vi3 301 201 server config

8/9/2019 Vi3 301 201 Server Config

1/312

Server Configuration GuideESX Server 3.0.1 and VirtualCenter 2.0.1


2/312

VMware, Inc.3401 Hillview Ave.Palo Alto, CA 94304www.vmware.com

2 VMware, Inc.

Server Configuration Guide

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

[email protected]

20072009 VMware, Inc. All rights reserved. This product is protected by U.S. and internationalcopyright and intellectual property laws. VMware products are covered by one or more patents listed

at http://www.vmware.com/go/patents.

VMware, the VMware boxes logo and design, Virtual SMP, and VMotion are registered trademarks ortrademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and namesmentioned herein may be trademarks of their respective companies.


Revision: 20090814Item: VI-ENG-Q206-215
http://www.vmware.com/supportmailto:[email protected]:[email protected]://www.vmware.com/supporthttp://www.vmware.com/support/


3/312

VMware, Inc. 3

Contents

Preface 11

1 Introduction 15Networking 15

Storage 16

Security 16

Appendixes 17

Networking

2 Networking 21NetworkingConcepts 22

ConceptsOverview 22

VirtualSwitches 23

PortGroups 26

NetworkServices 27

ViewingNetworkingInformationintheVI Client 27

NetworkingTasks 29

VirtualNetworkConfigurationforVirtualMachines 29

VMkernelConfiguration 33

TCP/IPStackattheVirtualMachineMonitorLevel 34

ImplicationsandGuidelines 34

ServiceConsoleConfiguration 37

BasicServiceConsoleConfigurationTasks 37

UsingDHCPfortheServiceConsole 43

3 AdvancedNetworking 45AdvancedNetworkingTasks 46

VirtualSwitchConfiguration 46

VirtualSwitchProperties 46

EditingVirtualSwitchProperties 46


4/312


4 VMware, Inc.

VirtualSwitchPolicies 53

Layer2SecurityPolicy 53

TrafficShapingPolicy 55

LoadBalancingandFailoverPolicy 56

PortGroupConfiguration 60

DNSandRouting 62

SettingUpMACAddresses 64

MACAddressesGeneration 65

SettingMACAddresses 66

UsingMACAddresses 66

NetworkingTipsandBestPractices 67

NetworkingBestPractices 67

MountingNFSVolumes 67

NetworkingTips 68

4 NetworkingScenariosandTroubleshooting 69

NetworkingConfiguration

for

Software

iSCSI

Storage 70

ConfiguringNetworkingonBladeServers 76

Troubleshooting 80

TroubleshootingServiceConsoleNetworking 80

TroubleshootingNetworkAdapterConfiguration 82

TroubleshootingPhysicalSwitchConfiguration 82

TroubleshootingPortGroupConfiguration 82

Storage

5 IntroductiontoStorage 87StorageConcepts 88

StorageOverview 89

Datastores

and

File

Systems 90FileSystemFormats 91

TypesofStorage 91

SupportedStorageAdapters 92

HowVirtualMachinesAccessStorage 92

ViewingStorageInformationintheVirtualInfrastructureClient 93

DisplayingDatastores 94

ViewingStorageAdapters 95

UnderstandingStorageDeviceNamingintheDisplay 96


5/312

VMware, Inc. 5

Contents

VMwareFileSystem 97

VMFSVersions 97

CreatingandGrowingVMFS 98

ConsiderationswhenCreatingVMFS 98

VMFSSharingCapabilities 99

StoringMultipleVirtualMachinesonaVMFSVolume 99

SharingaVMFSVolumeAcrossESXServers 100

ConfiguringandManagingStorage 101

6 Configuring

Storage 103LocalSCSIDiskStorage 104AddingLocalSCSIStorage 104

FibreChannelStorage 106

AddingFibreChannelStorage 108

iSCSIStorage 110

AboutiSCSIStorage 110

iSCSIInitiators 110

NamingRequirements 112

DiscoveryMethods 112

iSCSISecurity 112

ConfiguringHardwareInitiatediSCSIStorage 113

InstallingiSCSIHardwareInitiator 113

ViewingiSCSIHardwareInitiator 113

ConfiguringiSCSI

Hardware

Initiator 115

AddingHardwareInitiatediSCSIStorage 120

ConfiguringSoftwareInitiatediSCSIStorage 121

ViewingSoftwareiSCSIInitiator 122

ConfiguringiSCSISoftwareInitiator 124

AddingSoftwareInitiatediSCSIStorage 129

PerformingaRescan 131

NetworkAttached

Storage 132

SharedStorageCapabilities 133

HowVirtualMachinesUseNFS 133

NFSVolumesandVirtualMachineDelegateUsers 134

ConfiguringESXServertoAccessNFSVolumes 135

CreatinganNFSBasedDatastore 135


6/312


6 VMware, Inc.

7 ManagingStorage 137ManagingDatastoresandFileSystems 138

Adding

New

Datastores 138RemovingExistingDatastores 139

EditingExistingVMFSbasedDatastores 139

UpgradingDatastores 139

ChangingtheNamesofDatastores 140

AddingExtentstoDatastores 141

ManagingPathsforFibreChannelandiSCSI 143

ViewingtheCurrentMultipathingState 145

ActivePaths 146

SettingMultipathingPoliciesforLUNs 147

DisablingandEnablingPaths 148

SettingthePreferredPath(FixedPathPolicyOnly) 149

ThevmkfstoolsCommands 150

8 RawDeviceMapping 151AboutRawDeviceMapping 152

Terminology 153

BenefitsofRawDeviceMapping 153

LimitationsofRawDeviceMapping 156

RawDeviceMappingCharacteristics 156

VirtualCompatibilityModeVersusPhysicalCompatibilityMode 157

DynamicNameResolution 158

RawDeviceMappingwithVirtualMachineClusters 160ComparingRawDeviceMappingtoOtherMeansofSCSIDeviceAccess 160

ManagingMappedLUNs 161

VMwareVirtualInfrastructureClient 161

MappingaSANLUN 161

ManagingPathsforaMappedRawLUN 163

ThevmkfstoolsUtility 164

FileSystemOperations 164

Security

9 SecurityforESXServerSystems 167ESXServerArchitectureandSecurityFeatures 168

SecurityandtheVirtualizationLayer 168SecurityandVirtualMachines 168


7/312

VMware, Inc. 7

Contents

SecurityandtheServiceConsole 171

SecurityandtheVirtualNetworkingLayer 173

SecurityResourcesandInformation 179

10 SecuringanESXServerConfiguration 181SecuringtheNetworkwithFirewalls 181

FirewallsforConfigurationswithaVirtualCenterServer 182

FirewallsforConfigurationsWithoutaVirtualCenterServer 185

TCPandUDPPortsforManagementAccess 187

ConnectingtoVirtualCenterServerThroughaFirewall 189

ConnectingtotheVirtualMachineConsoleThroughaFirewall 189

ConnectingESXServerHostsThroughFirewalls 191

OpeningFirewallPortsforSupportedServicesandManagementAgents 192

SecuringVirtualMachineswithVLANs 194

SecurityConsiderationsforVLANs 197

VirtualSwitchProtectionandVLANs 199

SecuringVirtualSwitchPorts 201

SecuringiSCSIStorage 203SecuringiSCSIDevicesThroughAuthentication 204

ProtectinganiSCSISAN 208

11 AuthenticationandUserManagement 211SecuringESXServerThroughAuthenticationandPermissions 211

AboutUsers,Groups,Permissions,andRoles 213

UnderstandingUsers 214

UnderstandingGroups 215

UnderstandingPermissions 215

UnderstandingRoles 217

WorkingwithUsersandGroupsonESXServerHosts 219

ViewingandExportingUsersandGroupInformation 219

WorkingwiththeUsersTable 221

WorkingwiththeGroupsTable 224

EncryptionandSecurityCertificatesforESXServer 227

AddingCertificatesandModifyingESXServerWebProxySettings 227

RegeneratingCertificates 232

VirtualMachineDelegatesforNFSStorage 232

12 Service

Console

Security 237GeneralSecurityRecommendations 238


8/312


8 VMware, Inc.

LoggingOntotheServiceConsole 239

ServiceConsoleFirewallConfiguration 239

ChangingtheServiceConsoleSecurityLevel 240

OpeningandClosingPortsintheServiceConsoleFirewall 242

PasswordRestrictions 243

PasswordAging 244

PasswordComplexity 245

ChangingthePasswordPlugin 250

CipherStrength 251

setuidandsetgidApplications 252

DefaultsetuidApplications 252DefaultsetgidApplications 254

SSHSecurity 254

SecurityPatchesandSecurityVulnerabilityScanningSoftware 256

13 SecurityDeploymentsandRecommendations 259SecurityApproachesforCommonESXServerDeployments 259

SingleCustomerDeployment 259

MultipleCustomerRestrictedDeployment 261

MultipleCustomerOpenDeployment 263

VirtualMachineRecommendations 265

InstallingAntivirusSoftware 265

DisablingCopyandPasteOperationsBetweentheGuestOperatingSystemandRemoteConsole 265

RemovingUnnecessaryHardwareDevices 266PreventingtheGuestOperatingSystemProcessesfromFloodingtheESXServer

Host 269

DisablingLoggingfortheGuestOperatingSystem 270

Appendixes

A ESXTechnicalSupportCommands 275OtherCommands 280

B Usingvmkfstools 281vmkfstoolsCommandSyntax 282

vSuboption 283

vmkfstoolsOptions 283FileSystemOptions 284


9/312

VMware, Inc. 9

Contents

CreatingaVMFSFileSystem 284

ExtendinganExistingVMFS3Volume 285

ListingAttributesofaVMFSVolume 285

UpgradingaVMFS2toVMFS3 286

VirtualDiskOptions 287

SupportedDiskFormats 288

CreatingaVirtualDisk 288

InitializingaVirtualDisk 289

InflatingaThinVirtualDisk 289

DeletingaVirtualDisk 289

RenamingaVirtualDisk 289

CloningaVirtualorRawDisk 290

MigratingVMwareWorkstation andVMwareGSXServerVirtualMachines 290

ExtendingaVirtualDisk 291

MigratingaVMFS2VirtualDisktoVMFS3 291

Creating

a

Virtual

Compatibility

Mode

Raw

Device

Mapping 291ListingAttributesofanRDM 292

CreatingaPhysicalCompatibilityModeRawDeviceMapping 292

CreatingaRawDeviceDescriptorFile 292

DisplayingVirtualDiskGeometry 293

DeviceOptions 293

ScanningAdapters 293

ManagingSCSI

Reservations

of

LUNs 294

ExamplesUsingvmkfstools 295

CreateaNewVMFS3FileSystem 295

AddaPartitiontoVMFS3FileSystem 295

CreateaNewVirtualDisk 295

CloneaVirtualDisk 296

CreateaRawDeviceMapping 296

ScananAdapterforChanges 296

Index 297


10/312


10 VMware, Inc.


11/312

VMware, Inc. 11

ThisprefacedescribesthecontentsoftheServerConfigurationGuideandprovidespointerstoVMwaretechnicalandeducationalresources.

