Embed Size (px)
Citation preview
VCP6StudyGuideSECTIONI–Configure&AdministervSphereSecurity1.1 –Configure&AdministerRole-BasedAccessControl
a.Compare&contrastpropagated&explicitpermissionassignments1)Privileges–rightstoperformactionsonanobject2)Role–setofprivilegesgrantingaccesstoperformactiononanobject3)Permissions–role(s)assignedtoauserorgrouptoperformactionsonobjects4)Propagatedpermissions–selectingtheoptionforpermissionstobeassignedtoavSphereobjectandobjectsbelowitinthevSpherehierarchy5)Explicitpermissions–permissionaddedtoanobjectwithoutpropagation6)Notesaboutpermissionsandpropagationingeneral:a)Propagationmustbesetmanually;it’snot‘universally’(automatically)appliedb)Childpermissionsoverrideanypermissionsinheritedbytheparentc)IfvSphereobjectsinheritpermissionsfrommultipleparents,allpermissionsfrombothparentsareappliedd)Ifauserisassignedtoagroup,andboththeuser&thegrouphaspermissionsassignedtoavSphereobject,userpermissionsoverridegrouppermissionsb.View/Sort/ExportUser&GroupLists1)View:selectavSphereobject>Managetab>Permissions,thenview‘DefinedIn’column
2)Exportlist–fromthelowerrightofthePermissionstab,click: 3)SortingisassimpleasclickingonacolumnfromthePermissionstabc.Add/Modify/Removepermissionsforusers&groupsonvCenterServerinventoryobjects1)FromNavigationpaneonleft>Administration>AccessControl>Roles2)Clickgreen“+”toaddaRolebyenteringaRoleName&assigningdesiredPrivilegesfortheRolewantingtogranttoauser/group
Figure1,CreateRole3)ToassigntheRoletoauser/group,clickonavSphereobjectontheleft>Managetabontheright>Permissionstab4)Clickthegreen“+”toaddthecreatedRoleinStep2toauser/group;foreaseofmanagement,andifdeemedappropriate,checkthe‘Propagatetochildren’optionfortheaddedpermissiontobeappliednotonlyonthecurrentobject,butsub-objects(child)inthevSpherehierarchy
Figure2,AddPermission
5)Toeditorremoveapermission,clickthepencil(Edit)orred‘x’iconrespectivelyinthe
permissionstabforagivenvSphereobject NOTE:Ifthe“x”isgreyedoutafterclickingonapermission,thepermissionissetatahigherlevel&thusneedsremovedatthatleveld.Determinehowpermissionsareapplied&inheritedinvCenterServer1)SelectavSphereobject>Managetab>Permissions,thenviewthe‘DefinedIn’column
Thepermissionwillshowwhereit’sdefined(“Thisobject”,“Thisobjectandchildren”,“Global”);also,seefurther‘notes’ina.aboveregardinginheritance,propagation,andoverrides2)Ifanobjectinheritspermissionsfrommorethan1place(i.e.2parentobjects),privilegesfrombotharepropagatedtothat(child)object3)UserpermissionsoverrideGrouppermissions;childpermissionsoverrideparentpermissionse.Create/Clone/EditvCenterServerRoles1)FromRoles,selectaRole,thenclicktheCloneorEditbuttons (Create–see‘c.’above)2)Can’tEditSystemRoles,onlyClonef.ConfigureVMwareDirectoryService1)WebClient([email protected])>Administration>SingleSign-On>Configuration2)SelectIdentitySourcestab,thenclickthegreen“+”toaddtheADIdentitySourcea)AD-Integrated/AD-LDAPformat:Domain=FQDNofdomain;Alias=NetBIOSname;SPN=STS/domain.com;[email protected]\joe;DN=cn=x,ou=x,dc=domain,dc=com3)IfaddingAD-IntegratedAuthenticaion,firstjoinvCentertoActiveDirectory:Administration>Deployment>SystemConfiguration>clickNodes,thenselectthevCenternode>Managetab>Settingstab,selectActiveDirectoryunderAdvanced&clicktheJoinbuttona)Forsimplerprocess,usemachineacctoraddamachinetoADandusethat‘system’g.ApplyaRoletoaUser/Group&toanobjectorgroupofobjects1)See‘b.’aboveh.Changepermissionvalidationsettings1)ThisisforhowoftenvCenterqueriesADforuserpermissions2)Tochange:selectvCenter>Managetab>Settingstab>General>Editbutton,thenselectUserDirectory&Enable(checkbox)Validation;setValidationPeriod(default=1440mins,or24hrs)i.DeterminetheappropriatesetofprivilegesforcommontasksinvCenterServer1)Privilegesaredeterminedbydecidingwhatobject(s)areneedingactionstobeperformedon,thencreateaRole&selectingtheappropriatePrivilegesfortheactiontobeperformed2)Seepp128-129,SecurityGuideforcommontaskandapplicablerole,butsometakeways:
TASK PRIVILEGES MINIMUMDEFAULTUSER
CreateVM DestinationFolderorDatacenter:(severalpriv’s)DestinationHost/Cluster/RP:resource.AssignVMtoResourcePoolDestinationDS:datastore.AllocateSpaceAssigningNetworktoVM:network.AssignNetwork
Folder/DC:AdministratorOnHost,etc:RPAdminDestDS:DatastoreConsumerToAssignNet:NetworkAdmin
DeployVMfromTemplate
Severalpriv’sforDestinationFolderorDC,onTemplate,onDestinatoinHost/Cluster/RP,DestinationDS,andNetwork
Administrator(exceptDatastoreandNetwork)
TakeSnapshot SourceVM/Folder:virtualMachine.SnapshotMgmt.CreateSnapDestinationDSorDSFolder:datastore.AllocateSpace
OnVM:VMPowerUserDestinationDS:DatastoreConsumer
MoveVMintoResourcePool
SourceVM/Folder:resource.AssignVMtoResourcePoolVirtualMachine.Inventory.moveDestinationRP:resource.AssignVMtoResourcePool
OnVM:AdministratorDestRP:Administrator
InstallGuestOS SourceVM:(severalpriv’s)DatastorewithISO:datastore.BrowseDatastore
OnVM:VMPowerUserOnDatastorewithISO:VMPowerUser
MigrateVMwithVMotion
SourceVMorFolder:resource.migratePoweredOffVMDestinationHost/Cluster/RP(ifdifferentthanSource):resource.AssignVMtoResourcePool
OnVM:ResourcePoolAdminDestination:ResourcePoolAdmin
ColdMigrateVM SourceVMorFolder:resource.migratePoweredOffVMDestinationHost/Cluster/RP(ifdifferentthanSource):resource.AssignVMtoResourcePoolDestinationDatastore(ifdifferentthanSource):datastore.AllocateSpace
OnVM:ResourcePoolAdminDestination:ResourcePoolAdminDestinationDS:DatastoreConsumer
MigrateVMwithsVMotion
SourceVMorFolder:resource.migratePoweredOnVMDestinationDatastore:datastore.AllocateSpace
OnVM:ResourcePoolAdminDestination:DatastoreConsumer
MoveHostintoCluster SourceHost:host.inventory.addHostToClusterDestinationHost:host.inventory.addHostToCluster
OnHost:AdministratorDestinationCluster:Administrator
3)Summaryofabovetable-minimumpermissionsforataska)CreateVM/VMotion/ColdMigrate/MigratewithsVMotion–ResourcePoolAdminb)DeployVMfromTemplate/MoveVMinResourcePool/MoveHostinCluster–Administratorc)TakeSnapshot&InstallGuestOS–VMPowerUserj.Compare&contrastdefaultSystem/SampleRoles1)SystemRolesarepermanentPrivileges&arenoteditable–Administrator,NoAccess,ReadOnly2)SampleRolesareprovidedbyVMwareforfrequentlyperformedtasks;canbeedited,cloned,orremoved:a)VirtualMachinePowerUserb)VirtualMachineUserc)ResourcePoolAdministratord)VMwareConsolidatedBackupUsere)DatastoreConsumerf)NetworkAdministratorg)ContentLibraryAdministratork.DeterminethecorrectpermissionsneededtointegratevCenterServerwithotherVMwareproducts1)GlobalpermissionsareappliedtoaglobalrootobjectthatspansmultipleVMwaresolutions;assuch,useGlobalpermissionstogiveusers/groupsaccessforallobjectsinallsolutionhierarchies(pg.122);globalroot->ContentLibrary;vCenter;Tags2)Beawareofhigh-levelprivilegesneededforVMwareservicessuchasVDP,SRM,vRep,VSAN,etc.
1.2 –SecureESXi,vCenterServer,&VirtualMachinesa.HardenVMAccess1)ControlVMwareToolsInstallation–limitVM.Interaction.VMwareToolsInstallprivilege2)ControlVMdataaccess–disablecopy/pastecapabilityviaconsolea)FromvCenterInventory>VM>Managetab>Settingstab>Editbutton>VMOptionstab>Advanced>EditConfigurationbutton;‘AddRow’toaddthedesiredsecuritysetting&value(parameter:isolation.tools.copy/paste.disable;value:true)b)PreventVMsendingconfiginfotoHosts:isolation.tools.setInfo.disable = true3)ConfigureVMsecuritypoliciesa)Commonsecurityconfigurationparameters(ReviewonlineVMSecuritydocforotheritems:http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-6BFA8CA7-610F-4E6B-9FC6-D656917B7E7A.html):1.Disablecopy/pasteinConsole:seeabove2.SetVMXfilesize(default=1MB):tools.setInfo.sizeLimit=12345673.SetVMlogamount#:vmx.log.KeepOld = 104.DisableVM->configuration:isolation.tools.setinfo.disable = true
b.HardenVMsagainstDenialofServiceAttacks1)ControlVM-VMcommunication–VMCIisnolongerasupportedVMconfig;setShares2)ControlVM-devicecommunication–limitVM.Interaction&limitVM.Configurationprivileges3)Configurenetworksecuritypolicies–VLANs,PromiscuousMode,ForgedTransmit,&MACAddressoptionsonvSwitchorPGc.HardenESXiHosts1)Enable/Configure/DisableservicesinESXifirewall–SelectaHost>Managetab>Settingstab>System>SecurityProfile>Editbuttonunder‘Firewall’;disableESXi&Shell(arebydefault)2)Changedefaultaccountaccess–limitrootaccess&use‘leastprivilege’concepta)Modifypasswordsettingcharacterlength,orusepassphrasesb)FormattochangeSecurity.PasswordQualityControladvancedparameteronHosts:retry=#min=N0,N1,N2,N3,N4passphrase=#(thisisoptional,ifN2isused)c)ReviewSecurityGuide,pg.135andthepam_passwdqc“manpage”(http://linux.die.net/man/8/pam_passwdqc)forfurtherexplanationofformatmeaning3)AddanESXiHosttoadirectoryservice–SelectaHost>Managetab>Settingstab>System>AuthenticationServices>‘JoinDomain’button(verifytimeissync’dwithDirSvcs)
Figure3,HostAddDirectoryService4)EnableLockdownMode–SelectaHost>Managetab>Settingstab>System>SecurityProfile>Editbuttonunder‘LockdownMode’a)ChooseNormalorStrict;NOTE:in‘Strict’,DCUIserviceisstoppedb)AddinguserstoDCUI.AccessAdvancedHostoptionorExceptionUserslistenablesabilitytodisablelockdowninNormalModeonlyincaseofcatastrophec)InStrictMode,iftheHostlosesvCenterconnection,theonlwaytoconnectisifSSHisenabled&ExceptionUsersaredefinedd)WhenStrictorNormalisenabled,thoseinExceptionUserslist&whoareAdmins,orthoseintheDCUI.Accessadvancedoptionlist,canusetheDCUI;allotherusersgetterminated5)Controlaccesstohosts(DCUI/Shell/SSH/MOB)–seeStep4ir:access;disableservicesinHost>Managetab,Settingstab>System>Services,thenclickEditbutton&“Start”/“Stop”theservicea)MOBaccess–SelectaHost>Managetab>Settingstab>System>Advanced,searchforConfig.HostAgent.plugins.solo.enableMobandverifyit’ssettofalse
d.HardenvCenterServer1)Controldatastorebrowseraccess–limitDatastore.BrowseDatastoreprivilege2)Create/ManagevCenterServerSecurityCertificates–4options:a)VMCA(Root)–default,ifnothingfurtherisdoneafterinstallingvCenter/ESXib)VMCAIntermediate–makeVMCA(PSC)anIntermediateCAtoorgEnterpriseCA&replaceallPSCcerts;forcertreplacmentorder,reviewSecurityGuide,pg.80c)Custom–donotuseVMCA,butratherawell-trusted/knownCA(Entrust,Verisign,etc)d)Hybrid–acombinationofusingVMCA&Customcertse)ESXi–HostsuseVMCAbydefault;thiscanbechangedtousetheCustommethod,orevenlegacy‘thumbprint’,customizableinvCenterAdvanced“certmgmt”parametersinWebClient3)ControlMOBaccess–thiswasdiscussedinHostSecurityabove(5a);MOBisonlyforHosts4)Changedefaultaccountaccess–defaultRole=NoAccess;grantdifferentRolestousers/groups5)Restrictadministrativeprivileges–don’taddusers/groupstoAdministratorRole(leastpriv’s)e.UnderstandimplicationsofsecuringavSphereenvironment1)Whenmodifyinganyitemsdiscussedtothispoint(i.e.Lockdown,permissions,enabling&disablingadvancedoptions),understandhowthosechangesaffectaccessvsenhancingsecurity
