8/19/2019 VCP6 DCV Study Guide ESX Virtualization
1/211
1
VCP6-DCV STUDY GUIDE
[UNOFFICIAL]
By Vladan SEGET
www.vladan.fr
Contents
VCP6-DCV Objective 1.1 - Configure and Administer Role-based Access Control (p. 3)
VCP6-DCV Objective 1.2 - Secure ESXi, vCenter Server, and vSphere Virtual Machines (p. 9)
VCP6-DCV Objective 1.3 - Enable SSO and Active Directory Integration (p. 17)
VCP6-DCV Objective 2.1 - Configure Advanced Policies/Features and Verify Network Virtualization Implementation (p. 26)
VCP6-DCV Objective 2.2 - Configure Network I/O Control (NIOC) (p. 41)
VCP6-DCV Objective 2.3 - Configure vSS and vDS Policies (p. 45)
VCP6-DCV Objective 3.1 - Manage vSphere Storage Virtualization (p. 52)
VCP6-DCV Objective 3.2 - Configure Software-defined Storage (p. 65)
VCP6-DCV Objective 3.3 - Configure vSphere Storage Multi-pathing and Failover (p. 76)
VCP6-DCV Objective 3.4 - Perform Advanced VMFS and NFS Configurations and Upgrades (p. 83)
VCP6-DCV Objective 3.5 - Setup and Configure Storage I/O Control (p. 93)
VCP6-DCV Objective 4.1 - Perform ESXi Host and Virtual Machine Upgrades (p. 96)
VCP6-DCV Objective 4.2 - Perform vCenter Server Upgrade (p. 100)
VCP6-DCV Objective 5.1 - Configure Advanced/Multilevel Resource Pools (p. 108)
VCP6-DCV Objective 6.1 - Configure and Administer a vSphere Backups/Restore/Replication Solution (p. 116)
VCP6-DCV Objective 7.1 - Troubleshoot vCenter Server, ESXi Hosts, and Virtual Machines (p. 132)
VCP6-DCV Objective 7.2 - Troubleshoot vSphere Storage and Network Issues (p. 139)
VCP6-DCV Objective 7.3 - Troubleshoot vSphere Upgrades (p. 144)
VCP6-DCV Objective 7.4 - Troubleshoot and Monitor vSphere Performance (p. 149)
VCP6-DCV Objective 7.5 - Troubleshoot HA and DRS Configurations and Fault Tolerance (p. 156)
VCP6-DCV Objective 8.1 - Deploy ESXi Hosts Using Autodeploy (p. 166)
VCP6-DCV Objective 8.2 - Customize Host Profile Settings (p. 172)
VCP6-DCV Objective 8.3 - Consolidate Physical Workloads using VMware Converter (p. 177)
VCP6-DCV Objective 9.1 - Configure Advanced vSphere HA Features (p. 181)
VCP6-DCV Objective 9.2 - Configure Advanced vSphere DRS Features (p. 189)
VCP6-DCV Objective 10.1 - Configure Advanced vSphere Virtual Machine Settings (p. 192)
VCP6-DCV Objective 10.2 - Create and Manage Multi-Site Content Library (p. 200)
VCP6-DCV Objective 10.3 - Configure and Maintain a vCloud Air Connection (p. 205)
VCP6-DCV OBJECTIVE 1.1 – CONFIGURE AND ADMINISTER ROLE-BASED ACCESS CONTROL
Today's VCP6-DCV goal is to talk about VCP6-DCV Objective 1.1 - Configure and Administer Role-based Access Control. The VMware VCP exam is the gold standard of VMware certification exams. The VCP exam is the best-known VMware exam, even if it is not the highest technical level. But it is the most recognized, by future employers and by the industry as a whole. We will cover the VCP6-DCV exam certification based on VMware's latest VCP6-DCV blueprint. Check the VCP6-DCV page for all objectives.
VMware vSphere Knowledge
Identify common vCenter Server privileges and roles
Describe how permissions are applied and inherited in vCenter Server
View/Sort/Export user and group lists
Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
Create/Clone/Edit vCenter Server Roles
Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products
Determine the appropriate set of privileges for common tasks in vCenter Server
IDENTIFY COMMON VCENTER SERVER PRIVILEGES AND ROLES
There are roles and privileges. A role is a collection of privileges assigned to a group or a user. There are a certain number of out-of-the-box (predefined) roles when we look at vSphere client > Roles. You can keep them, clone them, delete or edit them.
VCP6-DCV page: http://www.vladan.fr/vcp6-dcv/
Four different types of permissions
Not only vCenter Server permissions, like the ones above, but also local permissions for ESXi. The full list:
Global Permissions – Global permissions are applied to a global root object that spans solutions. Assigning permissions via the global root allows them to propagate to the other products relying on SSO (vCO, vROps, vCD...).
vCenter Server Permissions – Hierarchical model. A permission gives you a certain number of privileges, similar to Microsoft's AD. You select an object > assign a role to a group of users > to give them privileges on that object.
Group Membership in vsphere.local Groups – The vsphere.local domain includes several predefined groups. Assign users from AD (if you're using AD) to one of those groups to be able to perform the corresponding actions.
For some services that are not managed by vCenter Server directly, privileges are determined by membership in one of the vCenter Single Sign-On groups. For example, a user who is a member of the Administrator group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins group can manage the VMware Certificate Authority, and a user who is in the LicenseService.Administrators group can manage licenses.
Note: to be able to find the AD groups it's necessary to add identity sources via Home > Administration > Single Sign-On > Configuration > Identity sources.
The user administrator@vsphere.local can perform tasks that are associated with services included with the Platform Services Controller.
ESXi Local Host Permissions – If you are managing a standalone ESXi host that is not managed by a vCenter
Server system, you can assign one of the predefined roles to users.
DESCRIBE HOW PERMISSIONS ARE APPLIED AND INHERITED IN VCENTER SERVER
Global permissions are assigned via the Web Client only (SSO), via Home > Administration > Global permissions.
If you deselect "Propagate to children", the objects further down the hierarchy won't be accessible by that particular user/group. (It's like managing NTFS permissions on Windows servers and unchecking the inheritance checkbox.) Permissions apply directly to the object and are propagated to children by default.
If you click the "View Children" link, it shows you all the child objects the permission will apply to (if "Propagate to children" is selected).
Inheritance of Multiple Permissions - What if a user is a member of more than one group? Then the combined privileges of the roles apply. The example below shows a user who is a member of both groups.
Child permissions override parent permissions - Permissions applied on a child object always override permissions that are applied on a parent object. See the examples on p. 119 of the vSphere Security Guide.
vSphere Security Guide: http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-security-guide.pdf
Ex. Role 1 can power on VMs and Role 2 can take snapshots.
Group A is granted Role 1 on VM folder and permissions propagate to child objects
Group B is granted Role 2 on VM B
User 1, who belongs to groups A and B, logs on. Because Role 2 is assigned at a lower point in the hierarchy than Role
1, it overrides Role 1 on VM B. User 1 can power on VM A, but not take snapshots. User 1 can take snapshots of VM B,
but not power it on.
User role overriding group role - when two permissions are defined on the same object.
Both permissions are on the same object. One permission is granted to a group, the other to a user who is at the same time a member of that group. Role 1 can power on VMs. Group A is granted Role 1 on VM Folder and at the same time User 1 is granted the No Access role on VM Folder.
User 1, who belongs to Group A, logs on. The No Access role granted to User 1 on VM Folder overrides the role assigned to the group. User 1 has no access to VM Folder or to VMs A and B.
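The rules above (propagation to children, a child permission overriding a parent permission, a user permission overriding a group permission on the same object, and privileges from several groups combining) as a small Python model. This is an added example and not part of the study guide; the object, group and role names are taken from the two scenarios above, while the privilege strings and the "NoAccess" role definition are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Roles as sets of privilege names (constructed); the empty set is "No Access".
ROLES = {
    "Role1": {"VirtualMachine.Interact.PowerOn"},
    "Role2": {"VirtualMachine.State.CreateSnapshot"},
    "NoAccess": set(),
}


@dataclass
class Permission:
    principal: str          # user or group name
    is_group: bool
    role: str
    propagate: bool = True  # the "Propagate to children" box


@dataclass
class InvObject:
    name: str
    parent: "InvObject | None" = None
    permissions: list = field(default_factory=list)


def _applicable(obj, user, groups, inherited):
    """Permissions on obj that apply to user directly or via one of groups.
    When obj is an ancestor of the object being checked (inherited=True),
    only permissions with "Propagate to children" set count."""
    return [
        p for p in obj.permissions
        if (p.propagate or not inherited)
        and ((p.is_group and p.principal in groups)
             or (not p.is_group and p.principal == user))
    ]


def effective_privileges(obj, user, groups):
    """Walk from obj towards the root.  The nearest object carrying an
    applicable permission decides (child overrides parent).  On that object a
    permission granted to the user directly overrides group permissions;
    otherwise the privileges of all matching group roles are combined."""
    node, inherited = obj, False
    while node is not None:
        perms = _applicable(node, user, groups, inherited)
        if perms:
            direct = [p for p in perms if not p.is_group]
            chosen = direct if direct else perms
            return set().union(*(ROLES[p.role] for p in chosen))
        node, inherited = node.parent, True
    return set()


def scenario_child_overrides_parent():
    """Group A: Role 1 on VM Folder (propagating); Group B: Role 2 on VM B."""
    folder = InvObject("VM Folder")
    vm_a = InvObject("VM A", parent=folder)
    vm_b = InvObject("VM B", parent=folder)
    folder.permissions.append(Permission("Group A", True, "Role1", propagate=True))
    vm_b.permissions.append(Permission("Group B", True, "Role2"))
    groups = {"Group A", "Group B"}  # User 1 belongs to both
    return (effective_privileges(vm_a, "User 1", groups),
            effective_privileges(vm_b, "User 1", groups))


def scenario_user_overrides_group():
    """Group A: Role 1 on VM Folder; User 1 (member of Group A): No Access on VM Folder."""
    folder = InvObject("VM Folder")
    vm_a = InvObject("VM A", parent=folder)
    folder.permissions.append(Permission("Group A", True, "Role1"))
    folder.permissions.append(Permission("User 1", False, "NoAccess"))
    return (effective_privileges(folder, "User 1", {"Group A"}),
            effective_privileges(vm_a, "User 1", {"Group A"}))


def scenario_groups_combine():
    """Two group permissions on the same object: the privileges are unioned."""
    vm = InvObject("VM C")
    vm.permissions.append(Permission("Group A", True, "Role1"))
    vm.permissions.append(Permission("Group B", True, "Role2"))
    return effective_privileges(vm, "User 1", {"Group A", "Group B"})


if __name__ == "__main__":
    print("child overrides parent:", scenario_child_overrides_parent())
    print("user overrides group:  ", scenario_user_overrides_group())
    print("groups combine:        ", scenario_groups_combine())
```

Running it reproduces the guide's outcomes: User 1 can power on VM A but not snapshot it, can snapshot VM B but not power it on, and gets nothing on VM Folder or its VMs once the direct No Access permission is present. Note that the walk stops at the first object with an applicable permission, which is exactly why a Read-Only or No Access permission placed low in the hierarchy is such an effective way to carve out exceptions.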
VIEW/SORT/EXPORT USER AND GROUP LISTS
To check global permissions you have to use Web Client > Home > Administration > Global permissions.
You can export selected or all items to a CSV file or copy them to the clipboard. You can also use Ctrl+click to copy to the clipboard.
ADD/MODIFY/REMOVE PERMISSIONS FOR USERS AND GROUPS ON VCENTER SERVER INVENTORY OBJECTS
To modify or add permissions you must select an object > Manage > Permissions.
Then you can use the Delete, Edit or Add icons there...
CREATE/CLONE/EDIT VCENTER SERVER ROLES
To edit, create or clone vCenter roles it's necessary to use vSphere Web Client > Administration > Roles OR Home > Roles. The default roles are:
Administrator
Read-Only
No Access
To clone a role, click the icon...
vSphere Security Guide (p. 121).
DETERMINE THE CORRECT ROLES/PRIVILEGES NEEDED TO INTEGRATE VCENTER SERVER WITH OTHER VMWARE PRODUCTS
Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and
vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies.
vSphere Security Guide, p. 122.
DETERMINE THE APPROPRIATE SET OF PRIVILEGES FOR COMMON TASKS IN VCENTER SERVER
Required privileges for common tasks - vSphere Security Guide p. 127
All privileges - p. 229
Tools:
vSphere Installation and Setup Guide - http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-installation-setup-guide.pdf
vSphere Security Guide - http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-security-guide.pdf
What’s New in the VMware vSphere® 6.0 Platform - http://www.vmware.com/files/pdf/vsphere/VMware-vSphere-Platform-Whats-New.pdf
vSphere Administration with the vSphere Client Guide - http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-client-administration-guide.pdf
vSphere Client / vSphere Web Client
VCP6-DCV OBJECTIVE 1.2 – SECURE ESXI, VCENTER SERVER, AND VSPHERE VIRTUAL MACHINES
This post covers VCP6-DCV Objective 1.2 - Secure ESXi, vCenter Server, and vSphere Virtual Machines. A very interesting chapter indeed, where we cover all the "locks" an admin can put in place to secure his/her environment. And you don't have to be a Linux expert, as all this is done without much difficulty!
For whole exam coverage I created a dedicated VCP6-DCV page. Or if you're not preparing to pass the VCP6-DCV, you might just want to look at some how-tos, news and videos about vSphere 6 - check out my vSphere 6 page. If you find out that I missed something, don't hesitate to comment.
Knowledge
Enable/Configure/Disable services in the ESXi firewall
Enable Lockdown Mode
Configure network security policies
Add an ESXi Host to a directory service
Apply permissions to ESXi Hosts using Host Profiles
Configure virtual machine security policies
Create/Manage vCenter Server Security Certificates
ENABLE/CONFIGURE/DISABLE SERVICES IN THE ESXI FIREWALL
HOW TO ENABLE / DISABLE SERVICES IN THE ESXI FIREWALL - THE HARD WAY (VIA CLI)
CHECK WHICH SERVICES ARE ACTIVE:
esxcli network firewall ruleset list
OPEN A FIREWALL PORT VIA CLI:
esxcli network firewall ruleset set -e true -r httpClient
HOW TO ENABLE / DISABLE SERVICES IN THE ESXI FIREWALL - THE EASY WAY (VIA VSPHERE CLIENT)
Note that you can do the same by selecting the host through vSphere client > Configuration > Security Profile > Firewall.
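An added Python audit (not from the study guide) that parses the table printed by `esxcli network firewall ruleset list`, flags enabled rulesets that are missing from a site baseline, and emits the `esxcli network firewall ruleset set -e false -r <name>` command that closes each one (the `-e true` form above opens a ruleset). The sample esxcli output and the baseline set are constructed for this example.

```python
# Constructed sample of the two-column table esxcli prints on an ESXi host.
SAMPLE_RULESET_OUTPUT = """\
Name                 Enabled
-------------------  -------
sshServer               true
sshClient              false
nfsClient               true
httpClient              true
vpxHeartbeats           true
dhcp                    true
"""

# Assumed site baseline: rulesets expected to be open on a vCenter-managed host.
BASELINE_ENABLED = {"vpxHeartbeats", "dhcp", "nfsClient"}


def parse_ruleset_list(text):
    """Return {ruleset_name: enabled_bool} from the esxcli table output.
    The 'Name' header and the dashed separator line are skipped; the last
    column carries 'true' or 'false'."""
    rulesets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] == "Name" or parts[0].startswith("-"):
            continue
        name, enabled = parts
        rulesets[name] = enabled.lower() == "true"
    return rulesets


def unexpected_enabled(rulesets, baseline=BASELINE_ENABLED):
    """Enabled rulesets the baseline does not expect, sorted by name."""
    return sorted(name for name, on in rulesets.items()
                  if on and name not in baseline)


def remediation_commands(names):
    """esxcli commands that disable each unexpected ruleset again."""
    return [f"esxcli network firewall ruleset set -e false -r {n}" for n in names]


if __name__ == "__main__":
    found = parse_ruleset_list(SAMPLE_RULESET_OUTPUT)
    extra = unexpected_enabled(found)
    print("unexpected enabled rulesets:", extra)
    for cmd in remediation_commands(extra):
        print(cmd)
```

On a real host you would feed the script the saved output of the list command from each ESXi server; the point of keeping a baseline is that a ruleset such as sshServer being enabled is only a finding if your site does not expect it, so the baseline is where that decision is recorded.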
VCP6-DCV page: http://www.vladan.fr/vcp6-dcv
vSphere 6 page: http://www.vladan.fr/vsphere-6-0/
Services can be Started, Stopped, or Restarted. Services can be configured to Start and stop with host, Start and stop
manually, or Start and stop with port usage.
ESXi Shell and SSH are disabled (Set to Start and stop manually) by default. ESXi Shell and SSH can be enabled/disabled
in the DCUI from the Troubleshooting Mode Options menu.
ENABLE LOCKDOWN MODE
When you enable lockdown mode, you can't connect directly from the console. The host is accessible only through the vSphere client directly or via vCenter Server.
Lockdown modes:
Disabled - Lockdown mode is disabled.
Normal - Lockdown mode is enabled. The host can only be accessed from vCenter or from the console (DCUI).
Strict - Lockdown mode is enabled. The DCUI service is stopped. The host cannot be accessed from the console (DCUI).
[TIP]: You can activate the DCUI from within an SSH session. Type this after logging in with PuTTY or another SSH client:
dcui
There you see the DCUI screen.
vSphere 6 introduced "Exception users", which are users with local accounts or Microsoft Active Directory accounts with permissions defined locally on the host where these users have host access. You can define those exceptions locally on the host, but it's not recommended for normal user accounts, rather for service accounts. You should set the permissions on these accounts to the strict minimum, only what's required for the application to do its task, and use an account that needs only read-only permissions to the ESXi host.
This is basically the same principle as local accounts on a Windows member server, where you can create local accounts but, as a best practice, give them only the permissions they need...
Smart Card Authentication to DCUI – This is a new function, but apparently it is for U.S. federal customers only. It allows DCUI login using a Common Access Card (CAC) or Personal Identity Verification (PIV) card. In this case the ESXi host must be part of Microsoft AD.
CONFIGURE NETWORK SECURITY POLICIES
Network security policies are defined in two places:
vSwitch level
Portgroup level
Three different policies:
Promiscuous mode – If set to Accept, it allows the guest OS to receive all traffic observed on the connected vSwitch or portgroup (the switch basically becomes a hub, with all the inconveniences: packet collisions, performance degradation, etc.). By default it's Reject.
MAC address changes – The host accepts requests to change the effective MAC address to a different address than the initial MAC address. By default it's Accept.
Forged transmits – The host does not compare the source and effective MAC addresses transmitted from a virtual machine. By default it's Accept.
Or via vSphere client (more convenient):
If MAC address changes and Forged transmits are set to Reject, this protects against MAC address spoofing. When changing the settings at the portgroup level there is an Override checkbox allowing you to set the policy on a portgroup rather than on the vSwitch.
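The override semantics just described (a portgroup value only takes effect when its Override box is ticked, otherwise the vSwitch value applies) as an added Python audit that is not part of the study guide: it computes the effective policy of every portgroup and lists each setting that is not at the Reject value the text recommends against MAC spoofing. The vSwitch and portgroup data below are constructed.

```python
# Hardened target: all three policies at Reject.
HARDENED = {"promiscuous_mode": "Reject",
            "mac_changes": "Reject",
            "forged_transmits": "Reject"}

# Defaults of a new vSwitch as the guide lists them (constructed vSwitch0).
VSWITCH0 = {"promiscuous_mode": "Reject",
            "mac_changes": "Accept",
            "forged_transmits": "Accept"}

# Constructed portgroups: {setting: (override_box_ticked, value)}.
PORTGROUPS = {
    "VM Network": {},                                   # inherits everything
    "Nested-Lab": {"promiscuous_mode": (True, "Accept")},  # nested-ESXi lab port
    "Management": {"mac_changes": (True, "Reject"),
                   "forged_transmits": (True, "Reject"),
                   "promiscuous_mode": (False, "Accept")},  # box not ticked: ignored
}


def effective_policy(vswitch_policy, portgroup_settings):
    """Start from the vSwitch policy; a portgroup value replaces it only when
    the Override box for that setting is ticked."""
    eff = dict(vswitch_policy)
    for key, (override, value) in portgroup_settings.items():
        if override:
            eff[key] = value
    return eff


def audit_portgroups(vswitch_policy, portgroups, hardened=HARDENED):
    """(portgroup, setting, effective_value) for every setting that is not at
    its hardened value, in portgroup order then setting order."""
    findings = []
    for pg, settings in portgroups.items():
        eff = effective_policy(vswitch_policy, settings)
        for key, want in hardened.items():
            if eff[key] != want:
                findings.append((pg, key, eff[key]))
    return findings


if __name__ == "__main__":
    for pg, key, value in audit_portgroups(VSWITCH0, PORTGROUPS):
        print(f"{pg}: {key} is {value}, expected {HARDENED[key]}")
```

The constructed data shows both failure modes a reviewer should look for: a portgroup that inherits the permissive vSwitch defaults without any override (VM Network), and one where Accept has been typed in but the Override box was never ticked (Management), so the value shown in the portgroup dialog is not the value the host enforces.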
ADD AN ESXI HOST TO A DIRECTORY SERVICE
Using Active Directory for user authentication simplifies the ESXi host configuration and reduces the risk of configuration issues that could lead to unauthorized access. You can join or leave a domain by selecting a host > Configuration > Authentication Services > Properties. You can also join standalone ESXi hosts to AD. By using AD you eliminate the need to manage users locally on ESXi hosts.
A special AD group named "ESX Admins" shall be created manually before the host is joined to AD. Why? Because all members of this group (ESX Admins) are automatically assigned the Administrator role on the host when the host is joined to AD. If not, the permissions have to be applied manually.
vSphere web client > Hosts and clusters > Select ESXi host > Manage > Settings > Authentication services.
APPLY PERMISSIONS TO ESXI HOSTS USING HOST PROFILES
Host profiles are a very cool feature allowing you to homogenize configuration across ESXi hosts and automate compliance. In some cases host profiles can also be useful when, for example, you need to reset the ESXi root password on a host.
Check the vSphere Security Guide (PDF) on p. 133, but basically this procedure applies:
1. Set up the reference host to specification and create a host profile.
2. Attach the profile to a host or cluster.
3. Apply the host profile of the reference host to other hosts or clusters.
If you haven't done so yet, go to Home > Host Profiles > Extract profile from host. Once you have that profile you can apply it to a host...
Select the host profile > click Actions > Edit Host Profile (or right-click > Edit Settings)
Expand Security and Services
Select the Permission Rules folder > click the plus sign
How to reset the ESXi root password: http://www.vladan.fr/how-to-reset-esxi-5-x-root-password-and-under-which-conditions/
vSphere Security Guide: http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-security-guide.pdf
The root password is encrypted within the host profile; however, joining hosts to AD via host profiles leaves the password in plain text... :-(
CONFIGURE VIRTUAL MACHINE SECURITY POLICIES
VMs are fragile. The same goes for the guest OS. Treat them accordingly :-). Seriously, you should patch to the latest release: OS patches, antivirus patches and/or anti-malware patches.... That's the bare minimum to prevent system corruption.
Be organized - use templates to deploy virtual machines
Minimize use of the virtual machine console
Prevent virtual machines from taking over resources
Disable unnecessary functions inside virtual machines - usually Windows/Linux services can be stopped, set to manual instead of automatic startup, etc.
Remove unnecessary hardware devices - floppy, printers, sound devices... Everything you don't need you can remove to have lower overhead.
Disable unused display features
Disable unexposed features
Disable HGFS file transfers
Disable copy and paste operations between the guest operating system and the remote console (it is disabled by default at the host level, but you can also add these advanced settings on the VM:)
isolation.tools.copy.disable = true
isolation.tools.paste.disable = true
Limit exposure of sensitive data copied to the clipboard
Restrict users from running commands within a virtual machine:
1. Click Administration and select Roles > click Create Role > NO Guest Access > select All Privileges.
2. Deselect All Privileges > Virtual Machine > Guest Operations to remove the Guest Operations set of privileges > validate with OK.
Prevent a virtual machine user or process from disconnecting devices
Modify the guest operating system variable memory limit
Prevent guest operating system processes from sending configuration messages to the host
Avoid using Independent Nonpersistent disks - keep in mind that nonpersistent disks are not affected by snapshots. If you use snapshots, a redo log is created to capture all subsequent writes to that disk. However, if the snapshot is deleted or the virtual machine is powered off, the changes captured in that redo log are discarded for that Independent Non-persistent VMDK.
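A small added Python check (not part of the study guide) over a VM's .vmx configuration for the isolation settings in the list above: the two copy/paste keys shown in the guide, plus isolation.tools.hgfsServerSet.disable and isolation.device.connectable.disable, which are assumed here from VMware's hardening guidance for the "HGFS file transfers" and "disconnecting devices" items and are not spelled out on this page. The .vmx content is constructed.

```python
import re

# One .vmx line:  key = "value"
VMX_LINE = re.compile(r'^\s*([^=\s]+)\s*=\s*"(.*)"\s*$')

# Keys that should carry a TRUE value on a hardened VM.  The first two are the
# settings shown in the guide; the last two are assumed from VMware's
# hardening guidance and are not taken from this page.
REQUIRED_TRUE = [
    "isolation.tools.copy.disable",
    "isolation.tools.paste.disable",
    "isolation.tools.hgfsServerSet.disable",
    "isolation.device.connectable.disable",
]

# Constructed .vmx excerpt: copy disabled, paste missing, HGFS explicitly left on.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "11"
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "false"
floppy0.present = "FALSE"
"""


def parse_vmx(text):
    """Return the .vmx key/value pairs; lines that are not key = "value" are ignored."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def hardening_findings(settings, required=REQUIRED_TRUE):
    """(key, current_value_or_None) for every required key that is absent or
    not TRUE; .vmx booleans are case-insensitive strings, so "true" passes."""
    findings = []
    for key in required:
        value = settings.get(key)
        if value is None or value.strip().lower() != "true":
            findings.append((key, value))
    return findings


if __name__ == "__main__":
    for key, value in hardening_findings(parse_vmx(SAMPLE_VMX)):
        state = "missing" if value is None else f'set to "{value}"'
        print(f"{key}: {state}")
```

A missing key is reported alongside an explicitly wrong one because, for these isolation.* settings, absence means the feature stays enabled; an audit that only looks for "false" values would miss the more common case where nobody ever added the line.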
CREATE/MANAGE VCENTER SERVER SECURITY CERTIFICATES
Certificates got easier with vSphere 6, as they can be viewed and renewed within the vSphere Web Client.
There are two operating modes:
Root CA (by default)
Issuer CA – possibility to integrate a Microsoft Certification Authority. In this case you'll create the CSR (request) > go to the Microsoft Cert Server and get the certificate.
To view certificates:
The VMware Certificate Authority (VMCA) provisions vCenter Server components and ESXi hosts with certificates that
use VMCA as the root certificate authority by default.
The vSphere Certificate Manager utility allows you to perform most certificate management tasks interactively from
the command line.
Example. On Windows you must go to this directory:
C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat
Link to the online documentation for using the vSphere Certificate Manager utility: http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-E1D35792-ED03-468A-966B-362BED18021A.html
vSphere Certificate Manager prompts you for the task to perform, for certificate locations and other information as
needed, and then stops and starts services and replaces certificates for you.
vCenter certificate utilities:
vSphere Certificate Manager utility – certificate replacement tasks from a command line utility.
Certificate management CLIs – dir-cli, certool, and vecs-cli command line utilities.
o certool can generate and manage certificates and keys. Part of VMCA.
o dir-cli is able to create and update certificates in the VMware Directory Service. Part of VMAFD.
o vecs-cli can manage the contents of VMware Certificate Store instances. Part of VMAFD.
vSphere Web Client certificate management – view certificate information in the Web Client.
Tools
vSphere Installation and Setup Guide
vSphere Security Guide
What’s New in the VMware vSphere® 6.0 Platform
Security of the VMware vSphere® Hypervisor
vSphere Administration with the vSphere Client Guide
VMware Hardened Virtual Appliance Operations Guide (added to the Tech Resource Directory)
vSphere Client / vSphere Web Client
VCP6-DCV OBJECTIVE 1.3 - ENABLE SSO AND ACTIVE DIRECTORY INTEGRATION
In no particular order I'll start covering the VCP6-DCV sections to help out folks studying for the VCP6-DCV VMware certification exam. Due to the VMware recertification policy the VCP exam now has an expiration date. You can renew by passing the delta exam while still holding a current VCP, or by passing a VCAP. The topic today: VCP6-DCV Objective 1.3 - Enable SSO and Active Directory Integration.
For whole exam coverage I created a dedicated VCP6-DCV WordPress page. If you just want to look at some how-tos, news and videos about vSphere 6, check out my vSphere 6 page. vSphere 6 grew quite big compared to the vSphere 5.5 release, but simplified deployment and management. The vSphere Web Client is more present and used in this release, as the legacy C# client does not allow you to configure advanced configuration options and functions like SSO, FT and VSAN.
You'll need certain knowledge that we'll try to cover today:
Configure/Manage Active Directory Authentication
Configure/Manage Platform Services Controller (PSC)
Configure/Manage VMware Certificate Authority (VMCA)
Enable/Disable Single Sign-On (SSO) Users
Links referenced in this section:
vSphere Certificate Manager documentation: http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-E1D35792-ED03-468A-966B-362BED18021A.html
vSphere Installation and Setup Guide: http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-installation-setup-guide.pdf
vSphere Security Guide: http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-security-guide.pdf
What's New in the VMware vSphere 6.0 Platform: http://www.vmware.com/files/pdf/vsphere/VMware-vSphere-Platform-Whats-New.pdf
Security of the VMware vSphere Hypervisor: http://www.vmware.com/files/pdf/techpaper/vmw-wp-secrty-vsphr-hyprvsr-uslet-101.pdf
vSphere Administration with the vSphere Client Guide: http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-client-administration-guide.pdf
VMware Hardened Virtual Appliance Operations Guide: http://www.vmware.com/files/pdf/techpaper/VMWare-Hardened-Appliance-Operations-Guide.pdf
VCP6-DCV page: http://www.vladan.fr/vcp6-dcv
vSphere 6 page: http://www.vladan.fr/vsphere-6-0/
vSphere 5.5 page: http://www.vladan.fr/vsphere55/
Identify available authentication methods with VMware vCenter
CONFIGURE/MANAGE ACTIVE DIRECTORY AUTHENTICATION
Step 1: Connect to your vCenter Server by entering the IP address you entered during the deployment process:
https://<vCenter Server IP>/vsphere-client
and log in using administrator@vsphere.local as the user name and the password you used during the deployment.
Step 2: Click the Administration button on the left, then go to Single Sign-On > Configuration > Identity Sources and click the "+" sign to add your AD as an identity source. Normally it will populate your local AD automatically, so you just have to click the OK button...
You can also click the globe icon to make the AD the default while you're there...
Screenshot showing the Identity source where we added our AD - lab.local
NEXT STEP: PERMISSIONS
You'll need to assign permissions to the users who will administer the vSphere infrastructure. Usually it's the domain admin, but not always... Also keep in mind where you assign those permissions: at the Datacenter level, the vCenter level or the cluster level. Usually you'll want to do it at the vCenter level.
Go to Home > vCenter Inventory Lists > vCenter Servers > vCenter.lab.local (in my case) > Click the Manage Tab > Permissions
There you click the "+" sign > Add button > make sure that you select your Microsoft AD in the drop-down so that the Domain Admin user appears...
Click OK to validate. You can now disconnect and reconnect as the domain admin... Note that if your workstation is part of the Microsoft AD, you just have to check the box and there is no need to enter your domain user password... -:)
Some of you might wonder why there is this Single Sign-On. vCenter Single Sign-On is an authentication service which allows the different vSphere software components present in the vCloud Suite to communicate with each other via a secure token exchange mechanism.
CONFIGURE/MANAGE PLATFORM SERVICES CONTROLLER (PSC)
The Platform Services Controller (PSC) provides:
Single Sign-On (SSO)
Licensing
Certificate Authority (VMCA)
You can deploy it together with vCenter or separately, and you can deploy it as Windows-based or appliance-based (VCSA). It's important to know that the PSC works completely transparently with both Windows-based and VCSA-based vCenter!
PSC Deployment Options - Two different installation types are allowed:
Embedded (in the same VM)
External
The embedded PSC is meant to be used for standalone sites where vCenter Server will be the only SSO-integrated solution. In this case replication to another PSC is not necessary.
An external PSC shall be deployed in environments where there is more than one SSO-enabled solution (vCenter Server, vRealize Automation, etc…) OR where replication to another PSC (another site) is necessary.
Here is a screenshot from the installation process (VCSA) showing the different options; changing the options also changes the deployment phases shown on the left.
PSC features:
Manages and generates SSL certificates for your vSphere environment.
Stores and replicates VMware license keys.
Stores and replicates permissions via the Global Permissions layer.
Manages the storage and replication of tags and categories.
Built-in automatic replication between different logical SSO sites (if any).
There is only one single default domain for the identity sources.
DEPLOYMENT OPTIONS:
Embedded Platform Service Controller
All services bundled with the Platform Services Controller are deployed on the same virtual machine or
physical server as vCenter Server.
External Platform Service Controller
The services bundled with the Platform Services Controller and vCenter Server are deployed on different
virtual machines or physical servers.
Recommended reads:
VMware vSphere Blog - vCenter Server 6 Deployment Topologies and High Availability.
VMware KB - Recommended topologies for vSphere 6.0.x (2108548).
Configure/Manage VMware Certificate Authority (VMCA)
When you first install vSphere, the default certificates are deployed with a 10-year life span. The VMCA generates those self-signed certs during the installation process and provisions each ESXi host with a certificate signed by this root certificate authority. When upgrading from an earlier vSphere version, the existing self-signed certificates are automatically replaced by new certificates signed by VMCA.
There are different ESXi certificate replacement modes:
Default - VMCA is the certificate authority and issues the certs for your hosts.
Custom - you override the default and issue the certs manually.
Thumbprint mode - this way you keep the certs from vSphere 5.5.
To check this, go to View Support Information after logging in to your ESXi host:
WHERE TO CHECK THE CERTIFICATES IN THE WEB CLIENT?
Home > System Configuration > Nodes > Node > Manage > Certificate Authority
Note: If you're not a member of the SystemConfiguration.Administrators group, then you might want to add yourself there. If, of course, you're connecting as a domain administrator....
ENABLE/DISABLE SINGLE SIGN-ON (SSO) USERS
VMware SSO uses several configuration policies, which can be found via the vSphere Web Client only:
Administration > Single Sign-On > Configuration > Policies
Password Policy
Lockout Policy
Token Policy
PASSWORD POLICY
You can configure the following parameters:
Description – Password policy description. Required.
Maximum lifetime – Maximum number of days that a password can exist before it has to be changed.
Restrict re-use – Number of the user’s previous passwords that cannot be set again.
Maximum length – Maximum number of characters that are allowed in the password.
Minimum length – Minimum number of characters required in the password.
Character requirements – Minimum number of different character types required in the password.
Identical adjacent characters – Maximum number of identical adjacent characters allowed in the password.
To get to this screen you must click Administration > Single Sign-On > Configuration.
By clicking the Edit button you are able to change the values there…
If you leave the default values, after 90 days when you want to log in you might end up with messages saying that:
User Account is locked.
User Account is disabled.
Those SSO policies are pretty much the same as in vSphere 5.5, with the difference that in vSphere 5.5 we also had an administrator password expiry on the vCenter Server Appliance (VCSA). The VCSA 6.0 is pretty much locked down, and the GUI we used to manage the VCSA via port 5480 is no longer available.
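To see how the password-policy parameters above interact, here is a small checker that applies them to candidate passwords. This is an added example, not code from the study guide or from VMware: only the 90-day maximum lifetime comes from the page, and the other policy values are a constructed example policy.

```python
"""Model of the vCenter SSO password-policy parameters listed above.

Added example, not from the study guide or from VMware: the policy values
below are a constructed example (only the 90-day maximum lifetime is stated
on the page); check your own SSO configuration for the real values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass
class PasswordPolicy:
    description: str = "Example SSO password policy"   # constructed
    max_lifetime_days: int = 90      # page: defaults lead to expiry after 90 days
    restrict_reuse: int = 5          # assumption: previous passwords that are blocked
    max_length: int = 20             # assumption
    min_length: int = 8              # assumption
    min_char_types: int = 3          # assumption: distinct character classes required
    max_identical_adjacent: int = 3  # assumption


# The four character classes the checker distinguishes.
CHAR_CLASSES = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}


def char_types(password: str) -> int:
    """Number of distinct character classes present in the password."""
    return sum(1 for test in CHAR_CLASSES.values() if any(test(c) for c in password))


def longest_identical_run(password: str) -> int:
    """Length of the longest run of identical adjacent characters."""
    longest = run = 0
    prev = None
    for c in password:
        run = run + 1 if c == prev else 1
        longest = max(longest, run)
        prev = c
    return longest


def check_password(password: str, previous: List[str],
                   policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the list of policy violations (empty means the password is acceptable)."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than minimum length {policy.min_length}")
    if len(password) > policy.max_length:
        violations.append(f"longer than maximum length {policy.max_length}")
    if char_types(password) < policy.min_char_types:
        violations.append(f"fewer than {policy.min_char_types} character types")
    if longest_identical_run(password) > policy.max_identical_adjacent:
        violations.append(f"more than {policy.max_identical_adjacent} identical adjacent characters")
    # Restrict re-use: the last N passwords may not be set again (0 disables the check).
    if policy.restrict_reuse and password in previous[-policy.restrict_reuse:]:
        violations.append(f"matches one of the last {policy.restrict_reuse} passwords")
    return violations


def password_expired(last_changed: date, today: date,
                     policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """Maximum lifetime: True once the password is older than the allowed number of days."""
    return today - last_changed > timedelta(days=policy.max_lifetime_days)


if __name__ == "__main__":
    history = ["Summer2018!", "Autumn2018!"]   # constructed password history
    for candidate in ["Passw0rd!", "password", "Autumn2018!", "aaaa1Bc!"]:
        print(candidate, "->", check_password(candidate, history) or "OK")
    print("expired after 91 days:",
          password_expired(date(2019, 1, 1), date(2019, 4, 2)))
```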
Lockout Policy
Specifies the condition under which a vCenter SSO account is locked when the user attempts to log in with incorrect
credentials. Five login attempts and three minutes between failures are set by default. This policy also specifies the
time that must elapse before the account is automatically unlocked.
Description – Description of the lockout policy. Required.
Max. number of failed login attempts – Maximum number of failed login attempts that are allowed before
the account is locked.
Time interval between failures (seconds) – Time period in which failed login attempts must occur to trigger a
lockout.
Unlock time (seconds) – Amount of time that the account remains locked. If you enter 0, the account must be explicitly unlocked by an administrator.
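The lockout parameters above, turned into a small tracker so you can see when an account locks and unlocks. This is an added example, not from the study guide or from VMware: the five attempts and 180 seconds come from the page, while the 300-second unlock time and the counting rule (a failure arriving more than the interval after the previous one restarts the count) are assumptions.

```python
"""Model of the vCenter SSO lockout-policy parameters listed above.

Added example, not from the study guide or from VMware. The defaults of five
attempts and 180 seconds between failures come from the page; the unlock time
and the exact counting rule are assumptions (a failure more than
failure_interval_s after the previous one restarts the count).
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    description: str = "Example SSO lockout policy"  # constructed
    max_failed_attempts: int = 5   # page: five login attempts by default
    failure_interval_s: int = 180  # page: three minutes between failures by default
    unlock_time_s: int = 300       # assumption; 0 means only an administrator can unlock


@dataclass
class AccountState:
    failures: int = 0                    # consecutive failures inside the interval
    last_failure: Optional[float] = None
    locked_at: Optional[float] = None


class LockoutTracker:
    """Tracks failed logins per user and applies the lockout policy."""

    def __init__(self, policy: LockoutPolicy = LockoutPolicy()):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.unlock_time_s == 0:
            return True  # stays locked until admin_unlock()
        if now - st.locked_at >= self.policy.unlock_time_s:
            self.admin_unlock(user)  # automatic unlock once the unlock time has elapsed
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login at time `now`; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        st = self._state(user)
        # A failure arriving later than the interval after the previous one restarts the count.
        if st.last_failure is None or now - st.last_failure > self.policy.failure_interval_s:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.max_failed_attempts:
            st.locked_at = now
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is accepted only while the account is not locked; resets the count."""
        if self.is_locked(user, now):
            return False
        self.accounts[user] = AccountState()
        return True

    def admin_unlock(self, user: str) -> None:
        """Explicit unlock by an administrator (the only way out when unlock time is 0)."""
        self.accounts[user] = AccountState()


if __name__ == "__main__":
    tracker = LockoutTracker()
    for t in (0, 10, 20, 30, 40):   # constructed: five failures within the interval
        print(f"t={t:>3}s failure -> locked: {tracker.record_failure('alice', t)}")
    print("correct password at t=50s accepted:", tracker.record_success("alice", 50))
    print("still locked at t=340s:", tracker.is_locked("alice", 340))
```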
To see the lockout policy parameters, click on the Policies tab and select Lockout Policy:
Token Policy - also interesting, as for example the Clock tolerance is the time difference, in milliseconds, that vCenter Single Sign-On tolerates between a client clock and the domain controller clock. If the time difference is greater than the specified value, vCenter Single Sign-On declares the token invalid.
Other configuration options:
Maximum token renewal count – Maximum number of times that a token can be renewed. After the maximum number of renewal attempts, a new security token is required.
Maximum token delegation count – Holder-of-key tokens can be delegated to services in the vSphere environment. A service that uses a delegated token performs the service on behalf of the principal that provided the token. A token request specifies a DelegateTo identity. The DelegateTo value can either be a solution token or a reference to a solution token. This value specifies how many times a single holder-of-key token can be delegated.
Maximum bearer token lifetime – Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user or entity that is sending the request. This value specifies the lifetime value of a bearer token before the token has to be reissued.
Maximum holder-of-key token lifetime – Holder-of-key tokens provide authentication based on security artifacts that are embedded in the token. Holder-of-key tokens can be used for delegation. A client can obtain a holder-of-key token and delegate that token to another entity. The token contains the claims to identify the originator and the delegate. In the vSphere environment, a vCenter Server obtains delegated tokens on a user’s behalf and uses those tokens to perform operations. This value determines the lifetime of a holder-of-key token before the token is marked invalid.
IDENTIFY AVAILABLE AUTHENTICATION METHODS WITH VMWARE VCENTER
We already saw that at the beginning of the post. The possible identity sources can be found via the Web Client > Administration > Single Sign-On > Configuration > Identity Sources
And we can see that there are four of them:
AD integrated (preferred)
Active Directory LDAP
Open LDAP
Local OS
Yep, you'd obviously use the Local OS option only if you don't want to interconnect with your AD (for security reasons or isolation purposes).
Check out how-tos, news, videos and tutorials on my vSphere 6 page too, or check the Free VMware tools page.
Tools to get the knowledge and further reading:
vSphere Installation and Setup Guide
vSphere Security Guide
What’s New in the VMware vSphere® 6.0 Platform
VMware vCenter Server™ 6.0 Deployment Guide
Direct Console User Interface (DCUI)
vSphere Client / vSphere Web Client
VCP6-DCV OBJECTIVE 2.1 - CONFIGURE ADVANCED POLICIES/FEATURES AND VERIFY
NETWORK VIRTUALIZATION IMPLEMENTATION
Today's VCP6-DCV topic Objective 2.1: Configure Advanced Policies/Features and Verify Network Virtualization
Implementation is the core of virtualization networking. Together with 2 other chapters it covers all vSphere 6
networking.
You can follow the VCP6-DCV study guide being built through my VCP6-DCV page. When finished, there will be a PDF version which will get proper formatting for a better reading experience. We're more than halfway through right now, and the work continues. Let's kick on with this chapter!
vSphere Knowledge
Identify vSphere Distributed Switch (vDS) capabilities
Create/Delete a vSphere Distributed Switch
Add/Remove ESXi hosts from a vSphere Distributed Switch
Add/Configure/Remove dvPort groups
Add/Remove uplink adapters to dvUplink groups
Configure vSphere Distributed Switch general and dvPort group settings
Create/Configure/Remove virtual adapters
Migrate virtual machines to/from a vSphere Distributed Switch
Configure LACP on Uplink portgroups
Describe vDS Security Polices/Settings
Configure dvPort group blocking policies
Configure load balancing and failover policies
Configure VLAN/PVLAN settings
Configure traffic shaping policies
Enable TCP Segmentation Offload support for a virtual machine
Enable Jumbo Frames support on appropriate components
Determine appropriate VLAN configuration for a vSphere implementation
IDENTIFY VSPHERE DISTRIBUTED SWITCH (VDS) CAPABILITIES
VMware vSphere Distributed Switch (vDS) is now in version 6 and packs in more features than previous releases of the vDS. If you're upgrading, you should upgrade the vDS to version 6.0 as well to benefit from the latest features.
The vDS separates the data plane from the management plane. The data plane resides on the ESXi host, while the management plane moves to vCenter Server. The data plane is called the host proxy switch.
NetFlow Support - NetFlow is used for troubleshooting; it picks a configurable number of samples of network traffic for monitoring.
PVLAN Support - PVLANs let you get more from VLANs (which are limited in number), and you can use these PVLANs to further segregate your traffic and increase security. (Note: Enterprise Plus licensing required! Check my detailed post on PVLANs here.)
Ingress and egress traffic shaping - Inbound/outbound traffic shaping, which allows you to throttle bandwidth to the switch.
VM Port Blocking - can block VM ports in case of viruses or for troubleshooting...
Load Based Teaming - LBT is an additional load balancing method that works off the amount of traffic a queue is sending.
Central Management across the cluster - with the vDS you create the config once and push it to all attached hosts... so you don't have to go to each host one by one...
Per Port Policy Settings - It's possible to override policies at the port level, which gives you more control.
Port State Monitoring - This feature allows each port to be monitored separately from other ports.
LLDP - Adds support for the Link Layer Discovery Protocol.
Network I/O Control - possibility to set priority on port groups and reserve bandwidth for VMs connected to that port group. Check the detailed chapter on NIOC here: Objective 2.2: Configure Network I/O Control (NIOC)
LACP Support - LACP (Link Aggregation Control Protocol) gives the ability to aggregate links together into a single link (your physical switch must support it!)
Backup/Restore Network config - It's possible to backup/restore the network config at the vDS level (Not new! It's been here since 5.1! - save and restore network config...)
Port Mirroring - Allows monitoring and can send all traffic from one port to another.
Stats stay at the VM level - statistics move with the VM even after vMotion.
CREATE /DELETE A VSPHERE DISTRIBUTED SWITCH
Create a vSphere vDS - Networking Guide on p. 27. vSphere Web Client > Networking > Right click datacenter > Distributed Switch > New Distributed Switch
Put in a name and then select the version...
Select how many uplinks, specify if you want to enable Network I/O Control and rename the default port group (not mandatory)...
ADD /REMOVE ESXI HOSTS FROM A VSPHERE DISTRIBUTED SWITCH
You can add/remove ESXi hosts from a vDS to manage their networking (or not) from a central location. The good thing is that you can analyze the impact before breaking connectivity, so you're able to see the impact in advance. The impact can be as follows:
No Impact
Important Impact
Critical Impact
Next...
ADD /CONFIGURE /REMOVE DVPORT GROUPS
Right click on the vDS > New Distributed Port Group.
To remove a port group: simple. Right click on the port group > Delete...
ADD /REMOVE UPLINK ADAPTERS TO DVUPLINK GROUPS
Again, right click is your friend... -:)
If you want to add/remove (increase or decrease) the number of uplinks you can do so by going to the properties of the vDS.
Right click on the vDS > Edit settings
And on the next screen you can do that... Note that at the same time you can give different names to your uplinks...
CONFIGURE VSPHERE DISTRIBUTED SWITCH GENERAL AND DVPORT GROUP SETTINGS
General properties of vDS can be reached via Right click on the vDS > Settings > Edit settings
Port binding properties (at the dvPortGroup level - Right click port group > Edit Settings)
Static binding - Assigns a port to a VM when the virtual machine is connected to the PortGroup.
Dynamic binding - it's kind of deprecated. For best performance use static binding.
Ephemeral – no binding
Port allocation:
Elastic - Increases or decreases on the fly... 8 at the beginning (default). Increases by 8 when needed.
Fixed - There are 128 by default.
CREATE /CONFIGURE /REMOVE VIRTUAL ADAPTERS
VMkernel adapters can be added/removed at the Networking level:
vSphere Web Client > Hosts and Clusters > Select Host > Manage > Networking > VMkernel adapters
Different VMkernel services, like:
vMotion traffic
Provisioning traffic
Fault Tolerance (FT) traffic
Management traffic
vSphere Replication traffic
vSphere Replication NFC traffic
VSAN traffic
MIGRATE VIRTUAL MACHINES TO /FROM A VSPHERE DISTRIBUTED SWITCH
Migrate VMs to vDS. Right click vDS > Migrate VM to another network
Make sure that you previously created a distributed port group with the same VLAN that the current VM is running...
(in my case the VMs run at VLAN 7)
Pick a VM...
Done!
CONFIGURE LACP ON UPLINK PORTGROUPS
LACP can be found in the Networking guide on p.65.
vSphere Web Client > Networking > vDS > Manage > Settings > LACP
Create Link Aggregation Groups (LAG)
LAG Mode can be:
Passive - where the LAG ports respond to LACP packets they receive but do not initiate LACP negotiations.
Active - where LAG ports are in active mode and they initiate negotiations with LACP Port Channel.
LAG load balancing mode (LNB mode):
Source and destination IP address, TCP/UDP port and VLAN
Source and destination IP address and VLAN
Source and destination MAC address
Source and destination TCP/UDP port
Source port ID
VLAN
Note that you must configure the LNB hashing the same way on both the virtual and the physical switch, at the LACP port channel level.
Migrate Network Traffic to Link Aggregation Groups (LAG)
DESCRIBE VDS SECURITY POLICIES/SETTINGS
Note that those security policies also exist on standard switches.
There are 3 different network security policies:
Promiscuous mode – Reject by default. If you set it to Accept, the guest OS will receive all traffic observed on the connected vSwitch or PortGroup.
MAC address changes – Reject by default. If you set it to Accept, the host will accept requests to change the effective MAC address to a different address than the initial MAC address.
Forged transmits – Reject by default. If you set it to Accept, the host does not compare the source and effective MAC addresses transmitted from a virtual machine.
Network security policies can be set on each vDS PortGroup.
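To make the three settings concrete, here is a small model of what a port lets a VM send and receive under each policy, plus an audit helper that flags any setting left at Accept. This is an added example, not code from the study guide or from VMware; the MAC addresses and port group names are constructed sample values.

```python
"""Model of the three vDS/vSwitch security policies described above.

Added example, not from the study guide or from VMware: a small simulation of
what a port with each setting lets a VM send and receive. MAC addresses and
port group names are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class SecurityPolicy:
    promiscuous_mode: bool = False     # Reject by default
    mac_address_changes: bool = False  # Reject by default
    forged_transmits: bool = False     # Reject by default


@dataclass
class VmPort:
    vm: str
    initial_mac: str  # MAC address in the .vmx file
    guest_mac: str    # MAC address the guest OS currently claims to use


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


def effective_mac(port: VmPort, policy: SecurityPolicy) -> Optional[str]:
    """Effective MAC of the port, or None when the guest changed it and changes are rejected."""
    if port.guest_mac.lower() == port.initial_mac.lower() or policy.mac_address_changes:
        return port.guest_mac.lower()
    return None


def delivers_inbound(frame: Frame, port: VmPort, policy: SecurityPolicy) -> bool:
    """Would the virtual switch hand this frame, seen on the port group, to the VM?"""
    mac = effective_mac(port, policy)
    if mac is None:
        return False  # MAC change rejected: inbound frames to the adapter are dropped
    if policy.promiscuous_mode:
        return True   # guest receives all traffic observed on the port group
    return frame.dst.lower() in (mac, BROADCAST)


def accepts_outbound(frame: Frame, port: VmPort, policy: SecurityPolicy) -> bool:
    """Would the virtual switch forward a frame the VM transmits?"""
    if policy.forged_transmits:
        return True   # host does not compare source and effective MAC
    mac = effective_mac(port, policy)
    return mac is not None and frame.src.lower() == mac


def audit(policy: SecurityPolicy, name: str) -> List[str]:
    """Findings for a port group: each policy set to Accept is worth a review."""
    return [f"{name}: {setting} is Accept" for setting, value in vars(policy).items() if value]


if __name__ == "__main__":
    strict = SecurityPolicy()
    lenient = SecurityPolicy(promiscuous_mode=True, forged_transmits=True)
    vm = VmPort("web01", "00:50:56:aa:bb:01", "00:50:56:aa:bb:01")   # constructed
    spoofed = Frame(src="00:50:56:aa:bb:99", dst="00:50:56:aa:bb:02")  # source MAC not the VM's
    print("spoofed source forwarded (strict):", accepts_outbound(spoofed, vm, strict))
    print("spoofed source forwarded (lenient):", accepts_outbound(spoofed, vm, lenient))
    for finding in audit(lenient, "dvPG-App"):
        print(finding)
```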
Configure dvPort group blocking policies
Port blocking can be enabled on a port group to block all ports on the port group
or you can configure the vDS or uplink to be blocked at the vDS level...
vSphere Web Client > Networking > vDS > Manage > Ports
And then select the port > edit settings > Miscellaneous > Override check box > set Block port to yes.
CONFIGURE LOAD BALANCING AND FAILOVER POLICIES
Load balancing algorithms can be found in the Networking Guide on p. 91.
vDS load balancing (LNB):
Route based on IP hash - The virtual switch selects uplinks for virtual machines based on the source and
destination IP address of each packet.
Route based on source MAC hash - The virtual switch selects an uplink for a virtual machine based on the
virtual machine MAC address. To calculate an uplink for a virtual machine, the virtual switch uses the virtual
machine MAC address and the number of uplinks in the NIC team.
Route based on originating virtual port - Each virtual machine running on an ESXi host has an associated
virtual port ID on the virtual switch. To calculate an uplink for a virtual machine, the virtual switch uses the
virtual machine port ID and the number of uplinks in the NIC team. After the virtual switch selects an uplink
for a virtual machine, it always forwards traffic through the same uplink for this virtual machine as long as the
machine runs on the same port. The virtual switch calculates uplinks for virtual machines only once, unless
uplinks are added or removed from the NIC team.
Use explicit failover order - No actual load balancing is available with this policy. The virtual switch always
uses the uplink that stands first in the list of Active adapters from the failover order and that passes failover
detection criteria. If no uplinks in the Active list are available, the virtual switch uses the uplinks from the
Standby list.
Route based on physical NIC load (Only available on vDS) - based on Route Based on Originating Virtual Port,
where the virtual switch checks the actual load of the uplinks and takes steps to reduce it on overloaded
uplinks. Available only for vSphere Distributed Switch. The distributed switch calculates uplinks for virtual
machines by taking their port ID and the number of uplinks in the NIC team. The distributed switch tests the
uplinks every 30 seconds, and if their load exceeds 75 percent of usage, the port ID of the virtual machine with
the highest I/O is moved to a different uplink.
Virtual switch failover order:
Active uplinks
Standby uplinks
Unused uplinks
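A simulation of the "Route based on physical NIC load" behaviour described above: ports start where "originating virtual port" would place them, and each periodic check moves the busiest port off an uplink running above 75 percent. This is an added example, not code from the study guide or from VMware; the uplink names, capacities and traffic figures are constructed, and the real algorithm has more detail than this model.

```python
"""Simulation of 'Route based on physical NIC load' as described above.

Added example, not from the study guide or from VMware: initial placement
uses the port ID and the number of uplinks (as for 'originating virtual
port'), and each periodic check moves the busiest port off any uplink whose
load exceeds 75 percent. Uplink names, capacities and the traffic figures are
constructed, and the real algorithm has more detail than this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CHECK_INTERVAL_S = 30   # page: the distributed switch tests the uplinks every 30 seconds
LOAD_THRESHOLD = 0.75   # page: load exceeding 75 percent triggers a move


@dataclass
class Uplink:
    name: str
    capacity_mbps: int
    ports: List[int] = field(default_factory=list)   # virtual port IDs pinned to this uplink


def initial_uplink(port_id: int, n_uplinks: int) -> int:
    """Originating-virtual-port placement: port ID modulo the number of uplinks in the team."""
    return port_id % n_uplinks


def place_ports(port_ids: List[int], uplinks: List[Uplink]) -> None:
    """Pin every virtual port to its initial uplink (done once, not per packet)."""
    for port_id in port_ids:
        uplinks[initial_uplink(port_id, len(uplinks))].ports.append(port_id)


def load(uplink: Uplink, traffic: Dict[int, int]) -> float:
    """Fraction of the uplink's capacity used by the ports pinned to it (traffic in Mbps)."""
    return sum(traffic.get(p, 0) for p in uplink.ports) / uplink.capacity_mbps


def rebalance(uplinks: List[Uplink], traffic: Dict[int, int],
              threshold: float = LOAD_THRESHOLD) -> List[Tuple[int, str, str]]:
    """One 30-second check; returns (port, from_uplink, to_uplink) for every port moved."""
    moves: List[Tuple[int, str, str]] = []
    if len(uplinks) < 2:
        return moves
    for src in uplinks:
        if load(src, traffic) <= threshold or len(src.ports) < 2:
            continue
        busiest = max(src.ports, key=lambda p: traffic.get(p, 0))
        dst = min((u for u in uplinks if u is not src), key=lambda u: load(u, traffic))
        # Moving only helps if the destination stays within the threshold afterwards.
        if load(dst, traffic) + traffic.get(busiest, 0) / dst.capacity_mbps > threshold:
            continue
        src.ports.remove(busiest)
        dst.ports.append(busiest)
        moves.append((busiest, src.name, dst.name))
    return moves


if __name__ == "__main__":
    team = [Uplink("vmnic0", 1000), Uplink("vmnic1", 1000)]   # constructed NIC team
    place_ports([1, 2, 3, 4], team)
    demand = {1: 500, 2: 100, 3: 400, 4: 100}                 # constructed Mbps per port
    print("before:", [(u.name, u.ports, round(load(u, demand), 2)) for u in team])
    print("moves: ", rebalance(team, demand))
    print("after: ", [(u.name, u.ports, round(load(u, demand), 2)) for u in team])
```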
CONFIGURE VLAN/PVLAN SETTINGS
Private VLANs allow further segmentation and the creation of private groups inside each VLAN. By using private VLANs (PVLANs) you split the broadcast domain into multiple isolated broadcast “subdomains”.
Private VLANs need to be configured at the physical switch level (the switch must support PVLANs) and also on the VMware vSphere Distributed Switch (Enterprise Plus is required). It's more expensive and takes a bit more work to set up.
THERE ARE DIFFERENT TYPES OF PVLANS:
PRIMARY
Promiscuous Primary VLAN – Imagine this VLAN as a kind of a router. All packets from the secondary VLANs go through this VLAN. Packets also go downstream, so this type of VLAN is used to forward packets downstream to all Secondary VLANs.
SECONDARY
Isolated (Secondary) – VMs can communicate with other devices on the Promiscuous VLAN but not with other VMs on the Isolated VLAN.
Community (Secondary) – VMs can communicate with other VMs on the Promiscuous VLAN and also with those on the same Community VLAN.
The graphic shows it all…
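The PVLAN rules above as a reachability model, so you can check which VMs can reach which before relying on the segmentation. This is an added example, not code from the study guide or from VMware; the VM names and VLAN numbers are constructed.

```python
"""Reachability model for the PVLAN types described above.

Added example, not from the study guide or from VMware: the VM names and VLAN
numbers are constructed, and the rules implement the promiscuous / isolated /
community behaviour as the page describes it (one primary VLAN per domain).
"""
from dataclasses import dataclass
from typing import Dict, List

KINDS = ("promiscuous", "isolated", "community")


@dataclass(frozen=True)
class PvlanPort:
    vm: str
    primary: int    # primary (promiscuous) VLAN this port's secondary VLAN belongs to
    secondary: int  # secondary VLAN ID; equal to the primary for a promiscuous port
    kind: str       # one of KINDS

    def __post_init__(self) -> None:
        if self.kind not in KINDS:
            raise ValueError(f"unknown PVLAN type {self.kind!r}")


def can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """True if frames between the two ports are forwarded at layer 2."""
    if a.primary != b.primary:
        return False   # different private VLAN domains never meet
    if a.kind == "promiscuous" or b.kind == "promiscuous":
        return True    # the promiscuous VLAN acts like the router for every secondary VLAN
    if a.kind == "community" and b.kind == "community":
        return a.secondary == b.secondary   # only members of the same community
    return False       # an isolated port reaches nothing but promiscuous ports


def reachability(ports: List[PvlanPort]) -> Dict[str, List[str]]:
    """For every VM, the list of other VMs it can reach."""
    return {p.vm: [q.vm for q in ports if q is not p and can_talk(p, q)] for p in ports}


def sample_ports() -> List[PvlanPort]:
    """Constructed lab: primary VLAN 100 with one isolated and two community VLANs."""
    return [
        PvlanPort("gateway", 100, 100, "promiscuous"),
        PvlanPort("web01", 100, 101, "isolated"),
        PvlanPort("web02", 100, 101, "isolated"),
        PvlanPort("db01", 100, 102, "community"),
        PvlanPort("db02", 100, 102, "community"),
        PvlanPort("app01", 100, 103, "community"),
    ]


if __name__ == "__main__":
    for vm, peers in reachability(sample_ports()).items():
        print(f"{vm:8} -> {', '.join(peers) or '(nothing)'}")
```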
CONFIGURE TRAFFIC SHAPING POLICIES
Networking Guide p.105
vDS supports both ingress and egress traffic shaping.
The traffic shaping policy is applied to each port in the port group. You can enable or disable the ingress or egress traffic shaping.
Average bandwidth in kbits (Kb) per second - Establishes the number of bits per second to allow across a port, averaged over time. This number is the allowed average load.
Peak bandwidth in kbits (Kb) per second - Maximum number of bits per second to allow across a port when it is sending or receiving a burst of traffic. This number limits the bandwidth that a port uses when it is using its burst bonus.
Burst size in kbytes (KB) per second - Maximum number of bytes to allow in a burst. If set, a port might gain a burst bonus if it does not use all its allocated bandwidth. When the port needs more bandwidth than specified by the average bandwidth, it might be allowed to temporarily transmit data at a higher speed if a burst bonus is available.
ENABLE TCP SEGMENTATION OFFLOAD SUPPORT FOR A VIRTUAL MACHINE
Use TCP Segmentation Offload (TSO) in VMkernel network adapters and virtual machines to improve the network performance in workloads that have severe latency requirements.
When TSO is enabled, the network adapter divides larger data chunks into TCP segments instead of the CPU. The VMkernel and the guest operating system can then use more CPU cycles to run applications.
By default, TSO is enabled in the VMkernel of the ESXi host, and in the VMXNET 2 and VMXNET 3 virtual machine adapters.
ENABLE JUMBO FRAMES SUPPORT ON APPROPRIATE COMPONENTS
There are many places where you can enable jumbo frames, and you should enable them end-to-end. If not, performance will not increase but rather the opposite. Jumbo frames can be enabled on a vSwitch, a vDS and a VMkernel adapter.
Jumbo frames maximum value = 9000.
DETERMINE APPROPRIATE VLAN CONFIGURATION FOR A VSPHERE IMPLEMENTATION
There are three main places or three different ways to tag frames in vSphere.
External Switch Tagging (EST) - VLAN ID is set to None or 0 and it is the physical switch that does the VLAN
tagging.
Virtual Switch Tagging (VST) - VLAN set between 1 and 4094 and the virtual switch does the VLAN tagging.
Virtual Guest Tagging (VGT) - the tagging happens in the guest OS. VLAN set to 4095 (vSwitch) or VLAN
trunking on vDS.
The best way to understand this is, I guess, this VMware document called Best Practices for Virtual Networking, from which I also "borrowed" this screenshot...
Networking is a big chapter. If I missed something, just comment or email me your suggestion. Thanks...
vSphere documentation tools
vSphere Installation and Setup Guide
vSphere Networking Guide
What’s New in the VMware vSphere® 6.0 Platform
Leveraging NIC Technology to Improve Network Performance in VMware vSphere
http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-installation-setup-guide.pdfhttp://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-installation-setup-guide.pdfhttp://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdfhttp://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdfhttp://www.vmware.com/files/pdf/vsphere/VMware-vSphere-Platform-Whats-New.pdfhttp://www.vmware.com/files/pdf/vsphere/VMware-vSphere-Platform-Whats-New.pdfhttp://www.vmware.com/files/pdf/VMware-vSphere-PNICs-perf.pdfhttp://www.vmware.com/files/pdf/VMware-vSphere-PNICs-perf.pdfhttp://www.vmware.com/files/pdf/VMware-vSphere-PNICs-perf.pdfhttp://www.vmware.com/files/pdf/vsphere/VMware-vSphere-Platform-Whats-New.pdfhttp://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-networking-guide.pdfhttp://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-installation-setup-guide.pdf
VDS Network Health Check
vSphere Client / vSphere Web Client
VCP6-DCV OBJECTIVE 2.2 - CONFIGURE NETWORK I/O CONTROL (NIOC)
VCP6-DCV study time... In no particular order I am covering the sections of the VMware VCP6-DCV blueprint to help out folks learning towards the VCP6-DCV certification exam. Due to the VMware recertification policy the VCP exam now has an expiration date. You can renew by passing the delta exam while still holding a current VCP, or by passing a VCAP exam. If you're new to virtualization and do not hold any VMware certification, the VCP is the exam to have. Today's topic: VCP6-DCV Objective 2.2 - Configure Network I/O Control (NIOC).
For the whole exam coverage I created a dedicated VCP6-DCV page. If you are just looking for how-tos, news and videos about vSphere 6, check out my vSphere 6 page. vSphere 6 grew quite big compared to the vSphere 5.5 release, but simplified deployment and management. "White boxing" got more complicated, as drivers for unsupported hardware do not always work. The vSphere Web Client is more present in this release, as the legacy C# client cannot configure advanced options and functions like SSO, FT and VSAN. Let's get started.
vSphere Knowledge
Identify Network I/O Control requirements
Identify Network I/O Control capabilities
Enable/Disable Network I/O Control
Monitor Network I/O Control
IDENTIFY NETWORK I/O CONTROL REQUIREMENTS
What is Network I/O Control? It is a mechanism that prioritizes certain traffic types on a distributed switch over others. It lets you guarantee network bandwidth to business-critical applications and VMs where they would otherwise have to "fight" for bandwidth on a shared uplink (similar to what SIOC does for storage).
THE REQUIREMENTS:
Licensing - an Enterprise Plus license is required, because NIOC depends on the vSphere Distributed Switch.
VDS only - Network I/O Control can be enabled only on a VDS, never on a standard switch.
Network I/O Control version 3 requires a VDS at version 6.0.
SR-IOV is not available for virtual machines configured to use Network I/O Control version 3.
IDENTIFY NETWORK I/O CONTROL CAPABILITIES
When enabled, NIOC divides the traffic into resource pools. Bandwidth reservations can be used to isolate network
resources for a class of traffic; for example, in a VSAN cluster you would reserve part of the bandwidth for VSAN
traffic only, no matter what happens to the other traffic.
ENABLE /DISABLE NETWORK I/O CONTROL
Where to enable it? In vSphere 6, NIOC is enabled by default when you create a new VDS.
vSphere Web Client > Networking > vDS > Manage > Resource Allocation > System traffic
Note: if you upgraded from a previous version of vSphere, you may still have the previous version of NIOC (version
2), in which case there is no "System traffic" menu. Make sure you upgrade the VDS to version 6.0.
So in our case we can see the System traffic menu. The system traffic types all default to 50 shares, except Virtual machine traffic which defaults to 100 shares. No reservations or limits are set by default.
Management traffic
VM traffic
NFS traffic
Virtual SAN traffic
iSCSI
vMotion
vSphere Replication (VR)
Fault tolerance (FT)
vSphere Data Protection (VDP) backup traffic
Shares and reservations in their default state: no limits or reservations.
BANDWIDTH ALLOCATION FOR VIRTUAL MACHINE TRAFFIC
Version 3 of Network I/O Control lets you configure bandwidth requirements for individual virtual machines. You can
also use network resource pools where you can assign a bandwidth quota from the aggregated reservation for the
virtual machine traffic and then allocate bandwidth from the pool to individual virtual machines.
Individual VMs are configured according to their bandwidth requirements in the VM's network adapter settings:
Shares - The relative priority, from 1 to 100, of the traffic through this VM network adapter against the capacity of the
physical adapter that is carrying the VM traffic to the network.
Reservation - The minimum bandwidth, in Mbps, that the VM network adapter must receive on the physical adapter.
Limit - The maximum bandwidth on the VM network adapter for traffic to other virtual machines on the same or on
another host.
Enable/Disable Network I/O Control - this is done at the vDS level.
To enable bandwidth allocation for virtual machines with Network I/O Control, configure the Virtual machine
system traffic type. The bandwidth reservation for virtual machine traffic is also used in admission control: when you power on a virtual machine, admission control verifies that enough reserved bandwidth is available, and the power-on fails if it is not.
Check the following requirements:
vSphere Distributed Switch is version 6.0.0 or later.
Network I/O Control on the switch is version 3.
Network I/O Control is enabled.
Network Resource Pools - You can create network resource pools to reserve part of the aggregated bandwidth
of the Virtual machine system traffic type across all the physical adapters connected to the VDS.
For example, if the virtual machine system traffic has 0.5 Gbps reserved on each 10 GbE uplink on a distributed switch
that has 10 uplinks, then the total aggregated bandwidth available for VM reservation on this switch is 5 Gbps. Each
network resource pool can reserve a quota of this 5 Gbps capacity.
Example from vSphere Networking Guide p.167
Create a network resource pool: Distributed switch > Manage > Resource allocation > Network resource pools > Add
Once you have created a network resource pool, you add a distributed port group to it so you can allocate bandwidth from the pool to the VMs
connected to that port group.
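The arithmetic behind the guide's 0.5 Gbps x 10 uplinks = 5 Gbps example, and the admission control it feeds, is easy to get wrong when pools and VM reservations are layered on top. The following added example (not code from the study guide or from VMware) models NIOC version 3 the way the preceding paragraphs describe it: a per-uplink reservation for the Virtual machine system traffic type is aggregated across the uplinks, network resource pools carve quotas out of that aggregate, and a VM's power-on is admitted only if its own reservation fits in its pool's remaining quota. The 75% cap on system-traffic reservations (75% of the slowest uplink) is the limit stated in the vSphere Networking Guide; the class, method names and sample numbers are constructed for this example.

```python
"""Model of NIOC v3 reservations, network resource pools and power-on admission control.

Added example, not part of the VCP6-DCV study guide or of vSphere itself.
All switch, pool and VM figures are constructed sample values in Mbps.
"""
from dataclasses import dataclass, field

# NIOC v3 rejects a system-traffic reservation above 75% of the slowest uplink's speed.
MAX_RESERVATION_FRACTION = 0.75


@dataclass
class NiocSwitch:
    uplink_speeds_mbps: list              # link speed of every physical uplink on the VDS
    vm_traffic_reservation_mbps: int      # per-uplink reservation for "Virtual machine traffic"
    pools: dict = field(default_factory=dict)            # pool name -> quota (Mbps)
    vm_reservations: dict = field(default_factory=dict)  # pool name -> {vm: reservation}

    def min_link_speed(self) -> int:
        return min(self.uplink_speeds_mbps)

    def max_reservation_allowed(self) -> int:
        """Largest per-uplink reservation NIOC accepts for one system traffic type."""
        return int(self.min_link_speed() * MAX_RESERVATION_FRACTION)

    def reservation_within_cap(self) -> bool:
        return self.vm_traffic_reservation_mbps <= self.max_reservation_allowed()

    def aggregated_vm_capacity_mbps(self) -> int:
        """Per-uplink VM reservation times the number of uplinks (the guide's 0.5 Gbps x 10 = 5 Gbps)."""
        if not self.reservation_within_cap():
            raise ValueError(f"{self.vm_traffic_reservation_mbps} Mbps exceeds the cap of "
                             f"{self.max_reservation_allowed()} Mbps per uplink")
        return self.vm_traffic_reservation_mbps * len(self.uplink_speeds_mbps)

    def free_aggregate_mbps(self) -> int:
        """Aggregate VM bandwidth not yet handed out to a network resource pool."""
        return self.aggregated_vm_capacity_mbps() - sum(self.pools.values())

    def add_pool(self, name: str, quota_mbps: int) -> bool:
        """Create a pool with a quota from the aggregate; False if the aggregate is exhausted."""
        if quota_mbps > self.free_aggregate_mbps():
            return False
        self.pools[name] = quota_mbps
        self.vm_reservations[name] = {}
        return True

    def power_on(self, pool: str, vm: str, reservation_mbps: int) -> bool:
        """Admission control: the VM's reservation must fit in the pool's remaining quota."""
        used = sum(self.vm_reservations[pool].values())
        if used + reservation_mbps > self.pools[pool]:
            return False
        self.vm_reservations[pool][vm] = reservation_mbps
        return True


if __name__ == "__main__":
    # Constructed: ten 10 GbE uplinks, 500 Mbps reserved per uplink for VM traffic.
    sw = NiocSwitch(uplink_speeds_mbps=[10_000] * 10, vm_traffic_reservation_mbps=500)
    print("aggregate VM capacity:", sw.aggregated_vm_capacity_mbps(), "Mbps")
    sw.add_pool("prod", 3000)
    sw.add_pool("test", 2000)
    print("extra pool admitted:", sw.add_pool("extra", 1))
    print("web01 power-on:", sw.power_on("prod", "web01", 2000))
    print("db01 power-on (1500):", sw.power_on("prod", "db01", 1500))
```

The model makes two failure modes visible that the UI only reports as an error: a pool quota larger than what is left of the aggregate, and a VM whose reservation would push its pool over quota, which is exactly the power-on that admission control refuses.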
Monitor Network I/O Control
You can check and monitor Network I/O Control through the vSphere Web Client: Networking > vDS > Manage > Resource
Allocation
For system traffic you can view the following metrics and details:
Network I/O Control Status (state is Enabled/Disabled)
NIOC Version
Physical network adapters details
Available bandwidth capacity
Total bandwidth capacity
Maximum reservation allowed
Configured reservation
Minimum link speed
Documentation and Tools
vSphere Installation and Setup Guide
vSphere Networking Guide
What’s New in the VMware vSphere® 6.0 Platform
Performance Evaluation of Network I/O Control in VMware vSphere 6
vSphere Client / vSphere Web Client
VCP6-DCV OBJECTIVE 2.3 – CONFIGURE VSS AND VDS POLICIES
The VCP6-DCV study guide continues today with VCP6-DCV Objective 2.3 - Configure vSS and vDS Policies.
vSphere networking is one of the tough parts to know, and this is where many IT admins have difficulties. This
chapter works hand in hand with VCP6-DCV Objective 2.1 – Configure Advanced Policies/Features and Verify
Network Virtualization Implementation.
You can also check the vSphere 6 page where you'll find many how-tos, videos and tutorials about vSphere 6. Let's get
back to today's objective.
vSphere Knowledge
Identify common vSS and vDS policies
Describe vDS Security Polices/Settings
Configure dvPort group blocking policies
Configure load balancing and failover policies
Configure VLAN/PVLAN settings
Configure traffic shaping policies
Enable TCP Segmentation Offload support for a virtual machine
Enable Jumbo Frames support on appropriate components
Determine appropriate VLAN configuration for a vSphere implementation
IDENTIFY COMMON VSS AND VDS POLICIES
Since vSphere 4 we have had vSphere distributed switches. But let's start with virtual standard switches first.
The virtual standard switches (vSS) can have following policies and settings:
Traffic shaping (outbound only)
VLANs (None, VLAN ID, All) - configured at the port group level
MTU
Teaming and failover
Security
If you set the VLAN ID to 4095 (All) on a vSS port group, all VLANs are passed through and the tagging is done at the guest
OS level (VGT).
vSphere distributed switch (vDS) policies and settings:
Traffic filtering and marking
MTU
VLANs (None, VLAN ID, VLAN trunking, PVLANs)
Monitoring (NetFlow)
Security
Traffic shaping - inbound and outbound (ingress / egress)
LACP
Port mirroring
Health check for VLAN and MTU, and for teaming and failover - checks whether the virtual switch configuration matches the physical switch.
Teaming and failover, as on vSS switches.
DESCRIBE VDS SECURITY POLICIES/SETTINGS
There are three network security policies on a vDS: Promiscuous mode, MAC address changes and Forged
transmits.
Promiscuous mode - The default is Reject on both vSS and vDS. If set to Accept, a guest OS can receive all
traffic passing through the vSwitch or port group, not just frames addressed to its own MAC, which is the classic sniffing position.
MAC address changes - The default is Reject on a vDS but Accept on a vSS. If set to Accept, the host
honours a guest request to change its effective MAC address to one different from the initial MAC address in the .vmx file; with Reject, a vNIC whose effective MAC no longer matches stops receiving frames.
Forged transmits - The default is Reject on a vDS but Accept on a vSS. With Accept, the host does not compare the source
MAC address of frames transmitted by a VM with its effective MAC address; with Reject, frames with a mismatching source MAC are dropped, which stops a guest from spoofing another machine's MAC.
Each setting can be set to Accept or Reject, either at the virtual switch level or at the port group level.
The port group level is obviously the more granular one, and a port group override takes precedence over the switch-level setting.
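Because a vSS ships with MAC address changes and forged transmits set to Accept while a vDS ships with all three set to Reject, a mixed environment tends to drift from the Reject/Reject/Reject baseline that hardening guides ask for, and port-group overrides hide that drift. The following added example (not code from the study guide or from VMware) audits an exported inventory of switches and port groups against that baseline, resolving each port group's effective policy as its override on top of the switch policy, and lets you whitelist known exceptions such as a span port group for an IDS sensor. The inventory format and sample data are constructed for this example; in practice you would fill it from PowerCLI (Get-SecurityPolicy for a vSS, Get-VDSecurityPolicy for a vDS) or the vSphere API.

```python
"""Audit vSS / vDS security policies against a Reject/Reject/Reject baseline.

Added example, not part of the VCP6-DCV study guide. The inventory format is
an assumption for this example; the sample switches below are constructed.
Port groups inherit the switch policy unless they override a setting.
"""

BASELINE = {"promiscuous": "Reject", "mac_changes": "Reject", "forged_transmits": "Reject"}

# Constructed sample: a vSS with its permissive defaults and a vDS with its secure defaults.
SAMPLE_SWITCHES = [
    {"name": "vSwitch0", "type": "vSS",
     "policy": {"promiscuous": "Reject", "mac_changes": "Accept", "forged_transmits": "Accept"},
     "portgroups": [
         {"name": "Management Network", "override": {}},
         {"name": "VM Network", "override": {"mac_changes": "Reject", "forged_transmits": "Reject"}},
     ]},
    {"name": "dvSwitch-Prod", "type": "vDS",
     "policy": {"promiscuous": "Reject", "mac_changes": "Reject", "forged_transmits": "Reject"},
     "portgroups": [
         {"name": "dvPG-App", "override": {}},
         # Deliberate: an IDS sensor port group that needs to see all traffic.
         {"name": "dvPG-IDS-Span", "override": {"promiscuous": "Accept"}},
     ]},
]


def effective_policy(switch: dict, portgroup: dict) -> dict:
    """Switch-level policy with the port group's overrides applied on top."""
    policy = dict(switch["policy"])
    policy.update(portgroup.get("override", {}))
    return policy


def audit(switches: list, exceptions=()) -> list:
    """Return one finding per (port group, setting) that deviates from BASELINE.

    exceptions: iterable of (portgroup_name, setting) pairs that are approved deviations;
    they are still reported, but marked approved so the report stays complete.
    """
    approved = set(exceptions)
    findings = []
    for sw in switches:
        for pg in sw["portgroups"]:
            eff = effective_policy(sw, pg)
            for setting, expected in BASELINE.items():
                if eff[setting] != expected:
                    findings.append({
                        "switch": sw["name"], "type": sw["type"], "portgroup": pg["name"],
                        "setting": setting, "value": eff[setting],
                        "approved": (pg["name"], setting) in approved,
                    })
    return findings


def unapproved(findings: list) -> list:
    return [f for f in findings if not f["approved"]]


if __name__ == "__main__":
    report = audit(SAMPLE_SWITCHES, exceptions={("dvPG-IDS-Span", "promiscuous")})
    for f in report:
        flag = "approved" if f["approved"] else "FIX"
        print(f"{flag:8} {f['type']} {f['switch']} / {f['portgroup']}: {f['setting']} = {f['value']}")
```

In the sample the vSS management port group inherits the permissive defaults and shows up as two findings, the VM Network port group is clean because its override restores the baseline, and the IDS span port group is reported but marked approved. Keep the exception list under review: a promiscuous port group that outlives its sensor is an open tap.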
CONFIGURE DVPORT GROUP BLOCKING POLICIES
Ports can be blocked to prohibit them from sending or receiving data. This is available only on distributed switches.
The port blocking policy is set at the port group level: vSphere Web Client > Networking > right-click a port group >
Edit settings.
The setting is under the Miscellaneous option.
You can also block an individual distributed port or uplink port: select the VDS > Manage > Ports
> select the port > Edit > tick the override box and set Block port to Yes.
CONFIGURE LOAD BALANCING AND FAILOVER POLICIES
vSphere Networking Guide on p. 93
You can configure various load balancing algorithms on a virtual switch to determine how network traffic is
distributed between the physical NICs in a team.
Route Based on Originating Virtual Port - The virtual switch selects uplinks based on the virtual machine port
IDs on the vSphere Standard Switch or vSphere Distributed Switch.
Route Based on Source MAC Hash - The virtual switch selects an uplink for a virtual machine based on the
virtual machine MAC address. To calculate an uplink for a virtual machine, the virtual switch uses the virtual
machine MAC address and the number of uplinks in the NIC team.
Route Based on IP Hash - The virtual switch selects uplinks for virtual machines based on the source and
destination IP address of each packet
Route Based on Physical NIC Load (vDS only) - Based on Route Based on Originating
Virtual Port, but the virtual switch also checks the actual load of the uplinks every 30 seconds and moves traffic away from
overloaded uplinks.
A fifth policy, available on both vSS and vDS, is Use Explicit Failover Order.
Use Explicit Failover Order - No actual load balancing is done with this policy. The virtual switch always
uses the uplink that stands first in the list of Active adapters in the failover order and that passes failover
detection. If no uplink in the Active list is available, the virtual switch uses the uplinks from the
Standby list.
NETWORK FAILOVER DETECTION OPTIONS:
Link Status only - checks link availability only: is the adapter physically up or down? It detects failures of the directly attached link (cable pulls, switch port down) but
cannot detect failures further upstream, such as a misconfigured or failed switch beyond the first hop.
Beacon Probing - sends out and listens for beacon probes on all NICs in the team, and uses the result together with
link status to determine whether there is a link failure further upstream. Beacon probing should not be used with
the IP hash load balancing policy or on virtual switches that have fewer than 3 uplinks. Unused