How To Perform LUN Masking in vSphere 6

What is LUN Masking?

LUN masking is a way to control which LUNs are made visible to an ESXi host. If you have a storage array with multiple LUNs and you want an ESXi host to see only a subset of them rather than all of them, you can use the LUN masking technique.

LUN masking is the opposite of LUN zoning, where the storage array configuration determines which LUNs are visible to a host.

Last year I was doing a lab on vSphere Replication setup and wanted a subset of LUNs from my Openfiler appliance to be visible in my source site and the remaining LUNs in my protected site. That was the first time I felt the need to mask the paths to the storage array, so that my ESXi hosts from both sites would not see/mount all the LUNs I had created on my Openfiler appliance.

Although I ended up making the configuration change on the Openfiler side (similar to zoning), the idea of using LUN masking someday always stayed in my mind.

VCAP6-DCV Deploy Objective 2.3

Objective 2.3 of the VCAP6-Deploy exam covers the following topics:

  • Analyze and resolve storage multi-pathing and failover issues
  • Troubleshoot storage device connectivity
  • Analyze and resolve Virtual SAN configuration issues
  • Troubleshoot iSCSI connectivity issues
  • Analyze and resolve NFS issues
  • Troubleshoot RDM issues

Let's discuss each topic one by one.

Analyze and resolve storage multi-pathing and failover issues

There can be hundreds of reasons for multipathing and failover issues, and troubleshooting them comes only with experience. Multipathing issues can be caused on the storage side (SAN switch, fibre configuration, etc.) or on the vSphere side. In this post we will focus only on vSphere-side troubleshooting.

In my lab I am using an Openfiler appliance for shared storage, and my vSphere hosts are configured to use software iSCSI to reach Openfiler. Each host has 2 physical adapters mapped to two distinct port groups configured for the iSCSI connection, and both port groups are compliant with the iSCSI port binding settings.

VMware KB 1027963 explains the storage path failover sequence in vSphere in great detail.

VCAP6-DCV Deploy Objective 3.4

Objective 3.4 of the VCAP6-Deploy exam covers the following topics:

  • Perform a vDS Health Check for teaming, MTU, mismatches, etc.
  • Configure port groups to properly isolate network traffic
  • Use command line tools to troubleshoot and identify configuration issues
  • Use command line tools to troubleshoot and identify VLAN configurations
  • Use DCUI network tool to correct network connectivity issue

Let's discuss these topics one by one.

Perform a vDS Health Check for teaming, MTU, mismatches, etc.

Network configuration for a vSphere infrastructure is a cumbersome task, and if the process is not automated there is a good chance of configuration errors. Typical network configuration includes tasks like configuring VLANs, setting uplinks, NIC teaming, and so on.

Now, if any of the above is misconfigured, it can lead to host disconnection, VM traffic not reaching its destination, storage disconnection (if using iSCSI), or other issues.

In earlier versions of vSphere, there were no tools available that could help resolve such misconfigurations across the physical and virtual switches.

VCAP6-DCV Deploy Objective 7.3

Objective 7.3 of the VCAP6-Deploy exam covers the following topics:

  • Backup and restore distributed switch configurations
  • Backup and restore resource pool configurations
  • Export Virtual Machines to OVA/OVF format
  • Use a Host profile to recover an ESXi host configuration

Let's learn about these topics one by one.

Backup and restore distributed switch configurations

You can export vSphere Distributed Switch and distributed port group configurations to a file. The file preserves valid network configurations, enabling distribution of these configurations to other deployments.

To export vSphere Distributed Switch configurations using the vSphere Web Client:

1: Browse to a distributed switch in the vSphere Web Client navigator, right-click the distributed switch and click Settings > Export Configuration.

2: Select the Export the distributed switch configuration or Export the distributed switch configuration and all port groups option.

3: Click Yes to save the configuration file to your local system.

4: Select a location on your computer where you want to save the backup file and also provide a name for the backup file.


Hardening Virtual Machine Security

Securing virtual machines in a virtualized environment is just as important as securing physical servers. In this post we will learn a few techniques for hardening virtual machine security, although it is not possible to cover everything in a single post.

1: Remove Unnecessary Hardware Devices

If you have worked inside a datacenter, you might have noticed that none of the physical servers are equipped with a CD-ROM or floppy drive. This is done intentionally so that no one can use these removable devices to perform actions they are not authorized to.

Virtual machines are no different from physical servers, and it is equally important to make sure external devices are attached to a VM only when actually needed; as soon as the work is completed, make sure to dismount/remove any floppy or CD-ROM drives.

