VMware Hands-on Labs - HOL-1845-01-SLN

Lab Overview - HOL-1845-01-SLN - Modernize Infrastructure - Build Your Own SDDC

Lab Guidance

Note: It will take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

This lab will introduce the value of modernizing your infrastructure with VMware technologies to leverage the benefits of a Software Defined Data Center (SDDC). It will demonstrate the process and requirements to extend compute, storage, and network virtualization across the data center and add intelligent operations management for proactively monitoring and managing the environment.

Lab Module List:

Learn what it means to “modernize the infrastructure” and the benefits you can achieve by extending compute, storage, and network virtualization across the data center and adding intelligent operations management.  The lab will cover a high-level overview of the process needed to modernize your infrastructure with VMware technologies and achieve the SDDC Nirvana State.

Introduction to vSphere 6.5 features that will make it easier for you to build and manage your virtual infrastructure, laying the foundation to extend your IT environment across private and public cloud, and build the foundation for your SDDC.

Learn how easy it is to extend virtualization to your storage environment by enabling VMware vSAN - the only vSphere-embedded storage solution that delivers flash-optimized, high-performance, hyper-converged storage for virtual machines.

Understand the core capabilities of VMware NSX in a vSphere environment, and understand the role network and security virtualization plays in your SDDC.

 Lab Captains:


This lab manual can be downloaded from the Hands-on Labs Document site found here:


This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:



Location of the Main Console


  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab can not be saved.  All your work must be done during the lab session.  But you can click the EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.



Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.



Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  



Accessing the Online International Keyboard


You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.



Activation Prompt or Watermark


When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  



Look at the lower right portion of the screen


Please check to see that your lab is finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.


Module 1 - Introduction to Modernizing IT (15 minutes)


This Module contains the following lessons:

Making the Case for Modern Infrastructure

Learn what it means to modernize your infrastructure

Modernizing Infrastructure speaks to the idea of leveraging the Software Defined Datacenter (SDDC), which involves the virtualization of Compute, Storage and Network resources.  For the purpose of this lab, we will be discussing the VMware products vSphere 6.5 (Compute), vSAN (Storage) and NSX (Network) to demonstrate how to modernize your infrastructure, and utilizing vRealize Operations (vROps) to provide monitoring and alerting.


Digital Evolution in the Multi-Cloud Era

As you know, we’re currently experiencing a major shift in data center infrastructure. Virtualization technology changed the game for compute virtualization. But that led to a mismatch between the highly-efficient compute layer and the rest of the data center, specifically the shared storage and networking services. As a result, many organizations face high storage costs, complex management and limited flexibility from a networking perspective.

Coupled with these basic challenges, three IT trends are placing more pressure on IT infrastructure and operations:

Clearly, the data center of yesterday cannot keep up.  It has to evolve.




What is a modern infrastructure and the VMware approach?

Click on the ~13-minute video below to learn how VMware can help modernize your data center by leveraging some of the same principles that made compute virtualization so successful.



Thank you for completing Module 1. You can find more details about how to leverage the software defined data center to modernize your infrastructure in our eBook (http://bit.ly/2tzpHh1) Modules 2-4 will showcase all the technologies discussed in this module.


You've finished Module 1

Proceed to any module below which interests you most.




How to End Lab


To end your lab click on the END button.  


Module 2 - Compute Virtualization - vSphere 6.5 (30 minutes)


This Module contains the following lessons:

Compute Virtualization

Compute Virtualization refers to the virtualization of both Memory and Processor resources inside of a Virtual Machine (VM).


vSphere 6.5: Dramatically Simplified Experience

vSphere 6.5 elevates the customer experience to an entirely new level.  It provides exceptional management simplicity, operational efficiency, and faster time to market.

vSphere 6.5 makes the vCenter Server Appliance (VCSA) the fundamental building block of a vSphere environment.  The core vSphere architecture is built around this "easy to deploy and manage approach", which reduces operational complexity by embedding key functionality into a single location.  Capabilities such as vSphere host management (with a fully integrated vSphere Update Manager (VUM) instance), file-based backup and recovery, native VCSA high availability (HA), and much more are now embedded in this new one-stop appliance model.  Users can now be more efficient as there is no longer a need to interface with multiple components.  Additionally, because everything is centralized, VCSA generates a tremendous amount of optimization and innovation, including an over 2x increase in scale and a 3x increase in performance.  Upgrading to this building block will be easier than ever before, as users can now convert from their traditional Windows deployment to the new appliance model using the vCenter Server Appliance Migration Tool.




Comprehensive Built-in Security

With increased threats, comprehensive built-in security becomes more critical than ever before.  vSphere 6.5 natively provides secure data, infrastructure, and access at scale via its operationally-simple, policy-driven model.  Protecting all three areas is essential for digital transformation and the evolution of any given business.

To secure data, vSphere 6.5 offers a new VM-level disk encryption capability designed to protect against unauthorized data access. VMware's approach is both universal and scalable, with the ability to encrypt any VM disk regardless of guest OS, as well as the ability to manage encryption at scale using the familiar vSphere storage policy framework.  Combined with the new encrypted vMotion capability, vSphere can safeguard both data at-rest and data in-motion.

To assure the security of the underlying infrastructure, vSphere 6.5 also adds a secure boot model to protect both the hypervisor and the guest operating system.  It helps prevent images from being tampered with and prevents the loading of unauthorized components.

vSphere 6.5 also delivers enhanced audit-quality logging capabilities that provide more forensic information about user actions.  IT can now better understand who did what, when, and where, if an investigation into anomalies or security threats require it.

vSphere 6.5 is the core of a secure Software Defined Data Center (SDDC) and works seamlessly with other SDDC products to provide a complete security model for infrastructure.



