admin, Author at TBL Networks

Virtualization Deployment Automation with vSphere 5

Posted on August 22, 2011February 11, 2019 by admin

I recently spoke at a lunch and learn event about “Security in a Virtualized World”. If one thing was made abundantly clear during the discussion, it was the fact that securing a virtual infrastructure is more complicated than securing a physical infrastructure. There are many moving parts to consider along with the hypervisor itself. For many years, I have been discussing the need for automation with my clients. It makes the infrastructure much easier to manage and from a security standpoint it helps to ensure that build policies are consistent for all of the virtual hosts in the infrastructure.

There have always been tools to automate a vSphere infrastructure ranging from Perl scripts to PowerCLI. With the release of vSphere 5 automation is becoming more and more a reality. When you think about automating a VMware infrastructure, you may think about writing scripts to perform certain tasks or spending hours on the “perfect” ESX build that can be deployed through automation. Scripts are still available and in some cases necessary for automation. However, with vSphere 5 we are beginning to see an “automation-friendly” environment built into the management tools that are given to us from VMware.

ESXi: Built for Automation

One of the most important aspects of maintaining a consistent environment starts with the hypervisor deployment itself. ESXi is the official hypervisor that will be deployed in vSphere environments moving forward. It has come a long way since Virtual Infrastructure 3. vSphere 4.1 saw the release of official LDAP authentication integration. This means that you can authenticate to your ESXi hosts using Active Directory. The vSphere CLI and vMA have many more commands available now. Also, PowerCLI is more feature rich with more cmdlets than ever before. Probably the most significant aspect of ESXi that makes it built for automation is its footprint on disk. Since ESXi only takes up a few hundred Megabytes on disk, it is easy to deploy from the network. While that would make it possible to install a common ESXi image across the infrastructure, vSphere 5 takes this one step further.

vSphere 5 Auto Deploy

Auto Deploy is a new deployment method in vSphere 5. This deployment method allows you to PXE-boot the ESXi hosts from the network, load a common image, and apply configuration settings after the image is loaded via vCenter Host Profiles. The idea is to maintain a consistent deployment throughout the infrastructure by eliminating human error. With this method, ESXi has literally zero disk footprint as the image is loaded into the memory of the host. The hosts become truly stateless and are decoupled from any underlying storage dependency. In other words, the host images are disposable. The hypervisor becomes just another part of the infrastructure, disappearing into the background like it should. After all, the virtual machines themselves run the applications. They are the real stars of the show. The system administrators should not have to think about maintaining the hypervisor itself. Let the infrastructure work for you instead of you working for the infrastructure.

Consistency is the key to any stable, secure infrastructure. An infrastructure component as important as the hypervisor should have a consistent, repeatable deployment that introduces as little human intervention as possible. vSphere 5 Auto Deploy makes this possible. You still have to do the work up front to ensure the hypervisor image is built properly. After that, you can let the hypervisor fade into the background and do what it does best. It can provide the best platform for running the applications that run your business.

vSphere 5 Profile-Driven Storage: Get VM Placement Right the First Time

Posted on August 8, 2011February 11, 2019 by admin

We all get in a hurry. When we get in a hurry we make mistakes. The following scenario has been played out plenty of times in a virtual infrastructure.

VM Administrator gets a request for a new VM to be deployed ASAP, which usually means yesterday.
VM Administrator looks through multiple datastores to determine a datastore with a sufficient amount of capacity.
VM Administrator picks the datastore and deploys the VM.

What if this particular VM was a database server and the log volume needed to be provisioned on a RAID1/10 datastore. Hopefully the datastores are named with the RAID level in the naming convention. But, what if they are not? Even if they are, it can be very tedious to wade through multiple datastores to find an appropriate datastore that meets both capacity and performance requirements. What if there was a way to “tag” certain datastores with characteristics that are meaningful to the VM administrator? That’s where the new “Profile-Driven Storage” feature comes in with vSphere 5.

Profile-Driven Storage allows user-defined “tags” and automated storage property discovery through the vStorage API’s for Array Awareness (VASA). Let’s take a look at the user-defined “tags” first.

