken up with team meetings and other fun stuff.
Wednesday – Brought an end to the solutions expo. That meant we could start packing everything up. Which we did. We ended up needing to run over some to the next day, but we were able to get the majority of equipment turned off and organized for packing. Later that night I went to what started as a LAN party but ended up as a Cards Against Humanity. There may have been a few incidents that involved security being called .
Thursday – We finished up and then I was able to grab a flight out at 1.50pm and made it home around 9pm-ish. Ended up inside for the weekend as I caught some sort of flu or cold bug (yay planes and conferences) and still trying to get over it as I’m writing this. Some of the things I enjoyed as far as announcements:
20TH Anniversary for VMware!
Tattoos on Pat G./Sanjay P./Yanbing Li. – Though the permanence of some of them is questioned
vSphere 6.7 Update 1 – This is bringing a bunch of updates most notable Full Featured HTML5 client and vMotion and snapshot capabilities for vGPUs.
vSphere Platinum Edition – This new licensing includes AppDefense
New versions of vRealize Operations (7.0) and Automation (7.5)
Amazon RDS on vSphere – Relational DBs on VMware AWS. This will allow companies to run RDS and not have to worry about the management of it. Management can be done through a single, simple interface. You can also use it to create a hybrid setup between on-site and cloud enabling all sorts of use cases. SQL, Oracle, PostgreSQL, MySQL, and MariaDB will all be supported.
Amazon AWS expansion to Asia Pacific Region and Sydney – This marks that VMware’s presence extends to all major geographies.
Lower price of Entry for VMC on AWS – 3 Host min, license optimization for MS/Oracle apps. There is also a single host SDDC to test with and play around with. (This was intro’d a bit before VMworld.) You can specify host affinity for VMs and number of cores that an application requires.
VSAN on EBS – Scale from 15-35TB per host in increments of 5TB.
Accelerated live migration – VMware HCX now allows you to migrate just about any VM from on-premises to VMC
Project Dimension – Combines VMware Cloud Foundation (in HCI) with a Cloud Control Plane. So far this is looking like something like Azure Dev Stack, where VMware will take care of the hardware and software patching for the SDDC and the customer worries about apps at the customer site.
ESXi on 64-Bit ARM – details are still light.
These are not every single one of the announcements but the ones I most relate to.
My info was sourced from the following places and …. Being there.
Underneath todays objective we have the following topics:
- Add Layer 2 Bridging
- Connect Layer 2 Bridging to the appropriate distributed virtual port group
So first let’s do a little background on what we are doing and more importantly the why. Layer 2 bridging in this case, is an ability we have in NSX to take a workload that currently only exists in our NSX world and “bridge” that with the outside world. We could use this to reach a physical server being used as a proxy or gateway for example. We create this bridge between a logical switch inside NSX and it routes out to a VLAN. I am going to borrow the picture from the NSX guide to try to simplify it a bit more. (credit to VMware for the pic)
In the above picture you have the NSX VXLAN 5001 that is running our workload inside ESXi. We have a need to communicate to a physical workload labeled as such. In order to do that, we have an NSX Edge logical router that has L2 bridging enabled on it. The Bridging tab itself will allow us to choose a logical switch and distributed port group that will be connected together. To do this here are the following steps:
- If you don’t already have one, you will need to deploy a new Logical Router. To do that, you will need to go to the NSX Edges subsection of the Networking and Security screen of NSX.
- Click on the green + icon on the middle pane
- The first information you will need to fill out will be Install Type, and Name. The rest of the options we won’t go over in this walkthrough.
- We will need to select Logical Router as the Install Type and then type in a name.
- On the next screen, we will need to input a password for the Edge device.
- On the Configure Deployment Screen, we will need to add an actual appliance here by clicking on the green + icon.
- This popups with a screen for us to select where we wish to place the device’s compute and storage resources.
- On the Configure Interfaces screen, I’ve chosen to connect it to my management network. You don’t really need to configure an interface as the actual bridging work will be done by a different mechanism.
- You can click past the Default Gateway screen.
- Click Finish on the Ready to Complete screen and away you go.
Now the actual bridging mechanism is found by going into the Edge itself
- Double click on the Edge device you are going to use for bridging.
- Click on Manage, then on Bridging tabs in the center pane.
- To add a bridge, click on the green + arrow
- Give the Bridge a name, select the Logical Switch you are bridging, and the VLAN Port Group you will be bridging to. (Just as a side note, none of the normal dv Port Groups will show up unless you have a VLAN assigned to them. Something I discovered while writing this )
- Once you click Ok, you will exit out to the Bridging screen again, and you will now need to publish your changes to make it work.
- Once published, you will have a Bridging ID
- You can have more than one Bridge using the same Edge device, but they won’t be able to bridge the same networks. In otherwords you can’t use a bridge to connect the same VXLAN to two different VLAN Port Groups.
And that covers this objective. Stay tuned for the next objective!
