Update Manager and Isolated ESX Service Console Networks

Sometimes you may be required to run your vCenter server that has two network interfaces. One in the network it can be reached for remote desktop access and the other where it has access to the ESX servers in order to manage the VMware hosts. This is sort of a hybrid model of an isolated management network. Where only one host can reach the management ports. One thing to think about in this model is Update Manager by default will not like it. Everything may look ok, but trying to scan a host will fail. Luckily though it is an easy fix.

media_1274554600651.png

In the update manager configuration tab change the ip in the picture to the IP accessible by the ESX servers. Then remember to restart the Update Manager services. Now go back and run the ESX scan/stage/remediation.

Random Half Thoughts While Driving

So I often have epiphany teasers while driving long distances or stuck in traffic. I call them teasers because they are never fully developed ideas and often disappear into thoughts about passing cars, or yelling at the person on their cell phone going 15 MPH taking up 2 lanes.

Here is some I was able to save today (VMware related):

1. What if I DID want an HA cluster to be split in two different locations, Why?
2. Why must we over-subscribe iSCSI vmkernel ports to make the best use of the 1gbe phyical nics. Is it a just the software iSCSI in vSphere? Is just something that happens with IP storage? I should test that sometime…
3. If I had 10 GB nics I wouldn’t use them on Service Console or Vmotion that would be a waste. No wait, VMotion ports could use it to speed up  your VMotions.
4. Why do people use VLAN 1 for their production servers? Didnt’ their Momma teach em?
5.  People shouldn’t fear using extents, they are not that bad. No, maybe they are. Nah, I bet they are fine, how often does just 1 lun go down. What are the chances of it being the first lun in your extent? Ok maybe it happens a bunch. I am too scared to try it today.

iSCSI Connections on EqualLogic PS Series

Equallogic PS Series Design Considerations

VMware vSphere introduces support for multipathing for iSCSI. Equallogic released a recommended configuration for using MPIO with iSCSI.   I have a few observations after working with MPIO and iSCSI. The main lesson is know the capabilities of the storage before you go trying to see how man paths you can have with active IO.

  1. EqualLogic defines a host connection as 1 iSCSI path to a volume. At VMware Partner Exchange 2010 I was told by a Dell guy, “Yeah, gotta read those release notes!”
  2. EqualLogic limits the number of hosts in the to 128 per pool or 256 per group connections in the 4000 series (see table 1 for full breakdown) and to 512/2048 per pool/group connections in the 6000 series arrays.
  3. The EqualLogic MPIO recommendation mentioned above can consume many connections with just a few vSphere hosts.

I was under the false impression that by “hosts” we were talking about physical connections to the array. Especially since the datasheet says “Hosts Accessing PS series Group”. It actually means iSCSI connections to a volume. Therefore if you have 1 host with 128 volumes singly connected via 1 iSCSI path each, you are already at your limit (on the PS4000).

An example of how fast vSphere iSCSI MPIO (Round Robin) can consume available connections can be seen this this scenario. Five vSphere hosts with 2 network cards each on the iSCSI network. If we follow the whitepaper above we will create 4 vmkernel ports per host. Each vmkernel creates an additional connection per volume. Therefore if we have 10 300 GB volumes for datastores we already have 200 iSCSI connections to our Equallogic array. Really no problem for the 6000 series but the 4000 will start to drop connections. I have not even added the connections created by the vStorage API/VCB capable backup server. So here is a formula*:

N – number of hosts

V – number of vmkernel ports

T – number of targeted volumes

B – number of connections from the backup server

C – number of connections

(N * V * T) + B = C

Equallogic PS Series Array Connections (pool/group)
4000E 128/256
4000X 128/256
4000XV 128/256
6000E 512/2048
6000S 512/2048
6000X 512/2048
6000XV 512/2048
6010,6500,6510 Series 512/2048

Use multiple pools within the group in order to avoid dropped iSCSI connections and provide scalability. This reduces the number of spindles you are hitting with your IO. Using care to know the capacity of the array will help avoid big problems down the road.

*I have seen the connections actually be higher and I can only figure this is because the way EqualLogic does iSCSI redirection.

vSheild Zones My First Look

So my first experience trying to deploy the new vShield Zones security product included in VMware’s vSphere.

First vShield Zones is different than VMsafe. The way I understand it is the vShield Zones is like your border security but inside of the vSphere. It divides and segregates networks and virtual machines. The VMsafe is end point protection built into the kernel. Reflex has the first VMsafe certified appliance but I have not had a chance to try it yet. (Need more hardware hint hint)

The User Guide talks about downloading an appliance but you actually download an ISO then run an installer that unzips a folder with the 2 appliances. One is the vShield Zones Manager and the other is the actual firewall. The extra step of using the ISO image was annoying buy I guess I am just a whiner. On a super basic level, (I am not here to re-write the user guide) Import the appliance for the manager then import the firewall. Convert the firewall into a template. The Manager appliance takes care of the rest. Note: Internet Explorer 8 and the Manager Web UI don’t work. I used IE 7 just fine.

  1. You won’t get this far in IE8 🙂
  2. Deploying the vShield is straight forward. It creates new vSwitches and port groups and the Manager UI indicates which network is protected and unprotected. This is not in Virtual Center still in the Web Interface.
  3. As you deploy the vShield enjoy watching the tasks in vCenter.

All things considered it is a good product I don’t have enough throughput on my little lab machine to really test any impact using vShields would have on performance. If you are a Service Provider I think it would be a great add on to ensure some separation of virtuals.

Rescan All Hba’s Where are you?

So I was updating some of my blog posts on the esxcfg-* commands with any changes in ESX 4. I wrote earlier I did not know much about the esxcfg-advcfg command. Since writing that post at the end of 2008, I found Duncan Epping used esxcfg-advcfg in 3.5 to set the option rescan all the Hba’s. I thought this was a great shortcut and decided to try it out in vSphere but:

[root@esx4 ~]# esxcfg-advcfg -s 1 /Scsi/ScsiRescanAllHbas
Exception occured: Unable to find option ScsiRescanAllHbas

So I looked through vCenter 4 and did not find the option under Scsi I looked around some in the other Advanced Options and it is no where to be found.

Has this been removed or moved somewhere else? If you know hit me up on twitter @2vcps

Thin Disk on vSphere My First Glance

So today I got around to putting ESXi 4 on my spare box at home. I first deployed a new virtual server and decided to use the thin provisioning built into the new version. After getting everything all setup. I was suprised to still see this.

I was like DANG! that is some awesome thin provisioning. I was more thinking something had to be wrong. A 42 GB drive with Windows 2008 only using 2.28KB that is sweet! I thought for sure since I had not seen this screen on the information of the VM it had already refreshed. It was too good to be true though I clicked the Refresh Storage and it ended up like this. Which made alot more sense for a fresh and patched Windows install. So far this leads to my first question, why the manual refresh? Should this refresh automatically when the screen redraws?