User-Defined Storage Profiles

Very simply, the user-defined “tags” allow one to “tag” a datastore with meaningful text. In the example above, we could define an appropriate datastore as “RAID 1” in the datastore’s storage profile. Then, when the VM administrator provisions the VM, he or she simply selects the “RAID 1” storage profile as being applicable to the VM that is being provisioned. This ensures that the VM will be placed on an appropriate datastore because only those datastores that fit the “RAID 1” storage profile will be available as choices during the provisioning process. If more than one virtual hard drive will be in the VM then multiple storage profiles can be used. For example, you could use a “RAID 1” profile for one virtual disk and a “RAID 5” profile for another virtual disk.” The storage profiles ensure compliance and make it easier for the VM administrator to provision a new VM without human error.

VASA Storage Profiles

Arrays that can take advantage of VASA can provide storage characteristics for the VM administrator. Examples might be RAID Level, Deduplication, Replication, etc. One of these characteristics can be assigned by the system to the storage profile. This further eliminates human error and helps to ensure compliance during and after provisioning.

As you can see, Profile-Driven Storage ensures that VM’s get provisioned correctly the first time. No need to Storage vMotion the virtual machines around after the fact unless their storage requirements need to change. The above is a very simple example of what can be done with Profile-Driven Storage in vSphere 5. Profile-Driven Storage is flexible enough to fit many different use cases. It’s up to you VM admins out there to fit it to your particular use case.

vSphere 5 High Availability: Bring on the Blades

Posted on July 25, 2011February 11, 2019 by admin

vSphere 5 has many new and exciting features. This post will concentrate on High Availability(HA) and how it affects blade designs. While HA is certainly not new, it has been rewritten from the ground up to be more scalable and flexible than ever. The old HA software was based on Automated Availability Manager (AAM) licensed from Legato. This is why HA had its own set of binaries and log files.

One of the problems with this “now legacy” software was the method it used to track the availability of host resources. HA prior to vSphere 5 used the concept of primary nodes. There were a maximum of (5) primary nodes per HA cluster. These nodes were chosen by an election process at boot time. The (5) primary nodes kept track of the cluster state so that when an HA failover occurred, the virtual machines could restart on an available host in the cluster. Without the primary nodes, there was no visibility into the cluster state. So, if all (5) primary nodes failed, HA could not function.

This was not usually an issue in rackmount infrastructures. However, it posed some challenges in a blade infrastructure where a chassis failure can cause multiple blades to fail. Blade environments should typically have at least two chassis for failover reasons. If there was only a single chassis providing resources for an HA cluster, that single chassis failure could cause an entire cluster outage. You’ll seen in the diagram below that just because multiple chassis are used does not mean that the entire HA cluster is protected.

In this case, two chassis are used and populated with blades. However, the HA primary nodes all ended up on the same chassis. If that chassis were to fail, then HA will not function and the virtual machines will not restart on the remaining hosts in the other chassis. The way to design around this scenario prior to vSphere 5 is depicted in the below diagram.

No more than (4) blades should be part of the same HA cluster within a chassis. This does not mean that the entire chassis cannot be populated. The remaining slots in the chassis could be used for a second HA cluster. This scenario hinders single cluster scalability from a hardware perspective.

vSphere 5 HA

Some significant changes were made in vSphere 5 HA that address this challenge. HA was completely rewritten as Fault Domain Manager (FDM). The new HA software is baked into ESXi and does not rely at all on the AAM binaries. The idea of primary nodes has been abandoned. In its place is the concept of a single “Master” node and many (as many as are in the cluster) “Slave” nodes. All the nodes in an FDM based HA cluster can keep track of the cluster state. The “Master” node controls the distribution of cluster state information to the “Slave” nodes. However, any node in the cluster can initiate the HA failover process. The new HA failover process also includes electing a new “Master” node in the event that it is the node that fails. As you can see from the diagram below, a chassis failure can no longer take out an entire HA cluster that is stretched across multiple chassis.

The new FDM HA in vSphere 5 is much more resilient and allows the scaling of large single clusters in a blade environment. While blade architectures were certainly viable before, now those architectures can be utilized even more fully without compromises when it comes to HA.

A Structured Virtual Infrastructure Approach Part IV: Shared Storage Options

Posted on July 11, 2011February 11, 2019 by admin

The storage platform in a virtual infrastructure serves as most important foundation piece of the infrastructure. There are certainly many options to choose from. Those storage options generally fall into two main categories. Block storage and File System storage. Let’s take a look at these two categories.

