Tag Archives: networking

What you can learn from Networking for VMware Admins

Introduction

It was not so long ago that I was searching for a good resource that would uncover what happens at the hypervisor level from the network point of view, and how it all clicks together to provide connectivity to an ever increasing number of virtual machines. I am happy to say that I have found that resource. It is called Networking for VMware Administrators by Chris Wahl and Steve Pantol.


The book starts by discussing the very foundation of networking: what a network is and what benefits it provides. It continues with common models and protocol stacks like ISO OSI and TCP/IP, and the concept of layering.

Comparing ISO OSI to TCP/IP

Diving deeper into the individual layers, the authors start with the physical layer. Ethernet technology is explained in great detail, as well as common physical connectivity options like copper or fiber. You will also gain some knowledge about the most used network connectors, such as RJ-45, and transceiver modules like the older GBIC or SFP.

10Gbps Twinax cable used for short connections

The chapters build on top of each other, and after the foundation and physical network properties the next chapter covers data-link operations in great detail. You learn about switching and common network challenges like preventing loops with spanning tree or increasing throughput by utilizing link aggregation technologies.

Another layer that could not be forgotten is Layer 3, the network layer. In this chapter IP addressing and routing are explained in detail. Other common services, such as automatic address configuration through DHCP or name resolution with DNS, are also covered, giving you as a reader a better overall perspective.

With the foundation laid down in the first 5 chapters, the book continues with popular converged network infrastructures. Cisco's concept of stateless computing, the Unified Computing System, is explained, as well as HP's BladeSystem c7000 chassis. Both are compared to give you better insight into one over the other.

Cisco Unified Computing System

The true discussion of virtual networking begins with Chapter 7: How Virtual Switching Differs from Physical Switching. This is an excellent entry point chapter, which describes the similarities and differences between the two. It touches on common vSwitch terms such as virtual machine NICs (vNIC), port groups, physical uplinks (pNIC) and VMkernel ports (vmk), and generally how the virtual architecture fits with the physical one.

vSwitch Architecture

vSwitch Forwarding Logic

Better yet, this chapter outlines the various configuration options on a vSwitch, like the number of uplinks, the MTU and the security settings (promiscuous mode, MAC address changes and forged transmits). Last but not least, trunking and VLAN tagging options are explained.

Chapter 9 focuses on the vSphere Distributed Switch, which is commonly found in enterprise environments. It explains how it differs from the standard vSwitch in control and data plane operations and elaborates on the many extra features it provides. You can expect to gain knowledge of the link discovery protocols CDP and LLDP, exporting traffic flows with NetFlow, monitoring traffic in the virtual environment using port mirroring, segmenting traffic using VLANs and private VLANs, and finally load based teaming and Network IO Control for intelligent traffic management.

After you gain this strong foundation you are free to enter the realm of third party virtual switches. The Cisco Nexus 1000V is the topic of the next chapter. The authors explain the reasons why you might consider using this third party switch in your environment. It touches on core architecture concepts like the Virtual Supervisor Module (VSM) and Virtual Ethernet Module (VEM) and the various deployment options.

Nexus 1000V deployment options

If you are the more practical type, you will definitely like the lab scenarios the authors put together. A step by step approach is outlined for building a basic vSphere environment using Cisco UCS as the main computing platform. In later chapters you will also discover how to migrate workloads from the standard virtual switch to the distributed virtual switch without causing downtime.

After discussing general networking technologies with relevant examples, Chapter 14 moves toward IP based storage, starting with iSCSI. General use cases are explained, as well as the idea of initiators and targets. Best practices for setting up iSCSI storage adapters are also well explained, giving you good confidence when planning a production environment.

The storage topics are then closed by discussing NFS based storage and its use cases. I especially like the depth of the storage topics. The practical demonstration at the end of the chapter is also a huge benefit in putting things together.

The next to last chapter deals with additional vSwitch design options, showing many different scenarios with or without IP based storage in place and using 1 Gbps or 10 Gbps network adapters.

One of many vSwitch design options

Finally, the last chapter discusses additional design options for heavy vMotion load. You will learn how to design multiple VMkernel adapters for moving workloads around when you need to. Network IO Control is also revisited in relation to egress traffic shaping and protecting a host from traffic overload when multiple hosts decide to migrate workloads onto the same destination hypervisor.

Although I am primarily a network guy, I must admit I enjoyed this well written book from the first page to the last. It gave me exactly what I was looking for: a good foundation in vSphere networking, which is the base for advanced technologies like virtual overlays with VXLAN.


OpenWRT: Spinning up an Authoritative DNS server

Introduction

During the last few months my small home infrastructure has grown in numbers. First came a beefy virtualization host with 2x AMD Opteron CPUs and 48 GB RAM, which runs all the labs and is awesome for learning. I named it Sonic after the hedgehog. Then the idea of centralized storage was born, and a Synology DS213J together with 2x WD 3TB REDs came on board; it is packed with features. The ones I use most are Download Station, File Station and the integrated IPsec VPN server.

As the Internet of Things rises, I bought a couple of Raspberry Pis, one of which runs OpenELEC as a home media center. The others are waiting for new exciting projects that will come soon.

Besides the physical infrastructure, the virtual one has grown even faster, with more and more complex labs. Overall there was a need to manage all this stuff more easily and to provide a layer of abstraction, and a home DNS service would make that happen.

After reading a number of resources that explained the basics of DNS, such as the difference between an authoritative, a caching and a forwarding server, I was confident enough to begin replacing the default combined DHCP+DNS service (dnsmasq) in my home router running OpenWrt with more capable software. I have chosen BIND for the job.

Installing packages

The installation process is very easy. First log into your router via SSH; I am running Barrier Breaker 14.07 on a TP-LINK TL-WR941ND. Then, using the package manager, install bind-server, bind-tools and isc-dhcp-server-ipv4. On 14.07 these come from the oldpackages feed (visible in the download paths below), so check the bind version you get against ISC's security advisories before you put it on a router that faces the Internet.

By default OpenWrt includes the vi text editor; if you are more of a nano person, install that package as well. We will use it to edit the configuration files later.

BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 BARRIER BREAKER (14.07, r42625)
 -----------------------------------------------------
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------

root@soultrap:~# opkg update
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_base.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_luci.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_packages.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/routing/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_routing.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/telephony/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_telephony.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/management/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_management.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_oldpackages.

root@soultrap:~# opkg install bind-server bind-tools
Installing bind-server (9.9.4-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/bind-server_9.9.4-1_ar71xx.ipk.
Installing bind-libs (9.9.4-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/bind-libs_9.9.4-1_ar71xx.ipk.
Installing libopenssl (1.0.2-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/libopenssl_1.0.2-1_ar71xx.ipk.
Installing zlib (1.2.8-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/zlib_1.2.8-1_ar71xx.ipk.
Installing bind-tools (9.9.4-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/bind-tools_9.9.4-1_ar71xx.ipk.
Configuring zlib.
Configuring libopenssl.
Configuring bind-libs.
Configuring bind-tools.
Configuring bind-server.

root@soultrap:~# opkg install isc-dhcp-server-ipv4
Installing isc-dhcp-server-ipv4 (4.2.4-3) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/isc-dhcp-server-ipv4_4.2.4-3_ar71xx.ipk.
Configuring isc-dhcp-server-ipv4.

root@soultrap:~# opkg install nano
Installing nano (2.3.6-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/packages/nano_2.3.6-1_ar71xx.ipk.
Configuring nano.

Dnsmasq is a combined DHCP and DNS server and would conflict with bind on port 53. To keep DHCP we will configure the ISC DHCP server instead, but first uninstall dnsmasq and clean up by removing the old DHCP leases file.

root@soultrap:~# /etc/init.d/dnsmasq stop
root@soultrap:~# opkg remove dnsmasq
Removing package dnsmasq from root...
Not deleting modified conffile /etc/config/dhcp.
root@soultrap:~# mv /etc/config/dhcp /etc/config/dhcp.backup
root@soultrap:~# rm /var/dhcp.leases

Configuring dhcp and bind

After the package installation we configure the dhcpd daemon; the place to do that is /etc/dhcpd.conf.

root@soultrap:~# nano /etc/dhcpd.conf
# dhcpd.conf

authoritative;

default-lease-time 3600;
max-lease-time 86400;

option domain-name-servers 10.0.2.1, 8.8.8.8;
option domain-search "papuckovo.home";

subnet 10.0.2.0 netmask 255.255.255.0 {
  range 10.0.2.128 10.0.2.191;
  option routers 10.0.2.1;
}

Then enable automatic service start after reboot and start the service. One caveat about the domain-name-servers line: a client that falls back to 8.8.8.8 (after a timeout, or because its resolver rotates between the two servers) cannot resolve papuckovo.home names there, so for predictable results hand out only 10.0.2.1 and let bind forward everything else.

root@soultrap:~# /etc/init.d/dhcpd enable
root@soultrap:~# /etc/init.d/dhcpd start

We will now focus on the bind configuration. The main files live under the /etc/bind/ directory, and named.conf is the one of interest.

First we configure the DNS forwarders that are used for anything outside our authoritative domain. Popular choices are the OpenDNS servers or Google Public DNS; I will use the latter.

Next we add one forward and one reverse zone for our home domain papuckovo.home. As you can see they point to files that will hold our records, and we need to create them.

Two things are worth checking in this file before starting the service. bind listens on every interface unless you restrict it, so on a router with a public address on the WAN side either add a listen-on statement with only the LAN and loopback addresses or make sure the firewall drops port 53 from the WAN; otherwise your home zone is served to the whole Internet. The allow-recursion ACL keeps outsiders from using you as an open resolver, but the ACL named RFC1918 below only contains 10.0.0.0/8; add 172.16.0.0/12 and 192.168.0.0/16 if you use those ranges, or rename it to match what it holds.

root@soultrap:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
acl "RFC1918" {
        10.0.0.0/8;
};

options {
        directory "/tmp";
        recursion yes;
        allow-recursion { RFC1918; };
        allow-transfer { none; };
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        auth-nxdomain no;    # conform to RFC1035
};
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "papuckovo.home" {
        type master;
        file "/etc/bind/zones/db.papuckovo.home";
};
zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
zone "2.0.10.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.2.0.10";
};

Now we create a new folder for the zones under /etc/bind (the directory the zone statements above point to) and copy the example files from the main bind directory as templates.

root@soultrap:~# mkdir /etc/bind/zones
root@soultrap:~# cp /etc/bind/db.local /etc/bind/zones/db.papuckovo.home
root@soultrap:~# cp /etc/bind/db.127 /etc/bind/zones/db.2.0.10

Edit the copied files to suit your needs. The SOA record needs the domain name and the administrator's email address (root.papuckovo.home. stands for root@papuckovo.home; the @ is written as a dot). You must also increment the serial number after every change to a zone file, since that is how any secondary server tells that the zone has changed; the usual convention is YYYYMMDDnn.

root@soultrap:~# nano /etc/bind/zones/db.papuckovo.home
;
; BIND data file for the papuckovo.home forward zone
;
$TTL    604800
@       IN      SOA     papuckovo.home. root.papuckovo.home. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      soultrap.papuckovo.home.
@       IN      A       10.0.2.1
soultrap        IN     A       10.0.2.1
www01           IN     A       10.0.2.2

Do the same thing for the reverse zone:

root@soultrap:~# nano /etc/bind/zones/db.2.0.10
;
; BIND reverse data file for 10.0.2.0/24
;
$TTL    604800
@       IN      SOA     papuckovo.home. root.papuckovo.home. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      soultrap.papuckovo.home.
1       IN      PTR     soultrap.papuckovo.home.
2       IN      PTR     www01.papuckovo.home.

Finally, start the service and enable automatic start after boot:

root@soultrap:~# /etc/init.d/named start
Starting isc-bind
root@soultrap:~# /etc/init.d/named enable

Verification

You can verify the DHCP server by jumping on an internal client and issuing ipconfig /renew, or directly on the router by listing the dhcpd leases. The lease shown below is already in binding state free, meaning the client released it or did not renew; a client that currently holds an address shows binding state active.

root@soultrap:~# head /var/dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.4

lease 10.0.2.129 {
  starts 1 2015/02/23 08:19:57;
  ends 1 2015/02/23 08:21:57;
  tstp 1 2015/02/23 08:21:57;
  cltt 1 2015/02/23 08:19:57;
  binding state free;
  hardware ethernet 14:7d:c5:11:19:7f;
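The head output above only shows the first lease block. As an added example (not part of the original post), the following POSIX shell script summarises the whole lease database the way an admin usually wants it: which addresses are currently active, and which of those belong to a MAC you do not recognise. The sample lease file is constructed inline (the 10.0.2.129 block is the one shown above; the other addresses and MACs are made up), and the known-MAC list is an assumption you would replace with your own.

```sh
#!/bin/sh
# Added example, not part of the original post: summarise ISC dhcpd's lease
# database instead of eyeballing "head /var/dhcpd.leases".
# Assumptions: dhcpd 4.x lease syntax as in the head output above; the file
# path and the list of known MAC addresses are supplied by the caller.

# active_leases FILE: print "ip mac" for every address whose most recent lease
# block is in binding state "active". The lease file is append-only, so an
# address can appear several times; the last block for it is the current one.
active_leases() {
    awk '
        $1 == "lease"                        { ip = $2; state = ""; mac = "" }
        $1 == "binding" && $2 == "state"     { state = $3; sub(/;$/, "", state) }
        $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac) }
        $1 == "}" && ip != ""                { st[ip] = state; hw[ip] = mac; ip = "" }
        END { for (a in st) if (st[a] == "active") print a, hw[a] }
    ' "$1" | sort
}

# unexpected_clients FILE "mac1 mac2 ...": active leases whose MAC is not in
# the space-separated known list. On a flat home LAN this is a cheap check for
# a device you did not plug in yourself.
unexpected_clients() {
    active_leases "$1" | while read -r ip mac; do
        case " $2 " in
            *" $mac "*) ;;
            *) echo "$ip $mac" ;;
        esac
    done
}

# write_sample_leases FILE: constructed lease file. The 10.0.2.129 block is the
# one shown above; the others are made up. 10.0.2.131 was active and is later
# released, so it must not be reported.
write_sample_leases() {
    cat > "$1" <<'EOF'
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.4

lease 10.0.2.129 {
  starts 1 2015/02/23 08:19:57;
  ends 1 2015/02/23 08:21:57;
  tstp 1 2015/02/23 08:21:57;
  cltt 1 2015/02/23 08:19:57;
  binding state free;
  hardware ethernet 14:7d:c5:11:19:7f;
}
lease 10.0.2.130 {
  starts 1 2015/02/23 09:00:00;
  ends 1 2015/02/23 10:00:00;
  cltt 1 2015/02/23 09:00:00;
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "www01";
}
lease 10.0.2.131 {
  starts 1 2015/02/23 09:05:00;
  ends 1 2015/02/23 10:05:00;
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:dd:ee:02;
}
lease 10.0.2.131 {
  starts 1 2015/02/23 09:05:00;
  ends 1 2015/02/23 09:30:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:02;
}
EOF
}

# Stand-alone demo against the constructed file; on the router you would point
# the functions at /var/dhcpd.leases instead.
sample=$(mktemp)
write_sample_leases "$sample"
echo "active leases:"
active_leases "$sample"
echo "active leases from unknown MACs:"
unexpected_clients "$sample" "14:7d:c5:11:19:7f"
rm -f "$sample"
```

Both functions only use awk and the shell, so they run unchanged on the BusyBox userland of the router.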

You can also verify that the DNS server is working with nslookup or dig. The ANY query below returns everything at the zone apex, which is handy for a first check; for day-to-day testing ask for a specific type (dig A www01.papuckovo.home @localhost) and also confirm that a name outside your zone resolves through the forwarders, for example dig A www.google.com @10.0.2.1 from a LAN client. The aa flag in the answer confirms that bind is authoritative for the zone rather than answering from cache.

root@soultrap:~# dig ANY papuckovo.home @localhost
; <<>> DiG 9.9.4 <<>> ANY papuckovo.home @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53030
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;papuckovo.home.                        IN      ANY

;; ANSWER SECTION:
papuckovo.home.         604800  IN      SOA     papuckovo.home. root.papuckovo.home. 5 604800 86400 2419200 604800
papuckovo.home.         604800  IN      NS      soultrap.papuckovo.home.
papuckovo.home.         604800  IN      A       10.0.2.1

;; ADDITIONAL SECTION:
soultrap.papuckovo.home. 604800 IN      A       10.0.2.1

;; Query time: 74 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 24 16:04:56 CET 2015
;; MSG SIZE  rcvd: 139

Troubleshooting

Sometimes things do not go as expected, and it helps to narrow the problem down.

root@soultrap:~# /etc/init.d/named start
Starting isc-bind
  isc-bind failed to start

The default error message is not very useful; the log shows more. In this case I had mistyped the allow-transfer keyword in the main configuration file.

root@soultrap:~# logread
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: BIND 9 is maintained by Internet Systems Consortium,
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: corporation.  Support and training for BIND 9 are
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: available at https://www.isc.org/support
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: —————————————————-
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: using 1 UDP listener per interface
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: using up to 4096 sockets
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: loading configuration from ‘/etc/bind/named.conf’
Tue Feb 24 16:20:30 2015 daemon.err named[13361]: /etc/bind/named.conf:10: unknown option ‘allow-trasfer’
Tue Feb 24 16:20:30 2015 daemon.crit named[13361]: loading configuration: failure
Tue Feb 24 16:20:30 2015 daemon.crit named[13361]: exiting (due to fatal error)

MACs: Moves, Adds and Changes

When you add records to the forward and reverse zone files you need to increase the serial number and then reload bind. On this build the reload is really a stop and start (see the output below), so there is a short window with no name service; if your bind build ships named-checkzone, run it on the edited file first so that a typo does not turn the reload into an outage.

root@soultrap:~# /etc/init.d/named reload
Stopping isc-bind
Starting isc-bind
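The zone file edits above and the serial bump described in this section are the two places where a typo silently breaks resolution. As an added example (not from the original post), here is a POSIX shell script that bumps the serial and cross-checks the forward and reverse zone files before you reload. It assumes the zone layout used above and runs against constructed copies of the two files, with an extra host nas that only exists in the forward zone.

```sh
#!/bin/sh
# Added example, not part of the original post: two checks to run on the
# hand-edited zone files before "/etc/init.d/named reload". Assumptions: the
# zone file layout shown above (one record per line, the SOA serial on its own
# line tagged "; Serial"), and that the caller passes the zone name and the
# first three octets covered by the reverse zone.

# bump_serial FILE: increment the SOA serial in place and print the new value.
# Secondaries only transfer a zone whose serial has gone up, so this is the
# step that is easiest to forget.
bump_serial() {
    file="$1"
    new=$(awk '/; *Serial/ { printf "%d", $1 + 1; exit }' "$file")
    [ -n "$new" ] || { echo "no '; Serial' line in $file" >&2; return 1; }
    # rewrite only the serial line, keeping its indentation and comment
    awk -v n="$new" '/; *Serial/ && !seen { sub(/[0-9]+/, n); seen = 1 } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$new"
}

# missing_ptrs FWD REV ZONE PREFIX: print "host ip reason" for every A record
# in the forward zone inside PREFIX whose last octet has no PTR in the reverse
# zone, or whose PTR names a different host. No output means the files agree.
missing_ptrs() {
    awk -v zone="$3" -v prefix="$4" '
        # first file (reverse zone): remember PTR targets keyed by last octet
        FNR == NR { if ($3 == "PTR") ptr[$1] = $4; next }
        # second file (forward zone): check every A record except the apex
        $3 == "A" && $1 != "@" {
            n = split($4, o, ".")
            if (n != 4 || (o[1] "." o[2] "." o[3]) != prefix) next
            want = $1 "." zone "."
            if (!(o[4] in ptr))         print $1, $4, "no PTR"
            else if (ptr[o[4]] != want) print $1, $4, "PTR is " ptr[o[4]]
        }' "$2" "$1"
}

# write_sample_zones DIR: constructed copies of the two zone files above, plus
# a host "nas" added to the forward zone only (the typical forgotten PTR).
write_sample_zones() {
    cat > "$1/db.papuckovo.home" <<'EOF'
$TTL    604800
@       IN      SOA     papuckovo.home. root.papuckovo.home. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      soultrap.papuckovo.home.
@       IN      A       10.0.2.1
soultrap        IN     A       10.0.2.1
www01           IN     A       10.0.2.2
nas             IN     A       10.0.2.3
EOF
    cat > "$1/db.2.0.10" <<'EOF'
$TTL    604800
@       IN      SOA     papuckovo.home. root.papuckovo.home. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      soultrap.papuckovo.home.
1       IN      PTR     soultrap.papuckovo.home.
2       IN      PTR     www01.papuckovo.home.
EOF
}

# Stand-alone demo in a scratch directory; on the router the files live in
# /etc/bind/zones and the reload follows once the check prints nothing.
scratch=$(mktemp -d)
write_sample_zones "$scratch"
echo "forward serial now $(bump_serial "$scratch/db.papuckovo.home")"
echo "reverse serial now $(bump_serial "$scratch/db.2.0.10")"
problems=$(missing_ptrs "$scratch/db.papuckovo.home" "$scratch/db.2.0.10" papuckovo.home 10.0.2)
if [ -n "$problems" ]; then
    echo "fix these before reloading:"
    echo "$problems"
fi
rm -rf "$scratch"
```

Run the check, fix whatever it lists, then /etc/init.d/named reload; a named-checkzone pass on each file, where your bind build ships it, completes the picture.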

Conclusion

Adding a name resolution service to your home router gives you great flexibility and is easy to use: your everyday users won't need to be bothered with IP addresses, they can simply type names.

Further Reading

https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts

Cisco ASAv firewall installation

Introduction

The data center networking trend is clear: every network service is slowly being virtualized. Virtual network devices provide big advantages over their physical counterparts. VMs can be provisioned much more quickly and be part of a larger virtual infrastructure, you can easily scale them by adding more virtual CPUs or memory, and you can snapshot them to save their current state to a file and move them around.

Cisco has also introduced a virtual version of their popular ASA firewall. It is simply called ASAv and runs on popular hypervisors such as VMware vSphere or KVM; the product page is linked under Resources below. This is a different product and idea than the Cisco ASA 1000V Cloud Firewall.

First you need to get hold of the OVA package. You need to be entitled with Cisco to download the software from their site, or you can do a Google search and find it elsewhere. I had some problems with the latest release 9.3.2(200), where it got stuck in a boot loop and the kernel complained about an illegal instruction. It looks like it did not like my dual Opteron 4180 host. Therefore in this demo we are going to use release 9.3.1, which worked just fine.

Sharpening the axe

Before we deploy the actual virtual firewall, let's make some solid ground for it. Firewalls usually divide the network into multiple security zones, so first we are going to create some, and we use vSwitches for that. In my vSphere deployment I already have the default vSwitch called vSwitch0, with a port group called Native that has a connection to the outside world.

We are going to create two additional vSwitches with the port groups ASAv-inside and ASAv-DMZ respectively, and attach two Linux instances to them. In the end we get a simple topology: the ASAv sits between Native (outside), ASAv-inside and ASAv-DMZ, with one Linux VM in each of the latter two.


To get started, log in to vSphere and go to Hosts\Configuration\Networking\Virtual Standard Switch, then click Add Networking.

Select New Standard Switch. There is no need to assign a physical adapter for breakout; we will attach this vSwitch to one of the ASAv interfaces. A vSwitch without an uplink is a fully isolated segment, so the only way out of it is through the firewall interface connected to it, which is exactly what you want from a security zone. The first port group will be called ASAv-inside with no VLAN tag. Follow the same steps for the DMZ vSwitch and its ASAv-DMZ port group.


Chopping the tree

Back to the ASAv. After downloading the OVA, log into vCenter, go to the VMs view and choose File\Deploy OVF Template.

Note: I tried to deploy the asav932-200.ova directly into ESXi, but received the error "The OVF package requires support for OVF properties. Details: Line 264: Unsupported element 'Property'".

Answer the usual OVF deployment questions such as the name of the VM and which data center and cluster will be used. I only have one, so it is a no-brainer. The deployment configuration specifies the number of vCPUs the VM will have and whether it will be part of an HA pair. By default the ASAv comes with 1 management interface, Management0/0, and 9 regular interfaces, GigabitEthernet0/0 to 0/8. You need to map each of them to the correct port group created in the previous step.

I am only really using 4 interfaces at this point, so I left the rest connected in ASAv-DMZ portgroup.

1 Mgmt Interface and 9 Regular Interfaces

Some basic configuration parameters, such as the IP configuration of the management interface, can also be entered during the wizard. That makes me wonder whether those parameters can be passed to the template when deploying automatically via script.

Initial Configuration Options

After quick OVF deployment, you can look at default resource requirements which correspond to deployment size selected in wizard.

Resource utilization

And finally, the ASAv console is available directly through vCenter.

ASAv Virtual Console

Before you can take full advantage of all ASAv features in your lab you need to license the box. If you are lucky you can ask a Cisco representative for a temporary license, or *hint* do a smart Google search for a little piece of software.

Initial Configuration

To verify that the ASAv indeed has network connectivity, we perform the initial configuration and test reachability to Google's DNS servers. Two things the snippet below does not show and that you need before SSH works: an RSA key pair (crypto key generate rsa modulus 2048, plus ssh version 2 so the weaker protocol version is refused) and a real password on the username line. Note also that with ip address dhcp on the outside interface you could let DHCP install the default route with ip address dhcp setroute instead of the static route used here.

! First virtual interface, mapped to the Native port group
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp
!
! Second virtual interface, mapped to the ASAv-inside port group
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Management virtual interface, mapped to the Backend port group
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 10.0.1.41 255.255.255.0
!
! DNS, SSH and routing
dns server-group DefaultDNS
 name-server 8.8.8.8
!
route outside 0.0.0.0 0.0.0.0 10.0.2.1 1
aaa authentication ssh console LOCAL
ssh 10.0.1.0 255.255.255.0 management
username cisco password

Verification

With the interfaces up, ping 8.8.8.8 from the ASAv CLI; a reply confirms that the outside interface obtained its DHCP address and that the default route via 10.0.2.1 is in place.

If you are currently aiming for the CCIE Security, this is an excellent way to build your own virtual lab for practice. Coupled with a virtual ACS server and IPS appliances it is very easy to test and learn new features, validate syntax for scripts and much more without harming your production environment.

I draw the line in the sand here and leave it to your imagination what you can do with several of these virtual firewalls bundled with a couple of virtual routers and virtual machines to re-create a complete data center infrastructure sandbox.

Resources

Introduction to ASAv

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asav/quick-start/asav-quick/intro-asav.html

ASAv Product Overview

http://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/datasheet-c78-733399.pdf

Deploying ASAv

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-asav.pdf

My VCP-NV Experience

I am pleased to announce that I successfully passed the VMware VCPN610 exam on 26.10.2014 and received the VCP-NV certificate. It was a long, hard journey and I would like to share how I prepared for the actual exam.

VCP-NV Certificate

When VMware first announced their new certification path covering network virtualization, there was no question that I would pursue it. I was so excited. Since there is no official free courseware available to prepare for the actual exam, I did it the hard way, reading through the official exam blueprint, which was about 25 pages long.

Then, expanding on the blueprint, I started to research each topic in more detail. It really helps that the blueprint itself directs you to the right resources. However, I wanted to know far more, not just the product itself but also the story behind it. I read various publications from Martin Casado and his friends tracing back to Stanford, where the idea began. That was a long time before VMware bought Nicira in 2012 for 1.2 billion dollars. Nicira was created by Martin and had a product called the Nicira Network Virtualization Platform, which eventually became the NSX flavor for multi-hypervisor support. Just looking at this investment you can see how big NSX is for VMware at the moment, and trust me, software defined networking is just beginning to shape our networks.

Besides the official technical resources, what really helped fill the gaps were the many sessions from this year's VMworld, covering anything from a Distributed Switch deep dive to explaining the various NSX components and services in greater detail. You can find these sessions on YouTube. I already had some previous knowledge of vSphere, but the book from Chris Wahl, Networking for VMware Administrators, helped me reinforce the core networking topics in vSphere. I highly recommend this book both for network admins seeking more information about VMware and for server admins seeking to know more about networking.

Networking for VMware Administrators: a great publication from two VMware experts

The essential resources, and I am very thankful for them, were the VMware Hands-on Labs, which are free and allow you to play with the technology itself and look under the hood. Nothing is hidden. Depending on your previous experience I recommend going through the following labs:

If you check the blueprint you will notice that there are quite a large number of topics. My tip for exam VCPN610 is to know the core foundation of NSX, which includes:

  • Familiarity with core VMware products: vSphere, ESXi, vCNS, vCAC
  • The difference between the Standard Virtual Switch and the Distributed Virtual Switch
  • What VMkernel ports, port groups and uplink ports are
  • The difference between north-south and east-west traffic patterns
  • The difference between underlay and overlay networks
  • NSX architecture, components and services and their relationships
  • The difference between the traditional 3-tier network architecture and leaf-spine
  • The data, control and management planes of NSX
  • NSX maximums: how many VXLANs are supported, how many NSX Edges you can run...
  • Physical network requirements, what a VTEP is

There are a lot more topics to cover; however, during the exam I found these to be the most important. The prerequisites for this exam are very generous: if you are currently Cisco CCNA or CCNP certified in the Routing and Switching or Data Center track you can sit the exam until 28.02.2015. After that date you need to attend an official course to qualify for the exam.

If you think this new technology is something you are interested in and you want to expand your skills in software defined networking, this track is the right choice. Stay tuned for more articles covering NSX that may help you toward your goal.