Exploring vSphere 6.5

In this section, you will explore vSphere 6.5 utilizing both the (Flash/Flex) Web Client as well as the (HTML5) Web Client.


Choosing your Client

With vSphere 6.5, there are 2 clients available to you via your browser, the Web Client (Flash/Flex) and the HTML5 Client.  The Web Client is the fully-functional replacement to the old C# Client, also known as the fat client.  The HTML5 Client is a former VMware Fling that we packaged with vSphere 6.5, however, it only has partial functionality.  



Login to the vSphere Web Client


From within Chrome, select "vCenter (Web Client)" from the bookmark bar



Navigating the vSphere 6.5 Web Client


Now that you are logged in, let's get familiar with the interface.  The first page we see is the "Hosts and Clusters" view, which allows us to see all 6 of our ESXi hosts, and the two-cluster configuration we have setup.

For our 2 clusters, we have a compute cluster (RegionA01-COMP01) which hosts 3 of our ESXi hosts, and our 3-tiered application (you will do more with this in Module 4) and our management cluster (RegionA01-MGMT01) which hosts our remaining 3 hosts.  For each of those hosts, we have configured an NSX Controller.



Encrypted vMotion

One of the new features in vSphere 6.5 is Encrypted vMotion.  There are 3 options for Encrypted vMotion:

  1. Disabled
    • Do not use Encrypted vMotion, even if available
  2. Opportunistic
    • Use Encrypted vMotion if source and destination hosts support it, fall back to unencrypted vMotion otherwise.  This is the default option.
  3. Required
    • Allow only Encrypted vMotion.  If the source or destination host does not support vMotion Encryption, do not allow the vMotion to occur.



vSphere 6.5 HTML5 Client Overview


Select "vCenter (HTML5 Client)" from the Chrome bookmark bar


vSphere 6.5 Management

In this section, you will explore the management side of vSphere 6.5


Start Google Chrome




Login to vSphere Appliance Management


Once Chrome opens, click on "vSphere Management" from the bookmark bar


Intelligent Operations Overview

In this section, you will view the vRealize Operations Manager Dashboards that are used to monitor the vSphere Environment.


vRealize Operations Manager (vROps)

VMware delivers intelligent operations from applications to infrastructure in order to plan, manage and scale SDDC and multi-cloud deployments.  This highly-scalable, extensible and intuitive operations platform improves performance and availability with application-aware monitoring, troubleshooting and unified visibility into infrastructure and application health across SDDC and multiple clouds.

It simplifies operations by automating management of infrastructure and applications with automated workload balancing and proactive detection and automatic remediation of issues and anomolies.  It correlates operational and business insights to help accelerate cloud planning and placement decisions across multiple clouds, and reduces costs and risk by optimizing capacity utilization, accuately forecasting capacity needs and enforcing standards.




Login to vROps


Open up Google Chrome



Viewing Dashboards


From the initial login screen you get a high-level overview of your environment.  In our case we have a single vCenter and a single Datacenter, and everything is healthy, so we have green status.  Let's go to our dashboards tab by clicking "Dashboards"



vROps Alerting


To view the alerts within vROps, select the "Alerts" tab in the menu bar, and then expand out "Today" to see today's alerts.



Environment Overview


The last thing we will look at here is the "Environment" section.  Select "Environment" from the top menu bar.



Logout of vROps


Logout of vROps and close your browser.



In this module, you explored vSphere 6.5 using both the (Flash/Flex) Web & (HTML5) Clients.  You navigated through the administration portal for the VCSA, and monitored the environment with vROps.


You've finished Module 2

Congratulations on completing Module 2.

If you are looking for additional information on vSphere 6.5, try one of these:

Proceed to any module below which interests you most.

To take a deeper dive into vSphere 6.5 or vROps, here are some additional Hands-On-Labs available this year



How to End Lab


To end your lab click on the END button.  


Module 3 - Storage Virtualization - vSAN 6.6 (30 minutes)


When taking a "Build your own modern infrastructure" approach for building a Software Defined Data Center (SDDC), VMware Storage Virtualization (vSAN) allows you to transform industry-standard x86 servers with direct-attached storage (DAS) into cost-effective, highly-scalable building blocks with software-defined compute and networking.  This evolutionary software-defined approach paves the way for companies to easily increase agility and flexibility with integrated platforms that include powerful, easily deployable and unified management solutions truly capable of supporting digital transformation.

This Module contains the following lessons:

VMware vSAN Overview

In this section, we will provide a brief overview about storage virtualization with VMware vSAN and the requirements to deploy/enable vSAN in this environment.


Building Your Own Modern Infrastructure with vSAN

VMware vSAN is the default and primary storage for building a Software-Defined Data Center. The configuration and assembly process for each system can be standardized using compatible hardware, with all components installed in the same manner on each host. Standardizing the entire physical configuration of the ESXi hosts is critical to providing an easily manageable and supportable infrastructure because standardization eliminates variability. Consistent PCI card slot location, especially for network controllers, is essential for accurate alignment of physical to virtual I/O.



