vSphere vNetwork Distributed Switch vDS Configuration
One of the new features of vSphere is the vNetwork Distributed Switch (vDS). Basically vDS allows you to create, manage, and provision your virtual network across all of your vSphere hosts in vCenter. vDS is available under the Enterprise Plus license.
Here is how I set up my vDS. I basically used the 3 host configuration example in What’s New in VMware vSphere 4: Virtual Networking white paper as a guide.
First I created a new vNetwork Distributed Switch in Inventory->Networking.
I configured it for 8 dvUplink ports. Why 8? Well, I have 8 NICs in each of my hosts, and I would like to be able to use and manage all eight of them across one vDS.
I added each of my hosts to the vDS but did not add any physical adapters yet.
After the new vDS is created I created my port groups. One port group for the Service Console, one for vmotion, and one for each of my production VLANs.
When creating these port groups I just used the defaults except for changing the VLANs where needed.
Now that I have my vDS set up, time to migrate the host networks to the new switch. In Inventory->Hosts and Clusters select the host Configuration tab then Networking and the Distributed Virtual Switch button.
First I migrated the Virtual Machine networks to the new vDS. I took one NIC out of the port channel on the physical switch and added that physical NIC to the vDS. I did this for each of my hosts.
Then I used the Migrate Virtual Machine Networking wizard to move all of my VMs from the vSwitch port groups to the new vDS.
After this was done I added the rest of the physical NICs associated with my VM network to the vDS and recreated the port channel on the physical switch.
Now on to the vmkernel ports. I used the Manage Virtual Adapters wizard to migrate my VMotion VMKernel adapter to the new vDS.
I then did the same to my service console. Before I started making changes to the Service Console I put the host in maintenance mode. I created a new service console with a new IP address on the same subnet on my management port group and made sure I had connectivity (OK, I did not do this the first time, messed up and lost the Service Console connectivity to my host – had to go CLI to fix it, but that is a completely different multi-page post in itself – very thankful for the spare NIC I have in each host).
Since my vMotion vmkernel port and Service Console are now on the vDS I attached their physical NICs to the new vDS and then added them to the port channel on the physical switch.
The only issue I had was with the iSCSI vmkernel ports. I was not able to get them to work on the vDS so they are still configured on a vSwitch on each host.
Not sure why I could not get it to work, but I will tackle that another day.
After I verified everything works, I deleted the old Virtual Switches from each host.
Just a quick overview of how I set up my vDS. Hope you find it helpful.
TGIF!
HAVE A GREAT WEEKEND!!!
First Hampton Roads User IT Group Meeting
Last night was the first meeting of the Hampton Roads User IT Group meeting. It was held at Burton’s Grill in the Hilltop section of VA Beach. The local EMC sales folks put the meeting together.
Unfortunately the turnout was not that great; only a handful of folks showed up. Traffic was terrible and it took a little over an hour to make the 30 minute drive from Chesapeake to VA Beach, probably a reason for the low turnout.
Despite the small crowd it was still a great event. Tom Lennon from RSA Security did a presentation on some of their current and upcoming offerings. RSA’s log collection and analysis product – enVision – looks pretty interesting, definitely something to get a little more info on. I got to say a little bit about my experiences at EMC World (I am still working my blog post about it – so much good stuff, so little time). Chatted with a couple of other EMC customers and partners about technologies they are planning on or currently using – AVAMAR, VMware, Celerra, etc.
The appetizers were good, the drinks were cold, and Stephanie & Joe from EMC were great hosts.
A couple of folks from Varrow out of NC were there and it was pretty cool chatting with them. Check out their community blog at http://www.varrowblogs.com/ – some good info there.
The local EMC folks are planning to have User IT Group meetings once a quarter. I’ll be sure to post when the next one is, hope you can make it.
AVAMAR f_cache and p_cache Formulas
Formulas to help determine the correct size of your f_cache and p_cache for AVAMAR backups.
f_cache = N * 40MB
N = Millions of Files
So for 3 million files:
f_cache = 3 * 40MB
f_cache = 120MB
p_cache = DB Size in GB/Average Chunk * 20MB
Average Chunk Sizes:
Exchange DB: 16
Microsoft SQL DB: 24
For a 100GB Microsoft SQL DB:
p_cache = 100/24 * 20MB
p_cache = 83.3MB
VMware Resolution Paths
These are very handy when trying to troubleshoot VM/vCenter/ESX issues. Just identify the path for the issue and read the KBs.
http://blogs.vmware.com/kb/2009/05/resolution-paths-published.html
Many common tech support issues in VMware products can be solved using what we call Resolution Paths. Resolution Paths are collections of modular steps that can be used to solve tech support issues.
These can be very handy and can save you having to make that call into Tech Support. Click the links below. There’s one for each potential problem area.
http://blogs.vmware.com/kb/2009/05/resolution-paths-published.html
Virtualizing Cisco Unity on ESX
Just doing a little reading on the possibilities of running Cisco Call Manager (Unified Communications), Unity, and CRS (UCCX) in a virtual environment.
Cisco actually supports running Unity as a virtual machine guest in ESX. The Design Guide is here http://www.cisco.com/en/US/docs/voice_ip_comm/unity/virtualization_design/guide/cuvirtualdg010.html
Cisco does not support Vmotion, HA, or iSCSI attached storage for a virtualized Unity box. They also do not support a physical to virtual conversion of a Unity server. Hopefully Cisco will support Vmotion and HA at some point.
I also found some interesting information on running an older Call Manager version (4.x) as a VM – http://www.blindhog.net/cisco-install-call-manager-4x-with-vmware/
Here is some info I found on UCCX – http://tannerezell.com/cisco/?p=85
Handy Linux iptables script
Here is a script I put together some years ago to create a simple iptables firewall on my Linux webserver. Some of the code was borrowed from a Linux security book but I do not remember which one. Anyway it is a pretty handy script to give you some control and protection.
First create three files in /usr/local/etc:
ipblack.lst – this file contains a list of ip addresses you want to blacklist. One ip or subnet per line.
Example:
94.178.222.17
87.0.0.0/8
ipwhite.lst – this file contains a list of ip addresses that you allow unrestricted access (Be careful with this). One ip or subnet per line. Make sure you add localhost to this file.
Example:
localhost
10.10.1.1 #Home IP Address
ports.lst – this file contains a list of ports you allow.
Example:
22 #SSH
25 #SMTP
53 #DNS/Domain
80 #HTTPD
443 #HTTPS
Add this iptables.sh script to /usr/local/sbin
#!/bin/sh
#Iptables for webserver
IPTABLES=/sbin/iptables
WHITELIST=/usr/local/etc/ipwhite.lst
BLACKLIST=/usr/local/etc/ipblack.lst
PORTSLIST=/usr/local/etc/ports.lst

#----Flood Variables-----#
# Note: the TCPSYN* and PING* limits are set here but no rule below references them
# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"
# Overall Limit for Logging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"
# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"

#Clear any current filters
$IPTABLES -F
#Delete user-defined chains so the -N commands below do not fail when the script is rerun
$IPTABLES -X

#Process Whitelist
for x in `grep -v '^#' $WHITELIST | awk '{print $1}'`; do
echo "Permitting $x..."
$IPTABLES -A INPUT -t filter -s $x -j ACCEPT
done

#Process Blacklist
for x in `grep -v '^#' $BLACKLIST | awk '{print $1}'`; do
echo "Blocking $x..."
#$IPTABLES -A INPUT -t filter -s $x -j LOG
$IPTABLES -A INPUT -t filter -s $x -j DROP
done

#Allow Ports list
for port in `grep -v '^#' $PORTSLIST | awk '{print $1}'`; do
echo "Accepting port $port..."
$IPTABLES -A INPUT -t filter -p tcp --dport $port -j ACCEPT
done

#Drop new TCP connections (SYN) to any port not accepted above
$IPTABLES -A INPUT -t filter -p tcp --syn -j DROP

#ICMP TIMESTAMP REQUEST AND REPLY
$IPTABLES -A INPUT -p icmp --icmp-type timestamp-request -j DROP
$IPTABLES -A FORWARD -p icmp --icmp-type timestamp-request -j DROP

#Logging of possible TCP-SYN-Floods
#(the chain is created here; no rule in this listing jumps to it)
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LSYNFLOOD -j DROP

#INVALID SYN packets
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

#Logging of possible Ping-Floods
#(the chain is created here; no rule in this listing jumps to it)
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LPINGFLOOD -j DROP
Add /usr/local/sbin/iptables.sh to rc.local so that it runs when the machine starts up.
Anytime you make changes to the ipblack.lst, ipwhite.lst, or ports.lst files rerun the iptables.sh script to apply the rules.
The script also applies iptables rules to help protect against ping floods, SYN floods, and invalid SYN packets.
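As listed, the script sets TCPSYNLIMIT and PINGLIMIT and creates the LSYNFLOOD and LPINGFLOOD chains, but no INPUT rule jumps to them. One way to wire them in, as an added example that is not part of the original script: it creates the two logging chains itself, so it stands in for the script's LSYNFLOOD and LPINGFLOOD lines. The chain names SYNFLOOD and PINGFLOOD and the dry-run default for IPTABLES are assumptions.

```sh
#!/bin/sh
# Added example: rate-limit chains feeding the script's LSYNFLOOD/LPINGFLOOD
# logging chains. Dry run by default (each rule is printed, not applied);
# run as root with IPTABLES=/sbin/iptables to apply.
IPTABLES=${IPTABLES:-"echo iptables"}

# Limits copied from the script above
TCPSYNLIMIT="5/s";  TCPSYNLIMITBURST="10"
PINGLIMIT="5/s";    PINGLIMITBURST="10"
LOGLIMIT="2/s";     LOGLIMITBURST="10"

# make_log_chain NAME PREFIX: log at most LOGLIMIT entries, drop everything
make_log_chain() {
    $IPTABLES -N "$1"
    $IPTABLES -A "$1" -m limit --limit "$LOGLIMIT" \
        --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "$2"
    $IPTABLES -A "$1" -j DROP
}

# make_flood_chain NAME LIMIT BURST LOGCHAIN: packets within LIMIT return to
# INPUT for normal processing; the excess is handed to LOGCHAIN
make_flood_chain() {
    $IPTABLES -N "$1"
    $IPTABLES -A "$1" -m limit --limit "$2" --limit-burst "$3" -j RETURN
    $IPTABLES -A "$1" -j "$4"
}

flood_rules() {
    make_log_chain LSYNFLOOD  "fp=SYNFLOOD:1 a=DROP "
    make_log_chain LPINGFLOOD "fp=PINGFLOOD:1 a=DROP "
    # SYNFLOOD and PINGFLOOD are hypothetical chain names
    make_flood_chain SYNFLOOD  "$TCPSYNLIMIT" "$TCPSYNLIMITBURST" LSYNFLOOD
    make_flood_chain PINGFLOOD "$PINGLIMIT"   "$PINGLIMITBURST"   LPINGFLOOD
    # These two must precede the port ACCEPT rules: iptables stops at the
    # first matching ACCEPT or DROP
    $IPTABLES -A INPUT -p tcp --syn -j SYNFLOOD
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j PINGFLOOD
}

flood_rules
```

Placed after the blacklist loop, these rules leave whitelisted addresses unaffected, because the whitelist ACCEPT rules match first.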
Migrating to vSphere 4
Details on the migration from VI 3 to vSphere 4.
Check out the step-by-step vSphere migration videos.
A Few VMware/ESX/ESXi Tips, Tricks, and How to’s
Just a few quick useful VMware/ESX tips.
Installing VMware tools on an Ubuntu guest
ESX Server, NIC Teaming, and VLAN trunking
Speed up your Windows 2003 Server guests – Disable File Last Access Check
Hidden network adapters when importing to VMWare
Installing Windows XP on ESX with LSI Logic Driver
Moving hosts from one vCenter server to another.
Hope you find them as useful as I have.
Free VMware Visio Stencils from Veeam
Check out these great Visio stencils available for free from Veeam. Perfect for designing or documenting your virtual infrastructure.

Veeam Stencils is a free collection of VMware Visio stencils that can be used by ESX administrators, system integrators and datacenter managers to create their own diagrams in Microsoft Visio 2003 or higher.
Download them here http://www.veeam.com/vmware-esx-stencils.html
Looking for Knowledge Management System Suggestions
I am looking for a corporate knowledge management solution and would like to find out what others out there are using. Currently the IT department uses a simple dokuwiki to keep notes about different systems, procedures, policies, documentation, etc. Believe it or not the wiki works well for the department and you can quickly find most of the information you need about the systems we manage – but we really need to take it a step further.
The rest of the company basically just uses file shares with no formal organization, version control, or security (multiple versions of documents in multiple locations) and a staff website that is not organized, updated, or managed as well as it should be.
We are looking for a more formal company wide knowledge management solution that we can use to manage both internal knowledge for employees and external knowledge for our customers.
Here are our basic requirements:
- Easy to use, manage, and administer – IT does not want to have to be involved in the daily management of knowledge for other departments.
- Our staff and customers need to be able to search the knowledge base to get answers to questions.
- A security scheme so that internal staff has access to one set of docs and customers another.
- Version control or version history.
- Staff need to be able to submit documents (knowledge) for approval and inclusion into the knowledge base (work flow).
- Need to be able to track what knowledge our staff and customers are searching for.
- An article rating system would be a plus (Was this article helpful kind of rating).
We have seen demos from a few knowledge management solution providers: Novo Solutions, Talisma, and SilverCloud Systems.
Each of these offer a good solution but so far I am really impressed with the Novo Solutions solution. It met the requirements and I really like the way Novo Solutions integrates the KB with Help Desk/Support functions, the ability for each department to manage their own knowledge, an admin and reporting interface that is easy to use, and the price is within our budget.
I would like to hear about what some other people out there are using for their knowledge management, especially if you happen to be using a solution from one of the companies mentioned above. What do you use? How did the installation go? How much day to day administration/management is required? What do the end users (internal/external) think? Do you feel the system was worth the investment? What is one feature you wish the solution had? What is the most important thing we should consider when looking for a knowledge management solution?
Any input anyone can give would be very much appreciated. Thanks.