This

preface

contains

the

following

topics: AboutThisBookonpage 11

TechnicalSupportandEducationResourcesonpage 14

About This Book

Thismanual,theServerConfigurationGuide,providesinformationonhowtoconfigurenetworkingforESXServer,includinghowtocreatevirtualswitchesandportsandhowtosetupnetworkingforvirtualmachines,VMotion,IPstorage,andtheserviceconsole.

ItalsocoversconfiguringfilesystemandvarioustypesofstoragesuchasiSCSI,Fibre

Channel,andsoforth.TohelpyouprotectyourESXServerinstallation,theguide

providesadiscussionofsecurityfeaturesbuiltintoESXServerandthemeasuresyou

cantaketosafeguarditfromattack.Inaddition,itincludesalistofESXServertechnical

supportcommandsalongwiththeirVIClientequivalentsandadescriptionofthe

vmkfstoolsutility.

Preface


12/312


12 VMware, Inc.

Revision History

Thismanualisrevisedwitheachreleaseoftheproductorwhennecessary.Arevised

versioncan

contain

minor

or

major

changes.

Table P

1provides

you

with

the

revision

historyofthismanual.

Intended Audience

Thismanualisintendedforanyonewhoneedstoinstall,upgrade,oruseESXServer3.

TheinformationinthismanualiswrittenforexperiencedWindowsorLinuxsystem

administratorswhoarefamiliarwithvirtualmachinetechnologyanddatacenteroperations.

Document Feedback

Ifyouhavecommentsaboutthisdocumentation,submityourfeedbackto:

[email protected]

VMware Infrastructure Documentation

TheVMwareInfrastructuredocumentationconsistsofthecombinedVirtualCenterand

ESXServerdocumentationset.

Youcanaccessthemostcurrentversionsofthismanualandotherbooksbygoingto:

http://www.vmware.com/support/pubs

Table P-1. Revision History

Revision Description

20060615 ESXServer3.0andVirtualCenter2.0versionoftheVMwareInfrastructure3ServerConfigurationGuide.Thisisthefirsteditionofthismanual.

20060925 ESXServer

3.0.1

and

VirtualCenter

2.0.1

version

of

the

VMware

Infrastructure 3ServerConfigurationGuide.Thiseditionincludesminorchangestostorageandnetworkingconfigurationinformation.
mailto:[email protected]://www.vmware.com/support/pubshttp://www.vmware.com/support/pubsmailto:[email protected]


13/312

VMware, Inc. 13

Preface

Conventions

Table P2illustratesthetypographicconventionsusedinthismanual.

Abbreviations Used in Graphics

Thegraphics

in

this

manual

use

the

abbreviations

listed

in

Table P

3.

Table P-2. Conventions Used in This Manual

Style Elements

Blue(onlineonly) Crossreferencesandemailaddresses

Blueboldface(onlineonly) Links

Blackboldface Userinterfaceelementssuchasbuttonnamesandmenuitems

Monospace Commands,filenames,directories,andpaths

Monospace bold Userinput

Italic Documenttitles,glossaryterms,andoccasionalemphasis

Variableandparameternames

Table P-3. Abbreviations

Abbreviation Description

VC VirtualCenter

VI VirtualInfrastructureClient

server VirtualCenterServer

database VirtualCenterdatabase

hostn VirtualCentermanagedhosts

VM# Virtualmachinesonamanagedhost

user# Userwithaccesspermissions

dsk# Storagediskforthemanagedhost

datastore Storageforthemanagedhost

SAN Storageareanetworktypedatastoresharedbetweenmanagedhosts

tmplt Template


14/312


14 VMware, Inc.

Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.

Self-Service Support

UsetheVMwareTechnologyNetwork(VMTN)forselfhelptoolsandtechnical

information:

Productinformationhttp://www.vmware.com/products/

Technologyinformationhttp://www.vmware.com/vcommunity/technology

Documentationhttp://www.vmware.com/support/pubs

VMTNKnowledgeBasehttp://www.vmware.com/support/kb

Discussionforumshttp://www.vmware.com/community

Usergroupshttp://www.vmware.com/vcommunity/usergroups.html

FormoreinformationabouttheVMwareTechnologyNetwork,goto

http://www.vmtn.net.

Online and Telephone Support

Useonlinesupporttosubmittechnicalsupportrequests,viewyourproductand

contractinformation,andregisteryourproducts.Goto

http://www.vmware.com/support .

Customerswithappropriatesupportcontractsshouldusetelephonesupportforthefastestresponseonpriority1issues.Goto

http://www.vmware.com/support/phone_support.html .

Support Offerings

FindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds.Goto

http://www.vmware.com/support/services.

VMware Education Services

VMwarecoursesofferextensivehandsonlabs,casestudyexamples,andcourse

materialsdesignedtobeusedasonthejobreferencetools.Formoreinformationabout

VMwareEducationServices,gotohttp://mylearn1.vmware.com/mgrreg/index.cfm.
http://www.vmware.com/products/http://www.vmware.com/vcommunity/technologyhttp://www.vmware.com/support/pubshttp://www.vmware.com/support/kbhttp://www.vmware.com/communityhttp://www.vmware.com/vcommunity/usergroups.htmlhttp://www.vmware.com/vcommunityhttp://www.vmware.com/supporthttp://www.vmware.com/support/phone_support.htmlhttp://www.vmware.com/support/serviceshttp://mylearn1.vmware.com/mgrreg/index.cfmhttp://mylearn1.vmware.com/mgrreg/index.cfmhttp://mylearn1.vmware.com/mgrreg/index.cfmhttp://www.vmware.com/support/serviceshttp://www.vmware.com/support/phone_support.htmlhttp://www.vmware.com/supporthttp://www.vmware.com/vcommunityhttp://www.vmware.com/vcommunity/usergroups.htmlhttp://www.vmware.com/communityhttp://www.vmware.com/support/kbhttp://www.vmware.com/support/pubshttp://www.vmware.com/vcommunity/technologyhttp://www.vmware.com/products/


15/312

VMware, Inc. 15

1

TheServerConfigurationGuidedescribesthetasksyouneedtocompletetoconfigureESXServerhostnetworking,storage,andsecurity.Inaddition,itprovidesoverviews,

recommendations,andconceptualdiscussionstohelpyouunderstandthesetasksand

howtodeployanESXServerhosttomeetyourneeds.BeforeusingtheinformationintheServerConfigurationGuide,readtheIntroductiontoVirtualInfrastructureforanoverviewofsystemarchitectureandthephysicalandvirtualdevicesthatmakeupa

VirtualInfrastructuresystem.

Thisintroductionsummarizesthecontentsofthisguidesothatyoucanfindthe

informationyouneed.Thisguidecoversthesesubjects:

ESX

Server

network

configurations ESXServerstorageconfigurations

ESXServersecurityfeatures

ESXcommandreference

Thevmkfstoolscommand

Networking

TheESXServernetworkingchaptersprovideyouwithaconceptualunderstandingof

physicalandvirtualnetworkconcepts,adescriptionofthebasictasksyouneedto

completetoconfigureyourESXServerhostsnetworkconnections,andadiscussionof

advancednetworkingtopicsandtasks.Thenetworkingsectioncontainsthefollowing

chapters:

Introduction

1


16/312


16 VMware, Inc.

NetworkingIntroducesyoutonetworkconceptsandguidesyouthroughthe

mostcommontasksyouneedtocompletewhensettingupthenetworkfortheESX

Serverhost.

AdvancedNetworkingCoversadvancednetworkingtaskssuchassettingup

MACaddresses,editingvirtualswitchesandports,andDNSrouting.Inaddition,

itprovidestipsonmakingyournetworkconfigurationmoreefficient.

NetworkingScenariosandTroubleshootingDescribescommonnetworking

configurationandtroubleshootingscenarios.

StorageTheESXServerstoragechaptersprovideyouwithabasicunderstandingofstorage,a

descriptionofthebasictasksyouperformtoconfigureandmanageyourESXServer

hostsstorage,andadiscussionofhowtosetuprawdevicemapping.Thestorage

sectioncontainsthefollowingchapters:

IntroductiontoStorageIntroducesyoutothetypesofstorageyoucan

configurefortheESXServerhost.

ConfiguringStorageExplainshowtoconfigurelocalSCSIstorage,Fibre

Channelstorage,andiSCSIstorage.ItalsoaddressesVMFSstorageand

networkattachedstorage.

ManagingStorageExplainshowtomanageexistingdatastoresandthefile

systemsthatcomprisedatastores.

Raw

Device

MappingDiscusses

raw

device

mapping,

how

to

configure

this

typeofstorage,andhowtomanagerawdevicemappingsbysettingup

multipathing,failover,andsoforth.

Security

TheESXServersecuritychaptersdiscusssafeguardsVMwarehasbuiltintoESXServer

andmeasuresyoucantaketoprotectyourESXServerhostfromsecuritythreats.These

measuresincludeusingfirewalls,leveragingthesecurityfeaturesofvirtualswitches,andsettingupuserauthenticationandpermissions.Thesecuritysectioncontainsthe

followingchapters:

SecurityforESXServerSystemsIntroducesyoutotheESXServerfeatures

thathelpyouensureasecureenvironmentforyourdataandgivesyouan

overviewofsystemdesignasitrelatestosecurity.

Securing

an

ESX

Server

Configuration

Explains

how

to

configure

firewall

portsforESXServerhostsandVMwareVirtualCenter,howtousevirtualswitches


17/312

VMware, Inc. 17

Chapter 1 Introduction

andVLANstoensurenetworkisolationforvirtualmachines,andhowtosecure

iSCSIstorage.

Authentication

and

User

Management

Discusses

how

to

set

up

users,

groups,

permissions,androlestocontrolaccesstoESXServerhostsandVirtualCenter.It

alsodiscussesencryptionanddelegateusers.