1.3 –EnableSSO&ActiveDirectoryIntegrationa.DescribeSSOarchitecture&components1)SecurityTokenService(STS)–issuesSAMLtokenstorepresentidentityofhuman/solutionuser2)Administrationserver–allowsconfigurationofSSOserver3)VMwareDirectoryService–associatedwithdomainspecifiedduringSSOinstall&includedwitheachPSCdeployment;alsostorescertificateinfo4)IdentityManagementService–handlesidentitysources&STSauthenticationrequestsb.DifferentiateavailableauthenticationmethodswithVMwarevCenter1)Humanusera)UserlogsinwithWebClientb)WebClientpasseslogininfotoSSO&SSOchecksifWebClienthasavalidtoken&ifuserisinavalidIdentitySourcec)Ifallpasses,SSOsendsbackatokentoWebClientthatrepresentstheuserd)TheWebClientthenpassesthetokenontovCentere)vCentercheckswithSSOfortokenvalidityf)SSOreturnstokentovCenter&authenticationoccurs2)Solutionuser–setofservicesusedinvCenterServera)Machine–usedbyComponentMgr,LicenseServer,&LoggingServiceb)vpxd–usedbyvCenterservicedaemonc)vpxd-extensions–AutoDeploy,InventoryServiced)vsphere-webcliente)Authentication->solutionuserattemptstoconnecttovCenter;solutionuserredirectedtoSSO;ifsolutionuserhasvalidcert,SSOassignsatokenbacktosolutionuser;solutionuserthenconnectstovCenter&performstasksc.PerformaMulti-SiteSSO(PSC)installation1)See:http://kb.vmware.com/kb/2034074&http://kb.vmware.com/kb/2108548fordetails
2)Overall,thereisn’tanythingspecialaboutthis;fromahigh-levelstandpoint,thethingtokeepinmindisorder:installPlatformServicesController(PSC)1stthenvCenter’sattachedtothePSC(canbeeitherWindowsorVCSA);repeatforadditionalPSCs/vCentersd.Configure/ManageActiveDirectoryAuthentication1)UseWebClientorvmdirCLItomanagee.Configure/ManagePlatformServicesController(PSC)1)PSCconsistsof:SSO,LicenseServer,andVMCA;it’sallinstalledtogether..nothingtomanage2)Cannotchangedeploymenttypeafterinstall(i.e.EmbeddedPSCtoExternalPSCorviceversa)3)AbouttheonlythingtobedonewithPSCistouseVMCAviaCLIorreplaceSTScert(seeSecurityGuide,pg.36)f.Configure/ManageVMwareCertificateAuthority(VMCA)1)InstalledwhenPSCisinstalled;nothingneedsconfiguredg.Enable/DisableSingleSign-On(SSO)users1)Logonwith‘vsphere.local’Adminaccout,thenAdministration>SingleSign-On>UsersandGroups;selecttheuserandclickthecheckmark(Enable)or (Disable)h.UpgradeSingle/Multi-SiteSSOinstall1)Upgradefrompre-v6requiresinstallingtothenewPlatformServicesController(PSC),whichnowincorporatesSSO,LicenseServer,&thenewVMwareCertAuthority(VMCA)2)Upgradeprocesswillbedependentonseveralfactors,includinghavingembeddedvsexternalinstall&whetheronWindowsvsappliance3)Ifembedded,justperformtheinstallonthesinglemachine,whichwillupgradeeverything4)Ifexternal,upgradeSSOtoaexternalPSCmachine(VMorphys);afterupgradingSSOtoPSC,upgradeallvCenterinstancespreviouslyconnectedtotheSSOmachine;seeVMwareKB:http://kb.vmware.com/kb/2108548i.ConfigureSSOpolicies1)Administration>SingleSign-On>Configuration>Policiestab(Password,Lockout,TokenPolicy)j.Add/Edit/RemoveSSOIdentityResources1)Administration>SingleSign-On>Configuration>IdentityResourcestabk.AddanESXiHosttoanADdomain1)Host>Managetab>Settingstab>System>AuthenticationServices>JoinDomainbutton
SECTIONII–ConfigureandAdministervSphereNetworking2.1 –ConfigureAdvancedPolicies/FeaturesandVerifyNetworkVirtualizationImplementation
a.Create/DeleteavDS1)Create:Networking>rt-clickDCobject>DistributedSwitch>NewDistributedSwitch…
Figure4,CreateNewvDS2)ChoosevDSName(Next),thenVersion
Figure5,SelectvDSVersion3)Lastly,modifyUplinks,eanbleNetworkI/O,&choosewhethertocreateaPortGroup4)Aftercreation,addHosts&desiredHostadapters5)Delete:beforedeletingavDS,removeallHosts&associatedadapters(Uplinks);rt-clickDistributedSwitch>Deletec.Add/RemoveESXiHoststo/fromavDS1)Add:rt-clickvDS>AddandManageHosts…,select“Addhosts”&followwizard2)Remove:rt-clickvDS>AddandManageHosts…select“Removehosts”&followwizard
Figure6,AddHoststovDS3)NOTE:ifaHost’sVMkernelorVMportsarestillassignedtothevDS,theHostcan’tberemovedd.Add/Configure/RemovedvPortGroups1)Add:Rt-clickvDS>DistributedPortGroup>NewDistributedPG;modifySettingsasneeded
Figure7,ConfiguredvPGSettings2)Configure/Remove:Rt-clickdvPG>Settings>EditSettingsorDelete;NOTE:unassigndvPortsfromHostsbeforedeletingasyoucan’tdeleteadvPGwithdvPortsstillassignede.Add/RemoveUplinkadapterstodvUplinkGroups1)Add:Rt-clickdvPG>EditSettings>Teaming&Failover&add‘Unused’Uplinksbyclickinguparrow2)ToRemove,simplymovetheUplinkto‘Unused’sectionbyclickingthedownarrowf.ConfigurevDSgeneral&dvPGsettings1)Rt-clickvDS>Settings>EditSettingstochangevDSName,numberofUplinks,&NetworkI/O2)Rt-clickdvPG>EditSettingsandeditsettingsasneeded(i.e.Teaming,VLAN,Advanced,
Monitoring,Misc,etc)g.Create/Configure/Removevirtualadapters
1)Create:SelectaHost>Managetab>Networking>VMkernelAdapters>clickAddicon 2)SelectVMkernelNetworkAdapteroption,chooseadvPG,IPsettings,services(VMotion,etc)3)Configure/Delete:selectthe“vmk”fromlist>Edit(pencil)buttonortheDelete(“x”)buttonh.MigrateVMsto/fromavDS1)Rt-clickavDS>MigrateVMtoAnotherNetwork…2)SelecttheSource&aDestinationvDStomigrateVMsfromandto3)SelectVMswantingtomigrateandFinishi.ConfigureLACPonUplinkPGs1)Pre-req’s:minimumof2portsperLAG;UplinksinLAGmustmatchpSwitchPorts;LAG&SwitchHashmustmatch;maxof64LAGspervDS;speed/duplexmatchpSwitchports;1‘Active’LAGinTeaming/Failover;vDS5.5or6.0;notabletodeployviaHostProfiles;reviewallLACPsupport&limitationsonpg.56-57,NetworkingGuide2)CreateaLinkAggregationGroup(LAG):Networking>vDS>Managetab>Settingstab>LACP,thenclick ;setLAGtoStandbyindvPGTeam/Failover;assignpNICstoLAGPorts;setLAGtoActiveindvPG
Figure8,CreateLACPj.DescribevDSSecuritypolicies/settings–onvSS/vDSPortGroups;allaresettoRejectbydefault1)ThesewerediscussedinSection1.2above(MACAddressChg,ForgedTransmit,Promiscuous)a)MACAddressChanges–affectsincomingtraffictoaVMtoeitherchange(Accept)ornotchange(Reject)theVMEffectiveMACaddressb)ForgedTransmits–affectsoutgoingtrafficfromaVMsuchthatanESXiHostcomparesthesourceMACaddresswithaVM’sEffectiveMAC(Reject),ornotcompare(Accept)
c)PromiscuousMode–eliminatesreceptionpacketfilteringsuchthataVMGuestOSreceivesalltraffic(Accept),ortrafficisfiltered(Reject)k.ConfiguredvPGBlockingPolicies1)BlockingcanbedoneoneitherdvPGordvUplinksinSettings>Miscellaneous;select‘Yes’or‘No’fromdrop-downl.ConfigureLoadBalancing/FailoverPolicies1)Networking>rt-clickdvPG>EditSettings>Teaming&Failover2)LoadBalancingoptions:a)Routebasedonoriginatingvirtualport–defaultb)RoutebasedonIPhash–etherchannel(PortChannel)needstobeconfiguredonpSwitchc)RoutebasedonsourceMAChashd)Useexplicitfailover–byorderofUplinksunder‘Active’e)Routebasedonphysicalload–requiresEnt+,andonvDSonly3)Failover–moveUplinksupdownbyup/downarrowtodetermineorderasActive/Standbym.ConfigureVLAN/PVLANsettingsforVMsgivencommunicationrequirements1)Networking>rt-clickdvPG>EditSettings>VLANandselectVLANoptionsfromdrop-down2)PVLAN:Networking>selectvDS>Managetab>Settingstab>PVLAN>Editbutton>Addbutton;oncethisisset,gointodvPG&addPVLAN(s)asneeded3)VLAN&PVLANnotes:a)VLANtaggingtypes–EGT(VLANtaggingdoneonpSwitch);VST(taggingdoneonESXiHost);VGT(taggingdonewithintheGuestOS)b)PVLANtypes–Promiscous=PrimaryPVLAN;Isolated=comm’sonlywithPromiscous;Community=communicateswithPromiscuousports&portsonsamesecondaryPVLANsc)WhenPVLANiscreated&assignedaVLANID,thatsameIDisassignedtothePromiscuous&cannotbechangedd)Only1Promiscuousand1SecondaryIsolatedVLANsperPVLANallowed4)ReviewKB:http://kb.vmware.com/kb/1010691n.ConfigureTrafficShapingPolicies1)Networking>rt-clickdvPG>EditSettings>TrafficShaping,andmodifyIngress/Egressoptions:2)Avgbandwidth(kbits/s),Peakbandwidth(kbits/s),Burstsize(KB)o.EnableTCPSegmentationOffloadsupport(TSO)foraVM1)EnabledbydefaultononESXiHosts(net.UseHwTSO)&onvmxnet2/vmxnet3adapters;inWindowsadapterproperties:Configtab>Adv’d,set‘LargeSendOffloadv2(IPv4)’toEnabled2)Linux:ethtool –K ethY tso onp.EnableJumboFramessupportoncomponents1)EnableonPhysicalSwitch;vDS(Managetab>Settingstab>Propertiesoption>Editbutton>Advancedoption>MTUsizeto9000);virtualadapter(Host>Managetab>Networkingtab>VMkerneloption,selectaVMkernelthentheEdit(pencil)icon>NICSettings&setto9000);withintheGuestOSadaptersettings(Advanced>Configure)q.RecognizebehaviorofvDSAuto-Rollback1)Pg.85-86ofNetworkingGuide
2)RollbackforvCenterisenabledbydefault:config.vpxd.network.rollbackAdvancedsetting3)Or,logintoaHostDCUI>NetworkRestoreOptions>RestorevDS4)Isdonebydeafult,orifdisabled,canbedoneviaDCUI;reviewTroubleshootingGuideforrollbackbehaviorwhenissuesencounteredr.ConfigurevDSacrossmultiplevCenterServerstosupportLongDistanceVMotion1)Requirements–vSphere6,Ent+,WebClient,vCentersinEnhLinkMode&insameSSOdomain,vCenterstimesync’d,andvCentersconnectedtosamesharedstorages.Compare/ContrastvDScapabilities1)http://kb.vmware.com/kb/1010555–describesdifferencesbetweenvSSandvDS2)vDS–Inboundtrafficshaping,centralmgmt,PVLAN,customizedataplan,LLDP,Netflow,NIOC3)IfthismeansdifferencesbetweenvDS5.0/5.1/5.5/6.0,notsurewherethatisdocumented
2.2 –ConfigureNetworkI/OControl(NIOC)a.DefineNIOC1)vDSfeaturethatallowsbandwidthprioritizationfordifferentnetworkresourcepoolsb.ExplainNIOCcapabilities1)IEEE802.1poutboundtagging2)Load-baseduplinkteamingpolicy3)EnforcestrafficbandwidthtrafficlimitsacrossvDSuplinks4)UtilizesDRS&HAadmissioncontrol5)Separatessystemtrafficintopools:FT,iSCSI,VM,VMotion,Mgmt,vRep,NFS6)Configurable(inv3)oneithervDSorVM(v2wasonphysadapter)c.ConfigureNIOCShares/LimitsbasedonVMrequirements(Low,Normal,High)1)SelectavDS>Managetab>ResourceAllocationtab,selectSystemTraffic2)IntheTrafficTypelistatthebottom,selectatype,thentheEdit(pencil)icon;enterinfo3)Sharescanonlybeconfig’d1-100;nomorethan75%ofanadapterbandwidthcanbeReserv’dd.ExplainthebehaviorofagivenNIOCsetting1)NIOCisbasedonShares,Limits,Reservationssoknowwhateachare&,givenresources,configurebasedoffbizrequirements&implicationsofwhatwasimplemented/config’d2)ReadthroughNetworkGuide&knowrequirements&implicationsofcreatingNetworkPools,assigningNPstodvPGs,&settingShare&ReservationbandwidthonVMadapterse.DetermineNIOCrequirements1)ESXiandvDSv.6forNIOCv3;ESXi5.1+andvDS5.1forNIOCv2;Ent+
Figure9,NetworkI/OControlVersionSupportf.DifferentiateNIOCcapabilities1)MaindifferencebetweenNIOCv2andv3isSR-IOVisn’tavailableinv3&user-definedsettingsinv2arenotretainedwhenupgradingtov32)v2bandwidthallocationsaresetatthephysicaladapterlevel;v3onthevDSorVMlevelg.Enable/DisableNIOC1)Enable:Networking>rt-clickvDS>Settings>EditSettings>General,andEnableNIOC2)Disable:sameasabove,butselectDisableh.MonitorNIOC1)Networking>selectvDS>Managetab>ResourceAllocationtab>SystemTraffic
SECTIONIII–Configure&AdministerAdvancedvSphereStorage3.1 –ManagevSphereStorageVirtualization
a.DiscovernewstorageLUNs1)Adaptertypess:a)SCSIb)iSCSIc)RAIDd)FCe)FCoEf)Ethernet2)Devicesa)StorageAdapterdriversarepartoftheVMkernel;assuch,ESXiseeseachdeviceasaSCSIvolume3)DiscoveringnewLUNsgenerallyhappenswhenanadapterrescanoperationisperformed4)Autorescans:creating/deleting/increasingaVMFSDSorRDM;addinganExtent5)Manualrescans:Zoneanewdiskarray;createnewLUNonSAN;changeHostPathMasking;reconnectacable;changeCHAP;add/removeiSCSIdiscovery/staticaddressesb.ConfigureFC/iSCSI/FCoELUNsasESXibootdevices1)FC–createabootLUNforeachHost;maskeachLUNtoitsrespectiveHost;getWWPNforSANfront-endport;configurestorageadapteroneachHosttobootfromSAN(vendor-specific)2)ISCSI–sameasabove,butdetermineiSCSIname/IPfortargetsassignedperHost;softwareordependentiSCSIadaptersmustsupportiBFT(iSCSIBootFirmwareTable)
