Archive

Posts Tagged ‘vswitch’

VCAP-DCA Study guide – 6.3 Troubleshooting Network Performance and Connectivity

April 18th, 2011 No comments

Knowledge

  • Identify virtual switch entries in a Virtual Machine’s configuration file
  • Identify virtual switch entries in the ESX/ESXi Host configuration file
  • Identify CLI commands and tools used to troubleshoot vSphere networking configurations
  • Identify logs used to troubleshoot network issues

Skills and Abilities

  • Utilize net-dvs to troubleshoot vNetwork Distributed Switch configurations
  • Utilize vicfg-* commands to troubleshoot ESX/ESXi network configurations
  • Configure a network packet analyzer in a vSphere environment
  • Troubleshoot Private VLANs
  • Troubleshoot Service Console and vmkernel network configuration issues
  • Troubleshooting related issues
  • Use esxtop/resxtop to identify network performance problems
  • Use CDP and/or network hints to identify connectivity issues
  • Analyze troubleshooting data to determine if the root cause for a given network problem originates in the physical infrastructure or vSphere environment

Tools & learning resources

Identify virtual switch entries in a VMs configuration file

Contains both vSS and vDS entries;


In the example .VMX shown here, the VM has three vNICs on two separate vDSs. When troubleshooting you may need to correlate the values in this file with the net-dvs output on the host;

  • NetworkName will show “” when the vNIC is on a vDS.
  • The .VMX will show the dvPortID, dvPortGroupID and port.connectid used by the VM – all three values can be matched against the net-dvs output and used to check the port configuration details – load balancing, VLAN, packet statistics, security, etc.

NOTE: Entries are not grouped together in the .VMX file so check the whole file to ensure you see all relevant entries.
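An added example (not from the original post) of the correlation step above: it groups the interleaved ethernetN.* entries per vNIC and reports, for each present adapter, either the vSS portgroup name or the vDS ids you would look up in net-dvs. The .VMX text is constructed; the key names follow the ethernetN.* convention and the values are made up.

```python
import re
from collections import defaultdict
# Constructed .VMX excerpt (not from a real VM): ethernet0 on a standard
# vSwitch portgroup, ethernet1/ethernet2 on two different vDSs. Key names
# follow the ethernetN.* convention; values are made up and interleaved.
SAMPLE_VMX = '''
ethernet0.present = "TRUE"
ethernet1.present = "TRUE"
ethernet0.networkName = "VM Network"
ethernet1.networkName = ""
ethernet1.dvs.switchId = "11 22 33 44 55 66 77 88-99 aa bb cc dd ee ff 00"
ethernet1.dvs.portId = "134"
ethernet1.dvs.portgroupId = "dvportgroup-21"
ethernet1.dvs.connectionId = "1234567890"
ethernet2.present = "TRUE"
ethernet2.networkName = ""
ethernet2.dvs.switchId = "aa bb cc dd ee ff 00 11-22 33 44 55 66 77 88 99"
ethernet2.dvs.portId = "7"
ethernet2.dvs.portgroupId = "dvportgroup-35"
ethernet3.present = "FALSE"
'''

VMX_LINE = re.compile(r'^\s*(?P<key>[\w.]+)\s*=\s*"(?P<val>[^"]*)"\s*$')
NIC_KEY = re.compile(r'^ethernet(?P<idx>\d+)\.(?P<leaf>.+)$')

def parse_vmx(text):
    """Return {key: value} for every key = "value" line; anything else is ignored."""
    return {m.group('key'): m.group('val')
            for m in map(VMX_LINE.match, text.splitlines()) if m}

def vnic_entries(entries):
    """Group ethernetN.* keys by adapter index, wherever they sit in the file."""
    nics = defaultdict(dict)
    for key, val in entries.items():
        m = NIC_KEY.match(key)
        if m:
            nics[int(m.group('idx'))][m.group('leaf')] = val
    return dict(nics)

def classify_vnics(text):
    """Per present vNIC: the vSS portgroup name, or the vDS ids to match against net-dvs."""
    result = {}
    for idx, keys in sorted(vnic_entries(parse_vmx(text)).items()):
        if keys.get('present', 'FALSE').upper() != 'TRUE':
            continue   # ethernetN.present = "FALSE" means the adapter is not attached
        if keys.get('networkName', '') == '' and 'dvs.portId' in keys:
            result[idx] = {'type': 'vDS', **{k: keys.get('dvs.' + k) for k in
                           ('switchId', 'portId', 'portgroupId', 'connectionId')}}
        else:
            result[idx] = {'type': 'vSS', 'portgroup': keys.get('networkName')}
    return result
```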


Identify virtual switch entries in the ESX/ESXi host configuration file

The host configuration file (same file for both ESX and ESXi);

  • /etc/vmware/esx.conf

Like the .VMX file it contains entries for both switch types although there are only minimal entries for the vDS. Most vDS configuration is held in a separate database and can be viewed using net-dvs (see section 6.3.7).

Command line tools for network troubleshooting

The usual suspects;

  • vicfg-nics
  • vicfg-vmknic
  • vicfg-vswitch (-b) for CDP
  • vicfg-vswif
  • vicfg-route
  • cat /etc/resolv.conf, /etc/hosts
  • net-dvs
  • ping and vmkping


VCAP-DCA Study Notes – 2.4 Administer vNetwork Distributed Switches

April 1st, 2011 1 comment

Knowledge

  • Explain relationship between vDS and logical vSSes

Skills and Abilities

  • Understand the use of command line tools to configure appropriate vDS settings on an ESX/ESXi host
  • Determine use cases for and apply Port Binding settings
  • Configure Live Port Moving
  • Given a set of network requirements, identify the appropriate distributed switch technology to use
  • Use command line tools to troubleshoot and identify configuration items from an existing vDS

Tools & learning resources

Relationship between vSS and vDS

Both standard (vSS) and distributed (vDS) switches can exist at the same time – indeed there’s good reason to use this ‘hybrid’ mode.

You can view the switch configuration on a host (both vSS and vDS) using esxcfg-vswitch -l. It won’t show the ‘hidden’ switches used under the hood by the vDS, although you can read more about those in this useful article at RTFM or at Geeksilver’s blog.

Command line configuration of a vDS

The command line is pretty limited when it comes to vDS. Useful commands;

  • esxcfg-vswitch
    • esxcfg-vswitch -P vmnic0 -V 101 <dvSwitch> (link a physical NIC to a vDS)
    • esxcfg-vswitch -Q vmnic0 -V 101 <dvSwitch> (unlink a physical NIC from a vDS)
  • esxcfg-vswif -l | -d (list or delete a service console)
  • esxcfg-nics
  • net-dvs

NOTE: net-dvs can be used for diagnostics although it’s an unsupported command. It’s located in /usr/lib/vmware/bin. Use of this command is covered in section 6.4 Troubleshooting Network connectivity.

NOTE: esxcfg-vswitch can ONLY be used to link and unlink physical adaptors from a vDS. Use this to fix faulty network configurations. If necessary create a vSS switch and move your physical uplinks across to get your host back on the network. See VMwareKB1008127 or this blogpost for details.

Identify configuration items from an existing vDS

You can use esxcfg-vswitch -l to show the dvPort assigned to a given pNIC and dvPortGroup.

See the Troubleshooting Network connectivity section for more details.


VCAP-DCA Study Notes – 2.3 Deploy and Maintain Scalable virtual networks

April 1st, 2011 1 comment

Knowledge

  • Identify VMware NIC Teaming policies
  • Identify common network protocols

Skills and Abilities

  • Understand the NIC Teaming failover types and related physical network settings
  • Determine and apply Failover settings
  • Configure explicit failover to conform with VMware best practices
  • Configure port groups to properly isolate network traffic

Tools & learning resources

Identify, understand, and configure NIC teaming

The five available policies are;

  • Route based on virtual port ID (default)
  • Route based on IP Hash (MUST be used with static Etherchannel – no LACP). No beacon probing.
  • Route based on source MAC address
  • Route based on physical NIC load (vSphere 4.1 only)
  • Explicit failover

NOTE: These only affect outbound traffic. Inbound load balancing is controlled by the physical switch.


VCAP-DCA Study Notes – 2.2 Configure and Maintain VLANs and PVLANs

March 31st, 2011 No comments

This is one of the smaller objectives, plus only the PVLAN concepts and practices are new – VLAN support remains relatively unchanged from VI3 (although the vDS and its associated VLAN support is new).

Knowledge

  • Identify types of VLANs and PVLANs

Skills and Abilities

  • Determine use cases for and configure VLAN Trunking
  • Determine use cases for and configure PVLANs
  • Use command line tools to troubleshoot and identify VLAN configurations

Tools & learning resources

Types of VLAN

VLANs are a network standard (802.1q) which are fully supported in vSphere. They can be used to minimise broadcast traffic and as a security measure to segregate traffic (although like any technology there are weaknesses). Typical uses for VLANs with vSphere are to isolate infrastructure (vMotion, iSCSI and NFS) traffic and VM traffic.

There are three main ways of using VLANs with vSphere (covered in this VMware whitepaper);

  • Virtual guest tagging (VGT) – requires VLAN driver support in the guest OS
  • Virtual Switch tagging (VST) – common option, requires VLAN trunking on external switches
  • External switch tagging (EST) – less flexible and requires more physical NICs

In the Cisco world you set a port to be an ‘access port’ or a ‘trunk port’ if it’s going to carry multiple VLANs. VLAN IDs are 16 bit values giving a range of 0-4095. 4095 is used within vSphere to mean ‘all VLANs’ and is how you configure a portgroup when using VGT.

Configuring VLANs and VLAN trunking

For standard vSwitches you configure VLAN tags on portgroups. This configuration is done at the ESX host using the VI client (Configuration -> Networking);

  • Use VLAN 0 when no VLAN tags are present (EST)
  • Use VLAN 4095 to pass all VLANs (VGT)
  • Use a specific VLAN ID depending on the isolation required (VST)
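An added example (not from the original post) that reads the PortGroup table of esxcfg-vswitch -l, maps each portgroup’s VLAN ID to EST/VST/VGT as described above, and lists VLANs shared by more than one portgroup, which is the quick check for whether infrastructure and VM traffic are actually isolated. The command output below is constructed, not captured from a host.

```python
import re

# Constructed esxcfg-vswitch -l output for one standard vSwitch (not captured
# from a real host); the layout follows the command's usual table format.
SAMPLE_OUTPUT = '''
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         128         7           128               1500    vmnic0,vmnic1

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  VM Network            0        1           vmnic0,vmnic1
  Management Network    0        1           vmnic0,vmnic1
  vMotion               101      1           vmnic1,vmnic0
  iSCSI                 102      1           vmnic0
  Sniffer               4095     1           vmnic0,vmnic1
'''

PG_ROW = re.compile(r'^\s+(?P<name>.+?)\s+(?P<vlan>\d+)\s+(?P<used>\d+)\s+(?P<uplinks>\S+)\s*$')

def parse_portgroups(output):
    """Return {portgroup name: VLAN ID} from the PortGroup table(s) of esxcfg-vswitch -l."""
    pgs, in_table = {}, False
    for line in output.splitlines():
        if 'PortGroup Name' in line:
            in_table = True          # header row: portgroup rows follow
            continue
        m = PG_ROW.match(line) if in_table else None
        if m:
            pgs[m.group('name')] = int(m.group('vlan'))
        elif in_table and not line.strip():
            in_table = False         # blank line ends this switch's table
    return pgs

def tagging_mode(vlan_id):
    """Map a portgroup VLAN ID to the tagging model it implies."""
    if vlan_id == 0:
        return 'EST'   # untagged: the physical switch port does the tagging
    if vlan_id == 4095:
        return 'VGT'   # all VLANs passed through; the guest OS tags frames
    if 1 <= vlan_id <= 4094:
        return 'VST'   # the vSwitch tags frames with this specific VLAN
    raise ValueError(f'VLAN ID out of range: {vlan_id}')

def shared_vlans(pgs):
    """VLANs carried by more than one portgroup: traffic on them is not isolated from each other."""
    by_vlan = {}
    for name, vlan in pgs.items():
        by_vlan.setdefault(vlan, []).append(name)
    return {v: names for v, names in by_vlan.items() if len(names) > 1}
```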


VCAP-DCA Study notes – 2.1 Implement and Manage Complex Virtual Networks

March 31st, 2011 No comments

The VCAP-DCA lab is still v4.0 (rather than v4.1) which means features such as NIOC and load based teaming (LBT) aren’t covered. Even though the Nexus 1000V isn’t on the Network objectives blueprint (just the vDS) it’s worth knowing what extra features it offers as some goals might require you to know when to use the Nexus1000V or just the vDS.

Knowledge

  • Identify common virtual switch configurations

Skills and Abilities

  • Determine use cases for and apply IPv6
  • Configure NetQueue
  • Configure SNMP
  • Determine use cases for and apply VMware DirectPath I/O
  • Migrate a vSS network to a Hybrid or Full vDS solution
  • Configure vSS and vDS settings using command line tools
  • Analyze command line output to identify vSS and vDS configuration details

Tools & learning resources

Network basics (VCP revision)

Standard switches support the following features (see section 2.3 for more details);

  • NIC teaming
    • Based on source VM ID (default)
    • Based on IP Hash (used with Etherchannel)
    • Based on source MAC hash
    • Explicit failover order
  • VLANs (EST, VST, VGT)

vDS Revision

The vDistributed switch separates the control plane and the data plane to enable centralised administration as well as extra functionality compared to standard vSwitches. A good summary can be found at GeekSilver’s blog. Benefits;

  • Offers both inbound and outbound traffic shaping (standard switches only offer outbound)
    • Traffic shaping can be applied at both dvPortGroup and dvUplink PortGroup level
    • For dvUplink PortGroups ingress is traffic from external network coming into vDS, egress is traffic from vDS to external network
    • For dvPortGroups ingress is traffic from VM coming into vDS, egress is traffic from vDS to VMs
    • Configured via three policies – average bandwidth, burst rate, and peak bandwidth
  • Ability to build a third party vDS on top (Cisco Nexus 1000v)
  • Traffic statistics are available (unlike standard vSwitches)


NOTES:

  • CDP and MTU are set per vDS (as they are with standard vSwitches).
  • PVLANs are defined at switch level and applied at dvPortGroup level.
  • There is one DVUplink Portgroup per vDS
  • NIC teaming is configured at the dvPortGroup level but can be overridden at the dvPort level (by default this is disabled but it can be allowed). This applies to both dvUplink Portgroups and standard dvPortGroups although on an uplink you CANNOT override the NIC teaming or Security policies.
  • Policy inheritance (lower level takes precedence but override is disabled by default)
    • dvPortGroup -> dvPort
    • dvUplink PortGroup -> dvUplinkPort

NOTE: Don’t create a vDS with special characters in the name (I used ‘Lab & Management’) as it breaks host profiles – see VMwareKB1034327.


VCAP-DCA Study notes 7.1 – Secure ESX/ESXi hosts

March 2nd, 2011 No comments

Security is a large topic and one you could spend a lifetime mastering. The blueprint isn’t too helpful in clarifying what level of detail you’re expected to know for this as the ESX/ESXi configuration guides cover issues not in the ‘skills and abilities’ section. More in depth still is the vSphere Hardening Guide. I guess the main thing is to focus on practical issues as the VCAP-DCA is a practical exam – knowing that the VMkernel uses memory hardening is no use in an exam if it can’t be configured or tweaked! Some of this section seems to have been added for the sake of it – how often will an admin need to modify the SSL timeouts? I could only find one KB article about it!

Knowledge

  • Identify configuration files related to network security
  • Identify virtual switch security characteristics

Skills and Abilities

  • Add/Edit/Remove users/groups on an ESX Host
  • Customize SSH settings for increased security
  • Enable/Disable certificate checking
  • Generate ESX Host certificates
  • Enable ESXi lockdown mode
  • Replace default certificate with CA‐signed certificate
  • Configure SSL timeouts
  • Secure ESX Web Proxy
  • Enable strong passwords and configure password policies
  • Identify methods for hardening virtual machines
  • Analyze logs for security‐related messages

Virtual switch security characteristics

vSwitch security (layer2) settings (can be overridden at portgroup level);

  • Promiscuous mode – needed for packet sniffing, vShield Zones (and virtual ESX hosts). Disabled by default.
  • MAC address changes – affects inbound traffic. May need to be enabled if you’re using MS load balancing in Unicast mode, or the iSCSI software initiator with certain storage arrays. Enabled by default.
  • Forged transmits – affects outbound traffic. Enabled by default.

Other network security measures (IPSec, VLANs, PVLANs etc) are dealt with in section 2, Networking.
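An added example (not from the original post) of the inheritance rule above, i.e. a portgroup override replacing the vSwitch-level value: it resolves the effective promiscuous mode, MAC address change and forged transmit settings per portgroup from an esx.conf-style excerpt and lists every setting left at accept/enabled. The excerpt is constructed, and while its path = "value" layout follows /etc/vmware/esx.conf, the key names used here are an assumption rather than copied from a real host.

```python
import re
# Constructed esx.conf-style excerpt (path = "value" layout as in /etc/vmware/esx.conf);
# the key names are an assumption for this example, not copied from a real host.
SAMPLE_ESX_CONF = '''
/net/vswitch/child[0000]/name = "vSwitch0"
/net/vswitch/child[0000]/securityPolicy/allowPromiscuous = "false"
/net/vswitch/child[0000]/securityPolicy/macChange = "true"
/net/vswitch/child[0000]/securityPolicy/forgedXmit = "true"
/net/vswitch/child[0000]/portgroup/child[0000]/name = "VM Network"
/net/vswitch/child[0000]/portgroup/child[0001]/name = "Sniffer"
/net/vswitch/child[0000]/portgroup/child[0001]/securityPolicy/allowPromiscuous = "true"
/net/vswitch/child[0000]/portgroup/child[0002]/name = "Hardened"
/net/vswitch/child[0000]/portgroup/child[0002]/securityPolicy/macChange = "false"
/net/vswitch/child[0000]/portgroup/child[0002]/securityPolicy/forgedXmit = "false"
'''
# Out-of-the-box values of the three layer-2 settings on a standard vSwitch.
DEFAULTS = {'allowPromiscuous': False, 'macChange': True, 'forgedXmit': True}
LINE = re.compile(r'^(?P<path>\S+)\s*=\s*"(?P<val>[^"]*)"\s*$')
PG = re.compile(r'^(?P<sw>/net/vswitch/child\[\d+\])/portgroup/child\[\d+\]/(?P<leaf>.+)$')
SW = re.compile(r'^(?P<sw>/net/vswitch/child\[\d+\])/(?P<leaf>.+)$')

def split_path(path):
    """Return (owner prefix, owning switch prefix, leaf); a switch owns itself."""
    m = PG.match(path)
    if m:
        return path[:m.start('leaf')], m.group('sw'), m.group('leaf')
    m = SW.match(path)
    return (m.group('sw'), m.group('sw'), m.group('leaf')) if m else None

def effective_policies(text):
    """Resolve each portgroup's policy: defaults, then the switch value, then the portgroup override."""
    names, policies, owner_switch = {}, {}, {}
    for m in map(LINE.match, text.splitlines()):
        parts = split_path(m.group('path')) if m else None
        if not parts:
            continue
        prefix, sw, leaf = parts
        owner_switch[prefix] = sw
        if leaf == 'name':
            names[prefix] = m.group('val')
        elif leaf.startswith('securityPolicy/'):
            policies.setdefault(prefix, {})[leaf.split('/', 1)[1]] = (m.group('val') == 'true')
    return {names[p]: {**DEFAULTS, **policies.get(sw, {}), **policies.get(p, {})}
            for p, sw in owner_switch.items() if p != sw}   # portgroups only

def findings(text):
    """Settings a hardening review would question: any of the three left at accept/enabled."""
    return [(pg, s) for pg, eff in sorted(effective_policies(text).items())
            for s, on in eff.items() if on]
```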

Host security

Customise SSH settings (ESX only)

  • Edit /etc/ssh/sshd_config and set ‘PermitRootLogin’ to YES (default is NO). See VMwareKB for a list of other settings you can adjust (including the available ciphers).
  • You can use PKI to authenticate using SSH without being prompted for a password. This is a standard Linux procedure – for step by step instructions see VMwareKB1002866.
  • By default only the SSH server is enabled. Use Configuration -> Security Profile to enable SSHClient, or use ‘esxcfg-firewall -e SSHClient’.