VMware vSAN Overview

vSAN is a software-defined storage solution, powering VMware’s industry leading HyperConverged systems. vSAN is unique in its ability to provide vSphere-embedded storage and choices from a broad ecosystem of hardware and software solutions. The solution is an ideal first step for organizations wanting to naturally evolve without risk to HyperConverged Infrastructure (HCI) and to shift resources to strategic projects. Studies show that vSAN reduces Operating Expenses (OpEx) up to 60 percent through data center footprint, labor, power, and cooling savings. 

vSAN is fully integrated with vSphere, and supports all popular vSphere functionality: DRS, HA, vMotion and more. vSAN is also integrated with the vRealize suite for larger automated environments.

Key points:

Technical characteristics:



vSAN Requirements - vCenter Server

vSAN 6.5 requires both the vCenter and ESXi components to be at 6.5, and can be managed by either the vCenter Server Appliance (VCSA) or a Windows based vCenter Server.   In order to configure vSAN you must use the vSphere Web Client.



vSAN Requirements - ESXi

vSAN requires at least 3 vSphere hosts (where each host has local storage) in order to form a supported vSAN cluster. This is to allow the cluster to meet the minimum availability requirements of tolerating at least one host failure. The vSphere hosts must be running vSphere 6.5. With fewer hosts, there is a risk to the availability of virtual machines if a single host goes down. The maximum number of hosts supported is 64.

Each vSphere host in the cluster that contributes to local storage to vSAN must have at least one hard disk drive (HDD) and at least one solid state disk drive (SSD).



vSAN Requirements - Disk and Network

IMPORTANT : All components (hardware, drivers, firmware) must be listed on the vSphere Compatibility Guide for vSAN. All other configurations are unsupported.

The VMkernel port is labeled vSAN. This port is used for intra-cluster node communication and also for read and writes when one of the vSphere hosts in the cluster owns a particular virtual machine, but the actual data blocks making up the virtual machine files are located on a different vSphere host in the cluster. In this case, I/O will need to traverse the network configured between the hosts in the cluster.



Exploring VMware vSAN

In this section, we will walkthrough the vSphere web client to enable, manage and monitor vSAN.

First of all, it is important to note that VMware vSAN does not require the deployment of storage virtual appliances or the installation of a vSphere Installation Bundle (VIB) on every host in the cluster. vSAN is native in the vSphere hypervisor and typically consumes less than 10% of the compute resources on each host. vSAN does not compete with other virtual machines for resources and the I/O path is shorter.


vSAN's in-kernel operation creates efficiencies not possible on any other systems.  It also allows this technology to inherit all the native systems-level capabilities of vSphere including a well integrated and simplified management model.

In this lesson, we will show you how simple it is to enable and manage vSAN - all done from vCenter through the vSphere Web client.


Things to keep in mind when enabling vSAN

A vSAN cluster can include hosts with storage disks and hosts without storage disks.

Follow these guidelines when you create a vSAN cluster.

After you enable vSAN, the vSAN storage provider is automatically registered with vCenter Server and the vsanDatastore is created.



Open the Chrome Browser


  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.



Navigate to the vSphere Web Client Home Page


Once logged in, you will be presented with the vSphere Web Client Home Page.

You can minimize or maximize the Recent Tasks, Alarms and Work In Progress panes by clicking the pin.



Enable vSAN


 Select RegionA01-COMP01 then navigate to Configure > vSAN > General and select Configure

In this lab environment, vSAN is disabled and we will enable vSAN for the RegionA01-Com01 cluster.

Note: In this lab environment, vSAN is only configured and enabled on RegionA01-COMP01. All 3 ESXi hosts are contributing storage in the form of cache and capacity to form the vsanDatastore.



Configure vSAN


The Configure vSAN dialog will appear. For the purpose of this lab we will NOT enable deduplication and compression and we will NOT configure Fault Domains and Stretched Clusters.

1. Click Next to continue with enabling vSAN



vSAN Disk Claim


There should be NO disks to be claimed. The disk configuration was already completed for this lab.

  1. Click Next
  2. Click Finish



vSAN General Tab


The General tab displays the status of the vSAN service, and the features enabled on the vSAN cluster. At this point, you should now see  "vSAN is Turned ON" and "Deduplication and compression" are Disabled.

You can see that vSAN is using all 6 disks (two in each host) and all disks have the same disk format version.

Note: It may take a few minutes for the vSAN configuration to complete and the status page to load.



vSAN Disk Management


1. Select Cluster RegionA01-COMP01 then navigate to Configure > vSAN > Disk Management.

The vSAN Disk Group on each of the ESXi hosts is listed. Each host has one disk group with one flash device for caching and one flash device for capacity. This is an All-Flash vSAN configuration.



Migrating Virtual Machines into the vsanDatastore


Once vSAN is enabled, you can easily migrate your virtual machines to the vsanDatastore. In this section, we will move web-01a virtual machine to the vsanDatastore

  1. Select Home
  2. Select Hosts and Clusters
  3. Expand your RegionA01-COMP01 cluster
  4. Right-click on web-01a
  5. Select Migrate



Select Change storage only


  1. Select Change Storage Only
  2. Click Next



Choose the vsanDatastore


  1. Select the vsanDatastore
  2. Click Next
  3. Click Finish

The Web-01a virtual machine will start migrating from its current iSCSI datastore into the vsanDatastore. This may take a few minutes.

You can monitor the status on Recent Tasks




Check the vSAN Storage Capacity


1. Click on Storage, than select the vsanDatastore and click on Summary

The capacity shown is an aggregate of the capacity devices taken from each of the ESXi hosts in the cluster ( less some vSAN overhead).

The flash devices used as cache are not considered when the capacity calculation is made.




