vCloud Automation Center 6.0 (vCAC 6.0)–Reservation Policies, Storage Reservation Policies, Network Profiles

Before we proceed further, let me recap where we are. In the first post we installed and configured the vCloud Automation Center 6.0 Identity Appliance (vCAC 6.0 Identity Appliance) and the vCloud Automation Center Appliance (vCAC 6.0), and in the second post we installed and configured vCloud Automation Center IaaS (vCAC 6.0 IaaS). In the third post we went further and configured a tenant. As the diagram below shows, we have completed almost every configuration step. This post focuses on the optional configuration part.

image (Component Level diagram)

We created the Sales business group and assigned a business group administrator to it. We created a reservation and assigned it to the Sales business group.

While creating the reservation we stopped at the Alerts tab. Let's resume that discussion. It is optional configuration, but it is worth understanding and enabling. In a cloud environment where things change dynamically, alerts are a must.

Click on the Alerts tab and set capacity alerts on the various parameters shown below.

image

Unless you have configured notifications, alert emails won't be sent.

A few considerations about reservations

A reservation is a portion or share of fabric resources assigned to a business group. Multiple business groups (e.g. Sales, HR, Marketing) can each have reservations, and a business group can have reservations of different tiers (e.g. Gold, Silver and Bronze). In my environment the Gold cluster was assigned to the Sales and Marketing business groups in the figure above (a PDF copy is linked to the figure). However, a single reservation cannot be shared across business groups.
The reservation type must also match the platform defined in the blueprint: an end user cannot request a Hyper-V machine from a reservation that was created for a different platform. If you name your blueprints accordingly this shouldn't be a problem at all.

Reservation Policy

A reservation policy is a collection of reservations grouped together so that a specific type of service can be made available. Below I have created a policy named Production Reservation Policy and included the Silver and Gold reservations.

image

In the figure below I tried to show that multiple reservations can be assigned to a single reservation policy, but a blueprint can have only one reservation policy assigned. When resources are provisioned, only the reservations that match the blueprint type are considered and allocated.

image

A reservation policy needs to be populated with reservations, but in practice the correlation is not easy to see. When you create a reservation you have the option to assign it to a reservation policy; that is where the association between reservation and reservation policy is created. Reservations are created for a business group, and a business group can have multiple reservations from the fabric. With a reservation policy you can bring all the reservations assigned to a business group under a single policy. Let me explain it with the simple diagram below.

image

In the example above we have a tenant under which I created a Sales business group. Inside the Sales business group I created three reservations of different types: Cloud, Virtual and Physical. As fabric administrator I created a reservation policy named "Virtual Reservation Policy" to collect the resources of both the Virtual and Cloud reservations. This policy lets me provision any virtual resource as long as I select "Virtual Reservation Policy" in the blueprint or reservation. This is just one way of doing it.

You can create the reservation or the reservation policy first; there is no dependency as such. In fact reservation policies are an optional part of the overall picture. The better approach is to create the reservation policy first.
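To make the matching rules concrete, here is an added Python model (example code, not part of the original post or of vCAC itself) of how a provisioning request is narrowed down to eligible reservations: the reservation must belong to the requesting business group, its platform must match the blueprint's platform, and if the blueprint carries a reservation policy the reservation must carry the same tag. The class and field names are assumptions and the sample reservations are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the vCAC 6.0 objects discussed above (field names are
# assumptions, not vCAC API names): a reservation belongs to exactly one business
# group, has a platform type and optionally carries a reservation policy tag.

@dataclass(frozen=True)
class Reservation:
    name: str
    business_group: str
    platform: str              # e.g. "vSphere", "Hyper-V", "vCloud"
    policy: Optional[str]      # reservation policy tag, or None if untagged
    free_memory_gb: int

@dataclass(frozen=True)
class Blueprint:
    name: str
    platform: str
    policy: Optional[str]      # at most one reservation policy per blueprint
    memory_gb: int

def rejection_reason(blueprint: Blueprint, group: str, res: Reservation) -> Optional[str]:
    """Why a reservation cannot serve the request, or None if it can."""
    if res.business_group != group:
        return "reservation belongs to another business group"   # never shared across groups
    if res.platform != blueprint.platform:
        return "platform mismatch"                                 # only matching types are considered
    if blueprint.policy is not None and res.policy != blueprint.policy:
        return "reservation policy mismatch"                       # the tag must agree
    if res.free_memory_gb < blueprint.memory_gb:
        return "insufficient capacity"
    return None

def eligible_reservations(blueprint: Blueprint, group: str,
                          reservations: List[Reservation]) -> List[Reservation]:
    """Reservations the request could be provisioned from, in inventory order."""
    return [r for r in reservations if rejection_reason(blueprint, group, r) is None]

# Constructed sample inventory
RESERVATIONS = [
    Reservation("Gold", "Sales", "vSphere", "Production Reservation Policy", 64),
    Reservation("Silver", "Sales", "vSphere", "Production Reservation Policy", 32),
    Reservation("Bronze", "Sales", "vSphere", None, 128),
    Reservation("Sales Hyper-V", "Sales", "Hyper-V", "Production Reservation Policy", 64),
    Reservation("Gold Marketing", "Marketing", "vSphere", "Production Reservation Policy", 64),
]
PROD_WEB = Blueprint("Prod Web", "vSphere", "Production Reservation Policy", 8)
DEV_BOX = Blueprint("Dev Box", "vSphere", None, 8)   # no policy: any matching reservation will do

if __name__ == "__main__":
    for group in ("Sales", "Marketing", "HR"):
        names = [r.name for r in eligible_reservations(PROD_WEB, group, RESERVATIONS)]
        print(f"{PROD_WEB.name} requested by {group}: {names}")
```

The `rejection_reason` function is the useful part when a request fails with no reservation available: it tells you which of the three relationships (group, platform, policy tag) is the one that was not set up.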

A reservation policy is actually a tag: all you need to do is give the tag a name and a short description. To create a reservation policy, go to Infrastructure –> Reservations –> Reservation Policies and click New Reservation Policy. As described above I have created two reservation policies, shown below:

  1. Production Reservation Policy for Gold and Silver reservation
  2. Gold Storage for production virtual machines

image

Creating the reservation policy is not sufficient. You must assign the reservation policy to the reservations you intend to group together. Below I'm creating new reservations and assigning the newly created reservation policies to each of them, as described above.

image

Storage Reservation Policy

A storage reservation policy is similar to a reservation policy. Its primary purpose is to collect datastores with similar characteristics into a group. Below I have created a storage reservation policy named GOLD and grouped three datastores of the same characteristics (Datastore01, Datastore02 and Datastore03) into it.

image

This tag helps to assign storage according to the requirements of the application. If Datastore01 is full, the VM is automatically provisioned to Datastore02. It means we just need to have the storage reservation policy in place; behind the scenes, Gold storage from Datastore01, 02 or 03 is assigned.

It is similar to the storage profiles released in vSphere 5.0; however, these tags were inherited from DynamicOps. I wonder whether there is still a use case for this tag now that Storage DRS clusters are becoming so popular. A datastore cannot have multiple storage reservation policies (e.g. Datastore01 cannot have a second storage reservation policy assigned), but a storage reservation policy can contain different datastores. After the storage reservation policy is created, you must assign it to a volume for it to take effect.

Do not create storage reservation policy if you have well designed Storage DRS cluster

Like a reservation policy, a storage reservation policy is also a tag. You create it from the same interface as a reservation policy. The two are almost identical (at least I have not discovered any difference), but logically they cannot be combined.

Assigning a storage reservation policy differs from assigning a reservation policy: a storage reservation policy must be applied directly to datastores. Go to Infrastructure –> Compute Resources –> Compute Resources.

image

Network Profiles

By default vCAC assigns a DHCP IP address to every machine it provisions. DHCP is fine for non-production server VMs, but production server VMs need static IP addresses. Desktop VMs are probably never a concern as far as networking policies are considered. Allocating static IPs is the primary intention of network profiles: a network profile is a way to create a pool of IP addresses. You can apply a network profile while creating a reservation or while creating a blueprint.

Network profiles do not apply to AWS

The fabric administrator defines the IP ranges, subnet mask, DNS, DHCP, WINS (does that still exist?) and DNS suffix, and combines all these values into a single profile referred to as a network profile. Like reservation policies, network profiles can be applied to reservations and blueprints.

Create a Network Profile for Static IP Address Assignment

Log in as fabric admin and navigate to Infrastructure –> Reservations –> New Network Profile –> External.

image

1) Name of the network profile. Append the profile type to the name, e.g. Production External

2) Subnet mask for the network range

3) Gateway (for a NAT-type network profile this field is compulsory)

4) Primary DNS server

5) DNS Suffix

image

6) Click on the IP Ranges tab. In the screen below, enter the IP address range you need to reserve for this profile, provide a name and description, and press OK once done.

image

After you press OK, the screen below displays the IP range and the allocation status in the Status column.

image

Now that we have a network profile, we need to assign it to a reservation. Below I'm assigning it to an existing reservation. Go to Infrastructure –> Reservations –> edit the existing reservation. For the network path "VM Network", select the network profile from the drop-down menu and press OK.

image
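As an added example (not code from the original post or from vCAC), the Python model below behaves like the external network profile configured in the steps above: it holds the subnet mask, gateway, DNS settings and IP ranges, refuses ranges that fall outside the subnet, hands out addresses to machines, never hands out the gateway, and returns an address to the pool when a machine is released, which is what the Allocated/Unallocated status column reflects. Class and method names are assumptions; the addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed model of a vCAC "external" network profile (names are assumptions):
# the profile fixes subnet mask, gateway, DNS settings and one or more IP ranges,
# and hands out addresses from those ranges to provisioned machines.

@dataclass
class NetworkProfile:
    name: str
    subnet_mask: str
    gateway: str
    primary_dns: str
    dns_suffix: str
    ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=list)
    allocations: Dict[ipaddress.IPv4Address, str] = field(default_factory=dict)

    @property
    def network(self) -> ipaddress.IPv4Network:
        # Derive the subnet from gateway + mask (strict=False ignores the host bits)
        return ipaddress.IPv4Network(f"{self.gateway}/{self.subnet_mask}", strict=False)

    def add_range(self, start: str, end: str) -> None:
        """Reserve start..end (inclusive) for this profile; reject ranges that do not fit the subnet."""
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError("range start is after range end")
        net = self.network
        if lo not in net or hi not in net:
            raise ValueError(f"range {start}-{end} lies outside {net}")
        if lo == net.network_address or hi == net.broadcast_address:
            raise ValueError("range must not include the network or broadcast address")
        self.ranges.append((lo, hi))

    def addresses(self) -> Iterator[ipaddress.IPv4Address]:
        for lo, hi in self.ranges:
            cur = lo
            while cur <= hi:
                yield cur
                cur += 1

    def allocate(self, machine: str) -> ipaddress.IPv4Address:
        """Hand the first unallocated address to `machine`; the gateway is never handed out."""
        gw = ipaddress.IPv4Address(self.gateway)
        for ip in self.addresses():
            if ip != gw and ip not in self.allocations:
                self.allocations[ip] = machine
                return ip
        raise RuntimeError(f"network profile {self.name!r}: no free IP addresses")

    def release(self, machine: str) -> Optional[ipaddress.IPv4Address]:
        """Return a machine's address to the pool (e.g. on destroy); None if it had none."""
        for ip, owner in list(self.allocations.items()):
            if owner == machine:
                del self.allocations[ip]
                return ip
        return None

    def status(self) -> List[Tuple[str, str, str]]:
        """What the IP Ranges screen shows: address, Allocated/Unallocated, machine name."""
        return [(str(ip), "Allocated" if ip in self.allocations else "Unallocated",
                 self.allocations.get(ip, "")) for ip in self.addresses()]

def demo() -> NetworkProfile:
    """Constructed walk-through: three addresses, one machine destroyed, its address reused."""
    profile = NetworkProfile("Production External", "255.255.255.0", "192.168.10.1",
                             "192.168.10.5", "corp.example")
    profile.add_range("192.168.10.10", "192.168.10.12")
    for vm in ("web01", "web02", "web03"):
        profile.allocate(vm)
    profile.release("web02")      # machine destroyed: 192.168.10.11 goes back to the pool
    profile.allocate("web04")     # reuses 192.168.10.11
    return profile

if __name__ == "__main__":
    for row in demo().status():
        print(*row)
```

The subnet check in `add_range` is the one worth keeping in mind when you fill in the IP Range tab: an address outside the profile's mask will be handed to a machine whose gateway cannot reach it.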

So in this post we learned the importance of reservation policies and how to configure them. We learned about storage reservation policies and how to configure them: a storage reservation policy needs to be applied to compute resources, while a reservation policy is configured on the reservation screen. Then we looked at network profiles and their use cases. Finally we learned how to configure a network profile so that static IPs can be assigned to servers.

In the next post I will discuss how to create and configure vCloud Automation Center 6.0 (vCAC 6.0) blueprints.

Configure NetFlow Settings

NetFlow is a network analysis tool that you can use to monitor network and virtual machine traffic.

NetFlow is available on vSphere distributed switch version 5.0.0 and later.

Procedure

1 Log in to the vSphere Client and select the Networking inventory view.

2 Right-click the vSphere distributed switch in the inventory pane, and select Edit Settings.

3 Navigate to the NetFlow tab.

image

The sampling rate determines what portion of data NetFlow collects, with the sampling rate number determining how often NetFlow collects the packets. A collector with a sampling rate of 2 collects data from every other packet. A collector with a sampling rate of 5 collects data from every fifth packet.

9 Click OK.

How to enable Port Mirroring

Working With Port Mirroring

Port mirroring allows you to mirror a distributed port's traffic to other distributed ports or specific physical switch ports.

Create a Port Mirroring Session

Create a port mirroring session to mirror vSphere distributed switch traffic to specific physical switch ports.

Prerequisites

Requires a vSphere distributed switch version 5.0.0 or later.

Specify Port Mirroring Name and Session Details

Specify the name, description, and session details for the new port mirroring session.

Procedure

1 Log in to the vSphere Client and select the Networking inventory view.

2 Right-click the vSphere distributed switch in the inventory pane, and select Edit Settings.

3 On the Port Mirroring tab, click Add.

image

4 Enter a Name and Description for the port mirroring session.

image

Click Next.

Choose Port Mirroring Destinations

image

Click Next.

Choose Port Mirroring Destinations

Select Port, or uplink as destinations for the port mirroring session.

Port Mirroring is checked against the VLAN forwarding policy. If the VLAN of the original frames is not equal to or trunked by the destination port, the frames are not mirrored.

image

You can optionally enable the port mirroring session now or later.

image

image

How to enable IPv6 on vSphere

Please note IPv6 is disabled by default.

Prerequisites

Required privilege: Host.Configuration.Network Configuration

Procedure

1 From the vSphere Client Home page, click Hosts and Clusters.

2 Select the host and click the Configuration tab.

3 Click the Networking link under Hardware.

image

4 In the vSphere Standard Switch view, click the Properties link.

image

5 Select Enable IPv6 support on this host system and click OK.

image

6 Reboot the host.

How to Manage Policies for Multiple Port Groups on a vDS

You can modify networking policies for multiple port groups on a distributed switch.

Prerequisites

Create a vSphere distributed switch with one or more port groups.

Procedure

1 Log in to the vSphere Client and select the Networking inventory view.

2 Right-click the distributed switch and select Manage Port Groups.

image

3 Select the policy categories to modify.

image

For the purpose of this discussion, let's select the Teaming and Failover policy.

The next screens are therefore specific to the Teaming and Failover policy only.

image

image

image

How to configure Port Blocking in vDS

Port blocking policies allow you to selectively block ports from sending or receiving data.

Port Blocking Policy for a Distributed Port Group

The Miscellaneous policies dialog allows you to configure various distributed port group policies.

Procedure

1 Log in to the vSphere Client and select the Networking inventory view.

2 Right-click the distributed port group in the inventory pane, and select Edit Settings.

3 Select Policies.

image

4 In the Miscellaneous group, choose whether to Block all ports in this distributed port group.

5 Click OK.

How to enable NetFlow

Monitoring Policy

The monitoring policy enables or disables NetFlow monitoring on a distributed port or port group.

NetFlow settings are configured at the vSphere distributed switch level.

Edit the Monitoring Policy on a Distributed Port Group

With the Monitoring policy, you can enable or disable NetFlow monitoring on a distributed port group.

Procedure

1 Log in to the vSphere Client and select the Networking inventory view.

2 Right-click the distributed port group in the inventory pane, and select Edit Settings.

3 Select Policies.

4 In the Monitoring group, select the NetFlow Status from the drop down menu.

image

5 Click OK.

Edit the Resource Allocation Policy on a Distributed Port

Associate a distributed port with a network resource pool to give you greater control over the bandwidth given to the port.

Prerequisites

Enable Network I/O Control on the host and create one or more user-defined network resource pools.

Procedure

1. Log in to the vSphere Client and select the Networking inventory view.

2. Select the vSphere distributed switch in the inventory pane.

3. On the Ports tab, right-click the port to modify and select Edit Settings.

image

4. Select Policies.

5. In the Resource Allocation group, select the Network Resource Pool to associate the port with from the drop-down menu.

image

6. Click OK.

Notes for Storage Guide 02

For Guide 01 click here

Switch discovery protocols allow vSphere administrators to determine which physical switch port is connected to a given vSphere standard switch or vSphere distributed switch.

vSphere 5.0 supports Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP).

CDP is available for both vSphere standard switches and vSphere distributed switches connected to Cisco physical switches.

LLDP is only available for vSphere distributed switches version 5.0.0 and later.

When CDP or LLDP is enabled for a particular vSphere distributed switch or vSphere standard switch, you can view properties of the peer physical switch such as device ID, software version, and timeout from the vSphere Client.

Enable Cisco Discovery Protocol on a vSphere Distributed Switch

Procedure

1. Log in to the vSphere Client and select the Networking inventory view.

2. Right-click the vSphere distributed switch in the inventory pane, and select Edit Settings.

3. On the Properties tab, select Advanced.

4. Select Enabled from the Status drop-down menu.

5. Select Cisco Discovery Protocol from the Type drop-down menu.

image

6. Select the CDP mode from the Operation drop-down menu.

7. Click OK.

image

MAC Addresses

MAC addresses are generated for virtual network adapters that virtual machines and network services use. In most cases, the generated MAC addresses are appropriate. However, you might need to set a MAC address for a virtual network adapter, as in the following cases:

- Virtual network adapters on different physical hosts share the same subnet and are assigned the same MAC address, causing a conflict.
- To ensure that a virtual network adapter always has the same MAC address.

To circumvent the limit of 256 virtual network adapters per physical machine and possible MAC address conflicts between virtual machines, system administrators can manually assign MAC addresses.

By default, VMware uses the Organizationally Unique Identifier (OUI) 00:50:56 for manually generated addresses, but all unique manually generated addresses are supported.

You can set the address by adding the following line to a virtual machine's configuration file:

ethernet<number>.address = 00:50:56:XX:YY:ZZ

where <number> refers to the number of the Ethernet adapter, XX is a valid hexadecimal number between 00 and 3F (63 in decimal), and YY and ZZ are valid hexadecimal numbers between 00 and FF (255 in decimal).

The value for XX must not be greater than 3F, to avoid conflict with MAC addresses that are generated by the VMware Workstation and VMware Server products.

The maximum value for a manually generated MAC address is:

ethernet<number>.address = 00:50:56:3F:FF:FF (in decimal 00:50:56:63:255:255)

You must also set the following option in the virtual machine's configuration file:

ethernet<number>.addressType = "static"

The first three bytes of the MAC address that is generated for each virtual network adapter consist of the OUI. The MAC address-generation algorithm produces the other three bytes. The algorithm guarantees unique MAC addresses within a machine and attempts to provide unique MAC addresses across machines. The network adapters for each virtual machine on the same subnet should have unique MAC addresses; otherwise, they can behave unpredictably. The algorithm puts a limit on the number of running and suspended virtual machines at any one time on any given host. It also does not handle all cases when virtual machines on distinct physical machines share a subnet.

Who is responsible for generating MAC addresses in a vSphere environment?

The VMware Universally Unique Identifier (UUID) generates MAC addresses that are checked for conflicts.

The generated MAC addresses are created by using three parts: the VMware OUI, the SMBIOS UUID for the physical ESXi machine, and a hash based on the name of the entity that the MAC address is being generated for.

When does a MAC address change?

After the MAC address has been generated, it does not change unless the virtual machine is moved to a different location, for example, to a different path on the same server. The MAC address is saved in the configuration file of the virtual machine.

All MAC addresses that have been assigned to network adapters of running and suspended virtual machines on a given physical machine are tracked. The MAC address of a powered-off virtual machine is not checked against those of running or suspended virtual machines. It is possible that when a virtual machine is powered on again, it acquires a different MAC address. This happens because of a conflict with a virtual machine that was powered on while this virtual machine was powered off.
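The rules from the manual-assignment section above (00:50:56 OUI, fourth octet no higher than 3F, the two configuration lines) and the conflict-tracking behaviour just described (only running and suspended VMs are compared) as one added Python example that is not VMware's code: it validates a manually chosen address, emits the .vmx lines with the quoting a real .vmx file uses, and scans a constructed inventory for duplicate MACs on a subnet. The multicast-bit check and the power-state strings are assumptions beyond the text.

```python
import re
from typing import Dict, List, Tuple

# Added example, not VMware code. The inventory at the bottom is constructed.

VMWARE_OUI = (0x00, 0x50, 0x56)
MAX_MANUAL_XX = 0x3F           # above 3F collides with Workstation/Server generated ranges
MAC_FORMAT = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

def parse_mac(mac: str) -> Tuple[int, ...]:
    if not MAC_FORMAT.fullmatch(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return tuple(int(octet, 16) for octet in mac.split(":"))

def check_manual_mac(mac: str) -> List[str]:
    """Problems with a manually assigned MAC; an empty list means it is acceptable."""
    try:
        octets = parse_mac(mac)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if octets[0] & 0x01:
        # Low bit of the first octet marks a group (multicast) address: never valid for a NIC
        problems.append("multicast bit set in first octet")
    if octets[:3] == VMWARE_OUI and octets[3] > MAX_MANUAL_XX:
        problems.append("fourth octet above 3F inside the 00:50:56 OUI")
    return problems

def vmx_static_mac_lines(adapter_index: int, mac: str) -> List[str]:
    """The two configuration lines from the text, quoted the way a real .vmx file is."""
    problems = check_manual_mac(mac)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f'ethernet{adapter_index}.addressType = "static"',
        f'ethernet{adapter_index}.address = "{mac.lower()}"',
    ]

def find_mac_conflicts(vms: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str]]:
    """vms: (vm name, power state, subnet, mac). Reports duplicate MACs among running or
    suspended VMs on the same subnet; powered-off VMs are skipped, as the text describes."""
    seen: Dict[Tuple[str, str], str] = {}
    conflicts = []
    for name, state, subnet, mac in vms:
        if state not in ("poweredOn", "suspended"):   # power-state strings are assumptions
            continue
        key = (subnet, mac.lower())
        if key in seen:
            conflicts.append((seen[key], name, mac.lower()))
        else:
            seen[key] = name
    return conflicts

# Constructed inventory for the conflict scan
SAMPLE_VMS = [
    ("web01", "poweredOn",  "192.168.10.0/24", "00:50:56:3F:FF:FF"),
    ("web02", "poweredOn",  "192.168.10.0/24", "00:50:56:3f:ff:ff"),  # same MAC, same subnet
    ("db01",  "poweredOff", "192.168.10.0/24", "00:50:56:3F:FF:FF"),  # powered off: not checked
    ("app01", "suspended",  "10.0.0.0/24",     "00:50:56:3F:FF:FF"),  # other subnet: no conflict
]

if __name__ == "__main__":
    print("\n".join(vmx_static_mac_lines(0, "00:50:56:3F:FF:FF")))
    print(find_mac_conflicts(SAMPLE_VMS))
```

The scan deliberately ignores db01, which is exactly the case the text warns about: the duplicate only surfaces when that VM is powered on again.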

Notes for Storage Guide 01

Load Balancing and Failover Policy

You can edit your load balancing and failover policy by configuring the following parameters:

Load Balancing policy determines how outgoing traffic is distributed among the network adapters associated with a switch or port group.

NOTE: Incoming traffic is controlled by the load balancing policy on the physical switch.

Failover Detection controls the link status and beacon probing.

Beaconing is not supported with guest VLAN tagging.

Network Adapter Order can be active or standby.

List one reason why you should enable PortFast.

In some cases, you might lose standard switch connectivity when a failover or failback event occurs. This causes the MAC addresses used by virtual machines associated with that standard switch to appear on a different switch port than they previously did. To avoid this problem, put your physical switch in PortFast or PortFast trunk mode.

In network failover detection, what are the limitations of "Link Status Only"?

This policy does not detect configuration errors, such as a physical switch port being blocked by spanning tree or misconfigured to the wrong VLAN, or cable pulls on the other side of a physical switch. This policy relies solely on the link status that the network adapter provides. It detects only failures such as cable pulls and physical switch power failures.

In network failover detection, when is it recommended not to use beacon probing?

It is recommended not to use beacon probing when you are using IP hash load balancing policies. Beacon probing sends out and listens for beacon probes on all NICs in the team and uses this information, in addition to link status, to determine link failure. This option detects many of the failures mentioned above that are not detected by link status alone.

image

In almost all cases, the Notify Switches policy is set to Yes, as it is desirable for the lowest latency of failover occurrences and migrations with vMotion. But is there a use case where it is recommended to set Notify Switches to No?

=> If you are going to use Microsoft Network Load Balancing in unicast mode, it is recommended to set this option to No.

When you select Yes, whenever a virtual NIC is connected to the standard switch, or whenever that virtual NIC's traffic is routed over a different physical NIC in the team because of a failover event, a notification is sent over the network to update the lookup tables on the physical switches.

In which two cases should you not keep any network adapter in the Standby Adapters list?

=> When you are using iSCSI multipathing, your VMkernel interface must be configured to have one active adapter; and when you are using IP-hash load balancing.

Security Policy

Networking security policies determine how the adapter filters inbound and outbound frames. The three elements of the security policy are promiscuous mode, MAC address changes, and forged transmits.

In nonpromiscuous mode, a guest adapter listens only to traffic forwarded to its own MAC address. In promiscuous mode, it can listen to all the frames. By default, guest adapters are set to nonpromiscuous mode.

MAC Address Changes: if you set MAC Address Changes to Reject and the guest operating system changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all inbound frames are dropped.

Forged Transmits: any outbound frame with a source MAC address that is different from the one currently set on the adapter is dropped.
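To show what the three elements mean for a single frame, here is an added Python model (not VMware code) of a port's security policy. For one guest adapter it answers whether an inbound frame is delivered and whether an outbound frame is forwarded under each Accept/Reject combination, and lists which elements a policy leaves at Accept. Field names, broadcast handling and the treatment of the guest's current MAC are assumptions; the sample MACs are constructed.

```python
from dataclasses import dataclass
from typing import List

# Added example, not VMware code. "Accept"/"Reject" are the values shown in the vSphere
# Client; the adapter fields and broadcast handling are simplifying assumptions.

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class SecurityPolicy:
    promiscuous_mode: str = "Reject"      # vSphere defaults
    mac_address_changes: str = "Reject"
    forged_transmits: str = "Reject"

@dataclass(frozen=True)
class GuestAdapter:
    vmx_mac: str        # ethernetN.address / generatedAddress in the .vmx file
    effective_mac: str  # what the guest OS currently has set on the adapter

def deliver_inbound(policy: SecurityPolicy, adapter: GuestAdapter, dst_mac: str) -> bool:
    """Should the port hand this inbound frame to the guest adapter?"""
    if policy.mac_address_changes == "Reject" and adapter.effective_mac.lower() != adapter.vmx_mac.lower():
        return False   # guest changed its MAC away from the .vmx value: all inbound frames dropped
    dst = dst_mac.lower()
    if dst == adapter.effective_mac.lower() or dst == BROADCAST:
        return True    # nonpromiscuous mode still sees its own unicast and broadcast
    return policy.promiscuous_mode == "Accept"   # other stations' frames only in promiscuous mode

def forward_outbound(policy: SecurityPolicy, adapter: GuestAdapter, src_mac: str) -> bool:
    """Should the port forward this frame sent by the guest?"""
    if src_mac.lower() != adapter.effective_mac.lower():
        return policy.forged_transmits == "Accept"   # source MAC differs from the adapter's
    return True

def elements_left_open(policy: SecurityPolicy) -> List[str]:
    """Elements set to Accept: the settings a reviewer of a port group would want justified."""
    return [name for name, value in (("promiscuous_mode", policy.promiscuous_mode),
                                     ("mac_address_changes", policy.mac_address_changes),
                                     ("forged_transmits", policy.forged_transmits))
            if value == "Accept"]

if __name__ == "__main__":
    nic = GuestAdapter("00:50:56:3f:00:01", "00:50:56:3f:00:01")     # constructed sample MACs
    print(deliver_inbound(SecurityPolicy(), nic, "00:50:56:3f:00:02"))   # False: not ours
    print(forward_outbound(SecurityPolicy(), nic, "00:50:56:3f:00:55"))  # False: forged source
```

`elements_left_open` is the check to run over every port group's policy: each element it returns is a deliberate exception (nested virtualisation, a network IDS, clustering software that rewrites MACs) and should be documented as such.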

Traffic Shaping Policy

A traffic shaping policy is defined by average bandwidth, peak bandwidth, and burst size. You can establish a traffic shaping policy for each port group and each distributed port or distributed port group.

ESXi shapes outbound network traffic on standard switches and inbound and outbound traffic on distributed switches. Traffic shaping restricts the network bandwidth available on a port, but can also be configured to allow bursts of traffic to flow through at higher speeds.

image

The Status policy here is applied to each virtual adapter attached to the port group, not to the standard switch as a whole. If you enable the policy exception in the Status field, you set limits on the amount of network bandwidth allocated to each virtual adapter associated with this particular port group. If you disable the policy, services have a clear connection to the physical network by default.