Hands-on Lab: vSphere with Operations Management 6 – Advanced Topics


Upload: concocon2003

Post on 10-Jul-2016



Table of Contents

Lab Overview - HOL-SDC-1602 - vSphere with Operations Management 6 – Advanced Topics
    Lab Guidance
Module 1: What's new in vSphere with Operations Manager (vSOM) - (60 Minutes)
    Content Library
    ESXi Security Enhancements
    Network I/O Control Enhancements (NIOC)
    Migrating a Virtual Machine between Two vCenters
    vSphere Web Client Enhancements
    vSphere SSL Certificates
    vRealize Operations 6.1 - Custom Profiles for Capacity Planning
    vRealize Operations 6.1 - Automation Action Framework
    vRealize Operations 6.1 - Custom Data Center for Capacity
    vRealize Operations 6.1 - Workload Balancing
Module 2: Build and Manage Your Infrastructure - Networking - (30 Minutes)
    Migrating to the vSphere Distributed Switch - Overview
    Implementing Quality of Service (QoS) Tagging
    Monitoring the vSphere Distributed Switch with Encapsulated Remote Mirroring
    Implementing LACP on the vSphere Distributed Switch
    Managing NSX
Module 3: Build and Manage Your Infrastructure - Storage - (30 Minutes)
    VVOL Management
    VSAN Management
Module 4: Build and Manage Your Infrastructure - Scale Out - (60 Minutes)
    Build a Resilient Management Platform
    Configuring Auto Deploy
    Centralized Management of VM Content
    vCloud Air Management
Module 5: Optimize Workload Performance While Maintaining Business Priorities - (60 Minutes)
    Enable Controlled Usage Of Resources Based On Business Priorities
    vRealize Operations Custom Alerting
Module 6: Ensure Business Continuity and Availability - (30 Minutes)
    Demonstrate transparent failover for virtual machines
    Demonstrate automatic restart of virtual machines after a storage failure
Module 7: Simplified Security and Compliance - (30 Minutes)
    Integrate your environment into your enterprise certificate infrastructure
    Show fine-grained control of local user access on ESXi


Lab Overview - HOL-SDC-1602 - vSphere with Operations Management 6 – Advanced Topics


Lab Guidance

You are about to embark on a hands-on journey to learn about Advanced Topics in vSphere with Operations Management. This lab will walk you through step-by-step, so basic vSOM experience is not necessary, but it is helpful. If you would like to learn the basics, VMware recommends also taking our lab titled "HOL-SDC-1610 - vSphere with Operations Management - The Basics."

VMware vSphere with Operations Management delivers vSphere optimized for efficient server virtualization management by adding critical capacity management and performance monitoring capabilities. It is designed for businesses of all sizes to run applications at high service levels and maximize hardware savings through higher capacity utilization and consolidation ratios. Create an easy-to-manage virtual environment with the most trusted virtualization platform, vSphere.

This Hands-On Lab uses a beta version of vRealize Operations Manager, which is still undergoing development before final release. Product features that are included in this lab are subject to change and there is no commitment from VMware to deliver them in any generally available product.

The following is a list of the different modules contained in this lab:

• Module 1 - What's New in vSphere with Operations Manager (vSOM) (60 minutes)
• Module 2 - Build and Manage Your Infrastructure - Networking (30 minutes)
• Module 3 - Build and Manage Your Infrastructure - Storage (30 minutes)
• Module 4 - Build and Manage Your Infrastructure - Scale Out (60 minutes)
• Module 5 - Optimize Workload Performance While Maintaining Business Priorities (60 minutes)
• Module 6 - Ensure Business Continuity and Availability (30 minutes)
• Module 7 - Simplified Security and Compliance (30 minutes)
• Module 8 - PowerCLI for vR Ops: Automate Your Virtual Infrastructure Remediation (45 minutes)

Lab Captains: John Dias (Modules 1, 2, 3, 4, 6 and 7), Yuval Tenenbaum (Modules 1 and 5), Tom Bonanno (Module 4), and Pavel Dimitrov (Module 8)

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.pub/HOL-2016/hol-sdc-1602_pdf_en.pdf

This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


Control Center Desktop

When you start the lab, the system you first access is referred to as the ControlCenter. On the ControlCenter desktop, you will find shortcuts to applications you will use throughout the lab. You can think of this as your workstation in the lab environment.

Note: Depending on the screen resolutions of the lab, your icons may reposition themselves and not be arranged as in the image above.

Login Credentials

In the Hands-On-Lab environments, VMware has established a convention of default login credentials. You will be the administrator/root user on most systems throughout the lab. Unless otherwise noted, the default login credentials for this lab are as follows:

vSphere Web Client:


Username: [email protected] -or sometimes- Username: [email protected]

Password: VMware1! Password: VMware1!

vRealize Operations Manager:

Username: admin

Password: VMware1!

Most Linux-based VMs and appliances:

Username: root

Password: VMware1!

This information is also available in the README file, in the Lab Guidance section near the top. You will learn more about the README file next.

README File

On the ControlCenter desktop, you will find a file named README.txt. This file will assist you throughout the lab. It has all of the login credentials, commands, and information you will need for this lab. Feel free to open this file and copy/paste from it. It is especially helpful if you are on an international keyboard, as you will have to type very little, if at all.

Now that you know your way around the lab a little, it's time to begin Module 1.

Disclaimer

This session may contain product features that are currently under development.


This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new technologies or features discussed or presented have not been determined.

• “These features are representative of feature areas under development. Feature commitments are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery.”


Module 1: What's new in vSphere with Operations Manager (vSOM) - (60 Minutes)


Content Library

A new feature introduced in vSphere 6 is the Content Library.

Many organizations have several vCenter Servers across diverse geographic locations, and on these vCenters there is most likely a collection of templates and ISOs. Currently there is function within vCenter to centrally manage the templates and distribute them to all locations. The Content Catalog provides the ability to centrally manage content and ensure it’s distributed across the infrastructure.

vCenter Server 6.0 Content Library Overview

As stated previously, the Content Library provides the ability to store and manage content. This ensures that the latest versions of the templates are available across the infrastructure.

In addition to virtual machine templates, vApp templates, ISO files, and scripts can also be stored within a Content Library.

Conclusion

If you would like more details, Content Libraries are covered in depth in Module 4 Build and Manage Your Infrastructure - Scale Out.


ESXi Security Enhancements

New security features have been implemented in vSphere 6 and this lesson will focus specifically on updates to ESXi.

Some of the new updates worth mentioning are:

Account Management

ESXi 6.0 enables management of local accounts on the ESXi server, using new ESXCLI commands. The ability to add, list, remove, and modify accounts across all hosts in a cluster can be centrally managed using a vCenter Server system. Previously, the account and permission management functionality for ESXi hosts was available only with direct host connections. Setting, removing, and listing local permissions on ESXi servers can also be centrally managed.

Account Lockout

There are two new settings available in ESXi Host Advanced System Settings for the management of local account failed login attempts and account lockout duration. These parameters affect SSH and vSphere Web Services connections but not DCUI and console shell access.

These Advanced Settings can be found at the ESXi host level and are:

• Security.AccountLockFailures - Maximum number of failed login attempts before the user's account is locked. By default, this setting is 10.

• Security.AccountUnlockTime - Number of seconds that the user is locked out. By default, this setting is 120 seconds (2 minutes).

Password Complexity Rules

In previous versions of ESXi, password complexity changes had to be made by hand-editing the /etc/pam.d/passwd file on each ESXi host. In vSphere 6.0, this has been moved to an entry in Host Advanced System Settings, enabling centrally managed setting changes for all hosts in a cluster. Use caution when editing this setting: the settings here are used for PAM's configuration file.

The Advanced Setting can be found at the ESXi host level and is:

• Security.PasswordQualityControl
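An added example, not part of the original lab manual: an offline check of the three advanced settings named above against a baseline, including validation of the Security.PasswordQualityControl string before it is pushed to every host in a cluster. The baseline thresholds, host names and sample values are constructed for illustration; the `min=` parsing follows pam_passwdqc's five-field syntax.

```python
"""Offline audit of the three ESXi account-security advanced settings."""

# Hypothetical baseline for this example (an assumption, not a VMware recommendation).
BASELINE = {
    "max_lock_failures": 10,    # lock the account after at most this many failures
    "min_unlock_seconds": 120,  # keep it locked at least this long
    "min_password_length": 7,   # shortest length any enabled password kind may allow
}

# pam_passwdqc order of the five min= fields.
KINDS = ("one character class", "two classes", "passphrase",
         "three classes", "four classes")


def parse_passwdqc(value):
    """Parse e.g. 'retry=3 min=disabled,disabled,disabled,7,7'.

    Returns {'retry': int or None, 'min': list of five (int or None) or None};
    None inside the list means 'disabled'. Raises ValueError when retry= or
    min= is malformed. Other passwdqc options are passed over unchecked.
    """
    opts = {"retry": None, "min": None}
    for token in value.split():
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError(f"option without a value: {token!r}")
        if key == "retry":
            if not val.isdigit():
                raise ValueError(f"retry= must be a number, got {val!r}")
            opts["retry"] = int(val)
        elif key == "min":
            fields = val.split(",")
            if len(fields) != 5:
                raise ValueError(f"min= needs 5 fields, got {len(fields)}")
            mins = []
            for field in fields:
                if field == "disabled":
                    mins.append(None)
                elif field.isdigit():
                    mins.append(int(field))
                else:
                    raise ValueError(f"bad min= field: {field!r}")
            # passwdqc requires each length to be no larger than the one
            # before it; 'disabled' ranks above every length.
            ranked = [float("inf") if m is None else m for m in mins]
            if any(b > a for a, b in zip(ranked, ranked[1:])):
                raise ValueError("min= lengths must not increase")
            opts["min"] = mins
    return opts


def is_valid_passwdqc(value):
    """True when parse_passwdqc accepts the string."""
    try:
        parse_passwdqc(value)
    except ValueError:
        return False
    return True


def audit_host(settings, baseline=BASELINE):
    """Return a list of findings for one host's advanced settings."""
    findings = []
    failures = int(settings["Security.AccountLockFailures"])
    if failures == 0:
        findings.append("AccountLockFailures=0 disables account lockout")
    elif failures > baseline["max_lock_failures"]:
        findings.append(f"AccountLockFailures={failures} exceeds baseline")
    unlock = int(settings["Security.AccountUnlockTime"])
    if unlock < baseline["min_unlock_seconds"]:
        findings.append(f"AccountUnlockTime={unlock}s is below baseline")
    try:
        quality = parse_passwdqc(settings["Security.PasswordQualityControl"])
    except ValueError as exc:
        findings.append(f"PasswordQualityControl malformed: {exc}")
        return findings
    if quality["min"] is None:
        findings.append("PasswordQualityControl has no explicit min=")
        return findings
    for kind, length in zip(KINDS, quality["min"]):
        if length is not None and length < baseline["min_password_length"]:
            findings.append(
                f"PasswordQualityControl allows {kind} of length {length}")
    return findings


# Constructed sample inventory: host names and values are made up for the example.
HOSTS = {
    "host-a": {"Security.AccountLockFailures": 10,
               "Security.AccountUnlockTime": 120,
               "Security.PasswordQualityControl":
                   "retry=3 min=disabled,disabled,disabled,7,7"},
    "host-b": {"Security.AccountLockFailures": 0,
               "Security.AccountUnlockTime": 30,
               "Security.PasswordQualityControl": "retry=3 min=8,8,8,7,6"},
    "host-c": {"Security.AccountLockFailures": 25,
               "Security.AccountUnlockTime": 120,
               "Security.PasswordQualityControl": "retry=3 min=disabled,7,7"},
}


def audit_all(hosts=HOSTS):
    """Audit every host; returns {host name: [findings]}."""
    return {name: audit_host(settings) for name, settings in hosts.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Because a rejected string is reported rather than applied, the same check can gate a change before it is rolled out through Host Advanced System Settings.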

Flexible Lockdown Modes

Prior to vSphere 6.0, there was one lockdown mode. Feedback from customers indicated that this lockdown mode was inflexible in some use cases. With vSphere 6.0, the introduction of two lockdown modes aims to improve that.


The first mode is “normal lockdown mode.” The DCUI access is not stopped, and users on the “DCUI.Access” list can access DCUI. The second mode is “strict lockdown mode.” In this mode, DCUI is stopped.

There is also a new functionality called “Exception Users.” These are local accounts or Microsoft Active Directory accounts with permissions defined locally on the host where these users have host access. These Exception Users are not recommended for general user accounts but are recommended for use by third-party applications (“Service Accounts,” for example) that need host access when either normal or strict lockdown mode is enabled. Permissions on these accounts should be set to the bare minimum required for the application to do its task and with an account that needs only read-only permissions to the ESXi host.

Smart Card Authentication to DCUI

This functionality is for U.S. federal customers only. It enables DCUI login access using a Common Access Card (CAC) and Personal Identity Verification (PIV). An ESXi host must be part of an Active Directory domain.

In this lesson, we will take a close look at the improved auditing feature in ESXi.

Conclusion

In this lab, Module 7 Simplified Security and Compliance takes you through a deeper dive into some of the ESXi security enhancements.


Network I/O Control Enhancements (NIOC)

vSphere Network I/O Control version 3 introduces a mechanism to reserve bandwidth for system traffic based on the capacity of the physical adapters on a host. It enables fine-grained resource control at the VM network adapter level similar to the model that you use for allocating CPU and memory resources.

Models for Bandwidth Resource Reservation

Network I/O Control version 3 supports separate models for resource management of system traffic related to infrastructure services, such as vSphere Fault Tolerance, and of virtual machines.

The two traffic categories have different natures. System traffic is strictly associated with an ESXi host. The network traffic routes change when you migrate a virtual machine across the environment. To provide network resources to a virtual machine regardless of its host, in Network I/O Control you can configure resource allocation for virtual machines that is valid in the scope of the entire distributed switch.

Bandwidth Guarantee to Virtual Machines

Network I/O Control version 3 provisions bandwidth to the network adapters of virtual machines by using constructs of shares, reservation and limit. Based on these constructs, to receive sufficient bandwidth, virtualized workloads can rely on admission control in the vSphere Distributed Switch, vSphere DRS and vSphere HA.

Network I/O Control Version 2 and Version 3 in vSphere 6.0

In vSphere 6.0, version 2 and version 3 of the Network I/O Control capability can coexist. The two versions implement different models for allocating bandwidth to virtual machines and system traffic. In Network I/O Control version 2, you configure bandwidth allocation for virtual machines at the physical adapter level. In contrast, version 3 lets you set up bandwidth allocation for virtual machines at the level of the entire distributed switch.

When you upgrade a distributed switch, the Network I/O Control is also upgraded to version 3 unless you are using features that are not available in Network I/O Control version 3, such as CoS tagging and user-defined network resource pools. In this case, the difference in the resource allocation models of version 2 and version 3 does not allow for non-disruptive upgrade. You can continue using version 2 to preserve your bandwidth allocation settings for virtual machines, or you can switch to version 3 and tailor a bandwidth policy across the hosts connected to the switch.


In this lesson, we will walk through the steps needed to configure Network I/O Control at the vNIC level.

Open the Google Chrome Browser

If you do not already have the vSphere Web Client running, open the Google Chrome browser from the desktop.

Login to the vSphere Web Client by ticking the box for 'Use Windows session authentication' and click the Login button.

Select Networking

First, let's verify the vDS we want to use is running NIOC version 3 and is enabled.

Start by clicking the Networking icon.


Expand vcsa-01a.corp.local

Expand vcsa-01a.corp.local until you can see the distributed switch vds-site-a.


Edit Settings

1. Click on vds-site-a.

2. Click on the Manage tab.

3. Then click on Settings.

4. Finally make sure you are on the Properties tab.

5. We can see that Network I/O Control is enabled on the distributed switch.

Note: If it were not enabled, you would just need to click the Edit button, select Enable in the Network I/O Control drop-down box and click OK.


Verify the Network I/O Control Version

Now let's see what version of Network I/O Control we are running.

1. Click on the Resource Allocation tab. You may have to unpin the Navigation pane to see this.

2. Here you can see that we are running version 3, which is the required version for NIOC at the vNIC level.

Note: If the distributed switch was running an earlier version of NIOC, you just need to right-click on the distributed switch in the Navigation pane and select 'Upgrade-->Upgrade Network I/O Control...'.


Configure Bandwidth Allocation

Much like virtual machine CPU and Memory reservations and limits, we will need to create them for networking. In our case, since we want to reserve bandwidth for virtual machines, we'll modify the reservations for virtual machine traffic.

1. Start by clicking on 'Virtual Machine Traffic' in the traffic types list

2. Click the Edit button.


Reservation

In the Reservation box, type '2000' to reserve 2,000Mbs bandwidth for Virtual Machine traffic. Leave all other settings to their defaults.

Click OK to continue.

Reservation Set

Once you click OK, you will notice even though we have set a reservation of 2,000Mbs for virtual machine traffic, it is not showing up under the Reservation Column. This is because we have just set the Reservation and not actually reserved it for a virtual machine.


Show the Navigation Bar (if you unpinned it).

Click on the Navigation link on the left hand side, if you unpinned it earlier.

Pin the Navigation Bar

Now click the thumbnail so it points down. This will pin the navigation bar back in place.


Select Hosts and Clusters

1. From the Home menu

2. Select Hosts and Clusters.

Clone linux-micro-01a

So we don't interfere with other lessons you may want to take, let's clone linux-micro-01a. Expand the Cluster till you can see the VM 'linux-micro-01a'

1. Right-click on 'linux-micro-01a'

2. Select Clone -->

3. Clone to Virtual Machine...


Name your VM

1. Name your VM linux-nioc-01a

2. Accept the default location of Datacenter Site A for the location.

Click Next to continue.


Select Cluster Site A

Place the VM on Cluster Site A-1 by clicking on it.


Accept Default Storage

Just click Next for the storage selection.

Un-check All Boxes

Make sure to un-check all the boxes before clicking Next.


Ready to Complete

Verify the settings look correct and click Finish to clone the VM.

It should only take a minute to perform the clone operation. You can track the progress by clicking on the Recent Tasks link in the bottom left corner of the vSphere Web Client.


Edit the VM Settings

1. Right-click on the newly cloned VM, linux-nioc-01a

2. Select Edit Settings...

NOTE: You may have to refresh your browser to see the new VM.


Expand Network Adapter 1

1. Expand out Network adapter 1 and you will notice some new options. Now we can set how much bandwidth to reserve for this specific vNIC on the virtual machine.

Let's give it all of the 2,000Mbs reservation we set.

2. Type 2000 in the Reservation box. Click OK.

Note: If you don't see this box, make sure you connected Network adapter 1 to VM Network (vds-site-a).


Viewing Reservation

1. View the reservation by clicking on the summary tab for the Virtual Machine and

2. Expanding the VM hardware section, you can now see the reservation is set so that this virtual machine's network adapter will have a reserved 2,000Mbs of bandwidth.


Lesson Clean Up

Feel free to explore other options with NIOC. When you are finished with this lesson, please delete the linux-nioc-01a virtual machine to avoid confusion in other lessons.

Just go back to the Hosts and Clusters view and right-click on the virtual machine linux-nioc-01a and select Delete from Disk.


Migrating a Virtual Machine between Two vCenters

vMotion has been a standard feature of VMware virtual infrastructure since early 2004. Migrating a powered-on VM between different vCenters while preserving network connectivity was introduced in 2015 with vSphere 6.


Cross vCenter Server vMotion - Overview

vMotion is probably the most widely used VMware feature. vSOM 6 introduces some new functionality around vMotion:

• Cross vSwitch vMotion
• Cross vCenter vMotion
• Long Distance vMotion

Cross vCenter vMotion is a powerful new capability with a number of use cases. It could be used to migrate between a legacy Windows vCenter and a new vCenter appliance, or anytime it makes sense to migrate VMs to a completely new set of virtual infrastructure. And of course it can be used to migrate VMs between data centers for planned maintenance or other business purposes.

The migration between vCenter servers can occur with all the different migration types: compute / storage / network. You can even do it without having a shared datastore between the source and destination vCenter, otherwise referred to as “shared nothing migration.” This functionality will come in handy when you are migrating to a different vCenter instance or even when you are migrating workloads to a different location. Note, it is a requirement for the source and destination vCenter Server to belong to the same SSO domain. When the VM is migrated, things like alarms, events, HA and DRS settings are all migrated with it. So if you have affinity rules or changed the host isolation response or set a limit or reservation, it will follow the VM wherever it goes.

For a hands-on experience please refer to Module 4 - Build and Manage Your Infrastructure - Scale Out.


vSphere Web Client Enhancements

vSphere Web Client includes significant performance and usability improvements.

The performance improvements include login times that are up to 13 times faster, right-click menus that are visible and usable four times faster, and other actions that are now at least 50 percent faster. This puts vSphere Web Client on par with the standalone VMware vSphere Client.

Let's take a look at some of the new usability improvements made to the vSphere Web Client.

Open the Google Chrome Browser

If you do not already have the vSphere Web Client running, open the Google Chrome browser from the desktop.

Login to the vSphere Web Client by ticking the box for 'Use Windows session authentication' and click the Login button.


Home Drop-Down Menu

The first usability update we'll look at is the new Home drop-down menu.

1. Near the top of the browser, click the Home icon. With this new drop-down menu, you can easily access any area of the vSphere Web Client from any screen.

2. Click on Hosts and Clusters.


Expand vcsa-01a.corp.local

Use the twist arrow to expand vcsa-01a.corp.local until you can see the two hosts and virtual machines.


Right-click on esx-01a.corp

Another usability enhancement is the right-click actions.

Try this by right-clicking on 'esx-01a.corp.local'. The first thing you should notice is that the menu itself appears much faster.

The second thing to notice is the menu items are no more than one layer deep. This helps to avoid searching through multiple layers of menus to find the task you need.


Activate Recent Tasks portlet

Let's enable the Recent Tasks portlet.

From the top of the vSphere Web Client, click on the down arrow next to your user name.

Select 'Layout Settings'.

Next, select the 'Recent Tasks' pane.

Click OK.

The 'Recent Tasks' pane will then appear at the bottom of the screen.

Recent Tasks Pane

At the bottom of the Navigator, you will now see a link for Recent Tasks.

Recent Tasks

In the Recent Tasks pane, you will find the most recent tasks, updated in real time, making them easier to view. In the Recent Tasks pane, you have the ability to:

1. Pin the Recent Tasks pane to another part of the vSphere Web Client (more on this later!).

2. View additional tasks.

3. Hide the Recent Tasks pane.

Docking the Recent Tasks Pane

If you click on the Thumbnail in the Recent Tasks pane, it will dock it to the bottom of the vSphere Web Client.

Click on the Thumbnail to give it a try.

Customizing the UI

You can also move the Recent Tasks pane (or any other pane) by clicking and dragging the pane on the title bar.

Left-click and drag anywhere on the Recent Tasks title bar. You'll notice four areas indicating where you can dock the Recent Tasks pane. Let's move it over to the right side by dragging it in the direction of the right arrow. Move your mouse to the two blue arrows to the right until that side of the screen turns blue, then click your mouse to move the pane there.

Resizing the Pane

You can resize the pane by clicking in the empty space between panes and dragging it in the desired direction.

Move it Back!

In its current position, most of the useful information the Recent Tasks pane provides is cut off.

Let's move it back to its original location on the bottom of the screen by clicking the Recent Tasks title bar and dragging it to the bottom.

That's Better!

This layout seems to work better for me, but it is subject to personal preference, which is one of the best parts of the vSphere Web Client: being able to customize it to how it works best for you.

Lesson Clean Up

To prepare for the next lesson, click on the thumbnail to hide the Recent Tasks pane back to the bottom of the vSphere Web Client. This will give us more real estate for the lessons that follow. If the Recent Tasks pane is needed, the lesson will guide you to it.

vSphere SSL Certificates

In vSphere 6, two new components of certificate management were introduced.

• The VMware Certificate Authority (VMCA)

• VMware Endpoint Certificate Services (VECS)

One of the key things to remember is that certificates are now stored within VECS and are no longer stored in the filesystem of vCenter. Even if you are using third-party certificates, you will still need to store them in VECS. For ESXi, the certificates are still stored locally on the host; this has not changed. VMCA provisions each vCenter Server and service with certificates that are signed by VMCA.

VMCA and VECS provide a common platform for managing certificates, address customer pain points with certificate issues, and help customers more easily handle business compliance with security policies.

VMCA Operational Modes

VMCA can operate in two modes:

• Root CA: VMCA is initialized with a self-signed certificate. This is similar to the certificates that the old vCenter 5.x solutions created for themselves, except those were not CA certificates. It is normal practice for a CA to have a self-signed certificate at the root, especially if it is the first one created in a new domain.

• Issuer CA: An Enterprise CA signs the Certificate Signing Request (CSR) that the VMCA generates, and the administrator configures VMCA to use this certificate and keys.
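The two modes can be told apart from the VMCA signing certificate itself: it is self-signed in Root CA mode and issued by the enterprise CA in Issuer CA mode. The following is an added example, not part of the lab; it builds constructed sample certificates with openssl (all subjects, file names and function names are assumptions) and classifies them.

```shell
#!/bin/sh
# Added example: every certificate below is constructed test data.

# Minimal openssl config with one CA extension profile and one leaf profile.
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
}

# Self-signed CA: key in $dir/$name.key, certificate in $dir/$name.pem.
make_self_signed_ca() {
    dir=$1; name=$2; subj=$3
    openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "$subj" -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

# Key and CSR for $name, then $signer issues the certificate with the
# extension profile $profile (v3_ca or leaf).
make_signed_cert() {
    dir=$1; name=$2; subj=$3; signer=$4; profile=$5
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "$subj" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$signer.pem" \
        -CAkey "$dir/$signer.key" -CAcreateserial -days 2 \
        -extfile "$dir/openssl.cnf" -extensions "$profile" \
        -out "$dir/$name.pem" 2>/dev/null
}

build_samples() {
    d=$1
    write_config "$d/openssl.cnf"
    make_self_signed_ca "$d" enterprise_ca "/O=Constructed Corp/CN=Constructed Enterprise Root CA"
    # Root CA mode: the VMCA signing certificate is self-signed.
    make_self_signed_ca "$d" vmca_root "/O=vsphere.local/CN=Constructed VMCA (root mode)"
    # Issuer CA mode: VMCA generates a CSR and the enterprise CA signs it.
    make_signed_cert "$d" vmca_sub "/O=vsphere.local/CN=Constructed VMCA (issuer mode)" enterprise_ca v3_ca
    # An endpoint certificate issued by VMCA, of the kind held in VECS.
    make_signed_cert "$d" machine_ssl "/CN=vcsa-01a.corp.local" vmca_root leaf
}

# Prints "root-ca" for a self-signed CA certificate, "issuer-ca" for a CA
# certificate signed by another CA, "not-a-ca" for anything without CA:TRUE.
classify_ca_cert() {
    cert=$1
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "not-a-ca"
        return 0
    fi
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    # Matching names are not enough: also check the signature verifies under its own key.
    if [ "$subject" = "$issuer" ] &&
       openssl verify -check_ss_sig -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "root-ca"
    else
        echo "issuer-ca"
    fi
}

# Succeeds when certificate $1 validates against trust anchor $2.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo: build the constructed samples in a temp dir and report each one.
demo() {
    tmp=$(mktemp -d) && build_samples "$tmp" || return 1
    for c in vmca_root vmca_sub machine_ssl; do
        echo "$c: $(classify_ca_cert "$tmp/$c.pem")"
    done
    rm -rf "$tmp"
}
demo
```

In Issuer CA mode the same `chains_to` check confirms that the VMCA certificate validates against the enterprise root, which is what clients that trust only the enterprise CA rely on.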

Conclusion

If you would like hands on experience with VMCA, be sure to check out Module 7 - Simplified Security and Compliance in this lab.

vRealize Operations 6.1 - Custom Profiles for Capacity Planning

Capacity Remaining Overview

The Capacity Remaining badge represents the unused capacity of your virtual environment. vRealize Operations Manager calculates the Capacity Remaining score as a percentage of the remaining capacity count compared to the total amount of capacity that can be deployed on the selected object. Capacity remaining is the % of usable capacity not consumed. Capacity remaining is calculated using both peak and average demand. The example shows us the peak of 19% capacity remaining because there was a spike that used 81% of available capacity, but the average consumption is 52%.

Custom Profiles Overview

A Default or Custom Profile contains information for a specific configuration of an object. With the profiles you can see how many more of that object can fit in your environment depending on the available capacity and object configuration. Default and custom profiles contain metrics configuration for an object. You can create as many profiles as you require for an object type. For example, you can create a profile for a virtual machine with Memory-Demand model 2 GB and another profile with Memory-Demand model 4 GB. vRealize Operations Manager uses Custom Profiles to calculate how many virtual machines with this Memory-Demand model can fit in your environment. You can see this calculation in the What Will Fit panel of the Capacity Remaining tab on a container object. You can also use the profiles to populate metrics when you create projects.

Log into vRealize Operations Manager

1. Open Firefox and click on the bookmark for vROPs-01a

2. Enter username - 'Admin', password - VMware1!

Where You Find Custom Profiles

To manage your custom profiles,

1. Click Content in the left pane.

2. Click Custom Profiles

3. Click on the "+" sign to add a new one.

Create A New Custom Profile

We will create a new profile for MySQL Server Virtual Machines. We could either populate from existing Virtual Machines in our environment or specify manually. We can also choose whether we prefer an Allocation or Demand based calculation. We are selecting Allocation type model in this example. Create your own profile as described in the image above. Then click "Ok".

1. Profile Name: MySQL

2. Profile Description: Linux MySQL Server VMs

3. Object Type: vCenter Adapter --> Virtual Machine

4. Make sure the Enable this profile for all Policies is checked

5. Filter (Model): Ensure Allocation is listed

6. CPU - Allocation Model: 2 vCPUs

7. Memory - Allocation Model: 4 GB

8. Disk Space - Allocation Model: 3 GB

Note: Allocation is the total amount of resource you configure to the VM, while demand is the amount of that resource which that VM is asking for. Depending on the type of environment you monitor, such as a production environment versus a test or development environment, whether you over allocate at all and by how much depends on the workloads and environment to which the policy applies. From a high level perspective Allocation based capacity planning will be more conservative while Demand based Capacity Planning will be less conservative but closer to reality as it is a good indication of how much resources are really demanded and used in your datacenter.

Navigate To the vCenter Server Object

1. In the top far right side of the browser window type "vcsa-01a" in the search field

2. Select "vcsa-01a" (vCenter Server object type).

View The Results

1. Select the "Analysis" tab

2. Then "Capacity Remaining" badge.

3. Now you can see the newly created "MySQL Servers" Custom Policy. It looks like you could accommodate several new MySQL Server VM's with the specified Allocation profile into this vCenter Server.

Note: in the screenshot above you can see 8 MySQL VM's remaining but in your lab the number might be different.

Create A New Project

At this point we are going to create a new Capacity Planning Project to do some capacity planning to leverage the new custom profile we just created.

1. Click on the "Projects" tab

2. Then hit the "+" sign to create a new project.

Name The Project

1. Specify a Project name and description

2. Select to commit the project

3. Expand the Advanced section and have it affect both the Time and Capacity Remaining Badges.

4. Then click "Scenarios".

Note: You can have vRealize Operations Manager account for committed projects that you defined so that you can plan the future capacity of your objects. Because committed projects are scenarios that forecast the future capacity of objects, accounting for committed projects affects the Time Remaining and Capacity Remaining scores.

Add Scenario Part 1

1. Drag and Drop "add virtual machine" to the right pane.

2. Set the "Implementation Date" to January 1st 2017.

3. Set the number of VM's to 5.

4. Then click on "Populate metrics from...".

Add Scenario Part 2

1. Select the pre-created "MySQL Servers" as the profile to copy metrics from

2. Press OK.

3. Now press on "Save project and continue edition" to see the results of your project.

Show Project Result Before Final Save

Here you can see the results of your Demand simulation.

Now hit "Save".

Note: The image you may see may look different to the image above when it comes to when exactly the shortfall starts.

View The Results With Committed Projects

1. Now let's go back to the Analysis Tab and

2. Capacity Remaining Badge still against the vCenter Server "vcsa-01a" object. First refresh the page once by hitting "F5".

3. If we now select "With Committed Projects" we will see that Memory is most constrained.

See The Results Without Committed Projects

If we now select "Without Committed Projects" we will see that no resource is critically constrained anymore.

vRealize Operations 6.1 - Automation Action Framework

Automated Actions Overview

In vRealize Operations 6.1 Recommendations can identify ways to remediate problems indicated by an alert. Some of these remediations can be associated with actions defined in your vRealize Operations Manager instance. You can automate several of these remediation actions for an alert when that recommendation is the first priority for that alert.

The following actions are recommended for automation:

■ Delete Powered Off VM

■ Move VM

■ Power Off VM

■ Power On VM

■ Rebalance Container

■ Set CPU Count And Memory for VM

■ Set CPU Count And Memory for VM Power Off Allowed

■ Set CPU Count for VM

■ Set CPU Count for VM Power Off Allowed

■ Set CPU Resources for VM

■ Set Memory for VM

■ Set Memory for VM Power Off Allowed

■ Set Memory Resources for VM

■ Shut Down Guest OS for VM

Example: Action Supported for Automation

For the Alert Definition named Virtual machine has chronic high CPU workload leading to CPU stress, you can automate the action named Set CPU Count for VM.

When CPU stress on your virtual machines exceeds a critical, immediate, or warning level, the alert triggers the recommended action without user intervention.

View Alert Containing Action

1. Go to the Content section

2. Click on Alert Definitions,

3. Type "cpu usage" to find the alert called "Virtual Machine is experiencing CPU stress due to insufficient CPU resources"

4. Then click on the little pencil icon to edit the alert.

View Alert Action Definition

1. Click on "Add Recommendations"

2. Scroll down on the right until you see the action called "Set CPU Count for VM". This will add more CPU capacity to the VM automatically when the alert is triggered. You enable actionable alerts in your policies. By default, automation is disabled in policies.

Click Cancel to close the Edit Alert wizard

View Default Policy Definition

You enable actionable alerts in your policies. To configure automation for your policy:

1. Select Administration

2. Policies

3. Policy Library.

4. vSphere Solution's Default Policy

5. Access the Alert / Symptom Definitions workspace by clicking the pencil icon.

View Action Automation Settings

1. Now select Alert Symptom Definition on the left pane

2. Type "high cpu" to find the alert we are reviewing.

3. In the Automation column you can select between Local for the Automate setting in the Alert Definitions pane. Green means enable and red means disable. By default it is disabled.

When an action is automated, you can use the Automated and Alert columns in Administration > Recent Tasks to identify the automated action and view the results of the action.

4. Do not change anything and just press cancel.

Automated Actions Summary

The actions available in vRealize Operations Manager allow you to modify the state or configuration of selected objects in vCenter Server from vRealize Operations Manager. For example, you might need to modify the configuration of an object to address a problematic resource issue or to redistribute resources to optimize your virtual infrastructure. The most common use of the actions is to solve problems. You can run them as part of your troubleshooting procedures or add them as a resolution recommendation for alerts.

When you are troubleshooting problems, you can run the actions from the center pane Actions menu or from the toolbar on list views that contain the supported objects.

When an alert is triggered, and you determine that the recommended action is the most likely way to resolve the problem, you can run the action on one or more objects.

vRealize Operations 6.1 - Custom Data Center for Capacity

Custom Datacenters Overview

A custom data center is a vRealize Operations Manager specific object type that you can create, modify, and delete. Custom data centers provide capacity analytics, including capacity badge computations, based on the objects it contains.

A data center in vSphere acts as a container of objects that a particular vCenter Server manages. A custom data center in vRealize Operations Manager however is an abstraction that can contain objects from different vCenter Server instances that vRealize Operations Manager monitors.

A custom data center can contain vCenter Server instances, data centers, clusters, and hosts. When you add an object to a custom data center, the hierarchical children of the object become part of the custom data center. An object can belong to multiple custom data centers.

You can use the custom data centers when you want capacity analytics on objects that span multiple vCenter Server instances. For example, you want capacity analytics data across multiple clusters and different vCenter Server instances manage the clusters. Instead of analyzing one cluster or one vCenter Server instance at a time, you can create a custom data center, add all clusters to it, and have the capacity analysis in one place.

You can add certain vSphere object types to a custom data center.

View The Resource Balance Dashboard

Let's first see if we need to rebalance any resources in Datacenter Site A between its two clusters.

1. Navigate to Home

2. Click on Dashboard List

3. Select Rebalance

View How Well Balanced Cluster Site A-2 Is

1. Select the "Cluster Site A-2" object and view its workload balance information.

You can see that the two ESXi hosts are relatively under-utilized and a bit further away from the "Optimal" area.

View How Well Balanced Cluster Site A-1 Is

1. Now select "Cluster Site A-1" and see its workload balance information.

The two ESXi hosts are slightly better positioned than "Cluster Site A-2" as they are closer to the "Optimal" area. In the next step we will see how we can balance resources better between the clusters.

Create A New Custom Datacenter

1. To create a custom data center, in the left pane click "Environment"

2. Click the "Custom Datacenters" tab.

3. Click the plus sign to create a custom data center or the pencil icon to edit a selected custom data center.

You can use an existing custom data center as a template by cloning it.

Save The New Custom Datacenter

1. Give the new DC a name and a description

2. Expand the vSphere Object and select the two Clusters 'Cluster Site A-1' & 'Cluster Site A-2'

3. Click "OK".

As you can see the new Custom Datacenter spans two clusters in the same vCenter Server. This will later give us the option to balance (vMotion) VM's between clusters.

Select The Newly Created Custom DataCenter

Now click on the newly created "HOL DC" Custom Datacenter object.

View Health Risk And Efficiency for the New Custom DC

We can now view all information including alerts, capacity information and all badges against the newly created Custom DC.

It may take a minute or two for the screen to update with data.

Click On Rebalance Container

1. If you select "Actions"

2. Then Rebalance Container

vRealize Operations will offer you the option to rebalance VM's across Clusters.

View Rebalancing Recommendations

vRealize Operations automatically calculates which VM's should move where. As you can see vRealize Operations suggests you move both VM's from Cluster Site A-1 to Cluster Site A-2 which is a bit more under-utilized. Click Cancel as we are not going to run the migration in this module.

Note: Please do not perform the rebalance as it may break subsequent modules which rely on the VM's to stay where they are currently.

Note: Please try out lab HOL-SDC-1610 for a deeper look at this new capability.

Summary

When the workload in your cluster becomes imbalanced, you can move the workload across your objects to rebalance the overall workload in your cluster. The container can be a cluster, data center, or a custom data center.

vRealize Operations 6.1 - Workload Balancing

Workload Placement (WLP) Engine

In vRealize Operations 6.1 VMware introduces a new feature called Workload Placement Engine or WLP for short. This engine is able to determine the best “place” to run your workload, both Initial placement and throughout the workloads lifecycle. It also offers a guided move action for capacity containers, which we already looked at the previous model where we selected "Balance Container" action. This re-balancing can also be automated via alerts.

This new engine examines long term Demand and Stress of the workload and the provider objects (hosts, clusters, etc) and tries to answer the following questions:

• Will it fit?

• Where will it fit best?

• Do I need to Power Off the VM?

• Does the VM have any Affinity Rules?

• Can I keep it on the same datastore?

• Reserve capacity now?

• Rebalance capacity containers?

Note: in vRealize Operations 6.1 the Initial Placement part of the WLP is only available via the REST API. The concept is for other VMware products such as vRealize Automation and 3rd party tools to programmatically query vRealize Operations to determine the right place to deploy a new VM and then for vRealize Operations to return the results of best candidate ESXi host.

Rebalance Containers Overview

When the workload in your cluster becomes imbalanced, you can move the workload across your objects to rebalance the overall workload in your cluster. The container can be a Cluster, Datacenter, or a Custom Datacenter.

If one ESXi host in your Cluster, Datacenter, or a Custom Datacenter is experiencing a high workload, while another ESXi host in the same Cluster, Datacenter, or a Custom Datacenter is experiencing a low workload, you can use the Rebalance Container action to balance the workload across those objects. For example, if the CPU demand on one host is exceeding the available CPU capacity on that host, critical stress on the host machine occurs. To identify the cause of stress, some of the virtual machines on each host might be experiencing high CPU demand, whereas some of the virtual machines might be experiencing a low demand.

vRealize Operations Manager focuses on stress or workload, either long-term or short-term, depending on your selection. This identifies the recommendation plan that vRealize Operations Manager uses to rebalance the container.

Rebalance Alerts

When the workloads on the hosts in the cluster, data center, or custom data center have a significant difference in their workloads, a Rebalance type Alert will be triggered. You can then look at the alert to verify whether the alert is triggered on a cluster. You can click the alert to view the causes for the alert and identify the source of the imbalance problem.

When workloads become imbalanced, the following alerts can trigger on clusters, data centers, and custom data centers:

■ Cluster has unbalanced workload

■ Custom datacenter has unbalanced workload

■ Datacenter has unbalanced workload

As the rebalance action runs, it moves the virtual machines identified in the recommendation to the host machine that has a low workload or stress. You view the action running on each virtual machine identified in the recommendation.

You can view the status of the action in the list of recent tasks in Administration > Recent Tasks. You can also use the vSphere Web Client to view the status of the action and the performance for the host.

After the action runs, and vRealize Operations Manager performs several collection cycles, you can view the workload on the cluster, data center, or custom data center to confirm that the workload was rebalanced and that the alert is no longer triggered.

To see how the workload changed on one or more of your hosts, in the navigation tree click a host in the cluster, data center, or custom data center. Click Analysis > Stress to view the stress score and breakdown, and the workload on the host. Then, click Analysis > Capacity Remaining to determine how much capacity remains on the host.

Where You Run the Action

For the supported objects and object levels, this action is available in the following locations in vRealize Operations Manager:

■ Center pane Action menu.

■ List toolbars, including Views on the Details tab, List on the Environments tab.

■ Resource List and Topology Graph dashboard widgets.

■ Environment Overview list. In the left pane, click the Administration icon, and click List.

■ Configured alert recommendations.

Workload Automation Policy Settings

You can control how the Rebalancing actions you perform in your environment, both the guided ones and the automated ones, behave. For example, you can set the following parameters:

1. Balanced Workloads - More balance minimizes contention but moves workloads more, which can cause disruption. Good for more stable populations. Less balance exposes potential contention, but moves workloads less. Good for more dynamic populations.

2. Consolidated Workloads - More consolidation will put workloads into as few hosts as possible to reduce licensing and power costs, but allows for less responsive capacity. Good for populations with steady demand. Less consolidation uses all available hosts, which leaves more room for demand spikes, but can run up licensing and power costs. Good for populations with erratic demand.

3. Change Datastore - Whether or not to change the datastore the VM resides on as part of the Rebalancing action.

4. Datastore Selection Options - Do not use datastore on local disk and/or exclude datastores that contain specific words in the name.

5. Virtual Machines selected to move during balance - Select Virtual Machines with smallest demand first or with largest demand first.

Summary

When it comes to managing operations in a virtualized data center, there are some key aspects that you need to tackle and one of the key ones is the ability to understand resource usage and then be able to rebalance it intelligently. With the new Intelligent Workload Placement capability of vRealize Operations 6.1, we match the workload to your specific IT and business needs and recommend the best placement location.

And as your workloads change and your environment evolves and grows, you can leverage the Intelligent Placement and Proactive Rebalancing capabilities to ensure performance that meets the needs of your business.

Note: for a deeper dive on Workload Placement capability please refer to lab HOL-SDC-1610.

Module 2: Build and Manage Your Infrastructure - Networking - (30 Minutes)

Migrating to the vSphere Distributed Switch - Overview

In this lab we will migrate a host from a vSphere Standard Switch (VSS) to a vSphere Distributed Switch (VDS).

There are two methods of migration:

1: User Interface (UI) - This method uses a wizard that guides the user through the migration steps.

2: Host Profiles - This method allows us to grab the network configuration from a host and duplicate it on another host or group of hosts.

In this lab section we will only have time to migrate a host with the UI based host migration wizard.

vSphere Distributed Switch Architecture

A vSphere Distributed Switch functions as a single switch across all associated hosts. This enables you to set network configurations that span across all member hosts, and allows virtual machines to maintain consistent network configuration as they migrate across multiple hosts.

Like a vSphere Standard Switch, each vSphere Distributed Switch is a network hub that virtual machines can use. A vSphere Distributed Switch can forward traffic internally between virtual machines, or link to an external network by connecting to physical Ethernet adapters, also known as uplink adapters.

Each vSphere Distributed Switch can also have one or more distributed port groups configured. The Distributed port group defines a common network configuration across a set of virtual ports. If a user wants a set of virtual machines to connect to a network with similar properties, those virtual machines should be connected to the same distributed port group. Each distributed port group is identified by a network label, which is unique under the datacenter. For example, in the diagram above there are three distributed port groups - Production, Test environment and XYZ.

This lab starts with a VSS with 4 port groups. There is also a pre-created VDS with 4 distributed port groups.

Management Network (A) - For Management traffic

Storage Network (A) - For Storage traffic

vMotion Network (A) - For vMotion traffic

VM Network (A) - For VM traffic

These distributed port groups on the VDS have the same network properties defined on the VSS port groups.

Migrate VSS to VDS Using the Web Client

Launch the Google Chrome browser from the desktop of ControlCenter.

You will be automatically directed to Site A Web Client. You may easily log in by ticking the "Use Windows session authentication" box and then "Login"

Navigate to esx-01a.corp.local

In the top right corner of the Web Client, type "esx-01a" into the search bar and then click on the link for esx-01a.corp.local

Prepare the lab by configuring linux-micro-01a

We will need to move this VM to the standard switch so we can evaluate the impact of migration in our lab.

1. Click on the "Related Objects" tab

2. Select the "Virtual Machines" button.

3. Right click on linux-micro-01a

4. Select "Edit Settings" from the context menu.

Switch VM to Standard Switch

The VM is currently connected to the VDS on VM Network (vds-site-a)

1. You will need to pull down the list of available networks

2. Select "VM Network" (the first selection).

3. Click OK

Remove esx-01a from the VDS

Finally, let's remove the host from the VDS altogether for our lab. We'll migrate the host back to the VDS later in this lab. This way we can see how easy it is to migrate from VSS to VDS.

1. Click on the "Manage" tab

2. Select the "Networking" button.

3. Select "Virtual Switches"

4. Select "vds-site-a" switch - this is the VDS we want to remove.

5. Click the red "X" icon to remove the host from the switch.

6. Click "Yes" to complete the removal.

View the vSphere Standard Switch

1. Click the "Manage" tab

2. Select the "Networking" button.

3. Select "Virtual switches"

4. Select "vSwitch0" to display the switch configuration.

Review vSphere Standard Switch Configuration

This host has a standard switch with a VM network and three VMkernel ports. The switch also is using two physical switches for uplink to the physical network. We will migrate this switch to an existing distributed switch.

Navigate to the vSphere Distributed Switch

1. Use the Web Client search bar again and type in "vds-site-a"

2. Click on the link for the vds-site-a Distributed Switch

Review Existing VDS Distributed Port Groups

1. Click on the "Related Objects" tab

2. Then click the "Distributed Port Groups" button.

Note that there are four port groups already created for this VDS - there are actually hosts from another cluster using the same VDS. We can add new hosts and import networking without disruption to the existing hosts and VMs.

Set Up to Validate Non-Disruptive Migration

To prove that we can do this migration non-disruptively, we will open a PuTTY session to a running VM.

1. Open PuTTY

2. Select "Linux-micro-01a.corp.local"

3. Click Open

Run "top" on linux-micro-01a

Execute "top" to give us proof that the VM is still running after the migration.

Once running, minimize the PuTTY session.

Add Hosts to the VDS

1. Open the "Actions" menu

2. Select "Add and Manage Hosts..."

Add Hosts continued

"Add hosts" is selected by default - click "Next"

Select Hosts

1. Click on the "New hosts..." icon to select the hosts to add to the VDS.

2. Select esx-01a at this time.

Click OK (not shown) to close the host selection popup.

Click Next (not shown) when you return to the host list.

Select network adapter tasks

1. Check the boxes next to:

• Manage physical adapters

• Manage VMkernel adapters

• Migrate virtual machine networking

2. Click "Next" to continue.

Manage Physical Network Adapters

1. Select vmnic0

2. Click "Assign uplink" to get the uplink selection popup.

3. Within the "Select an Uplink for vmnic0" popup, click on "Uplink 1" and then "OK"

Repeat this process for vmnic1 (assign to uplink 2) and click "Next"

Manage VMkernel network adapters

You will repeat this step for each VMkernel adapter:

VMkernel adapters are assigned as follows

• vmk0 = Management Network

• vmk1 = Storage Network

• vmk2 = vMotion Network

1. Select the vmk# in the adapters list

2. Click on "Assign port group"

3. Select the appropriate port group and click OK (e.g. select Management Network for vmk0)

Verify Assignment

1. Verify that each VMkernel adapter is mapped to the correct VDS port group.

2. Click "Next"

Analyze Impact

There should be "No impact" - click "Next" to continue.

Migrate VM Networking

1. Drill down to the "Network adapter 1" on the linux-micro-01a VM.

2. Click "Assign port group"

3. In the "Select Network" popup, select the "VM Network" and click OK.

Click "Next" (not shown) to continue.

Note that you could simply select the VM and assign all vNICs to a new Port Group. We did it this way to demonstrate that you have granular control of where vNICs are migrated in the new network scheme.

Complete the Host Add and Network Migration

Verify the settings and click "Finish" (not shown) to apply the changes.

Switch Back to the Host View

Switch back to esx-01a by clicking the breadcrumbs link.

View Standard Networking Changes

Select vSwitch0 and note that there are no VMs attached to the VM Network, and the VMkernel adapters are not present.

View Distributed Switch Configuration

Click on vds-site-a and observe that all the VMkernel ports are migrated as well as the VM.

Note: If the VDS does not appear in the Virtual Switches view, you will need to refresh the browser (press F5) to get it to fully refresh the view.

Validate the Migration Was Non-Disruptive

Return to your PuTTY session and validate that "top" is still operating and the session didn't close.

You can close the PuTTY session when you are finished.

Remove Legacy Switch

1. Return to the Web Client and select the vSwitch0 vSphere Standard Switch.

2. Click the Red X icon to delete this switch.

Confirm Removal

Click Yes.

Refresh Host Networking

Click the Refresh Host Networking icon and verify that the VSS has been removed.

Implementing Quality of Service (QoS) Tagging

Two types of QoS Marking/Tagging common in networking are 802.1p (COS) applied on Ethernet (Layer 2) packets and Differentiated Service Code Point (DSCP) Marking applied on IP packets. The physical network devices use these tags to identify important traffic types and provide Quality of Service based on the value of the tag. As business critical and latency sensitive applications are virtualized and run in parallel with other applications on ESXi hosts, it is important to enable traffic management and tagging features on the VDS.

The traffic management feature on the VDS helps reserve bandwidth for important traffic types, and the tagging feature allows the external physical network to understand the level of importance of each traffic type. It is a best practice to tag the traffic near the source to help achieve end-to-end Quality of Service (QoS). During network congestion scenarios, the tagged traffic doesn’t get dropped, which translates to a higher Quality of Service (QoS) for the tagged traffic.

VMware has supported 802.1p tagging on the VDS since the vSphere 5.1 release. The 802.1p tag is inserted in the Ethernet header before the packet is sent out on the physical network. In the 5.5 release, the DSCP marking support allows users to insert tags in the IP header. The IP header level tagging helps in layer 3 environments, where physical routers prefer the IP header tag to the Ethernet header tag.

Once the packets are classified based on the qualifiers described in the traffic filtering section, users can choose to perform Ethernet (layer 2) or IP (layer 3) header level marking. The markings can be configured at the port group level.

Where is the DSCP tag field in the Packet?

In this lab module we will implement DSCP tagging on all egress traffic on the VM Network Port Group.

We will then capture some traffic passing through the VDS and observe the DSCP field in the packet header.

Log in to the vCenter Console

Launch Google Chrome from your ControlCenter desktop.

You will automatically be directed to the login for Site A Web Client.

1. Tick the "Use Windows session authentication" box

2. Click "Login"

Search for vds-site-a

1. In the Web Client search bar, type "vds-site-a"

2. Click on the link for the Distributed Switch.

Edit the VM Network Port Group on vds-site-a

1. In the vds-site-a related objects list, click on "Distributed Port Groups"

2. Click on "VM Network" from the list of available port groups.

3. Make sure you are on the Manage tab

4. Select the Settings option

5. Select Policies

6. Click the "Edit" button to open the settings editor.

VM Network - Edit Settings - Traffic filtering and marking

1. Click on Traffic filtering and marking

2. In the Status drop down box choose Enabled

3. Click the Green + to add a New Network Traffic Rule

New Network Traffic Rule - Action

1. In the Action: drop down box select Tag (default)

2. Check the box to the right of DSCP value

3. In the drop down box for the DSCP value select Maximum 63

4. In the Traffic direction drop down box select Ingress

5. Click the Green +

New Network Traffic Rule - Qualifier

Now that you have decided to tag the traffic, the next question is which traffic you would like to tag. There are three options available while defining the qualifier:

1) System Traffic Qualifier

2) New MAC qualifier

3) New IP Qualifier.

That means users have options to select packets based on system traffic types, MAC header or IP header fields. In this example we will create a qualifier based on system traffic.

Select New System Traffic Qualifier from the drop down menu

New Network Traffic Rule - New System Traffic Qualifier

1. Select Virtual Machine

2. Click OK

New Network Traffic Rule

Check that your rule matches

Name: Network Traffic Rule 1

Action: Tag

DSCP Value: Checked

DSCP Value: 63

Traffic Direction: Ingress

System traffic Virtual Machine

Click OK

VM Network - Edit Settings

Click OK

Open a PuTTY Session

1. Click the PuTTY icon in the ControlCenter desktop taskbar.

2. Scroll down to the saved session "linux-micro-01b.corp.local"

3. Click "Open"

Accept Security Alert

You may get a PuTTY Security Alert. If so, answer "Yes" to continue.

Start a continuous ping from linux-micro-01b to the ControlCenter Desktop

Type ping 192.168.110.10

Press Enter

Launch Wireshark from the ControlCenter Desktop

Click on the Wireshark icon on the ControlCenter Desktop

Select an Interface to capture

Click on Interface List

Wireshark Capture Interfaces

1. Check the box to the left of Local Area Connection VMware vmxnet3 virtual network device (default)

2. Click Start

Stop the Capture

Click the Stop the running live capture icon

Filter the capture for ICMP traffic

1. In the Filter: box type icmp

2. Click the Apply icon

Inspect an icmp packet

1. Click on any of the ICMP request packets from 192.168.110.130 (the linux-micro-01b VM)

2. Click the plus sign to the left of Internet Protocol version 4

3. Click the plus sign to the left of Differentiated Services Field

4. Observe the DSCP value of 63 (hexadecimal 0x3f)

Now that we have shown that we can tag packets let's investigate traffic filtering.

You can close Wireshark when you are done. Leave the PuTTY session to linux-micro-01b open. We will need it for the next lesson.
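The field inspected in Wireshark above can also be read straight from the frame bytes. The Python sketch below is an added example, not part of the lab: it returns the 802.1p priority (when an 802.1Q tag is present) and the DSCP value from the IPv4 header, and lists frames from a given source that lack the expected marking. The sample frames are constructed here (MAC addresses, VLAN ID and zeroed checksums are placeholders); the IP addresses and DSCP 63 are the lab's.

```python
import ipaddress
import struct

ETH_P_8021Q = 0x8100   # EtherType announcing an 802.1Q VLAN tag
ETH_P_IPV4 = 0x0800


def parse_qos_marks(frame: bytes) -> dict:
    """Return the 802.1p priority and DSCP/ECN values carried by one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, pcp = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13                # 802.1p (CoS): top 3 bits of the tag control field
        offset = 18
    marks = {"pcp": pcp, "dscp": None, "ecn": None, "src": None, "dst": None}
    if ethertype != ETH_P_IPV4:
        return marks                   # Layer 2 marking only; no IPv4 header to inspect
    ip = frame[offset:offset + 20]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("incomplete or malformed IPv4 header")
    ds_field = ip[1]                   # Differentiated Services field: 2nd header byte
    marks.update(
        dscp=ds_field >> 2,            # upper 6 bits
        ecn=ds_field & 0x03,           # lower 2 bits
        src=str(ipaddress.IPv4Address(ip[12:16])),
        dst=str(ipaddress.IPv4Address(ip[16:20])),
    )
    return marks


def build_icmp_echo_frame(src: str, dst: str, dscp: int, vlan_pcp=None) -> bytes:
    """Construct a sample ICMP echo request frame (test data, checksums left at zero)."""
    eth = bytes.fromhex("005056000002") + bytes.fromhex("005056000001")  # placeholder MACs
    if vlan_pcp is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, (vlan_pcp << 13) | 100)   # placeholder VLAN 100
    eth += struct.pack("!H", ETH_P_IPV4)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)                          # type 8 = echo request
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, dscp << 2, 20 + len(icmp), 0, 0, 64, 1, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return eth + ip + icmp


def frames_missing_mark(frames, src: str, expected_dscp: int) -> list:
    """Return the indexes of IPv4 frames from `src` whose DSCP is not `expected_dscp`."""
    missing = []
    for index, frame in enumerate(frames):
        marks = parse_qos_marks(frame)
        if marks["src"] == src and marks["dscp"] != expected_dscp:
            missing.append(index)
    return missing


# Constructed capture: a tagged ping, an untagged ping, and a ping that also
# carries an 802.1p priority in a VLAN tag.
SAMPLE_FRAMES = [
    build_icmp_echo_frame("192.168.110.130", "192.168.110.10", dscp=63),
    build_icmp_echo_frame("192.168.110.130", "192.168.110.10", dscp=0),
    build_icmp_echo_frame("192.168.110.130", "192.168.110.10", dscp=63, vlan_pcp=5),
]

if __name__ == "__main__":
    for number, sample in enumerate(SAMPLE_FRAMES):
        print(number, parse_qos_marks(sample))
    print("frames missing DSCP 63:",
          frames_missing_mark(SAMPLE_FRAMES, "192.168.110.130", 63))
```

DSCP 63 occupies the upper six bits of the DS byte, so the raw header byte on the wire is 0xfc while Wireshark reports the DSCP value itself as 0x3f.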

Implementing Traffic Filtering

Traffic filtering is the ability to filter packets based on the various parameters of the packet header. This capability is also referred to as Access Control Lists (ACLs), and it is used to provide port level security on the VDS.

Traffic Filtering Diagram

The VDS supports packet classification based on the following three different types of qualifiers:

• MAC SA and DA qualifier

• System Traffic qualifiers: vMotion, Management, FT, etc.

• IP Qualifiers: Protocol type, IP SA, IP DA, and Port number

Once the qualifier is selected and packets are classified, users have the option to either filter or tag the packets.

When the classified packets are selected for filtering, users have the option to filter ingress traffic, egress traffic or both.

As shown in the figure above, the traffic-filtering configuration is at the port group level.

In this lab we will implement traffic filtering to block ICMP (Ping) traffic from the VM Port Group.
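The classification model described above can be sketched as a small rule evaluator. This Python code is an added example and a simplified model, not VMware's implementation; it assumes that all qualifiers of a rule must match, that the first matching rule decides, and that unmatched traffic is forwarded unchanged. The two rules are the ones this lab configures on the VM Network port group; the MAC address is a constructed placeholder.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                           # "icmp", "tcp", "udp"
    direction: str = "ingress"              # as configured on the rule: "ingress" or "egress"
    src_mac: str = "00:50:56:00:00:01"      # constructed placeholder
    system_traffic: str = "Virtual Machine"
    dscp: int = 0


@dataclass
class SystemTrafficQualifier:
    traffic_type: str                       # e.g. "Virtual Machine", "vMotion", "Management"

    def matches(self, pkt: Packet) -> bool:
        return pkt.system_traffic == self.traffic_type


@dataclass
class MacQualifier:
    source: str

    def matches(self, pkt: Packet) -> bool:
        return pkt.src_mac.lower() == self.source.lower()


@dataclass
class IpQualifier:
    protocol: Optional[str] = None
    source: Optional[str] = None            # single address or CIDR
    destination: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.source and ip_address(pkt.src_ip) not in ip_network(self.source, strict=False):
            return False
        if self.destination and ip_address(pkt.dst_ip) not in ip_network(self.destination, strict=False):
            return False
        return True


@dataclass
class Rule:
    name: str
    action: str                             # "tag" or "drop"
    direction: str                          # "ingress", "egress" or "both"
    qualifiers: List[object]
    dscp: Optional[int] = None              # only used by the "tag" action


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return ("drop", None) or ("forward", resulting DSCP) for one packet."""
    for rule in rules:
        if rule.direction not in ("both", pkt.direction):
            continue                        # rule does not apply to this direction
        if not all(q.matches(pkt) for q in rule.qualifiers):
            continue                        # every qualifier must match (model assumption)
        if rule.action == "drop":
            return ("drop", None)
        if rule.action == "tag":
            return ("forward", rule.dscp)
    return ("forward", pkt.dscp)            # no rule matched: forwarded unchanged


# Rule from the QoS tagging lesson: tag Virtual Machine system traffic with DSCP 63.
TAG_RULE = Rule("Network Traffic Rule 1", "tag", "ingress",
                [SystemTrafficQualifier("Virtual Machine")], dscp=63)

# The same rule after it is edited in this lesson: drop ICMP from one source address.
DROP_RULE = Rule("Network Traffic Rule 1", "drop", "ingress",
                 [IpQualifier(protocol="icmp", source="192.168.100.130")])

if __name__ == "__main__":
    ping = Packet("192.168.100.130", "192.168.110.10", "icmp")
    print("tag rule :", evaluate([TAG_RULE], ping))
    print("drop rule:", evaluate([DROP_RULE], ping))
```

The drop rule is deliberately narrow: only ICMP from the configured source in the configured direction is filtered, so other protocols and other sources on the same port group still pass.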

Edit the VM Network Port Group Settings

Return to the Web Client.

Click "Edit" to edit the VM Network port group settings.

VM Network - Edit Settings - Traffic filtering and marking

1. Click on Traffic filtering and marking in the left hand navigation pane

2. Click on the Network Traffic Rule 1

3. Click the Pencil icon (edit)

Edit Network Traffic Rule - Action

Change Action to Drop

Edit Network Traffic Rule - New IP Qualifier

1. Click the Green + to add a new qualifier

2. Select New IP Qualifier... from the drop down list

New IP Qualifier

1. Select ICMP from the Protocol drop down menu

2. Select Source address is and set to 192.168.100.130

3. Click OK

Remove the System traffic qualifier

1. Click on the System traffic qualifier

2. Click the Red X to remove the System traffic qualifier

Remove the System traffic qualifier

Click Yes

Edit Network Traffic Rule

Click OK

VM Network - Edit Settings

Ensure that your Traffic filtering and marking settings match

1. 1 | Network Traffic Rule 1| Drop | Ingress

2. IP | ICMP

3. Click OK

Stop Ping on the linux-micro-01b VM

To confirm that we can no longer send ICMP traffic from our VM, let's run another test.

Return to the PuTTY session for linux-micro-01b and stop Ping by pressing CTRL-C

Observe that ICMP (Ping) traffic is now being dropped

Now let's send only 4 ICMP packets instead of doing a continuous ping.

Enter "ping -c 4 192.168.110.10"

Wait about 10 seconds and observe the result. With our traffic filtering, the ICMP packets to ControlCenter desktop have been dropped.

Edit the VM Network Port Group Settings

Return to the Web Client.

Click "Edit" to edit the VM Network port group settings.

Remove Network Traffic Rule 1

1. Click on Traffic filtering and marking in the left hand navigation pane

2. Click on the Network Traffic Rule 1

3. Click the red X icon

4. Click OK

Observe that ICMP traffic is once again flowing between the VMs

Switch back to the PuTTY session

Press the up arrow to bring the last ping command back from history (or enter "ping -c 4 192.168.110.10")

The ping now responds successfully.

This concludes QoS Tagging and Filtering. You may close the PuTTY session and the Chrome browser.

Monitoring the vSphere Distributed Switch with Encapsulated Remote Mirroring

The remote mirroring capability on VDS helps send traffic from a virtual machine running on one host to a virtual machine on another host for debugging or monitoring purposes.

vSphere Distributed Switch 5.1 and above supports the following protocols:

• Switch Port Analyzer (SPAN, RSPAN, ERSPAN)

• IP Flow Information Export (IPFIX / NetFlow v10)

In this lesson we will monitor virtual machine traffic using a centrally located traffic analyzer.

Prepare testing tools

Before configuring Remote Port Mirroring we need to prepare our testing infrastructure.

Open PuTTY Session

1. From the ControlCenter desktop, click the PuTTY icon on the task bar.

2. In the PuTTY Configuration window scroll down to the saved session for "linux-micro-01b.corp.local" and click "Open"

Start Pinging base-w12-01b

Start pinging the VM base-w12-01b - this VM uses IP address 192.168.100.131.

We are showing the name in this step since we will refer to the VM name later when creating the port mirror.

Launch tshark

In this module, we will use Tshark, a terminal based network traffic analyzer similar to Wireshark.

To launch it, double click on the Tshark icon on the desktop. We've added a filter to only look at ICMP traffic to/from 192.168.100.131 (base-w12-01b).

Important - Re-enter tshark start command

Note: Due to an error in the tshark batch file, you will need to copy the command below and paste it into the command window using the "Send Text" feature of your lab interface.

"C:\Program Files\Wireshark\tshark.exe" -p -Y "icmp and not icmp.code == 2 and ip.addr == 192.168.100.131"

Press "Enter" and then close out the "Send Text To Console" window.

Check the Tshark window

In the previous step, the ping succeeded, but if you look at your tshark window, you'll see it stays empty. No traffic is currently visible from our Windows desktop.

That's perfectly normal. To get it here, we first need to mirror it using Encapsulated Remote Mirroring. That's the objective of the next lesson.

Note: For the curious, we've launched Tshark in non-promiscuous mode (-p). Our Control Center, being in the same L2 as our VMs, could have seen the traffic in some situations, e.g., if both VMs were hosted on different ESXi hosts. We are using Encapsulated Remote Mirroring here, even if it would have been easier with Remote Mirroring, as the objective of this module is to demonstrate Encapsulated Remote Mirroring.

Encapsulated Remote Mirroring Configuration

In our nested environment where all of the physical switch configuration is out of reach, a convenient feature to monitor VM traffic from a central location is Encapsulated Remote Mirroring, as it doesn't require any physical switch configuration.

With Encapsulated Remote Mirroring, you can mirror the traffic to any location in your environment. This is done simply by defining the destination IP address of the mirrored traffic.

In this lesson we will configure our VDS to mirror traffic to the Windows desktop where you are currently connected.

Open the vSphere Web Client

If not already open, start the web client by starting Google Chrome from the shortcut on your desktop.

Tick the box to "Use Windows session authentication" and then click "Login"

Navigate to base-w12-01b

1. In the Web Client quick search bar, type "site-b"

2. Click the link for the Distributed Switch "vds-site-b"

Add a New Port Mirror Session

1. Click the Manage tab.

2. Click Settings.

3. Select Port Mirroring.

4. Click the Green + to create a new session.

Select session type

1. Select Encapsulated Remote Mirroring (L3) Source

2. Click Next.

Edit Properties

1. Type Encapsulated Remote Mirroring - Destination in the Name field

2. Enable its status.

3. Click Next

Select sources

There are two options to select sources: you can select ports from a list, or directly type in a Port ID range, like 2-8 for example.

1. Click the first + icon to select Port IDs from a list.

Select Ports

Selecting from a list is easier than typing a port range: you see the Connected Entity here, so you can easily select the VMs you want to monitor.

Click on the checkbox for the Port ID connected to the full-sles-01a entity. Be careful to select the correct one; the order of your list may differ.

Click OK.

Limit Traffic Direction

By default, mirroring of traffic will happen for both Ingress and Egress traffic. You can limit the direction by clicking on the respective icons.

1. Click on the left blue arrow to mirror only Egress traffic.

Note: Keep in mind the notion of Egress and Ingress is defined by how the flow relates to the VDS. Egress, in this context, means all the traffic going out of the VDS to the selected Port IDs.

2. Click Next.

Select destinations

Click the green + icon.

Add IP Address

1. Type the IP address of the Control Center where we will analyze the mirrored traffic: 192.168.110.10

2. Click OK.

Next

Click Next.

Ready to complete

Review your Port Mirroring Session settings.

Click Finish.

Confirm settings

1. Your Encapsulated Remote Mirroring - Destination Port mirroring session is now Enabled.

2. To confirm the settings you can select Encapsulated Remote Mirroring - Destination and click on the Sources and Destinations tabs.

You should have the same information as:

Status: Enabled

Connectee: base-w12-01b

Traffic Direction: Egress

Destination: 192.168.110.10 (not displayed in this screen capture, available behind the Destinations tab).

Click on the pencil and update your configuration accordingly until you get the same result.

Confirm you now see the mirrored traffic

Switch to your Tshark window. You should now see the mirrored traffic reaching your Windows desktop.

We only see the Echo request and no reply here. This is normal, as we are only mirroring Egress traffic.

If the Tshark window stays empty read the following troubleshooting notes.

Troubleshooting Notes

1. Check the linux-micro-01b PuTTY session to see if the ping is still running. If that's not the case, re-launch it.

2. Double check the Encapsulated Remote Mirroring - Destination session settings (see previous step).

3. Make sure you've applied this Encapsulated Remote Mirroring configuration to vds-site-b and not vds-site-a.

Encapsulated Remote Mirroring and vMotion

Before wrapping up this Encapsulated Remote Mirroring module, we'll confirm that when vMotioning a VM, its traffic is still mirrored.

VMs and Templates

1. Type "base-w12" in the Web Client quick search box.

2. Click the link for the VM "base-w12-01b"

Migrate...

1. Click on Actions

2. Select Migrate...

Change compute resource only

Click Next.

Select Destination Resource

1. Select esx-01b.corp.local

2. Click Next.

Select network

Click Next

Select vMotion Priority

Click Next.

Review Selections

Compare your selections with the following yellow boxes.

If that looks the same on your side, click Finish; otherwise click Back.

Mirroring is still happening

Switch back to your Tshark window to confirm traffic is still mirrored.

You can now close the Tshark window.

You can now close the PuTTY session.

This concludes our Encapsulated Remote Mirroring lesson.

Implementing LACP on the vSphere Distributed Switch

vSphere 5.1 added limited support for Link Aggregation Control Protocol (LACP), with these constraints:

• Supports only one Link Aggregation Group (LAG) per VDS per host.

• All uplinks in the dvuplink port group are included in this LAG.

• Only the IP hash load balancing algorithm is supported.

vSphere 5.5 comes with an enhanced LACP implementation, which supports:

• Multiple LAGs (up to 32 LAGs per host and 64 LAGs per VDS).

• Multiple load balancing options (22 different hashing algorithms).

In this module we will demonstrate how to configure LACP v2.

If you feel comfortable with the concepts involved with LACP, you can skip ahead to the next section.

Link Aggregation Control Protocol is a vendor-independent standard defined in IEEE 802.1ax (formerly IEEE 802.3ad). It provides a mechanism to control the bundling of several ports together to form a single logical channel by sending LACP packets to a peer which also implements LACP.

LACP provides higher bandwidth and network redundancy.

The automatic negotiation of link aggregation parameters between virtual and physical switches provides the following advantages over static configuration:

• Plug and Play – Automatically configures and negotiates between host and access layer physical switch

• Dynamic – Detects link failures and cabling mistakes and automatically reconfigures the links

Finally, one last definition: a Link Aggregation Group is a grouping of multiple individual links - with compatible properties - formed into a single logical channel.

Check Requirements

In this lesson we will check the requirements to implement LACP v2 on vSphere.


LACP v2 requirements

Before jumping in, please note the following restrictions when using LACP v2:

• A vSphere Distributed Switch version 5.5 is required.
• Only same speed links can be combined to form a LAG.
• Only one LAG can be made active in the teaming configuration of a Port Group.
• No other uplinks can be active or in standby mode at the same time, failover will be handled at the LACP level.


Login to the vSphere Web Client

Launch the Google Chrome browser from your desktop.

Tick the box next to "Use Windows session authentication" and click "Login"


Navigate to vds-site-b

1. In the web client quick search type "vds"

2. Click on the link for the Distributed Switch "vds-site-b"


Check vSphere Distributed Switch version

Click on the Summary tab. As you can see, the VDS version is 6.0, but an upgrade of the switch features is available.

1. Click on the "Upgrades Available" link to view information about features that you can enable.

2. One of these is Enhanced LACP Support.


vds-site-b Enhance

Let's add Enhanced LACP Support by opening the Features widget and clicking the "Enhance" link under Link Aggregation Control Policy.


Enhance LACP Overview

It is a good idea to back up your switch configuration before enhancing the VDS. However, in this lab we will throw caution to the wind and click "Next".


Validate prerequisites

Everything looks good, click "Next"


Ready to Complete

Ready to go, click Finish to enhance our VDS.

Create a Link Aggregation Group on the VDS

In this lesson we will create a LAG on the VDS


Add a new LAG group

1. Select the Manage Tab

2. Click on LACP.

3. You can now add a new Link Aggregation Group by clicking on the green + icon.


Fill out the form

1. Select Source and destination IP address and VLAN as the load balancing scheme and keep everything else as is. As you can see, the current LACP implementation supports many different load balancing modes.

2. Mode Passive means the port is in a passive negotiating state. In passive mode the port responds to LACP packets it receives but does not initiate LACP negotiation.

Note: The Port Policies section is gray; we'll see how to activate it later in the lab.

3. Click OK.


LAG created

Your lag1 is now created.

If you don't see lag1 in the list, you may need to refresh the Web Client.

In the next step we'll confirm the creation of our LAG in our host.


Launch PUTTY

Click Start > PuTTY


Connect to esx-03a.corp.local

1. Select esx-01b.corp.local in the Saved Configurations list

2. Click Open.


Confirm LAG creation from the command line

Type the following command:

esxcli network vswitch dvs vmware lacp config get

As you can see, lag1 is created but it isn't associated with any NICs. We'll do that in the next section.

Note: You can keep PuTTY open for now.

Configure the hosts to use the LAG

In this lesson, we will add physical NICs to our lag1. Please switch back to the vSphere Web Client.


Migrating network traffic to LAGs

A wizard will help you migrate network traffic to the LAG. Make sure you've selected vds-site-b > Manage > Settings > LACP.

Click on Migrating network traffic to LAGs to launch the wizard.


Add and Manage Hosts...

Click on Add and Manage Hosts...


Manage host networking

1. Click on the Manage host networking radio button

2. Click Next


Add hosts

Click the green + to add Hosts to the list

Select Hosts

1. Select both hosts by clicking on the checkbox in the heading

2. Click OK.


Activate template mode

1. Activate the template mode by clicking on the checkbox at the bottom

2. Click Next.

Note: By using the template mode you only configure one node, and all the operations will be replicated on the remaining nodes. All the nodes need to have the same configuration. To get more information on this mode, you can click on the gray icon just after (template mode).


Select template host

1. Select esx-01b.corp.local

2. Click Next.


Select network adapter tasks

1. Make sure only the first option Manage physical adapters (template mode) is selected

2. Click Next.


Manage Physical network adapters vmnic2

1. Select vmnic2

2. Click Assign uplink.


Assign vmnic2 to lag1-0

1. Select lag1-0

2. Click OK.


Manage Physical network adapters vmnic3

1. Select vmnic3

2. Click Assign uplink.


Assign vmnic3 to lag1-1

1. Select lag1-1

2. Click OK.


Apply to all

1. To replicate the configuration of esx-01b.corp.local on esx-02b.corp.local click on Apply to all

2. Click Next.


Analyze impact

vCenter tells you there isn't any impact on network dependent services, so you can relax and click Next.


Ready to complete

Click Finish to proceed and wait until the operation completes.


Confirm NICs <-> LAG association from the command line

Switch back to your PuTTY session, which should still be connected to esx-01b.corp.local. If you closed it, launch PuTTY again and connect to esx-01b.corp.local.

Use the up arrow key to recall the last command or type it again:

esxcli network vswitch dvs vmware lacp config get

As you can see, your lag1 is now associated with vmnic2 and vmnic3. Congratulations!!!

Wait, we still have one more thing to do to use this LAG in production.

Configure a Port Group to use the LAG

We are almost done with our LACP Hands on Lab module. The last step is to configure a Port Group to use this Link Aggregation Group for its uplink.


Manage Distributed Port Groups...

Switch back to vSphere Web Client

In the wizard click on Manage Distributed Port Groups...

Note: If you closed the wizard earlier, you can reopen it from the LACP settings by clicking on Migrate network traffic to LAGs.


Select port group policies

1. Select Teaming and failover policies

2. Click Next.


Select distributed port groups

We need to add port groups to edit. Click the icon indicated in the screen shot.


Select Distributed Port Groups

1. For this lesson, let's use the VM Network port group. Select it

2. Click OK.


Select port groups

Click Next.


Teaming and failover

1. Select lag1

2. Click six times on the up arrow icon to move it above Uplink 1.


Teaming and failover

Click on the red warning icon and read the popup alert, which reminds you of an important caveat.

To comply, select each uplink and move them down to "Unused uplinks" using the blue down arrow.


Teaming and failover

You should have something similar to the screenshot above.

As you can see, the red warning icon disappeared and a gray icon appeared next to the load balancing scheme. If you click on it, you'll learn that the load balancing scheme of the Port Group will get overwritten by the one from the LAG.

You can now click Next.

Ready to complete

Click Finish and close the wizard window.

Congratulations, your LACP configuration is now complete for your lag1. In a real-world scenario we would do the same process for the Management, Storage and vMotion networks, or we could also share a common LAG depending on NICs availability and network requirements.


But, you know the drill, your time at VMworld 2015 is valuable so let's not repeat ourselves and wrap up this module in the next chapter.

Check the Topology

Now let's inspect the topology


Close wizard

Close the LAG migration wizard


Topology

1. Select Topology
2. Select the VM Network Port Group.
3. Click on the gray arrow in front of lag1 to see the implementation details for each host.

This confirms Data traffic will use the newly created lag1, which uses 3 physical NICs on each host.

Conclusion

This concludes our LACP lab module. Keep in mind the following requirements when implementing this feature:

• VDS 5.5 and a physical switch implementing LACP are both required.
• Only same speed links can be combined to form a LAG.
• Only one LAG can be made active in the teaming configuration of a Port Group.
• No other uplinks could be active or in standby mode at the same time, failover will be handled at the LACP level.

Regarding the maximums, you can have up to 32 LAGs per host, but the number of NICs on a host is also limited to 32 if you have 1 GbE interfaces, or 8 for 10 GbE ones.


So, for example, you can only create 16 LAGs with two 1 Gig interfaces each.
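The restrictions and maximums listed in this module, written as a pre-change check on a planned LAG layout. This is an added example, not part of the original lab or of VMware's tooling: the data classes, finding codes and sample inventory are constructed for illustration, and the 1 Gbit/s speed given to vmnic2 and vmnic3 is an assumption.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Limits and restrictions as stated in this lab module.
MIN_VDS_VERSION = (5, 5)
MAX_LAGS_PER_HOST = 32
MAX_LAGS_PER_VDS = 64
MAX_NICS_PER_HOST = {1: 32, 10: 8}  # link speed in Gbit/s -> NIC limit


@dataclass
class Lag:
    name: str
    members: dict  # host name -> list of (vmnic name, speed in Gbit/s)


@dataclass
class PortGroup:
    name: str
    active: list  # uplink or LAG names in the "Active uplinks" section
    standby: list = field(default_factory=list)


@dataclass
class Vds:
    name: str
    version: tuple  # e.g. (6, 0)
    lags: list
    port_groups: list


def validate(vds):
    """Return a list of 'CODE: detail' findings; an empty list means the plan passes."""
    findings = []
    if vds.version < MIN_VDS_VERSION:
        findings.append(f"VDS_VERSION: {vds.name} is below 5.5")
    if len(vds.lags) > MAX_LAGS_PER_VDS:
        findings.append(f"LAGS_PER_VDS: {len(vds.lags)} > {MAX_LAGS_PER_VDS}")

    lags_on_host = Counter()
    nics_on_host = defaultdict(Counter)  # host -> speed -> number of LAG member NICs
    for lag in vds.lags:
        for host, nics in lag.members.items():
            lags_on_host[host] += 1
            speeds = sorted({speed for _, speed in nics})
            if len(speeds) > 1:
                findings.append(
                    f"MIXED_SPEED: {lag.name} on {host} mixes {speeds} Gbit/s links")
            for _, speed in nics:
                nics_on_host[host][speed] += 1

    for host, count in lags_on_host.items():
        if count > MAX_LAGS_PER_HOST:
            findings.append(f"LAGS_PER_HOST: {host} has {count} > {MAX_LAGS_PER_HOST}")
    # Only NICs that are LAG members are counted, so this is a lower bound per host.
    for host, by_speed in nics_on_host.items():
        for speed, count in by_speed.items():
            limit = MAX_NICS_PER_HOST.get(speed)
            if limit is not None and count > limit:
                findings.append(
                    f"NICS_PER_HOST: {host} needs {count} x {speed} Gbit/s NICs, limit {limit}")

    lag_names = {lag.name for lag in vds.lags}
    for pg in vds.port_groups:
        used = pg.active + pg.standby
        if not lag_names.intersection(used):
            continue  # port group does not use a LAG
        active_lags = [u for u in pg.active if u in lag_names]
        if len(active_lags) != 1:
            findings.append(f"ONE_ACTIVE_LAG: {pg.name} has {len(active_lags)} active LAGs")
        # Everything besides the single active LAG must sit in "Unused uplinks".
        leftovers = [u for u in used if u not in active_lags[:1]]
        if leftovers:
            findings.append(
                f"OTHER_UPLINKS: {pg.name} still lists {leftovers}; move them to unused")
    return findings


def lab_plan(active, standby=()):
    """Constructed inventory mirroring the lab: lag1 = vmnic2 + vmnic3 on both hosts."""
    hosts = ("esx-01b.corp.local", "esx-02b.corp.local")
    members = {h: [("vmnic2", 1), ("vmnic3", 1)] for h in hosts}  # speed is assumed
    return Vds("vds-site-b", (6, 0), [Lag("lag1", members)],
               [PortGroup("VM Network", list(active), list(standby))])


if __name__ == "__main__":
    plans = (("uplinks moved to unused", lab_plan(["lag1"])),
             ("uplinks left in place", lab_plan(["lag1", "Uplink 1"], ["Uplink 2"])))
    for label, plan in plans:
        print(label, "->", validate(plan) or "OK")
```

The second plan reproduces the state that raises the red warning icon in the Teaming and failover step, before the standalone uplinks are moved to "Unused uplinks".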

Thanks for taking the time to learn about LACP in vSphere 5.5.

If you want to know even more about LACP configuration, continue to the next optional lesson, or skip it and go directly to the next module if you are short on time.

OPTIONAL - Allow Overrides of Port Policies

In this lesson we'll show how to allow a LAG to override Port Group policies. By using this feature, you'll be able to override VLAN or NetFlow settings as soon as the traffic goes out through the specified LAG.

If you are short on time you can skip it.

Edit uplink port group settings

1. Click on vds-site-b-corpnet-uplink.
2. Click the Edit distributed port group settings icon.


Edit Advanced Settings

1. Select the Advanced tab
2. Click on the Allowed radio buttons for both VLAN and NetFlow
3. Click OK.


Confirm you can now override Port Policies.

1. Select the LACP tab
2. Select the lag1 LAG and note the Port Policies is currently inherited from uplink port group.
3. Click on the pencil to edit the LAG.


Edit Link Aggregation Group

As you can see above, you can click on the Override checkbox for both VLAN type and NetFlow to override the Port Group policies.

1. VLAN type: check Override
2. VLAN trunk range: 0-100
3. NetFlow: check Override
4. NetFlow: select Enabled from the drop-down menu
5. Click OK

If you do so, all the traffic going out of this LAG will comply with this setup, no matter the configuration of the originating Port Group.


Confirm Overrides

Port Policies is now overridden. (You may have to update the Web Client to see the changes.)

That concludes the LACP lesson of the HOL-SDC-1602 Hands on Lab.


Managing NSX

This lab does not include NSX capability due to resource constraints. However, the video in the next step is provided for an overview of the vRealize Operations Management Pack for NSX. For a deeper level of understanding of NSX, please consider the following lab:

HOL-SDC-1624 VMware NSX and the vRealize Suite

Video - Management Pack for NSX (4:08)

http://www.youtube.com/watch?v=dtt20NcsBXA


Module 3: Build and Manage Your Infrastructure - Storage - (30 Minutes)


VVOL Management

VVOL is beyond the scope of this lab. See HOL-SDC-1627 "VMware Software Defined Storage - Advanced Topics" for an overview of VVOL.


VSAN Management

In this module we will show how you can monitor Virtual SAN 6 using the vRealize Operations Manager Management Pack for Storage Devices (MPSD). This module only provides a high level preview of VSAN integration and management. For a deeper level of understanding of VSAN, please consider the following labs:

HOL-SDC-1608 Virtual SAN 6 from A to Z

Video - Management Pack for Storage Devices (5:34)

http://www.youtube.com/watch?v=ly7WKrl4N1Q


Module 4: Build and Manage Your Infrastructure - Scale Out - (60 Minutes)


Build a Resilient Management Platform

vCenter Architecture Changes in vSphere 6.0

With the release of vSphere 6.0, vCenter Server installation and configuration has been dramatically simplified. The installation of vCenter now consists of only two components that provide all services for the virtual datacenter:

• Platform Services Controller – This provides infrastructure services for the datacenter. The Platform Services Controller contains these services:

    ◦ vCenter Single Sign-On
    ◦ License Service
    ◦ Lookup Service
    ◦ VMware Directory Service
    ◦ VMware Certificate Authority

• vCenter Services – The vCenter Server group of services provides the remainder of the vCenter Server functionality, which includes:

    ◦ vCenter Server
    ◦ vSphere Web Client
    ◦ vCenter Inventory Service
    ◦ vSphere Auto Deploy
    ◦ vSphere ESXi Dump Collector
    ◦ vSphere Syslog Collector (Microsoft Windows)/VMware Syslog Service (Appliance)

So, when deploying vSphere 6.0 you need to understand the implications of these changes to properly architect the environment, whether it is a fresh installation, or an upgrade. This is a dramatic change from previous releases, and one that is going to be a source of many discussions.


vCenter Deployment Modes - vCenter Server with an Embedded Platform Services Controller

There are two basic architectures that can be used when deploying vSphere 6.0. The first one is vCenter Server with an Embedded Platform Services Controller – This mode installs all services on the same virtual machine or physical server as vCenter Server. This is ideal for small environments, or if simplicity and reduced resource utilization are key factors for the environment.


vCenter Deployment Modes - vCenter Server with an External Platform Services Controller

The second one is vCenter Server with an External Platform Services Controller – This mode installs the platform services on a system that is separate from where vCenter services are installed. Installing the platform services is a prerequisite for installing vCenter. This is ideal for larger environments, where there are multiple vCenter servers, but you want a single pane-of-glass for the site.

vCenter Server - Enhanced Linked Mode

As a result of the architectural changes mentioned above, Platform Services Controllers can be linked together. This enables a single pane-of-glass view of any vCenter server that has been configured to use the same Platform Services Controller domain. This feature is called Enhanced Linked Mode and is a replacement for Linked Mode, which was a construct that could only be used with vCenter for Windows. The recommended configuration when using Enhanced Linked Mode is to use an external platform services controller.

Note: Although using embedded Platform Services Controllers and enabling Enhanced Linked Mode can technically be done, it is not a recommended configuration. See List of Recommended topologies for vSphere 6.0 (2108548) for further details.

Enhanced Linked Mode connects multiple vCenter Server systems together by using one or more Platform Services Controllers.

Enhanced Linked Mode lets you view and search across all linked vCenter Server systems and replicate roles, permissions, licenses, policies, and tags.


When you install vCenter Server or deploy the vCenter Server Appliance with an external Platform Services Controller, you must first install the Platform Services Controller. During installation of the Platform Services Controller, you can select whether to create a new vCenter Single Sign-On domain or join an existing domain. You can select to join an existing vCenter Single Sign-On domain if you have already installed or deployed a Platform Services Controller, and have created a vCenter Single Sign-On domain. When you join an existing vCenter Single Sign-On domain, the data between the existing Platform Services Controller and the new Platform Services Controller is replicated, and the infrastructure data is replicated between the two Platform Services Controllers.

With Enhanced Linked Mode, you can connect not only vCenter Server systems running on Windows but also vCenter Server Appliances. You can also have an environment where multiple vCenter Server systems and vCenter Server Appliances are linked together.

In the image example below you can see how we can search across all linked vCenter Server systems.

vCenter Server - Mixed Environments

Prior to vSphere 6.0, there was no interoperability between vCenter for Windows and the vCenter Server Linux Appliance. After a platform was chosen, a full reinstall would be required to change to the other platform. The vCenter Appliance was also limited in features and functionality.

With vSphere 6.0, they are functionally the same, and all features are available in either deployment mode. With Enhanced Linked Mode both versions of vCenter are interchangeable. This allows you to mix vCenter for Windows and vCenter Server Appliance configurations.

This mixed platform environment provides flexibility that has never been possible with the vCenter Platform.


As with any environment, the way it is configured is based on the size of the environment (including expected growth) and the need for high availability. These factors will generally dictate the best configuration for the Platform Services Controller (PSC).

vCenter Server High Availability

Providing high availability protection to the Platform Services Controller adds an additional level of overhead to the configuration. When using an embedded Platform Services Controller, protection is provided in the same way that vCenter is protected, as it is all a part of the same system.

Availability of vCenter is critical due to the number of solutions requiring continuous connectivity, as well as to ensure the environment can be managed at all times. Whether it is a standalone vCenter Server, or embedded with the Platform Services Controller, it should run in a highly available configuration to avoid extended periods of downtime.

Several methods can be used to provide higher availability for the vCenter Server system. The decision depends on whether maximum downtime can be tolerated, failover automation is required, and if budget is available for software components.

The table below lists methods available for protecting the vCenter Server system and the vCenter Server Appliance when running in embedded mode.

If high availability is required for an external Platform Services Controller, protection is provided by adding a secondary backup Platform Services Controller, and placing them both behind a load balancer.

The load balancer must support Multiple TCP Port Balancing, HTTPS Load Balancing, and Sticky Sessions. VMware officially supports F5 and Netscaler, and the use of third party load balancers will result in "best effort" support. See the vendor documentation regarding configuration details for any load balancer used.

With vCenter 6.0, connectivity to the Platform Services Controller is stateful, and the load balancer is only used for its failover ability. So active-active connectivity is not recommended for both nodes at the same time, or you risk corruption of the data between nodes.

Additional vSphere with Operations Management 6.0 Enhancements

VMware vSphere® with Operations Management™ 6.0 is the latest release of the industry-leading platform with insight to IT capacity and performance. This release contains some new features which greatly enhance the ease of Management, Performance and Resiliency:

New Compute Related Features:

• 4-vCPU vSphere Fault Tolerance (FT) - Provides continuous availability of any application in the event of a hardware failure, with no data loss or downtime for workloads up to 4-vCPU.

• Hot Add - An enhancement to the current Hot Add feature is NUMA awareness when hot-adding memory.

• Cross-vCenter vMotion - Enables live migration across vCenter Servers of virtual machines between servers with no disruption to users or loss of service, eliminating the need to schedule application downtime for planned server maintenance.

• Long-Distance vMotion - Enables live migration over long distances (up to 150 milliseconds round trip time) of virtual machines between servers with no disruption to users or loss of service, eliminating the need to schedule application downtime for planned server maintenance.

• Content Library - Provides simple and effective centralized management for VM templates, virtual appliances, ISO images and scripts.


vRealize Operations Manager 6.0 brings in Scalable & Resilient Architecture

VMware vRealize Operations Manager 6.0 brings a robust, scalable and resilient architecture to the platform design. In this release, VMware has moved from a two-VM vApp to a single-VM virtual appliance. VMware has also created a newly built service-based design for this release, so capacity, performance and all plug-ins are now services that run across common services in the platform. This one virtual appliance contains all the services. This is a new architecture that scales out horizontally to support increased objects, metrics and concurrent users. From a deployment perspective, we want to remove the complexities of scaling out, so we deploy the whole stack at a time. When one instance/slice of the stack runs out of capacity (CPU/Disk/Memory), we can spin up another and add more capacity. We can keep doing this as necessary to handle the scale.

You can deploy vRealize Operations Manager as a cluster, containing one or more nodes. Each node in the cluster takes on a particular role: master, master replica, data, or remote collector. In this way, it provides High Availability (HA) against host and node failures.

vRealize Operations Manager supports high availability (HA) by enabling a replica node for the vRealize Operations Manager master node.

When present, an HA replica node can take over the functions that a master node provides. When a problem occurs with the master node, failover to the replica node is automatic and requires only two to three minutes of vRealize Operations Manager downtime. Data stored on the master node is always 100% backed up on the replica node. In addition, with HA enabled, the cluster can survive the loss of a data node without losing any data.

When failover occurs, the replica node becomes the master node, but you will not have HA again until you convert a data node into a new replica node. Old, failed master nodes should be removed from the cluster. They cannot be reused in vRealize Operations Manager.

To enable HA, you must have another node deployed in addition to the master node. When you deploy nodes as virtual machines, deploy the replica node on different hardware than the master node so that backup is physically redundant.


vRealize Operations - Unified Management Short Lab


Unified Management With vRealize Operations - Login

Open the Firefox browser. Go to the vRealize Operations vrops-01 URL as shown in the screenshot (step 1).

Login with user admin and password VMware1! as per steps 2 and 3 in the screenshot above.


Navigate To The Unified Management Dashboard

Once you have logged-in,

1. Select Dashboard List

2. Then Unified Management.


Unified Management With vRealize Operations - Dashboard which spans 2 vCenter Servers

This Dashboard uses the Environment Overview widget, which displays the health, risk, and efficiency of resources for a given object from the managed inventory. In this case we can see that the dashboard spans the two vCenter Server environments we have in our inventory. As you click on one of the vCenter Server Objects, its entire topology is highlighted, making it easier to understand health and workload issues in the context of the inventory relationships. You can then toggle between the badges to see different information such as Workload, Stress, Capacity and Time Remaining, etc.

Migrating VMs Between vCenter Servers

vMotion in VMware vSphere 6.0 delivers breakthrough new capabilities that will offer customers a new level of flexibility and performance in moving virtual machines across their virtual infrastructures. Included with vSphere 6.0 vMotion are features - Long-distance migration, Cross-vCenter migration, Routed vMotion network - that enable seamless migrations across current management and distance boundaries. For the first time ever, VMs can be migrated across vCenter Servers separated by cross-continental distance with minimal performance impact. vMotion is fully integrated with all the latest vSphere 6 software-defined data center technologies including Virtual SAN (VSAN) and Virtual Volumes (VVOL). Additionally, the newly re-architected vMotion in vSphere 6.0 now enables extremely fast migrations at speeds exceeding 60 Gigabits per second. In this module we are going to take a closer look at cross vCenter Servers vMotion.

Let's take a look around.

Switch back to the vSphere Web Client

1. Select "Use Windows session authentication".

2. Click the "Login" button.

This will pass through your current credentials (CORP\Administrator) to the Platform Services Controller for confirmation that you are allowed to access the system and your assigned roles. Notice that the login proceeds immediately with vSphere 6.

HOL-SDC-1602

Page 229HOL-SDC-1602

Page 230: Hands on lab : vSphere with Operations Management 6 – Advanced Topics

A Familiar View

Feel free to click the push pins for the "Alarms", "Work In Progress" and "Recent Tasks" panes. This will give you a little more room to work. You open the pane by clicking on the closed pane and then re-close it by clicking on the closed pane button again.

Click on "Hosts and Clusters".


Focus on linux-micro-01a

Expand both vCenter inventories.

1. Navigate to the linux-micro-01a virtual machine. It should be powered on; if not, please power it on.

2. Make sure you are on the Summary tab.

Review the virtual network adapter connection

Expand the "VM Hardware" pane. Notice that a single virtual network adapter is connected to the "VM Network" portgroup, which is on a virtual Standard Switch.

Click on the "VM Network" link.


Review the networks in the data centers

Expand the network inventories in both vCenters. There is a virtual Distributed Switch in both data centers as well as the standard switch. We will migrate the linux-micro-01a VM from the Standard Switch on esx-01a Site A to the Distributed Switch in Site B.

Click the "Recent Objects" control to return to the linux-micro-01a VM

Using the Recent object button, simply highlight "linux-micro-01a" and click to return to this recently viewed object. This is a new time-saver in the vSphere 6 Web Client.

Prepare to test networking during the migration

1. Open the Windows Start menu.

2. Click the "ping-linux-micro-01a" shortcut.

Verify the continuous ping to linux-micro-01a

After the ping has started, minimize the Windows command window. The continuous ping will verify network connectivity during the cross-vCenter vMotion.

Prepare to test networking even further

Open PuTTY from the Windows start bar along the bottom.

1. Select "linux-micro-01a.corp.local"

2. Press the "Load" button

3. Press the "Open" button


Login proceeds

Public key SSH authentication is set up so no password is required.

Test networking from the VM

Let's start a continuous ping to Control Center from the VM we will be migrating.

Enter:

ping 192.168.110.10

Now you are ready to migrate.

Migrate the VM

Minimize the current PuTTY session (don't close it!) and go back to the vSphere Web Client.

Right-click on the 'linux-micro-01a' VM and select 'Migrate'.

Choose Both Compute Resource and Storage

1. We need to relocate the storage as well for cross-site vMotion to work because we didn't configure shared virtual machine storage.

2. Click Next

In our example we have configured a routable vMotion network and then enabled the vMotion TCP stack in vmkernel with a different default gateway on all ESXi hosts. This is explained in the vSphere 6.0 documentation: Place vMotion Traffic on the vMotion TCP/IP Stack of an ESXi Host

Select Compute Resource

1. Select Cluster Site B which is under the 2nd site vCenter Server (vcsa-01b.corp.local)

2. Then click Next.


Select storage

Accept the default storage options and click Next.


Select Folder

1. Select the Discovered virtual machines folder

2. Then click Next.

Then continue with the wizard, selecting all the default options, and click "Finish".

Monitor Ping

Switch back to the PuTTY session and Command prompt and watch the pings. You may see a packet drop or a slightly longer delay during the vMotion cut over. Notice that Layer 2 networking for the VM Network is stretched between the two sites and that the VM retains its IP address when it migrates between sites.

Back in the vSphere Web Client

Go back to the vSphere Web Client and you should now see the 'linux-micro-01a' VM running in Cluster Site B.

NOTE - you may need to refresh the vSphere Web Client

Monitor linux-micro-01a

1. Click on 'linux-micro-01a'

2. Select the Monitor tab

3. Then Events

You will notice that all the events for the VM were carried over as it moved to the new vCenter Server. This is also true for any of the performance data.

Check the VM network configuration

1. Click on the Summary tab

2. Click on the "VM Network" link as before.


Network migration complete

Click on "Related Objects".

Notice that "linux-micro-01a" is now connected to the "VM Network" port group on the "vds-site-b" Virtual Distributed Switch. It was migrated from a Virtual Standard Switch on Site A.

Review vmkernel networking

1. Click on the "Hosts and Clusters" icon.

2. Select "esx-01b.corp.local"

3. Open the "Manage" tab

4. Select "Networking"

5. Click on "TCP/IP configuration"

Notice that new with vSphere 6, multiple TCP/IP stacks are provided for vmkernel ports. The "vMotion" TCP/IP stack is using a different default gateway address than the default TCP/IP stack which is used for the management network.

Feel free to check a vSphere 6 host on Site A and compare vmkernel TCP/IP configurations.

In order to accomplish vMotion from the Site A vCenter to the Site B vCenter, vMotion traffic was routed between the sites. We simulated two sites in this vMotion exercise to show the flexibility of this new capability. In real life, the VM's layer 2 network must be stretched and 150ms RTT or less must be maintained on the vMotion network.

Lesson Cleanup - PuTTy

Go back to the PuTTY session and press Ctrl+C to end the ping. Next type in 'exit' to terminate the PuTTY session.

Lesson Cleanup - Command Prompt

Now go back to the Command Prompt and press Ctrl+C to end the ping and press 'Y' to terminate the batch job.

Type 'exit' to close the Command Prompt if the window does not close automatically.

Conclusion

Cross vCenter vMotion is a powerful new capability with a number of use cases. It could be used to migrate between legacy Windows vCenter and a new vCenter appliance or anytime it makes sense to migrate VMs to a completely new set of virtual infrastructure. And of course it can be used to migrate VMs between data centers for planned maintenance or other business purposes without interruption.

In summary, to enable migration across vCenter Server instances, your environment must meet these requirements:

• The source and destination vCenter Server instances and ESXi hosts must be running version 6.0 or later.

• Both vCenter Server instances must be in Enhanced Linked Mode and must be in the same vCenter Single Sign-On domain so that the source vCenter Server can authenticate to the destination vCenter Server.

• Both vCenter Server instances must be time-synchronized with each other for correct vCenter Single Sign-On token verification.

• For migration of compute resources only, both vCenter Server instances must be connected to the shared virtual machine storage.

Configuring Auto Deploy

In this lesson, we will demonstrate the steps required to implement Auto Deploy to support stateless ESXi hosts for upgrading hosts or rapidly deploying new hosts. This lab will take you through the process of preparing the PXE boot infrastructure, configuring the Auto Deploy server, preparing the Host Profile, and how to use PowerCLI to import software bundles and create Image Profiles and deploy rules. Upon completion of this module we will deploy a new ESXi host into an existing HA cluster.

Case Study

The CIO of BigTelco has decided to implement a cloud-enabled datacenter to accommodate the agility and scalability requirements of their customers. He is in the final stage of closing an agreement with the CIO of Rainpole Systems, a software development firm that is interested in having BigTelco host their cloud infrastructure. For Rainpole Systems, this new cloud initiative will help redefine their development model and radically improve time to market for a wave of new customer-facing applications.

Rainpole has asked for the ability to rapidly deploy and maintain hundreds of servers within hours to meet potential demand. In an effort to prepare for the cloud computing partnership, the infrastructure teams at BigTelco have committed to spinning up VMware vSphere Servers on demand to host Rainpole Systems' new projects. To streamline the numerous server deployments, the CIO has asked you and your team of engineers to find the best way to adapt BigTelco's cloud environment for this new challenge. You and your team have decided to leverage VMware vSphere Auto Deploy and stateless ESXi features.

What is Auto Deploy?

Auto Deploy was first introduced with vSphere 5.0 as a new way to rapidly deploy vSphere hosts. With Auto Deploy, the vSphere host loads the ESXi software image over the network directly into the vSphere host's memory. Auto Deploy uses a PXE boot infrastructure in conjunction with vSphere Host Profiles to provision and customize the host. vCenter Server manages the state information for each host configured to use Auto Deploy. For this reason, Auto-Deployed vSphere hosts are often referred to as being "stateless."

The Auto Deploy server stores the ESXi Image Profiles and vCenter Host Profiles that are used to provision and configure vSphere hosts in a local cache. Rules are configured on the Auto Deploy server (using PowerCLI) that use pattern matching to dynamically map booting vSphere hosts to the appropriate image profiles and host profiles.

Environment Overview

The diagram above shows the high-level architecture for the Auto Deploy lab.

Auto Deploy Components

• Auto Deploy Server - Serves images and host profiles to ESXi hosts. The Auto Deploy server is at the heart of the Auto Deploy infrastructure. The Auto Deploy server is made up of a rules engine and web server.

• Auto Deploy Rules Engine - Tells the Auto Deploy server which image profile and host profile to serve to each host and where to place the host in the vCenter inventory. Administrators use the Auto Deploy cmdlets provided with PowerCLI to define the rules that assign image and host profiles to hosts.

• Auto Deploy Web Server - Used to boot hosts and deploy the ESXi Image Profile. The web server uses HTTPS for both the host boot and Image Profile exchange.

• Image Profiles - Collection of VIBs that make up the ESXi image installed on vSphere hosts. Image profiles are created using the Image Builder CLI cmdlets provided with PowerCLI.

• Software Depot - VMware and its partners make image profiles and VIBs available in public depots. Use the Image Builder PowerCLI to customize image profiles and upload them to the Auto Deploy Server. VMware customers can create a custom image profile based on the public image profiles and VIBs in the depot and apply that image profile to the host.

• Host Profiles - Define machine-specific configuration such as networking or storage setup. Administrators create host profiles by using the host profile UI. You can create a host profile for a reference host and apply that host profile to other hosts in your environment for a consistent configuration.

• Host Customization - Stores information that the user provides when host profiles are applied to the host. Host customization might contain an IP address or other information that the user supplied for that host.

Auto Deploy and PowerCLI

The table above describes the deployment information stored by the Auto Deploy server.

The Auto Deploy server stores the ESXi Image Profiles and vCenter Host Profiles that are used to provision and configure vSphere hosts in a local cache. Rules are configured on the Auto Deploy server (using PowerCLI) that use pattern matching to dynamically map booting vSphere hosts to the appropriate image profiles and host profiles.

Hosts deployed using Auto Deploy run in memory and do not require local storage. This helps reduce costs and simplify storage architectures by eliminating the need for a dedicated boot disk (SAN Boot, local hard disks, SD Cards or USB keys).

Verify Prerequisites

Auto Deploy relies on 3 basic software services: DHCP, TFTP, and DNS. These three systems need to be running and configured in order for Auto Deploy to work correctly. Below you will find the configurations that need to be in place.

For this lesson, we have a router called vPodRouter, which is a Linux virtual machine that also works as a TFTP and DHCP server. The ControlCenter (the machine that you are currently logged into) hosts our DNS server.

TFTP and DHCP

For Auto Deploy to work, you will need to have a TFTP server in your infrastructure. The TFTP server will be used to hold the boot file with the configuration information to be used by the deployed ESXi host. The TFTP server IP address will have to be specified in the DHCP Scope Option on the DHCP server, and the host on which we will install ESXi will need network access to it. You can use any TFTP server you like. Here we are going to use the native Linux one from our virtual machine vpodrouter.

After you install the TFTP server you will have to copy the boot file to the TFTP root folder. In our case it will be "/srv/tftp".

Important

Please be aware that the TFTP installation and DHCP configuration was already done for you in this lab, so you do not need to do it. The following DHCP examples are only for your information.

DHCP Examples

Once you have a DHCP server ready to use, you will need to do some additional configuration in order for your new host to receive the right IP address. Below are the tasks you should perform.

1. Create an IP reservation in DHCP for your host, using the MAC address of a NIC on your new host and choosing a desired IP address. This will cause your host to always boot with the same address.

2. You will also need to set the option Boot Server Host Name to point to your TFTP server address, and the option Bootfile Name to indicate the ESXi boot image file name.

The way this is configured differs depending on the DHCP server platform. See the examples for both Windows and Linux next.

Remember, this has already been done for you in this lab, so do not attempt to perform these steps.

Windows DHCP Option 66

To configure DHCP option 66 on Windows:

1. Scroll to option "066 Boot Server Host Name" and select it

2. Enter your Boot Server Host Name in the String value box

3. Select Apply

Windows DHCP Option 67

To configure DHCP option 67 on Windows:

1. Scroll to option "067 Bootfile Name" and select it

2. Enter your Bootfile Name in the string value box

3. Click Apply

4. Click OK

Linux DHCP Example

If you are using a Linux DHCP server you will need to edit the /etc/dhcp/dhcpd.conf file, and add the following lines, either globally or in a scope of your choice:

## Example for AutoDeploy
next-server 192.168.110.1;
if ((exists user-class) and (option user-class = "gPXE")) {
    filename "https://vcsa-01a.corp.local:6501/vmw/rbd/tramp";
} else {
    filename "undionly.kpxe.vmw-hardwired";
}

DNS Configuration

DNS resolution is critical, because after our host receives an IP address, vCenter will be attempting to communicate with it by fully qualified domain name. Therefore, a host entry needs to be created, pointing the new stateless ESXi host's name to the address you configured it to receive in DHCP.

Open the DNS Console

Open the DNS management console to confirm the DNS entry for our host esx-03a.corp.local. You can click the shortcut on the desktop or navigate to Windows Start Menu > Control Panel > Administrative Tools > DNS.

Confirm the Pre-Created DNS Entry

1. Expand the DNS tree for CONTROLCENTER

2. Select Forward Lookup Zones > corp.local

3. Locate the esx-03a entry and confirm that it is a Host (A) entry which points to 192.168.110.53

Add the Boot Image Files to the TFTP Server

Now that we have configured all of the prerequisite systems, we need to add the boot image files to the TFTP server.

Login to the vSphere Web Client

To login to the vSphere Web Client:

1. Open Firefox.

2. Click on the Site A Web Client shortcut

3. Enter username [email protected]

4. For password, type VMware1!

5. Click on Login

Navigate to vCenter Inventory Lists

1. Select Home

2. Select vCenter Inventory Lists

Open vCenter Servers

Select vCenter Inventory Lists > Resources > vCenter Servers.

Select This vCenter Server

Select vcsa-01a.corp.local.

Download the TFTP Boot Zip File

1. Select the Manage tab

2. Select Auto Deploy from the list under Settings

3. Click on Download TFTP Boot Zip

4. Choose Save File and click OK

Extract the TFTP Boot File

1. Open File Explorer

2. Navigate to the Downloads folder where you saved the TFTP boot file.

3. Right click on the file deploy-tftp.zip

4. Select Extract All...

5. In the dialog box, click Extract

Verify the Files

You should then see the extracted files, as shown in the screenshot above.

Note: The file name "undionly.kpxe.vmw-hardwired" matches the file name specified in the lab's DHCP server option.

Minimize or close File Explorer.

Open WinSCP

Now we will copy the files we just extracted to our TFTP server.

1. Open WinSCP using the shortcut on the desktop.


Login to the TFTP Server

Login to the TFTP server by double-clicking the vpodrouter favorites link.


Navigate to the Source Folder

In the left pane, navigate to the local folder where we extracted our boot files, as follows:

1. You should be in the C:\Users\Administrator\Downloads folder.

2. Double-click on the deploy-tftp folder

You should now be in the C:\Users\Administrator\Downloads\deploy-tftp folder.

Verify the Destination Folder

Now we will do the same on the right pane, which is our TFTP server. This is where we need to place our boot files.

Verify that you are in the /srv/tftp folder. If you are not in the correct folder, navigate the vPodRouter's file system to get there. You can double-click the folder named ".." to go up a folder, if necessary.

Upload the Boot Files to the TFTP Server

To upload the boot files to the TFTP server:

1. Select the snponly64.efi file on the left

2. Hold down the Shift key, then click on the undionly.kpxe.vmw-hardwired-nomcast file. Now all the files to be copied are highlighted.

3. Right-click on any of the selected files and choose Upload...

Perform a Binary File Transfer

To perform a binary file transfer, in the upload dialog box, do the following:

1. Click on the downward facing arrow next to Transfer settings...

2. Select Binary

3. Click OK

Confirm the Upload

After the copy completes, the right pane should look like the screen shot above. If so, you can close WinSCP.

Create a Host Profile

Now we are going to start the Auto Deploy configuration. First, we need to choose a reference ESXi host. The host should resemble a standard configuration that can be applied to our Auto Deploy host. Then, we will create a host profile from that reference host.

Navigate to Host Profiles

Open the vSphere Web Client. If you have closed it, you can browse to https://vcsa-01a.corp.local/vsphere-client, or use the bookmark toolbar shortcut Site A vSphere Web Client, and log in using the following credentials:

Username: [email protected]

Password: VMware1!

1. Click on the Home button

2. Select Host Profiles

Open the Extract Host Profile Dialog

Click the + icon to open the Extract Host Profile dialog.

Select the Reference Host

1. Be sure that vCenter Server vcsa-01a.corp.local is selected

2. Select esx-02a.corp.local in the list. This will be our reference host.

3. Click Next

Set the Host Profile Name and Description

Give the Host Profile a name and description:

1. Enter Rainpole as the name

2. Optionally, add a description

3. Click Next

4. Review the details then click Finish

Note: The creation of the profile can take a minute or two.

Confirm Task Completion

You can review the task's progress on the bottom of the page under Recent Tasks. Once completed, you will see the Host Profile in the Objects list.

Configure the Host Profile and Host Customization

Now that we have created a Host Profile, this will serve as the common or GOLD profile for the rest of our hosts.

Each host will be associated with a common host profile, and, in many cases, will require an associated Answer File. The answer file will provide the ability to input host-specific information that cannot be "answered" in the common profile. As an example, if a VMkernel port was set up specifically for vMotion or storage, the IP configuration will need to be indicated in the answer file. Another common need for the answer file would be for iSCSI information. At the time of this writing, a host has to be part of the inventory and have a profile applied to it in order to add or update an answer file. The important thing to remember is that the host profile is common between hosts, while the answer file is unique for each host.

Edit the Host Profile

Before we apply the profile to our host, we need to edit it in order to configure the primary NIC of the host to use DHCP.

1. Right click on the Rainpole host profile

2. Click Edit Settings

Change the Host Virtual NIC MAC Address Policy

On the same screen, perform the following:

1. Select Edit Host Profile on the left

2. Expand Networking configuration

3. Click on Host virtual NIC

4. Choose vds-site-a : Management Network

5. Change the setting for Determine how MAC address for vmknic should be decided to User must explicitly choose the policy option

Do not click Next just yet. There is one more option we need to configure.

Change the Host Virtual NIC to Use DHCP

In the Rainpole - Edit Host Profile dialog, perform the following:

1. Expand vds-site-a : Management Network

2. Select IP address settings

3. Change the IPv4 address setting on the right to Use DHCP to configure IP address

4. Click Next

5. Click Finish on the next screen (not shown).

Wait for the Update to Complete

Check in Recent Tasks on the bottom of the page, and confirm that the Update host profile task is complete before you proceed.

Prepare the ESXi Image

The ESXi Software Depot is the location in which a group of binaries and software packages in the form of "images" (used to run ESXi) are stored. The images themselves can be either provided by VMware from the download page, or a customer could potentially modify (customize) an image with custom drivers or software (such as vendor specific CIM providers) by adding/removing "VIBs."

About VIBs

VIB stands for vSphere Installation Bundle. At a conceptual level a VIB is somewhat similar to a tarball or ZIP archive in that it is a collection of files packaged into a single archive to facilitate distribution. If we look under the covers, we will find that a VIB is comprised of three parts:

• A file archive

• An XML descriptor file

• A signature file

The file archive, also referred to as the VIB payload, contains the files that make up the VIB. When a VIB is added to an ESXi image, the files in the VIB payload will be installed on the host. When a VIB is removed from an ESXi image these files are removed.

The XML descriptor file describes the contents of the VIB. Included with the description is important information about the requirements for installing the VIB, to include any dependencies, any compatibility issues, and whether the VIB can be installed without rebooting.

The signature file is an electronic signature used to verify the level of trust associated with the VIB. The acceptance level not only helps protect the integrity of the VIB, but it also identifies who created the VIB and the amount of testing and verification that has been done.
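The three parts described above can be inspected before a VIB is added to an image profile. The following is an added example, not part of the lab or of VMware's tooling. It assumes an on-disk layout this page does not state (a Unix ar archive with members named descriptor.xml and sig.pkcs7 plus a payload, and an acceptance-level element in the descriptor), and the sample archives are constructed.

```python
import io
import xml.etree.ElementTree as ET

AR_MAGIC = b"!<arch>\n"
# Assumed descriptor values, least to most trusted (not taken from the lab text).
LEVELS = ["community", "partner", "accepted", "certified"]


def build_ar(members):
    """Pack (name, bytes) pairs into an ar archive. Only used to construct sample input."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in members:
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        header = "{:<16}{:<12}{:<6}{:<6}{:<8}{:<10}`\n".format(name, 0, 0, 0, "100644", len(data))
        out.write(header.encode("ascii") + data)
        if len(data) % 2:
            out.write(b"\n")  # members start on even offsets
    return out.getvalue()


def parse_ar(blob):
    """Return {member name: bytes}; raise ValueError on anything malformed."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = header[:16].decode("ascii").strip().rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        start = pos + 60
        if size < 0 or start + size > len(blob):
            raise ValueError("member %r is truncated" % name)
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)
    return members


def inspect_vib(blob, minimum="partner"):
    """Summarise a VIB's three parts and list reasons to distrust it.

    Structural check only: it reads the declared acceptance level and whether a
    signature is present. It does not verify the signature cryptographically.
    """
    members = parse_ar(blob)
    descriptor = members.get("descriptor.xml")
    if descriptor is None:
        raise ValueError("descriptor.xml missing")
    # Refuse DTDs so an untrusted descriptor cannot use entity expansion.
    if b"<!DOCTYPE" in descriptor or b"<!ENTITY" in descriptor:
        raise ValueError("descriptor declares a DTD; refusing to parse")
    root = ET.fromstring(descriptor)
    level = (root.findtext("acceptance-level") or "").strip().lower()
    payloads = sorted(n for n in members if n not in ("descriptor.xml", "sig.pkcs7"))

    findings = []
    signature = members.get("sig.pkcs7")
    if signature is None:
        findings.append("signature file missing")
    elif not signature.strip():
        findings.append("signature file is empty")
    if level not in LEVELS:
        findings.append("unknown acceptance level %r" % level)
    elif LEVELS.index(level) < LEVELS.index(minimum):
        findings.append("acceptance level %s is below %s" % (level, minimum))
    if not payloads:
        findings.append("no payload member")
    return {
        "name": root.findtext("name"),
        "vendor": root.findtext("vendor"),
        "version": root.findtext("version"),
        "acceptance_level": level,
        "payloads": payloads,
        "findings": findings,
    }


def make_descriptor(name, level):
    """Constructed, minimal descriptor; real descriptors carry many more elements."""
    return ('<vib version="5.0"><type>bootbank</type><name>%s</name>'
            "<version>1.0.0-1</version><vendor>ExampleVendor</vendor>"
            "<acceptance-level>%s</acceptance-level></vib>" % (name, level)).encode()


# Constructed samples, not real VIBs.
SAMPLE_UNSIGNED = build_ar([
    ("descriptor.xml", make_descriptor("example-tool", "community")),
    ("sig.pkcs7", b""),
    ("payload1", b"constructed payload"),
])
SAMPLE_SIGNED = build_ar([
    ("descriptor.xml", make_descriptor("example-driver", "partner")),
    ("sig.pkcs7", b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-SIGNATURE"),
    ("example-driver", b"constructed payload"),
])

if __name__ == "__main__":
    for blob in (SAMPLE_UNSIGNED, SAMPLE_SIGNED):
        report = inspect_vib(blob)
        print(report["name"], report["acceptance_level"], report["findings"] or "ok")
```

A report with findings is a reason to look at the VIB more closely before adding it to an image profile that Auto Deploy will serve to every matching host.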

For the purposes of this exercise, we are using the VMware provided depot with one of the default Image Profiles. For the sake of time in the lab, the Software Depot has already been downloaded to a local folder that we will configure Auto Deploy to use.

The next few steps in this document will give specific commands to run from the PowerCLI with brief explanations. If you would like further details on each command, at the PowerCLI prompt type: help <cmdlet>

The key components of the software architecture are:

• VIBs

• Image Profiles

• Software Depots

The VIB is a software package that can be installed on an ESXi host.

Image Profiles are a collection of VIBs that represent a full ESXi Image.

A Software Depot is a repository of VIBs used to create Image Profiles. Software depots can be accessed online via HTTP as well as offline using ZIP archives.

The image profile defines each of the ESXi images and consists of multiple VIBs.

The Software Depot location has to be accessible from the location you run the PowerCLI commands (local drive or mapped network drive). For this lab, we have placed the depot package on the ControlCenter.

Verify the Image Depot Location

As mentioned, the vSphere Software Depot that you will be using to create your Image Profile has already been downloaded to the ControlCenter VM and is located in the C:\Software folder with the file name ESXi600-201507001.zip. We will use this image depot to create our image profile. Please open File Explorer and verify the existence of this file.

Connect to vCenter using PowerCLI

First, we need to connect to vCenter with PowerCLI.

1. Click on the VMware PowerCLI shortcut on your desktop.

2. Type the following command, or copy and paste it from the README.txt file on the desktop, and press Enter to execute it.

connect-viserver vcsa-01a.corp.local -user [email protected] -password VMware1!

You should see a response as shown above.

Add the ESXi Image Software Depot

Now you will add the ESXi image Software Depot to the PowerCLI session.

1. Type the following command or copy and paste it from the README.txt file on the desktop:

Add-EsxSoftwareDepot 'C:\Software\ESXi600-201507001.zip'

Verify that you got the Depot URL as the response

Note: Use TAB to auto complete the command.

ESXi image depots can be downloaded from the VMware website as part of the vSphere downloads or created by you with Image Builder. The image depot within C:\Software\ESXi600-201507001.zip is, at the time of this writing, the latest standard ESX 6.0.0 image depot available from VMware.

View the Image Profiles

To view the image profiles in the repository, type the following command:

Get-EsxImageProfile

Clone the Image Profile

To help us with the Deploy Rule creation we will clone the ESXi-6.0.0-20150704001-standard image to an easier-to-remember profile name. We will call the new image profile RainpoleImage.

Type the following command:

New-EsxImageProfile -CloneProfile ESXi-6.0.0-20150704001-standard -name RainpoleImage -vendor VMware


Verify the New Image Profile

Type the following command to verify that the RainpoleImage profile has been added to the repository:

Get-EsxImageProfile

Add the HA Agent Depot

Now we will need to add the HA Agent image depot. vCenter needs to install this agent on the host before it can join a cluster. Since we will need our new host to be added to a cluster, let's also prepare to install this agent. We can do this by getting the agent directly from vCenter via HTTP.

Type the following command:

Add-EsxSoftwareDepot http://vcsa-01a.corp.local/vSphere-HA-depot

Verify that you received the Depot URL as a response.

Note: This command is case sensitive.

Add the HA Agent Package to the Image Profile

Now we will add the HA agent package to our new Image Profile, so that the profile will contain everything we need to deploy our new ESXi host.

Type the following command:

Add-EsxSoftwarePackage -imageprofile 'RainpoleImage' -SoftwarePackage vmware-fdm

Verify that you receive RainpoleImage as the image profile in the command output.

Add a Deploy Rule

The Deploy Rule controls what image profile, host profile, and/or vCenter Server location each host is provisioned with.

Now we need to create a rule that specifies the hosts on which the Host Profile will be applied.

Create the Deploy Rule

To create the Deploy Rule using PowerCLI:

1. Execute the following command:

$DeployNoSignatureCheck=$true

2. Then type (please watch out for the spaces):

New-DeployRule -name "RainpoleBoot" -item "RainpoleImage", Rainpole, "Cluster Site A-1" -Pattern ipv4="192.168.110.53", hostname="esx-03a", domain="corp.local"

Once you execute the command, you'll see the ESXi image being uploaded to the Auto Deploy server.

The following explains the parameters:

• RainpoleBoot is the name given to the rule

• RainpoleImage is the ESXi Image Profile

• Rainpole is the host profile we are going to use

• ipv4= is the IP address to be used for the ESXi Host

• hostname= is the hostname the machine will receive

• domain= is the domain the machine will receive

In this case, we simply specified the new host by name. However, we can match on server vendor (HP, Dell, etc.), or we can specify hosts within a given IP address range.

Note: This can take a little bit to complete.

Add the Deploy Rule

Now we need to make the rule active in our rule sets.

1. Type the following command:

Add-DeployRule RainpoleBoot

You should see the output above, summarizing your new active rule.
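A pre-flight check for the image profile assembled in the steps above, as an added example that is not part of the lab manual. The lab sets $DeployNoSignatureCheck=$true, which makes New-DeployRule skip signature validation of the packages in the profile, so it is worth reviewing what the profile contains before it is bound to a rule. The function name, its parameters and the sample objects are hypothetical; the code only reads the AcceptanceLevel, VibList, Name, Version and Vendor properties of the objects it is given.

```powershell
# Added example, not from the lab manual. Audits an Image Builder profile
# before it is attached to an Auto Deploy rule. It inspects declared
# acceptance levels and package presence; it does not verify signatures.

# Acceptance levels ordered from least to most trusted (ranking defined here).
$LevelRank = @{
    'CommunitySupported' = 0
    'PartnerSupported'   = 1
    'VMwareAccepted'     = 2
    'VMwareCertified'    = 3
}

function Get-LevelRank {
    param([string]$Level)
    if ($LevelRank.ContainsKey($Level)) { return $LevelRank[$Level] }
    return -1   # unknown or empty level ranks below every known level
}

function Test-ImageProfileTrust {
    param(
        [Parameter(Mandatory = $true)] $ImageProfile,
        [string]   $MinimumLevel = 'PartnerSupported',
        [string[]] $RequiredVib  = @('vmware-fdm')
    )
    $min = Get-LevelRank $MinimumLevel
    if ($min -lt 0) { throw "Unknown acceptance level '$MinimumLevel'" }

    $findings = @()

    # 1. The level declared on the profile itself.
    $profileLevel = [string]$ImageProfile.AcceptanceLevel
    if ((Get-LevelRank $profileLevel) -lt $min) {
        $findings += [pscustomobject]@{
            Check  = 'ProfileLevel'
            Item   = $ImageProfile.Name
            Detail = "level '$profileLevel' is below '$MinimumLevel'"
        }
    }

    # 2. The level declared on every VIB in the profile.
    $vibNames = @()
    foreach ($vib in @($ImageProfile.VibList)) {
        if ($null -eq $vib) { continue }
        $vibNames += $vib.Name
        $vibLevel = [string]$vib.AcceptanceLevel
        if ((Get-LevelRank $vibLevel) -lt $min) {
            $findings += [pscustomobject]@{
                Check  = 'VibLevel'
                Item   = "$($vib.Name) $($vib.Version)"
                Detail = "vendor '$($vib.Vendor)', level '$vibLevel'"
            }
        }
    }

    # 3. Packages the deployment depends on (the HA agent in this lab).
    foreach ($name in $RequiredVib) {
        if ($vibNames -notcontains $name) {
            $findings += [pscustomobject]@{
                Check  = 'MissingVib'
                Item   = $name
                Detail = 'required package is not in the profile'
            }
        }
    }

    $findings
}

# Constructed sample standing in for the profile object; versions and the
# second VIB are made up for illustration.
$sample = [pscustomobject]@{
    Name            = 'RainpoleImage'
    AcceptanceLevel = 'PartnerSupported'
    VibList         = @(
        [pscustomobject]@{ Name = 'esx-base'; Version = '0.0-constructed'
                           Vendor = 'VMware'; AcceptanceLevel = 'VMwareCertified' },
        [pscustomobject]@{ Name = 'example-net-driver'; Version = '0.0-constructed'
                           Vendor = 'ExampleVendor'; AcceptanceLevel = 'CommunitySupported' }
    )
}

$issues = @(Test-ImageProfileTrust -ImageProfile $sample)
$issues | Format-Table -AutoSize
if ($issues.Count -gt 0) {
    Write-Warning "$($issues.Count) finding(s): review before creating the deploy rule."
}

# In the lab's PowerCLI session, run it against the real profile after
# Add-EsxSoftwarePackage and before New-DeployRule:
#   Test-ImageProfileTrust -ImageProfile (Get-EsxImageProfile -Name RainpoleImage)
```

With the constructed sample the function reports two findings: the CommunitySupported driver and the missing vmware-fdm package.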

Provision Host Using Auto Deploy

At this point, we have completed the steps necessary to enable Auto Deploy to automatically provision our new ESXi host. We are now ready to deploy our new host and confirm that it has been added to our vCenter inventory as a member of Cluster Site A-1.

Open the Console for the New Host

Now we need to power on the new host esx-03a.

1. On the left hand side of the screen, click on the Consoles icon.

2. Click on the esx-03a icon. This will open the console to the new host.

Power on Host ESX03-A

1. Click the Power On button

Review the PXE Boot Process

The Preboot eXecution Environment (PXE) allows a computer (in our case, the new ESXi host) to boot using an operating system image hosted on the network, without the use of a hard disk, or a local installation. The screen shot above shows the following PXE actions:

1. The new host is powered on and receives a reserved IP address from the DHCP server (192.168.110.53)

2. The DHCP server then redirects our new host to the TFTP server (in our case, the vpodrouter)

3. The ESXi image is loaded on the new host from the TFTP server

Confirm that ESXi is being Installed

Now you can see that our new host has booted up, and is downloading, extracting, and installing the ESXi image. This process should take approximately 10 to 12 minutes to complete.

View the ESXi Boot Process

At this point ESXi has finished loading and is starting the hypervisor services.

See the Host Profile being Applied

At this phase, you can see that ESXi is applying the host profile it received from the Auto Deploy server during the boot process.

Wait Until ESXi Startup is Complete

When you see this screen, the host has started completely and its host profile has been applied. We now have a fully operational ESXi host that was deployed automatically. Now let's check it out in vCenter.

Open the vSphere Web Client

1. Go back to vSphere Web Client. If you closed it, just open the browser and click on the Site A Web Client bookmark or type the following URL: https://vcsa-01a.corp.local/vsphere-client

2. Click on the Home button

Navigate to Hosts and Clusters

Click on Hosts and Clusters.

Verify that the New Host Appears in vCenter

As you can see, our new host is already showing in vCenter and has been added to the cluster we specified in our deploy rule.

If you cannot see the new host, esx-03a, or it is showing as disconnected, try clicking on the Refresh button.

Review the settings for the new ESXi host.

Verify that the Host is Ready

As you can see, we now have a new node in our cluster.

Note: The Alert icon is there because the Host needs to have additional configuration done to comply with the Host Profile. In the interest of time, these steps have been omitted from this lab.

Conclusion

Auto Deploy Possibilities:

Auto Deploy has two options that we can choose from. In this lesson we just used the Auto Deploy Stateless Caching.

Auto Deploy Stateless Caching – This feature allows you to cache the host's image locally on the host or on a network drive and continue to provision the host with Auto Deploy.

Auto Deploy Stateful Installs – This feature allows you to install hosts over the network without setting up a complete PXE boot infrastructure. After the initial network boot, these hosts boot like other hosts on which ESXi is installed.

This completes our lesson, "Configuring Auto Deploy." VMware thanks you for taking time to explore how you can utilize Auto Deploy to quickly scale up your cloud environment.

Centralized Management of VM Content

A new feature introduced in vSphere 6 is the Content Library. Content Libraries are container objects for VM templates, vApp templates, ISO images and other files across your vSphere environment. vSphere administrators can use the templates in the library to deploy virtual machines and vApps in the vSphere inventory. Sharing templates and files across multiple vCenter Server instances in the same or different locations brings consistency, compliance, efficiency, and automation to deploying workloads at scale.

In this lesson, we will walk through the process of creating a Content Library and synchronizing it to a second vCenter Server.

Open the vSphere Web Client

If you are not already in the vSphere Web Client, launch the Google Chrome browser from the Desktop.

The vSphere Web Client login page should appear. Tick the 'Use Windows session authentication' box and click 'Login'.

Create a New VM

Let's create a very small VM for this lesson. Due to lab constraints this will speed up the lesson and reduce the amount of storage required.

Click on the VMs and Templates icon in the Home tab.

Select Datacenter Site A

Select the Datacenter Site A object from the navigation panel and click on the "Create a new virtual machine" task.

The New VM Wizard

Click "Next" to create a new VM

Select a name and folder

Enter the name "Tiny-VM-Template" and click "Next"

Select a compute resource

Select the "Cluster Site A-1" cluster and click "Next"

Select Storage

Click "Next"

Select Compatibility

Click "Next"

Select a guest OS

Click "Next"

Customize Hardware

Very important - make sure you set the hard disk size to 1MB before clicking "Next" - this is not a practical size, of course. We are only doing this to make the template copy go very quickly. Also, set the network to VM Network.

Ready to complete

Verify the hard disk size is 1MB and click "Finish" to create the new VM.

vCenter Inventory Lists

From the Home menu icon, click on 'vCenter Inventory Lists'.

Content Libraries

Now click on the 'Content Libraries' tab.

Objects

Finally, click on the 'Objects' tab.

To create a new Content Library, click on the 'Create a New Library' button.

New Library - Name

When the New Library wizard appears, start by naming your Content Library 'StandardVMTemplates' and leave the vCenter Server as vcsa-01a.corp.local.

Click 'Next' to continue.

New Library - Configure library

There are two options available when creating a Content Library, a Local content library and a Subscribed content library.

When you choose a Local content library, it will only be accessible in the vCenter Server where it is created. By default, it is only available to the account that created it. If you select the option 'Publish content library externally', the Content Library can be shared with other users on the same or other vCenter Server instances. You also have the option to password protect the Content Library by selecting the 'Enable authentication' option.

The Subscribed content library is used to subscribe to a published Content Library. We will be using this option later to synchronize the Content Library to the second vCenter Server.

For now, we will create a Local content library.

1. Tick the boxes for both 'Publish content library externally' and 'Enable authentication'.

2. In the Password field, use the password VMware1!

When you have finished, click 'Next'.

New Library - Add Storage

Now we need to decide where to place the new Content Library and we have a few options available to use.

• Enter a local file system path or an NFS URL - With this option, we can use the local storage of the vCenter Server, running either the appliance version or on Windows. If you are running the appliance version, this can be an NFS mount. If you are running vCenter Server on Windows, this can be a CIFS share (i.e. \\vc-w12-01a\content library).

• Select a Datastore - With this option, we can use a datastore from our vCenter Server inventory.

Choose the second option, 'Select a Datastore' and select the 'ds-site-a-nfs01' datastore. Click 'Next'.

NOTE: If you have completed other Modules in this lab, you may see additional datastores.

New Library - Ready to complete

Verify your settings and click the 'Finish' button to create the new Content Library.

New Content Library

You should now see the newly created Content Library appear.

Adding a VM Template to the Content Library

Now that we have created the Content Library, let's add something to it!

Click on the Home icon and select 'VMs and Templates'.

Clone the Tiny VM to Library

Right-click on the Tiny-VM-Template VM and select the 'Clone to Template in Library' option.

Adding Template to Library

Under the Filter tab, select the Standard VM Templates content library and click OK.

Open the Tasks Console

Let's monitor the progress by opening the Tasks Console.

Click on the Home icon and select Tasks.

Progress...

You can follow the progress of the task in the Tasks Console. You can see the Template was cloned to an OVF package, exported as an OVF template, then transferred to the Content Library.

Verify the template was added

Now we'll verify the VM Template was added to the library.

Select the 'vCenter Inventory Lists' tab.

Content Libraries

Next select the 'Content Libraries' tab.

Open the Content Library

Finally, click on the 'Standard VM Templates' content library.

Template Added

Click on the Related Objects tab.

Here we can see the template that we just cloned to the content library.

Synchronizing Content to another vCenter Server

Now that we have content to share, let's synchronize it with the second vCenter Server.

Click the Content Libraries back button.

Edit Settings...

Right click on the 'StandardVMTemplates' content library and select 'Edit Settings...'

Copy URL

In the Edit Library window, click the 'Copy Link' button next to the subscription URL and click OK. We will need this when we set up the synchronization to the other vCenter Server.

Home

Click on the Home icon and select Hosts and Clusters.

Select vcsa-01b.corp.local

Select the second vCenter Server, 'vcsa-01b.corp.local'.

Click the 'Related Objects' tab, then click the 'Content Libraries' tab. You may have to scroll a bit to the right to see it.

Create New Library

To add the new content library, click the 'Create New Library' button.

New Library - Name

Name your new library 'vcsa-01a-Templates'.

In the vCenter Server drop down box, select 'vcsa-01b.corp.local' and click 'Next'.

New Library - Configure Library

This time we will select the 'Subscribed content library' button.

Click the mouse in the Subscribed content library field and press Ctrl+V on the keyboard to paste the URL.

We also set a password on the Content Library, so you will need to tick the 'Enable authentication' box and enter VMware1! as the password.

Now we have a choice to make as to how much of the content we download.

• Download all library content immediately - With this option, all the content from the library will be downloaded to the new content library. All items will be available immediately.

• Download library content as needed - This option is useful if some of the items in the catalog may not be needed or you need to save space. When you need an item from the content library, you will need to synchronize it manually. You can choose to synchronize an individual item or the entire catalog.

Let's synchronize all the library content immediately by selecting the 'Download all library content immediately' radio button (if not already selected).

Click 'Next'.

New Library - Add storage

We have the same options here as we did when we created the first content library. Let's stick with the datastore option.

Choose the 'Select a datastore' radio button and then select the 'ds-site-b-nfs01' datastore.

Click 'Next'.

New Library - Ready to complete

Verify things look good and click 'Finish' to synchronize the content library to vcsa-01b.corp.local.

Newly created Content Library

In a few seconds, you will see your new Content Library appear!

Monitor the task

Open the Tasks console by selecting the Home icon and then choose Tasks.

Tasks Console

You can see in the Tasks Console the Content Library being created and then synchronized.

You may need to click the refresh button to see an update.

Deploy a VM from the Sync'd Library

Now that we have the Content Library sync'd to the second vCenter Server, let's deploy a VM from it.

Start by clicking the Home icon and select Hosts and Clusters.

Open the Content Library on vcsa-01b.corp.local

Click on vcsa-01b.corp.local and make sure you are on the Related Objects tab. Again, you may have to scroll over to the right to see the Content Library tab, but click on it, then click on vcsa-01a-Templates.

Click on Templates

Click on the Templates tab to view the available Templates.

Right-click on Tiny-VM-Template

Right-click on Tiny-VM-Template and select New VM from This Template.

Select a Name and Location

Name your new VM 'Tiny-VM-01a' and select Datacenter Site B.

Click Next.

Select a Resource

Click on Cluster Site B, then click Next.

Review Details

Click Next on the Review Details Page.

Select Storage

In the Select virtual disk format, select 'Thin provision' from the drop-down menu. Also, make sure ds-site-b-nfs01 is selected as the datastore.

Depending on what modules in this lab you have completed previously, you may see additional datastores.

Click Next.

Select Networks

Leave the default VM network selected and click Next.

Ready to Complete

Review your settings and click Finish to deploy the new VM!

Monitor the task

Open the Tasks console by selecting the Home icon and then choose Tasks.

Monitor Progress

You can monitor the progress of the new virtual machine being created.

When all tasks have been completed successfully, you may proceed to the next step.

VMs and Templates

Click on the Home icon and select VMs and Templates.

New VM Created

Expand vcsa-01b.corp.local and Datacenter Site B and you see your newly created VM!

Are you up for a challenge?

If you are up for a challenge, why not see if you can add the Tiny-VM-01a to the StandardVMTemplates Content Library by taking a clone of it. You can then synchronize it to the vcsa-01a-Templates Content Library. The only trick here is that you will need to manually synchronize the library. The Content Libraries do synchronize, but on regular intervals of 4 hours. The screen shot above shows the Synchronize Library button that will need to be clicked after the clone is added to the StandardVMTemplates Content Library in order to manually synchronize it to the vcsa-01a-Templates Content Library.

Conclusion

This concludes this lesson.

vCloud Air Management

In this module we will show how you can monitor vCloud Air workloads using the vRealize Operations Manager Management Pack for vCloud Air.

Exploring the Management Pack for vCloud Air

This lab does not include vCloud Air integration, so we will use an instance of vRealize Operations Manager running in "Historical View Mode" (HVM) that has already been populated with vCloud Air data from another environment.

Open the Chrome browser and select the "vrops-01b" bookmark on the toolbar. If you are presented with a warning that your connection is not private, simply click the "Advanced" link and then "Proceed to vrops-01b.corp.local (unsafe)".

Log in to vRealize Operations Manager HVM

Log into the vR Ops instance with user name "admin" and password "VMware1!"

Activate the vCloud Air Dashboard Group

Make sure you are in the Home screen by selecting the Home icon on the navigation panel. From the Dashboard List menu on the Home Screen, navigate to the vCloud Air group and then make sure to check the vCloud Air dashboard group so that these dashboards will appear among the tabs in the Home screen.

Note that five dashboards are available in this module for vCloud Air.

You may navigate to one of the dashboards by clicking on it from the Dashboard List menu or navigating the tabs within the Home screen. Next we will explore a couple of these dashboards. Let's start with the vCloud Air VM Utilization dashboard.

The vCloud Air VM Utilization Dashboard

This dashboard is comprised of two widgets which are set to interact with each other. The widgets along the top row are "Top N" widgets that provide a ranking of resources based on a given metric. For example, the top 25 VMs by Memory Usage %. The widgets just below them are "Sparkline Charts" that display graphs that contain metrics for a resource. Note that the Sparkline Charts prompt the user to select a resource from the Top N widget just above it to display a historical graph for a metric.

In the "Top 25 VMs by Memory Usage(%)" Top N widget, click on the VM "Phoenix-UAT-Pod12a" and note the graph information in the Sparkline Chart below it.

This is an example of dashboard interaction. We will explore this more in the next step. If you would like to know more about any widget, you can simply click on the "?" icon in the widget menu to open the documentation to the page covering that widget.

Analyze vCloud Air VM Memory Usage

Click on the "Cent-64-DAO2" and "Ubuntu-12-AMD-DAO" VMs in the Top N memory widget. Note that they appear now in the Sparkline Chart widget along with the previously selected graph. You can compare memory usage history in this way. When you hover over one of the sparklines, a popup will appear to let you know which VM the metric is coming from.

Change the Sparkline Time Range

By default, the historical sparklines represent the last 6 hours. You can change this from the widget menu using the Time Range feature by clicking on the calendar icon. Select the last 24 hours from the range pull down menu.

Apply the New Time Range

Click the "Go" button to apply the new time range to all sparklines.

Evaluate VM Memory Usage With the New Time Range Settings

Notice by expanding the time range we begin to see patterns appear in the sparklines. For example, the first and last sparklines indicate fairly flat memory consumption over a 24 hour period with a spike in memory usage around the same time. However, the middle VM has a more consistent usage pattern and does not appear to have the same workload pattern as the other two.

It is important to look for patterns like these in data, and vR Ops does this for you automatically.

Navigate to the vCloud Air Troubleshooting Dashboard

Now we will take a look at our vCloud Air environment from the Troubleshooting dashboard. Navigate to the dashboard by clicking on the tab indicated in the screenshot.

Use the Object Filter

This dashboard provides information about all of the vCloud Air resources. The information is provided hierarchically such that you can view the relationship between various vCloud Air resources. When you click on a resource in the vCloud Air Relationship widget, corresponding metrics and health information is shown for that resource.

Let's focus on one of the VMs we were viewing in the previous dashboard. In the filtering box, type "Ubuntu-12-AMD-DAO" and press Enter. The list will be filtered down to three resources.

Select the resource which is of the object type "VCHS Virtual Machine" (the middle resource) by clicking on it.

NOTE: Depending on your screen size, you may need to click the '>>' to see the filtering option.

Observe Dashboard Interactions

With the Ubuntu-12-AMD-DAO VM selected, notice that the other widgets in the dashboard update to reflect information about this specific resource.

• The vCloud Air Relationship is an Environment Overview widget configured to highlight the other objects that are ancestors of the VM. This is helpful to determine the impact of a health issue in the environment.

• The Ordered Symptoms is an Anomaly Breakdown widget configured to show the likely root causes for symptoms for the selected resource as well as related resources.

• Interesting Metrics is a Sparkline Chart widget configured to show "interesting" metrics for the resource. These metrics are selected automatically by vR Ops based on analysis and dynamic thresholds. This is helpful to determine metric areas that are related to a change in normal behavior.

• Finally, the widget Health, Anomalies, Event Mashup is a Mashup Chart widget configured to combine different aspects of the behavior of the selected resource. Here we can view trending of the health badge over time and overlay change events that have occurred on the VM as well as events for related resources. If you scroll down, you will notice a chart on the bottom that tracks anomalies (changes in behavior that are not normal).

NOTE: Depending on your screen size, you may have to scroll down to see the additional widgets.

Log Out of vR Ops HVM

From the user menu at the top left of the vR Ops interface, select "Log Out" from the menu. Once you have logged out you may close the Chrome browser and proceed to the next module.

Module 5: Optimize Workload Performance While Maintaining Business Priorities - (60 Minutes)

Enable Controlled Usage Of Resources Based On Business Priorities

Overview

Consider the following scenario: Due to capacity and budget constraints a certain company needs to make the best use of the resources they have but with minimal impact to the environment. To address these business requirements this module will discuss the benefits of vSphere Resource Pools as well as Network and Storage I/O Control. A Resource Pool is a logical abstraction for flexible management of resources. Resource pools can be grouped into hierarchies and used to hierarchically partition available CPU and memory resources. In addition, you can use VMware vSphere Network I/O Control (NIOC) to configure rules and policies to assure that I/O resources are always available for your business-critical applications. VMware vSphere Storage I/O Control (SIOC) may also be used to provide I/O prioritization for virtual machines running on a group of ESXi hosts that have access to a shared storage pool.

Introduction To Controlled Usage Of Resources

In this lab we are going to closely look at the pre-created Resource Pool called "Production" and additionally create a new Resource Pool at the same level in the hierarchy called "Staging".

To align with our business goals, the "Staging" VMs need to have a limit applied so they cannot consume more than 25% of the compute capacity of the Cluster for both CPU and Memory. Additionally, the "Staging" related virtual machines cannot be using expandable Resource Pools. In this configuration the "Staging" Resource Pool can never consume more than 25% of the available Cluster resources; even if there is idle capacity available in the "Production" Resource Pool, it will not be allocated to the "Staging" Resource Pool. Once the limit is reached, the "Staging" virtual machines will be capped. This leaves the remaining 75% of the resources for "Production" VMs, since there is no limit applied to the "Production" Resource Pool. Limiting the "Staging" Resource Pool to 25% will prevent a performance issue for VMs in the "Production" Resource Pool.

Let's Get Started - Login Into vSphere Web Client

1. In Firefox select the Site A Web Client bookmark,

2. Then check the box "Use Windows Session authentication"

3. Then press "Login".

Go To Host And Clusters

Select "Hosts and Clusters".

View Existing Resource Pool Called "Production"

In our case in vCenter Server "vcsa-01a.corp.local", Cluster Site A-1, there is already a Production Resource Pool.

1. Right Click on the 'Production' Resource Pool

2. Select Edit Settings

See "Production" Resource Pool Configuration

As you can see, the "Production" Resource Pool has no limits applied for both CPU and Memory, which means it can use as much as it needs within the limits of the Cluster capacity.

We are not changing anything here so just hit "Cancel".

Create New Resource Pool - "Staging"

1. Right click on Cluster called "Cluster Site A-1"

2. Then select "New Resource Pool".

Configure The New Resource Pool

1. Set the Resource Pool name as "Staging".

2. Set Shares to "Normal" for both CPU and Memory.

3. Set CPU Limit to 1805 MHz, which is 25% of 7218 MHz Max limit and Memory Limit to 488 MB, which is 25% of 1952 MB Max Limit. Make sure the Expandable Reservation type checkbox is unselected for both CPU and Memory.

4. Lastly ensure that Memory Reservation is set to 122 MB, which is 25% of the newly set Limit of 488 MB.

As we said before, in this configuration the Staging Resource Pool can never consume more than 25% of the available Cluster resources: even if there is idle capacity available in the Production Resource Pool, it will not be given to the Staging Resource Pool. Once the limit is reached, the Staging virtual machines will be capped. This leaves the remaining 75% of the resources for Production VMs since there is no limit applied to the Production Resource Pool.

5. Click OK when completed

Migrate "linux-micro-01a" To The Newly Created Resource Pool

1. Right Click on "linux-micro-01a"

2. Then Select "Migrate".

Note: as an alternative to migrating the VM using vMotion, we could have just dragged and dropped the VM into the "Staging" Resource Pool using the vSphere Web Client.

Select The Migration Type

1. Select "Change Compute Resource Only"

2. Then select "Next".

Select A Resource Pool

1. Select "Resource Pools" tab,

2. Then select the "Staging" Resource Pool and hit "Next".

Select Network

1. We are not going to change anything in here, so just hit "Next".

Select a vMotion Priority

Again don't change anything and just hit "Next".

Click On "Finish"

Press "Finish".

Verify That The VM Has Been Migrated Successfully

The VM "linux-micro-01a" should now be residing under the "Staging" Resource Pool.

Network I/O Control (NIOC) Overview

Use VMware vSphere Network I/O Control to configure rules and policies at the virtual machine level and to assure that I/O resources are always available for your business-critical applications. NIOC monitors the network. In vSphere 6.0, VMware has further built on NIOC features to deliver more predictable bandwidth. The goal of introducing these changes has been to allow tighter control on the network resources available to different classes of traffic, irrespective of the traffic originating from other classes of traffic on the host. Here are the key enhancements that NetIOC provides in vSphere 6.0:

• Bandwidth reservations for classes of traffic: You can specify the minimum bandwidth that must be reserved for a class of traffic. This guarantees that the bandwidth to the same class of traffic never falls below the specified threshold.

• Bandwidth reservations for VMs: NIOC also allows the ability to provide bandwidth reservations to each VM virtual adapter (vNIC), thus providing the ability to provide dedicated bandwidth reservations at a per VM granularity. NIOC also allows you to create abstract network resource pools that can be attributed to a port group of a distributed virtual switch (DVS). Bandwidth reserved for a resource pool is available only to VM vNICs that are part of the port group associated with the resource pool.

• Load balancing: This feature allows VMware vSphere Distributed Resource Scheduling (DRS) to migrate VMs within a cluster of vSphere hosts to accommodate bandwidth reservations assigned to VM ports. This powerful feature allows you to assign bandwidth reservations to VMs without worrying about hitting the reservation limit in a single host of the cluster.

The above features are in addition to NetIOC features already available in vSphere 5, such as:

• Resource isolation through resource pools
• Distributing bandwidth with fair shares
• Bandwidth limits
• Load-based teaming policies

The ability to assign bandwidth reservations, along with bandwidth limits and shares, provides you with immense flexibility to control and isolate network resources. A bandwidth reservation guarantees that the network port (the term network port is used in this paper to describe a VM vNIC, or a vSphere kernel NIC) is guaranteed a specified amount of transmit bandwidth under all circumstances. This is a much more powerful feature compared to the fair shares and bandwidth limit features available in previous versions of vSphere. While you could control the relative priorities of different VMs by assigning different shares, the proportion of bandwidth assigned could have fallen to less than the desired expectation if there were a lot of competition between different traffic flows. Bandwidth reservation enforces a minimum guarantee and thereby provides a much easier way of consolidating VMs, guaranteeing them bandwidth, and not worrying about the effect of virtualization on application performance.
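The difference between shares and a reservation described above can be made concrete with a small model. The following is an added example, not VMware code and not the NIOC scheduler itself: it assumes a simplified allocator (reservations are satisfied first, the remainder is divided by shares up to each port's demand and limit), and the 10,000 Mbit/s uplink, the share value of 50 and the port names are constructed for illustration.

```python
from dataclasses import dataclass

INF = float("inf")


@dataclass
class Port:
    """One network port (for example a VM vNIC) competing for transmit bandwidth."""
    name: str
    demand: float              # Mbit/s the port is trying to send
    shares: int                # relative weight, only matters under contention
    reservation: float = 0.0   # guaranteed minimum, Mbit/s
    limit: float = INF         # hard cap, Mbit/s


def admit(ports, reservable):
    """Admission check: the sum of reservations must fit in what may be reserved."""
    return sum(p.reservation for p in ports) <= reservable


def allocate(ports, capacity):
    """Split `capacity` Mbit/s: reservations first, the rest in proportion to shares."""
    # A port never receives more than it asks for or more than its limit.
    ceiling = {p.name: min(p.demand, p.limit) for p in ports}
    # Step 1: honour every reservation (simplified model assumption).
    alloc = {p.name: min(p.reservation, ceiling[p.name]) for p in ports}
    remaining = capacity - sum(alloc.values())
    active = [p for p in ports if alloc[p.name] < ceiling[p.name]]
    # Step 2: hand out what is left by shares; bandwidth a capped port
    # cannot use is redistributed among the ports that still want more.
    while remaining > 1e-9 and active:
        total = sum(p.shares for p in active)
        used, unsatisfied = 0.0, []
        for p in active:
            offer = remaining * p.shares / total
            give = min(offer, ceiling[p.name] - alloc[p.name])
            alloc[p.name] += give
            used += give
            if ceiling[p.name] - alloc[p.name] > 1e-9:
                unsatisfied.append(p)
        remaining -= used
        if len(unsatisfied) == len(active):
            break  # nobody hit a ceiling, so everything was handed out
        active = unsatisfied
    return alloc


def scenario(voip_reservation):
    """Constructed workload: one latency-sensitive VM and 19 bulk senders."""
    voip = Port("voip", demand=750, shares=50, reservation=voip_reservation)
    bulk = [Port(f"bulk-{i:02d}", demand=2000, shares=50) for i in range(19)]
    return allocate([voip] + bulk, capacity=10_000)


if __name__ == "__main__":
    print("shares only      :", round(scenario(0)["voip"], 1), "Mbit/s")
    print("750 Mbit/s reserved:", round(scenario(750)["voip"], 1), "Mbit/s")
```

With equal shares the latency-sensitive port is squeezed to an equal slice of the link as more senders compete; with the reservation it keeps its 750 Mbit/s and the bulk senders divide the rest.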

Networking - vds-site-a

Select the Networking tab.

Now select 'vds-site-a'. You may have to expand out vcsa-01a.corp.local to see it.

Resource Allocation

Next, select the 'Manage' tab, then 'Resource Allocation'.

Make sure you are on the 'System traffic' tab.

Edit Resource Settings

In the 'Traffic Type' table, click on 'Virtual Machine Traffic', then click the pencil icon to Edit.

Set a Traffic Reservation

In the Edit Resource Settings box, change the Reservation value to 7500 and click OK.

Navigate To The "Linux-load-02a" VM And Edit Its Settings

Compared with previous versions of vSphere, in vSphere 6.0 you can set bandwidth shares, limits and reservations on each individual VM.

1. Switch back to Hosts and Clusters by clicking on the tab

2. Right click on Linux-load-02a VM

3. Select Edit Settings.

Set Bandwidth Reservation On The VM

1. Expand the "Network adapter 1"

2. Set the Reservation to 750 Mbits

3. Click "Ok".

Note that you do not need to restart the VM in order to apply the new configuration.

Networking - vds-site-a

By using Network Resource Pools, you can configure bandwidth allocation for virtual machines across the entire Virtual Distributed Switch (vDS). Once you have reserved bandwidth for virtual machine traffic, you can use Network Resource Pools to assign quotas of the bandwidth, which is aggregated across the physical adapters on the switch, to the virtual machines. A virtual machine receives bandwidth from a Pool through the Distributed Port Group the virtual machine is connected to.

Let’s assume you have an application that is sensitive to latency and requires bandwidth to always be available, for instance a VoIP application. In this scenario, a new NIOC Resource Pool should be created with a guarantee of bandwidth. Let's get started.

1. In the vSphere web client go to Network Tab

2. Select the vds-site-a Distributed Switch

Network Resource Pools

Next, select the 'Manage' tab, then 'Resource Allocation'.

Make sure you are on the 'Network Resource Pools' tab and click the green '+' to add a new Resource Pool.

New Network Resource Pool

In the New Network Resource Pool box, use:

1. Name: VoIP

2. Reservation Quota: 45,000

3. Click OK

Assign Network Resource Pool To Port Group

We could now go to any Port Group on the vDS and assign the just created Network Resource Pool to the Port Group.

1. In our case let's select the VM Network Port Group (Right click and edit settings)

2. Assign the "VoIP" Network Resource Pool to it

3. Press "OK".

View

Now let's make sure that the Network Bandwidth we have reserved for the "linux-load-02a" VM in one of the previous steps is honored at the Network Resource Pool level. Still in the vSphere web client:

1. Go to Network Tab

2. vds-site-a

3. Manage

4. Resource Allocation

5. Network Resource Pools

6. Select the already created Network Resource Pool called "VoIP".

7. You should see at the bottom of the screen, under the "Virtual Machines" tab, that the "linux-load-02a" VM is indeed reserved 750 Mbits Network Bandwidth, which is what we configured it to be, so this is the result we expected to see.

Next we are going to take a closer look into Storage I/O Control.

Storage I/O Control (SIOC)

VMware vSphere Storage I/O Control is used to provide I/O prioritization for virtual machines running on a group of ESXi hosts that have access to a shared storage pool. It extends the familiar constructs of shares and limits, which exist for CPU and memory, to address storage utilization through a dynamic allocation of I/O capacity across a cluster of vSphere hosts. It increases administrator productivity by reducing active performance management.

When enabled on a datastore, Storage I/O Control triggers monitoring of the device latency that hosts observe when communicating with that datastore. When latency exceeds a set threshold, the feature engages to relieve congestion. Each virtual machine that accesses that datastore is then allocated I/O resources in proportion to its shares.

Enable Storage I/O Control On The Datastore

In vSphere web client

1. Go to Storage tab

2. Select the "ds-site-a-nfs01" datastore

3. Click on the Manage Tab

4. Select Settings and make sure you are on the General tab

5. Click on "Edit" for Storage Capabilities

6. Click in the box to enable "Storage I/O Control"

7. Then press on "Ok".

Set Storage IOPS Limit On the VM

1. Click back to the Hosts and Clusters tab

2. Navigate to the "Linux-load-02a" VM, Right Click and edit its settings.

3. Expand the "Hard Disk 1" section

4. Set "Limit-IOPs" to 200 Mbits.

5. In our case we are going to click on "Cancel" to not commit this change in IOPs limit.

Reset The Topology Before We Move To The Next Section

1. In the vSphere Web client go to "Hosts and Clusters"

2. Drag and drop the "linux-micro-01a" VM back to its original location under the "Production" Resource Pool.

3. Then delete the "Staging" Resource Pool.

Summary

So far in this module we have looked at Resource Pools, Network and Storage I/O Control to enable control over usage of resources based on business priorities.

Resource pools allow you to delegate control over resources of a host (or a cluster), but the benefits are evident when you use resource pools to compartmentalize all resources in a cluster. Create multiple resource pools as direct children of the host or cluster and configure them. You can then delegate control over the resource pools to other individuals or organizations. Using resource pools can result in the following benefits:

• Flexible hierarchical organization: Add, remove, or reorganize resource pools or change resource allocations as needed.

• Isolation between pools, sharing within pools: Top-level administrators can make a pool of resources available to a department-level administrator. Allocation changes that are internal to one departmental resource pool do not unfairly affect other unrelated resource pools.

• Access control and delegation: When a top-level administrator makes a resource pool available to a department-level administrator, that administrator can then perform all virtual machine creation and management within the boundaries of the resources to which the resource pool is entitled by the current shares, reservation, and limit settings. Delegation is usually done in conjunction with permissions settings.

• Separation of resources from hardware: If you are using clusters enabled for DRS, the resources of all hosts are always assigned to the cluster. That means administrators can perform resource management independently of the actual hosts that contribute to the resources. If you replace three 2GB hosts with two 3GB hosts, you do not need to make changes to your resource allocations. This separation allows administrators to think more about aggregate computing capacity and less about individual hosts.

• Management of sets of virtual machines running a multitier service: Group virtual machines for a multitier service in a resource pool. You do not need to set resources on each virtual machine. Instead, you can control the aggregate allocation of resources to the set of virtual machines by changing settings on their enclosing resource pool.

Use Network I/O Control to configure rules and policies at the virtual machine level and to assure that I/O resources are always available for your business-critical applications. NIOC monitors the network. Whenever it sees congestion, it automatically shifts resources to your highest-priority applications as defined by your business rules. Thanks to NIOC, your administrators can be more productive, you can extend virtualization across more workloads and your infrastructure can become more versatile.

Use Storage I/O Control to configure rules and policies to specify the business priority of each virtual machine. When I/O congestion is detected, Storage I/O Control dynamically allocates the available I/O resources to virtual machines according to your rules, improving service levels for critical applications and allowing you to virtualize more workloads, including I/O-intensive applications.

Log-In Into vRealize Operations

Log in to vRealize Operations at https://vrops-01a.corp.local with username admin and password VMware1!

Once logged-in go to Dashboard list > Recommendations.

Verify There Are No Active Alerts Currently

There should be no active alerts listed against any Virtual Machine. Note: in your vPOD there might be some already triggered alerts. Please ignore these alerts as they should not impact the lab sequence.

Create vRealize Operations Custom Groups

1. Click on Environment

2. Then click the "+" sign to add a new Custom Group.

Create Production Custom Group

We are going to create a new custom group called "Production", based on a dynamic relationship: membership is any descendant of "Cluster Site A-1". Please follow the exact same configuration as in the image above. Make sure the check box "Keep group membership up to date" is selected as above.

• Name: Production
• Group Type: Environment
• Policy: Production Policy
• Keep group membership up to date: box is ticked
• Select Object type...: vCenter Adapter --> Virtual Machine

In the Define Membership Criteria boxes below, select:

Relationship, Descendant of, contains, Cluster Site A-1.

The Production Custom Policy has been pre-created in the lab.

Preview The Items In the New Group

Click on "Preview" to see the items. Then close the preview window and click OK to create the group.

Note: the items you may see in the Preview window may be different than in the screenshot above.

Create Test-Dev Custom Group

Please follow the exact same configuration as in the image above, then create the group. The Test-Dev Custom Policy has been pre-created in the lab. Make sure the check box "Keep group membership up to date" is selected as above.

• Name: Test-Dev
• Group Type: Environment
• Policy: Test-Dev Policy
• Keep group membership up to date: box is ticked
• Select Object type...: vCenter Adapter --> Virtual Machine

In the Define Membership Criteria boxes below, select:

Relationship, Descendant of, contains, Cluster Site A-2.

View New CPU Capacity Alert Created

Go to the alerts tab and see the newly created alert called "CPU Capacity Remaining % is too low for Prod VM" against the "linux-load-01b" VM. This is because we have assigned the Production policy to all VMs in the newly formed "Production" custom group.

Note: you might need to wait 60 seconds before you refresh the alerts page again to see the alert displaying, as it may take about a minute for the new alert to trigger based on the new group membership.

Once you see the alert listed, click on the alert link to view its details.

Review The CPU Capacity Alert

View the alert details, symptom and recommendation. Then click on the VM name (see number 1).

Migrate the VM to the Test-Dev Cluster

1. Select Actions

2. Move VM.

Select Cluster Site A-2

1. Select Cluster Site A-2

2. Click "Next"

Select a Host

1. Select any of the ESXi Hosts

2. Then hit "Begin Action".

Note: as you can see, there is an Affinity Rule Details section which states whether there are any affinity rules that are about to be broken. In our case no affinity rules are defined.

See Recent Tasks

Click on "Recent tasks" to see if the vMotion was successful.

See Completed Task

You should see Move VM task marked as completed.

Validate CPU Alert Is Cleared

Click on the Alerts icon (item number 1). Since we have migrated the "linux-load-01b" VM to a Test-Dev Cluster the CPU Capacity Alert is now cleared. This is because the Test-Dev Cluster (Cluster Site A-2) is associated with the dynamic custom group called Test-Dev that we have created in vRealize Operations earlier, which is in turn associated with the Test-Dev custom policy, which is less restrictive when it comes to capacity and performance monitoring since we have different business needs for a Test-Dev cluster than we do for a Production cluster.

Note: Alert may take 2-3 minutes to clear following the successful VM migration. Just refresh the page until you see it disappear.

Summary

In this Module we have looked at how we can enable controls such as Shares, Reservations, Limits, SIOC and NIOC over how resources are utilized in vCenter, and then how these controls can dictate how vRealize Operations triggers alerts and reports on performance and capacity of resources. In vRealize Operations a custom object group is a container that includes one or more objects. vRealize Operations Manager uses custom groups to collect data from the objects in the group, and report on the data collected.

Why Use Custom Object Groups In vRealize Operations?

You use groups to categorize your objects and have vRealize Operations Manager collect data from the groups of objects and display the results in dashboards and views according to the way you define the data to appear.

You can create static groups of objects, or dynamic groups with criteria that determine group membership as vRealize Operations Manager discovers and collects data from new objects added to the environment.

When you create a custom group, and assign a policy to the group, vRealize Operations Manager can use the criteria defined in the applied policy to collect data from and analyze the objects in the group. vRealize Operations Manager reports on the status, problems, and recommendations for those objects based on the settings in the policy.

vRealize Operations Custom Alerting

Creating Custom Alerts In vRealize Operations

vRealize Operations Alerting Overview

Alerts - vRealize Operations alerts notify you when a problem occurs in your environment. You use the alerts to determine the state of your environment and to begin resolving the problems. Each alert includes one or more symptoms.

Symptoms - are conditions that indicate problems in your environment. You define symptoms that you add to alert definitions so that you know when a problem occurs with your monitored objects. As data is collected from your monitored objects, the data is compared to the defined symptom condition. If the condition is true, then the symptom is triggered. Each alert can optionally include some Recommendations and Actions.

Recommendations - are probable solutions for an alert generated in vRealize Operations Manager. You can create a library of recommendations that include instructions to your environment administrators or actions that they can run to resolve an alert.

Actions - are the ability to update objects or read data about objects in monitored systems, and are commonly provided in vRealize Operations Manager as part of a solution. The actions added by solutions are available from the object Actions menu, list and view menus, including some dashboard widgets, and can be added to alert definition recommendations. The possible actions include read actions and update actions. The read actions retrieve data from the target objects. The update actions make changes to the target objects. For example, if you configure an alert definition to notify you when a virtual machine is experiencing memory issues, you can add an action to the recommendations that runs the Set Memory for Virtual Machine action. This action increases the memory and resolves the likely cause of the alert.

Create New Alert Definition

vRealize Operations comes with many pre-defined Alerts and Symptoms; however, in this module we will create a net new alert.

1. First go to the Content tab

2. Select Alert Definitions

3. Click on the "+" sign.

Provide Alert Name And Description

1. Type in 'Host Memory Usage is Above Trend' as the Alert name and description.

The Alert name should be a concise note about the problem while the description can be more detailed, as this information can help your users process the alerts as they are generated.

2. Now go to "Select Base Object".

Select Base Object Type

1. Type Host System

2. Then select Host System

3. Now select "Alert Impact".

Define Alert Impact

Add the information as displayed in the image above and then select "Add Symptom Definitions".

1. Impact: Health
2. Criticality: Warning
3. Alert Type and Subtype: Virtualization/Hypervisor: Capacity
4. Wait Cycle: 1
5. Cancel Cycle: 1

Define Alert Symptom Definitions

Alert Symptom Definitions are a core component of the alert definition. As you add symptoms, do not over-build a single alert definition with too many symptoms; if you do, you might not be able to find the true problem and resolve it. At the same time, include sufficient conditions to try and accurately identify the problem.

1. Select "Self" as Defined on.

2. Then "Metric/Property" for Symptom Definition Type

3. Finally click on the "+" sign.

Define A Dynamic Threshold Symptom

A threshold marks the boundary between normal and abnormal behavior for a metric inside a definition of a Symptom. In addition to Static thresholds, vRealize Operations Manager supports dynamic thresholds for a metric, calculated based on historical and incoming data. By default, dynamic thresholds are refreshed on a regular schedule, but you can recalculate dynamic thresholds outside of the schedule if you want to capture the most recent data.

Type "usage" to search all metrics which are usage related, then expand memory and double click on Usage (%) so that it shows up on the right pane. Set it to be based on Dynamic Thresholds, add a description (for example: "Host Memory is over trending threshold"). Then set the status to "Warning" and "Above threshold". Leave everything else as it is and click on save.

Add The Newly Created Symptom To Your Alert

Now filter on "Host Memory is over trending threshold" and when you find it, drag it to the pane on the right. Then click on "Add Recommendation".

Add Recommendations

Recommendations are instructions to the users to help fix the problem identified by the symptoms. We will first add a recommendation to add more hosts to the cluster.

1. Search the text "add more hosts"

2. Then drag and drop "Add more hosts to the cluster to increase memory capacity" to the right pane area.

3. We are then going to add an action so now click on the "+" sign.

Add An Action To The Recommendation

1. Type "power off idle virtual machine"

2. Then select the "Power Off VM" action

3. Hit "Save".

Associate The Action With The Recommendation

1. Now Search for the text "idle"

2. Then drag and drop the action to the right bottom pane

Save The Alert

Now hit Save.

Summary

The newly created Alert definition is now added to your Alert Definition list and it is active for all ESXi Host objects in your environment. After each collection cycle, the collected data is compared against all the symptom expressions in the alert definitions. If the symptom expressions you have added to this alert definition are true for 3 consecutive collection cycles then the alert is generated for the host system. Generated alerts are listed in the alerts lists for your environment and on the alerts tab for any ESXi host system. The alerts will include the symptoms and the recommendations to resolve the problem, including any actions if needed.

You can use this process to modify or add other alerts to vRealize Operations, ensuring you are notified when problems occur.
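The per-cycle evaluation described in this summary, together with the Wait Cycle and Cancel Cycle settings from the alert definition, can be sketched as a small state machine. This is an added example, not vRealize Operations code: the product's dynamic threshold calculation is not described on this page, so mean plus two standard deviations of the samples seen as normal is used as a stand-in, and the memory usage series is constructed.

```python
from statistics import mean, pstdev


def dynamic_upper_bound(history, k=2.0):
    """Stand-in dynamic threshold (assumption): mean + k * stddev of normal samples."""
    return mean(history) + k * pstdev(history)


def evaluate(samples, baseline_len, wait_cycles, cancel_cycles, k=2.0):
    """Walk the collection cycles and return [(cycle_index, 'ALERT' | 'CANCEL'), ...].

    The first `baseline_len` samples seed the threshold. After that, the
    symptom is true when a sample is above the current upper bound. An alert
    is raised once the symptom has been true for `wait_cycles` consecutive
    cycles and cancelled once it has been false for `cancel_cycles`.
    """
    history = list(samples[:baseline_len])
    events = []
    above = below = 0
    active = False
    for i, value in enumerate(samples[baseline_len:], start=baseline_len):
        if value > dynamic_upper_bound(history, k):
            above += 1
            below = 0
        else:
            below += 1
            above = 0
            # Only normal samples extend the baseline, so a long incident
            # does not drag the threshold up and hide itself.
            history.append(value)
        if not active and above >= wait_cycles:
            active = True
            events.append((i, "ALERT"))
        elif active and below >= cancel_cycles:
            active = False
            events.append((i, "CANCEL"))
    return events


# Constructed host "Memory Usage (%)" samples, one per collection cycle:
# ten normal cycles, a one-cycle spike, then a sustained rise.
USAGE = [41, 42, 40, 43, 44, 42, 41, 43, 42, 42,   # cycles 0-9: baseline
         70, 43, 42,                               # cycle 10: single spike
         68, 71, 73, 75,                           # cycles 13-16: sustained
         43, 42]                                   # cycles 17-18: recovered

if __name__ == "__main__":
    for wait in (1, 3):
        print(f"Wait Cycle {wait}:", evaluate(USAGE, 10, wait, 1))
```

With a Wait Cycle of 1 the one-cycle spike raises and immediately cancels an alert; with 3 only the sustained rise does, which is the trade-off between noise and time to detection when choosing the value.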

Module 6: Ensure Business Continuity and Availability - (30 Minutes)

Demonstrate transparent failover for virtual machines

vSphere 6.0 HA provides a base level of protection for your virtual machines by restarting virtual machines in the event of a host failure. vSphere 6.0 Fault Tolerance provides a higher level of availability, allowing users to protect any virtual machine from a host failure with no loss of data, transactions, or connections.

Fault Tolerance provides continuous availability by ensuring that the states of the Primary and Secondary VMs are identical at any point in the instruction execution of the virtual machine.

If the host running the Primary VM fails, an immediate and transparent failover occurs. The functioning ESXi host seamlessly becomes the Primary VM host without losing network connections or in-progress transactions. With transparent failover, there is no data loss and network connections are maintained. After a transparent failover occurs, a new Secondary VM is respawned and redundancy is re-established. The entire process is transparent and fully automated and occurs even if vCenter Server is unavailable.

VMware vSphere Fault Tolerance

The benefits of Fault Tolerance are:

• Protect mission critical, high performance applications regardless of OS

• Continuous availability - Zero downtime, zero data loss for infrastructure failures

• Fully automated response

Use cases

Any workload that has up to 4 vCPUs and 64GB Memory that is not latency sensitive (e.g. VoIP & High-Frequency trading are not good candidates for FT). Note that vSphere 6.0 introduces the capability to use FT to protect VMs with more than 1 vCPU. In vSphere 5.5 and prior versions, only VMs with 1 vCPU could be protected by FT.

There is VM/Application overhead to using FT and that will depend on a number of factors like the application, number of vCPUs, number of FT protected VMs on a host, host processor type, etc. A performance paper will soon be released that will get into more specifics. For now the recommendation to customers is to test out using FT and see if it works for their workloads/use cases.

The new version of Fault Tolerance greatly expands the use cases for FT to approximately 90% of workloads.

The new technology used by FT is called Fast Checkpointing and is basically a heavily modified version of an xvMotion that never ends and executes many more checkpoints (multiple/sec). Also note that in versions prior to 6.0, FT required shared storage where both the Primary and Secondary copies of the FT-protected VM would share the same VMDK files. However, in vSphere 6.0, in order to add additional protection to the FT-protected VM, the Primary & Secondary VM use unique VMDKs.

FT logging (traffic between hosts where primary and secondary are running) is very bandwidth intensive and will require a dedicated 10GbE NIC on each host. If FT doesn't get the bandwidth it needs, the impact is that the protected VM will run slower and result in higher latency to client applications.

Monitoring FT with vR Ops

vR Ops provides alerting of vCenter events, such as FT issues and state changes for protected VMs. In the example above, a VM has become unprotected due to loss of the secondary VM.

Video: Protecting Virtual Machines with FT (2:51)

This video shows how to protect virtual machines with VMware Fault Tolerance (FT). Due to resource constraints in the Hands On Labs environment we're unable to demonstrate this live for you.

Video link: http://www.youtube.com/watch?v=rWGrmbHfbIw

Demonstrate automatic restart of virtual machines after a storage failure

In this lesson we will configure vSphere High Availability (HA) on a cluster and then trigger a failure and observe HA restarting a protected VM on a new host.

Login to vSphere Web Client

Start Google Chrome from the ControlCenter desktop. You will automatically be directed to the login page for vSphere Web Client.

Tick the box next to "Use Windows session authentication" and then click "Login"

Navigate to Cluster Site A-1 cluster

1. In the web client search box, start typing "Cluster" until you see Cluster Site A-1 appear in the quick search menu.

2. Click on the link for "Cluster Site A-1" to be directed to the cluster's screen.

Edit Cluster HA Settings

1. Click the "Manage" tab

2. Then "vSphere HA" under the settings.

3. Click "Edit".

Enable HA

1. Tick the box next to "Turn on vSphere HA" and

2. "Protect against Storage Connectivity Loss"

We will simulate our failure by disconnecting storage on the host, so we need this feature enabled.

Configure Failure Conditions and VM Response

We need to configure HA to respond to our storage failure, so we need to change some defaults.

1. Expand "Failure conditions and VM response"

2. Set VM Restart Priority to High

3. Set Response for Datastore with All Paths Down (APD) to "Power off and restart VMs (aggressive)"

4. Set the Delay for VM failover for APD to 0 minutes

Disable Admission Control

Since we only have two hosts in the cluster we will need to disable admission control.

1. Expand "Admission Control"

2. Scroll to the bottom of the options.

3. Click the radio button for "Do not reserve failover capacity"

Click OK at the bottom right to complete the HA configuration (not shown)

Verify HA is Enabled

Click on the "Summary" tab

1. Open the vSphere HA widget.

2. Notice that the HA icon shows up next to the cluster

3. And the HA settings we made are confirmed in the HA widget.

Observe Current State of esx-01a

1. Click on the Hosts link under Cluster Site A-1. This will show all hosts running within the cluster in the panel below.

2. Click on esx-01a.corp.local to manage that host.

3. Switch to the Related Objects tab within the host screen.

4. Click the Virtual Machines button to show all VMs running on this host.

5. We only have one machine, linux-micro-01a, which will be the subject of our test failure.

Edit Storage Connection

1. To edit the storage connection, go to the Manage tab

2. Click the Networking button

3. Select VMkernel adapters.

4. We will edit vmk1, which is our Storage Network connection (the lab is using NFS storage). Select the vmk1 adapter.

5. Click the pencil icon to edit.

Misconfigure the network settings

1. In the Edit Settings wizard, click the "IPv4 settings" tab

2. Then click the "Obtain IPv4 settings automatically" radio button. This effectively uses DHCP instead of the static address of 10.10.20.51 and will disconnect the host from the NFS storage server.

3. Click OK when you are ready.

Observe the Storage Failure

1. Switch to the Summary tab

2. View the notification that shared datastores have failed on the host.

Check HA Status

1. Click on Cluster Site A-1

2. Then the Monitor tab.

3. Click the vSphere HA button

4. Select the "Datastores under APD or PDL" option. Notice that esx-01a is showing a failure because APD (All Paths Down) was detected for storage.

Note HA Alert

In a few moments, you should notice a new Alarm appear in the web client (look to the right side of the web client) indicating an HA failover is in progress.

NOTE: This may take a few minutes to appear.

Observe Relocation of VM Task

Check the Recent Tasks window at the bottom of the web client. You should see a task indicating that linux-micro-01a has been relocated. This is due to the HA failover.

Verify Recovery for VM

1. Click on Virtual Machines link under the Cluster Site A-1 object.

2. Select linux-micro-01a from the list of virtual machines.

3. Click the Summary tab

4. Note the location is now esx-02a and the machine has powered on, completing failover recovery.

Repair esx-01a Storage

1. Click the Hosts link under Cluster Site A-1

2. Then click esx-01a.corp.local on the list of Hosts.

3. Click on the Manage tab

4. Select Networking.

5. Click on the VMkernel adapters

6. Select vmk1 (Storage Network).

7. Click the pencil icon to edit the adapter configuration.

8. In the Edit Settings wizard, select the "IPv4 settings" tab.

9. Click the radio button for "Use static IPv4 settings"

10. Enter the IP address 10.10.20.51

11. Click OK to apply the new settings.

Reboot the ESX host

To fully recover, the host must be rebooted.

1. From the "Actions" menu

2. Select Power

3. Reboot.

Confirm the Reboot

Click OK.

HA Events in vRealize Operations Manager

vSphere HA events are captured in vR Ops. For example, this screen shot shows a host isolation failure and HA failover as displayed in vR Ops.

VM Recovery Event in vR Ops

The HA restart event for the protected VM is available in the Events view.

Module 7: Simplified Security and Compliance - (30 Minutes)

Integrate your environment into your enterprise certificate infrastructure

In this module we will learn how to configure the VMware vSphere 6.0 VMware Certificate Authority (VMCA) as a subordinate of an existing Certificate Authority.

A VMCA exists on an embedded vCenter Server 6.0 installation and an external Platform Services Controller (PSC). We will be using the PSC in this module.

WARNING - This lesson will "break" connectivity between vrops-01a.corp.local and the two vCenter servers in this lab. There is an optional set of steps at the end of the lesson to re-establish trust. If you are taking these lessons out of order or you wish to explore vR Ops further, you will need to perform the optional steps.

Creating a Microsoft Certificate Authority Template

We will first need to configure a Microsoft Certificate Authority (CA) template for use with custom SSL certificate implementation in vSphere 6.0.

Start the Certificate Template Console

On the Control Center desktop, click the Windows Start button and type "certtmpl.msc" into the search window. Click on the console link to start the console.

Duplicate the Subordinate Certificate Authority

Right click on the Subordinate Certificate Authority template and click "Duplicate Template" from the context menu.

Set the Template Name

Click on the General tab and change the Template display name to "vSphere 6.0 VMCA"

Click OK to save the template.

Close the Certificate Template Console.

Start the Certificate Server Console

On the Control Center desktop, click the Windows Start button and type "certsrv.msc" into the search window. Click on the console link to start the console.

Add the New Template to the CA

Expand the CONTROLCENTER-CA and right click on the Certificate Templates folder. Select New > Certificate Template to Issue from the context menu.

Enable the vSphere 6.0 VMCA Template

Select the "vSphere 6.0 VMCA" template and click "OK"

LEAVE THIS CONSOLE OPEN - we will use it to submit our certificate signing request.

Configuring VMware vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority

Next we will configure VMCA on the PSC as a subordinate CA to our Microsoft CA.

Open a PuTTY Session to PSC

Locate the PuTTY icon on the task bar and click on it. In the PuTTY window, find the "psc-01a.corp.local" saved session and click "Open"

Start the certificate manager on the PSC

(It is a good idea to enlarge the PuTTY session screen or make it full screen to properly display the Certificate Manager menus)

From the shell prompt, enter this command

/usr/lib/vmware-vmca/bin/certificate-manager

The menu will appear. Select option 2 (press the 2 key and then Enter)

Enter SSO Password and Generate CSR

Use the password "VMware1!" for the SSO password.

Select option 1 to generate the Certificate Signing Request.

Save the CSR

When prompted, enter "/tmp" for the path to save the CSR.

Enter option 2 to exit the Certificate Manager.

Leave the PuTTY session open.

Start WinSCP

Click the Windows Start button, type "winscp" in the search bar. Click on the WinSCP shortcut to start the program.

Connect to the PSC

Select "New Site" and enter "psc-01a.corp.local" in the Host name box. Click "Login"

Accept the PSC fingerprint

If you are prompted with a warning that the PSC is an unknown server, click "Yes" to proceed.

Login as root

Enter username "root" and click "OK"

Continue the login

Click "Continue"

Open the /tmp directory

Double-click the navigation bar and input /tmp in the "Open directory" dialogue. Click "OK"

Download the CSR and key

Select the "root_signing_cert.csr" and click on the Download link. Click OK to accept the default download path.

Copy Request Contents

In the left navigation panel of WinSCP, click on the file we just downloaded (root_signing_cert.csr) and then click the Edit button on the menu.

When the file is opened in the editor, select all of the text with CTRL-A and then CTRL-C to copy.

Leave the WinSCP session open.

Browse to the CA Request Website

Open the Chrome browser and navigate to

http://localhost/certsrv

Once there, select the link to "Request a certificate"

Submit an Advanced Certificate Request

Now click the link for "advanced certificate request"

Submit the Request

Click inside the "Saved Request" text box and press CTRL-V to paste the CSR text copied in the last step. Make sure to use the "vSphere 6.0 VMCA" certificate template and then click the "Submit" button.

Download the Certificate

On the download page, select "Base 64 encoded" and click on "Download Certificate". The downloaded file will be called "certnew.cer".

Next click on "Download certificate chain" (ensuring that "Base 64 encoded" is still selected). The downloaded file will be called "certnew.p7b".

Rename the downloaded files

Use File Explorer to navigate to the Downloads folder. Rename the files as follows (select the file and press F2):

certnew.cer > machine_ssl.cer

certnew.p7b > cachain.p7b

Export the Certificate Chain

Double-click on the file "cachain.p7b" to open it in the Certificate Manager management console. Drill down to Certificates and right-click the CONTROLCENTER-CA root certificate and choose "All Tasks > Export" from the context menu.

Complete the Certificate Export Wizard

The Certificate Export Wizard will start. Click Next on the initial screen and then select the "Base-64 encoded X.509 (.CER)" radio button and click Next.

Save Export File

Enter the path "C:\Users\Administrator\Downloads\root-64.cer" in the File name: input box and click "Next"

Finish the Export Wizard

Click "Finish" and then acknowledge the export success.

Copy the New Certificates to the PSC

Return to WinSCP. Navigate to the downloads directory by double-clicking the navigation bar and entering

c:\users\administrator\downloads

Select the files "machine_ssl.cer" and "root-64.cer" and click the "Upload" menu item. Click OK on the transfer confirmation.

Combine the Root and Machine Certs

Return to the PuTTY session. Change to the tmp directory by entering

cd /tmp

Execute the command

cat root-64.cer >> machine_ssl.cer

This will append the CA certificate to the machine certificate. View the resulting file by executing

cat machine_ssl.cer

Replace the existing certificate with the newly generated certificate

Start the vSphere 6 Certificate Manager by executing the command

/usr/lib/vmware-vmca/bin/certificate-manager

We want to replace the VMCA Root certificate with our custom CA signing certificate and replace all certificates. Select option 2.

The SSO password is "VMware1!"

Next we will select option 2 to import the certificate and key.

Provide the path for the custom root certificate

/tmp/machine_ssl.cer

Provide the path for the key

/tmp/root_signing_cert.key

Configure certool.cfg

Enter "Y" at the "Continue Operation" prompt.

Next we will be prompted to configure certool.cfg - for this lab we will just accept the default values but ideally you would use values meaningful to your enterprise.

Notice that the Hostname value requires you to enter the FQDN of the PSC. Use "psc-01a.corp.local" and press Enter.

After the import, the PSC services will be restarted - this may take a couple of minutes. Just wait until it is completed.

Restart vCenter Servers

Next we need to stop and restart vCenter services on each vCenter appliance. Enter the command:

ssh vcsa-01a.corp.local service-control --stop --all

If you are prompted to accept the ECDSA key fingerprint, enter "Yes" (not shown)

When prompted for the root password, use "VMware1!"

It will take a couple of minutes for the services to stop. When they do, repeat the process for the second vCenter appliance

ssh vcsa-01b.corp.local service-control --stop --all

Start vCenter Services

Now start vCenter services on each node with the commands

ssh vcsa-01a.corp.local service-control --start --all

and

ssh vcsa-01b.corp.local service-control --start --all

Again, use the password "VMware1!" for root when prompted.

Replace Certificates on vCenter Appliances

In the next few steps, we will replace the machine SSL certificates and the solution user certificates on each of the vCenter appliances. We will start with vcsa-01a.corp.local

When you finish with that appliance, return here to follow the same process for vcsa-01b.corp.local.

OPTIONALLY, you can open a new PuTTY session to the PSC and perform the steps for vcsa-01b.corp.local in parallel. This will speed up the lab steps but be careful that you are entering the commands correctly in the appropriate PuTTY session.

SSH to vCenter Appliance and Start Certificate Manager

Enter the command

(change the host name in command below to vcsa-01b.corp.local for the second appliance)

ssh vcsa-01a.corp.local

Use the password "VMware1!" for root login

Enter the command

/usr/lib/vmware-vmca/bin/certificate-manager

to start the Certificate Manager

Replace the Machine SSL Certificate

Enter option 3 at the prompt.

Use "VMware1!" for the SSO password.

Next enter the FQDN of our PSC "psc-01a.corp.local"

Accept defaults for the certool.cfg configuration.

Enter the FQDN of the vCenter appliance "vcsa-01a.corp.local" (or "vcsa-01b.corp.local" for the second node)

Answer "Y" to the prompt.

The Certificate Manager will now replace the machine SSL certificate and restart services - this will take a couple of minutes.

Replace Solution User Certificates

Enter the command to start the Certificate Manager

/usr/lib/vmware-vmca/bin/certificate-manager

Select option 6 to replace the Solution user certificates

Use "VMware1!" for the SSO password

Enter the FQDN of the PSC server "psc-01a.corp.local"

Enter "Y" at the continue operation prompt

Certificate Manager will replace the solution user certificates and restart services on the appliance; this will take a few minutes.

When completed, enter "exit" to log out of the vCenter appliance.

Repeat the steps for replacing machine and solution user certificates on the second vCenter appliance. When you have completed both appliances, you may close the PuTTY session window.

Verify Certificate Functionality.

Open the Google Chrome browser from the ControlCenter desktop. Click the shortcut to vcsa-01a.

You should see a green lock icon in the address bar, indicating that you have a valid certificate. Right click on the lock icon and click the "Connection" tab.

Click on the "Certificate information" link.

View Certificate Path

In the Certificate window, click the "Certification Path" icon and view the path. Notice that our default organization name of "Acme" is presented, indicating that our certificates are using the values we input earlier. Also note that the root CA is the CONTROLCENTER-CA.

Click OK to close the window.

Close the Chrome browser window.

OPTIONAL - Re-establish Trust Between vR Ops and vCenters

Because we have changed the certificates on the VCSAs in our lab, vR Ops will no longer trust the connections to the two VCSAs and collections will stop. However, it is very easy to re-establish trust and get your environment back to normal.

This is an optional part of the lesson and unless you plan to take other lessons that incorporate vR Ops it is not necessary to proceed.

Login to vrops-01a

Open the Chrome browser and click on the bookmark for vrops-01a.

Enter user name "admin"

Password "VMware1!"

Click "Login"

Clean Certificate Store

We first need to remove the old, invalid certificates from the vR Ops certificate store.

Click on the Administration icon.

Select Certificates from the navigation panel.

You will see two certificates. Notice that they are both issued from the PSC for the VCSAs. Select one at a time and click the red "X" icon to delete them.

Answer "Yes" to both confirmation prompts (not shown).

Configure the vSphere Solution

Click on "Solutions" in the navigation panel.

Select the "VMware vSphere" solution and click the gear icon to open the configuration window.

Re-establish Trust

The vCenter Adapter will be selected by default. Also, the vcsa-01a instance will be selected by default.

Click on "Test Connection" to initiate an SSL communication test.

Note the "Review and Accept Certificate" window shows the new "Issued to" information we configured for the VCSA (i.e. "AcmeOrg Engineering").

Click "OK" to trust this new certificate. Click "Save Settings" to complete.

Repeat these steps for each solution adapter and each instance name (i.e. both instances of vCenter Adapter and both instances of the vCenter Python Actions Adapter).

Close the Manage Solution window when you have completed re-establishing trust for all four instances.

Note Collection Status

Initially, you may see errors for the collection status. Within a couple of minutes, you should refresh and make sure all four instances have a Collection Status "Data receiving" to confirm you have repaired the connections.

Show fine-grained control of local user access on ESXi

In this module we will use ESXCLI to create and modify local accounts, and also learn how to change password policies (complexity and timeout). Also, you will learn how to add an ESXi host to AD and grant access to an AD group with ESXCLI.

Create a New Local User Account on an ESXi Host

In this lesson we will create a new local user account on an ESXi host. Assume that the Network Operations Center (NOC) needs a user account for basic troubleshooting of the host.

Open PuTTY

Click on the PuTTY icon in the taskbar.

Connect to esx-01a.corp.local

Select the saved session for esx-01a.corp.local and click "Open" to start your session. You will automatically be logged in as root.

List Current Local User Accounts

Enter the command

esxcli system account list

and observe that there are currently three local accounts available on the host.

Add a New Local User Account

Enter the command to create a new local user:

esxcli system account add -i=nocuser -d="NOC Account" -p=HOL@VMware1! -c=HOL@VMware1!

Verify User Account

Once again enter

esxcli system account list

to validate that the account has been added.

List Current Account Permissions

Enter the command

esxcli system permission list

to validate the existing permissions granted on this host. Note that our new user does not have any permissions listed.

Set Permissions for the New Local Account

Let's grant them ReadOnly since they only need this account to gather information and not make changes. Enter the command

esxcli system permission set -i=nocuser -r=Admin

Verify Permissions

Enter the command

esxcli system permission list

to validate that our user has Admin access to the host. Leave the PuTTY session open for the next lesson.

ESXi Passwords, ESXi Pass Phrases, and Account Lockout

For ESXi hosts, you can use a password or a pass phrase. In each case, you must make sure the password or pass phrase meets the requirements.

ESXi uses the Linux PAM module pam_passwdqc for password management and control. See the manpages for pam_passwdqc for detailed information.

ESXi enforces password requirements for direct access from the Direct Console User Interface, the ESXi Shell, SSH, or the vSphere Client. When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash.

Starting with vSphere 6.0, your user password must meet the following requirements.

• Passwords must contain characters from at least three character classes.

• Passwords containing characters from three character classes must be at least seven characters long.

• Passwords containing characters from all four character classes must be at least seven characters long.

In this lesson we will change ESXi password requirements to allow for a passphrase and increase the password requirement to at least eight characters long.

The password quality is controlled via the advanced option Security.PasswordQualityControl, which can be accessed via the vSphere Web Client. In this lesson we will use vim-cmd from the ESXi shell to make these modifications.

View the Current Settings for Password Quality

Enter the command

vim-cmd hostsvc/advopt/view Security.PasswordQualityControl

and observe the current settings of retry=3 min=disabled,disabled,disabled,7,7. These are the default settings and match the requirements for password quality outlined in the lesson overview above.

Set the Password Quality to Allow Passphrase and Increase Password Minimum Length

Enter the command

vim-cmd hostsvc/advopt/update Security.PasswordQualityControl string "retry=3 min=disabled,disabled,16,8,8 passphrase=4"

This will set our password quality to allow for passphrases with at least 16 characters and 4 words separated by spaces. We also increased the password option to a minimum of 8 characters.

Validate the Password Quality Settings

Now let's update the password for nocuser to test our password quality checking. First, let's try a 7 character password by entering the command

esxcli system account set -i=nocuser -p=HOL@VMw -c=HOL@VMw

Notice that our password checking will not allow the short password. What about a passphrase? Let's try a 3 word passphrase as a test. Enter the command

esxcli system account set -i=nocuser -p="correct horse battery" -c="correct horse battery"

Again, our password quality check works, disallowing the short phrase (remember we require at LEAST 4 words in the phrase). OK, let's try a phrase that should give us success. Enter the command

esxcli system account set -i=nocuser -p="correct horse battery staple" -c="correct horse battery staple"

Note that we do not get an error, which indicates the password update was successful.
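The min= and passphrase= fields set above, modelled as an added Python example that is not part of the lab and is not the pam_passwdqc implementation. It covers only the length, character-class and word-count rules, and follows passwdqc's documented behaviour of not counting a leading uppercase letter or a trailing digit toward the class total; the function names are illustrative, and the dictionary, similarity and max= checks are left out.

```python
import re

DISABLED = float("inf")  # "disabled": no length is ever long enough
# Policy strings as shown in the lab (default, then the modified setting)
DEFAULT = "retry=3 min=disabled,disabled,disabled,7,7"
LAB = "retry=3 min=disabled,disabled,16,8,8 passphrase=4"

def parse_policy(policy):
    """Parse 'retry=3 min=N0,N1,N2,N3,N4 passphrase=N' into a dict."""
    opts = dict(item.split("=", 1) for item in policy.split())
    mins = [DISABLED if v == "disabled" else int(v)
            for v in opts["min"].split(",")]
    if len(mins) != 5:
        raise ValueError("min= needs five comma-separated values")
    # passwdqc's documented default is passphrase=3 when the option is absent
    return {"min": mins, "passphrase": int(opts.get("passphrase", 3))}

def char_classes(pw):
    """Count character classes, skipping a leading capital and trailing digit."""
    body = pw[1:] if pw[:1].isupper() else pw
    body = body[:-1] if body[-1:].isdigit() else body
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in body) for t in tests)

def evaluate(pw, policy):
    """Return (accepted, reason) under the simplified length rules."""
    p = parse_policy(policy)
    n0, n1, n2, n3, n4 = p["min"]
    classes = char_classes(pw)
    words = len(re.findall(r"[A-Za-z]+", pw))  # approximation: runs of letters
    if classes >= 4 and len(pw) >= n4:
        return True, "four classes, length >= N4"
    if classes >= 3 and len(pw) >= n3:
        return True, "three classes, length >= N3"
    if classes >= 2 and words >= p["passphrase"] and len(pw) >= n2:
        return True, "passphrase, length >= N2"
    if classes >= 2 and len(pw) >= n1:
        return True, "two classes, length >= N1"
    if classes >= 1 and len(pw) >= n0:
        return True, "one class, length >= N0"
    return False, f"{classes} classes, {words} words, length {len(pw)}"

if __name__ == "__main__":
    # First three candidates are the lab's; "Password1" is a constructed sample
    for pw in ("HOL@VMw", "correct horse battery",
               "correct horse battery staple", "Password1"):
        for name, pol in (("default", DEFAULT), ("lab", LAB)):
            print(f"{pw!r:32} {name:8} {evaluate(pw, pol)}")
```

Under this model "Password1" counts as a single character class, so both policy strings reject it even though it mixes uppercase, lowercase and a digit.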

Configure a Host to Use Active Directory in the vSphere Web Client

In this lesson, we walk through the process of adding a vSphere Host to authenticate against Active Directory.

Log in to the Web Client

Launch the Chrome browser from your desktop. You will automatically be directed to the vSphere Web Client login. Tick the "Use Windows session authentication" box and click "Login".

Hosts and Clusters

Click on the Home icon and select Hosts and Clusters.

esx-01a.corp.local

Click on esx-01a.corp.local.

Settings

Click on the Manage tab, then Settings and then Authentication Services.

Join Domain

Click the Join Domain button.

Join Domain Settings

Enter corp.local for the Domain.

In the Using Credentials section enter:

Username: administrator
Password: VMware1!

Click OK.

Added to Active Directory

After a few moments, you should see the screen refresh and the Authentication Services section update to show the host is now connected to the Active Directory domain.

Grant Permissions to a Domain Group on an ESXi Host

Now that the host has joined AD, we can grant access to the host by AD user or group.

Set Permissions for Domain Admins

Return to the PuTTY session window. Enter the command

esxcli system permission set -g -i="corp\Domain Admins" -r=Admin

Notice we added the -g switch to indicate this is a group. Now validate the AD group has been given permissions by entering the command

esxcli system permission list

Login with AD Credentials

Let's test this by logging in as a member of the Domain Admins AD group. Enter the command

login

Use the following credentials and verify you are able to log in

login: [email protected]
password: VMware1!

Close the PuTTY session window.

Close the Chrome browser.

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-SDC-1602

Version: 20160411-074555