Block Storage

This method of providing shared storage to a VMware cluster has been supported the longest. At its core, block storage presents a set of physical disks as a logical disk to a host (ESX server in this case). This is a very well understood method of providing storage for the virtual infrastructure. There are a couple of protocols that we can use to provide this type of storage: Fibre Channel and iSCSI.

Fibre Channel

Fibre Channel uses a dedicated Fibre Channel fabric to provide connectivity for the storage.
Fibre Channel was built from the ground up as a storage protocol.
Fibre Channel is the most mature protocol for block storage presentation.

iSCSI

iSCSI can use the same network fabric as your LAN servers. However, it is best to use a separate Ethernet fabric.
iSCSI is an IP based storage protocol that utilizes the existing TCP/IP stack.
iSCSI is a relatively new protocol for block storage.

The protocol chosen to support the Block Storage infrastructure will depend on a number of factors that go beyond the scope of this post. I will say that if you are building a greenfield environment with the Cisco UCS, it is already utilizing Fibre Channel over Ethernet. So, choosing a Fibre Channel fabric is a good way to go.

File System Storage

This method of providing shared storage to a VMware cluster utilizes the Network File System (NFS) protocol. This method doesn’t provide a logical disk to the host server. The host server is simply connecting to a network share or mount point using the IP network. This certainly offers some advantages in reducing management complexity. This comes at the cost of file system overhead versus providing a block disk to the host.

Which to Choose?

There are block-only storage devices and there are file system-only storage devices. So, which one should you choose?

It was a trick question. You shouldn’t have to choose. There are unified storage arrays (like the EMC VNX series) that offer Fibre Channel, iSCSI, NFS and CIFS from the same array. This is definitely a good way to go for needs today and future scalability tomorrow. We discussed the methods for providing VMware specific storage. I want to focus on one more protocol option in this post. Common Internet File System (CIFS) is the protocol that is used for Windows File Serving. Most of the clients I deal with have Windows File Servers with large hard drives. This can introduce some challenges when virtualizing those servers.

A single VMFS datastore can only be 2TB minus 512 bytes. This means a single file system needs to fit within those parameters.
Also, large VMDK files are more difficult to manage.
Why virtualize the file server at all?

I typically recommend that the files from the file servers be consolidated onto the unified storage array. This offers several advantages:

The file system can expand without restrictions placed on it by Windows.
There are fewer Windows Servers to patch and maintain if the files are consolidated onto the array.
No need to take resources on the VMware infrastructure if the files are consolidated onto the array.

If the infrastructure typically uses Linux file servers, NFS can be used for the same purpose.

Block-only or File System-only storage arrays hinder flexibility in the infrastructure. Shouldn’t the storage platform be as flexible as the virtual infrastructure can be?

A Structured Virtual Infrastructure Approach Part III: Compute Platform Software

Posted on June 27, 2011February 11, 2019 by admin

In Part II of the Structured Virtual Infrastructure Approach Series, we explored the Cisco Unified Computing System (UCS) hardware. This post will explore the UCS management software. Up to 20 chassis can be managed with a single instance of the UCS Manager. The UCS Manager is included with the 6100 series fabric interconnects. All of the blades in the infrastructure can be managed through this single interface. Below, we’ll discuss some of the features that make this interface unique among compute platform management interfaces.

Complete Compute Infrastructure Management

All the chassis / blades (up to 20 chassis worth) are managed in this single interface.
The management is not “per chassis” like legacy blade systems.
Consolidated management means efficient management for the entire compute platform.

Service Profiles

All of the items that make a single server (blade) unique are abstracted with a service profile.
This may include WWN, MAC, Bios Settings, Boot Order, Firmware Revisions, etc.
WWN’s and MAC’s are pulled from a pool that can be defined.
Even the KVM management IP’s are pulled from a pool so the administrator does not have to manage those IP’s at all.
You can create a Service Profile template with all of these characteristics and create Service Profiles from the template.
When you need to deploy a new blade all of the unique adjustments are already completed from the Service Profile template.
With the M81KR Virtual Interface Card (VIC) the number of interfaces assigned to a blade can be defined in the Service Profile template.
Even though the a single mezzanine card in a blade will only have (2) 10Gb ports, the M81KR VIC allows you to define up to 56 FC/Ethernet ports. This allows for more familiar vSphere Networking setups like the one below:

The diagram above is a setup that can be used with the Cisco Nexus 1000v. It would be impossible to do this setup on the UCS B-Series without the M81KR VIC. We’ll explore why a networking setup like this may be necessary when we get to the vSphere specific posts in this series.

