This is one of the smaller objectives plus only the PVLAN concepts and practices are new – VLAN support remains relatively unchanged from VI3 (although the vDS and it’s associated VLAN support is new).
Knowledge
- Identify types of VLANs and PVLANs
Skills and Abilities
- Determine use cases for and configure VLAN Trunking
- Determine use cases for and configure PVLANs
- Use command line tools to troubleshoot and identify VLAN configurations
Tools & learning resources
- Product Documentation
- vSphere Client
- vSphere CLI
Types of VLAN
VLANs are a network standard (802.1q) which are fully supported in vSphere. They can be used to minimise broadcast traffic and as a security measure to segregate traffic (although like any technology there are weaknesses). Typical uses for VLANs with vSphere are to isolate infrastructure (vMotion, iSCSI and NFS) traffic and VM traffic.
There are three main ways of using VLANs with vSphere (covered in this VMware whitepaper);
- Virtual guest tagging (VGT) – requires VLAN driver support in the guest OS
- Virtual Switch tagging (VST) – common option, requires VLAN trunking on external switches
- External switch tagging (EST) – less flexible and requires more physical NICs
In the Cisco world you set a port to be an ‘access port’ or a ‘trunk port’ if it’s going to carry multiple VLANs. VLAN IDs are 16 bit values giving a range of 0-4095. 4095 is used within vSphere to mean ‘all VLANs’ and is how you configure a portgroup when using VGT.
Configuring VLANs and VLAN trunking
For standard vSwitches you configure VLAN tags on portgroups. This configuration is done at the ESX host using the VI client (Configuration -> Networking);
- Use VLAN 0 when no VLAN tags are present (EST)
- Use VLAN 4095 to pass all VLANs (VGT)
Use a specific VLAN ID depending on the isolation required (VST)
Read more…
The VCAP-DCA lab is still v4.0 (rather than v4.1) which means features such as NIOC and load based teaming (LBT) aren’t covered. Even though the Nexus 1000V isn’t on the Network objectives blueprint (just the vDS) it’s worth knowing what extra features it offers as some goals might require you to know when to use the Nexus1000V or just the vDS.
Knowledge
- Identify common virtual switch configurations
Skills and Abilities
- Determine use cases for and apply IPv6
- Configure NetQueue
- Configure SNMP
- Determine use cases for and apply VMware DirectPath I/O
- Migrate a vSS network to a Hybrid or Full vDS solution
- Configure vSS and vDS settings using command line tools
- Analyze command line output to identify vSS and vDS configuration details
Tools & learning resources
Network basics (VCP revision)
Standard switches support the following features (see section 2.3 for more details);
- NIC teaming
- Based on source VM ID (default)
- Based on IP Hash (used with Etherchannel)
- Based on source MAC hash
- Explicit failover order
- VLANs (EST, VST, VGT)
vDS Revision
The vDistributed switch separates the control plane and the data place to enable centralised administration as well as extra functionality compared to standard vSwitches. A good summary can be found at GeekSilver’s blog. Benefits;
- Offers both inbound and outbound traffic shaping (standard switches only offer outbound)
- Traffic shaping can be applied at both dvPortGroup and dvUplink PortGroup level
- For dvUplink PortGroups ingress is traffic from external network coming into vDS, egress is traffic from vDS to external network
- For dvPortGroups ingress is traffic from VM coming into vDS, egress is traffic from vDS to VMs
- Configured via three policies – average bandwidth, burst rate, and peak bandwidth
- Ability to build a third party vDS on top (Cisco Nexus 1000v)
- Traffic statistics are available (unlike standard vSwitches)
NOTES:
- CDP and MTU are set per vDS (as they are with standard vSwitches).
- PVLANs are defined at switch level and applied at dvPortGroup level.
- There is one DVUplink Portgroup per vDS
- NIC teaming is configured at the dvPortGroup level but can be overridden at the dvPort level (by default this is disabled but it can be allowed). This applies to both dvUplink Portgroups and standard dvPortGroups although on an uplink you CANNOT override the NIC teaming or Security policies.
- Policy inheritance (lower level takes precedence but override is disabled by default)
- dvPortGroup -> dvPort
- dvUplink PortGroup -> dvUplinkPort
NOTE: Don’t create a vDS with special characters in the name (I used ‘Lab & Management’) as it breaks host profiles – see VMwareKB1034327.
