Pages

Sunday, 30 March 2014

Traffic Filtering and DSCP Marking in vSphere 5.5

In a vSphere distributed switch 5.5 and later, by using the traffic filtering and marking policy, you can protect the virtual network from unwanted traffic and security attacks or apply a QoS tag to a certain type of traffic.

The traffic filtering and marking policy represents an ordered set of network traffic rules for security and for QoS tagging of the data flow through the ports of a distributed switch. In general, a rule consists of a qualifier for traffic, and of an action for restricting or prioritizing the matching traffic.

The vSphere distributed switch applies rules on traffic at different places in the data stream. The distributed switch applies traffic filter rules on the data path between the virtual machine network adapter and distributed port, or between the uplink port and physical network adapter for rules on uplinks.

This is in additional to being able to tag traffic and pass Quality of Service (QoS) or Differentiated services Code Point (DSCP) values up to the physical network for prioritization.

ACL’s allow you to create fine grain control of what traffic is allowed in or out of a VM, set of VM’s or an entire port group. The feature is configured at the port group level and allows for an unlimited number of rules. The rules are processed in the VMkernel, meaning no external appliance is needed which equates to no single point of failure and faster processing of rules and in some cases reduced network traffic since rule processing happens before the traffic leaves the ESXi host.

You can create this at the VM Portgroup Level and Uplink Portgroup Level.

How to Create Traffic Filtering Rules

1. Traffic filtering refers to the ability to allow or disallow different types of traffic. vSphere Distributed Switch can also pass class of service information on to a physical switch with Traffic Filtering. Begin by logging on to vSphere Web Client and navigate to the [Networking] section.





2. Click on a port group that is on the distributed switch. In this example, we select [Marketing-Test]. Click on [Manage] and click on [Edit].


3. Click on [Traffic Filtering and Marking], and then change the Status to [Enabled]. Then click on the Add [+] icon to set the filtering rule.


4. By default, “Tag” is selected as the preferred action. Change it to [Drop] so as to add an access control list to the port group.


5. Select the type of traffic direction preferred, here we retain the default selection. Then click on the Add [+] icon and click on [New IP Qualifier].

The VDS supports packet classification, based on the following three different types of qualifiers:
  • MAC SA and DA qualifiers
  • System traffic qualifiers
  • vSphere vMotion, vSphere management, vSphere FT, and so on
  • IP qualifiers
  • Protocol type, IP SA, IP DA, and port number
After the qualifier has been selected and packets have been classified, users have the option to either filter or tag those packets. When the classified packets have been selected for filtering, users have the option to filter ingress, egress, or traffic in both directions.


6. Here you have options to change protocols, source ports and destination ports. We change the Protocol from TCP(6) to [ICMP (1)].


7.  In this example, we retain the default Source Address and change the Destination Address. We enter the IP address of a server named esxi01, apply the changes and click on [OK].


8. The new qualifier has been successfully created. Click on [OK].


9. We now opened the VM Console and attempt to ping esxi01. Notice that the pings are failing because we the traffic filter is in place.


10. Change the Action to [Allow] and click on [OK].


11. We switch back to the VM Console and see that the pings are now successful. To summarize, traffic filtering gives the ability to do create Access Control Lists at the Distributed Port Group level.


Where are the Storage Profiles in vSphere 5.5?


So now the question is that in vSphere 5.5 where are the Storage Profiles?????  Storage Profiles are now renamed to Storage Policies.

Storage policies that you define for virtual machines, capture storage characteristics that virtual machine home files and virtual disks require to run applications within the virtual machine.
When you create a storage policy, you can reference storage capabilities advertised by a storage system. You can also reference user-defined datastore tags.
Although storage policies and storage capabilities have similar semantics, policies describe what users require for their virtual machines, while storage capabilities refer to what the system can offer.
You can create several storage policies to define different types and classes of storage requirements.
Each storage policy is not only a set of constraints that apply simultaneously. A single policy can include alternative sets of subpolicies, or rule-sets, that represent equally acceptable storage requirements.
The virtual machine home files (.vmx.vmsd.nvram.log, and so on) and the virtual disks (.vmdk) can have separate storage policies as shown in the following table.

Example Storage Policy for a Virtual Machine
Example Virtual Machine Files
Example for a Storage Policy
Example for a Datastore Compliant with the Storage Policy
windows_2008r2_test.vmx
Storage Policy 2
datastore02, datastore05, datastore10
windows_2008r2_test.vmxf
windows_2008r2_test.log
windows_2008r2_test.nvram
windows_2008r2_test.vmem
windows_2008r2_test.vmsd
windows_2008r2_test.vmdk
Storage Policy 3
datastore05
windows_2008r2_test_1.vmdk
Storage Policy 5
datastore10
When you create, clone, or migrate a virtual machine, you can apply the storage policy to the virtual machine. You can then place the virtual machine to one of the datastores that has capabilities compatible with the policy requirements.
If you select a datastore that does not match the policy, the Policy shows that the virtual machine is using noncompliant storage.
So how to create storage policies in vSphere 5.5. So let's start with demo:-

1. First, Open the Web Client UI and then Click on VM Storage Policies Icon:-


2. Then enable the VM Storage Policies on your Cluster/ESXi Host:-
     First Click on Enable VM Storage Policies Icon --> Select ESXi Host --> Click on Enable Button --> Once Enabled Click on Close Button.