ServiceConsoleSecurityDiscussesthesecurityfeaturesbuiltintotheservice

consoleandshowsyouhowtoconfigurethesefeatures.

SecurityDeploymentsandRecommendations Providessomesample

deploymentstogiveyouanideaoftheissuesyouneedtoconsiderwhensetting

upyourownESXServerdeployment.Thischapteralsotellsyouaboutactionsyoucantaketofurthersecurevirtualmachines.

Appendixes

TheServerConfigurationGuideincludesappendixesthatprovidespecializedinformationyoumayfindusefulwhenconfiguringanESXServerhost.

ESXTechnical

Support

CommandsCoverstheESXServerconfiguration

commandsthatcanbeissuedthroughacommandlineshellsuchasSSH.While

thesecommandsareavailableforyouruse,youshouldnotconsiderthemtobean

APIuponwhichyoucanbuildscripts.Thesecommandsaresubjecttochangeand

VMwaredoesnotsupportapplicationsandscriptsthatrelyonESXServer

configurationcommands.ThisappendixprovidesyouwithVMwareVirtual

InfrastructureClientequivalentsforthesecommands.

UsingvmkfstoolsCoversthevmkfstoolsutility,whichyoucanusetoperform

managementandmigrationtasksforiSCSIdisks.


18/312


18 VMware, Inc.


19/312

VMware, Inc. 19

Networking

S C fi ti G id


20/312


20 VMware, Inc.


21/312

VMware, Inc. 21

2

ThischapterguidesyouthroughthebasicconceptsofnetworkingintheESX Server

environmentandhowtosetupandconfigureanetworkinavirtualinfrastructure

environment.

UsetheVirtualInfrastructure(VI)Clienttoaddnetworkingbasedonthreecategories

thatreflectthethreetypesofnetworkservices:

Virtualmachines

VMkernel

Serviceconsole

Thischaptercoversthefollowingtopics:

NetworkingConceptsonpage 22

NetworkServicesonpage 27

ViewingNetworkingInformationintheVI Clientonpage 27

NetworkingTasksonpage 29

VirtualNetworkConfigurationforVirtualMachinesonpage 29

VMkernelConfigurationonpage 33

ServiceConsoleConfigurationonpage 37

Networking

2


22/312

Chapter 2 Networking


23/312

VMware, Inc. 23

p g

tothenetwork.Intypicaluse,oneormoreportgroupsisassociatedwithasingle

vSwitch.Formoreinformationonportgroups,seePortGroupsonpage 26.

NICteamingoccurswhenmultipleuplinkadaptersareassociatedwithasinglevSwitchtoformateam.Ateamcaneithersharetheloadoftrafficbetweenphysicalandvirtual

networksamongsomeorallofitsmembersorprovidepassivefailoverintheeventof

ahardwarefailureoranetworkoutage.

VLANsenableasinglephysicalLANsegmenttobefurthersegmentedsothatgroups

ofportsareisolatedfromoneanotherasiftheywereonphysicallydifferentsegments.

802.1Qisthestandard.

TheVMkernelTCP/IPnetworkingstacksupportsiSCSI,NFS,andVMotion.VirtualmachinesruntheirownsystemsTCP/IPstacks,andconnecttotheVMkernelatthe

Ethernetlevelthroughvirtualswitches.TwonewfeaturesinESX Server3,iSCSIand

NFS,arereferredasIPstorageinthischapter.IPstoragereferstoanyformofstoragethatusesTCP/IPnetworkcommunicationasitsfoundation.iSCSIcanbeusedasa

virtualmachinedatastore,andNFScanbeusedasavirtualmachinedatastoreandfor

directmountingof.ISOfiles,whicharepresentedasCDROMstovirtualmachines.

MigrationwithVMotionenablesapoweredonvirtualmachinetobetransferredfromoneESX Serverhosttoanotherwithoutshuttingdownthevirtualmachine.The

optionalVMotionfeaturerequiresitsownlicensekey.

Virtual Switches

VirtualInfrastructure(VI)Clientletsyoucreateabstractednetworkdevicescalled

virtualswitches(vSwitches).AvSwitchcanroutetrafficinternallybetweenvirtual

machinesandlinktoexternalnetworks.

Usevirtualswitchestocombinethebandwidthofmultiplenetworkadaptersand

balancecommunicationstrafficamongthem.Theycanalsobeconfiguredtohandle

physicalNICfailover.

AvSwitchmodelsaphysicalEthernetswitch.Thedefaultnumberoflogicalportsfora

vSwitchis56.However,avSwitchcanbecreatedwithupto1016portsinESX Server

3.0.Youcanconnectonenetworkadapterofavirtualmachinetoeachport.Eachuplink

adapterassociated

with

avSwitch

uses

one

port.

Each

logical

port

on

the

vSwitch

is

a

NOTE ThenetworkingchapterscoverhowtosetupnetworkingforiSCSIandNFS.To

configurethestorageportionofiSCSIandNFS,seethestoragechapters.

NOTE Youcancreateamaximumof248vSwitchesonasinglehost.(SEEUPDATE)



24/312

24 VMware, Inc.

memberofasingleportgroup.EachvSwitchcanalsohaveoneormoreportgroups

assignedtoit.SeePortGroupsonpage 26.

Beforeyoucanconfigurevirtualmachinestoaccessanetwork,youmustcreateatleast

onevSwitch.WhentwoormorevirtualmachinesareconnectedtothesamevSwitch,

networktrafficbetweenthemisroutedlocally.Ifanuplinkadapterisattachedtothe

vSwitch,eachvirtualmachinecanaccesstheexternalnetworkthattheadapteris

connectedtoasshowninFigure 21.

Figure 2-1. Virtual Switch Connections

IntheVI Client,thedetailsfortheselectedvSwitcharepresentedasaninteractive

diagramasshowninFigure 22.ThemostimportantinformationforeachvSwitchis

alwaysvisible.



25/312

VMware, Inc. 25

Figure 2-2. Virtual Switch Interactive Diagram

Clickthebluespeechicontoselectivelyrevealsecondaryandtertiaryinformation.

ApopupwindowdisplaysdetailedpropertiesasshowninFigure 23.

blue speech icon



26/312

26 VMware, Inc.

Figure 2-3. Virtual Switch Detailed Properties

Port GroupsPortgroupsaggregatemultipleportsunderacommonconfigurationandprovidea

stableanchorpointforvirtualmachinesconnectingtolabelednetworks.Eachport

groupisidentifiedbyanetworklabel,whichisuniquetothecurrenthost.AVLANID,

whichrestrictsportgrouptraffictoalogicalEthernetsegmentwithinthephysical

network,isoptional.

Labelednetworksareproperlyconfiguredonlywhenallportgroupsusingthesame

networklabelareabletoseethesamebroadcasttraffic.BecauseaVLANcanrestrict

visibilityonaphysicalnetwork,itmightbenecessarytosynchronizethenetworklabel

andVLANIDcontrolswhenoneofthemischanged.Morethanoneportgroupcanuse

thesameVLANID.

NOTE Youcan

create

amaximum

of

512

port

groups

on

asingle

host.

NOTE InorderforaportgrouptoreachportgroupslocatedonotherVLANs,youmustset

theVLANIDto4095.



27/312

VMware, Inc. 27

Network Services

YouneedtoenabletwotypesofnetworkservicesinESX Server:

Connectingvirtualmachinestothephysicalnetwork

ConnectingVMkernelservices(suchasNFS,iSCSI,orVMotion)tothephysical

network

Theserviceconsole,whichrunsthemanagementservices,issetupbydefaultduring

theinstallationofESX Server.

Viewing Networking Information in the VI ClientTheVIClientdisplaysbothgeneralnetworkinginformationandinformationspecific

tonetworkadapters.

To view general networking information in the VI Client

1 LogontotheVMwareVI Clientandselecttheserverfromtheinventorypanel.

Thehardwareconfigurationpageforthisserverappears.

2 ClicktheConfigurationtab,andclickNetworking.

ThenetworkingpaneldisplaysthefollowinginformationasshowninFigure 24:

Virtualswitches

Adapterinformationforeachadapter

Linkstatus

Apparentspeedandduplex

ServiceconsoleandVMkernelTCP/IPservices

IPaddress

Serviceconsole

Virtualdevicename

Virtualmachines

Powerstatus

Connectionstatus

Portgroup

Networklabelcommontoallthreeportconfigurationtypes


28/312



29/312

VMware, Inc. 29

vSwitchvSwitchthatthenetworkadapterisassociatedwith

NetworksIPaddressesthatthenetworkadapterhasaccessto

Networking Tasks

Thischapteroutlineshowtoperformthefollowingnetworkingtasks

Tocreateoraddavirtualnetworkforavirtualmachineonpage 30

Settingtheconnectiontypeforavirtualmachine.

Addingthevirtualnetworktoaneworanexistingvirtualswitch.

ConfiguringthenetworklabelandVLANIDconnectionsettings.

TosetuptheVMkernelonpage 34

SettingtheconnectiontypefortheVMkernel.


Configuringthenetworklabel,VLANID,TCP/IP,andgatewayconnection

settings.

Toconfigureserviceconsolenetworkingonpage 37

Settingtheconnectiontypefortheserviceconsole.


Configuringthenetworklabel,VLANID,DHCP/StaticIP,andgateway

connectionsettings.

Tosetthedefaultgatewayonpage 41

Todisplayserviceconsoleinformationonpage 43

Virtual Network Configuration for Virtual Machines

TheVI ClientAddNetworkWizardstepsyouthroughthetaskstocreateavirtual

networkforavirtualmachine.Thesetasksinclude:

Settingtheconnectiontypeforavirtualmachine

AddingthevirtualnetworktoaneworanexistingvSwitch

ConfiguringtheconnectionsettingsforthenetworklabelandtheVLANID

Whensettingupvirtualmachinenetworks,considerwhetheryouwanttomigratethe

virtualmachinesinthenetworkbetweenESXServerhosts.Ifso,besurethatbothhostsareinthesamebroadcastdomainthatis,thesameLayer2subnet.



30/312

30 VMware, Inc.

ESXServerdoesntsupportvirtualmachinemigrationbetweenhostsindifferent

broadcastdomainsbecausethemigratedvirtualmachinemightrequiresystemsand

resourcesthatitwouldnolongerhaveaccesstobyvirtueofbeingmovedtoaseparate

network.Even

if

your

network

configuration

is

set

up

as

ahigh

availability

environmentorincludesintelligentswitchescapableofresolvingthevirtualmachines

needsacrossdifferentnetworks,youmayexperiencelagtimesastheARPtable

updatesandresumesnetworktrafficforthevirtualmachines.

