Monthly Archives: January 2015

VCP-DCV Series Part 2: What is vSphere

I do not know why, but each time someone mentions the word vSphere I remember an old movie with Dustin Hoffman called Sphere. Unfortunately for you I do not have a crashed spacecraft to examine, but VMware's vSphere is interesting as well.

vSphere is a collection of products from VMware that help you manage data center resources more efficiently. It aggregates common physical resources such as CPU, RAM and storage and presents them as virtual resources for applications to consume.

vSphere architecture

vSphere Editions

There are three different vSphere offerings; each higher edition contains all the features of the lower editions plus something on top.

  • vSphere Standard
  • vSphere Enterprise
  • vSphere Enterprise Plus

More information about editions and their pricing can be found here. For our lab purposes we are going to use a 60-day trial Enterprise Plus license for vCenter and the ESXi hosts.

Additional Resources

If you are looking for good Visio stencils that cover VMware products, head over to technodrone.

VCP-DCV Series Part 1: Introduction

In the current “cloudy” era of computing, there is a growing need for engineers who are able to break the silos between different infrastructure teams such as network, compute and storage to deliver the next generation of apps and services to consumers.

This approach brings many benefits to the business. Suddenly network people are interested and understand what server people mean by implementing a distributed virtual switch. Server people now better understand storage people when talking about IO performance and benefits of local storage caching.

In the end it will all make sense. We are not living in closed, isolated environments any more. People and teams are getting closer together to create a unified engineer who is specialized in one particular area but has a presence in the other technology towers as well, and is able to speak to his peers to reach a common understanding. This is what gives such people the edge they need to be successful in this new world of thinking.

This is what the next generation engineer looks like (or at least feels like :D)

I come from a networking background; in the old world you could call me “the network guy”. The idea of putting together a virtualization series came from experimenting and fuzzing with compute virtualization itself. I realized many benefits of virtualization a long time ago, before knowing that it is one of the key elements of every modern data center.

There are many virtualization vendors out there, such as Microsoft, Citrix and VMware. I have selected the last one, VMware, as it has a major share of the market and I have seen it used by many customers.

If you also want to break the silos, learn something new and have fun, this series is the right place to start. It will give you a perspective on data center virtualization from a different angle: from someone who is primarily specialized in networks, who sits in the middle and connects these compute pieces together.

The series will explain the nuts and bolts of a typical real-world VMware vSphere implementation. I hope you will also find it useful when preparing for your VCP-DCV exam, if that is your goal.

Managing Startups in Windows

This is a quick one on how to disable annoying apps that start when Windows boots. Start with Start\Search and type msconfig.

In the Startup tab you will find all apps that start during boot; simply uncheck the desired app. This way you can disable even the most “resistant” apps that do not offer you a way to do so in their own GUI.

Windows System Configuration can also launch some other tools such as System Information, Event Viewer or Resource Monitor, which can be useful for troubleshooting a slow PC and pinpointing what is causing the sluggishness. Keep your computer fit by shutting down unused apps and freeing up resources for others.

Lost objects in vCenter

To realize how important DNS is for a vSphere installation, try shutting down your DNS server, wait for the cache to expire and log into vCenter again. You may be presented with this error, which at first sight might not look related to DNS at all.

Could not connect to one or more vCenter Server Systems

And, you won’t have access to any objects:

You can find more evidence that this is related to DNS in vCenter main log which is located at /var/log/vmware/vpx/vpxd.log
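Since vCenter depends on both forward and reverse lookups for itself and every ESXi host, a quick round-trip check saves digging through vpxd.log. The script below is an added example, not part of the original post; it assumes a Linux admin box with glibc's getent (the ESXi shell does not ship it), and the hostnames and addresses in the usage comment are constructed lab placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: checks that every vSphere
# component resolves forwards and backwards in DNS, which vCenter needs
# before it can reach its hosts. Assumes a Linux admin box with glibc's
# getent; the names and addresses in the usage comment are constructed
# placeholders for a lab.

# Forward lookup: first IPv4 address for a name, empty if none.
resolve_forward() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Reverse lookup: canonical name for an address, empty if no PTR record.
resolve_reverse() {
    getent hosts "$1" 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# Verify name -> expected IP -> same name. Prints a one-line verdict and
# returns 0 only when the whole round trip is consistent.
check_host() {
    name="$1"; expected_ip="$2"
    ip=$(resolve_forward "$name")
    if [ -z "$ip" ]; then
        echo "FAIL $name: no A record"; return 1
    fi
    if [ "$ip" != "$expected_ip" ]; then
        echo "FAIL $name: resolves to $ip, expected $expected_ip"; return 1
    fi
    back=$(resolve_reverse "$ip")
    if [ "$back" != "$name" ]; then
        echo "FAIL $name: PTR for $ip is '${back:-<none>}', expected $name"; return 1
    fi
    echo "OK   $name <-> $ip"
}

# Read "name ip" pairs on stdin, check each one, return 1 if any failed.
check_all() {
    status=0
    while read -r name ip; do
        [ -n "$name" ] || continue
        check_host "$name" "$ip" || status=1
    done
    return "$status"
}

# Command-line use with name/IP pairs (constructed placeholder inventory):
#   ./dnscheck.sh vcenter.lab.example 10.0.1.40 esx1.lab.example 10.0.1.51
if [ "$#" -ge 2 ]; then
    printf '%s %s\n' "$@" | check_all
    exit "$?"
fi
```

Run it from a box that uses the same DNS servers as the vCenter appliance; a stale or missing PTR record shows up as a FAIL line even when the forward lookup still works, which is exactly the case the GUI error above hides.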

Fixing vCenter dirty shutdown

From time to time, when I am in a hurry, I tend to break best practices in my home lab. Recently one of them was shutting down a couple of vCenter servers and ESXi hosts by unplugging the virtual power cords :-). Usually they boot and work fine again, but this time I received a lovely error saying something went nuts with the vCenter server, and I was unable to boot any VMs.

The operation is not allowed in the current connection state of the host.

The solution was restarting the vCenter services in the services.msc console.

Adding ‘unclean’ drive to ESXi

Adding an older hard drive from a refurbished laptop to my lab ESXi host, I followed the usual steps, Configuration/Storage/Add Storage, format as VMFS-5. The drive was recognized and everything looked hunky dory, until the following error appeared at the end.

Vim.Host.DiskPartitionInfo.Spec
Call "HostStorageSystem.ComputeDiskPartitionInfo" for object "storageSystem"

The reason is that the disk held an existing Windows installation with multiple partitions, and ESXi did not like that. You need to delete the partitions manually, and this can be done from the ESXi CLI. Jump on the DCUI or temporarily enable SSH at Configuration/Security Profile/Services.

~ # esxcfg-scsidevs -l
t10.ATA_____OCZ2DVERTEX4_____________________________OCZ2D4158A721RE3N09L2
Device Type: Direct-Access
Size: 122104 MB
Display Name: Local ATA Disk (t10.ATA_____OCZ2DVERTEX4_____________________________OCZ2D4158A721RE3N09L2)
Multipath Plugin: NMP
Console Device: /vmfs/devices/disks/t10.ATA_____OCZ2DVERTEX4_____________________________OCZ2D4158A721RE3N09L2
Devfs Path: /vmfs/devices/disks/t10.ATA_____OCZ2DVERTEX4_____________________________OCZ2D4158A721RE3N09L2
Vendor: ATA       Model: OCZ-VERTEX4       Revis: 1.5
SCSI Level: 5  Is Pseudo: false Status: on
Is RDM Capable: false Is Removable: false
Is Local: true  Is SSD: true
Other Names:
vml.01000000004f435a2d34313538413732315245334e30394c324f435a2d5645
VAAI Status: unknown
t10.ATA_____ST500LT0122D9WS142___________________________________W0V9954M
Device Type: Direct-Access
Size: 476940 MB
Display Name: Local ATA Disk (t10.ATA_____ST500LT0122D9WS142___________________________________W0V9954M)
Multipath Plugin: NMP
Console Device: /vmfs/devices/disks/t10.ATA_____ST500LT0122D9WS142___________________________________W0V9954M
Devfs Path: /vmfs/devices/disks/t10.ATA_____ST500LT0122D9WS142___________________________________W0V9954M
Vendor: ATA       Model: ST500LT012-9WS14  Revis: 0001
SCSI Level: 5  Is Pseudo: false Status: on
Is RDM Capable: false Is Removable: false
Is Local: true  Is SSD: false
Other Names:
vml.0100000000202020202020202020202020573056393935344d53543530304c
VAAI Status: unknown

The disk in question is the second one, the 500GB non-SSD HDD (ST500LT012-9WS14), whose partition table looks like this:

~ # partedUtil get /dev/disks/t10.ATA_____ST500LT0122D9WS142___________________________________W0V9954M
60801 255 63 976773168
1 2048 718847 7 128
2 718848 976771071 7 0

To delete the two existing partitions, use the following commands.

~ # partedUtil delete /dev/disks/t10.ATA_____ST500LT0122D9WS142___________________________________W0V9954M 1
~ # partedUtil delete /dev/disks/t10.ATA_____ST500LT0122D9WS142___________________________________W0V9954M 2

Now, going back to the process from the beginning, adding the new VMFS datastore is successful.
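The two partedUtil delete commands above are easy to type against the wrong device path, and the number of leftover partitions varies from disk to disk. The script below is an added example, not from the original post: it parses the output of partedUtil get, plans one delete per partition (highest number first) and, with DRY_RUN=1 (the default), only prints the commands so the device path can be checked before anything is destroyed. The sample table embedded in it is the one from this post's own 500GB disk.

```shell
#!/bin/sh
# Added example, not from the original post: clears leftover partitions from
# a disk so it can be added as a VMFS datastore. Meant for the ESXi shell
# (partedUtil is an ESXi tool). With DRY_RUN=1 (the default) it only prints
# the partedUtil commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# Read `partedUtil get <disk>` output on stdin. The first line is the disk
# geometry ("cylinders heads sectors total"), each later line is a partition
# ("num start end type attr"). Print the partition numbers, highest first,
# so deleting one never changes the number of the next one to delete.
partition_numbers() {
    awk 'NR > 1 && NF >= 5 { print $1 }' | sort -rn
}

# Emit (or run) one "partedUtil delete" per partition found on the disk.
# $1 is the full device path under /dev/disks, stdin is the table.
wipe_partitions() {
    disk="$1"
    partition_numbers | while read -r num; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "partedUtil delete $disk $num"
        else
            partedUtil delete "$disk" "$num"
        fi
    done
}

# Constructed sample: the table printed for the post's 500GB laptop disk
# (a 350MB Windows system partition, type 7, and one large data partition).
DISK=/dev/disks/t10.ATA_____ST500LT0122D9WS142___________________________________W0V9954M
SAMPLE_TABLE='60801 255 63 976773168
1 2048 718847 7 128
2 718848 976771071 7 0'

# Plan the wipe for the sample table (prints two commands in dry-run mode).
plan_sample() {
    printf '%s\n' "$SAMPLE_TABLE" | wipe_partitions "$DISK"
}

plan_sample
# Real use on the host, after checking the plan and confirming the device
# is not the boot disk or an existing datastore:
#   DRY_RUN=0; partedUtil get "$DISK" | wipe_partitions "$DISK"
```

Deleting the highest-numbered partition first is a habit worth keeping even on ESXi, where partition numbers are slots and do not shift; it costs nothing and avoids surprises on tools that do renumber.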

Cisco ASAv firewall installation

Introduction

The data center networking trend is clear, with every network service slowly being virtualized. Virtual network devices provide big advantages over their physical counterparts. First, VMs can be provisioned much more quickly and be part of a larger virtual infrastructure; you can easily scale them by adding more virtual CPU or memory, and you can snapshot them to save their current state to a file and move them around.

Cisco has also introduced a virtual version of their popular ASA firewall product. It is simply called ASAv and runs under popular hypervisors such as VMware vSphere or KVM. You can find the product home page here. This is a different product and idea than the Cisco ASA 1000V Cloud Firewall.

First you need to get hold of the OVA package. You need to be entitled with Cisco to download the software from here, or you can do a Google search and find it elsewhere. I had some problems with the latest release 9.3.2(200), where it would get stuck in a boot loop; the kernel complained about an Illegal Instruction. It looks like it did not like my dual Opteron 4180 host. Therefore in this demo we are going to use release 9.3.1, which worked just fine.

Sharpening the axe

Before we deploy the actual virtual firewall, let's build some solid ground for it. Firewalls usually divide the network into multiple security zones, so first we are going to create some, and we use vSwitches for that. In my vSphere deployment I already have a default vSwitch called vSwitch0, with a port group called Native that has a connection to the outside world.

We are going to create two additional vSwitches with the following port groups, ASAv-inside and ASAv-DMZ respectively, and we are going to attach two Linux instances to them. In the end we have a simple topology like this:

To get started, log in to vSphere, go to Hosts\Configuration\Networking\Virtual Standard Switch and click Add networking.

Select New Standard Switch; there is no need to assign a physical adapter for breakout, as we will attach this vSwitch to one of the ASAv interfaces. The first port group will be called ASAv-inside with no VLAN tag. Follow the same steps for the DMZ vSwitch and its ASAv-DMZ port group.

Chopping the tree

Back to ASAv: after downloading, log into vCenter and go to VMs and File\Deploy OVF Template.

Note: I tried to deploy the asav932-200.ova directly into ESXi, however I received an error: The OVF package requires support for OVF properties. Details: Line 264: Unsupported element ‘Property’

Answer the usual OVF deployment questions such as the name of the VM and which data center and cluster will be used. I only have one, so it is a no-brainer. Deployment configuration specifies the number of vCPUs the VM will have and whether it will be part of an HA pair. By default ASAv comes with 1 management interface, Management0/0, and 9 regular interfaces, GigabitEthernet0/0 – 0/8. You need to map each of them to the correct port group created in the previous step.

I am only really using 4 interfaces at this point, so I left the rest connected to the ASAv-DMZ port group.

1 Mgmt Interface and 9 Regular Interfaces

Some basic configuration parameters such as the IP configuration of the management interface can also be entered during the wizard. That makes me wonder whether those parameters can be passed to the template when deploying automatically via a script.

Initial Configuration Options
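The vSwitch preparation and the OVF deployment above can both be scripted, which also answers the question about passing the wizard's parameters: ovftool accepts --net:<ovf-network>=<port group> for the interface mapping and --prop:<key>=<value> for OVF properties (the OVA lists its network and property names when probed with a bare ovftool <ova>). The script below is an added example, not from the original post or from Cisco or VMware: it creates one isolated standard vSwitch per zone with esxcli and prints the ovftool command that would deploy the ASAv into them. The OVF network names on the left of each --net: mapping, the OVA path and the vi:// target are assumptions and placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from Cisco or VMware: scripts
# the lab preparation described above. zone_switch builds one isolated
# standard vSwitch per security zone with esxcli (run on the ESXi host), and
# deploy_asav shows the ovftool command that maps the ASAv's OVF networks to
# those port groups (run from an admin box). With DRY_RUN=1 (the default)
# every command is printed instead of executed, so the plan can be reviewed.

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# A zone vSwitch deliberately gets no uplink: nothing attached to it can
# leave the host except through the firewall interface on the same switch.
# The single port group is untagged (VLAN 0), matching the GUI steps above.
zone_switch() {
    vswitch="$1"; portgroup="$2"
    run esxcli network vswitch standard add --vswitch-name="$vswitch"
    run esxcli network vswitch standard portgroup add --portgroup-name="$portgroup" --vswitch-name="$vswitch"
    run esxcli network vswitch standard portgroup set --portgroup-name="$portgroup" --vlan-id=0
}

# Deploy the OVA with ovftool. The OVF network names on the left of each
# --net: are assumptions; read the real ones with `ovftool <ova>` first.
# $1 is the OVA path, $2 the target, e.g. "vi://root@<esxi-host>/".
deploy_asav() {
    ova="$1"; target="$2"
    run ovftool --acceptAllEulas --name=asav-lab \
        --net:Management0-0=Backend \
        --net:GigabitEthernet0-0=Native \
        --net:GigabitEthernet0-1=ASAv-inside \
        --net:GigabitEthernet0-2=ASAv-DMZ \
        "$ova" "$target"
}

# Build the two zones from the post and print the deployment plan
# (placeholder OVA path and target).
build_lab() {
    zone_switch vSwitch1 ASAv-inside
    zone_switch vSwitch2 ASAv-DMZ
    deploy_asav "<asav-ova-file>" "vi://root@<esxi-host>/"
}

build_lab
```

Keeping the zone switches uplink-less is the point of the exercise: the inside and DMZ Linux guests can only reach each other and the outside world through the ASAv, so the firewall policy is actually exercised rather than bypassed by the host's physical NIC.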

After the quick OVF deployment, you can look at the default resource requirements, which correspond to the deployment size selected in the wizard.

Resource utilization

And finally, the ASAv console is available directly through vCenter.

ASAv Virtual Console

Before you can take full advantage of all ASAv features in your lab you need to license the box. If you are lucky you can ask a Cisco representative for a temporary license or *hint* do a smart Google search for a little piece of software.

Initial Configuration

To verify that the ASAv indeed has network connectivity, we will perform the initial configuration and test reachability to Google's DNS servers.

! First virtual interface mapped to Native PortGroup
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp
!
! Second virtual interface mapped to ASAv-inside PortGroup
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Management virtual interface mapped to Backend PortGroup
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 10.0.1.41 255.255.255.0
!
! DNS, SSH and routing
dns server-group DefaultDNS
 name-server 8.8.8.8
!
route outside 0.0.0.0 0.0.0.0 10.0.2.1 1
aaa authentication ssh console LOCAL
ssh 10.0.1.0 255.255.255.0 management
username cisco password

Verification

If you are currently aiming for CCIE Security, this is an excellent way to build your own virtual lab for practice. Coupled with virtual ACS servers and IPS appliances, it is very easy to test and learn new features, validate syntax for scripts and much more without harming your production environment.

I draw the line in the sand here and leave it to your imagination what you can do with several of these virtual firewalls bundled with a couple of virtual routers and virtual machines to re-create a complete data center infrastructure sandbox.

Resources

Introduction to ASAv

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asav/quick-start/asav-quick/intro-asav.html

ASAv Product Overview

http://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/datasheet-c78-733399.pdf

Deploying ASAv

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-asav.pdf