Knowledge
- Identify vCenter Server log file names and locations
- Identify ESX/ESXi log files names and locations
- Identify tools used to view vSphere log files
Skills and Abilities
- Generate vCenter Server and ESX/ESXi log bundles
- Use vicfg‐syslog to configure centralized logging on ESX/ESXi Hosts
- Test centralized logging configuration
- Configure the vMA appliance as a log host
- Use vilogger to enable/disable log collection on the vMA appliance
- Use vilogger to configure log rotation and retention
- Analyze log entries to obtain configuration information
- Analyze log entries to identify and resolve issues
Tools & learning resources
I’m covering the troubleshooting objectives last while preparing for the VCAP-DCA – it seems like the logical thing to do. Learn all the material then play with it, break it, fix it, recreate it etc. Practice makes perfect! I’ve been using the Trainsignal’s Troubleshooting for vSphere course but the official VMware Troubleshooting course has been getting good feedback.
vCenter log files
Located in;
- %ALLUSERSPROFILE%\Application Data\VMware\VMware VirtualCenter\Logs (W2k3)
- C:\ProgramData\VMware\VMware VirtualCenter\Logs (W2k8)
Available logs;
- sms.log Storage Management Service
- vpxd-xxxx.log vCenter logs
- vpxd-xxxx.log.gz are archived logs. You have to unzip them to see contents.
You can change the logging level (which defaults to ‘normal’) by going to vCenter Server Settings -> Logging Options. This VMwareKB describes how to enable trivia logging in vCenter (even if vCenter isn’t running) although this may have a performance impact and should only be used temporarily while diagnosing issues.
There are numerous ways to do this; Read more…
Managing storage capacity is another potentially huge topic, even for a midsized company. The storage management functionality within vSphere is fairly comprehensive and a significant improvement over VI3.
Knowledge
- Identify storage provisioning methods
- Identify available storage monitoring tools, metrics and alarms
Skills and Abilities
- Apply space utilization data to manage storage resources
- Provision and manage storage resources according to Virtual Machine requirements
- Understand interactions between virtual storage provisioning and physical storage provisioning
- Apply VMware storage best practices
- Configure datastore alarms
- Analyze datastore alarms and errors to determine space availability
Tools & learning resources
Storage provisioning methods
There are three main protocols you can use to provision storage;
- Fibre channel
- Block protocol
- Uses multipathing (PSA framework)
- Configured via vicfg-mpath, vicfg-scsidevs
- iSCSI
- block protocol
- Uses multipathing (PSA framework)
- hardware or software (boot from SAN is h/w initiator only)
- configured via vicfg-iscsi, esxcfg-swiscsi and esxcfg-hwiscsi, vicfg-mpath, esxcli
- NFS
- File level (not block)
- No multipathing (uses underlying Ethernet network resilience)
- Thin by default
- no RDM, MSCS,
- configured via vicfg-nas
I won’t go into much detail on each, just make sure you’re happy provisioning storage for each protocol both in the VI client and the CLI.
Know the various options for provisioning storage;
- VI client. Can be used to create/extend/delete all types of storage. VMFS volumes created via the VI client are automatically aligned.
- CLI – vmkfstools.
- NOTE: When creating a VMFS datastore via CLI you need to align it. Check VMFS alignment using ‘fdisk –lu’. Read more in Duncan Epping’s blogpost.
- PowerCLI. Managing storage with PowerCLI – VMwareKB1028368
- Vendor plugins (Netapp RCU for example). I’m not going to cover this here as I doubt the VCAP-DCA exam environment will include (or assume any knowledge of) these!
When provisioning storage there are various considerations;
- Thin vs thick
- Extents vs true extension
- Local vs FC/iSCSI vs NFS
- VMFS vs RDM
Read more…
Storage is an area where you can never know too much. For many infrastructures storage is the most likely cause of performance issues and a source of complexity and misconfiguration – especially given that many VI admins come from a server background (not storage) due to VMware’s server consolidation roots.
Knowledge
- Identify RAID levels
- Identify supported HBA types
- Identify virtual disk format types
Skills and Abilities
- Determine use cases for and configure VMware DirectPath I/O
- Determine requirements for and configure NPIV
- Determine appropriate RAID level for various Virtual Machine workloads
- Apply VMware storage best practices
- Understand use cases for Raw Device Mapping
- Configure vCenter Server storage filters
- Understand and apply VMFS resignaturing
- Understand and apply LUN masking using PSA‐related commands
- Analyze I/O workloads to determine storage performance requirements
Tools & learning resources
Identify RAID levels
Common RAID types: 0, 1, 5, 6, 10. Wikipedia do a good summary of the basic RAID types if you’re not familiar with them. Scott Lowe has a good article about RAID in storage arrays, as does Josh Townsend over at VMtoday.
The impact of RAID types will vary depending on your storage vendor and how they implement RAID. Netapp (which I’m most familiar with) using a proprietary RAID-DP which is like RAID-6 but without the performance penalties (so Netapp say).