To create or add a virtual network for a virtual machine




3 Ontherightsideofthescreen,clickAddNetworking.

Virtualswitchesarepresentedinanoverviewplusdetailslayout.

4 Click

Add

Networking

from

the

Configuration

tab.TheAddNetworkWizardappears.

5 Acceptthedefaultconnectiontype,VirtualMachines.

VirtualMachinesletsyouaddalabelednetworktohandlevirtualmachine

networktraffic.

NOTE TheAddNetworkWizardisreusedfornewportsandportgroups.



31/312

VMware, Inc. 31

6 ClickNext.

TheNetworkAccessscreenappears.

Virtualmachinesreachphysicalnetworksthroughuplinkadapters.AvSwitchis

abletotransferdataonlytoexternalnetworkswhenoneormorenetworkadapters

areattachedtoit.WhentwoormoreadaptersareattachedtoasinglevSwitch,they

aretransparentlyteamed.

7 SelectCreateavirtualswitch.

YoucancreateanewvSwitchwithorwithoutEthernetadapters.

IfyoucreateavSwitchwithoutphysicalnetworkadapters,thenalltrafficonthat

vSwitchwillbeconfinedtothatvSwitch.Nootherhostsonthephysicalnetwork

orvirtualmachinesonothervSwitcheswillbeabletosendorreceivetrafficover

thisvSwitch.Youmightdothisifyouwantagroupofvirtualmachinestobeable

tocommunicatewitheachother,butnotwithotherhostsorwithvirtualmachines

outsidethegroup.

Changesappear

in

the

Preview

pane.

8 ClickNext.

TheConnectionSettingsscreenappears.



32/312

32 VMware, Inc.

9 UnderPortGroupProperties,enteranetworklabelthatidentifiestheportgroup

thatyouarecreating.

Usenetworklabelstoidentifymigrationcompatibleconnectionscommontotwoormorehosts.

10 IfyouareusingaVLAN,intheVLANIDfield,enteranumberbetween1and

4094.

Ifyouareunsurewhattoenter,leavethisblankoraskyournetworkadministrator.

Ifyouenter0orleavethefieldblank,theportgroupcanseeonlyuntagged

(nonVLAN)traffic.Ifyouenter4095,theportgroupcanseetrafficonanyVLANwhileleavingtheVLANtagsintact.



33/312

VMware, Inc. 33

11 ClickNext.

TheReadytoCompletescreenappears.

12 AfteryouhavedeterminedthatthevSwitchisconfiguredcorrectly,clickFinish.

VMkernel ConfigurationMovingavirtualmachinefromonehosttoanotheriscalledmigration.Migratinga

poweredonvirtualmachineiscalledVMotion.MigrationwithVMotion,designedto

beusedbetweenhighlycompatiblesystems,letsyoumigratevirtualmachineswithno

downtime.YourVMkernelnetworkingstackmustbesetupproperlytoaccommodate

VMotion.

IPStoragereferstoanyformofstoragethatusesTCP/IPnetworkcommunicationasitsfoundation,whichincludesiSCSIandNASforESX Server.Becausebothofthese

storagetypesarenetworkbased,bothtypescanusethesameportgroup.

ThenetworkservicesprovidedbytheVMkernel(iSCSI,NFS,andVMotion)usea

TCP/IPstackintheVMkernel.ThisTCP/IPstackiscompletelyseparatefromthe

TCP/IPstackusedintheserviceconsole.EachoftheseTCP/IPstacksaccessesvarious

networksbyattachingtooneormoreportgroupsononeormorevSwitches.

NOTE Toenablefailover(NICteaming),bindtwoormoreadapterstothesameswitch.If

oneuplinkadapterisnotoperational,networktrafficisroutedtoanotheradapter

attachedtotheswitch.NICteamingrequiresbothEthernetdevicestobeonthe

sameEthernetbroadcastdomain.



34/312

34 VMware, Inc.

TCP/IP Stack at the Virtual Machine Monitor Level

TheVMwareVMkernelTCP/IPnetworkingstackhasbeenextendedtohandleiSCSI,

NFS,andVMotioninthefollowingways:

iSCSIasavirtualmachinedatastore.

iSCSIforthedirectmountingof.ISOfiles,whicharepresentedasCDROMsto

virtualmachines.

NFSasavirtualmachinedatastore.

NFSforthedirectmountingof.ISOfiles,whicharepresentedasCDROMsto

virtualmachines.

MigrationwithVMotion.

Implications and Guidelines

Referto

the

following

guidelines

when

configuring

VMkernel

networking:

TheIPaddressthatyouassigntotheserviceconsoleduringinstallationmustbe

differentfromtheIPaddressthatyouassigntoVMkernelsTCP/IPstackfromthe

Configuration>NetworkingtaboftheVirtualInfrastructureClient.

BeforeconfiguringsoftwareiSCSIfortheESX Serverhost,openafirewallportby

enablingtheiSCSIsoftwareclientservice.Formoreinformation,seeOpening

FirewallPortsforSupportedServicesandManagementAgentsonpage 192.

UnlikeotherVMkernelservices,iSCSIhasaserviceconsolecomponent,so

networksthatareusedtoreachiSCSItargetsmustbeaccessibletobothservice

consoleandVMkernelTCP/IPstacks.

To set up the VMkernel




3 ClicktheAddNetworkinglink.

TheAddNetworkWizardappears.

4 SelectVMkernelandclickNext.

NOTE ESXsupportsonlyNFSversion3overTCP/IP.



35/312

VMware, Inc. 35

SelectingVMotionandIPStorageletsyouconnecttheVMkernel,whichruns

servicesforVMotionandIPstorage(NFSoriSCSI),tothephysicalnetwork.

TheNetworkAccesspageappears.

5 SelectthevSwitchyouwouldliketouse,orselecttheCreateavirtualswitchradio

buttontocreateanewvSwitch.

6 SelectthecheckboxesforthenetworkadaptersyourvSwitchwilluse.

YourchoicesappearinthePreviewpane.

SelectadaptersforeachvSwitchsothatvirtualmachinesorotherservicesthat

connectthroughtheadaptercanreachthecorrectEthernetsegment.Ifnoadapters

appearunderCreateanew

virtual

switch,allthenetworkadaptersinthesystem

arebeingusedbyexistingvSwitches.YoucaneithercreateanewvSwitchwithout

anetworkadapterorselectanetworkadapterusedbyanexistingvSwitch.

ForinformationonmovingnetworkadaptersbetweenvSwitches,seeToadd

uplinkadaptersonpage 50.

7 ClickNext.

TheConnectionSettingspageappears.



36/312

36 VMware, Inc.

8 UnderPortGroupProperties,selectorenteranetworklabelandaVLANID.

NetworkLabelAnamethatidentifiestheportgroupthatyouarecreating.

Thisisthelabelthatyouspecifywhenconfiguringavirtualadaptertobe

attachedtothisportgroup,whenconfiguringVMkernelservices,suchasVMotionandIPstorage.

VLANIDIdentifiestheVLANthattheportgroupsnetworktrafficwill

use.

9 SelecttheUsethisportgroupforVMotioncheckboxtoenablethisportgroupto

advertiseitselftoanotherESX ServerasthenetworkconnectionwhereVMotion

trafficshould

be

sent.

YoucanenablethispropertyforonlyoneVMotionandIPstorageportgroupfor

eachESX Serverhost.Ifthispropertyisnotenabledforanyportgroup,migration

withVMotiontothishostisnotpossible.

10 UnderIPSettings,clickEdittosettheVMkernelDefaultGatewayforVMkernel

services,suchasVMotion,NAS,andiSCSI.

NOTE Makesurethatyousetadefaultgatewayfortheportthatyoucreated.

VirtualCenter2behavesdifferentlyherefromVirtualCenter1.x.Youmustusea

validIPaddresstoconfiguretheVMkernelIPstack,notadummyaddress.


Th DNS d R ti C fi ti di l b U d h DNS


37/312

VMware, Inc. 37

TheDNSandRoutingConfigurationdialogboxappears.UndertheDNS

Configurationtab,thenameofthehostisenteredintothenamefieldbydefault.

TheDNSserveraddressesthatwerespecifiedduringinstallationarealso

preselectedas

is

the

domain.

UndertheRoutingtab,theserviceconsoleandtheVMkerneleachneedtheirown

gatewayinformation.Agatewayisforneededifconnectivitytomachinesnoton

thesameIPsubnetastheserviceconsoleorVMkernel.

StaticIPsettingsisthedefault.

11 ClickOKtosaveyourchangesandclosetheDNSConfigurationandRouting

dialogbox.

12 ClickNext.

13 UsetheBackbuttontomakeanychanges.

14 ReviewyourchangesontheReadytoCompletepageandclickFinish.

Service Console Configuration

BoththeserviceconsoleandtheVMkernelusevirtualEthernetadapterstoconnectto

avSwitchandtoreachnetworksservicedbythevSwitch.

Basic Service Console Configuration Tasks

Therearetwocommonserviceconsoleconfigurationchanges:changingNICsand

changingthesettingsforanexistingNICthatisinuse.

Whenonlyoneserviceconsoleconnectionispresent,changingtheserviceconsole

configurationisnotallowed.Ifyouwantanewconnection,youmustchangethe

networksettingstouseanadditionalNIC.Afterverifyingthatthenewconnectionis

functioningproperly,removetheoldconnection.Youareswitchingovertothenew

NIC.

To configure service console networking

1 LogintotheVMwareVI Clientandselecttheserverfromtheinventorypanel.






4 Select Ser ice Console o the Connection Types sc ee a d clickNext


38/312

38 VMware, Inc.

4 SelectServiceConsoleontheConnectionTypesscreen,andclickNext.

TheServiceConsoleNetworkAccesspageappears.

5 SelectthevSwitchyouwanttousefornetworkaccess,orselectCreateanew

vSwitchandclickNext.

IfnoadaptersappearunderCreateanewvirtualswitch,allthenetworkadapters

inthesystemarebeingusedbyexistingvSwitches.Forinformationonmoving

networkadaptersbetweenvSwitches,seeToadduplinkadaptersonpage 50.


6 Under Port Group Properties select or enter theNetwork Label andVLAN ID


39/312

VMware, Inc. 39

6 UnderPortGroupProperties,selectorentertheNetworkLabelandVLANID.

NewerportsandportgroupsappearatthetopofthevSwitchdiagram.