Health and Performance

The vSAN Performance Service provides a variety of performance information such as throughput and latency at a number of levels (hosts, cluster, vSAN Disk Group, virtual machine). The first step is to make sure the performance service is enabled.



vSAN Performance Service


In order to verify that the vSAN Performance Service is turned ON, navigate to Hosts and Clusters, select RegionA01-COMP01. Click on the Configure tab > vSAN > Health and Performance

In the Health and Performance tab, you can see that the service is running and healthy. The vSAN performance history database is stored as a vSAN object. The policy controls the availability, space consumption and performance of the object. If the object becomes unavailable, the performance history for the cluster will also be unavailable.



Review some performance information


Now let's review some performance data for our vSAN cluster. Select the RegionA01-COMP01 cluster and navigate to Monitor > Performance > vSAN - Virtual Machine Consumption.

At the cluster level, statistics such as IOPS, throughput, and latency are available. Information over the last hour is shown by default. It is possible to change the time range - for example, statistics from the last 3 hours or a custom date and time range.



Navigate to vSAN - Backend


The Virtual SAN - Backend traffic shows information about the backend IO such as vSAN metadata updates, virtual machine provisioning, and objects rebuilds. Similar to vSAN - Virtual Machine Consumption - congestion, IOPS, Throughput and outstanding IO information is available.  



ESXi Hosts - vSAN Performance Data


1. Navigate to Hosts and Clusters and select ESX-01a.corp.local.

2. Click on Monitor > Performance

vSAN Performance Data is also available at the ESXi host level. Disk group and individual physical disk information can also be viewed. Some graphs show multiple statistics - for example front end read and write IOPS, Write buffer, IO Latency.

You can navigate through the different tabs and explore the performance data available at the host level.



vSAN Health Check

The native vSAN Health Check was introduced with vSAN 6.1. The integrated vSAN health check runs a number of proactive configuration and state checks and alerts users to potential risks in their environment. Let's explore this key vSAN functionality.


Click on Hosts and Clusters and select the RegionA01-COMP01 cluster. Navigate to Monitor > vSAN > Health.

Here, you can see the list of health checks and the overall status - Passed, Warning or Errors. You can expand on each of the tests to see the individual tests within each.



vSAN Health Check - Ask VMware


Another really useful aspect of the health check is the fact that every test has an "Ask VMware" link. For those of you not familiar with Ask VMware, these links will take administrators directly to a VMware knowledge base article detailing the purpose of the test, reasons why it might fail, and what can be done to remediate the situation. If any of the tests fail, administrators should always click on the Ask VMware button and read the associated KB article. In many cases, steps toward finding a resolution are offered. In others cases, administrators are urged to contact VMware support for further assistance.

1. Expand the Hardware compatibility Test and select Controller is VMware Certified for ESXi Release.  

Here, you can see the information about whether there is any driver supported for a given controller in the release of ESX installed.

ATTENTION - This lab is not connected to the internet and we cannot access the VMware Knowledge base system.



vSAN HCL Health


The Virtual SAN HCL health (HCL is short for hardware compatibility list) verifies that the storage controller hardware and driver version are on the HCL and are supported for this version of vSAN. If the controller or driver is not on the HCL, or are not supported for this version of vSAN (namely the ESXi version on which vSAN is running), then the health check displays a warning.

Another check is to verify that the Virtual SAN HCL DB is up-to-date. In other words, the checks that you are running are against a valid, up-to-date version of the HCL database.



HCL Database Update


In order to verify that the Virtual SAN HCL Database is up-to-date select Hosts and Cluster > RegionA01-COMP01 and navigate to Configure > vSAN > Health and Performance.

Since the HCL is updated regularly and frequently, administrators should update the local version of the database of these checks. This can be done online (if your vCenter Server has access to the VMware.com) or alternatively if your vCenter Server is not online, you can download a HCL DB file, and update it. To update the version of the HCL DB online, simply click on the "Update from file" or "Get latest version online" as shown in the health check test.


vSAN Intelligent Operations with vROps

In this section, you will view the vRealize Operations Manager Dashboards that are used to monitor the your vSAN environment.


With every release of vRealize Operations Manager (vROps), a massive effort is made to integrate the various products of VMware into the platform out of the box to provide you a seamless experience and quick time to value. With vROps 6.6, the solution is extended further to integrate monitoring and management of other VMware products such as vSAN.

What's new highlights:


Open Chrome


Open Google Chrome from your Windows Quick Launch Task Bar



Login as admin to vRealize Operations Manager.


  1. Select Local Users
  2. Enter admin as the username
  3. Enter the password VMware1!
  4. Click Log In



Viewing vSAN Dashboards


The Dashboard screen contains all the out of the box dashboards as well as any custom dashboard created for your environment. In this section, we will explore all the "out of box" dashboards for vSAN.

  1. To access the dashboard page, click on Dashboards from the top menu
  2. A list of all the dashboards for vSAN should be available on the left-pane
  3. If you are missing the vSAN dashboards, you can enabled them by selecting each one from the list under All Dashboards.
  4. Select the vSAN Operations Overview



Dashboard - vSAN Operations Overview


vSAN operations overview is an easy way of looking at aggregate health and performance of the vSAN clusters. From this dashboard you can get a holistic view of your vSAN environment and what components make up that environment.  You can also see the growth trend of virtual machines which are being served by vSAN. Along with the bigger picture, you can view the key properties of each of your vSAN clusters on this dashboard.