Role Based Access Control

Even though the components are converging (storage, compute, networking) the different teams responsible for those components can still maintain access control for their particular area of responsibility.
The UCS manager has permissions that can be applied in such a way that each team only has access to the administrative tab(s) that they are responsible for.
Network team –> Network Tab, Server Team –> Server Tab, Storage Team –> Storage Tab.
The UCS manager also supports several different authentication methods, including local and LDAP based authentication.

What vSphere does for the Operating System instances, the UCS does for the blade hardware. It abstracts the unique configuration items into a higher software layer so that they can be easier managed from a single location. The next post in this series will take a look at some storage platform hardware. It’s not just about carving out disks for the virtual infrastructure any longer. We’ll take a look at some options that integrate well with a modern vSphere infrastructure.

A Structured Virtual Infrastructure Part II: Compute Platform Hardware

Posted on June 13, 2011February 11, 2019 by admin

In Part I of this series, I discussed some design options for a virtual infrastructure (Traditional Rackmount, Converged Rackmount, and Converged Blade). Using the Converged Blade option as the model going forward, we’ll explore the individual components of this solution in more detail. This post will explore the Compute Platform (UCS B-Series) in more detail.

Let’s start with the “brains” of the UCS B-Series, the 6100 series fabric interconnects.

6100 Series Fabric Interconnects:

Interconnect / Module Options:

6120XP – (20) 10gbE and FCoE capable SFP+ port Fabric Interconnect with a single expansion module slot
6140XP – (40) 10gbE and FCoE capable SFP+ port Fabric Interconnect with two expansion module slots

Expansion Module Options:

10Gbps SFP+ – (6) ports
10Gbps SFP+ – (4) ports, 1/2/4 Gbps Native Fibre Channel SFP+ – (4) ports
1/2/4 Gbps Native Fibre Channel SFP+ – (8) ports
2/4/8 Gbps Native Fibre Channel SFP+ – (6) ports

Below is a diagram of the UCS 6120XP labeled with the different ports:

A redundant UCS system consists of two 6100 series devices. They are connected via the cluster ports to act in unison. If a port or the whole 6100 series were to fail, the other would take over.

The 6100 series fabric interconnects provide 10Gb connectivity to the UCS 5108 via a module called the 2104XP fabric extender. A single pair of 6100 series fabric interconnects can manage up to twenty chassis depending on your bandwidth needs per chassis.

5108 Chassis (8 blade slots per chassis):

As you can see from the diagram you have two 2104XP Fabric Extenders per chassis. Each of the 2104XP’s have four 10Gb ports for a total of up to 80Gbps of throughput for the chassis. So, there is plenty of bandwidth and the added benefit of fewer cables and consequently, easier cable management. The only cables that will ever be needed for the back of the 5108 chassis are up to eight cables for connectivity and up to 4 cables for power.

Since the bandwidth needed for the external network is calculated at the Fabric Interconnect level, all that is needed at that point is to calculate the computing needs for the workload (CPU and RAM). This is where the blades themselves come in.

Blade Options:

Full-Width Blades (B250 M1, B440 M1) take up two chassis slots each
Half-Width Blades (B200 M2, B230 M1) take up one chassis slot each
You can have a combination of blades in the same chassis up to eight chassis slots
The blade processor configurations range.
The B2xx blades have either 4, 6, or 8 core processors in a dual socket configuration
The B440 M1 can hold up to (4) sockets of the Intel 7500 series 8 core processors
The B250 M1 holds up to 384GB of RAM in a full-width form factor
The B200 M2 holds up to 96GB of RAM in a half-width form factor
The B230 M1 holds up to 256GB of RAM in a half-width form factor
The full-width servers can hold up to (2) mezzanine cards for connectivity. Each card has (2) 10Gb ports for connectivity. That’s 20Gbps per card.