3. Now what we need to create Storage Policies

So in this demo i will demonstrate how to create these storage policies with the Help of Storage Tags

4. To Create a new storage tag and storage category and assign it to datastore follow the instructions



5. Then to Create a new VM Storage Policy click on Create a new VM Storage Policy button


6. Give the Name and Description to VM Storage Policy then Click on Next


7. Click on Next


8. Then Select the category and Tag for Creating the VM Storage Policy 



9. You will get the datastores list with whom this Tag is linked --> Click on Next


10. Click on Finish to finally create the policy


11. Then while Creating the New VM / Cloning the VM or while performing the Storage vMotion of the VM you will get the option to select the storage policy then after that you will two categories one is Compatible and another is Incompatible.  Select the appropriate datastore from Compatible list and even for the existing VM you can select the appropriate storage policy to check that whether that VM is in right storage according to the Workload requirement


To link storage policy with the existing VM


If the VM has multiple vDisks then you can select different storage policies for the different vDisks as per the workload requirement.

Wednesday, 26 March 2014

Processor States (P-State and C-State)

Processor performance states (P-states) and processor operating states (C-states) are the capability of a processor to switch between different supported operating frequencies and voltages to modulate power consumption. The Advanced Configuration and Power Interface (ACPI) specification (http://www.acpi.info/spec.htm) defines the CPU P-states power management states. The number of P-states is processor specific. If configured properly according to system workload, this feature provides power savings. Higher P-state numbers represent slower processor speeds. Power consumption is lower at higher P-states. For example, a P3 state is higher than a P1 state. A processor in P3 state will run more slowly and use less power than a processor running at P1 state. To operate at any P-state, the processor must be in the C0 operational state where the processor is working and not idling.
The ACPI specification also defines the CPU C-states power management states. CPU operating states (C-states) are the capability of an idle processor to turn off unused components to save power. When a processor runs in the C0 state it is working. A processor running in any other C-state is idle. Higher C-state numbers represent deeper CPU sleep states. At higher C-states, more components shut down to save power. Some components that are shut down include stopping the processor clock and stopping interrupts. A disadvantage is that deeper sleep states have slower wake up times.
  • P-States are responsible for lowering the CPU multiplier and CPU voltage when there is no work load. These are configured in the BIOS as PPM or Speed Step. They are passed onto the OS and configured in Power Options control panel (in Windows).
  • S-States are sleep states. These are set in the BIOS and then configured in the power options control panel (timeout in minutes). There are various sleep technologies such as S1 sleep, S3 sleep, Hybrid sleep and Hibernation (which is a laptop sleep technology).
  • G-States are global operating states and are not configurable by the user. These are just used in documentation to specify certain system states such as on, off, sleeping.
  • C-States are advanced CPU current lowering technologies. These are configured in the BIOS and are automatically used by the OS.

vCenter Server Appliance large scale deployment requirements

For a large scale deployment of vCenter Server Appliance to manage more than 400 hosts or 4000 virtual machines, you must modify the virtual machine settings so that they can meet large scale requirements.

Log into the vCenter Server Appliance administration interface at https://IP address or FQDN of vCenter Server Appliance:5480 and navigate to Services. In the Inventory Size drop-down menu, select large and click Save Settings.




Source:-
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2057376

Saturday, 22 March 2014

Become VCP5-DT Certified

There are two paths to earning your VCP5-DT certification.

Path 1
  1. Attend a qualifying course
  2. Pass the VMware VCP-Desktop (VCPD510) Exam
Exam Blueprint:-
http://mylearn.vmware.com/lcms/web/portals/certification/VCP_Blueprints/VCP-Desktop-Exam-Blueprint-v1_5.pdf
Path 2
  1. Hold VCP5-Data Center Virtualization or VCP-Cloud certification
  2. Pass the VMware View (VCP510-DT) Exam
Exam Blueprint:-
http://mylearn.vmware.com/lcms/web/portals/certification/VCP_Blueprints/VCP5-DT-Exam-Blueprint-v3_2.pdf

VMware vCenter Server Heartbeat FAQ (2044902)

Purpose

This article provides answers to frequently asked questions about VMware vCenter Heartbeat.

Resolution

What are the benefits of using VMware vCenter Server Heartbeat?

VMware vCenter Server Heartbeat is used to provide high availability for VMware vCenter Server in case of hardware, network, application, and OS failure.


Where can I download VMware vCenter Server Heartbeat?

You can download VMware vCenter Server Heartbeat on the VMware download page.

How do I install VMware vCenter Server Heartbeat?