The dashboard allows you to dive into any of this cluster by selecting it and looking at the cluster wide Performance, Utilization and Capacity statistics. The dashboard also provides you a trend of know issues which might have occurred specific to your vSAN environments.

Feel free to explore the dashboard to see the range of data collected.  



Dashboards - vSAN Capacity Overview


Next we will explore the vSAN Capacity Overview.

  1. Select All Dashboards from the Dashboard page
  2. From the Capacity & Utilization option you can select vSAN Capacity Overview



Exploring vSAN Capacity Overview


  1. Select vSAN Cluster (RegionA01-COMP01)  from the list of vSAN Clusters.

The vSAN Capacity Overview simplifies vSAN capacity management by providing you an out of the box aggregation of capacity contributors and utilization for all your vSAN clusters. It provides transparency into your return on investments on all flash vSAN array by showing the storage savings achieved due to deduplication and compression.  Since people mostly think of clusters when they think of capacity, the dashboard provides you the capability to drill down into each of the clusters to view the capacity remaining and time remaining before you run out of storage based on past utilization trends.

This dashboard provides you information around how evenly the capacity of each of the disks within the vSAN cluster is being utilized, giving you a sense of how evenly loaded the disks are. While vSAN runs internal rebalance algorithms to keep the disks balanced for best performance, an admin could also manually trigger the rebalance if they see too much variance in disk utilization.

Note: Since we had you enable vSAN as part of the previous module, vROps has not had the necessary time to gather data to report on.  We are demonstrating data we gathered previously for you to view here.



Open the Troubleshooting vSAN Dashboard


  1. Navigate to All Dashboards
  2. Select Performance Troubleshoot
  3. Open Troubleshoot vSAN



Troubleshoot vSAN Dashboard


The Troubleshoot vSAN dashboard is designed specifically to cater to the needs of a vSAN administrator. Once you have identified that you have a potential problem with your vSAN environment, you can come to this dashboard to conduct a fish bone analysis by using the rule of elimination.

The dashboard will list all your vSAN clusters along with the key inventory details which will provide you an overview of the key properties of your cluster. Once you select a cluster, you can list all the known problems with all the objects that are associated to that cluster. This includes, clusters, datastores, disk groups, physical disks and, most importantly, the virtual machines which are being served by the selected vSAN cluster.

The dashboard then drills down into the key utilization and performance metrics and shows you a trend of how the cluster has been used and has performed in the last 24 hours. You can easily go back in time if you are dealing with historical issues.



Logout of vROps




In this module you explored VMware vSAN using the vSphere web client. We discussed the requirements to enable vSAN and how to manage and monitor your vSAN infrastructure using both the vSphere web client as well as vROps.


You've finished Module 3

Congratulations on completing  Module 3.

If you are looking for additional information on VMware vSAN, try one of these labs:

Proceed to any module below which interests you most.



How to End Lab


To end your lab click on the END button.  


Module 4 - Network Virtualization - NSX 6.2 (30 minutes)


Learn how easy it is to extend virtualization to your network environment by enabling VMware NSX.

This Module contains the following lessons:

VMware NSX Overview

In this section, we will provide a quick overview about VMware Networking and Virtualization and its primary use cases.

VMware NSX® is foundational to the software-defined data center and completes the virtualization infrastructure, enabling IT to move as fast as the business demands without compromising the security or availability of critical applications. NSX embeds networking and security functionality typically handled in hardware directly into the hypervisor, delivering the operational model of a virtual machine for networking and security and unlocking the ability for IT to move at the speed of business.


Abstracting Networking Hardware

Most organizations have already virtualized compute components in their data centers, with the overwhelming majority virtualizing 50% to 100% of their servers. In addition, as discussed in module 3, businesses have made the decision to virtualize storage, with more than 70% of businesses having already adopted or planning to adopt software-defined storage. This abstraction of functionality from hardware into software enables businesses to quickly provision applications, move virtual systems across and between data centers, and automate a number of processes. Unfortunately, a number of these benefits are still anchored to data center components that have been slow to evolve, and are still constrained to the one piece of the data center infrastructure that has not been virtualized: networking. The full value of the software-defined data center still remains completely unavailable to most organizations because of this legacy.

A fundamentally new approach to the network infrastructure is needed — one that no longer demands compromises between speed and security or between security and agility. The rules of the data center that have held businesses back from unleashing their full potential need to be rewritten to enable IT to perform without compromises. As thousands of businesses have now realized, network virtualization is that new approach.



Building your modern IT Infrastructure with VMware NSX

By moving network and security services into the data center virtualization layer, network virtualization enables IT to create, snapshot, store, move, delete, and restore entire application environments with the same simplicity and speed that they now have when spinning up virtual machines. This, in turn, enables levels of security and efficiency that were previously infeasible. VMware NSX is the network virtualization platform of the software defined data center. It takes the functionality that was formerly embedded in network hardware—such as switching, routing, and firewalling—and abstracts it to the hypervisor. By doing this, NSX creates what can be thought of as a “network hypervisor” that is distributed throughout the data center. With it, IT is able to become an enabler of innovation for the organization, effectively saying “yes” to multiple stakeholders instead of treating their requests as competing and mutually exclusive. Not only is IT now able to provide unprecedented levels of security; it is able to do so at a speed that keeps pace with the demands of the organization. The continuity of applications, automation of manual IT processes, and critical security of the data center are all able to work in harmony with business-driven time constraints and schedules in a way that significantly reduces operational complexities and associated costs.