3)FCoE–enableSpanningTreeonpSwitch,dedicatewholebootLUNsolelytoFCoEAdapter;reviewremainingconceptsinStorageGuide,pg.55c.CreateNFSshareforusewithvSphere1)Createastoragevolume2)Createfolderonthevolume3)ShareafolderonvolumeallowingHost(s)IPR/Waccesstoshare4)AddNFSStorageinvSphered.Enable/Configure/DisablevCenterServerstoragefilters(allareconfiguredbydefault)1)config.vpxd.filter.vmfsFilter–filtersLUNsalreadyusedbyVMFSDatastoreonanyHostusedbyvCenter2)config.vpxd.filter.rdmFilter–filtersLUNsalreadyreferencedasRDM3)config.vpxd.filter.SameHostAndTransportsFilter–filtersLUNsunabletobeusedasExtent4)config.vpxd.filter.hostRescanFilter–autorescanenabledafterperformingcertainstoragefunctions(seeScan/Rescansectionabove)e.Configure/EditIndependent/Dependenthardwareinitiators1)DependentHW–justneedtomakesuredeviceisonVMware’sHCL;vmk’sneeded2)IndependentHW–completelyoffloadstotheadapter;vmk’snotneeded3)Host>Managetab>Storagetab>StorageAdapters,selectnewadapterinthelistthenclickEditbutton4)FCoE–disableSTPonpSwitch(preventpossibleAPD),turnonPriority-BasedFlowControl(PFC)&settoAUTOf.Enable/DisablesoftwareiSCSIinitiator1)Host>Managetab>Storagetab>StorageAdapters,&click“+”(Add)>SoftwareiSCSIAdapter2)Afteradded,selectit&inthebottomAdapterDetailssection,clicktheEnable(Disable)buttong.Configure/EditsoftwareiSCSIinitiator1)IntheHostStorageAdapters,selectthesoftwareadapterthenchoosetaboptionsatbottomunderAdapterDetails;clicktheEditbuttontomodifysettingsh.ConfigureiSCSIportbinding1)HostStorageAdapters,selectthesoftwareadapter,thenNetworkPortBindingtabatbottomandclick“+”toaddvmk’si.Enable/Configure/DisableiSCSICHAP1)HostStorageAdapter,selectthesoftwareadapter,thenPropertiestabatbottom>Authentication>Editbutton;configureCHAPoptions(seebelow)
Figure10,EnableiSCSICHAPj.DetermineusecaseforFCZoning1)Securityandsegregation;doneontheSAN/arraysidek.Compare/Contrastarraythinprovisioningandvirtualdiskthinprovisioning1)Array–attheSAN(LUN)level;ESXiHostisnotawareUNLESSarrayisVAAIcapable;diskgrowsasdataaddedevenifaVMDKisthick-provisioned2)VMDK–atVMlevel;diskgrowsasdatawrittentodiskonly3)Bothcanleadtoover-provisioningstorage
3.2 –ConfigureSoftware-DefinedStoragea.ExplainVSANandVVOLarchitecturalcomponents1)VSAN:a)vCenter5.5U1,minimumof3ESXi5.5Hosts,&WebClientb)UsesDiskGroupscontainingonly1Flash&upto7HDDs(min1HDDrequired);eachESXiHostcanhaveupto5DiskGroups(DGs)c)VSANStorage=(#ofHDDsinaDGx#ofDGx#ofHosts)–Overhead(1%perHDDx#ofDGsx#ofHosts)d)Witnesses–componentcontainingonlymetadatae)VMStoragePolicies/StoragePolicyBasedManagement(SPBM)f)VSANStorageObjects–VMDKs,VMHome,VMSwap,SnapshotDeltag)AggregatesstorageacrossESXiHostsinaClustertocreateasingleDS;canlaterbeexpandedbyaddingHDDstoVSANDGs,orsimplyaddingHostswithdevicesh)FaultDomains–usedasaredundancymechanisminVSANdispersingobjectsacrossracks(i.e.otherfaultdomains)2)VVOL:a)VirtualVolumes–encapsulationsofVMfiles,virtualdisks(VMDKs),&theirderivativesstorednativelyonthestoragesystem1.IdentifiedbyauniqueGUID
2.CreatedautomaticallywhenperformingaVMoperation(creation,cloning,snapshotting)3.TwoVVOLtypes–dataVVOL(VMDKs);configurationVVOL(vmx,logs,deltas,etc);VMFSb)StorageProvider–VASAprovider;softwarecomponentactingasavSpherestorageawarenessservice,mediatingout-of-bandcommunicationbetweenvC/ESXi&storagesystem1.ImplementedwithVMwareAPIsforStorageAwareness(VASA)&integrateswithvSphereStorageMonitoringService(SMS)2.Deliversinformationfromstoragesystem(storagecontainer)tovCenter&ESXic)StorageContainers–poolofrawstoragecapacity/aggregationofstoragecapabilities1.MinimumofoneContainerisrequired;Containercannotspanmultiplearrays2.SingleContainercanexportmultiplecapabilityprofilesthusVMswithdiverseneeds&differingstoragepolicysettingscanbeapartofsameContainer3.MustbemappedtovSphereasVirtualDatastoresd)ProtocolEndpoints–logicalI/OproxyforESXiHoststocommunicatewithVVOLs/VMDKs1.EstablishesadatapathondemandfromVMstotheVMsrespectiveVVOL2.DiscoveredbyESXiHostsonceContainersaremappedviaVirtualDatastorecreation
Figure11,VVOLArchitectureDiagramb.DeterminetheroleofstorageprovidersinVSAN1)ReportunderlyingstoragecapabilitiestovCenter;communicatesVMstoragereq’swithVSAN2)ViewprovidersbyselectingvCenter>Managetab>StorageProviders;allHostshaveSPbutonly1isactive
c.DeterminetheroleofstorageprovidersinVVOLs1)VMwareAPIforStorageAwaremess(VASA)provider;asoftwarecomponentactingasastorageawarenessservice,mediatingout-of-bandcommunicationbetweenvC/ESXi&storagesystemd.ExplainVSANfailuredomains(FD)functionality1)FDsinstructsVSANtodistributeredundantcomponentsacrossserversinseparateracks(FDs)2)Insimplestterms,aFDconsistsof1ormoreHostsinasingleserverrack;minimumFD=33)IfaHostina3-HostFDfails,otherHostsarestilloperationalandcanreceivedatafromthefailedHost;VMscanberestartedviaHAontheother2FDHostsorHostsinotherFDse.Configure/ManageVSAN1)AddaVSANNetwork(VMkernelorvmk)toeachHostparticipatinginVSANCluster2)EnableVSANonavSphereCluster(selectCluster>Managetab>Settingstab>Editbuttonandclicktoselect‘TurnOnVSAN’;NOTE:HAmustbeturnedofffirst;and,VSANDatastorescanNOTbeusedforHADSHeartbeating3)CreateaDG(inClustersettings),of1SSD&atleast1HD(butupto7HDs)foreachESXiHostinVSANCluster;NOTE:NotallparticipatingHostsneedtohaveaDG4)Addminof3HoststotheVSANCluster;VSANDSwilldisplaytotalofallHostDG’sHDstorage5)Ifnotalreadydone,addaVSANlicensetotheCluster:selecttheCluster>Managetab>Settingstab>Configurationsection&selectLicensingandclicktheAssignLicensebuttonf.Create/ModifyVVOLs1)VerifytimesyncamongESXiHostsparticipatinginVVOLs2)RegistervendorStorageProvider–vCenter>Managetab>StorageProviderstab>clickRegisterstorageprovidericon(“+”),thenOK3)CreateaVirtualDatastore–Inventory>Datastores>AddDSicon>selectVVOLtype>selectappropriateStorageContainerinlist&Hostsrequiringaccess,thenFINISH
Figure12,CreateVirtualDatastoreWizard4)ReviewProtocolEndpointMultipathingPolicy&changeifneeded:Host>Managetab>
Storagetab>ProtocolEndpoints5)CreateVMStoragePolicy–Home>Policies/Profiles>VMStoragePolicies>CreatenewVMStoragePolicy6)CreateVMsandassignPoliciestoVMVMDKs(VM>EditSettings>VirtualHardware>expandHardDisk#,andassign‘VMStoragePolicy’fromdrop-downmenu)g.ConfigureStoragePolicies1)Home>Policies/Profiles>VMStoragePolicies>CreatenewVMStoragePolicy2)AssignpolicytoVMdisk(s)h.Enable/DisableVSANFaultDomains1)SelectVSANCluster>Managetab>Settingstab,VSANsectionandselectFaultDomains2)Click“+”toaddaHost(s)toFDsi.CreateVVOLsgiventheworkloadandavailabilityrequirements1)Pre-req’s:verifySANisVASAcompliant;verifyNTPconfig’d;SANStorageContainersconfig’d2)RegisterStorageProviders:vCenter>Managetab>StorageProviders&click‘RegisterNewStorageProvider’icon3)CreateaVVOLDatastore:Datastores>CreateDSiconandselectVVOLasDS‘Type’;addlistedStorageContainers,thenFinish4)Review/changeanyProtocolEndpoints:Host>Managetab>Storagetab>ProtocolEndpointsj.CollectVSANObserveroutput1)LaunchviaRubyvSphereConsole(RVC)ESXiHostCLI:vsan.observer -–<parameter>2)Oncelaunched,gotoawebbrowser&entervCenterIPwithport8010toviewinfo/graphs3)TocollectObserverlogs:vsan.observer <cluster> -–run-webserver --force -- generate-html-bundle /tmp --interval ## --max-runtime 1k.CreateStoragePoliciesappropriateforgivenworkloadsandavailabilityrequirements1)CreatingStoragePoliciesisdiscussedabove.Createpoliciesbasedonperformance,SLAs,etc,thenjustassignagivenSPtoaVMVMDKasrequiredl.ConfigureVVOLsProtocolEndpoints1)Host>Managetab>Storagetab>ProtocolEndpoints>selecttheEndpoint>Propertiestab>EditMultipathingbuttonunder‘Policies’
3.3 –ConfigurevSphereStorageMulti-pathingandFailovera.Explaincommonmulti-pathingcomponents1)Theadapter(FC,iSCSI,physicalNIC)2)SANorNetworkSwitch3)SANStorageProcessors(SPs)4)PSA–PluggableStorageArchitecture5)NMP–NativeMultipathingPlug-in;genericVMwaremutlipathingmodule6)PSP–PathSelectionPlug-in(Policy);handlespathselectionforagivendevice7)SATP–StorageArrayTypePlug-in(Policy);handlespathfailoverforagivendevice
Figure13,PSP/Multi-pathingArchitectureb.DifferentiateAPDandPDLstates1)APD–AllPathsDown;conditionwhenastoragedevicebecomesinaccessibletotheHost&nopathstodeviceareavailable;transientcondition,meaningit’stemporary;APDtimer=140secs2)PDL–PermanentDeviceLoss;condtionwhenastoragedevicepermanentlyfailsorisadministrativelyremoved/excludedc.Givenascenario,compare/contrastActiveOptimizedvsActivenon-OptimizedPGstates1)ThedefaultPSPfordevicesclaimedbyVMW_SATP_ALUAisVMW_PSP_MRU,whichselectsan“active/optimized”pathreportedbyVMW_SATP_ALUA,oran“active/unoptimized”pathifthere’sno“active/optimized”path;willreverttoactive/optimizedwhenavailabled.ExplainfeaturesofthePluggableStorageArchitecture(PSA)1)SeeFigure12above2)PSP–responsibleforchoosingphysicalpathI/Oa)MRU:selectsapathuponboot;whenpathunavailableselectsalternate,&doesnotrevert(active/passive)b)FIXED:selectspreferredpathuponboot;whenunavailableselectsalternate,&doesrevert(active/active)c)RR:I/Orotatesthroughactivepaths3)SATP–responsibleforarray-specificoperations,monitoringpathhealth,changesinpathstate,&failoveroperationse.Understandtheeffectsofagivenclaimruleonmultipathing&failover1)Claimrulesindicatewhichmultipathingplug-inNMPor3rdpartyMPPmanagesagivenpath2)WhenaHostisstartedorrescanperformed,itdiscoversallphysicalpathstostoragedevices,andbasedonclaimrulesdetermineswhichMPPclaimsthepathtoadevice3)ThesystemsearchesSATPrulestoassigntodevicesfirstbydriverrules,thenvendorormodelrules,andlastlybytransportrulesa)IfnoSATPmatchisfound,thedefaultSATPforFCandiSCSIisVMW_SATP_DEFAULT_AAandthedefaultPSPforthatSATPisVMW_PSP_FIXEDb)IfadeviceisclaimedbyVMW_SATP_DEFAULT_ALUA,thedefaultPSPisVMW_PSP_MRUf.Explainthefunctionofclaimruleelements1)Vendor
2)Model3)DeviceID4)SATP5)PSP*Notsurewhatisreallyrequiredhere.TheStorageGuidementionsClaimRuleelements(vendor,etc),butdoesn’tstate‘function’perse.SATP&PSPwerediscussedaboveg.ChangethePathSelectionPolicy(PSP)usingtheUI1)Host>Storagetab>StorageDevices>Propertiestab>MutipathingPoliciessection,clickEditMultipathingbutton,andselectaPSPfromdrop-down,thenclickOKh.DeterminerequiredclaimruleelementstochangethedefaultPSP1)PSAplugintouse(-P);Type(-t;values=vendor,location,driver,transport,device,target)2)Seepg.194-195esxcliclaimruleparameters(note‘required’byeachparameterdescription)i.DeterminetheeffectofchangingPSPonMultipathingandFailover1)UseWebUIoresxclicmd,thenaHostrebootisrequired2)Pathsmust1stbeunclaimed,thenreclaimedtobeabletomakethechangej.DeterminetheeffectsofchangingSATPonrelevantdevicebehavior1)VMwareprovidesaSATPforeveryarrayVMwaresupportsontheHCL2)SATPmonitorspathhealth,,respondstoerrorsfromarray,andhandlesfailover3)ChangingtheSATPmaychangethePSPwhichmaycreateunexpectedfailoverresultsk.Configure/ManageStorageLoadBalancing1)Datastores>selectaDS>Managetab>Settingstab>Connectivity&Multipathing>selectHostfromthelistandviewMPdetailsandchangeifneededl.DifferentiateavailableStorageLoadBalancingoptions1)Thiswasdiscussedearlier(MRU,FIXED,RR)ind.abovem.DifferentiateavailableStorageMulti-PathingPolicies1)RR,MRU,FIXEDwerediscussedind.2)aboven.ConfigureStoragePolicies1)Home>VMStoragePolicies,thenassigntoaVMHardDisko.LocatefailovereventsintheUI1)selectthevCenterServer>Monitortab>Eventstab