Scott Lowe has a good article about RAID in storage arrays, as does Josh Townsend over at VMtoday.
Supported HBA types
This is a slightly odd exam topic – presumably we won’t be buying HBAs as part of the exam so what’s there to know? The best (only!) place to look for real world info is VMware’s HCL (which is now an online, searchable repository). Essentially it comes down to Fibre Channel or iSCSI HBAs.
Remember you can have a maximum of 8 HBAs or 16 HBA ports per ESX/ESXi server.You should not mix HBAs from different vendors in a single server. It can work but isn’t officially supported.
Read more…
vShield Zones is basically a firewall framework to protect your VMs without requiring external or hardware based firewalls. It requires Advanced or higher licencing. For study I’d suggest going through Eric Siebert’s blogposts (part one, two, and three) to start with (they cover real world issues) and then getting stuck into the official docs – they cover everything on the blueprint. There’s quite a bit to learn making this is one of the larger objectives on the VCAP-DCA blueprint.
NOTE: vShield Zones is NOT the same as vShield App, Edge, and Endpoint so make sure you download the right version. The VCAP-DCA exam only covers v1.0 of vShield Zones (not the most recent v4.1) and doesn’t cover the more feature rich vShield App Suite. See VMware’s product page for more details.
Knowledge
- Identify vShield Zones components
- Identify the four CLI command modes
Skills and Abilities
- Configure vShield Zones
- Backup and restore vShield Manager Data
- Backup CLI Configuration
- Create/Delete Layer 2/3/4 firewall rules using VM Wall
- Install/Uninstall a vShield manually and from template
- Configure vShield Manager plug‐in capability
- Configure VM Flow charts
- Update vShield Zones
- Add/Edit/Delete User Accounts
- Assign rights to a user
- Add/Delete Application‐Port Pair mapping
- Execute/Schedule Execution of virtual machine discovery
- Utilize vShield Zones CLI commands to configure and monitor vShield Zones
- Analyze traffic using VM Flow to determine root cause of network related issues
Installing vShield Zones
Deployed as an appliance with two components;
- Setup the vShield Manager appliance
- Deploy the vShield Manager from OVF
- Create a port group on the vSwitch which hosts your VM traffic, named vsmgmt and amend the vNIC on the vShield Manager VM to use this network.
- Power up the VM, login with ‘admin’ and ‘default’, then run ‘setup’ to configure the server.
- Allocate IP details
- Upgrade VMtools (you can use the ‘Automatic’ option – being Linux based no reboot is required)
- Initial install of the vShield Agent
- Deploy from OVF and then convert to a template. This simply gets the agent ready for deployment.
If you’re wondering whether VMtools make a significant difference to this customised Linux appliance see (the pointless) VMwareKB1011501! You can also find out what’s new in vShield Zones 1.0 Update 1.
Read more…
A blessedly quick objective this one! Quite why the ESXi Configuration Guide is listed in the blueprint is anyone’s idea as ESXi doesn’t contain a firewall! The blueprint also lists vicfg-firewall which is a typo – they mean esxcfg-firewall, as vicfg-firewall doesn’t exist!
Knowledge
- Identify vicfg-firewall commands
- Explain the three firewall security levels
- Identify ESX firewall architecture with/without vCenter Server
Skills and Abilities
- Enable/Disable pre‐configured services
- Configure service behavior automation
- Open/Close ports in the firewall
- Create a custom service
- Set firewall security level
Firewall architecture
The ESX Configuration Guide talks very generally about where to put firewalls to protect traffic. In reality I can’t see much difference in architecture whether you have a vCenter server or not. These two diagrams are from the ESX Configuration Guide – minimal differences!
The firewall is ESX only (there’s no ESXi firewall as no service console).
Firewall security levels
Three firewall security levels (high is default);
- High (outbound blocked, limited inbound allowed (902, 443,22,123 and a few other including ICMP).
- Medium (outbound allowed, inbound blocked apart from allowed services)
- Off
Read more…
Security is a large topic and one you could spend a lifetime mastering. The blueprint isn’t too helpful in clarifying what level of detail you’re expected to know for this as the ESX/ESXi configuration guides cover issues not in the ‘skills and abilities’ section. More in depth still is the vSphere Hardening Guide. I guess the main thing is to focus on practical issues as the VCAP-DCA is a practical exam – knowing that the VMkernel uses memory hardening is no use in an exam if it can’t be configured or tweaked! Some of this section seems to have been added for the sake of it – how often will an admin need to modify the SSL timeouts? I could only fine one KB article about it!
