Saturday, January 18, 2020

How to configure Jumbo Frames not only for vSAN

Not only vSAN but also vMotion, NFS and other types of traffic can benefit from Jumbo Frames on an Ethernet network: larger frames mean fewer packets for the same amount of data, so the hosts spend fewer CPU cycles on packet processing and achieve higher throughput.

Jumbo Frames must be configured end-to-end, so we should start in the network core on the physical switches, continue with the virtual switches and finish on the VMkernel ports (vmk). A mismatch at any of these three places breaks large frames on the whole path. The three configuration places are depicted in the schema below.

Physical Switch
Jumbo Frames on physical switches can be configured for the whole switch or per switch port. It depends on the particular switch; my Force10 switch supports the configuration only per switch port, as shown on the screenshot below. Configuration for the whole switch would be easier with less to configure and, as far as I know, some Cisco switches support it.


If you have more than one physical switch, every port in the path, including the inter-switch links, must be configured for Jumbo Frames.

Virtual Switch
On the screenshot below you can see the Jumbo Frame configuration on my VMware Virtual Distributed Switch.


VMkernel port
And last but not least, the configuration on the VMkernel port, in this case the vmk interface used for vSAN traffic.


Final test
After any implementation we should verify that it was successful and that everything works as expected. Log in to the ESXi host via SSH and use the following ping command, which sends a full-size packet with the DF (don't fragment) bit set through the chosen vmk interface:

vmkping -I vmk5 -s 8972 -d 192.168.26.122

-d                  set DF bit (IPv4) or disable fragmentation (IPv6)
-I                   outgoing interface
-s                   set the number of ICMP data bytes to be sent.
                      The default is 56, which translates to a 64 byte
                      ICMP frame when added to the 8 byte ICMP header.
                      (Note: these sizes does not include the IP header).

and here is the result in case everything is configured correctly.


If the packet is larger than the MTU configured on the vmk or the virtual switch, ESXi refuses to send it and we would see the following ... Note that an MTU mismatch further along the path looks different: the packet leaves the host but is dropped by the physical switch port with the smaller MTU, so the ping simply times out with 100% packet loss. Test every vSAN vmk against every other host, because a single forgotten port breaks traffic only for the hosts behind it.


You may ask why we use size 8972 and not 9000.
The reason for 8972 on *nix devices is that the ICMP/ping implementation doesn't count the 28-byte ICMP (8) + IP (20) header (ping + standard Internet Protocol packet header) in the size, thus we must take 9000 and subtract 28 = 8972. [source & credits for the answer]
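The same check, scripted so it can be run against every vSAN peer at once, as an added example (not part of the original post and not VMware's code). It assumes the ESXi shell with vmkping and esxcli available; vmk5 and the 192.168.26.x peers are placeholders. It also covers the IPv6 case, where the IP header is 40 bytes and the matching payload for a 9000-byte MTU is 8952, and tells the local "Message too long" refusal apart from a silent drop further along the path.

```shell
#!/bin/sh
# Added example (not the post author's or VMware's script): end-to-end jumbo frame check
# from one vmk interface to a list of peers, meant for the ESXi shell.
# vmk5 and 192.168.26.x are placeholders for your own vSAN vmk and peer addresses.

# Largest ICMP payload that fits into an MTU without fragmentation: the MTU minus the
# IP header (20 bytes IPv4, 40 bytes IPv6) minus the 8-byte ICMP header.
# max_icmp_payload 9000 4 -> 8972, max_icmp_payload 9000 6 -> 8952
max_icmp_payload() {
  mtu=$1
  case "${2:-4}" in
    4) echo $((mtu - 20 - 8)) ;;
    6) echo $((mtu - 40 - 8)) ;;
    *) echo "usage: max_icmp_payload MTU [4|6]" >&2; return 1 ;;
  esac
}

# Send three full-size pings with the DF bit set from VMK to PEER. Returns 0 only when
# every reply came back. The last line of vmkping output tells the two failures apart:
#  - "Message too long": the vmk or virtual switch MTU is too small, nothing left the host
#  - "100% packet loss": frames left the host and a physical port on the path dropped them
probe_jumbo() {
  vmk=$1; peer=$2; mtu=${3:-9000}; family=${4:-4}
  size=$(max_icmp_payload "$mtu" "$family") || return 2
  if [ "$family" = 6 ]; then v6="-6"; else v6=""; fi
  if out=$(vmkping $v6 -I "$vmk" -s "$size" -d -c 3 "$peer" 2>&1) \
     && printf '%s\n' "$out" | grep -q ' 0% packet loss'; then
    echo "OK    $vmk -> $peer  mtu=$mtu payload=$size"
    return 0
  fi
  echo "FAIL  $vmk -> $peer  mtu=$mtu payload=$size: $(printf '%s\n' "$out" | tail -n 1)"
  return 1
}

# Usage: jumbo_check.sh VMK PEER [PEER ...]; without arguments it only prints payload sizes.
if [ $# -ge 2 ]; then
  vmk=$1; shift
  # MTU actually configured on the vmk; it must already be 9000 for the probes to pass
  esxcli network ip interface list | sed -n "/^$vmk\$/,/MTU/p" | grep MTU
  rc=0
  for peer in "$@"; do
    probe_jumbo "$vmk" "$peer" 9000 4 || rc=1
  done
  exit $rc
else
  echo "IPv4 payload for MTU 9000: $(max_icmp_payload 9000 4)"
  echo "IPv6 payload for MTU 9000: $(max_icmp_payload 9000 6)"
fi
```

Run it as `sh jumbo_check.sh vmk5 192.168.26.122 192.168.26.123` on each host, ideally from every host to every other host. The MTU line printed first comes from `esxcli network ip interface list`; if it does not read 9000, the problem is on the vmk or virtual switch and no switch work is needed yet.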

Hope this helps.

Sunday, December 22, 2019

How to remove VMFS datastore and reuse local disks for vSAN

I'm upgrading the hardware in my home lab to leverage vSAN. I have 4x Dell PowerEdge R620, each having 2x 500 GB SATA disks but no SSD for cache disks. Cost is always the constraint for any home lab, but I've recently found an M.2 NVMe PCIe adapter for an M.2 NVMe SSD in my local computer shop. The total cost of 1x M.2 NVMe PCIe adapter + 1x M.2 NVMe 512 GB SSD is just $100.




Such a hardware upgrade for only $400 would allow me to have a vSAN datastore with almost 4 TB raw space, because I would have a 4-node HYBRID vSAN where each node has 1x NVMe disk as the cache disk and 2x 500 GB SATA disks as capacity disks. The vSAN raw space will probably be 4 TB minus ~10% for the on-disk format, i.e. about 3.6 TB raw, and roughly 2 TB usable after reserving 25% slack space and an additional 25% for RAID 5 protection (3.6 TB x 0.75 x 0.75 ≈ 2 TB); still a pretty good deal.

The issue I'm describing in this blog post usually happens in environments where local disks are used as backing storage for local VMFS datastores. Local VMFS datastores work perfectly fine until you want to remove a VMFS datastore and reuse the local disks, for example for vSAN. That was exactly my case: in my home lab I have four ESXi hosts, each with 2x 500 GB SATA disks and a local VMFS datastore spanning the two disks.

When I tried to remove the local datastore (ESX22-Local-SATA-01), it failed with the following error message:

The resource 'Datastore Name: ESX22-Local-SATA-01 VMFS uuid: 5c969e10-1d37088c-3a57-90b11c142bbc' is in use.




Why is the datastore in use? Well, there can be several reasons. All of them are very well described in the Virten blog post from 2014, "Cannot remove datastore * because file system is busy."

Here is Virten's LUN removal checklist:
  • No virtual machine, template, snapshot or CD/DVD image resides on the datastore
  • The datastore is not part of a Datastore Cluster
  • Storage I/O Control is disabled for the datastore
  • The datastore is not used for vSphere HA heartbeat
  • The LUN is not used as an RDM
  • The datastore is not used as the scratch location
  • The datastore is not used as the VMkernel dump file location (/vmkdump/)
  • The datastore is not used as the active vsantraced location (/vsantrace/)
  • The datastore is not used to store VM swap files
The root cause of my issue was the scratch location. I blogged about this topic back in 2012 in "Set the Scratch Partition from the vSphere Client".

When you have another datastore available on the ESXi host, the solution is very easy: you simply change the scratch location. It is much trickier when you do not have any alternative datastore. Fortunately, in my home lab I have three Synology NAS boxes used as shared datastores over NFS and iSCSI, so the fix was quick. If you need to do it for more than a few ESXi hosts, a PowerCLI script can be handy.

If you do not have any other datastore and you need to remove the VMFS datastore, you have two options:

  1. Reboot the computer into some alternative system (Linux, FreeBSD, etc.) and destroy the MBR or GPT partition table on the particular disk device, for example gpart destroy -F /dev/ad0 in FreeBSD. Be aware that this wipes the datastore together with anything still stored on it.
  2. Physically remove the disk from the computer. When you boot it up, ESXi should automatically fall back to the temporary scratch location on the ramdisk (assuming you don't have any other available datastores on that box). You can then reinsert the disk and correctly remove the datastore from the ESXi host.
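A host-side helper for the checklist above, as an added example (not part of the original post and not VMware's or Virten's code): it pulls the ESXi settings that can keep a datastore busy (configured and current scratch location, core dump file, syslog directory, host swap datastore) with esxcli, reports which of them still mention the datastore, and can re-point the scratch location at another datastore. It assumes the ESXi shell; the vCenter-level items (datastore cluster, SIOC, HA heartbeat, RDM) are out of its reach. The UUID 5c969e10-1d37088c-3a57-90b11c142bbc from the error message and the directory name .locker-esx22 are placeholders.

```shell
#!/bin/sh
# Added example (not the post author's, VMware's or Virten's script): find the host-side
# settings that still reference a VMFS datastore before trying to delete it, and
# optionally move the scratch location elsewhere. Meant for the ESXi shell.
# Placeholders: datastore UUID 5c969e10-1d37088c-3a57-90b11c142bbc, directory .locker-esx22.

# references_to DS  -  read "what: value" lines on stdin and print every "what" whose value
# mentions DS (a datastore name or a VMFS UUID). Prints nothing when DS is unreferenced.
references_to() {
  ds=$1
  while IFS= read -r line; do
    case "$line" in
      *"$ds"*) printf '%s\n' "${line%%:*}" ;;
    esac
  done
}

# host_settings  -  dump the settings that can pin a datastore, one "what: value" per line.
# Only the value lines of the esxcli output are kept and relabelled.
host_settings() {
  esxcli system settings advanced list -o /ScratchConfig/ConfiguredScratchLocation \
    | sed -n 's/^ *String Value: /scratch (configured): /p'
  esxcli system settings advanced list -o /ScratchConfig/CurrentScratchLocation \
    | sed -n 's/^ *String Value: /scratch (current): /p'
  esxcli system coredump file get \
    | sed -n -e 's/^ *Active: /coredump (active): /p' -e 's/^ *Configured: /coredump (configured): /p'
  esxcli system syslog config get \
    | sed -n 's/^ *Local Log Output: /syslog directory: /p'
  esxcli sched swap system get \
    | sed -n 's/^ *Datastore Name: /host swap datastore: /p'
}

# report DS  -  what on this host still references datastore DS (empty output = nothing found)
report() {
  host_settings | references_to "$1"
}

# move_scratch DIR  -  point the scratch location at a directory on another datastore,
# e.g. /vmfs/volumes/<other-datastore>/.locker-esx22; the change applies after a reboot.
move_scratch() {
  mkdir -p "$1" || return 1
  esxcli system settings advanced set -o /ScratchConfig/ConfiguredScratchLocation -s "$1"
}

# Usage: ds_in_use.sh DATASTORE_NAME_OR_UUID [NEW_SCRATCH_DIR]
if [ $# -ge 1 ] && command -v esxcli >/dev/null 2>&1; then
  found=$(report "$1")
  if [ -n "$found" ]; then
    printf 'Datastore %s is still referenced by:\n%s\n' "$1" "$found"
  else
    echo "No host-side references to $1; check vCenter-level items (HA heartbeat, SIOC, datastore cluster)."
  fi
  if [ $# -ge 2 ]; then
    move_scratch "$2" && echo "Scratch location set to $2, reboot the host to apply."
  fi
fi
```

Because the scratch and dump paths use the VMFS UUID while the swap setting uses the datastore name, run it once with each: `sh ds_in_use.sh 5c969e10-1d37088c-3a57-90b11c142bbc` and `sh ds_in_use.sh ESX22-Local-SATA-01`. A second argument such as /vmfs/volumes/<other-datastore>/.locker-esx22 moves the scratch location there; after the reboot the datastore can be removed.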

Wednesday, December 18, 2019

VMware NSX-T and vIDM licensing question

From time to time customers ask the following NSX-T & vIDM question ...
Do I need a license for VMware Identity Manager? The aim of using vIDM is RBAC for NSX-T.
There is a community discussion in the VMTN at https://communities.vmware.com/thread/616803 with the correct answer ...
You may use vIDM for free with NSX-T if you bought NSX. No license required. vIDM may not be deployed for other solutions in this case.
However, it would be nice to have an official VMware document supporting the answer.

Here it is ...
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/downloads/eula/product-guide/2019/vmware-product-guide-19-may.pdf

On page 16 it is written ...
VMware Identity Manager feature. A license to use VMware NSX Data Center (any edition) or NSX Cloud (any edition) includes an entitlement to use the VMware Identity Manager feature, but only for the following functionalities:
  • directory integration functionality of VMware Identity Manager to authenticate users in a user directory such as Microsoft Active Directory or LDAP
  • conditional access policy
  • single-sign-on integration functionality with third party Identity providers to allow third party identity providers’ users to single-sign-on into NSX
  • two-factor authentication solution through integration with third party systems. VMware Verify, VMware’s multi-factor authentication solution, received as part of VMware Identity Manager, may not be used as part of NSX, and single-sign-on functionality to access VMware products that support single-sign-on capabilities.
Restriction on Features. Each edition of the Software (Standard, Professional, Advanced, Enterprise or Enterprise Plus) offers different features and functionality. You may access and use only the features and functionality that
correspond with the edition of Software You have validly licensed. Those features and functionality are detailed at the following links: http://kb.vmware.com/kb/2145269 and https://kb.vmware.com/s/article/52462. You agree to not access or use any feature or functionality of an edition of the Software to which You are not entitled based on the edition of Software You have validly licensed. 

Hope this helps.

Wednesday, December 11, 2019

vSAN Encryption and Core Dumps

I was on a three-day vSAN training (VMware vSAN: Deploy and Manage [V6.7]) which is very useful even for someone like me, who has been observing vSAN since the beginning (2013) and did a lot of self-study and home lab practicing during the last year or so. The trainer (Jiri Viktorin) is very knowledgeable and ready to answer any question. To be honest, I personally prefer classroom training over online training, as personal contact and student discussions are sometimes even more valuable than the official training content. And that was exactly the case in this particular training.

One training attendee asked the trainer whether the DEKs (Data Encryption Keys) used for vSAN Encryption are included in core dumps and therefore shared with VMware Support (GSS) when a core dump is sent for analysis. That would be a significant security risk, especially in environments with strict security requirements.

In the beginning I also assumed that the DEKs are most probably included in a memory dump because they are in ESXi host RAM, right? However, any assumption should be validated and clarified if possible, therefore I did some quick research in the product documentation and also on Google, but I did not find any relevant info. Fortunately, as a VMware employee I can use internal Slack channels and ask our VMware SMEs these deep-dive questions. The well-known authority on vSphere security is Mike Foley and he replied within a few minutes. Thanks, Mike! Really appreciated.

Mike's answer was even better than I expected.
VMware Encryption technology is smart enough to not include DEK keys (Data Encryption Key) into core dumps. Keys live in the key cache. The key cache is not included in a core dump. 
That's great! ESXi core dumps can be shared with VMware GSS without the risk of unveiling Data Encryption Keys. That's an awesome message for customers' security officers and it shows that VMware takes vSphere security seriously.

Hope this information will help other folks in the VMware community.
    

Thursday, September 12, 2019

Datacenter Fabric for HCI in scale

I'm currently designing a brand new data center based on VMware HCI for one of my customers. Conceptually, we are planning to have two sites at metro distance (~10 km) for disaster avoidance and cross-site high availability. For me, cross-site high availability (stretched metro clusters) is not a disaster recovery solution, so we will have a third location (200 km+ from the primary location) for DR purposes. We are also considering remote clusters in branch offices to provide services outside the datacenters. The overall concept is depicted in the drawing below.
Datacenter conceptual design
The capacity requirements lead to a decent number of servers, therefore the datacenter size will be somewhere around 10+ racks per site. The rack design is pretty simple: top of rack switches and standard rack servers connected to the TOR switches, optimally by 4x 25Gb links.
Server rack design
However, with 10+ racks per site there is the question of how we connect the racks together. We have two options: traditional (Access / Aggregation / Core) or Leaf/Spine. In our case both options are valid and pretty similar, because with the traditional topology we would go with a collapsed Access / Core topology anyway. However, there are two key differences between an Access/Core network and a Leaf/Spine fabric:

  1. Leaf/Spine is always L3 internally keeping L2/L3 boundary at TORs. This is good because it splits the L2 fault domain and mitigates risks of L2 networking with STP issues, broadcast storms, unknown unicast flooding, etc.
  2. Leaf/Spine supports additional fabric services like automation, L2 over L3 to have L2 across the racks (PODs), Life Cycle Management (fabric level firmware upgrades, rollbacks, etc.), Single Point of Management/Visibility, etc.

We are designing a brand new data center which has to be in production for the next 15+ years, and we will need very good connectivity within the data center supporting huge east-west traffic, therefore a leaf-spine fabric topology based on 100Gb/25Gb Ethernet makes perfect sense. The concept of a data center fabric in leaf-spine topology is depicted in the figure below.
Datacenter fabric
Ok. So, conceptually and logically we know what we want but how to design it physically and what products to choose?

I've just started working for VMware as an HCI Specialist supporting Dell within our Dell Synergy Acceleration Team, so there is no doubt VxRAIL makes perfect sense here and fits the concept perfectly. However, we need a data center fabric to connect all racks within each site and also to interconnect the two sites.

I have found that Dell EMC has SmartFabric Services. You can watch the high-level introduction at
https://www.dellemc.com/en-us/video-collateral/dellemc-smartfabric-services-for-vxrail.htm

SmartFabric Services seems very tempting. To be honest, I do not have any experience with Dell EMC SmartFabric so far; however, my regular readers know that I was testing, designing and implementing Dell Networking a few years ago. At that time I was blogging about Force10 Networking (FTOS 9) technology and published a series of blog posts available at https://www.vcdx200.com/p/series.html

However, Dell EMC SmartFabric Services are based on a newer switch operating system (OS10) with which I do not have any experience yet, therefore I did some research and found very interesting blog posts about Dell EMC SmartFabric published by Mike Orth aka @HCIdiver and Hasan Mansur. Here are the links to the blog posts:


So the next step is to get more familiar with Dell EMC SmartFabric Services, because it can significantly simplify data center operations and split the duties between the datacenter full-stack engineers (compute/storage/network) and the traditional network team.

I personally believe that a datacenter full-stack engineer should be responsible not only for compute and storage (HCI) but also for the data center fabric, while the traditional networking team takes responsibility at the network rack where the fabric is connected to the external network. You can treat the datacenter fabric as a new generation of SAN, which is nowadays operated by the storage team anyway, right?

Hope this makes sense, and if there is anybody with Dell EMC SmartFabric experience or a similar design, please feel free to leave a comment below or contact me on Twitter @david_pasek.

Wednesday, September 11, 2019

New job role - vSAN rulez

Hey, my readers.

Long-time readers of my blog know that I have been working with VMware datacenter technologies since 2006, when I moved from software development to data center infrastructure consulting. In June 2006, VMware released VMware Virtual Infrastructure 3, which was for me the first production-ready version for hosting business applications. Back in those days it was a very simple platform (at least for end-users / administrators) and a very functional piece of software with huge business benefits.

Let me share with you one secret I have discovered. As I have a software background, over the years I personally developed a lot of software, on my own and in development teams, so there is a law I discovered during my developer days in the '90s and 2000s ... "The 3rd version of developed software code is production-ready, and developing three software versions usually takes around 5 years." There are multiple reasons for this statement but they are beyond the scope of this post.

I will just give you two examples related to the topic of this article.

  1. ESX 1.0 was released in March 2001 and production-ready (at least for me) was the version ESX 3.0 released in June 2006 ... 5 years of software development and continuous improvements based on customer feedback
  2. vSAN 1.0 was released in 2013 and production-ready (at least for me) was vSAN 6.7 U1 in October 2018 ... 5 years of software development and continuous improvements based on customer feedback
But let's go back to the topic of this blog post. Since 2006 I have been dealing with various adventures and challenges in server virtualization and software-defined infrastructure as a whole. It was and still is a very interesting journey, and a great industry and community to be in, because the infrastructure principles do not change very often; it was mainly about better manageability, scalability and simpler infrastructure consumption for application admins. Well, when I say that the key principles in IT infrastructure do not change very often, there are still a few innovations over the decades which changed the industry significantly.
  • Think about "The Flash" (SLC, MLC, QLC, Intel Optane, NVMe) which already changed the storage industry.
  • Think about the concept of Composable Disaggregated Infrastructure
  • Think about software-defined infrastructures in compute, storage and network
The innovations mentioned above are changing the technologies, but it always takes some time because the most resistant to change are humans. On the other hand, resistance, or conservatism if you will, is not always bad because, at the end of the day, the infrastructure is just another tool in the toolbox of the IT people supporting the business.

Well, this is a pretty important thing to realize.
Infrastructure is not here for the sake of the infrastructure but to support software applications. And software applications are not here for the sake of applications but to support some business, whatever the business is. And each business supports some other business. So generally speaking, the quality of the support and simplicity of consumption is the key to having satisfied customers and being successful in any business.
During my datacenter career, I worked for two infrastructure giants, Dell and Cisco, delivering server, storage and network virtualization consulting to simplify sometimes pretty complex infrastructures. If you ask me for one reason why this is an interesting industry to be in, my answer would be: THE SIMPLIFICATION BY ABSTRACTION.

When I look back retrospectively, this is the reason why I decided to focus on the VMware platform and invest my time (13+ years) into this technology. Back then, I chose VMware because they were emulating physical infrastructure components as logical software constructs, all backed by an API with automation in mind from day zero. Another reason to choose the virtualization abstraction is that I'm a big believer in standardization and commoditization. It allowed me to leverage my existing knowledge of infrastructure principles. A disk is a disk; logically it does not matter if it is connected locally through SATA or SCSI or remotely over Fibre Channel or iSCSI. At the end of the day, the disk is there to provide a block device to a server and store some data on it. Period. And similarly you can think about other infrastructure components like a NIC, switch, router, file storage, object storage, you name it.

My decisions and good intuition always paid back. Nowadays nobody doubts server virtualization, and business-critical and even mission-critical apps are virtualized or planned to be virtualized soon. It's all about x86 commoditization and "good enough" technology. Compare it with another example in ICT. Do you remember the Telco battle between traditional telephony and IP telephony? I do. And do you see such discussions nowadays? No. IP telephony was accepted as a "good enough" technology even though you do not have a 100% guarantee that you own the line during the telephone conversation. However, it has a lot of other benefits.

And we are in the same situation with PRIMARY STORAGE in datacenters. During the last 10+ years, I was dealing with or witnessing multiple storage issues in various data centers. I always say NO STORAGE = NO DATACENTER. The storage system is a critical component of any datacenter. The major incidents and problems were caused by
  • environment complexity (SAN fan-in / fan-out ratios, micro-bursting and "slow-drain" issues)
  • storage systems overloaded from a performance point of view (any overloaded system behaves unpredictably, even a human body)
  • human mistakes
I was witnessing all these issues not only as a data center consultant but also as a VMware Technical Account Manager during the last 4 years, helping a few assigned VIP VMware accounts to keep the lights on and think strategically about how to simplify data center infrastructures and deliver value to the business.

Since 2013, VMware has been developing the next big thing, software-defined storage. As I've mentioned above, from a technical point of view I believe vSAN 6.7 U1 is the production-ready piece of software, and from now on it will only get better. I'm not saying there are not, or will not be, any problems. Problems are everywhere around us and failure is inevitable, but it is about the availability and recoverability options and how fast any solution can fail over or be recovered. This is again beyond the scope of this article, but I hope you understand the point.

Nevertheless, software eats the world and I believe there is momentum for Hyper-Converged Infrastructure, which in VMware terms means vSAN. Of course, it will take some time to convince traditional storage architects, engineers and operations people, but the trend is absolutely clear. For the transition period, VMware has other storage technologies to leverage: not only vSAN, but also consuming traditional storage systems more intelligently with vVols, and eventually evolving into the software-defined datacenter (SDDC).

So let me announce publicly that since September 1st I work for VMware as a Senior Systems Engineer for Hyper-Converged Infrastructure (HCI). As a VMware Systems Engineer for HCI, I'm responsible for driving the technical solutions to ensure customer success and the revenue goals derived from VMware software and solutions. I'm focused on HCI solutions for the assigned Alliance Partner (Dell Technologies), working closely with both the Alliance Partner and VMware technical teams to build the differentiation with that Alliance. I will also be able to bring feedback from the field to VMware and Alliance Product Management teams.

So what can you, my blog readers, expect? More storage-related blog posts about vSAN, vVols, vSphere Replication, SRM, I/O filters leveraged by 3rd party solutions, etc.


I'm excited and looking forward to this new journey. Hope I will have enough spare time to blog about the journey and share it with the great VMware community.

Wednesday, August 28, 2019

VMware Ports and Protocols

VMware recently released a very interesting tool. It documents all network ports and protocols required for communication to and from VMware products. At the moment, the following products are covered:

  • vSphere
  • vSAN
  • NSX for vSphere
  • vRealize Network Insight
  • vRealize Operations Manager
  • vRealize Automation
I believe other products will follow. See the screenshot of the tool below.



The tool is available at https://ports.vmware.com/

I'm pretty sure technical designers and implementation engineers will love this tool.