3.4 –PerformAdvancedVMFS&NFSConfiguration&Updatesa.DescribeVAAIprimitivesforblockdevicesandNAS1)Blockprimitives:ATS(VMFSlock);ThinProvisioning;FullCopy(Cloning);BlockZero2)NASprimitives:FullFileClone(Cloning);ReserveSpace(VMDKthickprov);NativeSnapSupport;ExtendedStatistics3)Forexample,toreclaim‘free’spaceonaThinLUN/DS,usetheesxclicmdwithUNMAP(see:http://kb.vmware.com/kb/2057513)
b.DifferentiateVMwarefilesystemtechnologies1)VMFS–block-based2)NFS–filesystem-basedc.UpgradeVMFS3toVMFS51)Datastores>selectaDSonleft>Managetab>Settingstab>clickUpgradetoVMFS5link,OK2)PerformDSrescanforallHostsconnectedtotheupgradedDSd.ComparefunctionalityofnewlycreatedvsupgradedVMFS5datastores1)New–64TBdatastores;1MBblock;VM=62TBdisks;smallfilesuppt;storagereclamation;GPT2)Upgraded–1/2/4/8MBblock;MBR;ATS+SCSI;64KBsubblocksize;VM=2TBVMDKse.DifferentiatePhysicalModeRDMs&VirtualModeRDMs1)Physical–passesallSCSIcmds,exceptREPORTLUNstomappingdevice;usedforNPVI&MSCS;Nosnapshotting2)Virtual–passesallREAD&WRITEcmdstomappingdevice,notSCSIcmds3)Paynotetowhatfeatures/functionscanbeusedwitheachRDMtypewhenreviewingtheGuidesf.CreateVirtual/PhysicalModeRDM1)NewVMwizard>onCustomizeHardwarewindow>Newdevicedrop-down,andselectRDM>selectadevice/LUN>expandNewHardDisk&selectRDMmode(diskmode),thenOKg.DifferentiateNFS3.xand4.1capabilities1)NFS4.1doesnotsupportlegacyFTorhardwareacceleration(i.e.can’tcreatethickdisks);multipathingthatsupportssessiontrunking;kerberos;sharereservations;filelocking;nonrootusers;non-Kerberosmounts;simultaneousAUHT_SYSnotsupported2)NFS3doesn’tencrypt;nodelegateuserfunction;supportsh/wacceleration
Figure14,NFSProtocolFeatureSupporth.Compare/ContrastVMFS&NFSdatastoreproperties1)Sharedalreadyabitabove
i.ConfigureBusSharing1)Rt-clickVM>EditSettings>VirtualHardwaretab>expandSCSIController,selectSCSIBusSharingtypefromdrop-down(None,Virtual[disksharedbyVMsonsameHost],Physical[disksharedbyVMsondiffHosts])j.ConfigureMulti-WriterLocking1)Rt-clickVM>EditSettings>VMOptionstab>expandAdvanced,clickEditConfiguration>AddRows>addParameterforeachHDwithnameofdisk(i.e.scsi:0:sharing;scsi:1:sharing)andseteachSCSIparameter’svaluetomulti-writer2)Or,inVirtualH/Wtab>expandHardDisk#>configurethe“Sharing”optiondrop-downtomulti-writerk.ConnectanNFS4.1datastoreusingkerberos1)PerHost,andsetDNS,time,andaddeachHosttoanADDomain(Settingstab)l.Create/Rename/Delete/UnmountVMFSdatastore1)Create:Host/Clusters>RelatedObjectstab>Datastorestab>AddDSicon&followwizard2)Fromsamearea,rt-clickDS&Rename,orDelete,orUnmount;Delete/Unmountpre-req’s=noVMs;notinSDRSCluster;SIOCisdisabled;notusedforHADSHeartbeatm.Mount/UnmountNFSdatastore1)Datastores>AddDSwizard>specifylocation>selectNFSastype>selectNFSversion>enterDSName>enterNFSsharedetails(server,folder)
Figure15,AddNFS(Mount)Wizard2)Unmount–rt-clickDS>Unmount;NOTE:anUnmountedNFS(orVVOL)disappearsfromInventory;DSunmountchecks/pre-req’s:noVMs,notinSDRS,SIOCdisabled,notusedinHAheartbeating
n.Extend/ExpandVMFSdatastore1)Datastores>clickIncreaseDSCapacityicono.PlaceaVMFSdatastoreinMaintenanceMode1)Rt-clickaDS>MaintenanceMode>EnterMaintenanceMode2)Pre-req’sforDStobeinMM:StorageDRSenabled;noCDImageFilesstoredonDSp.SelectthePreferredPath/DisableaPathtoVMFSdatastore1)PreferredpathcanonlybesetondeviceswithFIXEDPSPset2)Host>Managetab>StorageDevices>Propertiestab(below)>MPPolicies>EditMultipathingbutton>clicktoselectthePrefPath,thenclickOK(nothingdefinitivelyshowsverifyingthepathasPref)q.Enable/DisablevStorageAPIforArrayIntegration(VAAI)1)Enable:PerHost>Managetab>Settingstab>Advanced>searchfordatamover optionsandverifyvalueissetto1;setto0todisabler.Givenascenario,determineaproperusecaseformultipleVMFS/NFSdatastores1)HA–DSheartbeating2)StoragePolicieswithdifferentservicelevels(i.e.performance)3)Preventdiskcontention
3.5 –SetupandConfigureStorageI/OControl(SIOC)a.DescribebenefitsofSIOC1)Cluster-widestorageI/Oprioritizationallowingbetterworkloadconsolidation&reducesoverprovisioningcosts;extendsconstructsofShares/LimitsperVMduringI/Ocontentionb.Enable/ConfigureSIOC1)AlreadyenabledbydefaultonSDRSClusterDS’s2)Req’s:vCenter;RDMnotsupported;multipleDSextentsnotsupported,Ent+,ESXi4.1+c.Configure/ManageSIOC1)GotoDatastores>selectit>Managetab>Settings>General,andselectEditbutton,then
checktheboxtoenableSIOC;configuresettingsasneeded
Figure16,EnableSIOC
2)SetShare/LimitsettingsonVMdisk(s)d.MonitorSIOC1)Storage>selectaDS>Monitortab>Performancetab,clickOverviewandsettoRealtimee.DifferentiatebetweenSIOCandDynamicQueueDepthThrottlingfeatures1)SIOCisamechanisminthehypervisorthatcontrolsI/OviaShares/Limits2)QueueDepthThrottlingisanalgorithmthatadjustsLUNqueuedepthintheVMkernelI/Ostackthatreducesqueuedepthwhenthere’scontention(i.e.queueisfull)f.Givenascenario,determineaproperusecaseforSIOC1)Anytimedisklatencyaverages15+msoflatency2)Alowermsthreshold=lesslatency(i.e.higherperformance),butalsolessthroughput;higherms=potentialformorelatency(degradedperformance),buthashigherthroughput;defaultlatencythresholdsbasedonstoragemedia/protocols:FC=20-30ms;SAS=20-30ms;SSD=10-15ms;SATA=30-50msg.Compare/contrasttheeffectsofI/Ocontentioninenvironmentswith/withoutSIOC1)WithoutSIOC,a‘noisyneighbor’VMcouldattainmorestorageI/OthanitsallotmentSECTIONIV–UpgradeavSphereDeploymentto6.x4.1 –PerformESXiHostandVirtualMachineUpgrades
a.Configuredownloadsources1)UsingC#Client>Home>SolutionsandApplications>UpdateManager>Configurationtab>Settings>DownloadSettings3)InDownloadSourcespane,select‘DirectconnectiontoInternet’>clickAddDownloadSource4)EnterthedownloadsourceURL,(optional)description,thenclick‘Validate’>OK,thenApplyb.SetupaUMDSdownloadrepository1)UsingC#Client>Home>SolutionsandApplications>UpdateManager>PatchRepositorytabc.ImportESXiimages1)UpdateManager>ESXiImagestab>ImportESXiImage,browsetotheISO&selectFinishd.CreateBaselinesandBaselineGroups1)UpdateManager>Baselines&Groupstab>clickbuttonforHostorVM,thentheCreatelink2)Insamearea,inthebottomBaselineGroupspane,clicktheCreatelinke.AttachBaselinestovSphereobjects1)SelectavSphereobject>UpdateManagertabonright,thenclicktheAttachlink2)Youcandoobjectsolely,orviaCluster,Datacenter,folder,etc.formultipleobjectsf.ScanvSphereobjects1)SelectavSphereobjecttoscan>UpdateManagertabonright,thenclickScan&followwizard
g.Stagepatchesandextensions1)SelectavSphereHosttostage>UpdateManagertabonright,thenclickStage&followwizardh.Remediateanobject1)SelectavSphereobjecttoremediate>UpdateManagertabonright,thenclickRemediate
Figure17,UpdateManagerWindowi.UpgradeavDS1)Networking>rt-clickavDS>Upgrade>UpgradeaDistributedSwitchj.UpgradeVMwareTools(severalmethods)1)Selecttoautomatically‘CheckandupgradeVMwareToolsbeforepoweron’inVMOptionstab2)UseVUM3)ListVMs>selectseveral(withsameOS)>GuestOS>UpgradeVMwareTools4)Silentinstall(see:http://kb.vmware.com/kb/1018377)k.UpgradeVMhardware1)PowerdownVM(s)>rt-clickandselectUpgradeVMCompatibiltiy(orchoosefromActions)
l.UpgradeanESXiHostusingvCenterUpdateManager(VUM)1)ConfigureUMSettingsinConfigurationtab(MaintMode,Cluster,etc.)2)ConfigureBaseline/BaselineGroupifnotalreadydone3)AttachBL/BLGtoinventoryobject(explicitHost,orDC/Folderobjects)4)ManuallyperformUMScan&reviewresultsofinventoryobjects’compliance5)SelectHostorvSphereobject>UMtab>Remediatem.StagemultipleESXiHostupgrades1)Sameasl.above,butperformonaHost‘container’object(Cluster,DC,orfolder)n.AssignappropriateBaselineswithtargetinventoryobjects1)Discussedabove
4.2 –PerformvCenterUpgradesa.ComparemethodsofupgradingvCenterServer1)WindowsorapplianceinstallwithembeddedorexternalPlatformServicesController(PSC)
Figure18,vCenterUpgradePathb.BackupvCenterServerdatabase,configuration,andcertificatedatastore1)DBbackup:dependentonDBtype(SQL,Oracle,PostgreSQL)2)Configbackup:didn’tseeanydocumentationonthis,butthinkthereisanoptionforWininstall3)Certstorebackup:sameas2;or,ifusingVCSA,justsnaptheVMappliancec.PerformupdateasprescribedforApplianceorInstallable1)Installable:upgradeSSOtoPSCfirst,thenvCenter(whichnowhousesInv,Web,&vCsvcs,etc);ifyourinstallisalready‘Embedded’(everythingon1server),justruninstalleronvCenter2)Appliance:alwaysupgradedtoanEmbeddedinstall;ifwantingtouseexternalPSC,anewVCSAmustbedeployed3)DBinfo:WindowsembeddedcanusebundledPostgreSQLforupto20Hosts/200VMs;VCSA
bundledPostgreSQLsupportsupto1000Hosts/10000VMs,orexternalOracled.UpgradeVCSA1)VCSAmustbeminimumofVCSA5.1U3toupgradetov6;VCSAminESXiHostversion=5.02)DownloadVCSAISOandinstalltheClientIntegrationPlugina)OnWin2012server,justdouble-clicktheISOto‘extract’theISOcontents>gointothevcsafolderanddouble-click‘ClientIntegrationPlugin-6.0.0.exe’3)ExportcurrentVCSAconfiguration–didn’tfindhowthisisdone;justsnapshottheVCSA4)Afterplug-ininstall,runvcsa-setup.html;NOTE:ifplug-inisn’tinstalled,youwon’tbeabletoviewthewebpagecorrectlytoperformtheVCSAupgrade/install;minbrowser>FF30+,Chrome35+,IE10/115)Fillinappropriateinfowhenrequestede.Givenascenario,determinetheupgradecompatibilityofanenvironment1)Windowsinstalliscompatibletoupgradetov6directlyfrom5,.x;VCSAmin5.1U32)VCSAupgradeisalwaysembedded;tohaveexternalPSC,anewVCSAmustbeinstalled3)vCentersizing;NOTE:addthePSCrequirementtothevCenterrequirementfortotalminresourcesneededforinstall:
Figure19,vCenterResourceRequirements4)vCenterforWindows–OSrequirement=Win2K8SP2;localDBcansupport20Hosts/200VMsf.DeterminecorrectorderofstepstoupgradeavSphereimplementation1)SSO→PlatformServicesController(PSC);PSCconsolidatesLicenseSvr,SSO,&VMCA2)vCenter→consolidatesWebClient,InventorySvc,DumpCollector,Syslog,AutoDep,vCenter2)VUM(ifused)3)ESXiHosts4)vSphereClient(onlyneededifVUMisused;orvCloudConnector)5)VMwareTools6)Virtualhardware(optional;onlyneededifh/wupgradeprovidesfeaturesorgneeds)
SECTIONV–AdministerandManagevSphere6.xResources5.1 –ConfigureAdvanced/MultilevelResourcePools
a.Understand/Apply(ResourcePools)1)Parent–top-level2)Child–subtoaParent3)Sibling–insamelevel4)Root–topmostlevelforstandaloneHostorCluster(notviewableinvCenter)