M81KR Virtual Interface Card:

The M81KR Virtual Interface Card deserves a special mention. This mezzanine card is capable of dividing the (2) 10Gbps ports into a combination of up to 56 virtual Ethernet and Fibre channel ports. This way you can manage port isolation and QoS for your blades like you may be used to in a traditional rackmount virtual infrastructure. As these posts continue, we will explore why this functionality may be needed for the virtual infrastructure when using the Converged Blade Infrastructure Model.

This post explored some of the Compute Platform Hardware components. The next post in this series will explore some of the software components and management that make the UCS compute platform ideal for a structured virtual infrastructure that can scale incrementally and be managed easily.

A Structured Virtual Infrastructure Part I: Physical Infrastructure

Posted on May 26, 2011February 11, 2019 by admin

Server virtualization is infectious. It is a technology that tends to take off in record pace in IT organizations that have adopted it as part of their infrastructure. It has been my experience that organizations fall into one of two broad categories when it comes to their virtualization initiatives. They either look at server virtualization as a “Strategic Initiative” or they use server virtualization as a “Tactical Tool.” Let’s explore these categories and then I’ll discuss some infrastructure options for a structured virtual infrastructure.

Server Virtualization as a “Tactical Tool”

I have seen this in many organizations. The IT group needed to test a new application or needed to spin up a new server quickly. What’s the quickest way to spin up a new server? Server virtualization, of course. So, here is how I see many infrastructures get started:

IT department downloads the free vSphere Hypervisor
IT department proceeds to click next until the hypervisor is installed
IT department spins up a few virtual machines on the hypervisor
“Life is good. That was easy wasn’t it?”
“It’s so easy and cool that more demand creeps up for further virtual machines
Pretty soon the IT department wants to host production workloads on the hypervisor
“But wait? What about failover, live migration, etc. Don’t I need a SAN for that?”
How “much” storage do I need?
IT department calculates how much space they are using on their servers, or worse yet, how much disk space in total is available on all of their servers combined
“Wow! I need a lot of space to host all of those servers”
IT department buys large slow “shared disks” of some variety to satisfy the SAN requirement
IT department sets up vCenter on a spare server
IT department clicks next until a few hypervisors are installed and added to the new cluster complete with “shared storage”
Now there is some equipment and software in place to host virtual machines
IT department spins up new virtual machines until they are suddenly out of capacity or things are “just slow and error prone”
Virtualization stalls because there is no more capacity and there is a lack of trust in the virtual infrastructure as it stands
IT department starts purchasing physical servers again for “critical” applications
“Now DR must be provided for those “critical” applications. How can we protect them?”
“The easiest thing to do would be to leverage virtualization, but we’re out of capacity and the platform has been problematic”
“What do we need to do to leverage virtualization on a larger scale in our infrastructure?”

It’s a vicious cycle and it is why I continue to see companies only 20-40% virtualized. It is great that server virtualization technology has been embraced. However, without proper planning and a structured approach to building and maintaining the virtual infrastructure, many organizations will continue to be only 20-40% virtualized. They are leaving the many benefits of server virtualization and even money on the table if they stall.

So, this series of posts will explore the alternative of server virtualization as a “Strategic Initiative”. This is the approach that I take with my clients at TBL to either build a structured virtual infrastructure from the ground up or remediate a “tactical tool” virtual infrastructure to the point that it becomes an effective platform to host the organizations infrastructure moving forward.

Physical Infrastructure Choices

There are many options when it comes to virtual infrastructure hardware. Before any hardware choices are made, a capacity planning engagement should occur. Notice that capacity planning was not mentioned at all in the “Server Virtualization as a Tactical Tool” scenario. Look at this infrastructure as if it is going to host all of your physical servers even if you will not start there. How else does one determine if the infrastructure purchased for a new virtual infrastructure is sufficient if capacity planning is not performed? I can’t count the number of times that I have heard the equivalent of the below phrase:

“These host servers and storage should do since my physical servers don’t really do much.”

How do you know that your host servers don’t do much unless you have performed capacity planning? Is it a gut feeling? I have seen many gut feelings cause server virtualization stall. We need to examine the four “core” resources (CPU, RAM, DISK, and NETWORK) to determine not only our capacity but the level of performance needed. After a proper capacity planning engagement we can determine the “feeds and speeds” of our hardware. However, the hardware choice becomes about more than just raw specs in a structured virtual infrastructure. Let’s examine some options.

