Virtualization Adapted: Adapting Business Processes for Virtual Infrastructure (and vice-versa)

2010/09/10

vsphere security best practices

Filed under: Uncategorized — iben @ 07:54

VMware ESX 4.1 and vCenter Server 4.1

Background:

Follow the security principles of:
– separation of duties
– least privilege

Harden the hypervisor: upgrade to vSphere ESXi 4.1

Give the LAN back to the Network Team

Implement the Cisco Nexus 1000v and only assign ports to active systems.

Audit and control access

Use a tool like HyTrust to eliminate configuration drift and track and control system access.

Using Roles to Assign Privileges

A role is a predefined set of privileges. Privileges define individual rights that a user requires to perform actions and read properties.
When you assign a user or group permissions, you pair the user or group with a role and associate that pairing with an inventory object. A single user might have different roles for different objects in the inventory. For example, if you have two resource pools in your inventory, Pool A and Pool B, you might assign a particular user the Virtual Machine User role on Pool A and the Read Only role on Pool B. These assignments would allow that user to turn on virtual machines in Pool A, but not those in Pool B. The user would still be able to view the status of the virtual machines in Pool B.
The roles created on an ESX/ESXi host are separate from the roles created on a vCenter Server system. When you manage a host using vCenter Server, the roles created through vCenter Server are available. If you connect directly to the host using the vSphere Client, the roles created directly on the host are available.
vCenter Server and ESX/ESXi hosts provide default roles:

  • System roles
    • System roles are permanent. You cannot edit the privileges associated with these roles.
  • Sample roles
    • VMware provides sample roles for convenience as guidelines and suggestions. You can modify or remove these roles.

You can also create roles.
All roles permit the user to schedule tasks by default. Users can schedule only tasks they have permission to perform at the time the tasks are created.
Note: Changes to permissions and roles take effect immediately, even if the users involved are logged in. The exception is searches, where permission changes take effect after the user has logged out and logged back in.

Details:

Best Practices for vCenter Roles and Permissions

Use best practices for roles and permissions to maximize the security and manageability of your vCenter Server environment.
VMware recommends the following best practices when configuring roles and permissions in your vCenter Server environment:

  • Use folders to group objects to correspond to the differing permissions you want to grant for them.
  • Grant permissions to groups rather than individual users.
  • Grant permissions only where needed. Using the minimum number of permissions makes it easier to understand and manage your permissions structure.
  • If you assign a restrictive role to a group, check that the group does not contain the Administrator user or other users with administrative privileges. Otherwise, you could unintentionally restrict administrators’ privileges in parts of the inventory hierarchy where you have assigned that group the restrictive role.
  • Use caution when granting a permission at the root vCenter Server level. Users with permissions at the root level have access to global data on vCenter Server, such as roles, custom attributes, vCenter Server settings, and licenses. Changes to licenses and roles propagate to all vCenter Server systems in a Linked Mode group, even if the user does not have permissions on all of the vCenter Server systems in the group.
  • In most cases, enable propagation on permissions. This ensures that when new objects are inserted into the inventory hierarchy, they inherit permissions and are accessible to users.
  • Use the No Access role to mask specific areas of the hierarchy that you don’t want particular users to have access to.
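To make the Pool A / Pool B example above and the propagation and No Access practices concrete, here is an added Python model of how vCenter resolves a user's effective role; it is not VMware code, and the inventory, principals and privilege names in it are constructed. It assumes that the permission on the object itself or on the nearest propagating ancestor decides, with a direct user permission outranking group permissions at the same level.

```python
from dataclasses import dataclass, field
from typing import Optional

# Roles as sets of privilege names. Constructed sample, not the full vCenter
# privilege catalogue; the role names are the ones the post uses.
ROLES = {
    "Administrator": {"System.View", "VirtualMachine.PowerOn",
                      "VirtualMachine.PowerOff", "Permission.Modify"},
    "Virtual Machine User": {"System.View", "VirtualMachine.PowerOn",
                             "VirtualMachine.PowerOff"},
    "Read Only": {"System.View"},
    "No Access": set(),
}


@dataclass
class Permission:
    principal: str          # "user:<name>" or "group:<name>"
    role: str               # a key of ROLES
    propagate: bool = True  # the "Propagate to Child Objects" check box


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    permissions: list = field(default_factory=list)


def effective_privileges(obj, user, groups=()):
    """Privileges `user` (a member of `groups`) holds on `obj`.

    The object itself is checked first, then each ancestor in turn; the nearest
    level holding a permission for the user or one of the groups decides, and an
    ancestor's permission only counts if it propagates. At that level a permission
    granted to the user directly outranks group permissions (vCenter's rule);
    otherwise the privileges of all matching group roles are combined. No Access
    resolves to an empty set, which is how it masks a subtree.
    """
    me = f"user:{user}"
    mine = {f"group:{g}" for g in groups}
    node, inherited = obj, False
    while node is not None:
        live = [p for p in node.permissions if p.propagate or not inherited]
        direct = [p for p in live if p.principal == me]
        via_group = [p for p in live if p.principal in mine]
        if direct:
            return set(ROLES[direct[0].role])
        if via_group:
            return set().union(*(ROLES[p.role] for p in via_group))
        node, inherited = node.parent, True
    return set()  # no permission anywhere on the path to the root


def can(obj, user, privilege, groups=()):
    return privilege in effective_privileges(obj, user, groups)


def build_sample_inventory():
    """The post's Pool A / Pool B scenario plus a No Access mask and a
    non-propagating grant (all constructed)."""
    root = InventoryObject("vCenter")
    pool_a = InventoryObject("Pool A", root, [Permission("group:vm-ops", "Virtual Machine User")])
    pool_b = InventoryObject("Pool B", root, [Permission("group:vm-ops", "Read Only")])
    vm_a1 = InventoryObject("vm-a1", pool_a)
    vm_b1 = InventoryObject("vm-b1", pool_b)
    # No Access on a folder hides it from a group that would otherwise inherit
    # Virtual Machine User from Pool A.
    restricted = InventoryObject("Restricted", pool_a, [Permission("group:vm-ops", "No Access")])
    vm_secret = InventoryObject("vm-secret", restricted)
    # A permission without propagation stops at the object it is set on.
    pool_c = InventoryObject("Pool C", root, [Permission("user:alice", "Administrator", propagate=False)])
    vm_c1 = InventoryObject("vm-c1", pool_c)
    objects = (root, pool_a, pool_b, vm_a1, vm_b1, restricted, vm_secret, pool_c, vm_c1)
    return {o.name: o for o in objects}


if __name__ == "__main__":
    inv = build_sample_inventory()
    for name in ("vm-a1", "vm-b1", "vm-secret", "Pool C", "vm-c1"):
        print(name, sorted(effective_privileges(inv[name], "alice", ["vm-ops"])))
```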

Use Host Profiles to Apply Permissions to Hosts

When you join a host to an Active Directory domain, you must define roles on the host for a user or group in that domain. Otherwise, the host is not accessible to Active Directory users or groups. You can use host profiles to set a required role for a user or group and to apply the change to one or more hosts.
It is recommended that you follow this procedure for System Administrators (Admin) and Auditors (ReadOnly).

Prerequisites

You must have an existing host profile. See Creating a Host Profile.
Verify that the hosts to which you apply a profile are in maintenance mode.

Procedure

  1. Using the vSphere Client, select View > Management > Host Profiles.
  2. Right-click an existing host profile and select Edit Profile.
  3. Expand the profile tree, and then expand Security configuration.
  4. Right-click the Permission rules folder and select Add Profile.
  5. Expand Permission rules and select Permission.
  6. On the Configuration Details tab in the right pane, click the Configure a permission drop-down menu and select Require a Permission Rule.
  7. Enter the name of the group that should have the role assigned to it.
    1. Use the format DOMAIN\name, where DOMAIN is the name of the Active Directory domain and name is the user name or group name.
  8. Select the Name refers to a group of users check box.
  9. Enter the assigned role name for the user or group (usually Admin or ReadOnly).
    1. The role name is case-sensitive. If this is a system role, you must use the nonlocalized role name. For example, for the Administrator role, enter Admin. For the Read-only role, enter ReadOnly.
  10. Select the Propagate permission check box and click OK.

Reference:

vSphere Datacenter Administration Guide : Setting Up Your Virtual Infrastructure : Managing Users, Groups, Roles, and Permissions : Best Practices for Roles and Permissions
http://pubs.vmware.com/vsphere-esx-4-1/wwhelp/wwhimpl/js/html/wwhelp.htm

2010/09/09

VMworld 2010 Fun Facts

Filed under: Uncategorized — iben @ 20:46
  • VMworld.com set an all time high with 21,000 unique visitors on August 30
  • Over 29,000 tweets on VMworld over 5 days
  • 5,670 attendees came through registration during the first 3 hours of the show on Monday August 30
  • 21,643 pieces of candy consumed at the VMworld Roadside Stop (How many M&Ms in a bag?)
  • 101,470 sodas and 4,852 coffees consumed over 4 days (How many beers?)
  • In 1 day 4,954 granola bars, 3,500 bags trail mix consumed!
  • 718 people who enjoyed the Bungee and Hamster Ball activities at the VMworld Party (I missed this fun.)
  • Just under 11 miles of CAT 5 cable used for the Labs
  • 13,188 attendees used the WiFi (does this mean unique MAC addresses?)
  • 160 VMware spokespeople trained on ITaaS story (What are the qualifications of a “Spokesperson”?)
  • Announced six products, services and two acquisitions globally (Integrien and TriCipher)
  • LabCloud delivered 15,344 labs compared to 4,500 labs in 2009
  • Delivered Over 21,000 lab hours
  • Deployed a total of 145,097 VMs
  • Every hour LabCloud was creating and destroying approximately 4,000 Virtual Machines

2010/06/09

ESX Partitioning

Filed under: virtualization — iben @ 16:28

ESX Partitioning

https://docs.google.com/Doc?docid=0AQRs60J__1-TZGY5bXg1NjNfMTI3MjI0ZnB2ZGo&hl=en


Rename the local VMFS partition during installation. The default name is “Storage1”, but it should be “local-<hostname>”.

ESX hosts have required and optional partitions. The sizes below are suggestions and can be increased if more disk space is available.

Mount point | Size (MB) | Description
/ | 5120 | The / (or “root”) partition stores the ESX system and all files not stored in another custom partition. If this partition is filled to capacity, the ESX host could crash. This is bad.
swap | 1600 |
/var | 2048 | The /var partition stores most system logs. Creating a custom /var partition provides substantial, dedicated log storage space (/var/log) while protecting the / partition from being filled by log files. Normally /var is part of the / partition.
/var/log | 4096 | Same rationale as /var: a dedicated partition for the logs under /var/log, so that log growth cannot fill /var or /.
/var/core | 15360 | Same rationale as /var: a dedicated partition for the core files written under /var/core, so that they cannot fill /var or /.
/opt | 2048 |
/home | 2048 | The /home partition is created as a failsafe to help prevent / from filling up. Service console accounts (not vCenter) each have an associated /home folder. As a best practice, administrators should not use these folders for storage. If service console accounts are to be used and there are multiple users requiring access, the size of this partition may need to be increased. By default, /home is part of the / partition. By creating a custom partition for it, the / partition is protected if /home fills to capacity.
/vmimages | 1024 | Traditionally, /vmimages was used to store CD-ROM images (.ISOs) and floppy disk images (.flp, .img). Most organizations following best practices have moved this from each individual host to a single shared-storage location. However, by default ESX creates a /vmimages folder within /. This makes it dangerously easy for an administrator to mistake it for the shared-storage repository and copy images into it that will fill /. As a failsafe to help prevent this, a small custom /vmimages partition can be created. If the local /vmimages folder is actually used, this size may need to be increased.
/tmp | 2048 | The /tmp partition is also created as a failsafe to help prevent filling the / partition. /tmp is often used to untar support files, temporarily store copied logs and stage patches. By default, /tmp is part of the / partition. By creating a custom partition for it, the / partition is protected if /tmp fills to capacity.
/boot and vmkcore are physical partitions. /, swap, /var/log, and all the optional partitions are stored on a virtual disk called esxconsole-<system-uuid>/esxconsole.vmdk. The virtual disk is stored in a VMFS volume.
You cannot define the sizes of the /boot, vmkcore, and /vmfs partitions when you use the graphical or text installation modes. You can define these partition sizes when you do a scripted installation.
ESX Required Partitions

Partition | Type | Size | Description
/boot | ext3 | The ESX boot disk requires 1.25GB of free space and includes the /boot and vmkcore partitions. The /boot partition alone requires 1100MB. The boot drive usually defaults to the specified /boot partition location. | Stores information required to boot the ESX host system.
/ | ext3 | Calculated dynamically based on the size of the /usr partition. By default, the minimum size is 5GB and no /usr partition is defined. | Contains the ESX operating system and services, accessible through the service console. Also contains third-party add-on services or applications you install.
/vmfs | vmfs3 | The service console must be installed on a VMFS datastore that is resident on a host’s local disk or on a SAN disk that is masked and zoned to that particular host only. | Used to store virtual machines. You can create any number of VMFS volumes on each LUN if the space is available.
vmkcore | vmkcore | Included in the 1.25GB boot-disk requirement listed for /boot. If multiple ESX hosts share a SAN, configure a vmkcore partition with 100MB for each host. | Used to store core dumps for debugging and technical support.
Optional Partitions

You can create optional partitions during or after the ESX installation procedure.

Partition | Type | Size | Location | Description
/home | ext3 | 512MB | Virtual disk in a VMFS volume | Used for storage by individual users.
/tmp | ext3 | 1024MB | Virtual disk in a VMFS volume | Used to store temporary files.
/usr | ext3 | | Virtual disk in a VMFS volume | Used for user programs and data.
/var/log | ext3 | 2000MB | Virtual disk in a VMFS volume | Used to store log files.

Reference

Kickstart Example:

# System bootloader configuration
#bootloader --driveorder=/dev/sda --location=mbr

# Disk partitioning information
# NOTE: the table above states that /boot alone requires 1100MB; raise --size accordingly.
part /boot --fstype=ext3 --size=250 --ondisk=/dev/sda
part :storage1 --fstype=vmfs3 --size=10000 --grow --ondisk=/dev/sda
part none --fstype=vmkcore --size=110 --ondisk=/dev/sda

# Create the .vmdk for the cos on the vmfs partition.
virtualdisk esxconsole --size=7712 --onvmfs=$host:storage1

# Partitioning the cos virtual disk.
part swap --fstype=swap --size=800 --onvirtualdisk=esxconsole
part /var/log --fstype=ext3 --size=2048 --onvirtualdisk=esxconsole
part / --fstype=ext3 --size=3030 --grow --onvirtualdisk=esxconsole
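As an added check for layouts like the kickstart above (my code, not from the post or from VMware), the following Python parses the `part` and `virtualdisk` lines of an ESX kickstart and tests them against the sizes this post gives: 1100MB for /boot, 100MB for vmkcore, the 5120MB suggested for /, and the requirement that the service console partitions fit on the esxconsole virtual disk. The embedded kickstart is a copy of the post's example; the minimums are taken from the partition tables above.

```python
import shlex

# The post's kickstart storage section, embedded (constructed copy) so the
# checker runs offline.
KS_SAMPLE = """
part /boot --fstype=ext3 --size=250 --ondisk=/dev/sda
part :storage1 --fstype=vmfs3 --size=10000 --grow --ondisk=/dev/sda
part none --fstype=vmkcore --size=110 --ondisk=/dev/sda
virtualdisk esxconsole --size=7712 --onvmfs=$host:storage1
part swap --fstype=swap --size=800 --onvirtualdisk=esxconsole
part /var/log --fstype=ext3 --size=2048 --onvirtualdisk=esxconsole
part / --fstype=ext3 --size=3030 --grow --onvirtualdisk=esxconsole
"""

# Minimums (MB) taken from the partition tables above.
MIN_BOOT_MB = 1100
MIN_VMKCORE_MB = 100
SUGGESTED_ROOT_MB = 5120


def parse_storage_lines(text):
    """Turn `part` / `virtualdisk` lines into dicts; other commands and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] not in ("part", "virtualdisk"):
            continue
        entry = {"cmd": tokens[0], "name": tokens[1], "grow": False}
        for opt in tokens[2:]:
            if opt == "--grow":
                entry["grow"] = True
            elif opt.startswith("--") and "=" in opt:
                key, value = opt[2:].split("=", 1)
                entry[key] = value
        entries.append(entry)
    return entries


def check_layout(text):
    """Return a list of findings; an empty list means the layout meets the guide's numbers."""
    findings = []
    entries = parse_storage_lines(text)
    parts = [e for e in entries if e["cmd"] == "part"]
    vdisks = [e for e in entries if e["cmd"] == "virtualdisk"]
    by_name = {p["name"]: p for p in parts}
    by_fstype = {}
    for p in parts:
        by_fstype.setdefault(p.get("fstype"), []).append(p)

    for mount in ("/boot", "/", "swap"):
        if mount not in by_name:
            findings.append(f"missing required partition {mount}")
    if "vmkcore" not in by_fstype:
        findings.append("missing vmkcore partition (no core dump area for support)")
    if "vmfs3" not in by_fstype:
        findings.append("missing vmfs3 partition (nowhere to place esxconsole.vmdk)")
    if "/var/log" not in by_name:
        findings.append("no separate /var/log: log growth can fill /")

    boot = by_name.get("/boot")
    if boot and int(boot.get("size", 0)) < MIN_BOOT_MB:
        findings.append(f"/boot is {boot['size']}MB, guide requires {MIN_BOOT_MB}MB")
    for p in by_fstype.get("vmkcore", []):
        if int(p.get("size", 0)) < MIN_VMKCORE_MB:
            findings.append(f"vmkcore is {p['size']}MB, guide requires {MIN_VMKCORE_MB}MB")

    # Service console partitions must fit inside the virtual disk they are placed on;
    # a --grow partition takes whatever is left after the fixed-size ones.
    for vd in vdisks:
        capacity = int(vd["size"])
        on_disk = [p for p in parts if p.get("onvirtualdisk") == vd["name"]]
        fixed = sum(int(p["size"]) for p in on_disk if not p["grow"])
        if fixed > capacity:
            findings.append(f"partitions on {vd['name']} total {fixed}MB but the disk is {capacity}MB")
        if sum(1 for p in on_disk if p["grow"]) > 1:
            findings.append(f"more than one --grow partition on {vd['name']}")
        root = by_name.get("/")
        if root and root.get("onvirtualdisk") == vd["name"]:
            root_final = capacity - fixed if root["grow"] else int(root["size"])
            if root_final < SUGGESTED_ROOT_MB:
                findings.append(f"/ ends up at {root_final}MB, below the suggested {SUGGESTED_ROOT_MB}MB")
    return findings


if __name__ == "__main__":
    for finding in check_layout(KS_SAMPLE):
        print("-", finding)
```

Run as-is against the post's own kickstart, it reports /boot at 250MB and / ending at 4864MB once swap and /var/log are taken off the 7712MB virtual disk.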

2010/04/27

Run Windows 7 from your iPad

Filed under: virtualization — iben @ 08:43

Run Windows 7 Desktop from your iPad

Introduction

Got (want) a new iPad but not sure how to justify it for business reasons?

Follow this recipe for a sure fire winner that will please everyone who tries it!

Low calorie, safe and secure, and surprisingly reasonable for the budget conscious coupon clippers among us.

Ingredients:

  • 1 Handheld Device – any of these will work
    • iPad 1st or 2nd generation either wifi or 3G will be fine
    • Android tablet device – tested with Dell Streak 5 on Froyo 2.2
  • 1 Bluetooth Keyboard (Optional)
  • Wyse PocketCloud App
  • Wyse PocketCloud Windows Companion application

Directions:

WARNING: Be sure to read entire recipe prior to beginning work. Failure to follow directions could cause your expense report to be rejected by the finance department.

NOTE: We take a detailed, bottom-up approach. This is less about instant gratification, but it ensures your first experience is successful. Once you have it working in a POC (Proof of Concept), adapt this recipe to fit your own environment. Contact me and I can help you get set up based on your business needs.

Configure your Windows 7 Desktop to be accessed via RDP from the Internet.

This can be done at home on a physical machine however most businesses will choose to do this with Virtual Machines hosted on VMware ESX and brokered by VMware View 4 Manager for controlled access from the Internet with RSA 2 Factor Authentication One Time Password Tokens. Be sure the ESX hosts are protected with a tool like the HyTrust Appliance (HTA).

Install the Wyse PocketCloud Windows Companion software on the Windows 7 Desktop.

Pair the bluetooth keyboard with the iPad.

Configure wireless access on the iPad.

Download the PocketCloud App on the iPad.

Use the PocketCloud App on the iPad to connect over the Internet to the Windows 7 Desktop.

Login to the Windows 7 Desktop.

Start the Wyse PocketCloud Companion software on the Windows 7 Desktop

Use the iPad as a remote thin terminal screen.

Use the bluetooth keyboard to give you a real computer like experience.

No mouse? No Problem – just use your fingers to click, double-click, right click, select, copy and paste, etc.

References:

VMware View 4.6 released 2/24 – over 160 bugs fixed and supports Windows 7 SP1 RC 64 bit ODBC DSN http://ht.ly/436ut

http://iben.users.sonic.net/wp//2011/01/review-win7-view-optimization-guide/ <– Windows 7 DVM Setup Guide

Get the Wyse PocketCloud App from the Apple App Store. Many companies will simply purchase a $50 Apple iTunes Gift card and have their employees expense it. Learn more from this web site:

http://www.wyse.com/products/software/pocketcloud/index.asp

http://itunes.apple.com/app/wyse-pocketcloud-remote-desktop/id326512817

  • Updated: Feb 18, 2011
  • Current Version: 2.1.217
  • Support for multi-tasking (background mode)
  • Optional support for Japanese language key entry mechanism.
  • Support for physical keyboard command key mappings (copy, cut, paste)
  • Full screen mode supported for both iPhone and iPad (removal of iPhone/iPad status bar).
  • Application fully supports all device orientations.
  • When connecting at iPad native resolution, screen auto-locks for ease of use.

Wyse PocketCloud Windows Companion:

http://www.wyse.com/supportdownload/PocketCloud/PocketCloud%20Windows%20Companion.exe

Bluetooth keyboards are pretty cheap now. Models are available from Apple, Logitech, and Micro$oft:

http://www.zagg.com/accessories/logitech-ipad-2-keyboard-case <– #1 recommendation! Very Nice @ $100

http://www.engadget.com/2009/12/16/microsoft-bluetooth-mobile-keyboard-6000-the-perfect-travel-key/

http://www.sonyinsider.com/2009/10/25/vaio-bluetooth-keyboard-vgp-bkb1/

News reports on iPad and Windows 7:

http://www.crn.com/mobile/224201173

http://iben.users.sonic.net/wp//2010/04/win7ipad/

2010/04/20

vSphere Network Isolation Addresses

Filed under: virtualization — iben @ 14:45

http://www.vmware.com/pdf/vsphere4/r40_u1/vsp_40_u1_availability.pdf

Network Isolation Addresses

A network isolation address is an IP address that is pinged to determine if a host is isolated from the network. This address is pinged only when a host has stopped receiving heartbeats from all other hosts in the cluster. If a host can ping its network isolation address, the host is not network isolated, and the other hosts in the cluster have failed. However, if the host cannot ping its isolation address, it is likely that the host has become isolated from the network and no failover action is taken.

By default, the network isolation address is the default gateway for the host. Only one default gateway is specified, regardless of how many service console networks have been defined, so use the das.isolationaddress[…] advanced attribute to add isolation addresses for additional networks: for example, das.isolationAddress2 to add an isolation address for your second network, das.isolationAddress3 for the third, and so on up to a maximum of das.isolationAddress9 for the ninth.

When you specify additional isolation addresses, VMware recommends that you increase the das.failuredetectiontime advanced attribute to 20000 milliseconds (20 seconds) or greater. A node that is isolated from the network needs time to release its virtual machines’ VMFS locks if the host isolation response is to fail over the virtual machines (rather than leave them powered on). This must happen before the other nodes declare the node failed, so that they can power on the virtual machines without getting an error that the virtual machines are still locked by the isolated node.

For more information on VMware HA advanced attributes, see “Customizing VMware HA Behavior,” on page 26.

das.isolationaddress
Sets the address to ping to determine if a host is isolated from the network. This address is pinged only when heartbeats are not received from any other host in the cluster. If not specified, the default gateway of the console network is used. This default gateway has to be a reliable address that is available, so that the host can determine if it is isolated from the network. You can specify multiple isolation addresses (up to 10) for the cluster: das.isolationaddressX, where X = 1-10. Typically you should specify one per service console. Specifying too many addresses makes isolation detection take too long and can affect VMware HA behavior.

das.usedefaultisolationaddress
By default, VMware HA uses the default gateway of the console network as an isolation address. This attribute specifies whether or not this default is used (true|false).
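An added checker (my code, not VMware's, written in Python rather than PowerCLI) that applies the rules in the two attribute descriptions above to a cluster's advanced settings: valid das.isolationaddressX names and values, no configuration that turns off the default gateway without supplying a replacement, one address per service console network, and a das.failuredetectiontime of at least 20000 ms whenever extra addresses are set. The `service_consoles` parameter is an assumption of the example, not an HA attribute.

```python
import ipaddress
import re

ISOLATION_KEY = re.compile(r"^das\.isolationaddress(\d*)$")
MIN_FAILURE_DETECTION_MS = 20000   # the recommendation above when extra addresses are set
MAX_INDEX = 10                     # das.isolationaddressX, X = 1-10


def check_ha_isolation(settings, service_consoles=1):
    """Findings for a cluster's HA advanced attributes (empty list = nothing to fix).

    `settings` maps attribute name -> value as typed into the Advanced Options
    dialog (names are matched case-insensitively, as the post mixes both
    spellings). `service_consoles` is the number of service console networks
    on the hosts; it is a parameter of this example, not an HA attribute.
    """
    findings = []
    lowered = {k.lower(): str(v).strip() for k, v in settings.items()}
    addresses = {}
    for key, value in lowered.items():
        m = ISOLATION_KEY.match(key)
        if not m:
            continue
        if m.group(1) and not 1 <= int(m.group(1)) <= MAX_INDEX:
            findings.append(f"{key}: suffix must be 1-{MAX_INDEX}, HA ignores this attribute")
            continue
        try:
            addresses[key] = ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"{key}: {value!r} is not an IP address")

    use_default = lowered.get("das.usedefaultisolationaddress", "true").lower() != "false"
    if not use_default and not addresses:
        findings.append("das.usedefaultisolationaddress=false with no das.isolationaddressX: "
                        "an isolated host has nothing to ping, so it can never tell isolation "
                        "from failure of every other host")
    if len(set(addresses.values())) < len(addresses):
        findings.append("the same isolation address is listed more than once")
    if len(addresses) > service_consoles:
        findings.append(f"{len(addresses)} isolation addresses for {service_consoles} service "
                        "console network(s): too many addresses slows isolation detection")
    if addresses:
        raw = lowered.get("das.failuredetectiontime", "")
        detection = int(raw) if raw.isdigit() else None
        if detection is None or detection < MIN_FAILURE_DETECTION_MS:
            findings.append(f"das.failuredetectiontime={raw or 'unset'}: use "
                            f"{MIN_FAILURE_DETECTION_MS} or more so an isolated host can release "
                            "its VMFS locks before the others power on its VMs")
    return findings


if __name__ == "__main__":
    # Constructed sample: a second address with an out-of-range third one
    sample = {"das.isolationAddress2": "10.0.1.1", "das.isolationaddress11": "10.0.2.1"}
    for finding in check_ha_isolation(sample, service_consoles=2):
        print("-", finding)
```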

2010/04/01

Updated Security for home network

Filed under: home — iben @ 18:07

Follow these steps to upgrade your home network for improved security.

  1. Change wireless settings on ISP router to use WPA instead of WEP.
  2. Change wireless settings on laptop to use WPA instead of WEP.
  3. Set up a second wireless router on the LAN port and change wireless settings on ISP router to use WPA instead of WEP. Do not use the WAN port.
  4. Disable the DHCP server on the second wireless router.
http://www.gliffy.com/pubdoc/2052413/L.png

Home Wireless Network Diagram

2010/03/30

Application Performance Testing Method

Filed under: virtualization — iben @ 12:46

Are certain applications running slowly occasionally? Sometimes things are superfast and then they slow to a crawl. What’s going on?

First of all – do all you can to ensure the environment is configured according to established Best Practices. One of the benefits of VMware’s acquisition of the Zimbra email / collaboration server software is that they need to ensure users optimize the deployments on their Hypervisor. This document here covers the main settings to check on a Virtual Machine that needs to perform well under load: http://iben.users.sonic.net/wp//2011/05/performance-recommendations-for-virtualizing-anything-with-vmware-vsphere-4/

Any tool that uses SNMP to gather performance metrics can be used to baseline and stress test infrastructure and determine where the bottlenecks are.

Basic methodology could go something like this…

1 – identify end to end system components from end user terminal through network to virtual machines, esx hosts, and storage.

2 – configure SNMP for all devices (keep in mind that the latest ESX/ESXi vSphere versions don’t have many performance counters exposed via SNMP and you’ll need to use their APIs)

3 – verify use patterns and confirm data collection over time (1 week or month). Tune alerts for normal use.

4 – schedule stress test for each component to determine performance ceiling and baseline throughput capacity.

5 – make changes as needed to improve end user experience.

6 – verify changes had desired effect.

Performance Troubleshooting for VMware vSphere

vsphere4-performance-troubleshooting.pdf (2.1 MB)

http://communities.vmware.com/docs/DOC-10352

Possible tools that could be used to poll for performance metrics include:

http://www.scriptlogic.com/Products/perspective/

http://www.vizioncore.com/products/vFoglight/features.php

http://www.whatsupgold.com/technology/network-management/monitoring-technologies/index.aspx

http://www.quest.com/Quest_Site_Assets/PDF/DSA-FoglightNetworkDevice-US-VC.pdf

http://network-optimisation.com/technology/network_monitoring/snmp_monitoring.php

http://www.microsoft.com/systemcenter/operationsmanager/en/us/default.aspx

http://www.manageengine.com/products/opmanager/index.html

http://www.managementsoftware.hp.com

http://www.solarwinds.com/products/orion/modules.aspx

http://www.veeam.com/vmware-esx-monitoring.html

http://www.monitorsnmp.com/

http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a008011fde2.shtml

http://www.sage.org/lists/sage-members-archive/2002/msg01878.html

Do you know of a tool that should be added to this list? Please send it to me.

 

Using Cryptographic Hashes to verify file download integrity

Filed under: virtualization — iben @ 10:58

The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm.

Vendors provide a sha-1 hash for software downloads. This enables you to verify that your downloaded files are unaltered from the original.

To confirm file integrity, use an sha-1 utility on your computer to calculate your own hash for files downloaded from the VMware web site.

If your calculated hash matches the message digest we provide, you are assured that the file was downloaded intact.

sha-1 utilities are available for Windows, Linux and Mac. Most UNIX installations provide a sha1sum command for sha-1 hashes. You may need a newer Linux kernel to calculate the checksums for larger files.

The File Checksum Integrity Verifier (FCIV) can be used on Windows based products to verify sha-1 values. Please see http://support.microsoft.com/kb/841290 for details on FCIV.

Mac OS X: How to Verify a SHA-1 Digest http://support.apple.com/kb/HT1652

Instructions on checking an sha-1 checksum on a Mac:
In Finder, browse to /Applications/Utilities.
Double-click on the Terminal icon. A Terminal window will appear.
In the Terminal window, type: “openssl sha1 ” (sha1 followed by a space).
Drag the downloaded file from the Finder into the Terminal window.
Click in the Terminal window, press the Return key, and compare the checksum displayed to the screen to the one on the vendor’s download page.
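An added Python version of the check described above (my code, not from the post): it pulls the digest out of a vendor listing line in the forms quoted on this page (“SHA1: <hex>”, “SHA1SUM <hex>” and sha1sum’s own “<hex>  <filename>”), hashes the file in chunks so a multi-GB ISO never has to fit in memory, and compares in constant time. The sample file it writes is constructed; the MD5 flag follows the US-CERT note further down.

```python
import hashlib
import hmac
import re
import tempfile

# Matches the digest in the listing styles quoted on this page: "SHA1: <hex>",
# "SHA1SUM <hex>" and sha1sum's own "<hex>  <filename>".
DIGEST_RE = re.compile(r"\b([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})\b")
ALGORITHM_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
# Per the US-CERT note on this page, MD5 should not be relied on for integrity checks.
WEAK = {"md5"}


def parse_published_digest(line):
    """Return (algorithm, lowercase hex digest) from a vendor listing line."""
    m = DIGEST_RE.search(line)
    if not m:
        raise ValueError(f"no hex digest found in {line!r}")
    digest = m.group(1).lower()
    return ALGORITHM_BY_LENGTH[len(digest)], digest


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash the file in 1 MB chunks so a multi-GB ISO never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_line):
    """Compare the file against the published digest.

    Returns a dict: `match` is the verdict; `weak` is True when the published
    digest uses an algorithm this page calls broken (MD5), so even a match gives
    little assurance against deliberate tampering.
    """
    algorithm, expected = parse_published_digest(published_line)
    computed = file_digest(path, algorithm)
    return {
        "algorithm": algorithm,
        "match": hmac.compare_digest(computed, expected),  # constant-time compare
        "weak": algorithm in WEAK,
        "computed": computed,
    }


def make_sample_file(content=b"abc"):
    """Write a constructed sample file and return its path (stands in for a download)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(content)
    return f.name


if __name__ == "__main__":
    # The vendor line here is constructed; SHA-1 of b"abc" is the well-known test vector.
    path = make_sample_file()
    print(verify_download(path, "SHA1: A9993E364706816ABA3E25717850C26C9CD0D89D"))
```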

From TechNet

Windows Server 2008 R2 Standard, Enterprise, Datacenter, and Web (x64) – DVD (English)
File Name: en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
Size: 2,858 (MB)
Date Published (UTC): 8/31/2009 10:22:24 AM
Last Updated (UTC): 1/11/2010 4:31:40 PM
SHA1: A548D6743129F2A02C907D2758773A1F6BB1BCD7
ISO/CRC: 8F94460B

About MD5

MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found with the design of MD5. While it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1 (which has since been found also to be vulnerable). In 2004, more serious flaws were discovered, making further use of the algorithm for security purposes questionable; specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum. Further advances were made in breaking MD5 in 2005, 2006, and 2007. In an attack on MD5 published in December 2008, a group of researchers used this technique to fake SSL certificate validity.

US-CERT says MD5 “should be considered cryptographically broken and unsuitable for further use,” and most U.S. government applications now require the SHA-2 family of hash functions.

VMware Data Recovery

Filed under: virtualization — iben @ 10:49

VMware Data Recovery (CD ISO)
Released 11/19/09 | Version 1.1 | Size 418 MB | Binary (.iso)
Deploy VMware Data Recovery virtual appliance plus management components.
SHA1SUM 44dc0cd0c3e774d4912412b51dabeadf28d959b9

2010/03/26

Host Profiles N1KV VDS

Filed under: virtualization — iben @ 06:21

Background to Using Host Profiles

The vDS UI also allows a phased migration of vmnics from vSS to vDS without disruption to an operational environment. VMs can be migrated from a vSS to a vDS on the fly so long as the vDS and vSS have connectivity to the same network at the same time and the origin Port Group on the vSS and destination DV Port Group on the vDS are configured to the same VLAN.

Host Profiles provide a way to migrate multiple hosts at one time. Host Profiles use a golden profile from a migrated host to propagate a configuration to a number of other hosts.

When applying a Host Profile to a host, the host must be in Maintenance Mode. This requires VMs to be either powered down or migrated to another host.

Host Profiles are most appropriate for new installations of similarly configured hosts (i.e. same number of vmnics, same vmnic to physical switch configuration, no active VMs).

The table below summarizes the deployment situations and suggested methods for migration from vSS to vDS. Note: These are suggestions only; both methods will work within the guidelines mentioned above.

Summary of Migration Methods

Table 1 – Summary of vSS to vDS Migration Methods

Deployment situation | Suggested method | Details
New servers, same vmnic config, no active VMs | vDS UI + HP | Migrate first host with vDS UI. Take host profile and apply to remaining hosts.
<5 existing servers, no active VMs | vDS UI | Small number of servers. Can use host profiles, but possibly easier to continue with vDS UI.
>5 existing servers, same vmnic configs, no active VMs | vDS UI + HP | Larger number of servers with similar vmnic configuration. No active VMs, so hosts can enter maintenance mode and use Host Profiles.
Existing servers, active/operational VMs | vDS UI | Cannot use Maintenance Mode as VMs are active. Phased vmnic migration suggested to ensure continuity of VM communications.
Existing servers, dissimilar vmnic configurations | vDS UI | Enables per-host tailoring of vmnic to dvUplink PortGroup mapping.
Ongoing compliance checking | HP | Non-disruptively check that network settings are compliant with the approved “golden” configuration.

Note: vDS UI = Use vDS UI; HP = use Host Profiles; vDS + HP = use vDS UI to deploy first host and Host Profiles for remaining hosts.

Applying NIC Teaming Policies to DV Port Groups

With a vSS, NIC teaming policies are defined on the virtual switch with an optional override on each Port Group definition. With vDS, NIC teaming policies are only defined on the DV Port Groups and apply to dvUplinks, not vmnics. The vmnics are mapped to the dvUplinks on a per host basis. This enables each host to have a different vmnic to physical host configuration and yet use the same NIC teaming policy over all hosts spanned by the vDS.

Monitoring Hash vmnic Selection in NIC Teams

The esxtop command from the ESX console can reveal the physical NIC (vmnic) used by a virtual port or VM within a NIC team.

Use esxtop to see the following information:

  • PORT-ID represents an internal port number on the virtual switch
  • USED-BY column shows what that port number is used by (e.g. VMkernel, VM, etc)
  • TEAM-PNIC column shows what physical nic (vmnic) is being used for traffic from that virtual port (the result of the hash within the NIC team)
  • The remaining columns indicate the Receive and Transmit traffic rates on those ports.

To use esxtop, type esxtop from the ESX console and then type n.

A list of commands for the ESX command line interface is published in Chapter 6 of the ESX 4.0 Configuration Guide (available at http://www.vmware.com/support/pubs/). To show console output one page at a time, add the | more suffix to a command. For example:
esxcfg-vswitch -l | more

Reference: http://vmware.com/files/pdf/vsphere-vnetwork-ds-migration-configuration-wp.pdf

(See page 8)