So I can’t take really any credit for this blog post as the original work was all done by William Lam. I have my own homelab and also maintain a few labs at work that are hidden off in their own networks. This little trick comes in real handy. Mainly because I have quite a few environments to log into and it makes it simple when I don’t need to remember which domain they are under. The location of the file has changed under 6.5 and 6.7 so I just figured I would update his original post with the location in the new versions.
The file in question is unpentry.jsp that needs to be modified. In version 6.0 the file is located at /usr/lib/vmware-sso/vmware-sts/webapps/websso/WEB-INF/views/unpentry.jsp. The new file is located at /usr/lib/vmware-sso/vmware-sts/webapps/ROOT/WEB-INF/views/unpentry.jsp.
Obviously, the actual login info will match your environment. Once those are modified and saved, you will see the wonderful screen when pulling up your environment:
You may need to click on the fields for the Login button to light up, but hey….no more typing username and passwords in!
Thanks again to William for the info. Now if we could just get a skin creator/ theme engine for the HTML5 client………
Recovering from dual hernia surgery and changing job roles…….it’s me and I’m back. Moving back into the Blueprint, we are working on Objective 2.1 – Create and Manage Logical Switches. We will be covering the following points in this blog post.
- Create and Delete Logical Switches
- Assign and configure IP addresses
- Connect a Logical Switch to an NSX edge
- Deploy services on a Logical Switch
- Connect/Disconnect virtual machines to/from a Logical Switch
- Test Logical Switch connectivity
First it would probably be appropriate to make sure that we know what a logical switch can do. Just like its physical counterpart, an NSX switch can create a logical broadcast domain and segment. This keeps broadcasts from one switch from spilling over to another and saving network bandwidth. Feasibly you can argue that the network bandwidth is a bit more precious than real network bandwidth because it requires not only real network bandwidth but also requires processing on the side of the hosts (whereas normal network bandwidth would be processed by the ASIC on the physical network switch).
A logical switch is mapped to a unique VXLAN which then encapsulates the traffic and carries it over the physical network medium. The NSX controllers are the main center where all the logical switches are managed.
In order to add a logical switch, you must obviously have all the needed components setup and installed (NSX manager, controllers, etc) I am guessing you have already done that.
- In the vSphere Web Client, navigate to Home > Networking & Security > Logical Switches.
- If your environment has more than one NSX Manager, you will need to select the one you wish to create the switch on, and if you are creating a Universal Logical Switch, you will need to select the primary NSX Manager.
- Click on the green ‘+’ symbol.
- Give it a name and optional description
- Select the transport zone where you wish this logical switch to reside. If you select a Universal Transport Zone, it will create a Universal Logical Switch.
- You can click Enable IP Discovery if you wish to enable ARP suppression. This setting is enabled by default. This setting will minimize ARP flooding on this segment.
- You can click Enable MAC learning if you have VMs that have multiple MAC addresses or Virtual NICs that are trunking VLANs.
The next point, assign and configure IP addresses, is a bit confusing. There is no IP address you can “assign” to just the logical switch. There is no interface on the switch itself. What I am guessing they meant to say here was that you should be familiar with adding an Edge Gateway interface to a switch, and adding a VM to the switch. Both of these would in a roundabout way assign and configure a subnet or IP address to a logical switch. That’s the only thing I can think of anyways.
The next bullet point is, connecting a logical switch to an NSX Edge. This is done quickly and easily.
- While you are in the Logical Switches section (Home > Networking & Security > Logical Switches), you would then click on the switch you want to add the Edge device to.
- Next, click the Connect an Edge icon.
- Select the Edge device that you wish to connect to the switch.
- Select the interface that you want to use.
- Type a name for the interface
- Select whether the link will be internal or uplink
- Select the connectivity status. (Connected or not)
- If the NSX Edge you are connecting has Manual HA Configuration selected, you will need to input both management IP addresses in CIDR format.
- Optionally, edit the MTU
- Click Next and then Finish
The next bullet point covers deploying services on a logical switch. This is accomplished easily by:
- Click on Networking & Security and then click on Logical Switches.
- Select the logical switch you wish to deploy services on.
- Click on the Add Service Profile Icon.
- Select the service and service profile that you wish to apply.
There is an important caveat here, the icon will not show up unless you have already installed the third party virtual appliance in your environment. Otherwise your installation will look like mine and not have that icon.
The next bullet point, Connecting and Disconnecting VMs from a Logical Switch is also simply done.
- While in the Logical Switch section (kind of a theme here huh?), right click on the switch you wish to add the VM to.
- You have the option to Add or Remove VMs from that switch – as shown here in the pic
The final point, testing connectivity, can be done numerous ways. The simplest way would just be to test a ping from one VM to another. This could be done on pretty much any VM with an OS on it. You can even test connectivity between switches (provided there is some sort of routing setup between them. If you only had one VM on that segment (switch) but you had a Edge on it as well, you could pin the Edge interface from the VM as well. There are many ways to test connectivity. And with that, this post draws to a close. I will be back soon with the next Objective Point 2.2 Configure and Manage Layer 2 Bridging.