Knowledge
- Identify configuration files related to network security
- Identify virtual switch security characteristics
Skills and Abilities
- Add/Edit Remove users/groups on an ESX Host
- Customize SSH settings for increased security
- Enable/Disable certificate checking
- Generate ESX Host certificates
- Enable ESXi lockdown mode
- Replace default certificate with CA‐signed certificate
- Configure SSL timeouts
- Secure ESX Web Proxy
- Enable strong passwords and configure password policies
- Identify methods for hardening virtual machines
- Analyze logs for security‐related messages
Virtual switch security characteristics
vSwitch security (layer2) settings (can be overridden at portgroup level);
- Promiscuous mode – needed for packet sniffing, vShield Zones (and virtual ESX hosts). Disabled by default.
- MAC address changes –affects inbound traffic. May need to be enabled if you’re using MS load balancing in Unicast mode, or the iSCSI software initiator with certain storage arrays. Enabled by default.
- Forged transmits – affects outbound traffic. Enabled by default.
Other network security measures (IPSec, VLANs, PVLANs etc) are dealt with in section 2, Networking.
Host security
Customise SSH settings (ESX only)
- Edit /etc/ssh/sshd.conf and set ‘PermitRootLogin’ to YES (default is NO). See VMwareKB for a list of other settings you can adjust (including the available ciphers).
- You can use PKI to authenticate using SSH without being prompted for a password. This is a standard Linux procedure – for step by step instructions see VMwareKB1002866.
- By default only SSH server is enabled. Configuration -> Security Profile to enable SSHClient, or use ‘esxcfg-firewall –e SSHClient’.
Read more…
Categories: VCAP, Virtualisation, VMware Tags: certificates, certification, esx, esxi, lockdown, passwords, security, ssl, vswitch
The main document to work through for the VCAP-DCA is the Availability Guide but there are plenty of good white papers and blog posts which give useful background information (see the bottom of this post). If you have access to the 2010 VMworld content it’s worth watching session BC8274 which covers most of the material on the blueprint.
Knowledge
- Identify VMware FT hardware requirements
- Identify VMware FT compatibility requirements
Skills and Abilities
- Modify VM and ESX/ESXi Host settings to allow for FT compatibility
- Use VMware best practices to prepare a vSphere environment for FT
- Configure FT logging
- Prepare the infrastructure for FT compliance
- Test FT failover, secondary restart and application fault tolerance in a FT Virtual Machine
FT requirements (hardware, software and feature compatibility)
Compatibility
- Firstly you have to make sure your host hardware will support FT – it’s more demanding than many other VMware features.
- The main requirement is to have Intel Lockstep technology support in the CPUs and chipset. Rather than list the processor families which support FT you can read VMwareKB1008027.
- Hardware virtualisation must also be enabled in the BIOS (not always on by default).
- You need to ensure the guest OS and CPU combination is supported (as the Availability Guide states, Solaris on AMD is not for example).
- Must have HA enabled on the cluster
- Licencing– you need Advanced or higher to run FT
- Host certificates need to be enabled. If you did a clean install of vSphere 4.x this is enabled by default but if you upgraded from VI3.x you have to explicitly enable it (vCentre settings, SSL)
- Should avoid mixing ESX and ESXi hosts in a cluster with FT-enabled VMs (VMwareKB1013637)
There are also VM level requirements;
- No USB or sound devices
- No NPIV
- No paravirtualized guest OS
- No physical mode RDMs
- Hot plug (memory, CPU, hard disks etc) is automatically disabled for FT-enabled VMs
- No Serial or parallel ports
Restrictions
FT places quite a few restrictions on the features you can use;
Read more…
The main guide for this section is the ‘Setup for Failover clustering and Microsoft Cluster Service’ whitepaper. It’s a difficult topic to test in a lab unless you’re lucky enough to have FC in your lab! Very little has changed in regards to running MSCS on VMware since the VI3 days so if you’re familiar with that (and it was on the VCP syllabus) then don’t read any further! If you want a refresher however (and a few tidbits which are new to vSphere 4.1), read on….
Knowledge
- Identify MSCS clustering solution requirements
- Identify the three supported MSCS configurations
Skills and Abilities
- Configure Virtual Machine hardware to support cluster type and guest OS
- Configure a MSCS cluster on a single ESX/ESXi Host
- Configure a MSCS cluster across ESX/ESXi Hosts
- Configure standby host clustering
Tools & learning resources
Supported MSCS configurations
Three options;
- Cluster in a box
- Cluster across boxes
- Standby (one physical node, one virtual node)
Solution requirements
Physical hardware
One of the main requirements is a FC SAN (this is one of the rare features which doesn’t work with NFS).
Read more…
Loading ...
Recent Comments