In order to get a wide audience for this topic, I've cross-posted this post from the VMware Security and Compliance Blog. Enjoy!
It has been a couple of weeks since the release of the vSphere 5.1 Hardening Guide. Right around that time there was a call for updated content for the VMware Mobile Knowledge Portal app. Well, I really wanted to see the updated Hardening Guide available on that platform. That presented a challenge. For most customers, releasing it as an Excel spreadsheet meets their needs, but have you looked at a spreadsheet on an iPad? Not a pretty sight.
In the last six months, I have talked to many customers and partners about Virtual eXtensible Local Area Network (VXLAN). One of the things I found challenging was how to explain the technology to two different types of audience. On one hand, there are virtual infrastructure administrators who want to know what problems this new technology is going to solve for them and what the use cases are. On the other hand, there are networking folks who want to dig into packet flows and all the innate protocol-level details: how this technology compares with others, what its impact is on the physical devices in the network, and so on.
The papers that we have made available, "Network Virtualization Design Guide" and "VXLAN Deployment Guide", provide some basic knowledge about the technology, its use cases, and step-by-step deployment instructions. However, some of the detailed packet flow scenarios are not explained in these papers. So I thought it would be a good idea to put together a series of posts discussing the packet flows in a VXLAN environment. There are also many common questions that I would like to address as part of this series.
To start this series, I will first describe the different components of VMware's VXLAN implementation.
vSphere 5.1 Update 1 was just released last week, and one of the things that caught my eye while reading through the release notes for ESXi 5.1 Update 1 was a new enhancement to hostd logging:
Component-based logging and advanced configurations added to hostd log level
To avoid difficulties in getting appropriate logs during an issue, this release introduces component-based logging by dividing the loggers into different groups and prefixing them. Also, new advanced configuration allows you to change hostd log’s log level without restarting.
Though this enhancement is targeted at troubleshooting and will most likely be used when working with GSS, I thought I would walk you through how this feature works, as there was not much detail in the release notes.
Over the last few months, you have seen my blog articles on the vCloud Networking and Security solution. Some of you may have even been inspired to try it, but were not able to set aside or configure infrastructure to do any testing. Well, here’s your chance to get hands-on experience on everything that I wrote, without committing any equipment in your lab.
HOL-SDC-1303 - An In-depth Exploration of vCloud Networking and Security is a brand-new hands-on lab that walks you through vCloud Networking and Security with a use-case based approach. You can explore all of the following areas using this lab.
Prepare vSphere clusters for VXLAN logical network deployment
Logical network (VXLAN) provisioning
Connect the three-tier application virtual machines to logical networks and test connectivity between virtual machines on the same logical network
Deploy Edge Gateway and connect logical networks. Verify connectivity between virtual machines connected to different logical networks by using Edge Gateway
Define SNAT rule for accessing external (VLAN) network from virtual machines connected to VXLAN networks
Publish three-tier application web service using Edge load balancing
Configure Edge firewall rules to only open required ports and protocols between tiers of the application
Configure Edge High Availability
Micro-segmentation using App Firewall
Flow monitoring using App Firewall
This lab is now available in the VMware Hands-on Lab portal. This online environment lets you run a wide variety of labs from any web browser, and is free to anyone. You can register for access by visiting http://hol.vmware.com, where you can also find documentation, community discussions, and the HOL blog. Search for HOL-SDC-1303 in the catalog after logging in to the Hands-on Lab portal.
I would like to thank Ray Budavari, Bill Call, Charu Chaubal, Joseph Dieckhans, Andrew Hald and Pablo Roesch for all their help in making this hands-on lab available.
Get notification of these blogs and more vCloud Networking and Security information by following me on Twitter @vCloudNetSec.
VMware vCenter Multi-Hypervisor Manager is a component that enables support for heterogeneous hypervisors in a VMware vCenter Server environment. It provides the following benefits to your virtual environment:
An integrated platform for managing VMware and third-party hypervisors from a single interface.
A hypervisor choice for the different business units in your organization to accommodate their specific needs.
No single hypervisor vendor lock-in.
When you add a third-party host to vCenter Server, all virtual machines that exist on the host are discovered automatically and added to the third-party host inventory.
The ability of vCenter Multi-Hypervisor Manager to migrate virtual machines from third-party hosts to ESX or ESXi hosts is implemented by exposing the capabilities of vCenter Converter Standalone in the vSphere Client. See VMware KB article 2048927 for information about dependency between vCenter Multi-Hypervisor Manager and vCenter Converter Standalone.
vCenter Multi-Hypervisor Manager 1.1 introduces the following set of basic management capabilities over third-party hosts:
Third-party host management including add, remove, connect, disconnect, and view the host configuration.