Figure20,ResourcePoolHierarchyb.DetermineeffectofExpandableReservationparameteronresourceallocatoin1)AllowsachildRPtoaskitsdirectparentRPtoborrowresourceswhenthechildrunsout2)Recursive–ifdirectparenthasnoavailableresources,theparentRPcanaskitsparentRPc.CreateaResourcePool(RP)hierarchicalstructure1)Inventory>rt-clickaDRS-enabledClusterorstandaloneHost>NewResourcePool2)Enterinfo–Name,Shares/Limits/Reservation,Expandability3)ForaSiblingRP,repeatsteps;forachildRP,rt-clicknewlycreated(parent)RPandcreated.ConfigurecustomRPattributes1)Rt-clickaRP>EditResourceSettingsandchangeoptionsasneeded(Name,CPU,Memory)e.DeterminehowRPsapplytovApps1)vAppsarecontainerslikeRPs;assuch,vAppsactlikeRPsastheyalsohaveresourcesallocatedinthesamemannerasRPs(Shares/Limits/Reserv,ExpandableReserv,etc.)f.DescribevFlasharchitecture1)ReadCache;enablespoolingofmultiplelocalFlash-baseddevicesintoasingleconsumablevSphereconstructcalledaVirtualFlashResource(VFR)2)VFRisconsumedandmanagedinthesamewayCPU/memoryareinvSphere;consumablebyVirtualHostSwapCacheforvSphereHypervisorandVirtualFlashReadCacheforVMs3)GoodcandidatesofvFlash–VDI,DBWarehouse,&read-intensiveWeborMonitoringservers4)RequiresEnt+5.5+;max16TB;max8SSDsperVFR;workswithVMotion,HA,DRS;allowswrite-through(readcache)mode
Figure21,vFlashArchitectureg.Create/RemoveaRP1)See“c”above;toRemove,simplyrt-clickandDelete(removeanyVMsinRP)h.Add/RemoveVMsfromaRP1)Add:rt-clickVM(s)>MoveTo..>expandInventoryuntilRPisshown,thenclickOK;drag/drop2)Remove:sameprocessasabovei.Create/DeletevFlashRP1)Host>Managetab>Settingstab>VirtualFlashResourceManagement,‘AddCapacity’button2)SelectVirtualFlashHostSwapCacheConfiguration,‘Edit’button
Figure22,EnablevFlashperHost
j.AssignvFlashresourcestoVMDKs1)Rt-clickVM>EditSettings>VMHardware,expandHardDiskwantingtoassignvFlashandconfigureamount(inGBbydefault)nexttoVirtualFlashReadCachek.Givenascenario,determineappropriateShares,Reservations,Limits,forhierarchicalRPs1)Thisisusuallya‘depends’situation2)Knowwhateachare→Limits=upperbound;Reservation=guaranteed/min;Share=allocationwhencontention(defaultCPUShare=2000[High],1000[Normal],500[Low])3)Tocalculate&allocateSharesforobjects:a)TotalallShareamountforallVMsb)(HighSharevaluex#ofVMswithHighvalue)/(TotalShares)=%ofresource(CPUorRAM)neededtobeallocatedtohighShareVMs;this%willthenneedtobedividedby#ofVMswithhighSharevaluec)Repeatb)formedium(Normal)andlowSharevalues4)UnderstandhowSharesandresourcesworkinRPswithExpandableReservation
SECTIONVI–Backup&RecoveravSphereDeployment6.1 –ConfigureandAdministeravSphereBackups/Restore/ReplicationSolution
a.Compare/contrastvSphereReplication(vR)compressionmethods1)vReputilizesFastLZopensourcecompressionlibrary,providingbalanceofspeed,minimalCPUoverheard,&compressionefficiency2)Thisbulletmayrefertohowcompressionishandleddependingonsource/targetHostversion:
SOURCEESXiHOST TARGETESXiHOST COMPRESSIONSUPPORTPre-ESXi6 AnyvRsupportedversion NocompressionsupportESXi6 Pre-ESXi6 Sourcecompression/vR
appliancedecompressionESXi6 ESXi6 Sourcecompression/target
Hostdecompressionb.DifferentiateVMwareDataProtection(VDP)capabilities1)Virtualappliance2)Webclientmanaged(FlashPlayer16+);IE10.0.19,FF34,Chrome39&ClientPlug-in3)Dedupcapability;wholeimageorfilelevelrestore;usesVADP4)vSphereEssentialsPlus5.0(vCenter5.5)andhighereditions5)NoPhys/IndepVirtRDMorVVOLsupport6)VMHardware7+tosupportCBTc.Configurerecoverypointobjective(RPO)foraprotectedVM1)Thisisself-explanatory;configureinvRepbasedonRPOreq’sforaVM2)Thekeyhereisyoucanhaveonlyamaxof24restorepoints,soconfigwillbebasedonbizrequirementscoupledwithmaxrestorepointsallowed
d.ExplainVDPsizingguidelines1)400VMsperVDPappliance(about25VMsperVDPcapacitytype)2)20VDPappliancespervCenter3)upto8TBstorage(.5TB,1TB,2TB,4TB,6TB,8TB)
Figure23,VDPCapacity&Resources
Figure24,VDPSizingGuideline4)Basically,sizingwilldependuponNumber&TypeofVMs,amtofdata,retention,&chgratee.Create/Delete/ConsolidateVMsnapshots1)Create:rt-clickVM>Snapshots>TakeSnapshot..2)Delete:rt-clickVM>SnapshotsManageSnapshot>selectsnap&delete/deleteall;doingsoretainsalldataacquiredsincesnapwastaken&removesthesnap
Figure25,DeleteSnapshot3)Consolidate:rt-clickVM>Snapshots>Consolidatef.InstallandconfigureVDP1)Rt-clickDC,Cluster,Host>DeployOVFTemplate…
2)AfterdeploymentgotoURLhttp://VDP-IP:8543/vdp-configure&loginwithroot/changeme3)ConfigurestaticIPsettings,DNS,Hostname,Domain,Timezone,etc
Figure26,VDPApplianceConfigurationg.CreateabackupjobwithVDP1)SelectvSphereDataProtectiononleftpaneinWebClient>Backuptab>BackupJobActions,thenselectNew2)Options:a)JobType=GuestImages(ApplicationsisforExchange,SQL,Sharepoint)b)DataType=FullImage(alldisks)orIndividualDisksc)BackupSources→selectindividualVM(s)orcontainers(DC,Cluster,Folder)d)SelectaSchedule(Next),thenRetentionPolicyh.Backup/RestoreaVMwithVDP1)Seeg.aboveforBackup2)FromVDPRestoretab,selectaVM>Restoreiconandsetrestoreoptionsa)RestoretooriglocationnotallowedifVMDKnotpresent…only‘newlocation’allowedi.Install/Configure/UpgradevRep1)VirtualapplianceOVFinstall&WebClientconfigurationviaplug-in;vSphereReplicationwillbeaWebClientHomeleftpaneoption;usetheVAMI(https://vR-IP:5480)toregisterwithSSO2)FirstvROVFisthevRMgmtServer;additionalvROVFsarevRServers(nomgmt)3)10totalOVFscanbedeployedpervCenter(1vRMgmt&9vRSrvrs)4)vRepnetworktrafficcanbeisolatedutilizingvmkforReplicationservice5)Componentsthattransmitreplicationdata–vRagent&vSCSIfilter;arebuiltintovSphere6)RPOrangeis15minsto24hrsonaper-VMbasis;NOTE:VSAN>VSANreplicRPOcanbe5min,andmaximumrestorepointsretainedallowedis247)UpgradevRepAppliancesbymountinganISO;forvR6appliances,youcanusetheVAMI(https://vR-IP:5480)
j.ConfigureVMwareCertificateAuthority(VMCA)integrationwithvR1)VAMI(https://vR-IP:5480)>vReptab>Security>Configuration,select‘AcceptonlySSLcertificatessignedbyatrustedCertificateAuthority’2)Save&RestartServicetoapplychangesk.ConfigurevRepforsingle/multipleVMs1)BrowsetolistofVMsinWebClient2)SelectsingleormultipleVMs>rt-clickVM(s)>AllvSphereReplicationActions>ConfigureReplication3)AcknowledgeVMnumber,selectTargetSite&Datastore,configureRPO&Quiesce,Finishl.RecoveraVMusingvRep1)Canonlyrecover1VMatatimemanually;SRMcanbeusedformultiple-VMrecovery;sourceVMmustbepoweredoff2)FromvRinWebClient>IncomingReplicationtab,rt-clickaVM>Recover3)Tworecoveryoptions:a)SynchronizeRecentChanges–sourceVMisoff/accessible&vRreplicateslatestchgstotargetbeforerecovery;increasedrecoverytimebutensuresnodatalossb)UseLatestDataAvailable–basically,nofinalsyncbeforerecovery;sourceVMnotaccessible4)Selectafolder&resourcetorecovertheVM5)Networkmustbemanuallyconfigured,&choosewhethertopoweronrecoveredVMornot6)AllrestorepointsarerecoveredforVMs,sotoreverttoaspecificRP,useSnapshotManagerto‘revert’m.PerformafailbackoperationusingvRep1)Manual2)AftervRRecoverytoatarget,fromthattargetsite,configureanewreplicationinreversebacktothesourcesite3)ThesourceVMmustbeunregisteredfrominventorybeforeconfiguringreversefailovern.DeployapairofvRepvirtualappliances1)Asnotedabove,the1stvRapplianceistheMgmtserver&subsequentonesarevRservers2)AllareOVFssothere’snodifferenceininstall3)Configure‘sites’inthevReppluginintheWebClient;reviewvRepAdminGuideforsteps&privilegesneededtodoso
SECTIONVII–TroubleshootavSphereDeployment7.1 –TroubleshootvCenterServer,ESXi,&VMs
a.MonitorstatusofvCenterservice1)FromWebClientHome>Administration>SystemConfiguration>Service,thenselectVMwarevCenterServerfromlistandviewSummarytabonright2)Or,fromSystemConfiguration>Nodes>RelatedObjectstab
Figure27,MonitorvCenterServerServiceb.PerformbasicmaintenanceofvCenterServerdatabase1)IfvCenterServerServiceisstopped,couldbeissueswithDBconnectivityauthentication2)CheckDBdiskspaceusage;performLogfileShrinkoperation(SQL)ifneededc.MonitorstatusofESXimanagementagents1)SSHintoHost>/etc/init.d/hostd status2)ForthevCenterServeragent:/etc/init.d/vpxa status3)RestartESXiManagementAgentsfromDCUIifneeded(orreplacestatusabovewithrestart)d.DetermineESXiHoststabilityissues&gatherdiagnosticinformation1)ProbablybestwaytodetermineHoststabilityislookatEventsorLogBrowser(Host>Monitortab),Performancetab,and/oresxtopinfo2)Togatherlogs,clickonvCenterinWebClient>Monitortab>SystemLogstab,thenExportSystemLogsbutton3)Also,ifHostdoesn’tmeeth/wrequirements,issuesarise–4GBRAM,64bit,NX/XDenabled,Intel-VD/AMD-RVIenabled,GbNICse.MonitorESXisystemhealth1)FromaHost>Monitortab>HealthStatustab2)Checkpowerconsumptionsettingsa)High–don’tdisableanypowerresources(increasedhostperformance)b)Balanced–somepowerreductionwithouthinderingperformancec)Low–enablepowersavingssettingswithpotentialofhinderingperformanced)Customf.Locate&analyzevCenterServer&ESXiLogs1)Mgmt/vCenterNodeLogsarelocatedin:/var/log/vmware/ (VCSA)orC:\Program Data\VMware\vCenterServer\Logs(seeKB:http://kb.vmware.com/kb/2110014)a)vpxd.log–mainvCenterlogb)vpxd-profiler.log–profilemetricsforvCenteroperationsperformedc)eam.log–ESXAgentManagerd)stats.log–performancechartse)vsphere-client.log–WebClientf)vws–system&h/whealthmanagerg)OtherMgmtNodelogs:vpostgres(DBlog),workflow(workflmgr),vapi,netdump,invsvc,vmware-sps(Profiledrivenstorage),vmdird(DirSvcDaemon)h)PSCNode:SSO(STSlog),cis-license(LicSvc),VMCA(CertSvc),vmdir(DirSvc)2)ESXiLogscanbeviewedinDCUI&arelocatedin:/var/run/loga)hostd.log–hostd/managementservicesb)vpxa.log–vCenterServerinteraction
c)fdm.log–HA d)syslog.log–default‘catch-all’ e)usb.log f)hostprofiletrace.logg)sdrsinjector.log–StorgeDRSh)vmkernel.log–VMkernel,devicediscovery,storage/networkdriverevents,VMstartupi)DCUIlogs–Syslog,VMkernel,Config,MgmtAgent(hostd),vCenter(vpxa),Observation(vobd)
Figure28,ViewESXiSystemLogsg.DetermineappropriateCLIcommandforagiventroubleshootingtask1)Diversetopic;anywherefromesxclicmds,toesxtop,torestartingagents;vimtop=VCSAesxtop2)ThisKBreferencescommonVMtasks:http://kb.vmware.com/kb/20129643)WhatIrecommendisSSHintoaHostandjustrunesxcli,pressENTER,&viewcmds;then,viewwhateachsub-cmddoesbyonlyrunning‘get’and‘list’esxclicmds;befamiliarwithwhatcmddisplayswhatoutputh.Troubleshootcommontasks1)vCenterServerservice–restartservice;maybeneededafterCertsreplaced2)SSO–verifyIdentitySourcesconfig(domaininfo/credentials);SSOuserpermissions;areservicesorfirewallsdisruptingcommunication(Windowsversion;port7444)3)vCenterServerconnectivity–checkvpxa.logonHosts;validpermissions4)VMresourcecontention,config,&operation–VM>Performancetab;checkShares/Res/Limits5)PSC–see#2(anyissueswithSSO,VMCA,&License)6)Installproblems–ESXi→alongwithinstallreq’ssharedind.above,isHostonHCL?..installoncorrectdisk?...nothavingatleast4GBRAMfailsinstalltoo;changeBIOSboottoUEFI–“vmwarebootbank”error;VMDirectoryServiceorDBerrors?7)VMwareToolsinstall–eitherdoarepairoruninstall/reinstallTools8)FTnetworklatency–maincausehereiseitheronlatencysaturatednetworkorinsufficientbandwidthonFTloggingvmk;useadedicated10GbNIC;also,Hostresourcescouldbelow,somanualVMotionmayberequired(VMperformancedegragationnoticed);or,ifanyVMisonaresource-constrainedHost..useVMotiontorectifyand/orconfigureresourcereservations9)ReviewthescenariosintheTroubleshootingGuideforcommonissuesinrelationtoeachaboveitem
