vcp6 dcv study guide esx virtualization

Upload: alex-applegate

Post on 08-Jul-2018


  • 8/19/2019 VCP6 DCV Study Guide ESX Virtualization

    1/211

     

    1

    VCP6-DCV STUDY GUIDE

    [UNOFFICIAL]

    By Vladan SEGET

    www.vladan.fr 




Contents

VCP6-DCV Objective 1.1 – Configure and Administer Role-based Access Control (p. 3)
VCP6-DCV Objective 1.2 – Secure ESXi, vCenter Server, and vSphere Virtual Machines (p. 9)
VCP6-DCV Objective 1.3 – Enable SSO and Active Directory Integration (p. 17)
VCP6-DCV Objective 2.1 – Configure Advanced Policies/Features and Verify Network Virtualization Implementation (p. 26)
VCP6-DCV Objective 2.2 – Configure Network I/O Control (NIOC) (p. 41)
VCP6-DCV Objective 2.3 – Configure vSS and vDS Policies (p. 45)
VCP6-DCV Objective 3.1 – Manage vSphere Storage Virtualization (p. 52)
VCP6-DCV Objective 3.2 – Configure Software-defined Storage (p. 65)
VCP6-DCV Objective 3.3 – Configure vSphere Storage Multi-pathing and Failover (p. 76)
VCP6-DCV Objective 3.4 – Perform Advanced VMFS and NFS Configurations and Upgrades (p. 83)
VCP6-DCV Objective 3.5 – Setup and Configure Storage I/O Control (p. 93)
VCP6-DCV Objective 4.1 – Perform ESXi Host and Virtual Machine Upgrades (p. 96)
VCP6-DCV Objective 4.2 – Perform vCenter Server Upgrade (p. 100)
VCP6-DCV Objective 5.1 – Configure Advanced/Multilevel Resource Pools (p. 108)
VCP6-DCV Objective 6.1 – Configure and Administer a vSphere Backups/Restore/Replication Solution (p. 116)
VCP6-DCV Objective 7.1 – Troubleshoot vCenter Server, ESXi Hosts, and Virtual Machines (p. 132)
VCP6-DCV Objective 7.2 – Troubleshoot vSphere Storage and Network Issues (p. 139)
VCP6-DCV Objective 7.3 – Troubleshoot vSphere Upgrades (p. 144)
VCP6-DCV Objective 7.4 – Troubleshoot and Monitor vSphere Performance (p. 149)
VCP6-DCV Objective 7.5 – Troubleshoot HA and DRS Configurations and Fault Tolerance (p. 156)
VCP6-DCV Objective 8.1 – Deploy ESXi Hosts Using Autodeploy (p. 166)
VCP6-DCV Objective 8.2 – Customize Host Profile Settings (p. 172)
VCP6-DCV Objective 8.3 – Consolidate Physical Workloads using VMware Converter (p. 177)
VCP6-DCV Objective 9.1 – Configure Advanced vSphere HA Features (p. 181)
VCP6-DCV Objective 9.2 – Configure Advanced vSphere DRS Features (p. 189)
VCP6-DCV Objective 10.1 – Configure Advanced vSphere Virtual Machine Settings (p. 192)
VCP6-DCV Objective 10.2 – Create and Manage Multi-Site Content Library (p. 200)
VCP6-DCV Objective 10.3 – Configure and Maintain a vCloud Air Connection (p. 205)


VCP6-DCV OBJECTIVE 1.1 – CONFIGURE AND ADMINISTER ROLE-BASED ACCESS CONTROL

Today's VCP6-DCV goal is to talk about VCP6-DCV Objective 1.1 - Configure and Administer Role-based Access Control. The VMware VCP exam is the gold standard of VMware certification exams. The VCP is the best-known of the VMware exams, even if it's not the highest technical level; it is the most recognized, by future employers and by the industry as a whole. We will cover the VCP6-DCV exam certification based on the latest VMware VCP6-DCV blueprint. Check the VCP6-DCV page for all objectives.

VMware vSphere Knowledge

• Identify common vCenter Server privileges and roles
• Describe how permissions are applied and inherited in vCenter Server
• View/Sort/Export user and group lists
• Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
• Create/Clone/Edit vCenter Server Roles
• Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products
• Determine the appropriate set of privileges for common tasks in vCenter Server

IDENTIFY COMMON VCENTER SERVER PRIVILEGES AND ROLES

There are roles and privileges. A role is a collection of privileges assigned to a group or a user. There is a certain number of out-of-the-box (predefined) roles visible under vSphere client > Roles. You can keep them, clone them, delete them or edit them.

http://www.vladan.fr/vcp6-dcv/


Four different types of permissions

Not only vCenter Server permissions, like the ones above, but also local permissions for ESXi. The full list:

• Global Permissions – Global permissions are applied to a global root object that spans solutions. Assigning permissions via the global root allows them to propagate to the other products relying on SSO (vCO, vROPS, vCD, ...).

• vCenter Server Permissions – Hierarchical model. A permission gives you a certain number of privileges, similar to Microsoft's AD. You select an object > assign a role to a group of users > which gives them privileges on that object.

• Group Membership in vsphere.local Groups – The vsphere.local domain includes several predefined groups. Assign users from AD (if you're using AD) to one of those groups to be able to perform the corresponding actions.

For some services that are not managed by vCenter Server directly, privileges are determined by membership in one of the vCenter Single Sign-On groups. For example, a user who is a member of the Administrator group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins group can manage the VMware Certificate Authority, and a user who is in the LicenseService.Administrators group can manage licenses.

Note: to be able to find the AD groups it's necessary to add identity sources via Home > Administration > Single Sign-On > Configuration > Identity sources.

The user [email protected] can perform tasks that are associated with services included with the Platform Services Controller.


• ESXi Local Host Permissions – If you are managing a standalone ESXi host that is not managed by a vCenter Server system, you can assign one of the predefined roles to users.

DESCRIBE HOW PERMISSIONS ARE APPLIED AND INHERITED IN VCENTER SERVER

Global permissions are assigned via the Web client only (SSO), via Home > Administration > Global permissions.

If you deselect "Propagate to children", the objects further down the hierarchy won't be accessible by that particular user/group (it's like managing NTFS permissions on Windows servers and unchecking the inheritance checkbox). Permissions apply directly to the object and are propagated to children by default.

If you click the "View Children" link, it shows you all the child objects the permission will apply to (if "Propagate to children" is selected).

• Inheritance of Multiple Permissions – If a user is a member of more than one group, the combined privileges of the roles apply. The example below shows a user who is a member of both groups.

• Child permissions override parent permissions – Permissions applied on a child object always override permissions that are applied on a parent object. See the examples on p. 119 of the vSphere Security Guide.

http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-security-guide.pdf


Example: Role 1 can power on VMs and Role 2 can take snapshots.

Group A is granted Role 1 on the VM folder and the permission propagates to child objects.

Group B is granted Role 2 on VM B.

User 1, who belongs to groups A and B, logs on. Because Role 2 is assigned at a lower point in the hierarchy than Role 1, it overrides Role 1 on VM B. User 1 can power on VM A, but not take snapshots. User 1 can take snapshots of VM B, but not power it on.

• User role overriding group role – if two permissions are defined on the same object.

The permissions are on the same object. One permission is granted to a group, the other to a user who is at the same time a member of that group. Role 1 can power on VMs. Group A is granted Role 1 on the VM folder, and at the same time User 1 is granted the No Access role on the VM folder.

User 1, who belongs to group A, logs on. The No Access role granted to User 1 on the VM folder overrides the role assigned to the group. User 1 has no access to the VM folder or VMs A and B.
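The scenarios above, worked through as an added example that is not part of the study guide: a small model of how vCenter resolves a user's effective privileges on an object using the rules just described (the nearest object with a matching permission decides, a user permission beats group permissions on the same object, otherwise the matching group roles are combined, and a parent's permission reaches a child only if it propagates). The inventory, principal names and role contents are constructed; the two privilege IDs are the real vSphere ones for power-on and snapshot.

```python
"""Model of vCenter permission resolution (constructed example, not VMware code).

Rules modelled, as described in the study guide:
  1. A permission on a child object overrides one on a parent object.
  2. A permission on an ancestor only reaches the object if it propagates.
  3. On the same object, a permission granted to the user overrides group
     permissions; otherwise the privileges of all matching group roles combine.
"""
from dataclasses import dataclass, field
from typing import Optional

# Real vSphere privilege IDs for the two roles in the guide's example.
ROLE1 = frozenset({"VirtualMachine.Interact.PowerOn"})       # "Role 1: power on VMs"
ROLE2 = frozenset({"VirtualMachine.State.CreateSnapshot"})   # "Role 2: take snapshots"
NO_ACCESS = frozenset()                                       # the "No Access" role


@dataclass(frozen=True)
class Permission:
    principal: str          # user or group name
    is_group: bool
    privileges: frozenset   # privileges of the assigned role
    propagate: bool = True  # the "Propagate to children" checkbox


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    permissions: list = field(default_factory=list)


def resolve_privileges(obj, user, groups):
    """Effective privileges of `user` (member of `groups`) on `obj`."""
    principals = {user, *groups}
    node, depth = obj, 0
    while node is not None:
        # Permissions on this node that name the user or one of their groups;
        # those inherited from an ancestor count only when they propagate.
        applicable = [p for p in node.permissions
                      if p.principal in principals and (depth == 0 or p.propagate)]
        if applicable:
            # The nearest object with a matching permission decides (child overrides parent).
            user_perms = [p for p in applicable if not p.is_group]
            chosen = user_perms if user_perms else applicable   # user beats group
            return set().union(*(p.privileges for p in chosen))  # groups combine
        node, depth = node.parent, depth + 1
    return set()   # no permission anywhere up the tree: no access


def build_inventory():
    """vCenter > VM Folder > {VM A, VM B}, as in the guide's examples."""
    root = InventoryObject("vCenter")
    folder = InventoryObject("VM Folder", root)
    return folder, InventoryObject("VM A", folder), InventoryObject("VM B", folder)


def example_child_overrides_parent():
    """Group A: Role 1 on VM Folder (propagating); Group B: Role 2 on VM B."""
    folder, vm_a, vm_b = build_inventory()
    folder.permissions.append(Permission("Group A", True, ROLE1, propagate=True))
    vm_b.permissions.append(Permission("Group B", True, ROLE2))
    groups = ["Group A", "Group B"]
    return resolve_privileges(vm_a, "User 1", groups), resolve_privileges(vm_b, "User 1", groups)


def example_user_overrides_group():
    """Group A: Role 1 on VM Folder; User 1: No Access on the same folder."""
    folder, vm_a, vm_b = build_inventory()
    folder.permissions.append(Permission("Group A", True, ROLE1))
    folder.permissions.append(Permission("User 1", False, NO_ACCESS))
    return tuple(resolve_privileges(o, "User 1", ["Group A"]) for o in (folder, vm_a, vm_b))


def example_group_roles_combine():
    """Group A: Role 1 and Group B: Role 2, both on VM Folder: privileges are unioned."""
    folder, vm_a, _ = build_inventory()
    folder.permissions.append(Permission("Group A", True, ROLE1))
    folder.permissions.append(Permission("Group B", True, ROLE2))
    return resolve_privileges(vm_a, "User 1", ["Group A", "Group B"])


def example_no_propagation():
    """Like the first example, but Role 1 does not propagate: VM A gets nothing."""
    folder, vm_a, _ = build_inventory()
    folder.permissions.append(Permission("Group A", True, ROLE1, propagate=False))
    return resolve_privileges(vm_a, "User 1", ["Group A"])


if __name__ == "__main__":
    print("VM A / VM B:", example_child_overrides_parent())
    print("No Access override:", example_user_overrides_group())
    print("Combined groups:", example_group_roles_combine())
    print("No propagation:", example_no_propagation())
```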

VIEW/SORT/EXPORT USER AND GROUP LISTS

To check global permissions, use Web client > Home > Administration > Global permissions.

You can export the selected items, or all items, to a CSV file or copy them to the clipboard. You can also use CTRL+Click to copy to the clipboard.


ADD/MODIFY/REMOVE PERMISSIONS FOR USERS AND GROUPS ON VCENTER SERVER INVENTORY OBJECTS

To modify or add permissions you must select an object > Manage > Permissions.

Then you can use the Delete, Edit or Add icons there...

CREATE/CLONE/EDIT VCENTER SERVER ROLES

To edit, create or clone vCenter roles it's necessary to use vSphere Web client > Administration > Roles OR Home > Roles. Default roles are:

• Administrator
• Read-Only
• No Access

To clone a role, click the icon...


vSphere Security Guide (p. 121).

DETERMINE THE CORRECT ROLES/PRIVILEGES NEEDED TO INTEGRATE VCENTER SERVER WITH OTHER VMWARE PRODUCTS

Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies.


(vSphere Security Guide, p. 122)

DETERMINE THE APPROPRIATE SET OF PRIVILEGES FOR COMMON TASKS IN VCENTER SERVER

• Common tasks and required privileges – p. 127
• All privileges – p. 229

Tools:

• vSphere Installation and Setup Guide
  http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-installation-setup-guide.pdf
• vSphere Security Guide
  http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-security-guide.pdf
• What’s New in the VMware vSphere® 6.0 Platform
  http://www.vmware.com/files/pdf/vsphere/VMware-vSphere-Platform-Whats-New.pdf
• vSphere Administration with the vSphere Client Guide
  http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-client-administration-guide.pdf
• vSphere Client / vSphere Web Client


VCP6-DCV OBJECTIVE 1.2 – SECURE ESXI, VCENTER SERVER, AND VSPHERE VIRTUAL MACHINES

This post covers VCP6-DCV Objective 1.2 - Secure ESXi, vCenter Server, and vSphere Virtual Machines. A very interesting chapter indeed, where we cover all the "locks" which an admin can put in place to secure his/her environment. And you don't have to be a Linux expert, as all this is done without much difficulty!

For whole exam coverage I created a dedicated VCP6-DCV page. Or, if you're not preparing to pass the VCP6-DCV, you might just want to look at some how-tos, news and videos about vSphere 6 - check out my vSphere 6 page. If you find out that I missed something, don't hesitate to comment.

Knowledge

• Enable/Configure/Disable services in the ESXi firewall
• Enable Lockdown Mode
• Configure network security policies
• Add an ESXi Host to a directory service
• Apply permissions to ESXi Hosts using Host Profiles
• Configure virtual machine security policies
• Create/Manage vCenter Server Security Certificates

ENABLE/CONFIGURE/DISABLE SERVICES IN THE ESXI FIREWALL

HOW TO ENABLE / DISABLE SERVICES IN THE ESXI FIREWALL - THE HARD WAY (VIA CLI)

CHECK WHICH SERVICES ARE ACTIVE:

esxcli network firewall ruleset list

OPEN A FIREWALL PORT VIA CLI (here the httpClient ruleset):

esxcli network firewall ruleset set -e true -r httpClient

HOW TO ENABLE / DISABLE SERVICES IN THE ESXI FIREWALL - THE EASY WAY (VIA VSPHERE CLIENT)

Note that you can do the same by selecting the host through vSphere client > Configuration > Security Profile > Firewall.
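As an added example that is not part of the study guide, a Python audit of the `esxcli network firewall ruleset list` output against a site baseline, which emits the same `esxcli network firewall ruleset set` commands shown above for every ruleset that is enabled but not allowed (and for allowed ones that are off). The listing is constructed in the shape of that command's two-column output, and the baseline is a hypothetical site policy, not one from the guide.

```python
"""Audit ESXi firewall rulesets against a baseline (added example, not from the guide).

Input is the text of `esxcli network firewall ruleset list`: a Name/Enabled
header, a dashed separator and one `<ruleset> <true|false>` row per ruleset.
"""

# Constructed listing in the shape of the esxcli output (not captured from a real host).
SAMPLE_LISTING = """\
Name                 Enabled
-------------------  -------
sshServer               true
sshClient              false
nfsClient               true
ntpClient              false
httpClient              true
vSphereClient           true
dhcp                    true
DVSSync                 true
"""

# Hypothetical site policy: the only rulesets that may be enabled on a hardened host.
BASELINE_ENABLED = frozenset({"vSphereClient", "dhcp", "DVSSync", "ntpClient", "nfsClient"})


def parse_ruleset_list(text):
    """Return {ruleset_name: enabled} from the two-column listing."""
    rulesets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1] not in ("true", "false"):
            continue   # header, separator or blank line
        rulesets[parts[0]] = parts[1] == "true"
    return rulesets


def unexpected_rulesets(text, baseline=BASELINE_ENABLED):
    """Rulesets enabled on the host although the baseline does not allow them."""
    return sorted(name for name, on in parse_ruleset_list(text).items()
                  if on and name not in baseline)


def missing_rulesets(text, baseline=BASELINE_ENABLED):
    """Baseline rulesets that are disabled (or absent) on the host."""
    rulesets = parse_ruleset_list(text)
    return sorted(name for name in baseline if not rulesets.get(name, False))


def remediation_commands(text, baseline=BASELINE_ENABLED):
    """esxcli commands, in the form shown above (`-e true -r httpClient`), that restore the baseline."""
    close = [f"esxcli network firewall ruleset set -e false -r {n}"
             for n in unexpected_rulesets(text, baseline)]
    reopen = [f"esxcli network firewall ruleset set -e true -r {n}"
              for n in missing_rulesets(text, baseline)]
    return close + reopen


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_LISTING):
        print(cmd)
```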

http://www.vladan.fr/vcp6-dcv
http://www.vladan.fr/vsphere-6-0/


    Services can be Started, Stopped, or Restarted. Services can be configured to Start and stop with host, Start and stop

    manually, or Start and stop with port usage.

    ESXi Shell and SSH are disabled (Set to Start and stop manually) by default. ESXi Shell and SSH can be enabled/disabled

    in the DCUI from the Troubleshooting Mode Options menu.


ENABLE LOCKDOWN MODE

When you enable lockdown mode, you can't connect directly from the console. The host is accessible only through the vSphere client directly or via vCenter Server.

Lockdown modes:

• Disabled - Lockdown mode is disabled.
• Normal - Lockdown mode is enabled. The host can only be accessed from vCenter or from the console (DCUI).
• Strict - Lockdown mode is enabled. The DCUI service is stopped. The host can not be accessed from the console (DCUI).

[TIP]: You can activate the DCUI from within an SSH session. Type this after logging in with PuTTY or another SSH client:

dcui

There you see the DCUI screen.


vSphere 6 introduced "exception users", which are users with local accounts or Microsoft Active Directory accounts with permissions defined locally on the host, where these users have host access. You can define those exception users locally on the host, but it's not recommended for normal user accounts, rather for service accounts. You should set the permissions on these accounts to the strict minimum, only what's required for the application to do its task, and with an account that needs only read-only permissions to the ESXi host.

This is basically the same principle as local server accounts on a Windows member server, where you can create local accounts, but as a best practice give them only the permissions they need...

Smart Card Authentication to DCUI – This is a new function, but apparently it is for U.S. federal customers only. It allows DCUI login access using a Common Access Card (CAC) and Personal Identity Verification (PIV). In this case the ESXi host must be part of Microsoft AD.

CONFIGURE NETWORK SECURITY POLICIES

Network security policies are defined in two places:

• vSwitch level
• Portgroup level

Three different policies:

• Promiscuous mode – If set to Accept, it allows the guest OS to receive all traffic observed on the connected vSwitch or portgroup (the switch basically becomes a hub, with all the inconveniences: packet collisions, performance degradation, etc.). By default it's Reject.

• MAC address changes – The host accepts requests to change the effective MAC address to a different address than the initial MAC address. By default it's Accept.

• Forged transmits – The host does not compare source and effective MAC addresses transmitted from a virtual machine. By default it's Accept.

Or via vSphere client (more convenient)


If MAC address changes and Forged transmits are set to Reject, the host is protected against MAC address spoofing. When changing the settings at the portgroup level there is an Override checkbox allowing you to set the policy on a portgroup rather than on the vSwitch.
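As an added example that is not part of the study guide, a Python check of the three policies against the hardened setting the text recommends (Reject, i.e. "false", for all three), reading the output of `esxcli network vswitch standard policy security get -v vSwitch0` and emitting the matching `set` command. The sample output is constructed; the "Allow ...: true|false" output format and the -p/-m/-f flags of the `set` command are assumed from esxcli usage, not taken from the guide.

```python
"""Check vSwitch security policies against the hardened setting (added example, not from the guide).

Input is the output of `esxcli network vswitch standard policy security get -v <vswitch>`:
three `Allow ...: true|false` lines, where "true" is Accept and "false" is Reject.
The output format and the -p/-m/-f flags are assumed from esxcli usage.
"""

# Constructed sample showing the vSphere defaults described above (promiscuous
# rejected, MAC changes and forged transmits accepted); not captured from a real host.
SAMPLE_POLICY = """\
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
"""

# Setting name as printed by esxcli -> flag of the matching `policy security set` command.
SETTING_FLAGS = {
    "Allow Promiscuous": "-p",
    "Allow MAC Address Change": "-m",
    "Allow Forged Transmits": "-f",
}


def parse_security_policy(text):
    """Return {setting: accept_bool} for the three security settings."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip().lower()
        if sep and key in SETTING_FLAGS and value in ("true", "false"):
            policy[key] = value == "true"
    return policy


def policy_findings(text, allowed=frozenset()):
    """Settings still on Accept that are not on the documented exception list.

    `allowed` names settings deliberately left on Accept, for example
    "Allow Promiscuous" on a vSwitch that feeds a network IDS sensor.
    """
    return sorted(name for name, accept in parse_security_policy(text).items()
                  if accept and name not in allowed)


def hardening_command(vswitch, text, allowed=frozenset()):
    """The esxcli command that sets every finding to Reject, or None if already compliant."""
    findings = policy_findings(text, allowed)
    if not findings:
        return None
    flags = " ".join(f"{SETTING_FLAGS[name]} false" for name in findings)
    return f"esxcli network vswitch standard policy security set -v {vswitch} {flags}"


if __name__ == "__main__":
    print(policy_findings(SAMPLE_POLICY))
    print(hardening_command("vSwitch0", SAMPLE_POLICY))
```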

ADD AN ESXI HOST TO A DIRECTORY SERVICE

Using Active Directory for user authentication simplifies the ESXi host configuration and reduces the risk of configuration issues that could lead to unauthorized access. You can join or leave the domain by selecting a host > Configuration > Authentication Services > Properties. You can also join standalone ESXi hosts to AD. By using AD you eliminate the need to manage local users on ESXi hosts.

A special AD group named "ESX Admins" shall be manually created before the host is joined to AD. Why? Because this way all members of this group (ESX Admins) are automatically assigned the Administrator role on the host when the host is joined to AD. If not, the permissions have to be applied manually.


vSphere Web client > Hosts and Clusters > select ESXi host > Manage > Settings > Authentication Services.

APPLY PERMISSIONS TO ESXI HOSTS USING HOST PROFILES

Host profiles are a very cool feature allowing you to homogenize configuration across ESXi hosts and automate compliance. In some cases host profiles can also be useful when, for example, you need to reset the ESXi root password on a host.

Check the vSphere Security Guide (PDF) on p. 133, but basically this procedure applies:

1. Set up the reference host to specification and create a host profile.
2. Attach the profile to a host or cluster.
3. Apply the host profile of the reference host to other hosts or clusters.

If you haven't done so yet, go to Home > Host Profiles > Extract profile from host. Once you have that profile you can apply it to a host...

• Select the host profile > click Actions > Edit Host Profile (or right click > Edit Settings)
• Expand Security and Services
• Select the Permission Rules folder > click the plus sign

http://www.vladan.fr/how-to-reset-esxi-5-x-root-password-and-under-which-conditions/
http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-security-guide.pdf


The root password is encrypted within the host profile; however, joining hosts to AD via host profiles leaves the password in plain text... -:(

CONFIGURE VIRTUAL MACHINE SECURITY POLICIES

VMs are fragile. The same goes for the guest OS. Treat them accordingly... -:). Seriously, you should patch to the latest release of the OS patches, antivirus patches and/or malware patches... That's the bare minimum to prevent system corruption.

• Be organized - use templates to deploy virtual machines
• Minimize use of the virtual machine console


• Prevent virtual machines from taking over resources
• Disable unnecessary functions inside virtual machines - usually Windows/Linux services can be stopped, set to manual instead of automatic startup, etc.
• Remove unnecessary hardware devices - floppy, printers, sound devices... Anything you don't need you can remove to have lower overhead.
• Disable unused display features
• Disable unexposed features
• Disable HGFS file transfers
• Disable copy and paste operations between the guest operating system and the remote console (by default this is disabled on a per-host level, but you can add the advanced settings):

isolation.tools.copy.disable = true
isolation.tools.paste.disable = true

• Limit exposure of sensitive data copied to the clipboard
• Restrict users from running commands within a virtual machine:

1. Click Administration and select Roles > click Create Role > "No Guest Access" > select all privileges.
2. Deselect All Privileges > Virtual machine > Guest Operations to remove the Guest Operations set of privileges > validate with OK.

• Prevent a virtual machine user or process from disconnecting devices
• Modify guest operating system variable memory limit
• Prevent guest operating system processes from sending configuration messages to the host
• Avoid using Independent Nonpersistent Disks - keep in mind that non-persistent disks are not affected by snapshots. If you use snapshots, a redo log is created to capture all subsequent writes to that disk. However, if the snapshot is deleted, or the virtual machine is powered off, the changes captured in that redo log are discarded for that Independent Non-persistent VMDK.
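As an added example that is not part of the study guide, a small Python check of a VM's .vmx configuration for the two isolation settings given above and for unnecessary devices that are still present. The .vmx text is constructed; `floppy0.present` and `sound.present` are the standard .vmx keys for those devices and are assumptions not stated on the page.

```python
"""Check a .vmx for the guest-isolation settings above and for unneeded devices
(added example, not from the guide). The .vmx text below is constructed."""
import re

SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
floppy0.present = "TRUE"
sound.present = "FALSE"
"""

# Settings the guide recommends, with the expected value.
REQUIRED_SETTINGS = {
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
}

# Device keys (assumed standard .vmx names) that should be FALSE or absent.
UNNEEDED_DEVICES = ("floppy0.present", "sound.present")

# One `key = "value"` line; the quotes around the value are optional.
_VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text):
    """Parse `key = "value"` lines into a dict; values are returned without quotes."""
    settings = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def isolation_findings(text):
    """Required settings that are missing or not set to the recommended value."""
    settings = parse_vmx(text)
    findings = []
    for key, wanted in REQUIRED_SETTINGS.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not set explicitly")
        elif actual.lower() != wanted:
            findings.append(f"{key}: {actual} (expected {wanted.upper()})")
    return findings


def device_findings(text):
    """Unneeded devices still present in the configuration."""
    settings = parse_vmx(text)
    return [key for key in UNNEEDED_DEVICES if settings.get(key, "FALSE").lower() == "true"]


if __name__ == "__main__":
    print(isolation_findings(SAMPLE_VMX))
    print(device_findings(SAMPLE_VMX))
```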

CREATE/MANAGE VCENTER SERVER SECURITY CERTIFICATES

Certificates got easier with vSphere 6, as they can be viewed and renewed within the vSphere Web client.

There are two operation modes:

• Root CA (by default)
• Issuer CA – possibility to integrate a Microsoft Certification Authority. In this case you'll create the CSR (request) > go to the Microsoft Cert Server and get the certificate.

To view certificates:


The VMware Certificate Authority (VMCA) provisions vCenter Server components and ESXi hosts with certificates that use VMCA as the root certificate authority by default.

The vSphere Certificate Manager utility allows you to perform most certificate management tasks interactively from the command line.

Example. On Windows you must go to this directory:

C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat

Link to online documentation for using the vSphere Certificate Manager utility.

vSphere Certificate Manager prompts you for the task to perform, for certificate locations and other information as needed, and then stops and starts services and replaces certificates for you.

vCenter certificate utilities:

• vSphere Certificate Manager utility – certificate replacement tasks from a command line utility.
• Certificate management CLIs – dir-cli, certool, and vecs-cli command line utilities.
  o certool can generate and manage certificates and keys. Part of VMCA.
  o dir-cli is able to create and update certificates in the VMware Directory Service. Part of VMAFD.
  o vecs-cli can manage the contents of VMware Certificate Store instances. Part of VMAFD.
• vSphere Web Client certificate management – view certificate information in the Web Client.

Tools

• vSphere Installation and Setup Guide
• vSphere Security Guide
• What’s New in the VMware vSphere® 6.0 Platform
• Security of the VMware vSphere® Hypervisor
• vSphere Administration with the vSphere Client Guide
• VMware Hardened Virtual Appliance Operations Guide added to Tech Resource Directory
• vSphere Client / vSphere Web Client

    VCP6-DCV OBJECTIVE 1.3 - ENABLE SSO AND ACTIVE DIRECTORY INTEGRATION 

    In no particular order I'll start covering VCP6-DCV sections to help out folks learning towards VCP6-DCV VMware

    certification exam. Due to VMware recertification policy the VCP exam has now an expiration date. You can renew by

    passing delta exam while still holding current VCP or pass VCAP. The topic today - VCP6-DCV Objective 1.3 - Enable

    SSO and Active Directory Integration.

    For whole exam coverage I created a dedicated VCP6-DCV Wordpress page. If you just look on some how-to, news,

    videos about vSphere 6 check out my vSphere 6 page. vSphere 6 grew up quite big compared to vSphere 5.5 release,

    but simplified the deployment and management. vSphere Web client is more present and used in this release as the

    legacy C# client does not allow to configure advanced configuration options and functions like SSO, FT, VSAN

    You'll need certain knowledge that we'll try to cover today:

      Configure/Manage Active Directory Authentication

      Configure/Manage Platform Services Controller (PSC)

     

    Configure/Manage VMware Certificate Authority (VMCA)  Enable/Disable Single Sign-On (SSO) Users

http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-E1D35792-ED03-468A-966B-362BED18021A.html
http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-installation-setup-guide.pdf
http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-security-guide.pdf
http://www.vmware.com/files/pdf/vsphere/VMware-vSphere-Platform-Whats-New.pdf
http://www.vmware.com/files/pdf/techpaper/vmw-wp-secrty-vsphr-hyprvsr-uslet-101.pdf
http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-client-administration-guide.pdf
http://www.vmware.com/files/pdf/techpaper/VMWare-Hardened-Appliance-Operations-Guide.pdf
http://www.vladan.fr/vcp6-dcv
http://www.vladan.fr/vsphere-6-0/
http://www.vladan.fr/vsphere55/

- Identify available authentication methods with VMware vCenter

CONFIGURE/MANAGE ACTIVE DIRECTORY AUTHENTICATION

Step 1: Connect to your vCenter Server by entering the IP address you entered during the deployment process:

https://vCenter Server IP/vsphere-client

and log in with administrator@vsphere.local as the user name and the password you set during the deployment.

Step 2: Click the Administration button on the left, then go to Single Sign-On > Configuration > Identity Sources and click the "+" sign to add your AD as an identity source. Normally it will populate your local AD automatically, so you just have to click the OK button...

You can also click the globe icon to make the AD the default identity source while you're there...

Screenshot showing the Identity source where we added our AD - lab.local

NEXT STEP: PERMISSIONS

You'll need to assign permissions to the users who will administer the vSphere infrastructure. Usually it's the domain admin, but not always..... Also keep in mind where you assign those permissions: at the Datacenter level, the vCenter level or the cluster level... Usually you'll want to do it at the vCenter level.

Go to Home > vCenter Inventory Lists > vCenter Servers > vCenter.lab.local (in my case) > Click the Manage Tab > Permissions

There you click the "+" sign > Add button > make sure that you select your Microsoft AD in the domain drop-down so that the Domain Admin user appears...

Click OK to validate. You can disconnect and reconnect as domain admin now... Note that if your workstation is part of the Microsoft AD, you just have to check the box and there is no need to enter your domain user password... -:)

Some of you might wonder why there is this Single Sign-On. vCenter Single Sign-On is an authentication service which allows the different vSphere software components present in the vCloud Suite to communicate with each other via a secure token exchange mechanism.
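The same permission assignment can be done and, more importantly, audited from PowerCLI. The script below is an added example written for this guide, not the guide's own steps: it assumes PowerCLI is installed, that vCenter is reachable as vcenter.lab.local (the lab name used above), and that an AD group LAB\vSphere-Admins exists (a constructed name). Granting the Administrator role to a dedicated AD group rather than to individual domain admins keeps vSphere rights separate from Domain Admin membership, and the audit function at the end lists every principal that holds Administrator anywhere in the inventory.

```powershell
# Added example, not from the study guide. Assumes PowerCLI and a vCenter
# reachable as vcenter.lab.local; LAB\vSphere-Admins is a constructed AD group.
Import-Module VMware.VimAutomation.Core

# Log in with the SSO administrator; Connect-VIServer prompts for the password.
$vc = Connect-VIServer -Server 'vcenter.lab.local' -User 'administrator@vsphere.local'

# The vCenter root is the hidden top-level folder returned with -NoRecursion.
$root = Get-Folder -Server $vc -NoRecursion

# Grant the built-in Administrator role (internal name "Admin") to a dedicated
# AD group, propagated down the whole inventory. A group keeps vSphere rights
# separate from Domain Admin membership and is auditable in AD.
$adminRole = Get-VIRole -Server $vc -Name 'Admin'
New-VIPermission -Server $vc -Entity $root -Principal 'LAB\vSphere-Admins' -Role $adminRole -Propagate:$true | Out-Null

# Audit: every principal holding Administrator anywhere in the inventory,
# with the object the permission is set on and whether it propagates.
function Get-AdministratorGrants {
    Get-VIPermission -Server $vc |
        Where-Object { $_.Role -eq 'Admin' } |
        Select-Object Principal, IsGroup, @{ n = 'Entity'; e = { $_.Entity.Name } }, Propagate
}

Get-AdministratorGrants | Format-Table -AutoSize
Disconnect-VIServer -Server $vc -Confirm:$false
```

Run the audit function periodically; an Administrator grant on an unexpected object (a single VM, a resource pool) or to an individual account instead of the group is the kind of drift the Web Client permissions tab does not make obvious.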

CONFIGURE/MANAGE PLATFORM SERVICES CONTROLLER (PSC)

The Platform Services Controller (PSC) provides:

- Single Sign-On (SSO)
- Licensing
- Certificate Authority (VMCA)

You can deploy it together with vCenter Server or separately, and either Windows-based or appliance-based (VCSA). It's important to know that the PSC works transparently with both Windows-based and VCSA-based vCenter!

PSC Deployment Options - two different installation types are allowed:

- Embedded (in the same VM)
- External

The embedded PSC is meant to be used for standalone sites where vCenter Server will be the only SSO-integrated solution. In this case replication to another PSC is not necessary.

An external PSC shall be deployed in environments where there is more than one SSO-enabled solution (vCenter Server, vRealize Automation, etc...) OR where replication to another PSC (another site) is necessary.

Here is the screenshot from the installation process (VCSA) showing the different options; changing the options also changes the different phases of the deployment (on the left).

PSC features:

- Manages and generates SSL certificates for your vSphere environment.
- Stores and replicates VMware license keys.
- Stores and replicates permissions via the Global Permissions layer.
- Manages the storage and replication of tags and categories.
- Built-in automatic replication between different logical SSO sites (if any).
- There is only one single default domain for the identity sources.

DEPLOYMENT OPTIONS:

http://www.vladan.fr/wp-content/uploads/images/vcenter-vcsa4.png

- Embedded Platform Services Controller

All services bundled with the Platform Services Controller are deployed on the same virtual machine or physical server as vCenter Server.

- External Platform Services Controller

The services bundled with the Platform Services Controller and vCenter Server are deployed on different virtual machines or physical servers.

Recommended reads:

VMware vSphere Blog - vCenter Server 6 Deployment Topologies and High Availability.
http://blogs.vmware.com/vsphere/2015/03/vcenter-server-6-topology-ha.html

VMware KB - Recommended topologies for vSphere 6.0.x (2108548).
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2108548

Configure/Manage VMware Certificate Authority (VMCA)

When you first install vSphere, the default certificates are deployed with a 10-year life span. The VMCA generates those self-signed certs during the installation process and provisions each ESXi host with a certificate signed by this root certificate authority. Self-signed certificates from earlier versions of vSphere are automatically replaced by new certificates issued by VMCA.

There are different ESXi certificate replacement modes:

- Default - VMCA is the certificate authority and issues the certs for your hosts.
- Custom - you can override the defaults and issue the certs manually via VMCA.
- Thumbprint mode - this way you keep the certs from vSphere 5.5.

To check this go to View Support Information after logging in to your ESXi host:

WHERE TO CHECK THE CERTIFICATES IN THE WEB CLIENT?

Home > System Configuration > Nodes > Node > Manage > Certificate Authority

Note: If you're not a member of the SystemConfiguration.Administrators group then you might want to add yourself there, if of course you're connecting as a domain administrator....

Back to where to check the certificates in the vSphere Web Client:

Home > System Configuration > Nodes > Node > Manage > Certificate Authority
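A check worth having next to the Web Client path above: read the certificate each ESXi host actually presents on port 443 and report who issued it and when it expires. That tells you at a glance whether a host holds a VMCA-issued cert (Default mode), one from your own CA (Custom), or a leftover self-signed cert (Thumbprint mode), and which certs are close to expiry. This is an added example written for this guide, not the guide's own procedure; it needs only PowerShell's .NET classes, not PowerCLI, and the host names are constructed.

```powershell
# Added example, not from the study guide. Needs only PowerShell (.NET), not
# PowerCLI. Host names are constructed for the example.
function Get-HostTlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # We only want to read the certificate, so accept whatever is presented
        # here; trust decisions are made from the report, not in this callback.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result = [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer          # VMCA root, your own CA, or the host itself
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # typical of Thumbprint-mode leftovers
            Thumbprint = $cert.Thumbprint      # compare with the value shown on the host
        }
        $ssl.Dispose()
        $result
    }
    finally { $client.Close() }
}

# Constructed host list; in practice feed it from Get-VMHost or DNS.
$esxiHosts = @('esxi01.lab.local', 'esxi02.lab.local')
$esxiHosts | ForEach-Object { Get-HostTlsCertificate -HostName $_ } |
    Sort-Object DaysLeft | Format-Table -AutoSize
```

A host whose Issuer equals its Subject after an upgrade to 6.0 is still on its old self-signed certificate and should be re-provisioned through the Certificate Authority node shown above before the thumbprint-based trust is relied on.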

ENABLE/DISABLE SINGLE SIGN-ON (SSO) USERS

VMware SSO uses different configuration policies, which can be found via the vSphere Web Client only:

Administration > Single Sign-On > Configuration > Policies

- Password Policy
- Lockout Policy
- Token Policy

PASSWORD POLICY

You can configure the following parameters:

- Description - Password policy description. Required.
- Maximum lifetime - Maximum number of days that a password can exist before it has to be changed.
- Restrict re-use - Number of the user's previous passwords that cannot be set again.
- Maximum length - Maximum number of characters that are allowed in the password.
- Minimum length - Minimum number of characters required in the password.
- Character requirements - Minimum number of different character types required in the password.
- Identical adjacent characters - Maximum number of identical adjacent characters allowed in the password.

To get to this screen you must click Administration > Single Sign-On > Configuration

By clicking the Edit button you are able to change the values there...

If you leave the default values and after 90 days you want to log in, you might end up with messages saying:

- User Account is locked.
- User Account is disabled.

Those SSO policies are pretty much the same as in vSphere 5.5, with the difference that in vSphere 5.5 we also had an administrator password expiry on the vCenter Server Appliance (VCSA). The VCSA 6.0 is pretty much locked down, and the GUI we used to manage the VCSA via port 5480 is no longer available.

Lockout Policy

Specifies the conditions under which a vCenter SSO account is locked when the user attempts to log in with incorrect credentials. Five login attempts and three minutes between failures are set by default. This policy also specifies the time that must elapse before the account is automatically unlocked.

- Description - Description of the lockout policy. Required.
- Max. number of failed login attempts - Maximum number of failed login attempts that are allowed before the account is locked.
- Time interval between failures (seconds) - Time period in which failed login attempts must occur to trigger a lockout.
- Unlock time (seconds) - Amount of time that the account remains locked. If you enter 0, the account must be explicitly unlocked by an administrator.

To see the lockout policy parameters, click on the Policies tab and select Lockout Policy:
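To make the password and lockout parameters above concrete, here is a small local model of them in PowerShell. It is an added example written for this guide, not vCenter's own code: the policy values are constructed (the lockout defaults are the ones stated above), and only the checks the text describes are modelled: length bounds, the count of different character types, identical adjacent characters, the re-use history, and the failed-attempt window with its unlock time.

```powershell
# Added example, not from the study guide or vCenter. Policy values constructed.
$Policy = @{
    MinLength                = 8
    MaxLength                = 20
    CharacterTypesRequired   = 3     # of: upper, lower, digit, special
    MaxIdenticalAdjacent     = 2
    RestrictReuse            = 5     # previous passwords that cannot be set again
    MaxFailedAttempts        = 5     # vSphere default
    FailedAttemptIntervalSec = 180   # vSphere default: three minutes
    UnlockTimeSec            = 300   # 0 would mean "administrator must unlock"
}

function Test-PasswordAgainstPolicy {
    param([string]$Password, [string[]]$PreviousPasswords = @(), [hashtable]$P = $Policy)
    $violations = @()
    if ($Password.Length -lt $P.MinLength) { $violations += "shorter than $($P.MinLength)" }
    if ($Password.Length -gt $P.MaxLength) { $violations += "longer than $($P.MaxLength)" }

    # Character requirements: count the distinct character types present.
    $types = 0
    foreach ($re in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $re) { $types++ }
    }
    if ($types -lt $P.CharacterTypesRequired) { $violations += "only $types character types" }

    # Identical adjacent characters: longest run of one repeated character.
    $run = 1; $longest = 1
    for ($i = 1; $i -lt $Password.Length; $i++) {
        if ($Password[$i] -ceq $Password[$i - 1]) { $run++ } else { $run = 1 }
        if ($run -gt $longest) { $longest = $run }
    }
    if ($longest -gt $P.MaxIdenticalAdjacent) { $violations += "$longest identical adjacent characters" }

    # Restrict re-use: the last N passwords cannot be set again.
    $history = @($PreviousPasswords | Select-Object -Last $P.RestrictReuse)
    if ($history -ccontains $Password) { $violations += "reuses one of the last $($P.RestrictReuse) passwords" }

    [pscustomobject]@{ Compliant = ($violations.Count -eq 0); Violations = ($violations -join '; ') }
}

function Test-LockoutTriggered {
    # Lockout fires when MaxFailedAttempts failures fall inside one
    # FailedAttemptIntervalSec window; UnlockTimeSec then decides the unlock time.
    param([datetime[]]$FailureTimes, [hashtable]$P = $Policy)
    $t = @($FailureTimes | Sort-Object)
    for ($i = $P.MaxFailedAttempts - 1; $i -lt $t.Count; $i++) {
        $first = $t[$i - $P.MaxFailedAttempts + 1]
        if (($t[$i] - $first).TotalSeconds -le $P.FailedAttemptIntervalSec) {
            $unlock = if ($P.UnlockTimeSec -gt 0) { $t[$i].AddSeconds($P.UnlockTimeSec) } else { 'manual unlock by administrator' }
            return [pscustomobject]@{ Locked = $true; LockedAt = $t[$i]; UnlocksAt = $unlock }
        }
    }
    [pscustomobject]@{ Locked = $false; LockedAt = $null; UnlocksAt = $null }
}

# Constructed inputs: 'Sunnnyday1!' fails on the 'nnn' run; five failures in 90 s lock the account.
Test-PasswordAgainstPolicy -Password 'Sunnnyday1!' -PreviousPasswords @('Winter2015!')
$start = Get-Date '2016-01-01 10:00:00'
Test-LockoutTriggered -FailureTimes @($start, $start.AddSeconds(20), $start.AddSeconds(40), $start.AddSeconds(60), $start.AddSeconds(90))
```

The interval check matters for detection as well as for users: five failures spread over an hour never lock the account under the defaults, so a slow credential-guessing attempt against administrator@vsphere.local shows up in the SSO logs without ever tripping the lockout, which is a reason to alert on failed SSO logins and not only on lockouts.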

Token Policy - also interesting, as for example the Clock tolerance is the time difference, in milliseconds, that vCenter Single Sign-On tolerates between a client clock and the domain controller clock. If the time difference is greater than the specified value, vCenter Single Sign-On declares the token invalid.

http://www.vladan.fr/how-to-change-the-default-password-policies-in-vsphere-5-5/

Other configuration options:

- Maximum token renewal count - Maximum number of times that a token can be renewed. After the maximum number of renewal attempts, a new security token is required.
- Maximum token delegation count - Holder-of-key tokens can be delegated to services in the vSphere environment. A service that uses a delegated token performs the service on behalf of the principal that provided the token. A token request specifies a DelegateTo identity. The DelegateTo value can either be a solution token or a reference to a solution token. This value specifies how many times a single holder-of-key token can be delegated.
- Maximum bearer token lifetime - Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user or entity that is sending the request. This value specifies the lifetime of a bearer token before the token has to be reissued.
- Maximum holder-of-key token lifetime - Holder-of-key tokens provide authentication based on security artifacts that are embedded in the token. Holder-of-key tokens can be used for delegation. A client can obtain a holder-of-key token and delegate that token to another entity. The token contains the claims to identify the originator and the delegate. In the vSphere environment, a vCenter Server obtains delegated tokens on a user's behalf and uses those tokens to perform operations. This value determines the lifetime of a holder-of-key token before the token is marked invalid.

IDENTIFY AVAILABLE AUTHENTICATION METHODS WITH VMWARE VCENTER

We already saw this at the beginning of the post. The possible identity sources can be found via the Web Client > Administration > Single Sign-On > Configuration > Identity Sources

And we can see that there are four of them:

- AD integrated (preferred)
- Active Directory LDAP
- Open LDAP
- Local OS

Yep, you'll obviously use the Local OS option only if you don't want to interconnect with your AD (for security reasons or isolation purposes).

Check how-tos, news, videos and tutorials at my vSphere 6 page too, or check the Free VMware tools page.

Tools to get the knowledge and further reading:

- vSphere Installation and Setup Guide
- vSphere Security Guide
- What's New in the VMware vSphere® 6.0 Platform
- VMware vCenter Server™ 6.0 Deployment Guide
- Direct Console User Interface (DCUI)
- vSphere Client / vSphere Web Client

VCP6-DCV OBJECTIVE 2.1 - CONFIGURE ADVANCED POLICIES/FEATURES AND VERIFY NETWORK VIRTUALIZATION IMPLEMENTATION

Today's VCP6-DCV topic, Objective 2.1: Configure Advanced Policies/Features and Verify Network Virtualization Implementation, is the core of virtualization networking. Together with 2 other chapters it covers all of vSphere 6 networking.

http://www.vladan.fr/vsphere-6-0/
http://www.vladan.fr/free-tools-vmware/
http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-installation-setup-guide.pdf
http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-security-guide.pdf
http://www.vmware.com/files/pdf/vsphere/VMware-vSphere-Platform-Whats-New.pdf
http://www.vmware.com/files/pdf/techpaper/vmware-vcenter-server6-deployment-guide.pdf

You can follow the VCP6-DCV study guide being built through my VCP6-DCV page. When finished, there will be a PDF version which will get proper formatting for a better reading experience. We're more than half way through right now, and the work continues. Let's kick on with this chapter!

vSphere Knowledge

- Identify vSphere Distributed Switch (vDS) capabilities
- Create/Delete a vSphere Distributed Switch
- Add/Remove ESXi hosts from a vSphere Distributed Switch
- Add/Configure/Remove dvPort groups
- Add/Remove uplink adapters to dvUplink groups
- Configure vSphere Distributed Switch general and dvPort group settings
- Create/Configure/Remove virtual adapters
- Migrate virtual machines to/from a vSphere Distributed Switch
- Configure LACP on Uplink portgroups
- Describe vDS Security Policies/Settings
- Configure dvPort group blocking policies
- Configure load balancing and failover policies
- Configure VLAN/PVLAN settings
- Configure traffic shaping policies
- Enable TCP Segmentation Offload support for a virtual machine
- Enable Jumbo Frames support on appropriate components
- Determine appropriate VLAN configuration for a vSphere implementation

IDENTIFY VSPHERE DISTRIBUTED SWITCH (VDS) CAPABILITIES

VMware vSphere Distributed Switch (vDS) is now in version 6 and packs in more features than the previous release of the vDS. If you're upgrading, you should upgrade the vDS to version 6.0 as well to benefit from the latest features.

The vDS separates the data plane from the management plane. The data plane resides on the ESXi host, while the management plane moves to vCenter Server. The data plane is called the host proxy switch.

- NetFlow Support - NetFlow is used for troubleshooting; it picks a configurable number of samples of network traffic for monitoring.
- PVLAN Support - PVLANs get more out of VLANs (which are limited in number), and you can use these PVLANs to further segregate your traffic and increase security. (Note: Enterprise Plus licensing required! Check my detailed post on PVLANs here.)
- Ingress and egress traffic shaping - Inbound/outbound traffic shaping, which allows you to throttle bandwidth to the switch.
- VM Port Blocking - can block VM ports in case of viruses or for troubleshooting...
- Load Based Teaming - LBT is an additional load balancing method that works off the amount of traffic a queue is sending.
- Central Management across the cluster - with the vDS you create the config once and push it to all attached hosts... so you don't have to go to each host one by one...
- Per Port Policy Settings - It's possible to override policies at the port level, which gives you more control.
- Port State Monitoring - This feature allows each port to be monitored separately from other ports.
- LLDP - Adds support for Link Layer Discovery Protocol.
- Network I/O Control - the possibility to set priority on port groups and reserve bandwidth for VMs connected to the port group. Check the detailed chapter on NIOC here: Objective 2.2: Configure Network I/O Control (NIOC)
- LACP Support - LACP (Link Aggregation Control Protocol) is the ability to aggregate links together into a single link (your physical switch must support it!).
- Backup/Restore Network config - It's possible to backup/restore the network config at the vDS level (Not new! It's been here since 5.1! - save and restore network config...)
- Port Mirroring - Allows monitoring and can send all traffic from one port to another.
- Stats stay at the VM level - statistics move with the VM even after vMotion.

http://www.vladan.fr/vcp6-dcv/
http://www.vladan.fr/private-vlans-vmware-vsphere/
http://www.vladan.fr/vcp6-dcv-objective-2-2-configure-network-io-control-nioc/
http://www.vladan.fr/vmware-vsphere-5-1-networking-backup-and-restore/

CREATE/DELETE A VSPHERE DISTRIBUTED SWITCH

Create a vSphere vDS - Networking Guide on p. 27. vSphere Web Client > Networking > Right click datacenter > Distributed Switch > New Distributed Switch

Put a name and then select the version...

Select how many uplinks, specify if you want to enable Network I/O Control and rename the default port group (not mandatory)...

http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdf

ADD/REMOVE ESXI HOSTS FROM A VSPHERE DISTRIBUTED SWITCH

You can add/remove ESXi hosts to/from the vDS to manage their networking (or not) from a central location. The good thing is that you can analyse the impact before breaking connectivity, so you're able to see the impact. The impact can be as follows:

- No Impact
- Important Impact
- Critical Impact

Next...

ADD/CONFIGURE/REMOVE DVPORT GROUPS

Right click on the vDS > New Distributed Port Group.

To remove a port group. Simple. Right click on the port group > Delete...

ADD/REMOVE UPLINK ADAPTERS TO DVUPLINK GROUPS

Again, right click is your friend... -:)

If you want to add/remove (increase or decrease) the number of uplinks you can do so by going to the properties of the vDS.

Right click on the vDS > Edit Settings

And on the next screen you can do that... Note that at the same time you can give different names to your uplinks...

CONFIGURE VSPHERE DISTRIBUTED SWITCH GENERAL AND DVPORT GROUP SETTINGS

General properties of the vDS can be reached via Right click on the vDS > Settings > Edit Settings

Port binding properties (at the dvPortGroup level - Right click port group > Edit Settings):

- Static binding - Assigns a port to a VM when the virtual machine is connected to the port group.
- Dynamic binding - it's kind of deprecated. For best performance use static binding.
- Ephemeral - no binding.

Port allocation:

- Elastic - Increases or decreases on the fly..... 8 at the beginning (default). Increases by 8 when needed.
- Fixed - 128 by default.

CREATE/CONFIGURE/REMOVE VIRTUAL ADAPTERS

VMkernel adapters can be added/removed at the Networking level:

vSphere Web Client > Hosts and Clusters > Select Host > Manage > Networking > VMkernel adapters

Different VMkernel services, like:

- vMotion traffic
- Provisioning traffic
- Fault Tolerance (FT) traffic
- Management traffic
- vSphere Replication traffic
- vSphere Replication NFC traffic
- VSAN traffic

MIGRATE VIRTUAL MACHINES TO/FROM A VSPHERE DISTRIBUTED SWITCH

Migrate VMs to the vDS: Right click vDS > Migrate VM to Another Network

Make sure that you previously created a distributed port group with the same VLAN that the current VM is running on... (in my case the VMs run on VLAN 7)

Pick a VM...

Done!

CONFIGURE LACP ON UPLINK PORTGROUPS

LACP can be found in the Networking Guide on p. 65.

vSphere Web Client > Networking > vDS > Manage > Settings > LACP

Create Link Aggregation Groups (LAG)

http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdf

LAG Mode can be:

- Passive - the LAG ports respond to LACP packets they receive but do not initiate LACP negotiations.
- Active - the LAG ports are in active mode and initiate negotiations with the LACP port channel.

LAG load balancing mode (LNB mode):

- Source and destination IP address, TCP/UDP port and VLAN
- Source and destination IP address and VLAN
- Source and destination MAC address
- Source and destination TCP/UDP port
- Source port ID
- VLAN

Note that you must configure the LNB hashing the same way on both the virtual and the physical switch, at the LACP port channel level.

Migrate Network Traffic to Link Aggregation Groups (LAG)

DESCRIBE VDS SECURITY POLICIES/SETTINGS

Note that those security policies also exist on standard switches.

There are 3 different network security policies:

- Promiscuous mode - Reject by default. If you set it to Accept, the guest OS will receive all traffic observed on the connected vSwitch or port group.
- MAC address changes - Reject by default. If you set it to Accept, the host accepts requests to change the effective MAC address to a different address than the initial MAC address.
- Forged transmits - Reject by default. If you set it to Accept, the host does not compare the source and effective MAC addresses of frames transmitted from a virtual machine.

Network security policies can be set on each vDS port group.
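Because these three settings default to Reject, the useful check is the list of port groups where any of them has been switched to Accept. The script below is an added example written for this guide, not the guide's own code: it audits every distributed and standard port group (the standard ones per host, since the policy may be inherited from the vSwitch) and provides a second function that resets the flagged ones to Reject once the list has been reviewed. It assumes an existing Connect-VIServer session.

```powershell
# Added example, not from the study guide. Assumes an active Connect-VIServer session.
Import-Module VMware.VimAutomation.Core, VMware.VimAutomation.Vds

function Get-PortGroupSecurityFindings {
    # Distributed port groups: Get-VDSecurityPolicy returns $true for Accept.
    $dv = foreach ($pg in Get-VDPortgroup) {
        $pol = $pg | Get-VDSecurityPolicy
        [pscustomobject]@{
            Type             = 'Distributed'
            Location         = $pg.VDSwitch.Name
            PortGroup        = $pg.Name
            AllowPromiscuous = $pol.AllowPromiscuous
            MacChanges       = $pol.MacChanges
            ForgedTransmits  = $pol.ForgedTransmits
            Policy           = $pol
        }
    }
    # Standard switch port groups, one per host (settings may be inherited from the vSwitch).
    $std = foreach ($pg in Get-VirtualPortGroup -Standard) {
        $pol = $pg | Get-SecurityPolicy
        [pscustomobject]@{
            Type             = 'Standard'
            Location         = "$($pg.VirtualSwitch.VMHost.Name)/$($pg.VirtualSwitchName)"
            PortGroup        = $pg.Name
            AllowPromiscuous = $pol.AllowPromiscuous
            MacChanges       = $pol.MacChanges
            ForgedTransmits  = $pol.ForgedTransmits
            Policy           = $pol
        }
    }
    # Anything $true is a deviation from the default Reject.
    @($dv) + @($std) | Where-Object { $_.AllowPromiscuous -or $_.MacChanges -or $_.ForgedTransmits }
}

function Reset-PortGroupSecurityToReject {
    # Run only after reviewing the findings: nested ESXi labs, network sensors
    # and clustered services that move MAC addresses need Accept on purpose.
    param([Parameter(ValueFromPipeline = $true)]$Finding)
    process {
        if ($Finding.Type -eq 'Distributed') {
            $Finding.Policy | Set-VDSecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false
        } else {
            $Finding.Policy | Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false
        }
    }
}

$findings = Get-PortGroupSecurityFindings
$findings | Select-Object Type, Location, PortGroup, AllowPromiscuous, MacChanges, ForgedTransmits | Format-Table -AutoSize
# $findings | Reset-PortGroupSecurityToReject   # uncomment after review
```

Keep the report from each run: a port group that newly shows Promiscuous mode or Forged transmits as Accept without a change ticket behind it is worth investigating, since those two settings are what let a VM see or spoof traffic it should not.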

CONFIGURE DVPORT GROUP BLOCKING POLICIES

Port blocking can be enabled on a port group to block all ports on the port group, or you can block an individual port or uplink at the vDS level...

vSphere Web Client > Networking > vDS > Manage > Ports

Then select the port > Edit Settings > Miscellaneous > Override check box > set Block port to Yes.

CONFIGURE LOAD BALANCING AND FAILOVER POLICIES

Load balancing algorithms can be found in the Networking Guide on p. 91.

vDS load balancing (LNB):

- Route based on IP hash - The virtual switch selects uplinks for virtual machines based on the source and destination IP address of each packet.
- Route based on source MAC hash - The virtual switch selects an uplink for a virtual machine based on the virtual machine MAC address. To calculate an uplink for a virtual machine, the virtual switch uses the virtual machine MAC address and the number of uplinks in the NIC team.
- Route based on originating virtual port - Each virtual machine running on an ESXi host has an associated virtual port ID on the virtual switch. To calculate an uplink for a virtual machine, the virtual switch uses the virtual machine port ID and the number of uplinks in the NIC team. After the virtual switch selects an uplink for a virtual machine, it always forwards traffic through the same uplink for this virtual machine as long as the machine runs on the same port. The virtual switch calculates uplinks for virtual machines only once, unless uplinks are added to or removed from the NIC team.
- Use explicit failover order - No actual load balancing is available with this policy. The virtual switch always uses the uplink that stands first in the list of Active adapters from the failover order and that passes the failover detection criteria. If no uplinks in the Active list are available, the virtual switch uses the uplinks from the Standby list.
- Route based on physical NIC load (only available on the vDS) - based on Route Based on Originating Virtual Port, where the virtual switch checks the actual load of the uplinks and takes steps to reduce it on overloaded uplinks. Available only for the vSphere Distributed Switch. The distributed switch calculates uplinks for virtual machines by taking their port ID and the number of uplinks in the NIC team. The distributed switch tests the uplinks every 30 seconds, and if their load exceeds 75 percent of usage, the port ID of the virtual machine with the highest I/O is moved to a different uplink.

Virtual switch failover order:

- Active uplinks
- Standby uplinks
- Unused uplinks
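A report of the teaming and failover settings above for every distributed port group, as an added example written for this guide (not the guide's own code): it flags the combinations a reviewer would look at, namely IP hash (which only works with a matching port channel on the physical switch), explicit failover with no standby adapter, and port groups with a single usable uplink, and then shows how to move one port group to Route based on physical NIC load with an active/standby order. The port group and uplink names are constructed; the script assumes an existing Connect-VIServer session.

```powershell
# Added example, not from the study guide. Assumes an active Connect-VIServer
# session; 'dvPG-VLAN7' and the uplink names are constructed for the example.
Import-Module VMware.VimAutomation.Vds

function Get-TeamingReport {
    foreach ($pg in Get-VDPortgroup) {
        $t = $pg | Get-VDUplinkTeamingPolicy
        $active  = @($t.ActiveUplinkPort)
        $standby = @($t.StandbyUplinkPort)
        $notes = @()
        if ($t.LoadBalancingPolicy -eq 'LoadBalanceIP') {
            $notes += 'IP hash: physical switch needs a matching port channel'
        }
        if ($active.Count + $standby.Count -lt 2) {
            $notes += 'no uplink redundancy'
        }
        if ($t.LoadBalancingPolicy -eq 'ExplicitFailover' -and $standby.Count -eq 0) {
            $notes += 'explicit failover without a standby adapter'
        }
        [pscustomobject]@{
            PortGroup     = $pg.Name
            LoadBalancing = $t.LoadBalancingPolicy
            Active        = ($active -join ',')
            Standby       = ($standby -join ',')
            Unused        = (@($t.UnusedUplinkPort) -join ',')
            Failback      = $t.EnableFailback
            Notes         = ($notes -join '; ')
        }
    }
}

Get-TeamingReport | Format-Table -AutoSize

# Move one port group to Route based on physical NIC load (LBT), two active
# uplinks and one standby. Uplink names are those of the vDS uplink port group.
Get-VDPortgroup -Name 'dvPG-VLAN7' | Get-VDUplinkTeamingPolicy |
    Set-VDUplinkTeamingPolicy -LoadBalancingPolicy LoadBalanceLoadBased `
        -ActiveUplinkPort 'Uplink 1', 'Uplink 2' -StandbyUplinkPort 'Uplink 3' | Out-Null
```

The Notes column is the part to read: an IP hash port group without the port channel on the physical side, or a port group whose only uplink is also the host's management path, is exactly the situation the "analyse impact" step earlier in this chapter is meant to catch before a host is added to the switch.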

http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdf

CONFIGURE VLAN/PVLAN SETTINGS

Private VLANs allow further segmentation and the creation of private groups inside each VLAN. By using private VLANs (PVLANs) you split the broadcast domain into multiple isolated broadcast "subdomains".

Private VLANs need to be configured at the physical switch level (the switch must support PVLANs) and also on the VMware vSphere Distributed Switch (Enterprise Plus is required). It's more expensive and takes a bit more work to set up.

THERE ARE DIFFERENT TYPES OF PVLANS:

PRIMARY

- Promiscuous Primary VLAN - Imagine this VLAN as a kind of router. All packets from the secondary VLANs go through this VLAN. Packets also go downstream, so this type of VLAN is used to forward packets downstream to all secondary VLANs.

SECONDARY

- Isolated (Secondary) - VMs can communicate with other devices on the Promiscuous VLAN but not with other VMs on the Isolated VLAN.
- Community (Secondary) - VMs can communicate with other VMs on the Promiscuous VLAN and also with those on the same Community VLAN.

The graphics shows it all...

CONFIGURE TRAFFIC SHAPING POLICIES

Networking Guide p. 105

vDS supports both ingress and egress traffic shaping.

http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdf

  • 8/19/2019 VCP6 DCV Study Guide ESX Virtualization

    40/211

     

    39

Traffic shaping policy is applied to each port in the port group. You can enable or disable ingress and egress traffic shaping independently and set three parameters:

• Average bandwidth in kbits (Kb) per second - Establishes the number of bits per second to allow across a port, averaged over time. This number is the allowed average load.
• Peak bandwidth in kbits (Kb) per second - Maximum number of bits per second to allow across a port when it is sending or receiving a burst of traffic. This number limits the bandwidth that a port uses when it is using its burst bonus.
• Burst size in kbytes (KB) - Maximum number of bytes to allow in a burst. If set, a port might gain a burst bonus if it does not use all its allocated bandwidth. When the port needs more bandwidth than specified by the average bandwidth, it might be allowed to temporarily transmit data at a higher speed if a burst bonus is available.
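The three parameters above map directly onto PowerCLI, with one catch worth checking: the Web Client shows kbit/s and KB, while Set-VDTrafficShapingPolicy takes bits per second and bytes. The following is an added example, not code from the study guide; it assumes an existing Connect-VIServer session, a placeholder port group named dvPG-Backup, and the conversion factors 1 kbit = 1000 bits and 1 KB = 1024 bytes.

```powershell
# Added example (not from the study guide). Assumes Connect-VIServer has been run.
# Conversion assumptions: UI kbit/s -> cmdlet bits/s (x1000), UI KB -> cmdlet bytes (x1024).

function Set-PortgroupShaping {
    param(
        [Parameter(Mandatory)]$VDPortgroup,
        [Parameter(Mandatory)][long]$AverageKbps,   # Web Client: Average bandwidth (kbit/s)
        [Parameter(Mandatory)][long]$PeakKbps,      # Web Client: Peak bandwidth (kbit/s)
        [Parameter(Mandatory)][long]$BurstKB        # Web Client: Burst size (KB)
    )
    # Peak is the ceiling while the burst bonus is being spent, so it cannot sit below the average.
    if ($PeakKbps -lt $AverageKbps) { throw 'Peak bandwidth must be greater than or equal to average bandwidth' }

    # A vDS shapes both directions; a standard switch only shapes outbound traffic.
    foreach ($direction in 'In', 'Out') {
        Get-VDTrafficShapingPolicy -VDPortgroup $VDPortgroup -Direction $direction |
            Set-VDTrafficShapingPolicy -Enabled $true `
                -AverageBandwidth ($AverageKbps * 1000) `
                -PeakBandwidth    ($PeakKbps * 1000) `
                -BurstSize        ($BurstKB * 1024) | Out-Null
    }
}

function Get-PortgroupShaping {
    param([Parameter(Mandatory)]$VDPortgroup)
    # Read both policies back in the units the Web Client displays, to confirm what was applied.
    foreach ($direction in 'In', 'Out') {
        $p = Get-VDTrafficShapingPolicy -VDPortgroup $VDPortgroup -Direction $direction
        [pscustomobject]@{
            Portgroup   = $VDPortgroup.Name
            Direction   = $direction
            Enabled     = $p.Enabled
            AverageKbps = $p.AverageBandwidth / 1000
            PeakKbps    = $p.PeakBandwidth / 1000
            BurstKB     = $p.BurstSize / 1024
        }
    }
}

# Placeholder port group carrying backup traffic: 100 Mbit/s average, 200 Mbit/s peak, 50 MB burst,
# so a backup window cannot starve the other port groups sharing the same uplinks.
$pg = Get-VDPortgroup -Name 'dvPG-Backup'
Set-PortgroupShaping -VDPortgroup $pg -AverageKbps 100000 -PeakKbps 200000 -BurstKB 51200
Get-PortgroupShaping -VDPortgroup $pg | Format-Table -AutoSize
```

Run the Get function on its own first to record the current state; shaping is applied per port of the port group, so a misplaced zero in the average value throttles every VM attached to it.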

ENABLE TCP SEGMENTATION OFFLOAD SUPPORT FOR A VIRTUAL MACHINE

Use TCP Segmentation Offload (TSO) in VMkernel network adapters and virtual machines to improve the network performance in workloads that have severe latency requirements.

When TSO is enabled, the network adapter divides larger data chunks into TCP segments instead of the CPU doing it. The VMkernel and the guest operating system can then use more CPU cycles to run applications.

By default, TSO is enabled in the VMkernel of the ESXi host, and in the VMXNET 2 and VMXNET 3 virtual machine adapters.

ENABLE JUMBO FRAMES SUPPORT ON APPROPRIATE COMPONENTS

There are many places where you can enable jumbo frames, and you should enable them end-to-end. If not, the performance will not increase but rather the opposite. Jumbo frames can be enabled on a vSwitch, vDS, and VMkernel adapter.

Jumbo frames maximum value = 9000.
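End-to-end means the VMkernel adapter, the virtual switch, the physical switch ports and the peer all agree on 9000, and the only reliable check is a do-not-fragment ping sized to fill the frame. The following added example (not code from the study guide) applies the MTU with PowerCLI and runs that check through esxcli, and also reads the host-level TSO setting from the previous section. It assumes an existing Connect-VIServer session; dvSwitch-Prod, esx01, vmk1 and the peer address 10.10.10.2 are placeholders.

```powershell
# Added example (not from the study guide). Assumes Connect-VIServer has been run;
# switch, host, vmkernel and peer values below are placeholders.

function Set-JumboFrames {
    param(
        [Parameter(Mandatory)]$VDSwitch,
        [Parameter(Mandatory)]$VMHost,
        [Parameter(Mandatory)][string]$VmkName,   # e.g. vmk1 used for iSCSI/NFS/vMotion
        [ValidateRange(1500, 9000)][int]$Mtu = 9000
    )
    # Switch first: a VMkernel adapter cannot carry an MTU larger than its switch.
    Set-VDSwitch -VDSwitch $VDSwitch -Mtu $Mtu -Confirm:$false | Out-Null
    Get-VMHostNetworkAdapter -VMHost $VMHost -Name $VmkName |
        Set-VMHostNetworkAdapter -Mtu $Mtu -Confirm:$false | Out-Null
}

function Test-JumboPath {
    param(
        [Parameter(Mandatory)]$VMHost,
        [Parameter(Mandatory)][string]$VmkName,
        [Parameter(Mandatory)][string]$PeerIP
    )
    # 8972 bytes of ICMP payload + 8 bytes ICMP header + 20 bytes IPv4 header = 9000 bytes.
    # With DF set, any hop whose MTU is still 1500 drops the packet instead of fragmenting it.
    $esxcli = Get-EsxCli -VMHost $VMHost -V2
    $pingArgs = $esxcli.network.diag.ping.CreateArgs()
    $pingArgs.interface = $VmkName
    $pingArgs.host      = $PeerIP
    $pingArgs.size      = 8972
    $pingArgs.df        = $true
    $pingArgs.count     = 3
    $result = $esxcli.network.diag.ping.Invoke($pingArgs)
    [pscustomobject]@{
        Host        = $VMHost.Name
        Interface   = $VmkName
        Peer        = $PeerIP
        Transmitted = $result.Summary.Transmitted
        Lost        = $result.Summary.PacketLost
        JumboOK     = ($result.Summary.Transmitted -gt 0 -and $result.Summary.PacketLost -eq 0)
    }
}

function Get-TsoState {
    param([Parameter(Mandatory)]$VMHost)
    # Host-level TSO switch (1 = enabled, the default). Guest TSO depends on the vmxnet2/vmxnet3 adapter.
    (Get-AdvancedSetting -Entity $VMHost -Name 'Net.UseHwTSO').Value
}

$vds = Get-VDSwitch -Name 'dvSwitch-Prod'
$esx = Get-VMHost -Name 'esx01'
Set-JumboFrames -VDSwitch $vds -VMHost $esx -VmkName 'vmk1'
Test-JumboPath  -VMHost $esx -VmkName 'vmk1' -PeerIP '10.10.10.2' | Format-List
"TSO on $($esx.Name): $(Get-TsoState -VMHost $esx)"
```

A ping that succeeds without -d (or with a 1472-byte payload) but loses every packet at 8972 with DF set points at the one component still on 1500, usually the physical switch port or the peer, which is exactly the partial configuration the text warns about.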

DETERMINE APPROPRIATE VLAN CONFIGURATION FOR A VSPHERE IMPLEMENTATION

There are three main places, or three different ways, to tag frames in vSphere:

• External Switch Tagging (EST) - VLAN ID is set to None or 0 and it is the physical switch that does the VLAN tagging.
• Virtual Switch Tagging (VST) - VLAN ID is set between 1 and 4094 and the virtual switch does the VLAN tagging.
• Virtual Guest Tagging (VGT) - the tagging happens in the guest OS. VLAN ID is set to 4095 (vSwitch) or VLAN trunking is used on the vDS.

The best way to understand this is, I guess, the VMware document called Best Practices for Virtual Networking, from which I also "borrowed" this screenshot...

Networking is a big chapter. If I missed something, just comment or email me your suggestion. Thanks...
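The following added example (not code from the study guide) sets the three tagging modes above and the PVLAN map from the Configure VLAN/PVLAN section with PowerCLI, then classifies every port group on the switch by tagging mode. VGT port groups deserve the review: a guest on one of them can tag into any VLAN the trunk carries, so the trunk range should be the narrowest set that guest needs. It assumes an existing Connect-VIServer session; switch and port group names and the VLAN numbers are placeholders, and the -PrivateVlan parameter of Set-VDVlanConfiguration taking a Get-VDSwitchPrivateVlan object is an assumption to verify against your PowerCLI version.

```powershell
# Added example (not from the study guide). Assumes Connect-VIServer has been run;
# switch and port group names and VLAN numbers are placeholders.

$vds = Get-VDSwitch -Name 'dvSwitch-Prod'

# EST: no VLAN on the port group, the physical access port adds the tag.
Get-VDPortgroup -VDSwitch $vds -Name 'dvPG-EST' | Set-VDVlanConfiguration -DisableVlan | Out-Null

# VST: the vDS tags with VLAN 20; the uplinks are trunk ports on the physical switch.
Get-VDPortgroup -VDSwitch $vds -Name 'dvPG-App-VLAN20' | Set-VDVlanConfiguration -VlanId 20 | Out-Null

# VGT: the guest tags. Trunk only the range the guest is meant to see rather than 1-4094.
Get-VDPortgroup -VDSwitch $vds -Name 'dvPG-FW-Trunk' | Set-VDVlanConfiguration -VlanTrunkRange '100-110' | Out-Null
# On a standard switch the VGT equivalent is VLAN ID 4095:
#   Get-VirtualPortGroup -VMHost $esx -Name 'VGT-Trunk' | Set-VirtualPortGroup -VLanId 4095

# PVLAN map: primary 200 (the promiscuous entry maps to itself), isolated 201, community 202.
New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 200 -PrivateVlanType Promiscuous -SecondaryVlanId 200 | Out-Null
New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 200 -PrivateVlanType Isolated    -SecondaryVlanId 201 | Out-Null
New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 200 -PrivateVlanType Community   -SecondaryVlanId 202 | Out-Null
$isolated = Get-VDSwitchPrivateVlan -VDSwitch $vds -SecondaryVlanId 201
# Assumption: -PrivateVlan accepts the VDSwitchPrivateVlan object returned above.
Get-VDPortgroup -VDSwitch $vds -Name 'dvPG-DMZ-Isolated' | Set-VDVlanConfiguration -PrivateVlan $isolated | Out-Null

function Get-VlanTaggingMode {
    # Classifies every non-uplink port group on the switch from its default port VLAN spec.
    param([Parameter(Mandatory)]$VDSwitch)
    foreach ($pg in Get-VDPortgroup -VDSwitch $VDSwitch | Where-Object { -not $_.IsUplink }) {
        $vlan = $pg.ExtensionData.Config.DefaultPortConfig.Vlan
        switch ($vlan.GetType().Name) {
            'VmwareDistributedVirtualSwitchTrunkVlanSpec' {
                $mode   = 'VGT'
                $detail = ($vlan.VlanId | ForEach-Object { "$($_.Start)-$($_.End)" }) -join ','
            }
            'VmwareDistributedVirtualSwitchPvlanSpec' {
                $mode   = 'PVLAN'
                $detail = "secondary $($vlan.PvlanId)"
            }
            default {
                # VmwareDistributedVirtualSwitchVlanIdSpec: VLAN 0 means the vDS adds no tag (EST).
                $mode   = if ($vlan.VlanId -eq 0) { 'EST' } else { 'VST' }
                $detail = "VLAN $($vlan.VlanId)"
            }
        }
        [pscustomobject]@{ Portgroup = $pg.Name; Mode = $mode; Detail = $detail }
    }
}

# Review list: every VGT entry should be a known trunk consumer (firewall, router VM, nested lab).
Get-VlanTaggingMode -VDSwitch $vds | Sort-Object Mode | Format-Table -AutoSize
```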

vSphere documentation tools

• vSphere Installation and Setup Guide - http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-installation-setup-guide.pdf
• vSphere Networking Guide - http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdf
• What’s New in the VMware vSphere® 6.0 Platform - http://www.vmware.com/files/pdf/vsphere/VMware-vSphere-Platform-Whats-New.pdf
• Leveraging NIC Technology to Improve Network Performance in VMware vSphere - http://www.vmware.com/files/pdf/VMware-vSphere-PNICs-perf.pdf
• VDS Network Health Check
• vSphere Client / vSphere Web Client

VCP6-DCV OBJECTIVE 2.2 - CONFIGURE NETWORK I/O CONTROL (NIOC)

VCP6-DCV study time... In no particular order I start covering the VCP6-DCV sections of the VMware blueprint to help out folks learning towards the VCP6-DCV VMware certification exam. Due to the VMware recertification policy the VCP exam now has an expiration date. You can renew by passing the delta exam while still holding a current VCP, or by passing a VCAP. If you're new to virtualization and do not have any VMware certification, the VCP is the exam to have. Today's topic? VCP6-DCV Objective 2.2 - Configure Network I/O Control (NIOC).

For whole exam coverage I created a dedicated VCP6-DCV page. If you just look for some how-tos, news, or videos about vSphere 6, check out my vSphere 6 page. vSphere 6 grew quite big compared to the vSphere 5.5 release, but simplified the deployment and management. "White boxing" got more complicated as drivers for unsupported hardware do not always work. The vSphere Web Client is more present and used in this release, as the legacy C# client does not allow configuring advanced options and functions like SSO, FT, VSAN. Let's get started.

vSphere Knowledge

• Identify Network I/O Control requirements
• Identify Network I/O Control capabilities
• Enable/Disable Network I/O Control
• Monitor Network I/O Control

IDENTIFY NETWORK I/O CONTROL REQUIREMENTS

What is Network I/O Control? It's a mechanism which allows prioritizing certain data flows on a distributed switch over others. It allows allocating more network bandwidth to business-critical applications/VMs where those have to "fight" for bandwidth (similar to SIOC for storage).

THE REQUIREMENTS:

• Licensing - Enterprise Plus license required because it uses the vSphere Distributed Switch.
• VDS only - Network I/O Control can be enabled only on a VDS.
• Network I/O Control v3 is possible only on VDS 6.0.
• SR-IOV is not available for virtual machines configured to use Network I/O Control version 3.

IDENTIFY NETWORK I/O CONTROL CAPABILITIES

When enabled, NIOC divides the traffic into resource pools. Bandwidth reservations can be used to isolate network resources for a class of traffic; for example, in a VSAN cluster you'd want to reserve part of the bandwidth only for VSAN traffic no matter what happens to the other traffic.

ENABLE/DISABLE NETWORK I/O CONTROL

Where to enable? In vSphere 6, when creating a new VDS it gets enabled by default.

vSphere Web Client > Networking > vDS > Manage > Resource Allocation > System traffic

Note: If you have a previous version of vSphere and you upgraded, then you might see the previous version of NIOC (version 2) and so there is no "System traffic" menu. Make sure that you upgrade your VDS to v6.0.


So in our case we can see the menu System traffic... The traffic types are all set to 50 shares except the VM traffic. No reservations or limits are set by default.

• Management traffic
• VM traffic
• NFS traffic
• Virtual SAN traffic
• iSCSI
• vMotion
• vSphere Replication (VR)
• Fault Tolerance (FT)
• vSphere Data Protection (VDP) backup traffic

Shares and reservations at their default state. No limits or reservations.

BANDWIDTH ALLOCATION FOR VIRTUAL MACHINE TRAFFIC

Version 3 of Network I/O Control lets you configure bandwidth requirements for individual virtual machines. You can also use network resource pools where you can assign a bandwidth quota from the aggregated reservation for the virtual machine traffic and then allocate bandwidth from the pool to individual virtual machines.


Individual VMs can be configured according to bandwidth requirements through the VM options at the network adapter level...

Shares - The relative priority, from 1 to 100, of the traffic through this VM network adapter against the capacity of the physical adapter that is carrying the VM traffic to the network.

Reservation - The minimum bandwidth, in Mbps, that the VM network adapter must receive on the physical adapter.

Limit - The maximum bandwidth on the VM network adapter for traffic to other virtual machines on the same or on another host.

Enable/Disable Network I/O Control - at the vDS level...

To enable bandwidth allocation for virtual machines by using Network I/O Control, configure the virtual machine system traffic. The bandwidth reservation for virtual machine traffic is also used in admission control. When you power on a virtual machine, admission control verifies that enough bandwidth is available.


Check the following requirements:

• vSphere Distributed Switch is version 6.0.0 or later.
• Network I/O Control on the switch is version 3.
• Network I/O Control is enabled.

Network Resource Pools - You can create new network resource pools to reserve part of the aggregated bandwidth for VM system traffic on all the physical adapters connected to the VDS.

For example, if the virtual machine system traffic has 0.5 Gbps reserved on each 10 GbE uplink on a distributed switch that has 10 uplinks, then the total aggregated bandwidth available for VM reservation on this switch is 5 Gbps. Each network resource pool can reserve a quota of this 5 Gbps capacity.

Example from vSphere Networking Guide p.167 (http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdf)

Create a network resource pool: Distributed switch > Manage > Resource allocation > Network resource pools > Add

Once you create a network resource pool you can add a distributed port group so you can allocate bandwidth to the VMs that are connected to that port group.

Monitor Network I/O Control

You can check and monitor Network I/O Control through the vSphere Web Client: Networking > vDS > Manage > Resource Allocation

Concerning the system traffic, it's possible to have a look at these metrics and details:


• Network I/O Control Status (state is Enabled/Disabled)
• NIOC Version
• Physical network adapter details
• Available bandwidth capacity
• Total bandwidth capacity
• Maximum reservation allowed
• Configured reservation
• Minimum link speed
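The requirements (vDS 6.0.0, NIOC version 3, NIOC enabled), the aggregated-reservation arithmetic from the p.167 example and the metrics listed above can all be pulled from the vSphere API with PowerCLI. The following added example (not code from the study guide) does that: PowerCLI 6 has no native NIOC cmdlets, so it works through ExtensionData. It assumes an existing Connect-VIServer session and the placeholder switch name dvSwitch-Prod.

```powershell
# Added example (not from the study guide). Assumes Connect-VIServer has been run;
# 'dvSwitch-Prod' is a placeholder. NIOC is reached through the vSphere API (ExtensionData).

function Enable-Nioc {
    param([Parameter(Mandatory)]$VDSwitch)
    if (-not $VDSwitch.ExtensionData.Config.NetworkResourceManagementEnabled) {
        $VDSwitch.ExtensionData.EnableNetworkResourceManagement($true)
        $VDSwitch.ExtensionData.UpdateViewData()    # refresh the cached config after the change
    }
}

function Get-NiocReport {
    param([Parameter(Mandatory)]$VDSwitch)
    $cfg = $VDSwitch.ExtensionData.Config

    # System traffic classes: shares, reservation (Mbps per physical adapter) and limit (Mbps, -1 = unlimited).
    $systemTraffic = foreach ($t in $cfg.InfrastructureTrafficResourceConfig) {
        [pscustomobject]@{
            Traffic         = $t.Key
            Shares          = $t.AllocationInfo.Shares.Shares
            ReservationMbps = $t.AllocationInfo.Reservation
            LimitMbps       = $t.AllocationInfo.Limit
        }
    }

    # Aggregated VM reservation = per-adapter VM reservation x physical adapters backing the switch
    # (the guide's example: 0.5 Gbps on each of 10 uplinks = 5 Gbps available to network resource pools).
    $pnics = @(Get-VMHost -DistributedSwitch $VDSwitch |
               Get-VMHostNetworkAdapter -DistributedSwitch $VDSwitch -Physical)
    $vmClass = $cfg.InfrastructureTrafficResourceConfig | Where-Object { $_.Key -eq 'virtualMachine' }
    $aggregateMbps = [int]$vmClass.AllocationInfo.Reservation * $pnics.Count

    # Bandwidth already promised to vNICs on this switch: what admission control compares at power-on.
    $pgNames = @(Get-VDPortgroup -VDSwitch $VDSwitch | Select-Object -ExpandProperty Name)
    $promised = (Get-VM | Get-NetworkAdapter |
        Where-Object { $pgNames -contains $_.NetworkName -and $_.ExtensionData.ResourceAllocation } |
        ForEach-Object { $_.ExtensionData.ResourceAllocation.Reservation } |
        Measure-Object -Sum).Sum

    [pscustomobject]@{
        Switch                     = $VDSwitch.Name
        SwitchVersion              = $VDSwitch.Version                   # NIOC v3 requires 6.0.0
        NiocEnabled                = $cfg.NetworkResourceManagementEnabled
        NiocVersion                = $cfg.NetworkResourceControlVersion  # 'version2' or 'version3'
        PhysicalAdapters           = $pnics.Count
        AggregateVmReservationMbps = $aggregateMbps
        VnicReservationsMbps       = [int]$promised
        SystemTraffic              = $systemTraffic
    }
}

$vds = Get-VDSwitch -Name 'dvSwitch-Prod'
Enable-Nioc -VDSwitch $vds
$report = Get-NiocReport -VDSwitch $vds
if ($report.NiocVersion -ne 'version3') {
    Write-Warning "$($vds.Name) runs NIOC $($report.NiocVersion); upgrade the vDS to 6.0.0 for System traffic and per-VM reservations"
}
$report | Format-List Switch, SwitchVersion, NiocEnabled, NiocVersion, PhysicalAdapters, AggregateVmReservationMbps, VnicReservationsMbps
$report.SystemTraffic | Format-Table -AutoSize
```

A switch still on version 2 returns no System traffic rows, which is the same symptom as the missing "System traffic" menu described in the Enable/Disable section. The difference between AggregateVmReservationMbps and VnicReservationsMbps is the headroom admission control has left for powering on further VMs with a reservation.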

Documentation and Tools

• vSphere Installation and Setup Guide - http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-installation-setup-guide.pdf
• vSphere Networking Guide - http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdf
• What’s New in the VMware vSphere® 6.0 Platform - http://www.vmware.com/files/pdf/vsphere/VMware-vSphere-Platform-Whats-New.pdf
• Performance Evaluation of Network I/O Control in VMware vSphere 6 - http://www.vmware.com/files/pdf/techpaper/Network-IOC-vSphere6-Performance-Evaluation.pdf
• vSphere Client / vSphere Web Client

VCP6-DCV OBJECTIVE 2.3 – CONFIGURE VSS AND VDS POLICIES

The VCP6-DCV study guide continues today by covering VCP6-DCV Objective 2.3 - Configure vSS and vDS Policies. vSphere networking is one of the tough parts to know and this is where many IT admins have difficulties. This chapter works hand in hand with VCP6-DCV Objective 2.1 – Configure Advanced Policies/Features and Verify Network Virtualization Implementation.

You can also check the vSphere 6 page where you'll find many how-tos, videos, and tutorials about vSphere 6. Let's get back to today's objective.

vSphere Knowledge

• Identify common vSS and vDS policies
• Describe vDS Security Policies/Settings
• Configure dvPort group blocking policies
• Configure load balancing and failover policies
• Configure VLAN/PVLAN settings
• Configure traffic shaping policies
• Enable TCP Segmentation Offload support for a virtual machine
• Enable Jumbo Frames support on appropriate components
• Determine appropriate VLAN configuration for a vSphere implementation

IDENTIFY COMMON VSS AND VDS POLICIES

Since vSphere 4 we have had vSphere distributed switches. But let's start with virtual standard switches first.

The virtual standard switches (vSS) can have the following policies and settings:

• Traffic shaping (outbound only)
• VLANs (None, VLAN ID, All) - configured at the port group level
• MTU
• Teaming and failover
• Security

If you set the VLAN policy to 4095 (All), it allows you to pass all VLANs, and the tagging is done at the guest OS level.

vSphere distributed switches (vDS) policies and settings:

• Traffic filtering and marking
• MTU
• VLANs (None, VLAN ID, VLAN trunking, PVLANs)
• Monitoring (NetFlow)
• Security
• Traffic shaping - inbound and outbound (ingress/egress)
• LACP
• Port mirroring
• Health check for VLAN and MTU, teaming and failover - allows checking the status of the overall config.
• Teaming and failover, like on vSS switches.

DESCRIBE VDS SECURITY POLICIES/SETTINGS

There are three network security policies on a vDS: promiscuous mode, MAC address changes and forged transmits.

• Promiscuous Mode - The default setting is Reject for both (vSS and vDS). If you change it to Accept, then the guest OS can receive all traffic which passes through the vSwitch or port group.
• MAC address changes - The default setting is Reject for vDS but Accept on vSS. If set to Accept, then the host accepts requests to change the effective MAC address to a different one than the original.
• Forged transmits - The default setting is Reject for vDS but Accept on vSS. If set to Accept, the host does not compare the source and effective MAC addresses of frames transmitted from a VM.

Each setting can be set to Accept or Reject, and it can be done at the virtual switch level or at the port group level. More granular is obviously the port group level.
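Because the vSS defaults for MAC address changes and forged transmits are Accept, a freshly created standard switch already lets a guest send frames with a source MAC that is not its own, and promiscuous mode set to Accept lets one VM read every frame on the port group. The following added example (not code from the study guide) reports the effective setting of all three policies for every standard and distributed port group, flags Accept, and can reset the non-compliant ones to Reject while honouring an allow-list of port groups that legitimately need Accept (a nested hypervisor lab, for instance). It assumes an existing Connect-VIServer session; the allow-list name dvPG-NestedLab is a placeholder.

```powershell
# Added example (not from the study guide). Assumes Connect-VIServer has been run.
# Port groups named in $Allowed are reported but never changed ('dvPG-NestedLab' is a placeholder).

function New-PolicyFinding {
    param([string]$Switch, [string]$Portgroup, [bool]$Promiscuous, [bool]$MacChanges, [bool]$ForgedTransmits, [bool]$Allowed)
    [pscustomobject]@{
        Switch          = $Switch
        Portgroup       = $Portgroup
        Promiscuous     = if ($Promiscuous)     { 'Accept' } else { 'Reject' }
        MacChanges      = if ($MacChanges)      { 'Accept' } else { 'Reject' }
        ForgedTransmits = if ($ForgedTransmits) { 'Accept' } else { 'Reject' }
        Compliant       = $Allowed -or -not ($Promiscuous -or $MacChanges -or $ForgedTransmits)
    }
}

function Get-SecurityPolicyFindings {
    param([string[]]$Allowed = @(), [switch]$Remediate)

    # Standard switches: MAC changes and forged transmits default to Accept, so expect findings here.
    foreach ($pg in Get-VirtualSwitch -Standard | Get-VirtualPortGroup) {
        $pol = Get-SecurityPolicy -VirtualPortGroup $pg
        $isAllowed = $Allowed -contains $pg.Name
        New-PolicyFinding -Switch $pg.VirtualSwitchName -Portgroup $pg.Name -Promiscuous $pol.AllowPromiscuous `
            -MacChanges $pol.MacChanges -ForgedTransmits $pol.ForgedTransmits -Allowed $isAllowed
        if ($Remediate -and -not $isAllowed -and ($pol.AllowPromiscuous -or $pol.MacChanges -or $pol.ForgedTransmits)) {
            $pol | Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
        }
    }

    # Distributed switches: all three default to Reject, so a finding here is a deliberate change to trace.
    foreach ($pg in Get-VDPortgroup | Where-Object { -not $_.IsUplink }) {
        $pol = Get-VDSecurityPolicy -VDPortgroup $pg
        $isAllowed = $Allowed -contains $pg.Name
        New-PolicyFinding -Switch $pg.VDSwitch.Name -Portgroup $pg.Name -Promiscuous $pol.AllowPromiscuous `
            -MacChanges $pol.MacChanges -ForgedTransmits $pol.ForgedTransmits -Allowed $isAllowed
        if ($Remediate -and -not $isAllowed -and ($pol.AllowPromiscuous -or $pol.MacChanges -or $pol.ForgedTransmits)) {
            $pol | Set-VDSecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
        }
    }
}

# Report first; re-run with -Remediate once the non-compliant list has been reviewed.
Get-SecurityPolicyFindings -Allowed 'dvPG-NestedLab' |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Port-group values override the switch value, so the audit reads policies at the port group level rather than the switch level; a switch set to Reject with one port group overriding to Accept is exactly the case that a switch-level check misses.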

CONFIGURE DVPORT GROUP BLOCKING POLICIES

Ports can be blocked to prohibit them from sending or receiving data. Only available for distributed switches.

The port blocking policy is done at the port group level: vSphere Web Client > Networking > Right click a port group > Edit settings. Then you get the Miscellaneous option.

You can also block an individual distributed switch or uplink port. It can be done by selecting the VDS > Manage > Ports > Select Port > Edit > check the box and select Yes.

CONFIGURE LOAD BALANCING AND FAILOVER POLICIES

vSphere Networking Guide p. 93 (http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdf)

You can configure various load balancing algorithms on a virtual switch to determine how network traffic is distributed between the physical NICs in a team.

• Route Based on Originating Virtual Port - The virtual switch selects uplinks based on the virtual machine port IDs on the vSphere Standard Switch or vSphere Distributed Switch.
• Route Based on Source MAC Hash - The virtual switch selects an uplink for a virtual machine based on the virtual machine MAC address. To calculate an uplink for a virtual machine, the virtual switch uses the virtual machine MAC address and the number of uplinks in the NIC team.
• Route Based on IP Hash - The virtual switch selects uplinks for virtual machines based on the source and destination IP address of each packet.
• Route Based on Physical NIC Load - Based on Route Based on Originating Virtual Port, where the virtual switch checks the actual load of the uplinks and takes steps to reduce it on overloaded uplinks.

And for VDS there is another one called Use Explicit Failover Order.

• Use Explicit Failover Order - No actual load balancing is available with this policy. The virtual switch always uses the uplink that stands first in the list of Active adapters from the failover order and that passes failover detection criteria. If no uplinks in the Active list are available, the virtual switch uses the uplinks from the Standby list.
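As an added example (not the study guide's code), the following PowerCLI function applies one of the policies above to a vDS port group, enforcing the beacon probing constraints this guide lists (not with IP hash, and not with fewer than three uplinks) before making the change, and then shows the standard switch equivalent. It assumes an existing Connect-VIServer session; port group, host, switch and uplink names are placeholders, and values such as LoadBalanceLoadBased are the cmdlets' own enumeration names for the policies listed above.

```powershell
# Added example (not from the study guide). Assumes Connect-VIServer has been run;
# port group, host, switch and uplink names are placeholders.

function Set-TeamingPolicy {
    param(
        [Parameter(Mandatory)]$VDPortgroup,
        [ValidateSet('LoadBalanceSrcId', 'LoadBalanceSrcMac', 'LoadBalanceIP', 'LoadBalanceLoadBased', 'ExplicitFailover')]
        [string]$LoadBalancing = 'LoadBalanceLoadBased',
        [ValidateSet('LinkStatus', 'BeaconProbing')]
        [string]$FailoverDetection = 'LinkStatus',
        [string[]]$Active,
        [string[]]$Standby,
        [string[]]$Unused
    )
    # IP hash needs a static EtherChannel/LAG on the physical switch and is not combined with beacon probing;
    # beacon probing itself needs at least three uplinks to decide which one has failed.
    if ($LoadBalancing -eq 'LoadBalanceIP' -and $FailoverDetection -eq 'BeaconProbing') {
        throw 'Beacon probing is not supported together with IP hash load balancing'
    }
    $uplinkCount = @(@($Active) + @($Standby) | Where-Object { $_ }).Count
    if ($FailoverDetection -eq 'BeaconProbing' -and $uplinkCount -lt 3) {
        Write-Warning 'Beacon probing with fewer than three uplinks cannot isolate the failed link'
    }

    $params = @{
        LoadBalancingPolicy     = $LoadBalancing
        FailoverDetectionPolicy = $FailoverDetection
        NotifySwitches          = $true     # tell the physical switch about MAC moves after a failover
        EnableFailback          = $true
    }
    if ($Active)  { $params.ActiveUplinkPort  = $Active }
    if ($Standby) { $params.StandbyUplinkPort = $Standby }
    if ($Unused)  { $params.UnusedUplinkPort  = $Unused }

    Get-VDUplinkTeamingPolicy -VDPortgroup $VDPortgroup | Set-VDUplinkTeamingPolicy @params | Out-Null
}

# vDS port group: load-based teaming (vDS only) over two active uplinks with link-status detection.
$pg = Get-VDPortgroup -Name 'dvPG-App-VLAN20'
Set-TeamingPolicy -VDPortgroup $pg -LoadBalancing LoadBalanceLoadBased -Active 'Uplink 1', 'Uplink 2'
Get-VDUplinkTeamingPolicy -VDPortgroup $pg |
    Format-List LoadBalancingPolicy, FailoverDetectionPolicy, ActiveUplinkPort, StandbyUplinkPort, UnusedUplinkPort

# Standard switch equivalent (no load-based option there): originating virtual port ID, one active, one standby.
$esx = Get-VMHost -Name 'esx01'
Get-VirtualSwitch -VMHost $esx -Name 'vSwitch0' | Get-NicTeamingPolicy |
    Set-NicTeamingPolicy -LoadBalancingPolicy LoadBalanceSrcId -NetworkFailoverDetectionPolicy LinkStatus `
        -MakeNicActive 'vmnic0' -MakeNicStandby 'vmnic1' | Out-Null
```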

NETWORK FAILOVER DETECTION OPTIONS:

• Link Status only - Checks link availability: is the adapter physically up or down? Depending on the result it can possibly detect physical switch failures.
• Beacon Probing - Sends out and listens for beacon probes on all NICs in the team. Can be used together with link status to get better results in determining whether there is a link failure. Beacon probing should not be used with the IP hash load balancing policy or on vSwitches which have less than 3 uplinks. Unused