Ability to migrate virtual machines from third-party hosts to ESX or ESXi hosts.
Ability to provision virtual machines on third-party hosts.
Ability to edit virtual machine settings.
Integrated vCenter Server authorization mechanism across ESX/ESXi and third-party hosts inventories for privileges, roles, and users.
Automatic discovery of pre-existing third-party virtual machines.
Ability to perform power operations with hosts and virtual machines.
Ability to connect and disconnect DVD, CD-ROM, and floppy drives and images to install operating systems.
vSphere 5.1 Update 1 is now available. For those of you running 5.1, there are a lot of critical fixes and enhancements, so I'd urge you to review the release notes and consider scheduling a slot to upgrade your infrastructure to this new release. There are updates for both vCenter and ESXi in this release.
Since this is the storage blog, I wanted to call out a few items which are directly relevant to storage and are addressed in 5.1U1, and these are features which I know a number of our customers have been waiting on.
VMware vSphere Data Protection (VDP) is a backup and recovery solution that was introduced with vSphere 5.1. VDP leverages mature, proven technology from EMC Avamar to provide reliable, space-efficient, disk-based data protection for VMware virtual machines (VMs). VDP is fully integrated with VMware vCenter Server and the vSphere Web Client. One of the real beauties of VDP is its ease of deployment and management, which explains why thousands of VMware customers have already downloaded VDP since it was introduced just a little over six months ago. Today, VMware released VDP 5.1.10, which enhances the capabilities of VDP. Here are the highlights of the new functionality found in the latest version:
The Configure tab in the VDP UI now includes a Log tab, which provides more detailed log information. This information can also be exported to a file.
Integration with vCenter alarms and alerts notification system
Ability to clone backup jobs
New filters for Restore tab
Added more post-restore options (automatically power on, NIC reconnect)
Restore rehearsal can be started by right-clicking a virtual machine > All VDP Actions > Restore Rehearsal
There are also multiple resolved issues including the Windows Server 2008 R2 error requiring the disk.EnableUUID=false .vmx configuration parameter. The complete list of resolved issues and known issues can be found in the VDP 5.1.10 Release Notes.
This release of VMware vCenter Server 5.1 Update 1 offers the following improvements:
vCenter Server is now supported on Windows Server 2012
Additional vCenter Server Database Support: vCenter Server now supports the following databases.
Microsoft SQL Server 2012
Microsoft SQL Server 2008 R2 SP2
Additional Guest Operating System Customization Support: vCenter Server now supports customization of the following guest operating systems:
Windows Server 2012
vCenter Essentials no longer enforces the vRAM usage limit of 192 GB. With vSphere 5.1 Update 1, the Essentials and Essentials Plus licenses no longer restrict virtual machine power-on operations when the vRAM usage limit of 192 GB is met.
Resolved Issues - This release delivers a number of bug fixes that have been documented in the Resolved Issues section.
VMware has just released the much anticipated Update 1 patch for vSphere 5.1 which includes several updates and bug fixes for both ESXi and vCenter Server 5.1. I highly encourage everyone to review the release notes for the complete list of resolved issues. While going through the ESXi 5.1 Update 1 release notes myself, I noticed a few resolved bugs that I had been following and thought I would highlight a few of them:
Reinstallation of ESXi 5.1 does not remove the Datastore label of the local VMFS of an earlier installation
Re-installation of ESXi 5.1 with an existing local VMFS volume retains the Datastore label even after the user chooses the overwrite datastore option to overwrite the VMFS volume.
resxtop fails when upgraded from vSphere 5.0 to vSphere 5.1
In vSphere 5.1, SSL certificate checks are turned ON. This might cause resxtop to fail to connect to hosts and display an exception message similar to the following: HTTPS_CA_FILE or HTTPS_CA_DIR not set. (More details about this issue can be found in this blog article.)
Using the invoke-vmscript command displays an error
When you use the invoke-vmscript PowerCLI command to run scripts on the virtual machine, the script fails with the following error message:
One interesting thing that caught my eye while going through the release notes is the following:
Component-based logging and advanced configurations added to hostd log level
To avoid difficulties in getting appropriate logs during an issue, this release introduces component-based logging by dividing the loggers into different groups and prefixing them. Also, new advanced configuration allows you to change hostd log's log level without restarting.
It looks like you now have the ability to configure granular log levels for the various components within hostd, which can better assist during troubleshooting and log collection. I will discuss how this works in more detail in another blog article.
There are many more resolved issues and you can check out the rest of the fixes in the ESXi 5.1 release notes.
Get notification of new blog postings and more by following lamw on Twitter: @lamw