Traditional hardware-defined solutions rely on placing rigid security constructs primarily on the data center perimeter, leaving the inside of the data center unguarded. By contrast, NSX enables a fundamentally-more secure data center by integrating virtualized security and distributed firewalling directly into the infrastructure. This creates policy enforcement points for every workload. For the first time, it is operationally feasible to provide granular security with policies that travel with the workloads, independent of where workloads are in the network topology. This dramatically reduces risk to the business by enabling security actions to adapt quickly to changing threats, while significantly simplifying the operational model for security.





Automation is at the heart of IT agility and consistency, which in turn significantly improve overall operational savings. However, IT organizations that are still constrained by hardware are not able to implement a meaningful automation strategy that meets the often competing goals of the organization. Networking hardware in particular depends heavily on error-prone manual configuration and maintenance of a sprawling library of scripts. The result is a labor-intensive process that impacts IT’s ability to support the business as it moves quickly to seize emerging opportunities. NSX completely removes this hardware-centric barrier to the automation of networking operations. By moving networking and security services into the data center virtualization layer, NSX delivers the same automated operational model of a VM, but for the entire network. Whether through VMware vRealize Automation, OpenStack, or other tool, NSX is able to automate a number of processes, significantly accelerating service delivery and reducing provision times from months to minutes. The positive business impacts of this cannot be overstated and include dramatically-reduced operational complexity and cost, as well as improved governance, compliance, and consistency.




Application Continuity


Whether for disaster recovery or for pooling of data center resources, application continuity is a top priority for IT. However, due to network complexities and an inflexible infrastructure, the ability to move workloads quickly between data centers or to pool data center resources across multiple locations has been out of reach for most organizations. Moving workloads seamlessly requires matching network and security configurations across multiple domains. With hardware-based networking, replicating networks in different domains is difficult to achieve, so critical tasks like disaster recovery remain slow and cumbersome. NSX enables organizations not only to move virtual machines between data centers, but also to move all of their associated networks and security policies. On a virtualized networking infrastructure, IT can now move live workloads running on a virtual machine between continents in just minutes without any interruption to the running application, achieving active-active data centers and immediate disaster recovery options. For the business, this means maximum application uptime, significant cost savings, cloud-scale service availability, and elimination of unplanned outages.


Exploring VMware NSX

In this section, we will explore how easy is to deploy NSX and how to use the vSphere Web Client to manage and monitor NSX. 

First lets take a look at the system architecture for NSX.


NSX Network virtualization platform comprises of various components includes the NSX vSwitch, which is a part of the hypervisor and is a termination point for overlay networking, a controller that programs the various components and basically is the system control plane providing API based access from NSX manager. The controller is capable of even providing extensions to 3rd party partners.


Easy of deployment




Open Chrome


1. Click on the Chrome Icon on the Windows Quick Launch Task bar



Navigate to vSphere Web Client Home Page


Once logged in, you will be presented with the vSphere Web Client Home Page.

You can minimize or maximize the Recent Tasks, Alarms and Work In Progress panes by clicking the pin.



Navigate to the Networking & Security Section in the Web Client


Select the Home icon on the top of the page, and select Home, and then select "Networking & Security"



View the deployed components


1. Click on Installation

You will notice that NSX Manager is installed. The NSX Manager controls all the NSX components and provides a centralized management plane across the datacenter, as well as the management UI and APIs for NSX. The NSX manager is installed as a virtual appliance and integrates with the vSphere Web Client for consumption within the web management platform.

Along with providing the management APIs and a UI for administrators, the NSX manager component installs a variety of VIBs to the hosts when initiating host preparation. These VIBs are VXLAN, Distributed routing, Distributed Firewall and a user world agent.

The benefit of leveraging a VMware solution is that access to the kernel is much easier to obtain. With that VMware provide the distributed firewall function and distributed routing function in-kernel. This provides extremely in kernel function processing without the inadequacies of traditional user space or physical firewall network architectures.

There are also the NSX controllers nodes, which support the VXLAN and Distributed routing functions



Host Preparation


1. From the Installation page, select Host Preparation.

2. Within the Clusters & Hosts page, click on expand for both RegionA01-COMP01 and RegionA01-MGMT01 clusters

In this page, we can see that the data plane components, which included the Distributed Firewall, VXLAN and Distributed Routing, are all installed and enabled on all vSphere hosts.


Use Case - NSX Distributed Firewall

In this section, we will walk you through the process of deploying NSX distributed firewall to protect a three tier application using NSX DFW.

As discussed before, traditional hardware-defined solutions rely on placing rigid security constructs primarily on the data center perimeter, leaving the inside of the data center unguarded. By contrast, NSX enables a fundamentally-more secure data center by integrating virtualized security and distributed firewalling directly into the infrastructure.  

This functionality is called NSX Distributed Firewall (DFW). DFW is a hypervisor kernel-embedded firewall that provides visibility and control for virtualized workloads and networks. You can create access control policies based on VMware vCenter objects like datacenters, clusters, and virtual machine names; network constructs like IP or IPSets, VLAN (DVS port-groups), VXLAN (logical switches), security groups, as well as user group identity from Active Directory. Firewall rules are enforced at the vNIC level of each virtual machine to provide consistent access control even when the virtual machine gets vMotioned. The hypervisor-embedded nature of the firewall delivers close to line rate throughput to enable higher workload consolidation on physical servers. The distributed nature of the firewall provides a scale-out architecture that automatically extends firewall capacity when additional hosts are added to a datacenter.