Force the VM to boot into the BIOS and disable any serial ports, parallel ports or floppy disk controller.

List services registered with SSO in vSphere 6

The method of listing services registered with SSO differs greatly between vSphere 5.x and 6.x. In vSphere 5.x, the list of registered services can be found by running the command ssolscli.cmd.

In vSphere 6, a new Python script, lstool.py, was introduced for this purpose; it can be found in the directory /usr/lib/vmidentity/tools/scripts/.

If you are using the vCSA and vCenter is deployed with an external PSC, log in to the PSC node as root and run the command below to see the list of available options.

You will see the output below.

Now, to see the list of services currently registered with your SSO, run the command below:

You will see output similar to:

For a Windows-based vCenter installation, you have to use the command below:


VCAP6-DCV Deploy Objective 4.3

Objective 4.3 of the VCAP6-Deploy exam covers the following topics:

  • Analyze and resolve DRS/HA faults
  • Troubleshoot DRS/HA configuration issues
  • Troubleshoot Virtual SAN/HA interoperability
  • Resolve vMotion and storage vMotion issues
  • Troubleshoot VMware Fault Tolerance

We will discuss each topic one by one.

Analyze and resolve DRS/HA faults

DRS faults can be viewed from the Web Client by selecting Cluster > Monitor > vSphere DRS > Faults.

HA issues can be viewed from the Web Client by selecting Cluster > Monitor > vSphere HA > Configuration Issues.

Also, if you look in the Issues tab, it shows HA and DRS issues collectively.

Common DRS faults are:

  • Virtual Machine is Pinned: occurs when DRS can't move a VM because DRS is disabled for that VM.
  • Virtual Machine Not Compatible with ANY Host: occurs when DRS can't find a host that can run the VM. This might mean that there are not enough physical compute resources or disk available to satisfy the VM's requirements.

VCAP6-DCV Deploy Objective 6.2

Objective 6.2 of the VCAP6-Deploy exam covers the following topics:

  • Adjust Virtual Machine properties according to a deployment plan:
    • Network configurations
    • CPU configurations
    • Storage configurations
  • Troubleshoot Virtual Machine performance issues based on application workload
  • Modify Transparent Page Sharing and large memory page settings
  • Optimize a Virtual Machine for latency sensitive workloads
  • Configure Flash Read Cache reservations

We will discuss these topics one by one.

Adjust Virtual Machine properties according to a deployment plan

This topic could mean a lot of things. A lot of information on it can be found in the vSphere 6 Resource Management Guide. We will start with networking.

Networking Configurations

ESXi networking features provide communication between virtual machines on the same host, between virtual machines on different hosts, and between other virtual and physical machines. Virtual machines are equipped with vNICs, and the type of vNIC depends on the guest OS chosen at the time of VM creation.

VCAP6-DCV Deploy Objective 6.1

Objective 6.1 of the VCAP6-Deploy exam covers the following topics:

  • Configure esxtop / resxtop custom profiles
  • Evaluate use cases for and apply esxtop / resxtop Interactive, Batch and Replay modes
  • Use esxtop / resxtop to collect performance data
  • Given esxtop / resxtop output, identify relative performance data for capacity planning purposes

Before we start discussing these topics, I want to cover a few basics of the vSphere Management Assistant (vMA), as we will be using it to perform a few of the tasks listed in this objective.

What is vSphere Management Assistant (vMA)?

The vSphere Management Assistant (vMA) is a virtual machine that includes prepackaged software such as a Linux distribution, the vSphere command-line interface, and the vSphere SDK for Perl. Basically, it is the missing service console for ESXi. But it is more than that, too.

This allows administrators to run scripts or agents that interact with ESX/ESXi and vCenter Server systems without having to explicitly authenticate each time.

VCAP6-DCV Deploy Objective 5.4

Objective 5.4 of the VCAP6-Deploy exam covers the following topics:

  • Create a Global User
  • Create a Content Library
  • Subscribe to a Content Library
  • Configure a Content Library for space efficiency
  • Synchronize a subscribed Content Library

Create a Global User

vSphere objects inherit permissions from a parent object in the hierarchy. Content libraries work in the context of a single vCenter Server instance. However, content libraries are not direct children of a vCenter Server system from an inventory perspective. The direct parent for content libraries is the global root.

This means that if you set a permission at a vCenter Server level and propagate it to the children objects, the permission applies to data centers, folders, clusters, hosts, virtual machines, and so on, but does not apply to the content libraries that you see and operate with in this vCenter Server instance. 

To allow a user to manage a content library and its items, an administrator can assign the Content Library Administrator role to that user as a global permission.