7 EntertheIPAddressandSubnetMask,orselecttheDHCPoptionObtainIP

settingautomaticallyfortheIPaddressandsubnetmask.

8 ClicktheEditbuttontosettheServiceConsoleDefaultGateway.

SeeTosetthedefaultgatewayonpage 41.

9 ClickNext.

TheReadytoCompletepageappears.

10 ChecktheinformationandclickFinish.

To configure service console ports





3 On the right side of the screen find the vSwitch that you want to edit and click


40/312

40 VMware, Inc.

3 Ontherightsideofthescreen,findthevSwitchthatyouwanttoeditandclick

PropertiesforthatvSwitch.

ThevSwitchPropertiesdialogboxappears.

4 InthevSwitchPropertiesdialogbox,clickthePortstab.

5 SelectServiceConsole,andclickEdit.

Awarningdialogboxappearstoexplainthatmodifyingyourserviceconsole

connectionmaydisconnectallmanagementagents.


6 Tocontinuewiththeserviceconsoleconfiguration,clickContinuemodifyingthis


41/312

VMware, Inc. 41

g , y g

connection.

TheServiceConsolePropertiesdialogboxappears.

7 Editportproperties,IPsettings,andeffectivepoliciesasnecessary.

8 ClickOK.

OnlyonedefaultgatewaycanbeconfiguredperTCP/IPstack.

To set the default gateway



2 ClicktheConfigurationtab,andclickDNSandRouting.

TheDNSandRoutingpanelappears.


3 ClickthePropertieslink.


42/312

42 VMware, Inc.

p

TheDNSConfigurationdialogboxappears.

Underthe

DNS

Configurationtab,

the

name

of

the

host

is

entered

into

the

name

fieldbydefault.TheDNSserveraddressesandthedomainpreviouslyselected

duringinstallationarealsopreselected.

UndertheRoutingtab,theserviceconsoleandtheVMkernelareoftennot

connectedtothesamenetwork,andeachneedsitsowngatewayinformation.A

gatewayisneededforconnectivitytomachinesnotonthesameIPsubnetasthe

serviceconsoleorVMkernel.

Fortheserviceconsole,thegatewaydeviceisneededonlywhentwoormore

networkadaptersareusingthesamesubnet.Thegatewaydevicedetermines

whichnetworkadapterwillbeusedforthedefaultroute.

4 Clickthe

Routing

tab.

5 SettheVMkerneldefaultgateway.

6 ClickOKtosaveyourchangesandclosetheDNSConfigurationdialogbox.

NOTE AllNASandiSCSIserversneedtobeeitherreachablebythedefaultgatewayoron

thesamebroadcastdomainastheassociatedvSwitches.

CAUTION Thereisariskofmisconfiguration,whichcancausetheUItolose

connectivitytothehost,inwhichcasethehostwillhavetobe

reconfiguredfromcommandlineattheserviceconsole.


To display service console information


43/312

VMware, Inc. 43

1 Clickthebluespeechicontodisplayserviceconsoleinformation.

2 ClicktheXtoclosetheinformationpopupwindow.

Using DHCP for the Service Console

Inmostcases,youshouldusestaticIPaddressesfortheserviceconsole.Youcanalso

setuptheserviceconsoletousedynamicaddressing,DHCP,ifyourDNSserveris

capableofmappingtheserviceconsoleshostnametothedynamicallygeneratedIP

address.

IfyourDNSservercannotmapthehostsnametoitsDHCPgeneratedIPaddress,you

mustdeterminetheserviceconsolesnumericIPaddressandusethatnumericaddress

whenaccessingthehost.

ThenumericIPaddressmightchangeasDHCPleasesrunoutorwhenthesystemis

rebooted.Forthisreason,wedonotrecommendusingDHCPfortheserviceconsole

unlessyourDNSservercanhandlethehostnametranslation.

bluespeech

icon



44/312

44 VMware, Inc.

3


45/312

VMware, Inc. 45

ThischapterguidesyouthroughadvancednetworkingtopicsinanESX Server

environmentandhowtosetupandchangeadvancednetworkingconfiguration

options.


AdvancedNetworkingTasksonpage 46

VirtualSwitchConfigurationonpage 46

PortGroupConfigurationonpage 60

DNSandRoutingonpage 62

SettingUpMACAddressesonpage 64

NetworkingTipsandBestPracticesonpage 67

Advanced Networking 3


46/312

Chapter 3 Advanced Networking

3 Ontherightsideofthewindow,findthevSwitchthatyouwanttoedit.


47/312

VMware, Inc. 47


4 ClickPropertiesforthatvSwitch.


48/312

48 VMware, Inc.


5 ClickthePortstab.

6 SelectthevSwitchitemintheConfigurationlist,andclickEdit.


7 ClicktheGeneraltabtosetthenumberofports.

8 Chooseorenterthenumberofportsyouwanttouse.

ModificationswillnottakeeffectuntilyourebootESXServer.

9 ClickOK.


To configure the uplink network adapter by changing its speed

1 L i t th VM VI Cli t d l t th f th i t l


49/312

VMware, Inc. 49




3 SelectavSwitchandclickProperties.

4 InthevSwitchPropertiesdialogbox,clicktheNetworkAdapterstab.

5 Tochangetheconfiguredspeed,duplexvalueofanetworkadapter,selectthe

networkadapterandclickEdit.

TheStatusdialogboxappears.ThedefaultisAutonegotiate,whichisusuallythe

correctchoice.


6 Toselecttheconnectionspeedmanually,selectthespeed/duplexfromthe

dropdownmenu.


50/312

50 VMware, Inc.

p

ChoosetheconnectionspeedmanuallyiftheNICandaphysicalswitchmightfail

tonegotiatetheproperconnectionspeed.Symptomsofmismatchedspeedandduplexincludelowbandwidthornolinkconnectivityatall.

Theadapterandthephysicalswitchportitisconnectedtomustbesettothesame

value,thatis,auto/autoorND/NDwhereNDissomespeedandduplex,butnot

auto/ND.

7 ClickOK.

To add uplink adapters

1 LogintotheVMwareVI Client,andselecttheserverfromtheinventorypanel.




4 InthePropertiesdialogboxforthevSwitch,clicktheNetworkAdapterstab.

5 ClickAddtolaunchtheAddAdapterWizard.


YoucanassociatemultipleadapterstoasinglevSwitchtoprovideNICteaming.

Suchateamcansharetrafficandprovidefailover.


51/312

VMware, Inc. 51

6 Selectoneormoreadaptersfromthelist,andclickNext.

CAUTION MisconfigurationcanresultinthelossoftheVIClientabilitytoconnect

tothehost.


7 ToordertheNICs,selectaNICandclickthebuttonstomoveitupordowninto

thecategory(ActiveorStandby)thatyouwant.


52/312

52 VMware, Inc.

ActiveAdaptersAdapterscurrentlyusedbythevSwitch.

StandbyAdaptersAdaptersthatbecomeactiveintheeventthatoneor

moreoftheactiveadaptersshouldfail.

8 ClickNext.

TheAdapterSummarypageappears.

9 Reviewtheinformationonthispage,usetheBackbuttontochangeanyentries,

andclick

Finish

to

leave

the

Add

Adapter

Wizard.

Thelistofnetworkadaptersreappears,showingthoseadaptersnowclaimedby

thevSwitch.

10 ClickClosetoexitthevSwitchPropertiesdialogbox.

TheNetworkingsectionintheConfigurationtabshowsthenetworkadaptersin

theirdesignatedorderandcategories.


Virtual Switch Policies

YoucanapplyasetofvSwitchwidepoliciesbyselectingthevSwitchatthetopofthe


53/312

VMware, Inc. 53

pp y p y g p

PortstabandclickingEdit.

Tooverrideanyofthesesettingsforaportgroup,selectthatportgroupandclickEdit.

AnychangestothevSwitchwideconfigurationareappliedtoanyoftheportgroups

onthatvSwitchexceptforthoseconfigurationoptionsthathavebeenoverriddenbythe

portgroup.

ThevSwitchpoliciesconsistof:

Layer2Securitypolicy

TrafficShapingpolicy

LoadBalancingandFailoverpolicy

Layer 2 Security Policy

Layer2isthedatalinklayer.ThethreeelementsoftheLayer2Securitypolicyare

promiscuousmode,MACaddresschanges,andforgedtransmits.

Innonpromiscuousmode,aguestadapterlistenstotrafficonlyonitsownMAC

address.Inpromiscuousmode,itcanlistentoallthepackets.Bydefault,guestadapters

aresettononpromiscuousmode.

Forfurtherinformationonsecurity,seeSecuringVirtualSwitchPortsonpage 201.

To edit the Layer 2 Security policy

1 Loginto

the

VMware

VI Client

and

select

the

server

from

the

inventory

panel.



3 ClickPropertiesforthevSwitchwhoseLayer2Securitypolicyyouwanttoedit.

4 InthePropertiesdialogboxforthevSwitch,clickthePortstab.

5 SelectthevSwitchitemandclickEdit.


6 InthePropertiesdialogboxforthevSwitch,clicktheSecuritytab.


54/312

54 VMware, Inc.

Bydefault,PromiscuousModeissettoReject,andMACAddressChangesand

ForcedTransmitsaresettoAccept.

ThepolicyhereappliestoallvirtualadaptersonthevSwitchexceptwheretheport

groupforthevirtualadapterspecifiesapolicyexception.

7 InthePolicyExceptionspane,selectwhethertorejectoraccepttheLayer2Security

policyexceptions:

PromiscuousMode

RejectPlacingaguestadapterinpromiscuousmodehasnoeffecton

whichframesarereceivedbytheadapter.

AcceptPlacingaguestadapterinpromiscuousmodecausesitto

detectall

frames

passed

on

the

vSwitch

that

are

allowed

under

the

VLAN

policyfortheportgroupthattheadapterisconnectedto.

MACAddressChanges

RejectIfyousettheMACAddressChangestoRejectandtheguest

operatingsystemchangestheMACaddressoftheadaptertoanything

otherthanwhatisinthe.vmx configurationfile,allinboundframeswill

bedropped.

IftheGuestOSchangestheMACaddressbacktomatchtheMAC

addressinthe.vmx configurationfile,inboundframeswillbepassed

again.

AcceptChangingtheMACaddressfromtheGuestOShasthe

intendedeffect:framestothenewMACaddressarereceived.