Micro-segmentation is powered by the Distributed Firewall (DFW) component of NSX. DFW operates at the ESXi hypervisor kernel layer and processes packets at near line-rate speed. Each VM has its own firewall rules and context. Workload mobility (vMotion) is fully supported with DFW, and active connections remain intact during the move. This advanced security capability makes the data center network more secure by isolating each related group of virtual machines onto a distinct logical network segment, allowing the administrator to firewall traffic traveling from one segment of the data center to another (east-west traffic). This limits attackers’ ability to move laterally in the data center.


Protecting our 3-tier web app with NSX


Next, we will leverage our simple 3-tier web app to demonstrate how to leverage NSX DFW to control communication between the different virtual machines. All three virtual machines are running in the same "production" VLAN" and the following communication should be allowed:




Testing our 3-Tier App


Using our Chrome Web Browser open our 3-tier web app.

1. Click on the Chrome Icon on the Windows Quick Launch Task bar


From your browser click on the bookmark 3-Tier App open up the 3-Tier App in the browser tab.


The Customer Database Access Application will load. To test the application enter in the Name Filter box "Virtucon" and click Apply

The application should query the database and only show the row with the name of Virtucon.



Open the vSphere Web client using the same Google Chrome session


Using the same Chrome browser open a new tab and log in to vCenter

Login using the administrator@vsphere.local username and VMware1! password.



Test 3-tier VM to VM Connectivity using Putty


Click on the PuTTY shortcut on the desktop taskbar


  1. Select web-01a.corp.local
  2. Click on Load
  3. Click on Open



Ping from web-01a to other 3-tier members


First you will show that web-01a can ping app-01a by entering

ping -c 2 app-01a

Now test connectivity between web-01a to db-01a

ping -c 2 db-01a

(Note: You might see DUP! at the end of a Ping line.  This is due to the nature of the virtual lab environment using nested virtualization and promiscuous mode on the virtual routers. You will not see this in production.)

Don't close the window yet.  For now, minimize it for later use.



Change the default firewall policy from Allow to Block

In this section you will change the default Allow rule to Block and show communication to the 3-tier application to be broken. After that you will create new access rules to re-establish communication in a secure method.




Examine the Default Rules


  1. Expand the section using the drop down arrow 

Notice the Rules have green check marks.  This means a rule is enabled.  Rules are built in the typical fashion with source, destination, and service fields.  Services are a combination of protocols and ports.  

The last Default Rule is a basic any-to-any-allow.



Explore the Last Default Rule


Scroll to the right and you can see the Action choices for the Default Rule by placing the cursor in the field for Action:Allow.  This will bring up a pencil sign that allows you to see the choices for this field.



Change the Last Default Rule Action from Allow to Block


  1. Select the Block action choice and select
  2. Click Save 



Publish the Default Rule changes


You will notice a green bar appears announcing that you now need to choose either to Publish Changes, Revert Changes or Save Changes.  Publish pushes to the DFW.  Revert cancels your edits.  Save Changes allows you to save and publish later.



Verify the Rule change blocks communication


To test the block rule using your previous Putty and browser sessions



Verify the Rule blocks https using Web Browser


  1. Navigate to the Browser Tab for the 3-Tier App. If you closed the tab by mistake, open the Chrome web browser and try accessing the 3-tier-app by clicking on the bookmark or refreshing the web-page.
  2. You will get an error that this site can be reached. This is the expected behavior because of the firewall rules created on NSX.



Create 3-Tier Access Rules using NSX DFW

Make sure you are still connected to the vSphere Web Client by navigating to the vSphere web client TAB. If no, open Google Chrome again and login to the vSphere Web Client


From the vSphere Web Client open the Networking & Security page and navigate to  Firewall > Configuration



Create New Firewall Section


  1. On the far right of the "Default Section Layer3 (Rule 1 - 3)" row click on Add Section which looks like a folder



Add New Rule Section for 3-Tier Application


  1. Name the section"3-tier App"
  2. Select Add section above
  3. Click Save



Add Rule to New Section


  1. On the row for the new "3-tier App" section click on the Add rule icon which is a green plus-sign.



Edit New Rule name


  1. Click the Drop down arrow to open the rule
  2. Hover to the upper right corner of the "Name" field until a pencil icon appears, then click on the pencil



Edit New Rule name cont


  1. Enter "Ext to Web" for the name
  2. Click Save



Set Rule Source and Destination


Source:Leave the Rule Source set to any.

  1. Hover the mouse pointer in the Destination field and select the Destination pencil sign.



Set the Destination



  1. Pull down the Object Type and scroll down until you find Virtual Machine
  2. Click on web-01a
  3. Click on the top arrow to move the object to the right
  4. Click OK



Edit Service


  1. Again hover in the Service field and click on the pencil sign.  



Set Rule Service


In the search field you can search for service pattern matches.  

  1. Enter "https" and press enter to see all services associated with the name https
  2. Select the simple HTTPS service
  3. Click on the top arrow
  4. Note: Repeat the above steps 1-3 to find and add SSH.  (You will see later in the module that we need SSH.)
  5. Click OK

Note: This will cause the green bar with the option to publish or revert changes.

DO NOT Publish yet, as you have more rules to make.



Create Rule to Allow Web-01a to communicate with App-01a


You will now add a second rule to allow the Web-01a virtual machine to communicate with App-01a. By design the web app should only communicate with the application server and not be able to communicate with the database server.