7.2 –TroubleshootvSphereStorage&NetworkingIssuesa.Identify&isolatenetworkandstorageresourcecontention&latencyissues1)Networkmetricstobeawareof:a)%DRPTX/%DRPRX-%oftransmittedorreceivedpacketsdropped;threshold=1b)SPEED/UP/FDUPLX–self-explanatory;differentconfigthanswitchportcancauseissuesc)MbTX/s(orMbRX/s)–Megabitstransmitted(orreceived)persecond2)Storagemetricstobeawareof:a)DAVG–timeinmspercmdbeingsenttodevice(HBA);threshold=15msb)KAVG–timeinmscmdspendsinVMkernel;threshold=4msc)GAVG–responsetimeasperceivedbyguest(DAVG+KAVG);threshold=20ms3)ToresolveSCSIReservationissues:increaseLUNs,reducesnapshots,updateHostBIOS,lessVMsonLUNb.MonitornetworkingandstorageresourcesusingVROpsalertsandallbadges1)“Major”Badges,alongwiththeirsubsequent“Minor”Badgesa)Health→(score=0[bad]-100[good])Workload,Anomaly,Faultb)Risk→TimeRemaining,CapacityRemaining,Stressc)Efficiency→(score=0[bad]-100[good])ReclaimableWaste(resources),Density(consolidationratios)c.Verifynetworkandstorageconfiguration1)Thinkthisisself-explanatory.Viewinfoinappropriateareas–vDS,iSCSIconfigs,vmkconfigs,JumboFramesconfig’dend-to-end,IPsettings,VLAN,etc.Justknowwheretolook2)WhatisneededtoconfigureFC?pg.39,StorageGuide;toconfigureiSCSI?pg.69,StorageGuide;toconfigureFCoE?pg.45,StorageGuide;NFS?pg.152,StorageGuided.VerifyagivenVMisconfiguredwithcorrectnetworkresources1)Rt-clickVM>EditSettings>VirtualHardwaretab>expandNetworkAdapter#2)LookatconnectedPG/Network;isIPconfig’d;isvmnicconnected;connecttodiffvporte.Monitor/TroubleshootStorageDistributedResourceScheduler(SDRS)issues1)SDRSdisableddiskcauses:VMistemplate,VMisFTenabled,VMconfig’dforbussharing,manualSDRSconfig’d,VMhasindependentorhiddendisks,diskisaCDROM/ISOs2)MaintModefailure:SDRSdisabledondiskduetoreasonsaboveoraffinityrulesset/violationf.Recognizeimpactofnetwork&storageI/Ocontrolconfigurations1)Bothcanbebasedonconfig’dShares,meaningnothingisimpacteduntilthereiscontention2)IfReservationsareset,thenresourcesarealreadyusedfortheobjectconfig’dandmayaffectsiblingobjects(proportionally)3)Knowrequirements–Ent+license&atleastvSphere4.1(SIOC)toEnable;isIOCenabledonvDSorDS(Perfchartwon’tshow)g.RecognizeaconnectivityissuecausedbyVLAN/PVLAN1)AVLANisolatesnetworks,soafewbasicissuesherecouldbemistypedVLAN#intheVMkerneladapter,noVLANconfigured,ortrunkingnotconfig’donpSwitchport;reviewSection2.1
h.Troubleshootcommonissueswith:1)Storage&network–seeitemsabove2)VirtualSwitchandPGconfiguration–spellingmatchamongHosts(vSS);SecurityPoliciessimilar3)Physicalnetworkadapterconfiguration–notassignedtoPGordvPG;mis-config’dLoadBalance(i.e.IPHash>physLinkAg);physswitchTrunkingenabled;VLANconfig;SecurityPol’s4)VMFSmetadataconsistency(VMwareOn-DiskMetaDataAnalyzer[VOMA])–viaCLI&usedforVMFSDSsonly(voma -m vmfs -d /vmfs/path/naa.###)
7.3 –TroubleshootvSphereUpgradesa.Collectupgradediagnosticinformation1)Logdirectorymaybedisplayedonscreen,orsimplyinloglocation(seeSection7.1)b.RecognizecommonupgradeissueswithvCenterServer/VCSA1)DBnotconfiguredproperly(Windowsinstall);pwdreset:vpxd –P <pwd)2)DNSorNTPnotconfiguredproperly3)Compatibility(vSphereversions;min5.xforWin&5.1U3forVCSA)andDBversion4)SSO–IdentitySourcesnotconfiguredproperly;unabletospeakwithvCenter(LookupService)..firewallorportconflictissues,etc.5)Sizingnotcompatible(tiny,small,etc.)withHost/VMs6)Asstatedalreadyabove,reviewscenarios/examplesintheTroubleshootingGuideforspecificprobleminstancesc.Create/Locate/AnalyzeVMwarelogbundles1)ThiswasdiscussedinSection7.1d.DeterminealternativemethodstoupgradeESXiHostsineventoffailure1)Methodstoinstall–Interactive(directlyonHostviaUSB/CD),scripted,Auto-Deploy,PXE-BOOT,ImageBuilder,VUM2)ReviewtheInstall&SetupGuideforeachsetupmethodrequirementse.ConfigurevCenterServerLoggingoptions1)SelectvCenternodeinWebClient>Managetab>Settingstab>General,thenEditButton
Figure29,vCenterLoggingOptionsConfiguration
7.4 –Troubleshoot&MonitorvSpherePerformancea.MonitorCPU&memoryusageincludingvROpsbadgesandalerts
1)BadgeswerediscussedbrieflyinSection7.22)Formetrics&theirthresholds,seebelow(d.)b.Identify&isolateCPUandmemorycontentionissues1)Asmentionedwithotherresources,lookatHost/VMMonitortab>Performancetabandlookatcountersvaluestoverifyunderthreshold;orviaesxtopc.RecognizeimpactofusingCPU/memorylimits,reservations,&shares1)Reservations–minimalamountofphysRAMreservedforVMs(guaranteed)2)Limit–upperlevel(max)3)Shares–amountofresourcesproportionallygivenwhenundercontentiond.Describeanddifferentiatecriticalperformancemetrics1)CPUa)%USED–%physCPUtimeusedbyworldsb)%RDY–%timevCPUwasreadytorunbutunableduetocontention;threshold=10%c)%CSTP–%timevCPUsinSMPVMstoppedfromexecuting;threshold=3%d)%SYS–%timespentinVMkernelonbehalfofworldorRP;threshold=20%2)Memorya)MCTLSZ(Balloonsize)–amtofguestphysmemoryreclaimedbyballoon;threshold=1b)SWCUR–amtofguestphysmemoryswappedouttoVMswapfile;threshold=1c)SWR/s–ratewhichmachinememoryswappedinfromdisk;threshold=1d)SWW/s–ratewhichmachinememoryswappedoutfromdisk;threshold=13)Disk–coveredin7.2above(DAVG,KAVG,GAVG)a)VMDKLatency–(physcialread/writelatency)threshold<20ms4)Network–coveredinSection7.2e.Describeanddifferentiatecommonmetricsincluding:1)Memory,CPU,Network,Disk–Seed.abovef.Monitorperformancethroughesxtop1)SSHintoaHostandtypeesxtop2)Viewdifferentresourceviewsbytypinglettercorrespondingtotheresource
Figure30,ESXTOPResourceOptionsListg.TroubleshootEnhancedvMotionCompatibility(EVC)issues1)EVCisaClustersettingallowingforVMvMotionbetweendifferentCPUgenerations;CPUsmusthavesameinstructionset2)Issuescanbecausedby:a)DifferentCPUvendor-HostsinClusterb)VerifyCPUEVCcompatiblemodesagainstVMwareCompatibilityGuidec)IfchangingEVCmode(raise)VMsneedtobepoweredoff/ontogetnewCPUfeaturesetd)AreHostsatleastESX/i3.5U2
h.TroubleshootVMperformancewithvROps1)Sameaspreviouslydiscussed;guessIdidn’tmentionwhattodoinvROps,butbasicallyallthatisneededistoviewcolor-codedicons(orange/red=bad)&clickonthemtodrilldowntoviewtheproblemdetailsi.Compare/ContrastOverview&Advancedcharts1)Overview–displaysseveralresourcecharts2)Advanced–displayssingleresourcechart&areconfigurableandexportable
7.5 –TroubleshootHA&DRSConfigurationsandFaultTolerancea.Troubleshootissueswith:1)DRSworkloadbalancing–Hostfailure;vCenteroff;affinityrulesset;connecteddevices2)HAfailover/redundancy,capacity,&networkconfiga)ClusterhaveresourcesbasedonAdmissionControlPolicy–HostFailuresClusterTolerates,PercentageofClusterResourcesReservedasFailoverSpareCapacity,SpecifyFailoverHostsb)LookforoversizedVMsorfailedHosts3)HA/DRSClusterconfigurationa)Bothrequiresharedstorage&properlicensing(StdforHA;EntforDRS)b)DRSrequiresVMotionnetwork–IPsettingsinsamesubnet;vmknamingmatchamongHostsc)VMwareToolsinstalledforVMMonitoringd)Minimumof2-HostClustere)HAconfig:uninitializedstate,unreachablestate,initializeerror=>reconfigureHAonHostsand/orcheckifport8182isused;networkpartition=>checkVLANs,pNIC/pSwitchfailure;forconfigtimoutsetvCenteradvancedsettingto240(secs):config.vpxd.das.electionWaitTimeSecf)HAerrors–unabletopoweronVMs,HAwarnings,etc->checkVMreservations&migrateVMstootherClustersthathavehighresourcesthatdistortslotsizeg)VMrestartfailure:verifyHAenabledfortheVM;sufficientHostresourcesforVMrestart;VMfile(s)inaccessibleonVSANduringrestart4)vMotion/sVMotionconfigurationandmigrationa)Checkvmksubnet,naming,IP,&serviceset;correctlicense;sharedstorageb)IfVMmigrationwithattachedUSBfailsvalidation,re-addUSB&enableitforVMotion,aswellasmakesuredataisn’tbeingtransferredtoUSBattimeofmigration5)FTconfiguration&failoverissues–verifyFTreq’smet->thickdisk;2vCPUsforStd/Ent&4forEnt+;FT&VMotionvmk’sconfig’d;H/WVirtinHostBIOSon;featuresbelowareoffforFTVM:a)VSAN,sVMotion,VMCP,VVOLs,SBPM,SIOC,pRDM,USB,&snapshotsarenotsupportedb)Latency->VMotionsecondaryVM;verifydedicated10GbNIC;manuallyloadbalance(FTnotsupportedbyDRS);verifymemoryavailableonHostturningFTVMon(req’d=reserv+o/h)b.ExplainDRSResourceDistributionGraph&Target/CurrentHostLoadDeviation1)DRSResourceDistrGraph–displaysmemory&CPUmetricsforeachHostinaClusteras%orsize(MB/MHz),witheachchartrepresentingaVMontheHost2)Target/CurrentHostLoadDeviation–representationofbalanceofresourcesacrossallHostsinDRSClusters;runsevery5mins;Target=DRSvalueset,Current=Hostcalculationa)(VMEntitlements)/(HostCapacity)=CurrentStdDeviation;ifCurrentDeviationishigherthanTargetDeviation,theClusterisunbalanced&DRSrecommnedsVMmigrations
c.ExplainvMotionResourceMaps1)AvisualrepresentationofHosts,Datastores,&NetworksassociatedwithaVMandalsoindicatewhichHostarecompatibleVMotiontargets
SECTIONVIII–DeployandConsolidateavSphereDataCenter8.1 –DeployESXiHostsUsingAutoDeploy
a.Describecomponents&architectureofAutoDeployenvironment1)AutoDeployserver–servesimages&hostprofilestoESXiHosts(partofvCenter)2)AutoDeployrulesengine–sendinfotoAutoDeployserverforwhichimage/profiletoservewhichHost;mapssoftware&configtoHostbasedontheHostattributesa)Rules–identifiestargetHostsbyrootMAC,SMBIOS,BIOSUUID,Vendor,Model,fixedDHCPIPandassignsimageprofiles&hostprofilestoHostsb)ActiveRuleSet–hasaddedRules&appliedtonewlystartedHostsc)WorkingRuleSet–allowsforRuletestingbeforemakingchangesactive3)Imageprofile–definessetofVIBstobootESXiHostswith4)Hostprofiles–definemachine-specificconfigssuchasnetworking&storagesetup5)Hostcustomization–storesinfotheuserprovideswhenhostprofilesareappliedtoaHost(IPinfo[previouslycalled‘answerfile’])
Figure31,AutoDeployArchitectureb.UseAutoDeployImageBuilder&PowerCLIscripts1)ImageBuilderispartofPowerCLI&usedtocreatecustomimageprofiles(seecmdsbelow)c.ImplementHostProfileswithanAutoDeploy’dESXiHost1)CreateaHostProfilefromthe1stprovisionedAutoDeploy’dHost
2)ToimplementwithAutoDeploy,createaRulewiththeProfileand‘activate’it(ActiveRuleSet)d.Install&configureAutoDeploy1)AutoDeployisinstalledautomaticallywithvCenter(mgmtnode;notonPSC)2)ChangetheAutoDeployvCenterservicestartuptypeasneeded&startit3)DownloadtheTFTPBootZipfilefromvCenter>Managetab>Settingstab>AutoDeploy,downloadtheundionly.kpxe.vmw-hardwiredfile&placeonTFTPserver4)ConfigureDHCPtopointtoTFTPserver(option66;next-server)&file(option67;boot-filename:undionly.kpxe.vmw-hardwired)5)SetHoststoPXEbootinBIOS6)WriteaPowerCLIRulethatassignsanimageprofiletoHosts7)WriteaPowerCLIRulethatassignsahostprofiletoHosts(optional)8)WriteaPowerCLIRulethatassignsaHosttoavCenterlocation(Cluster,folder,[optional])e.UnderstandPowerCLIcmdletsforAutoDeploy(see:https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.install.doc/GUID-2D4D27BB-727F-4706-9DBE-49C41A108A8F.html)1)New-DeployRule–cmdlettowritearulethatassignsanimageprofile&hostprofiletoHosts2)Add-DeployRule–addsnewlycreatedRuletoWorkingandActiveSet;useNoActivateparametertoonlyaddtoWorkingSet3)Remove-DeployRule–usewith-DeleteparametertocompletelyremoveRule4)Copy-DeployRule–basicallyrecreatesapreviousRule;usedwhenupdatingimageprofile,anduse-ReplaceItemparameterwithit5)Add-EsxSoftwareDepot–addthesoftwaredepotcontainingimageprofiles6)Get-EsxImageProfile–usedtofinddesiredimageprofile(standardhasVMwareTools)7)New-EsxImageProfile–usedtocreatenewHostimagetoinstall(use-cloneprofile)8)Export-EsxImageProfile–preservecurrentprofileforsubsequentPowerCLIsessions8)Test-DeployRuleSetCompliance–testnewRuleagainstaHostwithoutdeployingit9)Repair-DeployRuleSetCompliance–RemediateaHosttousenewRulesetf.DeploymultipleESXiHostsusingAutoDeploy(OverviewofprocessforFirst&SubsequentBoot)1)FirstBoot:a)Hostispoweredon&startsaPXEbootprocess(configuredinHostBIOS)b)DHCPserverassignsanIPtotheHost&instructstheHosttocontacttheTFTPserverc)TheHostcontactstheTFTPserver&downloadstheiPXEfile(bootloader)&iPXEconfigfiled)TheiPXEconfigfileinstructstheHosttomakeaHTTPbootrequest(whichincludesHosth/wandnetworkinfo)totheAutoDeployservere)AutoDeployserverqueriesrulesengineforhostinformation&streamscomponentsspecifiedintheimageprofile,hostprofile,andvCenterlocationf)TheHostbootswiththeimageprofile,&thehostprofileisapplied(ifoneisprovided)g)AutoDeployaddstheHosttovCenterregisteredwithitandplacestheHostinatargetfolderorClusterifspecifiedbyaRule;ifnoRule,willaddtofirstDCdisplayedinWebClientUIh)Ifuserimputisreq’d,theHostisplacedinMaintMode;reapplyhostprofile&updatehostcustomizationtoexitMainMode;answerquestionswhenpromptedbyhostcustomizationi)VMsmaybemigratedtoHostifplacedinDRSClusterj)EachsubsequentHostreboot,theHostgetsreprovisionedbyvCenter2)SubsequentBoot:a)HostispoweredonandHostgetsreprovisionedbyvCenter
