VMware Hands-on Labs - HOL-SDC-1402


Lab Overview - HOL-SDC-1402 - vSphere Distributed Switch from A to Z

Lab Guidance


Please Read: Many of the modules will have you enter Command Line Interface (CLI) commands. A text file has been placed on the desktop of the environment allowing you to easily copy and paste complex commands or passwords in the associated utility (CMD, Putty, console, etc). Certain characters are often not present on keyboards throughout the world. This text file is also included for keyboard layouts which do not provide those characters.

The text file is HOL-SDC-1402 CLI Commands. The file is divided into Module Sections with the command or credentials for you to copy and paste.

Thank you and enjoy the labs!

vSphere 5.5 U1 introduces some key networking enhancements and capabilities to further simplify operations, improve performance and provide security in virtual networks. The vSphere Distributed Switch (VDS) is a centrally managed, datacenter-wide switch that provides advanced networking features on the vSphere platform. Having one virtual switch across the entire vSphere environment greatly simplifies management.

Lab Module List:

Note: It will potentially take more than 90 minutes to complete the lab. We request that you complete Modules 1, 2, 3 and 4 in your first sitting. Modules 5 & 6 can be completed in the second sitting. You can also take the modules in any order or even skip some of them.

Lab Captains: Randy Jones, Kevin Lubojacky


Module 1 - Migrating from a vSphere Standard Switch to the vSphere Distributed Switch (20 minutes)

Migrating to the vSphere Distributed Switch - Overview


In this lab we will migrate a host from a vSphere Standard Switch (VSS) to a vSphere Distributed Switch (VDS).

There are two methods of migration:

1: User Interface (UI) - This method uses a wizard that guides the user through the migration steps.

2: Host Profiles - This method allows us to grab the network configuration from a host and duplicate it on another host or group of hosts.

In this lab section we will migrate the first host with the UI based host migration wizard. We will then extract a host profile from the migrated host and use it to migrate a second host to the distributed switch.


 

vSphere Distributed Switch Architecture

 

A vSphere Distributed Switch functions as a single switch across all associated hosts. This enables you to set network configurations that span across all member hosts, and allows virtual machines to maintain consistent network configuration as they migrate across multiple hosts.

Like a vSphere Standard Switch, each vSphere Distributed Switch is a network hub that virtual machines can use. A vSphere Distributed Switch can forward traffic internally between virtual machines, or link to an external network by connecting to physical Ethernet adapters, also known as uplink adapters.

Each vSphere Distributed Switch can also have one or more distributed port groups configured. A distributed port group defines a common network configuration across a set of virtual ports. If users want a set of virtual machines to connect to a network with similar properties, those virtual machines should be connected to the same distributed port group. Each distributed port group is identified by a network label, which is unique within the datacenter. For example, in the diagram above there are three distributed port groups: Production, Test environment and XYZ.

This lab starts with a VSS with 3 port groups. We will create a VDS and configure it with 3 distributed port groups.

Management Network (A) - For Management traffic

Storage Network (A) - For Storage traffic

VM Network (A) - For VM traffic

These distributed port groups on the VDS have the same network properties defined on the VSS port groups.

Once we have a VDS to work with, we will then migrate the first host from VSS to VDS with the UI based migration wizard and the second host using Host Profiles.

 

Create a new vSphere Distributed Switch


In this lab section we will first investigate the state of the network on our hosts and then we will create a new vSphere Distributed Switch.


 

Password and Command Line Help File

 

Look for a text file on the ControlCenter Desktop named README.txt

This file contains all of the passwords and long command line entries found in this lab.

If needed, you can use this file for copying and pasting passwords and command line text into the lab environment.

Tip: Use the method of highlighting text and right-mouse clicking to copy and paste for consistency as the keyboard combinations ctrl-c and ctrl-v do not work on all keyboard types.

 

 

Launch Firefox from the ControlCenter Desktop

 

Double click the Firefox icon on the ControlCenter Desktop

 

 

Login to the vCenter Console

 

Login to the VMware vSphere Web Client

  1. User name: root
  2. Password: VMware1!
  3. Click Login

 

 

Navigate to vCenter

 

Click on the vCenter tab in the left hand navigation pane

 

 

Navigate to Hosts and Clusters

 

Click on the Hosts and Clusters tab in the left hand navigation pane

 

 

Usability Tip (Optional) - Unpinning the right hand pane to maximize viewable screen space

 

Click on the thumbtack icon on the top right to unpin the right hand pane and allow it to minimize

 

 

Usability Tip (Optional) - Minimizing the right hand pane to maximize viewable screen space

 

Notes:

1: Click on the thumbtack icon again to re-pin the pane and stop it from minimizing

2: Roll over the minimized pane to expand it

 

 

Observe the networking configuration of esx-01a.corp.local

 

  1. Click the arrows to expand vCenter -> Datacenter -> Cluster Site A and reveal the list of hosts
  2. Click on esx-01a.corp.local in the left hand navigation pane
  3. Click on Manage
  4. Click on Networking
  5. Click on Virtual switches
  6. Observe that esx-01a.corp.local has one standard vSwitch labeled vSwitch0
  7. Observe that esx-01a.corp.local has one port group named VM Network and that there is a VM labeled W2k8_base attached to that port group

 

 

Observe the networking configuration of esx-01a.corp.local

 

  1. Click on VMkernel adapters
  2. Observe that vSwitch0 has two VMkernel NICs

vmk0 | Management Network

vmk1 | Storage Network

Note: esx-02a.corp.local has an identical network configuration with the minor exception that there is a different VM attached to its VM Network port group. If time allows, and you are interested, feel free to switch over to host esx-02a.corp.local and observe its networking.

 

 

Click on VMs and Templates

 

Click on the VMs and Templates icon

 

 

Check to see if the W2k8_base VM is powered on

 

  1. Click on the arrow to the left of Datacenter Site A to show the list of VMs and Templates
  2. Observe the W2k8_base VM. It should be running (There should be a green triangle to the left of the VM name)

Note: If the W2k8_base VM is not running, please start it now. (We will need it later on in the lab)

 

 

Power on the W2k8_base VM (ignore this step if the VM is already powered on)

 

  1. Ensure that the W2k8_base is selected in the left hand navigation pane
  2. Click Actions
  3. Click Power On

 

 

Navigate to Networking

 

We will now head on over to networking and create a new VDS

Click on the Networking icon

 

 

Create a New Distributed Switch

 

  1. Click on Datacenter Site A  (Note: There is an existing VDS in this Datacenter named vds-site-b which will be used in different sections of this lab.)
  2. Click on Actions
  3. Select New Distributed Switch... from the context menu

 

 

New Distributed Switch - Name and Location

 

  1. Type vds-site-a in the Name: field
  2. Click Next

 

 

New Distributed Switch - Select version

 

  1. Keep the default setting Distributed switch: 5.5.0
  2. Click Next

 

 

New Distributed Switch - Edit settings

 

1.     Number of uplinks: 4 (Default)

       Network I/O Control: Enabled (Default)

       Default port group: Unchecked. We do not want to create a default port group.

       Port group name: Greyed Out

2.     Click Next

 

 

New Distributed Switch - Ready to complete

 

Ensure that your settings match the following:

Name: vds-site-a

Version: 5.5.0

Number of Uplinks: 4

Network I/O Control: Enabled

Click Finish

 

 

Observe the new VDS

 

  1. Click on the arrow to the left of Datacenter Site A in the left hand navigation pane
  2. Click on the new VDS labeled vds-site-a in the left hand navigation pane
  3. Choose the Summary tab to see the details of our new VDS.
  4. Observe vDS Features

Note: The Features box on the right shows the advanced features that are available with the 5.5 version of the VDS.

 

 

Rename the uplink port group

 

1.     Expand the vDS by clicking on the arrow to the left of vds-site-a

2.     Click the uplink port group vds-site-a-DVUplinks-##

3.     Right click on the uplink port group

4.     Choose Rename... from the context menu

 

 

Rename the uplink port group

 

  1. Enter the new name: vds-site-a-corpnet-uplink
  2. Click OK

 

 

Create VDS Port Group - Management Network

 

  1. Click on the vds-site-a
  2. Click on the Manage tab
  3. Click Settings
  4. Click Topology
  5. Click on the create a new distributed port group icon

 

 

New Distributed Port Group - Select name and location

 

1.     Name: Management Network (A)

       Location: vds-site-a

2.     Click Next

 

 

New Distributed Port Group - Configure settings

 

Leave all port group settings at the default values

Port binding: Static binding (Default)

Port allocation: Elastic (Default)

Number of ports: 8 (Default)

Network resource pool: (default)

VLAN type: None (Default). Since this is a nested environment, VLAN tagging is not used. However, users can choose different VLANs for different distributed port groups to provide isolation.

Click Next

 

 

New Distributed Port Group - Ready to complete

 

Click Finish

 

 

Observe the new Management Port Group

 

Observe the new Management Network (A) port group

Note: You may need to click the arrow to the left of vds-site-a to reveal the new Management Network (A) port group

 

 

Create VDS Port Groups - VM Network

 

Click on the create a new distributed port group icon

 

 

New Distributed Port Group - Select name and location

 

1.     Name: VM Network (A)

       Location: vds-site-a

2.     Click Next

 

 

New Distributed Port Group - Configure settings

 

Leave all port group settings at the default values

Port binding: Static binding (Default)

Port allocation: Elastic (Default)

Number of ports: 8 (Default)

Network resource pool: (default)

VLAN type: None (Default)

Click Next

 

 

New Distributed Port Group - Ready to complete

 

Click Finish

 

 

Observe the new VM Network Port Group

 

Observe the new VM Network (A) port group

Note: You may need to click the arrow to the left of vds-site-a to reveal the new VM Network (A) port group

This concludes this portion of the lab. In the next portion of the lab we will migrate one of our hosts to the new VDS with the User Interface (UI)

 

User Interface (UI) based VSS to VDS Migration


In this section of the lab we will migrate a host to the VDS using the Add and Manage Hosts Wizard.

Using the Add and Manage Hosts Wizard we can migrate VMs without any loss of connectivity. We will illustrate this by initiating a continuous ping from a VM to the ControlCenter desktop and observing that no packets are dropped during the migration.


 

Switch over to VMs and Templates

 

Click on the VMs and Templates icon

 

 

Select the W2k8_base VM

 

  1. Click on the W2k8_base VM in the left hand navigation pane
  2. Click on the Summary tab

 

 

Ensure that the VM W2k8_base is fully powered on

 

The W2k8_base VM should be fully powered on by now. You can confirm this by observing the following in the VM's Summary tab

  1. Recent Tasks pane shows "Power On virtual machine" task successful
  2. Memory stats graphic shows in use memory as green
  3. VMware Tools reports "Running", DNS Name and IP Addresses fields are populated
  4. Console thumbnail is visible. Note: This may not become visible until the VM has been fully powered on for several minutes so there is no need to wait for this.

Note: You may need to refresh the interface to speed things along

 

 

Open a console session to the W2k8_base VM

 

Click on Launch Console

 

 

Logon to the console of the W2k8_base VM

 

  1. Click on the browser tab for W2k8_base
  2. Click on the Send Ctrl-Alt-Delete button
  3. Click in the password field and type the password VMware1!
  4. Click on the blue arrow to the right of the password field or press enter

 

 

Open a command prompt on the W2k8_base VM

 

  1. Click on Start
  2. Click on Command Prompt

Note: Due to the screen size and resolution you may have to scroll down to access W2k8_base's start menu.

 

 

Start a continuous ping to the ControlCenter Desktop

 

In the command prompt type

ping 192.168.110.10 -t

Press Enter

 

 

Switch back over to the vSphere Web Client browser tab

 

Click on the vSphere Web Client browser tab

 

 

Switch over to the Networking Tab

 

Click the Networking icon

 

 

Launch the Add and Manage Hosts Wizard

 

Now that we have our continuous ping running on our VM let's migrate the host that it's running on to the new VDS

  1. Ensure that vds-site-a is highlighted in the left navigation pane
  2. Select the Manage tab
  3. Click on Settings
  4. Click on Topology
  5. Click on the Add hosts to this distributed switch and migrate physical or virtual adapters icon

 

 

Add and Manage Hosts - Select task

 

  1. Select Add hosts (Default)
  2. Click Next

 

 

Add and Manage Hosts - Select Hosts

 

Click on the Green +

 

 

Add and Manage Hosts - Select new Hosts

 

  1. Select esx-01a.corp.local
  2. Click OK

Note: If your list is empty, log out and log back in to the vSphere Web UI. This fixes a known issue.

 

 

Add and Manage Hosts - Select hosts

 

  1. Ensure that (New) esx-01a.corp.local is in the list
  2. Click Next

 

 

Add and Manage Hosts - Select network adapter tasks

 

1.     Check Manage physical adapters (default)

       Check Manage virtual adapters (default)

       Check Migrate virtual machine networking. Note: Selecting this option allows users to migrate the virtual machines connected to the standard switch to a distributed switch. Please note there is no downtime while migrating virtual machines from VSS to VDS.

       Uncheck Manage advanced host settings (default)

2.     Click Next

 

 

Add and Manage Hosts - Manage physical network adapters

 

As you can see, all the vmnics are currently connected to vSwitch0, which is a vSphere Standard Switch. We will move these vmnics from the VSS to the VDS. To reduce lab time we will only assign vmnic0 and vmnic1 to VDS.

  1. Click on vmnic0
  2. Click on the Assign uplink icon

 

 

Select an Uplink for vmnic0

 

  1. Click on Uplink 1
  2. Click OK

 

 

Add and Manage Hosts - Manage virtual network adapters

 

  1. Click on vmnic1
  2. Click on the Assign uplink icon

 

 

Select an Uplink for vmnic1

 

  1. Click on Uplink 2
  2. Click OK

 

 

Add and Manage Hosts - Manage virtual network adapters

 

Observe that both vmnic0 and vmnic1 are to be migrated to the uplinks defined in the vDS Uplink Port Group.

vmnic0 (Assigned) - vSwitch0 - Uplink 1 - vds-site-a-corpnet-uplink

vmnic1 (Assigned) - vSwitch0 - Uplink 2 - vds-site-a-corpnet-uplink

Click Next

 

 

Manage virtual network adapters - Management Network

 

After assigning vmnics, the next step is to assign the virtual network adapters (vmknics) from the VSS port groups to the VDS distributed port groups.

  1. Click vmk0. As you can see vmk0 is the management network vmkernel NIC.
  2. Click on the Assign port group icon

 

 

Assign destination port group - Management Network

 

Connect vmk0 to the distributed port group created for management network.

  1. Click Management Network (A)
  2. Click OK

 

 

Manage virtual network adapters

 

1.     Ensure that all of your vSwitch port groups are reassigned to the proper VDS distributed port groups

       vmk0 (Reassigned) - vSwitch0 - Management Network - Management Network (A)

       vmk1 - vSwitch0 - Storage Network - Do not migrate

       Note: Under normal circumstances we would migrate all of the VSS port groups to the VDS. In order to keep the lab time manageable we are going to leave the Storage Network attached to the VSS.

2.     Click Next

 

 

Add and Manage Hosts - Analyze impact

 

Click Next

 

 

Add and Manage Hosts - Migrate VM Networking

 

After migrating the VMkernel NICs it is time to migrate the virtual machines from the VSS to the VDS. In this example we have a Windows virtual machine named W2k8_base running on host esx-01a.corp.local.

  1. Click on W2k8_base
  2. Click on the Assign port group icon

 

 

Add and Manage Hosts - Migrate VM Networking - Select Network

 

  1. Click VM Network (A)
  2. Click OK

 

 

Add and Manage Hosts - Migrate VM Networking

 

Ensure that all VMs are mapped to the VM Network (A) on the vDS

W2k8_base - VM Network (A)

Click Next

 

 

Add and Manage Hosts - Ready to complete

 

Click Finish

 

 

Observe that host esx-01a was migrated to the VDS

 

Click on the arrows to expand the different sections of the VDS Topology

Now that we have migrated the host to the new VDS, let's check back on our VM and its continuous ping to ensure that we didn't lose connectivity during the migration.

 

 

Observe that the W2k8_base VM maintained connectivity throughout the migration

 

  1. Click on the W2k8_base browser tab
  2. Scroll up on the continuous ping and observe that no packets were dropped during the migration
  3. Press Ctrl-C to stop the continuous ping
  4. Observe the number of packets lost (It should be 0)

This concludes this portion of the lab. In the next section we will use host profiles to migrate another host to the VDS

 

Host Profiles based VSS to VDS migration


In this lab section we will extract a host profile from the host we migrated to the VDS in the previous step and then apply that host profile to another host. This host profile method helps in an environment where you have a large number of hosts that you need to migrate to VDS.


 

Switch back over to the vSphere Web Client

 

Click on the vSphere Web Client browser tab

 

 

Switch over to the Home View

 

Click on the Home icon

 

 

Select Host Profiles

 

Click on the Host Profiles icon

 

 

Extract Profile from Host

 

Click on the Green plus sign to Extract Profile from a host

 

 

Extract Host Profile - Select Host

 

  1. Click on esx-01a.corp.local (Make sure to select esx-01a.corp.local as it is not always the first in the list)
  2. Click Next

 

 

Extract Host Profile - Name and Description

 

  1. Name: VDS Host Profile
  2. Description: Host Profile extracted from esx-01a.corp.local after it was migrated to the VDS.
  3. Click Next

 

 

Extract Host Profile - Ready to complete

 

Click Finish

 

 

Wait for the Host Profile extraction to complete

 

Watch the Recent Tasks pane to see the status of the Create a host Profile task

When the process is complete you will see the new host profile show up in the Objects pane (You may select the refresh button if the browser does not refresh automatically)

 

 

Attach the newly created host profile to the host esx-02a.corp.local

 

Click on the Attach/Detach a host profile from hosts and clusters icon

 

 

VDS Host Profile - Attach/Detach Hosts and Clusters - Select Hosts/Clusters

 

  1. Click the arrow to the left of Cluster Site A to show the list of hosts in the cluster
  2. Click on esx-02a.corp.local (Note: Be careful to choose the right host as the order can change.)
  3. Click Attach

 

 

VDS Host Profile - Attach/Detach Hosts and Clusters - Select Hosts/Clusters

 

  1. Ensure that esx-02a.corp.local appears in the right hand side pane
  2. Click Next

 

 

VDS Host Profile - Attach/Detach Hosts and Clusters Customize Hosts

 

Note: Leave the MAC Address field blank. vSphere will generate a MAC address for this interface.

  1. esx-02a.corp.local | Host IPv4 address | vds-sitea:Management Network = 192.168.110.52
  2. esx-02a.corp.local | Subnet Mask | vds-sitea:Management Network = 255.255.255.0
  3. Click Finish

 

 

Check esx-02a for host profile compliance

 

Click VDS Host Profile

 

 

View Related Objects

 

Click on the Related Objects tab

 

 

Check Host Profile Compliance

 

Click on Actions -> All vCenter Actions -> Host Profiles -> Check Host Profile Compliance

 

 

Observe the host profile compliance status of esx-02a.corp.local

 

Click esx-02a.corp.local

 

 

Observe the host profile compliance status of esx-02a.corp.local

 

  1. Click the Summary tab
  2. Scroll down until you can see the Host Profile Compliance widget.
  3. Expand the Host Profile Compliance widget by clicking on the maximize icon in the top right hand corner of the widget.

 

 

Observe the host profile compliance status of esx-02a.corp.local

 

Click on the VDS Host Profile tab to return to the host profile view

 

 

Put esx-02a.corp.local into maintenance mode

 

Click the maintenance mode icon

 

 

Confirm Maintenance Mode

 

  1. Uncheck the box to Move powered-off and suspended virtual machines to other hosts in the cluster
  2. Click OK

 

 

Remediate esx-02a.corp.local to be compliant with the host profile

 

Wait for esx-02a.corp.local to enter maintenance mode

Click on Actions -> All vCenter Actions -> Host Profile -> Remediate

 

 

VDS Host Profile - Remediate host based on host profile - Customize hosts

 

Click Next

 

 

VDS Host Profile - Remediate host based on host profile - Review Remediation Tasks

 

  1. Click on the arrow to reveal the remediation tasks for esx-02a.corp.local
  2. Click Finish

 

 

Wait for the host configuration changes to complete

 

Watch the Recent Tasks pane for the Check Compliance and the Apply host configuration tasks to complete

 

 

Exit maintenance mode on host esx-02a.corp.local

 

Click the Exit maintenance mode icon

 

 

Review the Host Profile Compliance status of esx-02a.corp.local

 

Click esx-02a.corp.local

 

 

Review the Host Profile Compliance status of esx-02a.corp.local

 

Observe that the Non Compliance message is gone. You may also notice that on the left side there is now 1 Distributed Switch assigned.

You may also go to Monitor and then Events to see the "Host is in compliance with the attached profile" message.

 

 

Observe the Networking changes to host esx-02a.corp.local

 

  1. Click Manage
  2. Click Networking
  3. Click Virtual switches
  4. Click vds-site-a
  5. Observe that the Management Network and the VM Network have been migrated to the VDS

We have now effectively migrated host esx-02a.corp.local to the VDS using host profiles

This completes this portion of the lab.

 

Module 2 - Implementing Quality of Service (QoS) Tagging & Traffic Filtering on the VDS (20 minutes)

Implementing Quality of Service (QoS) Tagging


Two types of QoS marking/tagging common in networking are 802.1p (CoS), applied to Ethernet (Layer 2) frames, and Differentiated Services Code Point (DSCP) marking, applied to IP packets. The physical network devices use these tags to identify important traffic types and provide Quality of Service based on the value of the tag. As business critical and latency sensitive applications are virtualized and run in parallel with other applications on ESXi hosts, it is important to enable traffic management and tagging features on the VDS.

The traffic management feature on the VDS helps reserve bandwidth for important traffic types, and the tagging feature allows the external physical network to understand the level of importance of each traffic type. It is a best practice to tag the traffic near the source to help achieve end-to-end Quality of Service (QoS). During network congestion scenarios, the tagged traffic doesn’t get dropped which translates to a higher Quality of Service (QoS) for the tagged traffic.

VMware has supported 802.1p tagging on the VDS since the vSphere 5.1 release. The 802.1p tag is inserted in the Ethernet header before the packet is sent out on the physical network. In the 5.5 release, the DSCP marking support allows users to insert tags in the IP header. The IP header level tagging helps in layer 3 environments, where physical routers prefer the IP header tag to the Ethernet header tag.

Once the packets are classified based on the qualifiers described in the traffic filtering section, users can choose to perform Ethernet (Layer 2) or IP (Layer 3) header level marking. The markings can be configured at the port group level.


 

Where is the DSCP tag field in the packet?

 

In this lab module we will implement DSCP tagging on all egress traffic on the VM Network Port Group.

We will then capture some traffic passing through the VDS and observe the DSCP field in the packet header.

Note: These lab modules were designed to run independently and out of order. If you are going in order and just completed module #1 you can skip the first two steps.

 

 

Launch Firefox from the ControlCenter Desktop

 

Double click the Firefox icon on the ControlCenter Desktop

 

 

Password and Command Line Help File

 

Look for a text file on the ControlCenter Desktop named README.txt

This file contains all of the passwords and long command line entries found in this lab.

If needed, you can use this file for copying and pasting passwords and command line text into the lab environment.

Tip: Use the method of highlighting text and right-mouse clicking to copy and paste for consistency as the keyboard combinations ctrl-c and ctrl-v do not work on all keyboard types.

 

 

Login to the vCenter Console

 

Login to the VMware vSphere Web Client

User name: root

Password: VMware1!

Click Login

 

 

Select VMs and Templates

 

  1. Select Home
  2. Click on the VMs and Templates icon

 

 

Power on a VM on the host esx-04a

 

  1. Expand Datacenter Site A
  2. Right-click on W12-core
  3. Select Power On

 

 

Select Networking

 

Click on Networking

 

 

Select the VM Network Port Group on vds-site-b

 

  1. In the left hand navigation pane navigate to vc-1-01a -> Datacenter Site A -> vds-site-b -> VM Network
  2. Click on the Manage tab
  3. Click on the Settings tab
  4. Click on the Edit button

 

 

VM Network - Edit Settings - Traffic filtering and marking

 

  1. Click on Traffic filtering and marking
  2. In the Status drop down box choose Enabled
  3. Click the Green + to add a New Network Traffic Rule

 

 

New Network Traffic Rule - Action

 

  1. In the Action: drop down box select Tag (default)
  2. Check the box to the right of DSCP value
  3. In the drop down box for the DSCP value select Maximum 63
  4. In the Traffic direction drop down box select Egress
  5. Click the Green +

 

 

New Network Traffic Rule - Qualifier

 

Now that you have decided to tag the traffic the next question is which traffic you would like to tag. There are three options available while defining the qualifier:

1) System Traffic Qualifier

2) New MAC qualifier

3) New IP Qualifier.

That means users have options to select packets based on system traffic types, MAC header or IP header fields. In this example we will create qualifier based on system traffic.

Select New System traffic Qualifier from the drop down menu

 

 

New Network Traffic Rule - New System Traffic Qualifier

 

Select Virtual Machine

Click OK

 

 

New Network Traffic Rule

 

Check that your rule matches

Name: Network Traffic Rule 1

Action: Tag

DSCP Value: Checked

DSCP Value: 63

Traffic Direction: Egress

System traffic: Virtual Machine

Click OK

 

 

VM Network - Edit Settings

 

Click OK

 

 

VMs and Templates

 

Click on the VMs and Templates icon

 

 

Ensure that the W12-core VM is fully powered on

 

The W12-core VM should be fully powered on by now. You can confirm this by observing the following in the VM's Summary tab

  1. In the left hand navigation pane select the W12-core VM
  2. Click on the Summary tab
  3. Memory stats graphic shows in use memory as green
  4. VMware Tools reports "Running", DNS Name and IP Addresses fields are populated
  5. Console thumbnail is visible. Note: This may not become visible until the VM has been fully powered on for several minutes so there is no need to wait for this.
  6. Click on the console thumbnail to open a console to the W12-core VM

Note: You may need to refresh the interface to speed things along

 

 

Switch to the W12-core console tab

 

  1. Click on the W12-core console tab
  2. Click the Send Ctrl-Alt-Delete button

 

 

Login to the W12-core VM

 

User: Corp\Administrator

Password: VMware1!

Click the arrow to the right of the password box or press Enter

 

 

Start a continuous ping from W12-core to the ControlCenter Desktop

 

Click in the command prompt box

Type ping -t 192.168.110.10

Press Enter

 

 

Launch WireShark from the ControlCenter Desktop

 

Click on the Wireshark icon in the task bar of the ControlCenter Desktop

 

 

Select an Interface to capture

 

Click on Interface List

 

 

Wireshark Capture Interfaces

 

  1. Check the box to the left of Local Area Connection   VMware vmxnet3 virtual network device (default)
  2. Click Start

 

 

Stop the Capture

 

Click the Stop the running live capture icon

 

 

Filter the capture for ICMP traffic

 

  1. In the Filter: box type icmp
  2. Click the Apply icon

 

 

Inspect an icmp packet

 

Click on any of the ICMP request packets from 192.168.110.142 (the W12-core VM)

Click the plus sign to the left of Internet Protocol version 4

Click the plus sign to the left of Differentiated Services Field

Observe the DSCP value of 63 (0x3f in hexadecimal)
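The DSCP value that Wireshark displays occupies the upper six bits of the IPv4 Differentiated Services byte, so a DSCP of 63 with no ECN bits set appears on the wire as the byte 0xfc. The following is an added example, not part of the original lab: it parses the 802.1p priority and the DSCP from raw Ethernet frames and lists the frames from the VM that lack the expected tag. The frames, MAC addresses and function names are constructed for illustration; only the IP addresses and the DSCP value come from the lab.

```python
import socket
import struct

ETH_P_8021Q = 0x8100  # an 802.1Q tag follows the two MAC addresses
ETH_P_IPV4 = 0x0800


def parse_qos_marks(frame: bytes) -> dict:
    """Return the 802.1p priority (None if untagged), DSCP and ECN of an Ethernet/IPv4 frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, pcp = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        pcp = tci >> 13                 # 802.1p priority: top 3 bits of the tag
        offset = 18
    if ethertype != ETH_P_IPV4:
        raise ValueError("not an IPv4 frame")
    if len(frame) < offset + 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, ds_field = struct.unpack_from("!BB", frame, offset)
    if version_ihl >> 4 != 4:
        raise ValueError("IP version is not 4")
    return {
        "pcp": pcp,
        "dscp": ds_field >> 2,          # upper 6 bits of the DS byte
        "ecn": ds_field & 0x03,         # lower 2 bits of the DS byte
        "protocol": frame[offset + 9],  # 1 = ICMP
        "src": socket.inet_ntoa(frame[offset + 12:offset + 16]),
        "dst": socket.inet_ntoa(frame[offset + 16:offset + 20]),
    }


def build_echo_frame(src, dst, dscp, pcp=None, ecn=0) -> bytes:
    """Constructed sample: Ethernet + IPv4 + ICMP echo request (checksums left at 0)."""
    l2 = bytes.fromhex("005056000002") + bytes.fromhex("005056000001")
    if pcp is not None:
        l2 += struct.pack("!HH", ETH_P_8021Q, pcp << 13)  # VLAN ID 0: priority tag only
    l2 += struct.pack("!H", ETH_P_IPV4)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 20 + len(icmp),
                     0, 0, 128, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return l2 + ip + icmp


def unmarked_frames(frames, vm_ip, expected_dscp):
    """Return (index, observed DSCP) for frames sent by vm_ip that lack the expected tag."""
    findings = []
    for index, frame in enumerate(frames):
        try:
            marks = parse_qos_marks(frame)
        except ValueError:
            continue  # non-IPv4 or truncated frames are out of scope for this check
        if marks["src"] == vm_ip and marks["dscp"] != expected_dscp:
            findings.append((index, marks["dscp"]))
    return findings


VM_IP = "192.168.110.142"        # W12-core, as shown in the capture step
CONTROL_IP = "192.168.110.10"    # ControlCenter Desktop
SAMPLE_CAPTURE = [               # constructed frames, not a real capture
    build_echo_frame(VM_IP, CONTROL_IP, dscp=63),
    build_echo_frame(CONTROL_IP, VM_IP, dscp=0),        # traffic toward the VM, not tagged here
    build_echo_frame(VM_IP, CONTROL_IP, dscp=0),        # as if the tagging rule were disabled
    build_echo_frame(VM_IP, CONTROL_IP, dscp=63, pcp=5, ecn=1),
]

if __name__ == "__main__":
    for number, raw in enumerate(SAMPLE_CAPTURE):
        print(number, parse_qos_marks(raw))
    print("frames from the VM without DSCP 63:", unmarked_frames(SAMPLE_CAPTURE, VM_IP, 63))
```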

Now that we have shown that we can tag packets let's investigate traffic filtering.

 

Implementing Traffic Filtering


Traffic filtering is the ability to filter packets based on the various parameters of the packet header. This capability is also referred to as Access Control Lists (ACLs), and it is used to provide port level security on the VDS.


 

Traffic Filtering Diagram

 

The VDS supports packet classification based on the following three different types of qualifiers:

1) System traffic qualifier

2) MAC qualifier

3) IP qualifier

Once the qualifier is selected and packets are classified, users have the option to either filter or tag the packets.

When the classified packets are selected for filtering, users have the option to filter ingress traffic, egress traffic or both.

As shown in the figure above, the traffic-filtering configuration is at the port group level.

In this lab we will implement traffic filtering to block ICMP (Ping) traffic from the VM Port Group

 

 

Switch back to Firefox

 

Click on the Firefox icon on the taskbar of the ControlCenter Desktop

 

 

Return to the vSphere Web Client Tab

 

Click on the vSphere Web Client Tab

 

 

Select Networking

 

Click on the Networking Icon

 

 

Edit the VM Network Port Group Settings

 

Note: You should already be at this view from the previous module but if you have navigated away you can get back by:

  1. Navigate to Datacenter Site A -> vds-site-b -> VM Network
  2. Click the Manage tab
  3. Click the Settings tab
  4. Click on Properties
  5. Click Edit

 

 

VM Network - Edit Settings - Traffic filtering and marking

 

  1. Click on Traffic filtering and marking in the left hand navigation pane
  2. Click on the Network Traffic Rule 1
  3. Click the Pencil icon (edit)

 

 

Edit Network Traffic Rule - Action

 

Change Action to Drop

 

 

Edit Network Traffic Rule - New IP Qualifier

 

Click the Green + to add a new qualifier

Select New IP Qualifier... from the drop down list

 

 

New IP Qualifier

 

  1. Select ICMP from the Protocol drop down menu
  2. Source address 192.168.100.142
  3. Click OK

 

 

Remove the System traffic qualifier

 

  1. Click on the System traffic qualifier
  2. Click the Red X to remove the System traffic qualifier

 

 

Remove the System traffic qualifier

 

Click Yes

 

 

Edit Network Traffic Rule

 

Click OK

 

 

VM Network - Edit Settings

 

Ensure that your Traffic filtering and marking settings match

  1. 1 | Network Traffic Rule 1| Drop | Egress
  2. IP | ICMP
  3. Click OK

 

 

Observe that ICMP (Ping) traffic is now being dropped

 

Click on the W12-core console tab in Firefox

Observe that the ping from W12-core is now timing out (The ICMP packets are now being filtered out on the VM Port Group)

 

 

Switch back over to the vSphere Web Client

 

Click on the vSphere Web Client browser tab

 

 

Edit the VM Network Port Group Settings

 

Note: You should already be at this view from the previous module but if you have navigated away you can get back by:

  1. Navigate to Datacenter Site A -> vds-site-b -> VM Network
  2. Click the Manage tab
  3. Click the Settings tab
  4. Click on Properties
  5. Click Edit

 

 

Remove Network Traffic Rule 1

 

  1. Click on Traffic filtering and marking in the left hand navigation pane
  2. Click on the Network Traffic Rule 1
  3. Click the red X icon

 

 

Click OK

 

Observe that the Network Traffic Rule 1 is gone

Click OK

 

 

Observe that ICMP traffic is once again flowing between the VM's

 

Switch back over to the W12-core VM console

Observe that ping (ICMP) traffic is once again flowing between VM's

This concludes the QoS tagging and packet filtering module of this lab. Before going to the next session, you can stop the ping running on W12-core.

 

Module 3 - Monitoring the vSphere Distributed Switch with Encapsulated Remote Mirroring (20 minutes)

Monitoring the vSphere Distributed Switch with Port Mirroring


The remote mirroring capability on VDS helps send traffic from a virtual machine running on one host to a virtual machine on another host for debugging or monitoring purposes.

vSphere Distributed Switch 5.1 and above supports the following protocols:

In this lesson we will monitor virtual machine traffic using a centrally located traffic analyzer.


Prepare testing tools


Before configuring Remote Port Mirroring we need to prepare our testing infrastructure.


 

Password and Command Line Help File

 

Look for a text file on the ControlCenter Desktop named README.txt

This file contains all of the passwords and long command line entries found in this lab.

If needed, you can use this file for copying and pasting passwords and command line text into the lab environment.

Tip: Use the method of highlighting text and right-mouse clicking to copy and paste for consistency as the keyboard combinations ctrl-c and ctrl-v do not work on all keyboard types.

 

 

Launch Firefox

 

From the ControlCenter desktop, click the Firefox icon

 

 

Log in to the VMware vSphere Web Client

 

If you aren't already logged in, please do so now

User name: root
Password: VMware1!

Click Login.

 

 

VM and Templates

 

  1. Select Home
  2. Click the VM and Templates icon.

 

 

Power on the W12-core VM

 

If W12-core VM is not currently powered on, power it on now.

  1. Select the W12-core VM
  2. Click on Actions
  3. Select Power On.

 

 

Launch the console for W12-core VM

 

  1. Select Summary tab
  2. Click on the console thumbnail to open a console to the W12-core VM

 

 

Power on full-sles-01a VM

 

If full-sles-01a is not currently powered on, switch back to the vSphere UI tab and power it on now.

  1. Select the full-sles-01a VM
  2. Click on Actions
  3. Select Power On.

Note: Wait until both VMs finish booting.

 

 

Switch to the W12-core console tab

 

Click on the W12-core console tab

 

 

Login to the W12-core VM

 

  1. Click the Send Ctrl-Alt-Delete button
  2. Password: VMware1!
  3. Click the arrow to the right of the password box or press Enter.

 

 

Start a continuous ping from W12-core to full-sles-01

 

Type the following command in a Command Prompt

ping -t 192.168.110.126

Press Enter

 

 

Launch tshark

 

In this module, we will use Tshark, a terminal based network traffic analyzer similar to WireShark.

To launch it, double click on the Tshark icon on the desktop. We've added a filter to only look at ICMP traffic to/from 192.168.110.126 (full-sles-01a).

 

 

Check the Tshark window

 

In the previous step, the ping succeeded, but if you look at your Tshark window, you'll see it stays empty. No traffic is currently visible from our Windows desktop.

That's perfectly normal. To see the traffic here, we first need to mirror it using Encapsulated Remote Mirroring. That's the objective of the next lesson.

Note: For the curious, we've launched Tshark in non promiscuous mode (-p). Our Control Center, being in the same L2 as our Linux VMs, could have seen the traffic in some situations, e.g., if both VMs were hosted on different ESXi hosts. We are using Encapsulated Remote Mirroring here even if it would have been easier with Remote Mirroring as the objective of this module is to demonstrate Encapsulated Remote Mirroring.

 

Encapsulated Remote Mirroring Configuration


In our nested environment where all of the physical switch configuration is out of reach, a convenient feature to monitor VM traffic from a central location is Encapsulated Remote Mirroring, as it doesn't require any physical switch configuration.

With Encapsulated Remote Mirroring, you can mirror the traffic to any location in your environment. This is done simply by defining the destination IP address of the mirrored traffic.

In this lesson we will configure our VDS to mirror traffic to the windows desktop where you are currently connected.


 

Add Port Mirroring Session

 

Switch back to the vSphere Web UI

  1. Click on the Networking icon
  2. Select the VDS named vds-site-b (Note: be sure to select vds-site-b and not vds-site-a which was created in the first module.)
  3. Click Manage
  4. Click Settings.
  5. Click Port Mirroring
  6. Click + New...

 

 

Select session type

 

Select Encapsulated Remote Mirroring (L3) Source and click Next.

 

 

Edit Properties

 

  1. Type Encapsulated Remote Mirroring - Destination in the Name field
  2. Enable its status.
  3. Click Next

 

 

Select sources

 

There are two ways to select sources: you can select ports from a list or directly type in a Port ID range, for example 2-8.

Click the first + icon to select Port IDs from a list.

 

 

Select Ports

 

Selecting from a list is easier than typing a Port Range. The Connected Entity is shown here, so you can easily select the VMs you want to monitor.

  1. Click on the checkbox for the Port ID connected to the full-sles-01a entity. Be careful to select the correct one, the order of your list may differ.
  2. Click OK.

 

 

Limit Traffic Direction

 

By default, mirroring of traffic will happen for both Ingress and Egress traffic. You can limit the direction by clicking on the respective icons.

  1. Click on the left blue arrow to mirror only Egress traffic.

Note: Keep in mind the notion of Egress and Ingress is defined by how the flow relates to the VDS. Egress, in this context, means all the traffic going out of the VDS to the selected Port IDs.

  2. Click Next.

 

 

Select destinations

 

Click the green + icon.

 

 

Add IP Address

 

Type the IP address of the Control Center where we will analyze the mirrored traffic: 192.168.110.10

Click OK.

 

 

Next

 

Click Next.

 

 

Ready to complete

 

Review your Port Mirroring Session settings.

Click Finish.

 

 

Confirm settings

 

  1. Your Encapsulated Remote Mirroring - Destination Port mirroring session is now Enabled.

  2. To confirm the settings you can select Encapsulated Remote Mirroring - Destination and click on the Sources and Destinations tabs.

You should have the same information as:

Status: Enabled
Connectee: full-sles-01a
Traffic Direction: Egress
Destination: 192.168.110.10 (not displayed in this screen capture, available behind the Destinations tab).

Click on the pencil and update your configuration accordingly until you get the same result.

 

 

Confirm you now see the mirrored traffic

 

Switch to your Tshark window. You should now see the mirrored traffic reaching your Windows desktop.

We only see the Echo request and no reply here. This is normal, as we are only mirroring Egress traffic.

If the Tshark window stays empty read the following troubleshooting notes.

Troubleshooting Notes

  1. Check the W12-core console tab to see if the ping is still running. If that's not the case, re-launch it.
  2. Double check the Encapsulated Remote Mirroring - Destination session settings (see previous step).
  3. Make sure you've applied this Encapsulated Remote Mirroring configuration to vds-site-b and not vds-site-a.
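What the collector at 192.168.110.10 receives is a copy of each mirrored frame wrapped in an outer IP packet. The following Python decoder is an added example, not part of the lab or of VMware's tooling; it assumes GRE encapsulation (IP protocol 47, payload type 0x6558) for the L3 mirroring session, and the host address 192.168.110.53, the ping source 192.168.110.50 and all function names are constructed for illustration.

```python
import socket
import struct

GRE = 47        # IP protocol number for GRE
TEB = 0x6558    # GRE payload type: Transparent Ethernet Bridging
ICMP_NAMES = {0: "echo-reply", 8: "echo-request"}


def _eth(buf, off):
    """Skip an Ethernet header plus one optional 802.1Q tag."""
    if len(buf) < off + 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack_from("!H", buf, off + 12)[0]
    off += 14
    if etype == 0x8100:
        if len(buf) < off + 4:
            raise ValueError("truncated VLAN tag")
        etype = struct.unpack_from("!H", buf, off + 2)[0]
        off += 4
    return etype, off


def _ipv4(buf, off):
    """Return (protocol, src, dst, payload offset) for the IPv4 header at off."""
    if len(buf) < off + 20 or buf[off] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[off] & 0x0F) * 4
    if ihl < 20 or len(buf) < off + ihl:
        raise ValueError("bad IPv4 header length")
    src = socket.inet_ntoa(buf[off + 12:off + 16])
    dst = socket.inet_ntoa(buf[off + 16:off + 20])
    return buf[off + 9], src, dst, off + ihl


def decode_mirror(frame):
    """Decode one captured frame; return None if it is not a GRE mirror copy."""
    etype, off = _eth(frame, 0)
    if etype != 0x0800:
        return None
    proto, host, collector, off = _ipv4(frame, off)
    if proto != GRE:
        return None
    if len(frame) < off + 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack_from("!HH", frame, off)
    if flags & 0x0007 or ptype != TEB:      # only GRE version 0 carrying Ethernet
        return None
    off += 4
    for bit in (0x8000, 0x2000, 0x1000):    # optional checksum, key, sequence
        if flags & bit:
            off += 4
    etype, off = _eth(frame, off)
    out = {"host": host, "collector": collector,
           "src": None, "dst": None, "icmp": None}
    if etype != 0x0800:
        return out
    proto, out["src"], out["dst"], off = _ipv4(frame, off)
    if proto == 1 and len(frame) > off:
        out["icmp"] = ICMP_NAMES.get(frame[off], "type %d" % frame[off])
    return out


def direction(decoded, monitored_ip):
    """Classify a mirrored packet relative to the VDS, as the lab defines it."""
    if decoded["dst"] == monitored_ip:
        return "egress"     # leaving the VDS towards the monitored port
    if decoded["src"] == monitored_ip:
        return "ingress"    # entering the VDS from the monitored port
    return "unrelated"


def _ip_hdr(proto, src, dst, payload_len):
    # Checksum left at 0: the decoder above does not verify it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_sample(icmp_type, src, dst):
    """Construct a mirror copy of one ICMP packet (constructed test data)."""
    mac = lambda n: bytes([2, 0, 0, 0, 0, n])   # locally administered MACs
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"constructed"
    inner = mac(1) + mac(2) + b"\x08\x00" + _ip_hdr(1, src, dst, len(icmp)) + icmp
    gre = struct.pack("!HH", 0, TEB) + inner
    outer_ip = _ip_hdr(GRE, "192.168.110.53", "192.168.110.10", len(gre))
    return mac(3) + mac(4) + b"\x08\x00" + outer_ip + gre


if __name__ == "__main__":
    request = build_sample(8, "192.168.110.50", "192.168.110.126")
    decoded = decode_mirror(request)
    print(decoded, direction(decoded, "192.168.110.126"))
```

With an Egress-only session on the full-sles-01a port, only packets that `direction()` labels "egress" are copied, which is why the capture shows Echo requests and no replies.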

 

Encapsulated Remote Mirroring and vMotion


Before wrapping up this Encapsulated Remote Mirroring module, we'll confirm that when vMotioning a VM, its traffic is still mirrored.


 

VMs and Templates

 

  1. Go back to the vSphere Web UI
  2. Click on the VMs and Templates icon.

 

 

Migrate...

 

  1. Select full-sles-01a
  2. Click on Actions
  3. Select Migrate...

 

 

Change host

 

Click Next.

 

 

Select Destination Resource

 

Click Next.

 

 

Select Host

 

Select esx-04a.corp.local and click Next.

Note: For the purpose of our lab, we've activated SSH service on esx-03a.corp.local which explains the Warning status on that host.

 

 

Select vMotion Priority

 

Click Next.

 

 

Review Selections

 

Compare your selections with the following yellow boxes.

If that looks the same on your side click Finish, click Back otherwise.

 

 

Mirroring is still happening

 

Switch back to your Tshark window to confirm traffic is still mirrored.

You can now close the Tshark window.

Before closing the W12-core console tab, make sure to stop the continuous ping by pressing ctrl+c.

This concludes our Encapsulated Remote Mirroring module. You still have three more modules to go to finish the HOL-SDC-1402 lab.

 

Module 4 - Manage network traffic with NIOC (Network I/O Control) (15 minutes)

Virtual Networking Overview


The lab is designed to familiarize students with the fundamentals and basic troubleshooting of Virtual Networking within vSphere 5.  In this lab, participants will gain knowledge of advanced configuration possibilities of the vSphere Distributed Switch and Network I/O Control (NIOC).  The lab will also show participants how to use NIOC to:

Network I/O Control allows you to allocate shares and limits to different traffic types, provide isolation and guarantee service levels when different traffic types are competing for the same bandwidth. The newest features within Network I/O Control are User-Defined Resource Pools, a Host Based Replication Traffic Type and QoS Tagging (802.1p).

You may be interested in NIOC if you are deploying Tier 1 apps on virtual infrastructure and wish to reserve I/O resources for those critical applications, giving them SLA guarantees. An example of this is a public cloud service provider that serves multiple tenants and can provision I/O resources per tenant based on each tenant's needs.

 


Troubleshooting vMotion and Network I/O Control Configurations


In this lesson you will see where to enable Network I/O Control and also some fundamental configurations that can help the VM traffic as well as other port group traffic for segmentation and Quality of Service.

Scenario:

You will use the Network I/O Control features of the Virtual Distributed Switch to limit vMotion traffic, causing a configuration error that prevents a successful vMotion between hosts. By default, Network I/O Control has 8 predefined Network Resource Pool types:

Assigning Limits and Shares to these various categories of traffic provides an easy way to assign priorities to network traffic. In addition, Network I/O Control provides the flexibility to define your own Network Resource Pool types, which will be explored later in the module.


 

Password and Command Line Help File

 

Look for a text file on the ControlCenter Desktop named README.txt

This file contains all of the passwords and long command line entries found in this lab.

If needed, you can use this file for copying and pasting passwords and command line text into the lab environment.

Tip: Use the method of highlighting text and right-mouse clicking to copy and paste for consistency as the keyboard combinations ctrl-c and ctrl-v do not work on all keyboard types.

 

 

Launch Firefox from the ControlCenter Desktop

 

Double click the Firefox icon on the ControlCenter Desktop

 

 

Login to the vCenter Console

 

  1. Login to the VMware vSphere Web Client
  2. User name: root Password: VMware1!
  3. Click Login

 

 

Navigate to VMs and Templates

 

Select VMs and Templates

 

 

Power on VM

 

From Cluster Site A

  1. Right-click VM base-sles
  2. Select Power On

Note: VM may take up to two minutes to power on.

 

 

Migrate VM to new host

 

  1. Now that the VM is powered on, take note of the current host the VM is residing on. esx-03a.corp.local
  2. Use the Refresh icon to refresh the screen until VMware Tools status is "running" and memory is being used.

 

 

Migrate VM to new host

 

  1. Right click the "base-sles" VM
  2. Select "Migrate" and "Change Host" to move it to esx-04a.corp.local

 

 

Select new host

 

Continue with "Cluster Site A" and select Next

 

 

Select Host for migration

 

  1. Choose esx-04a.corp.local
  2. Ensure Compatibility checks succeeded
  3. Select Next

Note: Your hosts may be in a different order. Be sure esx-04a.vsphere.local is selected.

 

 

Select Priority

 

  1. Select "Reserve CPU for optimal vMotion performance" (which is the default)
  2. Select "Next".

 

 

Validate migration

 

Validate the above settings and Select Finish

 

 

Monitor migration

 

Notice at the right of the screen that the vMotion is taking place and should complete within a minute or two.

Note: If you have unpinned the "Recent Tasks" window, you will need to move the mouse to the right side of the screen to view the window.

 

 

Reconfigure Network I/O Controls to limit vMotion traffic

 

  1. Observe that VM base-sles has successfully relocated to esx-04a.corp.local
  2. Select Networking

 

 

Access vMotion Network Resource Pool

 

  1. Select vds-site-b
  2. Select Manage
  3. Scroll over and select Resource Allocation
  4. Select vMotion Traffic
  5. Click Edit

 

 

Edit vMotion Network Resource Pool

 

  1. Uncheck Unlimited
  2. Limit (Mbps) to 1
  3. Click OK

 

 

Failing vMotion

 

Now that you have limited vMotion traffic on the Virtual Distributed Switch, let's go ahead and attempt a migration of the base-sles VM you powered on earlier in the module.

Select VMs and Templates

 

 

Observe VM host location

 

Select the VM "base-sles" and notice on the right hand side of the screen that this VM is deployed on esx-04a.corp.local   

 

 

Migrate VM to new host

 

  1. Right click the "base-sles" VM
  2. Select "Migrate" and "Change Host" to move it back to esx-03a.corp.local

 

 

Change host destination

 

Select "Change host" (which is the default) and select "Next"

 

 

Select new host

 

Continue with "Cluster Site A" and select Next

 

 

Select Host for migration

 

  1. Choose esx-03a.corp.local
  2. Ensure Compatibility checks succeeded
  3. Select Next

Note: Your hosts may be in a different order. Be sure esx-03a.vsphere.local is selected.

 

 

Select Priority

 

  1. Select "Reserve CPU for optimal vMotion performance" (which is the default)
  2. Select "Next".

 

 

Validate migration

 

Validate the above settings and Select Finish

 

 

Monitor migration

 

Notice at the right of the screen that the vMotion is taking place and seems to be taking an extremely long time due to the limit of 1Mbps Network I/O.   Depending on your timeout specification for vMotion you may get an error.  If you do not get an error it means your timeout on vMotion is longer than default and may take a significant amount of time before getting the timeout error.  In this case make the necessary steps below to complete your vMotion before getting the timeout error.

 

 

Reconfigure Network I/O Control vMotion Network Resource Pool

 

While the "Recent Tasks" window still shows an uncompleted migration, select Networking

 

 

Reconfigure Network I/O Control vMotion Network Resource Pool

 

You will now reconfigure the vMotion Network Resource Pool to its original setting to increase vMotion bandwidth allowing the migration to complete

  1. Select vds-site-b
  2. Select Manage
  3. Scroll over and select Resource Allocation
  4. Select vMotion Traffic
  5. Click Edit

 

 

Reconfigure Network I/O Control vMotion Network Resource Pool

 

  1. In the Network Resource Pool settings, check Unlimited
  2. Select OK

 

 

Monitor Migration

 

Once the update is complete to the network resource Pool, you should notice the migration completes fairly quickly.

 

NIOC and User Defined Resource Pools


Network I/O control (NIOC) is the advanced feature in vSphere Distributed Switch that provides traffic management capability. Network traffic management provides the required control and guarantee to different traffic types in the consolidated I/O environment. In the VMware vSphere 5.0 platform, NIOC supports traffic management capabilities for the system, virtual machine, and user defined traffic types.

As an example, applications have different CPU, memory, and network I/O resource requirements. Business critical applications have high resource requirements and a higher Service Level Agreement (SLA) as compared to non-critical applications. In the virtual infrastructure, where business critical applications run along with non-critical applications, it becomes critical that resources are allocated according to the individual workload requirements.

vSphere Virtual Platform provides you the capability to manage CPU, Memory,  and Network resources. Network resources are managed through Network I/O control (NIOC) feature on vSphere Distributed Switch. When Network I/O control is enabled, Distributed Switch traffic is divided into the following predefined network resource pools:

Scenario:

You are approached by the Linux admin, who is adding an application to the base-sles VM. He states that it is a Tier 1 application that needs additional bandwidth for a guaranteed SLA. In this section we will set up two User Defined resource pools to show you how you can help achieve the Linux administrator's SLAs.


 

Launch Firefox

 

Double click the Firefox icon on the ControlCenter Desktop

 

 

Password and Command Line Help File

Look for a text file on the ControlCenter Desktop named README.txt

This file contains all of the passwords and long command line entries found in this lab.

If needed, you can use this file for copying and pasting passwords and command line text into the lab environment.

Tip: Use the method of highlighting text and right-mouse clicking to copy and paste for consistency as the keyboard combinations ctrl-c and ctrl-v do not work on all keyboard types.

 

 

Login to the vCenter Console

 

  1. Login to the VMware vSphere Web Client
  2. User name: root Password: VMware1!
  3. Click Login

 

 

Power on VMs

 

  1. Select Home
  2. Click VMs and Templates

 

 

Power on VMs

 

  1. Expand the Datacenter Site A inventory list
  2. Right-click full-sles-01a
  3. Click Power On

Repeat the process for base-sles if it's not already powered on

 

 

Networking Inventory

 

You will need to be in Networking inventory to start your work.  

Select Networking

Note: you can unpin the Recent Task window to expand the working window in this lab.

 

 

Edit Virtual Machine Traffic rules

 

Let's change the Virtual Machine Host Limit to 10Mbps. Keep in mind that in normal operation it is not recommended to limit this traffic; however, in this example the limit is used to minimize the amount of traffic you have to generate.

  1. Expand Datacenter Site A
  2. Select vds-site-b
  3. Select Manage
  4. Scroll over and select Resource Allocation
  5. Select Virtual Machine Traffic
  6. Click Edit

 

 

Edit Virtual Machine Traffic rules

 

  1. Deselect Unlimited
  2. Change the Limit (Mbps) to 10
  3. Click OK

Note: The option of QoS priority tag helps in tagging the packets with 802.1p tags. You can use this option so that the network infrastructure treats the packets according to the priority and thus provides End to End QoS. In this example the packets are not tagged.

 

 

Create Network Resource Pool

 

Now let's create a few User-Defined Network Resource Pools.  

Select the + symbol

 

 

Create Network Resource Pool

 

  1. Now name your Network Resource Pool to "Linux Tier 1 App"
  2. Set the Host Limit (Mbps) to 10
  3. Uncheck Unlimited
  4. Set the Physical adapter shares to High
  5. Select OK

 

 

Create Network Resource Pool (Copy)

 

Now select "New Network Resource Pool" again.

Select the + symbol

 

 

Create Network Resource Pool

 

  1. Now name your Network Resource Pool to "No SLA"
  2. Set the Host Limit (Mbps) to 1
  3. Uncheck Unlimited
  4. Set the Physical adapter shares to Low
  5. Select OK

 

 

Confirm Network Resource Pool creation

 

Now confirm the creation of your user defined Network Resource Pools.

  1. Scroll down
  2. Confirm settings

 

 

Assign Network Resource Pool to Port Group

 

To deliver SLA's we will need to associate each of these network resource pools to different VM port groups.  We will assign the Low priority or "NO SLA" Network Resource Pool to the VM Network Port Group

  1. Right-click VM Network on the left
  2. Select Edit Settings

 

 

Assign Network Resource Pool to Port Group

 

  1. Ensure General is selected (default)
  2. Use the Network resource Pool Drop down menu and select No SLA
  3. Select OK

 

 

Create vDS Port Group

 

You need to assign the second Network Resource Pool to another VM-Portgroup and realize that you only had one port group assigned for VM Traffic.  In your environment you would need to create a second VM Portgroup in order to assign the network resource pool.

  1. Select and right-click vds-site-b
  2. Click New Distributed Port Group...

 

 

Create vDS Port Group

 

  1. Name the new port group "VM-Tier1"
  2. Click OK


 

 

Create vDS Port Group

 

  1. Change Network Resource Pool to Linux Tier 1 App
  2. Select Next

 

 

Create vDS Port Group

 

Confirm Port Group Settings

Select Finish

 

 

Observe new vDS configuration

 

Now your dvSwitch should have 2 VM port groups (VM Network for NO SLA Traffic and VM-Tier1 we are about to assign to your Tier 1 Traffic)

 

 

Observe Port Group uplinks

 

Let's confirm VM-Tier1 is set up the same way that VM Network is with equivalent network access.  

  1. Select vds-site-b
  2. Select Manage
  3. Select Settings
  4. Click Uplink 1

In this view you can see that both port groups have access to the same single uplink per host. Without Network I/O Control, access to the network would have no SLA, with all traffic being treated equally. Now let's see how our User-Defined Network Resource Pool settings affect network traffic.

 

 

Assign VMs to Port Groups

 

Now it's time to move our Tier1 VM base-sles to our VM-Tier1 Port Group

Select VMs and Templates

 

 

Assign VM to Port Groups

 

  1. Select and right-click base-sles
  2. Click Edit Settings

 

 

Assign VM to Port Groups

 

Use the Network drop down menu to associate the base-sles VM to our new VM-Tier1 Port Group

Click OK

 

 

Review VM Network settings

 

  1. Select Refresh
  2. Notice that the Port Group in the middle of the screen shows the new Network Adapter for base-sles as "VM-Tier 1"

 

 

Review the results of our settings

 

Time to test the results of your work.

  1. Right-click on base-sles
  2. Select Open Console

 

 

Log in to base-sles VM

 

Login with user "root" and password "VMware1!".  

Once logged in, enter "ping 192.168.110.113 -s 10000" in the command line

 

 

Observe pings

 

Your screen should look something like the above with pings in the terminal session.  

 

 

Log in to full-sles-01a

 

  1. Right-click on full-sles-01a
  2. Select Open Console

 

 

Log in to full-sles-01a

 

Login with user "root" and password "VMware1!"

 

 

Observe pings

 

Minimize the console window (or move it to the side) and follow the above steps for the VM named "Centos-vmotion". Run the file "ping_10mb" and select "Run in Terminal" just like above for the other VM.

 

 

Observe pings

 

 

 

Observe pings

 

Now switch between both VM consoles side by side and notice that the pings on "base-sles" have a faster response than those on "full-sles-01a" on the right, because base-sles has been placed into the SLA Network Resource Pool and full-sles-01a into a "NO SLA" pool. NOTE: There is not much difference in the ping times; however, even without placing a production load on these machines there is a clear difference in priority between the two machines, with a faster response from the base-sles VM.
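To make the interaction between shares and limits concrete, here is an added Python model (not VMware code and not part of the lab) of how a single saturated uplink is divided between the two user-defined pools created above. It uses the 25/50/100 values NIOC assigns to Low/Normal/High shares; the uplink capacities passed to `allocate()` are constructed figures, and the function and class names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Share values behind the Low / Normal / High choices in the pool dialog.
SHARES = {"low": 25, "normal": 50, "high": 100}


@dataclass
class Pool:
    name: str
    level: str                          # "low", "normal" or "high"
    limit_mbps: Optional[float] = None  # None models the Unlimited checkbox

    def cap(self):
        return float("inf") if self.limit_mbps is None else float(self.limit_mbps)


def allocate(uplink_mbps, pools):
    """Split a saturated uplink between pools by shares, honouring limits.

    Pools whose limit is below their share-proportional slice are pinned to
    the limit; the bandwidth they cannot use is re-divided among the rest.
    """
    for p in pools:
        if p.level not in SHARES:
            raise ValueError("unknown share level: %r" % p.level)
    alloc = {}
    active = list(pools)
    remaining = float(uplink_mbps)
    while active:
        total = sum(SHARES[p.level] for p in active)
        slice_of = {p.name: remaining * SHARES[p.level] / total for p in active}
        pinned = [p for p in active if p.cap() <= slice_of[p.name]]
        if not pinned:
            # No limit binds any more: the rest is purely share-proportional.
            alloc.update(slice_of)
            break
        for p in pinned:
            alloc[p.name] = p.cap()
            remaining -= p.cap()
            active.remove(p)
    return alloc


# Pool settings taken from the lab steps above.
LAB_POOLS = [
    Pool("Linux Tier 1 App", "high", 10),
    Pool("No SLA", "low", 1),
]

if __name__ == "__main__":
    # Constructed capacities: a roomy uplink, then one squeezed to 8 Mbps.
    print(allocate(1000, LAB_POOLS))   # limits bind, shares never come into play
    print(allocate(8, LAB_POOLS))      # shares decide, then the 1 Mbps limit pins No SLA
```

On an uplink with spare capacity the limits alone decide the outcome; shares only matter once the pools compete for less bandwidth than their limits add up to.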

 

 

Summary

The VMware vSphere 5.0 platform provides visibility into virtual machine traffic through the NetFlow and port mirroring features and enhances Network I/O Control through user-defined resource pools. These new networking features help network administrators and virtual infrastructure administrators troubleshoot network issues and provide advanced traffic management capability. This lab covered the step-by-step configuration of these new features and also provided simple exercises on how to test them. After going through the evaluation exercises in this lab, you should be able to see how these new features can benefit your virtual infrastructure and your cloud deployments.

 

Module 5 - Implementing LACP on the vSphere Distributed Switch (20 minutes)

Implementing LACP on the vSphere Distributed Switch


vSphere 5.1 added limited support for Link Aggregation Control Protocol (LACP), with these constraints:

vSphere 5.5 now comes with an enhanced LACP implementation which now supports:

In this module we will demonstrate how to configure LACP v2.

If you feel comfortable with the concepts involved with LACP, you can skip ahead to the next section.

Link Aggregation Control Protocol is a vendor-independent standard defined in IEEE 802.1ax (formerly IEEE 802.3ad). It provides a mechanism to control the bundling of several ports together to form a single logical channel by sending LACP packets to a peer which also implements LACP.

LACP provides higher bandwidth and network redundancy.

The automatic negotiation of link aggregation parameters between virtual and physical switches provides the following advantages over static configuration:

One last definition: a Link Aggregation Group is a grouping of multiple individual links, with compatible properties, formed into a single logical channel.


Check requirements


In this lesson we will check the requirements to implement LACP v2 on vSphere.


 

LACP v2 requirements

Before jumping in, please note the following restrictions when using LACP v2:

 

 

Password and Command Line Help File

 

Look for a text file on the ControlCenter Desktop named README.txt

This file contains all of the passwords and long command line entries found in this lab.

If needed, you can use this file for copying and pasting passwords and command line text into the lab environment.

Tip: Use the method of highlighting text and right-mouse clicking to copy and paste for consistency as the keyboard combinations ctrl-c and ctrl-v do not work on all keyboard types.

 

 

Login to the vCenter Console

 

Launch Firefox and authenticate to the vSphere Web UI if it's not yet available to you.

User name: root
Password: VMware1!

 

 

Select the Networking inventory view

 

Click on the Networking icon

 

 

Check vSphere Distributed Switch version

 

Navigate to vds-site-b and click on summary tab. As you can see, VDS version is 5.5. You can confirm LACP Enhanced support by looking at the list of supported features.

Note: If you want to implement LACP v2 on an older version, you first need to upgrade it by clicking on the upgrade link next to its version number.

 

Create a Link Aggregation Group on the VDS


In this lesson we will create a LAG on the VDS.


 

Add a new LAG group

 

  1. Select the Manage Tab
  2. Click on LACP.
  3. You can now add a new Link Aggregation Group by clicking on the green + icon.

Note: If you have completed the lab module 1 you will have a second VDS named vds-site-a. Make sure you have selected vds-site-b and not vds-site-a.

 

 

Fill out the form

 

  1. Increase the number of ports to 3. This defines how many physical NICs you want to group together in this logical channel.
  2. Select Source and destination IP address and VLAN as the load balancing scheme and keep everything else as is. As you can see, the current LACP implementation supports many different load balancing modes.
  3. Mode Passive means the port is in a passive negotiating state. In passive mode, the port responds to LACP packets it receives but does not initiate LACP negotiation.

Note: The Port Policies section is gray. We'll see how to activate it later in the lab.

  4. Click OK.

 

 

LAG created

 

Your lag1 is now created.

In the next step we'll confirm the creation of our LAG in our host.

 

 

Launch PUTTY

 

Click Start > PuTTY

 

 

Connect to esx-03a.corp.local

 

Type esx-03a.corp.local in the Host Name Box and click Open.

 

 

Logon as Root

 

Login as: root
Password: VMware1!

 

 

Confirm LAG creation from the command line

 

Type the following command:

esxcli network vswitch dvs vmware lacp config get

As you can see, lag1 is created but it isn't associated with any NICs. We'll do that in the next section.

Note: You can keep Putty open for now.

 

Configure the hosts to use the LAG


In this lesson, we will add physical NICs to our lag1. Please switch back to the vSphere Web UI.


 

Migrating network traffic to LAGs

 

A wizard will help you in migrating network traffic to LAG, make sure you've selected vds-site-b > Manage > Settings > LACP.

Click on Migrating network traffic to LAGs to launch the wizard.

 

 

Add and Manage Hosts...

 

Click on Add and Manage Hosts...

 

 

Manage host networking

 

Click on the Manage host networking radio button and click Next

 

 

Add hosts

 

Click the green + to add Hosts to the list

 

 

Select Hosts

 

Select both hosts by clicking on the checkbox in the heading and click OK.

 

 

Activate template mode

 

Activate the template mode by clicking on the checkbox at the bottom and click Next.

Note: By using the template mode you only configure one node, and all the operations will be replicated on the remaining nodes. All the nodes need to have the same configuration. To get more information on this mode, you can click on the gray icon just after (template mode).

 

 

Select template host

 

Select esx-03a.corp.local and click Next.

 

 

Select network adapter tasks

 

Make sure only the first option Manage physical adapters (template mode) is selected and click Next.

 

 

Manage Physical network adapters vmnic1

 

Select vmnic1 and click Assign uplink.

 

 

Assign vmnic1 to lag1-0

 

Select lag1-0 and click OK.

 

 

Manage Physical network adapters vmnic2

 

Select vmnic2 and click Assign uplink.

 

 

Assign vmnic2 to lag1-1

 

Select lag1-1 and click OK.

 

 

Manage Physical network adapters vmnic3

 

Select vmnic3 and click Assign uplink.

 

 

Assign vmnic3 to lag1-2

 

Select lag1-2 and click OK.

 

 

Apply to all

 

To replicate the configuration of esx-03a.corp.local on esx-04a.corp.local click on Apply to all and click Next.

 

 

Analyze impact

 

vCenter tells you there isn't any impact on network dependent services, so you can relax and click Next.

 

 

Ready to complete

 

Click Finish to proceed and wait until the operation completes.

 

 

Confirm NICs <-> LAG association from the command line

 

Switch back to your Putty session, which should still be connected to esx-03a.corp.local.
If you closed it, launch Putty again and connect to esx-03a.corp.local.

Use the up arrow key to recall the last command or type it again:

esxcli network vswitch dvs vmware lacp config get

As you can see, your lag1 is now associated with vmnic1, vmnic2 and vmnic3. Congratulations!!!

Wait, we still have one more thing to do to use this LAG in production.

 

Configure a Port Group to use the LAG


We are almost done with our LACP Hands on lab module, the last step is to configure a Port Group to use this Link Aggregation Group for its uplink.


 

Manage Distributed Port Groups...

 

Switch back to vSphere Web UI

In the wizard click on Manage Distributed Port Groups...

Note: If you closed the wizard earlier, you can reopen it from the LACP settings by clicking on Migrate network traffic to LAGs.

 

 

Select port group policies

 

Select Teaming and failover policies and click Next.

 

 

Select port groups

 

Select Data Port Group and click Next.

Note: Depending on your use case, you can select multiple Port Groups instead by using shift+ctrl click. In our lab we will limit ourselves to the Data Network.

 

 

Teaming and failover

 

Select lag1 and click three times on the up arrow icon to move it above Uplink 1.

 

 

Teaming and failover

 

Click on the red icon warning and read the popup alert which reminds you of an important caveat.

To comply, select Uplink 1 and click on the down arrow two more times.

 

 

Teaming and failover

 

You should have something similar to the screenshot above.

As you can see, the red warning icon disappeared and a gray icon appeared next to the load balancing scheme. If you click on it, you'll learn that the load balancing scheme of the Port Group will get overwritten by the one from the LAG.

You can now click Next.

 

 

Ready to complete

 

Click Finish and close the wizard window.

Congratulations, your LACP configuration is now complete for your lag1. In a real-world scenario we would do the same process for the Management, Storage and VM Networks or we could also share a common LAG depending on NICs availability and network requirements.

But, you know the drill, your time at VMworld 2014 is valuable so let's not repeat ourselves and wrap up this module in the next chapter.

 

Check the topology


Now, let's inspect the topology.


 

Close wizard

 

Close the LAG migration wizard

 

 

Topology

 

  1. Select Topology
  2. Click on the reload icon.
  3. Select the Data Port Group.
  4. Click on the gray arrow in front of lag1 to see the implementation details for each host.

This confirms Data traffic will use the newly created lag1, which uses 3 physical NICs on each host.

 

 

Conclusion

This concludes our LACP lab module. Keep the following requirements in mind when implementing this feature:

Regarding the maximums, you can have up to 32 LAGs per host, but the number of NICs on a host is also limited to 32 if you have 1 GbE interfaces, or 8 for 10 GbE ones.

So, for example, you can only create 16 LAGs with two 1 Gig interfaces each.

Thanks for taking the time to learn about LACP in vSphere 5.5.

If you want to know even more about LACP configuration, continue to the next optional lesson, or skip it and go directly to the next module if you are short on time.

 

Allow overrides of port policies (optional)


In this lesson we'll show how to allow a LAG to override Port Group policies. By using this feature, you'll be able to override VLAN or NetFlow settings as soon as the traffic goes out through the specified LAG.

If you are short on time you can skip it.


 

Edit uplink port group settings

 

  1. Click on vds-site-b-corpnet-uplink.
  2. Click the Edit distributed port group settings icon.

 

 

Edit Advanced Settings

 

  1. Select the Advanced tab
  2. Click on Allowed Radio buttons for both VLAN and NetFlow
  3. Click OK.

 

 

Confirm you can now override Port Policies.

 

  1. Select the LACP tab
  2. Select the lag1 LAG and note the Port Policies is currently inherited from uplink port group.
  3. Click on the pencil to edit the LAG.

 

 

Edit Link Aggregation Group

 

As you can see above, you can click on the Override checkbox for both VLAN type and Netflow to override the Port Group policies.

  1. VLAN type: check Override
  2. VLAN trunk range: 0-100
  3. NetFlow: check Override
  4. NetFlow: select Enabled from the drop-down menu
  5. Click OK

If you do so, all the traffic going out through this LAG will comply with this setup, no matter the configuration of the originating Port Group.

 

 

Confirm Overrides

 

Port Policies is now overridden.

That concludes the LACP module of the HOL-SDC-1402 Hands on Lab.

 

Module 6 - Network Troubleshooting Using The ESXCLI (20 minutes)

Network Troubleshooting Using The ESXCLI


When it comes to network troubleshooting on an ESXi host, various types of information can be useful to a vSphere administrator, such as a virtual machine's IP addresses, MAC addresses, uplink ports, port IDs, etc. There are also valuable network statistics that can be viewed in the esxtop command-line utility. However, all of this useful information is spread across multiple tools, which can be challenging for a vSphere administrator who needs to quickly retrieve this data while troubleshooting an issue.

With the release of vSphere 5.1, the network namespace in ESXCLI has been enhanced to include a comprehensive set of network statistics at various points in the virtual network. This enables a vSphere administrator to easily get an overall status of the vSphere network as well as provide the ability to drill down further for troubleshooting.

In ESXCLI 5.1, you can now retrieve additional network statistics at a physical NIC (vmnic), on a per-VLAN (portgroup) basis, which needs to be configured, and on a per-VM-port (vNIC) basis.

Note: Network statistics are available on a per host basis and this is applicable to both a Distributed Virtual Switch as well as a regular Virtual Standard Switch.


 

Illustration of areas where we can retrieve network statistics

 

In this lab we will use the ESXCLI to:

1: View all of the physical NIC's (vmnic's) attached to a host

2: Gather network statistics from a vmnic

3: Gather VLAN statistics from a vmnic

4: List all VM's with active vnics on a host

5: Gather all of the network detail from a VM's vnic

 

Gathering network stats and other useful information with the ESXCLI


In this lesson we will gather network statistics and other useful information with the ESXCLI.


 

Launch Firefox from the ControlCenter Desktop

 

Double click the Firefox icon on the ControlCenter Desktop

 

 

Password and Command Line Help File

 

Look for a text file on the ControlCenter Desktop named README.txt

This file contains all of the passwords and long command line entries found in this lab.

If needed, you can use this file for copying and pasting passwords and command line text into the lab environment.

Tip: Use the method of highlighting text and right-mouse clicking to copy and paste for consistency as the keyboard combinations ctrl-c and ctrl-v do not work on all keyboard types.

 

 

Login to the vCenter Console

 

Login to the VMware vSphere Web Client

User name: root

Password: VMware1!

Click Login

 

 

Select vCenter

 

Click on vCenter

 

 

Select Hosts and Clusters

 

Click on Hosts and Clusters

 

 

Usability Tip - Unpinning the right hand pane to maximize viewable screen space

 

Click on the thumbtack icon at the top right to unpin the right hand pane and allow it to minimize

 

 

Usability Tip - Unpinning the right hand pane to maximize viewable screen space

 

Notes:

1: Roll over the minimized pane to expand it

2: Click on the thumbtack icon again to re-pin the pane and stop it from minimizing

 

 

Host Security Profile - Services

 

  1. Navigate to host esx-01a.corp.local in the left hand navigation pane
  2. Click the Manage tab
  3. Click the Settings tab
  4. Select System -> Security Profile from the list of settings
  5. Scroll down until you find the Services section
  6. Click Edit

 

 

Start The SSH Daemon

 

  1. Select SSH from the list of daemons
  2. Click Start

 

 

Confirm that the SSH daemon is Running

 

Observe that the SSH daemon is running

Note: Do not close the vSphere Web UI. We will need it a little later in the lab.

 

 

Launch PuTTY

 

From the ControlCenter desktop click Start

Click on the PuTTY icon

 

 

Open an SSH session to host "esx-01a"

 

In the Host Name (or IP address) box type esx-01a

Click Open

 

 

PuTTY Security Alert

 

Click Yes

 

 

Login to the ESXCLI

 

Login as: root

Password: VMware1!

 

 

View all physical NIC's attached to Host esx-01a

 

Type esxcli network nic list

Press Enter

 

 

Gather network statistics from "vmnic1"

 

Type esxcli network nic stats get -n vmnic1

Press Enter

 

 

Enable VLAN stats on "vmnic1"

 

Type esxcli network nic vlan stats set -e true -n vmnic1

Press Enter

 

 

Retrieve all VLAN stats for "vmnic1"

 

Type esxcli network nic vlan stats get -n vmnic1

Observe the vLAN statistics for VLAN 0 (The only vLAN on vmnic1)

Press Enter

 

 

Switch back to the vSphere Web Client tab of the Firefox browser

 

From the task bar on the ControlCenter desktop click on the vSphere Web Client - Mozilla Firefox icon

 

 

Start the "W2k8_base" VM (If it's not already running)

 

  1. Click on the VMs and Templates icon
  2. Click on the W2k8_base VM
  3. Click on Actions
  4. Select Power On from the context menu

Note: If you are doing the lab sections in order W2k8_base may still be running from the earlier section on migration. If this is the case, you can skip this step.

 

 

Ensure that the W2k8_base VM is fully powered on

 

The W2k8_base VM should be fully powered on. You can confirm this by observing the following in the VM's Summary tab

In the left hand navigation pane select the W2k8_base VM

  1. Recent Tasks pane shows "Power On virtual machine" task successful
  2. Memory stats graphic shows in use memory as green
  3. VMware Tools reports "Running", DNS Name and IP Addresses fields are populated
  4. Console thumbnail is visible. Note: This may not become visible until the VM has been fully powered on for several minutes so there is no need to wait for this.

Note: You may need to refresh the interface to speed things along

 

 

Switch back to PuTTY and our open session to esx-01a

 

From the task bar on the Control Center desktop click on the esx-01a.corp.local - PuTTY icon

 

 

List all VM's with active network connections

 

Type esxcli network vm list

Note: Take note of your World ID as you will need it in the next step

 

 

Get all of the networking details for the W2k8 VM

 

 

Type esxcli network vm port list -w World ID (Where World ID is the World ID value we revealed in the previous step)

Observe all of the network information for the W2k8_base VM
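A single run of esxcli network nic stats get only shows totals since the counters were last reset; during troubleshooting it is the change between two runs that matters. The following added example (not part of the original lab) compares two saved outputs and reports which drop and error counters grew. The sample text is constructed, and the "Name: value" layout of the command output is an assumption of this example.

```python
import re

COUNTER = re.compile(r"^\s*(?P<name>[^:]+):\s*(?P<value>\d+)\s*$")
WATCHED = re.compile(r"dropped|errors", re.IGNORECASE)

def parse_nic_stats(text):
    """Map each 'Name: <integer>' line of the stats output to an int."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            stats[m.group("name").strip()] = int(m.group("value"))
    return stats

def compare(before, after):
    """Return (rising, reset) for the drop and error counters of two samples."""
    old, new = parse_nic_stats(before), parse_nic_stats(after)
    rising, reset = {}, []
    for name, value in new.items():
        if name not in old or not WATCHED.search(name):
            continue
        if value < old[name]:
            reset.append(name)      # counter went backwards: host or driver restart
        elif value > old[name]:
            rising[name] = value - old[name]
    return rising, reset

# Constructed sample outputs, saved a few minutes apart (not real lab data).
BEFORE = """NIC statistics for vmnic1
   Packets received: 120000
   Packets sent: 80000
   Receive packets dropped: 10
   Transmit packets dropped: 0
   Total receive errors: 0
   Receive CRC errors: 0
   Total transmit errors: 0
"""
AFTER = """NIC statistics for vmnic1
   Packets received: 125000
   Packets sent: 83000
   Receive packets dropped: 260
   Transmit packets dropped: 0
   Total receive errors: 4
   Receive CRC errors: 4
   Total transmit errors: 0
"""

if __name__ == "__main__":
    rising, reset = compare(BEFORE, AFTER)
    for name, delta in rising.items():
        print(f"{name}: +{delta}")
    print("reset counters:", reset)
```
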

Now, let's investigate how the new packet capture utility can help us gather even more granular information that we can use to troubleshoot the network.

 

Troubleshooting the virtual network with the new packet capture tool


In this section of the lab we will use the new packet capture tool to gather network traffic programmatically for analysis.


 

Switch back over to the vSphere Web Client tab in Firefox

 

On the ControlCenter Desktop click on the vSphere Web Client - Mozilla Firefox icon

 

 

Start the base-sles VM

 

Note: You can skip this step if you left the base-sles VM powered on from the QOS tagging module.

Click on the VMs and Templates icon

Click on the base-sles VM

Click on Actions

Select Power On from the context menu

 

 

Wait for the base-sles VM to fully power up

 

Indications that a VM is fully powered on:

1: Recent Tasks pane shows "Power On virtual machine" task successful

2: Memory stats graphic shows in use memory as green

3: VMware Tools reports "Running", DNS Name and IP Addresses fields are populated

4: Console thumbnail is visible. Note: This may not become visible until the VM has been fully powered on for several minutes so there is no need to wait for this.

 

 

Start the "W12-core" VM

 

Note: You can skip this step if you left the W12-core VM powered on from the QOS tagging module.

Navigate to W12-core in the left hand navigation pane

Click on W12-core

Click on Actions

Click Power On

 

 

Wait for VM W12-core to fully power up

 

Indications that a VM is fully powered on:

1: Recent Tasks pane shows "Power On virtual machine" task successful

2: Memory stats graphic shows in use memory as green

3: VMware Tools reports "Running", DNS Name and IP Addresses fields are populated

4: Console thumbnail is visible. Note: This may not become visible until the VM has been fully powered on for several minutes so there is no need to wait for this.

 

 

Launch the console for the W12-core VM

 

Click on the console thumbnail to open a console to the W12-core VM

 

 

Switch to the W12-core console tab

 

Click on the W12-core console tab

 

 

Login to the W12-core VM

 

Click the Send Ctrl-Alt-Delete button

User: Corp\Administrator

Password: VMware1!

Click the arrow to the right of the password box or press Enter

 

 

Start a continuous ping from W12-core to base-sles

 

Click in the command prompt box

Type Ping -t 192.168.110.125

Press Enter

 

 

Launch PuTTY

 

From the ControlCenter desktop click Start

Click on the PuTTY icon

 

 

Open an SSH session to host "esx-03a"

 

In the Host Name (or IP address) box type esx-03a

Click Open

 

 

Login to the ESXCLI

 

Login as: root

Password: VMware1!

 

 

Introducing the new Packet Capture tool

 

Type pktcap-uw --help

Press Enter

Observe the command usage for the Packet Capture and Trace command

 

 

Capture packets at the vmnic

 

1: Type pktcap-uw --uplink vmnic0 -c 60 -o vmnic_capture.pcap

Press Enter

Wait for the packet capture to complete.

 

 

Discover the vnic port-id using esxtop

 

Type esxtop

Press Enter

Press n

Observe and note the PORT-ID of the base-sles VM

Press q to exit esxtop

 

 

Capture packets at the vnic

 

1: Type pktcap-uw --switchport # -c 25 -o vnic_capture.pcap (where # is the port-id from the previous step)

Press Enter

Wait for the packet capture to complete.

 

 

Capture packets at the vmknic

 

1: Type pktcap-uw --vmk vmk0 -c 25 -o vmknic_capture.pcap

Press Enter

Wait for the packet capture to complete.

 

 

Capture packets at the vmknic filtered by a destination IP address

 

Type pktcap-uw --vmk vmk0 -c 25 --dstip 192.168.110.22 -o vmknic_filtered_capture.pcap

Press Enter

Wait for the packet capture to complete.

 

 

Start a WinSCP connection to host ESX-03a.corp.local

 

From the ControlCenter Desktop click on the WinSCP icon

 

 

WinSCP Login

 

1: Host name: esx-03a

2: User name: root

3: Password: VMware1!

4: Click Login

 

 

WinSCP Warning

 

Click Yes

 

 

Copy the capture files from the host to the ControlCenter Desktop

 

1: Scroll down on the right hand side remote directory view on host esx-03a

2: In the right hand pane of WinSCP hold down CTRL and select the four .pcap capture files

Right click on the selection and choose copy from the list

 

 

Copy

 

Click Copy

 

 

Open an explorer window on the ControlCenter Desktop

 

From the taskbar of the ControlCenter Desktop click on the Explorer icon

 

 

Select the Documents folder

 

In the left hand navigation pane of the explorer window click the Documents icon.

 

 

Open the unfiltered vmknic capture file in WireShark

 

Double click on the file named vmknic_capture.pcap

 

 

Observe the traffic flowing through the vmkernel interface vmk0

 

Observe the traffic:

1: There is an open SSH connection between the ControlCenter Desktop and the host ESX-03a

2: Host ESX-03a is sending Syslog traffic to the vCenter Appliance

 

 

Switch over to the open Explorer Documents Window

 

From the taskbar of the ControlCenter Desktop click on the Explorer icon

 

 

Open the filtered vmknic capture file in WireShark

 

Double click on the file named vmknic_filtered_capture.pcap

 

 

Observe the filtered traffic flowing through the vmkernel interface vmk0

 

Observe that the filtered packet capture only contains packets headed to the vCenter Server Appliance (192.168.110.22)

If time permits, feel free to open and observe the additional capture files we created.
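The check done by eye in WireShark above can also be scripted. This added example (not part of the original lab) reads a capture, counts packets per flow, and lists any packet whose destination differs from the --dstip value. It assumes the files are in classic pcap format with Ethernet framing; the sample captures are built in memory, and every address except 192.168.110.22 is a placeholder.

```python
import socket
import struct
from collections import Counter

def parse_pcap(data):
    """Yield (src, dst, ip_proto, dst_port) per IPv4 frame of a classic pcap."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or truncated?)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24                           # first record follows the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                   # short, VLAN-tagged or non-IPv4 frame
        l4 = frame[14 + (frame[14] & 0x0F) * 4:]
        proto, dport = frame[23], None
        if proto in (6, 17) and len(l4) >= 4:   # TCP or UDP
            dport = struct.unpack("!H", l4[2:4])[0]
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               proto, dport)

def flows(data):
    """Count packets per (src, dst, ip_proto, dst_port) flow."""
    return Counter(parse_pcap(data))

def outside_filter(data, dst_ip):
    """Packets that a --dstip <dst_ip> capture should not contain."""
    return [p for p in parse_pcap(data) if p[1] != dst_ip]

def build_pcap(packets):
    """Build a constructed capture in memory from (src, dst, proto, dport)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, proto, dport in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", 40000, dport, 0)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample. 192.168.110.22 is the vCenter appliance from the lab;
# the other two addresses are placeholders for the host and the desktop.
SYSLOG = ("192.168.110.53", "192.168.110.22", 17, 514)
SSH = ("192.168.110.10", "192.168.110.53", 6, 22)
UNFILTERED = build_pcap([SSH, SYSLOG, SYSLOG])
FILTERED = build_pcap([SYSLOG, SYSLOG])

if __name__ == "__main__":
    for flow, count in flows(UNFILTERED).most_common():
        print(count, flow)
    print("outside filter:", outside_filter(FILTERED, "192.168.110.22"))
```

To run it against a real capture, pass the file contents instead of the sample, for example flows(open("vmknic_capture.pcap", "rb").read()).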

This concludes this portion of the lab.

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-SDC-1402

Version: 20150226-143732