VLAN tagging in VMware vSphere

Introduction

In a physical environment all the servers have dedicated physical NIC that are connected to a physical switch. VLANs in physical world are usually controlled by setting the VLAN ID on the physical switch port and then setting the server’s IP address to correspond to that NIC’s VLAN.

But in a virtual environment, dedicating a physical NIC (pNIC) to each VM that resides on the host is not possible. In reality, a physical NIC of the Esxi host service many VMs, and these VM’s may need to be connected to different VLANs. So the method of setting a VLAN ID on the physical switch port doesn’t work.

To counter this issue, 802.1Q VLAN tagging comes in picture in virtual environment.

Before digging deep into 802.1Q VLAN tagging lets understand how networking works in a virtual environment.

An Esxi host typically can have more than one physical network adapters for redundancy, load balancing and segregation.Read More

Advanced Configuration options for VMware HA

In this post I am going to cover a few advance settings in HA which you can be used in deploying complex HA solutions. You may or may not be using these advance value in your environment but sometimes you have to use these values depending upon how your virtualization infrastructure is laid.

1: das.isolationaddress: – By default the IP address used to check host isolation is the default gateway of the VMkernel port on the host. You can add more IP addresses for the host to use during an isolation check. A total of 10 addresses can be used (0-9).

For setting up this value Select Cluster > Edit Settings > vSphere HA > Advanced Options

2: das.usedefaultisolationaddress:– this option has 2 values: True or False. When set to false a host will NOT use the default gateway as an isolation address. This may be useful when the default gateway of your host is an unpingable address, or a virtual machine, such as a virtual firewall

3: das.isolationShutdownTimeoutRead More

VMware vSphere 6.0 — What’s New?

vSphere 6.0 public beta has been released several months ago and in 2014 VMworld conference some of the new features have been announced. Due to NDA all the features were not disclosed. 

Multi-CPU Fault Tolerance

FT is going to support VM’s with 4 vCPUs and 64GB of RAM. A new feature called fast checkpointing uses a  mechanism to keep primary and secondary VMs in sync. The Record/Replay technology that was previously used is replaced by  Fast checkpointing in vSphere 6.0

 vMotion Enhancements
Earlier upto vSphere 5.5, vMotion was limited to the vCenter/Datacenter boundary but now in vSphere 6.0 vMotion can migrate Virtual Machines across vCenters, virtual switches and routed networks.

Virtual Datacenters
vSphere 6.0 goes one step further than resource Pools. A Virtual Datacenter aggregates CPU, Memory, Storage and Network resources.

vCenter Server Appliance (VCSA)

The VCSA has also been beefed up. With 5.1 you could manage 100 hosts and 3000 powered on VMs.Read More

Replace Esxi host default certificate with CA-Signed Certificate

A default certificate is generated automatically for the ESXi host during installation. Because the certificate for the ESXi host was self-generated, it has not been signed and will not be given a trusted status when attempting to communicate with other servers and clients. Other network devices might not allow communication with the ESXi host until it is certified by a well-known CA. X.509 certificates are supported over SSL connections for the encrypted session.

NOTE: When replacing the default certificate of the ESXi host, if the vCenter Server stops managing the host, check whether the ESXi host has Verify Certificates enabled. If this is the case, reconnect the ESXi host to the vCenter Server using the vSphere Client.

The steps to add a CA-signed certificate are as follows:

Step 1. Log in to the ESXi host over SSH using Putty.

Step 2. Change the directories to /etc/vmware/ssl, and backup the certificate files:

# mv rui.crtRead More

Generate ESXi Host Certificates

VMware use standard X.509 version 3 certificates to encrypt session information sent over Secure Socket Layer protocol connections between the client and the server.

If you want to replace default certificates for vCenter Server and ESXi , the certificates you obtain for your servers must be signed and must conform to the Privacy Enhanced Mail (PEM) key format. The key used to sign certificates must be a standard RSA key with an encryption length that ranges from 512 to 4,096 bits. The recommended length is 2,048 bits.

Certificates signed by a commercial certificate authority, such as Entrust or VeriSign, are pre-trusted on the Windows operating system. However, if you replace a certificate with one signed by your own local root CA, or if you plan to continue using a default certificate, you must pre-trust the certificate by importing it into the local certificate store for each vSphere Client instance.

Certificate files located on an ESXi host are

  • Private key file: /etc/vmware/ssl/rui.key
Read More