  1. Start by opening the pencil sign next to the rule 1 you just created
  2. You want this rule to be processed below the previous rule so choose Add Below from the drop down box



Create Second Rule Name and Source Fields


  1. As you did before hover the mouse over the Name field and click the plus-sign.  Enter "Web to App" for the name
  2. Hover the mouse pointer in the Source field and select the Source pencil sign.



Set the Source Field


  1. Pull down the Object Type and scroll down until you find Virtual Machine
  2. Click on web-01a
  3. Click on the top arrow to move the object to the right
  4. Click OK



Create Second Rule Destination


  1. Hover over the Destination Field
  2. Click the pencil to edit.



Create Second Rule Destination Field: Choose your App-01a Virtual Machine


  1. Scroll down in the Object Type drop-down and click on Virtual Machine choice
  2. Select app-01a
  3. Click on the top arrow to move the object to the right
  4. Click OK



Create Second Rule Service


  1. Hover over the Service Field and click the pencil to edit.



Create Second Rule Service Field: New Service


The 3-tier application uses tcp port 8443 between the web and app tiers.  You will create a new Service called MyApp to be the allowed service.

  1. Click on New Service
  2. Enter MyApp for the new service name
  3. Select TCP for the Protocol
  4. Enter 8443 for the Port number
  5. Click OK and OK again in the main Specify Service page



Create Third Rule: Allow the App-01a to communicate with Db-01a


Repeating the steps: On your own create the third and last rule below your last rule to give access between the App-01a and the Db-01a.

  1. Create the final rule allowing the App virtual machine to communicate with the Database virtual machine via the predefined service for HTTP.  The service is predefined so you will only have to search for it rather than create it.

Your new rule should look like the one listed in the example.

  1. Publish Changes



Verify New Rule Allow 3-Tier Application Communication


  1. Return to the tab you used previously for the 3-Tier App
  2. Refresh the browser to show you are getting the data via the 3-tier app.

Your new "3-tier App" section allows access to the application.



Open Putty Session to web-01a to test communication between vms


If you closed your previous  Putty session, open it again from the Windows Quick Launch Task Bar.

  1. Select web-01a.corp.local virtual machine
  2. Click Load
  3. Click Open



Ping Test Between the virtual machines

Try to ping 3-tier application guest VMs.

ping -c 2 app-01a

ping -c 2 db-01a

Pings are not allowed and will fail as ICMP is not allowed between tiers or tier members in your rules.  Without allowing for ICMP between the tiers the Default Rule now blocks all other traffic. The only traffic allowed is required for the application to work properly.




Please close Putty, and then select "Administrator@CORP.LOCAL" from the top right-hand side of the screen, and click "Logout".


Go ahead and close your browser.


NSX Intelligent Operations with vROps

In this section, you will view the vRealize Operations Manager Dashboards that are used to monitor the NSX Environment.

Using vROps, you can add intelligent operations to your NSX deployment providing analytics, correlation,  predictive capacity, and visualization capabilities to virtual networks.  Coverage includes configuration assurance, health, performance,  capacity, and troubleshooting for NSX logical switches, logical routers,  edge services, distributed firewall and load balancers. At a glance,  the NSX operations team can detect a configuration problem, troubleshoot  a connectivity issue, see the impact of any unhealthy vSphere  condition, and/or drill into many of the NSX objects for deeper  troubleshooting.

What's new highlights:


Login to vRealize Operation Manager



Viewing NSX Dashboards


The Dashboard screen contains all the out of the box dashboards as well as any custom dashboard created for your environment. In this lab we will explore all the "out of box" dashboards for NSX.

  1. To access your dashboard page click on Dashboards from the top menu
  2. A list of all the dashboards for NSX should be available on the left-pane
  3. If you are missing the NSX dashboards, you can enabled them by selecting each one from the list under All Dashboards.
  4. For our next step select the NSX-vSphere Main



Dashboards - NSX-vSphere Main


1. Select nsxmgr-01a from the NSX-vSphere Environments

An overview of the health of the network objects (network traffic information and NSX-related open alerts) are displayed. You can monitor key components such as the overall health of your NSX manager and controllers, a heat map of each transport node registered with NSX. Top logical network by traffic and virtual machines.

Please explore the dashboards before continuing.




Open the NSX-vSphere Topology Dashboard


1. Select  All Dashboards dropdown menu

2. Navigate to NSX-vSphere

3. Open NSX-vSphere Topology



Explore the NSX-vSphere Topology Dashboard


The NSX-vSphere Topology dashboard provides you with details about the topology of a selected object, how it connects to the logical elements in the network, and a view of related alerts and metrics.  If you access the NSX-vSphere Topology dashboard directly from the menu bar, the Logical Topology widget and the Physical Topology widget do not display data. To display data in these widgets, in the Objects widget, click the object for which you want to view details. You can also locate the object by searching for it in the Search box on the right side of the widget.

Please explore this dashboard, and, if time allows, go ahead and explore the other two dashboards NSX-vSphere Object Path and NSX-vSphere Troubleshooting



Logout of vROps


Please logout of vROps



In this module, you explored VMware NSX. We discussed the requirements to enable NSX, how to manage using the vSphere web client and how to deploy security firewall using NSX DFW. It was also covered in this module how to use vROps to monitor your NSX deployment.


You've finished Module 4

Congratulations on completing Module 4.

If you are looking for additional information on VMware NSX, try one of these labs:

Proceed to any module below which interests you most.



How to End Lab


To end your lab click on the END button.  



Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1845-01-SLN

Version: 20171215-212342