ForgedTransmits

RejectAnyoutboundframewithasourceMACaddressthatis


55/312

VMware, Inc. 55

differentfromtheonecurrentlysetontheadapterwillbedropped.

AcceptNofilteringisperformedandalloutboundframesarepassed.

8 ClickOK.

Traffic Shaping Policy

ESX Servershapestrafficbyestablishingparametersforthreeoutboundtraffic

characteristics:averagebandwidth,burstsize,andpeakbandwidth.Youcansetvalues

forthese

characteristics

through

the

VI Client,

establishing

atraffic

shaping

policy

for

eachuplinkadapter.

AverageBandwidthestablishesthenumberofbitspersecondtoallowacrossthe

vSwitchaveragedovertimetheallowedaverageload.

BurstSizeestablishesthemaximumnumberofbytestoallowinaburst.Ifaburst

exceedstheburstsizeparameter,excesspacketsarequeuedforlatertransmission.

Ifthequeueisfull,thepacketsaredropped.Whenyouspecifyvaluesforthesetwo

characteristics,youindicatewhatyouexpectthevSwitchtohandleduringnormal

operation.

PeakBandwidthisthemaximumbandwidththevSwitchcanabsorbwithout

droppingpackets.Iftrafficexceedsthepeakbandwidthyouestablish,excess

packetsarequeuedforlatertransmissionaftertrafficontheconnectionhas

returnedtotheaverageandthereareenoughsparecyclestohandlethequeued

packets.

If

the

queue

is

full,

the

packets

are

dropped.

Even

if

you

have

spare

bandwidthbecausetheconnectionhasbeenidle,thepeakbandwidthparameter

limitstransmissiontonomorethanpeakuntiltrafficreturnstotheallowed

averageload.

To edit the Traffic Shaping policy






5 SelectthevSwitchandclickEdit.

ThePropertiesdialogboxfortheselectedvSwitchappears.


6 ClicktheTrafficShapingtab.

ThePolicyExceptionspaneappears.Whentrafficshapingisdisabled,thetunable

f d d Y l l d ll ff h f h


56/312

56 VMware, Inc.

featuresaredimmed.Youcanselectivelyoverridealltrafficshapingfeaturesatthe

portgroup

level

if

traffic

shaping

is

enabled.

Thesearethepoliciestowhichtheperportgroupexceptionsareapplied.

Thepolicyhereisappliedtoeachvirtualadapterattachedtotheportgroup,notto

thevSwitchasawhole.

StatusIfyouenablethepolicyexceptionintheStatusfield,youaresetting

limitsontheamountofnetworkingbandwidthallocationeachvirtualadapter

associatedwiththisparticularportgroup.Ifyoudisablethepolicy,services

willhaveafree,clearconnectiontothephysicalnetworkbydefault.

Theremaining

fields

define

network

traffic

parameters:

AverageBandwidthAvaluemeasuredoveraparticularperiodoftime.

PeakBandwidthAvaluethatisthemaximumbandwidthallowedandthat

canneverbesmallerthanaveragebandwidth.Thisparameterlimitsthe

maximumbandwidthduringaburst.

BurstSizeAvaluespecifyinghowlargeaburstcanbeinkilobytes(K).This

parametercontrolstheamountofdatathatcanbesentinoneburstwhileexceedingtheaveragerate.

Load Balancing and Failover Policy

LoadBalancingandFailoverpoliciesallowyoutodeterminehownetworktrafficis

distributedbetweenadaptersandhowtoreroutetrafficintheeventofanadapter

failurebyconfiguringthefollowingparameters:


LoadBalancingpolicy

TheLoadBalancingpolicydetermineshowoutgoingtrafficisdistributedamong

th t k d t i d t S it h


57/312

VMware, Inc. 57

thenetworkadaptersassignedtoavSwitch.

FailoverDetection:LinkStatus/BeaconProbing

NetworkAdapterOrder(Active/Standby)

To edit the failover and load balancing policy




3 SelectavSwitchandclickEdit.


5 ToedittheFailoverand

Load

BalancingvaluesforthevSwitch,selectthevSwitch

itemandclickProperties.

ThePropertiesdialogboxforthevSwitchappears.

NOTE IncomingtrafficiscontrolledbytheLoadBalancingpolicyonthephysicalswitch.


6 ClicktheNICTeamingtab.

ThePolicyExceptionsareaappears.Youcanoverridethefailoverorderattheport

group level By default new adapters are active for all policies New adapters carry


58/312

58 VMware, Inc.

grouplevel.Bydefault,newadaptersareactiveforallpolicies.Newadapterscarry

trafficfor

the

vSwitch

and

its

port

group

unless

you

specify

otherwise.

7 InthePolicyExceptionspane:

LoadBalancingSpecifyhowtochooseanuplink.

RoutebasedontheoriginatingportIDChooseanuplinkbasedonthe

virtualportwherethetrafficenteredthevirtualswitch.

RoutebasedoniphashChooseanuplinkbasedonahashofthe

sourceanddestinationIPaddressesofeachpacket.FornonIPpackets,

whateverisatthoseoffsetsisusedtocomputethehash.


RoutebasedonsourceMAChashChooseanuplinkbasedonahash

ofthesourceEthernet.

Use explicit failover order Always use the highest order uplink from


59/312

VMware, Inc. 59

Useexplicitfailoverorder Alwaysusethehighestorderuplinkfrom

thelist

of

Active

adapters

which

passes

failover

detection

criteria.

NetworkFailoverDetectionSpecifythemethodtouseforfailover

detection.

LinkStatusonlyReliessolelyonthelinkstatusprovidedbythe

networkadapter.Thisdetectsfailures,suchascablepullsandphysical

switchpowerfailures,butnotconfigurationerrors,suchasaphysical

switchportbeingblockedbyspanningtreeormisconfiguredtothe

wrongVLANorcablepullsontheothersideofaphysicalswitch.

BeaconProbingSendsoutandlistensforbeaconprobesonallNICsin

theteamandusesthisinformation,inadditiontolinkstatus,to

determinelinkfailure.Thisdetectsmanyofthefailuresmentionedabove

thatarenotdetectedbylinkstatusalone.

NotifySwitchesSelectYesorNotonotifyswitchesinthecaseoffailover.

IfyouselectYes,wheneveravirtualNICisconnectedtothevSwitchor

wheneverthatvirtualNICstrafficwouldberoutedoveradifferentphysical

NICintheteamduetoafailoverevent,anotificationissentoutoverthe

networktoupdatethelookuptablesonphysicalswitches.Inalmostallcases,

thisisdesirableforthelowestlatencyoffailoveroccurrencesandmigrations

withVMotion.

RollingFailoverSelectYesorNotodisableorenablerolling.

Thisoptiondetermineshowaphysicaladapterisreturnedtoactivedutyafter

recoveringfromafailure.IfrollingissettoNo,theadapterisreturnedto

activedutyimmediatelyuponrecovery,displacingthestandbyadapterthat

tookoveritsslot,ifany.IfrollingissettoYes,afailedadapterisleftinactive

evenafterrecoveryuntilanothercurrentlyactiveadapterfails,requiringits

replacement.

FailoverOrderSpecifyhowtodistributetheworkloadforadapters.Ifyou

wanttousesomeadaptersbutreserveothersforemergenciesincasetheones

inusefail,youcansetthisconditionusingthedropdownmenutoplacethem

intothetwogroups:

NOTE DonotusethisoptionwhenthevirtualmachinesusingtheportgroupareusingMicrosoftNetworkLoadBalancinginunicastmode.Nosuchissue

existswithNLBrunninginmulticastmode.


ActiveAdaptersContinuetouseitwhenthenetworkadapter

connectivityisupandactive.

Standby Adapters Use this adapter if one of the active adapters


60/312

60 VMware, Inc.

StandbyAdapters Usethisadapterifoneoftheactiveadapter s

connectivityis

down.

UnusedAdaptersNottobeused.

Port Group Configuration

Youcanchangethefollowingportgroupconfigurations:

Portgroupproperties

Labellednetworkpolicies

To edit port group properties



2 Clickthe

Configuration

tab,

and

click

Networking.

3 Ontherightsideofthewindow,clickPropertiesforanetwork.


4 ClickthePortstab.

5 SelecttheportgroupandclickEdit.

6 Inthe

Properties

dialog

box

for

the

port

group,

click

the

General

tab

to

change:

NetworkLabelIdentifiestheportgroupthatyouarecreating.Specifythis

labelwhenconfiguringavirtualadaptertobeattachedtothisportgroup,

eitherwhenconfiguringvirtualmachinesorVMkernelservices,suchas

VMotionandIPstorage.

VLANIDIdentifiestheVLANthattheportgroupsnetworktrafficwill

use.

7 ClickOKtoexitthevSwitchPropertiesdialogbox.

To override labeled network policies

1 Tooverrideanyofthesesettingsforaparticularlabelednetwork,selectthe

network.

2 ClickEdit.


3 ClicktheSecuritytab.

4 Selectthecheckboxforthelabelednetworkpolicythatyouwanttooverride.

F i f ti th tti L 2 S it P li 53


61/312

VMware, Inc. 61

Forinformationonthesesettings,seeLayer2SecurityPolicyonpage 53.

5 ClicktheTrafficShapingtab.

6 SelectthecheckboxtooverridetheenabledordisabledStatus.Forinformationon

theStatussettings,seeTrafficShapingPolicyonpage 55.

7 ClicktheNICTeamingtab.


8 Selecttheassociatedcheckboxtooverridetheloadbalancingorfailoverorder

policies.

Forinformationonthesesettings,seeLoadBalancingandFailoverPolicyon


62/312

62 VMware, Inc.

page 56.

9 ClickOKtoexitthelabeledVMNetworkPropertiesdialogbox.

DNS and RoutingConfigureDNSandroutingthroughtheVI Client.

To change the DNS and Routing configuration



2 ClicktheConfigurationtab,andclickDNSandRouting.


3 Ontherightofthewindow,clickProperties.

4 IntheDNSConfigurationtab,entervaluesfortheNameandDomainfields.

5 Choose to either obtain the DNS server address automatically or use a DNS server


63/312

VMware, Inc. 63

5 ChoosetoeitherobtaintheDNSserveraddressautomaticallyoruseaDNSserver

address.

6 Specifythedomainsinwhichtolookforhosts.

NOTE DHCPissupportedonlyiftheDHCPserverisaccessibletotheserviceconsole.In

otherwords,theserviceconsolemusthaveavirtualinterface(vswif)configured

andattachedtothenetworkwheretheDHCPserverresides.