Traditional Rackmount Server Infrastructure

This is the standard virtual infrastructure that has been around for a while. With this approach, you take rackmount servers as hosts and provide shared storage via iSCSI, NFS, or Fibre Channel. A diagram of this approach can be seen below.

This infrastructure is well understood. However, the scalability is somewhat limited. Typically, a virtual infrastructure host will have eight to ten cables attached to it in a 1Gbe environment. This is due to the way that traffic should be separated in a virtual infrastructure. This is fine for a few hosts. As the infrastructure is scaled, the number of cables and ports required becomes problematic. I have seen environments where shortcuts were taken to provide enough ports by combining virtual infrastructure traffic types even though they should be separated. As more hosts are needed a better solution to scaling the infrastructure needs to be in place.

Converged Rackmount Server Infrastructure

This infrastructure consolidates the traditional 1GbE infrastructure into a 10GbE infrastructure by connecting to an FCoE or straight 10GbE switch. This allows more bandwidth and cuts down on the port count required as the infrastructure scales.

As this infrastructure is scaled, the number of cables and ports required is much more manageable. It must be noted that the cable infrastructure still scales linearly with the hosts. Port count can still be an issue in larger environments. Also, we really haven’t added anything new on the server management front in this design choice. Again, for smaller, relatively static environments this can work nicely. If the infrastructure needs to be able to scale quickly and efficiently, there are better options.

Converged Blade Infrastructure

Large scale ease of management, efficient scaling, and massive compute capacity can be achieved without the inherent cable / port count problems with a converged blade infrastructure. In the example below, a Cisco UCS B-Series converged blade infrastructure to achieve these benefits.

Let’s look at the components of this infrastructure model.

The UCS 6100 series would be similar to the FCoE switches in the Converged Rackmount Infrastructure. I say similar because it is ideal to still have upstream SAN and LAN switches. In this scenario the 6100 pair act like a host (or multiple hosts) attached to the Fibre Channel Fabric. They accomplish this with an upstream switch that is NPIV capable.
The blade chassis provide the backplane connectivity for your compute resources or blades. Each chassis can have up to (8) 10Gb FCoE ports for connectivity. The blades share that connectivity to the upstream 6100’s.
The 6100’s then take that FCoE traffic and split it into Fibre Channel to connect to the upstream SAN Fabric and Ethernet to connect to the upstream LAN Fabric.
Instead of calculating bandwidth / port counts at the server level as you would in a traditional rack mount scenario, you calculate bandwidth needs at the 6100 level.
Less cabling, more scalability, easier management, smaller footprint.

With the up front investment in the 6100’s in this architecture, the solution scales out with only incremental cost very nicely. Also, the 6100’s are the single point of management using the UCS Manager in this infrastructure. The UCS abstracts unique information that would identify a server into a service profile. The types of data in the service profile may include items such as:

Bios Settings
WWN
MAC Addresses
Boot Order
Firmware Revisions

This way, settings that would normally be configured after a server arrives can be pre-configured. When a new blade arrives you can simply slide the blade into the chassis, assign the service profile, boot it and it is ready to install an OS in minutes. If this OS is ESXi, then that only takes about 5 minutes to install as well.

With the Converged Blade Infrastructure we set up a foundation for ease of incremental scalability when the environment grows. Using this as the model infrastructure, the upcoming posts will examine the different components involved in more detail so that you can get a holistic view of the entire virtual infrastructure as a structure approach is taken to building this out.

Ask Harley: Guitar Hero Edition Question and Answer Summary

Posted on May 6, 2011February 11, 2019 by admin

On Thursday, May 5th I had my second Ask Harley Session, the Ask Harley: Guitar Hero Edition. This was a session where I answered virtualization and VMware related questions on Twitter. I received a lot of great questions during this session. At the end of the session my virtual band, “Harley Stagner and the 46er’s” played Michael Jackson’s “Beat It” live on Guitar Hero. The song was determined by a vote and the stream was provided by Cisco Show and Share. Thank you to all who participated. Below are the questions and their answers in case you missed them on Twitter.

Ask Harley: Question 1 – What are the reasons / cases for using different VMware NMP PSPs? Why would you not use Round-Robin? Thanks!