g.Givenascenario,explaintheAutoDeploydeploymentmodelneededtomeetabizrequirement1)Ithinkwhatthismeansis,basedon#ofHoststodeploy,isAutoDeployaviablesolutiontoinstallvSphere.TodeploymanyHosts,yes;forsmall&evenmediumenvironments,notreally
8.2 –CustomizeHostProfileSettingsa.Editanswerfile(Hostcustomization)tocustomizeESXiHostsettings1)PlaceHostinMaintMode2)Attachthehostprofilethatrequiresuserinputandprovidedifferentsettingsb.ModifyandapplyastoragePathSelectPlugin(PSP)toadeviceusingHostProfiles1)InHostProfiletree>StorageConfiguration>NativeMulti-Pathing(NMP)>PSPandSATPConfigurationforNMPDevices>PSPConfigurationFor…2)EnterthePSPname/valueontheright,thenNext>Finish3)ApplyprofiletodesiredHost(s)c.ModifyandapplyswitchconfigurationsacrossmultipleHostsusingaHostProfile1)InHostProfiletree>NetworkConfiguration>vSwitchorvSphereDistributedSwitch>makechangestosub-componentsasneeded,thenNext>Finish2)ApplyprofiletodesiredHost(s)d.Create/Edit/RemoveaHostProfilefromanESXiHost1)Create–Home>Monitorsection>HostProfiles,thenclickgreen“+”tocreateanewprofile2)Edit–fromsameareaasin1.above,selectaprofile,clickActions>EditSettings3)Delete–fromsameareaasin1.above,selectaprofile,clickActions>Deletee.Import/ExportaHostProfile1)Import–fromHostProfilessection,selectaprofile&click icon2)Export–fromHostProfilessection,selectaprofile,clickActions>Exportf.AttachandapplyaHostProfiletoESXiHostsinaCluster1)Attach-fromHostProfilessection,selectaprofile&click icon2)SelecttheHost(s),Cluster(s),orDC(s)toattachtheprofileto3)ClickAttachbuttontomoveobjectstotherightpane4)Enteradditionalcustomizationifrequired,thenFinishg.Performcompliancescanning&remediationofESXiHostsandClustersusingHostProfiles1)Compliancescan–fromHostProfilessection,selectaprofile&click icon2)Remediate–placeHostinMaintMode;fromHostProfiles,selectprofileinleftpane>Monitortab>Compliancetab/button,thenrt-clicktheHost(s)>HostProfile>Remediate;exitMModeh.EnableordisableHostProfilecomponents1)ToenableitemsinHostProfiles,placeacheckmarkinthecomponentbox;todisable,removethecheckmark
8.3 –ConsolidatePhysicalWorkloadsUsingVMwareConvertera.InstallvCenterConverterstandaloneinstance1)Download.exefromVMware&installonWindows2)BeawareofsoftwareinstallrequirementsforConverter(afew‘main’onesbelow):a)Min.OS’s–WinXPProSP3&Win2K3R2SP2;RHEL3.x;SUSEEnt9.x;Ubuntu10.04LTSb)Thin/Thickdisktypes;Basic/Dynamicvolumes;MBR&GPTpartitions(noRAIDorhybrid)c)IPv4andIPv6supportedb.ConvertphysicalworkloadsusingvCenterConverter1)InstallConverterondevicetobeconvertedoracentralWindowsmachine2)Openapplication&clickConvertMachinebuttonjustbelowtheFileMenu;selectLocal(ifcurrentlyonmachinetobeconverted)orRemotetobrowsethenetworkforthemachine3)Formachinedestination,selectVMwareInfrastructureVM,andproivdetheIP/HostnameoftheESXiHostorvCenterServer4)NametheVM5)Configureoptions:DatatoCopy(typicallyalldisks);diskcontroller;networksettings;etc6)Chooseoptionalsettings:sysprep,installVMwareTools,startupmode,sync,ormodifyh/wc.Modifyserverresourcesduringconversion1)Intheconversionwizard,youhaveabilitytomodifyresources&storaged.Interpret&correcterrorsduringconversion1)Failureat2%(hangs)istypicalofacommunicationerror,typicalofWindowsFirewall2)VMfailstoboot–checkdiskcontroller(inconverterwizard,changeanyIDEtoSCSI)3)Logs:C:\ProgramData\ApplicationData\VMware\VMwareConverterEnterprise\Logse.DeployaphysicalhostasaVMusingvCenterConverter1)Seeasb.abovef.Collectdiagnosticinformationduringconvesionoperation1)Loglocationisind.above2)Or,youcanexportlogsviaTaskMenu>ExportLogs…g.Resizepartitionsduringconversionprocess1)Self-explanatory;duringconversionwizard,resizedisks→maintainsize,minsize(copiesonlyusedspace),typesizeinGBorMB(customsize);ahot-cloneprocesschg’ingfromblocktofileh.Givenascenario,determinewhichvirtualdiskformattouse1)IthinkthisisreferringtoThickorThin;thelargerthedisk/volume,it’sbesttouseThin
SECTIONIX–ConfigureandAdministervSphereAvailabilitySolutions9.1 –ConfigureAdvancedvSphereHAFeatures
a.ModifyvSphereHAadvancedClustersettings1)Idon’tthinkthisiswhatsomemaythink…i.e.AdvancedOPTIONS(i.e.parameters),butrather
justsettingsthatareabitdeeperthan‘normal’HAsettings;I’llshareafewwhatIbelieveareAdvancedbelow:a)VMRestartPriority–althoughthisiswhatIconsidera‘basic’setting,amoreadvancedsettingwouldbetosetindividualVM(s)RestartPriorityintheCluster>Managetab>Settingstab>VMOverridessectionb)VM(&App)Monitoring–restartingaVMifVMwareToolsheartbeatsarenolongerreceivedc)VMComponentProtection(VMCP)–protectsVMsagainst‘split-brain’situationwhenaHostisisolatedorpartitioned&mastercan’tcommunicatewithfailedHost’sdatastoreheartbeats1.IfHostMonitoringorVMRestartPriorityis‘Disabled’,VMCPwon’tperformrestarts2.ProtectsVMsagainstdatastoreaccessibilityfailures(PDLorAPD)
Figure32,AdvancedHASettings(VMCP)d)ApplicationMonitoring–requiresobtainingSDKtosetupappheartbeatingb.ConfigureanetworkforusewithHAheartbeats1)3HostFailureTypesa)Failure–Hostdoesn’trespondtoICMP&doesn’tsendnetwork/datastoreheartbeatsb)Isolated–mgmtnetworkheartbeatnotseenbymaster,butdatastoreheartbeatsare;can’tpinggatewayisolationaddressc)Partitioned–asubsetofHostsunabletocommunicateviamgmtnetwork;DSheartbeatsareseen2)HAusesthemanagementnetworkforagentheartbeating,orVSANntwkwhenusedwithVSAN3)Bothmgmt&VSANnetworksrequireavmktobecreated&appropriateservice(mgmtorVSAN)selected4)WhenperformingnetworkmaintenanceinHAClusters,disableHostMonitoring,makenetworkchange,rt-clickHost(s)>reconfigureHA,thenturnHostMonitoringbackonc.ApplyanAdmissionControlPolicy(ACP)forHA1)HostFailuresClusterTolerates–calculates‘slotsize’forCPU(reservationor32MHz)&Mem(largestconfig’dvalue+overhead);determinesmax#ofslotsperHostbasedonmaxofeitherCPUorMem;‘currentfailovercapacity’ofclusterdeterminedbytakingoutHostwithlargest
slot,addremainingClusterHostslots,andifslots>=#oftotalClusterVMs,you’reset2)PercentageofClusterResourcesReserved–basedonCPU&Memreservation(or32MHz/0MB+overhead,ifnone);failovercapacityiscalculatedby[(TotalHostCPU-VMCPUreq)/TotalHostCPU],thendoingsameforMem;seta%(e.g.25%)andsubtractthisfromthecapacitycalctodeterminehowmuchClusterresourcesareavailableforaddt’lVMs(nonHost-failedVMs..i.e.prod);NOTE:ifyouset25%,butneed30%tocoverallVMs,someVMsmaynotgetrestarted3)SpecifyFailoverHosts–self-explanatory;aHostinaClusterisnotusedforprod,butisinsteadcompletely‘setaside’tobeusedforVMstoberestartedonintheeventofaHostfailure;VM-VMaffinitiyruleswillnotapplywiththispolicy4)DecidingwhichPolicytouse–resourcefragmentation→whenaVMneedsmorethan1‘slot’orHosttosatisfyitsresourcereq’s.TheonlyPolicythataddressesthisisFailoverHosts;Clusterheterogeneity→PercentageandFailoveraddressthis..Toleratesistooconservativeaapproachd.Enable/DisableadvancedvSphereHAsettings(see:http://kb.vmware.com/kb/2033250)1)HASettings(Editbutton)>Advancedoptions,andAddbutton;somecommondparameters:2)das.isolationaddressX–setstheIPaddresstopingifahostisisolatedfromthenetwork3)das.iostatsinterval–I/OstatsintervalforVMMonitoring(default=120secs)4)das.slotcpuinmhz–(orslotmeminmb)definesCPUslotsizemaximum5)das.ignoreRedundantNetWarning–settoignore‘noHAnetworkredundancy’warning6)das.usedefaultisolationaddress–useDefaultGatewayastheisolationaddressornot7)das.heartbeatDsPerHost–configureifwantingmorethandefaultof28)das.ignoreInsufficientHbDatastore–if,forexample,notenoughDS’sforthe2mine.ConfiguredifferentheartbeatdatastoresforanHACluster1)Usuallyit’sbesttohaveHAdeterminedatastoresautomatically,determinedbymaximum#ofClusterHostshavingaccesstoaheartbeatingdatastore;NOTE:VSANnotsupported2)Default#selectedis2(valuecanbechg’dwithdas.heartbeatdsperhost&maxvalueis5)3)Cluster>Managetab>Settingstab>vSphereHA,Editbuttonthenexpand‘DatastoreforHeartbeating’andselectappropriateoption(Auto,OnlyFromList,orList&ComplementAuto)f.ApplyVMmonitoringforaCluster1)Cluster>Managetab>Settingstab>vSphereHA,EditbuttonthenselectVMMonitoringOnlyfromdrop-downin‘VirtualMachineMonitoring’section2)RequiresVMwareToolstobeinstalledg.ConfigureVMComponentProtection(VMCP)settings1)Cluster>Managetab>Settingstab>vSphereHA,Editbuttonthenexpand‘FailureConditions…’sectionandchoosefromResponseforDatastorewithPDLandAPDdrop-downs2)NotsupportedwithFTVMs,orVMsonVSANorVVols,orRDMs;supportsonlyvSphere63)UnderstandPDLandAPDsettings/responses(referenceFig.32above)h.ImplementvSphereHAonaVSANCluster1)Requirements–minimumof3HostClusterandvSphere5.52)NetworktrafficusesVSANnetwork,notmanagement(usedonlyifVSANisdisabled)3)VSANdatastorescannotbeusedforHAdatastoreheartbeating
Figure33,HANetworkingDifferences4)Toimplement/enablesimplyconfigureClustersettings&turnHAoni.ExplainhowHAcommunicateswithDRSandDPM1)DRS–DRSload-balancesVMsafterHAperformsVMrestarts(Hostfailover);DRSaffinityrulescanbesettobeenforced,orenforcedifpossible(“must”or“should”settings);VMsmaynotauto-VMotionoffaHostbeingplacedinMainModeduetoresourcesreservedforfailure2)DPM–ifenabled&HAadmissioncontroldisabled,VMsmaynotfailover
9.2 –ConfigureAdvancedDRSFeaturesa.ConfigureVM-Hostaffinity/anti-affinityrules1)Affinity–selectedVMsmustrunonselectedHosts2)Anti-Affinity–selectedVMscannotrunonselectedHosts3)Tocreatethisrule,aHostGroup&VMGroupmust1stbecreated(Cluster>Managetab>Settingstab,selectVM/HostGroupsandaddaHostGroup(withHosts)&VMGroup(withVMs)4)Cluster>Managetab>Settingstab,selectVM/HostRules,andinthe‘Type’drop-downselectVirtualMachinetoHosts;finalizeremainingbottomoptions(groupsassigned&must/should)b.ConfigureVM-VMaffinity/anti-affinityrules1)Affinity–selectedVMsmustbeonthesameHost2)Anti-Affinity–selectedVMscannotrunonthesameHost3)Nogroupsneeded;justgotoCluster>Managetab>Settingstab,selectVM/HostRules,andinthe‘Type’drop-downselect“KeepVirtualMachinesTogether”(affinity)or“Separate…”(anti)c.Add/RemoveHostDRSGroup1)alreadycoveredina.aboved.Add/RemoveVMDRSGroup1)alreadycoveredina.abovee.Enable/DisableDRSaffinityrules1)AfteryoucreateaRule,thereisacheckboxintheRulesettingstoEnable;eithercheck(Enable)oruncheck(Disable)thisboxf.ConfigureproperDRSautomationlevelbasedonbusinessrequirements1)Manual–vCentersuggestsmigrationrecommendationbutadminmustmanuallyperformtask2)PartiallyAutomated–VMsauto-placedonHostsatpower-on;vCentersuggestsrecommendationafterward3)FullyAutomated–VMsauto-placedonHostsatpower-on&auto-migratedafterward