7 IntheRoutingtab,changedefaultgatewayinformationasneeded.

Youneedtoselectagatewaydeviceonlyifyouhaveconfiguredtheserviceconsole

toconnecttomorethanonesubnet.


64/312

64 VMware, Inc.

8 ClickOKtoclosetheDNSConfigurationdialogbox.

Setting Up MAC AddressesMACaddressesaregeneratedforvirtualnetworkadaptersusedbytheserviceconsole,

theVMkernalandvirtualmachines.Inmostcases,theseMACaddressesare

appropriate.However,youmightneedtosetaMACaddressforavirtualnetwork

adapterasinthefollowingcases:

Virtualnetworkadaptersondifferentphysicalserverssharethesamesubnetand

areassignedthesameMACaddress,causingaconflict.

YouwanttoensurethatavirtualnetworkadapteralwayshasthesameMAC

address.

ThefollowingsectionsdescribehowMACaddressesaregeneratedandhowyoucan

settheMACaddressforavirtualnetworkadapter.


MAC Addresses Generation

EachvirtualnetworkadapterinavirtualmachineisassigneditsownuniqueMAC

address.AMACaddressisasixbytenumber.Eachnetworkadaptermanufactureris


65/312

VMware, Inc. 65

assignedaunique

three

byte

prefix

called

an

OUI

(Organizationally

Unique

Identifier)

thatitcanusetogenerateuniqueMACaddresses.

VMwarehasthreeOUIs:

OneforgeneratedMACaddresses.

OneformanuallysetMACaddresses.

Onewhichwaspreviouslyusedforlegacyvirtualmachines,butisnolongerused

withESXServer3.0.

ThefirstthreebytesoftheMACaddressthatisgeneratedforeachvirtualnetwork

adapterhavethisvalue.ThisMACaddressgenerationalgorithmproducestheother

threebytes.ThealgorithmguaranteesuniqueMACaddresseswithinamachineand

attemptstoprovideuniqueMACaddressesacrossmachines.

Thenetworkadaptersforeachvirtualmachineonthesamesubnetshouldhaveunique

MACaddresses.Otherwise,theycanbehaveunpredictably.Thealgorithmputsalimitonthenumberofrunningandsuspendedvirtualmachinesatanyonetimeonany

givenserver.Italsodoesnothandleallcaseswhenvirtualmachinesondistinct

physicalmachinesshareasubnet.

TheVMwareUUID(UniversallyUniqueIdentifier)generatesMACaddressesthatare

checkedforanyconflicts.ThegeneratedMACaddressesarecreatedusingthreeparts:

theVMwareOUI,theSMBIOSUUIDforthephysicalESX Servermachine,andahash

basedonthenameoftheentitythattheMACaddressisbeinggeneratedfor.

AftertheMACaddresshasbeengenerated,itdoesnotchangeunlessthevirtual

machineismovedtoadifferentlocation,forexample,toadifferentpathonthesame

server.TheMACaddressintheconfigurationfileofthevirtualmachineissaved.All

MACaddressesthathavebeenassignedtonetworkadaptersofrunningand

suspendedvirtualmachinesonagivenphysicalmachinearetracked.

TheMAC

address

of

apowered

off

virtual

machine

is

not

checked

against

those

of

runningorsuspendedvirtualmachines.Itispossiblebutunlikelythatwhenavirtual

machineispoweredonagain,itcanacquireadifferentMACaddress.Thisacquisition

isduetoaconflictwithavirtualmachinethatwaspoweredonwhenthisvirtual

machinewaspoweredoff.


Setting MAC Addresses

Tocircumventthelimitof256virtualnetworkadaptersperphysicalmachineand

possibleMACaddressconflictsbetweenvirtualmachines,systemadministratorscan


66/312

66 VMware, Inc.

manuallyassign

MAC

addresses.

VMware

uses

this

OUI

for

manually

generated

addresses:00:50:56.

TheMACaddressrangeis

00:50:56:00:00:00-00:50:56:3F:FF:FF

Youcansettheaddressesbyaddingthefollowinglinetoavirtualmachines

configurationfile:

ethernet .address = 00:50:56:XX:YY:ZZ

wherereferstothenumberoftheEthernetadapter,XX isavalidhexadecimal

numberbetween00and3F,andYYandZZarevalidhexadecimalnumbersbetween00

andFF.ThevalueforXXmustnotbegreaterthan3FtoavoidconflictwithMAC

addressesthataregeneratedbytheVMwareWorkstationandVMwareGSXServer

products.ThemaximumvalueforamanuallygeneratedMACaddressis

ethernet.address = 00:50:56:3F:FF:FF

Youmustalsosettheoptioninavirtualmachinesconfigurationfile:

ethernet.addressType="static"

BecauseVMwareESX ServervirtualmachinesdonotsupportarbitraryMAC

addresses,theaboveformatmustbeused.Aslongasyouchooseauniquevaluefor

XX:YY:ZZ amongyourhardcodedaddresses,conflictsbetweentheautomatically

assignedMACaddressesandthemanuallyassignedonesshouldneveroccur.

Using MAC Addresses

TheeasiestwaytofamiliarizeyourselfwithMACaddressesistosetupaMACaddress.

To set up a MAC address

1 SettheMACaddressstatically.

2 Removethevirtualmachineconfigurationfileoptions:

ethernet.address, ethernet.addressType

and

ethernet.generatedAddressOffset

3 VerifythatthevirtualmachinereceivesageneratedMACaddress.


VMwareguarantees,however,thattheMACaddresswillneverconflictwithany

physicalhostbyusingtheVMwareOUIs(00:0C:29and00:50:56),whichareuniqueto

virtualmachines.


67/312

VMware, Inc. 67

Networking Tips and Best Practices

Thissectionprovidesinformationabout:

Networkingbestpractices

Networkhints

Networking Best PracticesConsiderthesebestpracticesforconfiguringyournetwork:

Separatenetworkservicesfromoneanothertoachievegreatersecurityorbetter

performance.

Ifyouwantaparticularsetofvirtualmachinestofunctionatthehighest

performancelevels,putthemonaseparatephysicalNIC.Thisseparationallows

foraportionofthetotalnetworkingworkloadtobemoreevenlysharedacrossmultipleCPUs.Theisolatedvirtualmachinesarethenmoreabletoservetraffic

fromaWebclient,forinstance.

TherecommendationsbelowcanbesatisfiedeitherbyusingVLANstosegmenta

singlephysicalnetworkorbyusingseparatephysicalnetworks(thelatteris

preferable).

Keepingtheserviceconsoleonitsownnetworkisanimportantpartof

securingtheESXsystem.Considertheserviceconsolenetworkconnectivity

inthesamelightasanyremoteaccessdeviceinaserverbecausecompromise

oftheserviceconsolegivesanattackerfullcontrolofallvirtualmachines

runningonthesystem.

KeepingtheVMotionconnectiononaseparatenetworkdevotedtothis

purposeisimportantbecausewhenmigrationwithVMotionoccurs,the

contentsof

the

guest

operating

systems

memory

are

transmitted

over

the

network.

Mounting NFS Volumes

InESX Server3.0,themodelofhowESXaccessesNFSstorageofISOimagesthatare

usedasvirtualCDROMsforvirtualmachinesisdifferentfromthemodelusedin

ESX Server2.x.


ESX Server3.0hassupportforVMkernelbasedNFSmounts.Thenewmodelisto

mountyourNFSvolumewiththeISOimagesthroughtheVMkernelNFSfunctionality.

AllNFSvolumesmountedinthiswayappearasdatastoresintheVI Client.Thevirtual

machineconfigurationeditorallowsyoutobrowsetheserviceconsolefilesystemfor


68/312

68 VMware, Inc.

ISOimagestobeusedasvirtualCDROMdevices.

Networking Tips

Considerthefollowingnetworkhints:

Theeasiestwaytophysicallyseparatenetworkservicesandtodedicatea

particularsetofNICstoaspecificnetworkserviceistocreateavSwitchforeach

service.Ifthisisnotpossible,theycanbeseparatedfromeachotheronasinglevSwitchbyattachingthemtoportgroupswithdifferentVLANIDs.Ineithercase,

confirmwithyournetworkadministratorthatthenetworksorVLANsyouchoose

areisolatedintherestofyourenvironment,thatis,noroutersconnectthem.

YoucanaddandremoveNICsfromthevSwitchwithoutaffectingthevirtual

machinesorthenetworkservicethatisrunningbehindthatvSwitch.Ifyou

removedalltherunninghardware,thevirtualmachineswouldstillbeableto

communicateamongstthemselves,asiftheyweregoingouttothenetworkandback.Moreover,ifyouleftoneNICintact,allofthevirtualmachineswouldstillbe

abletoconnectwiththephysicalnetwork.

Useportgroupswithdifferentsetsofactiveadaptersintheirteamingpolicyto

separatevirtualmachinesintogroups.Thesecanuseseparateadaptersaslongas

alladaptersareupbutstillfallbacktosharingintheeventofanetworkor

hardwarefailure.

Deployfirewallsinvirtualmachinesthatroutebetweenvirtualnetworkswith

uplinkstophysicalnetworksandpurevirtualnetworkswithnouplinkstoprotect

yourmostsensitivevirtualmachines.

4


69/312

VMware, Inc. 69

Thischapterdescribescommonnetworkingconfigurationandtroubleshooting

scenarios.


NetworkingConfigurationforSoftwareiSCSIStorageonpage 70

ConfiguringNetworkingonBladeServersonpage 76

Troubleshootingonpage 80

Networking Scenarios and

Troubleshooting 4


Networking Configuration for Software iSCSI Storage

ThestorageyouconfigureforanESX Serverhostmightincludeoneormorestorage

areanetworks(SANs)thatuseiSCSI,whichisameansofaccessingSCSIdevicesand

h id t

d

i

TCP/IP

t l

t k

t

thth


70/312

70 VMware, Inc.

exchanging data records using TCP/IP protocol over a network port rather thanthroughadirectconnectiontoaSCSIdevice.IniSCSItransactions,blocksofrawSCSI

dataareencapsulatediniSCSIrecordsandtransmittedtotherequestingdeviceoruser.

BeforeyoucanconfigureiSCSIstorage,youmustcreateaVMkernelporttohandle

iSCSInetworkingandaserviceconsoleconnectiontotheiSCSInetwork.