NOTE: This answer was originally provided over a series of Tweets by Harley Stagner on 5/5/11 at TBL Networks’ Twitter site as part of our “Ask Harley” series.

Answer:

The VMware NMP PSP that is chosen (either MRU or Fixed) by default will typically be the supported PSP for the storage array.

You should not change to Fixed or MRU from the default.

Changing to Round-Robin is supported on all arrays unless specifically noted by the vendor.

Having said that, different arrays will have different support of the Round-Robin functionality.

More info about path selection policies can be found here: http://bit.ly/ltblbs

Ask Harley: Question 2 – Everyone talks about the advantages of VDI. What are some disadvantages?

NOTE: This answer was originally provided over a series of Tweets by Harley Stagner on 5/5/11 at TBL Networks’ Twitter site as part of our “Ask Harley” series.

Answer:

VDI is not going to be the magic-bullet technology to cure desktop woes in all environments.

Capital savings tend to not be as heavy in VDI deployments. Operational savings is where it’s at with VDI.

If you want to just serve up applications in lieu of a whole desktop, VDI is probably not the right fit today.

VDI can make laborious desktop refreshes, desk-side visits for desktop issues,

and rolling out OS patches over the network a thing of the past.

Much more analysis needs to be put into a VDI deployment because there are many more moving parts (and users).

VDI can have some great operational cost savings (and capital savings at scale).

However, one must do their due diligence in the analysis.

Ask Harley: Question 3 – Can VMFS Extents be used to create a datastore that is capable of hosting a VM file server that needs more than 2TB of space?

NOTE: This answer was originally provided over a series of Tweets by Harley Stagner on 5/5/11 at TBL Networks’ Twitter site as part of our “Ask Harley” series.

Answer:

While extents can extend the size of a VMFS volume, the maximum virtual disk size for a VM is still 2TB minus 512 bytes.

I would discourage the use of extents anyway because if you lose one extent the whole datastore is lost.

A more suitable option for a very large datastore would be NFS, not VMFS.

You still will not get past the 2TB single virtual disk limitation on the VM, though.

More information on the maximums discussed here can be found in vSphere configuration maximums guide.

For those of you who missed the Live Streaming on Cisco Show and Share of “Harley Stagner and the 46er’s”, here it is 🙂

http://www.youtube.com/watch?v=32WzkPyDSCM&feature=channel_video_title

End to end virtual network security with the Cisco Nexus VSG

Posted on April 11, 2011February 11, 2019 by admin

So I’ve been spending a lot of time in our lab with the Cisco Nexus Virtual Security Gateway. I have come to the conclusion that it rocks! Finally, the virtual infrastructure is no longer treated as a second class citizen when it comes to securing network traffic between virtual machines. We are at a point now with the Cisco VSG that we can have robust Cisco infrastructure, including security, from the upstream physical network to the virtual network.

The Cisco Nexus VSG builds upon the Nexus 1000v distributed virtual switch and communicates with the Virtual Ethernet Modules in the Nexus 1000v to provide a very robust security policy engine that can perform granular filtering and matching on a number of parameters. For example:

Network (ip address, port number, etc.)
VM (VM Name, Installed OS Name, Cluster, Host, Zone)

Yep, that’s right, I said VM. Since the Cisco VSG integrates with the vSphere API’s and vCenter, you can filter on items like a virtual machine name or partial name, installed OS, cluster, etc. This is very powerful. I no longer have to rely on network and IP rules alone to filter traffic between virtual machines. This is a more intelligent approach to filtering that really highlights the synergies that Cisco and VMware have established. Best of all, once it is set up everything is managed from a single Cisco Virtual Network Management Center (VNMC) instance. This web-based management tool let’s you manage multiple Virtual Security Gateway instances. Let’s look at a simple example of how easy it is to perform traffic filtering in the virtual infrastructure with the Cisco VSG.

