ProfessionalVMware.com
VCAP Brownbag, 8/17/2011
Damian Karlson

VCAP Blueprint Section 2
  Objective 2.1: Implement & Manage Complex Virtual Networks
  Objective 2.2: Configure and Maintain VLANs, PVLANs and VLAN Settings
  Objective 2.3: Deploy and Maintain Scalable Virtual Networking
  Objective 2.4: Administer vNetwork Distributed Switch Settings

SNMP & More
  IPv6: Host Configuration > Networking > Properties
  NetQueue: Host Configuration > Advanced Settings > VMkernel/Boot; also use esxcfg-advcfg
  SNMP
    vCenter: Administration > vCenter Settings > SNMP
      Notification traps only
    ESX/ESXi
      ESXi only has VMware embedded SNMP agent. ESX has Net-SNMP & VMware embedded
      Can only be managed through vicfg-snmp (remote CLI or vMA), which opens the appropriate firewall ports.
      Configure communities first, then destination

Comparing vSS & vDS
  vSS (virtual standard switches) – same virtual switching technology we all know and love
    Switches defined on each host in a cluster
    Portgroup/VLAN/uplink configurations can be tedious
  vDS (virtual distributed switches) – introduced with vSphere 4.0
    Unified switch across hosts in a cluster
    Separation of control and data planes
    Extensible through 3rd party switches (Cisco N1Kv)
    Traffic stats available; shaping available at dvPortGroup and dvUplink portgroup levels
    Ingress traffic shaping

Create & Manage vSwitches
  Full range of vSS config needs supported
    Some things only available through CLI, such as MTU
  Partial range of vDS config needs supported
    Some things not available through CLI, such as PVLANs or creating dvPortGroups
  Tools are the usual suspects: esxcfg-vswitch, esxcfg-nics, esxcfg-vswif, esxcfg-route, esxcfg-vmknic, PowerCLI, vMA

VLAN Tagging
  VST (virtual switch tagging)
    VLANs defined at vSwitch level; physical switch accepts all or range
  EST (external switch tagging)
    VLANs are set to 0 at vSwitch; physical switch does all tagging
  VGT (virtual guest tagging)
    VM tags through virtual NIC properties
    vSwitch set to 4095; physical switch accepts all or range

Private VLANs
  PVLANs are VLANs within VLANs. Requires physical switch support.
  Original VLAN is the primary, additional VLANs are secondary VLANs.
  Secondary VLANs come in 3 flavors:
    Promiscuous VLANs have the same primary and secondary VLAN ID. Can talk to anyone in the same primary.
    Isolated VLANs can only talk to hosts in a promiscuous VLAN
    Community VLANs only talk to each other, and to the promiscuous VLAN
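
The three PVLAN rules above can be checked against a planned layout before it is deployed. The following is an added example, not part of the original slides; the VLAN IDs, VM names and function names are constructed for illustration.

```python
from itertools import combinations

# Constructed PVLAN map, as defined on the vDS: (primary, secondary) -> type.
PVLAN_MAP = {
    (100, 100): "promiscuous",  # secondary ID equals primary ID
    (100, 101): "isolated",
    (100, 102): "community",
    (100, 103): "community",
}

# Constructed port assignments: VM name -> (primary, secondary).
PORTS = {
    "gateway": (100, 100),
    "tenant-a": (100, 101),
    "tenant-b": (100, 101),
    "web-1": (100, 102),
    "web-2": (100, 102),
    "db-1": (100, 103),
}

def invalid_entries(pvlan_map):
    """Entries that break the rule 'promiscuous <=> secondary == primary'."""
    return [p for p, kind in pvlan_map.items()
            if (kind == "promiscuous") != (p[0] == p[1])]

def can_talk(a, b, pvlan_map=PVLAN_MAP):
    """True if ports in PVLANs a and b can reach each other at layer 2."""
    kind_a, kind_b = pvlan_map[a], pvlan_map[b]
    if a[0] != b[0]:                       # different primary VLAN
        return False
    if "promiscuous" in (kind_a, kind_b):  # promiscuous reaches the whole primary
        return True
    if kind_a == kind_b == "community":    # community: same secondary only
        return a[1] == b[1]
    return False                           # isolated reaches promiscuous only

def allowed_pairs(ports):
    """All VM pairs that can communicate, in sorted order."""
    return [(x, y) for x, y in combinations(sorted(ports), 2)
            if can_talk(ports[x], ports[y])]

def violations(ports, must_be_isolated):
    """Pairs expected to be isolated that the PVLAN layout lets talk."""
    return [(x, y) for x, y in must_be_isolated if can_talk(ports[x], ports[y])]

if __name__ == "__main__":
    for x, y in allowed_pairs(PORTS):
        print(f"{x} <-> {y}")
```

Two VMs in the same isolated secondary (tenant-a and tenant-b here) still cannot reach each other, which is the property that distinguishes an isolated PVLAN from a community one.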

VLAN Configuration
  VLANs on vSS are defined at the portgroup level
  PVLANs are defined at the vDS level first, then can be selected at the portgroup level
  Distributed switches can have VLANs defined at the dvPortGroup level and the dvUplink PortGroup level

vDS VLAN options
  “None” for EST
  “VLAN” for VST
  “VLAN Trunking” for VGT or multiple VST

Uplink teaming
  Route based on IP hash
    Requires Etherchannel or equivalent. Req’d for FT
  Explicit failover
    Can be used to balance load & provide availability in certain situations
  Route based on source MAC
  Route based on virtual port ID

Network Isolation
  Isolate vMotion, NFS, iSCSI, FT
  Separate storage from VM networks
  Use VLANs
  When teaming use physical NICs on different busses

vDS Port Bindings
  Static
    Port is assigned at all times, until the VM is removed from the port group
    VM can only be connected through vCenter
  Dynamic
    Port is assigned when VM is on and vmnic is connected, otherwise it is disconnected.
    VMs with dynamic ports can only be powered on/off through vCenter
  Ephemeral
    dvPorts can be assigned through ESX/ESXi or vCenter
    Port assigning works like dynamic
    Usually only reserved for emergency/recovery/vCenter down

vSS to vDS Port Migrations
  Create vDS
    Uplinks
    Portgroups
    VLANs
  Break vSS team and assign one uplink to vDS
  Networking > Migrate Virtual Machine Network
  Select source and destination; select VMs; migrate
  Remove vSS portgroups and switch as needed

Resources
  Sean Crookston’s guide (updated on damiankarlson.com)
  Ed Grigson’s guide
  Eric Sloof’s VCAP test
  Kendrick Coleman’s VCAP-DCA page
  Trainsignal Troubleshooting
  Personal experience and practice, practice, practice