a)Fullyautohas5levels(1-5)toset;1isHighestpriority&meanswouldmakemostdifferenceinClusterbalance,while5islowest&migrationwouldmakelittledifferenceg.ExplainhowDRSaffinityruleseffectVMplacement1)Discussedina.&b.above
SECTIONX–AdministerandManagevSphereVirtualMachines10.1 –ConfigureAdvancedvSphereVirtualMachine(VM)Settings
a.DeterminehowusingasharedUSBdeviceimpactstheenvironment1)USBdevicesattachedtoaESXiHostcanbe“passedthrough”toVMssuchthattheVMhasdirectaccesstothedevice;notsupportedwithDPM&FT2)ToconfigurepassthroughofHost-attachedUSBdevicestoaVM:a)VM>EditSettings>VirtualHardwaretab>NewDevice,thenselectUSBController;NOTE:USB2.0isforWindowsOS’sand3.0iscurrentlyonlyforLinuxOS’sb)Addanotherdevice>HostUSBDevice,thenselectfromthedrop-downtheHost-attacheddevicewantingtoaddtotheVM;enableVMotionsupportaswell3)IftheVMwithanattachedUSBismigrated&powereddown,theVMwillneedtobemigratedbacktotheHostwiththeUSBdeviceattached&re-addedbeforeturningtheVMbackon(besttoconfigureanDRSAffinityRule)b.ConfigureVMsforvGPUs,DirectPathI/O&SR-IOV1)vGPU–installgraphicscardinHost(s);installVIBontheESXiHost(s),aswellasgraphicsdriverinGuestOS;powerdowntheVM>EditSettings>VirtualHardwaretab>AddNewSharedPCIDevice,selectthePCIdevicetoaddfromdrop-down2)DirectPathI/O–havingdirectaccesstoaPCIdevice;powerdownaVM>EditSettings>AddaPCIDeviceintheVirtualHardwaretaba)FeaturesnotavailablewithDirectPathI/O–VMotion,suspend/resume,snapshots3)SR-IOV–forESXi5.5+;representationofaVFonapNICwithSR-IOVsuchthattheVM&pNICexchangedatawithoutVMkernelasanintermediarywherelatencymaycausefailurea)Host>Managetab>Networkingtab,selectPhysicalAdapters>EditAdaptericon(pencil)andselectEnabledfromStatusdrop-downb)EditaVM>VirtualHardware&addaNetworkdevice;expandthenewsectionandfromAdapterTypedrop-downchooseSR-IOVpassthroughc.ConfigureVMsformulticorevCPUs1)Rt-clickVM>EditSettings>VirtualHardware,expandCPUandselectCoresfromdrop-down;NOTE:VMmustbepoweredofftochangeCores,evenifHotAddenabled2)IfvCPUHotPlugisenabled,vNUMAsupportisdisabledandinsteadVMusesUMAwithinterleavedmemoryaccess(see:http://kb.vmware.com/kb/2040375)d.DifferentiateVMconfigurationsettings1)VirtualHardware,GuestOS,vCPU,VirtualMemory,Swaplocation,HotAdd,BusSharing,HDs2)NotethesecurityconfigurationsfromSection1e.InterpretVMconfigurationfile(.vmx)settings
1)Thesettingsinthe.vmxfilearebasicallythesameitemsyouhaveconfiguredfortheVM;belowaresomesampleentries,mostareobviouswhattheyare/do:virtualHW.version = "11" floppy0.present = "true" scsi0.present = "true" scsi0.sharedBus = "none" sched.cpu.units = "mhz" sched.cpu.shares = "normal" ethernet0.present = "true” ethernet0.virtualDev = "vmxnet3” guestOS = "windows7srv-64"
f.Enable/DisableadvancedVMsettings1)PoweroffVM,rt-click>EditSettings>VMOptionstab,expandAdvancedsectionandclickEditConfigurationbutton2)ClicktoAddarowwithaparameteranditsassociatedvalue;typically,a“1”valueenablesand“0”disables;reviewsecurityoptionsdiscussedinSection1
10.2 –Create&ManageaMulti-SiteContentLibrarya.Publishacontentcatalog1)ContentLibrariesarecontainersforVM&vAppTemplatesorotherfiles(i.e.ISOs,txt,etc.)2)Requirementsa)CanbesharedacrossvCenterServerinstances,butallvC’smustbeinsameSSOdomainb)UsersinothervCenterSSOdomainscannotsubscribetotheLibraryc)Althoughonlyasinglefile(i.e.OVF)isshownintheWebClient,multiplefilesareactuallyloaded;eachtypeoffile(e.g.VM/vAppTemplate)arelibraryitems3)TwoLibrarytypes:a)LocalLibrary–usedtostoreitemsinasinglevCenterinstancewherecreated(notPublished)b)SubscribedLibrary–createaSubscribedLibrarytosubscribetoaPublishedLibrary4)Publishacontentcatalog:a)CreateaLocalLibrary(seeh.below)&checkthe‘Publishcontentlibraryexternally’boxb)Optionallyenableauthenticationbycheckingthe‘Enableauthentication’boxb.Subscribetoapublishedcatalog1)CreateaSubscribedLibrary(seeh.below)&select‘SubscribedContentLibrary’option2)EntertheSubscriptionURL&choosethedownloadoption(immediatelyorwhenneeded)c.Determinewhichprivilegesarerequiredtogloballymanageacontentcatalog1)ThisdependsonbusinessrequirementsforagivenContentLibraryadmin,poweruser,oruser2)NotethatCL’sarenothierarchicalfromvCenter,butratherfromtheglobalroot3)Whenprivilegesaredecidedupon(listofareundertheContentLibraryareawhencreatingaRole);createaRolewiththedesiredCLpriv’s4)AddauserorgrouptotheRoleatthegloballevel5)Becauseoftheheirarchy‘issue’,ifsomeonehasappropriateprivilegesatthevCenterlevel,tobeabletomanageCLs,theyneedatleastRead-Onlyglobalpermission
d.ComparethefunctionalityofAutomaticSync&On-DemandSync1)On-Demand/ManualSyncdownloadsonlymetadataofthePublishedLibrarysubscribedto2)AutomaticSyncdownloadsfullcopiesofallPublishedLibraryitemslocallye.ConfigureContentLibrarytoworkacrosssites1)ThisisnothingmorethanPublishingaconfigured/createdLibrary;justselecttheLibraryinthelist>ActionItems>EditSettingsandcheckthebox‘PublishThisLibraryExternally’2)Optional–enabledauthenticationbycheckingthebox&addingapasswordf.ConfigureContentLibraryauthentication1)Seee.aboveg.Set/ConfigureContentLibraryroles1)ContentLibrariesarenot‘children’ofthevCentertheyarecreated,butrathertheGlobalroot2)LoginvCenterSSO>Administration>GlobalPermissions>Addicon(“+”);Addbuttontoaddauser,thenassign‘ContentLibraryAdministrator(sample)’Rolefromdrop-down3)Or,createacustomrolefromAdministration>Roles,andassignprivilegesfromtheContentLibrary“tree”;assignusertocustomroleasdescribedin‘2)’above4)Thereare22itemsyoucanselectwhenconfiguringacustomContentLibraryrole:
Figure34,ContentLibraryPrivilegeOptions
h.Add/RemoveContentLibraries1)Create:Home>Inventories>ContentLibraries>CreateaNewLibraryicon 2)ConfigureLibraryitems–Name,LocalorSubscribed,andStorage(FileSysorDatastore)
Figure35,CreateContentLibrary3)ToRemoveaLibrary,selectitintheInventory>ContentLibrarieslist>clickActions>Delete
10.3 –Configure&MaintainavCloudAirConnectiona.CreateaVPNconnectionbetweenvCloudAir&anon-premisesite(http://vcloud.vmware.com/using-vcloud-air/tutorials/creating-an-ipsec-vpn)1)CreatedusingthevCloudDirector>EdgeGatewaystab,rt-clicktheGatewaylisted>GatewayServices2)Firewalltabtoverifyrequiredportsareopen(50,51,500,4500)3)VPNtab>Addbuttonandenterappropriateinfo;NOTE:localheremeansvCloudAirsite4)Fromon-premisevCD>EdgeGatewaystab,rt-clickGateway>Gatewayservices&repeat3.b.DeployaVMusingvCloudAir(http://vcloud.vmware.com/using-vcloud-air/tutorials/deploying-a-virtual-machine-from-a-catalog)1)FromvCDinvCAir>selectaVDC,andinDashboardclickVirtualMachinestab>AddOnec.MigrateaVMusingvCloudAir1)FromvCC(openwithC#>Home>Solutions&Applications>vCC)>Cloudtab&addbothlocalvCenter/vSphere“Cloud”&remoteCloud(vCloudAir)2)SelectVirtualMachinestab>Actions>Copyandfollowwizard;NOTE:VirtualH/W11currentlynotsupportedonvCloudAird.VerifyVPNconnectionconfigurationtovCloudAir1)FromtheVPNtabinEdgeGatewayServices(seea.above),thereshouldbeagreencheckmarke.ConfigurevCenterServerconnectiontovCloudAir
1)DosousingvCloudConnector(vCC);somevCCrequirements:a)vSphere4U3b)IE8-11orChrome22/23c)Ports80,443,5480,81902)InstallvCCServerOVFviaC#client;NOTE:vCCUInotsupportedwithWebClient3)InstallvCCNodeOVF4)GotoNodeUI(https://IPorFQDN:5480)andconfigurea)RegisterNodewithvCenter:Nodetab>Cloudtab>CloudTypeandenter‘vSphere’;thenentervCenterhttpsURL(IPorFQDN)b)ConfigureProxyifneededc)Configureothersettingsasneeded(Name,NTP,TimeZone,adminpwd,etc)5)GotoServerUI(https://IPorFQDN:5480)&configurea)RegistervCCNode(s)withvCCServer:Nodestab>RegisterNode,&provideNodeinfo/URLb)Enter“Cloud”info,whichislocalvSphere(justCloudTypeof‘vSphere’thenuser/pwd) c)ClickRegister,thenrepeatforadditionalvCCNodesifneeded d)RegistervCloudAirvCCNode–sameasabovebutwhenregistering,select‘Public’(don’t selectPublicforon-premiseNoderegistering)e)EntervCloudAir“Cloud”info&forTypeenter‘vCloudDirector’f)RegistervCCServerwithvSphereC#Client:Servertab>vSphereClienttabandaddinfog)Configureothersettingsasneeded(ntp,DHCP,etc)f.ConfigurereplicatedobjectsinvCloudAirDisasterRecoveryservice(http://vcloud.vmware.com/using-vcloud-air/tutorials/disaster-recovery-configuring-virtual-machine-replication)1)InstallvSphereReplication(vR)2)AddvCloudAirsitetovR:Managetab,selectCloudConnectionicon&entervCAirinfo3)WebClient>rt-clickaVM>AllvSphereReplicationActions>ConfigureReplication4)EnterinfoinReplicationwizard:‘ReplicatetoaCloudProvider’(targetsite,VDC,etc) 5)SelectvApp&RPOsettings,thenFinishthewizard6)RepeatforotherVMsasneededg.Givenascenario,determinetherequiredsettingsforVMsdeployedinvCloudAir1)Self-explanatoryIthink;basedofbizrequirements,configureVMsettingsneededwhendeployingtovCloudAir(network,cpu,memory,etc)CONFIGMAXIMUMS–GeneralMaximums(notinclusive;reviewactualGuideforfullmax’s)VMsvCPUs–128;RAM–4TB;VMDK–62TB SCSIControllers–4 TargetsperController–15(60totalSCSIdevices) AHCI(SATA)Controllers–4 TargetsperController–30(120totalSATAdevices) vNICs–10 Floppy,USBController,IDE–1 ConcurrentConsoleconnections–40
HOSTCPUs–480 RAM–6TB VMs–1024 TotalVMvCPUs–4096 FT–4VMs;4vCPU;16VMDKs;64GBRAM VMDKs–2048 iSCSI/FC/NFSLUNs&VMFSVolumes–256 HBAs/FCoEAdapters–4 pNICsassociatedwithSoftwareiSCSI–8 FileSize/VirtualRDM–62TB PhysicalRDM&LUN/VolumeSize–64TB VMDirectPathPCILimit–8 NICs–24(e10001Gb);16(bnx21Gb);8formost10Gb;4for40GbvSSorvDSports–4096;4088creationports;Activeports–1016 CLUSTERHosts–64 VMs–8000(VMsperHostinaClusterissameasabove:1024) ResourcePoolsperHost&Cluster–1600withadepthof8
VCENTERHosts–1000 Powered-onVMs–10000(RegisteredVMs–15000) LinkedVCs–10 HostsinLinkedVCs–4000 PoweredonVMsinLinkedVCs–30000(RegisteredVMs–50000) ConcurrentvSphereClientConnections–100 ConcurrentWebClientConnections–180 HostsperDC–500 ConcurrentvMotions:1Gb–4;10Gb–8 ConcurrentsvMotions:Host–2;Datastore–8 Appliance–Hosts:1000;VMs:15000
VUMVMwareTools&HardwareScans/Host–90 VMwareTools&HWUpgrades/Host–24 HostScans/VUMServer–75 HostRemediation&Upgrades/VUMServer–71(NOTE:1HostUpgradeperCluster)vSPHEREFLASHREADCACHEFlashResourceperHost–1;Virtualdisksize–16TB;Hostswapcache–4TB FlashdevicesperFlashResource-8 Maximumcachepervirtualdisk–400GB CumulativecachedperHost–2TB CreatedbyShaneWillifordJuly2016.IfyoureferencethisStudyGuide,pleasegivecredittotheauthor
![Course Catalog - VMware Blogs - VMware Blogs · VMware vSphere: Install, Configure, Manage plus Virtual SAN Fast Track [V6]..... 10 VMware vSphere: Troubleshooting Workshop [V6](https://img.pdfslide.net/doc/110x75/5b5f0dd97f8b9a6d448d9385/course-catalog-vmware-blogs-vmware-blogs-vmware-vsphere-install-configure.jpg)