Topology and Components:

vSphere 4.1 Enterprise Plus Host Servers
Cisco VNMC VM
Cisco Nexus 1000v Infrastructure
Cisco VSG Infrastructure
tenanta-srv1 VM
tenanta-srv2 VM
tenantb-srv1 VM
tenantb-srv2 VM

The goal of this configuration is to allow the following communication flows:

tenanta-srv1 and tenanta-srv2 should communicate
tenantb-srv1 and tenantb-srv2 should communicate
The Tenant A servers(tenanta-srv1 and tenanta-srv2) should not be able to communicate with the Tenant B servers (tenantb-srv1 and tenantb-srv2)
Anyone else should be able to communicate with both the Tenant A and Tenant B servers
There is a further caveat that the Tenant A and Tenant B servers are both on the same subnet (don’t worry these servers belong to the same company )

Below are the network settings:

tenanta-srv1 VM – 10.91.41.200
tenanta-srv2 VM – 10.91.41.201
tenantb-srv1 VM – 10.91.41.202
tenantb-srv2 VM – 10.91.41.203
a client with another ip address

Here are the general steps for setting up this scenario once the Cisco VSG infrastructure is in place:

Create a tenant
Assign the VSG to the tenant
Create a zone each for the Tenant A and Tenant B servers (these zones match VM’s with names that contain “tenanta” and “tenantb” respectively)
Create a firewall policy for the VSG
Create a policy set that includes the policy
Bind the policy set to the VSG
Bind the tenant to a port-profile so that any VM that is on that port-profile is filtered with the policy rules

Below are the screenshots of the results after the VSG was configured.

These are the only rules that are required for the communication flows.

Here is what the port-profile looks like on the Nexus 1000v. Notice the org and vn-service entries. This means that this port profile is VSG aware.

The ICMP traffic from the Tenant A Servers.

The ICMP traffic from the Tenant B Servers (same result as the Tenant A servers. Only one is shown here.)

Finally the results from the external client

As you can see, we achieved our goal with just three filtering rules. Also, we were able to leverage VM name filtering instead of IP filtering which allowed us to filter on the same subnet without resorting to naming each IP address or different port numbers. Very cool! The Cisco VSG is capable of many complex configurations combining both networking categories (ip, port number, etc.) and VM categories. This was just a quick example of what can be done. As always, if you have any questions or would like to see a live demo feel free to contact me.

CJ’s Thumbs Up Foundation: Helping Make Every Day A Bonus

Posted on March 25, 2011February 11, 2019 by admin

TBL Networks is proud to present guest blogger Rachel Reynolds, Executive Director at CJSTUF.

Sickle cell disease is a life threatening genetic disorder that causes chronic pain, delayed growth, ulcers, jaundice, and other medical issues. Ongoing treatments are necessary and can range from dialysis, blood transfusions, medical management through steroids and pain medications, and (when possible) bone marrow transplants. While symptoms and treatment can vary across patients, it is a disease that requires lifelong management and frequent medical care.

The Price Family knows the reality of Sickle Cell disease only too well. Thirteen year old Nile (one of a set of triplets) has battled the disease since birth. Last year, Nile was fortunate to receive a bone marrow transplant that has cured his sickle cell disease and placed him in remission; however, he still faces chronic health challenges on a daily basis. His four-year-old sister Olivia also has the disease.

The Price family has struggled to balance their days between hospital visits and a “normal” life. They have faced the emotional, physical, and financial challenges that this disease brings to every family it impacts. Thanks to CJSTUF, the family was able to receive two Financial Assistance Grants in 2010: one for Nile and one for Olivia. The funds helped the family with their ongoing medical and household expenses.

This is just one example of how CJ’s Thumbs Up Foundation helps families of children with chronic and life-threatening illnesses. We serve families where children face cancer, cystic fibrosis, leukemia, and other debilitating illnesses that require constant care. Our mission is not to find a cure or to solve all of a family’s financial problems. We make an unbearable situation a little more bearable. We do this by providing financial support to families in need served by Children’s Hospital of Richmond. In our first year as a 501(c)3, (2010) we provided almost $13,000 in support to over 30 families through our financial assistance grants, vouchers for healthy meals, and other tangible support.

As a young organization in the Richmond area, we are grateful to individuals and businesses such as TBL Networks for their generous support. With the help of donors and volunteers, we can continue to provide support to families in the Richmond area and, hopefully, expand our services to cover more families around the state and even across the country.

If you would like to know more about our organization, visit our website for information on how to get involved. You can also follow us on Twitter and Facebook or hook into our blog for the latest updates.

–Rachel Reynolds
Executive Director, CJSTUF
rachel@cjstuf.org