To create a VMkernel port for software iSCSI







ThisletsyouconnecttheVMkernel,whichrunsservicesforiSCSIstorage,tothe

physicalnetwork.

TheNetworkAccesspageappears.

5 SelectthevSwitchyouwanttouseortheCreateavirtualswitchradiobutton.

Chapter 4 Networking Scenarios and Troubleshooting

6 SelectthecheckboxesforthenetworkadaptersyourvSwitchwilluse.


71/312

VMware, Inc. 71

YourchoicesappearinthePreviewpane.

SelectadaptersforeachvSwitchsothatvirtualmachinesorotherservicesthat

connectthroughtheadaptercanreachthecorrectEthernetsegment.Ifnoadapters

appearunderCreateanewvirtualswitch,thismeansthatallthenetwork

adaptersinthesystemarebeingusedbyexistingvSwitches.

ForinformationonmovingnetworkadaptersbetweenvSwitches,seeToadd

uplinkadaptersonpage 50.

7 ClickNext.






attached

to

this

port

group

when

configuring

iSCSI

storage


72/312

72 VMware, Inc.

attached to this port group, when configuring iSCSI storage. VLANIDIdentifiestheVLANthattheportgroupsnetworktrafficwill

use.

9 UnderIPSettings,clickEdittosettheVMkernel

Default

GatewayforiSCSI.





preselectedasisthedomain.


73/312

VMware, Inc. 73


UndertheRoutingtab,theserviceconsoleandtheVMkerneleachneedtheirown

gatewayinformation.Agatewayisneededforconnectivitytomachinesnotonthe

sameIPsubnetastheserviceconsoleorVMkernel.


74/312

74 VMware, Inc.

10 ClickOKtosaveyourchanges,andclosetheDNSand

Routing

Configuration

dialogbox.

11 ClickNext.



Afteryou

create

aVMkernel

port

for

iSCSI,

you

must

create

aservice

console

connectiononthesamevSwitchastheVMkernelport.

To configure a service console connection for software iSCSI storage




NOTE Makesurethatyousetadefaultgatewayfortheportthatyoucreated.Youmust

useavalidstaticIPaddresstoconfiguretheVMkernelstack.


3 Ontherightsideofthescreen,clickPropertiesforvSwitchassociatedwiththe

VMkernelportyoujustcreated.

4 OnthePortstab,clickAdd.

TheAdd Network Wizardappears.


75/312

VMware, Inc. 75

pp

5 Asaconnectiontype,selectServiceConsoleandclickNext.

TheConnectionSettingsscreenappears.


thatyouarecreating.

Newerports

and

port

groups

appear

at

the

top

of

the

vSwitch

diagram.


7 EntertheIPAddressandSubnetMask,orselecttheDHCPoptionObtainIP

settingautomaticallyfortheIPaddressandsubnetmask.

8 ClicktheEditbuttontosettheServiceConsoleDefaultGateway.

SeeTosetthedefaultgatewayonpage 41.


76/312

76 VMware, Inc.

9 ClickNext.

TheReadytoCompletescreenappears.


AfteryoucreateaVMkernelportandserviceconsoleconnection,youareabletoenable

andconfiguresoftwareiSCSIstorage.ForinformationonconfiguringiSCSIadapters

andstorage,seeiSCSIStorageonpage 110.

Configuring Networking on Blade ServersBecausebladeserversmayhavealimitednumberofnetworkadapters,itwilllikelybe

necessarytouseVLANstoseparatetrafficfortheserviceconsole,VMotion,IPstorage,

andvariousgroupsofVMs. VMwarebestpracticesrecommendthattheservice

consoleandVMotionhavetheirownnetworksforsecurityreasons. Ifyoudedicate

physicaladapterstoseparatevSwitchesforthispurpose,youwilllikelyhavetogive

upredundant(teamed)connectionsorgiveupisolatingthevariousnetworkingclients,

orboth. VLANsallowyoutoachievenetworkostentationwithouthavingtousemultiplephysicaladapters.

ForthenetworkbladeofabladeservertosupportanESX Serverportgroupwith

VLANtaggedtraffic,youmustconfigurethebladetosupport802.1Qandconfigurethe

portasataggedport.


77/312



thatyouarecreating.

Usenetworklabelstoidentifymigrationcompatibleconnectionscommontotwo

ormorehosts.

8 In theVLAN ID field enter a number between 1 and 4094


78/312

78 VMware, Inc.

8 IntheVLANIDfield,enteranumberbetween1and4094.

Ifyouareunsurewhattoenter,leavethisblankoraskyournetworkadministrator.

9 ClickNext.

TheReadytoCompletepageappears.


To configure a VMkernel port with VLAN on a blade server




3 Onthe

right

side

of

the

screen,

click

Properties

for

vSwitch

associated

with

the

serviceconsole.

4 OnthePortstab,clickAdd.




ThisletsyouconnecttheVMkernel,whichrunsservicesforVMotionandIP

storage(NFSoriSCSI),tothephysicalnetwork.



79/312

VMware, Inc. 79




attachedtothisportgroup,whenconfiguringVMkernelservices,suchas

VMotionandIPstorage.

VLANID

IdentifiestheVLANthattheportgroupsnetworktrafficwill

use.

7 SelecttheUsethisportgroupforVMotioncheckboxtoenablethisportgroupto

advertiseitselftoanotherESX ServerasthenetworkconnectionwhereVMotion

trafficshouldbesent.

YoucanenablethispropertyforonlyoneVMotionandIPstorageportgroupfor

eachESX Server

host.

If

this

property

is

not

enabled

for

any

port

group,

migration

withVMotiontothishostisnotpossible.


8 UnderIPSettings,clickEdittosettheVMkernelDefaultGatewayforVMkernel

services,suchasVMotion,NAS,andiSCSI

NOTE Makesurethatyousetadefaultgatewayfortheportthatyoucreated.

VirtualCenter2behavesdifferentlyherefromVirtualCenter1.x.YoumustuseavalidIPaddresstoconfiguretheVMkernelIPstack,notadummyaddress.


80/312

80 VMware, Inc.




preselectedasisthedomain.

UndertheRoutingtab,theserviceconsoleandtheVMkerneleachneedtheirowngatewayinformation.Agatewayisneededifconnectivitytomachinesnotonthe

sameIPsubnetastheserviceconsoleorVMkernel.

StaticIPsettingsisthedefault.

9 ClickOKtosaveyourchanges,andclosetheDNSConfigurationandRouting

dialogbox.

10 ClickNext.



Troubleshooting

Thefollowing

section

guides

you

through

troubleshooting

common

networking

issues.

Thissectioncoversthefollowingtopics:

TroubleshootingServiceConsoleNetworkingonpage 80

TroubleshootingNetworkAdapterConfigurationonpage 82

TroubleshootingPhysicalSwitchConfigurationonpage 82

Troubleshooting

Port

Group

Configuration

on

page 82

Troubleshooting Service Console Networking

Ifcertainpartsoftheserviceconsolesnetworkingaremisconfigured,youwillloseyour

abilitytoaccessyourESXServerhostwiththeVIClient.Intheeventthatthishappens,

g , y


youcanreconfigurenetworkingbyconnectingdirectlytoserviceconsoleandusingthe

followingserviceconsolecommands:

esxcfg-vswif -l

Providesalist

of

the

service

consoles

current

network

interfaces.

Check that vswif0 is present and that the current IP address and Netmask are


81/312

VMware, Inc. 81

Checkthatvswif0ispresentandthatthecurrentIPaddressandNetmaskare

correct.

esxcfg-vswitch -l

Providesalistofcurrentvirtualswitchconfigurations.

Checkthattheuplinkadapterconfiguredfortheserviceconsoleisconnectedtothe

appropriatephysicalnetwork.

exscfg-nics -l

Providesalistofcurrentnetworkadapters.

Checkthattheuplinkadapterconfiguredfortheserviceconsoleisupandthatthe

speedandduplexarebothcorrect.

esxcfg-nics -s

Changesthespeedofanetworkadapter.

esxcfgnics d

Changestheduplexofanetworkadapter.

esxcfg-vswif -i vswifX

ChangestheserviceconsolesIPaddress.

esxcfg-vswif -n vswifX

Changestheserviceconsolesnetmask.

esxcfg-vswitch -U

Removestheuplinkfortheserviceconsole

esxcfg-vswitch -L

Changestheuplinkfortheserviceconsole.

Ifyouencounterlongwaitswhenusingesxcfg-*commands,itispossiblethatDNSis

misconfigured.Theesxcfg-*commandsrequirethatDNSbeconfiguredsothat

localhostnameresolutionworksproperly.Thisrequiresthatthe/etc/hostsfilecontainanentryfortheconfiguredIPaddressandthe127.0.0.1localhostaddress.


82/312


Thebestprincipleistoavoidrenamingnetworksaftertheyareinuse.Afteryourename

aportgroup,youmustreconfigureeachassociatedvirtualmachineusingtheservice

consoletoreflectthenewportgroupname.


83/312

VMware, Inc. 83



84/312

84 VMware, Inc.


85/312

VMware, Inc. 85

Storage



86/312

86 VMware, Inc.

5

5


87/312

VMware, Inc. 87

ThischaptercontainsoverviewinformationabouttheavailablestorageoptionsforESX

Server.

ForinformationaboutconfiguringSANs,seetheSANConfigurationGuide.This

chapter

covers

the

following

topics:

StorageConceptsonpage 88

StorageOverviewonpage 89

ViewingStorageInformationintheVirtualInfrastructureClientonpage 93

VMwareFileSystemonpage 97

Configuring

and

Managing

Storage

on

page 101

Introduction to Storage 5


Storage Concepts

Afewconceptsareessentialforathoroughunderstandingofstorage.

DatastoreFormattedlogicalcontaineranalogoustoafilesystemonalogical

volume.ThedatastoreholdsvirtualmachinefilesandcanexistondifferenttypesofphysicalstorageincludingSCSI,iSCSI,FibreChannelSAN,orNFS.Datastores

can be of the two types: VMFSbased or NFSbased.


88/312

88 VMware, Inc.

canbeofthetwotypes:VMFS basedorNFS based.

DiskpartitionReservedpartofharddiskthatissetasideforspecificpurposes.

InthecontextofESXServerstorage,diskpartitionsonvariousphysicalstorage

devicescanbereservedandformattedasdatastores.

Extent

In

the

ESX

Server

context,

an

extent

is

a

vi3 301 201 server config

Documents