For information on installing vCenter Server Heartbeat, see the VMware vCenter Server Heartbeat Documentation page.

What deployment method is used for VMware vCenter Server Heartbeat?
  • Recommended deployment methods: P2V and V2V
  • Supported deployment method: P2P
VMware vCenter Server Heartbeat can be deployed in a LAN or WAN.


What are the protection levels that VMware vCenter Server Heartbeat provides?

VMware vCenter Server Heartbeat monitors server availability, applications and application performance, network and server performance, and data protection.


What vCenter Server components can be protected with VMware vCenter Server Heartbeat?

See page 17 of the VMware vCenter Server Heartbeat installation guide, Installation on Windows Server 2008 When the Secondary Server is Virtual.


How do active and passive servers work?

Protected applications are running on active servers and services can be accessed by service name or public IP. Passive servers can be accessed by the management IP. Protected services are not running on passive servers. The server role can be changed from an active server to a passive server using manual failover.

A public IP is packet-filtered on passive servers and is passthrough when it becomes active.


How does VMware vCenter Server Heartbeat communicate?

VMware vCenter Server Heartbeat supports multi or single NIC configurations.

Public IP address: This IP address is used by a client to connect to an active server and move between primary and secondary servers in the event of a failover or switchover.

Channel IP address: This is for communication between the active and passive servers. This is used for control and data transfer from an active to passive server, and monitoring of an active server's status.

In a WAN, static routes are used over switches to maintain continuous communication.

Management IP address: This address is used to access servers in a passive role. In a multi NIC configuration, one NIC will have the Public IP and Management IP addresses, and another NIC will have the channel IP address. In a single NIC configuration, all IP addresses are on the same NIC.

Also see: Implementing vCenter Server Heartbeat on a single subnet using dual NICs (1036355)


What are the requirements for a WAN environment?

VMware vCenter Server Heartbeat supports sites with different subnets. In a WAN, the primary and secondary servers will have unique IP addresses in each subnet. Requirements are:
  • A routable IP address for the channel network
  • Minimum of 1 MB of spare bandwidth available
  • Ability to add/remove DNS hostname records
For more information, see:

How do I upgrade VMware vCenter Server Heartbeat from a previous version?

See:
How do I install and uninstall VMware vCenter Server Heartbeat packet filter drivers?
For more information on packet filters, see the Working with packet filters in vCenter Heartbeat post on the VMware Support Insider blog.


How do I apply Windows patches with VMware vCenter Server Heartbeat installed?

See Applying operating system patches or hotfixes with minimal interrupt when using vCenter Server Heartbeat (1010803)


How do I apply Service Packs to protected SQL Server?

See Upgrading and applying Service Packs to SQL Server protected by vCenter Server Heartbeat when the vCenter Server database is remote from the vCenter Server (1034077)


What databases can be protected with VMware vCenter Server Heartbeat?

VMware vCenter Server Heartbeat can protect Microsoft SQL Server, but cannot protect Oracle and IBM DB2 databases.

You can protect Microsoft SQL Server whether it is local to the vCenter Server or on a separate (remote) server with the same VMware vCenter Server Heartbeat license.

For more information, see vCenter Server Heartbeat SQL Server Plug-in Feature List (2041620).


Can I protect VMware vCenter Site Recovery Manager (SRM) with VMware vCenter Server Heartbeat?

See Using vCenter Heartbeat With SRM (1014266)


How do I protect View components using VMware vCenter Server Heartbeat?

See Installing and protecting View Composer after vCenter Server Heartbeat is installed (1034079)


How do I adjust protected applications and data?

See:

How do I join or isolate a vCenter Server instance from a Linked Mode Group when it is protected by VMware vCenter Server Heartbeat?

See Joining or isolating a vCenter Server instance from a Linked Mode Group when protected by vCenter Server Heartbeat (1022869)


How do I use custom SSL certificates with VMware vCenter Server Heartbeat?

See Replacing the SSL certificate in vCenter Server Heartbeat with a new certificate (2013041)


Where are the VMware vCenter Server Heartbeat executables located?

See Locating the VMware vCenter Server Heartbeat executables and icons (1030677)


How do I configure alerts in VMware vCenter Server Heartbeat?

See Configuring and testing alerts in VMware vCenter Server Heartbeat (1008607)


How do I collect VMware vCenter Server Heartbeat logs?

See Retrieving the VMware vCenter Server Heartbeat Logs and other useful information for support purposes (1008124)


Do I need a separate license for VMware vCenter Server Heartbeat for a remote SQL Server database?

Only a single vCenter Server Heartbeat license is required to protect vCenter Server components installed remotely, including SQL Server. A single license is also used for multiple SSO servers for protected vCenter Server services. One license is required per instance of vCenter Server.


Where can I find the documentation for VMware vCenter Server Heartbeat?

See the VMware vCenter Server Heartbeat Documentation page and the vCenter Heartbeat Installation and Validation post on the VMware Support Insider blog.
Source:-
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2044902